4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 May 2020 14:04:23 +0000 (16:04 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 May 2020 14:04:23 +0000 (16:04 +0200)
added patches:
arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch
arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch
cifs-fix-leaked-reference-on-requeued-write.patch
clk-rockchip-fix-incorrect-configuration-of-rk3228-aclk_gpu-clocks.patch
dwc3-remove-check-for-hwo-flag-in-dwc3_gadget_ep_reclaim_trb_sg.patch
exec-move-would_dump-into-flush_old_exec.patch
usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch
usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch
usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch
x86-fix-early-boot-crash-on-gcc-10-third-try.patch
x86-unwind-orc-fix-error-handling-in-__unwind_start.patch

12 files changed:
queue-4.19/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch [new file with mode: 0644]
queue-4.19/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch [new file with mode: 0644]
queue-4.19/cifs-fix-leaked-reference-on-requeued-write.patch [new file with mode: 0644]
queue-4.19/clk-rockchip-fix-incorrect-configuration-of-rk3228-aclk_gpu-clocks.patch [new file with mode: 0644]
queue-4.19/dwc3-remove-check-for-hwo-flag-in-dwc3_gadget_ep_reclaim_trb_sg.patch [new file with mode: 0644]
queue-4.19/exec-move-would_dump-into-flush_old_exec.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch [new file with mode: 0644]
queue-4.19/usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch [new file with mode: 0644]
queue-4.19/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch [new file with mode: 0644]
queue-4.19/x86-fix-early-boot-crash-on-gcc-10-third-try.patch [new file with mode: 0644]
queue-4.19/x86-unwind-orc-fix-error-handling-in-__unwind_start.patch [new file with mode: 0644]

diff --git a/queue-4.19/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch b/queue-4.19/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch
new file mode 100644 (file)
index 0000000..365a845
--- /dev/null
@@ -0,0 +1,59 @@
+From 90d4d3f4ea45370d482fa609dbae4d2281b4074f Mon Sep 17 00:00:00 2001
+From: Kishon Vijay Abraham I <kishon@ti.com>
+Date: Fri, 17 Apr 2020 12:13:40 +0530
+Subject: ARM: dts: dra7: Fix bus_dma_limit for PCIe
+
+From: Kishon Vijay Abraham I <kishon@ti.com>
+
+commit 90d4d3f4ea45370d482fa609dbae4d2281b4074f upstream.
+
+Even though commit cfb5d65f2595 ("ARM: dts: dra7: Add bus_dma_limit
+for L3 bus") added bus_dma_limit for L3 bus, the PCIe controller
+gets incorrect value of bus_dma_limit.
+
+Fix it by adding empty dma-ranges property to axi@0 and axi@1
+(parent device tree node of PCIe controller).
+
+Cc: stable@kernel.org
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/dra7.dtsi |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/dra7.dtsi
++++ b/arch/arm/boot/dts/dra7.dtsi
+@@ -312,6 +312,7 @@
+                       #address-cells = <1>;
+                       ranges = <0x51000000 0x51000000 0x3000
+                                 0x0        0x20000000 0x10000000>;
++                      dma-ranges;
+                       /**
+                        * To enable PCI endpoint mode, disable the pcie1_rc
+                        * node and enable pcie1_ep mode.
+@@ -325,7 +326,6 @@
+                               device_type = "pci";
+                               ranges = <0x81000000 0 0          0x03000 0 0x00010000
+                                         0x82000000 0 0x20013000 0x13000 0 0xffed000>;
+-                              dma-ranges = <0x02000000 0x0 0x00000000 0x00000000 0x1 0x00000000>;
+                               bus-range = <0x00 0xff>;
+                               #interrupt-cells = <1>;
+                               num-lanes = <1>;
+@@ -368,6 +368,7 @@
+                       #address-cells = <1>;
+                       ranges = <0x51800000 0x51800000 0x3000
+                                 0x0        0x30000000 0x10000000>;
++                      dma-ranges;
+                       status = "disabled";
+                       pcie2_rc: pcie@51800000 {
+                               reg = <0x51800000 0x2000>, <0x51802000 0x14c>, <0x1000 0x2000>;
+@@ -378,7 +379,6 @@
+                               device_type = "pci";
+                               ranges = <0x81000000 0 0          0x03000 0 0x00010000
+                                         0x82000000 0 0x30013000 0x13000 0 0xffed000>;
+-                              dma-ranges = <0x02000000 0x0 0x00000000 0x00000000 0x1 0x00000000>;
+                               bus-range = <0x00 0xff>;
+                               #interrupt-cells = <1>;
+                               num-lanes = <1>;
diff --git a/queue-4.19/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch b/queue-4.19/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch
new file mode 100644 (file)
index 0000000..3f23a31
--- /dev/null
@@ -0,0 +1,43 @@
+From 0caf34350a25907515d929a9c77b9b206aac6d1e Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Fri, 27 Mar 2020 10:36:24 -0300
+Subject: ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries
+
+From: Fabio Estevam <festevam@gmail.com>
+
+commit 0caf34350a25907515d929a9c77b9b206aac6d1e upstream.
+
+The I2C2 pins are already used and the following errors are seen:
+
+imx27-pinctrl 10015000.iomuxc: pin MX27_PAD_I2C2_SDA already requested by 10012000.i2c; cannot claim for 1001d000.i2c
+imx27-pinctrl 10015000.iomuxc: pin-69 (1001d000.i2c) status -22
+imx27-pinctrl 10015000.iomuxc: could not request pin 69 (MX27_PAD_I2C2_SDA) from group i2c2grp  on device 10015000.iomuxc
+imx-i2c 1001d000.i2c: Error applying setting, reverse things back
+imx-i2c: probe of 1001d000.i2c failed with error -22
+
+Fix it by adding the correct I2C1 IOMUX entries for the pinctrl_i2c1 group.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 61664d0b432a ("ARM: dts: imx27 phyCARD-S pinctrl")
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Reviewed-by: Stefan Riedmueller <s.riedmueller@phytec.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts
++++ b/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts
+@@ -81,8 +81,8 @@
+       imx27-phycard-s-rdk {
+               pinctrl_i2c1: i2c1grp {
+                       fsl,pins = <
+-                              MX27_PAD_I2C2_SDA__I2C2_SDA 0x0
+-                              MX27_PAD_I2C2_SCL__I2C2_SCL 0x0
++                              MX27_PAD_I2C_DATA__I2C_DATA 0x0
++                              MX27_PAD_I2C_CLK__I2C_CLK 0x0
+                       >;
+               };
diff --git a/queue-4.19/cifs-fix-leaked-reference-on-requeued-write.patch b/queue-4.19/cifs-fix-leaked-reference-on-requeued-write.patch
new file mode 100644 (file)
index 0000000..37eefe9
--- /dev/null
@@ -0,0 +1,40 @@
+From a48137996063d22ffba77e077425f49873856ca5 Mon Sep 17 00:00:00 2001
+From: Adam McCoy <adam@forsedomani.com>
+Date: Wed, 13 May 2020 11:53:30 +0000
+Subject: cifs: fix leaked reference on requeued write
+
+From: Adam McCoy <adam@forsedomani.com>
+
+commit a48137996063d22ffba77e077425f49873856ca5 upstream.
+
+Failed async writes that are requeued may not clean up a refcount
+on the file, which can result in a leaked open. This scenario arises
+very reliably when using persistent handles and a reconnect occurs
+while writing.
+
+cifs_writev_requeue only releases the reference if the write fails
+(rc != 0). The server->ops->async_writev operation will take its own
+reference, so the initial reference can always be released.
+
+Signed-off-by: Adam McCoy <adam@forsedomani.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifssmb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -2051,8 +2051,8 @@ cifs_writev_requeue(struct cifs_writedat
+                       }
+               }
++              kref_put(&wdata2->refcount, cifs_writedata_release);
+               if (rc) {
+-                      kref_put(&wdata2->refcount, cifs_writedata_release);
+                       if (is_retryable_error(rc))
+                               continue;
+                       i += nr_pages;
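Review bot: After the relocated `kref_put(&wdata2->refcount, cifs_writedata_release);`, wdata2 may already be freed if the reference taken by async_writev has been dropped in the meantime, so nothing later in the loop body may touch wdata2; the lines visible in the hunk do not, but the body continues past the hunk and that should be confirmed there. The reason the put is now unconditional lives only in the commit message; a comment at the call site would keep it with the code: `/* async_writev took its own ref; drop ours regardless of rc */`. cifs_writev_requeue() starts and ends outside the hunk.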
diff --git a/queue-4.19/clk-rockchip-fix-incorrect-configuration-of-rk3228-aclk_gpu-clocks.patch b/queue-4.19/clk-rockchip-fix-incorrect-configuration-of-rk3228-aclk_gpu-clocks.patch
new file mode 100644 (file)
index 0000000..6386320
--- /dev/null
@@ -0,0 +1,77 @@
+From cec9d101d70a3509da9bd2e601e0b242154ce616 Mon Sep 17 00:00:00 2001
+From: Justin Swartz <justin.swartz@risingedge.co.za>
+Date: Tue, 14 Jan 2020 16:25:02 +0000
+Subject: clk: rockchip: fix incorrect configuration of rk3228 aclk_gpu* clocks
+
+From: Justin Swartz <justin.swartz@risingedge.co.za>
+
+commit cec9d101d70a3509da9bd2e601e0b242154ce616 upstream.
+
+The following changes prevent the unrecoverable freezes and rcu_sched
+stall warnings experienced in each of my attempts to take advantage of
+lima.
+
+Replace the COMPOSITE_NOGATE definition of aclk_gpu_pre with a
+COMPOSITE that retains the selection of HDMIPHY as the PLL source, but
+instead makes uses of the aclk_gpu PLL source gate and parent names
+defined by mux_pll_src_4plls_p rather than mux_aclk_gpu_pre_p.
+
+Remove the now unused mux_aclk_gpu_pre_p and the four named but also
+unused definitions (cpll_gpu, gpll_gpu, hdmiphy_gpu and usb480m_gpu)
+of the aclk_gpu PLL source gate.
+
+Use the correct gate offset for aclk_gpu and aclk_gpu_noc.
+
+Fixes: 307a2e9ac524 ("clk: rockchip: add clock controller for rk3228")
+Cc: stable@vger.kernel.org
+Signed-off-by: Justin Swartz <justin.swartz@risingedge.co.za>
+[double-checked against SoC manual and added fixes tag]
+Link: https://lore.kernel.org/r/20200114162503.7548-1-justin.swartz@risingedge.co.za
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/rockchip/clk-rk3228.c |   17 ++++-------------
+ 1 file changed, 4 insertions(+), 13 deletions(-)
+
+--- a/drivers/clk/rockchip/clk-rk3228.c
++++ b/drivers/clk/rockchip/clk-rk3228.c
+@@ -163,8 +163,6 @@ PNAME(mux_i2s_out_p)               = { "i2s1_pre", "x
+ PNAME(mux_i2s2_p)             = { "i2s2_src", "i2s2_frac", "xin12m" };
+ PNAME(mux_sclk_spdif_p)               = { "sclk_spdif_src", "spdif_frac", "xin12m" };
+-PNAME(mux_aclk_gpu_pre_p)     = { "cpll_gpu", "gpll_gpu", "hdmiphy_gpu", "usb480m_gpu" };
+-
+ PNAME(mux_uart0_p)            = { "uart0_src", "uart0_frac", "xin24m" };
+ PNAME(mux_uart1_p)            = { "uart1_src", "uart1_frac", "xin24m" };
+ PNAME(mux_uart2_p)            = { "uart2_src", "uart2_frac", "xin24m" };
+@@ -475,16 +473,9 @@ static struct rockchip_clk_branch rk3228
+                       RK2928_CLKSEL_CON(24), 6, 10, DFLAGS,
+                       RK2928_CLKGATE_CON(2), 8, GFLAGS),
+-      GATE(0, "cpll_gpu", "cpll", 0,
+-                      RK2928_CLKGATE_CON(3), 13, GFLAGS),
+-      GATE(0, "gpll_gpu", "gpll", 0,
+-                      RK2928_CLKGATE_CON(3), 13, GFLAGS),
+-      GATE(0, "hdmiphy_gpu", "hdmiphy", 0,
+-                      RK2928_CLKGATE_CON(3), 13, GFLAGS),
+-      GATE(0, "usb480m_gpu", "usb480m", 0,
++      COMPOSITE(0, "aclk_gpu_pre", mux_pll_src_4plls_p, 0,
++                      RK2928_CLKSEL_CON(34), 5, 2, MFLAGS, 0, 5, DFLAGS,
+                       RK2928_CLKGATE_CON(3), 13, GFLAGS),
+-      COMPOSITE_NOGATE(0, "aclk_gpu_pre", mux_aclk_gpu_pre_p, 0,
+-                      RK2928_CLKSEL_CON(34), 5, 2, MFLAGS, 0, 5, DFLAGS),
+       COMPOSITE(SCLK_SPI0, "sclk_spi0", mux_pll_src_2plls_p, 0,
+                       RK2928_CLKSEL_CON(25), 8, 1, MFLAGS, 0, 7, DFLAGS,
+@@ -589,8 +580,8 @@ static struct rockchip_clk_branch rk3228
+       GATE(0, "pclk_peri_noc", "pclk_peri", CLK_IGNORE_UNUSED, RK2928_CLKGATE_CON(12), 2, GFLAGS),
+       /* PD_GPU */
+-      GATE(ACLK_GPU, "aclk_gpu", "aclk_gpu_pre", 0, RK2928_CLKGATE_CON(13), 14, GFLAGS),
+-      GATE(0, "aclk_gpu_noc", "aclk_gpu_pre", 0, RK2928_CLKGATE_CON(13), 15, GFLAGS),
++      GATE(ACLK_GPU, "aclk_gpu", "aclk_gpu_pre", 0, RK2928_CLKGATE_CON(7), 14, GFLAGS),
++      GATE(0, "aclk_gpu_noc", "aclk_gpu_pre", 0, RK2928_CLKGATE_CON(7), 15, GFLAGS),
+       /* PD_BUS */
+       GATE(0, "sclk_initmem_mbist", "aclk_cpu", 0, RK2928_CLKGATE_CON(8), 1, GFLAGS),
diff --git a/queue-4.19/dwc3-remove-check-for-hwo-flag-in-dwc3_gadget_ep_reclaim_trb_sg.patch b/queue-4.19/dwc3-remove-check-for-hwo-flag-in-dwc3_gadget_ep_reclaim_trb_sg.patch
new file mode 100644 (file)
index 0000000..d582708
--- /dev/null
@@ -0,0 +1,54 @@
+From 00e21763f2c8cab21b7befa52996d1b18bde5c42 Mon Sep 17 00:00:00 2001
+From: John Stultz <john.stultz@linaro.org>
+Date: Mon, 4 May 2020 23:12:15 +0000
+Subject: dwc3: Remove check for HWO flag in dwc3_gadget_ep_reclaim_trb_sg()
+
+From: John Stultz <john.stultz@linaro.org>
+
+commit 00e21763f2c8cab21b7befa52996d1b18bde5c42 upstream.
+
+The check for the HWO flag in dwc3_gadget_ep_reclaim_trb_sg()
+causes us to break out of the loop before we call
+dwc3_gadget_ep_reclaim_completed_trb(), which is what likely
+should be clearing the HWO flag.
+
+This can cause odd behavior where we never reclaim all the trbs
+in the sg list, so we never call giveback on a usb req, and that
+will causes transfer stalls.
+
+This effectively resovles the adb stalls seen on HiKey960
+after userland changes started only using AIO in adbd.
+
+Cc: YongQin Liu <yongqin.liu@linaro.org>
+Cc: Anurag Kumar Vulisha <anurag.kumar.vulisha@xilinx.com>
+Cc: Yang Fei <fei.yang@intel.com>
+Cc: Thinh Nguyen <thinhn@synopsys.com>
+Cc: Tejas Joglekar <tejas.joglekar@synopsys.com>
+Cc: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
+Cc: Jack Pham <jackp@codeaurora.org>
+Cc: Josh Gao <jmgao@google.com>
+Cc: Todd Kjos <tkjos@google.com>
+Cc: Felipe Balbi <balbi@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-usb@vger.kernel.org
+Cc: stable@vger.kernel.org #4.20+
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c |    3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2279,9 +2279,6 @@ static int dwc3_gadget_ep_reclaim_trb_sg
+       for_each_sg(sg, s, pending, i) {
+               trb = &dep->trb_pool[dep->trb_dequeue];
+-              if (trb->ctrl & DWC3_TRB_CTRL_HWO)
+-                      break;
+-
+               req->sg = sg_next(s);
+               req->num_pending_sgs--;
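Review bot: With the HWO early-break removed, the for_each_sg() loop in dwc3_gadget_ep_reclaim_trb_sg() now reclaims a TRB regardless of its ownership bit, and the justification — that dwc3_gadget_ep_reclaim_completed_trb() is expected to handle and clear HWO — appears only in the commit message, which itself says "likely". A comment at the top of the loop body would stop the check from being reintroduced by a later reader: `/* HWO is handled in dwc3_gadget_ep_reclaim_completed_trb(); do not bail out here */`. The loop body and the function continue past the hunk, so whether HWO is actually cleared there cannot be confirmed from what is shown.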
diff --git a/queue-4.19/exec-move-would_dump-into-flush_old_exec.patch b/queue-4.19/exec-move-would_dump-into-flush_old_exec.patch
new file mode 100644 (file)
index 0000000..d0998e1
--- /dev/null
@@ -0,0 +1,58 @@
+From f87d1c9559164294040e58f5e3b74a162bf7c6e8 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Sat, 16 May 2020 16:29:20 -0500
+Subject: exec: Move would_dump into flush_old_exec
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit f87d1c9559164294040e58f5e3b74a162bf7c6e8 upstream.
+
+I goofed when I added mm->user_ns support to would_dump.  I missed the
+fact that in the case of binfmt_loader, binfmt_em86, binfmt_misc, and
+binfmt_script bprm->file is reassigned.  Which made the move of
+would_dump from setup_new_exec to __do_execve_file before exec_binprm
+incorrect as it can result in would_dump running on the script instead
+of the interpreter of the script.
+
+The net result is that the code stopped making unreadable interpreters
+undumpable.  Which allows them to be ptraced and written to disk
+without special permissions.  Oops.
+
+The move was necessary because the call in set_new_exec was after
+bprm->mm was no longer valid.
+
+To correct this mistake move the misplaced would_dump from
+__do_execve_file into flos_old_exec, before exec_mmap is called.
+
+I tested and confirmed that without this fix I can attach with gdb to
+a script with an unreadable interpreter, and with this fix I can not.
+
+Cc: stable@vger.kernel.org
+Fixes: f84df2a6f268 ("exec: Ensure mm->user_ns contains the execed files")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/exec.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1269,6 +1269,8 @@ int flush_old_exec(struct linux_binprm *
+        */
+       set_mm_exe_file(bprm->mm, bprm->file);
++      would_dump(bprm, bprm->file);
++
+       /*
+        * Release all of the old mmap stuff
+        */
+@@ -1814,8 +1816,6 @@ static int __do_execve_file(int fd, stru
+       if (retval < 0)
+               goto out;
+-      would_dump(bprm, bprm->file);
+-
+       retval = exec_binprm(bprm);
+       if (retval < 0)
+               goto out;
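Review bot: The new `would_dump(bprm, bprm->file);` in flush_old_exec() carries no comment, and the two ordering constraints that put it there — it must see the final bprm->file after any interpreter reassignment, and it must run before exec_mmap() while bprm->mm is still valid — are recorded only in the commit message. A short comment above the call would keep that invariant next to the code: `/* Must run before exec_mmap(), while bprm->mm is valid, and on the final bprm->file (binfmt_script and friends reassign it) */`. Both flush_old_exec() and __do_execve_file() extend beyond the hunks shown, so the relative order of set_mm_exe_file() and exec_mmap() is taken on trust from the context lines.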
index 0d60330be0a58b9c77ecfd7754118aa93ff37191..ebaa8a544238e77e4236b59b2cd1459fdf860328 100644 (file)
@@ -54,3 +54,14 @@ alsa-hda-realtek-limit-int-mic-boost-for-thinkpad-t530.patch
 alsa-rawmidi-fix-racy-buffer-resize-under-concurrent-accesses.patch
 alsa-usb-audio-add-control-message-quirk-delay-for-kingston-hyperx-headset.patch
 usb-core-hub-limit-hub_quirk_disable_autosuspend-to-usb5534b.patch
+usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch
+usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch
+usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch
+arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch
+arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch
+cifs-fix-leaked-reference-on-requeued-write.patch
+x86-fix-early-boot-crash-on-gcc-10-third-try.patch
+x86-unwind-orc-fix-error-handling-in-__unwind_start.patch
+exec-move-would_dump-into-flush_old_exec.patch
+clk-rockchip-fix-incorrect-configuration-of-rk3228-aclk_gpu-clocks.patch
+dwc3-remove-check-for-hwo-flag-in-dwc3_gadget_ep_reclaim_trb_sg.patch
diff --git a/queue-4.19/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch b/queue-4.19/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch
new file mode 100644 (file)
index 0000000..1973265
--- /dev/null
@@ -0,0 +1,75 @@
+From 15753588bcd4bbffae1cca33c8ced5722477fe1f Mon Sep 17 00:00:00 2001
+From: Kyungtae Kim <kt0755@gmail.com>
+Date: Sun, 10 May 2020 05:43:34 +0000
+Subject: USB: gadget: fix illegal array access in binding with UDC
+
+From: Kyungtae Kim <kt0755@gmail.com>
+
+commit 15753588bcd4bbffae1cca33c8ced5722477fe1f upstream.
+
+FuzzUSB (a variant of syzkaller) found an illegal array access
+using an incorrect index while binding a gadget with UDC.
+
+Reference: https://www.spinics.net/lists/linux-usb/msg194331.html
+
+This bug occurs when a size variable used for a buffer
+is misused to access its strcpy-ed buffer.
+Given a buffer along with its size variable (taken from user input),
+from which, a new buffer is created using kstrdup().
+Due to the original buffer containing 0 value in the middle,
+the size of the kstrdup-ed buffer becomes smaller than that of the original.
+So accessing the kstrdup-ed buffer with the same size variable
+triggers memory access violation.
+
+The fix makes sure no zero value in the buffer,
+by comparing the strlen() of the orignal buffer with the size variable,
+so that the access to the kstrdup-ed buffer is safe.
+
+BUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200
+drivers/usb/gadget/configfs.c:266
+Read of size 1 at addr ffff88806a55dd7e by task syz-executor.0/17208
+
+CPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xce/0x128 lib/dump_stack.c:118
+ print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
+ __kasan_report+0x131/0x1b0 mm/kasan/report.c:506
+ kasan_report+0x12/0x20 mm/kasan/common.c:641
+ __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
+ gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266
+ flush_write_buffer fs/configfs/file.c:251 [inline]
+ configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283
+ __vfs_write+0x85/0x110 fs/read_write.c:494
+ vfs_write+0x1cd/0x510 fs/read_write.c:558
+ ksys_write+0x18a/0x220 fs/read_write.c:611
+ __do_sys_write fs/read_write.c:623 [inline]
+ __se_sys_write fs/read_write.c:620 [inline]
+ __x64_sys_write+0x73/0xb0 fs/read_write.c:620
+ do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Signed-off-by: Kyungtae Kim <kt0755@gmail.com>
+Reported-and-tested-by: Kyungtae Kim <kt0755@gmail.com>
+Cc: Felipe Balbi <balbi@kernel.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200510054326.GA19198@pizza01
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/configfs.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -260,6 +260,9 @@ static ssize_t gadget_dev_desc_UDC_store
+       char *name;
+       int ret;
++      if (strlen(page) < len)
++              return -EOVERFLOW;
++
+       name = kstrdup(page, GFP_KERNEL);
+       if (!name)
+               return -ENOMEM;
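Review bot: The added `if (strlen(page) < len) return -EOVERFLOW;` at the top of gadget_dev_desc_UDC_store() depends on `page` being NUL-terminated within `len` bytes for strlen() to be bounded; configfs presumably terminates the write buffer before calling the store hook, but nothing at this site says so. If that guarantee holds (confirm in fs/configfs/file.c), a comment would make the invariant and the intent explicit: `/* page is NUL-terminated by configfs; an embedded NUL would make the kstrdup() copy shorter than len */`. An embedded NUL is the only way strlen(page) can be smaller than len, so the test is the right shape; -EOVERFLOW is an unusual errno for malformed input where -EINVAL is the common choice, which is a matter of style. The remainder of the function, which indexes the kstrdup()'d copy by len, lies outside the hunk, so the check's placement before any use of `name` should be verified there.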
diff --git a/queue-4.19/usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch b/queue-4.19/usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch
new file mode 100644 (file)
index 0000000..a4f73ad
--- /dev/null
@@ -0,0 +1,135 @@
+From 1449cb2c2253d37d998c3714aa9b95416d16d379 Mon Sep 17 00:00:00 2001
+From: Li Jun <jun.li@nxp.com>
+Date: Thu, 14 May 2020 14:04:32 +0300
+Subject: usb: host: xhci-plat: keep runtime active when removing host
+
+From: Li Jun <jun.li@nxp.com>
+
+commit 1449cb2c2253d37d998c3714aa9b95416d16d379 upstream.
+
+While removing the host (e.g. for USB role switch from host to device),
+if runtime pm is enabled by user, below oops occurs on dwc3 and cdns3
+platforms.
+Keeping the xhci-plat device active during host removal, and disabling
+runtime pm before calling pm_runtime_set_suspended() fixes them.
+
+oops1:
+Unable to handle kernel NULL pointer dereference at virtual address
+0000000000000240
+Internal error: Oops: 96000004 [#1] PREEMPT SMP
+Modules linked in:
+CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.4.3-00107-g64d454a-dirty
+Hardware name: FSL i.MX8MP EVK (DT)
+Workqueue: pm pm_runtime_work
+pstate: 60000005 (nZCv daif -PAN -UAO)
+pc : xhci_suspend+0x34/0x698
+lr : xhci_plat_runtime_suspend+0x2c/0x38
+sp : ffff800011ddbbc0
+Call trace:
+ xhci_suspend+0x34/0x698
+ xhci_plat_runtime_suspend+0x2c/0x38
+ pm_generic_runtime_suspend+0x28/0x40
+ __rpm_callback+0xd8/0x138
+ rpm_callback+0x24/0x98
+ rpm_suspend+0xe0/0x448
+ rpm_idle+0x124/0x140
+ pm_runtime_work+0xa0/0xf8
+ process_one_work+0x1dc/0x370
+ worker_thread+0x48/0x468
+ kthread+0xf0/0x120
+ ret_from_fork+0x10/0x1c
+
+oops2:
+usb 2-1: USB disconnect, device number 2
+xhci-hcd xhci-hcd.1.auto: remove, state 4
+usb usb2: USB disconnect, device number 1
+xhci-hcd xhci-hcd.1.auto: USB bus 2 deregistered
+xhci-hcd xhci-hcd.1.auto: remove, state 4
+usb usb1: USB disconnect, device number 1
+Unable to handle kernel NULL pointer dereference at virtual address
+0000000000000138
+Internal error: Oops: 96000004 [#1] PREEMPT SMP
+Modules linked in:
+CPU: 2 PID: 7 Comm: kworker/u8:0 Not tainted 5.6.0-rc4-next-20200304-03578
+Hardware name: Freescale i.MX8QXP MEK (DT)
+Workqueue: 1-0050 tcpm_state_machine_work
+pstate: 20000005 (nzCv daif -PAN -UAO)
+pc : xhci_free_dev+0x214/0x270
+lr : xhci_plat_runtime_resume+0x78/0x88
+sp : ffff80001006b5b0
+Call trace:
+ xhci_free_dev+0x214/0x270
+ xhci_plat_runtime_resume+0x78/0x88
+ pm_generic_runtime_resume+0x30/0x48
+ __rpm_callback+0x90/0x148
+ rpm_callback+0x28/0x88
+ rpm_resume+0x568/0x758
+ rpm_resume+0x260/0x758
+ rpm_resume+0x260/0x758
+ __pm_runtime_resume+0x40/0x88
+ device_release_driver_internal+0xa0/0x1c8
+ device_release_driver+0x1c/0x28
+ bus_remove_device+0xd4/0x158
+ device_del+0x15c/0x3a0
+ usb_disable_device+0xb0/0x268
+ usb_disconnect+0xcc/0x300
+ usb_remove_hcd+0xf4/0x1dc
+ xhci_plat_remove+0x78/0xe0
+ platform_drv_remove+0x30/0x50
+ device_release_driver_internal+0xfc/0x1c8
+ device_release_driver+0x1c/0x28
+ bus_remove_device+0xd4/0x158
+ device_del+0x15c/0x3a0
+ platform_device_del.part.0+0x20/0x90
+ platform_device_unregister+0x28/0x40
+ cdns3_host_exit+0x20/0x40
+ cdns3_role_stop+0x60/0x90
+ cdns3_role_set+0x64/0xd8
+ usb_role_switch_set_role.part.0+0x3c/0x68
+ usb_role_switch_set_role+0x20/0x30
+ tcpm_mux_set+0x60/0xf8
+ tcpm_reset_port+0xa4/0xf0
+ tcpm_detach.part.0+0x28/0x50
+ tcpm_state_machine_work+0x12ac/0x2360
+ process_one_work+0x1c8/0x470
+ worker_thread+0x50/0x428
+ kthread+0xfc/0x128
+ ret_from_fork+0x10/0x18
+Code: c8037c02 35ffffa3 17ffe7c3 f9800011 (c85f7c01)
+---[ end trace 45b1a173d2679e44 ]---
+
+[minor commit message cleanup  -Mathias]
+Cc: Baolin Wang <baolin.wang@linaro.org>
+Cc: <stable@vger.kernel.org>
+Fixes: b0c69b4bace3 ("usb: host: plat: Enable xHCI plat runtime PM")
+Reviewed-by: Peter Chen <peter.chen@nxp.com>
+Tested-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Li Jun <jun.li@nxp.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20200514110432.25564-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-plat.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -361,6 +361,7 @@ static int xhci_plat_remove(struct platf
+       struct clk *reg_clk = xhci->reg_clk;
+       struct usb_hcd *shared_hcd = xhci->shared_hcd;
++      pm_runtime_get_sync(&dev->dev);
+       xhci->xhc_state |= XHCI_STATE_REMOVING;
+       usb_remove_hcd(shared_hcd);
+@@ -374,8 +375,9 @@ static int xhci_plat_remove(struct platf
+       clk_disable_unprepare(reg_clk);
+       usb_put_hcd(hcd);
+-      pm_runtime_set_suspended(&dev->dev);
+       pm_runtime_disable(&dev->dev);
++      pm_runtime_put_noidle(&dev->dev);
++      pm_runtime_set_suspended(&dev->dev);
+       return 0;
+ }
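Review bot: The return value of the added `pm_runtime_get_sync(&dev->dev);` is ignored; that is acceptable here because the usage counter is raised even when the resume callback fails and the new `pm_runtime_put_noidle(&dev->dev);` balances it, but a comment would record the pairing: `/* keep the device active during teardown; paired with pm_runtime_put_noidle() below */`. The reordering of pm_runtime_disable() ahead of pm_runtime_set_suspended() is likewise explained only in the commit message; a one-liner on the pm_runtime_set_suspended() line, `/* update state only after runtime PM is disabled */`, saves the next reader a trip to the log. xhci_plat_remove() starts outside the hunk.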
diff --git a/queue-4.19/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch b/queue-4.19/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch
new file mode 100644 (file)
index 0000000..e438a7b
--- /dev/null
@@ -0,0 +1,74 @@
+From 3c6f8cb92c9178fc0c66b580ea3df1fa3ac1155a Mon Sep 17 00:00:00 2001
+From: Sriharsha Allenki <sallenki@codeaurora.org>
+Date: Thu, 14 May 2020 14:04:31 +0300
+Subject: usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list
+
+From: Sriharsha Allenki <sallenki@codeaurora.org>
+
+commit 3c6f8cb92c9178fc0c66b580ea3df1fa3ac1155a upstream.
+
+On platforms with IOMMU enabled, multiple SGs can be coalesced into one
+by the IOMMU driver. In that case the SG list processing as part of the
+completion of a urb on a bulk endpoint can result into a NULL pointer
+dereference with the below stack dump.
+
+<6> Unable to handle kernel NULL pointer dereference at virtual address 0000000c
+<6> pgd = c0004000
+<6> [0000000c] *pgd=00000000
+<6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+<2> PC is at xhci_queue_bulk_tx+0x454/0x80c
+<2> LR is at xhci_queue_bulk_tx+0x44c/0x80c
+<2> pc : [<c08907c4>]    lr : [<c08907bc>]    psr: 000000d3
+<2> sp : ca337c80  ip : 00000000  fp : ffffffff
+<2> r10: 00000000  r9 : 50037000  r8 : 00004000
+<2> r7 : 00000000  r6 : 00004000  r5 : 00000000  r4 : 00000000
+<2> r3 : 00000000  r2 : 00000082  r1 : c2c1a200  r0 : 00000000
+<2> Flags: nzcv  IRQs off  FIQs off  Mode SVC_32  ISA ARM  Segment none
+<2> Control: 10c0383d  Table: b412c06a  DAC: 00000051
+<6> Process usb-storage (pid: 5961, stack limit = 0xca336210)
+<snip>
+<2> [<c08907c4>] (xhci_queue_bulk_tx)
+<2> [<c0881b3c>] (xhci_urb_enqueue)
+<2> [<c0831068>] (usb_hcd_submit_urb)
+<2> [<c08350b4>] (usb_sg_wait)
+<2> [<c089f384>] (usb_stor_bulk_transfer_sglist)
+<2> [<c089f2c0>] (usb_stor_bulk_srb)
+<2> [<c089fe38>] (usb_stor_Bulk_transport)
+<2> [<c089f468>] (usb_stor_invoke_transport)
+<2> [<c08a11b4>] (usb_stor_control_thread)
+<2> [<c014a534>] (kthread)
+
+The above NULL pointer dereference is the result of block_len and the
+sent_len set to zero after the first SG of the list when IOMMU driver
+is enabled. Because of this the loop of processing the SGs has run
+more than num_sgs which resulted in a sg_next on the last SG of the
+list which has SG_END set.
+
+Fix this by check for the sg before any attributes of the sg are
+accessed.
+
+[modified reason for null pointer dereference in commit message subject -Mathias]
+Fixes: f9c589e142d04 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20200514110432.25564-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -3331,8 +3331,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd *
+                       /* New sg entry */
+                       --num_sgs;
+                       sent_len -= block_len;
+-                      if (num_sgs != 0) {
+-                              sg = sg_next(sg);
++                      sg = sg_next(sg);
++                      if (num_sgs != 0 && sg) {
+                               block_len = sg_dma_len(sg);
+                               addr = (u64) sg_dma_address(sg);
+                               addr += sent_len;
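Review bot: The new `if (num_sgs != 0 && sg)` silently skips the block when the list ends early, and the reason — the IOMMU may have coalesced entries, so the sg chain can end before num_sgs reaches zero — is recorded only in the commit message; a comment on that line would help: `/* sg may end before num_sgs does when the IOMMU coalesced entries */`. In the skipped case block_len and addr keep their previous values, and whether the enclosing loop in xhci_queue_bulk_tx() then terminates depends on code outside the hunk, which starts and ends beyond what is shown. Calling sg_next() unconditionally before the check is safe because sg_next() returns NULL on the last entry, which is exactly what the new `&& sg` guards against.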
diff --git a/queue-4.19/x86-fix-early-boot-crash-on-gcc-10-third-try.patch b/queue-4.19/x86-fix-early-boot-crash-on-gcc-10-third-try.patch
new file mode 100644 (file)
index 0000000..df7fb67
--- /dev/null
@@ -0,0 +1,144 @@
+From a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Wed, 22 Apr 2020 18:11:30 +0200
+Subject: x86: Fix early boot crash on gcc-10, third try
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov <bp@suse.de>
+
+commit a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e upstream.
+
+... or the odyssey of trying to disable the stack protector for the
+function which generates the stack canary value.
+
+The whole story started with Sergei reporting a boot crash with a kernel
+built with gcc-10:
+
+  Kernel panic — not syncing: stack-protector: Kernel stack is corrupted in: start_secondary
+  CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5—00235—gfffb08b37df9 #139
+  Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M—D3H, BIOS F12 11/14/2013
+  Call Trace:
+    dump_stack
+    panic
+    ? start_secondary
+    __stack_chk_fail
+    start_secondary
+    secondary_startup_64
+  -—-[ end Kernel panic — not syncing: stack—protector: Kernel stack is corrupted in: start_secondary
+
+This happens because gcc-10 tail-call optimizes the last function call
+in start_secondary() - cpu_startup_entry() - and thus emits a stack
+canary check which fails because the canary value changes after the
+boot_init_stack_canary() call.
+
+To fix that, the initial attempt was to mark the one function which
+generates the stack canary with:
+
+  __attribute__((optimize("-fno-stack-protector"))) ... start_secondary(void *unused)
+
+however, using the optimize attribute doesn't work cumulatively
+as the attribute does not add to but rather replaces previously
+supplied optimization options - roughly all -fxxx options.
+
+The key one among them being -fno-omit-frame-pointer and thus leading to
+not present frame pointer - frame pointer which the kernel needs.
+
+The next attempt to prevent compilers from tail-call optimizing
+the last function call cpu_startup_entry(), shy of carving out
+start_secondary() into a separate compilation unit and building it with
+-fno-stack-protector, was to add an empty asm("").
+
+This current solution was short and sweet, and reportedly, is supported
+by both compilers but we didn't get very far this time: future (LTO?)
+optimization passes could potentially eliminate this, which leads us
+to the third attempt: having an actual memory barrier there which the
+compiler cannot ignore or move around etc.
+
+That should hold for a long time, but hey we said that about the other
+two solutions too so...
+
+Reported-by: Sergei Trofimovich <slyfox@gentoo.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Tested-by: Kalle Valo <kvalo@codeaurora.org>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20200314164451.346497-1-slyfox@gentoo.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/stackprotector.h |    7 ++++++-
+ arch/x86/kernel/smpboot.c             |    8 ++++++++
+ arch/x86/xen/smp_pv.c                 |    1 +
+ include/linux/compiler.h              |    6 ++++++
+ init/main.c                           |    2 ++
+ 5 files changed, 23 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/stackprotector.h
++++ b/arch/x86/include/asm/stackprotector.h
+@@ -55,8 +55,13 @@
+ /*
+  * Initialize the stackprotector canary value.
+  *
+- * NOTE: this must only be called from functions that never return,
++ * NOTE: this must only be called from functions that never return
+  * and it must always be inlined.
++ *
++ * In addition, it should be called from a compilation unit for which
++ * stack protector is disabled. Alternatively, the caller should not end
++ * with a function call which gets tail-call optimized as that would
++ * lead to checking a modified canary value.
+  */
+ static __always_inline void boot_init_stack_canary(void)
+ {
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -269,6 +269,14 @@ static void notrace start_secondary(void
+       wmb();
+       cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
++
++      /*
++       * Prevent tail call to cpu_startup_entry() because the stack protector
++       * guard has been changed a couple of function calls up, in
++       * boot_init_stack_canary() and must not be checked before tail calling
++       * another function.
++       */
++      prevent_tail_call_optimization();
+ }
+ /**
+--- a/arch/x86/xen/smp_pv.c
++++ b/arch/x86/xen/smp_pv.c
+@@ -89,6 +89,7 @@ asmlinkage __visible void cpu_bringup_an
+ {
+       cpu_bringup();
+       cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
++      prevent_tail_call_optimization();
+ }
+ void xen_smp_intr_free_pv(unsigned int cpu)
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -351,4 +351,10 @@ static inline void *offset_to_ptr(const
+       compiletime_assert(__native_word(t),                            \
+               "Need native word sized stores/loads for atomicity.")
++/*
++ * This is needed in functions which generate the stack canary, see
++ * arch/x86/kernel/smpboot.c::start_secondary() for an example.
++ */
++#define prevent_tail_call_optimization()      mb()
++
+ #endif /* __LINUX_COMPILER_H */
+--- a/init/main.c
++++ b/init/main.c
+@@ -735,6 +735,8 @@ asmlinkage __visible void __init start_k
+       /* Do the rest non-__init'ed, we're now alive */
+       rest_init();
++
++      prevent_tail_call_optimization();
+ }
+ /* Call all constructor functions linked into the kernel. */
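Review bot: The `prevent_tail_call_optimization()` calls added to arch/x86/xen/smp_pv.c and init/main.c carry no comment, whereas the smpboot.c hunk explains why the call is there; a bare barrier placed after a call that never returns reads as dead code and is likely to be removed by a later cleanup. Suggest the same one-line pointer at both sites, e.g. `/* See start_secondary(): the canary was changed above, no tail call allowed. */`. The include/linux/compiler.h definition could also state the mechanism instead of only naming an example: `/* Code after the call keeps it from being emitted as a tail call, so the epilogue canary check is never reached. */` — as the commit message explains, that check would compare against the value boot_init_stack_canary() has just replaced. Whether `mb()` can never be hoisted above the preceding call is presumably a property of each architecture's barrier definition; that assumption is worth recording in the same comment.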
diff --git a/queue-4.19/x86-unwind-orc-fix-error-handling-in-__unwind_start.patch b/queue-4.19/x86-unwind-orc-fix-error-handling-in-__unwind_start.patch
new file mode 100644 (file)
index 0000000..a96e57c
--- /dev/null
@@ -0,0 +1,81 @@
+From 71c95825289f585014fe9741b051d32a7a916680 Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Thu, 14 May 2020 15:31:10 -0500
+Subject: x86/unwind/orc: Fix error handling in __unwind_start()
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+commit 71c95825289f585014fe9741b051d32a7a916680 upstream.
+
+The unwind_state 'error' field is used to inform the reliable unwinding
+code that the stack trace can't be trusted.  Set this field for all
+errors in __unwind_start().
+
+Also, move the zeroing out of the unwind_state struct to before the ORC
+table initialization check, to prevent the caller from reading
+uninitialized data if the ORC table is corrupted.
+
+Fixes: af085d9084b4 ("stacktrace/x86: add function for detecting reliable stack traces")
+Fixes: d3a09104018c ("x86/unwinder/orc: Dont bail on stack overflow")
+Fixes: 98d0c8ebf77e ("x86/unwind/orc: Prevent unwinding before ORC initialization")
+Reported-by: Pavel Machek <pavel@denx.de>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/d6ac7215a84ca92b895fdd2e1aa546729417e6e6.1589487277.git.jpoimboe@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/unwind_orc.c |   16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kernel/unwind_orc.c
++++ b/arch/x86/kernel/unwind_orc.c
+@@ -589,23 +589,23 @@ EXPORT_SYMBOL_GPL(unwind_next_frame);
+ void __unwind_start(struct unwind_state *state, struct task_struct *task,
+                   struct pt_regs *regs, unsigned long *first_frame)
+ {
+-      if (!orc_init)
+-              goto done;
+-
+       memset(state, 0, sizeof(*state));
+       state->task = task;
++      if (!orc_init)
++              goto err;
++
+       /*
+        * Refuse to unwind the stack of a task while it's executing on another
+        * CPU.  This check is racy, but that's ok: the unwinder has other
+        * checks to prevent it from going off the rails.
+        */
+       if (task_on_another_cpu(task))
+-              goto done;
++              goto err;
+       if (regs) {
+               if (user_mode(regs))
+-                      goto done;
++                      goto the_end;
+               state->ip = regs->ip;
+               state->sp = kernel_stack_pointer(regs);
+@@ -638,6 +638,7 @@ void __unwind_start(struct unwind_state
+                * generate some kind of backtrace if this happens.
+                */
+               void *next_page = (void *)PAGE_ALIGN((unsigned long)state->sp);
++              state->error = true;
+               if (get_stack_info(next_page, state->task, &state->stack_info,
+                                  &state->stack_mask))
+                       return;
+@@ -663,8 +664,9 @@ void __unwind_start(struct unwind_state
+       return;
+-done:
++err:
++      state->error = true;
++the_end:
+       state->stack_info.type = STACK_TYPE_UNKNOWN;
+-      return;
+ }
+ EXPORT_SYMBOL_GPL(__unwind_start);
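Review bot: The early `return;` after the `get_stack_info()` failure check (the hunk at `@@ -638,6 +638,7 @@`) is now the only bail-out in `__unwind_start()` that does not pass through `err:`/`the_end:`, so it relies on the earlier memset having left `state->stack_info.type` equal to `STACK_TYPE_UNKNOWN` (or on get_stack_info() resetting the type itself on failure) — presumably true, but implicit. Replacing that line with `goto the_end;` makes the type assignment explicit on every exit and preserves the `state->error = true` set on the line just before it. The function starts in the first nested hunk and its three hunks all lie within the patch, but the `if (regs)` branch between them is not shown, so any further exits there may deserve the same treatment.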