--- /dev/null
+From 10e62b47973b0b0ceda076255bcb147b83e20517 Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Tue, 30 Jul 2019 21:29:56 +0800
+Subject: bus: hisi_lpc: Add .remove method to avoid driver unbind crash
+
+From: John Garry <john.garry@huawei.com>
+
+commit 10e62b47973b0b0ceda076255bcb147b83e20517 upstream.
+
+The original driver author seemed to be under the impression that a driver
+cannot be removed if it does not have a .remove method. Or maybe if it is
+a built-in platform driver.
+
+This is not true. This crash can be created:
+
+root@ubuntu:/sys/bus/platform/drivers/hisi-lpc# echo HISI0191\:00 > unbind
+root@ubuntu:/sys/bus/platform/drivers/hisi-lpc# ipmitool raw 6 1
+ Unable to handle kernel paging request at virtual address ffff000010035010
+ Mem abort info:
+ ESR = 0x96000047
+ Exception class = DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ Data abort info:
+ ISV = 0, ISS = 0x00000047
+ CM = 0, WnR = 1
+ swapper pgtable: 4k pages, 48-bit VAs, pgdp=000000000118b000
+ [ffff000010035010] pgd=0000041ffbfff003, pud=0000041ffbffe003, pmd=0000041ffbffd003, pte=0000000000000000
+ Internal error: Oops: 96000047 [#1] PREEMPT SMP
+ Modules linked in:
+ CPU: 17 PID: 1473 Comm: ipmitool Not tainted 5.2.0-rc5-00003-gf68c53b414a3-dirty #198
+ Hardware name: Huawei Taishan 2280 /D05, BIOS Hisilicon D05 IT21 Nemo 2.0 RC0 04/18/2018
+ pstate: 20000085 (nzCv daIf -PAN -UAO)
+ pc : hisi_lpc_target_in+0x7c/0x120
+ lr : hisi_lpc_target_in+0x70/0x120
+ sp : ffff00001efe3930
+ x29: ffff00001efe3930 x28: ffff841f9f599200
+ x27: 0000000000000002 x26: 0000000000000000
+ x25: 0000000000000080 x24: 00000000000000e4
+ x23: 0000000000000000 x22: 0000000000000064
+ x21: ffff801fb667d280 x20: 0000000000000001
+ x19: ffff00001efe39ac x18: 0000000000000000
+ x17: 0000000000000000 x16: 0000000000000000
+ x15: 0000000000000000 x14: 0000000000000000
+ x13: 0000000000000000 x12: 0000000000000000
+ x11: 0000000000000000 x10: 0000000000000000
+ x9 : 0000000000000000 x8 : ffff841febe60340
+ x7 : ffff801fb55c52e8 x6 : 0000000000000000
+ x5 : 0000000000ffc0e3 x4 : 0000000000000001
+ x3 : ffff801fb667d280 x2 : 0000000000000001
+ x1 : ffff000010035010 x0 : ffff000010035000
+ Call trace:
+ hisi_lpc_target_in+0x7c/0x120
+ hisi_lpc_comm_in+0x88/0x98
+ logic_inb+0x5c/0xb8
+ port_inb+0x18/0x20
+ bt_event+0x38/0x808
+ smi_event_handler+0x4c/0x5a0
+ check_start_timer_thread.part.4+0x40/0x58
+ sender+0x78/0x88
+ smi_send.isra.6+0x94/0x108
+ i_ipmi_request+0x2c4/0x8f8
+ ipmi_request_settime+0x124/0x160
+ handle_send_req+0x19c/0x208
+ ipmi_ioctl+0x2c0/0x990
+ do_vfs_ioctl+0xb8/0x8f8
+ ksys_ioctl+0x80/0xb8
+ __arm64_sys_ioctl+0x1c/0x28
+ el0_svc_common.constprop.0+0x64/0x160
+ el0_svc_handler+0x28/0x78
+ el0_svc+0x8/0xc
+ Code: 941d1511 aa0003f9 f94006a0 91004001 (b9000034)
+ ---[ end trace aa842b86af7069e4 ]---
+
+The problem here is that the host goes away but the associated logical PIO
+region remains registered, as do the children devices.
+
+Fix by adding a .remove method to tidy-up by removing the child devices
+and unregistering the logical PIO region.
+
+Cc: stable@vger.kernel.org
+Fixes: adf38bb0b595 ("HISI LPC: Support the LPC host on Hip06/Hip07 with DT bindings")
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/hisi_lpc.c | 38 ++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+--- a/drivers/bus/hisi_lpc.c
++++ b/drivers/bus/hisi_lpc.c
+@@ -456,6 +456,17 @@ struct hisi_lpc_acpi_cell {
+ size_t pdata_size;
+ };
+
++static void hisi_lpc_acpi_remove(struct device *hostdev)
++{
++ struct acpi_device *adev = ACPI_COMPANION(hostdev);
++ struct acpi_device *child;
++
++ device_for_each_child(hostdev, NULL, hisi_lpc_acpi_remove_subdev);
++
++ list_for_each_entry(child, &adev->children, node)
++ acpi_device_clear_enumerated(child);
++}
++
+ /*
+ * hisi_lpc_acpi_probe - probe children for ACPI FW
+ * @hostdev: LPC host device pointer
+@@ -556,8 +567,7 @@ static int hisi_lpc_acpi_probe(struct de
+ return 0;
+
+ fail:
+- device_for_each_child(hostdev, NULL,
+- hisi_lpc_acpi_remove_subdev);
++ hisi_lpc_acpi_remove(hostdev);
+ return ret;
+ }
+
+@@ -570,6 +580,10 @@ static int hisi_lpc_acpi_probe(struct de
+ {
+ return -ENODEV;
+ }
++
++static void hisi_lpc_acpi_remove(struct device *hostdev)
++{
++}
+ #endif // CONFIG_ACPI
+
+ /*
+@@ -627,6 +641,8 @@ static int hisi_lpc_probe(struct platfor
+ return ret;
+ }
+
++ dev_set_drvdata(dev, lpcdev);
++
+ io_end = lpcdev->io_host->io_start + lpcdev->io_host->size;
+ dev_info(dev, "registered range [%pa - %pa]\n",
+ &lpcdev->io_host->io_start, &io_end);
+@@ -634,6 +650,23 @@ static int hisi_lpc_probe(struct platfor
+ return ret;
+ }
+
++static int hisi_lpc_remove(struct platform_device *pdev)
++{
++ struct device *dev = &pdev->dev;
++ struct acpi_device *acpi_device = ACPI_COMPANION(dev);
++ struct hisi_lpc_dev *lpcdev = dev_get_drvdata(dev);
++ struct logic_pio_hwaddr *range = lpcdev->io_host;
++
++ if (acpi_device)
++ hisi_lpc_acpi_remove(dev);
++ else
++ of_platform_depopulate(dev);
++
++ logic_pio_unregister_range(range);
++
++ return 0;
++}
++
+ static const struct of_device_id hisi_lpc_of_match[] = {
+ { .compatible = "hisilicon,hip06-lpc", },
+ { .compatible = "hisilicon,hip07-lpc", },
+@@ -647,5 +680,6 @@ static struct platform_driver hisi_lpc_d
+ .acpi_match_table = ACPI_PTR(hisi_lpc_acpi_match),
+ },
+ .probe = hisi_lpc_probe,
++ .remove = hisi_lpc_remove,
+ };
+ builtin_platform_driver(hisi_lpc_driver);
--- /dev/null
+From 1b15a5632a809ab57d403fd972ca68785363b654 Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Tue, 30 Jul 2019 21:29:55 +0800
+Subject: bus: hisi_lpc: Unregister logical PIO range to avoid potential use-after-free
+
+From: John Garry <john.garry@huawei.com>
+
+commit 1b15a5632a809ab57d403fd972ca68785363b654 upstream.
+
+If, after registering a logical PIO range, the driver probe later fails,
+the logical PIO range memory will be released automatically.
+
+This causes an issue, in that the logical PIO range is not unregistered
+and the released range memory may be later referenced.
+
+Fix by unregistering the logical PIO range.
+
+And since we now unregister the logical PIO range for probe failure, avoid
+the special ordering of setting logical PIO range ops, which was the
+previous (poor) attempt at a safeguard against this.
+
+Cc: stable@vger.kernel.org
+Fixes: adf38bb0b595 ("HISI LPC: Support the LPC host on Hip06/Hip07 with DT bindings")
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/hisi_lpc.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/bus/hisi_lpc.c
++++ b/drivers/bus/hisi_lpc.c
+@@ -607,24 +607,25 @@ static int hisi_lpc_probe(struct platfor
+ range->fwnode = dev->fwnode;
+ range->flags = LOGIC_PIO_INDIRECT;
+ range->size = PIO_INDIRECT_SIZE;
++ range->hostdata = lpcdev;
++ range->ops = &hisi_lpc_ops;
++ lpcdev->io_host = range;
+
+ ret = logic_pio_register_range(range);
+ if (ret) {
+ dev_err(dev, "register IO range failed (%d)!\n", ret);
+ return ret;
+ }
+- lpcdev->io_host = range;
+
+ /* register the LPC host PIO resources */
+ if (acpi_device)
+ ret = hisi_lpc_acpi_probe(dev);
+ else
+ ret = of_platform_populate(dev->of_node, NULL, NULL, dev);
+- if (ret)
++ if (ret) {
++ logic_pio_unregister_range(range);
+ return ret;
+-
+- lpcdev->io_host->hostdata = lpcdev;
+- lpcdev->io_host->ops = &hisi_lpc_ops;
++ }
+
+ io_end = lpcdev->io_host->io_start + lpcdev->io_host->size;
+ dev_info(dev, "registered range [%pa - %pa]\n",
--- /dev/null
+From 5871cd93692c8071fb9358daccb715b5081316ac Mon Sep 17 00:00:00 2001
+From: Gary R Hook <gary.hook@amd.com>
+Date: Mon, 19 Aug 2019 22:23:27 +0000
+Subject: crypto: ccp - Ignore unconfigured CCP device on suspend/resume
+
+From: Gary R Hook <gary.hook@amd.com>
+
+commit 5871cd93692c8071fb9358daccb715b5081316ac upstream.
+
+If a CCP is unconfigured (e.g. there are no available queues) then
+there will be no data structures allocated for the device. Thus, we
+must check for validity of a pointer before trying to access structure
+members.
+
+Fixes: 720419f01832f ("crypto: ccp - Introduce the AMD Secure Processor device")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccp/ccp-dev.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/crypto/ccp/ccp-dev.c
++++ b/drivers/crypto/ccp/ccp-dev.c
+@@ -543,6 +543,10 @@ int ccp_dev_suspend(struct sp_device *sp
+ unsigned long flags;
+ unsigned int i;
+
++ /* If there's no device there's nothing to do */
++ if (!ccp)
++ return 0;
++
+ spin_lock_irqsave(&ccp->cmd_lock, flags);
+
+ ccp->suspending = 1;
+@@ -567,6 +571,10 @@ int ccp_dev_resume(struct sp_device *sp)
+ unsigned long flags;
+ unsigned int i;
+
++ /* If there's no device there's nothing to do */
++ if (!ccp)
++ return 0;
++
+ spin_lock_irqsave(&ccp->cmd_lock, flags);
+
+ ccp->suspending = 0;
--- /dev/null
+From 317a3aaef94d73ba6be88aea11b41bb631b2d581 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 27 Aug 2019 17:33:32 +0800
+Subject: drm/amdgpu: Add APTX quirk for Dell Latitude 5495
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 317a3aaef94d73ba6be88aea11b41bb631b2d581 upstream.
+
+Needs ATPX rather than _PR3 to really turn off the dGPU. This can save
+~5W when dGPU is runtime-suspended.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
+@@ -575,6 +575,7 @@ static const struct amdgpu_px_quirk amdg
+ { 0x1002, 0x6900, 0x1002, 0x0124, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0x1002, 0x6900, 0x1028, 0x0812, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0x1002, 0x6900, 0x1028, 0x0813, AMDGPU_PX_QUIRK_FORCE_ATPX },
++ { 0x1002, 0x699f, 0x1028, 0x0814, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0x1002, 0x6900, 0x1025, 0x125A, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0x1002, 0x6900, 0x17AA, 0x3806, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0, 0, 0, 0, 0 },
--- /dev/null
+From 32f0a982650b123bdab36865617d3e03ebcacf3b Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Fri, 23 Aug 2019 16:52:51 -0400
+Subject: drm/i915: Call dma_set_max_seg_size() in i915_driver_hw_probe()
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit 32f0a982650b123bdab36865617d3e03ebcacf3b upstream.
+
+Currently, we don't call dma_set_max_seg_size() for i915 because we
+intentionally do not limit the segment length that the device supports.
+However, this results in a warning being emitted if we try to map
+anything larger than SZ_64K on a kernel with CONFIG_DMA_API_DEBUG_SG
+enabled:
+
+[ 7.751926] DMA-API: i915 0000:00:02.0: mapping sg segment longer
+than device claims to support [len=98304] [max=65536]
+[ 7.751934] WARNING: CPU: 5 PID: 474 at kernel/dma/debug.c:1220
+debug_dma_map_sg+0x20f/0x340
+
+This was originally brought up on
+https://bugs.freedesktop.org/show_bug.cgi?id=108517 , and the consensus
+there was it wasn't really useful to set a limit (and that dma-debug
+isn't really all that useful for i915 in the first place). Unfortunately
+though, CONFIG_DMA_API_DEBUG_SG is enabled in the debug configs for
+various distro kernels. Since a WARN_ON() will disable automatic problem
+reporting (and cause any CI with said option enabled to start
+complaining), we really should just fix the problem.
+
+Note that as me and Chris Wilson discussed, the other solution for this
+would be to make DMA-API not make such assumptions when a driver hasn't
+explicitly set a maximum segment size. But, taking a look at the commit
+which originally introduced this behavior, commit 78c47830a5cb
+("dma-debug: check scatterlist segments"), there is an explicit mention
+of this assumption and how it applies to devices with no segment size:
+
+ Conversely, devices which are less limited than the rather
+ conservative defaults, or indeed have no limitations at all
+ (e.g. GPUs with their own internal MMU), should be encouraged to
+ set appropriate dma_parms, as they may get more efficient DMA
+ mapping performance out of it.
+
+So unless there's any concerns (I'm open to discussion!), let's just
+follow suite and call dma_set_max_seg_size() with UINT_MAX as our limit
+to silence any warnings.
+
+Changes since v3:
+* Drop patch for enabling CONFIG_DMA_API_DEBUG_SG in CI. It looks like
+ just turning it on causes the kernel to spit out bogus WARN_ONs()
+ during some igt tests which would otherwise require teaching igt to
+ disable the various DMA-API debugging options causing this. This is
+ too much work to be worth it, since DMA-API debugging is useless for
+ us. So, we'll just settle with this single patch to squelch WARN_ONs()
+ during driver load for users that have CONFIG_DMA_API_DEBUG_SG turned
+ on for some reason.
+* Move dma_set_max_seg_size() call into i915_driver_hw_probe() - Chris
+ Wilson
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: <stable@vger.kernel.org> # v4.18+
+Link: https://patchwork.freedesktop.org/patch/msgid/20190823205251.14298-1-lyude@redhat.com
+(cherry picked from commit acd674af95d3f627062007429b9c195c6b32361d)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_drv.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_drv.c
++++ b/drivers/gpu/drm/i915/i915_drv.c
+@@ -1120,6 +1120,12 @@ static int i915_driver_init_hw(struct dr
+
+ pci_set_master(pdev);
+
++ /*
++ * We don't have a max segment size, so set it to the max so sg's
++ * debugging layer doesn't complain
++ */
++ dma_set_max_seg_size(&pdev->dev, UINT_MAX);
++
+ /* overlay on gen2 is broken and can't address above 1G */
+ if (IS_GEN2(dev_priv)) {
+ ret = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(30));
--- /dev/null
+From 0a3dfbb5cd9033752639ef33e319c2f2863c713a Mon Sep 17 00:00:00 2001
+From: Xiong Zhang <xiong.y.zhang@intel.com>
+Date: Tue, 20 Aug 2019 13:46:17 +0800
+Subject: drm/i915: Don't deballoon unused ggtt drm_mm_node in linux guest
+
+From: Xiong Zhang <xiong.y.zhang@intel.com>
+
+commit 0a3dfbb5cd9033752639ef33e319c2f2863c713a upstream.
+
+The following call trace may exist in linux guest dmesg when guest i915
+driver is unloaded.
+[ 90.776610] [drm:vgt_deballoon_space.isra.0 [i915]] deballoon space: range [0x0 - 0x0] 0 KiB.
+[ 90.776621] BUG: unable to handle kernel NULL pointer dereference at 00000000000000c0
+[ 90.776691] IP: drm_mm_remove_node+0x4d/0x320 [drm]
+[ 90.776718] PGD 800000012c7d0067 P4D 800000012c7d0067 PUD 138e4c067 PMD 0
+[ 90.777091] task: ffff9adab60f2f00 task.stack: ffffaf39c0fe0000
+[ 90.777142] RIP: 0010:drm_mm_remove_node+0x4d/0x320 [drm]
+[ 90.777573] Call Trace:
+[ 90.777653] intel_vgt_deballoon+0x4c/0x60 [i915]
+[ 90.777729] i915_ggtt_cleanup_hw+0x121/0x190 [i915]
+[ 90.777792] i915_driver_unload+0x145/0x180 [i915]
+[ 90.777856] i915_pci_remove+0x15/0x20 [i915]
+[ 90.777890] pci_device_remove+0x3b/0xc0
+[ 90.777916] device_release_driver_internal+0x157/0x220
+[ 90.777945] driver_detach+0x39/0x70
+[ 90.777967] bus_remove_driver+0x51/0xd0
+[ 90.777990] pci_unregister_driver+0x23/0x90
+[ 90.778019] SyS_delete_module+0x1da/0x240
+[ 90.778045] entry_SYSCALL_64_fastpath+0x24/0x87
+[ 90.778072] RIP: 0033:0x7f34312af067
+[ 90.778092] RSP: 002b:00007ffdea3da0d8 EFLAGS: 00000206
+[ 90.778297] RIP: drm_mm_remove_node+0x4d/0x320 [drm] RSP: ffffaf39c0fe3dc0
+[ 90.778344] ---[ end trace f4b1bc8305fc59dd ]---
+
+Four drm_mm_node are used to reserve guest ggtt space, but some of them
+may be skipped and not initialised due to space constraints in
+intel_vgt_balloon(). If drm_mm_remove_node() is called with
+uninitialized drm_mm_node, the above call trace occurs.
+
+This patch check drm_mm_node's validity before calling
+drm_mm_remove_node().
+
+Fixes: ff8f797557c7("drm/i915: return the correct usable aperture size under gvt environment")
+Cc: stable@vger.kernel.org
+Signed-off-by: Xiong Zhang <xiong.y.zhang@intel.com>
+Acked-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Link: https://patchwork.freedesktop.org/patch/msgid/1566279978-9659-1-git-send-email-xiong.y.zhang@intel.com
+(cherry picked from commit 4776f3529d6b1e47f02904ad1d264d25ea22b27b)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_vgpu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_vgpu.c
++++ b/drivers/gpu/drm/i915/i915_vgpu.c
+@@ -100,6 +100,9 @@ static struct _balloon_info_ bl_info;
+ static void vgt_deballoon_space(struct i915_ggtt *ggtt,
+ struct drm_mm_node *node)
+ {
++ if (!drm_mm_node_allocated(node))
++ return;
++
+ DRM_DEBUG_DRIVER("deballoon space: range [0x%llx - 0x%llx] %llu KiB.\n",
+ node->start,
+ node->start + node->size,
--- /dev/null
+From 8919dfcb31161fae7d607bbef5247e5e82fd6457 Mon Sep 17 00:00:00 2001
+From: Eddie James <eajames@linux.ibm.com>
+Date: Tue, 27 Aug 2019 12:12:49 +0800
+Subject: fsi: scom: Don't abort operations for minor errors
+
+From: Eddie James <eajames@linux.ibm.com>
+
+commit 8919dfcb31161fae7d607bbef5247e5e82fd6457 upstream.
+
+The scom driver currently fails out of operations if certain system
+errors are flagged in the status register; system checkstop, special
+attention, or recoverable error. These errors won't impact the ability
+of the scom engine to perform operations, so the driver should continue
+under these conditions.
+Also, don't do a PIB reset for these conditions, since it won't help.
+
+Fixes: 6b293258cded ("fsi: scom: Major overhaul")
+Signed-off-by: Eddie James <eajames@linux.ibm.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Jeremy Kerr <jk@ozlabs.org>
+Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Link: https://lore.kernel.org/r/20190827041249.13381-1-jk@ozlabs.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/fsi/fsi-scom.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/fsi/fsi-scom.c
++++ b/drivers/fsi/fsi-scom.c
+@@ -47,8 +47,7 @@
+ #define SCOM_STATUS_PIB_RESP_MASK 0x00007000
+ #define SCOM_STATUS_PIB_RESP_SHIFT 12
+
+-#define SCOM_STATUS_ANY_ERR (SCOM_STATUS_ERR_SUMMARY | \
+- SCOM_STATUS_PROTECTION | \
++#define SCOM_STATUS_ANY_ERR (SCOM_STATUS_PROTECTION | \
+ SCOM_STATUS_PARITY | \
+ SCOM_STATUS_PIB_ABORT | \
+ SCOM_STATUS_PIB_RESP_MASK)
+@@ -260,11 +259,6 @@ static int handle_fsi2pib_status(struct
+ /* Return -EBUSY on PIB abort to force a retry */
+ if (status & SCOM_STATUS_PIB_ABORT)
+ return -EBUSY;
+- if (status & SCOM_STATUS_ERR_SUMMARY) {
+- fsi_device_write(scom->fsi_dev, SCOM_FSI2PIB_RESET_REG, &dummy,
+- sizeof(uint32_t));
+- return -EIO;
+- }
+ return 0;
+ }
+
--- /dev/null
+From 164eb56e3b64f3a816238d410c9efec7567a82ef Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Wed, 21 Aug 2019 10:49:54 +0300
+Subject: intel_th: pci: Add support for another Lewisburg PCH
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 164eb56e3b64f3a816238d410c9efec7567a82ef upstream.
+
+Add support for the Trace Hub in another Lewisburg PCH.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: stable@vger.kernel.org # v4.14+
+Link: https://lore.kernel.org/r/20190821074955.3925-4-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -141,6 +141,11 @@ static const struct pci_device_id intel_
+ .driver_data = (kernel_ulong_t)0,
+ },
+ {
++ /* Lewisburg PCH */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa226),
++ .driver_data = (kernel_ulong_t)0,
++ },
++ {
+ /* Gemini Lake */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x318e),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
--- /dev/null
+From 9c78255fdde45c6b9a1ee30f652f7b34c727f5c7 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Wed, 21 Aug 2019 10:49:55 +0300
+Subject: intel_th: pci: Add Tiger Lake support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 9c78255fdde45c6b9a1ee30f652f7b34c727f5c7 upstream.
+
+This adds support for the Trace Hub in Tiger Lake PCH.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: stable@vger.kernel.org # v4.14+
+Link: https://lore.kernel.org/r/20190821074955.3925-5-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -180,6 +180,11 @@ static const struct pci_device_id intel_
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x45c5),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
++ {
++ /* Tiger Lake PCH */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa0a6),
++ .driver_data = (kernel_ulong_t)&intel_th_2x,
++ },
+ { 0 },
+ };
+
--- /dev/null
+From b884e2de2afc68ce30f7093747378ef972dde253 Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Tue, 30 Jul 2019 21:29:54 +0800
+Subject: lib: logic_pio: Add logic_pio_unregister_range()
+
+From: John Garry <john.garry@huawei.com>
+
+commit b884e2de2afc68ce30f7093747378ef972dde253 upstream.
+
+Add a function to unregister a logical PIO range.
+
+Logical PIO space can still be leaked when unregistering certain
+LOGIC_PIO_CPU_MMIO regions, but this acceptable for now since there are no
+callers to unregister LOGIC_PIO_CPU_MMIO regions, and the logical PIO
+region allocation scheme would need significant work to improve this.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/logic_pio.h | 1 +
+ lib/logic_pio.c | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+
+--- a/include/linux/logic_pio.h
++++ b/include/linux/logic_pio.h
+@@ -117,6 +117,7 @@ struct logic_pio_hwaddr *find_io_range_b
+ unsigned long logic_pio_trans_hwaddr(struct fwnode_handle *fwnode,
+ resource_size_t hw_addr, resource_size_t size);
+ int logic_pio_register_range(struct logic_pio_hwaddr *newrange);
++void logic_pio_unregister_range(struct logic_pio_hwaddr *range);
+ resource_size_t logic_pio_to_hwaddr(unsigned long pio);
+ unsigned long logic_pio_trans_cpuaddr(resource_size_t hw_addr);
+
+--- a/lib/logic_pio.c
++++ b/lib/logic_pio.c
+@@ -99,6 +99,20 @@ end_register:
+ }
+
+ /**
++ * logic_pio_unregister_range - unregister a logical PIO range for a host
++ * @range: pointer to the IO range which has been already registered.
++ *
++ * Unregister a previously-registered IO range node.
++ */
++void logic_pio_unregister_range(struct logic_pio_hwaddr *range)
++{
++ mutex_lock(&io_range_mutex);
++ list_del_rcu(&range->list);
++ mutex_unlock(&io_range_mutex);
++ synchronize_rcu();
++}
++
++/**
+ * find_io_range_by_fwnode - find logical PIO range for given FW node
+ * @fwnode: FW node handle associated with logical PIO range
+ *
--- /dev/null
+From 0a27142bd1ee259e24a0be2b0133e5ca5df8da91 Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Tue, 30 Jul 2019 21:29:53 +0800
+Subject: lib: logic_pio: Avoid possible overlap for unregistering regions
+
+From: John Garry <john.garry@huawei.com>
+
+commit 0a27142bd1ee259e24a0be2b0133e5ca5df8da91 upstream.
+
+The code was originally written to not support unregistering logical PIO
+regions.
+
+To accommodate supporting unregistering logical PIO regions, subtly modify
+LOGIC_PIO_CPU_MMIO region registration code, such that the "end" of the
+registered regions is the "end" of the last region, and not the sum of
+the sizes of all the registered regions.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/logic_pio.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/lib/logic_pio.c
++++ b/lib/logic_pio.c
+@@ -35,7 +35,7 @@ int logic_pio_register_range(struct logi
+ struct logic_pio_hwaddr *range;
+ resource_size_t start;
+ resource_size_t end;
+- resource_size_t mmio_sz = 0;
++ resource_size_t mmio_end = 0;
+ resource_size_t iio_sz = MMIO_UPPER_LIMIT;
+ int ret = 0;
+
+@@ -56,7 +56,7 @@ int logic_pio_register_range(struct logi
+ /* for MMIO ranges we need to check for overlap */
+ if (start >= range->hw_start + range->size ||
+ end < range->hw_start) {
+- mmio_sz += range->size;
++ mmio_end = range->io_start + range->size;
+ } else {
+ ret = -EFAULT;
+ goto end_register;
+@@ -69,16 +69,16 @@ int logic_pio_register_range(struct logi
+
+ /* range not registered yet, check for available space */
+ if (new_range->flags == LOGIC_PIO_CPU_MMIO) {
+- if (mmio_sz + new_range->size - 1 > MMIO_UPPER_LIMIT) {
++ if (mmio_end + new_range->size - 1 > MMIO_UPPER_LIMIT) {
+ /* if it's too big check if 64K space can be reserved */
+- if (mmio_sz + SZ_64K - 1 > MMIO_UPPER_LIMIT) {
++ if (mmio_end + SZ_64K - 1 > MMIO_UPPER_LIMIT) {
+ ret = -E2BIG;
+ goto end_register;
+ }
+ new_range->size = SZ_64K;
+ pr_warn("Requested IO range too big, new size set to 64K\n");
+ }
+- new_range->io_start = mmio_sz;
++ new_range->io_start = mmio_end;
+ } else if (new_range->flags == LOGIC_PIO_INDIRECT) {
+ if (iio_sz + new_range->size - 1 > IO_SPACE_LIMIT) {
+ ret = -E2BIG;
--- /dev/null
+From 06709e81c668f5f56c65b806895b278517bd44e0 Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Tue, 30 Jul 2019 21:29:52 +0800
+Subject: lib: logic_pio: Fix RCU usage
+
+From: John Garry <john.garry@huawei.com>
+
+commit 06709e81c668f5f56c65b806895b278517bd44e0 upstream.
+
+The traversing of io_range_list with list_for_each_entry_rcu()
+is not properly protected by rcu_read_lock() and rcu_read_unlock(),
+so add them.
+
+These functions mark the critical section scope where the list is
+protected for the reader, it cannot be "reclaimed". Any updater - in
+this case, the logical PIO registration functions - cannot update the
+list until the reader exits this critical section.
+
+In addition, the list traversing used in logic_pio_register_range()
+does not need to use the rcu variant.
+
+This is because we are already using io_range_mutex to guarantee mutual
+exclusion from mutating the list.
+
+Cc: stable@vger.kernel.org
+Fixes: 031e3601869c ("lib: Add generic PIO mapping method")
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/logic_pio.c | 49 +++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 35 insertions(+), 14 deletions(-)
+
+--- a/lib/logic_pio.c
++++ b/lib/logic_pio.c
+@@ -46,7 +46,7 @@ int logic_pio_register_range(struct logi
+ end = new_range->hw_start + new_range->size;
+
+ mutex_lock(&io_range_mutex);
+- list_for_each_entry_rcu(range, &io_range_list, list) {
++ list_for_each_entry(range, &io_range_list, list) {
+ if (range->fwnode == new_range->fwnode) {
+ /* range already there */
+ goto end_register;
+@@ -108,26 +108,38 @@ end_register:
+ */
+ struct logic_pio_hwaddr *find_io_range_by_fwnode(struct fwnode_handle *fwnode)
+ {
+- struct logic_pio_hwaddr *range;
++ struct logic_pio_hwaddr *range, *found_range = NULL;
+
++ rcu_read_lock();
+ list_for_each_entry_rcu(range, &io_range_list, list) {
+- if (range->fwnode == fwnode)
+- return range;
++ if (range->fwnode == fwnode) {
++ found_range = range;
++ break;
++ }
+ }
+- return NULL;
++ rcu_read_unlock();
++
++ return found_range;
+ }
+
+ /* Return a registered range given an input PIO token */
+ static struct logic_pio_hwaddr *find_io_range(unsigned long pio)
+ {
+- struct logic_pio_hwaddr *range;
++ struct logic_pio_hwaddr *range, *found_range = NULL;
+
++ rcu_read_lock();
+ list_for_each_entry_rcu(range, &io_range_list, list) {
+- if (in_range(pio, range->io_start, range->size))
+- return range;
++ if (in_range(pio, range->io_start, range->size)) {
++ found_range = range;
++ break;
++ }
+ }
+- pr_err("PIO entry token %lx invalid\n", pio);
+- return NULL;
++ rcu_read_unlock();
++
++ if (!found_range)
++ pr_err("PIO entry token 0x%lx invalid\n", pio);
++
++ return found_range;
+ }
+
+ /**
+@@ -180,14 +192,23 @@ unsigned long logic_pio_trans_cpuaddr(re
+ {
+ struct logic_pio_hwaddr *range;
+
++ rcu_read_lock();
+ list_for_each_entry_rcu(range, &io_range_list, list) {
+ if (range->flags != LOGIC_PIO_CPU_MMIO)
+ continue;
+- if (in_range(addr, range->hw_start, range->size))
+- return addr - range->hw_start + range->io_start;
++ if (in_range(addr, range->hw_start, range->size)) {
++ unsigned long cpuaddr;
++
++ cpuaddr = addr - range->hw_start + range->io_start;
++
++ rcu_read_unlock();
++ return cpuaddr;
++ }
+ }
+- pr_err("addr %llx not registered in io_range_list\n",
+- (unsigned long long) addr);
++ rcu_read_unlock();
++
++ pr_err("addr %pa not registered in io_range_list\n", &addr);
++
+ return ~0UL;
+ }
+
--- /dev/null
+From 72741084d903e65e121c27bd29494d941729d4a1 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Tue, 27 Aug 2019 10:10:43 +0200
+Subject: mmc: core: Fix init of SD cards reporting an invalid VDD range
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 72741084d903e65e121c27bd29494d941729d4a1 upstream.
+
+The OCR register defines the supported range of VDD voltages for SD cards.
+However, it has turned out that some SD cards reports an invalid voltage
+range, for example having bit7 set.
+
+When a host supports MMC_CAP2_FULL_PWR_CYCLE and some of the voltages from
+the invalid VDD range, this triggers the core to run a power cycle of the
+card to try to initialize it at the lowest common supported voltage.
+Obviously this fails, since the card can't support it.
+
+Let's fix this problem, by clearing invalid bits from the read OCR register
+for SD cards, before proceeding with the VDD voltage negotiation.
+
+Cc: stable@vger.kernel.org
+Reported-by: Philip Langdale <philipl@overt.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Reviewed-by: Philip Langdale <philipl@overt.org>
+Tested-by: Philip Langdale <philipl@overt.org>
+Tested-by: Manuel Presnitz <mail@mpy.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/sd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -1277,6 +1277,12 @@ int mmc_attach_sd(struct mmc_host *host)
+ goto err;
+ }
+
++ /*
++ * Some SD cards claims an out of spec VDD voltage range. Let's treat
++ * these bits as being in-valid and especially also bit7.
++ */
++ ocr &= ~0x7FFF;
++
+ rocr = mmc_select_voltage(host, ocr);
+
+ /*
--- /dev/null
+From 7871aa60ae0086fe4626abdf5ed13eeddf306c61 Mon Sep 17 00:00:00 2001
+From: Eugen Hristev <eugen.hristev@microchip.com>
+Date: Thu, 8 Aug 2019 08:35:40 +0000
+Subject: mmc: sdhci-of-at91: add quirk for broken HS200
+
+From: Eugen Hristev <eugen.hristev@microchip.com>
+
+commit 7871aa60ae0086fe4626abdf5ed13eeddf306c61 upstream.
+
+HS200 is not implemented in the driver, but the controller claims it
+through caps. Remove it via a quirk, to make sure the mmc core do not try
+to enable HS200, as it causes the eMMC initialization to fail.
+
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Fixes: bb5f8ea4d514 ("mmc: sdhci-of-at91: introduce driver for the Atmel SDMMC")
+Cc: stable@vger.kernel.org # v4.4+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-of-at91.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-of-at91.c
++++ b/drivers/mmc/host/sdhci-of-at91.c
+@@ -365,6 +365,9 @@ static int sdhci_at91_probe(struct platf
+ pm_runtime_set_autosuspend_delay(&pdev->dev, 50);
+ pm_runtime_use_autosuspend(&pdev->dev);
+
++ /* HS200 is broken at this moment */
++ host->quirks2 = SDHCI_QUIRK2_BROKEN_HS200;
++
+ ret = sdhci_add_host(host);
+ if (ret)
+ goto pm_runtime_disable;
usb-storage-ums-realtek-update-module-parameter-description-for-auto_delink_en.patch
usb-storage-ums-realtek-whitelist-auto-delink-support.patch
mei-me-add-tiger-lake-point-lp-device-id.patch
+mmc-sdhci-of-at91-add-quirk-for-broken-hs200.patch
+mmc-core-fix-init-of-sd-cards-reporting-an-invalid-vdd-range.patch
+stm-class-fix-a-double-free-of-stm_source_device.patch
+intel_th-pci-add-support-for-another-lewisburg-pch.patch
+intel_th-pci-add-tiger-lake-support.patch
+typec-tcpm-fix-a-typo-in-the-comparison-of-pdo_max_voltage.patch
+fsi-scom-don-t-abort-operations-for-minor-errors.patch
+lib-logic_pio-fix-rcu-usage.patch
+lib-logic_pio-avoid-possible-overlap-for-unregistering-regions.patch
+lib-logic_pio-add-logic_pio_unregister_range.patch
+drm-amdgpu-add-aptx-quirk-for-dell-latitude-5495.patch
+drm-i915-don-t-deballoon-unused-ggtt-drm_mm_node-in-linux-guest.patch
+drm-i915-call-dma_set_max_seg_size-in-i915_driver_hw_probe.patch
+bus-hisi_lpc-unregister-logical-pio-range-to-avoid-potential-use-after-free.patch
+bus-hisi_lpc-add-.remove-method-to-avoid-driver-unbind-crash.patch
+vmci-release-resource-if-the-work-is-already-queued.patch
+crypto-ccp-ignore-unconfigured-ccp-device-on-suspend-resume.patch
--- /dev/null
+From 961b6ffe0e2c403b09a8efe4a2e986b3c415391a Mon Sep 17 00:00:00 2001
+From: Ding Xiang <dingxiang@cmss.chinamobile.com>
+Date: Wed, 21 Aug 2019 10:49:52 +0300
+Subject: stm class: Fix a double free of stm_source_device
+
+From: Ding Xiang <dingxiang@cmss.chinamobile.com>
+
+commit 961b6ffe0e2c403b09a8efe4a2e986b3c415391a upstream.
+
+In the error path of stm_source_register_device(), the kfree is
+unnecessary, as the put_device() before it ends up calling
+stm_source_device_release() to free stm_source_device, leading to
+a double free at the outer kfree() call. Remove it.
+
+Signed-off-by: Ding Xiang <dingxiang@cmss.chinamobile.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 7bd1d4093c2fa ("stm class: Introduce an abstraction for System Trace Module devices")
+Link: https://lore.kernel.org/linux-arm-kernel/1563354988-23826-1-git-send-email-dingxiang@cmss.chinamobile.com/
+Cc: stable@vger.kernel.org # v4.4+
+Link: https://lore.kernel.org/r/20190821074955.3925-2-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/stm/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -1098,7 +1098,6 @@ int stm_source_register_device(struct de
+
+ err:
+ put_device(&src->dev);
+- kfree(src);
+
+ return err;
+ }
--- /dev/null
+From a684d8fd87182090ee96e34519ecdf009cef093a Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 22 Aug 2019 14:52:12 +0100
+Subject: typec: tcpm: fix a typo in the comparison of pdo_max_voltage
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit a684d8fd87182090ee96e34519ecdf009cef093a upstream.
+
+There appears to be a typo in the comparison of pdo_max_voltage[i]
+with the previous value, currently it is checking against the
+array pdo_min_voltage rather than pdo_max_voltage. I believe this
+is a typo. Fix this.
+
+Addresses-Coverity: ("Copy-paste error")
+Fixes: 5007e1b5db73 ("typec: tcpm: Validate source and sink caps")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20190822135212.10195-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/tcpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/tcpm.c
++++ b/drivers/usb/typec/tcpm.c
+@@ -1445,7 +1445,7 @@ static enum pdo_err tcpm_caps_err(struct
+ else if ((pdo_min_voltage(pdo[i]) ==
+ pdo_min_voltage(pdo[i - 1])) &&
+ (pdo_max_voltage(pdo[i]) ==
+- pdo_min_voltage(pdo[i - 1])))
++ pdo_max_voltage(pdo[i - 1])))
+ return PDO_ERR_DUPE_PDO;
+ break;
+ /*
--- /dev/null
+From ba03a9bbd17b149c373c0ea44017f35fc2cd0f28 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@vmware.com>
+Date: Tue, 20 Aug 2019 13:26:38 -0700
+Subject: VMCI: Release resource if the work is already queued
+
+From: Nadav Amit <namit@vmware.com>
+
+commit ba03a9bbd17b149c373c0ea44017f35fc2cd0f28 upstream.
+
+Francois reported that VMware balloon gets stuck after a balloon reset,
+when the VMCI doorbell is removed. A similar error can occur when the
+balloon driver is removed with the following splat:
+
+[ 1088.622000] INFO: task modprobe:3565 blocked for more than 120 seconds.
+[ 1088.622035] Tainted: G W 5.2.0 #4
+[ 1088.622087] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[ 1088.622205] modprobe D 0 3565 1450 0x00000000
+[ 1088.622210] Call Trace:
+[ 1088.622246] __schedule+0x2a8/0x690
+[ 1088.622248] schedule+0x2d/0x90
+[ 1088.622250] schedule_timeout+0x1d3/0x2f0
+[ 1088.622252] wait_for_completion+0xba/0x140
+[ 1088.622320] ? wake_up_q+0x80/0x80
+[ 1088.622370] vmci_resource_remove+0xb9/0xc0 [vmw_vmci]
+[ 1088.622373] vmci_doorbell_destroy+0x9e/0xd0 [vmw_vmci]
+[ 1088.622379] vmballoon_vmci_cleanup+0x6e/0xf0 [vmw_balloon]
+[ 1088.622381] vmballoon_exit+0x18/0xcc8 [vmw_balloon]
+[ 1088.622394] __x64_sys_delete_module+0x146/0x280
+[ 1088.622408] do_syscall_64+0x5a/0x130
+[ 1088.622410] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 1088.622415] RIP: 0033:0x7f54f62791b7
+[ 1088.622421] Code: Bad RIP value.
+[ 1088.622421] RSP: 002b:00007fff2a949008 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+[ 1088.622426] RAX: ffffffffffffffda RBX: 000055dff8b55d00 RCX: 00007f54f62791b7
+[ 1088.622426] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055dff8b55d68
+[ 1088.622427] RBP: 000055dff8b55d00 R08: 00007fff2a947fb1 R09: 0000000000000000
+[ 1088.622427] R10: 00007f54f62f5cc0 R11: 0000000000000206 R12: 000055dff8b55d68
+[ 1088.622428] R13: 0000000000000001 R14: 000055dff8b55d68 R15: 00007fff2a94a3f0
+
+The cause for the bug is that when the "delayed" doorbell is invoked, it
+takes a reference on the doorbell entry and schedules work that is
+supposed to run the appropriate code and drop the doorbell entry
+reference. The code ignores the fact that if the work is already queued,
+it will not be scheduled to run one more time. As a result one of the
+references would not be dropped. When the code waits for the reference
+to get to zero, during balloon reset or module removal, it gets stuck.
+
+Fix it. Drop the reference if schedule_work() indicates that the work is
+already queued.
+
+Note that this bug got more apparent (or apparent at all) due to
+commit ce664331b248 ("vmw_balloon: VMCI_DOORBELL_SET does not check status").
+
+Fixes: 83e2ec765be03 ("VMCI: doorbell implementation.")
+Reported-by: Francois Rigault <rigault.francois@gmail.com>
+Cc: Jorgen Hansen <jhansen@vmware.com>
+Cc: Adit Ranadive <aditr@vmware.com>
+Cc: Alexios Zavras <alexios.zavras@intel.com>
+Cc: Vishnu DASA <vdasa@vmware.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
+Link: https://lore.kernel.org/r/20190820202638.49003-1-namit@vmware.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/vmw_vmci/vmci_doorbell.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_doorbell.c
++++ b/drivers/misc/vmw_vmci/vmci_doorbell.c
+@@ -318,7 +318,8 @@ int vmci_dbell_host_context_notify(u32 s
+
+ entry = container_of(resource, struct dbell_entry, resource);
+ if (entry->run_delayed) {
+- schedule_work(&entry->work);
++ if (!schedule_work(&entry->work))
++ vmci_resource_put(resource);
+ } else {
+ entry->notify_cb(entry->client_data);
+ vmci_resource_put(resource);
+@@ -366,7 +367,8 @@ static void dbell_fire_entries(u32 notif
+ atomic_read(&dbell->active) == 1) {
+ if (dbell->run_delayed) {
+ vmci_resource_get(&dbell->resource);
+- schedule_work(&dbell->work);
++ if (!schedule_work(&dbell->work))
++ vmci_resource_put(&dbell->resource);
+ } else {
+ dbell->notify_cb(dbell->client_data);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
