From d867ee3129c720eae788856988f545cbd83fee33 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 9 Dec 2019 21:03:00 +0100 Subject: [PATCH] 5.4-stable patches added patches: arm64-dts-exynos-revert-remove-unneeded-address-space-mapping-for-soc-node.patch arm64-validate-tagged-addresses-in-access_ok-called-from-kernel-threads.patch crypto-af_alg-cast-ki_complete-ternary-op-to-int.patch crypto-atmel-aes-fix-iv-handling-when-req-nbytes-ivsize.patch crypto-ccp-fix-uninitialized-list-head.patch crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch crypto-ecdh-fix-big-endian-bug-in-ecc-library.patch crypto-geode-aes-switch-to-skcipher-for-cbc-aes-fallback.patch crypto-user-fix-memory-leak-in-crypto_report.patch crypto-user-fix-memory-leak-in-crypto_reportstat.patch drm-damage_helper-fix-race-checking-plane-state-fb.patch drm-i810-prevent-underflow-in-ioctl.patch drm-msm-fix-memleak-on-release.patch kvm-arm-arm64-vgic-don-t-rely-on-the-wrong-pending-table.patch kvm-nvmx-always-write-vmcs02.guest_cr3-during-nested-vm-enter.patch kvm-ppc-book3s-hv-xive-fix-potential-page-leak-on-error-path.patch kvm-ppc-book3s-hv-xive-free-previous-eq-page-when-setting-up-a-new-one.patch kvm-ppc-book3s-hv-xive-set-kvm-arch.xive-when-vps-are-allocated.patch kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch kvm-x86-grab-kvm-s-srcu-lock-when-setting-nested-state.patch kvm-x86-remove-a-spurious-export-of-a-static-function.patch spi-atmel-fix-cs-high-support.patch spi-fix-null-pointer-when-setting-spi_cs_high-for-gpio-cs.patch spi-fix-spi_cs_high-setting-when-using-native-and-gpio-cs.patch spi-spi-fsl-qspi-clear-tdh-bits-in-flshcr-register.patch spi-stm32-qspi-fix-kernel-oops-when-unbinding-driver.patch --- ...d-address-space-mapping-for-soc-node.patch | 81 ++++++++ ...access_ok-called-from-kernel-threads.patch | 55 ++++++ ...g-cast-ki_complete-ternary-op-to-int.patch | 47 +++++ ...x-iv-handling-when-req-nbytes-ivsize.patch | 110 +++++++++++ ...ypto-ccp-fix-uninitialized-list-head.patch | 87 +++++++++ ...double-free-in-crypto4xx_destroy_sdr.patch | 43 +++++ ...dh-fix-big-endian-bug-in-ecc-library.patch | 42 ++++ ...tch-to-skcipher-for-cbc-aes-fallback.patch | 179 ++++++++++++++++++ ...ser-fix-memory-leak-in-crypto_report.patch | 36 ++++ ...fix-memory-leak-in-crypto_reportstat.patch | 37 ++++ ...per-fix-race-checking-plane-state-fb.patch | 58 ++++++ .../drm-i810-prevent-underflow-in-ioctl.patch | 43 +++++ .../drm-msm-fix-memleak-on-release.patch | 45 +++++ ...on-t-rely-on-the-wrong-pending-table.patch | 54 ++++++ ...s02.guest_cr3-during-nested-vm-enter.patch | 93 +++++++++ ...ix-potential-page-leak-on-error-path.patch | 56 ++++++ ...us-eq-page-when-setting-up-a-new-one.patch | 109 +++++++++++ ...kvm-arch.xive-when-vps-are-allocated.patch | 87 +++++++++ ...ot-modify-masked-bits-of-shared-msrs.patch | 51 +++++ ...-of-tsx-feature-in-arch_capabilities.patch | 47 +++++ ...-srcu-lock-when-setting-nested-state.patch | 88 +++++++++ ...spurious-export-of-a-static-function.patch | 33 ++++ queue-5.4/series | 27 +++ queue-5.4/spi-atmel-fix-cs-high-support.patch | 50 +++++ ...when-setting-spi_cs_high-for-gpio-cs.patch | 36 ++++ ...etting-when-using-native-and-gpio-cs.patch | 64 +++++++ ...pi-clear-tdh-bits-in-flshcr-register.patch | 126 ++++++++++++ ...ix-kernel-oops-when-unbinding-driver.patch | 144 ++++++++++++++ 28 files changed, 1928 insertions(+) create mode 100644 queue-5.4/arm64-dts-exynos-revert-remove-unneeded-address-space-mapping-for-soc-node.patch create mode 100644 queue-5.4/arm64-validate-tagged-addresses-in-access_ok-called-from-kernel-threads.patch create mode 100644 queue-5.4/crypto-af_alg-cast-ki_complete-ternary-op-to-int.patch create mode 100644 queue-5.4/crypto-atmel-aes-fix-iv-handling-when-req-nbytes-ivsize.patch create mode 100644 queue-5.4/crypto-ccp-fix-uninitialized-list-head.patch create mode 100644 queue-5.4/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch create mode 100644 queue-5.4/crypto-ecdh-fix-big-endian-bug-in-ecc-library.patch create mode 100644 queue-5.4/crypto-geode-aes-switch-to-skcipher-for-cbc-aes-fallback.patch create mode 100644 queue-5.4/crypto-user-fix-memory-leak-in-crypto_report.patch create mode 100644 queue-5.4/crypto-user-fix-memory-leak-in-crypto_reportstat.patch create mode 100644 queue-5.4/drm-damage_helper-fix-race-checking-plane-state-fb.patch create mode 100644 queue-5.4/drm-i810-prevent-underflow-in-ioctl.patch create mode 100644 queue-5.4/drm-msm-fix-memleak-on-release.patch create mode 100644 queue-5.4/kvm-arm-arm64-vgic-don-t-rely-on-the-wrong-pending-table.patch create mode 100644 queue-5.4/kvm-nvmx-always-write-vmcs02.guest_cr3-during-nested-vm-enter.patch create mode 100644 queue-5.4/kvm-ppc-book3s-hv-xive-fix-potential-page-leak-on-error-path.patch create mode 100644 queue-5.4/kvm-ppc-book3s-hv-xive-free-previous-eq-page-when-setting-up-a-new-one.patch create mode 100644 queue-5.4/kvm-ppc-book3s-hv-xive-set-kvm-arch.xive-when-vps-are-allocated.patch create mode 100644 queue-5.4/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch create mode 100644 queue-5.4/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch create mode 100644 queue-5.4/kvm-x86-grab-kvm-s-srcu-lock-when-setting-nested-state.patch create mode 100644 queue-5.4/kvm-x86-remove-a-spurious-export-of-a-static-function.patch create mode 100644 queue-5.4/spi-atmel-fix-cs-high-support.patch create mode 100644 queue-5.4/spi-fix-null-pointer-when-setting-spi_cs_high-for-gpio-cs.patch create mode 100644 queue-5.4/spi-fix-spi_cs_high-setting-when-using-native-and-gpio-cs.patch create mode 100644 queue-5.4/spi-spi-fsl-qspi-clear-tdh-bits-in-flshcr-register.patch create mode 100644 queue-5.4/spi-stm32-qspi-fix-kernel-oops-when-unbinding-driver.patch diff --git a/queue-5.4/arm64-dts-exynos-revert-remove-unneeded-address-space-mapping-for-soc-node.patch b/queue-5.4/arm64-dts-exynos-revert-remove-unneeded-address-space-mapping-for-soc-node.patch new file mode 100644 index 00000000000..24f273feffe --- /dev/null +++ b/queue-5.4/arm64-dts-exynos-revert-remove-unneeded-address-space-mapping-for-soc-node.patch @@ -0,0 +1,81 @@ +From bed903167ae5b5532eda5d7db26de451bd232da5 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Thu, 12 Sep 2019 09:36:02 +0200 +Subject: arm64: dts: exynos: Revert "Remove unneeded address space mapping for soc node" + +From: Marek Szyprowski + +commit bed903167ae5b5532eda5d7db26de451bd232da5 upstream. + +Commit ef72171b3621 ("arm64: dts: exynos: Remove unneeded address space +mapping for soc node") changed the address and size cells in root node from +2 to 1, but /memory nodes for the affected boards were not updated. This +went unnoticed on Exynos5433-based TM2(e) boards, because they use u-boot, +which updates /memory node to the correct values. On the other hand, the +mentioned commit broke boot on Exynos7-based Espresso board, which +bootloader doesn't touch /memory node at all. + +This patch reverts commit ef72171b3621 ("arm64: dts: exynos: Remove +unneeded address space mapping for soc node"), so Exynos5433 and Exynos7 +SoCs again matches other ARM64 platforms with 64bit mappings in root +node. + +Reported-by: Alim Akhtar +Fixes: ef72171b3621 ("arm64: dts: exynos: Remove unneeded address space mapping for soc node") +Signed-off-by: Marek Szyprowski +Cc: # 5.3.x: 72ddcf6aa224 arm64: dts: exynos: Move GPU under /soc node for Exynos5433 +Cc: # 5.3.x: ede87c3a2bdb arm64: dts: exynos: Move GPU under /soc node for Exynos7 +Cc: # 4.18.x +Tested-by: Alim Akhtar +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/exynos/exynos5433.dtsi | 6 +++--- + arch/arm64/boot/dts/exynos/exynos7.dtsi | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/arm64/boot/dts/exynos/exynos5433.dtsi ++++ b/arch/arm64/boot/dts/exynos/exynos5433.dtsi +@@ -18,8 +18,8 @@ + + / { + compatible = "samsung,exynos5433"; +- #address-cells = <1>; +- #size-cells = <1>; ++ #address-cells = <2>; ++ #size-cells = <2>; + + interrupt-parent = <&gic>; + +@@ -311,7 +311,7 @@ + compatible = "simple-bus"; + #address-cells = <1>; + #size-cells = <1>; +- ranges; ++ ranges = <0x0 0x0 0x0 0x18000000>; + + chipid@10000000 { + compatible = "samsung,exynos4210-chipid"; +--- a/arch/arm64/boot/dts/exynos/exynos7.dtsi ++++ b/arch/arm64/boot/dts/exynos/exynos7.dtsi +@@ -12,8 +12,8 @@ + / { + compatible = "samsung,exynos7"; + interrupt-parent = <&gic>; +- #address-cells = <1>; +- #size-cells = <1>; ++ #address-cells = <2>; ++ #size-cells = <2>; + + aliases { + pinctrl0 = &pinctrl_alive; +@@ -98,7 +98,7 @@ + compatible = "simple-bus"; + #address-cells = <1>; + #size-cells = <1>; +- ranges; ++ ranges = <0 0 0 0x18000000>; + + chipid@10000000 { + compatible = "samsung,exynos4210-chipid"; diff --git a/queue-5.4/arm64-validate-tagged-addresses-in-access_ok-called-from-kernel-threads.patch b/queue-5.4/arm64-validate-tagged-addresses-in-access_ok-called-from-kernel-threads.patch new file mode 100644 index 00000000000..9e02eefd835 --- /dev/null +++ b/queue-5.4/arm64-validate-tagged-addresses-in-access_ok-called-from-kernel-threads.patch @@ -0,0 +1,55 @@ +From df325e05a682e9c624f471835c35bd3f870d5e8c Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Thu, 5 Dec 2019 13:57:36 +0000 +Subject: arm64: Validate tagged addresses in access_ok() called from kernel threads + +From: Catalin Marinas + +commit df325e05a682e9c624f471835c35bd3f870d5e8c upstream. + +__range_ok(), invoked from access_ok(), clears the tag of the user +address only if CONFIG_ARM64_TAGGED_ADDR_ABI is enabled and the thread +opted in to the relaxed ABI. The latter sets the TIF_TAGGED_ADDR thread +flag. In the case of asynchronous I/O (e.g. io_submit()), the +access_ok() may be called from a kernel thread. Since kernel threads +don't have TIF_TAGGED_ADDR set, access_ok() will fail for valid tagged +user addresses. Example from the ffs_user_copy_worker() thread: + + use_mm(io_data->mm); + ret = ffs_copy_to_iter(io_data->buf, ret, &io_data->data); + unuse_mm(io_data->mm); + +Relax the __range_ok() check to always untag the user address if called +in the context of a kernel thread. The user pointers would have already +been checked via aio_setup_rw() -> import_{single_range,iovec}() at the +time of the asynchronous I/O request. + +Fixes: 63f0c6037965 ("arm64: Introduce prctl() options to control the tagged user addresses ABI") +Cc: # 5.4.x- +Cc: Will Deacon +Reported-by: Evgenii Stepanov +Tested-by: Evgenii Stepanov +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/uaccess.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/uaccess.h ++++ b/arch/arm64/include/asm/uaccess.h +@@ -62,8 +62,13 @@ static inline unsigned long __range_ok(c + { + unsigned long ret, limit = current_thread_info()->addr_limit; + ++ /* ++ * Asynchronous I/O running in a kernel thread does not have the ++ * TIF_TAGGED_ADDR flag of the process owning the mm, so always untag ++ * the user address before checking. ++ */ + if (IS_ENABLED(CONFIG_ARM64_TAGGED_ADDR_ABI) && +- test_thread_flag(TIF_TAGGED_ADDR)) ++ (current->flags & PF_KTHREAD || test_thread_flag(TIF_TAGGED_ADDR))) + addr = untagged_addr(addr); + + __chk_user_ptr(addr); diff --git a/queue-5.4/crypto-af_alg-cast-ki_complete-ternary-op-to-int.patch b/queue-5.4/crypto-af_alg-cast-ki_complete-ternary-op-to-int.patch new file mode 100644 index 00000000000..b01601a4fe9 --- /dev/null +++ b/queue-5.4/crypto-af_alg-cast-ki_complete-ternary-op-to-int.patch @@ -0,0 +1,47 @@ +From 64e7f852c47ce99f6c324c46d6a299a5a7ebead9 Mon Sep 17 00:00:00 2001 +From: Ayush Sawal +Date: Fri, 4 Oct 2019 10:50:58 -0700 +Subject: crypto: af_alg - cast ki_complete ternary op to int + +From: Ayush Sawal + +commit 64e7f852c47ce99f6c324c46d6a299a5a7ebead9 upstream. + +when libkcapi test is executed using HW accelerator, cipher operation +return -74.Since af_alg_async_cb->ki_complete treat err as unsigned int, +libkcapi receive 429467222 even though it expect -ve value. + +Hence its required to cast resultlen to int so that proper +error is returned to libkcapi. + +AEAD one shot non-aligned test 2(libkcapi test) +./../bin/kcapi -x 10 -c "gcm(aes)" -i 7815d4b06ae50c9c56e87bd7 +-k ea38ac0c9b9998c80e28fb496a2b88d9 -a +"853f98a750098bec1aa7497e979e78098155c877879556bb51ddeb6374cbaefc" +-t "c4ce58985b7203094be1d134c1b8ab0b" -q +"b03692f86d1b8b39baf2abb255197c98" + +Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") +Cc: +Signed-off-by: Ayush Sawal +Signed-off-by: Atul Gupta +Signed-off-by: Herbert Xu +Signed-off-by: Ayush Sawal +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/af_alg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -1043,7 +1043,7 @@ void af_alg_async_cb(struct crypto_async + af_alg_free_resources(areq); + sock_put(sk); + +- iocb->ki_complete(iocb, err ? err : resultlen, 0); ++ iocb->ki_complete(iocb, err ? err : (int)resultlen, 0); + } + EXPORT_SYMBOL_GPL(af_alg_async_cb); + diff --git a/queue-5.4/crypto-atmel-aes-fix-iv-handling-when-req-nbytes-ivsize.patch b/queue-5.4/crypto-atmel-aes-fix-iv-handling-when-req-nbytes-ivsize.patch new file mode 100644 index 00000000000..048e7442e39 --- /dev/null +++ b/queue-5.4/crypto-atmel-aes-fix-iv-handling-when-req-nbytes-ivsize.patch @@ -0,0 +1,110 @@ +From 86ef1dfcb561473fbf5e199d58d18c55554d78be Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Fri, 4 Oct 2019 08:55:37 +0000 +Subject: crypto: atmel-aes - Fix IV handling when req->nbytes < ivsize + +From: Tudor Ambarus + +commit 86ef1dfcb561473fbf5e199d58d18c55554d78be upstream. + +commit 394a9e044702 ("crypto: cfb - add missing 'chunksize' property") +adds a test vector where the input length is smaller than the IV length +(the second test vector). This revealed a NULL pointer dereference in +the atmel-aes driver, that is caused by passing an incorrect offset in +scatterwalk_map_and_copy() when atmel_aes_complete() is called. + +Do not save the IV in req->info of ablkcipher_request (or equivalently +req->iv of skcipher_request) when req->nbytes < ivsize, because the IV +will not be further used. + +While touching the code, modify the type of ivsize from int to +unsigned int, to comply with the return type of +crypto_ablkcipher_ivsize(). + +Fixes: 91308019ecb4 ("crypto: atmel-aes - properly set IV after {en,de}crypt") +Cc: +Signed-off-by: Tudor Ambarus +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/atmel-aes.c | 53 +++++++++++++++++++++++++-------------------- + 1 file changed, 30 insertions(+), 23 deletions(-) + +--- a/drivers/crypto/atmel-aes.c ++++ b/drivers/crypto/atmel-aes.c +@@ -490,6 +490,29 @@ static inline bool atmel_aes_is_encrypt( + static void atmel_aes_authenc_complete(struct atmel_aes_dev *dd, int err); + #endif + ++static void atmel_aes_set_iv_as_last_ciphertext_block(struct atmel_aes_dev *dd) ++{ ++ struct ablkcipher_request *req = ablkcipher_request_cast(dd->areq); ++ struct atmel_aes_reqctx *rctx = ablkcipher_request_ctx(req); ++ struct crypto_ablkcipher *ablkcipher = crypto_ablkcipher_reqtfm(req); ++ unsigned int ivsize = crypto_ablkcipher_ivsize(ablkcipher); ++ ++ if (req->nbytes < ivsize) ++ return; ++ ++ if (rctx->mode & AES_FLAGS_ENCRYPT) { ++ scatterwalk_map_and_copy(req->info, req->dst, ++ req->nbytes - ivsize, ivsize, 0); ++ } else { ++ if (req->src == req->dst) ++ memcpy(req->info, rctx->lastc, ivsize); ++ else ++ scatterwalk_map_and_copy(req->info, req->src, ++ req->nbytes - ivsize, ++ ivsize, 0); ++ } ++} ++ + static inline int atmel_aes_complete(struct atmel_aes_dev *dd, int err) + { + #ifdef CONFIG_CRYPTO_DEV_ATMEL_AUTHENC +@@ -500,26 +523,8 @@ static inline int atmel_aes_complete(str + clk_disable(dd->iclk); + dd->flags &= ~AES_FLAGS_BUSY; + +- if (!dd->ctx->is_aead) { +- struct ablkcipher_request *req = +- ablkcipher_request_cast(dd->areq); +- struct atmel_aes_reqctx *rctx = ablkcipher_request_ctx(req); +- struct crypto_ablkcipher *ablkcipher = +- crypto_ablkcipher_reqtfm(req); +- int ivsize = crypto_ablkcipher_ivsize(ablkcipher); +- +- if (rctx->mode & AES_FLAGS_ENCRYPT) { +- scatterwalk_map_and_copy(req->info, req->dst, +- req->nbytes - ivsize, ivsize, 0); +- } else { +- if (req->src == req->dst) { +- memcpy(req->info, rctx->lastc, ivsize); +- } else { +- scatterwalk_map_and_copy(req->info, req->src, +- req->nbytes - ivsize, ivsize, 0); +- } +- } +- } ++ if (!dd->ctx->is_aead) ++ atmel_aes_set_iv_as_last_ciphertext_block(dd); + + if (dd->is_async) + dd->areq->complete(dd->areq, err); +@@ -1125,10 +1130,12 @@ static int atmel_aes_crypt(struct ablkci + rctx->mode = mode; + + if (!(mode & AES_FLAGS_ENCRYPT) && (req->src == req->dst)) { +- int ivsize = crypto_ablkcipher_ivsize(ablkcipher); ++ unsigned int ivsize = crypto_ablkcipher_ivsize(ablkcipher); + +- scatterwalk_map_and_copy(rctx->lastc, req->src, +- (req->nbytes - ivsize), ivsize, 0); ++ if (req->nbytes >= ivsize) ++ scatterwalk_map_and_copy(rctx->lastc, req->src, ++ req->nbytes - ivsize, ++ ivsize, 0); + } + + return atmel_aes_handle_queue(dd, &req->base); diff --git a/queue-5.4/crypto-ccp-fix-uninitialized-list-head.patch b/queue-5.4/crypto-ccp-fix-uninitialized-list-head.patch new file mode 100644 index 00000000000..539218a3d0b --- /dev/null +++ b/queue-5.4/crypto-ccp-fix-uninitialized-list-head.patch @@ -0,0 +1,87 @@ +From 691505a803a7f223b2af621848d581259c61f77d Mon Sep 17 00:00:00 2001 +From: Mark Salter +Date: Mon, 21 Oct 2019 11:29:49 -0400 +Subject: crypto: ccp - fix uninitialized list head + +From: Mark Salter + +commit 691505a803a7f223b2af621848d581259c61f77d upstream. + +A NULL-pointer dereference was reported in fedora bz#1762199 while +reshaping a raid6 array after adding a fifth drive to an existing +array. + +[ 47.343549] md/raid:md0: raid level 6 active with 3 out of 5 devices, algorithm 2 +[ 47.804017] md0: detected capacity change from 0 to 7885289422848 +[ 47.822083] Unable to handle kernel read from unreadable memory at virtual address 0000000000000000 +... +[ 47.940477] CPU: 1 PID: 14210 Comm: md0_raid6 Tainted: G W 5.2.18-200.fc30.aarch64 #1 +[ 47.949594] Hardware name: AMD Overdrive/Supercharger/To be filled by O.E.M., BIOS ROD1002C 04/08/2016 +[ 47.958886] pstate: 00400085 (nzcv daIf +PAN -UAO) +[ 47.963668] pc : __list_del_entry_valid+0x2c/0xa8 +[ 47.968366] lr : ccp_tx_submit+0x84/0x168 [ccp] +[ 47.972882] sp : ffff00001369b970 +[ 47.976184] x29: ffff00001369b970 x28: ffff00001369bdb8 +[ 47.981483] x27: 00000000ffffffff x26: ffff8003b758af70 +[ 47.986782] x25: ffff8003b758b2d8 x24: ffff8003e6245818 +[ 47.992080] x23: 0000000000000000 x22: ffff8003e62450c0 +[ 47.997379] x21: ffff8003dfd6add8 x20: 0000000000000003 +[ 48.002678] x19: ffff8003e6245100 x18: 0000000000000000 +[ 48.007976] x17: 0000000000000000 x16: 0000000000000000 +[ 48.013274] x15: 0000000000000000 x14: 0000000000000000 +[ 48.018572] x13: ffff7e000ef83a00 x12: 0000000000000001 +[ 48.023870] x11: ffff000010eff998 x10: 00000000000019a0 +[ 48.029169] x9 : 0000000000000000 x8 : ffff8003e6245180 +[ 48.034467] x7 : 0000000000000000 x6 : 000000000000003f +[ 48.039766] x5 : 0000000000000040 x4 : ffff8003e0145080 +[ 48.045064] x3 : dead000000000200 x2 : 0000000000000000 +[ 48.050362] x1 : 0000000000000000 x0 : ffff8003e62450c0 +[ 48.055660] Call trace: +[ 48.058095] __list_del_entry_valid+0x2c/0xa8 +[ 48.062442] ccp_tx_submit+0x84/0x168 [ccp] +[ 48.066615] async_tx_submit+0x224/0x368 [async_tx] +[ 48.071480] async_trigger_callback+0x68/0xfc [async_tx] +[ 48.076784] ops_run_biofill+0x178/0x1e8 [raid456] +[ 48.081566] raid_run_ops+0x248/0x818 [raid456] +[ 48.086086] handle_stripe+0x864/0x1208 [raid456] +[ 48.090781] handle_active_stripes.isra.0+0xb0/0x278 [raid456] +[ 48.096604] raid5d+0x378/0x618 [raid456] +[ 48.100602] md_thread+0xa0/0x150 +[ 48.103905] kthread+0x104/0x130 +[ 48.107122] ret_from_fork+0x10/0x18 +[ 48.110686] Code: d2804003 f2fbd5a3 eb03003f 54000320 (f9400021) +[ 48.116766] ---[ end trace 23f390a527f7ad77 ]--- + +ccp_tx_submit is passed a dma_async_tx_descriptor which is contained in +a ccp_dma_desc and adds it to a ccp channel's pending list: + + list_del(&desc->entry); + list_add_tail(&desc->entry, &chan->pending); + +The problem is that desc->entry may be uninitialized in the +async_trigger_callback path where the descriptor was gotten +from ccp_prep_dma_interrupt which got it from ccp_alloc_dma_desc +which doesn't initialize the desc->entry list head. So, just +initialize the list head to avoid the problem. + +Cc: +Reported-by: Sahaj Sarup +Signed-off-by: Mark Salter +Acked-by: Gary R Hook +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-dmaengine.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/crypto/ccp/ccp-dmaengine.c ++++ b/drivers/crypto/ccp/ccp-dmaengine.c +@@ -342,6 +342,7 @@ static struct ccp_dma_desc *ccp_alloc_dm + desc->tx_desc.flags = flags; + desc->tx_desc.tx_submit = ccp_tx_submit; + desc->ccp = chan->ccp; ++ INIT_LIST_HEAD(&desc->entry); + INIT_LIST_HEAD(&desc->pending); + INIT_LIST_HEAD(&desc->active); + desc->status = DMA_IN_PROGRESS; diff --git a/queue-5.4/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch b/queue-5.4/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch new file mode 100644 index 00000000000..0a09d144042 --- /dev/null +++ b/queue-5.4/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch @@ -0,0 +1,43 @@ +From 746c908c4d72e49068ab216c3926d2720d71a90d Mon Sep 17 00:00:00 2001 +From: Christian Lamparter +Date: Thu, 31 Oct 2019 17:14:38 +0100 +Subject: crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr + +From: Christian Lamparter + +commit 746c908c4d72e49068ab216c3926d2720d71a90d upstream. + +This patch fixes a crash that can happen during probe +when the available dma memory is not enough (this can +happen if the crypto4xx is built as a module). + +The descriptor window mapping would end up being free'd +twice, once in crypto4xx_build_pdr() and the second time +in crypto4xx_destroy_sdr(). + +Fixes: 5d59ad6eea82 ("crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak") +Cc: +Signed-off-by: Christian Lamparter +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/amcc/crypto4xx_core.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/crypto/amcc/crypto4xx_core.c ++++ b/drivers/crypto/amcc/crypto4xx_core.c +@@ -365,12 +365,8 @@ static u32 crypto4xx_build_sdr(struct cr + dma_alloc_coherent(dev->core_dev->device, + PPC4XX_SD_BUFFER_SIZE * PPC4XX_NUM_SD, + &dev->scatter_buffer_pa, GFP_ATOMIC); +- if (!dev->scatter_buffer_va) { +- dma_free_coherent(dev->core_dev->device, +- sizeof(struct ce_sd) * PPC4XX_NUM_SD, +- dev->sdr, dev->sdr_pa); ++ if (!dev->scatter_buffer_va) + return -ENOMEM; +- } + + for (i = 0; i < PPC4XX_NUM_SD; i++) { + dev->sdr[i].ptr = dev->scatter_buffer_pa + diff --git a/queue-5.4/crypto-ecdh-fix-big-endian-bug-in-ecc-library.patch b/queue-5.4/crypto-ecdh-fix-big-endian-bug-in-ecc-library.patch new file mode 100644 index 00000000000..301f5d3f98e --- /dev/null +++ b/queue-5.4/crypto-ecdh-fix-big-endian-bug-in-ecc-library.patch @@ -0,0 +1,42 @@ +From f398243e9fd6a3a059c1ea7b380c40628dbf0c61 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 23 Oct 2019 11:50:44 +0200 +Subject: crypto: ecdh - fix big endian bug in ECC library + +From: Ard Biesheuvel + +commit f398243e9fd6a3a059c1ea7b380c40628dbf0c61 upstream. + +The elliptic curve arithmetic library used by the EC-DH KPP implementation +assumes big endian byte order, and unconditionally reverses the byte +and word order of multi-limb quantities. On big endian systems, the byte +reordering is not necessary, while the word ordering needs to be retained. + +So replace the __swab64() invocation with a call to be64_to_cpu() which +should do the right thing for both little and big endian builds. + +Fixes: 3c4b23901a0c ("crypto: ecdh - Add ECDH software support") +Cc: # v4.9+ +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/ecc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/crypto/ecc.c ++++ b/crypto/ecc.c +@@ -1284,10 +1284,11 @@ EXPORT_SYMBOL(ecc_point_mult_shamir); + static inline void ecc_swap_digits(const u64 *in, u64 *out, + unsigned int ndigits) + { ++ const __be64 *src = (__force __be64 *)in; + int i; + + for (i = 0; i < ndigits; i++) +- out[i] = __swab64(in[ndigits - 1 - i]); ++ out[i] = be64_to_cpu(src[ndigits - 1 - i]); + } + + static int __ecc_is_key_valid(const struct ecc_curve *curve, diff --git a/queue-5.4/crypto-geode-aes-switch-to-skcipher-for-cbc-aes-fallback.patch b/queue-5.4/crypto-geode-aes-switch-to-skcipher-for-cbc-aes-fallback.patch new file mode 100644 index 00000000000..c1ffadbe123 --- /dev/null +++ b/queue-5.4/crypto-geode-aes-switch-to-skcipher-for-cbc-aes-fallback.patch @@ -0,0 +1,179 @@ +From 504582e8e40b90b8f8c58783e2d1e4f6a2b71a3a Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Sat, 5 Oct 2019 11:11:10 +0200 +Subject: crypto: geode-aes - switch to skcipher for cbc(aes) fallback + +From: Ard Biesheuvel + +commit 504582e8e40b90b8f8c58783e2d1e4f6a2b71a3a upstream. + +Commit 79c65d179a40e145 ("crypto: cbc - Convert to skcipher") updated +the generic CBC template wrapper from a blkcipher to a skcipher algo, +to get away from the deprecated blkcipher interface. However, as a side +effect, drivers that instantiate CBC transforms using the blkcipher as +a fallback no longer work, since skciphers can wrap blkciphers but not +the other way around. This broke the geode-aes driver. + +So let's fix it by moving to the sync skcipher interface when allocating +the fallback. At the same time, align with the generic API for ECB and +CBC by rejecting inputs that are not a multiple of the AES block size. + +Fixes: 79c65d179a40e145 ("crypto: cbc - Convert to skcipher") +Cc: # v4.20+ ONLY +Signed-off-by: Ard Biesheuvel +Signed-off-by: Florian Bezdeka +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/geode-aes.c | 57 ++++++++++++++++++++++++++------------------- + drivers/crypto/geode-aes.h | 2 - + 2 files changed, 34 insertions(+), 25 deletions(-) + +--- a/drivers/crypto/geode-aes.c ++++ b/drivers/crypto/geode-aes.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -166,13 +167,15 @@ static int geode_setkey_blk(struct crypt + /* + * The requested key size is not supported by HW, do a fallback + */ +- op->fallback.blk->base.crt_flags &= ~CRYPTO_TFM_REQ_MASK; +- op->fallback.blk->base.crt_flags |= (tfm->crt_flags & CRYPTO_TFM_REQ_MASK); ++ crypto_sync_skcipher_clear_flags(op->fallback.blk, CRYPTO_TFM_REQ_MASK); ++ crypto_sync_skcipher_set_flags(op->fallback.blk, ++ tfm->crt_flags & CRYPTO_TFM_REQ_MASK); + +- ret = crypto_blkcipher_setkey(op->fallback.blk, key, len); ++ ret = crypto_sync_skcipher_setkey(op->fallback.blk, key, len); + if (ret) { + tfm->crt_flags &= ~CRYPTO_TFM_RES_MASK; +- tfm->crt_flags |= (op->fallback.blk->base.crt_flags & CRYPTO_TFM_RES_MASK); ++ tfm->crt_flags |= crypto_sync_skcipher_get_flags(op->fallback.blk) & ++ CRYPTO_TFM_RES_MASK; + } + return ret; + } +@@ -181,33 +184,28 @@ static int fallback_blk_dec(struct blkci + struct scatterlist *dst, struct scatterlist *src, + unsigned int nbytes) + { +- unsigned int ret; +- struct crypto_blkcipher *tfm; + struct geode_aes_op *op = crypto_blkcipher_ctx(desc->tfm); ++ SYNC_SKCIPHER_REQUEST_ON_STACK(req, op->fallback.blk); + +- tfm = desc->tfm; +- desc->tfm = op->fallback.blk; +- +- ret = crypto_blkcipher_decrypt_iv(desc, dst, src, nbytes); ++ skcipher_request_set_sync_tfm(req, op->fallback.blk); ++ skcipher_request_set_callback(req, 0, NULL, NULL); ++ skcipher_request_set_crypt(req, src, dst, nbytes, desc->info); + +- desc->tfm = tfm; +- return ret; ++ return crypto_skcipher_decrypt(req); + } ++ + static int fallback_blk_enc(struct blkcipher_desc *desc, + struct scatterlist *dst, struct scatterlist *src, + unsigned int nbytes) + { +- unsigned int ret; +- struct crypto_blkcipher *tfm; + struct geode_aes_op *op = crypto_blkcipher_ctx(desc->tfm); ++ SYNC_SKCIPHER_REQUEST_ON_STACK(req, op->fallback.blk); + +- tfm = desc->tfm; +- desc->tfm = op->fallback.blk; +- +- ret = crypto_blkcipher_encrypt_iv(desc, dst, src, nbytes); ++ skcipher_request_set_sync_tfm(req, op->fallback.blk); ++ skcipher_request_set_callback(req, 0, NULL, NULL); ++ skcipher_request_set_crypt(req, src, dst, nbytes, desc->info); + +- desc->tfm = tfm; +- return ret; ++ return crypto_skcipher_encrypt(req); + } + + static void +@@ -307,6 +305,9 @@ geode_cbc_decrypt(struct blkcipher_desc + struct blkcipher_walk walk; + int err, ret; + ++ if (nbytes % AES_BLOCK_SIZE) ++ return -EINVAL; ++ + if (unlikely(op->keylen != AES_KEYSIZE_128)) + return fallback_blk_dec(desc, dst, src, nbytes); + +@@ -339,6 +340,9 @@ geode_cbc_encrypt(struct blkcipher_desc + struct blkcipher_walk walk; + int err, ret; + ++ if (nbytes % AES_BLOCK_SIZE) ++ return -EINVAL; ++ + if (unlikely(op->keylen != AES_KEYSIZE_128)) + return fallback_blk_enc(desc, dst, src, nbytes); + +@@ -366,9 +370,8 @@ static int fallback_init_blk(struct cryp + const char *name = crypto_tfm_alg_name(tfm); + struct geode_aes_op *op = crypto_tfm_ctx(tfm); + +- op->fallback.blk = crypto_alloc_blkcipher(name, 0, +- CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK); +- ++ op->fallback.blk = crypto_alloc_sync_skcipher(name, 0, ++ CRYPTO_ALG_NEED_FALLBACK); + if (IS_ERR(op->fallback.blk)) { + printk(KERN_ERR "Error allocating fallback algo %s\n", name); + return PTR_ERR(op->fallback.blk); +@@ -381,7 +384,7 @@ static void fallback_exit_blk(struct cry + { + struct geode_aes_op *op = crypto_tfm_ctx(tfm); + +- crypto_free_blkcipher(op->fallback.blk); ++ crypto_free_sync_skcipher(op->fallback.blk); + op->fallback.blk = NULL; + } + +@@ -420,6 +423,9 @@ geode_ecb_decrypt(struct blkcipher_desc + struct blkcipher_walk walk; + int err, ret; + ++ if (nbytes % AES_BLOCK_SIZE) ++ return -EINVAL; ++ + if (unlikely(op->keylen != AES_KEYSIZE_128)) + return fallback_blk_dec(desc, dst, src, nbytes); + +@@ -450,6 +456,9 @@ geode_ecb_encrypt(struct blkcipher_desc + struct blkcipher_walk walk; + int err, ret; + ++ if (nbytes % AES_BLOCK_SIZE) ++ return -EINVAL; ++ + if (unlikely(op->keylen != AES_KEYSIZE_128)) + return fallback_blk_enc(desc, dst, src, nbytes); + +--- a/drivers/crypto/geode-aes.h ++++ b/drivers/crypto/geode-aes.h +@@ -60,7 +60,7 @@ struct geode_aes_op { + u8 *iv; + + union { +- struct crypto_blkcipher *blk; ++ struct crypto_sync_skcipher *blk; + struct crypto_cipher *cip; + } fallback; + u32 keylen; diff --git a/queue-5.4/crypto-user-fix-memory-leak-in-crypto_report.patch b/queue-5.4/crypto-user-fix-memory-leak-in-crypto_report.patch new file mode 100644 index 00000000000..861fbb81ed7 --- /dev/null +++ b/queue-5.4/crypto-user-fix-memory-leak-in-crypto_report.patch @@ -0,0 +1,36 @@ +From ffdde5932042600c6807d46c1550b28b0db6a3bc Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Fri, 4 Oct 2019 14:29:16 -0500 +Subject: crypto: user - fix memory leak in crypto_report + +From: Navid Emamdoost + +commit ffdde5932042600c6807d46c1550b28b0db6a3bc upstream. + +In crypto_report, a new skb is created via nlmsg_new(). This skb should +be released if crypto_report_alg() fails. + +Fixes: a38f7907b926 ("crypto: Add userspace configuration API") +Cc: +Signed-off-by: Navid Emamdoost +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/crypto_user_base.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/crypto/crypto_user_base.c ++++ b/crypto/crypto_user_base.c +@@ -213,8 +213,10 @@ static int crypto_report(struct sk_buff + drop_alg: + crypto_mod_put(alg); + +- if (err) ++ if (err) { ++ kfree_skb(skb); + return err; ++ } + + return nlmsg_unicast(net->crypto_nlsk, skb, NETLINK_CB(in_skb).portid); + } diff --git a/queue-5.4/crypto-user-fix-memory-leak-in-crypto_reportstat.patch b/queue-5.4/crypto-user-fix-memory-leak-in-crypto_reportstat.patch new file mode 100644 index 00000000000..aad05207897 --- /dev/null +++ b/queue-5.4/crypto-user-fix-memory-leak-in-crypto_reportstat.patch @@ -0,0 +1,37 @@ +From c03b04dcdba1da39903e23cc4d072abf8f68f2dd Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Fri, 4 Oct 2019 14:34:54 -0500 +Subject: crypto: user - fix memory leak in crypto_reportstat + +From: Navid Emamdoost + +commit c03b04dcdba1da39903e23cc4d072abf8f68f2dd upstream. + +In crypto_reportstat, a new skb is created by nlmsg_new(). This skb is +leaked if crypto_reportstat_alg() fails. Required release for skb is +added. + +Fixes: cac5818c25d0 ("crypto: user - Implement a generic crypto statistics") +Cc: +Signed-off-by: Navid Emamdoost +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/crypto_user_stat.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/crypto/crypto_user_stat.c ++++ b/crypto/crypto_user_stat.c +@@ -328,8 +328,10 @@ int crypto_reportstat(struct sk_buff *in + drop_alg: + crypto_mod_put(alg); + +- if (err) ++ if (err) { ++ kfree_skb(skb); + return err; ++ } + + return nlmsg_unicast(net->crypto_nlsk, skb, NETLINK_CB(in_skb).portid); + } diff --git a/queue-5.4/drm-damage_helper-fix-race-checking-plane-state-fb.patch b/queue-5.4/drm-damage_helper-fix-race-checking-plane-state-fb.patch new file mode 100644 index 00000000000..e9403525642 --- /dev/null +++ b/queue-5.4/drm-damage_helper-fix-race-checking-plane-state-fb.patch @@ -0,0 +1,58 @@ +From 354c2d310082d1c384213ba76c3757dd3cd8755d Mon Sep 17 00:00:00 2001 +From: Sean Paul +Date: Wed, 4 Sep 2019 16:29:13 -0400 +Subject: drm: damage_helper: Fix race checking plane->state->fb + +From: Sean Paul + +commit 354c2d310082d1c384213ba76c3757dd3cd8755d upstream. + +Since the dirtyfb ioctl doesn't give us any hints as to which plane is +scanning out the fb it's marking as damaged, we need to loop through +planes to find it. + +Currently we just reach into plane state and check, but that can race +with another commit changing the fb out from under us. This patch locks +the plane before checking the fb and will release the lock if the plane +is not displaying the dirty fb. + +Fixes: b9fc5e01d1ce ("drm: Add helper to implement legacy dirtyfb") +Cc: Rob Clark +Cc: Deepak Rawat +Cc: Daniel Vetter +Cc: Thomas Hellstrom +Cc: Maarten Lankhorst +Cc: Maxime Ripard +Cc: Sean Paul +Cc: David Airlie +Cc: Daniel Vetter +Cc: dri-devel@lists.freedesktop.org +Cc: # v5.0+ +Reported-by: Daniel Vetter +Reviewed-by: Daniel Vetter +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20190904202938.110207-1-sean@poorly.run +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_damage_helper.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_damage_helper.c ++++ b/drivers/gpu/drm/drm_damage_helper.c +@@ -212,8 +212,14 @@ retry: + drm_for_each_plane(plane, fb->dev) { + struct drm_plane_state *plane_state; + +- if (plane->state->fb != fb) ++ ret = drm_modeset_lock(&plane->mutex, state->acquire_ctx); ++ if (ret) ++ goto out; ++ ++ if (plane->state->fb != fb) { ++ drm_modeset_unlock(&plane->mutex); + continue; ++ } + + plane_state = drm_atomic_get_plane_state(state, plane); + if (IS_ERR(plane_state)) { diff --git a/queue-5.4/drm-i810-prevent-underflow-in-ioctl.patch b/queue-5.4/drm-i810-prevent-underflow-in-ioctl.patch new file mode 100644 index 00000000000..71f993e55f8 --- /dev/null +++ b/queue-5.4/drm-i810-prevent-underflow-in-ioctl.patch @@ -0,0 +1,43 @@ +From 4f69851fbaa26b155330be35ce8ac393e93e7442 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 4 Oct 2019 13:22:51 +0300 +Subject: drm/i810: Prevent underflow in ioctl + +From: Dan Carpenter + +commit 4f69851fbaa26b155330be35ce8ac393e93e7442 upstream. + +The "used" variables here come from the user in the ioctl and it can be +negative. It could result in an out of bounds write. + +Signed-off-by: Dan Carpenter +Reviewed-by: Chris Wilson +Signed-off-by: Chris Wilson +Link: https://patchwork.freedesktop.org/patch/msgid/20191004102251.GC823@mwanda +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i810/i810_dma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i810/i810_dma.c ++++ b/drivers/gpu/drm/i810/i810_dma.c +@@ -728,7 +728,7 @@ static void i810_dma_dispatch_vertex(str + if (nbox > I810_NR_SAREA_CLIPRECTS) + nbox = I810_NR_SAREA_CLIPRECTS; + +- if (used > 4 * 1024) ++ if (used < 0 || used > 4 * 1024) + used = 0; + + if (sarea_priv->dirty) +@@ -1048,7 +1048,7 @@ static void i810_dma_dispatch_mc(struct + if (u != I810_BUF_CLIENT) + DRM_DEBUG("MC found buffer that isn't mine!\n"); + +- if (used > 4 * 1024) ++ if (used < 0 || used > 4 * 1024) + used = 0; + + sarea_priv->dirty = 0x7f; diff --git a/queue-5.4/drm-msm-fix-memleak-on-release.patch b/queue-5.4/drm-msm-fix-memleak-on-release.patch new file mode 100644 index 00000000000..b2ace1c9683 --- /dev/null +++ b/queue-5.4/drm-msm-fix-memleak-on-release.patch @@ -0,0 +1,45 @@ +From a64fc11b9a520c55ca34d82e5ca32274f49b6b15 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 10 Oct 2019 15:13:30 +0200 +Subject: drm/msm: fix memleak on release + +From: Johan Hovold + +commit a64fc11b9a520c55ca34d82e5ca32274f49b6b15 upstream. + +If a process is interrupted while accessing the "gpu" debugfs file and +the drm device struct_mutex is contended, release() could return early +and fail to free related resources. + +Note that the return value from release() is ignored. + +Fixes: 4f776f4511c7 ("drm/msm/gpu: Convert the GPU show function to use the GPU state") +Cc: stable # 4.18 +Cc: Jordan Crouse +Cc: Rob Clark +Reviewed-by: Rob Clark +Signed-off-by: Johan Hovold +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20191010131333.23635-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/msm/msm_debugfs.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/gpu/drm/msm/msm_debugfs.c ++++ b/drivers/gpu/drm/msm/msm_debugfs.c +@@ -47,12 +47,8 @@ static int msm_gpu_release(struct inode + struct msm_gpu_show_priv *show_priv = m->private; + struct msm_drm_private *priv = show_priv->dev->dev_private; + struct msm_gpu *gpu = priv->gpu; +- int ret; +- +- ret = mutex_lock_interruptible(&show_priv->dev->struct_mutex); +- if (ret) +- return ret; + ++ mutex_lock(&show_priv->dev->struct_mutex); + gpu->funcs->gpu_state_put(show_priv->state); + mutex_unlock(&show_priv->dev->struct_mutex); + diff --git a/queue-5.4/kvm-arm-arm64-vgic-don-t-rely-on-the-wrong-pending-table.patch b/queue-5.4/kvm-arm-arm64-vgic-don-t-rely-on-the-wrong-pending-table.patch new file mode 100644 index 00000000000..c68f6ec2f1d --- /dev/null +++ b/queue-5.4/kvm-arm-arm64-vgic-don-t-rely-on-the-wrong-pending-table.patch @@ -0,0 +1,54 @@ +From ca185b260951d3b55108c0b95e188682d8a507b7 Mon Sep 17 00:00:00 2001 +From: Zenghui Yu +Date: Tue, 29 Oct 2019 15:19:19 +0800 +Subject: KVM: arm/arm64: vgic: Don't rely on the wrong pending table + +From: Zenghui Yu + +commit ca185b260951d3b55108c0b95e188682d8a507b7 upstream. + +It's possible that two LPIs locate in the same "byte_offset" but target +two different vcpus, where their pending status are indicated by two +different pending tables. In such a scenario, using last_byte_offset +optimization will lead KVM relying on the wrong pending table entry. +Let us use last_ptr instead, which can be treated as a byte index into +a pending table and also, can be vcpu specific. + +Fixes: 280771252c1b ("KVM: arm64: vgic-v3: KVM_DEV_ARM_VGIC_SAVE_PENDING_TABLES") +Cc: stable@vger.kernel.org +Signed-off-by: Zenghui Yu +Signed-off-by: Marc Zyngier +Acked-by: Eric Auger +Link: https://lore.kernel.org/r/20191029071919.177-4-yuzenghui@huawei.com +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/arm/vgic/vgic-v3.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/virt/kvm/arm/vgic/vgic-v3.c ++++ b/virt/kvm/arm/vgic/vgic-v3.c +@@ -363,8 +363,8 @@ retry: + int vgic_v3_save_pending_tables(struct kvm *kvm) + { + struct vgic_dist *dist = &kvm->arch.vgic; +- int last_byte_offset = -1; + struct vgic_irq *irq; ++ gpa_t last_ptr = ~(gpa_t)0; + int ret; + u8 val; + +@@ -384,11 +384,11 @@ int vgic_v3_save_pending_tables(struct k + bit_nr = irq->intid % BITS_PER_BYTE; + ptr = pendbase + byte_offset; + +- if (byte_offset != last_byte_offset) { ++ if (ptr != last_ptr) { + ret = kvm_read_guest_lock(kvm, ptr, &val, 1); + if (ret) + return ret; +- last_byte_offset = byte_offset; ++ last_ptr = ptr; + } + + stored = val & (1U << bit_nr); diff --git a/queue-5.4/kvm-nvmx-always-write-vmcs02.guest_cr3-during-nested-vm-enter.patch b/queue-5.4/kvm-nvmx-always-write-vmcs02.guest_cr3-during-nested-vm-enter.patch new file mode 100644 index 00000000000..dcdfa9e7a22 --- /dev/null +++ b/queue-5.4/kvm-nvmx-always-write-vmcs02.guest_cr3-during-nested-vm-enter.patch @@ -0,0 +1,93 @@ +From 04f11ef45810da5ae2542dd78cc353f3761bd2cb Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 27 Sep 2019 14:45:16 -0700 +Subject: KVM: nVMX: Always write vmcs02.GUEST_CR3 during nested VM-Enter + +From: Sean Christopherson + +commit 04f11ef45810da5ae2542dd78cc353f3761bd2cb upstream. + +Write the desired L2 CR3 into vmcs02.GUEST_CR3 during nested VM-Enter +instead of deferring the VMWRITE until vmx_set_cr3(). If the VMWRITE +is deferred, then KVM can consume a stale vmcs02.GUEST_CR3 when it +refreshes vmcs12->guest_cr3 during nested_vmx_vmexit() if the emulated +VM-Exit occurs without actually entering L2, e.g. if the nested run +is squashed because nested VM-Enter (from L1) is putting L2 into HLT. + +Note, the above scenario can occur regardless of whether L1 is +intercepting HLT, e.g. L1 can intercept HLT and then re-enter L2 with +vmcs.GUEST_ACTIVITY_STATE=HALTED. But practically speaking, a VMM will +likely put a guest into HALTED if and only if it's not intercepting HLT. + +In an ideal world where EPT *requires* unrestricted guest (and vice +versa), VMX could handle CR3 similar to how it handles RSP and RIP, +e.g. mark CR3 dirty and conditionally load it at vmx_vcpu_run(). But +the unrestricted guest silliness complicates the dirty tracking logic +to the point that explicitly handling vmcs02.GUEST_CR3 during nested +VM-Enter is a simpler overall implementation. + +Cc: stable@vger.kernel.org +Reported-and-tested-by: Reto Buerki +Tested-by: Vitaly Kuznetsov +Reviewed-by: Liran Alon +Signed-off-by: Sean Christopherson +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx/nested.c | 10 ++++++++++ + arch/x86/kvm/vmx/vmx.c | 10 +++++++--- + 2 files changed, 17 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -2418,6 +2418,16 @@ static int prepare_vmcs02(struct kvm_vcp + entry_failure_code)) + return -EINVAL; + ++ /* ++ * Immediately write vmcs02.GUEST_CR3. It will be propagated to vmcs12 ++ * on nested VM-Exit, which can occur without actually running L2 and ++ * thus without hitting vmx_set_cr3(), e.g. if L1 is entering L2 with ++ * vmcs12.GUEST_ACTIVITYSTATE=HLT, in which case KVM will intercept the ++ * transition to HLT instead of running L2. ++ */ ++ if (enable_ept) ++ vmcs_writel(GUEST_CR3, vmcs12->guest_cr3); ++ + /* Late preparation of GUEST_PDPTRs now that EFER and CRs are set. */ + if (load_guest_pdptrs_vmcs12 && nested_cpu_has_ept(vmcs12) && + is_pae_paging(vcpu)) { +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -2995,6 +2995,7 @@ u64 construct_eptp(struct kvm_vcpu *vcpu + void vmx_set_cr3(struct kvm_vcpu *vcpu, unsigned long cr3) + { + struct kvm *kvm = vcpu->kvm; ++ bool update_guest_cr3 = true; + unsigned long guest_cr3; + u64 eptp; + +@@ -3011,15 +3012,18 @@ void vmx_set_cr3(struct kvm_vcpu *vcpu, + spin_unlock(&to_kvm_vmx(kvm)->ept_pointer_lock); + } + +- if (enable_unrestricted_guest || is_paging(vcpu) || +- is_guest_mode(vcpu)) ++ /* Loading vmcs02.GUEST_CR3 is handled by nested VM-Enter. */ ++ if (is_guest_mode(vcpu)) ++ update_guest_cr3 = false; ++ else if (enable_unrestricted_guest || is_paging(vcpu)) + guest_cr3 = kvm_read_cr3(vcpu); + else + guest_cr3 = to_kvm_vmx(kvm)->ept_identity_map_addr; + ept_load_pdptrs(vcpu); + } + +- vmcs_writel(GUEST_CR3, guest_cr3); ++ if (update_guest_cr3) ++ vmcs_writel(GUEST_CR3, guest_cr3); + } + + int vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) diff --git a/queue-5.4/kvm-ppc-book3s-hv-xive-fix-potential-page-leak-on-error-path.patch b/queue-5.4/kvm-ppc-book3s-hv-xive-fix-potential-page-leak-on-error-path.patch new file mode 100644 index 00000000000..3f6d0c0cab3 --- /dev/null +++ b/queue-5.4/kvm-ppc-book3s-hv-xive-fix-potential-page-leak-on-error-path.patch @@ -0,0 +1,56 @@ +From 30486e72093ea2e594f44876b7a445c219449bce Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Wed, 13 Nov 2019 17:46:19 +0100 +Subject: KVM: PPC: Book3S HV: XIVE: Fix potential page leak on error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Greg Kurz + +commit 30486e72093ea2e594f44876b7a445c219449bce upstream. + +We need to check the host page size is big enough to accomodate the +EQ. Let's do this before taking a reference on the EQ page to avoid +a potential leak if the check fails. + +Cc: stable@vger.kernel.org # v5.2 +Fixes: 13ce3297c576 ("KVM: PPC: Book3S HV: XIVE: Add controls for the EQ configuration") +Signed-off-by: Greg Kurz +Reviewed-by: Cédric Le Goater +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_xive_native.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/kvm/book3s_xive_native.c ++++ b/arch/powerpc/kvm/book3s_xive_native.c +@@ -637,12 +637,6 @@ static int kvmppc_xive_native_set_queue_ + + srcu_idx = srcu_read_lock(&kvm->srcu); + gfn = gpa_to_gfn(kvm_eq.qaddr); +- page = gfn_to_page(kvm, gfn); +- if (is_error_page(page)) { +- srcu_read_unlock(&kvm->srcu, srcu_idx); +- pr_err("Couldn't get queue page %llx!\n", kvm_eq.qaddr); +- return -EINVAL; +- } + + page_size = kvm_host_page_size(kvm, gfn); + if (1ull << kvm_eq.qshift > page_size) { +@@ -651,6 +645,13 @@ static int kvmppc_xive_native_set_queue_ + return -EINVAL; + } + ++ page = gfn_to_page(kvm, gfn); ++ if (is_error_page(page)) { ++ srcu_read_unlock(&kvm->srcu, srcu_idx); ++ pr_err("Couldn't get queue page %llx!\n", kvm_eq.qaddr); ++ return -EINVAL; ++ } ++ + qaddr = page_to_virt(page) + (kvm_eq.qaddr & ~PAGE_MASK); + srcu_read_unlock(&kvm->srcu, srcu_idx); + diff --git a/queue-5.4/kvm-ppc-book3s-hv-xive-free-previous-eq-page-when-setting-up-a-new-one.patch b/queue-5.4/kvm-ppc-book3s-hv-xive-free-previous-eq-page-when-setting-up-a-new-one.patch new file mode 100644 index 00000000000..690e1822353 --- /dev/null +++ b/queue-5.4/kvm-ppc-book3s-hv-xive-free-previous-eq-page-when-setting-up-a-new-one.patch @@ -0,0 +1,109 @@ +From 31a88c82b466d2f31a44e21c479f45b4732ccfd0 Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Wed, 13 Nov 2019 17:46:13 +0100 +Subject: KVM: PPC: Book3S HV: XIVE: Free previous EQ page when setting up a new one +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Greg Kurz + +commit 31a88c82b466d2f31a44e21c479f45b4732ccfd0 upstream. + +The EQ page is allocated by the guest and then passed to the hypervisor +with the H_INT_SET_QUEUE_CONFIG hcall. A reference is taken on the page +before handing it over to the HW. This reference is dropped either when +the guest issues the H_INT_RESET hcall or when the KVM device is released. +But, the guest can legitimately call H_INT_SET_QUEUE_CONFIG several times, +either to reset the EQ (vCPU hot unplug) or to set a new EQ (guest reboot). +In both cases the existing EQ page reference is leaked because we simply +overwrite it in the XIVE queue structure without calling put_page(). + +This is especially visible when the guest memory is backed with huge pages: +start a VM up to the guest userspace, either reboot it or unplug a vCPU, +quit QEMU. The leak is observed by comparing the value of HugePages_Free in +/proc/meminfo before and after the VM is run. + +Ideally we'd want the XIVE code to handle the EQ page de-allocation at the +platform level. This isn't the case right now because the various XIVE +drivers have different allocation needs. It could maybe worth introducing +hooks for this purpose instead of exposing XIVE internals to the drivers, +but this is certainly a huge work to be done later. + +In the meantime, for easier backport, fix both vCPU unplug and guest reboot +leaks by introducing a wrapper around xive_native_configure_queue() that +does the necessary cleanup. + +Reported-by: Satheesh Rajendran +Cc: stable@vger.kernel.org # v5.2 +Fixes: 13ce3297c576 ("KVM: PPC: Book3S HV: XIVE: Add controls for the EQ configuration") +Signed-off-by: Cédric Le Goater +Signed-off-by: Greg Kurz +Tested-by: Lijun Pan +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_xive_native.c | 31 ++++++++++++++++++++++--------- + 1 file changed, 22 insertions(+), 9 deletions(-) + +--- a/arch/powerpc/kvm/book3s_xive_native.c ++++ b/arch/powerpc/kvm/book3s_xive_native.c +@@ -50,6 +50,24 @@ static void kvmppc_xive_native_cleanup_q + } + } + ++static int kvmppc_xive_native_configure_queue(u32 vp_id, struct xive_q *q, ++ u8 prio, __be32 *qpage, ++ u32 order, bool can_escalate) ++{ ++ int rc; ++ __be32 *qpage_prev = q->qpage; ++ ++ rc = xive_native_configure_queue(vp_id, q, prio, qpage, order, ++ can_escalate); ++ if (rc) ++ return rc; ++ ++ if (qpage_prev) ++ put_page(virt_to_page(qpage_prev)); ++ ++ return rc; ++} ++ + void kvmppc_xive_native_cleanup_vcpu(struct kvm_vcpu *vcpu) + { + struct kvmppc_xive_vcpu *xc = vcpu->arch.xive_vcpu; +@@ -582,19 +600,14 @@ static int kvmppc_xive_native_set_queue_ + q->guest_qaddr = 0; + q->guest_qshift = 0; + +- rc = xive_native_configure_queue(xc->vp_id, q, priority, +- NULL, 0, true); ++ rc = kvmppc_xive_native_configure_queue(xc->vp_id, q, priority, ++ NULL, 0, true); + if (rc) { + pr_err("Failed to reset queue %d for VCPU %d: %d\n", + priority, xc->server_num, rc); + return rc; + } + +- if (q->qpage) { +- put_page(virt_to_page(q->qpage)); +- q->qpage = NULL; +- } +- + return 0; + } + +@@ -653,8 +666,8 @@ static int kvmppc_xive_native_set_queue_ + * OPAL level because the use of END ESBs is not supported by + * Linux. + */ +- rc = xive_native_configure_queue(xc->vp_id, q, priority, +- (__be32 *) qaddr, kvm_eq.qshift, true); ++ rc = kvmppc_xive_native_configure_queue(xc->vp_id, q, priority, ++ (__be32 *) qaddr, kvm_eq.qshift, true); + if (rc) { + pr_err("Failed to configure queue %d for VCPU %d: %d\n", + priority, xc->server_num, rc); diff --git a/queue-5.4/kvm-ppc-book3s-hv-xive-set-kvm-arch.xive-when-vps-are-allocated.patch b/queue-5.4/kvm-ppc-book3s-hv-xive-set-kvm-arch.xive-when-vps-are-allocated.patch new file mode 100644 index 00000000000..efc12b9269e --- /dev/null +++ b/queue-5.4/kvm-ppc-book3s-hv-xive-set-kvm-arch.xive-when-vps-are-allocated.patch @@ -0,0 +1,87 @@ +From e7d71c943040c23f2fd042033d319f56e84f845b Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Fri, 27 Sep 2019 13:53:38 +0200 +Subject: KVM: PPC: Book3S HV: XIVE: Set kvm->arch.xive when VPs are allocated +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Greg Kurz + +commit e7d71c943040c23f2fd042033d319f56e84f845b upstream. + +If we cannot allocate the XIVE VPs in OPAL, the creation of a XIVE or +XICS-on-XIVE device is aborted as expected, but we leave kvm->arch.xive +set forever since the release method isn't called in this case. Any +subsequent tentative to create a XIVE or XICS-on-XIVE for this VM will +thus always fail (DoS). This is a problem for QEMU since it destroys +and re-creates these devices when the VM is reset: the VM would be +restricted to using the much slower emulated XIVE or XICS forever. + +As an alternative to adding rollback, do not assign kvm->arch.xive before +making sure the XIVE VPs are allocated in OPAL. + +Cc: stable@vger.kernel.org # v5.2 +Fixes: 5422e95103cf ("KVM: PPC: Book3S HV: XIVE: Replace the 'destroy' method by a 'release' method") +Signed-off-by: Greg Kurz +Reviewed-by: Cédric Le Goater +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_xive.c | 11 +++++------ + arch/powerpc/kvm/book3s_xive_native.c | 2 +- + 2 files changed, 6 insertions(+), 7 deletions(-) + +--- a/arch/powerpc/kvm/book3s_xive.c ++++ b/arch/powerpc/kvm/book3s_xive.c +@@ -2005,6 +2005,10 @@ static int kvmppc_xive_create(struct kvm + + pr_devel("Creating xive for partition\n"); + ++ /* Already there ? */ ++ if (kvm->arch.xive) ++ return -EEXIST; ++ + xive = kvmppc_xive_get_device(kvm, type); + if (!xive) + return -ENOMEM; +@@ -2014,12 +2018,6 @@ static int kvmppc_xive_create(struct kvm + xive->kvm = kvm; + mutex_init(&xive->lock); + +- /* Already there ? */ +- if (kvm->arch.xive) +- ret = -EEXIST; +- else +- kvm->arch.xive = xive; +- + /* We use the default queue size set by the host */ + xive->q_order = xive_native_default_eq_shift(); + if (xive->q_order < PAGE_SHIFT) +@@ -2039,6 +2037,7 @@ static int kvmppc_xive_create(struct kvm + if (ret) + return ret; + ++ kvm->arch.xive = xive; + return 0; + } + +--- a/arch/powerpc/kvm/book3s_xive_native.c ++++ b/arch/powerpc/kvm/book3s_xive_native.c +@@ -1095,7 +1095,6 @@ static int kvmppc_xive_native_create(str + dev->private = xive; + xive->dev = dev; + xive->kvm = kvm; +- kvm->arch.xive = xive; + mutex_init(&xive->mapping_lock); + mutex_init(&xive->lock); + +@@ -1116,6 +1115,7 @@ static int kvmppc_xive_native_create(str + if (ret) + return ret; + ++ kvm->arch.xive = xive; + return 0; + } + diff --git a/queue-5.4/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch b/queue-5.4/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch new file mode 100644 index 00000000000..d09dd66a2dc --- /dev/null +++ b/queue-5.4/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch @@ -0,0 +1,51 @@ +From de1fca5d6e0105c9d33924e1247e2f386efc3ece Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 18 Nov 2019 12:23:00 -0500 +Subject: KVM: x86: do not modify masked bits of shared MSRs + +From: Paolo Bonzini + +commit de1fca5d6e0105c9d33924e1247e2f386efc3ece upstream. + +"Shared MSRs" are guest MSRs that are written to the host MSRs but +keep their value until the next return to userspace. They support +a mask, so that some bits keep the host value, but this mask is +only used to skip an unnecessary MSR write and the value written +to the MSR is always the guest MSR. + +Fix this and, while at it, do not update smsr->values[slot].curr if +for whatever reason the wrmsr fails. This should only happen due to +reserved bits, so the value written to smsr->values[slot].curr +will not match when the user-return notifier and the host value will +always be restored. However, it is untidy and in rare cases this +can actually avoid spurious WRMSRs on return to userspace. + +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Tested-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -300,13 +300,14 @@ int kvm_set_shared_msr(unsigned slot, u6 + struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu); + int err; + +- if (((value ^ smsr->values[slot].curr) & mask) == 0) ++ value = (value & mask) | (smsr->values[slot].host & ~mask); ++ if (value == smsr->values[slot].curr) + return 0; +- smsr->values[slot].curr = value; + err = wrmsrl_safe(shared_msrs_global.msrs[slot], value); + if (err) + return 1; + ++ smsr->values[slot].curr = value; + if (!smsr->registered) { + smsr->urn.on_user_return = kvm_on_user_return; + user_return_notifier_register(&smsr->urn); diff --git a/queue-5.4/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch b/queue-5.4/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch new file mode 100644 index 00000000000..9c2eb415f9e --- /dev/null +++ b/queue-5.4/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch @@ -0,0 +1,47 @@ +From cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 18 Nov 2019 18:58:26 +0100 +Subject: KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES + +From: Paolo Bonzini + +commit cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b upstream. + +KVM does not implement MSR_IA32_TSX_CTRL, so it must not be presented +to the guests. It is also confusing to have !ARCH_CAP_TSX_CTRL_MSR && +!RTM && ARCH_CAP_TAA_NO: lack of MSR_IA32_TSX_CTRL suggests TSX was not +hidden (it actually was), yet the value says that TSX is not vulnerable +to microarchitectural data sampling. Fix both. + +Cc: stable@vger.kernel.org +Tested-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1328,12 +1328,18 @@ static u64 kvm_get_arch_capabilities(voi + * If TSX is disabled on the system, guests are also mitigated against + * TAA and clear CPU buffer mitigation is not required for guests. + */ +- if (boot_cpu_has_bug(X86_BUG_TAA) && boot_cpu_has(X86_FEATURE_RTM) && +- (data & ARCH_CAP_TSX_CTRL_MSR)) ++ if (!boot_cpu_has(X86_FEATURE_RTM)) ++ data &= ~ARCH_CAP_TAA_NO; ++ else if (!boot_cpu_has_bug(X86_BUG_TAA)) ++ data |= ARCH_CAP_TAA_NO; ++ else if (data & ARCH_CAP_TSX_CTRL_MSR) + data &= ~ARCH_CAP_MDS_NO; + ++ /* KVM does not emulate MSR_IA32_TSX_CTRL. */ ++ data &= ~ARCH_CAP_TSX_CTRL_MSR; + return data; + } ++EXPORT_SYMBOL_GPL(kvm_get_arch_capabilities); + + static int kvm_get_msr_feature(struct kvm_msr_entry *msr) + { diff --git a/queue-5.4/kvm-x86-grab-kvm-s-srcu-lock-when-setting-nested-state.patch b/queue-5.4/kvm-x86-grab-kvm-s-srcu-lock-when-setting-nested-state.patch new file mode 100644 index 00000000000..f9f9c753a84 --- /dev/null +++ b/queue-5.4/kvm-x86-grab-kvm-s-srcu-lock-when-setting-nested-state.patch @@ -0,0 +1,88 @@ +From ad5996d9a0e8019c3ae5151e687939369acfe044 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 22 Nov 2019 08:58:18 -0800 +Subject: KVM: x86: Grab KVM's srcu lock when setting nested state + +From: Sean Christopherson + +commit ad5996d9a0e8019c3ae5151e687939369acfe044 upstream. + +Acquire kvm->srcu for the duration of ->set_nested_state() to fix a bug +where nVMX derefences ->memslots without holding ->srcu or ->slots_lock. + +The other half of nested migration, ->get_nested_state(), does not need +to acquire ->srcu as it is a purely a dump of internal KVM (and CPU) +state to userspace. + +Detected as an RCU lockdep splat that is 100% reproducible by running +KVM's state_test selftest with CONFIG_PROVE_LOCKING=y. Note that the +failing function, kvm_is_visible_gfn(), is only checking the validity of +a gfn, it's not actually accessing guest memory (which is more or less +unsupported during vmx_set_nested_state() due to incorrect MMU state), +i.e. vmx_set_nested_state() itself isn't fundamentally broken. In any +case, setting nested state isn't a fast path so there's no reason to go +out of our way to avoid taking ->srcu. + + ============================= + WARNING: suspicious RCU usage + 5.4.0-rc7+ #94 Not tainted + ----------------------------- + include/linux/kvm_host.h:626 suspicious rcu_dereference_check() usage! + + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + 1 lock held by evmcs_test/10939: + #0: ffff88826ffcb800 (&vcpu->mutex){+.+.}, at: kvm_vcpu_ioctl+0x85/0x630 [kvm] + + stack backtrace: + CPU: 1 PID: 10939 Comm: evmcs_test Not tainted 5.4.0-rc7+ #94 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + Call Trace: + dump_stack+0x68/0x9b + kvm_is_visible_gfn+0x179/0x180 [kvm] + mmu_check_root+0x11/0x30 [kvm] + fast_cr3_switch+0x40/0x120 [kvm] + kvm_mmu_new_cr3+0x34/0x60 [kvm] + nested_vmx_load_cr3+0xbd/0x1f0 [kvm_intel] + nested_vmx_enter_non_root_mode+0xab8/0x1d60 [kvm_intel] + vmx_set_nested_state+0x256/0x340 [kvm_intel] + kvm_arch_vcpu_ioctl+0x491/0x11a0 [kvm] + kvm_vcpu_ioctl+0xde/0x630 [kvm] + do_vfs_ioctl+0xa2/0x6c0 + ksys_ioctl+0x66/0x70 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x54/0x200 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7f59a2b95f47 + +Fixes: 8fcc4b5923af5 ("kvm: nVMX: Introduce KVM_CAP_NESTED_STATE") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4427,6 +4427,7 @@ long kvm_arch_vcpu_ioctl(struct file *fi + case KVM_SET_NESTED_STATE: { + struct kvm_nested_state __user *user_kvm_nested_state = argp; + struct kvm_nested_state kvm_state; ++ int idx; + + r = -EINVAL; + if (!kvm_x86_ops->set_nested_state) +@@ -4450,7 +4451,9 @@ long kvm_arch_vcpu_ioctl(struct file *fi + && !(kvm_state.flags & KVM_STATE_NESTED_GUEST_MODE)) + break; + ++ idx = srcu_read_lock(&vcpu->kvm->srcu); + r = kvm_x86_ops->set_nested_state(vcpu, user_kvm_nested_state, &kvm_state); ++ srcu_read_unlock(&vcpu->kvm->srcu, idx); + break; + } + case KVM_GET_SUPPORTED_HV_CPUID: { diff --git a/queue-5.4/kvm-x86-remove-a-spurious-export-of-a-static-function.patch b/queue-5.4/kvm-x86-remove-a-spurious-export-of-a-static-function.patch new file mode 100644 index 00000000000..30e41c3b09e --- /dev/null +++ b/queue-5.4/kvm-x86-remove-a-spurious-export-of-a-static-function.patch @@ -0,0 +1,33 @@ +From 24885d1d79e2e83d49201aeae0bc59f1402fd4f1 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 22 Nov 2019 12:15:49 -0800 +Subject: KVM: x86: Remove a spurious export of a static function + +From: Sean Christopherson + +commit 24885d1d79e2e83d49201aeae0bc59f1402fd4f1 upstream. + +A recent change inadvertently exported a static function, which results +in modpost throwing a warning. Fix it. + +Fixes: cbbaa2727aa3 ("KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES") +Signed-off-by: Sean Christopherson +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1339,7 +1339,6 @@ static u64 kvm_get_arch_capabilities(voi + data &= ~ARCH_CAP_TSX_CTRL_MSR; + return data; + } +-EXPORT_SYMBOL_GPL(kvm_get_arch_capabilities); + + static int kvm_get_msr_feature(struct kvm_msr_entry *msr) + { diff --git a/queue-5.4/series b/queue-5.4/series index 9ee226613d9..abaa559160a 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -51,3 +51,30 @@ nfsd-ensure-clone-persists-data-and-metadata-changes-to-the-target-file.patch nfsd-restore-nfsv3-acl-support.patch kernfs-fix-ino-wrap-around-detection.patch jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch +drm-msm-fix-memleak-on-release.patch +drm-damage_helper-fix-race-checking-plane-state-fb.patch +drm-i810-prevent-underflow-in-ioctl.patch +arm64-validate-tagged-addresses-in-access_ok-called-from-kernel-threads.patch +arm64-dts-exynos-revert-remove-unneeded-address-space-mapping-for-soc-node.patch +kvm-ppc-book3s-hv-xive-free-previous-eq-page-when-setting-up-a-new-one.patch +kvm-ppc-book3s-hv-xive-fix-potential-page-leak-on-error-path.patch +kvm-ppc-book3s-hv-xive-set-kvm-arch.xive-when-vps-are-allocated.patch +kvm-nvmx-always-write-vmcs02.guest_cr3-during-nested-vm-enter.patch +kvm-arm-arm64-vgic-don-t-rely-on-the-wrong-pending-table.patch +kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch +kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch +kvm-x86-remove-a-spurious-export-of-a-static-function.patch +kvm-x86-grab-kvm-s-srcu-lock-when-setting-nested-state.patch +crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch +crypto-atmel-aes-fix-iv-handling-when-req-nbytes-ivsize.patch +crypto-af_alg-cast-ki_complete-ternary-op-to-int.patch +crypto-geode-aes-switch-to-skcipher-for-cbc-aes-fallback.patch +crypto-ccp-fix-uninitialized-list-head.patch +crypto-ecdh-fix-big-endian-bug-in-ecc-library.patch +crypto-user-fix-memory-leak-in-crypto_report.patch +crypto-user-fix-memory-leak-in-crypto_reportstat.patch +spi-spi-fsl-qspi-clear-tdh-bits-in-flshcr-register.patch +spi-stm32-qspi-fix-kernel-oops-when-unbinding-driver.patch +spi-atmel-fix-cs-high-support.patch +spi-fix-spi_cs_high-setting-when-using-native-and-gpio-cs.patch +spi-fix-null-pointer-when-setting-spi_cs_high-for-gpio-cs.patch diff --git a/queue-5.4/spi-atmel-fix-cs-high-support.patch b/queue-5.4/spi-atmel-fix-cs-high-support.patch new file mode 100644 index 00000000000..c02f9d8d202 --- /dev/null +++ b/queue-5.4/spi-atmel-fix-cs-high-support.patch @@ -0,0 +1,50 @@ +From 7cbb16b2122c09f2ae393a1542fed628505b9da6 Mon Sep 17 00:00:00 2001 +From: Gregory CLEMENT +Date: Thu, 17 Oct 2019 16:18:41 +0200 +Subject: spi: atmel: Fix CS high support + +From: Gregory CLEMENT + +commit 7cbb16b2122c09f2ae393a1542fed628505b9da6 upstream. + +Until a few years ago, this driver was only used with CS GPIO. The +only exception is CS0 on AT91RM9200 which has to use internal CS. A +limitation of the internal CS is that they don't support CS High. + +So by using the CS GPIO the CS high configuration was available except +for the particular case CS0 on RM9200. + +When the support for the internal chip-select was added, the check of +the CS high support was not updated. Due to this the driver accepts +this configuration for all the SPI controller v2 (used by all SoCs +excepting the AT91RM9200) whereas the hardware doesn't support it for +infernal CS. + +This patch fixes the test to match the hardware capabilities. + +Fixes: 4820303480a1 ("spi: atmel: add support for the internal chip-select of the spi controller") +Cc: +Signed-off-by: Gregory CLEMENT +Link: https://lore.kernel.org/r/20191017141846.7523-3-gregory.clement@bootlin.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-atmel.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/spi/spi-atmel.c ++++ b/drivers/spi/spi-atmel.c +@@ -1183,10 +1183,8 @@ static int atmel_spi_setup(struct spi_de + as = spi_master_get_devdata(spi->master); + + /* see notes above re chipselect */ +- if (!atmel_spi_is_v2(as) +- && spi->chip_select == 0 +- && (spi->mode & SPI_CS_HIGH)) { +- dev_dbg(&spi->dev, "setup: can't be active-high\n"); ++ if (!as->use_cs_gpios && (spi->mode & SPI_CS_HIGH)) { ++ dev_warn(&spi->dev, "setup: non GPIO CS can't be active-high\n"); + return -EINVAL; + } + diff --git a/queue-5.4/spi-fix-null-pointer-when-setting-spi_cs_high-for-gpio-cs.patch b/queue-5.4/spi-fix-null-pointer-when-setting-spi_cs_high-for-gpio-cs.patch new file mode 100644 index 00000000000..0a2f761903d --- /dev/null +++ b/queue-5.4/spi-fix-null-pointer-when-setting-spi_cs_high-for-gpio-cs.patch @@ -0,0 +1,36 @@ +From 15f794bd977a0135328fbdd8a83cc64c1d267b39 Mon Sep 17 00:00:00 2001 +From: Gregory CLEMENT +Date: Thu, 24 Oct 2019 16:13:09 +0200 +Subject: spi: Fix NULL pointer when setting SPI_CS_HIGH for GPIO CS + +From: Gregory CLEMENT + +commit 15f794bd977a0135328fbdd8a83cc64c1d267b39 upstream. + +Even if the flag use_gpio_descriptors is set, it is possible that +cs_gpiods was not allocated, which leads to a kernel crash. + +Reported-by: "kernelci.org bot" +Fixes: 3e5ec1db8bfe ("spi: Fix SPI_CS_HIGH setting when using native and GPIO CS") +Signed-off-by: Gregory CLEMENT +Link: https://lore.kernel.org/r/20191024141309.22434-1-gregory.clement@bootlin.com +Signed-off-by: Mark Brown +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -1780,7 +1780,8 @@ static int of_spi_parse_dt(struct spi_co + * handled in the gpiolib, so all gpio chip selects are "active high" + * in the logical sense, the gpiolib will invert the line if need be. + */ +- if ((ctlr->use_gpio_descriptors) && ctlr->cs_gpiods[spi->chip_select]) ++ if ((ctlr->use_gpio_descriptors) && ctlr->cs_gpiods && ++ ctlr->cs_gpiods[spi->chip_select]) + spi->mode |= SPI_CS_HIGH; + + /* Device speed */ diff --git a/queue-5.4/spi-fix-spi_cs_high-setting-when-using-native-and-gpio-cs.patch b/queue-5.4/spi-fix-spi_cs_high-setting-when-using-native-and-gpio-cs.patch new file mode 100644 index 00000000000..7f3727222bc --- /dev/null +++ b/queue-5.4/spi-fix-spi_cs_high-setting-when-using-native-and-gpio-cs.patch @@ -0,0 +1,64 @@ +From 3e5ec1db8bfee845d9f8560d1c64aeaccd586398 Mon Sep 17 00:00:00 2001 +From: Gregory CLEMENT +Date: Fri, 18 Oct 2019 17:29:29 +0200 +Subject: spi: Fix SPI_CS_HIGH setting when using native and GPIO CS + +From: Gregory CLEMENT + +commit 3e5ec1db8bfee845d9f8560d1c64aeaccd586398 upstream. + +When improving the CS GPIO support at core level, the SPI_CS_HIGH +has been enabled for all the CS lines used for a given SPI controller. + +However, the SPI framework allows to have on the same controller native +CS and GPIO CS. The native CS may not support the SPI_CS_HIGH, so they +should not be setup automatically. + +With this patch the setting is done only for the CS that will use a +GPIO as CS + +Fixes: f3186dd87669 ("spi: Optionally use GPIO descriptors for CS GPIOs") +Cc: +Signed-off-by: Gregory CLEMENT +Link: https://lore.kernel.org/r/20191018152929.3287-1-gregory.clement@bootlin.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -1711,15 +1711,7 @@ static int of_spi_parse_dt(struct spi_co + spi->mode |= SPI_3WIRE; + if (of_property_read_bool(nc, "spi-lsb-first")) + spi->mode |= SPI_LSB_FIRST; +- +- /* +- * For descriptors associated with the device, polarity inversion is +- * handled in the gpiolib, so all chip selects are "active high" in +- * the logical sense, the gpiolib will invert the line if need be. +- */ +- if (ctlr->use_gpio_descriptors) +- spi->mode |= SPI_CS_HIGH; +- else if (of_property_read_bool(nc, "spi-cs-high")) ++ if (of_property_read_bool(nc, "spi-cs-high")) + spi->mode |= SPI_CS_HIGH; + + /* Device DUAL/QUAD mode */ +@@ -1783,6 +1775,14 @@ static int of_spi_parse_dt(struct spi_co + } + spi->chip_select = value; + ++ /* ++ * For descriptors associated with the device, polarity inversion is ++ * handled in the gpiolib, so all gpio chip selects are "active high" ++ * in the logical sense, the gpiolib will invert the line if need be. ++ */ ++ if ((ctlr->use_gpio_descriptors) && ctlr->cs_gpiods[spi->chip_select]) ++ spi->mode |= SPI_CS_HIGH; ++ + /* Device speed */ + rc = of_property_read_u32(nc, "spi-max-frequency", &value); + if (rc) { diff --git a/queue-5.4/spi-spi-fsl-qspi-clear-tdh-bits-in-flshcr-register.patch b/queue-5.4/spi-spi-fsl-qspi-clear-tdh-bits-in-flshcr-register.patch new file mode 100644 index 00000000000..76bf88f51b6 --- /dev/null +++ b/queue-5.4/spi-spi-fsl-qspi-clear-tdh-bits-in-flshcr-register.patch @@ -0,0 +1,126 @@ +From f6910679e17ad4915f008bd2c614d38052426f7c Mon Sep 17 00:00:00 2001 +From: Frieder Schrempf +Date: Mon, 7 Oct 2019 07:23:02 +0000 +Subject: spi: spi-fsl-qspi: Clear TDH bits in FLSHCR register + +From: Frieder Schrempf + +commit f6910679e17ad4915f008bd2c614d38052426f7c upstream. + +Later versions of the QSPI controller (e.g. in i.MX6UL/ULL and i.MX7) +seem to have an additional TDH setting in the FLSHCR register, that +needs to be set in accordance with the access mode that is used (DDR +or SDR). + +Previous bootstages such as BootROM or bootloader might have used the +DDR mode to access the flash. As we currently only use SDR mode, we +need to make sure the TDH bits are cleared upon initialization. + +Fixes: 84d043185dbe ("spi: Add a driver for the Freescale/NXP QuadSPI controller") +Cc: +Signed-off-by: Frieder Schrempf +Acked-by: Han Xu +Link: https://lore.kernel.org/r/20191007071933.26786-1-frieder.schrempf@kontron.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-fsl-qspi.c | 38 +++++++++++++++++++++++++++++++++----- + 1 file changed, 33 insertions(+), 5 deletions(-) + +--- a/drivers/spi/spi-fsl-qspi.c ++++ b/drivers/spi/spi-fsl-qspi.c +@@ -63,6 +63,11 @@ + #define QUADSPI_IPCR 0x08 + #define QUADSPI_IPCR_SEQID(x) ((x) << 24) + ++#define QUADSPI_FLSHCR 0x0c ++#define QUADSPI_FLSHCR_TCSS_MASK GENMASK(3, 0) ++#define QUADSPI_FLSHCR_TCSH_MASK GENMASK(11, 8) ++#define QUADSPI_FLSHCR_TDH_MASK GENMASK(17, 16) ++ + #define QUADSPI_BUF3CR 0x1c + #define QUADSPI_BUF3CR_ALLMST_MASK BIT(31) + #define QUADSPI_BUF3CR_ADATSZ(x) ((x) << 8) +@@ -95,6 +100,9 @@ + #define QUADSPI_FR 0x160 + #define QUADSPI_FR_TFF_MASK BIT(0) + ++#define QUADSPI_RSER 0x164 ++#define QUADSPI_RSER_TFIE BIT(0) ++ + #define QUADSPI_SPTRCLR 0x16c + #define QUADSPI_SPTRCLR_IPPTRC BIT(8) + #define QUADSPI_SPTRCLR_BFPTRC BIT(0) +@@ -112,9 +120,6 @@ + #define QUADSPI_LCKER_LOCK BIT(0) + #define QUADSPI_LCKER_UNLOCK BIT(1) + +-#define QUADSPI_RSER 0x164 +-#define QUADSPI_RSER_TFIE BIT(0) +- + #define QUADSPI_LUT_BASE 0x310 + #define QUADSPI_LUT_OFFSET (SEQID_LUT * 4 * 4) + #define QUADSPI_LUT_REG(idx) \ +@@ -181,6 +186,12 @@ + */ + #define QUADSPI_QUIRK_BASE_INTERNAL BIT(4) + ++/* ++ * Controller uses TDH bits in register QUADSPI_FLSHCR. ++ * They need to be set in accordance with the DDR/SDR mode. ++ */ ++#define QUADSPI_QUIRK_USE_TDH_SETTING BIT(5) ++ + struct fsl_qspi_devtype_data { + unsigned int rxfifo; + unsigned int txfifo; +@@ -209,7 +220,8 @@ static const struct fsl_qspi_devtype_dat + .rxfifo = SZ_128, + .txfifo = SZ_512, + .ahb_buf_size = SZ_1K, +- .quirks = QUADSPI_QUIRK_TKT253890 | QUADSPI_QUIRK_4X_INT_CLK, ++ .quirks = QUADSPI_QUIRK_TKT253890 | QUADSPI_QUIRK_4X_INT_CLK | ++ QUADSPI_QUIRK_USE_TDH_SETTING, + .little_endian = true, + }; + +@@ -217,7 +229,8 @@ static const struct fsl_qspi_devtype_dat + .rxfifo = SZ_128, + .txfifo = SZ_512, + .ahb_buf_size = SZ_1K, +- .quirks = QUADSPI_QUIRK_TKT253890 | QUADSPI_QUIRK_4X_INT_CLK, ++ .quirks = QUADSPI_QUIRK_TKT253890 | QUADSPI_QUIRK_4X_INT_CLK | ++ QUADSPI_QUIRK_USE_TDH_SETTING, + .little_endian = true, + }; + +@@ -275,6 +288,11 @@ static inline int needs_amba_base_offset + return !(q->devtype_data->quirks & QUADSPI_QUIRK_BASE_INTERNAL); + } + ++static inline int needs_tdh_setting(struct fsl_qspi *q) ++{ ++ return q->devtype_data->quirks & QUADSPI_QUIRK_USE_TDH_SETTING; ++} ++ + /* + * An IC bug makes it necessary to rearrange the 32-bit data. + * Later chips, such as IMX6SLX, have fixed this bug. +@@ -710,6 +728,16 @@ static int fsl_qspi_default_setup(struct + qspi_writel(q, QUADSPI_MCR_MDIS_MASK | QUADSPI_MCR_RESERVED_MASK, + base + QUADSPI_MCR); + ++ /* ++ * Previous boot stages (BootROM, bootloader) might have used DDR ++ * mode and did not clear the TDH bits. As we currently use SDR mode ++ * only, clear the TDH bits if necessary. ++ */ ++ if (needs_tdh_setting(q)) ++ qspi_writel(q, qspi_readl(q, base + QUADSPI_FLSHCR) & ++ ~QUADSPI_FLSHCR_TDH_MASK, ++ base + QUADSPI_FLSHCR); ++ + reg = qspi_readl(q, base + QUADSPI_SMPR); + qspi_writel(q, reg & ~(QUADSPI_SMPR_FSDLY_MASK + | QUADSPI_SMPR_FSPHS_MASK diff --git a/queue-5.4/spi-stm32-qspi-fix-kernel-oops-when-unbinding-driver.patch b/queue-5.4/spi-stm32-qspi-fix-kernel-oops-when-unbinding-driver.patch new file mode 100644 index 00000000000..30e7067d022 --- /dev/null +++ b/queue-5.4/spi-stm32-qspi-fix-kernel-oops-when-unbinding-driver.patch @@ -0,0 +1,144 @@ +From 3c0af1dd2fe78adc02fe21f6cfe7d6cb8602573e Mon Sep 17 00:00:00 2001 +From: Patrice Chotard +Date: Fri, 4 Oct 2019 14:36:06 +0200 +Subject: spi: stm32-qspi: Fix kernel oops when unbinding driver + +From: Patrice Chotard + +commit 3c0af1dd2fe78adc02fe21f6cfe7d6cb8602573e upstream. + +spi_master_put() must only be called in .probe() in case of error. + +As devm_spi_register_master() is used during probe, spi_master_put() +mustn't be called in .remove() callback. + +It fixes the following kernel WARNING/Oops when executing +echo "58003000.spi" > /sys/bus/platform/drivers/stm32-qspi/unbind : + +------------[ cut here ]------------ +WARNING: CPU: 1 PID: 496 at fs/kernfs/dir.c:1504 kernfs_remove_by_name_ns+0x9c/0xa4 +kernfs: can not remove 'uevent', no directory +Modules linked in: +CPU: 1 PID: 496 Comm: sh Not tainted 5.3.0-rc1-00219-ga0e07bb51a37 #62 +Hardware name: STM32 (Device Tree Support) +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0xb4/0xc8) +[] (dump_stack) from [] (__warn.part.3+0xbc/0xd8) +[] (__warn.part.3) from [] (warn_slowpath_fmt+0x68/0x8c) +[] (warn_slowpath_fmt) from [] (kernfs_remove_by_name_ns+0x9c/0xa4) +[] (kernfs_remove_by_name_ns) from [] (device_del+0x128/0x358) +[] (device_del) from [] (device_unregister+0x24/0x64) +[] (device_unregister) from [] (spi_unregister_controller+0x88/0xe8) +[] (spi_unregister_controller) from [] (release_nodes+0x1bc/0x200) +[] (release_nodes) from [] (device_release_driver_internal+0xec/0x1ac) +[] (device_release_driver_internal) from [] (unbind_store+0x60/0xd4) +[] (unbind_store) from [] (kernfs_fop_write+0xe8/0x1c4) +[] (kernfs_fop_write) from [] (__vfs_write+0x2c/0x1c0) +[] (__vfs_write) from [] (vfs_write+0xa4/0x184) +[] (vfs_write) from [] (ksys_write+0x58/0xd0) +[] (ksys_write) from [] (ret_fast_syscall+0x0/0x54) +Exception stack(0xdd289fa8 to 0xdd289ff0) +9fa0: 0000006c 000e20e8 00000001 000e20e8 0000000d 00000000 +9fc0: 0000006c 000e20e8 b6f87da0 00000004 0000000d 0000000d 00000000 00000000 +9fe0: 00000004 bee639b0 b6f2286b b6eaf6c6 +---[ end trace 1b15df8a02d76aef ]--- +------------[ cut here ]------------ +WARNING: CPU: 1 PID: 496 at fs/kernfs/dir.c:1504 kernfs_remove_by_name_ns+0x9c/0xa4 +kernfs: can not remove 'online', no directory +Modules linked in: +CPU: 1 PID: 496 Comm: sh Tainted: G W 5.3.0-rc1-00219-ga0e07bb51a37 #62 +Hardware name: STM32 (Device Tree Support) +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0xb4/0xc8) +[] (dump_stack) from [] (__warn.part.3+0xbc/0xd8) +[] (__warn.part.3) from [] (warn_slowpath_fmt+0x68/0x8c) +[] (warn_slowpath_fmt) from [] (kernfs_remove_by_name_ns+0x9c/0xa4) +[] (kernfs_remove_by_name_ns) from [] (device_remove_attrs+0x20/0x5c) +[] (device_remove_attrs) from [] (device_del+0x134/0x358) +[] (device_del) from [] (device_unregister+0x24/0x64) +[] (device_unregister) from [] (spi_unregister_controller+0x88/0xe8) +[] (spi_unregister_controller) from [] (release_nodes+0x1bc/0x200) +[] (release_nodes) from [] (device_release_driver_internal+0xec/0x1ac) +[] (device_release_driver_internal) from [] (unbind_store+0x60/0xd4) +[] (unbind_store) from [] (kernfs_fop_write+0xe8/0x1c4) +[] (kernfs_fop_write) from [] (__vfs_write+0x2c/0x1c0) +[] (__vfs_write) from [] (vfs_write+0xa4/0x184) +[] (vfs_write) from [] (ksys_write+0x58/0xd0) +[] (ksys_write) from [] (ret_fast_syscall+0x0/0x54) +Exception stack(0xdd289fa8 to 0xdd289ff0) +9fa0: 0000006c 000e20e8 00000001 000e20e8 0000000d 00000000 +9fc0: 0000006c 000e20e8 b6f87da0 00000004 0000000d 0000000d 00000000 00000000 +9fe0: 00000004 bee639b0 b6f2286b b6eaf6c6 +---[ end trace 1b15df8a02d76af0 ]--- +8<--- cut here --- +Unable to handle kernel NULL pointer dereference at virtual address 00000050 +pgd = e612f14d +[00000050] *pgd=ff1f5835 +Internal error: Oops: 17 [#1] SMP ARM +Modules linked in: +CPU: 1 PID: 496 Comm: sh Tainted: G W 5.3.0-rc1-00219-ga0e07bb51a37 #62 +Hardware name: STM32 (Device Tree Support) +PC is at kernfs_find_ns+0x8/0xfc +LR is at kernfs_find_and_get_ns+0x30/0x48 +pc : [] lr : [] psr: 40010013 +sp : dd289dac ip : 00000000 fp : 00000000 +r10: 00000000 r9 : def6ec58 r8 : dd289e54 +r7 : 00000000 r6 : c0abb234 r5 : 00000000 r4 : c0d26a30 +r3 : ddab5080 r2 : 00000000 r1 : c0abb234 r0 : 00000000 +Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +Control: 10c5387d Table: dd11c06a DAC: 00000051 +Process sh (pid: 496, stack limit = 0xe13a592d) +Stack: (0xdd289dac to 0xdd28a000) +9da0: c0d26a30 00000000 c0abb234 00000000 c02e4ac8 +9dc0: 00000000 c0976b44 def6ec00 dea53810 dd289e54 c02e864c c0a61a48 c0a4a5ec +9de0: c0d630a8 def6ec00 c0d04c48 c02e86e0 def6ec00 de909338 c0d04c48 c05833b0 +9e00: 00000000 c0638144 dd289e54 def59900 00000000 475b3ee5 def6ec00 00000000 +9e20: def6ec00 def59b80 dd289e54 def59900 00000000 c05835f8 def6ec00 c0638dac +9e40: 0000000a dea53810 c0d04c48 c058c580 dea53810 def59500 def59b80 475b3ee5 +9e60: ddc63e00 dea53810 dea3fe10 c0d63a0c dea53810 ddc63e00 dd289f78 dd240d10 +9e80: 00000000 c0588a44 c0d59a20 0000000d c0d63a0c c0586840 0000000d dd240d00 +9ea0: 00000000 00000000 ddc63e00 c02e64e8 00000000 00000000 c0d04c48 dd9bbcc0 +9ec0: c02e6400 dd289f78 00000000 000e20e8 0000000d c0266b44 00000055 00000cc0 +9ee0: 000000e3 000e3000 dd11c000 dd11c000 00000000 00000000 00000000 00000000 +9f00: ffeee38c dff99688 00000000 475b3ee5 00000001 dd289fb0 ddab5080 ddaa5800 +9f20: 00000817 000e30ec dd9e7720 475b3ee5 ddaa583c 0000000d dd9bbcc0 000e20e8 +9f40: dd289f78 00000000 000e20e8 0000000d 00000000 c02694c0 00000000 00000000 +9f60: c0d04c48 dd9bbcc0 00000000 00000000 dd9bbcc0 c0269710 00000000 00000000 +9f80: 000a91f4 475b3ee5 0000006c 000e20e8 b6f87da0 00000004 c0101204 dd288000 +9fa0: 00000004 c0101000 0000006c 000e20e8 00000001 000e20e8 0000000d 00000000 +9fc0: 0000006c 000e20e8 b6f87da0 00000004 0000000d 0000000d 00000000 00000000 +9fe0: 00000004 bee639b0 b6f2286b b6eaf6c6 600e0030 00000001 00000000 00000000 +[] (kernfs_find_ns) from [] (0xdef6ec00) +Code: ebf8eeab c0dc50b8 e92d40f0 e292c000 (e1d035b0) +---[ end trace 1b15df8a02d76af1 ]--- + +Fixes: a88eceb17ac7 ("spi: stm32-qspi: add spi_master_put in release function") +Cc: +Signed-off-by: Patrice Chotard +Link: https://lore.kernel.org/r/20191004123606.17241-1-patrice.chotard@st.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-stm32-qspi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-stm32-qspi.c ++++ b/drivers/spi/spi-stm32-qspi.c +@@ -528,7 +528,6 @@ static void stm32_qspi_release(struct st + stm32_qspi_dma_free(qspi); + mutex_destroy(&qspi->lock); + clk_disable_unprepare(qspi->clk); +- spi_master_put(qspi->ctrl); + } + + static int stm32_qspi_probe(struct platform_device *pdev) +@@ -626,6 +625,8 @@ static int stm32_qspi_probe(struct platf + + err: + stm32_qspi_release(qspi); ++ spi_master_put(qspi->ctrl); ++ + return ret; + } + -- 2.47.3