4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 31 Oct 2020 10:23:36 +0000 (11:23 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 31 Oct 2020 10:23:36 +0000 (11:23 +0100)
added patches:
arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch
ata-sata_rcar-fix-dma-boundary-mask.patch
fuse-fix-page-dereference-after-free.patch
mtd-lpddr-fix-bad-logic-in-print_drs_error.patch
p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch

queue-4.9/arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch [new file with mode: 0644]
queue-4.9/ata-sata_rcar-fix-dma-boundary-mask.patch [new file with mode: 0644]
queue-4.9/fuse-fix-page-dereference-after-free.patch [new file with mode: 0644]
queue-4.9/mtd-lpddr-fix-bad-logic-in-print_drs_error.patch [new file with mode: 0644]
queue-4.9/p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch b/queue-4.9/arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch
new file mode 100644 (file)
index 0000000..ca3f7de
--- /dev/null
@@ -0,0 +1,76 @@
+From 221bfce5ebbdf72ff08b3bf2510ae81058ee568b Mon Sep 17 00:00:00 2001
+From: Kim Phillips <kim.phillips@amd.com>
+Date: Tue, 8 Sep 2020 16:47:36 -0500
+Subject: arch/x86/amd/ibs: Fix re-arming IBS Fetch
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+commit 221bfce5ebbdf72ff08b3bf2510ae81058ee568b upstream.
+
+Stephane Eranian found a bug in that IBS' current Fetch counter was not
+being reset when the driver would write the new value to clear it along
+with the enable bit set, and found that adding an MSR write that would
+first disable IBS Fetch would make IBS Fetch reset its current count.
+
+Indeed, the PPR for AMD Family 17h Model 31h B0 55803 Rev 0.54 - Sep 12,
+2019 states "The periodic fetch counter is set to IbsFetchCnt [...] when
+IbsFetchEn is changed from 0 to 1."
+
+Explicitly set IbsFetchEn to 0 and then to 1 when re-enabling IBS Fetch,
+so the driver properly resets the internal counter to 0 and IBS
+Fetch starts counting again.
+
+A family 15h machine tested does not have this problem, and the extra
+wrmsr is also not needed on Family 19h, so only do the extra wrmsr on
+families 16h through 18h.
+
+Reported-by: Stephane Eranian <stephane.eranian@google.com>
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+[peterz: optimized]
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/amd/ibs.c |   15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/events/amd/ibs.c
++++ b/arch/x86/events/amd/ibs.c
+@@ -88,6 +88,7 @@ struct perf_ibs {
+       u64                             max_period;
+       unsigned long                   offset_mask[1];
+       int                             offset_max;
++      unsigned int                    fetch_count_reset_broken : 1;
+       struct cpu_perf_ibs __percpu    *pcpu;
+       struct attribute                **format_attrs;
+@@ -374,7 +375,12 @@ perf_ibs_event_update(struct perf_ibs *p
+ static inline void perf_ibs_enable_event(struct perf_ibs *perf_ibs,
+                                        struct hw_perf_event *hwc, u64 config)
+ {
+-      wrmsrl(hwc->config_base, hwc->config | config | perf_ibs->enable_mask);
++      u64 tmp = hwc->config | config;
++
++      if (perf_ibs->fetch_count_reset_broken)
++              wrmsrl(hwc->config_base, tmp & ~perf_ibs->enable_mask);
++
++      wrmsrl(hwc->config_base, tmp | perf_ibs->enable_mask);
+ }
+ /*
+@@ -743,6 +749,13 @@ static __init void perf_event_ibs_init(v
+ {
+       struct attribute **attr = ibs_op_format_attrs;
++      /*
++       * Some chips fail to reset the fetch count when it is written; instead
++       * they need a 0-1 transition of IbsFetchEn.
++       */
++      if (boot_cpu_data.x86 >= 0x16 && boot_cpu_data.x86 <= 0x18)
++              perf_ibs_fetch.fetch_count_reset_broken = 1;
++
+       perf_ibs_pmu_init(&perf_ibs_fetch, "ibs_fetch");
+       if (ibs_caps & IBS_CAPS_OPCNT) {
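Review bot: The disable-then-enable pair in `perf_ibs_enable_event()` has no comment at the write site, so the first `wrmsrl()` reads as redundant and is at risk of being removed in a later cleanup. The explanation sits only in `perf_event_ibs_init()`; I would add above the conditional `/* IbsFetchCnt is reloaded only on a 0->1 transition of IbsFetchEn, so clear the enable bit first */`. The new bitfield `fetch_count_reset_broken` in `struct perf_ibs` would also benefit from a one-line comment saying it is set at init for families 16h through 18h. Both `struct perf_ibs` and `perf_event_ibs_init()` continue outside the hunks shown.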
diff --git a/queue-4.9/ata-sata_rcar-fix-dma-boundary-mask.patch b/queue-4.9/ata-sata_rcar-fix-dma-boundary-mask.patch
new file mode 100644 (file)
index 0000000..7282da1
--- /dev/null
@@ -0,0 +1,70 @@
+From df9c590986fdb6db9d5636d6cd93bc919c01b451 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Thu, 17 Sep 2020 15:09:20 +0200
+Subject: ata: sata_rcar: Fix DMA boundary mask
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit df9c590986fdb6db9d5636d6cd93bc919c01b451 upstream.
+
+Before commit 9495b7e92f716ab2 ("driver core: platform: Initialize
+dma_parms for platform devices"), the R-Car SATA device didn't have DMA
+parameters.  Hence the DMA boundary mask supplied by its driver was
+silently ignored, as __scsi_init_queue() doesn't check the return value
+of dma_set_seg_boundary(), and the default value of 0xffffffff was used.
+
+Now the device has gained DMA parameters, the driver-supplied value is
+used, and the following warning is printed on Salvator-XS:
+
+    DMA-API: sata_rcar ee300000.sata: mapping sg segment across boundary [start=0x00000000ffffe000] [end=0x00000000ffffefff] [boundary=0x000000001ffffffe]
+    WARNING: CPU: 5 PID: 38 at kernel/dma/debug.c:1233 debug_dma_map_sg+0x298/0x300
+
+(the range of start/end values depend on whether IOMMU support is
+ enabled or not)
+
+The issue here is that SATA_RCAR_DMA_BOUNDARY doesn't have bit 0 set, so
+any typical end value, which is odd, will trigger the check.
+
+Fix this by increasing the DMA boundary value by 1.
+
+This also fixes the following WRITE DMA EXT timeout issue:
+
+    # dd if=/dev/urandom of=/mnt/de1/file1-1024M bs=1M count=1024
+    ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
+    ata1.00: failed command: WRITE DMA EXT
+    ata1.00: cmd 35/00:00:00:e6:0c/00:0a:00:00:00/e0 tag 0 dma 1310720 out
+    res 40/00:01:00:00:00/00:00:00:00:00/00 Emask 0x4 (timeout)
+    ata1.00: status: { DRDY }
+
+as seen by Shimoda-san since commit 429120f3df2dba2b ("block: fix
+splitting segments on boundary masks").
+
+Fixes: 8bfbeed58665dbbf ("sata_rcar: correct 'sata_rcar_sht'")
+Fixes: 9495b7e92f716ab2 ("driver core: platform: Initialize dma_parms for platform devices")
+Fixes: 429120f3df2dba2b ("block: fix splitting segments on boundary masks")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Tested-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/sata_rcar.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/sata_rcar.c
++++ b/drivers/ata/sata_rcar.c
+@@ -122,7 +122,7 @@
+ /* Descriptor table word 0 bit (when DTA32M = 1) */
+ #define SATA_RCAR_DTEND                       BIT(0)
+-#define SATA_RCAR_DMA_BOUNDARY                0x1FFFFFFEUL
++#define SATA_RCAR_DMA_BOUNDARY                0x1FFFFFFFUL
+ /* Gen2 Physical Layer Control Registers */
+ #define RCAR_GEN2_PHY_CTL1_REG                0x1704
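Review bot: `SATA_RCAR_DMA_BOUNDARY` carries no comment saying it is consumed as a segment boundary mask, which is what let the old value with bit 0 clear look plausible. A short comment on the define, for example `/* DMA segment boundary mask: all low bits must be set */`, would keep the constraint next to the value. The comment on the line above describes `SATA_RCAR_DTEND`, not this define, so the two are easy to associate by mistake.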
diff --git a/queue-4.9/fuse-fix-page-dereference-after-free.patch b/queue-4.9/fuse-fix-page-dereference-after-free.patch
new file mode 100644 (file)
index 0000000..6e9cd70
--- /dev/null
@@ -0,0 +1,111 @@
+From d78092e4937de9ce55edcb4ee4c5e3c707be0190 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 18 Sep 2020 10:36:50 +0200
+Subject: fuse: fix page dereference after free
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit d78092e4937de9ce55edcb4ee4c5e3c707be0190 upstream.
+
+After unlock_request() pages from the ap->pages[] array may be put (e.g. by
+aborting the connection) and the pages can be freed.
+
+Prevent use after free by grabbing a reference to the page before calling
+unlock_request().
+
+The original patch was created by Pradeep P V K.
+
+Reported-by: Pradeep P V K <ppvk@codeaurora.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c |   28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -846,15 +846,16 @@ static int fuse_try_move_page(struct fus
+       struct page *newpage;
+       struct pipe_buffer *buf = cs->pipebufs;
++      get_page(oldpage);
+       err = unlock_request(cs->req);
+       if (err)
+-              return err;
++              goto out_put_old;
+       fuse_copy_finish(cs);
+       err = pipe_buf_confirm(cs->pipe, buf);
+       if (err)
+-              return err;
++              goto out_put_old;
+       BUG_ON(!cs->nr_segs);
+       cs->currbuf = buf;
+@@ -894,7 +895,7 @@ static int fuse_try_move_page(struct fus
+       err = replace_page_cache_page(oldpage, newpage, GFP_KERNEL);
+       if (err) {
+               unlock_page(newpage);
+-              return err;
++              goto out_put_old;
+       }
+       get_page(newpage);
+@@ -913,14 +914,19 @@ static int fuse_try_move_page(struct fus
+       if (err) {
+               unlock_page(newpage);
+               put_page(newpage);
+-              return err;
++              goto out_put_old;
+       }
+       unlock_page(oldpage);
++      /* Drop ref for ap->pages[] array */
+       put_page(oldpage);
+       cs->len = 0;
+-      return 0;
++      err = 0;
++out_put_old:
++      /* Drop ref obtained in this function */
++      put_page(oldpage);
++      return err;
+ out_fallback_unlock:
+       unlock_page(newpage);
+@@ -929,10 +935,10 @@ out_fallback:
+       cs->offset = buf->offset;
+       err = lock_request(cs->req);
+-      if (err)
+-              return err;
++      if (!err)
++              err = 1;
+-      return 1;
++      goto out_put_old;
+ }
+ static int fuse_ref_page(struct fuse_copy_state *cs, struct page *page,
+@@ -944,14 +950,16 @@ static int fuse_ref_page(struct fuse_cop
+       if (cs->nr_segs == cs->pipe->buffers)
+               return -EIO;
++      get_page(page);
+       err = unlock_request(cs->req);
+-      if (err)
++      if (err) {
++              put_page(page);
+               return err;
++      }
+       fuse_copy_finish(cs);
+       buf = cs->pipebufs;
+-      get_page(page);
+       buf->page = page;
+       buf->offset = offset;
+       buf->len = count;
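Review bot: The reference taken by `get_page(oldpage)` is balanced only if every exit from `fuse_try_move_page()` reaches `out_put_old`, and the stretches between these hunks are not shown. The 4.9 copy should therefore be checked for any remaining direct `return`, which would leak the page reference. The added comment `/* Drop ref for ap->pages[] array */` uses the upstream wording; if the 4.9 tree holds the request pages under a different name (it may predate `ap`), the comment should name that array so the two `put_page(oldpage)` calls stay understandable. The backward `goto out_put_old` from `out_fallback` is easy to misread, and a comment there such as `/* fall back to copying; the local ref is still dropped at out_put_old */` would help. In `fuse_ref_page()` the `get_page(page)` before `unlock_request()` deserves a comment saying the page may be freed once the request is unlocked, since that ordering is the whole fix.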
diff --git a/queue-4.9/mtd-lpddr-fix-bad-logic-in-print_drs_error.patch b/queue-4.9/mtd-lpddr-fix-bad-logic-in-print_drs_error.patch
new file mode 100644 (file)
index 0000000..9245c39
--- /dev/null
@@ -0,0 +1,51 @@
+From 1c9c02bb22684f6949d2e7ddc0a3ff364fd5a6fc Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 27 Apr 2020 14:50:37 -0500
+Subject: mtd: lpddr: Fix bad logic in print_drs_error
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 1c9c02bb22684f6949d2e7ddc0a3ff364fd5a6fc upstream.
+
+Update logic for broken test. Use a more common logging style.
+
+It appears the logic in this function is broken for the
+consecutive tests of
+
+        if (prog_status & 0x3)
+                ...
+        else if (prog_status & 0x2)
+                ...
+        else (prog_status & 0x1)
+                ...
+
+Likely the first test should be
+
+        if ((prog_status & 0x3) == 0x3)
+
+Found by inspection of include files using printk.
+
+Fixes: eb3db27507f7 ("[MTD] LPDDR PFOW definition")
+Cc: stable@vger.kernel.org
+Reported-by: Joe Perches <joe@perches.com>
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/3fb0e29f5b601db8be2938a01d974b00c8788501.1588016644.git.gustavo@embeddedor.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/mtd/pfow.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/mtd/pfow.h
++++ b/include/linux/mtd/pfow.h
+@@ -127,7 +127,7 @@ static inline void print_drs_error(unsig
+       if (!(dsr & DSR_AVAILABLE))
+               printk(KERN_NOTICE"DSR.15: (0) Device not Available\n");
+-      if (prog_status & 0x03)
++      if ((prog_status & 0x03) == 0x03)
+               printk(KERN_NOTICE"DSR.9,8: (11) Attempt to program invalid "
+                                               "half with 41h command\n");
+       else if (prog_status & 0x02)
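Review bot: The description says "Use a more common logging style", but the hunk changes only the condition and leaves the `printk(KERN_NOTICE"..."` calls as they were, so the message and the diff disagree. If the logging change is wanted it would look like `pr_notice("DSR.9,8: (11) Attempt to program invalid half with 41h command\n");`; otherwise the sentence is misleading to anyone auditing the backport. The masks `0x03`, `0x02` and `0x01` would read better as named constants for the two DSR bits, since the original bug came from `& 0x03` being read as an equality test. `print_drs_error()` starts and ends outside the hunk.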
diff --git a/queue-4.9/p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch b/queue-4.9/p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch
new file mode 100644 (file)
index 0000000..a23a228
--- /dev/null
@@ -0,0 +1,56 @@
+From 478762855b5ae9f68fa6ead1edf7abada70fcd5f Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju@tsinghua.edu.cn>
+Date: Sun, 2 Aug 2020 21:29:49 +0800
+Subject: p54: avoid accessing the data mapped to streaming DMA
+
+From: Jia-Ju Bai <baijiaju@tsinghua.edu.cn>
+
+commit 478762855b5ae9f68fa6ead1edf7abada70fcd5f upstream.
+
+In p54p_tx(), skb->data is mapped to streaming DMA on line 337:
+  mapping = pci_map_single(..., skb->data, ...);
+
+Then skb->data is accessed on line 349:
+  desc->device_addr = ((struct p54_hdr *)skb->data)->req_id;
+
+This access may cause data inconsistency between CPU cache and hardware.
+
+To fix this problem, ((struct p54_hdr *)skb->data)->req_id is stored in
+a local variable before DMA mapping, and then the driver accesses this
+local variable instead of skb->data.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jia-Ju Bai <baijiaju@tsinghua.edu.cn>
+Acked-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200802132949.26788-1-baijiaju@tsinghua.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intersil/p54/p54pci.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intersil/p54/p54pci.c
++++ b/drivers/net/wireless/intersil/p54/p54pci.c
+@@ -332,10 +332,12 @@ static void p54p_tx(struct ieee80211_hw
+       struct p54p_desc *desc;
+       dma_addr_t mapping;
+       u32 idx, i;
++      __le32 device_addr;
+       spin_lock_irqsave(&priv->lock, flags);
+       idx = le32_to_cpu(ring_control->host_idx[1]);
+       i = idx % ARRAY_SIZE(ring_control->tx_data);
++      device_addr = ((struct p54_hdr *)skb->data)->req_id;
+       mapping = pci_map_single(priv->pdev, skb->data, skb->len,
+                                PCI_DMA_TODEVICE);
+@@ -349,7 +351,7 @@ static void p54p_tx(struct ieee80211_hw
+       desc = &ring_control->tx_data[i];
+       desc->host_addr = cpu_to_le32(mapping);
+-      desc->device_addr = ((struct p54_hdr *)skb->data)->req_id;
++      desc->device_addr = device_addr;
+       desc->len = cpu_to_le16(skb->len);
+       desc->flags = 0;
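Review bot: The early read of `req_id` into `device_addr` has no comment explaining why it must come before `pci_map_single()`, so a later cleanup could move it back beside the descriptor writes and reintroduce the access to mapped memory. I would add above the new assignment `/* read req_id before skb->data is mapped for streaming DMA; the CPU must not access the buffer after that */`. `p54p_tx()` starts and ends outside the hunks, so any other dereference of `skb->data` after the mapping cannot be ruled out from what is shown and is worth checking in the 4.9 tree.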
index 068533b2184d52565da7ca4d4795b0b7996d49db..2cafdd82dda7c9a9cb43f1b026d65d7144efa360 100644 (file)
@@ -4,3 +4,8 @@ powerpc-powernv-opal-dump-use-irq_handled-instead-of-numbers-in-interrupt-handle
 efivarfs-replace-invalid-slashes-with-exclamation-marks-in-dentries.patch
 ravb-fix-bit-fields-checking-in-ravb_hwtstamp_get.patch
 tipc-fix-memory-leak-caused-by-tipc_buf_append.patch
+arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch
+fuse-fix-page-dereference-after-free.patch
+p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch
+mtd-lpddr-fix-bad-logic-in-print_drs_error.patch
+ata-sata_rcar-fix-dma-boundary-mask.patch