From 99ddbc35ae2cae5ce983ae7a79c183765a5c1956 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 15 Dec 2019 16:31:07 -0500 Subject: [PATCH] fixes for 5.4 Signed-off-by: Sasha Levin --- .../iio-ad7949-fix-channels-mixups.patch | 128 ++++++++++++++ ...ill-pointless-readback-handling-code.patch | 91 ++++++++++ ...s-remove-openpandora-quirks-for-mmc3.patch | 142 ++++++++++++++++ ...s-revert-pandora-specific-gpiod-addi.patch | 90 ++++++++++ ...xxx-fix-memory-leak-when-sending-i-o.patch | 48 ++++++ ...csi-qla2xxx-fix-a-dma_pool_free-call.patch | 62 +++++++ ...x-srb-leak-on-switch-command-timeout.patch | 160 ++++++++++++++++++ queue-5.4/series | 7 + 8 files changed, 728 insertions(+) create mode 100644 queue-5.4/iio-ad7949-fix-channels-mixups.patch create mode 100644 queue-5.4/iio-ad7949-kill-pointless-readback-handling-code.patch create mode 100644 queue-5.4/omap-pdata-quirks-remove-openpandora-quirks-for-mmc3.patch create mode 100644 queue-5.4/omap-pdata-quirks-revert-pandora-specific-gpiod-addi.patch create mode 100644 queue-5.4/revert-scsi-qla2xxx-fix-memory-leak-when-sending-i-o.patch create mode 100644 queue-5.4/scsi-qla2xxx-fix-a-dma_pool_free-call.patch create mode 100644 queue-5.4/scsi-qla2xxx-fix-srb-leak-on-switch-command-timeout.patch diff --git a/queue-5.4/iio-ad7949-fix-channels-mixups.patch b/queue-5.4/iio-ad7949-fix-channels-mixups.patch new file mode 100644 index 00000000000..63a46cb9fc7 --- /dev/null +++ b/queue-5.4/iio-ad7949-fix-channels-mixups.patch @@ -0,0 +1,128 @@ +From 64add7223ca803067a2df8b3d4ca085937a4b04b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2019 15:13:36 +0100 +Subject: iio: ad7949: fix channels mixups + +From: Andrea Merello + +[ Upstream commit 3b71f6b59508b1c9befcb43de434866aafc76520 ] + +Each time we need to read a sample (from the sysfs interface, since the +driver supports only it) the driver writes the configuration register +with the proper settings needed to perform the said read, then it runs +another xfer to actually read the resulting value. Most notably the +configuration register is updated to set the ADC internal MUX depending by +which channel the read targets. + +Unfortunately this seems not enough to ensure correct operation because +the ADC works in a pipelined-like fashion and the new configuration isn't +applied in time. + +The ADC alternates two phases: acquisition and conversion. During the +acquisition phase the ADC samples the analog signal in an internal +capacitor; in the conversion phase the ADC performs the actual analog to +digital conversion of the stored voltage. Note that of course the MUX +needs to be set to the proper channel when the acquisition phase is +performed. + +Once the conversion phase has been completed, the device automatically +switches back to a new acquisition; on the other hand the device switches +from acquisition to conversion on the rising edge of SPI cs signal (that +is when the xfer finishes). + +Only after both two phases have been completed (with the proper settings +already written in the configuration register since the beginning) it is +possible to read the outcome from SPI bus. + +With the current driver implementation, we end up in the following +situation: + + _______ 1st xfer ____________ 2nd xfer ___________________ +SPI cs.. \_________/ \_________/ +SPI rd.. idle |(val N-2)+ idle | val N-1 + idle ... +SPI wr.. idle | cfg N + idle | (X) + idle ... +------------------------ + -------------------- + ------------------ + AD .. acq N-1 + cnv N-1 | acq N + cnv N | acq N+1 + +As shown in the diagram above, the value we read in the Nth read belongs +to configuration setting N-1. + +In case the configuration is not changed (config[N] == config[N-1]), then +we still get correct data, but in case the configuration changes (i.e. +switching the MUX on another channel), we get wrong data (data from the +previously selected channel). + +This patch fixes this by performing one more "dummy" transfer in order to +ending up in reading the data when it's really ready, as per the following +timing diagram. + + _______ 1st xfer ____________ 2nd xfer ___________ 3rd xfer ___ +SPI cs.. \_________/ \_________/ \_________/ +SPI rd.. idle |(val N-2)+ idle |(val N-1)+ idle | val N + .. +SPI wr.. idle | cfg N + idle | (X) + idle | (X) + .. +------------------------ + -------------------- + ------------------- + -- + AD .. acq N-1 + cnv N-1 | acq N + cnv N | acq N+1 | .. + +NOTE: in the latter case (cfg changes), the acquisition phase for the +value to be read begins after the 1st xfer, that is after the read request +has been issued on sysfs. On the other hand, if the cfg doesn't change, +then we can refer to the fist diagram assuming N == (N - 1); the +acquisition phase _begins_ before the 1st xfer (potentially a lot of time +before the read has been issued via sysfs, but it _ends_ after the 1st +xfer, that is _after_ the read has started. This should guarantee a +reasonably fresh data, which value represents the voltage that the sampled +signal has after the read start or maybe just around it. + +Signed-off-by: Andrea Merello +Reviewed-by: Charles-Antoine Couret +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7949.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/drivers/iio/adc/ad7949.c b/drivers/iio/adc/ad7949.c +index 518044c31a73b..6b51bfcad0d04 100644 +--- a/drivers/iio/adc/ad7949.c ++++ b/drivers/iio/adc/ad7949.c +@@ -89,6 +89,7 @@ static int ad7949_spi_read_channel(struct ad7949_adc_chip *ad7949_adc, int *val, + unsigned int channel) + { + int ret; ++ int i; + int bits_per_word = ad7949_adc->resolution; + int mask = GENMASK(ad7949_adc->resolution, 0); + struct spi_message msg; +@@ -100,12 +101,23 @@ static int ad7949_spi_read_channel(struct ad7949_adc_chip *ad7949_adc, int *val, + }, + }; + +- ret = ad7949_spi_write_cfg(ad7949_adc, +- channel << AD7949_OFFSET_CHANNEL_SEL, +- AD7949_MASK_CHANNEL_SEL); +- if (ret) +- return ret; ++ /* ++ * 1: write CFG for sample N and read old data (sample N-2) ++ * 2: if CFG was not changed since sample N-1 then we'll get good data ++ * at the next xfer, so we bail out now, otherwise we write something ++ * and we read garbage (sample N-1 configuration). ++ */ ++ for (i = 0; i < 2; i++) { ++ ret = ad7949_spi_write_cfg(ad7949_adc, ++ channel << AD7949_OFFSET_CHANNEL_SEL, ++ AD7949_MASK_CHANNEL_SEL); ++ if (ret) ++ return ret; ++ if (channel == ad7949_adc->current_channel) ++ break; ++ } + ++ /* 3: write something and read actual data */ + ad7949_adc->buffer = 0; + spi_message_init_with_transfers(&msg, tx, 1); + ret = spi_sync(ad7949_adc->spi, &msg); +-- +2.20.1 + diff --git a/queue-5.4/iio-ad7949-kill-pointless-readback-handling-code.patch b/queue-5.4/iio-ad7949-kill-pointless-readback-handling-code.patch new file mode 100644 index 00000000000..a6a11bdf979 --- /dev/null +++ b/queue-5.4/iio-ad7949-kill-pointless-readback-handling-code.patch @@ -0,0 +1,91 @@ +From 3a660b3024d50b03eda017c8244c42a772465587 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2019 16:43:07 +0200 +Subject: iio: ad7949: kill pointless "readback"-handling code + +From: Andrea Merello + +[ Upstream commit c270bbf7bb9ddc4e2a51b3c56557c377c9ac79bc ] + +The device could be configured to spit out also the configuration word +while reading the AD result value (in the same SPI xfer) - this is called +"readback" in the device datasheet. + +The driver checks if readback is enabled and it eventually adjusts the SPI +xfer length and it applies proper shifts to still get the data, discarding +the configuration word. + +The readback option is actually never enabled (the driver disables it), so +the said checks do not serve for any purpose. + +Since enabling the readback option seems not to provide any advantage (the +driver entirely sets the configuration word without relying on any default +value), just kill the said, unused, code. + +Signed-off-by: Andrea Merello +Reviewed-by: Alexandru Ardelean +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7949.c | 27 +++------------------------ + 1 file changed, 3 insertions(+), 24 deletions(-) + +diff --git a/drivers/iio/adc/ad7949.c b/drivers/iio/adc/ad7949.c +index ac0ffff6c5ae1..518044c31a73b 100644 +--- a/drivers/iio/adc/ad7949.c ++++ b/drivers/iio/adc/ad7949.c +@@ -57,29 +57,11 @@ struct ad7949_adc_chip { + u32 buffer ____cacheline_aligned; + }; + +-static bool ad7949_spi_cfg_is_read_back(struct ad7949_adc_chip *ad7949_adc) +-{ +- if (!(ad7949_adc->cfg & AD7949_CFG_READ_BACK)) +- return true; +- +- return false; +-} +- +-static int ad7949_spi_bits_per_word(struct ad7949_adc_chip *ad7949_adc) +-{ +- int ret = ad7949_adc->resolution; +- +- if (ad7949_spi_cfg_is_read_back(ad7949_adc)) +- ret += AD7949_CFG_REG_SIZE_BITS; +- +- return ret; +-} +- + static int ad7949_spi_write_cfg(struct ad7949_adc_chip *ad7949_adc, u16 val, + u16 mask) + { + int ret; +- int bits_per_word = ad7949_spi_bits_per_word(ad7949_adc); ++ int bits_per_word = ad7949_adc->resolution; + int shift = bits_per_word - AD7949_CFG_REG_SIZE_BITS; + struct spi_message msg; + struct spi_transfer tx[] = { +@@ -107,7 +89,7 @@ static int ad7949_spi_read_channel(struct ad7949_adc_chip *ad7949_adc, int *val, + unsigned int channel) + { + int ret; +- int bits_per_word = ad7949_spi_bits_per_word(ad7949_adc); ++ int bits_per_word = ad7949_adc->resolution; + int mask = GENMASK(ad7949_adc->resolution, 0); + struct spi_message msg; + struct spi_transfer tx[] = { +@@ -138,10 +120,7 @@ static int ad7949_spi_read_channel(struct ad7949_adc_chip *ad7949_adc, int *val, + + ad7949_adc->current_channel = channel; + +- if (ad7949_spi_cfg_is_read_back(ad7949_adc)) +- *val = (ad7949_adc->buffer >> AD7949_CFG_REG_SIZE_BITS) & mask; +- else +- *val = ad7949_adc->buffer & mask; ++ *val = ad7949_adc->buffer & mask; + + return 0; + } +-- +2.20.1 + diff --git a/queue-5.4/omap-pdata-quirks-remove-openpandora-quirks-for-mmc3.patch b/queue-5.4/omap-pdata-quirks-remove-openpandora-quirks-for-mmc3.patch new file mode 100644 index 00000000000..c8b50f4ffb6 --- /dev/null +++ b/queue-5.4/omap-pdata-quirks-remove-openpandora-quirks-for-mmc3.patch @@ -0,0 +1,142 @@ +From b0d9b77ca4c225a9d8870198c97f58e9e7569111 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 11:30:39 +0100 +Subject: omap: pdata-quirks: remove openpandora quirks for mmc3 and wl1251 + +From: H. Nikolaus Schaller + +[ Upstream commit 2398c41d64321e62af54424fd399964f3d48cdc2 ] + +With a wl1251 child node of mmc3 in the device tree decoded +in omap_hsmmc.c to handle special wl1251 initialization, we do +no longer need to instantiate the mmc3 through pdata quirks. + +We also can remove the wlan regulator and reset/interrupt definitions +and do them through device tree. + +Fixes: 81eef6ca9201 ("mmc: omap_hsmmc: Use dma_request_chan() for requesting DMA channel") +Signed-off-by: H. Nikolaus Schaller +Cc: # v4.7+ +Acked-by: Tony Lindgren +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/pdata-quirks.c | 93 ------------------------------ + 1 file changed, 93 deletions(-) + +diff --git a/arch/arm/mach-omap2/pdata-quirks.c b/arch/arm/mach-omap2/pdata-quirks.c +index 800a602c06ecc..1b7cf81ff0356 100644 +--- a/arch/arm/mach-omap2/pdata-quirks.c ++++ b/arch/arm/mach-omap2/pdata-quirks.c +@@ -310,108 +310,15 @@ static void __init omap3_logicpd_torpedo_init(void) + } + + /* omap3pandora legacy devices */ +-#define PANDORA_WIFI_IRQ_GPIO 21 +-#define PANDORA_WIFI_NRESET_GPIO 23 + + static struct platform_device pandora_backlight = { + .name = "pandora-backlight", + .id = -1, + }; + +-static struct regulator_consumer_supply pandora_vmmc3_supply[] = { +- REGULATOR_SUPPLY("vmmc", "omap_hsmmc.2"), +-}; +- +-static struct regulator_init_data pandora_vmmc3 = { +- .constraints = { +- .valid_ops_mask = REGULATOR_CHANGE_STATUS, +- }, +- .num_consumer_supplies = ARRAY_SIZE(pandora_vmmc3_supply), +- .consumer_supplies = pandora_vmmc3_supply, +-}; +- +-static struct fixed_voltage_config pandora_vwlan = { +- .supply_name = "vwlan", +- .microvolts = 1800000, /* 1.8V */ +- .gpio = PANDORA_WIFI_NRESET_GPIO, +- .startup_delay = 50000, /* 50ms */ +- .enable_high = 1, +- .init_data = &pandora_vmmc3, +-}; +- +-static struct platform_device pandora_vwlan_device = { +- .name = "reg-fixed-voltage", +- .id = 1, +- .dev = { +- .platform_data = &pandora_vwlan, +- }, +-}; +- +-static void pandora_wl1251_init_card(struct mmc_card *card) +-{ +- /* +- * We have TI wl1251 attached to MMC3. Pass this information to +- * SDIO core because it can't be probed by normal methods. +- */ +- if (card->type == MMC_TYPE_SDIO || card->type == MMC_TYPE_SD_COMBO) { +- card->quirks |= MMC_QUIRK_NONSTD_SDIO; +- card->cccr.wide_bus = 1; +- card->cis.vendor = 0x104c; +- card->cis.device = 0x9066; +- card->cis.blksize = 512; +- card->cis.max_dtr = 24000000; +- card->ocr = 0x80; +- } +-} +- +-static struct omap2_hsmmc_info pandora_mmc3[] = { +- { +- .mmc = 3, +- .caps = MMC_CAP_4_BIT_DATA | MMC_CAP_POWER_OFF_CARD, +- .gpio_cd = -EINVAL, +- .gpio_wp = -EINVAL, +- .init_card = pandora_wl1251_init_card, +- }, +- {} /* Terminator */ +-}; +- +-static void __init pandora_wl1251_init(void) +-{ +- struct wl1251_platform_data pandora_wl1251_pdata; +- int ret; +- +- memset(&pandora_wl1251_pdata, 0, sizeof(pandora_wl1251_pdata)); +- +- pandora_wl1251_pdata.power_gpio = -1; +- +- ret = gpio_request_one(PANDORA_WIFI_IRQ_GPIO, GPIOF_IN, "wl1251 irq"); +- if (ret < 0) +- goto fail; +- +- pandora_wl1251_pdata.irq = gpio_to_irq(PANDORA_WIFI_IRQ_GPIO); +- if (pandora_wl1251_pdata.irq < 0) +- goto fail_irq; +- +- pandora_wl1251_pdata.use_eeprom = true; +- ret = wl1251_set_platform_data(&pandora_wl1251_pdata); +- if (ret < 0) +- goto fail_irq; +- +- return; +- +-fail_irq: +- gpio_free(PANDORA_WIFI_IRQ_GPIO); +-fail: +- pr_err("wl1251 board initialisation failed\n"); +-} +- + static void __init omap3_pandora_legacy_init(void) + { + platform_device_register(&pandora_backlight); +- platform_device_register(&pandora_vwlan_device); +- omap_hsmmc_init(pandora_mmc3); +- omap_hsmmc_late_init(pandora_mmc3); +- pandora_wl1251_init(); + } + #endif /* CONFIG_ARCH_OMAP3 */ + +-- +2.20.1 + diff --git a/queue-5.4/omap-pdata-quirks-revert-pandora-specific-gpiod-addi.patch b/queue-5.4/omap-pdata-quirks-revert-pandora-specific-gpiod-addi.patch new file mode 100644 index 00000000000..cf204b24a19 --- /dev/null +++ b/queue-5.4/omap-pdata-quirks-revert-pandora-specific-gpiod-addi.patch @@ -0,0 +1,90 @@ +From 4cb1d2f3a49b98dd7aff1cf0979934faa81dfecb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 11:30:38 +0100 +Subject: omap: pdata-quirks: revert pandora specific gpiod additions + +From: H. Nikolaus Schaller + +[ Upstream commit 4e8fad98171babe019db51c15055ec74697e9525 ] + +This partly reverts the commit efdfeb079cc3 ("regulator: fixed: Convert to +use GPIO descriptor only"). + +We must remove this from mainline first, so that the following patch +to remove the openpandora quirks for mmc3 and wl1251 cleanly applies +to stable v4.9, v4.14, v4.19 where the above mentioned patch is not yet +present. + +Since the code affected is removed (no pandora gpios in pdata-quirks +and more), there will be no matching revert-of-the-revert. + +Signed-off-by: H. Nikolaus Schaller +Acked-by: Tony Lindgren +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/pdata-quirks.c | 19 ++++--------------- + 1 file changed, 4 insertions(+), 15 deletions(-) + +diff --git a/arch/arm/mach-omap2/pdata-quirks.c b/arch/arm/mach-omap2/pdata-quirks.c +index 2efd18e8824c7..800a602c06ecc 100644 +--- a/arch/arm/mach-omap2/pdata-quirks.c ++++ b/arch/arm/mach-omap2/pdata-quirks.c +@@ -7,7 +7,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -334,7 +333,9 @@ static struct regulator_init_data pandora_vmmc3 = { + static struct fixed_voltage_config pandora_vwlan = { + .supply_name = "vwlan", + .microvolts = 1800000, /* 1.8V */ ++ .gpio = PANDORA_WIFI_NRESET_GPIO, + .startup_delay = 50000, /* 50ms */ ++ .enable_high = 1, + .init_data = &pandora_vmmc3, + }; + +@@ -346,19 +347,6 @@ static struct platform_device pandora_vwlan_device = { + }, + }; + +-static struct gpiod_lookup_table pandora_vwlan_gpiod_table = { +- .dev_id = "reg-fixed-voltage.1", +- .table = { +- /* +- * As this is a low GPIO number it should be at the first +- * GPIO bank. +- */ +- GPIO_LOOKUP("gpio-0-31", PANDORA_WIFI_NRESET_GPIO, +- NULL, GPIO_ACTIVE_HIGH), +- { }, +- }, +-}; +- + static void pandora_wl1251_init_card(struct mmc_card *card) + { + /* +@@ -380,6 +368,8 @@ static struct omap2_hsmmc_info pandora_mmc3[] = { + { + .mmc = 3, + .caps = MMC_CAP_4_BIT_DATA | MMC_CAP_POWER_OFF_CARD, ++ .gpio_cd = -EINVAL, ++ .gpio_wp = -EINVAL, + .init_card = pandora_wl1251_init_card, + }, + {} /* Terminator */ +@@ -418,7 +408,6 @@ fail: + static void __init omap3_pandora_legacy_init(void) + { + platform_device_register(&pandora_backlight); +- gpiod_add_lookup_table(&pandora_vwlan_gpiod_table); + platform_device_register(&pandora_vwlan_device); + omap_hsmmc_init(pandora_mmc3); + omap_hsmmc_late_init(pandora_mmc3); +-- +2.20.1 + diff --git a/queue-5.4/revert-scsi-qla2xxx-fix-memory-leak-when-sending-i-o.patch b/queue-5.4/revert-scsi-qla2xxx-fix-memory-leak-when-sending-i-o.patch new file mode 100644 index 00000000000..aa34cf3f545 --- /dev/null +++ b/queue-5.4/revert-scsi-qla2xxx-fix-memory-leak-when-sending-i-o.patch @@ -0,0 +1,48 @@ +From cc283ee92afee784ca05fa1d10c485e04b92479c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2019 23:55:45 -0500 +Subject: Revert "scsi: qla2xxx: Fix memory leak when sending I/O fails" + +From: Martin K. Petersen + +[ Upstream commit 5a993e507ee65a28eca6690ee11868555c4ca46b ] + +This reverts commit 2f856d4e8c23f5ad5221f8da4a2f22d090627f19. + +This patch was found to introduce a double free regression. The issue +it originally attempted to address was fixed in patch +f45bca8c5052 ("scsi: qla2xxx: Fix double scsi_done for abort path"). + +Link: https://lore.kernel.org/r/4BDE2B95-835F-43BE-A32C-2629D7E03E0A@marvell.com +Requested-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_os.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index 0bbc6a82470a5..06037e3c78549 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -909,8 +909,6 @@ qla2xxx_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd) + + qc24_host_busy_free_sp: + sp->free(sp); +- CMD_SP(cmd) = NULL; +- qla2x00_rel_sp(sp); + + qc24_target_busy: + return SCSI_MLQUEUE_TARGET_BUSY; +@@ -994,8 +992,6 @@ qla2xxx_mqueuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd, + + qc24_host_busy_free_sp: + sp->free(sp); +- CMD_SP(cmd) = NULL; +- qla2xxx_rel_qpair_sp(sp->qpair, sp); + + qc24_target_busy: + return SCSI_MLQUEUE_TARGET_BUSY; +-- +2.20.1 + diff --git a/queue-5.4/scsi-qla2xxx-fix-a-dma_pool_free-call.patch b/queue-5.4/scsi-qla2xxx-fix-a-dma_pool_free-call.patch new file mode 100644 index 00000000000..18657f76840 --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-fix-a-dma_pool_free-call.patch @@ -0,0 +1,62 @@ +From d8c58da50c6a032b73d0d61387eb64375d83179b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 20:42:26 -0800 +Subject: scsi: qla2xxx: Fix a dma_pool_free() call + +From: Bart Van Assche + +[ Upstream commit 162b805e38327135168cb0938bd37b131b481cb0 ] + +This patch fixes the following kernel warning: + +DMA-API: qla2xxx 0000:00:0a.0: device driver frees DMA memory with different size [device address=0x00000000c7b60000] [map size=4088 bytes] [unmap size=512 bytes] +WARNING: CPU: 3 PID: 1122 at kernel/dma/debug.c:1021 check_unmap+0x4d0/0xbd0 +CPU: 3 PID: 1122 Comm: rmmod Tainted: G O 5.4.0-rc1-dbg+ #1 +RIP: 0010:check_unmap+0x4d0/0xbd0 +Call Trace: + debug_dma_free_coherent+0x123/0x173 + dma_free_attrs+0x76/0xe0 + qla2x00_mem_free+0x329/0xc40 [qla2xxx_scst] + qla2x00_free_device+0x170/0x1c0 [qla2xxx_scst] + qla2x00_remove_one+0x4f0/0x6d0 [qla2xxx_scst] + pci_device_remove+0xd5/0x1f0 + device_release_driver_internal+0x159/0x280 + driver_detach+0x8b/0xf2 + bus_remove_driver+0x9a/0x15a + driver_unregister+0x51/0x70 + pci_unregister_driver+0x2d/0x130 + qla2x00_module_exit+0x1c/0xbc [qla2xxx_scst] + __x64_sys_delete_module+0x22a/0x300 + do_syscall_64+0x6f/0x2e0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: 3f006ac342c0 ("scsi: qla2xxx: Secure flash update support for ISP28XX") # v5.2-rc1~130^2~270. +Cc: Michael Hernandez +Cc: Himanshu Madhani +Link: https://lore.kernel.org/r/20191106044226.5207-3-bvanassche@acm.org +Reviewed-by: Martin Wilck +Acked-by: Himanshu Madhani +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_os.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index 23c3927751637..0bbc6a82470a5 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -4680,7 +4680,8 @@ qla2x00_mem_free(struct qla_hw_data *ha) + ha->sfp_data = NULL; + + if (ha->flt) +- dma_free_coherent(&ha->pdev->dev, SFP_DEV_SIZE, ++ dma_free_coherent(&ha->pdev->dev, ++ sizeof(struct qla_flt_header) + FLT_REGIONS_SIZE, + ha->flt, ha->flt_dma); + ha->flt = NULL; + ha->flt_dma = 0; +-- +2.20.1 + diff --git a/queue-5.4/scsi-qla2xxx-fix-srb-leak-on-switch-command-timeout.patch b/queue-5.4/scsi-qla2xxx-fix-srb-leak-on-switch-command-timeout.patch new file mode 100644 index 00000000000..58697232df2 --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-fix-srb-leak-on-switch-command-timeout.patch @@ -0,0 +1,160 @@ +From f6cb09258f1e9a198ba2373cfb91302b9cf986a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 07:06:52 -0800 +Subject: scsi: qla2xxx: Fix SRB leak on switch command timeout + +From: Quinn Tran + +[ Upstream commit af2a0c51b1205327f55a7e82e530403ae1d42cbb ] + +when GPSC/GPDB switch command fails, driver just returns without doing a +proper cleanup. This patch fixes this memory leak by calling sp->free() in +the error path. + +Link: https://lore.kernel.org/r/20191105150657.8092-4-hmadhani@marvell.com +Reviewed-by: Ewan D. Milne +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_gs.c | 2 +- + drivers/scsi/qla2xxx/qla_init.c | 11 +++++------ + drivers/scsi/qla2xxx/qla_mbx.c | 4 ---- + drivers/scsi/qla2xxx/qla_mid.c | 11 ++++------- + drivers/scsi/qla2xxx/qla_os.c | 7 ++++++- + 5 files changed, 16 insertions(+), 19 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_gs.c b/drivers/scsi/qla2xxx/qla_gs.c +index 5298ed10059f2..84bb4a0480166 100644 +--- a/drivers/scsi/qla2xxx/qla_gs.c ++++ b/drivers/scsi/qla2xxx/qla_gs.c +@@ -3005,7 +3005,7 @@ static void qla24xx_async_gpsc_sp_done(srb_t *sp, int res) + fcport->flags &= ~(FCF_ASYNC_SENT | FCF_ASYNC_ACTIVE); + + if (res == QLA_FUNCTION_TIMEOUT) +- return; ++ goto done; + + if (res == (DID_ERROR << 16)) { + /* entry status error */ +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 8c0aae937c1f7..d400b51929a6e 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -1153,19 +1153,18 @@ static void qla24xx_async_gpdb_sp_done(srb_t *sp, int res) + "Async done-%s res %x, WWPN %8phC mb[1]=%x mb[2]=%x \n", + sp->name, res, fcport->port_name, mb[1], mb[2]); + +- if (res == QLA_FUNCTION_TIMEOUT) { +- dma_pool_free(sp->vha->hw->s_dma_pool, sp->u.iocb_cmd.u.mbx.in, +- sp->u.iocb_cmd.u.mbx.in_dma); +- return; +- } +- + fcport->flags &= ~(FCF_ASYNC_SENT | FCF_ASYNC_ACTIVE); ++ ++ if (res == QLA_FUNCTION_TIMEOUT) ++ goto done; ++ + memset(&ea, 0, sizeof(ea)); + ea.fcport = fcport; + ea.sp = sp; + + qla24xx_handle_gpdb_event(vha, &ea); + ++done: + dma_pool_free(ha->s_dma_pool, sp->u.iocb_cmd.u.mbx.in, + sp->u.iocb_cmd.u.mbx.in_dma); + +diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c +index 4a1f21c11758e..4d90cf101f5fc 100644 +--- a/drivers/scsi/qla2xxx/qla_mbx.c ++++ b/drivers/scsi/qla2xxx/qla_mbx.c +@@ -6287,17 +6287,13 @@ int qla24xx_send_mb_cmd(struct scsi_qla_host *vha, mbx_cmd_t *mcp) + case QLA_SUCCESS: + ql_dbg(ql_dbg_mbx, vha, 0x119d, "%s: %s done.\n", + __func__, sp->name); +- sp->free(sp); + break; + default: + ql_dbg(ql_dbg_mbx, vha, 0x119e, "%s: %s Failed. %x.\n", + __func__, sp->name, rval); +- sp->free(sp); + break; + } + +- return rval; +- + done_free_sp: + sp->free(sp); + done: +diff --git a/drivers/scsi/qla2xxx/qla_mid.c b/drivers/scsi/qla2xxx/qla_mid.c +index 238240984bc15..eabc5127174ed 100644 +--- a/drivers/scsi/qla2xxx/qla_mid.c ++++ b/drivers/scsi/qla2xxx/qla_mid.c +@@ -946,7 +946,7 @@ int qla24xx_control_vp(scsi_qla_host_t *vha, int cmd) + + sp = qla2x00_get_sp(base_vha, NULL, GFP_KERNEL); + if (!sp) +- goto done; ++ return rval; + + sp->type = SRB_CTRL_VP; + sp->name = "ctrl_vp"; +@@ -962,7 +962,7 @@ int qla24xx_control_vp(scsi_qla_host_t *vha, int cmd) + ql_dbg(ql_dbg_async, vha, 0xffff, + "%s: %s Failed submission. %x.\n", + __func__, sp->name, rval); +- goto done_free_sp; ++ goto done; + } + + ql_dbg(ql_dbg_vport, vha, 0x113f, "%s hndl %x submitted\n", +@@ -980,16 +980,13 @@ int qla24xx_control_vp(scsi_qla_host_t *vha, int cmd) + case QLA_SUCCESS: + ql_dbg(ql_dbg_vport, vha, 0xffff, "%s: %s done.\n", + __func__, sp->name); +- goto done_free_sp; ++ break; + default: + ql_dbg(ql_dbg_vport, vha, 0xffff, "%s: %s Failed. %x.\n", + __func__, sp->name, rval); +- goto done_free_sp; ++ break; + } + done: +- return rval; +- +-done_free_sp: + sp->free(sp); + return rval; + } +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index 909c61cbf0fce..23c3927751637 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -986,7 +986,7 @@ qla2xxx_mqueuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd, + ql_dbg(ql_dbg_io + ql_dbg_verbose, vha, 0x3078, + "Start scsi failed rval=%d for cmd=%p.\n", rval, cmd); + if (rval == QLA_INTERFACE_ERROR) +- goto qc24_fail_command; ++ goto qc24_free_sp_fail_command; + goto qc24_host_busy_free_sp; + } + +@@ -1000,6 +1000,11 @@ qc24_host_busy_free_sp: + qc24_target_busy: + return SCSI_MLQUEUE_TARGET_BUSY; + ++qc24_free_sp_fail_command: ++ sp->free(sp); ++ CMD_SP(cmd) = NULL; ++ qla2xxx_rel_qpair_sp(sp->qpair, sp); ++ + qc24_fail_command: + cmd->scsi_done(cmd); + +-- +2.20.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 67dc3115735..c8b441ed1b2 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -153,3 +153,10 @@ seccomp-avoid-overflow-in-implicit-constant-conversion.patch quota-fix-livelock-in-dquot_writeback_dquots.patch ext4-fix-credit-estimate-for-final-inode-freeing.patch reiserfs-fix-extended-attributes-on-the-root-directory.patch +scsi-qla2xxx-fix-srb-leak-on-switch-command-timeout.patch +scsi-qla2xxx-fix-a-dma_pool_free-call.patch +revert-scsi-qla2xxx-fix-memory-leak-when-sending-i-o.patch +iio-ad7949-kill-pointless-readback-handling-code.patch +iio-ad7949-fix-channels-mixups.patch +omap-pdata-quirks-revert-pandora-specific-gpiod-addi.patch +omap-pdata-quirks-remove-openpandora-quirks-for-mmc3.patch -- 2.47.3