]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
projects / thirdparty / kernel / stable-queue.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7691748)
5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 19 Aug 2020 13:33:38 +0000 (15:33 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 19 Aug 2020 13:33:38 +0000 (15:33 +0200)
added patches:
drm-imx-imx-ldb-disable-both-channels-for-split-mode-in-enc-disable.patch
module-correctly-truncate-sysfs-sections-output.patch
perf-intel-pt-fix-duplicate-branch-after-cbr.patch
perf-intel-pt-fix-fup-packet-state.patch
remoteproc-qcom-q6v5-update-running-state-before-requesting-stop.patch
remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch
remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch

queue-5.4/drm-imx-imx-ldb-disable-both-channels-for-split-mode-in-enc-disable.patch [new file with mode: 0644] patch | blob
queue-5.4/module-correctly-truncate-sysfs-sections-output.patch [new file with mode: 0644] patch | blob
queue-5.4/perf-intel-pt-fix-duplicate-branch-after-cbr.patch [new file with mode: 0644] patch | blob
queue-5.4/perf-intel-pt-fix-fup-packet-state.patch [new file with mode: 0644] patch | blob
queue-5.4/remoteproc-qcom-q6v5-update-running-state-before-requesting-stop.patch [new file with mode: 0644] patch | blob
queue-5.4/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch [new file with mode: 0644] patch | blob
queue-5.4/remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch [new file with mode: 0644] patch | blob
queue-5.4/series patch | blob | blame | history

diff --git a/queue-5.4/drm-imx-imx-ldb-disable-both-channels-for-split-mode-in-enc-disable.patch b/queue-5.4/drm-imx-imx-ldb-disable-both-channels-for-split-mode-in-enc-disable.patch
new file mode 100644 (file)
index 0000000..7b1cfd9
--- /dev/null
+++ b/queue-5.4/drm-imx-imx-ldb-disable-both-channels-for-split-mode-in-enc-disable.patch
@@ -0,0 +1,52 @@
+From 3b2a999582c467d1883716b37ffcc00178a13713 Mon Sep 17 00:00:00 2001
+From: Liu Ying <victor.liu@nxp.com>
+Date: Thu, 9 Jul 2020 10:28:52 +0800
+Subject: drm/imx: imx-ldb: Disable both channels for split mode in enc->disable()
+
+From: Liu Ying <victor.liu@nxp.com>
+
+commit 3b2a999582c467d1883716b37ffcc00178a13713 upstream.
+
+Both of the two LVDS channels should be disabled for split mode
+in the encoder's ->disable() callback, because they are enabled
+in the encoder's ->enable() callback.
+
+Fixes: 6556f7f82b9c ("drm: imx: Move imx-drm driver out of staging")
+Cc: Philipp Zabel <p.zabel@pengutronix.de>
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
+Cc: NXP Linux Team <linux-imx@nxp.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Liu Ying <victor.liu@nxp.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/imx/imx-ldb.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/imx/imx-ldb.c
++++ b/drivers/gpu/drm/imx/imx-ldb.c
+@@ -302,18 +302,19 @@ static void imx_ldb_encoder_disable(stru
+ {
+       struct imx_ldb_channel *imx_ldb_ch = enc_to_imx_ldb_ch(encoder);
+       struct imx_ldb *ldb = imx_ldb_ch->ldb;
++      int dual = ldb->ldb_ctrl & LDB_SPLIT_MODE_EN;
+       int mux, ret;
+       drm_panel_disable(imx_ldb_ch->panel);
+-      if (imx_ldb_ch == &ldb->channel[0])
++      if (imx_ldb_ch == &ldb->channel[0] || dual)
+               ldb->ldb_ctrl &= ~LDB_CH0_MODE_EN_MASK;
+-      else if (imx_ldb_ch == &ldb->channel[1])
++      if (imx_ldb_ch == &ldb->channel[1] || dual)
+               ldb->ldb_ctrl &= ~LDB_CH1_MODE_EN_MASK;
+       regmap_write(ldb->regmap, IOMUXC_GPR2, ldb->ldb_ctrl);
+-      if (ldb->ldb_ctrl & LDB_SPLIT_MODE_EN) {
++      if (dual) {
+               clk_disable_unprepare(ldb->clk[0]);
+               clk_disable_unprepare(ldb->clk[1]);
+       }
diff --git a/queue-5.4/module-correctly-truncate-sysfs-sections-output.patch b/queue-5.4/module-correctly-truncate-sysfs-sections-output.patch
new file mode 100644 (file)
index 0000000..da2bd27
--- /dev/null
+++ b/queue-5.4/module-correctly-truncate-sysfs-sections-output.patch
@@ -0,0 +1,77 @@
+From 11990a5bd7e558e9203c1070fc52fb6f0488e75b Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 6 Aug 2020 14:15:23 -0700
+Subject: module: Correctly truncate sysfs sections output
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 11990a5bd7e558e9203c1070fc52fb6f0488e75b upstream.
+
+The only-root-readable /sys/module/$module/sections/$section files
+did not truncate their output to the available buffer size. While most
+paths into the kernfs read handlers end up using PAGE_SIZE buffers,
+it's possible to get there through other paths (e.g. splice, sendfile).
+Actually limit the output to the "count" passed into the read function,
+and report it back correctly. *sigh*
+
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/lkml/20200805002015.GE23458@shao2-debian
+Fixes: ed66f991bb19 ("module: Refactor section attr into bin attribute")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Jessica Yu <jeyu@kernel.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/module.c |   22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -1517,18 +1517,34 @@ struct module_sect_attrs {
+       struct module_sect_attr attrs[0];
+ };
++#define MODULE_SECT_READ_SIZE (3 /* "0x", "\n" */ + (BITS_PER_LONG / 4))
+ static ssize_t module_sect_read(struct file *file, struct kobject *kobj,
+                               struct bin_attribute *battr,
+                               char *buf, loff_t pos, size_t count)
+ {
+       struct module_sect_attr *sattr =
+               container_of(battr, struct module_sect_attr, battr);
++      char bounce[MODULE_SECT_READ_SIZE + 1];
++      size_t wrote;
+       if (pos != 0)
+               return -EINVAL;
+-      return sprintf(buf, "0x%px\n",
+-                     kallsyms_show_value(file->f_cred) ? (void *)sattr->address : NULL);
++      /*
++       * Since we're a binary read handler, we must account for the
++       * trailing NUL byte that sprintf will write: if "buf" is
++       * too small to hold the NUL, or the NUL is exactly the last
++       * byte, the read will look like it got truncated by one byte.
++       * Since there is no way to ask sprintf nicely to not write
++       * the NUL, we have to use a bounce buffer.
++       */
++      wrote = scnprintf(bounce, sizeof(bounce), "0x%px\n",
++                       kallsyms_show_value(file->f_cred)
++                              ? (void *)sattr->address : NULL);
++      count = min(count, wrote);
++      memcpy(buf, bounce, count);
++
++      return count;
+ }
+ static void free_sect_attrs(struct module_sect_attrs *sect_attrs)
+@@ -1577,7 +1593,7 @@ static void add_sect_attrs(struct module
+                       goto out;
+               sect_attrs->nsections++;
+               sattr->battr.read = module_sect_read;
+-              sattr->battr.size = 3 /* "0x", "\n" */ + (BITS_PER_LONG / 4);
++              sattr->battr.size = MODULE_SECT_READ_SIZE;
+               sattr->battr.attr.mode = 0400;
+               *(gattr++) = &(sattr++)->battr;
+       }
diff --git a/queue-5.4/perf-intel-pt-fix-duplicate-branch-after-cbr.patch b/queue-5.4/perf-intel-pt-fix-duplicate-branch-after-cbr.patch
new file mode 100644 (file)
index 0000000..53c8b97
--- /dev/null
+++ b/queue-5.4/perf-intel-pt-fix-duplicate-branch-after-cbr.patch
@@ -0,0 +1,77 @@
+From a58a057ce65b52125dd355b7d8b0d540ea267a5f Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Fri, 10 Jul 2020 18:10:54 +0300
+Subject: perf intel-pt: Fix duplicate branch after CBR
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit a58a057ce65b52125dd355b7d8b0d540ea267a5f upstream.
+
+CBR events can result in a duplicate branch event, because the state
+type defaults to a branch. Fix by clearing the state type.
+
+Example: trace 'sleep' and hope for a frequency change
+
+ Before:
+
+   $ perf record -e intel_pt//u sleep 0.1
+   [ perf record: Woken up 1 times to write data ]
+   [ perf record: Captured and wrote 0.034 MB perf.data ]
+   $ perf script --itrace=bpe > before.txt
+
+ After:
+
+   $ perf script --itrace=bpe > after.txt
+   $ diff -u before.txt after.txt
+#  --- before.txt  2020-07-07 14:42:18.191508098 +0300
+#  +++ after.txt   2020-07-07 14:42:36.587891753 +0300
+   @@ -29673,7 +29673,6 @@
+               sleep 93431 [007] 15411.619905:          1  branches:u:                 0 [unknown] ([unknown]) =>     7f0818abb2e0 clock_nanosleep@@GLIBC_2.17+0x0 (/usr/lib/x86_64-linux-gnu/libc-2.31.so)
+               sleep 93431 [007] 15411.619905:          1  branches:u:      7f0818abb30c clock_nanosleep@@GLIBC_2.17+0x2c (/usr/lib/x86_64-linux-gnu/libc-2.31.so) =>                0 [unknown] ([unknown])
+               sleep 93431 [007] 15411.720069:         cbr:  cbr: 15 freq: 1507 MHz ( 56%)         7f0818abb30c clock_nanosleep@@GLIBC_2.17+0x2c (/usr/lib/x86_64-linux-gnu/libc-2.31.so)
+   -           sleep 93431 [007] 15411.720069:          1  branches:u:      7f0818abb30c clock_nanosleep@@GLIBC_2.17+0x2c (/usr/lib/x86_64-linux-gnu/libc-2.31.so) =>                0 [unknown] ([unknown])
+               sleep 93431 [007] 15411.720076:          1  branches:u:                 0 [unknown] ([unknown]) =>     7f0818abb30e clock_nanosleep@@GLIBC_2.17+0x2e (/usr/lib/x86_64-linux-gnu/libc-2.31.so)
+               sleep 93431 [007] 15411.720077:          1  branches:u:      7f0818abb323 clock_nanosleep@@GLIBC_2.17+0x43 (/usr/lib/x86_64-linux-gnu/libc-2.31.so) =>     7f0818ac0eb7 __nanosleep+0x17 (/usr/lib/x86_64-linux-gnu/libc-2.31.so)
+               sleep 93431 [007] 15411.720077:          1  branches:u:      7f0818ac0ebf __nanosleep+0x1f (/usr/lib/x86_64-linux-gnu/libc-2.31.so) =>     55cb7e4c2827 rpl_nanosleep+0x97 (/usr/bin/sleep)
+
+Fixes: 91de8684f1cff ("perf intel-pt: Cater for CBR change in PSB+")
+Fixes: abe5a1d3e4bee ("perf intel-pt: Decoder to output CBR changes immediately")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20200710151104.15137-3-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1977,8 +1977,10 @@ next:
+                        * possibility of another CBR change that gets caught up
+                        * in the PSB+.
+                        */
+-                      if (decoder->cbr != decoder->cbr_seen)
++                      if (decoder->cbr != decoder->cbr_seen) {
++                              decoder->state.type = 0;
+                               return 0;
++                      }
+                       break;
+               case INTEL_PT_PIP:
+@@ -2019,8 +2021,10 @@ next:
+               case INTEL_PT_CBR:
+                       intel_pt_calc_cbr(decoder);
+-                      if (decoder->cbr != decoder->cbr_seen)
++                      if (decoder->cbr != decoder->cbr_seen) {
++                              decoder->state.type = 0;
+                               return 0;
++                      }
+                       break;
+               case INTEL_PT_MODE_EXEC:
diff --git a/queue-5.4/perf-intel-pt-fix-fup-packet-state.patch b/queue-5.4/perf-intel-pt-fix-fup-packet-state.patch
new file mode 100644 (file)
index 0000000..7c80111
--- /dev/null
+++ b/queue-5.4/perf-intel-pt-fix-fup-packet-state.patch
@@ -0,0 +1,76 @@
+From 401136bb084fd021acd9f8c51b52fe0a25e326b2 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Fri, 10 Jul 2020 18:10:53 +0300
+Subject: perf intel-pt: Fix FUP packet state
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 401136bb084fd021acd9f8c51b52fe0a25e326b2 upstream.
+
+While walking code towards a FUP ip, the packet state is
+INTEL_PT_STATE_FUP or INTEL_PT_STATE_FUP_NO_TIP. That was mishandled
+resulting in the state becoming INTEL_PT_STATE_IN_SYNC prematurely.  The
+result was an occasional lost EXSTOP event.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20200710151104.15137-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c |   21 ++++++--------------
+ 1 file changed, 7 insertions(+), 14 deletions(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1164,6 +1164,7 @@ static int intel_pt_walk_fup(struct inte
+                       return 0;
+               if (err == -EAGAIN ||
+                   intel_pt_fup_with_nlip(decoder, &intel_pt_insn, ip, err)) {
++                      decoder->pkt_state = INTEL_PT_STATE_IN_SYNC;
+                       if (intel_pt_fup_event(decoder))
+                               return 0;
+                       return -EAGAIN;
+@@ -1942,17 +1943,13 @@ next:
+                       }
+                       if (decoder->set_fup_mwait)
+                               no_tip = true;
++                      if (no_tip)
++                              decoder->pkt_state = INTEL_PT_STATE_FUP_NO_TIP;
++                      else
++                              decoder->pkt_state = INTEL_PT_STATE_FUP;
+                       err = intel_pt_walk_fup(decoder);
+-                      if (err != -EAGAIN) {
+-                              if (err)
+-                                      return err;
+-                              if (no_tip)
+-                                      decoder->pkt_state =
+-                                              INTEL_PT_STATE_FUP_NO_TIP;
+-                              else
+-                                      decoder->pkt_state = INTEL_PT_STATE_FUP;
+-                              return 0;
+-                      }
++                      if (err != -EAGAIN)
++                              return err;
+                       if (no_tip) {
+                               no_tip = false;
+                               break;
+@@ -2599,15 +2596,11 @@ const struct intel_pt_state *intel_pt_de
+                       err = intel_pt_walk_tip(decoder);
+                       break;
+               case INTEL_PT_STATE_FUP:
+-                      decoder->pkt_state = INTEL_PT_STATE_IN_SYNC;
+                       err = intel_pt_walk_fup(decoder);
+                       if (err == -EAGAIN)
+                               err = intel_pt_walk_fup_tip(decoder);
+-                      else if (!err)
+-                              decoder->pkt_state = INTEL_PT_STATE_FUP;
+                       break;
+               case INTEL_PT_STATE_FUP_NO_TIP:
+-                      decoder->pkt_state = INTEL_PT_STATE_IN_SYNC;
+                       err = intel_pt_walk_fup(decoder);
+                       if (err == -EAGAIN)
+                               err = intel_pt_walk_trace(decoder);
diff --git a/queue-5.4/remoteproc-qcom-q6v5-update-running-state-before-requesting-stop.patch b/queue-5.4/remoteproc-qcom-q6v5-update-running-state-before-requesting-stop.patch
new file mode 100644 (file)
index 0000000..ce4f038
--- /dev/null
+++ b/queue-5.4/remoteproc-qcom-q6v5-update-running-state-before-requesting-stop.patch
@@ -0,0 +1,44 @@
+From 5b7be880074c73540948f8fc597e0407b98fabfa Mon Sep 17 00:00:00 2001
+From: Sibi Sankar <sibis@codeaurora.org>
+Date: Tue, 2 Jun 2020 22:02:56 +0530
+Subject: remoteproc: qcom: q6v5: Update running state before requesting stop
+
+From: Sibi Sankar <sibis@codeaurora.org>
+
+commit 5b7be880074c73540948f8fc597e0407b98fabfa upstream.
+
+Sometimes the stop triggers a watchdog rather than a stop-ack. Update
+the running state to false on requesting stop to skip the watchdog
+instead.
+
+Error Logs:
+$ echo stop > /sys/class/remoteproc/remoteproc0/state
+ipa 1e40000.ipa: received modem stopping event
+remoteproc-modem: watchdog received: sys_m_smsm_mpss.c:291:APPS force stop
+qcom-q6v5-mss 4080000.remoteproc-modem: port failed halt
+ipa 1e40000.ipa: received modem offline event
+remoteproc0: stopped remote processor 4080000.remoteproc-modem
+
+Reviewed-by: Evan Green <evgreen@chromium.org>
+Fixes: 3b415c8fb263 ("remoteproc: q6v5: Extract common resource handling")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sibi Sankar <sibis@codeaurora.org>
+Link: https://lore.kernel.org/r/20200602163257.26978-1-sibis@codeaurora.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/remoteproc/qcom_q6v5.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/remoteproc/qcom_q6v5.c
++++ b/drivers/remoteproc/qcom_q6v5.c
+@@ -151,6 +151,8 @@ int qcom_q6v5_request_stop(struct qcom_q
+ {
+       int ret;
++      q6v5->running = false;
++
+       qcom_smem_state_update_bits(q6v5->state,
+                                   BIT(q6v5->stop_bit), BIT(q6v5->stop_bit));
diff --git a/queue-5.4/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch b/queue-5.4/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch
new file mode 100644 (file)
index 0000000..dfba70d
--- /dev/null
+++ b/queue-5.4/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch
@@ -0,0 +1,60 @@
+From e013f455d95add874f310dc47c608e8c70692ae5 Mon Sep 17 00:00:00 2001
+From: Sibi Sankar <sibis@codeaurora.org>
+Date: Thu, 23 Jul 2020 01:40:45 +0530
+Subject: remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load
+
+From: Sibi Sankar <sibis@codeaurora.org>
+
+commit e013f455d95add874f310dc47c608e8c70692ae5 upstream.
+
+The following mem abort is observed when the mba firmware size exceeds
+the allocated mba region. MBA firmware size is restricted to a maximum
+size of 1M and remaining memory region is used by modem debug policy
+firmware when available. Hence verify whether the MBA firmware size lies
+within the allocated memory region and is not greater than 1M before
+loading.
+
+Err Logs:
+Unable to handle kernel paging request at virtual address
+Mem abort info:
+...
+Call trace:
+  __memcpy+0x110/0x180
+  rproc_start+0x40/0x218
+  rproc_boot+0x5b4/0x608
+  state_store+0x54/0xf8
+  dev_attr_store+0x44/0x60
+  sysfs_kf_write+0x58/0x80
+  kernfs_fop_write+0x140/0x230
+  vfs_write+0xc4/0x208
+  ksys_write+0x74/0xf8
+  __arm64_sys_write+0x24/0x30
+...
+
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sibi Sankar <sibis@codeaurora.org>
+Link: https://lore.kernel.org/r/20200722201047.12975-2-sibis@codeaurora.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/remoteproc/qcom_q6v5_mss.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/remoteproc/qcom_q6v5_mss.c
++++ b/drivers/remoteproc/qcom_q6v5_mss.c
+@@ -381,6 +381,12 @@ static int q6v5_load(struct rproc *rproc
+ {
+       struct q6v5 *qproc = rproc->priv;
++      /* MBA is restricted to a maximum size of 1M */
++      if (fw->size > qproc->mba_size || fw->size > SZ_1M) {
++              dev_err(qproc->dev, "MBA firmware load failed\n");
++              return -EINVAL;
++      }
++
+       memcpy(qproc->mba_region, fw->data, fw->size);
+       return 0;
diff --git a/queue-5.4/remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch b/queue-5.4/remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch
new file mode 100644 (file)
index 0000000..46b96fc
--- /dev/null
+++ b/queue-5.4/remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch
@@ -0,0 +1,61 @@
+From 135b9e8d1cd8ba5ac9ad9bcf24b464b7b052e5b8 Mon Sep 17 00:00:00 2001
+From: Sibi Sankar <sibis@codeaurora.org>
+Date: Thu, 23 Jul 2020 01:40:46 +0530
+Subject: remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load
+
+From: Sibi Sankar <sibis@codeaurora.org>
+
+commit 135b9e8d1cd8ba5ac9ad9bcf24b464b7b052e5b8 upstream.
+
+The following mem abort is observed when one of the modem blob firmware
+size exceeds the allocated mpss region. Fix this by restricting the copy
+size to segment size using request_firmware_into_buf before load.
+
+Err Logs:
+Unable to handle kernel paging request at virtual address
+Mem abort info:
+...
+Call trace:
+  __memcpy+0x110/0x180
+  rproc_start+0xd0/0x190
+  rproc_boot+0x404/0x550
+  state_store+0x54/0xf8
+  dev_attr_store+0x44/0x60
+  sysfs_kf_write+0x58/0x80
+  kernfs_fop_write+0x140/0x230
+  vfs_write+0xc4/0x208
+  ksys_write+0x74/0xf8
+...
+
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sibi Sankar <sibis@codeaurora.org>
+Link: https://lore.kernel.org/r/20200722201047.12975-3-sibis@codeaurora.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/remoteproc/qcom_q6v5_mss.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/remoteproc/qcom_q6v5_mss.c
++++ b/drivers/remoteproc/qcom_q6v5_mss.c
+@@ -1034,15 +1034,14 @@ static int q6v5_mpss_load(struct q6v5 *q
+               } else if (phdr->p_filesz) {
+                       /* Replace "xxx.xxx" with "xxx.bxx" */
+                       sprintf(fw_name + fw_name_len - 3, "b%02d", i);
+-                      ret = request_firmware(&seg_fw, fw_name, qproc->dev);
++                      ret = request_firmware_into_buf(&seg_fw, fw_name, qproc->dev,
++                                                      ptr, phdr->p_filesz);
+                       if (ret) {
+                               dev_err(qproc->dev, "failed to load %s\n", fw_name);
+                               iounmap(ptr);
+                               goto release_firmware;
+                       }
+-                      memcpy(ptr, seg_fw->data, seg_fw->size);
+-
+                       release_firmware(seg_fw);
+               }
diff --git a/queue-5.4/series b/queue-5.4/series
index c7714d6a5acf954c5558ce8c4c3b7a7edff9d4c1..9e271d094693638d542125bf2c433218cbaaf0e4 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -65,3 +65,10 @@ watchdog-f71808e_wdt-clear-watchdog-timeout-occurred-flag.patch
 ceph-set-sec_context-xattr-on-symlink-creation.patch
 ceph-handle-zero-length-feature-mask-in-session-messages.patch
 pseries-fix-64-bit-logical-memory-block-panic.patch
+module-correctly-truncate-sysfs-sections-output.patch
+perf-intel-pt-fix-fup-packet-state.patch
+perf-intel-pt-fix-duplicate-branch-after-cbr.patch
+remoteproc-qcom-q6v5-update-running-state-before-requesting-stop.patch
+remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch
+remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch
+drm-imx-imx-ldb-disable-both-channels-for-split-mode-in-enc-disable.patch
Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git