From: Greg Kroah-Hartman Date: Fri, 6 Dec 2019 14:17:32 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v5.4.3~84 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e334e206b1d94159a6cbcfda582a4ef0927dd238;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: serial-ifx6x60-add-missed-pm_runtime_disable.patch serial-pl011-fix-dma-flush_buffer.patch serial-serial_core-perform-null-checks-for-break_ctl-ops.patch tty-serial-fsl_lpuart-use-the-sg-count-from-dma_map_sg.patch tty-serial-msm_serial-fix-flow-control.patch usb-gadget-u_serial-add-missing-port-entry-locking.patch
---
diff --git a/queue-4.14/serial-ifx6x60-add-missed-pm_runtime_disable.patch b/queue-4.14/serial-ifx6x60-add-missed-pm_runtime_disable.patch
new file mode 100644
index 00000000000..d4b94ac4ce9
--- /dev/null
+++ b/queue-4.14/serial-ifx6x60-add-missed-pm_runtime_disable.patch
@@ -0,0 +1,33 @@
+From 50b2b571c5f3df721fc81bf9a12c521dfbe019ba Mon Sep 17 00:00:00 2001
+From: Chuhong Yuan
+Date: Mon, 18 Nov 2019 10:48:33 +0800
+Subject: serial: ifx6x60: add missed pm_runtime_disable
+
+From: Chuhong Yuan
+
+commit 50b2b571c5f3df721fc81bf9a12c521dfbe019ba upstream.
+
+The driver forgets to call pm_runtime_disable in remove.
+Add the missed calls to fix it.
+
+Signed-off-by: Chuhong Yuan
+Cc: stable
+Link: https://lore.kernel.org/r/20191118024833.21587-1-hslester96@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/ifx6x60.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/serial/ifx6x60.c
++++ b/drivers/tty/serial/ifx6x60.c
+@@ -1245,6 +1245,9 @@ static int ifx_spi_spi_remove(struct spi
+ struct ifx_spi_device *ifx_dev = spi_get_drvdata(spi);
+ /* stop activity */
+ tasklet_kill(&ifx_dev->io_work_tasklet);
++
++ pm_runtime_disable(&spi->dev);
++
+ /* free irq */
+ free_irq(gpio_to_irq(ifx_dev->gpio.reset_out), ifx_dev);
+ free_irq(gpio_to_irq(ifx_dev->gpio.srdy), ifx_dev);
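Review bot: The added `pm_runtime_disable(&spi->dev);` sits after `tasklet_kill()` but before the two `free_irq()` calls, so both interrupt lines are still registered while runtime PM is already off. If either handler touches runtime PM or reschedules the tasklet (the handlers are not visible in this hunk), it would run against a disabled device; moving the call below the `free_irq()` lines would close that window. The description says "calls" but only the remove path is changed here, so if probe enables runtime PM it is worth confirming that its error path disables it again. `ifx_spi_spi_remove` continues outside the hunk.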
diff --git a/queue-4.14/serial-pl011-fix-dma-flush_buffer.patch b/queue-4.14/serial-pl011-fix-dma-flush_buffer.patch
new file mode 100644
index 00000000000..bd7b4799420
--- /dev/null
+++ b/queue-4.14/serial-pl011-fix-dma-flush_buffer.patch
@@ -0,0 +1,73 @@
+From f6a196477184b99a31d16366a8e826558aa11f6d Mon Sep 17 00:00:00 2001
+From: Vincent Whitchurch
+Date: Mon, 18 Nov 2019 10:25:47 +0100
+Subject: serial: pl011: Fix DMA ->flush_buffer()
+
+From: Vincent Whitchurch
+
+commit f6a196477184b99a31d16366a8e826558aa11f6d upstream.
+
+PL011's ->flush_buffer() implementation releases and reacquires the port
+lock. Due to a race condition here, data can end up being added to the
+circular buffer but neither being discarded nor being sent out. This
+leads to, for example, tcdrain(2) waiting indefinitely.
+
+Process A Process B
+
+uart_flush_buffer()
+ - acquire lock
+ - circ_clear
+ - pl011_flush_buffer()
+ -- release lock
+ -- dmaengine_terminate_all()
+
+ uart_write()
+ - acquire lock
+ - add chars to circ buffer
+ - start_tx()
+ -- start DMA
+ - release lock
+
+ -- acquire lock
+ -- turn off DMA
+ -- release lock
+
+ // Data in circ buffer but DMA is off
+
+According to the comment in the code, the releasing of the lock around
+dmaengine_terminate_all() is to avoid a deadlock with the DMA engine
+callback. However, since the time this code was written, the DMA engine
+API documentation seems to have been clarified to say that
+dmaengine_terminate_all() (in the identically implemented but
+differently named dmaengine_terminate_async() variant) does not wait for
+any running complete callback to be completed and can even be called
+from a complete callback. So there is no possibility of deadlock if the
+DMA engine driver implements this API correctly.
+
+So we should be able to just remove this release and reacquire of the
+lock to prevent the aforementioned race condition.
+
+Signed-off-by: Vincent Whitchurch
+Cc: stable
+Link: https://lore.kernel.org/r/20191118092547.32135-1-vincent.whitchurch@axis.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/amba-pl011.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -829,10 +829,8 @@ __acquires(&uap->port.lock)
+ if (!uap->using_tx_dma)
+ return;
+
+- /* Avoid deadlock with the DMA engine callback */
+- spin_unlock(&uap->port.lock);
+- dmaengine_terminate_all(uap->dmatx.chan);
+- spin_lock(&uap->port.lock);
++ dmaengine_terminate_async(uap->dmatx.chan);
++
+ if (uap->dmatx.queued) {
+ dma_unmap_sg(uap->dmatx.chan->device->dev, &uap->dmatx.sg, 1,
+ DMA_TO_DEVICE);
diff --git a/queue-4.14/serial-serial_core-perform-null-checks-for-break_ctl-ops.patch b/queue-4.14/serial-serial_core-perform-null-checks-for-break_ctl-ops.patch
new file mode 100644
index 00000000000..d358a37203a
--- /dev/null
+++ b/queue-4.14/serial-serial_core-perform-null-checks-for-break_ctl-ops.patch
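Review bot: `dmaengine_terminate_async()` returns without waiting for the channel to stop, yet `dma_unmap_sg()` on `uap->dmatx.sg` follows immediately in the `if (uap->dmatx.queued)` block. The dmaengine documentation asks for `dmaengine_synchronize()` before memory used by a terminated transfer is released, and that call cannot be made here because the port spinlock is held. At minimum a comment should record the assumption, e.g. `/* async terminate: cannot sleep under port.lock; relies on the DMA driver having stopped the channel before the unmap below */`. The hunk header also shows the function still annotated `__acquires(&uap->port.lock)`; with the unlock/lock pair removed that sparse annotation looks stale, though the declaration is outside the hunk.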
@@ -0,0 +1,126 @@ +From 7d73170e1c282576419f8b50a771f1fcd2b81a94 Mon Sep 17 00:00:00 2001 +From: Jiangfeng Xiao +Date: Wed, 20 Nov 2019 23:18:53 +0800 +Subject: serial: serial_core: Perform NULL checks for break_ctl ops + +From: Jiangfeng Xiao + +commit 7d73170e1c282576419f8b50a771f1fcd2b81a94 upstream. + +Doing fuzz test on sbsa uart device, causes a kernel crash +due to NULL pointer dereference: + +------------[ cut here ]------------ +Unable to handle kernel paging request at virtual address fffffffffffffffc +pgd = ffffffe331723000 +[fffffffffffffffc] *pgd=0000002333595003, *pud=0000002333595003, *pmd=00000 +Internal error: Oops: 96000005 [#1] PREEMPT SMP +Modules linked in: ping(O) jffs2 rtos_snapshot(O) pramdisk(O) hisi_sfc(O) +Drv_Nandc_K(O) Drv_SysCtl_K(O) Drv_SysClk_K(O) bsp_reg(O) hns3(O) +hns3_uio_enet(O) hclgevf(O) hclge(O) hnae3(O) mdio_factory(O) +mdio_registry(O) mdio_dev(O) mdio(O) hns3_info(O) rtos_kbox_panic(O) +uart_suspend(O) rsm(O) stp llc tunnel4 xt_tcpudp ipt_REJECT nf_reject_ipv4 +iptable_filter ip_tables x_tables sd_mod xhci_plat_hcd xhci_pci xhci_hcd +usbmon usbhid usb_storage ohci_platform ohci_pci ohci_hcd hid_generic hid +ehci_platform ehci_pci ehci_hcd vfat fat usbcore usb_common scsi_mod +yaffs2multi(O) ext4 jbd2 ext2 mbcache ofpart i2c_dev i2c_core uio ubi nand +nand_ecc nand_ids cfi_cmdset_0002 cfi_cmdset_0001 cfi_probe gen_probe +cmdlinepart chipreg mtdblock mtd_blkdevs mtd nfsd auth_rpcgss oid_registry +nfsv3 nfs nfs_acl lockd sunrpc grace autofs4 +CPU: 2 PID: 2385 Comm: tty_fuzz_test Tainted: G O 4.4.193 #1 +task: ffffffe32b23f110 task.stack: ffffffe32bda4000 +PC is at uart_break_ctl+0x44/0x84 +LR is at uart_break_ctl+0x34/0x84 +pc : [] lr : [] pstate: 80000005 +sp : ffffffe32bda7cc0 +x29: ffffffe32bda7cc0 x28: ffffffe32b23f110 +x27: ffffff8393402000 x26: 0000000000000000 +x25: ffffffe32b233f40 x24: ffffffc07a8ec680 +x23: 0000000000005425 x22: 00000000ffffffff +x21: ffffffe33ed73c98 x20: 0000000000000000 +x19: ffffffe33ed94168 
x18: 0000000000000004 +x17: 0000007f92ae9d30 x16: ffffff8392fa6064 +x15: 0000000000000010 x14: 0000000000000000 +x13: 0000000000000000 x12: 0000000000000000 +x11: 0000000000000020 x10: 0000007ffdac1708 +x9 : 0000000000000078 x8 : 000000000000001d +x7 : 0000000052a64887 x6 : ffffffe32bda7e08 +x5 : ffffffe32b23c000 x4 : 0000005fbc5b0000 +x3 : ffffff83938d5018 x2 : 0000000000000080 +x1 : ffffffe32b23c040 x0 : ffffff83934428f8 +virtual start addr offset is 38ac00000 +module base offset is 2cd4cf1000 +linear region base offset is : 0 +Process tty_fuzz_test (pid: 2385, stack limit = 0xffffffe32bda4000) +Stack: (0xffffffe32bda7cc0 to 0xffffffe32bda8000) +7cc0: ffffffe32bda7cf0 ffffff8393177718 ffffffc07a8ec680 ffffff8393196054 +7ce0: 000000001739f2e0 0000007ffdac1978 ffffffe32bda7d20 ffffff8393179a1c +7d00: 0000000000000000 ffffff8393c0a000 ffffffc07a8ec680 cb88537fdc8ba600 +7d20: ffffffe32bda7df0 ffffff8392fa5a40 ffffff8393c0a000 0000000000005425 +7d40: 0000007ffdac1978 ffffffe32b233f40 ffffff8393178dcc 0000000000000003 +7d60: 000000000000011d 000000000000001d ffffffe32b23f110 000000000000029e +7d80: ffffffe34fe8d5d0 0000000000000000 ffffffe32bda7e14 cb88537fdc8ba600 +7da0: ffffffe32bda7e30 ffffff8393042cfc ffffff8393c41720 ffffff8393c46410 +7dc0: ffffff839304fa68 ffffffe32b233f40 0000000000005425 0000007ffdac1978 +7de0: 000000000000011d cb88537fdc8ba600 ffffffe32bda7e70 ffffff8392fa60cc +7e00: 0000000000000000 ffffffe32b233f40 ffffffe32b233f40 0000000000000003 +7e20: 0000000000005425 0000007ffdac1978 ffffffe32bda7e70 ffffff8392fa60b0 +7e40: 0000000000000280 ffffffe32b233f40 ffffffe32b233f40 0000000000000003 +7e60: 0000000000005425 cb88537fdc8ba600 0000000000000000 ffffff8392e02e78 +7e80: 0000000000000280 0000005fbc5b0000 ffffffffffffffff 0000007f92ae9d3c +7ea0: 0000000060000000 0000000000000015 0000000000000003 0000000000005425 +7ec0: 0000007ffdac1978 0000000000000000 00000000a54c910e 0000007f92b95014 +7ee0: 0000007f92b95090 0000000052a64887 000000000000001d 
0000000000000078 +7f00: 0000007ffdac1708 0000000000000020 0000000000000000 0000000000000000 +7f20: 0000000000000000 0000000000000010 000000556acf0090 0000007f92ae9d30 +7f40: 0000000000000004 000000556acdef10 0000000000000000 000000556acdebd0 +7f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +7f80: 0000000000000000 0000000000000000 0000000000000000 0000007ffdac1840 +7fa0: 000000556acdedcc 0000007ffdac1840 0000007f92ae9d3c 0000000060000000 +7fc0: 0000000000000000 0000000000000000 0000000000000003 000000000000001d +7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +Call trace: +Exception stack(0xffffffe32bda7ab0 to 0xffffffe32bda7bf0) +7aa0: 0000000000001000 0000007fffffffff +7ac0: ffffffe32bda7cc0 ffffff8393196098 0000000080000005 0000000000000025 +7ae0: ffffffe32b233f40 ffffff83930d777c ffffffe32bda7b30 ffffff83930d777c +7b00: ffffffe32bda7be0 ffffff83938d5000 ffffffe32bda7be0 ffffffe32bda7c20 +7b20: ffffffe32bda7b60 ffffff83930d777c ffffffe32bda7c10 ffffff83938d5000 +7b40: ffffffe32bda7c10 ffffffe32bda7c50 ffffff8393c0a000 ffffffe32b23f110 +7b60: ffffffe32bda7b70 ffffff8392e09df4 ffffffe32bda7bb0 cb88537fdc8ba600 +7b80: ffffff83934428f8 ffffffe32b23c040 0000000000000080 ffffff83938d5018 +7ba0: 0000005fbc5b0000 ffffffe32b23c000 ffffffe32bda7e08 0000000052a64887 +7bc0: 000000000000001d 0000000000000078 0000007ffdac1708 0000000000000020 +7be0: 0000000000000000 0000000000000000 +[] uart_break_ctl+0x44/0x84 +[] send_break+0xa0/0x114 +[] tty_ioctl+0xc50/0xe84 +[] do_vfs_ioctl+0xc4/0x6e8 +[] SyS_ioctl+0x68/0x9c +[] __sys_trace_return+0x0/0x4 +Code: b9410ea0 34000160 f9408aa0 f9402814 (b85fc280) +---[ end trace 8606094f1960c5e0 ]--- +Kernel panic - not syncing: Fatal exception + +Fix this problem by adding NULL checks prior to calling break_ctl ops. 
+
+Signed-off-by: Jiangfeng Xiao
+Cc: stable
+Link: https://lore.kernel.org/r/1574263133-28259-1-git-send-email-xiaojiangfeng@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/serial_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -1125,7 +1125,7 @@ static int uart_break_ctl(struct tty_str
+ if (!uport)
+ goto out;
+
+- if (uport->type != PORT_UNKNOWN)
++ if (uport->type != PORT_UNKNOWN && uport->ops->break_ctl)
+ uport->ops->break_ctl(uport, break_state);
+ ret = 0;
+ out:
diff --git a/queue-4.14/series b/queue-4.14/series
index 1d87a15df24..f8c6a0e9791 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -1,2 +1,8 @@
 rsi-release-skb-if-rsi_prepare_beacon-fails.patch
 arm64-tegra-fix-active-low-warning-for-jetson-tx1-regulator.patch
+usb-gadget-u_serial-add-missing-port-entry-locking.patch
+tty-serial-fsl_lpuart-use-the-sg-count-from-dma_map_sg.patch
+tty-serial-msm_serial-fix-flow-control.patch
+serial-pl011-fix-dma-flush_buffer.patch
+serial-serial_core-perform-null-checks-for-break_ctl-ops.patch
+serial-ifx6x60-add-missed-pm_runtime_disable.patch
diff --git a/queue-4.14/tty-serial-fsl_lpuart-use-the-sg-count-from-dma_map_sg.patch b/queue-4.14/tty-serial-fsl_lpuart-use-the-sg-count-from-dma_map_sg.patch
new file mode 100644
index 00000000000..81bffbfff98
--- /dev/null
+++ b/queue-4.14/tty-serial-fsl_lpuart-use-the-sg-count-from-dma_map_sg.patch
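Review bot: With the new guard, a port whose driver leaves `break_ctl` unset falls through to `ret = 0`, so the ioctl reports success for a break that was never sent. That may be the intended behaviour, but then it should be stated next to the check, e.g. `/* break_ctl is optional: a driver without it silently ignores the request */`. The call trace in the description shows this path is reachable from userspace through `tty_ioctl`, so the other `uport->ops->...` call sites in serial_core deserve the same audit for callbacks a driver may leave NULL; only this one is visible here. `uart_break_ctl` starts and ends outside the hunk.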
@@ -0,0 +1,39 @@
+From 487ee861de176090b055eba5b252b56a3b9973d6 Mon Sep 17 00:00:00 2001
+From: Peng Fan
+Date: Tue, 5 Nov 2019 05:51:10 +0000
+Subject: tty: serial: fsl_lpuart: use the sg count from dma_map_sg
+
+From: Peng Fan
+
+commit 487ee861de176090b055eba5b252b56a3b9973d6 upstream.
+
+The dmaengine_prep_slave_sg needs to use sg count returned
+by dma_map_sg, not use sport->dma_tx_nents, because the return
+value of dma_map_sg is not always same with "nents".
+
+When enabling iommu for lpuart + edma, iommu framework may concatenate
+two sgs into one.
+
+Fixes: 6250cc30c4c4e ("tty: serial: fsl_lpuart: Use scatter/gather DMA for Tx")
+Cc:
+Signed-off-by: Peng Fan
+Link: https://lore.kernel.org/r/1572932977-17866-1-git-send-email-peng.fan@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/fsl_lpuart.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -380,8 +380,8 @@ static void lpuart_dma_tx(struct lpuart_
+ }
+
+ sport->dma_tx_desc = dmaengine_prep_slave_sg(sport->dma_tx_chan, sgl,
+- sport->dma_tx_nents,
+- DMA_MEM_TO_DEV, DMA_PREP_INTERRUPT);
++ ret, DMA_MEM_TO_DEV,
++ DMA_PREP_INTERRUPT);
+ if (!sport->dma_tx_desc) {
+ dma_unmap_sg(dev, sgl, sport->dma_tx_nents, DMA_TO_DEVICE);
+ dev_err(dev, "Cannot prepare TX slave DMA!\n");
diff --git a/queue-4.14/tty-serial-msm_serial-fix-flow-control.patch b/queue-4.14/tty-serial-msm_serial-fix-flow-control.patch
new file mode 100644
index 00000000000..5ec88d757ea
--- /dev/null
+++ b/queue-4.14/tty-serial-msm_serial-fix-flow-control.patch
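Review bot: The prep call now takes the mapped count from `ret` while the error path just below still unmaps with `sport->dma_tx_nents`; that asymmetry is what the DMA API requires (unmap takes the original nents) but it reads like an oversight and invites a wrong follow-up fix. A comment above the call would settle it: `/* dma_map_sg() may merge entries: prep with the mapped count, unmap with the original nents */`. `ret` is also a weak name for a value used as a length; a dedicated local would make the intent clearer. The `dma_map_sg()` call and its failure check sit above the hunk, so confirm that a zero return is rejected before it reaches `dmaengine_prep_slave_sg()`.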
@@ -0,0 +1,69 @@
+From b027ce258369cbfa88401a691c23dad01deb9f9b Mon Sep 17 00:00:00 2001
+From: Jeffrey Hugo
+Date: Mon, 21 Oct 2019 08:46:16 -0700
+Subject: tty: serial: msm_serial: Fix flow control
+
+From: Jeffrey Hugo
+
+commit b027ce258369cbfa88401a691c23dad01deb9f9b upstream.
+
+hci_qca interfaces to the wcn3990 via a uart_dm on the msm8998 mtp and
+Lenovo Miix 630 laptop. As part of initializing the wcn3990, hci_qca
+disables flow, configures the uart baudrate, and then reenables flow - at
+which point an event is expected to be received over the uart from the
+wcn3990. It is observed that this event comes after the baudrate change
+but before hci_qca re-enables flow. This is unexpected, and is a result of
+msm_reset() being broken.
+
+According to the uart_dm hardware documentation, it is recommended that
+automatic hardware flow control be enabled by setting RX_RDY_CTL. Auto
+hw flow control will manage RFR based on the configured watermark. When
+there is space to receive data, the hw will assert RFR. When the watermark
+is hit, the hw will de-assert RFR.
+
+The hardware documentation indicates that RFR can me manually managed via
+CR when RX_RDY_CTL is not set. SET_RFR asserts RFR, and RESET_RFR
+de-asserts RFR.
+
+msm_reset() is broken because after resetting the hardware, it
+unconditionally asserts RFR via SET_RFR. This enables flow regardless of
+the current configuration, and would undo a previous flow disable
+operation. It should instead de-assert RFR via RESET_RFR to block flow
+until the hardware is reconfigured. msm_serial should rely on the client
+to specify that flow should be enabled, either via mctrl() or the termios
+structure, and only assert RFR in response to those triggers.
+
+Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.")
+Signed-off-by: Jeffrey Hugo
+Reviewed-by: Bjorn Andersson
+Cc: stable
+Reviewed-by: Andy Gross
+Link: https://lore.kernel.org/r/20191021154616.25457-1-jeffrey.l.hugo@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/msm_serial.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -988,6 +988,7 @@ static unsigned int msm_get_mctrl(struct
+ static void msm_reset(struct uart_port *port)
+ {
+ struct msm_port *msm_port = UART_TO_MSM(port);
++ unsigned int mr;
+
+ /* reset everything */
+ msm_write(port, UART_CR_CMD_RESET_RX, UART_CR);
+@@ -995,7 +996,10 @@ static void msm_reset(struct uart_port *
+ msm_write(port, UART_CR_CMD_RESET_ERR, UART_CR);
+ msm_write(port, UART_CR_CMD_RESET_BREAK_INT, UART_CR);
+ msm_write(port, UART_CR_CMD_RESET_CTS, UART_CR);
+- msm_write(port, UART_CR_CMD_SET_RFR, UART_CR);
++ msm_write(port, UART_CR_CMD_RESET_RFR, UART_CR);
++ mr = msm_read(port, UART_MR1);
++ mr &= ~UART_MR1_RX_RDY_CTL;
++ msm_write(port, mr, UART_MR1);
+
+ /* Disable DM modes */
+ if (msm_port->is_uartdm)
diff --git a/queue-4.14/usb-gadget-u_serial-add-missing-port-entry-locking.patch b/queue-4.14/usb-gadget-u_serial-add-missing-port-entry-locking.patch
new file mode 100644
index 00000000000..f669d95e26f
--- /dev/null
+++ b/queue-4.14/usb-gadget-u_serial-add-missing-port-entry-locking.patch
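Review bot: The `UART_MR1` read-modify-write added to `msm_reset()` clears `UART_MR1_RX_RDY_CTL` without a comment, although it changes what every caller of the reset gets: RFR de-asserted and automatic flow control off until something re-enables it. A comment above the three lines would make that contract explicit, e.g. `/* leave flow blocked; RFR and RX_RDY_CTL are re-enabled only via mctrl/termios */`. The sequence is also not atomic with respect to other writers of `UART_MR1`; whether callers hold the port lock is not visible in this hunk and should be confirmed. Any caller that resets without a later set_mctrl or set_termios, if one exists, would leave the peer unable to send.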
@@ -0,0 +1,39 @@
+From daf82bd24e308c5a83758047aff1bd81edda4f11 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?=
+Date: Sat, 10 Aug 2019 10:42:48 +0200
+Subject: usb: gadget: u_serial: add missing port entry locking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Mirosław
+
+commit daf82bd24e308c5a83758047aff1bd81edda4f11 upstream.
+
+gserial_alloc_line() misses locking (for a release barrier) while
+resetting port entry on TTY allocation failure. Fix this.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Michał Mirosław
+Reviewed-by: Greg Kroah-Hartman
+Tested-by: Ladislav Michl
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/function/u_serial.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/gadget/function/u_serial.c
++++ b/drivers/usb/gadget/function/u_serial.c
+@@ -1392,8 +1392,10 @@ int gserial_alloc_line(unsigned char *li
+ __func__, port_num, PTR_ERR(tty_dev));
+
+ ret = PTR_ERR(tty_dev);
++ mutex_lock(&ports[port_num].lock);
+ port = ports[port_num].port;
+ ports[port_num].port = NULL;
++ mutex_unlock(&ports[port_num].lock);
+ gserial_free_port(port);
+ goto err;
+ }
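Review bot: `gserial_free_port(port)` runs after `mutex_unlock()`, so the new lock only orders the `ports[port_num].port = NULL` store; it does not stop a path that fetched the pointer under the same lock a moment earlier from using it while it is being freed. Whether such a reader can exist at this point of `gserial_alloc_line()` is not visible in the hunk. If it cannot, the code should say so, e.g. `/* lock taken only for the release barrier; no other user can hold port yet */`. The function starts outside the hunk.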