From: Greg Kroah-Hartman Date: Mon, 28 Dec 2020 08:54:03 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.4.249~23 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a920005964ea3b05e9ef3c7c59d7d38008239e54;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: acpi-pnp-compare-the-string-length-in-the-matching_id.patch alsa-core-memalloc-add-page-alignment-for-iram.patch alsa-hda-apply-jack-fixup-for-the-acer-veriton-n4640g-n6640g-n2510g.patch alsa-hda-ca0132-change-input-source-enum-strings.patch alsa-hda-ca0132-fix-ae-5-rear-headphone-pincfg.patch alsa-hda-fix-regressions-on-clear-and-reconfig-sysfs.patch alsa-hda-realtek-add-quirk-for-msi-gp73.patch alsa-hda-realtek-add-supported-for-more-lenovo-alc285-headset-button.patch alsa-hda-realtek-apply-jack-fixup-for-quanta-nl3.patch alsa-hda-realtek-enable-headset-mic-of-asus-q524uqk-with-alc255.patch alsa-hda-realtek-enable-headset-mic-of-asus-x430un-with-alc256.patch alsa-hda-realtek-make-bass-spk-volume-adjustable-on-a-yoga-laptop.patch alsa-pcm-oss-fix-a-few-more-ubsan-fixes.patch alsa-usb-audio-add-vid-to-support-native-dsd-reproduction-on-fiio-devices.patch alsa-usb-audio-disable-sample-read-check-if-firmware-doesn-t-give-back.patch asoc-cx2072x-fix-doubly-definitions-of-playback-and-capture-streams.patch binder-add-flag-to-clear-buffer-on-txn-complete.patch cpuset-fix-race-between-hotplug-work-and-later-cpu-offline.patch crypto-arm-aes-ce-work-around-cortex-a57-a72-silion-errata.patch crypto-ecdh-avoid-unaligned-accesses-in-ecdh_set_secret.patch edac-amd64-fix-pci-component-registration.patch edac-i10nm-use-readl-to-access-mmio-registers.patch input-cyapa_gen6-fix-out-of-bounds-stack-access.patch media-gspca-fix-memory-leak-in-probe.patch media-ipu3-cio2-make-the-field-on-subdev-format-v4l2_field_none.patch media-ipu3-cio2-remove-traces-of-returned-buffers.patch media-ipu3-cio2-return-actual-subdev-format.patch media-ipu3-cio2-serialise-access-to-pad-format.patch media-ipu3-cio2-validate-mbus-format-in-setting-subdev-format.patch media-netup_unidvb-don-t-leak-spi-master-in-probe-error-path.patch media-sunxi-cir-ensure-ir-is-handled-when-it-is-continuous.patch perf-x86-intel-add-event-constraint-for-cycle_activity.stalls_mem_any.patch perf-x86-intel-fix-rtm_abort_event-encoding-on-ice-lake.patch pm-acpi-pci-drop-acpi_pm_set_bridge_wakeup.patch powerpc-perf-exclude-kernel-samples-while-counting-events-in-user-space.patch revert-acpi-resources-use-ae_ctrl_terminate-to-terminate-resources-walks.patch s390-dasd-fix-hanging-device-offline-processing.patch s390-dasd-fix-list-corruption-of-lcu-list.patch s390-dasd-fix-list-corruption-of-pavgroup-group-list.patch s390-dasd-prevent-inconsistent-lcu-device-data.patch s390-kexec_file-fix-diag308-subcode-when-loading-crash-kernel.patch s390-smp-perform-initial-cpu-reset-also-for-smt-siblings.patch staging-comedi-mf6x4-fix-ai-end-of-conversion-detection.patch usb-serial-digi_acceleport-fix-write-wakeup-deadlocks.patch usb-serial-keyspan_pda-fix-dropped-unthrottle-interrupts.patch usb-serial-keyspan_pda-fix-stalled-writes.patch usb-serial-keyspan_pda-fix-tx-unthrottle-use-after-free.patch usb-serial-keyspan_pda-fix-write-deadlock.patch usb-serial-keyspan_pda-fix-write-unthrottling.patch usb-serial-keyspan_pda-fix-write-wakeup-use-after-free.patch usb-serial-mos7720-fix-parallel-port-state-restore.patch vfio-pci-nvlink2-do-not-attempt-npu2-setup-on-power8nvl-npu.patch --- diff --git a/queue-5.4/acpi-pnp-compare-the-string-length-in-the-matching_id.patch b/queue-5.4/acpi-pnp-compare-the-string-length-in-the-matching_id.patch new file mode 100644 index 00000000000..b1c1c1ce217 --- /dev/null +++ b/queue-5.4/acpi-pnp-compare-the-string-length-in-the-matching_id.patch @@ -0,0 +1,48 @@ +From b08221c40febcbda9309dd70c61cf1b0ebb0e351 Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Fri, 11 Dec 2020 10:18:14 +0800 +Subject: ACPI: PNP: compare the string length in the matching_id() + +From: Hui Wang + +commit b08221c40febcbda9309dd70c61cf1b0ebb0e351 upstream. + +Recently we met a touchscreen problem on some Thinkpad machines, the +touchscreen driver (i2c-hid) is not loaded and the touchscreen can't +work. + +An i2c ACPI device with the name WACF2200 is defined in the BIOS, with +the current rule in matching_id(), this device will be regarded as +a PNP device since there is WACFXXX in the acpi_pnp_device_ids[] and +this PNP device is attached to the acpi device as the 1st +physical_node, this will make the i2c bus match fail when i2c bus +calls acpi_companion_match() to match the acpi_id_table in the i2c-hid +driver. + +WACF2200 is an i2c device instead of a PNP device, after adding the +string length comparing, the matching_id() will return false when +matching WACF2200 and WACFXXX, and it is reasonable to compare the +string length when matching two IDs. + +Suggested-by: Rafael J. Wysocki +Signed-off-by: Hui Wang +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/acpi_pnp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/acpi/acpi_pnp.c ++++ b/drivers/acpi/acpi_pnp.c +@@ -317,6 +317,9 @@ static bool matching_id(const char *idst + { + int i; + ++ if (strlen(idstr) != strlen(list_id)) ++ return false; ++ + if (memcmp(idstr, list_id, 3)) + return false; + diff --git a/queue-5.4/alsa-core-memalloc-add-page-alignment-for-iram.patch b/queue-5.4/alsa-core-memalloc-add-page-alignment-for-iram.patch new file mode 100644 index 00000000000..857776cd3ac --- /dev/null +++ b/queue-5.4/alsa-core-memalloc-add-page-alignment-for-iram.patch @@ -0,0 +1,35 @@ +From 74c64efa1557fef731b59eb813f115436d18078e Mon Sep 17 00:00:00 2001 +From: Robin Gong +Date: Fri, 18 Dec 2020 00:15:47 +0800 +Subject: ALSA: core: memalloc: add page alignment for iram + +From: Robin Gong + +commit 74c64efa1557fef731b59eb813f115436d18078e upstream. + +Since mmap for userspace is based on page alignment, add page alignment +for iram alloc from pool, otherwise, some good data located in the same +page of dmab->area maybe touched wrongly by userspace like pulseaudio. + +Signed-off-by: Robin Gong +Cc: +Link: https://lore.kernel.org/r/1608221747-3474-1-git-send-email-yibin.gong@nxp.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/memalloc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/core/memalloc.c ++++ b/sound/core/memalloc.c +@@ -76,7 +76,8 @@ static void snd_malloc_dev_iram(struct s + /* Assign the pool into private_data field */ + dmab->private_data = pool; + +- dmab->area = gen_pool_dma_alloc(pool, size, &dmab->addr); ++ dmab->area = gen_pool_dma_alloc_align(pool, size, &dmab->addr, ++ PAGE_SIZE); + } + + /** diff --git a/queue-5.4/alsa-hda-apply-jack-fixup-for-the-acer-veriton-n4640g-n6640g-n2510g.patch b/queue-5.4/alsa-hda-apply-jack-fixup-for-the-acer-veriton-n4640g-n6640g-n2510g.patch new file mode 100644 index 00000000000..9a6bc70b3f6 --- /dev/null +++ b/queue-5.4/alsa-hda-apply-jack-fixup-for-the-acer-veriton-n4640g-n6640g-n2510g.patch @@ -0,0 +1,45 @@ +From 13be30f156fda725b168ac89fc91f78651575307 Mon Sep 17 00:00:00 2001 +From: Chris Chiu +Date: Tue, 22 Dec 2020 23:04:59 +0800 +Subject: ALSA/hda: apply jack fixup for the Acer Veriton N4640G/N6640G/N2510G + +From: Chris Chiu + +commit 13be30f156fda725b168ac89fc91f78651575307 upstream. + +This Acer Veriton N4640G/N6640G/N2510G desktops have 2 headphone +jacks(front and rear), and a separate Mic In jack. + +The rear headphone jack is actually a line out jack but always silent +while playing audio. The front 'Mic In' also fails the jack sensing. +Apply the ALC269_FIXUP_LIFEBOOK to have all audio jacks to work as +expected. + +Signed-off-by: Chris Chiu +Signed-off-by: Jian-Hong Pan +Cc: +Link: https://lore.kernel.org/r/20201222150459.9545-2-chiu@endlessos.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7735,11 +7735,14 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1025, 0x0762, "Acer Aspire E1-472", ALC271_FIXUP_HP_GATE_MIC_JACK_E1_572), + SND_PCI_QUIRK(0x1025, 0x0775, "Acer Aspire E1-572", ALC271_FIXUP_HP_GATE_MIC_JACK_E1_572), + SND_PCI_QUIRK(0x1025, 0x079b, "Acer Aspire V5-573G", ALC282_FIXUP_ASPIRE_V5_PINS), ++ SND_PCI_QUIRK(0x1025, 0x101c, "Acer Veriton N2510G", ALC269_FIXUP_LIFEBOOK), + SND_PCI_QUIRK(0x1025, 0x102b, "Acer Aspire C24-860", ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1025, 0x1065, "Acer Aspire C20-820", ALC269VC_FIXUP_ACER_HEADSET_MIC), + SND_PCI_QUIRK(0x1025, 0x106d, "Acer Cloudbook 14", ALC283_FIXUP_CHROME_BOOK), + SND_PCI_QUIRK(0x1025, 0x1099, "Acer Aspire E5-523G", ALC255_FIXUP_ACER_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1025, 0x110e, "Acer Aspire ES1-432", ALC255_FIXUP_ACER_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1025, 0x1166, "Acer Veriton N4640G", ALC269_FIXUP_LIFEBOOK), ++ SND_PCI_QUIRK(0x1025, 0x1167, "Acer Veriton N6640G", ALC269_FIXUP_LIFEBOOK), + SND_PCI_QUIRK(0x1025, 0x1246, "Acer Predator Helios 500", ALC299_FIXUP_PREDATOR_SPK), + SND_PCI_QUIRK(0x1025, 0x1247, "Acer vCopperbox", ALC269VC_FIXUP_ACER_VCOPPERBOX_PINS), + SND_PCI_QUIRK(0x1025, 0x1248, "Acer Veriton N4660G", ALC269VC_FIXUP_ACER_MIC_NO_PRESENCE), diff --git a/queue-5.4/alsa-hda-ca0132-change-input-source-enum-strings.patch b/queue-5.4/alsa-hda-ca0132-change-input-source-enum-strings.patch new file mode 100644 index 00000000000..7676955e289 --- /dev/null +++ b/queue-5.4/alsa-hda-ca0132-change-input-source-enum-strings.patch @@ -0,0 +1,35 @@ +From 7079f785b50055a32b72eddcb7d9ba5688db24d0 Mon Sep 17 00:00:00 2001 +From: Connor McAdams +Date: Thu, 10 Dec 2020 12:35:49 -0500 +Subject: ALSA: hda/ca0132 - Change Input Source enum strings. + +From: Connor McAdams + +commit 7079f785b50055a32b72eddcb7d9ba5688db24d0 upstream. + +Change the Input Source enumerated control's strings to make it play +nice with pulseaudio. + +Fixes: 7cb9d94c05de9 ("ALSA: hda/ca0132: add alt_select_in/out for R3Di + SBZ") +Cc: +Signed-off-by: Connor McAdams +Link: https://lore.kernel.org/r/20201208195223.424753-2-conmanx360@gmail.com +Link: https://lore.kernel.org/r/20201210173550.2968-2-conmanx360@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_ca0132.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -93,7 +93,7 @@ enum { + }; + + /* Strings for Input Source Enum Control */ +-static const char *const in_src_str[3] = {"Rear Mic", "Line", "Front Mic" }; ++static const char *const in_src_str[3] = { "Microphone", "Line In", "Front Microphone" }; + #define IN_SRC_NUM_OF_INPUTS 3 + enum { + REAR_MIC, diff --git a/queue-5.4/alsa-hda-ca0132-fix-ae-5-rear-headphone-pincfg.patch b/queue-5.4/alsa-hda-ca0132-fix-ae-5-rear-headphone-pincfg.patch new file mode 100644 index 00000000000..03c8db261c9 --- /dev/null +++ b/queue-5.4/alsa-hda-ca0132-fix-ae-5-rear-headphone-pincfg.patch @@ -0,0 +1,37 @@ +From c697ba85a94b8f65bf90dec5ef9af5c39c3e73b2 Mon Sep 17 00:00:00 2001 +From: Connor McAdams +Date: Thu, 10 Dec 2020 12:35:48 -0500 +Subject: ALSA: hda/ca0132 - Fix AE-5 rear headphone pincfg. + +From: Connor McAdams + +commit c697ba85a94b8f65bf90dec5ef9af5c39c3e73b2 upstream. + +The Windows driver sets the pincfg for the AE-5's rear-headphone to +report as a microphone. This causes issues with Pulseaudio mistakenly +believing there is no headphone plugged in. In Linux, we should instead +set it to be a headphone. + +Fixes: a6b0961b39896 ("ALSA: hda/ca0132 - fix AE-5 pincfg") +Cc: +Signed-off-by: Connor McAdams +Link: https://lore.kernel.org/r/20201208195223.424753-1-conmanx360@gmail.com +Link: https://lore.kernel.org/r/20201210173550.2968-1-conmanx360@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_ca0132.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -1147,7 +1147,7 @@ static const struct hda_pintbl ae5_pincf + { 0x0e, 0x01c510f0 }, /* SPDIF In */ + { 0x0f, 0x01017114 }, /* Port A -- Rear L/R. */ + { 0x10, 0x01017012 }, /* Port D -- Center/LFE or FP Hp */ +- { 0x11, 0x01a170ff }, /* Port B -- LineMicIn2 / Rear Headphone */ ++ { 0x11, 0x012170ff }, /* Port B -- LineMicIn2 / Rear Headphone */ + { 0x12, 0x01a170f0 }, /* Port C -- LineIn1 */ + { 0x13, 0x908700f0 }, /* What U Hear In*/ + { 0x18, 0x50d000f0 }, /* N/A */ diff --git a/queue-5.4/alsa-hda-fix-regressions-on-clear-and-reconfig-sysfs.patch b/queue-5.4/alsa-hda-fix-regressions-on-clear-and-reconfig-sysfs.patch new file mode 100644 index 00000000000..369eb4e2939 --- /dev/null +++ b/queue-5.4/alsa-hda-fix-regressions-on-clear-and-reconfig-sysfs.patch @@ -0,0 +1,54 @@ +From 2506318e382c4c7daa77bdc48f80a0ee82804588 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 9 Dec 2020 16:01:19 +0100 +Subject: ALSA: hda: Fix regressions on clear and reconfig sysfs + +From: Takashi Iwai + +commit 2506318e382c4c7daa77bdc48f80a0ee82804588 upstream. + +It seems that the HD-audio clear and reconfig sysfs don't work any +longer after the recent driver core change. There are multiple issues +around that: the linked list corruption and the dead device handling. +The former issue is fixed by another patch for the driver core itself, +while the latter patch needs to be addressed in HD-audio side. + +This patch corresponds to the latter, it recovers those broken +functions by replacing the device detach and attach actions with the +standard core API functions, which are almost equivalent with unbind +and bind actions. + +Fixes: 654888327e9f ("driver core: Avoid binding drivers to dead devices") +Cc: +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=209207 +Link: https://lore.kernel.org/r/20201209150119.7705-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_codec.c | 2 +- + sound/pci/hda/hda_sysfs.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -1798,7 +1798,7 @@ int snd_hda_codec_reset(struct hda_codec + return -EBUSY; + + /* OK, let it free */ +- snd_hdac_device_unregister(&codec->core); ++ device_release_driver(hda_codec_dev(codec)); + + /* allow device access again */ + snd_hda_unlock_devices(bus); +--- a/sound/pci/hda/hda_sysfs.c ++++ b/sound/pci/hda/hda_sysfs.c +@@ -139,7 +139,7 @@ static int reconfig_codec(struct hda_cod + "The codec is being used, can't reconfigure.\n"); + goto error; + } +- err = snd_hda_codec_configure(codec); ++ err = device_reprobe(hda_codec_dev(codec)); + if (err < 0) + goto error; + err = snd_card_register(codec->card); diff --git a/queue-5.4/alsa-hda-realtek-add-quirk-for-msi-gp73.patch b/queue-5.4/alsa-hda-realtek-add-quirk-for-msi-gp73.patch new file mode 100644 index 00000000000..0879b2fc333 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-add-quirk-for-msi-gp73.patch @@ -0,0 +1,32 @@ +From 09926202e939fd699650ac0fc0baa5757e069390 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 20 Dec 2020 09:09:43 +0100 +Subject: ALSA: hda/realtek: Add quirk for MSI-GP73 + +From: Takashi Iwai + +commit 09926202e939fd699650ac0fc0baa5757e069390 upstream. + +MSI-GP73 (with SSID 1462:1229) requires yet again +ALC1220_FIXUP_CLEVO_P950 quirk like other MSI models. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=210793 +Cc: +Link: https://lore.kernel.org/r/20201220080943.24839-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2506,6 +2506,7 @@ static const struct snd_pci_quirk alc882 + SND_PCI_QUIRK(0x1458, 0xa0ce, "Gigabyte X570 Aorus Xtreme", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x11f7, "MSI-GE63", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x1228, "MSI-GP63", ALC1220_FIXUP_CLEVO_P950), ++ SND_PCI_QUIRK(0x1462, 0x1229, "MSI-GP73", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x1275, "MSI-GL63", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x1276, "MSI-GL73", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x1293, "MSI-GP65", ALC1220_FIXUP_CLEVO_P950), diff --git a/queue-5.4/alsa-hda-realtek-add-supported-for-more-lenovo-alc285-headset-button.patch b/queue-5.4/alsa-hda-realtek-add-supported-for-more-lenovo-alc285-headset-button.patch new file mode 100644 index 00000000000..9f0d47a91e2 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-add-supported-for-more-lenovo-alc285-headset-button.patch @@ -0,0 +1,34 @@ +From 607184cb1635eaee239fe3fb9648a8b82a5232d7 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Fri, 11 Dec 2020 14:17:09 +0800 +Subject: ALSA: hda/realtek - Add supported for more Lenovo ALC285 Headset Button + +From: Kailang Yang + +commit 607184cb1635eaee239fe3fb9648a8b82a5232d7 upstream. + +Add supported for more Lenovo ALC285 Headset Button. + +Signed-off-by: Kailang Yang +Cc: +Link: https://lore.kernel.org/r/bb1f1da1526d460885aa4257be81eb94@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8525,6 +8525,10 @@ static const struct snd_hda_pin_quirk al + {0x12, 0x90a60130}, + {0x19, 0x03a11020}, + {0x21, 0x0321101f}), ++ SND_HDA_PIN_QUIRK(0x10ec0285, 0x17aa, "Lenovo", ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK, ++ {0x14, 0x90170110}, ++ {0x19, 0x04a11040}, ++ {0x21, 0x04211020}), + SND_HDA_PIN_QUIRK(0x10ec0285, 0x17aa, "Lenovo", ALC285_FIXUP_LENOVO_PC_BEEP_IN_NOISE, + {0x12, 0x90a60130}, + {0x14, 0x90170110}, diff --git a/queue-5.4/alsa-hda-realtek-apply-jack-fixup-for-quanta-nl3.patch b/queue-5.4/alsa-hda-realtek-apply-jack-fixup-for-quanta-nl3.patch new file mode 100644 index 00000000000..81ef342eeae --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-apply-jack-fixup-for-quanta-nl3.patch @@ -0,0 +1,40 @@ +From 6ca653e3f73a1af0f30dbf9c2c79d2897074989f Mon Sep 17 00:00:00 2001 +From: Chris Chiu +Date: Tue, 22 Dec 2020 23:04:58 +0800 +Subject: ALSA: hda/realtek: Apply jack fixup for Quanta NL3 + +From: Chris Chiu + +commit 6ca653e3f73a1af0f30dbf9c2c79d2897074989f upstream. + +The Quanta NL3 laptop has both a headphone output jack and a headset +jack, on the right edge of the chassis. + +The pin information suggests that both of these are at the Front. +The PulseAudio is confused to differentiate them so one of the jack +can neither get the jack sense working nor the audio output. + +The ALC269_FIXUP_LIFEBOOK chained with ALC269_FIXUP_QUANTA_MUTE can +help to differentiate 2 jacks and get the 'Auto-Mute Mode' working +correctly. + +Signed-off-by: Chris Chiu +Cc: +Link: https://lore.kernel.org/r/20201222150459.9545-1-chiu@endlessos.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7947,6 +7947,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1462, 0xb120, "MSI Cubi MS-B120", ALC283_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1462, 0xb171, "Cubi N 8GL (MS-B171)", ALC283_FIXUP_HEADSET_MIC), ++ SND_PCI_QUIRK(0x152d, 0x1082, "Quanta NL3", ALC269_FIXUP_LIFEBOOK), + SND_PCI_QUIRK(0x1558, 0x1323, "Clevo N130ZU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x1325, "System76 Darter Pro (darp5)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x1401, "Clevo L140[CZ]U", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), diff --git a/queue-5.4/alsa-hda-realtek-enable-headset-mic-of-asus-q524uqk-with-alc255.patch b/queue-5.4/alsa-hda-realtek-enable-headset-mic-of-asus-q524uqk-with-alc255.patch new file mode 100644 index 00000000000..63ee9611d41 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-enable-headset-mic-of-asus-q524uqk-with-alc255.patch @@ -0,0 +1,33 @@ +From 7e413528474d5895e3e315c019fb0c43522eb6d9 Mon Sep 17 00:00:00 2001 +From: Chris Chiu +Date: Wed, 9 Dec 2020 12:57:30 +0800 +Subject: ALSA: hda/realtek - Enable headset mic of ASUS Q524UQK with ALC255 + +From: Chris Chiu + +commit 7e413528474d5895e3e315c019fb0c43522eb6d9 upstream. + +The ASUS laptop Q524UQK with ALC255 codec can't detect the headset +microphone until ALC255_FIXUP_ASUS_MIC_NO_PRESENCE quirk applied. + +Signed-off-by: Chris Chiu +Signed-off-by: Jian-Hong Pan +Cc: +Link: https://lore.kernel.org/r/20201209045730.9972-1-chiu@endlessos.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7905,6 +7905,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1043, 0x1b13, "Asus U41SV", ALC269_FIXUP_INV_DMIC), + SND_PCI_QUIRK(0x1043, 0x1bbd, "ASUS Z550MA", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1c23, "Asus X55U", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), ++ SND_PCI_QUIRK(0x1043, 0x125e, "ASUS Q524UQK", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1ccd, "ASUS X555UB", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x1d4e, "ASUS TM420", ALC256_FIXUP_ASUS_HPE), + SND_PCI_QUIRK(0x1043, 0x1e11, "ASUS Zephyrus G15", ALC289_FIXUP_ASUS_GA502), diff --git a/queue-5.4/alsa-hda-realtek-enable-headset-mic-of-asus-x430un-with-alc256.patch b/queue-5.4/alsa-hda-realtek-enable-headset-mic-of-asus-x430un-with-alc256.patch new file mode 100644 index 00000000000..21bb8319b3a --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-enable-headset-mic-of-asus-x430un-with-alc256.patch @@ -0,0 +1,33 @@ +From 5cfca59604e423f720297e30a9dc493eea623493 Mon Sep 17 00:00:00 2001 +From: Chris Chiu +Date: Mon, 7 Dec 2020 15:27:55 +0800 +Subject: ALSA: hda/realtek - Enable headset mic of ASUS X430UN with ALC256 + +From: Chris Chiu + +commit 5cfca59604e423f720297e30a9dc493eea623493 upstream. + +The ASUS laptop X430UN with ALC256 can't detect the headset microphone +until ALC256_FIXUP_ASUS_MIC_NO_PRESENCE quirk applied. + +Signed-off-by: Chris Chiu +Signed-off-by: Jian-Hong Pan +Cc: +Link: https://lore.kernel.org/r/20201207072755.16210-1-chiu@endlessos.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7884,6 +7884,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1043, 0x10d0, "ASUS X540LA/X540LJ", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x115d, "Asus 1015E", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x1043, 0x11c0, "ASUS X556UR", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1043, 0x1271, "ASUS X430UN", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1290, "ASUS X441SA", ALC233_FIXUP_EAPD_COEF_AND_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x12a0, "ASUS X441UV", ALC233_FIXUP_EAPD_COEF_AND_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x12f0, "ASUS X541UV", ALC256_FIXUP_ASUS_MIC), diff --git a/queue-5.4/alsa-hda-realtek-make-bass-spk-volume-adjustable-on-a-yoga-laptop.patch b/queue-5.4/alsa-hda-realtek-make-bass-spk-volume-adjustable-on-a-yoga-laptop.patch new file mode 100644 index 00000000000..47dcd5d28c3 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-make-bass-spk-volume-adjustable-on-a-yoga-laptop.patch @@ -0,0 +1,62 @@ +From c72b9bfe0f914639cc475585f45722a3eb57a56d Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Sat, 5 Dec 2020 13:11:30 +0800 +Subject: ALSA: hda/realtek: make bass spk volume adjustable on a yoga laptop + +From: Hui Wang + +commit c72b9bfe0f914639cc475585f45722a3eb57a56d upstream. + +This change could fix 2 issues on this machine: + - the bass speaker's output volume can't be adjusted, that is because + the bass speaker is routed to the DAC (Nid 0x6) which has no volume + control. + - after plugging a headset with vol+, vol- and pause buttons on it, + press those buttons, nothing happens, this means those buttons + don't work at all. This machine has alc287 codec, need to add the + codec id to the disable/enable_headset_jack_key(), then the headset + button could work. + +The quirk of ALC285_FIXUP_THINKPAD_HEADSET_JACK could fix both of these +2 issues. + +Cc: +Signed-off-by: Hui Wang +Link: https://lore.kernel.org/r/20201205051130.8122-1-hui.wang@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3094,6 +3094,7 @@ static void alc_disable_headset_jack_key + case 0x10ec0215: + case 0x10ec0225: + case 0x10ec0285: ++ case 0x10ec0287: + case 0x10ec0295: + case 0x10ec0289: + case 0x10ec0299: +@@ -3120,6 +3121,7 @@ static void alc_enable_headset_jack_key( + case 0x10ec0215: + case 0x10ec0225: + case 0x10ec0285: ++ case 0x10ec0287: + case 0x10ec0295: + case 0x10ec0289: + case 0x10ec0299: +@@ -8526,6 +8528,11 @@ static const struct snd_hda_pin_quirk al + {0x14, 0x90170110}, + {0x19, 0x04a11040}, + {0x21, 0x04211020}), ++ SND_HDA_PIN_QUIRK(0x10ec0287, 0x17aa, "Lenovo", ALC285_FIXUP_THINKPAD_HEADSET_JACK, ++ {0x14, 0x90170110}, ++ {0x17, 0x90170111}, ++ {0x19, 0x03a11030}, ++ {0x21, 0x03211020}), + SND_HDA_PIN_QUIRK(0x10ec0286, 0x1025, "Acer", ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE, + {0x12, 0x90a60130}, + {0x17, 0x90170110}, diff --git a/queue-5.4/alsa-pcm-oss-fix-a-few-more-ubsan-fixes.patch b/queue-5.4/alsa-pcm-oss-fix-a-few-more-ubsan-fixes.patch new file mode 100644 index 00000000000..44fb26b1e86 --- /dev/null +++ b/queue-5.4/alsa-pcm-oss-fix-a-few-more-ubsan-fixes.patch @@ -0,0 +1,66 @@ +From 11cb881bf075cea41092a20236ba708b18e1dbb2 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 18 Dec 2020 17:17:30 +0100 +Subject: ALSA: pcm: oss: Fix a few more UBSAN fixes + +From: Takashi Iwai + +commit 11cb881bf075cea41092a20236ba708b18e1dbb2 upstream. + +There are a few places that call round{up|down}_pow_of_two() with the +value zero, and this causes undefined behavior warnings. Avoid +calling those macros if such a nonsense value is passed; it's a minor +optimization as well, as we handle it as either an error or a value to +be skipped, instead. + +Reported-by: syzbot+33ef0b6639a8d2d42b4c@syzkaller.appspotmail.com +Cc: +Link: https://lore.kernel.org/r/20201218161730.26596-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/oss/pcm_oss.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -693,6 +693,8 @@ static int snd_pcm_oss_period_size(struc + + oss_buffer_size = snd_pcm_plug_client_size(substream, + snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_BUFFER_SIZE, NULL)) * oss_frame_size; ++ if (!oss_buffer_size) ++ return -EINVAL; + oss_buffer_size = rounddown_pow_of_two(oss_buffer_size); + if (atomic_read(&substream->mmap_count)) { + if (oss_buffer_size > runtime->oss.mmap_bytes) +@@ -728,17 +730,21 @@ static int snd_pcm_oss_period_size(struc + + min_period_size = snd_pcm_plug_client_size(substream, + snd_pcm_hw_param_value_min(slave_params, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, NULL)); +- min_period_size *= oss_frame_size; +- min_period_size = roundup_pow_of_two(min_period_size); +- if (oss_period_size < min_period_size) +- oss_period_size = min_period_size; ++ if (min_period_size) { ++ min_period_size *= oss_frame_size; ++ min_period_size = roundup_pow_of_two(min_period_size); ++ if (oss_period_size < min_period_size) ++ oss_period_size = min_period_size; ++ } + + max_period_size = snd_pcm_plug_client_size(substream, + snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, NULL)); +- max_period_size *= oss_frame_size; +- max_period_size = rounddown_pow_of_two(max_period_size); +- if (oss_period_size > max_period_size) +- oss_period_size = max_period_size; ++ if (max_period_size) { ++ max_period_size *= oss_frame_size; ++ max_period_size = rounddown_pow_of_two(max_period_size); ++ if (oss_period_size > max_period_size) ++ oss_period_size = max_period_size; ++ } + + oss_periods = oss_buffer_size / oss_period_size; + diff --git a/queue-5.4/alsa-usb-audio-add-vid-to-support-native-dsd-reproduction-on-fiio-devices.patch b/queue-5.4/alsa-usb-audio-add-vid-to-support-native-dsd-reproduction-on-fiio-devices.patch new file mode 100644 index 00000000000..8c1e451c343 --- /dev/null +++ b/queue-5.4/alsa-usb-audio-add-vid-to-support-native-dsd-reproduction-on-fiio-devices.patch @@ -0,0 +1,33 @@ +From 725124d10d00b2f56bb5bd08b431cc74ab3b3ace Mon Sep 17 00:00:00 2001 +From: Amadej Kastelic +Date: Tue, 15 Dec 2020 19:09:05 +0100 +Subject: ALSA: usb-audio: Add VID to support native DSD reproduction on FiiO devices + +From: Amadej Kastelic + +commit 725124d10d00b2f56bb5bd08b431cc74ab3b3ace upstream. + +Add VID to support native DSD reproduction on FiiO devices. + +Tested-by: Amadej Kastelic +Signed-off-by: Emilio Moretti +Signed-off-by: Amadej Kastelic +Cc: +Link: https://lore.kernel.org/r/X9j7wdXSr4XyK7Bd@ryzen.localdomain +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1731,6 +1731,7 @@ u64 snd_usb_interface_dsd_format_quirks( + case 0x25ce: /* Mytek devices */ + case 0x278b: /* Rotel? */ + case 0x292b: /* Gustard/Ess based devices */ ++ case 0x2972: /* FiiO devices */ + case 0x2ab6: /* T+A devices */ + case 0x3353: /* Khadas devices */ + case 0x3842: /* EVGA */ diff --git a/queue-5.4/alsa-usb-audio-disable-sample-read-check-if-firmware-doesn-t-give-back.patch b/queue-5.4/alsa-usb-audio-disable-sample-read-check-if-firmware-doesn-t-give-back.patch new file mode 100644 index 00000000000..f90b5512d93 --- /dev/null +++ b/queue-5.4/alsa-usb-audio-disable-sample-read-check-if-firmware-doesn-t-give-back.patch @@ -0,0 +1,37 @@ +From 9df28edce7c6ab38050235f6f8b43dd7ccd01b6d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 18 Dec 2020 15:58:58 +0100 +Subject: ALSA: usb-audio: Disable sample read check if firmware doesn't give back + +From: Takashi Iwai + +commit 9df28edce7c6ab38050235f6f8b43dd7ccd01b6d upstream. + +Some buggy firmware don't give the current sample rate but leaves +zero. Handle this case more gracefully without warning but just skip +the current rate verification from the next time. + +Cc: +Link: https://lore.kernel.org/r/20201218145858.2357-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/clock.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/sound/usb/clock.c ++++ b/sound/usb/clock.c +@@ -531,6 +531,12 @@ static int set_sample_rate_v1(struct snd + } + + crate = data[0] | (data[1] << 8) | (data[2] << 16); ++ if (!crate) { ++ dev_info(&dev->dev, "failed to read current rate; disabling the check\n"); ++ chip->sample_rate_read_error = 3; /* three strikes, see above */ ++ return 0; ++ } ++ + if (crate != rate) { + dev_warn(&dev->dev, "current rate %d is different from the runtime rate %d\n", crate, rate); + // runtime->rate = crate; diff --git a/queue-5.4/asoc-cx2072x-fix-doubly-definitions-of-playback-and-capture-streams.patch b/queue-5.4/asoc-cx2072x-fix-doubly-definitions-of-playback-and-capture-streams.patch new file mode 100644 index 00000000000..7b63fb2203f --- /dev/null +++ b/queue-5.4/asoc-cx2072x-fix-doubly-definitions-of-playback-and-capture-streams.patch @@ -0,0 +1,49 @@ +From 0d024a8bec084205fdd9fa17479ba91f45f85db3 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 8 Dec 2020 14:51:54 +0100 +Subject: ASoC: cx2072x: Fix doubly definitions of Playback and Capture streams + +From: Takashi Iwai + +commit 0d024a8bec084205fdd9fa17479ba91f45f85db3 upstream. + +The cx2072x codec driver defines multiple DAIs with the same stream +name "Playback" and "Capture". Although the current code works more +or less as is as the secondary streams are never used, it still leads +the error message like: + debugfs: File 'Playback' in directory 'dapm' already present! + debugfs: File 'Capture' in directory 'dapm' already present! + +Fix it by renaming the secondary streams to unique names. + +Fixes: a497a4363706 ("ASoC: Add support for Conexant CX2072X CODEC") +Cc: +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20201208135154.9188-1-tiwai@suse.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/cx2072x.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/codecs/cx2072x.c ++++ b/sound/soc/codecs/cx2072x.c +@@ -1579,7 +1579,7 @@ static struct snd_soc_dai_driver soc_cod + .id = CX2072X_DAI_DSP, + .probe = cx2072x_dsp_dai_probe, + .playback = { +- .stream_name = "Playback", ++ .stream_name = "DSP Playback", + .channels_min = 2, + .channels_max = 2, + .rates = CX2072X_RATES_DSP, +@@ -1591,7 +1591,7 @@ static struct snd_soc_dai_driver soc_cod + .name = "cx2072x-aec", + .id = 3, + .capture = { +- .stream_name = "Capture", ++ .stream_name = "AEC Capture", + .channels_min = 2, + .channels_max = 2, + .rates = CX2072X_RATES_DSP, diff --git a/queue-5.4/binder-add-flag-to-clear-buffer-on-txn-complete.patch b/queue-5.4/binder-add-flag-to-clear-buffer-on-txn-complete.patch new file mode 100644 index 00000000000..3a77528d114 --- /dev/null +++ b/queue-5.4/binder-add-flag-to-clear-buffer-on-txn-complete.patch @@ -0,0 +1,146 @@ +From 0f966cba95c78029f491b433ea95ff38f414a761 Mon Sep 17 00:00:00 2001 +From: Todd Kjos +Date: Fri, 20 Nov 2020 15:37:43 -0800 +Subject: binder: add flag to clear buffer on txn complete + +From: Todd Kjos + +commit 0f966cba95c78029f491b433ea95ff38f414a761 upstream. + +Add a per-transaction flag to indicate that the buffer +must be cleared when the transaction is complete to +prevent copies of sensitive data from being preserved +in memory. + +Signed-off-by: Todd Kjos +Link: https://lore.kernel.org/r/20201120233743.3617529-1-tkjos@google.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 1 + drivers/android/binder_alloc.c | 48 ++++++++++++++++++++++++++++++++++++ + drivers/android/binder_alloc.h | 4 ++- + include/uapi/linux/android/binder.h | 1 + 4 files changed, 53 insertions(+), 1 deletion(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -3150,6 +3150,7 @@ static void binder_transaction(struct bi + t->buffer->debug_id = t->debug_id; + t->buffer->transaction = t; + t->buffer->target_node = target_node; ++ t->buffer->clear_on_free = !!(t->flags & TF_CLEAR_BUF); + trace_binder_transaction_alloc_buf(t->buffer); + + if (binder_alloc_copy_user_to_buffer( +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -647,6 +647,8 @@ static void binder_free_buf_locked(struc + binder_insert_free_buffer(alloc, buffer); + } + ++static void binder_alloc_clear_buf(struct binder_alloc *alloc, ++ struct binder_buffer *buffer); + /** + * binder_alloc_free_buf() - free a binder buffer + * @alloc: binder_alloc for this proc +@@ -657,6 +659,18 @@ static void binder_free_buf_locked(struc + void binder_alloc_free_buf(struct binder_alloc *alloc, + struct binder_buffer *buffer) + { ++ /* ++ * We could eliminate the call to binder_alloc_clear_buf() ++ * from binder_alloc_deferred_release() by moving this to ++ * binder_alloc_free_buf_locked(). However, that could ++ * increase contention for the alloc mutex if clear_on_free ++ * is used frequently for large buffers. The mutex is not ++ * needed for correctness here. ++ */ ++ if (buffer->clear_on_free) { ++ binder_alloc_clear_buf(alloc, buffer); ++ buffer->clear_on_free = false; ++ } + mutex_lock(&alloc->mutex); + binder_free_buf_locked(alloc, buffer); + mutex_unlock(&alloc->mutex); +@@ -753,6 +767,10 @@ void binder_alloc_deferred_release(struc + /* Transaction should already have been freed */ + BUG_ON(buffer->transaction); + ++ if (buffer->clear_on_free) { ++ binder_alloc_clear_buf(alloc, buffer); ++ buffer->clear_on_free = false; ++ } + binder_free_buf_locked(alloc, buffer); + buffers++; + } +@@ -1087,6 +1105,36 @@ static struct page *binder_alloc_get_pag + } + + /** ++ * binder_alloc_clear_buf() - zero out buffer ++ * @alloc: binder_alloc for this proc ++ * @buffer: binder buffer to be cleared ++ * ++ * memset the given buffer to 0 ++ */ ++static void binder_alloc_clear_buf(struct binder_alloc *alloc, ++ struct binder_buffer *buffer) ++{ ++ size_t bytes = binder_alloc_buffer_size(alloc, buffer); ++ binder_size_t buffer_offset = 0; ++ ++ while (bytes) { ++ unsigned long size; ++ struct page *page; ++ pgoff_t pgoff; ++ void *kptr; ++ ++ page = binder_alloc_get_page(alloc, buffer, ++ buffer_offset, &pgoff); ++ size = min_t(size_t, bytes, PAGE_SIZE - pgoff); ++ kptr = kmap(page) + pgoff; ++ memset(kptr, 0, size); ++ kunmap(page); ++ bytes -= size; ++ buffer_offset += size; ++ } ++} ++ ++/** + * binder_alloc_copy_user_to_buffer() - copy src user to tgt user + * @alloc: binder_alloc for this proc + * @buffer: binder buffer to be accessed +--- a/drivers/android/binder_alloc.h ++++ b/drivers/android/binder_alloc.h +@@ -23,6 +23,7 @@ struct binder_transaction; + * @entry: entry alloc->buffers + * @rb_node: node for allocated_buffers/free_buffers rb trees + * @free: %true if buffer is free ++ * @clear_on_free: %true if buffer must be zeroed after use + * @allow_user_free: %true if user is allowed to free buffer + * @async_transaction: %true if buffer is in use for an async txn + * @debug_id: unique ID for debugging +@@ -40,9 +41,10 @@ struct binder_buffer { + struct rb_node rb_node; /* free entry by size or allocated entry */ + /* by address */ + unsigned free:1; ++ unsigned clear_on_free:1; + unsigned allow_user_free:1; + unsigned async_transaction:1; +- unsigned debug_id:29; ++ unsigned debug_id:28; + + struct binder_transaction *transaction; + +--- a/include/uapi/linux/android/binder.h ++++ b/include/uapi/linux/android/binder.h +@@ -248,6 +248,7 @@ enum transaction_flags { + TF_ROOT_OBJECT = 0x04, /* contents are the component's root object */ + TF_STATUS_CODE = 0x08, /* contents are a 32-bit status code */ + TF_ACCEPT_FDS = 0x10, /* allow replies with file descriptors */ ++ TF_CLEAR_BUF = 0x20, /* clear buffer on txn complete */ + }; + + struct binder_transaction_data { diff --git a/queue-5.4/cpuset-fix-race-between-hotplug-work-and-later-cpu-offline.patch b/queue-5.4/cpuset-fix-race-between-hotplug-work-and-later-cpu-offline.patch new file mode 100644 index 00000000000..3134bf47649 --- /dev/null +++ b/queue-5.4/cpuset-fix-race-between-hotplug-work-and-later-cpu-offline.patch @@ -0,0 +1,126 @@ +From 406100f3da08066c00105165db8520bbc7694a36 Mon Sep 17 00:00:00 2001 +From: Daniel Jordan +Date: Thu, 12 Nov 2020 12:17:11 -0500 +Subject: cpuset: fix race between hotplug work and later CPU offline + +From: Daniel Jordan + +commit 406100f3da08066c00105165db8520bbc7694a36 upstream. + +One of our machines keeled over trying to rebuild the scheduler domains. +Mainline produces the same splat: + + BUG: unable to handle page fault for address: 0000607f820054db + CPU: 2 PID: 149 Comm: kworker/1:1 Not tainted 5.10.0-rc1-master+ #6 + Workqueue: events cpuset_hotplug_workfn + RIP: build_sched_domains + Call Trace: + partition_sched_domains_locked + rebuild_sched_domains_locked + cpuset_hotplug_workfn + +It happens with cgroup2 and exclusive cpusets only. This reproducer +triggers it on an 8-cpu vm and works most effectively with no +preexisting child cgroups: + + cd $UNIFIED_ROOT + mkdir cg1 + echo 4-7 > cg1/cpuset.cpus + echo root > cg1/cpuset.cpus.partition + + # with smt/control reading 'on', + echo off > /sys/devices/system/cpu/smt/control + +RIP maps to + + sd->shared = *per_cpu_ptr(sdd->sds, sd_id); + +from sd_init(). sd_id is calculated earlier in the same function: + + cpumask_and(sched_domain_span(sd), cpu_map, tl->mask(cpu)); + sd_id = cpumask_first(sched_domain_span(sd)); + +tl->mask(cpu), which reads cpu_sibling_map on x86, returns an empty mask +and so cpumask_first() returns >= nr_cpu_ids, which leads to the bogus +value from per_cpu_ptr() above. + +The problem is a race between cpuset_hotplug_workfn() and a later +offline of CPU N. cpuset_hotplug_workfn() updates the effective masks +when N is still online, the offline clears N from cpu_sibling_map, and +then the worker uses the stale effective masks that still have N to +generate the scheduling domains, leading the worker to read +N's empty cpu_sibling_map in sd_init(). + +rebuild_sched_domains_locked() prevented the race during the cgroup2 +cpuset series up until the Fixes commit changed its check. Make the +check more robust so that it can detect an offline CPU in any exclusive +cpuset's effective mask, not just the top one. + +Fixes: 0ccea8feb980 ("cpuset: Make generate_sched_domains() work with partition") +Signed-off-by: Daniel Jordan +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Tejun Heo +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20201112171711.639541-1-daniel.m.jordan@oracle.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup/cpuset.c | 33 ++++++++++++++++++++++++++++----- + 1 file changed, 28 insertions(+), 5 deletions(-) + +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -981,25 +981,48 @@ partition_and_rebuild_sched_domains(int + */ + static void rebuild_sched_domains_locked(void) + { ++ struct cgroup_subsys_state *pos_css; + struct sched_domain_attr *attr; + cpumask_var_t *doms; ++ struct cpuset *cs; + int ndoms; + + lockdep_assert_cpus_held(); + percpu_rwsem_assert_held(&cpuset_rwsem); + + /* +- * We have raced with CPU hotplug. Don't do anything to avoid ++ * If we have raced with CPU hotplug, return early to avoid + * passing doms with offlined cpu to partition_sched_domains(). +- * Anyways, hotplug work item will rebuild sched domains. ++ * Anyways, cpuset_hotplug_workfn() will rebuild sched domains. ++ * ++ * With no CPUs in any subpartitions, top_cpuset's effective CPUs ++ * should be the same as the active CPUs, so checking only top_cpuset ++ * is enough to detect racing CPU offlines. + */ + if (!top_cpuset.nr_subparts_cpus && + !cpumask_equal(top_cpuset.effective_cpus, cpu_active_mask)) + return; + +- if (top_cpuset.nr_subparts_cpus && +- !cpumask_subset(top_cpuset.effective_cpus, cpu_active_mask)) +- return; ++ /* ++ * With subpartition CPUs, however, the effective CPUs of a partition ++ * root should be only a subset of the active CPUs. Since a CPU in any ++ * partition root could be offlined, all must be checked. ++ */ ++ if (top_cpuset.nr_subparts_cpus) { ++ rcu_read_lock(); ++ cpuset_for_each_descendant_pre(cs, pos_css, &top_cpuset) { ++ if (!is_partition_root(cs)) { ++ pos_css = css_rightmost_descendant(pos_css); ++ continue; ++ } ++ if (!cpumask_subset(cs->effective_cpus, ++ cpu_active_mask)) { ++ rcu_read_unlock(); ++ return; ++ } ++ } ++ rcu_read_unlock(); ++ } + + /* Generate domain masks and attrs */ + ndoms = generate_sched_domains(&doms, &attr); diff --git a/queue-5.4/crypto-arm-aes-ce-work-around-cortex-a57-a72-silion-errata.patch b/queue-5.4/crypto-arm-aes-ce-work-around-cortex-a57-a72-silion-errata.patch new file mode 100644 index 00000000000..4ed6be951e1 --- /dev/null +++ b/queue-5.4/crypto-arm-aes-ce-work-around-cortex-a57-a72-silion-errata.patch @@ -0,0 +1,80 @@ +From f3456b9fd269c6d0c973b136c5449d46b2510f4b Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Thu, 26 Nov 2020 08:49:07 +0100 +Subject: crypto: arm/aes-ce - work around Cortex-A57/A72 silion errata + +From: Ard Biesheuvel + +commit f3456b9fd269c6d0c973b136c5449d46b2510f4b upstream. + +ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are affected +by silicon errata #1742098 and #1655431, respectively, where the second +instruction of a AES instruction pair may execute twice if an interrupt +is taken right after the first instruction consumes an input register of +which a single 32-bit lane has been updated the last time it was modified. + +This is not such a rare occurrence as it may seem: in counter mode, only +the least significant 32-bit word is incremented in the absence of a +carry, which makes our counter mode implementation susceptible to these +errata. + +So let's shuffle the counter assignments around a bit so that the most +recent updates when the AES instruction pair executes are 128-bit wide. + +[0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice +[1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice + +Cc: # v5.4+ +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/crypto/aes-ce-core.S | 32 ++++++++++++++++++++++---------- + 1 file changed, 22 insertions(+), 10 deletions(-) + +--- a/arch/arm/crypto/aes-ce-core.S ++++ b/arch/arm/crypto/aes-ce-core.S +@@ -386,20 +386,32 @@ ENTRY(ce_aes_ctr_encrypt) + .Lctrloop4x: + subs r4, r4, #4 + bmi .Lctr1x +- add r6, r6, #1 ++ ++ /* ++ * NOTE: the sequence below has been carefully tweaked to avoid ++ * a silicon erratum that exists in Cortex-A57 (#1742098) and ++ * Cortex-A72 (#1655431) cores, where AESE/AESMC instruction pairs ++ * may produce an incorrect result if they take their input from a ++ * register of which a single 32-bit lane has been updated the last ++ * time it was modified. To work around this, the lanes of registers ++ * q0-q3 below are not manipulated individually, and the different ++ * counter values are prepared by successive manipulations of q7. ++ */ ++ add ip, r6, #1 + vmov q0, q7 ++ rev ip, ip ++ add lr, r6, #2 ++ vmov s31, ip @ set lane 3 of q1 via q7 ++ add ip, r6, #3 ++ rev lr, lr + vmov q1, q7 +- rev ip, r6 +- add r6, r6, #1 ++ vmov s31, lr @ set lane 3 of q2 via q7 ++ rev ip, ip + vmov q2, q7 +- vmov s7, ip +- rev ip, r6 +- add r6, r6, #1 ++ vmov s31, ip @ set lane 3 of q3 via q7 ++ add r6, r6, #4 + vmov q3, q7 +- vmov s11, ip +- rev ip, r6 +- add r6, r6, #1 +- vmov s15, ip ++ + vld1.8 {q4-q5}, [r1]! + vld1.8 {q6}, [r1]! + vld1.8 {q15}, [r1]! diff --git a/queue-5.4/crypto-ecdh-avoid-unaligned-accesses-in-ecdh_set_secret.patch b/queue-5.4/crypto-ecdh-avoid-unaligned-accesses-in-ecdh_set_secret.patch new file mode 100644 index 00000000000..c7bf08b16d0 --- /dev/null +++ b/queue-5.4/crypto-ecdh-avoid-unaligned-accesses-in-ecdh_set_secret.patch @@ -0,0 +1,47 @@ +From 17858b140bf49961b71d4e73f1c3ea9bc8e7dda0 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Tue, 24 Nov 2020 11:47:19 +0100 +Subject: crypto: ecdh - avoid unaligned accesses in ecdh_set_secret() + +From: Ard Biesheuvel + +commit 17858b140bf49961b71d4e73f1c3ea9bc8e7dda0 upstream. + +ecdh_set_secret() casts a void* pointer to a const u64* in order to +feed it into ecc_is_key_valid(). This is not generally permitted by +the C standard, and leads to actual misalignment faults on ARMv6 +cores. In some cases, these are fixed up in software, but this still +leads to performance hits that are entirely avoidable. + +So let's copy the key into the ctx buffer first, which we will do +anyway in the common case, and which guarantees correct alignment. + +Cc: +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/ecdh.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/crypto/ecdh.c ++++ b/crypto/ecdh.c +@@ -53,12 +53,13 @@ static int ecdh_set_secret(struct crypto + return ecc_gen_privkey(ctx->curve_id, ctx->ndigits, + ctx->private_key); + +- if (ecc_is_key_valid(ctx->curve_id, ctx->ndigits, +- (const u64 *)params.key, params.key_size) < 0) +- return -EINVAL; +- + memcpy(ctx->private_key, params.key, params.key_size); + ++ if (ecc_is_key_valid(ctx->curve_id, ctx->ndigits, ++ ctx->private_key, params.key_size) < 0) { ++ memzero_explicit(ctx->private_key, params.key_size); ++ return -EINVAL; ++ } + return 0; + } + diff --git a/queue-5.4/edac-amd64-fix-pci-component-registration.patch b/queue-5.4/edac-amd64-fix-pci-component-registration.patch new file mode 100644 index 00000000000..7c901b4bb5b --- /dev/null +++ b/queue-5.4/edac-amd64-fix-pci-component-registration.patch @@ -0,0 +1,114 @@ +From 706657b1febf446a9ba37dc51b89f46604f57ee9 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Sun, 22 Nov 2020 15:57:21 +0100 +Subject: EDAC/amd64: Fix PCI component registration + +From: Borislav Petkov + +commit 706657b1febf446a9ba37dc51b89f46604f57ee9 upstream. + +In order to setup its PCI component, the driver needs any node private +instance in order to get a reference to the PCI device and hand that +into edac_pci_create_generic_ctl(). For convenience, it uses the 0th +memory controller descriptor under the assumption that if any, the 0th +will be always present. + +However, this assumption goes wrong when the 0th node doesn't have +memory and the driver doesn't initialize an instance for it: + + EDAC amd64: F17h detected (node 0). + ... + EDAC amd64: Node 0: No DIMMs detected. + +But looking up node instances is not really needed - all one needs is +the pointer to the proper device which gets discovered during instance +init. + +So stash that pointer into a variable and use it when setting up the +EDAC PCI component. + +Clear that variable when the driver needs to unwind due to some +instances failing init to avoid any registration imbalance. + +Cc: +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20201122150815.13808-1-bp@alien8.de +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/amd64_edac.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +--- a/drivers/edac/amd64_edac.c ++++ b/drivers/edac/amd64_edac.c +@@ -22,6 +22,9 @@ static struct ecc_settings **ecc_stngs; + /* Number of Unified Memory Controllers */ + static u8 num_umcs; + ++/* Device for the PCI component */ ++static struct device *pci_ctl_dev; ++ + /* + * Valid scrub rates for the K8 hardware memory scrubber. We map the scrubbing + * bandwidth to a valid bit pattern. The 'set' operation finds the 'matching- +@@ -2672,6 +2675,9 @@ reserve_mc_sibling_devs(struct amd64_pvt + return -ENODEV; + } + ++ if (!pci_ctl_dev) ++ pci_ctl_dev = &pvt->F0->dev; ++ + edac_dbg(1, "F0: %s\n", pci_name(pvt->F0)); + edac_dbg(1, "F3: %s\n", pci_name(pvt->F3)); + edac_dbg(1, "F6: %s\n", pci_name(pvt->F6)); +@@ -2696,6 +2702,9 @@ reserve_mc_sibling_devs(struct amd64_pvt + return -ENODEV; + } + ++ if (!pci_ctl_dev) ++ pci_ctl_dev = &pvt->F2->dev; ++ + edac_dbg(1, "F1: %s\n", pci_name(pvt->F1)); + edac_dbg(1, "F2: %s\n", pci_name(pvt->F2)); + edac_dbg(1, "F3: %s\n", pci_name(pvt->F3)); +@@ -3626,21 +3635,10 @@ static void remove_one_instance(unsigned + + static void setup_pci_device(void) + { +- struct mem_ctl_info *mci; +- struct amd64_pvt *pvt; +- + if (pci_ctl) + return; + +- mci = edac_mc_find(0); +- if (!mci) +- return; +- +- pvt = mci->pvt_info; +- if (pvt->umc) +- pci_ctl = edac_pci_create_generic_ctl(&pvt->F0->dev, EDAC_MOD_STR); +- else +- pci_ctl = edac_pci_create_generic_ctl(&pvt->F2->dev, EDAC_MOD_STR); ++ pci_ctl = edac_pci_create_generic_ctl(pci_ctl_dev, EDAC_MOD_STR); + if (!pci_ctl) { + pr_warn("%s(): Unable to create PCI control\n", __func__); + pr_warn("%s(): PCI error report via EDAC not set\n", __func__); +@@ -3723,6 +3721,8 @@ static int __init amd64_edac_init(void) + return 0; + + err_pci: ++ pci_ctl_dev = NULL; ++ + msrs_free(msrs); + msrs = NULL; + +@@ -3754,6 +3754,8 @@ static void __exit amd64_edac_exit(void) + kfree(ecc_stngs); + ecc_stngs = NULL; + ++ pci_ctl_dev = NULL; ++ + msrs_free(msrs); + msrs = NULL; + } diff --git a/queue-5.4/edac-i10nm-use-readl-to-access-mmio-registers.patch b/queue-5.4/edac-i10nm-use-readl-to-access-mmio-registers.patch new file mode 100644 index 00000000000..fd532c7cd21 --- /dev/null +++ b/queue-5.4/edac-i10nm-use-readl-to-access-mmio-registers.patch @@ -0,0 +1,61 @@ +From 83ff51c4e3fecf6b8587ce4d46f6eac59f5d7c5a Mon Sep 17 00:00:00 2001 +From: Qiuxu Zhuo +Date: Tue, 17 Nov 2020 20:49:51 +0800 +Subject: EDAC/i10nm: Use readl() to access MMIO registers + +From: Qiuxu Zhuo + +commit 83ff51c4e3fecf6b8587ce4d46f6eac59f5d7c5a upstream. + +Instead of raw access, use readl() to access MMIO registers of +memory controller to avoid possible compiler re-ordering. + +Fixes: d4dc89d069aa ("EDAC, i10nm: Add a driver for Intel 10nm server processors") +Cc: +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/i10nm_base.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/edac/i10nm_base.c ++++ b/drivers/edac/i10nm_base.c +@@ -6,6 +6,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -19,14 +20,16 @@ + #define i10nm_printk(level, fmt, arg...) \ + edac_printk(level, "i10nm", fmt, ##arg) + +-#define I10NM_GET_SCK_BAR(d, reg) \ ++#define I10NM_GET_SCK_BAR(d, reg) \ + pci_read_config_dword((d)->uracu, 0xd0, &(reg)) + #define I10NM_GET_IMC_BAR(d, i, reg) \ + pci_read_config_dword((d)->uracu, 0xd8 + (i) * 4, &(reg)) + #define I10NM_GET_DIMMMTR(m, i, j) \ +- (*(u32 *)((m)->mbase + 0x2080c + (i) * 0x4000 + (j) * 4)) ++ readl((m)->mbase + 0x2080c + (i) * 0x4000 + (j) * 4) + #define I10NM_GET_MCDDRTCFG(m, i, j) \ +- (*(u32 *)((m)->mbase + 0x20970 + (i) * 0x4000 + (j) * 4)) ++ readl((m)->mbase + 0x20970 + (i) * 0x4000 + (j) * 4) ++#define I10NM_GET_MCMTR(m, i) \ ++ readl((m)->mbase + 0x20ef8 + (i) * 0x4000) + + #define I10NM_GET_SCK_MMIO_BASE(reg) (GET_BITFIELD(reg, 0, 28) << 23) + #define I10NM_GET_IMC_MMIO_OFFSET(reg) (GET_BITFIELD(reg, 0, 10) << 12) +@@ -134,7 +137,7 @@ static bool i10nm_check_ecc(struct skx_i + { + u32 mcmtr; + +- mcmtr = *(u32 *)(imc->mbase + 0x20ef8 + chan * 0x4000); ++ mcmtr = I10NM_GET_MCMTR(imc, chan); + edac_dbg(1, "ch%d mcmtr reg %x\n", chan, mcmtr); + + return !!GET_BITFIELD(mcmtr, 2, 2); diff --git a/queue-5.4/input-cyapa_gen6-fix-out-of-bounds-stack-access.patch b/queue-5.4/input-cyapa_gen6-fix-out-of-bounds-stack-access.patch new file mode 100644 index 00000000000..f1d4ef6e8f6 --- /dev/null +++ b/queue-5.4/input-cyapa_gen6-fix-out-of-bounds-stack-access.patch @@ -0,0 +1,44 @@ +From f051ae4f6c732c231046945b36234e977f8467c6 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 14 Dec 2020 13:37:46 -0800 +Subject: Input: cyapa_gen6 - fix out-of-bounds stack access + +From: Arnd Bergmann + +commit f051ae4f6c732c231046945b36234e977f8467c6 upstream. + +gcc -Warray-bounds warns about a serious bug in +cyapa_pip_retrieve_data_structure: + +drivers/input/mouse/cyapa_gen6.c: In function 'cyapa_pip_retrieve_data_structure.constprop': +include/linux/unaligned/access_ok.h:40:17: warning: array subscript -1 is outside array bounds of 'struct retrieve_data_struct_cmd[1]' [-Warray-bounds] + 40 | *((__le16 *)p) = cpu_to_le16(val); +drivers/input/mouse/cyapa_gen6.c:569:13: note: while referencing 'cmd' + 569 | } __packed cmd; + | ^~~ + +Apparently the '-2' was added to the pointer instead of the value, +writing garbage into the stack next to this variable. + +Fixes: c2c06c41f700 ("Input: cyapa - add gen6 device module support") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20201026161332.3708389-1-arnd@kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/cyapa_gen6.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/mouse/cyapa_gen6.c ++++ b/drivers/input/mouse/cyapa_gen6.c +@@ -573,7 +573,7 @@ static int cyapa_pip_retrieve_data_struc + + memset(&cmd, 0, sizeof(cmd)); + put_unaligned_le16(PIP_OUTPUT_REPORT_ADDR, &cmd.head.addr); +- put_unaligned_le16(sizeof(cmd), &cmd.head.length - 2); ++ put_unaligned_le16(sizeof(cmd) - 2, &cmd.head.length); + cmd.head.report_id = PIP_APP_CMD_REPORT_ID; + cmd.head.cmd_code = PIP_RETRIEVE_DATA_STRUCTURE; + put_unaligned_le16(read_offset, &cmd.read_offset); diff --git a/queue-5.4/media-gspca-fix-memory-leak-in-probe.patch b/queue-5.4/media-gspca-fix-memory-leak-in-probe.patch new file mode 100644 index 00000000000..89431a6f983 --- /dev/null +++ b/queue-5.4/media-gspca-fix-memory-leak-in-probe.patch @@ -0,0 +1,40 @@ +From e469d0b09a19496e1972a20974bbf55b728151eb Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 2 Dec 2020 18:20:04 +0100 +Subject: media: gspca: Fix memory leak in probe + +From: Alan Stern + +commit e469d0b09a19496e1972a20974bbf55b728151eb upstream. + +The gspca driver leaks memory when a probe fails. gspca_dev_probe2() +calls v4l2_device_register(), which takes a reference to the +underlying device node (in this case, a USB interface). But the +failure pathway neglects to call v4l2_device_unregister(), the routine +responsible for dropping this reference. Consequently the memory for +the USB interface and its device never gets released. + +This patch adds the missing function call. + +Reported-and-tested-by: syzbot+44e64397bd81d5e84cba@syzkaller.appspotmail.com + +Signed-off-by: Alan Stern +CC: +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/gspca/gspca.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/usb/gspca/gspca.c ++++ b/drivers/media/usb/gspca/gspca.c +@@ -1575,6 +1575,7 @@ out: + input_unregister_device(gspca_dev->input_dev); + #endif + v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler); ++ v4l2_device_unregister(&gspca_dev->v4l2_dev); + kfree(gspca_dev->usb_buf); + kfree(gspca_dev); + return ret; diff --git a/queue-5.4/media-ipu3-cio2-make-the-field-on-subdev-format-v4l2_field_none.patch b/queue-5.4/media-ipu3-cio2-make-the-field-on-subdev-format-v4l2_field_none.patch new file mode 100644 index 00000000000..c53373dbfb9 --- /dev/null +++ b/queue-5.4/media-ipu3-cio2-make-the-field-on-subdev-format-v4l2_field_none.patch @@ -0,0 +1,35 @@ +From 219a8b9c04e54872f9a4d566633fb42f08bcbe2a Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Fri, 9 Oct 2020 15:56:05 +0200 +Subject: media: ipu3-cio2: Make the field on subdev format V4L2_FIELD_NONE + +From: Sakari Ailus + +commit 219a8b9c04e54872f9a4d566633fb42f08bcbe2a upstream. + +The ipu3-cio2 doesn't make use of the field and this is reflected in V4L2 +buffers as well as the try format. Do this in active format, too. + +Fixes: c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver") +Signed-off-by: Sakari Ailus +Reviewed-by: Bingbu Cao +Reviewed-by: Andy Shevchenko +Reviewed-by: Laurent Pinchart +Cc: stable@vger.kernel.org # v4.16 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/pci/intel/ipu3/ipu3-cio2.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/pci/intel/ipu3/ipu3-cio2.c ++++ b/drivers/media/pci/intel/ipu3/ipu3-cio2.c +@@ -1297,6 +1297,7 @@ static int cio2_subdev_set_fmt(struct v4 + fmt->format.width = min_t(u32, fmt->format.width, CIO2_IMAGE_MAX_WIDTH); + fmt->format.height = min_t(u32, fmt->format.height, + CIO2_IMAGE_MAX_LENGTH); ++ fmt->format.field = V4L2_FIELD_NONE; + + mutex_lock(&q->subdev_lock); + *mbus = fmt->format; diff --git a/queue-5.4/media-ipu3-cio2-remove-traces-of-returned-buffers.patch b/queue-5.4/media-ipu3-cio2-remove-traces-of-returned-buffers.patch new file mode 100644 index 00000000000..38631c59cd0 --- /dev/null +++ b/queue-5.4/media-ipu3-cio2-remove-traces-of-returned-buffers.patch @@ -0,0 +1,35 @@ +From 61e7f892b5ee1dd10ea8bff805f3c3fe6e535959 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Mon, 12 Oct 2020 17:25:28 +0200 +Subject: media: ipu3-cio2: Remove traces of returned buffers + +From: Sakari Ailus + +commit 61e7f892b5ee1dd10ea8bff805f3c3fe6e535959 upstream. + +If starting a video buffer queue fails, the buffers are returned to +videobuf2. Remove the reference to the buffer from the driver's queue as +well. + +Fixes: c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver") +Signed-off-by: Sakari Ailus +Cc: stable@vger.kernel.org # v4.16 and up +Reviewed-by: Andy Shevchenko +Reviewed-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/pci/intel/ipu3/ipu3-cio2.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/pci/intel/ipu3/ipu3-cio2.c ++++ b/drivers/media/pci/intel/ipu3/ipu3-cio2.c +@@ -799,6 +799,7 @@ static void cio2_vb2_return_all_buffers( + atomic_dec(&q->bufs_queued); + vb2_buffer_done(&q->bufs[i]->vbb.vb2_buf, + state); ++ q->bufs[i] = NULL; + } + } + } diff --git a/queue-5.4/media-ipu3-cio2-return-actual-subdev-format.patch b/queue-5.4/media-ipu3-cio2-return-actual-subdev-format.patch new file mode 100644 index 00000000000..e84c8fedec6 --- /dev/null +++ b/queue-5.4/media-ipu3-cio2-return-actual-subdev-format.patch @@ -0,0 +1,62 @@ +From 8160e86702e0807bd36d40f82648f9f9820b9d5a Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Thu, 8 Oct 2020 21:06:28 +0200 +Subject: media: ipu3-cio2: Return actual subdev format + +From: Sakari Ailus + +commit 8160e86702e0807bd36d40f82648f9f9820b9d5a upstream. + +Return actual subdev format on ipu3-cio2 subdev pads. The earlier +implementation was based on an infinite recursion that exhausted the +stack. + +Reported-by: Tsuchiya Yuto +Fixes: c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver") +Signed-off-by: Sakari Ailus +Reviewed-by: Laurent Pinchart +Reviewed-by: Bingbu Cao +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org # v4.16 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/pci/intel/ipu3/ipu3-cio2.c | 24 +++--------------------- + 1 file changed, 3 insertions(+), 21 deletions(-) + +--- a/drivers/media/pci/intel/ipu3/ipu3-cio2.c ++++ b/drivers/media/pci/intel/ipu3/ipu3-cio2.c +@@ -1244,29 +1244,11 @@ static int cio2_subdev_get_fmt(struct v4 + struct v4l2_subdev_format *fmt) + { + struct cio2_queue *q = container_of(sd, struct cio2_queue, subdev); +- struct v4l2_subdev_format format; +- int ret; + +- if (fmt->which == V4L2_SUBDEV_FORMAT_TRY) { ++ if (fmt->which == V4L2_SUBDEV_FORMAT_TRY) + fmt->format = *v4l2_subdev_get_try_format(sd, cfg, fmt->pad); +- return 0; +- } +- +- if (fmt->pad == CIO2_PAD_SINK) { +- format.which = V4L2_SUBDEV_FORMAT_ACTIVE; +- ret = v4l2_subdev_call(sd, pad, get_fmt, NULL, +- &format); +- +- if (ret) +- return ret; +- /* update colorspace etc */ +- q->subdev_fmt.colorspace = format.format.colorspace; +- q->subdev_fmt.ycbcr_enc = format.format.ycbcr_enc; +- q->subdev_fmt.quantization = format.format.quantization; +- q->subdev_fmt.xfer_func = format.format.xfer_func; +- } +- +- fmt->format = q->subdev_fmt; ++ else ++ fmt->format = q->subdev_fmt; + + return 0; + } diff --git a/queue-5.4/media-ipu3-cio2-serialise-access-to-pad-format.patch b/queue-5.4/media-ipu3-cio2-serialise-access-to-pad-format.patch new file mode 100644 index 00000000000..1e5cbb6da7f --- /dev/null +++ b/queue-5.4/media-ipu3-cio2-serialise-access-to-pad-format.patch @@ -0,0 +1,95 @@ +From 55a6c6b2be3d6670bf5772364d8208bd8dc17da4 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Thu, 8 Oct 2020 21:29:38 +0200 +Subject: media: ipu3-cio2: Serialise access to pad format + +From: Sakari Ailus + +commit 55a6c6b2be3d6670bf5772364d8208bd8dc17da4 upstream. + +Pad format can be accessed from user space. Serialise access to it. + +Fixes: c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver") +Signed-off-by: Sakari Ailus +Reviewed-by: Laurent Pinchart +Reviewed-by: Bingbu Cao +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org # v4.16 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/pci/intel/ipu3/ipu3-cio2.c | 11 +++++++++++ + drivers/media/pci/intel/ipu3/ipu3-cio2.h | 1 + + 2 files changed, 12 insertions(+) + +--- a/drivers/media/pci/intel/ipu3/ipu3-cio2.c ++++ b/drivers/media/pci/intel/ipu3/ipu3-cio2.c +@@ -1245,11 +1245,15 @@ static int cio2_subdev_get_fmt(struct v4 + { + struct cio2_queue *q = container_of(sd, struct cio2_queue, subdev); + ++ mutex_lock(&q->subdev_lock); ++ + if (fmt->which == V4L2_SUBDEV_FORMAT_TRY) + fmt->format = *v4l2_subdev_get_try_format(sd, cfg, fmt->pad); + else + fmt->format = q->subdev_fmt; + ++ mutex_unlock(&q->subdev_lock); ++ + return 0; + } + +@@ -1273,6 +1277,8 @@ static int cio2_subdev_set_fmt(struct v4 + if (fmt->pad == CIO2_PAD_SOURCE) + return cio2_subdev_get_fmt(sd, cfg, fmt); + ++ mutex_lock(&q->subdev_lock); ++ + if (fmt->which == V4L2_SUBDEV_FORMAT_TRY) { + *v4l2_subdev_get_try_format(sd, cfg, fmt->pad) = fmt->format; + } else { +@@ -1283,6 +1289,8 @@ static int cio2_subdev_set_fmt(struct v4 + fmt->format = q->subdev_fmt; + } + ++ mutex_unlock(&q->subdev_lock); ++ + return 0; + } + +@@ -1541,6 +1549,7 @@ static int cio2_queue_init(struct cio2_d + + /* Initialize miscellaneous variables */ + mutex_init(&q->lock); ++ mutex_init(&q->subdev_lock); + + /* Initialize formats to default values */ + fmt = &q->subdev_fmt; +@@ -1659,6 +1668,7 @@ fail_vdev_media_entity: + fail_subdev_media_entity: + cio2_fbpt_exit(q, &cio2->pci_dev->dev); + fail_fbpt: ++ mutex_destroy(&q->subdev_lock); + mutex_destroy(&q->lock); + + return r; +@@ -1672,6 +1682,7 @@ static void cio2_queue_exit(struct cio2_ + v4l2_device_unregister_subdev(&q->subdev); + media_entity_cleanup(&q->subdev.entity); + cio2_fbpt_exit(q, &cio2->pci_dev->dev); ++ mutex_destroy(&q->subdev_lock); + mutex_destroy(&q->lock); + } + +--- a/drivers/media/pci/intel/ipu3/ipu3-cio2.h ++++ b/drivers/media/pci/intel/ipu3/ipu3-cio2.h +@@ -332,6 +332,7 @@ struct cio2_queue { + + /* Subdev, /dev/v4l-subdevX */ + struct v4l2_subdev subdev; ++ struct mutex subdev_lock; /* Serialise acces to subdev_fmt field */ + struct media_pad subdev_pads[CIO2_PADS]; + struct v4l2_mbus_framefmt subdev_fmt; + atomic_t frame_sequence; diff --git a/queue-5.4/media-ipu3-cio2-validate-mbus-format-in-setting-subdev-format.patch b/queue-5.4/media-ipu3-cio2-validate-mbus-format-in-setting-subdev-format.patch new file mode 100644 index 00000000000..c02410ef5ac --- /dev/null +++ b/queue-5.4/media-ipu3-cio2-validate-mbus-format-in-setting-subdev-format.patch @@ -0,0 +1,74 @@ +From a86cf9b29e8b12811cf53c4970eefe0c1d290476 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Thu, 8 Oct 2020 21:33:26 +0200 +Subject: media: ipu3-cio2: Validate mbus format in setting subdev format + +From: Sakari Ailus + +commit a86cf9b29e8b12811cf53c4970eefe0c1d290476 upstream. + +Validate media bus code, width and height when setting the subdev format. + +This effectively reworks how setting subdev format is implemented in the +driver. + +Fixes: c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver") +Signed-off-by: Sakari Ailus +Reviewed-by: Andy Shevchenko +Reviewed-by: Laurent Pinchart +Cc: stable@vger.kernel.org # v4.16 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/pci/intel/ipu3/ipu3-cio2.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +--- a/drivers/media/pci/intel/ipu3/ipu3-cio2.c ++++ b/drivers/media/pci/intel/ipu3/ipu3-cio2.c +@@ -1269,6 +1269,9 @@ static int cio2_subdev_set_fmt(struct v4 + struct v4l2_subdev_format *fmt) + { + struct cio2_queue *q = container_of(sd, struct cio2_queue, subdev); ++ struct v4l2_mbus_framefmt *mbus; ++ u32 mbus_code = fmt->format.code; ++ unsigned int i; + + /* + * Only allow setting sink pad format; +@@ -1277,18 +1280,26 @@ static int cio2_subdev_set_fmt(struct v4 + if (fmt->pad == CIO2_PAD_SOURCE) + return cio2_subdev_get_fmt(sd, cfg, fmt); + +- mutex_lock(&q->subdev_lock); ++ if (fmt->which == V4L2_SUBDEV_FORMAT_TRY) ++ mbus = v4l2_subdev_get_try_format(sd, cfg, fmt->pad); ++ else ++ mbus = &q->subdev_fmt; ++ ++ fmt->format.code = formats[0].mbus_code; + +- if (fmt->which == V4L2_SUBDEV_FORMAT_TRY) { +- *v4l2_subdev_get_try_format(sd, cfg, fmt->pad) = fmt->format; +- } else { +- /* It's the sink, allow changing frame size */ +- q->subdev_fmt.width = fmt->format.width; +- q->subdev_fmt.height = fmt->format.height; +- q->subdev_fmt.code = fmt->format.code; +- fmt->format = q->subdev_fmt; ++ for (i = 0; i < ARRAY_SIZE(formats); i++) { ++ if (formats[i].mbus_code == fmt->format.code) { ++ fmt->format.code = mbus_code; ++ break; ++ } + } + ++ fmt->format.width = min_t(u32, fmt->format.width, CIO2_IMAGE_MAX_WIDTH); ++ fmt->format.height = min_t(u32, fmt->format.height, ++ CIO2_IMAGE_MAX_LENGTH); ++ ++ mutex_lock(&q->subdev_lock); ++ *mbus = fmt->format; + mutex_unlock(&q->subdev_lock); + + return 0; diff --git a/queue-5.4/media-netup_unidvb-don-t-leak-spi-master-in-probe-error-path.patch b/queue-5.4/media-netup_unidvb-don-t-leak-spi-master-in-probe-error-path.patch new file mode 100644 index 00000000000..57489d9f80f --- /dev/null +++ b/queue-5.4/media-netup_unidvb-don-t-leak-spi-master-in-probe-error-path.patch @@ -0,0 +1,69 @@ +From e297ddf296de35037fa97f4302782def196d350a Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Mon, 7 Dec 2020 09:17:12 +0100 +Subject: media: netup_unidvb: Don't leak SPI master in probe error path + +From: Lukas Wunner + +commit e297ddf296de35037fa97f4302782def196d350a upstream. + +If the call to spi_register_master() fails on probe of the NetUP +Universal DVB driver, the spi_master struct is erroneously not freed. + +Likewise, if spi_new_device() fails, the spi_controller struct is +not unregistered. Plug the leaks. + +While at it, fix an ordering issue in netup_spi_release() wherein +spi_unregister_master() is called after fiddling with the IRQ control +register. The correct order is to call spi_unregister_master() *before* +this teardown step because bus accesses may still be ongoing until that +function returns. + +Fixes: 52b1eaf4c59a ("[media] netup_unidvb: NetUP Universal DVB-S/S2/T/T2/C PCI-E card driver") +Signed-off-by: Lukas Wunner +Reviewed-by: Mauro Carvalho Chehab +Cc: # v4.3+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation +Cc: # v4.3+ +Cc: Kozlov Sergey +Link: https://lore.kernel.org/r/c4c24f333fc7840f4a3db24789e6e10dd660bede.1607286887.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/pci/netup_unidvb/netup_unidvb_spi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/media/pci/netup_unidvb/netup_unidvb_spi.c ++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_spi.c +@@ -175,7 +175,7 @@ int netup_spi_init(struct netup_unidvb_d + struct spi_master *master; + struct netup_spi *nspi; + +- master = spi_alloc_master(&ndev->pci_dev->dev, ++ master = devm_spi_alloc_master(&ndev->pci_dev->dev, + sizeof(struct netup_spi)); + if (!master) { + dev_err(&ndev->pci_dev->dev, +@@ -208,6 +208,7 @@ int netup_spi_init(struct netup_unidvb_d + ndev->pci_slot, + ndev->pci_func); + if (!spi_new_device(master, &netup_spi_board)) { ++ spi_unregister_master(master); + ndev->spi = NULL; + dev_err(&ndev->pci_dev->dev, + "%s(): unable to create SPI device\n", __func__); +@@ -226,13 +227,13 @@ void netup_spi_release(struct netup_unid + if (!spi) + return; + ++ spi_unregister_master(spi->master); + spin_lock_irqsave(&spi->lock, flags); + reg = readw(&spi->regs->control_stat); + writew(reg | NETUP_SPI_CTRL_IRQ, &spi->regs->control_stat); + reg = readw(&spi->regs->control_stat); + writew(reg & ~NETUP_SPI_CTRL_IMASK, &spi->regs->control_stat); + spin_unlock_irqrestore(&spi->lock, flags); +- spi_unregister_master(spi->master); + ndev->spi = NULL; + } + diff --git a/queue-5.4/media-sunxi-cir-ensure-ir-is-handled-when-it-is-continuous.patch b/queue-5.4/media-sunxi-cir-ensure-ir-is-handled-when-it-is-continuous.patch new file mode 100644 index 00000000000..019055ea61b --- /dev/null +++ b/queue-5.4/media-sunxi-cir-ensure-ir-is-handled-when-it-is-continuous.patch @@ -0,0 +1,42 @@ +From 3f56df4c8ffeb120ed41906d3aae71799b7e726a Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Mon, 9 Nov 2020 23:16:52 +0100 +Subject: media: sunxi-cir: ensure IR is handled when it is continuous + +From: Sean Young + +commit 3f56df4c8ffeb120ed41906d3aae71799b7e726a upstream. + +If a user holds a button down on a remote, then no ir idle interrupt will +be generated until the user releases the button, depending on how quickly +the remote repeats. No IR is processed until that point, which means that +holding down a button may not do anything. + +This also resolves an issue on a Cubieboard 1 where the IR receiver is +picking up ambient infrared as IR and spews out endless +"rc rc0: IR event FIFO is full!" messages unless you choose to live in +the dark. + +Cc: stable@vger.kernel.org +Tested-by: Hans Verkuil +Acked-by: Maxime Ripard +Reported-by: Hans Verkuil +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/rc/sunxi-cir.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/rc/sunxi-cir.c ++++ b/drivers/media/rc/sunxi-cir.c +@@ -137,6 +137,8 @@ static irqreturn_t sunxi_ir_irq(int irqn + } else if (status & REG_RXSTA_RPE) { + ir_raw_event_set_idle(ir->rc, true); + ir_raw_event_handle(ir->rc); ++ } else { ++ ir_raw_event_handle(ir->rc); + } + + spin_unlock(&ir->ir_lock); diff --git a/queue-5.4/perf-x86-intel-add-event-constraint-for-cycle_activity.stalls_mem_any.patch b/queue-5.4/perf-x86-intel-add-event-constraint-for-cycle_activity.stalls_mem_any.patch new file mode 100644 index 00000000000..0bb3500df8d --- /dev/null +++ b/queue-5.4/perf-x86-intel-add-event-constraint-for-cycle_activity.stalls_mem_any.patch @@ -0,0 +1,41 @@ +From 306e3e91edf1c6739a55312edd110d298ff498dd Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Mon, 19 Oct 2020 09:45:29 -0700 +Subject: perf/x86/intel: Add event constraint for CYCLE_ACTIVITY.STALLS_MEM_ANY + +From: Kan Liang + +commit 306e3e91edf1c6739a55312edd110d298ff498dd upstream. + +The event CYCLE_ACTIVITY.STALLS_MEM_ANY (0x14a3) should be available on +all 8 GP counters on ICL, but it's only scheduled on the first four +counters due to the current ICL constraint table. + +Add a line for the CYCLE_ACTIVITY.STALLS_MEM_ANY event in the ICL +constraint table. +Correct the comments for the CYCLE_ACTIVITY.CYCLES_MEM_ANY event. + +Fixes: 6017608936c1 ("perf/x86/intel: Add Icelake support") +Reported-by: Andi Kleen +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20201019164529.32154-1-kan.liang@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/intel/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -253,7 +253,8 @@ static struct event_constraint intel_icl + INTEL_EVENT_CONSTRAINT_RANGE(0x48, 0x54, 0xf), + INTEL_EVENT_CONSTRAINT_RANGE(0x60, 0x8b, 0xf), + INTEL_UEVENT_CONSTRAINT(0x04a3, 0xff), /* CYCLE_ACTIVITY.STALLS_TOTAL */ +- INTEL_UEVENT_CONSTRAINT(0x10a3, 0xff), /* CYCLE_ACTIVITY.STALLS_MEM_ANY */ ++ INTEL_UEVENT_CONSTRAINT(0x10a3, 0xff), /* CYCLE_ACTIVITY.CYCLES_MEM_ANY */ ++ INTEL_UEVENT_CONSTRAINT(0x14a3, 0xff), /* CYCLE_ACTIVITY.STALLS_MEM_ANY */ + INTEL_EVENT_CONSTRAINT(0xa3, 0xf), /* CYCLE_ACTIVITY.* */ + INTEL_EVENT_CONSTRAINT_RANGE(0xa8, 0xb0, 0xf), + INTEL_EVENT_CONSTRAINT_RANGE(0xb7, 0xbd, 0xf), diff --git a/queue-5.4/perf-x86-intel-fix-rtm_abort_event-encoding-on-ice-lake.patch b/queue-5.4/perf-x86-intel-fix-rtm_abort_event-encoding-on-ice-lake.patch new file mode 100644 index 00000000000..ec7f70d0f04 --- /dev/null +++ b/queue-5.4/perf-x86-intel-fix-rtm_abort_event-encoding-on-ice-lake.patch @@ -0,0 +1,39 @@ +From 46b72e1bf4fc571da0c29c6fb3e5b2a2107a4c26 Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Wed, 25 Nov 2020 13:37:19 -0800 +Subject: perf/x86/intel: Fix rtm_abort_event encoding on Ice Lake + +From: Kan Liang + +commit 46b72e1bf4fc571da0c29c6fb3e5b2a2107a4c26 upstream. + +According to the event list from icelake_core_v1.09.json, the encoding +of the RTM_RETIRED.ABORTED event on Ice Lake should be, + "EventCode": "0xc9", + "UMask": "0x04", + "EventName": "RTM_RETIRED.ABORTED", + +Correct the wrong encoding. + +Fixes: 6017608936c1 ("perf/x86/intel: Add Icelake support") +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20201125213720.15692-1-kan.liang@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/intel/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -5058,7 +5058,7 @@ __init int intel_pmu_init(void) + extra_skl_attr = skl_format_attr; + mem_attr = icl_events_attrs; + tsx_attr = icl_tsx_events_attrs; +- x86_pmu.rtm_abort_event = X86_CONFIG(.event=0xca, .umask=0x02); ++ x86_pmu.rtm_abort_event = X86_CONFIG(.event=0xc9, .umask=0x04); + x86_pmu.lbr_pt_coexist = true; + intel_pmu_pebs_data_source_skl(pmem); + pr_cont("Icelake events, "); diff --git a/queue-5.4/pm-acpi-pci-drop-acpi_pm_set_bridge_wakeup.patch b/queue-5.4/pm-acpi-pci-drop-acpi_pm_set_bridge_wakeup.patch new file mode 100644 index 00000000000..9b3fd6d81a9 --- /dev/null +++ b/queue-5.4/pm-acpi-pci-drop-acpi_pm_set_bridge_wakeup.patch @@ -0,0 +1,186 @@ +From 7482c5cb90e5a7f9e9e12dd154d405e0219656e3 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Tue, 24 Nov 2020 20:44:00 +0100 +Subject: PM: ACPI: PCI: Drop acpi_pm_set_bridge_wakeup() + +From: Rafael J. Wysocki + +commit 7482c5cb90e5a7f9e9e12dd154d405e0219656e3 upstream. + +The idea behind acpi_pm_set_bridge_wakeup() was to allow bridges to +be reference counted for wakeup enabling, because they may be enabled +to signal wakeup on behalf of their subordinate devices and that +may happen for multiple times in a row, whereas for the other devices +it only makes sense to enable wakeup signaling once. + +However, this becomes problematic if the bridge itself is suspended, +because it is treated as a "regular" device in that case and the +reference counting doesn't work. + +For instance, suppose that there are two devices below a bridge and +they both can signal wakeup. Every time one of them is suspended, +wakeup signaling is enabled for the bridge, so when they both have +been suspended, the bridge's wakeup reference counter value is 2. + +Say that the bridge is suspended subsequently and acpi_pci_wakeup() +is called for it. Because the bridge can signal wakeup, that +function will invoke acpi_pm_set_device_wakeup() to configure it +and __acpi_pm_set_device_wakeup() will be called with the last +argument equal to 1. This causes __acpi_device_wakeup_enable() +invoked by it to omit the reference counting, because the reference +counter of the target device (the bridge) is 2 at that time. + +Now say that the bridge resumes and one of the device below it +resumes too, so the bridge's reference counter becomes 0 and +wakeup signaling is disabled for it, but there is still the other +suspended device which may need the bridge to signal wakeup on its +behalf and that is not going to work. + +To address this scenario, use wakeup enable reference counting for +all devices, not just for bridges, so drop the last argument from +__acpi_device_wakeup_enable() and __acpi_pm_set_device_wakeup(), +which causes acpi_pm_set_device_wakeup() and +acpi_pm_set_bridge_wakeup() to become identical, so drop the latter +and use the former instead of it everywhere. + +Fixes: 1ba51a7c1496 ("ACPI / PCI / PM: Rework acpi_pci_propagate_wakeup()") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Mika Westerberg +Acked-by: Bjorn Helgaas +Cc: 4.14+ # 4.14+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/device_pm.c | 41 ++++++++++++----------------------------- + drivers/pci/pci-acpi.c | 4 ++-- + include/acpi/acpi_bus.h | 5 ----- + 3 files changed, 14 insertions(+), 36 deletions(-) + +--- a/drivers/acpi/device_pm.c ++++ b/drivers/acpi/device_pm.c +@@ -749,7 +749,7 @@ static void acpi_pm_notify_work_func(str + static DEFINE_MUTEX(acpi_wakeup_lock); + + static int __acpi_device_wakeup_enable(struct acpi_device *adev, +- u32 target_state, int max_count) ++ u32 target_state) + { + struct acpi_device_wakeup *wakeup = &adev->wakeup; + acpi_status status; +@@ -757,9 +757,10 @@ static int __acpi_device_wakeup_enable(s + + mutex_lock(&acpi_wakeup_lock); + +- if (wakeup->enable_count >= max_count) ++ if (wakeup->enable_count >= INT_MAX) { ++ acpi_handle_info(adev->handle, "Wakeup enable count out of bounds!\n"); + goto out; +- ++ } + if (wakeup->enable_count > 0) + goto inc; + +@@ -799,7 +800,7 @@ out: + */ + static int acpi_device_wakeup_enable(struct acpi_device *adev, u32 target_state) + { +- return __acpi_device_wakeup_enable(adev, target_state, 1); ++ return __acpi_device_wakeup_enable(adev, target_state); + } + + /** +@@ -829,8 +830,12 @@ out: + mutex_unlock(&acpi_wakeup_lock); + } + +-static int __acpi_pm_set_device_wakeup(struct device *dev, bool enable, +- int max_count) ++/** ++ * acpi_pm_set_device_wakeup - Enable/disable remote wakeup for given device. ++ * @dev: Device to enable/disable to generate wakeup events. ++ * @enable: Whether to enable or disable the wakeup functionality. ++ */ ++int acpi_pm_set_device_wakeup(struct device *dev, bool enable) + { + struct acpi_device *adev; + int error; +@@ -850,37 +855,15 @@ static int __acpi_pm_set_device_wakeup(s + return 0; + } + +- error = __acpi_device_wakeup_enable(adev, acpi_target_system_state(), +- max_count); ++ error = __acpi_device_wakeup_enable(adev, acpi_target_system_state()); + if (!error) + dev_dbg(dev, "Wakeup enabled by ACPI\n"); + + return error; + } +- +-/** +- * acpi_pm_set_device_wakeup - Enable/disable remote wakeup for given device. +- * @dev: Device to enable/disable to generate wakeup events. +- * @enable: Whether to enable or disable the wakeup functionality. +- */ +-int acpi_pm_set_device_wakeup(struct device *dev, bool enable) +-{ +- return __acpi_pm_set_device_wakeup(dev, enable, 1); +-} + EXPORT_SYMBOL_GPL(acpi_pm_set_device_wakeup); + + /** +- * acpi_pm_set_bridge_wakeup - Enable/disable remote wakeup for given bridge. +- * @dev: Bridge device to enable/disable to generate wakeup events. +- * @enable: Whether to enable or disable the wakeup functionality. +- */ +-int acpi_pm_set_bridge_wakeup(struct device *dev, bool enable) +-{ +- return __acpi_pm_set_device_wakeup(dev, enable, INT_MAX); +-} +-EXPORT_SYMBOL_GPL(acpi_pm_set_bridge_wakeup); +- +-/** + * acpi_dev_pm_low_power - Put ACPI device into a low-power state. + * @dev: Device to put into a low-power state. + * @adev: ACPI device node corresponding to @dev. +--- a/drivers/pci/pci-acpi.c ++++ b/drivers/pci/pci-acpi.c +@@ -1060,7 +1060,7 @@ static int acpi_pci_propagate_wakeup(str + { + while (bus->parent) { + if (acpi_pm_device_can_wakeup(&bus->self->dev)) +- return acpi_pm_set_bridge_wakeup(&bus->self->dev, enable); ++ return acpi_pm_set_device_wakeup(&bus->self->dev, enable); + + bus = bus->parent; + } +@@ -1068,7 +1068,7 @@ static int acpi_pci_propagate_wakeup(str + /* We have reached the root bus. */ + if (bus->bridge) { + if (acpi_pm_device_can_wakeup(bus->bridge)) +- return acpi_pm_set_bridge_wakeup(bus->bridge, enable); ++ return acpi_pm_set_device_wakeup(bus->bridge, enable); + } + return 0; + } +--- a/include/acpi/acpi_bus.h ++++ b/include/acpi/acpi_bus.h +@@ -614,7 +614,6 @@ acpi_status acpi_remove_pm_notifier(stru + bool acpi_pm_device_can_wakeup(struct device *dev); + int acpi_pm_device_sleep_state(struct device *, int *, int); + int acpi_pm_set_device_wakeup(struct device *dev, bool enable); +-int acpi_pm_set_bridge_wakeup(struct device *dev, bool enable); + #else + static inline void acpi_pm_wakeup_event(struct device *dev) + { +@@ -645,10 +644,6 @@ static inline int acpi_pm_set_device_wak + { + return -ENODEV; + } +-static inline int acpi_pm_set_bridge_wakeup(struct device *dev, bool enable) +-{ +- return -ENODEV; +-} + #endif + + #ifdef CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT diff --git a/queue-5.4/powerpc-perf-exclude-kernel-samples-while-counting-events-in-user-space.patch b/queue-5.4/powerpc-perf-exclude-kernel-samples-while-counting-events-in-user-space.patch new file mode 100644 index 00000000000..b17604f3909 --- /dev/null +++ b/queue-5.4/powerpc-perf-exclude-kernel-samples-while-counting-events-in-user-space.patch @@ -0,0 +1,46 @@ +From aa8e21c053d72b6639ea5a7f1d3a1d0209534c94 Mon Sep 17 00:00:00 2001 +From: Athira Rajeev +Date: Wed, 25 Nov 2020 02:26:55 -0500 +Subject: powerpc/perf: Exclude kernel samples while counting events in user space. + +From: Athira Rajeev + +commit aa8e21c053d72b6639ea5a7f1d3a1d0209534c94 upstream. + +Perf event attritube supports exclude_kernel flag to avoid +sampling/profiling in supervisor state (kernel). Based on this event +attr flag, Monitor Mode Control Register bit is set to freeze on +supervisor state. But sometimes (due to hardware limitation), Sampled +Instruction Address Register (SIAR) locks on to kernel address even +when freeze on supervisor is set. Patch here adds a check to drop +those samples. + +Cc: stable@vger.kernel.org +Signed-off-by: Athira Rajeev +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1606289215-1433-1-git-send-email-atrajeev@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/perf/core-book3s.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -2090,6 +2090,16 @@ static void record_and_restart(struct pe + perf_event_update_userpage(event); + + /* ++ * Due to hardware limitation, sometimes SIAR could sample a kernel ++ * address even when freeze on supervisor state (kernel) is set in ++ * MMCR2. Check attr.exclude_kernel and address to drop the sample in ++ * these cases. ++ */ ++ if (event->attr.exclude_kernel && record) ++ if (is_kernel_addr(mfspr(SPRN_SIAR))) ++ record = 0; ++ ++ /* + * Finally record data if requested. + */ + if (record) { diff --git a/queue-5.4/revert-acpi-resources-use-ae_ctrl_terminate-to-terminate-resources-walks.patch b/queue-5.4/revert-acpi-resources-use-ae_ctrl_terminate-to-terminate-resources-walks.patch new file mode 100644 index 00000000000..3b564dbb13c --- /dev/null +++ b/queue-5.4/revert-acpi-resources-use-ae_ctrl_terminate-to-terminate-resources-walks.patch @@ -0,0 +1,39 @@ +From 12fc4dad94dfac25599f31257aac181c691ca96f Mon Sep 17 00:00:00 2001 +From: Daniel Scally +Date: Sat, 5 Dec 2020 17:04:03 +0000 +Subject: Revert "ACPI / resources: Use AE_CTRL_TERMINATE to terminate resources walks" + +From: Daniel Scally + +commit 12fc4dad94dfac25599f31257aac181c691ca96f upstream. + +This reverts commit 8a66790b7850a6669129af078768a1d42076a0ef. + +Switching this function to AE_CTRL_TERMINATE broke the documented +behaviour of acpi_dev_get_resources() - AE_CTRL_TERMINATE does not, in +fact, terminate the resource walk because acpi_walk_resource_buffer() +ignores it (specifically converting it to AE_OK), referring to that +value as "an OK termination by the user function". This means that +acpi_dev_get_resources() does not abort processing when the preproc +function returns a negative value. + +Signed-off-by: Daniel Scally +Cc: 3.10+ # 3.10+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/resource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -541,7 +541,7 @@ static acpi_status acpi_dev_process_reso + ret = c->preproc(ares, c->preproc_data); + if (ret < 0) { + c->error = ret; +- return AE_CTRL_TERMINATE; ++ return AE_ABORT_METHOD; + } else if (ret > 0) { + return AE_OK; + } diff --git a/queue-5.4/s390-dasd-fix-hanging-device-offline-processing.patch b/queue-5.4/s390-dasd-fix-hanging-device-offline-processing.patch new file mode 100644 index 00000000000..bdf94d6c7bc --- /dev/null +++ b/queue-5.4/s390-dasd-fix-hanging-device-offline-processing.patch @@ -0,0 +1,58 @@ +From 658a337a606f48b7ebe451591f7681d383fa115e Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Thu, 17 Dec 2020 16:59:04 +0100 +Subject: s390/dasd: fix hanging device offline processing + +From: Stefan Haberland + +commit 658a337a606f48b7ebe451591f7681d383fa115e upstream. + +For an LCU update a read unit address configuration IO is required. +This is started using sleep_on(), which has early exit paths in case the +device is not usable for IO. For example when it is in offline processing. + +In those cases the LCU update should fail and not be retried. +Therefore lcu_update_work checks if EOPNOTSUPP is returned or not. + +Commit 41995342b40c ("s390/dasd: fix endless loop after read unit address configuration") +accidentally removed the EOPNOTSUPP return code from +read_unit_address_configuration(), which in turn might lead to an endless +loop of the LCU update in offline processing. + +Fix by returning EOPNOTSUPP again if the device is not able to perform the +request. + +Fixes: 41995342b40c ("s390/dasd: fix endless loop after read unit address configuration") +Cc: stable@vger.kernel.org #5.3 +Signed-off-by: Stefan Haberland +Reviewed-by: Jan Hoeppner +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/block/dasd_alias.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/s390/block/dasd_alias.c ++++ b/drivers/s390/block/dasd_alias.c +@@ -462,11 +462,19 @@ static int read_unit_address_configurati + spin_unlock_irqrestore(&lcu->lock, flags); + + rc = dasd_sleep_on(cqr); +- if (rc && !suborder_not_supported(cqr)) { ++ if (!rc) ++ goto out; ++ ++ if (suborder_not_supported(cqr)) { ++ /* suborder not supported or device unusable for IO */ ++ rc = -EOPNOTSUPP; ++ } else { ++ /* IO failed but should be retried */ + spin_lock_irqsave(&lcu->lock, flags); + lcu->flags |= NEED_UAC_UPDATE; + spin_unlock_irqrestore(&lcu->lock, flags); + } ++out: + dasd_sfree_request(cqr, cqr->memdev); + return rc; + } diff --git a/queue-5.4/s390-dasd-fix-list-corruption-of-lcu-list.patch b/queue-5.4/s390-dasd-fix-list-corruption-of-lcu-list.patch new file mode 100644 index 00000000000..02530318ed8 --- /dev/null +++ b/queue-5.4/s390-dasd-fix-list-corruption-of-lcu-list.patch @@ -0,0 +1,53 @@ +From 53a7f655834c7c335bf683f248208d4fbe4b47bc Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Thu, 17 Dec 2020 16:59:07 +0100 +Subject: s390/dasd: fix list corruption of lcu list + +From: Stefan Haberland + +commit 53a7f655834c7c335bf683f248208d4fbe4b47bc upstream. + +In dasd_alias_disconnect_device_from_lcu the device is removed from any +list on the LCU. Afterwards the LCU is removed from the lcu list if it +does not contain devices any longer. + +The lcu->lock protects the lcu from parallel updates. But to cancel all +workers and wait for completion the lcu->lock has to be unlocked. + +If two devices are removed in parallel and both are removed from the LCU +the first device that takes the lcu->lock again will delete the LCU because +it is already empty but the second device also tries to free the LCU which +leads to a list corruption of the lcu list. + +Fix by removing the device right before the lcu is checked without +unlocking the lcu->lock in between. + +Fixes: 8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1") +Cc: stable@vger.kernel.org +Signed-off-by: Stefan Haberland +Reviewed-by: Jan Hoeppner +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/block/dasd_alias.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/s390/block/dasd_alias.c ++++ b/drivers/s390/block/dasd_alias.c +@@ -256,7 +256,6 @@ void dasd_alias_disconnect_device_from_l + return; + device->discipline->get_uid(device, &uid); + spin_lock_irqsave(&lcu->lock, flags); +- list_del_init(&device->alias_list); + /* make sure that the workers don't use this device */ + if (device == lcu->suc_data.device) { + spin_unlock_irqrestore(&lcu->lock, flags); +@@ -283,6 +282,7 @@ void dasd_alias_disconnect_device_from_l + + spin_lock_irqsave(&aliastree.lock, flags); + spin_lock(&lcu->lock); ++ list_del_init(&device->alias_list); + if (list_empty(&lcu->grouplist) && + list_empty(&lcu->active_devices) && + list_empty(&lcu->inactive_devices)) { diff --git a/queue-5.4/s390-dasd-fix-list-corruption-of-pavgroup-group-list.patch b/queue-5.4/s390-dasd-fix-list-corruption-of-pavgroup-group-list.patch new file mode 100644 index 00000000000..5174796010a --- /dev/null +++ b/queue-5.4/s390-dasd-fix-list-corruption-of-pavgroup-group-list.patch @@ -0,0 +1,55 @@ +From 0ede91f83aa335da1c3ec68eb0f9e228f269f6d8 Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Thu, 17 Dec 2020 16:59:06 +0100 +Subject: s390/dasd: fix list corruption of pavgroup group list + +From: Stefan Haberland + +commit 0ede91f83aa335da1c3ec68eb0f9e228f269f6d8 upstream. + +dasd_alias_add_device() moves devices to the active_devices list in case +of a scheduled LCU update regardless if they have previously been in a +pavgroup or not. + +Example: device A and B are in the same pavgroup. + +Device A has already been in a pavgroup and the private->pavgroup pointer +is set and points to a valid pavgroup. While going through dasd_add_device +it is moved from the pavgroup to the active_devices list. + +In parallel device B might be removed from the same pavgroup in +remove_device_from_lcu() which in turn checks if the group is empty +and deletes it accordingly because device A has already been removed from +there. + +When now device A enters remove_device_from_lcu() it is tried to remove it +from the pavgroup again because the pavgroup pointer is still set and again +the empty group will be cleaned up which leads to a list corruption. + +Fix by setting private->pavgroup to NULL in dasd_add_device. + +If the device has been the last device on the pavgroup an empty pavgroup +remains but this will be cleaned up by the scheduled lcu_update which +iterates over all existing pavgroups. + +Fixes: 8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1") +Cc: stable@vger.kernel.org +Signed-off-by: Stefan Haberland +Reviewed-by: Jan Hoeppner +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/block/dasd_alias.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/s390/block/dasd_alias.c ++++ b/drivers/s390/block/dasd_alias.c +@@ -642,6 +642,7 @@ int dasd_alias_add_device(struct dasd_de + } + if (lcu->flags & UPDATE_PENDING) { + list_move(&device->alias_list, &lcu->active_devices); ++ private->pavgroup = NULL; + _schedule_lcu_update(lcu, device); + } + spin_unlock_irqrestore(&lcu->lock, flags); diff --git a/queue-5.4/s390-dasd-prevent-inconsistent-lcu-device-data.patch b/queue-5.4/s390-dasd-prevent-inconsistent-lcu-device-data.patch new file mode 100644 index 00000000000..74a15a2fc1f --- /dev/null +++ b/queue-5.4/s390-dasd-prevent-inconsistent-lcu-device-data.patch @@ -0,0 +1,52 @@ +From a29ea01653493b94ea12bb2b89d1564a265081b6 Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Thu, 17 Dec 2020 16:59:05 +0100 +Subject: s390/dasd: prevent inconsistent LCU device data + +From: Stefan Haberland + +commit a29ea01653493b94ea12bb2b89d1564a265081b6 upstream. + +Prevent _lcu_update from adding a device to a pavgroup if the LCU still +requires an update. The data is not reliable any longer and in parallel +devices might have been moved on the lists already. +This might lead to list corruptions or invalid PAV grouping. +Only add devices to a pavgroup if the LCU is up to date. Additional steps +are taken by the scheduled lcu update. + +Fixes: 8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1") +Cc: stable@vger.kernel.org +Signed-off-by: Stefan Haberland +Reviewed-by: Jan Hoeppner +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/block/dasd_alias.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/s390/block/dasd_alias.c ++++ b/drivers/s390/block/dasd_alias.c +@@ -511,6 +511,14 @@ static int _lcu_update(struct dasd_devic + return rc; + + spin_lock_irqsave(&lcu->lock, flags); ++ /* ++ * there is another update needed skip the remaining handling ++ * the data might already be outdated ++ * but especially do not add the device to an LCU with pending ++ * update ++ */ ++ if (lcu->flags & NEED_UAC_UPDATE) ++ goto out; + lcu->pav = NO_PAV; + for (i = 0; i < MAX_DEVICES_PER_LCU; ++i) { + switch (lcu->uac->unit[i].ua_type) { +@@ -529,6 +537,7 @@ static int _lcu_update(struct dasd_devic + alias_list) { + _add_device_to_lcu(lcu, device, refdev); + } ++out: + spin_unlock_irqrestore(&lcu->lock, flags); + return 0; + } diff --git a/queue-5.4/s390-kexec_file-fix-diag308-subcode-when-loading-crash-kernel.patch b/queue-5.4/s390-kexec_file-fix-diag308-subcode-when-loading-crash-kernel.patch new file mode 100644 index 00000000000..5cdf56108ed --- /dev/null +++ b/queue-5.4/s390-kexec_file-fix-diag308-subcode-when-loading-crash-kernel.patch @@ -0,0 +1,65 @@ +From 613775d62ec60202f98d2c5f520e6e9ba6dd4ac4 Mon Sep 17 00:00:00 2001 +From: Philipp Rudo +Date: Thu, 26 Nov 2020 18:31:08 +0100 +Subject: s390/kexec_file: fix diag308 subcode when loading crash kernel + +From: Philipp Rudo + +commit 613775d62ec60202f98d2c5f520e6e9ba6dd4ac4 upstream. + +diag308 subcode 0 performes a clear reset which inlcudes the reset of +all registers in the system. While this is the preferred behavior when +loading a normal kernel via kexec it prevents the crash kernel to store +the register values in the dump. To prevent this use subcode 1 when +loading a crash kernel instead. + +Fixes: ee337f5469fd ("s390/kexec_file: Add crash support to image loader") +Cc: # 4.17 +Signed-off-by: Philipp Rudo +Reported-by: Xiaoying Yan +Tested-by: Lianbo Jiang +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/purgatory/head.S | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/arch/s390/purgatory/head.S ++++ b/arch/s390/purgatory/head.S +@@ -62,14 +62,15 @@ + jh 10b + .endm + +-.macro START_NEXT_KERNEL base ++.macro START_NEXT_KERNEL base subcode + lg %r4,kernel_entry-\base(%r13) + lg %r5,load_psw_mask-\base(%r13) + ogr %r4,%r5 + stg %r4,0(%r0) + + xgr %r0,%r0 +- diag %r0,%r0,0x308 ++ lghi %r1,\subcode ++ diag %r0,%r1,0x308 + .endm + + .text +@@ -123,7 +124,7 @@ ENTRY(purgatory_start) + je .start_crash_kernel + + /* start normal kernel */ +- START_NEXT_KERNEL .base_crash ++ START_NEXT_KERNEL .base_crash 0 + + .return_old_kernel: + lmg %r6,%r15,gprregs-.base_crash(%r13) +@@ -227,7 +228,7 @@ ENTRY(purgatory_start) + MEMCPY %r9,%r10,%r11 + + /* start crash kernel */ +- START_NEXT_KERNEL .base_dst ++ START_NEXT_KERNEL .base_dst 1 + + + load_psw_mask: diff --git a/queue-5.4/s390-smp-perform-initial-cpu-reset-also-for-smt-siblings.patch b/queue-5.4/s390-smp-perform-initial-cpu-reset-also-for-smt-siblings.patch new file mode 100644 index 00000000000..1d7178e6e90 --- /dev/null +++ b/queue-5.4/s390-smp-perform-initial-cpu-reset-also-for-smt-siblings.patch @@ -0,0 +1,55 @@ +From b5e438ebd7e808d1d2435159ac4742e01a94b8da Mon Sep 17 00:00:00 2001 +From: Sven Schnelle +Date: Tue, 8 Dec 2020 07:35:21 +0100 +Subject: s390/smp: perform initial CPU reset also for SMT siblings + +From: Sven Schnelle + +commit b5e438ebd7e808d1d2435159ac4742e01a94b8da upstream. + +Not resetting the SMT siblings might leave them in unpredictable +state. One of the observed problems was that the CPU timer wasn't +reset and therefore large system time values where accounted during +CPU bringup. + +Cc: # 4.0 +Fixes: 10ad34bc76dfb ("s390: add SMT support") +Reviewed-by: Heiko Carstens +Signed-off-by: Sven Schnelle +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/smp.c | 18 +++--------------- + 1 file changed, 3 insertions(+), 15 deletions(-) + +--- a/arch/s390/kernel/smp.c ++++ b/arch/s390/kernel/smp.c +@@ -885,24 +885,12 @@ static void __no_sanitize_address smp_st + /* Upping and downing of CPUs */ + int __cpu_up(unsigned int cpu, struct task_struct *tidle) + { +- struct pcpu *pcpu; +- int base, i, rc; ++ struct pcpu *pcpu = pcpu_devices + cpu; ++ int rc; + +- pcpu = pcpu_devices + cpu; + if (pcpu->state != CPU_STATE_CONFIGURED) + return -EIO; +- base = smp_get_base_cpu(cpu); +- for (i = 0; i <= smp_cpu_mtid; i++) { +- if (base + i < nr_cpu_ids) +- if (cpu_online(base + i)) +- break; +- } +- /* +- * If this is the first CPU of the core to get online +- * do an initial CPU reset. +- */ +- if (i > smp_cpu_mtid && +- pcpu_sigp_retry(pcpu_devices + base, SIGP_INITIAL_CPU_RESET, 0) != ++ if (pcpu_sigp_retry(pcpu, SIGP_INITIAL_CPU_RESET, 0) != + SIGP_CC_ORDER_CODE_ACCEPTED) + return -EIO; + diff --git a/queue-5.4/series b/queue-5.4/series index 4bb3aedc591..f63af1040f6 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -318,3 +318,55 @@ drm-amdkfd-fix-leak-in-dmabuf-import.patch input-cros_ec_keyb-send-scancodes-in-addition-to-key.patch initramfs-fix-clang-build-failure.patch input-goodix-add-upside-down-quirk-for-teclast-x98-p.patch +vfio-pci-nvlink2-do-not-attempt-npu2-setup-on-power8nvl-npu.patch +media-gspca-fix-memory-leak-in-probe.patch +media-sunxi-cir-ensure-ir-is-handled-when-it-is-continuous.patch +media-netup_unidvb-don-t-leak-spi-master-in-probe-error-path.patch +media-ipu3-cio2-remove-traces-of-returned-buffers.patch +media-ipu3-cio2-return-actual-subdev-format.patch +media-ipu3-cio2-serialise-access-to-pad-format.patch +media-ipu3-cio2-validate-mbus-format-in-setting-subdev-format.patch +media-ipu3-cio2-make-the-field-on-subdev-format-v4l2_field_none.patch +input-cyapa_gen6-fix-out-of-bounds-stack-access.patch +alsa-hda-ca0132-change-input-source-enum-strings.patch +pm-acpi-pci-drop-acpi_pm_set_bridge_wakeup.patch +revert-acpi-resources-use-ae_ctrl_terminate-to-terminate-resources-walks.patch +acpi-pnp-compare-the-string-length-in-the-matching_id.patch +alsa-hda-fix-regressions-on-clear-and-reconfig-sysfs.patch +alsa-hda-ca0132-fix-ae-5-rear-headphone-pincfg.patch +alsa-hda-realtek-make-bass-spk-volume-adjustable-on-a-yoga-laptop.patch +alsa-hda-realtek-enable-headset-mic-of-asus-x430un-with-alc256.patch +alsa-hda-realtek-enable-headset-mic-of-asus-q524uqk-with-alc255.patch +alsa-hda-realtek-add-supported-for-more-lenovo-alc285-headset-button.patch +alsa-pcm-oss-fix-a-few-more-ubsan-fixes.patch +alsa-hda-apply-jack-fixup-for-the-acer-veriton-n4640g-n6640g-n2510g.patch +alsa-hda-realtek-add-quirk-for-msi-gp73.patch +alsa-hda-realtek-apply-jack-fixup-for-quanta-nl3.patch +alsa-usb-audio-add-vid-to-support-native-dsd-reproduction-on-fiio-devices.patch +alsa-usb-audio-disable-sample-read-check-if-firmware-doesn-t-give-back.patch +alsa-core-memalloc-add-page-alignment-for-iram.patch +s390-smp-perform-initial-cpu-reset-also-for-smt-siblings.patch +s390-kexec_file-fix-diag308-subcode-when-loading-crash-kernel.patch +s390-dasd-fix-hanging-device-offline-processing.patch +s390-dasd-prevent-inconsistent-lcu-device-data.patch +s390-dasd-fix-list-corruption-of-pavgroup-group-list.patch +s390-dasd-fix-list-corruption-of-lcu-list.patch +binder-add-flag-to-clear-buffer-on-txn-complete.patch +asoc-cx2072x-fix-doubly-definitions-of-playback-and-capture-streams.patch +staging-comedi-mf6x4-fix-ai-end-of-conversion-detection.patch +perf-x86-intel-add-event-constraint-for-cycle_activity.stalls_mem_any.patch +perf-x86-intel-fix-rtm_abort_event-encoding-on-ice-lake.patch +powerpc-perf-exclude-kernel-samples-while-counting-events-in-user-space.patch +crypto-ecdh-avoid-unaligned-accesses-in-ecdh_set_secret.patch +crypto-arm-aes-ce-work-around-cortex-a57-a72-silion-errata.patch +edac-i10nm-use-readl-to-access-mmio-registers.patch +edac-amd64-fix-pci-component-registration.patch +cpuset-fix-race-between-hotplug-work-and-later-cpu-offline.patch +usb-serial-mos7720-fix-parallel-port-state-restore.patch +usb-serial-digi_acceleport-fix-write-wakeup-deadlocks.patch +usb-serial-keyspan_pda-fix-dropped-unthrottle-interrupts.patch +usb-serial-keyspan_pda-fix-write-deadlock.patch +usb-serial-keyspan_pda-fix-stalled-writes.patch +usb-serial-keyspan_pda-fix-write-wakeup-use-after-free.patch +usb-serial-keyspan_pda-fix-tx-unthrottle-use-after-free.patch +usb-serial-keyspan_pda-fix-write-unthrottling.patch diff --git a/queue-5.4/staging-comedi-mf6x4-fix-ai-end-of-conversion-detection.patch b/queue-5.4/staging-comedi-mf6x4-fix-ai-end-of-conversion-detection.patch new file mode 100644 index 00000000000..28b627a4ae7 --- /dev/null +++ b/queue-5.4/staging-comedi-mf6x4-fix-ai-end-of-conversion-detection.patch @@ -0,0 +1,50 @@ +From 56c90457ebfe9422496aac6ef3d3f0f0ea8b2ec2 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 7 Dec 2020 14:58:06 +0000 +Subject: staging: comedi: mf6x4: Fix AI end-of-conversion detection + +From: Ian Abbott + +commit 56c90457ebfe9422496aac6ef3d3f0f0ea8b2ec2 upstream. + +I have had reports from two different people that attempts to read the +analog input channels of the MF624 board fail with an `ETIMEDOUT` error. + +After triggering the conversion, the code calls `comedi_timeout()` with +`mf6x4_ai_eoc()` as the callback function to check if the conversion is +complete. The callback returns 0 if complete or `-EBUSY` if not yet +complete. `comedi_timeout()` returns `-ETIMEDOUT` if it has not +completed within a timeout period which is propagated as an error to the +user application. + +The existing code considers the conversion to be complete when the EOLC +bit is high. However, according to the user manuals for the MF624 and +MF634 boards, this test is incorrect because EOLC is an active low +signal that goes high when the conversion is triggered, and goes low +when the conversion is complete. Fix the problem by inverting the test +of the EOLC bit state. + +Fixes: 04b565021a83 ("comedi: Humusoft MF634 and MF624 DAQ cards driver") +Cc: # v4.4+ +Cc: Rostislav Lisovy +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20201207145806.4046-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/mf6x4.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/staging/comedi/drivers/mf6x4.c ++++ b/drivers/staging/comedi/drivers/mf6x4.c +@@ -112,8 +112,9 @@ static int mf6x4_ai_eoc(struct comedi_de + struct mf6x4_private *devpriv = dev->private; + unsigned int status; + ++ /* EOLC goes low at end of conversion. */ + status = ioread32(devpriv->gpioc_reg); +- if (status & MF6X4_GPIOC_EOLC) ++ if ((status & MF6X4_GPIOC_EOLC) == 0) + return 0; + return -EBUSY; + } diff --git a/queue-5.4/usb-serial-digi_acceleport-fix-write-wakeup-deadlocks.patch b/queue-5.4/usb-serial-digi_acceleport-fix-write-wakeup-deadlocks.patch new file mode 100644 index 00000000000..b6371419772 --- /dev/null +++ b/queue-5.4/usb-serial-digi_acceleport-fix-write-wakeup-deadlocks.patch @@ -0,0 +1,156 @@ +From 5098e77962e7c8947f87bd8c5869c83e000a522a Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 26 Oct 2020 11:43:06 +0100 +Subject: USB: serial: digi_acceleport: fix write-wakeup deadlocks + +From: Johan Hovold + +commit 5098e77962e7c8947f87bd8c5869c83e000a522a upstream. + +The driver must not call tty_wakeup() while holding its private lock as +line disciplines are allowed to call back into write() from +write_wakeup(), leading to a deadlock. + +Also remove the unneeded work struct that was used to defer wakeup in +order to work around a possible race in ancient times (see comment about +n_tty write_chan() in commit 14b54e39b412 ("USB: serial: remove +changelogs and old todo entries")). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/digi_acceleport.c | 45 ++++++++++------------------------- + 1 file changed, 13 insertions(+), 32 deletions(-) + +--- a/drivers/usb/serial/digi_acceleport.c ++++ b/drivers/usb/serial/digi_acceleport.c +@@ -19,7 +19,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -198,14 +197,12 @@ struct digi_port { + int dp_throttle_restart; + wait_queue_head_t dp_flush_wait; + wait_queue_head_t dp_close_wait; /* wait queue for close */ +- struct work_struct dp_wakeup_work; + struct usb_serial_port *dp_port; + }; + + + /* Local Function Declarations */ + +-static void digi_wakeup_write_lock(struct work_struct *work); + static int digi_write_oob_command(struct usb_serial_port *port, + unsigned char *buf, int count, int interruptible); + static int digi_write_inb_command(struct usb_serial_port *port, +@@ -356,26 +353,6 @@ __releases(lock) + return timeout; + } + +- +-/* +- * Digi Wakeup Write +- * +- * Wake up port, line discipline, and tty processes sleeping +- * on writes. +- */ +- +-static void digi_wakeup_write_lock(struct work_struct *work) +-{ +- struct digi_port *priv = +- container_of(work, struct digi_port, dp_wakeup_work); +- struct usb_serial_port *port = priv->dp_port; +- unsigned long flags; +- +- spin_lock_irqsave(&priv->dp_port_lock, flags); +- tty_port_tty_wakeup(&port->port); +- spin_unlock_irqrestore(&priv->dp_port_lock, flags); +-} +- + /* + * Digi Write OOB Command + * +@@ -986,6 +963,7 @@ static void digi_write_bulk_callback(str + unsigned long flags; + int ret = 0; + int status = urb->status; ++ bool wakeup; + + /* port and serial sanity check */ + if (port == NULL || (priv = usb_get_serial_port_data(port)) == NULL) { +@@ -1012,6 +990,7 @@ static void digi_write_bulk_callback(str + } + + /* try to send any buffered data on this port */ ++ wakeup = true; + spin_lock_irqsave(&priv->dp_port_lock, flags); + priv->dp_write_urb_in_use = 0; + if (priv->dp_out_buf_len > 0) { +@@ -1027,19 +1006,18 @@ static void digi_write_bulk_callback(str + if (ret == 0) { + priv->dp_write_urb_in_use = 1; + priv->dp_out_buf_len = 0; ++ wakeup = false; + } + } +- /* wake up processes sleeping on writes immediately */ +- tty_port_tty_wakeup(&port->port); +- /* also queue up a wakeup at scheduler time, in case we */ +- /* lost the race in write_chan(). */ +- schedule_work(&priv->dp_wakeup_work); +- + spin_unlock_irqrestore(&priv->dp_port_lock, flags); ++ + if (ret && ret != -EPERM) + dev_err_console(port, + "%s: usb_submit_urb failed, ret=%d, port=%d\n", + __func__, ret, priv->dp_port_num); ++ ++ if (wakeup) ++ tty_port_tty_wakeup(&port->port); + } + + static int digi_write_room(struct tty_struct *tty) +@@ -1239,7 +1217,6 @@ static int digi_port_init(struct usb_ser + init_waitqueue_head(&priv->dp_transmit_idle_wait); + init_waitqueue_head(&priv->dp_flush_wait); + init_waitqueue_head(&priv->dp_close_wait); +- INIT_WORK(&priv->dp_wakeup_work, digi_wakeup_write_lock); + priv->dp_port = port; + + init_waitqueue_head(&port->write_wait); +@@ -1508,13 +1485,14 @@ static int digi_read_oob_callback(struct + rts = C_CRTSCTS(tty); + + if (tty && opcode == DIGI_CMD_READ_INPUT_SIGNALS) { ++ bool wakeup = false; ++ + spin_lock_irqsave(&priv->dp_port_lock, flags); + /* convert from digi flags to termiox flags */ + if (val & DIGI_READ_INPUT_SIGNALS_CTS) { + priv->dp_modem_signals |= TIOCM_CTS; +- /* port must be open to use tty struct */ + if (rts) +- tty_port_tty_wakeup(&port->port); ++ wakeup = true; + } else { + priv->dp_modem_signals &= ~TIOCM_CTS; + /* port must be open to use tty struct */ +@@ -1533,6 +1511,9 @@ static int digi_read_oob_callback(struct + priv->dp_modem_signals &= ~TIOCM_CD; + + spin_unlock_irqrestore(&priv->dp_port_lock, flags); ++ ++ if (wakeup) ++ tty_port_tty_wakeup(&port->port); + } else if (opcode == DIGI_CMD_TRANSMIT_IDLE) { + spin_lock_irqsave(&priv->dp_port_lock, flags); + priv->dp_transmit_idle = 1; diff --git a/queue-5.4/usb-serial-keyspan_pda-fix-dropped-unthrottle-interrupts.patch b/queue-5.4/usb-serial-keyspan_pda-fix-dropped-unthrottle-interrupts.patch new file mode 100644 index 00000000000..f6ab1c5efe7 --- /dev/null +++ b/queue-5.4/usb-serial-keyspan_pda-fix-dropped-unthrottle-interrupts.patch @@ -0,0 +1,45 @@ +From 696c541c8c6cfa05d65aa24ae2b9e720fc01766e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Sun, 25 Oct 2020 18:45:47 +0100 +Subject: USB: serial: keyspan_pda: fix dropped unthrottle interrupts + +From: Johan Hovold + +commit 696c541c8c6cfa05d65aa24ae2b9e720fc01766e upstream. + +Commit c528fcb116e6 ("USB: serial: keyspan_pda: fix receive sanity +checks") broke write-unthrottle handling by dropping well-formed +unthrottle-interrupt packets which are precisely two bytes long. This +could lead to blocked writers not being woken up when buffer space again +becomes available. + +Instead, stop unconditionally printing the third byte which is +(presumably) only valid on modem-line changes. + +Fixes: c528fcb116e6 ("USB: serial: keyspan_pda: fix receive sanity checks") +Cc: stable # 4.11 +Acked-by: Sebastian Andrzej Siewior +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/keyspan_pda.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/keyspan_pda.c ++++ b/drivers/usb/serial/keyspan_pda.c +@@ -172,11 +172,11 @@ static void keyspan_pda_rx_interrupt(str + break; + case 1: + /* status interrupt */ +- if (len < 3) { ++ if (len < 2) { + dev_warn(&port->dev, "short interrupt message received\n"); + break; + } +- dev_dbg(&port->dev, "rx int, d1=%d, d2=%d\n", data[1], data[2]); ++ dev_dbg(&port->dev, "rx int, d1=%d\n", data[1]); + switch (data[1]) { + case 1: /* modemline change */ + break; diff --git a/queue-5.4/usb-serial-keyspan_pda-fix-stalled-writes.patch b/queue-5.4/usb-serial-keyspan_pda-fix-stalled-writes.patch new file mode 100644 index 00000000000..d7a9eb0d893 --- /dev/null +++ b/queue-5.4/usb-serial-keyspan_pda-fix-stalled-writes.patch @@ -0,0 +1,35 @@ +From c01d2c58698f710c9e13ba3e2d296328606f74fd Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Sun, 25 Oct 2020 18:45:49 +0100 +Subject: USB: serial: keyspan_pda: fix stalled writes + +From: Johan Hovold + +commit c01d2c58698f710c9e13ba3e2d296328606f74fd upstream. + +Make sure to clear the write-busy flag also in case no new data was +submitted due to lack of device buffer space so that writing is +resumed once space again becomes available. + +Fixes: 507ca9bc0476 ("[PATCH] USB: add ability for usb-serial drivers to determine if their write urb is currently being used.") +Cc: stable # 2.6.13 +Acked-by: Sebastian Andrzej Siewior +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/keyspan_pda.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/serial/keyspan_pda.c ++++ b/drivers/usb/serial/keyspan_pda.c +@@ -548,7 +548,7 @@ static int keyspan_pda_write(struct tty_ + + rc = count; + exit: +- if (rc < 0) ++ if (rc <= 0) + set_bit(0, &port->write_urbs_free); + return rc; + } diff --git a/queue-5.4/usb-serial-keyspan_pda-fix-tx-unthrottle-use-after-free.patch b/queue-5.4/usb-serial-keyspan_pda-fix-tx-unthrottle-use-after-free.patch new file mode 100644 index 00000000000..d4f76da7823 --- /dev/null +++ b/queue-5.4/usb-serial-keyspan_pda-fix-tx-unthrottle-use-after-free.patch @@ -0,0 +1,41 @@ +From 49fbb8e37a961396a5b6c82937c70df91de45e9d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Sun, 25 Oct 2020 18:45:51 +0100 +Subject: USB: serial: keyspan_pda: fix tx-unthrottle use-after-free + +From: Johan Hovold + +commit 49fbb8e37a961396a5b6c82937c70df91de45e9d upstream. + +The driver's transmit-unthrottle work was never flushed on disconnect, +something which could lead to the driver port data being freed while the +unthrottle work is still scheduled. + +Fix this by cancelling the unthrottle work when shutting down the port. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Acked-by: Sebastian Andrzej Siewior +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/keyspan_pda.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/serial/keyspan_pda.c ++++ b/drivers/usb/serial/keyspan_pda.c +@@ -647,8 +647,12 @@ error: + } + static void keyspan_pda_close(struct usb_serial_port *port) + { ++ struct keyspan_pda_private *priv = usb_get_serial_port_data(port); ++ + usb_kill_urb(port->write_urb); + usb_kill_urb(port->interrupt_in_urb); ++ ++ cancel_work_sync(&priv->unthrottle_work); + } + + diff --git a/queue-5.4/usb-serial-keyspan_pda-fix-write-deadlock.patch b/queue-5.4/usb-serial-keyspan_pda-fix-write-deadlock.patch new file mode 100644 index 00000000000..585eda78746 --- /dev/null +++ b/queue-5.4/usb-serial-keyspan_pda-fix-write-deadlock.patch @@ -0,0 +1,52 @@ +From 7353cad7ee4deaefc16e94727e69285563e219f6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Sun, 25 Oct 2020 18:45:48 +0100 +Subject: USB: serial: keyspan_pda: fix write deadlock + +From: Johan Hovold + +commit 7353cad7ee4deaefc16e94727e69285563e219f6 upstream. + +The write() callback can be called in interrupt context (e.g. when used +as a console) so interrupts must be disabled while holding the port lock +to prevent a possible deadlock. + +Fixes: e81ee637e4ae ("usb-serial: possible irq lock inversion (PPP vs. usb/serial)") +Fixes: 507ca9bc0476 ("[PATCH] USB: add ability for usb-serial drivers to determine if their write urb is currently being used.") +Cc: stable # 2.6.19 +Acked-by: Sebastian Andrzej Siewior +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/keyspan_pda.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/serial/keyspan_pda.c ++++ b/drivers/usb/serial/keyspan_pda.c +@@ -443,6 +443,7 @@ static int keyspan_pda_write(struct tty_ + int request_unthrottle = 0; + int rc = 0; + struct keyspan_pda_private *priv; ++ unsigned long flags; + + priv = usb_get_serial_port_data(port); + /* guess how much room is left in the device's ring buffer, and if we +@@ -462,13 +463,13 @@ static int keyspan_pda_write(struct tty_ + the TX urb is in-flight (wait until it completes) + the device is full (wait until it says there is room) + */ +- spin_lock_bh(&port->lock); ++ spin_lock_irqsave(&port->lock, flags); + if (!test_bit(0, &port->write_urbs_free) || priv->tx_throttled) { +- spin_unlock_bh(&port->lock); ++ spin_unlock_irqrestore(&port->lock, flags); + return 0; + } + clear_bit(0, &port->write_urbs_free); +- spin_unlock_bh(&port->lock); ++ spin_unlock_irqrestore(&port->lock, flags); + + /* At this point the URB is in our control, nobody else can submit it + again (the only sudden transition was the one from EINPROGRESS to diff --git a/queue-5.4/usb-serial-keyspan_pda-fix-write-unthrottling.patch b/queue-5.4/usb-serial-keyspan_pda-fix-write-unthrottling.patch new file mode 100644 index 00000000000..d15c0320441 --- /dev/null +++ b/queue-5.4/usb-serial-keyspan_pda-fix-write-unthrottling.patch @@ -0,0 +1,104 @@ +From 320f9028c7873c3c7710e8e93e5c979f4c857490 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Sun, 25 Oct 2020 18:45:52 +0100 +Subject: USB: serial: keyspan_pda: fix write unthrottling + +From: Johan Hovold + +commit 320f9028c7873c3c7710e8e93e5c979f4c857490 upstream. + +The driver did not update its view of the available device buffer space +until write() was called in task context. This meant that write_room() +would return 0 even after the device had sent a write-unthrottle +notification, something which could lead to blocked writers not being +woken up (e.g. when using OPOST). + +Note that we must also request an unthrottle notification is case a +write() request fills the device buffer exactly. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable +Acked-by: Sebastian Andrzej Siewior +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/keyspan_pda.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +--- a/drivers/usb/serial/keyspan_pda.c ++++ b/drivers/usb/serial/keyspan_pda.c +@@ -40,6 +40,8 @@ + #define DRIVER_AUTHOR "Brian Warner " + #define DRIVER_DESC "USB Keyspan PDA Converter driver" + ++#define KEYSPAN_TX_THRESHOLD 16 ++ + struct keyspan_pda_private { + int tx_room; + int tx_throttled; +@@ -110,7 +112,7 @@ static void keyspan_pda_request_unthrott + 7, /* request_unthrottle */ + USB_TYPE_VENDOR | USB_RECIP_INTERFACE + | USB_DIR_OUT, +- 16, /* value: threshold */ ++ KEYSPAN_TX_THRESHOLD, + 0, /* index */ + NULL, + 0, +@@ -129,6 +131,8 @@ static void keyspan_pda_rx_interrupt(str + int retval; + int status = urb->status; + struct keyspan_pda_private *priv; ++ unsigned long flags; ++ + priv = usb_get_serial_port_data(port); + + switch (status) { +@@ -171,7 +175,10 @@ static void keyspan_pda_rx_interrupt(str + case 1: /* modemline change */ + break; + case 2: /* tx unthrottle interrupt */ ++ spin_lock_irqsave(&port->lock, flags); + priv->tx_throttled = 0; ++ priv->tx_room = max(priv->tx_room, KEYSPAN_TX_THRESHOLD); ++ spin_unlock_irqrestore(&port->lock, flags); + /* queue up a wakeup at scheduler time */ + usb_serial_port_softint(port); + break; +@@ -505,7 +512,8 @@ static int keyspan_pda_write(struct tty_ + goto exit; + } + } +- if (count > priv->tx_room) { ++ ++ if (count >= priv->tx_room) { + /* we're about to completely fill the Tx buffer, so + we'll be throttled afterwards. */ + count = priv->tx_room; +@@ -560,14 +568,17 @@ static void keyspan_pda_write_bulk_callb + static int keyspan_pda_write_room(struct tty_struct *tty) + { + struct usb_serial_port *port = tty->driver_data; +- struct keyspan_pda_private *priv; +- priv = usb_get_serial_port_data(port); +- /* used by n_tty.c for processing of tabs and such. Giving it our +- conservative guess is probably good enough, but needs testing by +- running a console through the device. */ +- return priv->tx_room; +-} ++ struct keyspan_pda_private *priv = usb_get_serial_port_data(port); ++ unsigned long flags; ++ int room = 0; ++ ++ spin_lock_irqsave(&port->lock, flags); ++ if (test_bit(0, &port->write_urbs_free) && !priv->tx_throttled) ++ room = priv->tx_room; ++ spin_unlock_irqrestore(&port->lock, flags); + ++ return room; ++} + + static int keyspan_pda_chars_in_buffer(struct tty_struct *tty) + { diff --git a/queue-5.4/usb-serial-keyspan_pda-fix-write-wakeup-use-after-free.patch b/queue-5.4/usb-serial-keyspan_pda-fix-write-wakeup-use-after-free.patch new file mode 100644 index 00000000000..7d714ad4164 --- /dev/null +++ b/queue-5.4/usb-serial-keyspan_pda-fix-write-wakeup-use-after-free.patch @@ -0,0 +1,81 @@ +From 37faf50615412947868c49aee62f68233307f4e4 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Sun, 25 Oct 2020 18:45:50 +0100 +Subject: USB: serial: keyspan_pda: fix write-wakeup use-after-free + +From: Johan Hovold + +commit 37faf50615412947868c49aee62f68233307f4e4 upstream. + +The driver's deferred write wakeup was never flushed on disconnect, +something which could lead to the driver port data being freed while the +wakeup work is still scheduled. + +Fix this by using the usb-serial write wakeup which gets cancelled +properly on disconnect. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Acked-by: Sebastian Andrzej Siewior +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/keyspan_pda.c | 17 +++-------------- + 1 file changed, 3 insertions(+), 14 deletions(-) + +--- a/drivers/usb/serial/keyspan_pda.c ++++ b/drivers/usb/serial/keyspan_pda.c +@@ -43,8 +43,7 @@ + struct keyspan_pda_private { + int tx_room; + int tx_throttled; +- struct work_struct wakeup_work; +- struct work_struct unthrottle_work; ++ struct work_struct unthrottle_work; + struct usb_serial *serial; + struct usb_serial_port *port; + }; +@@ -97,15 +96,6 @@ static const struct usb_device_id id_tab + }; + #endif + +-static void keyspan_pda_wakeup_write(struct work_struct *work) +-{ +- struct keyspan_pda_private *priv = +- container_of(work, struct keyspan_pda_private, wakeup_work); +- struct usb_serial_port *port = priv->port; +- +- tty_port_tty_wakeup(&port->port); +-} +- + static void keyspan_pda_request_unthrottle(struct work_struct *work) + { + struct keyspan_pda_private *priv = +@@ -183,7 +173,7 @@ static void keyspan_pda_rx_interrupt(str + case 2: /* tx unthrottle interrupt */ + priv->tx_throttled = 0; + /* queue up a wakeup at scheduler time */ +- schedule_work(&priv->wakeup_work); ++ usb_serial_port_softint(port); + break; + default: + break; +@@ -563,7 +553,7 @@ static void keyspan_pda_write_bulk_callb + priv = usb_get_serial_port_data(port); + + /* queue up a wakeup at scheduler time */ +- schedule_work(&priv->wakeup_work); ++ usb_serial_port_softint(port); + } + + +@@ -716,7 +706,6 @@ static int keyspan_pda_port_probe(struct + if (!priv) + return -ENOMEM; + +- INIT_WORK(&priv->wakeup_work, keyspan_pda_wakeup_write); + INIT_WORK(&priv->unthrottle_work, keyspan_pda_request_unthrottle); + priv->serial = port->serial; + priv->port = port; diff --git a/queue-5.4/usb-serial-mos7720-fix-parallel-port-state-restore.patch b/queue-5.4/usb-serial-mos7720-fix-parallel-port-state-restore.patch new file mode 100644 index 00000000000..cef9d436447 --- /dev/null +++ b/queue-5.4/usb-serial-mos7720-fix-parallel-port-state-restore.patch @@ -0,0 +1,34 @@ +From 975323ab8f116667676c30ca3502a6757bd89e8d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 4 Nov 2020 17:47:27 +0100 +Subject: USB: serial: mos7720: fix parallel-port state restore + +From: Johan Hovold + +commit 975323ab8f116667676c30ca3502a6757bd89e8d upstream. + +The parallel-port restore operations is called when a driver claims the +port and is supposed to restore the provided state (e.g. saved when +releasing the port). + +Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715") +Cc: stable # 2.6.35 +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/mos7720.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/mos7720.c ++++ b/drivers/usb/serial/mos7720.c +@@ -638,6 +638,8 @@ static void parport_mos7715_restore_stat + spin_unlock(&release_lock); + return; + } ++ mos_parport->shadowDCR = s->u.pc.ctr; ++ mos_parport->shadowECR = s->u.pc.ecr; + write_parport_reg_nonblock(mos_parport, MOS7720_DCR, + mos_parport->shadowDCR); + write_parport_reg_nonblock(mos_parport, MOS7720_ECR, diff --git a/queue-5.4/vfio-pci-nvlink2-do-not-attempt-npu2-setup-on-power8nvl-npu.patch b/queue-5.4/vfio-pci-nvlink2-do-not-attempt-npu2-setup-on-power8nvl-npu.patch new file mode 100644 index 00000000000..d2f21a5b7ec --- /dev/null +++ b/queue-5.4/vfio-pci-nvlink2-do-not-attempt-npu2-setup-on-power8nvl-npu.patch @@ -0,0 +1,65 @@ +From d22f9a6c92de96304c81792942ae7c306f08ac77 Mon Sep 17 00:00:00 2001 +From: Alexey Kardashevskiy +Date: Sun, 22 Nov 2020 18:39:50 +1100 +Subject: vfio/pci/nvlink2: Do not attempt NPU2 setup on POWER8NVL NPU + +From: Alexey Kardashevskiy + +commit d22f9a6c92de96304c81792942ae7c306f08ac77 upstream. + +We execute certain NPU2 setup code (such as mapping an LPID to a device +in NPU2) unconditionally if an Nvlink bridge is detected. However this +cannot succeed on POWER8NVL machines as the init helpers return an error +other than ENODEV which means the device is there is and setup failed so +vfio_pci_enable() fails and pass through is not possible. + +This changes the two NPU2 related init helpers to return -ENODEV if +there is no "memory-region" device tree property as this is +the distinction between NPU and NPU2. + +Tested on +- POWER9 pvr=004e1201, Ubuntu 19.04 host, Ubuntu 18.04 vm, + NVIDIA GV100 10de:1db1 driver 418.39 +- POWER8 pvr=004c0100, RHEL 7.6 host, Ubuntu 16.10 vm, + NVIDIA P100 10de:15f9 driver 396.47 + +Fixes: 7f92891778df ("vfio_pci: Add NVIDIA GV100GL [Tesla V100 SXM2] subdriver") +Cc: stable@vger.kernel.org # 5.0 +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vfio/pci/vfio_pci_nvlink2.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/vfio/pci/vfio_pci_nvlink2.c ++++ b/drivers/vfio/pci/vfio_pci_nvlink2.c +@@ -231,7 +231,7 @@ int vfio_pci_nvdia_v100_nvlink2_init(str + return -EINVAL; + + if (of_property_read_u32(npu_node, "memory-region", &mem_phandle)) +- return -EINVAL; ++ return -ENODEV; + + mem_node = of_find_node_by_phandle(mem_phandle); + if (!mem_node) +@@ -393,7 +393,7 @@ int vfio_pci_ibm_npu2_init(struct vfio_p + int ret; + struct vfio_pci_npu2_data *data; + struct device_node *nvlink_dn; +- u32 nvlink_index = 0; ++ u32 nvlink_index = 0, mem_phandle = 0; + struct pci_dev *npdev = vdev->pdev; + struct device_node *npu_node = pci_device_to_OF_node(npdev); + struct pci_controller *hose = pci_bus_to_host(npdev->bus); +@@ -408,6 +408,9 @@ int vfio_pci_ibm_npu2_init(struct vfio_p + if (!pnv_pci_get_gpu_dev(vdev->pdev)) + return -ENODEV; + ++ if (of_property_read_u32(npu_node, "memory-region", &mem_phandle)) ++ return -ENODEV; ++ + /* + * NPU2 normally has 8 ATSD registers (for concurrency) and 6 links + * so we can allocate one register per link, using nvlink index as