From: Sasha Levin Date: Sat, 8 May 2021 03:21:17 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v5.4.118~79 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e399e216c9e1194b1b8cd9acef6915cf36979fc8;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/amdgpu-avoid-incorrect-hu-format-string.patch b/queue-5.4/amdgpu-avoid-incorrect-hu-format-string.patch new file mode 100644 index 00000000000..b934229470b --- /dev/null +++ b/queue-5.4/amdgpu-avoid-incorrect-hu-format-string.patch @@ -0,0 +1,50 @@ +From efdc4e721a6f6777544d59cc7a3846e1bfedf921 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Mar 2021 12:54:42 +0100 +Subject: amdgpu: avoid incorrect %hu format string +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +[ Upstream commit 7d98d416c2cc1c1f7d9508e887de4630e521d797 ] + +clang points out that the %hu format string does not match the type +of the variables here: + +drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c:263:7: warning: format specifies type 'unsigned short' but the argument has type 'unsigned int' [-Wformat] + version_major, version_minor); + ^~~~~~~~~~~~~ +include/drm/drm_print.h:498:19: note: expanded from macro 'DRM_ERROR' + __drm_err(fmt, ##__VA_ARGS__) + ~~~ ^~~~~~~~~~~ + +Change it to a regular %u, the same way a previous patch did for +another instance of the same warning. + +Reviewed-by: Christian König +Reviewed-by: Tom Rix +Signed-off-by: Arnd Bergmann +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c +index b2c364b8695f..cfa8324b9f51 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c +@@ -231,7 +231,7 @@ int amdgpu_uvd_sw_init(struct amdgpu_device *adev) + if ((adev->asic_type == CHIP_POLARIS10 || + adev->asic_type == CHIP_POLARIS11) && + (adev->uvd.fw_version < FW_1_66_16)) +- DRM_ERROR("POLARIS10/11 UVD firmware version %hu.%hu is too old.\n", ++ DRM_ERROR("POLARIS10/11 UVD firmware version %u.%u is too old.\n", + version_major, version_minor); + } else { + unsigned int enc_major, enc_minor, dec_minor; +-- +2.30.2 + diff --git a/queue-5.4/ata-ahci-disable-sxs-for-hisilicon-kunpeng920.patch b/queue-5.4/ata-ahci-disable-sxs-for-hisilicon-kunpeng920.patch new file mode 100644 index 00000000000..0440c93af2b --- /dev/null +++ b/queue-5.4/ata-ahci-disable-sxs-for-hisilicon-kunpeng920.patch @@ -0,0 +1,75 @@ +From ffb356331ab9ece0f7e02c26306c5615ec6be24b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Mar 2021 18:24:36 +0800 +Subject: ata: ahci: Disable SXS for Hisilicon Kunpeng920 + +From: Xingui Yang + +[ Upstream commit 234e6d2c18f5b080cde874483c4c361f3ae7cffe ] + +On Hisilicon Kunpeng920, ESP is set to 1 by default for all ports of +SATA controller. In some scenarios, some ports are not external SATA ports, +and it cause disks connected to these ports to be identified as removable +disks. So disable the SXS capability on the software side to prevent users +from mistakenly considering non-removable disks as removable disks and +performing related operations. + +Signed-off-by: Xingui Yang +Signed-off-by: Luo Jiaxing +Reviewed-by: John Garry +Link: https://lore.kernel.org/r/1615544676-61926-1-git-send-email-luojiaxing@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 5 +++++ + drivers/ata/ahci.h | 1 + + drivers/ata/libahci.c | 5 +++++ + 3 files changed, 11 insertions(+) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index d33528033042..8beb418ce167 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -1728,6 +1728,11 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + hpriv->flags |= AHCI_HFLAG_NO_DEVSLP; + + #ifdef CONFIG_ARM64 ++ if (pdev->vendor == PCI_VENDOR_ID_HUAWEI && ++ pdev->device == 0xa235 && ++ pdev->revision < 0x30) ++ hpriv->flags |= AHCI_HFLAG_NO_SXS; ++ + if (pdev->vendor == 0x177d && pdev->device == 0xa01c) + hpriv->irq_handler = ahci_thunderx_irq_handler; + #endif +diff --git a/drivers/ata/ahci.h b/drivers/ata/ahci.h +index 9ef62e647cd2..732912cd4e08 100644 +--- a/drivers/ata/ahci.h ++++ b/drivers/ata/ahci.h +@@ -242,6 +242,7 @@ enum { + suspend/resume */ + AHCI_HFLAG_IGN_NOTSUPP_POWER_ON = (1 << 27), /* ignore -EOPNOTSUPP + from phy_power_on() */ ++ AHCI_HFLAG_NO_SXS = (1 << 28), /* SXS not supported */ + + /* ap->flags bits */ + +diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c +index ea5bf5f4cbed..fec2e9754aed 100644 +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -493,6 +493,11 @@ void ahci_save_initial_config(struct device *dev, struct ahci_host_priv *hpriv) + cap |= HOST_CAP_ALPM; + } + ++ if ((cap & HOST_CAP_SXS) && (hpriv->flags & AHCI_HFLAG_NO_SXS)) { ++ dev_info(dev, "controller does not support SXS, disabling CAP_SXS\n"); ++ cap &= ~HOST_CAP_SXS; ++ } ++ + if (hpriv->force_port_map && port_map != hpriv->force_port_map) { + dev_info(dev, "forcing port_map 0x%x -> 0x%x\n", + port_map, hpriv->force_port_map); +-- +2.30.2 + diff --git a/queue-5.4/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch b/queue-5.4/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch new file mode 100644 index 00000000000..57abd448efa --- /dev/null +++ b/queue-5.4/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch @@ -0,0 +1,48 @@ +From ade4b90cfd7f385a8d0687bc5be1a173370a1bbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Mar 2021 15:25:21 -0500 +Subject: btrfs: convert logic BUG_ON()'s in replace_path to ASSERT()'s + +From: Josef Bacik + +[ Upstream commit 7a9213a93546e7eaef90e6e153af6b8fc7553f10 ] + +A few BUG_ON()'s in replace_path are purely to keep us from making +logical mistakes, so replace them with ASSERT()'s. + +Reviewed-by: Qu Wenruo +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/relocation.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index 68b5d7c4aa49..ba68b0b41dff 100644 +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -1836,8 +1836,8 @@ int replace_path(struct btrfs_trans_handle *trans, struct reloc_control *rc, + int ret; + int slot; + +- BUG_ON(src->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID); +- BUG_ON(dest->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID); ++ ASSERT(src->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID); ++ ASSERT(dest->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID); + + last_snapshot = btrfs_root_last_snapshot(&src->root_item); + again: +@@ -1871,7 +1871,7 @@ again: + struct btrfs_key first_key; + + level = btrfs_header_level(parent); +- BUG_ON(level < lowest_level); ++ ASSERT(level >= lowest_level); + + ret = btrfs_bin_search(parent, &key, level, &slot); + if (ret < 0) +-- +2.30.2 + diff --git a/queue-5.4/bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-interconnec.patch b/queue-5.4/bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-interconnec.patch new file mode 100644 index 00000000000..b6b560fb9d3 --- /dev/null +++ b/queue-5.4/bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-interconnec.patch @@ -0,0 +1,90 @@ +From 12f6e8d9335cb2f5408e42ed3d3838eb427784f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Mar 2021 11:35:07 +0200 +Subject: bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first + +From: Tony Lindgren + +[ Upstream commit 4700a00755fb5a4bb5109128297d6fd2d1272ee6 ] + +We want to probe l4_wkup and l4_cfg interconnect devices first to avoid +issues with missing resources. Otherwise we attempt to probe l4_per +devices first causing pointless deferred probe and also annoyingh +renumbering of the MMC devices for example. + +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/bus/ti-sysc.c | 49 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 49 insertions(+) + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index f9ff6d433dfe..d59e1ca9990b 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -602,6 +602,51 @@ static int sysc_parse_and_check_child_range(struct sysc *ddata) + return 0; + } + ++/* Interconnect instances to probe before l4_per instances */ ++static struct resource early_bus_ranges[] = { ++ /* am3/4 l4_wkup */ ++ { .start = 0x44c00000, .end = 0x44c00000 + 0x300000, }, ++ /* omap4/5 and dra7 l4_cfg */ ++ { .start = 0x4a000000, .end = 0x4a000000 + 0x300000, }, ++ /* omap4 l4_wkup */ ++ { .start = 0x4a300000, .end = 0x4a300000 + 0x30000, }, ++ /* omap5 and dra7 l4_wkup without dra7 dcan segment */ ++ { .start = 0x4ae00000, .end = 0x4ae00000 + 0x30000, }, ++}; ++ ++static atomic_t sysc_defer = ATOMIC_INIT(10); ++ ++/** ++ * sysc_defer_non_critical - defer non_critical interconnect probing ++ * @ddata: device driver data ++ * ++ * We want to probe l4_cfg and l4_wkup interconnect instances before any ++ * l4_per instances as l4_per instances depend on resources on l4_cfg and ++ * l4_wkup interconnects. ++ */ ++static int sysc_defer_non_critical(struct sysc *ddata) ++{ ++ struct resource *res; ++ int i; ++ ++ if (!atomic_read(&sysc_defer)) ++ return 0; ++ ++ for (i = 0; i < ARRAY_SIZE(early_bus_ranges); i++) { ++ res = &early_bus_ranges[i]; ++ if (ddata->module_pa >= res->start && ++ ddata->module_pa <= res->end) { ++ atomic_set(&sysc_defer, 0); ++ ++ return 0; ++ } ++ } ++ ++ atomic_dec_if_positive(&sysc_defer); ++ ++ return -EPROBE_DEFER; ++} ++ + static struct device_node *stdout_path; + + static void sysc_init_stdout_path(struct sysc *ddata) +@@ -826,6 +871,10 @@ static int sysc_map_and_check_registers(struct sysc *ddata) + if (error) + return error; + ++ error = sysc_defer_non_critical(ddata); ++ if (error) ++ return error; ++ + sysc_check_children(ddata); + + error = sysc_parse_registers(ddata); +-- +2.30.2 + diff --git a/queue-5.4/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch b/queue-5.4/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch new file mode 100644 index 00000000000..b64bc0ad1b3 --- /dev/null +++ b/queue-5.4/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch @@ -0,0 +1,38 @@ +From 549607e8111e01217e69ffd818bd84b5e35e3e77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 18:01:15 +0100 +Subject: clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return + +From: Colin Ian King + +[ Upstream commit 657d4d1934f75a2d978c3cf2086495eaa542e7a9 ] + +There is an error return path that is not kfree'ing socfpga_clk leading +to a memory leak. Fix this by adding in the missing kfree call. + +Addresses-Coverity: ("Resource leak") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20210406170115.430990-1-colin.king@canonical.com +Acked-by: Dinh Nguyen +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/socfpga/clk-gate-a10.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/socfpga/clk-gate-a10.c b/drivers/clk/socfpga/clk-gate-a10.c +index cd5df9103614..d62778884208 100644 +--- a/drivers/clk/socfpga/clk-gate-a10.c ++++ b/drivers/clk/socfpga/clk-gate-a10.c +@@ -146,6 +146,7 @@ static void __init __socfpga_gate_init(struct device_node *node, + if (IS_ERR(socfpga_clk->sys_mgr_base_addr)) { + pr_err("%s: failed to find altr,sys-mgr regmap!\n", + __func__); ++ kfree(socfpga_clk); + return; + } + } +-- +2.30.2 + diff --git a/queue-5.4/crypto-api-check-for-err-pointers-in-crypto_destroy_.patch b/queue-5.4/crypto-api-check-for-err-pointers-in-crypto_destroy_.patch new file mode 100644 index 00000000000..38d3025bafa --- /dev/null +++ b/queue-5.4/crypto-api-check-for-err-pointers-in-crypto_destroy_.patch @@ -0,0 +1,149 @@ +From 3fd6c33be401ca634ed69da2426b694e503434c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Mar 2021 21:33:03 +0100 +Subject: crypto: api - check for ERR pointers in crypto_destroy_tfm() + +From: Ard Biesheuvel + +[ Upstream commit 83681f2bebb34dbb3f03fecd8f570308ab8b7c2c ] + +Given that crypto_alloc_tfm() may return ERR pointers, and to avoid +crashes on obscure error paths where such pointers are presented to +crypto_destroy_tfm() (such as [0]), add an ERR_PTR check there +before dereferencing the second argument as a struct crypto_tfm +pointer. + +[0] https://lore.kernel.org/linux-crypto/000000000000de949705bc59e0f6@google.com/ + +Reported-by: syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com +Reviewed-by: Eric Biggers +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/api.c | 2 +- + include/crypto/acompress.h | 2 ++ + include/crypto/aead.h | 2 ++ + include/crypto/akcipher.h | 2 ++ + include/crypto/hash.h | 4 ++++ + include/crypto/kpp.h | 2 ++ + include/crypto/rng.h | 2 ++ + include/crypto/skcipher.h | 2 ++ + 8 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/crypto/api.c b/crypto/api.c +index eda0c56b8615..c71d1485541c 100644 +--- a/crypto/api.c ++++ b/crypto/api.c +@@ -568,7 +568,7 @@ void crypto_destroy_tfm(void *mem, struct crypto_tfm *tfm) + { + struct crypto_alg *alg; + +- if (unlikely(!mem)) ++ if (IS_ERR_OR_NULL(mem)) + return; + + alg = tfm->__crt_alg; +diff --git a/include/crypto/acompress.h b/include/crypto/acompress.h +index d873f999b334..3a801a7d3a0e 100644 +--- a/include/crypto/acompress.h ++++ b/include/crypto/acompress.h +@@ -147,6 +147,8 @@ static inline struct crypto_acomp *crypto_acomp_reqtfm(struct acomp_req *req) + * crypto_free_acomp() -- free ACOMPRESS tfm handle + * + * @tfm: ACOMPRESS tfm handle allocated with crypto_alloc_acomp() ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. + */ + static inline void crypto_free_acomp(struct crypto_acomp *tfm) + { +diff --git a/include/crypto/aead.h b/include/crypto/aead.h +index 3c245b1859e7..3b870b4e8275 100644 +--- a/include/crypto/aead.h ++++ b/include/crypto/aead.h +@@ -179,6 +179,8 @@ static inline struct crypto_tfm *crypto_aead_tfm(struct crypto_aead *tfm) + /** + * crypto_free_aead() - zeroize and free aead handle + * @tfm: cipher handle to be freed ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. + */ + static inline void crypto_free_aead(struct crypto_aead *tfm) + { +diff --git a/include/crypto/akcipher.h b/include/crypto/akcipher.h +index 6924b091adec..8913b42fcb34 100644 +--- a/include/crypto/akcipher.h ++++ b/include/crypto/akcipher.h +@@ -174,6 +174,8 @@ static inline struct crypto_akcipher *crypto_akcipher_reqtfm( + * crypto_free_akcipher() - free AKCIPHER tfm handle + * + * @tfm: AKCIPHER tfm handle allocated with crypto_alloc_akcipher() ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. + */ + static inline void crypto_free_akcipher(struct crypto_akcipher *tfm) + { +diff --git a/include/crypto/hash.h b/include/crypto/hash.h +index 84e9f2380edf..e993c6beec07 100644 +--- a/include/crypto/hash.h ++++ b/include/crypto/hash.h +@@ -260,6 +260,8 @@ static inline struct crypto_tfm *crypto_ahash_tfm(struct crypto_ahash *tfm) + /** + * crypto_free_ahash() - zeroize and free the ahash handle + * @tfm: cipher handle to be freed ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. + */ + static inline void crypto_free_ahash(struct crypto_ahash *tfm) + { +@@ -703,6 +705,8 @@ static inline struct crypto_tfm *crypto_shash_tfm(struct crypto_shash *tfm) + /** + * crypto_free_shash() - zeroize and free the message digest handle + * @tfm: cipher handle to be freed ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. + */ + static inline void crypto_free_shash(struct crypto_shash *tfm) + { +diff --git a/include/crypto/kpp.h b/include/crypto/kpp.h +index cd9a9b500624..19a2eadbef61 100644 +--- a/include/crypto/kpp.h ++++ b/include/crypto/kpp.h +@@ -154,6 +154,8 @@ static inline void crypto_kpp_set_flags(struct crypto_kpp *tfm, u32 flags) + * crypto_free_kpp() - free KPP tfm handle + * + * @tfm: KPP tfm handle allocated with crypto_alloc_kpp() ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. + */ + static inline void crypto_free_kpp(struct crypto_kpp *tfm) + { +diff --git a/include/crypto/rng.h b/include/crypto/rng.h +index 8b4b844b4eef..17bb3673d3c1 100644 +--- a/include/crypto/rng.h ++++ b/include/crypto/rng.h +@@ -111,6 +111,8 @@ static inline struct rng_alg *crypto_rng_alg(struct crypto_rng *tfm) + /** + * crypto_free_rng() - zeroize and free RNG handle + * @tfm: cipher handle to be freed ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. + */ + static inline void crypto_free_rng(struct crypto_rng *tfm) + { +diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h +index aada87916918..0bce6005d325 100644 +--- a/include/crypto/skcipher.h ++++ b/include/crypto/skcipher.h +@@ -203,6 +203,8 @@ static inline struct crypto_tfm *crypto_skcipher_tfm( + /** + * crypto_free_skcipher() - zeroize and free cipher handle + * @tfm: cipher handle to be freed ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. + */ + static inline void crypto_free_skcipher(struct crypto_skcipher *tfm) + { +-- +2.30.2 + diff --git a/queue-5.4/crypto-omap-aes-fix-pm-reference-leak-on-omap-aes.c.patch b/queue-5.4/crypto-omap-aes-fix-pm-reference-leak-on-omap-aes.c.patch new file mode 100644 index 00000000000..880264e6973 --- /dev/null +++ b/queue-5.4/crypto-omap-aes-fix-pm-reference-leak-on-omap-aes.c.patch @@ -0,0 +1,55 @@ +From 94f02ea7939ba92dc3fcf9f246a66ed9e0689c19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 15:18:39 +0800 +Subject: crypto: omap-aes - Fix PM reference leak on omap-aes.c + +From: Shixin Liu + +[ Upstream commit 1f34cc4a8da34fbb250efb928f9b8c6fe7ee0642 ] + +pm_runtime_get_sync will increment pm usage counter even it failed. +Forgetting to putting operation will result in reference leak here. +Fix it by replacing it with pm_runtime_resume_and_get to keep usage +counter balanced. + +Signed-off-by: Shixin Liu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/omap-aes.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/omap-aes.c b/drivers/crypto/omap-aes.c +index 103e704c1469..72edb10181b8 100644 +--- a/drivers/crypto/omap-aes.c ++++ b/drivers/crypto/omap-aes.c +@@ -103,7 +103,7 @@ static int omap_aes_hw_init(struct omap_aes_dev *dd) + dd->err = 0; + } + +- err = pm_runtime_get_sync(dd->dev); ++ err = pm_runtime_resume_and_get(dd->dev); + if (err < 0) { + dev_err(dd->dev, "failed to get sync: %d\n", err); + return err; +@@ -1153,7 +1153,7 @@ static int omap_aes_probe(struct platform_device *pdev) + pm_runtime_set_autosuspend_delay(dev, DEFAULT_AUTOSUSPEND_DELAY); + + pm_runtime_enable(dev); +- err = pm_runtime_get_sync(dev); ++ err = pm_runtime_resume_and_get(dev); + if (err < 0) { + dev_err(dev, "%s: failed to get_sync(%d)\n", + __func__, err); +@@ -1318,7 +1318,7 @@ static int omap_aes_suspend(struct device *dev) + + static int omap_aes_resume(struct device *dev) + { +- pm_runtime_get_sync(dev); ++ pm_runtime_resume_and_get(dev); + return 0; + } + #endif +-- +2.30.2 + diff --git a/queue-5.4/crypto-qat-fix-unmap-invalid-dma-address.patch b/queue-5.4/crypto-qat-fix-unmap-invalid-dma-address.patch new file mode 100644 index 00000000000..d8ddce28b98 --- /dev/null +++ b/queue-5.4/crypto-qat-fix-unmap-invalid-dma-address.patch @@ -0,0 +1,61 @@ +From e4365c111fc9b6bef547518d5652c3d7867289fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Mar 2021 14:35:01 +0800 +Subject: crypto: qat - fix unmap invalid dma address + +From: Hui Tang + +[ Upstream commit 792b32fad548281e1b7fe14df9063a96c54b32a2 ] + +'dma_mapping_error' return a negative value if 'dma_addr' is equal to +'DMA_MAPPING_ERROR' not zero, so fix initialization of 'dma_addr'. + +Signed-off-by: Hui Tang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/qat_algs.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/qat/qat_common/qat_algs.c b/drivers/crypto/qat/qat_common/qat_algs.c +index 0d67cf5ede51..6b8ad3d67481 100644 +--- a/drivers/crypto/qat/qat_common/qat_algs.c ++++ b/drivers/crypto/qat/qat_common/qat_algs.c +@@ -715,7 +715,7 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst, + struct qat_alg_buf_list *bufl; + struct qat_alg_buf_list *buflout = NULL; + dma_addr_t blp; +- dma_addr_t bloutp = 0; ++ dma_addr_t bloutp; + struct scatterlist *sg; + size_t sz_out, sz = struct_size(bufl, bufers, n + 1); + +@@ -727,6 +727,9 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst, + if (unlikely(!bufl)) + return -ENOMEM; + ++ for_each_sg(sgl, sg, n, i) ++ bufl->bufers[i].addr = DMA_MAPPING_ERROR; ++ + blp = dma_map_single(dev, bufl, sz, DMA_TO_DEVICE); + if (unlikely(dma_mapping_error(dev, blp))) + goto err_in; +@@ -760,10 +763,14 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst, + dev_to_node(&GET_DEV(inst->accel_dev))); + if (unlikely(!buflout)) + goto err_in; ++ ++ bufers = buflout->bufers; ++ for_each_sg(sglout, sg, n, i) ++ bufers[i].addr = DMA_MAPPING_ERROR; ++ + bloutp = dma_map_single(dev, buflout, sz_out, DMA_TO_DEVICE); + if (unlikely(dma_mapping_error(dev, bloutp))) + goto err_out; +- bufers = buflout->bufers; + for_each_sg(sglout, sg, n, i) { + int y = sg_nctr; + +-- +2.30.2 + diff --git a/queue-5.4/crypto-stm32-cryp-fix-pm-reference-leak-on-stm32-cry.patch b/queue-5.4/crypto-stm32-cryp-fix-pm-reference-leak-on-stm32-cry.patch new file mode 100644 index 00000000000..7f136d62836 --- /dev/null +++ b/queue-5.4/crypto-stm32-cryp-fix-pm-reference-leak-on-stm32-cry.patch @@ -0,0 +1,46 @@ +From 0150c8092e380f34e65f89dd41491240278248c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 15:18:36 +0800 +Subject: crypto: stm32/cryp - Fix PM reference leak on stm32-cryp.c + +From: Shixin Liu + +[ Upstream commit 747bf30fd944f02f341b5f3bc7d97a13f2ae2fbe ] + +pm_runtime_get_sync will increment pm usage counter even it failed. +Forgetting to putting operation will result in reference leak here. +Fix it by replacing it with pm_runtime_resume_and_get to keep usage +counter balanced. + +Signed-off-by: Shixin Liu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32-cryp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c +index ba5ea6434f9c..9b3511236ba2 100644 +--- a/drivers/crypto/stm32/stm32-cryp.c ++++ b/drivers/crypto/stm32/stm32-cryp.c +@@ -537,7 +537,7 @@ static int stm32_cryp_hw_init(struct stm32_cryp *cryp) + int ret; + u32 cfg, hw_mode; + +- pm_runtime_get_sync(cryp->dev); ++ pm_runtime_resume_and_get(cryp->dev); + + /* Disable interrupt */ + stm32_cryp_write(cryp, CRYP_IMSCR, 0); +@@ -2054,7 +2054,7 @@ static int stm32_cryp_remove(struct platform_device *pdev) + if (!cryp) + return -ENODEV; + +- ret = pm_runtime_get_sync(cryp->dev); ++ ret = pm_runtime_resume_and_get(cryp->dev); + if (ret < 0) + return ret; + +-- +2.30.2 + diff --git a/queue-5.4/crypto-stm32-hash-fix-pm-reference-leak-on-stm32-has.patch b/queue-5.4/crypto-stm32-hash-fix-pm-reference-leak-on-stm32-has.patch new file mode 100644 index 00000000000..932c0dc2959 --- /dev/null +++ b/queue-5.4/crypto-stm32-hash-fix-pm-reference-leak-on-stm32-has.patch @@ -0,0 +1,64 @@ +From 0a6316071650babde8a02678f8c48baa27e9863e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 15:18:35 +0800 +Subject: crypto: stm32/hash - Fix PM reference leak on stm32-hash.c + +From: Shixin Liu + +[ Upstream commit 1cb3ad701970e68f18a9e5d090baf2b1b703d729 ] + +pm_runtime_get_sync will increment pm usage counter even it failed. +Forgetting to putting operation will result in reference leak here. +Fix it by replacing it with pm_runtime_resume_and_get to keep usage +counter balanced. + +Signed-off-by: Shixin Liu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32-hash.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/crypto/stm32/stm32-hash.c b/drivers/crypto/stm32/stm32-hash.c +index cfc8e0e37bee..dcce15b55809 100644 +--- a/drivers/crypto/stm32/stm32-hash.c ++++ b/drivers/crypto/stm32/stm32-hash.c +@@ -810,7 +810,7 @@ static void stm32_hash_finish_req(struct ahash_request *req, int err) + static int stm32_hash_hw_init(struct stm32_hash_dev *hdev, + struct stm32_hash_request_ctx *rctx) + { +- pm_runtime_get_sync(hdev->dev); ++ pm_runtime_resume_and_get(hdev->dev); + + if (!(HASH_FLAGS_INIT & hdev->flags)) { + stm32_hash_write(hdev, HASH_CR, HASH_CR_INIT); +@@ -959,7 +959,7 @@ static int stm32_hash_export(struct ahash_request *req, void *out) + u32 *preg; + unsigned int i; + +- pm_runtime_get_sync(hdev->dev); ++ pm_runtime_resume_and_get(hdev->dev); + + while ((stm32_hash_read(hdev, HASH_SR) & HASH_SR_BUSY)) + cpu_relax(); +@@ -997,7 +997,7 @@ static int stm32_hash_import(struct ahash_request *req, const void *in) + + preg = rctx->hw_context; + +- pm_runtime_get_sync(hdev->dev); ++ pm_runtime_resume_and_get(hdev->dev); + + stm32_hash_write(hdev, HASH_IMR, *preg++); + stm32_hash_write(hdev, HASH_STR, *preg++); +@@ -1553,7 +1553,7 @@ static int stm32_hash_remove(struct platform_device *pdev) + if (!hdev) + return -ENODEV; + +- ret = pm_runtime_get_sync(hdev->dev); ++ ret = pm_runtime_resume_and_get(hdev->dev); + if (ret < 0) + return ret; + +-- +2.30.2 + diff --git a/queue-5.4/drm-added-orientation-quirk-for-onegx1-pro.patch b/queue-5.4/drm-added-orientation-quirk-for-onegx1-pro.patch new file mode 100644 index 00000000000..1d151bc5935 --- /dev/null +++ b/queue-5.4/drm-added-orientation-quirk-for-onegx1-pro.patch @@ -0,0 +1,56 @@ +From f88ca7199ef284660fef03f3b6f8a8f9f182a3c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 12:56:26 -0800 +Subject: drm: Added orientation quirk for OneGX1 Pro + +From: Jared Baldridge + +[ Upstream commit 81ad7f9f78e4ff80e95be8282423f511b84f1166 ] + +The OneGX1 Pro has a fairly unique combination of generic strings, +but we additionally match on the BIOS date just to be safe. + +Signed-off-by: Jared Baldridge +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/41288ccb-1012-486b-81c1-a24c31850c91@www.fastmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index 58f5dc2f6dd5..f6bdec7fa925 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -84,6 +84,13 @@ static const struct drm_dmi_panel_orientation_data itworks_tw891 = { + .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP, + }; + ++static const struct drm_dmi_panel_orientation_data onegx1_pro = { ++ .width = 1200, ++ .height = 1920, ++ .bios_dates = (const char * const []){ "12/17/2020", NULL }, ++ .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP, ++}; ++ + static const struct drm_dmi_panel_orientation_data lcd720x1280_rightside_up = { + .width = 720, + .height = 1280, +@@ -211,6 +218,13 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad D330-10IGM"), + }, + .driver_data = (void *)&lcd1200x1920_rightside_up, ++ }, { /* OneGX1 Pro */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "SYSTEM_MANUFACTURER"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "SYSTEM_PRODUCT_NAME"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Default string"), ++ }, ++ .driver_data = (void *)&onegx1_pro, + }, { /* VIOS LTH17 */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "VIOS"), +-- +2.30.2 + diff --git a/queue-5.4/drm-amd-display-check-for-dsc-support-instead-of-asi.patch b/queue-5.4/drm-amd-display-check-for-dsc-support-instead-of-asi.patch new file mode 100644 index 00000000000..5741eaa0faa --- /dev/null +++ b/queue-5.4/drm-amd-display-check-for-dsc-support-instead-of-asi.patch @@ -0,0 +1,44 @@ +From f5c34fe221fc019305bcb21621fa8e024283410f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Feb 2021 17:09:52 -0500 +Subject: drm/amd/display: Check for DSC support instead of ASIC revision + +From: Eryk Brol + +[ Upstream commit 349a19b2f1b01e713268c7de9944ad669ccdf369 ] + +[why] +This check for ASIC revision is no longer useful and causes +lightup issues after a topology change in MST DSC scenario. +In this case, DSC configs should be recalculated for the new +topology. This check prevented that from happening on certain +ASICs that do, in fact, support DSC. + +[how] +Change the ASIC revision to instead check if DSC is supported. + +Signed-off-by: Eryk Brol +Acked-by: Bindu Ramamurthy +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index fbbe611d4873..2626aacf492f 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -7330,7 +7330,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev, + } + + #if defined(CONFIG_DRM_AMD_DC_DCN) +- if (adev->asic_type >= CHIP_NAVI10) { ++ if (dc_resource_is_dsc_encoding_supported(dc)) { + for_each_oldnew_crtc_in_state(state, crtc, old_crtc_state, new_crtc_state, i) { + if (drm_atomic_crtc_needs_modeset(new_crtc_state)) { + ret = add_affected_mst_dsc_crtcs(state, crtc); +-- +2.30.2 + diff --git a/queue-5.4/drm-amd-display-don-t-optimize-bandwidth-before-disa.patch b/queue-5.4/drm-amd-display-don-t-optimize-bandwidth-before-disa.patch new file mode 100644 index 00000000000..5f90e843c81 --- /dev/null +++ b/queue-5.4/drm-amd-display-don-t-optimize-bandwidth-before-disa.patch @@ -0,0 +1,44 @@ +From 8d9cbf686c58c2469a60d1ae50286a840b4e281e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Feb 2021 18:13:59 -0500 +Subject: drm/amd/display: Don't optimize bandwidth before disabling planes + +From: Aric Cyr + +[ Upstream commit 6ad98e8aeb0106f453bb154933e8355849244990 ] + +[Why] +There is a window of time where we optimize bandwidth due to no streams +enabled will enable PSTATE changing but HUBPs are not disabled yet. +This results in underflow counter increasing in some hotplug scenarios. + +[How] +Set the optimize-bandwidth flag for later processing once all the HUBPs +are properly disabled. + +Signed-off-by: Aric Cyr +Acked-by: Bindu Ramamurthy +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 68d56a91d44b..092db590087c 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -1961,7 +1961,8 @@ static void commit_planes_do_stream_update(struct dc *dc, + if (pipe_ctx->stream_res.audio && !dc->debug.az_endpoint_mute_only) + pipe_ctx->stream_res.audio->funcs->az_disable(pipe_ctx->stream_res.audio); + +- dc->hwss.optimize_bandwidth(dc, dc->current_state); ++ dc->optimized_required = true; ++ + } else { + if (!dc->optimize_seamless_boot) + dc->hwss.prepare_bandwidth(dc, dc->current_state); +-- +2.30.2 + diff --git a/queue-5.4/drm-amd-display-fix-dml-prefetch-validation.patch b/queue-5.4/drm-amd-display-fix-dml-prefetch-validation.patch new file mode 100644 index 00000000000..d679f050395 --- /dev/null +++ b/queue-5.4/drm-amd-display-fix-dml-prefetch-validation.patch @@ -0,0 +1,49 @@ +From 11afb75ab9162c8c563c7e6dee20f0aeaecf31eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Mar 2021 11:04:26 -0500 +Subject: drm/amd/display: fix dml prefetch validation + +From: Dmytro Laktyushkin + +[ Upstream commit 8ee0fea4baf90e43efe2275de208a7809f9985bc ] + +Incorrect variable used, missing initialization during validation. + +Tested-by: Daniel Wheeler +Signed-off-by: Dmytro Laktyushkin +Reviewed-by: Eric Bernstein +Acked-by: Solomon Chiu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c | 1 + + drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20v2.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c +index 6c6c486b774a..945d23ca3677 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c +@@ -3435,6 +3435,7 @@ void dml20_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l + mode_lib->vba.DCCEnabledInAnyPlane = true; + } + } ++ mode_lib->vba.UrgentLatency = mode_lib->vba.UrgentLatencyPixelDataOnly; + for (i = 0; i <= mode_lib->vba.soc.num_states; i++) { + locals->FabricAndDRAMBandwidthPerState[i] = dml_min( + mode_lib->vba.DRAMSpeedPerState[i] * mode_lib->vba.NumberOfChannels +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20v2.c b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20v2.c +index 0fafd693ffb4..5b5ed1be19ba 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20v2.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20v2.c +@@ -3467,6 +3467,7 @@ void dml20v2_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode + mode_lib->vba.DCCEnabledInAnyPlane = true; + } + } ++ mode_lib->vba.UrgentLatency = mode_lib->vba.UrgentLatencyPixelDataOnly; + for (i = 0; i <= mode_lib->vba.soc.num_states; i++) { + locals->FabricAndDRAMBandwidthPerState[i] = dml_min( + mode_lib->vba.DRAMSpeedPerState[i] * mode_lib->vba.NumberOfChannels +-- +2.30.2 + diff --git a/queue-5.4/drm-amd-display-fix-ubsan-warning-for-not-a-valid-va.patch b/queue-5.4/drm-amd-display-fix-ubsan-warning-for-not-a-valid-va.patch new file mode 100644 index 00000000000..ea04753f2ec --- /dev/null +++ b/queue-5.4/drm-amd-display-fix-ubsan-warning-for-not-a-valid-va.patch @@ -0,0 +1,58 @@ +From adf31c0f6bedf43891f2574ff8939bab495b6173 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Mar 2021 16:16:36 -0500 +Subject: drm/amd/display: Fix UBSAN warning for not a valid value for type + '_Bool' + +From: Anson Jacob + +[ Upstream commit 6a30a92997eee49554f72b462dce90abe54a496f ] + +[Why] +dc_cursor_position do not initialise position.translate_by_source when +crtc or plane->state->fb is NULL. UBSAN caught this error in +dce110_set_cursor_position, as the value was garbage. + +[How] +Initialise dc_cursor_position structure elements to 0 in handle_cursor_update +before calling get_cursor_position. + +Tested-by: Daniel Wheeler +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1471 +Reported-by: Lyude Paul +Signed-off-by: Anson Jacob +Reviewed-by: Aurabindo Jayamohanan Pillai +Acked-by: Solomon Chiu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 2626aacf492f..1aec841fda35 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -5372,10 +5372,6 @@ static int get_cursor_position(struct drm_plane *plane, struct drm_crtc *crtc, + int x, y; + int xorigin = 0, yorigin = 0; + +- position->enable = false; +- position->x = 0; +- position->y = 0; +- + if (!crtc || !plane->state->fb) + return 0; + +@@ -5427,7 +5423,7 @@ static void handle_cursor_update(struct drm_plane *plane, + struct dm_crtc_state *crtc_state = crtc ? to_dm_crtc_state(crtc->state) : NULL; + struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc); + uint64_t address = afb ? afb->address : 0; +- struct dc_cursor_position position; ++ struct dc_cursor_position position = {0}; + struct dc_cursor_attributes attributes; + int ret; + +-- +2.30.2 + diff --git a/queue-5.4/drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch b/queue-5.4/drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch new file mode 100644 index 00000000000..42bc25b7e4a --- /dev/null +++ b/queue-5.4/drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch @@ -0,0 +1,37 @@ +From 22fa469981e334bf1be1cab60f457388b9d269b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Mar 2021 10:30:15 -0500 +Subject: drm/amdgpu : Fix asic reset regression issue introduce by + 8f211fe8ac7c4f + +From: shaoyunl + +[ Upstream commit c8941550aa66b2a90f4b32c45d59e8571e33336e ] + +This recent change introduce SDMA interrupt info printing with irq->process function. +These functions do not require a set function to enable/disable the irq + +Signed-off-by: shaoyunl +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c +index 2a3f5ec298db..76429932035e 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c +@@ -469,7 +469,7 @@ void amdgpu_irq_gpu_reset_resume_helper(struct amdgpu_device *adev) + for (j = 0; j < AMDGPU_MAX_IRQ_SRC_ID; ++j) { + struct amdgpu_irq_src *src = adev->irq.client[i].sources[j]; + +- if (!src) ++ if (!src || !src->funcs || !src->funcs->set) + continue; + for (k = 0; k < src->num_types; k++) + amdgpu_irq_update(adev, src, k); +-- +2.30.2 + diff --git a/queue-5.4/drm-amdgpu-fix-null-pointer-dereference.patch b/queue-5.4/drm-amdgpu-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..aa225f3057f --- /dev/null +++ b/queue-5.4/drm-amdgpu-fix-null-pointer-dereference.patch @@ -0,0 +1,60 @@ +From 32a1ce4539839742b42225613ac3f49a3b40ca1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Mar 2021 17:52:18 +0800 +Subject: drm/amdgpu: fix NULL pointer dereference +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guchun Chen + +[ Upstream commit 3c3dc654333f6389803cdcaf03912e94173ae510 ] + +ttm->sg needs to be checked before accessing its child member. + +Call Trace: + amdgpu_ttm_backend_destroy+0x12/0x70 [amdgpu] + ttm_bo_cleanup_memtype_use+0x3a/0x60 [ttm] + ttm_bo_release+0x17d/0x300 [ttm] + amdgpu_bo_unref+0x1a/0x30 [amdgpu] + amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x78b/0x8b0 [amdgpu] + kfd_ioctl_alloc_memory_of_gpu+0x118/0x220 [amdgpu] + kfd_ioctl+0x222/0x400 [amdgpu] + ? kfd_dev_is_large_bar+0x90/0x90 [amdgpu] + __x64_sys_ioctl+0x8e/0xd0 + ? __context_tracking_exit+0x52/0x90 + do_syscall_64+0x33/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7f97f264d317 +Code: b3 66 90 48 8b 05 71 4b 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 41 4b 2d 00 f7 d8 64 89 01 48 +RSP: 002b:00007ffdb402c338 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f97f3cc63a0 RCX: 00007f97f264d317 +RDX: 00007ffdb402c380 RSI: 00000000c0284b16 RDI: 0000000000000003 +RBP: 00007ffdb402c380 R08: 00007ffdb402c428 R09: 00000000c4000004 +R10: 00000000c4000004 R11: 0000000000000246 R12: 00000000c0284b16 +R13: 0000000000000003 R14: 00007f97f3cc63a0 R15: 00007f8836200000 + +Signed-off-by: Guchun Chen +Acked-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +index c6a1dfe79e80..91e3a87b1de8 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +@@ -984,7 +984,7 @@ static void amdgpu_ttm_tt_unpin_userptr(struct ttm_tt *ttm) + DMA_BIDIRECTIONAL : DMA_TO_DEVICE; + + /* double check that we don't free the table twice */ +- if (!ttm->sg->sgl) ++ if (!ttm->sg || !ttm->sg->sgl) + return; + + /* unmap the pages mapped to the device */ +-- +2.30.2 + diff --git a/queue-5.4/drm-amdgpu-mask-the-xgmi-number-of-hops-reported-fro.patch b/queue-5.4/drm-amdgpu-mask-the-xgmi-number-of-hops-reported-fro.patch new file mode 100644 index 00000000000..af215ac3c76 --- /dev/null +++ b/queue-5.4/drm-amdgpu-mask-the-xgmi-number-of-hops-reported-fro.patch @@ -0,0 +1,55 @@ +From 164c442056a6ba9f07997c2874450984c27697ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jan 2021 15:24:59 -0500 +Subject: drm/amdgpu: mask the xgmi number of hops reported from psp to kfd + +From: Jonathan Kim + +[ Upstream commit 4ac5617c4b7d0f0a8f879997f8ceaa14636d7554 ] + +The psp supplies the link type in the upper 2 bits of the psp xgmi node +information num_hops field. With a new link type, Aldebaran has these +bits set to a non-zero value (1 = xGMI3) so the KFD topology will report +the incorrect IO link weights without proper masking. +The actual number of hops is located in the 3 least significant bits of +this field so mask if off accordingly before passing it to the KFD. + +Signed-off-by: Jonathan Kim +Reviewed-by: Amber Lin +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c +index 65aae75f80fd..ce1048bad158 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c +@@ -311,15 +311,22 @@ int amdgpu_xgmi_update_topology(struct amdgpu_hive_info *hive, struct amdgpu_dev + } + + ++/* ++ * NOTE psp_xgmi_node_info.num_hops layout is as follows: ++ * num_hops[7:6] = link type (0 = xGMI2, 1 = xGMI3, 2/3 = reserved) ++ * num_hops[5:3] = reserved ++ * num_hops[2:0] = number of hops ++ */ + int amdgpu_xgmi_get_hops_count(struct amdgpu_device *adev, + struct amdgpu_device *peer_adev) + { + struct psp_xgmi_topology_info *top = &adev->psp.xgmi_context.top_info; ++ uint8_t num_hops_mask = 0x7; + int i; + + for (i = 0 ; i < top->num_nodes; ++i) + if (top->nodes[i].node_id == peer_adev->gmc.xgmi.node_id) +- return top->nodes[i].num_hops; ++ return top->nodes[i].num_hops & num_hops_mask; + return -EINVAL; + } + +-- +2.30.2 + diff --git a/queue-5.4/drm-amdkfd-fix-cat-debugfs-hang_hws-file-causes-syst.patch b/queue-5.4/drm-amdkfd-fix-cat-debugfs-hang_hws-file-causes-syst.patch new file mode 100644 index 00000000000..94e68d3083f --- /dev/null +++ b/queue-5.4/drm-amdkfd-fix-cat-debugfs-hang_hws-file-causes-syst.patch @@ -0,0 +1,81 @@ +From ec984f19f578651e5480b58bf485624d91cdf6c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 16:28:18 +0800 +Subject: drm/amdkfd: Fix cat debugfs hang_hws file causes system crash bug + +From: Qu Huang + +[ Upstream commit d73610211eec8aa027850982b1a48980aa1bc96e ] + +Here is the system crash log: +[ 1272.884438] BUG: unable to handle kernel NULL pointer dereference at +(null) +[ 1272.884444] IP: [< (null)>] (null) +[ 1272.884447] PGD 825b09067 PUD 8267c8067 PMD 0 +[ 1272.884452] Oops: 0010 [#1] SMP +[ 1272.884509] CPU: 13 PID: 3485 Comm: cat Kdump: loaded Tainted: G +[ 1272.884515] task: ffff9a38dbd4d140 ti: ffff9a37cd3b8000 task.ti: +ffff9a37cd3b8000 +[ 1272.884517] RIP: 0010:[<0000000000000000>] [< (null)>] +(null) +[ 1272.884520] RSP: 0018:ffff9a37cd3bbe68 EFLAGS: 00010203 +[ 1272.884522] RAX: 0000000000000000 RBX: 0000000000000000 RCX: +0000000000014d5f +[ 1272.884524] RDX: fffffffffffffff4 RSI: 0000000000000001 RDI: +ffff9a38aca4d200 +[ 1272.884526] RBP: ffff9a37cd3bbed0 R08: ffff9a38dcd5f1a0 R09: +ffff9a31ffc07300 +[ 1272.884527] R10: ffff9a31ffc07300 R11: ffffffffaddd5e9d R12: +ffff9a38b4e0fb00 +[ 1272.884529] R13: 0000000000000001 R14: ffff9a37cd3bbf18 R15: +ffff9a38aca4d200 +[ 1272.884532] FS: 00007feccaa67740(0000) GS:ffff9a38dcd40000(0000) +knlGS:0000000000000000 +[ 1272.884534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1272.884536] CR2: 0000000000000000 CR3: 00000008267c0000 CR4: +00000000003407e0 +[ 1272.884537] Call Trace: +[ 1272.884544] [] ? seq_read+0x130/0x440 +[ 1272.884548] [] vfs_read+0x9f/0x170 +[ 1272.884552] [] SyS_read+0x7f/0xf0 +[ 1272.884557] [] system_call_fastpath+0x22/0x27 +[ 1272.884558] Code: Bad RIP value. +[ 1272.884562] RIP [< (null)>] (null) +[ 1272.884564] RSP +[ 1272.884566] CR2: 0000000000000000 + +Signed-off-by: Qu Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_debugfs.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_debugfs.c b/drivers/gpu/drm/amd/amdkfd/kfd_debugfs.c +index 511712c2e382..673d5e34f213 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_debugfs.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_debugfs.c +@@ -33,6 +33,11 @@ static int kfd_debugfs_open(struct inode *inode, struct file *file) + + return single_open(file, show, NULL); + } ++static int kfd_debugfs_hang_hws_read(struct seq_file *m, void *data) ++{ ++ seq_printf(m, "echo gpu_id > hang_hws\n"); ++ return 0; ++} + + static ssize_t kfd_debugfs_hang_hws_write(struct file *file, + const char __user *user_buf, size_t size, loff_t *ppos) +@@ -94,7 +99,7 @@ void kfd_debugfs_init(void) + debugfs_create_file("rls", S_IFREG | 0444, debugfs_root, + kfd_debugfs_rls_by_device, &kfd_debugfs_fops); + debugfs_create_file("hang_hws", S_IFREG | 0200, debugfs_root, +- NULL, &kfd_debugfs_hang_hws_fops); ++ kfd_debugfs_hang_hws_read, &kfd_debugfs_hang_hws_fops); + } + + void kfd_debugfs_fini(void) +-- +2.30.2 + diff --git a/queue-5.4/drm-amdkfd-fix-ubsan-shift-out-of-bounds-warning.patch b/queue-5.4/drm-amdkfd-fix-ubsan-shift-out-of-bounds-warning.patch new file mode 100644 index 00000000000..ce18c813e3a --- /dev/null +++ b/queue-5.4/drm-amdkfd-fix-ubsan-shift-out-of-bounds-warning.patch @@ -0,0 +1,67 @@ +From 46bea7d5eb16c82068b3e8cca18df8bae89c72de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Mar 2021 12:33:15 -0500 +Subject: drm/amdkfd: Fix UBSAN shift-out-of-bounds warning + +From: Anson Jacob + +[ Upstream commit 50e2fc36e72d4ad672032ebf646cecb48656efe0 ] + +If get_num_sdma_queues or get_num_xgmi_sdma_queues is 0, we end up +doing a shift operation where the number of bits shifted equals +number of bits in the operand. This behaviour is undefined. + +Set num_sdma_queues or num_xgmi_sdma_queues to ULLONG_MAX, if the +count is >= number of bits in the operand. + +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1472 + +Reported-by: Lyude Paul +Signed-off-by: Anson Jacob +Reviewed-by: Alex Deucher +Reviewed-by: Felix Kuehling +Tested-by: Lyude Paul +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/amdkfd/kfd_device_queue_manager.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +index e9a278440079..ab69898c9cb7 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -1011,6 +1011,9 @@ static int set_sched_resources(struct device_queue_manager *dqm) + + static int initialize_cpsch(struct device_queue_manager *dqm) + { ++ uint64_t num_sdma_queues; ++ uint64_t num_xgmi_sdma_queues; ++ + pr_debug("num of pipes: %d\n", get_pipes_per_mec(dqm)); + + mutex_init(&dqm->lock_hidden); +@@ -1019,8 +1022,18 @@ static int initialize_cpsch(struct device_queue_manager *dqm) + dqm->sdma_queue_count = 0; + dqm->xgmi_sdma_queue_count = 0; + dqm->active_runlist = false; +- dqm->sdma_bitmap = ~0ULL >> (64 - get_num_sdma_queues(dqm)); +- dqm->xgmi_sdma_bitmap = ~0ULL >> (64 - get_num_xgmi_sdma_queues(dqm)); ++ ++ num_sdma_queues = get_num_sdma_queues(dqm); ++ if (num_sdma_queues >= BITS_PER_TYPE(dqm->sdma_bitmap)) ++ dqm->sdma_bitmap = ULLONG_MAX; ++ else ++ dqm->sdma_bitmap = (BIT_ULL(num_sdma_queues) - 1); ++ ++ num_xgmi_sdma_queues = get_num_xgmi_sdma_queues(dqm); ++ if (num_xgmi_sdma_queues >= BITS_PER_TYPE(dqm->xgmi_sdma_bitmap)) ++ dqm->xgmi_sdma_bitmap = ULLONG_MAX; ++ else ++ dqm->xgmi_sdma_bitmap = (BIT_ULL(num_xgmi_sdma_queues) - 1); + + INIT_WORK(&dqm->hw_exception_work, kfd_process_hw_exception); + +-- +2.30.2 + diff --git a/queue-5.4/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch b/queue-5.4/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch new file mode 100644 index 00000000000..117c4eee5de --- /dev/null +++ b/queue-5.4/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch @@ -0,0 +1,57 @@ +From 2821d1bcfa6505de280ff19749dd30a09cc56c5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 23:47:24 +0200 +Subject: drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal + +From: Marijn Suijten + +[ Upstream commit 2ad52bdb220de5ab348098e3482b01235d15a842 ] + +Leaving this at a close-to-maximum register value 0xFFF0 means it takes +very long for the MDSS to generate a software vsync interrupt when the +hardware TE interrupt doesn't arrive. Configuring this to double the +vtotal (like some downstream kernels) leads to a frame to take at most +twice before the vsync signal, until hardware TE comes up. + +In this case the hardware interrupt responsible for providing this +signal - "disp-te" gpio - is not hooked up to the mdp5 vsync/pp logic at +all. This solves severe panel update issues observed on at least the +Xperia Loire and Tone series, until said gpio is properly hooked up to +an irq. + +Suggested-by: AngeloGioacchino Del Regno +Signed-off-by: Marijn Suijten +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20210406214726.131534-2-marijn.suijten@somainline.org +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c +index eeef41fcd4e1..288f18cbf62d 100644 +--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c ++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c +@@ -70,9 +70,17 @@ static int pingpong_tearcheck_setup(struct drm_encoder *encoder, + | MDP5_PP_SYNC_CONFIG_VSYNC_IN_EN; + cfg |= MDP5_PP_SYNC_CONFIG_VSYNC_COUNT(vclks_line); + ++ /* ++ * Tearcheck emits a blanking signal every vclks_line * vtotal * 2 ticks on ++ * the vsync_clk equating to roughly half the desired panel refresh rate. ++ * This is only necessary as stability fallback if interrupts from the ++ * panel arrive too late or not at all, but is currently used by default ++ * because these panel interrupts are not wired up yet. ++ */ + mdp5_write(mdp5_kms, REG_MDP5_PP_SYNC_CONFIG_VSYNC(pp_id), cfg); + mdp5_write(mdp5_kms, +- REG_MDP5_PP_SYNC_CONFIG_HEIGHT(pp_id), 0xfff0); ++ REG_MDP5_PP_SYNC_CONFIG_HEIGHT(pp_id), (2 * mode->vtotal)); ++ + mdp5_write(mdp5_kms, + REG_MDP5_PP_VSYNC_INIT_VAL(pp_id), mode->vdisplay); + mdp5_write(mdp5_kms, REG_MDP5_PP_RD_PTR_IRQ(pp_id), mode->vdisplay + 1); +-- +2.30.2 + diff --git a/queue-5.4/drm-msm-mdp5-do-not-multiply-vclk-line-count-by-100.patch b/queue-5.4/drm-msm-mdp5-do-not-multiply-vclk-line-count-by-100.patch new file mode 100644 index 00000000000..7f451a0af83 --- /dev/null +++ b/queue-5.4/drm-msm-mdp5-do-not-multiply-vclk-line-count-by-100.patch @@ -0,0 +1,71 @@ +From 122704217c2bca7bd359f230588460ca0d42d7cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 23:47:25 +0200 +Subject: drm/msm/mdp5: Do not multiply vclk line count by 100 + +From: Marijn Suijten + +[ Upstream commit 377569f82ea8228c421cef4da33e056a900b58ca ] + +Neither vtotal nor drm_mode_vrefresh contain a value that is +premultiplied by 100 making the x100 variable name incorrect and +resulting in vclks_line to become 100 times larger than it is supposed +to be. The hardware counts 100 clockticks too many before tearcheck, +leading to severe panel issues on at least the Sony Xperia lineup. + +This is likely an artifact from the original MDSS DSI panel driver where +the calculation [1] corrected for a premultiplied reference framerate by +100 [2]. It does not appear that the above values were ever +premultiplied in the history of the DRM MDP5 driver. + +With this change applied the value written to the SYNC_CONFIG_VSYNC +register is now identical to downstream kernels. + +[1]: https://source.codeaurora.org/quic/la/kernel/msm-3.18/tree/drivers/video/msm/mdss/mdss_mdp_intf_cmd.c?h=LA.UM.8.6.c26-02400-89xx.0#n288 +[2]: https://source.codeaurora.org/quic/la/kernel/msm-3.18/tree/drivers/video/msm/mdss/mdss_dsi_panel.c?h=LA.UM.8.6.c26-02400-89xx.0#n1648 + +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Marijn Suijten +Link: https://lore.kernel.org/r/20210406214726.131534-3-marijn.suijten@somainline.org +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c +index 288f18cbf62d..0425400f44db 100644 +--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c ++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c +@@ -41,7 +41,7 @@ static int pingpong_tearcheck_setup(struct drm_encoder *encoder, + { + struct mdp5_kms *mdp5_kms = get_kms(encoder); + struct device *dev = encoder->dev->dev; +- u32 total_lines_x100, vclks_line, cfg; ++ u32 total_lines, vclks_line, cfg; + long vsync_clk_speed; + struct mdp5_hw_mixer *mixer = mdp5_crtc_get_mixer(encoder->crtc); + int pp_id = mixer->pp; +@@ -51,8 +51,8 @@ static int pingpong_tearcheck_setup(struct drm_encoder *encoder, + return -EINVAL; + } + +- total_lines_x100 = mode->vtotal * drm_mode_vrefresh(mode); +- if (!total_lines_x100) { ++ total_lines = mode->vtotal * drm_mode_vrefresh(mode); ++ if (!total_lines) { + DRM_DEV_ERROR(dev, "%s: vtotal(%d) or vrefresh(%d) is 0\n", + __func__, mode->vtotal, drm_mode_vrefresh(mode)); + return -EINVAL; +@@ -64,7 +64,7 @@ static int pingpong_tearcheck_setup(struct drm_encoder *encoder, + vsync_clk_speed); + return -EINVAL; + } +- vclks_line = vsync_clk_speed * 100 / total_lines_x100; ++ vclks_line = vsync_clk_speed / total_lines; + + cfg = MDP5_PP_SYNC_CONFIG_VSYNC_COUNTER_EN + | MDP5_PP_SYNC_CONFIG_VSYNC_IN_EN; +-- +2.30.2 + diff --git a/queue-5.4/drm-qxl-release-shadow-on-shutdown.patch b/queue-5.4/drm-qxl-release-shadow-on-shutdown.patch new file mode 100644 index 00000000000..a4b9976306a --- /dev/null +++ b/queue-5.4/drm-qxl-release-shadow-on-shutdown.patch @@ -0,0 +1,38 @@ +From b1b1a2af135e0ed16d501b8ed3862f043da1ed6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Feb 2021 15:57:06 +0100 +Subject: drm/qxl: release shadow on shutdown + +From: Gerd Hoffmann + +[ Upstream commit 4ca77c513537700d3fae69030879f781dde1904c ] + +In case we have a shadow surface on shutdown release +it so it doesn't leak. + +Signed-off-by: Gerd Hoffmann +Acked-by: Thomas Zimmermann +Link: http://patchwork.freedesktop.org/patch/msgid/20210204145712.1531203-6-kraxel@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/qxl/qxl_display.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c +index 9abf3dc5ef99..a6ee10cbcfdd 100644 +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -1237,6 +1237,10 @@ int qxl_modeset_init(struct qxl_device *qdev) + + void qxl_modeset_fini(struct qxl_device *qdev) + { ++ if (qdev->dumb_shadow_bo) { ++ drm_gem_object_put(&qdev->dumb_shadow_bo->tbo.base); ++ qdev->dumb_shadow_bo = NULL; ++ } + qxl_destroy_monitors_object(qdev); + drm_mode_config_cleanup(&qdev->ddev); + } +-- +2.30.2 + diff --git a/queue-5.4/drm-vkms-fix-misuse-of-warn_on.patch b/queue-5.4/drm-vkms-fix-misuse-of-warn_on.patch new file mode 100644 index 00000000000..fae120f6e83 --- /dev/null +++ b/queue-5.4/drm-vkms-fix-misuse-of-warn_on.patch @@ -0,0 +1,47 @@ +From 8f9d6bbd3a43b40b67c1d6d0e07dc4ccd0999a3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Mar 2021 14:28:40 +0100 +Subject: drm/vkms: fix misuse of WARN_ON + +From: Dmitry Vyukov + +[ Upstream commit b4142fc4d52d051d4d8df1fb6c569e5b445d369e ] + +vkms_vblank_simulate() uses WARN_ON for timing-dependent condition +(timer overrun). This is a mis-use of WARN_ON, WARN_ON must be used +to denote kernel bugs. Use pr_warn() instead. + +Signed-off-by: Dmitry Vyukov +Reported-by: syzbot+4fc21a003c8332eb0bdd@syzkaller.appspotmail.com +Cc: Rodrigo Siqueira +Cc: Melissa Wen +Cc: Haneen Mohammed +Cc: Daniel Vetter +Cc: David Airlie +Cc: dri-devel@lists.freedesktop.org +Cc: linux-kernel@vger.kernel.org +Acked-by: Melissa Wen +Signed-off-by: Melissa Wen +Link: https://patchwork.freedesktop.org/patch/msgid/20210320132840.1315853-1-dvyukov@google.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vkms/vkms_crtc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c +index 927dafaebc76..8b01fae65f43 100644 +--- a/drivers/gpu/drm/vkms/vkms_crtc.c ++++ b/drivers/gpu/drm/vkms/vkms_crtc.c +@@ -20,7 +20,8 @@ static enum hrtimer_restart vkms_vblank_simulate(struct hrtimer *timer) + + ret_overrun = hrtimer_forward_now(&output->vblank_hrtimer, + output->period_ns); +- WARN_ON(ret_overrun != 1); ++ if (ret_overrun != 1) ++ pr_warn("%s: vblank timer overrun\n", __func__); + + ret = drm_crtc_handle_vblank(crtc); + if (!ret) +-- +2.30.2 + diff --git a/queue-5.4/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch b/queue-5.4/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch new file mode 100644 index 00000000000..d8d62ad0c16 --- /dev/null +++ b/queue-5.4/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch @@ -0,0 +1,96 @@ +From 72ae0d8ade767effebd0a95ed5ed64cb0b4ceac9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Mar 2021 16:17:56 +0100 +Subject: extcon: arizona: Fix some issues when HPDET IRQ fires after the jack + has been unplugged + +From: Hans de Goede + +[ Upstream commit c309a3e8793f7e01c4a4ec7960658380572cb576 ] + +When the jack is partially inserted and then removed again it may be +removed while the hpdet code is running. In this case the following +may happen: + +1. The "JACKDET rise" or ""JACKDET fall" IRQ triggers +2. arizona_jackdet runs and takes info->lock +3. The "HPDET" IRQ triggers +4. arizona_hpdet_irq runs, blocks on info->lock +5. arizona_jackdet calls arizona_stop_mic() and clears info->hpdet_done +6. arizona_jackdet releases info->lock +7. arizona_hpdet_irq now can continue running and: +7.1 Calls arizona_start_mic() (if a mic was detected) +7.2 sets info->hpdet_done + +Step 7 is undesirable / a bug: +7.1 causes the device to stay in a high power-state (with MICVDD enabled) +7.2 causes hpdet to not run on the next jack insertion, which in turn + causes the EXTCON_JACK_HEADPHONE state to never get set + +This fixes both issues by skipping these 2 steps when arizona_hpdet_irq +runs after the jack has been unplugged. + +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Acked-by: Charles Keepax +Tested-by: Charles Keepax +Acked-by: Chanwoo Choi +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon-arizona.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c +index e970134c95fa..7f1cd61443ff 100644 +--- a/drivers/extcon/extcon-arizona.c ++++ b/drivers/extcon/extcon-arizona.c +@@ -597,7 +597,7 @@ static irqreturn_t arizona_hpdet_irq(int irq, void *data) + struct arizona *arizona = info->arizona; + int id_gpio = arizona->pdata.hpdet_id_gpio; + unsigned int report = EXTCON_JACK_HEADPHONE; +- int ret, reading; ++ int ret, reading, state; + bool mic = false; + + mutex_lock(&info->lock); +@@ -610,12 +610,11 @@ static irqreturn_t arizona_hpdet_irq(int irq, void *data) + } + + /* If the cable was removed while measuring ignore the result */ +- ret = extcon_get_state(info->edev, EXTCON_MECHANICAL); +- if (ret < 0) { +- dev_err(arizona->dev, "Failed to check cable state: %d\n", +- ret); ++ state = extcon_get_state(info->edev, EXTCON_MECHANICAL); ++ if (state < 0) { ++ dev_err(arizona->dev, "Failed to check cable state: %d\n", state); + goto out; +- } else if (!ret) { ++ } else if (!state) { + dev_dbg(arizona->dev, "Ignoring HPDET for removed cable\n"); + goto done; + } +@@ -668,7 +667,7 @@ done: + ARIZONA_ACCDET_MODE_MASK, ARIZONA_ACCDET_MODE_MIC); + + /* If we have a mic then reenable MICDET */ +- if (mic || info->mic) ++ if (state && (mic || info->mic)) + arizona_start_mic(info); + + if (info->hpdet_active) { +@@ -676,7 +675,9 @@ done: + info->hpdet_active = false; + } + +- info->hpdet_done = true; ++ /* Do not set hp_det done when the cable has been unplugged */ ++ if (state) ++ info->hpdet_done = true; + + out: + mutex_unlock(&info->lock); +-- +2.30.2 + diff --git a/queue-5.4/extcon-arizona-fix-various-races-on-driver-unbind.patch b/queue-5.4/extcon-arizona-fix-various-races-on-driver-unbind.patch new file mode 100644 index 00000000000..85de5ba4702 --- /dev/null +++ b/queue-5.4/extcon-arizona-fix-various-races-on-driver-unbind.patch @@ -0,0 +1,132 @@ +From 9b1b6d2215b6dbbb07cb56fdbd46a7ac84cc557c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Mar 2021 16:17:57 +0100 +Subject: extcon: arizona: Fix various races on driver unbind + +From: Hans de Goede + +[ Upstream commit e5b499f6fb17bc95a813e85d0796522280203806 ] + +We must free/disable all interrupts and cancel all pending works +before doing further cleanup. + +Before this commit arizona_extcon_remove() was doing several +register writes to shut things down before disabling the IRQs +and it was cancelling only 1 of the 3 different works used. + +Move all the register-writes shutting things down to after +the disabling of the IRQs and add the 2 missing +cancel_delayed_work_sync() calls. + +This fixes various possible races on driver unbind. One of which +would always trigger on devices using the mic-clamp feature for +jack detection. The ARIZONA_MICD_CLAMP_MODE_MASK update was +done before disabling the IRQs, causing: +1. arizona_jackdet() to run +2. detect a jack being inserted (clamp disabled means jack inserted) +3. call arizona_start_mic() which: +3.1 Enables the MICVDD regulator +3.2 takes a pm_runtime_reference + +And this was all happening after the ARIZONA_MICD_ENA bit clearing, +which would undo 3.1 and 3.2 because the ARIZONA_MICD_CLAMP_MODE_MASK +update was being done after the ARIZONA_MICD_ENA bit clearing. + +So this means that arizona_extcon_remove() would exit with +1. MICVDD enabled and 2. The pm_runtime_reference being unbalanced. + +MICVDD still being enabled caused the following oops when the +regulator is released by the devm framework: + +[ 2850.745757] ------------[ cut here ]------------ +[ 2850.745827] WARNING: CPU: 2 PID: 2098 at drivers/regulator/core.c:2123 _regulator_put.part.0+0x19f/0x1b0 +[ 2850.745835] Modules linked in: extcon_arizona ... +... +[ 2850.746909] Call Trace: +[ 2850.746932] regulator_put+0x2d/0x40 +[ 2850.746946] release_nodes+0x22a/0x260 +[ 2850.746984] __device_release_driver+0x190/0x240 +[ 2850.747002] driver_detach+0xd4/0x120 +... +[ 2850.747337] ---[ end trace f455dfd7abd9781f ]--- + +Note this oops is just one of various theoretically possible races caused +by the wrong ordering inside arizona_extcon_remove(), this fixes the +ordering fixing all possible races, including the reported oops. + +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Acked-by: Charles Keepax +Tested-by: Charles Keepax +Acked-by: Chanwoo Choi +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon-arizona.c | 40 +++++++++++++++++---------------- + 1 file changed, 21 insertions(+), 19 deletions(-) + +diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c +index 7f1cd61443ff..9a6103ac7118 100644 +--- a/drivers/extcon/extcon-arizona.c ++++ b/drivers/extcon/extcon-arizona.c +@@ -1725,25 +1725,6 @@ static int arizona_extcon_remove(struct platform_device *pdev) + bool change; + int ret; + +- ret = regmap_update_bits_check(arizona->regmap, ARIZONA_MIC_DETECT_1, +- ARIZONA_MICD_ENA, 0, +- &change); +- if (ret < 0) { +- dev_err(&pdev->dev, "Failed to disable micd on remove: %d\n", +- ret); +- } else if (change) { +- regulator_disable(info->micvdd); +- pm_runtime_put(info->dev); +- } +- +- gpiod_put(info->micd_pol_gpio); +- +- pm_runtime_disable(&pdev->dev); +- +- regmap_update_bits(arizona->regmap, +- ARIZONA_MICD_CLAMP_CONTROL, +- ARIZONA_MICD_CLAMP_MODE_MASK, 0); +- + if (info->micd_clamp) { + jack_irq_rise = ARIZONA_IRQ_MICD_CLAMP_RISE; + jack_irq_fall = ARIZONA_IRQ_MICD_CLAMP_FALL; +@@ -1759,10 +1740,31 @@ static int arizona_extcon_remove(struct platform_device *pdev) + arizona_free_irq(arizona, jack_irq_rise, info); + arizona_free_irq(arizona, jack_irq_fall, info); + cancel_delayed_work_sync(&info->hpdet_work); ++ cancel_delayed_work_sync(&info->micd_detect_work); ++ cancel_delayed_work_sync(&info->micd_timeout_work); ++ ++ ret = regmap_update_bits_check(arizona->regmap, ARIZONA_MIC_DETECT_1, ++ ARIZONA_MICD_ENA, 0, ++ &change); ++ if (ret < 0) { ++ dev_err(&pdev->dev, "Failed to disable micd on remove: %d\n", ++ ret); ++ } else if (change) { ++ regulator_disable(info->micvdd); ++ pm_runtime_put(info->dev); ++ } ++ ++ regmap_update_bits(arizona->regmap, ++ ARIZONA_MICD_CLAMP_CONTROL, ++ ARIZONA_MICD_CLAMP_MODE_MASK, 0); + regmap_update_bits(arizona->regmap, ARIZONA_JACK_DETECT_ANALOGUE, + ARIZONA_JD1_ENA, 0); + arizona_clk32k_disable(arizona); + ++ gpiod_put(info->micd_pol_gpio); ++ ++ pm_runtime_disable(&pdev->dev); ++ + return 0; + } + +-- +2.30.2 + diff --git a/queue-5.4/genirq-matrix-prevent-allocation-counter-corruption.patch b/queue-5.4/genirq-matrix-prevent-allocation-counter-corruption.patch new file mode 100644 index 00000000000..6a31098fb24 --- /dev/null +++ b/queue-5.4/genirq-matrix-prevent-allocation-counter-corruption.patch @@ -0,0 +1,51 @@ +From 2851398385c9a65a5680207947b9ca4494ae0473 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 12:18:23 +0100 +Subject: genirq/matrix: Prevent allocation counter corruption + +From: Vitaly Kuznetsov + +[ Upstream commit c93a5e20c3c2dabef8ea360a3d3f18c6f68233ab ] + +When irq_matrix_free() is called for an unallocated vector the +managed_allocated and total_allocated counters get out of sync with the +real state of the matrix. Later, when the last interrupt is freed, these +counters will underflow resulting in UINTMAX because the counters are +unsigned. + +While this is certainly a problem of the calling code, this can be catched +in the allocator by checking the allocation bit for the to be freed vector +which simplifies debugging. + +An example of the problem described above: +https://lore.kernel.org/lkml/20210318192819.636943062@linutronix.de/ + +Add the missing sanity check and emit a warning when it triggers. + +Suggested-by: Thomas Gleixner +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20210319111823.1105248-1-vkuznets@redhat.com +Signed-off-by: Sasha Levin +--- + kernel/irq/matrix.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/irq/matrix.c b/kernel/irq/matrix.c +index 651a4ad6d711..8e586858bcf4 100644 +--- a/kernel/irq/matrix.c ++++ b/kernel/irq/matrix.c +@@ -423,7 +423,9 @@ void irq_matrix_free(struct irq_matrix *m, unsigned int cpu, + if (WARN_ON_ONCE(bit < m->alloc_start || bit >= m->alloc_end)) + return; + +- clear_bit(bit, cm->alloc_map); ++ if (WARN_ON_ONCE(!test_and_clear_bit(bit, cm->alloc_map))) ++ return; ++ + cm->allocated--; + if(managed) + cm->managed_allocated--; +-- +2.30.2 + diff --git a/queue-5.4/intel_th-consistency-and-off-by-one-fix.patch b/queue-5.4/intel_th-consistency-and-off-by-one-fix.patch new file mode 100644 index 00000000000..2e5b7088e9d --- /dev/null +++ b/queue-5.4/intel_th-consistency-and-off-by-one-fix.patch @@ -0,0 +1,49 @@ +From a243b894db231d84f033f1ed70e92901c2751ed1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Apr 2021 20:12:49 +0300 +Subject: intel_th: Consistency and off-by-one fix + +From: Pavel Machek + +[ Upstream commit 18ffbc47d45a1489b664dd68fb3a7610a6e1dea3 ] + +Consistently use "< ... +1" in for loops. + +Fix of-by-one in for_each_set_bit(). + +Signed-off-by: Pavel Machek +Signed-off-by: Alexander Shishkin +Link: https://lore.kernel.org/lkml/20190724095841.GA6952@amd/ +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210414171251.14672-6-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/intel_th/gth.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwtracing/intel_th/gth.c b/drivers/hwtracing/intel_th/gth.c +index f72803a02391..28509b02a0b5 100644 +--- a/drivers/hwtracing/intel_th/gth.c ++++ b/drivers/hwtracing/intel_th/gth.c +@@ -543,7 +543,7 @@ static void intel_th_gth_disable(struct intel_th_device *thdev, + output->active = false; + + for_each_set_bit(master, gth->output[output->port].master, +- TH_CONFIGURABLE_MASTERS) { ++ TH_CONFIGURABLE_MASTERS + 1) { + gth_master_set(gth, master, -1); + } + spin_unlock(>h->gth_lock); +@@ -697,7 +697,7 @@ static void intel_th_gth_unassign(struct intel_th_device *thdev, + othdev->output.port = -1; + othdev->output.active = false; + gth->output[port].output = NULL; +- for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++) ++ for (master = 0; master < TH_CONFIGURABLE_MASTERS + 1; master++) + if (gth->master[master] == port) + gth->master[master] = -1; + spin_unlock(>h->gth_lock); +-- +2.30.2 + diff --git a/queue-5.4/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch b/queue-5.4/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch new file mode 100644 index 00000000000..d7b5d7f8731 --- /dev/null +++ b/queue-5.4/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch @@ -0,0 +1,43 @@ +From 760f8f60b048aca9451d908947ee02c920f21e06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 15:42:46 +0200 +Subject: media: adv7604: fix possible use-after-free in adv76xx_remove() + +From: Yang Yingliang + +[ Upstream commit fa56f5f1fe31c2050675fa63b84963ebd504a5b3 ] + +This driver's remove path calls cancel_delayed_work(). However, that +function does not wait until the work function finishes. This means +that the callback function may still be running after the driver's +remove function has finished, which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +the work is properly cancelled, no longer running, and unable +to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/adv7604.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c +index 2dedd6ebb236..b887299ac195 100644 +--- a/drivers/media/i2c/adv7604.c ++++ b/drivers/media/i2c/adv7604.c +@@ -3606,7 +3606,7 @@ static int adv76xx_remove(struct i2c_client *client) + io_write(sd, 0x6e, 0); + io_write(sd, 0x73, 0); + +- cancel_delayed_work(&state->delayed_work_enable_hotplug); ++ cancel_delayed_work_sync(&state->delayed_work_enable_hotplug); + v4l2_async_unregister_subdev(sd); + media_entity_cleanup(&sd->entity); + adv76xx_unregister_clients(to_state(sd)); +-- +2.30.2 + diff --git a/queue-5.4/media-drivers-media-pci-sta2x11-fix-kconfig-dependen.patch b/queue-5.4/media-drivers-media-pci-sta2x11-fix-kconfig-dependen.patch new file mode 100644 index 00000000000..2ed8f30aadf --- /dev/null +++ b/queue-5.4/media-drivers-media-pci-sta2x11-fix-kconfig-dependen.patch @@ -0,0 +1,45 @@ +From 361d7ce95316773ac40da13bd116fa6694a9a3d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Feb 2021 09:06:58 +0100 +Subject: media: drivers: media: pci: sta2x11: fix Kconfig dependency on + GPIOLIB + +From: Julian Braha + +[ Upstream commit 24df8b74c8b2fb42c49ffe8585562da0c96446ff ] + +When STA2X11_VIP is enabled, and GPIOLIB is disabled, +Kbuild gives the following warning: + +WARNING: unmet direct dependencies detected for VIDEO_ADV7180 + Depends on [n]: MEDIA_SUPPORT [=y] && GPIOLIB [=n] && VIDEO_V4L2 [=y] && I2C [=y] + Selected by [y]: + - STA2X11_VIP [=y] && MEDIA_SUPPORT [=y] && MEDIA_PCI_SUPPORT [=y] && MEDIA_CAMERA_SUPPORT [=y] && PCI [=y] && VIDEO_V4L2 [=y] && VIRT_TO_BUS [=y] && I2C [=y] && (STA2X11 [=n] || COMPILE_TEST [=y]) && MEDIA_SUBDRV_AUTOSELECT [=y] + +This is because STA2X11_VIP selects VIDEO_ADV7180 +without selecting or depending on GPIOLIB, +despite VIDEO_ADV7180 depending on GPIOLIB. + +Signed-off-by: Julian Braha +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/sta2x11/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/pci/sta2x11/Kconfig b/drivers/media/pci/sta2x11/Kconfig +index 011b766f0bff..d613feee8176 100644 +--- a/drivers/media/pci/sta2x11/Kconfig ++++ b/drivers/media/pci/sta2x11/Kconfig +@@ -2,6 +2,7 @@ + config STA2X11_VIP + tristate "STA2X11 VIP Video For Linux" + depends on STA2X11 || COMPILE_TEST ++ select GPIOLIB if MEDIA_SUBDRV_AUTOSELECT + select VIDEO_ADV7180 if MEDIA_SUBDRV_AUTOSELECT + select VIDEOBUF2_DMA_CONTIG + depends on PCI && VIDEO_V4L2 && VIRT_TO_BUS +-- +2.30.2 + diff --git a/queue-5.4/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch b/queue-5.4/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch new file mode 100644 index 00000000000..24326ec0d27 --- /dev/null +++ b/queue-5.4/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch @@ -0,0 +1,83 @@ +From 3bf163cc7de6fe64b350402fdaf60313638c93d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Mar 2021 21:32:19 +0200 +Subject: media: dvb-usb: fix memory leak in dvb_usb_adapter_init + +From: Pavel Skripkin + +[ Upstream commit b7cd0da982e3043f2eec7235ac5530cb18d6af1d ] + +syzbot reported memory leak in dvb-usb. The problem was +in invalid error handling in dvb_usb_adapter_init(). + +for (n = 0; n < d->props.num_adapters; n++) { +.... + if ((ret = dvb_usb_adapter_stream_init(adap)) || + (ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs)) || + (ret = dvb_usb_adapter_frontend_init(adap))) { + return ret; + } +... + d->num_adapters_initialized++; +... +} + +In case of error in dvb_usb_adapter_dvb_init() or +dvb_usb_adapter_dvb_init() d->num_adapters_initialized won't be +incremented, but dvb_usb_adapter_exit() relies on it: + + for (n = 0; n < d->num_adapters_initialized; n++) + +So, allocated objects won't be freed. + +Signed-off-by: Pavel Skripkin +Reported-by: syzbot+3c2be7424cea3b932b0e@syzkaller.appspotmail.com +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dvb-usb-init.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c +index 16a0b4a359ea..7c32c7b96520 100644 +--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c ++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c +@@ -79,11 +79,17 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs) + } + } + +- if ((ret = dvb_usb_adapter_stream_init(adap)) || +- (ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs)) || +- (ret = dvb_usb_adapter_frontend_init(adap))) { ++ ret = dvb_usb_adapter_stream_init(adap); ++ if (ret) + return ret; +- } ++ ++ ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs); ++ if (ret) ++ goto dvb_init_err; ++ ++ ret = dvb_usb_adapter_frontend_init(adap); ++ if (ret) ++ goto frontend_init_err; + + /* use exclusive FE lock if there is multiple shared FEs */ + if (adap->fe_adap[1].fe) +@@ -103,6 +109,12 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs) + } + + return 0; ++ ++frontend_init_err: ++ dvb_usb_adapter_dvb_exit(adap); ++dvb_init_err: ++ dvb_usb_adapter_stream_exit(adap); ++ return ret; + } + + static int dvb_usb_adapter_exit(struct dvb_usb_device *d) +-- +2.30.2 + diff --git a/queue-5.4/media-em28xx-fix-memory-leak.patch b/queue-5.4/media-em28xx-fix-memory-leak.patch new file mode 100644 index 00000000000..c9b0acfb2f9 --- /dev/null +++ b/queue-5.4/media-em28xx-fix-memory-leak.patch @@ -0,0 +1,41 @@ +From 2f01eb2bd7a923b58b6b5fdd034c499ba1ae2a3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 19:07:53 +0100 +Subject: media: em28xx: fix memory leak + +From: Muhammad Usama Anjum + +[ Upstream commit 0ae10a7dc8992ee682ff0b1752ff7c83d472eef1 ] + +If some error occurs, URB buffers should also be freed. If they aren't +freed with the dvb here, the em28xx_dvb_fini call doesn't frees the URB +buffers as dvb is set to NULL. The function in which error occurs should +do all the cleanup for the allocations it had done. + +Tested the patch with the reproducer provided by syzbot. This patch +fixes the memleak. + +Reported-by: syzbot+889397c820fa56adf25d@syzkaller.appspotmail.com +Signed-off-by: Muhammad Usama Anjum +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/em28xx/em28xx-dvb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c +index a73faf12f7e4..e1946237ac8c 100644 +--- a/drivers/media/usb/em28xx/em28xx-dvb.c ++++ b/drivers/media/usb/em28xx/em28xx-dvb.c +@@ -1924,6 +1924,7 @@ ret: + return result; + + out_free: ++ em28xx_uninit_usb_xfer(dev, EM28XX_DIGITAL_MODE); + kfree(dvb); + dev->dvb = NULL; + goto ret; +-- +2.30.2 + diff --git a/queue-5.4/media-gscpa-stv06xx-fix-memory-leak.patch b/queue-5.4/media-gscpa-stv06xx-fix-memory-leak.patch new file mode 100644 index 00000000000..73646b3d482 --- /dev/null +++ b/queue-5.4/media-gscpa-stv06xx-fix-memory-leak.patch @@ -0,0 +1,84 @@ +From 830fa12cdc134d4c3e89f57870f389246eb8e73c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 12:31:20 +0200 +Subject: media: gscpa/stv06xx: fix memory leak + +From: Hans Verkuil + +[ Upstream commit 4f4e6644cd876c844cdb3bea2dd7051787d5ae25 ] + +For two of the supported sensors the stv06xx driver allocates memory which +is stored in sd->sensor_priv. This memory is freed on a disconnect, but if +the probe() fails, then it isn't freed and so this leaks memory. + +Add a new probe_error() op that drivers can use to free any allocated +memory in case there was a probe failure. + +Thanks to Pavel Skripkin for discovering the cause +of the memory leak. + +Reported-and-tested-by: syzbot+e7f4c64a4248a0340c37@syzkaller.appspotmail.com + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/gspca/gspca.c | 2 ++ + drivers/media/usb/gspca/gspca.h | 1 + + drivers/media/usb/gspca/stv06xx/stv06xx.c | 9 +++++++++ + 3 files changed, 12 insertions(+) + +diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c +index 4210826cc910..e4d78e676e74 100644 +--- a/drivers/media/usb/gspca/gspca.c ++++ b/drivers/media/usb/gspca/gspca.c +@@ -1576,6 +1576,8 @@ out: + #endif + v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler); + v4l2_device_unregister(&gspca_dev->v4l2_dev); ++ if (sd_desc->probe_error) ++ sd_desc->probe_error(gspca_dev); + kfree(gspca_dev->usb_buf); + kfree(gspca_dev); + return ret; +diff --git a/drivers/media/usb/gspca/gspca.h b/drivers/media/usb/gspca/gspca.h +index b0ced2e14006..a6554d5e9e1a 100644 +--- a/drivers/media/usb/gspca/gspca.h ++++ b/drivers/media/usb/gspca/gspca.h +@@ -105,6 +105,7 @@ struct sd_desc { + cam_cf_op config; /* called on probe */ + cam_op init; /* called on probe and resume */ + cam_op init_controls; /* called on probe */ ++ cam_v_op probe_error; /* called if probe failed, do cleanup here */ + cam_op start; /* called on stream on after URBs creation */ + cam_pkt_op pkt_scan; + /* optional operations */ +diff --git a/drivers/media/usb/gspca/stv06xx/stv06xx.c b/drivers/media/usb/gspca/stv06xx/stv06xx.c +index 95673fc0a99c..d9bc2aacc885 100644 +--- a/drivers/media/usb/gspca/stv06xx/stv06xx.c ++++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c +@@ -529,12 +529,21 @@ static int sd_int_pkt_scan(struct gspca_dev *gspca_dev, + static int stv06xx_config(struct gspca_dev *gspca_dev, + const struct usb_device_id *id); + ++static void stv06xx_probe_error(struct gspca_dev *gspca_dev) ++{ ++ struct sd *sd = (struct sd *)gspca_dev; ++ ++ kfree(sd->sensor_priv); ++ sd->sensor_priv = NULL; ++} ++ + /* sub-driver description */ + static const struct sd_desc sd_desc = { + .name = MODULE_NAME, + .config = stv06xx_config, + .init = stv06xx_init, + .init_controls = stv06xx_init_controls, ++ .probe_error = stv06xx_probe_error, + .start = stv06xx_start, + .stopN = stv06xx_stopN, + .pkt_scan = stv06xx_pkt_scan, +-- +2.30.2 + diff --git a/queue-5.4/media-gspca-sq905.c-fix-uninitialized-variable.patch b/queue-5.4/media-gspca-sq905.c-fix-uninitialized-variable.patch new file mode 100644 index 00000000000..10a85ac93d0 --- /dev/null +++ b/queue-5.4/media-gspca-sq905.c-fix-uninitialized-variable.patch @@ -0,0 +1,36 @@ +From 1339552288d078d8c420229635dd6b79c5efe5ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Mar 2021 15:46:40 +0100 +Subject: media: gspca/sq905.c: fix uninitialized variable + +From: Hans Verkuil + +[ Upstream commit eaaea4681984c79d2b2b160387b297477f0c1aab ] + +act_len can be uninitialized if usb_bulk_msg() returns an error. +Set it to 0 to avoid a KMSAN error. + +Signed-off-by: Hans Verkuil +Reported-by: syzbot+a4e309017a5f3a24c7b3@syzkaller.appspotmail.com +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/gspca/sq905.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/gspca/sq905.c b/drivers/media/usb/gspca/sq905.c +index 863c485f4275..65a74060986a 100644 +--- a/drivers/media/usb/gspca/sq905.c ++++ b/drivers/media/usb/gspca/sq905.c +@@ -158,7 +158,7 @@ static int + sq905_read_data(struct gspca_dev *gspca_dev, u8 *data, int size, int need_lock) + { + int ret; +- int act_len; ++ int act_len = 0; + + gspca_dev->usb_buf[0] = '\0'; + if (need_lock) +-- +2.30.2 + diff --git a/queue-5.4/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch b/queue-5.4/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch new file mode 100644 index 00000000000..19d0b7dd1cd --- /dev/null +++ b/queue-5.4/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch @@ -0,0 +1,44 @@ +From 9eeb5474cc1684db6b7701af4c7d6b082508ba0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 15:48:12 +0200 +Subject: media: i2c: adv7511-v4l2: fix possible use-after-free in + adv7511_remove() + +From: Yang Yingliang + +[ Upstream commit 2c9541720c66899adf6f3600984cf3ef151295ad ] + +This driver's remove path calls cancel_delayed_work(). However, that +function does not wait until the work function finishes. This means +that the callback function may still be running after the driver's +remove function has finished, which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +the work is properly cancelled, no longer running, and unable +to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/adv7511-v4l2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/adv7511-v4l2.c b/drivers/media/i2c/adv7511-v4l2.c +index 62763ec4cd07..809fa44ed988 100644 +--- a/drivers/media/i2c/adv7511-v4l2.c ++++ b/drivers/media/i2c/adv7511-v4l2.c +@@ -1964,7 +1964,7 @@ static int adv7511_remove(struct i2c_client *client) + + adv7511_set_isr(sd, false); + adv7511_init_setup(sd); +- cancel_delayed_work(&state->edid_handler); ++ cancel_delayed_work_sync(&state->edid_handler); + i2c_unregister_device(state->i2c_edid); + i2c_unregister_device(state->i2c_cec); + i2c_unregister_device(state->i2c_pktmem); +-- +2.30.2 + diff --git a/queue-5.4/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch b/queue-5.4/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch new file mode 100644 index 00000000000..860e6b125e1 --- /dev/null +++ b/queue-5.4/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch @@ -0,0 +1,43 @@ +From 09a61498fd3756e05fce4d37b0019d3aa529d19b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 15:50:53 +0200 +Subject: media: i2c: adv7842: fix possible use-after-free in adv7842_remove() + +From: Yang Yingliang + +[ Upstream commit 4a15275b6a18597079f18241c87511406575179a ] + +This driver's remove path calls cancel_delayed_work(). However, that +function does not wait until the work function finishes. This means +that the callback function may still be running after the driver's +remove function has finished, which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +the work is properly cancelled, no longer running, and unable +to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/adv7842.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c +index 885619841719..02cbab826d0b 100644 +--- a/drivers/media/i2c/adv7842.c ++++ b/drivers/media/i2c/adv7842.c +@@ -3586,7 +3586,7 @@ static int adv7842_remove(struct i2c_client *client) + struct adv7842_state *state = to_state(sd); + + adv7842_irq_enable(sd, false); +- cancel_delayed_work(&state->delayed_work_enable_hotplug); ++ cancel_delayed_work_sync(&state->delayed_work_enable_hotplug); + v4l2_device_unregister_subdev(sd); + media_entity_cleanup(&sd->entity); + adv7842_unregister_clients(sd); +-- +2.30.2 + diff --git a/queue-5.4/media-i2c-tda1997-fix-possible-use-after-free-in-tda.patch b/queue-5.4/media-i2c-tda1997-fix-possible-use-after-free-in-tda.patch new file mode 100644 index 00000000000..b346c0f7a85 --- /dev/null +++ b/queue-5.4/media-i2c-tda1997-fix-possible-use-after-free-in-tda.patch @@ -0,0 +1,43 @@ +From ff4fbd66df6e918fdc8b24a86cdc6ba8b2c53b2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 15:49:45 +0200 +Subject: media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove() + +From: Yang Yingliang + +[ Upstream commit 7f820ab5d4eebfe2d970d32a76ae496a6c286f0f ] + +This driver's remove path calls cancel_delayed_work(). However, that +function does not wait until the work function finishes. This means +that the callback function may still be running after the driver's +remove function has finished, which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +the work is properly cancelled, no longer running, and unable +to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tda1997x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/tda1997x.c b/drivers/media/i2c/tda1997x.c +index 5e68182001ec..e43d8327b810 100644 +--- a/drivers/media/i2c/tda1997x.c ++++ b/drivers/media/i2c/tda1997x.c +@@ -2804,7 +2804,7 @@ static int tda1997x_remove(struct i2c_client *client) + media_entity_cleanup(&sd->entity); + v4l2_ctrl_handler_free(&state->hdl); + regulator_bulk_disable(TDA1997X_NUM_SUPPLIES, state->supplies); +- cancel_delayed_work(&state->delayed_work_enable_hpd); ++ cancel_delayed_work_sync(&state->delayed_work_enable_hpd); + mutex_destroy(&state->page_lock); + mutex_destroy(&state->lock); + +-- +2.30.2 + diff --git a/queue-5.4/media-imx-capture-return-epipe-from-__capture_legacy.patch b/queue-5.4/media-imx-capture-return-epipe-from-__capture_legacy.patch new file mode 100644 index 00000000000..278e405c3aa --- /dev/null +++ b/queue-5.4/media-imx-capture-return-epipe-from-__capture_legacy.patch @@ -0,0 +1,39 @@ +From 3d439fafe684148ee6633bd9de2957ec1b06a11b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Feb 2021 05:26:47 +0100 +Subject: media: imx: capture: Return -EPIPE from __capture_legacy_try_fmt() + +From: Laurent Pinchart + +[ Upstream commit cc271b6754691af74d710b761eaf027e3743e243 ] + +The correct return code to report an invalid pipeline configuration is +-EPIPE. Return it instead of -EINVAL from __capture_legacy_try_fmt() +when the capture format doesn't match the media bus format of the +connected subdev. + +Signed-off-by: Laurent Pinchart +Reviewed-by: Rui Miguel Silva +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/imx/imx-media-capture.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/media/imx/imx-media-capture.c b/drivers/staging/media/imx/imx-media-capture.c +index d151cd6d3188..fabbfceaa107 100644 +--- a/drivers/staging/media/imx/imx-media-capture.c ++++ b/drivers/staging/media/imx/imx-media-capture.c +@@ -553,7 +553,7 @@ static int capture_validate_fmt(struct capture_priv *priv) + priv->vdev.fmt.fmt.pix.height != f.fmt.pix.height || + priv->vdev.cc->cs != cc->cs || + priv->vdev.compose.width != compose.width || +- priv->vdev.compose.height != compose.height) ? -EINVAL : 0; ++ priv->vdev.compose.height != compose.height) ? -EPIPE : 0; + } + + static int capture_start_streaming(struct vb2_queue *vq, unsigned int count) +-- +2.30.2 + diff --git a/queue-5.4/media-ite-cir-check-for-receive-overflow.patch b/queue-5.4/media-ite-cir-check-for-receive-overflow.patch new file mode 100644 index 00000000000..3a0c1faf38a --- /dev/null +++ b/queue-5.4/media-ite-cir-check-for-receive-overflow.patch @@ -0,0 +1,41 @@ +From ffe18919fbc86dda42e3dc6bad23a89031e692b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Feb 2021 09:08:35 +0100 +Subject: media: ite-cir: check for receive overflow + +From: Sean Young + +[ Upstream commit 28c7afb07ccfc0a939bb06ac1e7afe669901c65a ] + +It's best if this condition is reported. + +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/ite-cir.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/rc/ite-cir.c b/drivers/media/rc/ite-cir.c +index 3ab6cec0dc3b..4b8aee390518 100644 +--- a/drivers/media/rc/ite-cir.c ++++ b/drivers/media/rc/ite-cir.c +@@ -276,8 +276,14 @@ static irqreturn_t ite_cir_isr(int irq, void *data) + /* read the interrupt flags */ + iflags = dev->params.get_irq_causes(dev); + ++ /* Check for RX overflow */ ++ if (iflags & ITE_IRQ_RX_FIFO_OVERRUN) { ++ dev_warn(&dev->rdev->dev, "receive overflow\n"); ++ ir_raw_event_reset(dev->rdev); ++ } ++ + /* check for the receive interrupt */ +- if (iflags & (ITE_IRQ_RX_FIFO | ITE_IRQ_RX_FIFO_OVERRUN)) { ++ if (iflags & ITE_IRQ_RX_FIFO) { + /* read the FIFO bytes */ + rx_bytes = + dev->params.get_rx_bytes(dev, rx_buf, +-- +2.30.2 + diff --git a/queue-5.4/media-media-saa7164-fix-saa7164_encoder_register-mem.patch b/queue-5.4/media-media-saa7164-fix-saa7164_encoder_register-mem.patch new file mode 100644 index 00000000000..0d414bd8702 --- /dev/null +++ b/queue-5.4/media-media-saa7164-fix-saa7164_encoder_register-mem.patch @@ -0,0 +1,87 @@ +From d05f0fb116a4b9bb9e0e933c91023ca84dd6ddcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Mar 2021 03:53:00 +0100 +Subject: media: media/saa7164: fix saa7164_encoder_register() memory leak bugs + +From: Daniel Niv + +[ Upstream commit c759b2970c561e3b56aa030deb13db104262adfe ] + +Add a fix for the memory leak bugs that can occur when the +saa7164_encoder_register() function fails. +The function allocates memory without explicitly freeing +it when errors occur. +Add a better error handling that deallocate the unused buffers before the +function exits during a fail. + +Signed-off-by: Daniel Niv +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7164/saa7164-encoder.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/media/pci/saa7164/saa7164-encoder.c b/drivers/media/pci/saa7164/saa7164-encoder.c +index 3fca7257a720..df494644b5b6 100644 +--- a/drivers/media/pci/saa7164/saa7164-encoder.c ++++ b/drivers/media/pci/saa7164/saa7164-encoder.c +@@ -1008,7 +1008,7 @@ int saa7164_encoder_register(struct saa7164_port *port) + printk(KERN_ERR "%s() failed (errno = %d), NO PCI configuration\n", + __func__, result); + result = -ENOMEM; +- goto failed; ++ goto fail_pci; + } + + /* Establish encoder defaults here */ +@@ -1062,7 +1062,7 @@ int saa7164_encoder_register(struct saa7164_port *port) + 100000, ENCODER_DEF_BITRATE); + if (hdl->error) { + result = hdl->error; +- goto failed; ++ goto fail_hdl; + } + + port->std = V4L2_STD_NTSC_M; +@@ -1080,7 +1080,7 @@ int saa7164_encoder_register(struct saa7164_port *port) + printk(KERN_INFO "%s: can't allocate mpeg device\n", + dev->name); + result = -ENOMEM; +- goto failed; ++ goto fail_hdl; + } + + port->v4l_device->ctrl_handler = hdl; +@@ -1091,10 +1091,7 @@ int saa7164_encoder_register(struct saa7164_port *port) + if (result < 0) { + printk(KERN_INFO "%s: can't register mpeg device\n", + dev->name); +- /* TODO: We're going to leak here if we don't dealloc +- The buffers above. The unreg function can't deal wit it. +- */ +- goto failed; ++ goto fail_reg; + } + + printk(KERN_INFO "%s: registered device video%d [mpeg]\n", +@@ -1116,9 +1113,14 @@ int saa7164_encoder_register(struct saa7164_port *port) + + saa7164_api_set_encoder(port); + saa7164_api_get_encoder(port); ++ return 0; + +- result = 0; +-failed: ++fail_reg: ++ video_device_release(port->v4l_device); ++ port->v4l_device = NULL; ++fail_hdl: ++ v4l2_ctrl_handler_free(hdl); ++fail_pci: + return result; + } + +-- +2.30.2 + diff --git a/queue-5.4/media-platform-sti-fix-runtime-pm-imbalance-in-regs_.patch b/queue-5.4/media-platform-sti-fix-runtime-pm-imbalance-in-regs_.patch new file mode 100644 index 00000000000..d647efe5ce0 --- /dev/null +++ b/queue-5.4/media-platform-sti-fix-runtime-pm-imbalance-in-regs_.patch @@ -0,0 +1,39 @@ +From 2ca489f7bf4b06bea92a360e42b1350d45f41ad9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 07:43:13 +0200 +Subject: media: platform: sti: Fix runtime PM imbalance in regs_show + +From: Dinghao Liu + +[ Upstream commit 69306a947b3ae21e0d1cbfc9508f00fec86c7297 ] + +pm_runtime_get_sync() will increase the runtime PM counter +even it returns an error. Thus a pairing decrement is needed +to prevent refcount leak. Fix this by replacing this API with +pm_runtime_resume_and_get(), which will not change the runtime +PM counter on error. + +Signed-off-by: Dinghao Liu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/bdisp/bdisp-debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/sti/bdisp/bdisp-debug.c b/drivers/media/platform/sti/bdisp/bdisp-debug.c +index 77ca7517fa3e..bae62af82643 100644 +--- a/drivers/media/platform/sti/bdisp/bdisp-debug.c ++++ b/drivers/media/platform/sti/bdisp/bdisp-debug.c +@@ -480,7 +480,7 @@ static int regs_show(struct seq_file *s, void *data) + int ret; + unsigned int i; + +- ret = pm_runtime_get_sync(bdisp->dev); ++ ret = pm_runtime_resume_and_get(bdisp->dev); + if (ret < 0) { + seq_puts(s, "Cannot wake up IP\n"); + return 0; +-- +2.30.2 + diff --git a/queue-5.4/media-tc358743-fix-possible-use-after-free-in-tc3587.patch b/queue-5.4/media-tc358743-fix-possible-use-after-free-in-tc3587.patch new file mode 100644 index 00000000000..914e1bc24eb --- /dev/null +++ b/queue-5.4/media-tc358743-fix-possible-use-after-free-in-tc3587.patch @@ -0,0 +1,43 @@ +From cc3529625a122aaed4f5506511282750cc097053 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 15:39:29 +0200 +Subject: media: tc358743: fix possible use-after-free in tc358743_remove() + +From: Yang Yingliang + +[ Upstream commit 6107a4fdf8554a7aa9488bdc835bb010062fa8a9 ] + +This driver's remove path calls cancel_delayed_work(). However, that +function does not wait until the work function finishes. This means +that the callback function may still be running after the driver's +remove function has finished, which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +the work is properly cancelled, no longer running, and unable +to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index cff99cf61ed4..114c084c4aec 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -2192,7 +2192,7 @@ static int tc358743_remove(struct i2c_client *client) + del_timer_sync(&state->timer); + flush_work(&state->work_i2c_poll); + } +- cancel_delayed_work(&state->delayed_work_enable_hotplug); ++ cancel_delayed_work_sync(&state->delayed_work_enable_hotplug); + cec_unregister_adapter(state->cec_adap); + v4l2_async_unregister_subdev(sd); + v4l2_device_unregister_subdev(sd); +-- +2.30.2 + diff --git a/queue-5.4/media-vivid-update-edid.patch b/queue-5.4/media-vivid-update-edid.patch new file mode 100644 index 00000000000..e8f7c8eef24 --- /dev/null +++ b/queue-5.4/media-vivid-update-edid.patch @@ -0,0 +1,56 @@ +From 0d089083cbcaa352c25300d0f0e96f17c98ddb99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 08:48:21 +0100 +Subject: media: vivid: update EDID + +From: Hans Verkuil + +[ Upstream commit 443ec4bbc6116f6f492a7a1282bfd8422c862158 ] + +The EDID had a few mistakes as reported by edid-decode: + +Block 1, CTA-861 Extension Block: + Video Data Block: For improved preferred timing interoperability, set 'Native detailed modes' to 1. + Video Capability Data Block: S_PT is equal to S_IT and S_CE, so should be set to 0 instead. + +Fixed those. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/vivid/vivid-core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/vivid/vivid-core.c b/drivers/media/platform/vivid/vivid-core.c +index f6a5cdbd74e7..cc71aa425597 100644 +--- a/drivers/media/platform/vivid/vivid-core.c ++++ b/drivers/media/platform/vivid/vivid-core.c +@@ -174,13 +174,13 @@ static const u8 vivid_hdmi_edid[256] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x7b, + +- 0x02, 0x03, 0x3f, 0xf0, 0x51, 0x61, 0x60, 0x5f, ++ 0x02, 0x03, 0x3f, 0xf1, 0x51, 0x61, 0x60, 0x5f, + 0x5e, 0x5d, 0x10, 0x1f, 0x04, 0x13, 0x22, 0x21, + 0x20, 0x05, 0x14, 0x02, 0x11, 0x01, 0x23, 0x09, + 0x07, 0x07, 0x83, 0x01, 0x00, 0x00, 0x6d, 0x03, + 0x0c, 0x00, 0x10, 0x00, 0x00, 0x3c, 0x21, 0x00, + 0x60, 0x01, 0x02, 0x03, 0x67, 0xd8, 0x5d, 0xc4, +- 0x01, 0x78, 0x00, 0x00, 0xe2, 0x00, 0xea, 0xe3, ++ 0x01, 0x78, 0x00, 0x00, 0xe2, 0x00, 0xca, 0xe3, + 0x05, 0x00, 0x00, 0xe3, 0x06, 0x01, 0x00, 0x4d, + 0xd0, 0x00, 0xa0, 0xf0, 0x70, 0x3e, 0x80, 0x30, + 0x20, 0x35, 0x00, 0xc0, 0x1c, 0x32, 0x00, 0x00, +@@ -189,7 +189,7 @@ static const u8 vivid_hdmi_edid[256] = { + 0x00, 0x00, 0x1a, 0x1a, 0x1d, 0x00, 0x80, 0x51, + 0xd0, 0x1c, 0x20, 0x40, 0x80, 0x35, 0x00, 0xc0, + 0x1c, 0x32, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x63, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x82, + }; + + static int vidioc_querycap(struct file *file, void *priv, +-- +2.30.2 + diff --git a/queue-5.4/mfd-arizona-fix-rumtime-pm-imbalance-on-error.patch b/queue-5.4/mfd-arizona-fix-rumtime-pm-imbalance-on-error.patch new file mode 100644 index 00000000000..6514b6456ab --- /dev/null +++ b/queue-5.4/mfd-arizona-fix-rumtime-pm-imbalance-on-error.patch @@ -0,0 +1,39 @@ +From 259e616ba57d16e224e7d86769ed4d9afef14b57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 13:11:49 +0800 +Subject: mfd: arizona: Fix rumtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit fe6df2b48043bbe1e852b2320501d3b169363c35 ] + +pm_runtime_get_sync() will increase the rumtime PM counter +even it returns an error. Thus a pairing decrement is needed +to prevent refcount leak. Fix this by replacing this API with +pm_runtime_resume_and_get(), which will not change the runtime +PM counter on error. + +Signed-off-by: Dinghao Liu +Acked-by: Charles Keepax +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/arizona-irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/arizona-irq.c b/drivers/mfd/arizona-irq.c +index 077d9ab112b7..d919ae9691e2 100644 +--- a/drivers/mfd/arizona-irq.c ++++ b/drivers/mfd/arizona-irq.c +@@ -100,7 +100,7 @@ static irqreturn_t arizona_irq_thread(int irq, void *data) + unsigned int val; + int ret; + +- ret = pm_runtime_get_sync(arizona->dev); ++ ret = pm_runtime_resume_and_get(arizona->dev); + if (ret < 0) { + dev_err(arizona->dev, "Failed to resume device: %d\n", ret); + return IRQ_NONE; +-- +2.30.2 + diff --git a/queue-5.4/mmc-sdhci-pci-add-pci-ids-for-intel-lkf.patch b/queue-5.4/mmc-sdhci-pci-add-pci-ids-for-intel-lkf.patch new file mode 100644 index 00000000000..cb8696a2460 --- /dev/null +++ b/queue-5.4/mmc-sdhci-pci-add-pci-ids-for-intel-lkf.patch @@ -0,0 +1,49 @@ +From 1094800cd90a490bc22f0d4f06e27e00b7cd518a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Mar 2021 07:53:56 +0200 +Subject: mmc: sdhci-pci: Add PCI IDs for Intel LKF + +From: Adrian Hunter + +[ Upstream commit ee629112be8b4eff71d4d3d108a28bc7dc877e13 ] + +Add PCI IDs for Intel LKF eMMC and SD card host controllers. + +Signed-off-by: Adrian Hunter +Link: https://lore.kernel.org/r/20210322055356.24923-1-adrian.hunter@intel.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-pci-core.c | 2 ++ + drivers/mmc/host/sdhci-pci.h | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/drivers/mmc/host/sdhci-pci-core.c b/drivers/mmc/host/sdhci-pci-core.c +index 4ca7ab92c815..a9151bd27211 100644 +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -1934,6 +1934,8 @@ static const struct pci_device_id pci_ids[] = { + SDHCI_PCI_DEVICE(INTEL, CMLH_SD, intel_byt_sd), + SDHCI_PCI_DEVICE(INTEL, JSL_EMMC, intel_glk_emmc), + SDHCI_PCI_DEVICE(INTEL, JSL_SD, intel_byt_sd), ++ SDHCI_PCI_DEVICE(INTEL, LKF_EMMC, intel_glk_emmc), ++ SDHCI_PCI_DEVICE(INTEL, LKF_SD, intel_byt_sd), + SDHCI_PCI_DEVICE(O2, 8120, o2), + SDHCI_PCI_DEVICE(O2, 8220, o2), + SDHCI_PCI_DEVICE(O2, 8221, o2), +diff --git a/drivers/mmc/host/sdhci-pci.h b/drivers/mmc/host/sdhci-pci.h +index 981bbbe63aff..779156ce1ee1 100644 +--- a/drivers/mmc/host/sdhci-pci.h ++++ b/drivers/mmc/host/sdhci-pci.h +@@ -57,6 +57,8 @@ + #define PCI_DEVICE_ID_INTEL_CMLH_SD 0x06f5 + #define PCI_DEVICE_ID_INTEL_JSL_EMMC 0x4dc4 + #define PCI_DEVICE_ID_INTEL_JSL_SD 0x4df8 ++#define PCI_DEVICE_ID_INTEL_LKF_EMMC 0x98c4 ++#define PCI_DEVICE_ID_INTEL_LKF_SD 0x98f8 + + #define PCI_DEVICE_ID_SYSKONNECT_8000 0x8000 + #define PCI_DEVICE_ID_VIA_95D0 0x95d0 +-- +2.30.2 + diff --git a/queue-5.4/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch b/queue-5.4/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch new file mode 100644 index 00000000000..961e63fa7e5 --- /dev/null +++ b/queue-5.4/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch @@ -0,0 +1,72 @@ +From 07320e1da32fd8138440c87e66f302126ed6c6e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Mar 2021 16:51:40 +0100 +Subject: PCI: PM: Do not read power state in pci_enable_device_flags() + +From: Rafael J. Wysocki + +[ Upstream commit 4514d991d99211f225d83b7e640285f29f0755d0 ] + +It should not be necessary to update the current_state field of +struct pci_dev in pci_enable_device_flags() before calling +do_pci_enable_device() for the device, because none of the +code between that point and the pci_set_power_state() call in +do_pci_enable_device() invoked later depends on it. + +Moreover, doing that is actively harmful in some cases. For example, +if the given PCI device depends on an ACPI power resource whose _STA +method initially returns 0 ("off"), but the config space of the PCI +device is accessible and the power state retrieved from the +PCI_PM_CTRL register is D0, the current_state field in the struct +pci_dev representing that device will get out of sync with the +power.state of its ACPI companion object and that will lead to +power management issues going forward. + +To avoid such issues it is better to leave the current_state value +as is until it is changed to PCI_D0 by do_pci_enable_device() as +appropriate. However, the power state of the device is not changed +to PCI_D0 if it is already enabled when pci_enable_device_flags() +gets called for it, so update its current_state in that case, but +use pci_update_current_state() covering platform PM too for that. + +Link: https://lore.kernel.org/lkml/20210314000439.3138941-1-luzmaximilian@gmail.com/ +Reported-by: Maximilian Luz +Tested-by: Maximilian Luz +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 3c3bc9f58498..34a06e89e176 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -1666,20 +1666,10 @@ static int pci_enable_device_flags(struct pci_dev *dev, unsigned long flags) + int err; + int i, bars = 0; + +- /* +- * Power state could be unknown at this point, either due to a fresh +- * boot or a device removal call. So get the current power state +- * so that things like MSI message writing will behave as expected +- * (e.g. if the device really is in D0 at enable time). +- */ +- if (dev->pm_cap) { +- u16 pmcsr; +- pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr); +- dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK); +- } +- +- if (atomic_inc_return(&dev->enable_cnt) > 1) ++ if (atomic_inc_return(&dev->enable_cnt) > 1) { ++ pci_update_current_state(dev, dev->current_state); + return 0; /* already enabled */ ++ } + + bridge = pci_upstream_bridge(dev); + if (bridge) +-- +2.30.2 + diff --git a/queue-5.4/perf-arm_pmu_platform-fix-error-handling.patch b/queue-5.4/perf-arm_pmu_platform-fix-error-handling.patch new file mode 100644 index 00000000000..21393f4c9d2 --- /dev/null +++ b/queue-5.4/perf-arm_pmu_platform-fix-error-handling.patch @@ -0,0 +1,36 @@ +From aee9c0f2d94f98a110c0b1c097db5f9c3dd5c834 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Mar 2021 16:02:41 +0000 +Subject: perf/arm_pmu_platform: Fix error handling + +From: Robin Murphy + +[ Upstream commit e338cb6bef254821a8c095018fd27254d74bfd6a ] + +If we're aborting after failing to register the PMU device, +we probably don't want to leak the IRQs that we've claimed. + +Signed-off-by: Robin Murphy +Link: https://lore.kernel.org/r/53031a607fc8412a60024bfb3bb8cd7141f998f5.1616774562.git.robin.murphy@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm_pmu_platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/perf/arm_pmu_platform.c b/drivers/perf/arm_pmu_platform.c +index 933bd8410fc2..e35cb76c8d10 100644 +--- a/drivers/perf/arm_pmu_platform.c ++++ b/drivers/perf/arm_pmu_platform.c +@@ -236,7 +236,7 @@ int arm_pmu_device_probe(struct platform_device *pdev, + + ret = armpmu_register(pmu); + if (ret) +- goto out_free; ++ goto out_free_irqs; + + return 0; + +-- +2.30.2 + diff --git a/queue-5.4/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch b/queue-5.4/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch new file mode 100644 index 00000000000..f23b64a7f74 --- /dev/null +++ b/queue-5.4/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch @@ -0,0 +1,45 @@ +From 510de2a7c8cdfdfc23b228592c5dd8c656b19b65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 17:27:16 +0800 +Subject: phy: phy-twl4030-usb: Fix possible use-after-free in + twl4030_usb_remove() + +From: Yang Yingliang + +[ Upstream commit e1723d8b87b73ab363256e7ca3af3ddb75855680 ] + +This driver's remove path calls cancel_delayed_work(). However, that +function does not wait until the work function finishes. This means +that the callback function may still be running after the driver's +remove function has finished, which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +the work is properly cancelled, no longer running, and unable +to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20210407092716.3270248-1-yangyingliang@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/phy/ti/phy-twl4030-usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/ti/phy-twl4030-usb.c b/drivers/phy/ti/phy-twl4030-usb.c +index 9887f908f540..812e5409d359 100644 +--- a/drivers/phy/ti/phy-twl4030-usb.c ++++ b/drivers/phy/ti/phy-twl4030-usb.c +@@ -779,7 +779,7 @@ static int twl4030_usb_remove(struct platform_device *pdev) + + usb_remove_phy(&twl->phy); + pm_runtime_get_sync(twl->dev); +- cancel_delayed_work(&twl->id_workaround_work); ++ cancel_delayed_work_sync(&twl->id_workaround_work); + device_remove_file(twl->dev, &dev_attr_vbus); + + /* set transceiver mode to power on defaults */ +-- +2.30.2 + diff --git a/queue-5.4/platform-x86-intel_pmc_core-don-t-use-global-pmcdev-.patch b/queue-5.4/platform-x86-intel_pmc_core-don-t-use-global-pmcdev-.patch new file mode 100644 index 00000000000..651c14352db --- /dev/null +++ b/queue-5.4/platform-x86-intel_pmc_core-don-t-use-global-pmcdev-.patch @@ -0,0 +1,81 @@ +From 9a3fcbea27cb68765bcfceb6a31f7b8a7376c35a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Apr 2021 20:12:44 -0700 +Subject: platform/x86: intel_pmc_core: Don't use global pmcdev in quirks + +From: David E. Box + +[ Upstream commit c9f86d6ca6b5e23d30d16ade4b9fff5b922a610a ] + +The DMI callbacks, used for quirks, currently access the PMC by getting +the address a global pmc_dev struct. Instead, have the callbacks set a +global quirk specific variable. In probe, after calling dmi_check_system(), +pass pmc_dev to a function that will handle each quirk if its variable +condition is met. This allows removing the global pmc_dev later. + +Signed-off-by: David E. Box +Reviewed-by: Hans de Goede +Reviewed-by: Rajneesh Bhardwaj +Link: https://lore.kernel.org/r/20210417031252.3020837-2-david.e.box@linux.intel.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_pmc_core.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c +index 571b4754477c..4c1312f1616c 100644 +--- a/drivers/platform/x86/intel_pmc_core.c ++++ b/drivers/platform/x86/intel_pmc_core.c +@@ -831,9 +831,15 @@ static const struct pci_device_id pmc_pci_ids[] = { + * the platform BIOS enforces 24Mhx Crystal to shutdown + * before PMC can assert SLP_S0#. + */ ++static bool xtal_ignore; + static int quirk_xtal_ignore(const struct dmi_system_id *id) + { +- struct pmc_dev *pmcdev = &pmc; ++ xtal_ignore = true; ++ return 0; ++} ++ ++static void pmc_core_xtal_ignore(struct pmc_dev *pmcdev) ++{ + u32 value; + + value = pmc_core_reg_read(pmcdev, pmcdev->map->pm_vric1_offset); +@@ -842,7 +848,6 @@ static int quirk_xtal_ignore(const struct dmi_system_id *id) + /* Low Voltage Mode Enable */ + value &= ~SPT_PMC_VRIC1_SLPS0LVEN; + pmc_core_reg_write(pmcdev, pmcdev->map->pm_vric1_offset, value); +- return 0; + } + + static const struct dmi_system_id pmc_core_dmi_table[] = { +@@ -857,6 +862,14 @@ static const struct dmi_system_id pmc_core_dmi_table[] = { + {} + }; + ++static void pmc_core_do_dmi_quirks(struct pmc_dev *pmcdev) ++{ ++ dmi_check_system(pmc_core_dmi_table); ++ ++ if (xtal_ignore) ++ pmc_core_xtal_ignore(pmcdev); ++} ++ + static int pmc_core_probe(struct platform_device *pdev) + { + static bool device_initialized; +@@ -898,7 +911,7 @@ static int pmc_core_probe(struct platform_device *pdev) + mutex_init(&pmcdev->lock); + platform_set_drvdata(pdev, pmcdev); + pmcdev->pmc_xram_read_bit = pmc_core_check_read_lock_bit(); +- dmi_check_system(pmc_core_dmi_table); ++ pmc_core_do_dmi_quirks(pmcdev); + + pmc_core_dbgfs_register(pmcdev); + +-- +2.30.2 + diff --git a/queue-5.4/power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch b/queue-5.4/power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch new file mode 100644 index 00000000000..1f5b5e68b72 --- /dev/null +++ b/queue-5.4/power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch @@ -0,0 +1,134 @@ +From e66012ca54bff2bcb5816bc101c8371b642bc4c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Mar 2021 10:54:19 +0100 +Subject: power: supply: bq27xxx: fix power_avg for newer ICs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthias Schiffer + +[ Upstream commit c4d57c22ac65bd503716062a06fad55a01569cac ] + +On all newer bq27xxx ICs, the AveragePower register contains a signed +value; in addition to handling the raw value as unsigned, the driver +code also didn't convert it to µW as expected. + +At least for the BQ28Z610, the reference manual incorrectly states that +the value is in units of 1mW and not 10mW. I have no way of knowing +whether the manuals of other supported ICs contain the same error, or if +there are models that actually use 1mW. At least, the new code shouldn't +be *less* correct than the old version for any device. + +power_avg is removed from the cache structure, se we don't have to +extend it to store both a signed value and an error code. Always getting +an up-to-date value may be desirable anyways, as it avoids inconsistent +current and power readings when switching between charging and +discharging. + +Signed-off-by: Matthias Schiffer +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/bq27xxx_battery.c | 51 ++++++++++++++------------ + include/linux/power/bq27xxx_battery.h | 1 - + 2 files changed, 27 insertions(+), 25 deletions(-) + +diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c +index aff0a0a5e7f8..b1a37aa38880 100644 +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1499,27 +1499,6 @@ static int bq27xxx_battery_read_time(struct bq27xxx_device_info *di, u8 reg) + return tval * 60; + } + +-/* +- * Read an average power register. +- * Return < 0 if something fails. +- */ +-static int bq27xxx_battery_read_pwr_avg(struct bq27xxx_device_info *di) +-{ +- int tval; +- +- tval = bq27xxx_read(di, BQ27XXX_REG_AP, false); +- if (tval < 0) { +- dev_err(di->dev, "error reading average power register %02x: %d\n", +- BQ27XXX_REG_AP, tval); +- return tval; +- } +- +- if (di->opts & BQ27XXX_O_ZERO) +- return (tval * BQ27XXX_POWER_CONSTANT) / BQ27XXX_RS; +- else +- return tval; +-} +- + /* + * Returns true if a battery over temperature condition is detected + */ +@@ -1604,8 +1583,6 @@ void bq27xxx_battery_update(struct bq27xxx_device_info *di) + } + if (di->regs[BQ27XXX_REG_CYCT] != INVALID_REG_ADDR) + cache.cycle_count = bq27xxx_battery_read_cyct(di); +- if (di->regs[BQ27XXX_REG_AP] != INVALID_REG_ADDR) +- cache.power_avg = bq27xxx_battery_read_pwr_avg(di); + + /* We only have to read charge design full once */ + if (di->charge_design_full <= 0) +@@ -1668,6 +1645,32 @@ static int bq27xxx_battery_current(struct bq27xxx_device_info *di, + return 0; + } + ++/* ++ * Get the average power in µW ++ * Return < 0 if something fails. ++ */ ++static int bq27xxx_battery_pwr_avg(struct bq27xxx_device_info *di, ++ union power_supply_propval *val) ++{ ++ int power; ++ ++ power = bq27xxx_read(di, BQ27XXX_REG_AP, false); ++ if (power < 0) { ++ dev_err(di->dev, ++ "error reading average power register %02x: %d\n", ++ BQ27XXX_REG_AP, power); ++ return power; ++ } ++ ++ if (di->opts & BQ27XXX_O_ZERO) ++ val->intval = (power * BQ27XXX_POWER_CONSTANT) / BQ27XXX_RS; ++ else ++ /* Other gauges return a signed value in units of 10mW */ ++ val->intval = (int)((s16)power) * 10000; ++ ++ return 0; ++} ++ + static int bq27xxx_battery_status(struct bq27xxx_device_info *di, + union power_supply_propval *val) + { +@@ -1835,7 +1838,7 @@ static int bq27xxx_battery_get_property(struct power_supply *psy, + ret = bq27xxx_simple_value(di->cache.energy, val); + break; + case POWER_SUPPLY_PROP_POWER_AVG: +- ret = bq27xxx_simple_value(di->cache.power_avg, val); ++ ret = bq27xxx_battery_pwr_avg(di, val); + break; + case POWER_SUPPLY_PROP_HEALTH: + ret = bq27xxx_simple_value(di->cache.health, val); +diff --git a/include/linux/power/bq27xxx_battery.h b/include/linux/power/bq27xxx_battery.h +index 507c5e214c42..7413779484d5 100644 +--- a/include/linux/power/bq27xxx_battery.h ++++ b/include/linux/power/bq27xxx_battery.h +@@ -50,7 +50,6 @@ struct bq27xxx_reg_cache { + int capacity; + int energy; + int flags; +- int power_avg; + int health; + }; + +-- +2.30.2 + diff --git a/queue-5.4/power-supply-generic-adc-battery-fix-possible-use-af.patch b/queue-5.4/power-supply-generic-adc-battery-fix-possible-use-af.patch new file mode 100644 index 00000000000..474cc647878 --- /dev/null +++ b/queue-5.4/power-supply-generic-adc-battery-fix-possible-use-af.patch @@ -0,0 +1,43 @@ +From 9f129251f09f159b344fe1cf93a62f7d0810c9e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 17:17:06 +0800 +Subject: power: supply: generic-adc-battery: fix possible use-after-free in + gab_remove() + +From: Yang Yingliang + +[ Upstream commit b6cfa007b3b229771d9588970adb4ab3e0487f49 ] + +This driver's remove path calls cancel_delayed_work(). However, that +function does not wait until the work function finishes. This means +that the callback function may still be running after the driver's +remove function has finished, which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +the work is properly cancelled, no longer running, and unable +to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/generic-adc-battery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/generic-adc-battery.c b/drivers/power/supply/generic-adc-battery.c +index bc462d1ec963..97b0e873e87d 100644 +--- a/drivers/power/supply/generic-adc-battery.c ++++ b/drivers/power/supply/generic-adc-battery.c +@@ -382,7 +382,7 @@ static int gab_remove(struct platform_device *pdev) + } + + kfree(adc_bat->psy_desc.properties); +- cancel_delayed_work(&adc_bat->bat_work); ++ cancel_delayed_work_sync(&adc_bat->bat_work); + return 0; + } + +-- +2.30.2 + diff --git a/queue-5.4/power-supply-s3c_adc_battery-fix-possible-use-after-.patch b/queue-5.4/power-supply-s3c_adc_battery-fix-possible-use-after-.patch new file mode 100644 index 00000000000..da1e4c4b591 --- /dev/null +++ b/queue-5.4/power-supply-s3c_adc_battery-fix-possible-use-after-.patch @@ -0,0 +1,44 @@ +From b6c414d7d6237071964ad84c4a9ea958b655ce8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 17:19:03 +0800 +Subject: power: supply: s3c_adc_battery: fix possible use-after-free in + s3c_adc_bat_remove() + +From: Yang Yingliang + +[ Upstream commit 68ae256945d2abe9036a7b68af4cc65aff79d5b7 ] + +This driver's remove path calls cancel_delayed_work(). However, that +function does not wait until the work function finishes. This means +that the callback function may still be running after the driver's +remove function has finished, which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +the work is properly cancelled, no longer running, and unable +to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/s3c_adc_battery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/s3c_adc_battery.c b/drivers/power/supply/s3c_adc_battery.c +index 3d00b35cafc9..8be31f80035c 100644 +--- a/drivers/power/supply/s3c_adc_battery.c ++++ b/drivers/power/supply/s3c_adc_battery.c +@@ -394,7 +394,7 @@ static int s3c_adc_bat_remove(struct platform_device *pdev) + gpio_free(pdata->gpio_charge_finished); + } + +- cancel_delayed_work(&bat_work); ++ cancel_delayed_work_sync(&bat_work); + + if (pdata->exit) + pdata->exit(); +-- +2.30.2 + diff --git a/queue-5.4/power-supply-use-irqf_oneshot.patch b/queue-5.4/power-supply-use-irqf_oneshot.patch new file mode 100644 index 00000000000..efe7a3bc5b1 --- /dev/null +++ b/queue-5.4/power-supply-use-irqf_oneshot.patch @@ -0,0 +1,83 @@ +From 7f59debe31f6208e64618ecc3ecbd04cf9b0c9d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Mar 2021 19:21:33 +0800 +Subject: power: supply: Use IRQF_ONESHOT + +From: dongjian + +[ Upstream commit 2469b836fa835c67648acad17d62bc805236a6ea ] + +Fixes coccicheck error: + +drivers/power/supply/pm2301_charger.c:1089:7-27: ERROR: +drivers/power/supply/lp8788-charger.c:502:8-28: ERROR: +drivers/power/supply/tps65217_charger.c:239:8-33: ERROR: +drivers/power/supply/tps65090-charger.c:303:8-33: ERROR: + +Threaded IRQ with no primary handler requested without IRQF_ONESHOT + +Signed-off-by: dongjian +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/lp8788-charger.c | 2 +- + drivers/power/supply/pm2301_charger.c | 2 +- + drivers/power/supply/tps65090-charger.c | 2 +- + drivers/power/supply/tps65217_charger.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/power/supply/lp8788-charger.c b/drivers/power/supply/lp8788-charger.c +index e7931ffb7151..397e5a03b7d9 100644 +--- a/drivers/power/supply/lp8788-charger.c ++++ b/drivers/power/supply/lp8788-charger.c +@@ -501,7 +501,7 @@ static int lp8788_set_irqs(struct platform_device *pdev, + + ret = request_threaded_irq(virq, NULL, + lp8788_charger_irq_thread, +- 0, name, pchg); ++ IRQF_ONESHOT, name, pchg); + if (ret) + break; + } +diff --git a/drivers/power/supply/pm2301_charger.c b/drivers/power/supply/pm2301_charger.c +index 17749fc90e16..d2aff1cf4f79 100644 +--- a/drivers/power/supply/pm2301_charger.c ++++ b/drivers/power/supply/pm2301_charger.c +@@ -1095,7 +1095,7 @@ static int pm2xxx_wall_charger_probe(struct i2c_client *i2c_client, + ret = request_threaded_irq(gpio_to_irq(pm2->pdata->gpio_irq_number), + NULL, + pm2xxx_charger_irq[0].isr, +- pm2->pdata->irq_type, ++ pm2->pdata->irq_type | IRQF_ONESHOT, + pm2xxx_charger_irq[0].name, pm2); + + if (ret != 0) { +diff --git a/drivers/power/supply/tps65090-charger.c b/drivers/power/supply/tps65090-charger.c +index 6b0098e5a88b..0990b2fa6cd8 100644 +--- a/drivers/power/supply/tps65090-charger.c ++++ b/drivers/power/supply/tps65090-charger.c +@@ -301,7 +301,7 @@ static int tps65090_charger_probe(struct platform_device *pdev) + + if (irq != -ENXIO) { + ret = devm_request_threaded_irq(&pdev->dev, irq, NULL, +- tps65090_charger_isr, 0, "tps65090-charger", cdata); ++ tps65090_charger_isr, IRQF_ONESHOT, "tps65090-charger", cdata); + if (ret) { + dev_err(cdata->dev, + "Unable to register irq %d err %d\n", irq, +diff --git a/drivers/power/supply/tps65217_charger.c b/drivers/power/supply/tps65217_charger.c +index 814c2b81fdfe..ba33d1617e0b 100644 +--- a/drivers/power/supply/tps65217_charger.c ++++ b/drivers/power/supply/tps65217_charger.c +@@ -238,7 +238,7 @@ static int tps65217_charger_probe(struct platform_device *pdev) + for (i = 0; i < NUM_CHARGER_IRQS; i++) { + ret = devm_request_threaded_irq(&pdev->dev, irq[i], NULL, + tps65217_charger_irq, +- 0, "tps65217-charger", ++ IRQF_ONESHOT, "tps65217-charger", + charger); + if (ret) { + dev_err(charger->dev, +-- +2.30.2 + diff --git a/queue-5.4/s390-archrandom-add-parameter-check-for-s390_arch_ra.patch b/queue-5.4/s390-archrandom-add-parameter-check-for-s390_arch_ra.patch new file mode 100644 index 00000000000..e687c3713a0 --- /dev/null +++ b/queue-5.4/s390-archrandom-add-parameter-check-for-s390_arch_ra.patch @@ -0,0 +1,45 @@ +From 41b1aeeab33b4eacca39a53da028659b251e5931 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Apr 2021 08:23:12 +0200 +Subject: s390/archrandom: add parameter check for s390_arch_random_generate + +From: Harald Freudenberger + +[ Upstream commit 28096067686c5a5cbd4c35b079749bd805df5010 ] + +A review of the code showed, that this function which is exposed +within the whole kernel should do a parameter check for the +amount of bytes requested. If this requested bytes is too high +an unsigned int overflow could happen causing this function to +try to memcpy a really big memory chunk. + +This is not a security issue as there are only two invocations +of this function from arch/s390/include/asm/archrandom.h and both +are not exposed to userland. + +Reported-by: Sven Schnelle +Signed-off-by: Harald Freudenberger +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/crypto/arch_random.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/s390/crypto/arch_random.c b/arch/s390/crypto/arch_random.c +index dd95cdbd22ce..4cbb4b6d85a8 100644 +--- a/arch/s390/crypto/arch_random.c ++++ b/arch/s390/crypto/arch_random.c +@@ -53,6 +53,10 @@ static DECLARE_DELAYED_WORK(arch_rng_work, arch_rng_refill_buffer); + + bool s390_arch_random_generate(u8 *buf, unsigned int nbytes) + { ++ /* max hunk is ARCH_RNG_BUF_SIZE */ ++ if (nbytes > ARCH_RNG_BUF_SIZE) ++ return false; ++ + /* lock rng buffer */ + if (!spin_trylock(&arch_rng_lock)) + return false; +-- +2.30.2 + diff --git a/queue-5.4/sched-fair-ignore-percpu-threads-for-imbalance-pulls.patch b/queue-5.4/sched-fair-ignore-percpu-threads-for-imbalance-pulls.patch new file mode 100644 index 00000000000..75ca0eb2edf --- /dev/null +++ b/queue-5.4/sched-fair-ignore-percpu-threads-for-imbalance-pulls.patch @@ -0,0 +1,76 @@ +From caf6aebf184feb370eb93032cb1aa0523fa9e3e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 23:06:26 +0100 +Subject: sched/fair: Ignore percpu threads for imbalance pulls + +From: Lingutla Chandrasekhar + +[ Upstream commit 9bcb959d05eeb564dfc9cac13a59843a4fb2edf2 ] + +During load balance, LBF_SOME_PINNED will be set if any candidate task +cannot be detached due to CPU affinity constraints. This can result in +setting env->sd->parent->sgc->group_imbalance, which can lead to a group +being classified as group_imbalanced (rather than any of the other, lower +group_type) when balancing at a higher level. + +In workloads involving a single task per CPU, LBF_SOME_PINNED can often be +set due to per-CPU kthreads being the only other runnable tasks on any +given rq. This results in changing the group classification during +load-balance at higher levels when in reality there is nothing that can be +done for this affinity constraint: per-CPU kthreads, as the name implies, +don't get to move around (modulo hotplug shenanigans). + +It's not as clear for userspace tasks - a task could be in an N-CPU cpuset +with N-1 offline CPUs, making it an "accidental" per-CPU task rather than +an intended one. KTHREAD_IS_PER_CPU gives us an indisputable signal which +we can leverage here to not set LBF_SOME_PINNED. + +Note that the aforementioned classification to group_imbalance (when +nothing can be done) is especially problematic on big.LITTLE systems, which +have a topology the likes of: + + DIE [ ] + MC [ ][ ] + 0 1 2 3 + L L B B + + arch_scale_cpu_capacity(L) < arch_scale_cpu_capacity(B) + +Here, setting LBF_SOME_PINNED due to a per-CPU kthread when balancing at MC +level on CPUs [0-1] will subsequently prevent CPUs [2-3] from classifying +the [0-1] group as group_misfit_task when balancing at DIE level. Thus, if +CPUs [0-1] are running CPU-bound (misfit) tasks, ill-timed per-CPU kthreads +can significantly delay the upgmigration of said misfit tasks. Systems +relying on ASYM_PACKING are likely to face similar issues. + +Signed-off-by: Lingutla Chandrasekhar +[Use kthread_is_per_cpu() rather than p->nr_cpus_allowed] +[Reword changelog] +Signed-off-by: Valentin Schneider +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Dietmar Eggemann +Reviewed-by: Vincent Guittot +Link: https://lkml.kernel.org/r/20210407220628.3798191-2-valentin.schneider@arm.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 611adca1e6d0..93ab546b6e16 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -7300,6 +7300,10 @@ int can_migrate_task(struct task_struct *p, struct lb_env *env) + if (throttled_lb_pair(task_group(p), env->src_cpu, env->dst_cpu)) + return 0; + ++ /* Disregard pcpu kthreads; they are where they need to be. */ ++ if ((p->flags & PF_KTHREAD) && kthread_is_per_cpu(p)) ++ return 0; ++ + if (!cpumask_test_cpu(env->dst_cpu, p->cpus_ptr)) { + int cpu; + +-- +2.30.2 + diff --git a/queue-5.4/scsi-libfc-fix-a-format-specifier.patch b/queue-5.4/scsi-libfc-fix-a-format-specifier.patch new file mode 100644 index 00000000000..ad9ce30db47 --- /dev/null +++ b/queue-5.4/scsi-libfc-fix-a-format-specifier.patch @@ -0,0 +1,45 @@ +From 65a197f61f5ddaa97e0830d70fdc65562e2f3981 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 15:08:13 -0700 +Subject: scsi: libfc: Fix a format specifier + +From: Bart Van Assche + +[ Upstream commit 90d6697810f06aceea9de71ad836a8c7669789cd ] + +Since the 'mfs' member has been declared as 'u32' in include/scsi/libfc.h, +use the %u format specifier instead of %hu. This patch fixes the following +clang compiler warning: + +warning: format specifies type + 'unsigned short' but the argument has type 'u32' (aka 'unsigned int') + [-Wformat] + "lport->mfs:%hu\n", mfs, lport->mfs); + ~~~ ^~~~~~~~~~ + %u + +Link: https://lore.kernel.org/r/20210415220826.29438-8-bvanassche@acm.org +Cc: Hannes Reinecke +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libfc/fc_lport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c +index 684c5e361a28..9399e1455d59 100644 +--- a/drivers/scsi/libfc/fc_lport.c ++++ b/drivers/scsi/libfc/fc_lport.c +@@ -1729,7 +1729,7 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp, + + if (mfs < FC_SP_MIN_MAX_PAYLOAD || mfs > FC_SP_MAX_MAX_PAYLOAD) { + FC_LPORT_DBG(lport, "FLOGI bad mfs:%hu response, " +- "lport->mfs:%hu\n", mfs, lport->mfs); ++ "lport->mfs:%u\n", mfs, lport->mfs); + fc_lport_error(lport, fp); + goto out; + } +-- +2.30.2 + diff --git a/queue-5.4/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch b/queue-5.4/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch new file mode 100644 index 00000000000..792f238c989 --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch @@ -0,0 +1,60 @@ +From d3a2c70aca8eeb19ba81ef37f7a5a97ddf7696e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Apr 2021 18:31:13 -0700 +Subject: scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO + response + +From: James Smart + +[ Upstream commit fffd18ec6579c2d9c72b212169259062fe747888 ] + +Fix a crash caused by a double put on the node when the driver completed an +ACC for an unsolicted abort on the same node. The second put was executed +by lpfc_nlp_not_used() and is wrong because the completion routine executes +the nlp_put when the iocbq was released. Additionally, the driver is +issuing a LOGO then immediately calls lpfc_nlp_set_state to put the node +into NPR. This call does nothing. + +Remove the lpfc_nlp_not_used call and additional set_state in the +completion routine. Remove the lpfc_nlp_set_state post issue_logo. Isn't +necessary. + +Link: https://lore.kernel.org/r/20210412013127.2387-3-jsmart2021@gmail.com +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nportdisc.c | 2 -- + drivers/scsi/lpfc/lpfc_sli.c | 1 - + 2 files changed, 3 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index ea31711b1aeb..fdd87508c804 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -1961,8 +1961,6 @@ lpfc_cmpl_reglogin_reglogin_issue(struct lpfc_vport *vport, + ndlp->nlp_last_elscmd = ELS_CMD_PLOGI; + + lpfc_issue_els_logo(vport, ndlp, 0); +- ndlp->nlp_prev_state = NLP_STE_REG_LOGIN_ISSUE; +- lpfc_nlp_set_state(vport, ndlp, NLP_STE_NPR_NODE); + return ndlp->nlp_state; + } + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index b9857d7b224f..79ae01bc7abf 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -17472,7 +17472,6 @@ lpfc_sli4_seq_abort_rsp_cmpl(struct lpfc_hba *phba, + if (cmd_iocbq) { + ndlp = (struct lpfc_nodelist *)cmd_iocbq->context1; + lpfc_nlp_put(ndlp); +- lpfc_nlp_not_used(ndlp); + lpfc_sli_release_iocbq(phba, cmd_iocbq); + } + +-- +2.30.2 + diff --git a/queue-5.4/scsi-lpfc-fix-error-handling-for-mailboxes-completed.patch b/queue-5.4/scsi-lpfc-fix-error-handling-for-mailboxes-completed.patch new file mode 100644 index 00000000000..35466e1d646 --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-error-handling-for-mailboxes-completed.patch @@ -0,0 +1,299 @@ +From 1b298abe48e42e022a4a5b5814f4c88ef160ac64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Apr 2021 18:31:17 -0700 +Subject: scsi: lpfc: Fix error handling for mailboxes completed in MBX_POLL + mode + +From: James Smart + +[ Upstream commit 304ee43238fed517faa123e034b593905b8679f8 ] + +In SLI-4, when performing a mailbox command with MBX_POLL, the driver uses +the BMBX register to send the command rather than the MQ. A flag is set +indicating the BMBX register is active and saves the mailbox job struct +(mboxq) in the mbox_active element of the adapter. The routine then waits +for completion or timeout. The mailbox job struct is not freed by the +routine. In cases of timeout, the adapter will be reset. The +lpfc_sli_mbox_sys_flush() routine will clean up the mbox in preparation for +the reset. It clears the BMBX active flag and marks the job structure as +MBX_NOT_FINISHED. But, it never frees the mboxq job structure. Expectation +in both normal completion and timeout cases is that the issuer of the mbx +command will free the structure. Unfortunately, not all calling paths are +freeing the memory in cases of error. + +All calling paths were looked at and updated, if missing, to free the mboxq +memory regardless of completion status. + +Link: https://lore.kernel.org/r/20210412013127.2387-7-jsmart2021@gmail.com +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_attr.c | 75 +++++++++++++++++++++-------------- + drivers/scsi/lpfc/lpfc_init.c | 9 ++--- + drivers/scsi/lpfc/lpfc_sli.c | 42 ++++++++++---------- + 3 files changed, 70 insertions(+), 56 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c +index bb973901b672..45db19e31b34 100644 +--- a/drivers/scsi/lpfc/lpfc_attr.c ++++ b/drivers/scsi/lpfc/lpfc_attr.c +@@ -1691,8 +1691,7 @@ lpfc_set_trunking(struct lpfc_hba *phba, char *buff_out) + lpfc_printf_log(phba, KERN_ERR, LOG_MBOX, + "0071 Set trunk mode failed with status: %d", + rc); +- if (rc != MBX_TIMEOUT) +- mempool_free(mbox, phba->mbox_mem_pool); ++ mempool_free(mbox, phba->mbox_mem_pool); + + return 0; + } +@@ -6608,15 +6607,19 @@ lpfc_get_stats(struct Scsi_Host *shost) + pmboxq->ctx_buf = NULL; + pmboxq->vport = vport; + +- if (vport->fc_flag & FC_OFFLINE_MODE) ++ if (vport->fc_flag & FC_OFFLINE_MODE) { + rc = lpfc_sli_issue_mbox(phba, pmboxq, MBX_POLL); +- else +- rc = lpfc_sli_issue_mbox_wait(phba, pmboxq, phba->fc_ratov * 2); +- +- if (rc != MBX_SUCCESS) { +- if (rc != MBX_TIMEOUT) ++ if (rc != MBX_SUCCESS) { + mempool_free(pmboxq, phba->mbox_mem_pool); +- return NULL; ++ return NULL; ++ } ++ } else { ++ rc = lpfc_sli_issue_mbox_wait(phba, pmboxq, phba->fc_ratov * 2); ++ if (rc != MBX_SUCCESS) { ++ if (rc != MBX_TIMEOUT) ++ mempool_free(pmboxq, phba->mbox_mem_pool); ++ return NULL; ++ } + } + + memset(hs, 0, sizeof (struct fc_host_statistics)); +@@ -6640,15 +6643,19 @@ lpfc_get_stats(struct Scsi_Host *shost) + pmboxq->ctx_buf = NULL; + pmboxq->vport = vport; + +- if (vport->fc_flag & FC_OFFLINE_MODE) ++ if (vport->fc_flag & FC_OFFLINE_MODE) { + rc = lpfc_sli_issue_mbox(phba, pmboxq, MBX_POLL); +- else +- rc = lpfc_sli_issue_mbox_wait(phba, pmboxq, phba->fc_ratov * 2); +- +- if (rc != MBX_SUCCESS) { +- if (rc != MBX_TIMEOUT) ++ if (rc != MBX_SUCCESS) { + mempool_free(pmboxq, phba->mbox_mem_pool); +- return NULL; ++ return NULL; ++ } ++ } else { ++ rc = lpfc_sli_issue_mbox_wait(phba, pmboxq, phba->fc_ratov * 2); ++ if (rc != MBX_SUCCESS) { ++ if (rc != MBX_TIMEOUT) ++ mempool_free(pmboxq, phba->mbox_mem_pool); ++ return NULL; ++ } + } + + hs->link_failure_count = pmb->un.varRdLnk.linkFailureCnt; +@@ -6721,15 +6728,19 @@ lpfc_reset_stats(struct Scsi_Host *shost) + pmboxq->vport = vport; + + if ((vport->fc_flag & FC_OFFLINE_MODE) || +- (!(psli->sli_flag & LPFC_SLI_ACTIVE))) ++ (!(psli->sli_flag & LPFC_SLI_ACTIVE))) { + rc = lpfc_sli_issue_mbox(phba, pmboxq, MBX_POLL); +- else +- rc = lpfc_sli_issue_mbox_wait(phba, pmboxq, phba->fc_ratov * 2); +- +- if (rc != MBX_SUCCESS) { +- if (rc != MBX_TIMEOUT) ++ if (rc != MBX_SUCCESS) { + mempool_free(pmboxq, phba->mbox_mem_pool); +- return; ++ return; ++ } ++ } else { ++ rc = lpfc_sli_issue_mbox_wait(phba, pmboxq, phba->fc_ratov * 2); ++ if (rc != MBX_SUCCESS) { ++ if (rc != MBX_TIMEOUT) ++ mempool_free(pmboxq, phba->mbox_mem_pool); ++ return; ++ } + } + + memset(pmboxq, 0, sizeof(LPFC_MBOXQ_t)); +@@ -6739,15 +6750,19 @@ lpfc_reset_stats(struct Scsi_Host *shost) + pmboxq->vport = vport; + + if ((vport->fc_flag & FC_OFFLINE_MODE) || +- (!(psli->sli_flag & LPFC_SLI_ACTIVE))) ++ (!(psli->sli_flag & LPFC_SLI_ACTIVE))) { + rc = lpfc_sli_issue_mbox(phba, pmboxq, MBX_POLL); +- else ++ if (rc != MBX_SUCCESS) { ++ mempool_free(pmboxq, phba->mbox_mem_pool); ++ return; ++ } ++ } else { + rc = lpfc_sli_issue_mbox_wait(phba, pmboxq, phba->fc_ratov * 2); +- +- if (rc != MBX_SUCCESS) { +- if (rc != MBX_TIMEOUT) +- mempool_free( pmboxq, phba->mbox_mem_pool); +- return; ++ if (rc != MBX_SUCCESS) { ++ if (rc != MBX_TIMEOUT) ++ mempool_free(pmboxq, phba->mbox_mem_pool); ++ return; ++ } + } + + lso->link_failure_count = pmb->un.varRdLnk.linkFailureCnt; +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index d4c83eca0ad2..9ff463b597d2 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -9387,8 +9387,7 @@ lpfc_sli4_queue_setup(struct lpfc_hba *phba) + "3250 QUERY_FW_CFG mailbox failed with status " + "x%x add_status x%x, mbx status x%x\n", + shdr_status, shdr_add_status, rc); +- if (rc != MBX_TIMEOUT) +- mempool_free(mboxq, phba->mbox_mem_pool); ++ mempool_free(mboxq, phba->mbox_mem_pool); + rc = -ENXIO; + goto out_error; + } +@@ -9404,8 +9403,7 @@ lpfc_sli4_queue_setup(struct lpfc_hba *phba) + "ulp1_mode:x%x\n", phba->sli4_hba.fw_func_mode, + phba->sli4_hba.ulp0_mode, phba->sli4_hba.ulp1_mode); + +- if (rc != MBX_TIMEOUT) +- mempool_free(mboxq, phba->mbox_mem_pool); ++ mempool_free(mboxq, phba->mbox_mem_pool); + + /* + * Set up HBA Event Queues (EQs) +@@ -10001,8 +9999,7 @@ lpfc_pci_function_reset(struct lpfc_hba *phba) + shdr_status = bf_get(lpfc_mbox_hdr_status, &shdr->response); + shdr_add_status = bf_get(lpfc_mbox_hdr_add_status, + &shdr->response); +- if (rc != MBX_TIMEOUT) +- mempool_free(mboxq, phba->mbox_mem_pool); ++ mempool_free(mboxq, phba->mbox_mem_pool); + if (shdr_status || shdr_add_status || rc) { + lpfc_printf_log(phba, KERN_ERR, LOG_INIT, + "0495 SLI_FUNCTION_RESET mailbox " +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 79ae01bc7abf..ef7cef316d21 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -5423,12 +5423,10 @@ lpfc_sli4_get_ctl_attr(struct lpfc_hba *phba) + phba->sli4_hba.lnk_info.lnk_no, + phba->BIOSVersion); + out_free_mboxq: +- if (rc != MBX_TIMEOUT) { +- if (bf_get(lpfc_mqe_command, &mboxq->u.mqe) == MBX_SLI4_CONFIG) +- lpfc_sli4_mbox_cmd_free(phba, mboxq); +- else +- mempool_free(mboxq, phba->mbox_mem_pool); +- } ++ if (bf_get(lpfc_mqe_command, &mboxq->u.mqe) == MBX_SLI4_CONFIG) ++ lpfc_sli4_mbox_cmd_free(phba, mboxq); ++ else ++ mempool_free(mboxq, phba->mbox_mem_pool); + return rc; + } + +@@ -5529,12 +5527,10 @@ retrieve_ppname: + } + + out_free_mboxq: +- if (rc != MBX_TIMEOUT) { +- if (bf_get(lpfc_mqe_command, &mboxq->u.mqe) == MBX_SLI4_CONFIG) +- lpfc_sli4_mbox_cmd_free(phba, mboxq); +- else +- mempool_free(mboxq, phba->mbox_mem_pool); +- } ++ if (bf_get(lpfc_mqe_command, &mboxq->u.mqe) == MBX_SLI4_CONFIG) ++ lpfc_sli4_mbox_cmd_free(phba, mboxq); ++ else ++ mempool_free(mboxq, phba->mbox_mem_pool); + return rc; + } + +@@ -16485,8 +16481,7 @@ lpfc_rq_destroy(struct lpfc_hba *phba, struct lpfc_queue *hrq, + "2509 RQ_DESTROY mailbox failed with " + "status x%x add_status x%x, mbx status x%x\n", + shdr_status, shdr_add_status, rc); +- if (rc != MBX_TIMEOUT) +- mempool_free(mbox, hrq->phba->mbox_mem_pool); ++ mempool_free(mbox, hrq->phba->mbox_mem_pool); + return -ENXIO; + } + bf_set(lpfc_mbx_rq_destroy_q_id, &mbox->u.mqe.un.rq_destroy.u.request, +@@ -16583,7 +16578,9 @@ lpfc_sli4_post_sgl(struct lpfc_hba *phba, + shdr = (union lpfc_sli4_cfg_shdr *) &post_sgl_pages->header.cfg_shdr; + shdr_status = bf_get(lpfc_mbox_hdr_status, &shdr->response); + shdr_add_status = bf_get(lpfc_mbox_hdr_add_status, &shdr->response); +- if (rc != MBX_TIMEOUT) ++ if (!phba->sli4_hba.intr_enable) ++ mempool_free(mbox, phba->mbox_mem_pool); ++ else if (rc != MBX_TIMEOUT) + mempool_free(mbox, phba->mbox_mem_pool); + if (shdr_status || shdr_add_status || rc) { + lpfc_printf_log(phba, KERN_ERR, LOG_INIT, +@@ -16778,7 +16775,9 @@ lpfc_sli4_post_sgl_list(struct lpfc_hba *phba, + shdr = (union lpfc_sli4_cfg_shdr *) &sgl->cfg_shdr; + shdr_status = bf_get(lpfc_mbox_hdr_status, &shdr->response); + shdr_add_status = bf_get(lpfc_mbox_hdr_add_status, &shdr->response); +- if (rc != MBX_TIMEOUT) ++ if (!phba->sli4_hba.intr_enable) ++ lpfc_sli4_mbox_cmd_free(phba, mbox); ++ else if (rc != MBX_TIMEOUT) + lpfc_sli4_mbox_cmd_free(phba, mbox); + if (shdr_status || shdr_add_status || rc) { + lpfc_printf_log(phba, KERN_ERR, LOG_SLI, +@@ -16891,7 +16890,9 @@ lpfc_sli4_post_io_sgl_block(struct lpfc_hba *phba, struct list_head *nblist, + shdr = (union lpfc_sli4_cfg_shdr *)&sgl->cfg_shdr; + shdr_status = bf_get(lpfc_mbox_hdr_status, &shdr->response); + shdr_add_status = bf_get(lpfc_mbox_hdr_add_status, &shdr->response); +- if (rc != MBX_TIMEOUT) ++ if (!phba->sli4_hba.intr_enable) ++ lpfc_sli4_mbox_cmd_free(phba, mbox); ++ else if (rc != MBX_TIMEOUT) + lpfc_sli4_mbox_cmd_free(phba, mbox); + if (shdr_status || shdr_add_status || rc) { + lpfc_printf_log(phba, KERN_ERR, LOG_SLI, +@@ -18238,8 +18239,7 @@ lpfc_sli4_post_rpi_hdr(struct lpfc_hba *phba, struct lpfc_rpi_hdr *rpi_page) + shdr = (union lpfc_sli4_cfg_shdr *) &hdr_tmpl->header.cfg_shdr; + shdr_status = bf_get(lpfc_mbox_hdr_status, &shdr->response); + shdr_add_status = bf_get(lpfc_mbox_hdr_add_status, &shdr->response); +- if (rc != MBX_TIMEOUT) +- mempool_free(mboxq, phba->mbox_mem_pool); ++ mempool_free(mboxq, phba->mbox_mem_pool); + if (shdr_status || shdr_add_status || rc) { + lpfc_printf_log(phba, KERN_ERR, LOG_INIT, + "2514 POST_RPI_HDR mailbox failed with " +@@ -19464,7 +19464,9 @@ lpfc_wr_object(struct lpfc_hba *phba, struct list_head *dmabuf_list, + break; + } + } +- if (rc != MBX_TIMEOUT) ++ if (!phba->sli4_hba.intr_enable) ++ mempool_free(mbox, phba->mbox_mem_pool); ++ else if (rc != MBX_TIMEOUT) + mempool_free(mbox, phba->mbox_mem_pool); + if (shdr_status || shdr_add_status || rc) { + lpfc_printf_log(phba, KERN_ERR, LOG_INIT, +-- +2.30.2 + diff --git a/queue-5.4/scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch b/queue-5.4/scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch new file mode 100644 index 00000000000..22ccc1c8d20 --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch @@ -0,0 +1,41 @@ +From 6c9546a77fd470901634f0fbcd403397eabf6242 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 09:18:00 -0800 +Subject: scsi: lpfc: Fix incorrect dbde assignment when building target abts + wqe + +From: James Smart + +[ Upstream commit 9302154c07bff4e7f7f43c506a1ac84540303d06 ] + +The wqe_dbde field indicates whether a Data BDE is present in Words 0:2 and +should therefore should be clear in the abts request wqe. By setting the +bit we can be misleading fw into error cases. + +Clear the wqe_dbde field. + +Link: https://lore.kernel.org/r/20210301171821.3427-2-jsmart2021@gmail.com +Co-developed-by: Dick Kennedy +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nvmet.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nvmet.c b/drivers/scsi/lpfc/lpfc_nvmet.c +index f14394ab0e03..ce2e2b58fa7e 100644 +--- a/drivers/scsi/lpfc/lpfc_nvmet.c ++++ b/drivers/scsi/lpfc/lpfc_nvmet.c +@@ -3204,7 +3204,6 @@ lpfc_nvmet_unsol_issue_abort(struct lpfc_hba *phba, + bf_set(wqe_rcvoxid, &wqe_abts->xmit_sequence.wqe_com, xri); + + /* Word 10 */ +- bf_set(wqe_dbde, &wqe_abts->xmit_sequence.wqe_com, 1); + bf_set(wqe_iod, &wqe_abts->xmit_sequence.wqe_com, LPFC_WQE_IOD_WRITE); + bf_set(wqe_lenloc, &wqe_abts->xmit_sequence.wqe_com, + LPFC_WQE_LENLOC_WORD12); +-- +2.30.2 + diff --git a/queue-5.4/scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch b/queue-5.4/scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch new file mode 100644 index 00000000000..44ccd60d042 --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch @@ -0,0 +1,50 @@ +From 9ca9a81b2ee5482c003ee7d37d59de43e7a1eaaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 09:18:06 -0800 +Subject: scsi: lpfc: Fix pt2pt connection does not recover after LOGO + +From: James Smart + +[ Upstream commit bd4f5100424d17d4e560d6653902ef8e49b2fc1f ] + +On a pt2pt setup, between 2 initiators, if one side issues a a LOGO, there +is no relogin attempt. The FC specs are grey in this area on which port +(higher wwn or not) is to re-login. + +As there is no spec guidance, unconditionally re-PLOGI after the logout to +ensure a login is re-established. + +Link: https://lore.kernel.org/r/20210301171821.3427-8-jsmart2021@gmail.com +Co-developed-by: Dick Kennedy +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nportdisc.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index 418d62e94554..ea31711b1aeb 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -888,9 +888,14 @@ lpfc_rcv_logo(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + } + } else if ((!(ndlp->nlp_type & NLP_FABRIC) && + ((ndlp->nlp_type & NLP_FCP_TARGET) || +- !(ndlp->nlp_type & NLP_FCP_INITIATOR))) || ++ (ndlp->nlp_type & NLP_NVME_TARGET) || ++ (vport->fc_flag & FC_PT2PT))) || + (ndlp->nlp_state == NLP_STE_ADISC_ISSUE)) { +- /* Only try to re-login if this is NOT a Fabric Node */ ++ /* Only try to re-login if this is NOT a Fabric Node ++ * AND the remote NPORT is a FCP/NVME Target or we ++ * are in pt2pt mode. NLP_STE_ADISC_ISSUE is a special ++ * case for LOGO as a response to ADISC behavior. ++ */ + mod_timer(&ndlp->nlp_delayfunc, + jiffies + msecs_to_jiffies(1000 * 1)); + spin_lock_irq(shost->host_lock); +-- +2.30.2 + diff --git a/queue-5.4/scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch b/queue-5.4/scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch new file mode 100644 index 00000000000..ef0f3f34509 --- /dev/null +++ b/queue-5.4/scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch @@ -0,0 +1,431 @@ +From 8ce78fa510b58ca6cd6f24dec9fee35052d92fa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Apr 2021 18:31:22 -0700 +Subject: scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic + +From: James Smart + +[ Upstream commit b62232ba8caccaf1954e197058104a6478fac1af ] + +SLI-4 does not contain a PORT_CAPABILITIES mailbox command (only SLI-3 +does, and SLI-3 doesn't use it), yet there are SLI-4 code paths that have +code to issue the command. The command will always fail. + +Remove the code for the mailbox command and leave only the resulting +"failure path" logic. + +Link: https://lore.kernel.org/r/20210412013127.2387-12-jsmart2021@gmail.com +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_crtn.h | 3 - + drivers/scsi/lpfc/lpfc_hw4.h | 174 +--------------------------------- + drivers/scsi/lpfc/lpfc_init.c | 103 +------------------- + drivers/scsi/lpfc/lpfc_mbox.c | 36 ------- + 4 files changed, 3 insertions(+), 313 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_crtn.h b/drivers/scsi/lpfc/lpfc_crtn.h +index 0f019e889ba6..bdb1f380e7d8 100644 +--- a/drivers/scsi/lpfc/lpfc_crtn.h ++++ b/drivers/scsi/lpfc/lpfc_crtn.h +@@ -56,9 +56,6 @@ void lpfc_register_new_vport(struct lpfc_hba *, struct lpfc_vport *, + void lpfc_unreg_vpi(struct lpfc_hba *, uint16_t, LPFC_MBOXQ_t *); + void lpfc_init_link(struct lpfc_hba *, LPFC_MBOXQ_t *, uint32_t, uint32_t); + void lpfc_request_features(struct lpfc_hba *, struct lpfcMboxq *); +-void lpfc_supported_pages(struct lpfcMboxq *); +-void lpfc_pc_sli4_params(struct lpfcMboxq *); +-int lpfc_pc_sli4_params_get(struct lpfc_hba *, LPFC_MBOXQ_t *); + int lpfc_sli4_mbox_rsrc_extent(struct lpfc_hba *, struct lpfcMboxq *, + uint16_t, uint16_t, bool); + int lpfc_get_sli4_parameters(struct lpfc_hba *, LPFC_MBOXQ_t *); +diff --git a/drivers/scsi/lpfc/lpfc_hw4.h b/drivers/scsi/lpfc/lpfc_hw4.h +index bd533475c86a..b8a772f80d6c 100644 +--- a/drivers/scsi/lpfc/lpfc_hw4.h ++++ b/drivers/scsi/lpfc/lpfc_hw4.h +@@ -122,6 +122,7 @@ struct lpfc_sli_intf { + /* Define SLI4 Alignment requirements. */ + #define LPFC_ALIGN_16_BYTE 16 + #define LPFC_ALIGN_64_BYTE 64 ++#define SLI4_PAGE_SIZE 4096 + + /* Define SLI4 specific definitions. */ + #define LPFC_MQ_CQE_BYTE_OFFSET 256 +@@ -2962,62 +2963,6 @@ struct lpfc_mbx_request_features { + #define lpfc_mbx_rq_ftr_rsp_mrqp_WORD word3 + }; + +-struct lpfc_mbx_supp_pages { +- uint32_t word1; +-#define qs_SHIFT 0 +-#define qs_MASK 0x00000001 +-#define qs_WORD word1 +-#define wr_SHIFT 1 +-#define wr_MASK 0x00000001 +-#define wr_WORD word1 +-#define pf_SHIFT 8 +-#define pf_MASK 0x000000ff +-#define pf_WORD word1 +-#define cpn_SHIFT 16 +-#define cpn_MASK 0x000000ff +-#define cpn_WORD word1 +- uint32_t word2; +-#define list_offset_SHIFT 0 +-#define list_offset_MASK 0x000000ff +-#define list_offset_WORD word2 +-#define next_offset_SHIFT 8 +-#define next_offset_MASK 0x000000ff +-#define next_offset_WORD word2 +-#define elem_cnt_SHIFT 16 +-#define elem_cnt_MASK 0x000000ff +-#define elem_cnt_WORD word2 +- uint32_t word3; +-#define pn_0_SHIFT 24 +-#define pn_0_MASK 0x000000ff +-#define pn_0_WORD word3 +-#define pn_1_SHIFT 16 +-#define pn_1_MASK 0x000000ff +-#define pn_1_WORD word3 +-#define pn_2_SHIFT 8 +-#define pn_2_MASK 0x000000ff +-#define pn_2_WORD word3 +-#define pn_3_SHIFT 0 +-#define pn_3_MASK 0x000000ff +-#define pn_3_WORD word3 +- uint32_t word4; +-#define pn_4_SHIFT 24 +-#define pn_4_MASK 0x000000ff +-#define pn_4_WORD word4 +-#define pn_5_SHIFT 16 +-#define pn_5_MASK 0x000000ff +-#define pn_5_WORD word4 +-#define pn_6_SHIFT 8 +-#define pn_6_MASK 0x000000ff +-#define pn_6_WORD word4 +-#define pn_7_SHIFT 0 +-#define pn_7_MASK 0x000000ff +-#define pn_7_WORD word4 +- uint32_t rsvd[27]; +-#define LPFC_SUPP_PAGES 0 +-#define LPFC_BLOCK_GUARD_PROFILES 1 +-#define LPFC_SLI4_PARAMETERS 2 +-}; +- + struct lpfc_mbx_memory_dump_type3 { + uint32_t word1; + #define lpfc_mbx_memory_dump_type3_type_SHIFT 0 +@@ -3234,121 +3179,6 @@ struct user_eeprom { + uint8_t reserved191[57]; + }; + +-struct lpfc_mbx_pc_sli4_params { +- uint32_t word1; +-#define qs_SHIFT 0 +-#define qs_MASK 0x00000001 +-#define qs_WORD word1 +-#define wr_SHIFT 1 +-#define wr_MASK 0x00000001 +-#define wr_WORD word1 +-#define pf_SHIFT 8 +-#define pf_MASK 0x000000ff +-#define pf_WORD word1 +-#define cpn_SHIFT 16 +-#define cpn_MASK 0x000000ff +-#define cpn_WORD word1 +- uint32_t word2; +-#define if_type_SHIFT 0 +-#define if_type_MASK 0x00000007 +-#define if_type_WORD word2 +-#define sli_rev_SHIFT 4 +-#define sli_rev_MASK 0x0000000f +-#define sli_rev_WORD word2 +-#define sli_family_SHIFT 8 +-#define sli_family_MASK 0x000000ff +-#define sli_family_WORD word2 +-#define featurelevel_1_SHIFT 16 +-#define featurelevel_1_MASK 0x000000ff +-#define featurelevel_1_WORD word2 +-#define featurelevel_2_SHIFT 24 +-#define featurelevel_2_MASK 0x0000001f +-#define featurelevel_2_WORD word2 +- uint32_t word3; +-#define fcoe_SHIFT 0 +-#define fcoe_MASK 0x00000001 +-#define fcoe_WORD word3 +-#define fc_SHIFT 1 +-#define fc_MASK 0x00000001 +-#define fc_WORD word3 +-#define nic_SHIFT 2 +-#define nic_MASK 0x00000001 +-#define nic_WORD word3 +-#define iscsi_SHIFT 3 +-#define iscsi_MASK 0x00000001 +-#define iscsi_WORD word3 +-#define rdma_SHIFT 4 +-#define rdma_MASK 0x00000001 +-#define rdma_WORD word3 +- uint32_t sge_supp_len; +-#define SLI4_PAGE_SIZE 4096 +- uint32_t word5; +-#define if_page_sz_SHIFT 0 +-#define if_page_sz_MASK 0x0000ffff +-#define if_page_sz_WORD word5 +-#define loopbk_scope_SHIFT 24 +-#define loopbk_scope_MASK 0x0000000f +-#define loopbk_scope_WORD word5 +-#define rq_db_window_SHIFT 28 +-#define rq_db_window_MASK 0x0000000f +-#define rq_db_window_WORD word5 +- uint32_t word6; +-#define eq_pages_SHIFT 0 +-#define eq_pages_MASK 0x0000000f +-#define eq_pages_WORD word6 +-#define eqe_size_SHIFT 8 +-#define eqe_size_MASK 0x000000ff +-#define eqe_size_WORD word6 +- uint32_t word7; +-#define cq_pages_SHIFT 0 +-#define cq_pages_MASK 0x0000000f +-#define cq_pages_WORD word7 +-#define cqe_size_SHIFT 8 +-#define cqe_size_MASK 0x000000ff +-#define cqe_size_WORD word7 +- uint32_t word8; +-#define mq_pages_SHIFT 0 +-#define mq_pages_MASK 0x0000000f +-#define mq_pages_WORD word8 +-#define mqe_size_SHIFT 8 +-#define mqe_size_MASK 0x000000ff +-#define mqe_size_WORD word8 +-#define mq_elem_cnt_SHIFT 16 +-#define mq_elem_cnt_MASK 0x000000ff +-#define mq_elem_cnt_WORD word8 +- uint32_t word9; +-#define wq_pages_SHIFT 0 +-#define wq_pages_MASK 0x0000ffff +-#define wq_pages_WORD word9 +-#define wqe_size_SHIFT 8 +-#define wqe_size_MASK 0x000000ff +-#define wqe_size_WORD word9 +- uint32_t word10; +-#define rq_pages_SHIFT 0 +-#define rq_pages_MASK 0x0000ffff +-#define rq_pages_WORD word10 +-#define rqe_size_SHIFT 8 +-#define rqe_size_MASK 0x000000ff +-#define rqe_size_WORD word10 +- uint32_t word11; +-#define hdr_pages_SHIFT 0 +-#define hdr_pages_MASK 0x0000000f +-#define hdr_pages_WORD word11 +-#define hdr_size_SHIFT 8 +-#define hdr_size_MASK 0x0000000f +-#define hdr_size_WORD word11 +-#define hdr_pp_align_SHIFT 16 +-#define hdr_pp_align_MASK 0x0000ffff +-#define hdr_pp_align_WORD word11 +- uint32_t word12; +-#define sgl_pages_SHIFT 0 +-#define sgl_pages_MASK 0x0000000f +-#define sgl_pages_WORD word12 +-#define sgl_pp_align_SHIFT 16 +-#define sgl_pp_align_MASK 0x0000ffff +-#define sgl_pp_align_WORD word12 +- uint32_t rsvd_13_63[51]; +-}; + #define SLI4_PAGE_ALIGN(addr) (((addr)+((SLI4_PAGE_SIZE)-1)) \ + &(~((SLI4_PAGE_SIZE)-1))) + +@@ -3958,8 +3788,6 @@ struct lpfc_mqe { + struct lpfc_mbx_post_hdr_tmpl hdr_tmpl; + struct lpfc_mbx_query_fw_config query_fw_cfg; + struct lpfc_mbx_set_beacon_config beacon_config; +- struct lpfc_mbx_supp_pages supp_pages; +- struct lpfc_mbx_pc_sli4_params sli4_params; + struct lpfc_mbx_get_sli4_parameters get_sli4_parameters; + struct lpfc_mbx_set_link_diag_state link_diag_state; + struct lpfc_mbx_set_link_diag_loopback link_diag_loopback; +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index 9ff463b597d2..b5cee2a2ac66 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -6415,8 +6415,6 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba) + LPFC_MBOXQ_t *mboxq; + MAILBOX_t *mb; + int rc, i, max_buf_size; +- uint8_t pn_page[LPFC_MAX_SUPPORTED_PAGES] = {0}; +- struct lpfc_mqe *mqe; + int longs; + int extra; + uint64_t wwn; +@@ -6640,32 +6638,6 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba) + + lpfc_nvme_mod_param_dep(phba); + +- /* Get the Supported Pages if PORT_CAPABILITIES is supported by port. */ +- lpfc_supported_pages(mboxq); +- rc = lpfc_sli_issue_mbox(phba, mboxq, MBX_POLL); +- if (!rc) { +- mqe = &mboxq->u.mqe; +- memcpy(&pn_page[0], ((uint8_t *)&mqe->un.supp_pages.word3), +- LPFC_MAX_SUPPORTED_PAGES); +- for (i = 0; i < LPFC_MAX_SUPPORTED_PAGES; i++) { +- switch (pn_page[i]) { +- case LPFC_SLI4_PARAMETERS: +- phba->sli4_hba.pc_sli4_params.supported = 1; +- break; +- default: +- break; +- } +- } +- /* Read the port's SLI4 Parameters capabilities if supported. */ +- if (phba->sli4_hba.pc_sli4_params.supported) +- rc = lpfc_pc_sli4_params_get(phba, mboxq); +- if (rc) { +- mempool_free(mboxq, phba->mbox_mem_pool); +- rc = -EIO; +- goto out_free_bsmbx; +- } +- } +- + /* + * Get sli4 parameters that override parameters from Port capabilities. + * If this call fails, it isn't critical unless the SLI4 parameters come +@@ -11574,78 +11546,6 @@ lpfc_sli4_hba_unset(struct lpfc_hba *phba) + phba->pport->work_port_events = 0; + } + +- /** +- * lpfc_pc_sli4_params_get - Get the SLI4_PARAMS port capabilities. +- * @phba: Pointer to HBA context object. +- * @mboxq: Pointer to the mailboxq memory for the mailbox command response. +- * +- * This function is called in the SLI4 code path to read the port's +- * sli4 capabilities. +- * +- * This function may be be called from any context that can block-wait +- * for the completion. The expectation is that this routine is called +- * typically from probe_one or from the online routine. +- **/ +-int +-lpfc_pc_sli4_params_get(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq) +-{ +- int rc; +- struct lpfc_mqe *mqe; +- struct lpfc_pc_sli4_params *sli4_params; +- uint32_t mbox_tmo; +- +- rc = 0; +- mqe = &mboxq->u.mqe; +- +- /* Read the port's SLI4 Parameters port capabilities */ +- lpfc_pc_sli4_params(mboxq); +- if (!phba->sli4_hba.intr_enable) +- rc = lpfc_sli_issue_mbox(phba, mboxq, MBX_POLL); +- else { +- mbox_tmo = lpfc_mbox_tmo_val(phba, mboxq); +- rc = lpfc_sli_issue_mbox_wait(phba, mboxq, mbox_tmo); +- } +- +- if (unlikely(rc)) +- return 1; +- +- sli4_params = &phba->sli4_hba.pc_sli4_params; +- sli4_params->if_type = bf_get(if_type, &mqe->un.sli4_params); +- sli4_params->sli_rev = bf_get(sli_rev, &mqe->un.sli4_params); +- sli4_params->sli_family = bf_get(sli_family, &mqe->un.sli4_params); +- sli4_params->featurelevel_1 = bf_get(featurelevel_1, +- &mqe->un.sli4_params); +- sli4_params->featurelevel_2 = bf_get(featurelevel_2, +- &mqe->un.sli4_params); +- sli4_params->proto_types = mqe->un.sli4_params.word3; +- sli4_params->sge_supp_len = mqe->un.sli4_params.sge_supp_len; +- sli4_params->if_page_sz = bf_get(if_page_sz, &mqe->un.sli4_params); +- sli4_params->rq_db_window = bf_get(rq_db_window, &mqe->un.sli4_params); +- sli4_params->loopbk_scope = bf_get(loopbk_scope, &mqe->un.sli4_params); +- sli4_params->eq_pages_max = bf_get(eq_pages, &mqe->un.sli4_params); +- sli4_params->eqe_size = bf_get(eqe_size, &mqe->un.sli4_params); +- sli4_params->cq_pages_max = bf_get(cq_pages, &mqe->un.sli4_params); +- sli4_params->cqe_size = bf_get(cqe_size, &mqe->un.sli4_params); +- sli4_params->mq_pages_max = bf_get(mq_pages, &mqe->un.sli4_params); +- sli4_params->mqe_size = bf_get(mqe_size, &mqe->un.sli4_params); +- sli4_params->mq_elem_cnt = bf_get(mq_elem_cnt, &mqe->un.sli4_params); +- sli4_params->wq_pages_max = bf_get(wq_pages, &mqe->un.sli4_params); +- sli4_params->wqe_size = bf_get(wqe_size, &mqe->un.sli4_params); +- sli4_params->rq_pages_max = bf_get(rq_pages, &mqe->un.sli4_params); +- sli4_params->rqe_size = bf_get(rqe_size, &mqe->un.sli4_params); +- sli4_params->hdr_pages_max = bf_get(hdr_pages, &mqe->un.sli4_params); +- sli4_params->hdr_size = bf_get(hdr_size, &mqe->un.sli4_params); +- sli4_params->hdr_pp_align = bf_get(hdr_pp_align, &mqe->un.sli4_params); +- sli4_params->sgl_pages_max = bf_get(sgl_pages, &mqe->un.sli4_params); +- sli4_params->sgl_pp_align = bf_get(sgl_pp_align, &mqe->un.sli4_params); +- +- /* Make sure that sge_supp_len can be handled by the driver */ +- if (sli4_params->sge_supp_len > LPFC_MAX_SGE_SIZE) +- sli4_params->sge_supp_len = LPFC_MAX_SGE_SIZE; +- +- return rc; +-} +- + /** + * lpfc_get_sli4_parameters - Get the SLI4 Config PARAMETERS. + * @phba: Pointer to HBA context object. +@@ -11704,7 +11604,8 @@ lpfc_get_sli4_parameters(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq) + else + phba->sli3_options &= ~LPFC_SLI4_PHWQ_ENABLED; + sli4_params->sge_supp_len = mbx_sli4_parameters->sge_supp_len; +- sli4_params->loopbk_scope = bf_get(loopbk_scope, mbx_sli4_parameters); ++ sli4_params->loopbk_scope = bf_get(cfg_loopbk_scope, ++ mbx_sli4_parameters); + sli4_params->oas_supported = bf_get(cfg_oas, mbx_sli4_parameters); + sli4_params->cqv = bf_get(cfg_cqv, mbx_sli4_parameters); + sli4_params->mqv = bf_get(cfg_mqv, mbx_sli4_parameters); +diff --git a/drivers/scsi/lpfc/lpfc_mbox.c b/drivers/scsi/lpfc/lpfc_mbox.c +index 8abe933bad09..4a331164086e 100644 +--- a/drivers/scsi/lpfc/lpfc_mbox.c ++++ b/drivers/scsi/lpfc/lpfc_mbox.c +@@ -2622,39 +2622,3 @@ lpfc_resume_rpi(struct lpfcMboxq *mbox, struct lpfc_nodelist *ndlp) + resume_rpi->event_tag = ndlp->phba->fc_eventTag; + } + +-/** +- * lpfc_supported_pages - Initialize the PORT_CAPABILITIES supported pages +- * mailbox command. +- * @mbox: pointer to lpfc mbox command to initialize. +- * +- * The PORT_CAPABILITIES supported pages mailbox command is issued to +- * retrieve the particular feature pages supported by the port. +- **/ +-void +-lpfc_supported_pages(struct lpfcMboxq *mbox) +-{ +- struct lpfc_mbx_supp_pages *supp_pages; +- +- memset(mbox, 0, sizeof(*mbox)); +- supp_pages = &mbox->u.mqe.un.supp_pages; +- bf_set(lpfc_mqe_command, &mbox->u.mqe, MBX_PORT_CAPABILITIES); +- bf_set(cpn, supp_pages, LPFC_SUPP_PAGES); +-} +- +-/** +- * lpfc_pc_sli4_params - Initialize the PORT_CAPABILITIES SLI4 Params mbox cmd. +- * @mbox: pointer to lpfc mbox command to initialize. +- * +- * The PORT_CAPABILITIES SLI4 parameters mailbox command is issued to +- * retrieve the particular SLI4 features supported by the port. +- **/ +-void +-lpfc_pc_sli4_params(struct lpfcMboxq *mbox) +-{ +- struct lpfc_mbx_pc_sli4_params *sli4_params; +- +- memset(mbox, 0, sizeof(*mbox)); +- sli4_params = &mbox->u.mqe.un.sli4_params; +- bf_set(lpfc_mqe_command, &mbox->u.mqe, MBX_PORT_CAPABILITIES); +- bf_set(cpn, sli4_params, LPFC_SLI4_PARAMETERS); +-} +-- +2.30.2 + diff --git a/queue-5.4/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch b/queue-5.4/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch new file mode 100644 index 00000000000..b951e439849 --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch @@ -0,0 +1,60 @@ +From f4c4b3443d789dcf3e3bd2159f541748d51201d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Mar 2021 16:23:58 -0700 +Subject: scsi: qla2xxx: Always check the return value of + qla24xx_get_isp_stats() + +From: Bart Van Assche + +[ Upstream commit a2b2cc660822cae08c351c7f6b452bfd1330a4f7 ] + +This patch fixes the following Coverity warning: + + CID 361199 (#1 of 1): Unchecked return value (CHECKED_RETURN) + 3. check_return: Calling qla24xx_get_isp_stats without checking return + value (as is done elsewhere 4 out of 5 times). + +Link: https://lore.kernel.org/r/20210320232359.941-7-bvanassche@acm.org +Cc: Quinn Tran +Cc: Mike Christie +Cc: Himanshu Madhani +Cc: Daniel Wagner +Cc: Lee Duncan +Reviewed-by: Daniel Wagner +Reviewed-by: Himanshu Madhani +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_attr.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c +index bed7e8637217..580d30cd5c35 100644 +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -2691,6 +2691,8 @@ qla2x00_reset_host_stats(struct Scsi_Host *shost) + vha->qla_stats.jiffies_at_last_reset = get_jiffies_64(); + + if (IS_FWI2_CAPABLE(ha)) { ++ int rval; ++ + stats = dma_alloc_coherent(&ha->pdev->dev, + sizeof(*stats), &stats_dma, GFP_KERNEL); + if (!stats) { +@@ -2700,7 +2702,11 @@ qla2x00_reset_host_stats(struct Scsi_Host *shost) + } + + /* reset firmware statistics */ +- qla24xx_get_isp_stats(base_vha, stats, stats_dma, BIT_0); ++ rval = qla24xx_get_isp_stats(base_vha, stats, stats_dma, BIT_0); ++ if (rval != QLA_SUCCESS) ++ ql_log(ql_log_warn, vha, 0x70de, ++ "Resetting ISP statistics failed: rval = %d\n", ++ rval); + + dma_free_coherent(&ha->pdev->dev, sizeof(*stats), + stats, stats_dma); +-- +2.30.2 + diff --git a/queue-5.4/scsi-qla2xxx-fix-use-after-free-in-bsg.patch b/queue-5.4/scsi-qla2xxx-fix-use-after-free-in-bsg.patch new file mode 100644 index 00000000000..941265a088b --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-fix-use-after-free-in-bsg.patch @@ -0,0 +1,61 @@ +From 81c5e751b663363b04310668c8aa2431917aa288 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 01:52:22 -0700 +Subject: scsi: qla2xxx: Fix use after free in bsg + +From: Quinn Tran + +[ Upstream commit 2ce35c0821afc2acd5ee1c3f60d149f8b2520ce8 ] + +On bsg command completion, bsg_job_done() was called while qla driver +continued to access the bsg_job buffer. bsg_job_done() would free up +resources that ended up being reused by other task while the driver +continued to access the buffers. As a result, driver was reading garbage +data. + +localhost kernel: BUG: KASAN: use-after-free in sg_next+0x64/0x80 +localhost kernel: Read of size 8 at addr ffff8883228a3330 by task swapper/26/0 +localhost kernel: +localhost kernel: CPU: 26 PID: 0 Comm: swapper/26 Kdump: +loaded Tainted: G OE --------- - - 4.18.0-193.el8.x86_64+debug #1 +localhost kernel: Hardware name: HP ProLiant DL360 +Gen9/ProLiant DL360 Gen9, BIOS P89 08/12/2016 +localhost kernel: Call Trace: +localhost kernel: +localhost kernel: dump_stack+0x9a/0xf0 +localhost kernel: print_address_description.cold.3+0x9/0x23b +localhost kernel: kasan_report.cold.4+0x65/0x95 +localhost kernel: debug_dma_unmap_sg.part.12+0x10d/0x2d0 +localhost kernel: qla2x00_bsg_sp_free+0xaf6/0x1010 [qla2xxx] + +Link: https://lore.kernel.org/r/20210329085229.4367-6-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Saurav Kashyap +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_bsg.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c +index cbaf178fc979..ce55121910e8 100644 +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -17,10 +17,11 @@ void qla2x00_bsg_job_done(srb_t *sp, int res) + struct bsg_job *bsg_job = sp->u.bsg_job; + struct fc_bsg_reply *bsg_reply = bsg_job->reply; + ++ sp->free(sp); ++ + bsg_reply->result = res; + bsg_job_done(bsg_job, bsg_reply->result, + bsg_reply->reply_payload_rcv_len); +- sp->free(sp); + } + + void qla2x00_bsg_sp_free(srb_t *sp) +-- +2.30.2 + diff --git a/queue-5.4/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch b/queue-5.4/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch new file mode 100644 index 00000000000..427b1c0cbc9 --- /dev/null +++ b/queue-5.4/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch @@ -0,0 +1,42 @@ +From 2d7d5901376f70efbac07460c0b81673bc3371bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Mar 2021 16:11:54 -0400 +Subject: scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg() + +From: Ewan D. Milne + +[ Upstream commit bc3f2b42b70eb1b8576e753e7d0e117bbb674496 ] + +Some arrays return ILLEGAL_REQUEST with ASC 00h if they don't support the +RTPG extended header so remove the check for INVALID FIELD IN CDB. + +Link: https://lore.kernel.org/r/20210331201154.20348-1-emilne@redhat.com +Reviewed-by: Hannes Reinecke +Signed-off-by: Ewan D. Milne +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/device_handler/scsi_dh_alua.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c +index 308bda2e9c00..df5a3bbeba5e 100644 +--- a/drivers/scsi/device_handler/scsi_dh_alua.c ++++ b/drivers/scsi/device_handler/scsi_dh_alua.c +@@ -565,10 +565,11 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg) + * even though it shouldn't according to T10. + * The retry without rtpg_ext_hdr_req set + * handles this. ++ * Note: some arrays return a sense key of ILLEGAL_REQUEST ++ * with ASC 00h if they don't support the extended header. + */ + if (!(pg->flags & ALUA_RTPG_EXT_HDR_UNSUPP) && +- sense_hdr.sense_key == ILLEGAL_REQUEST && +- sense_hdr.asc == 0x24 && sense_hdr.ascq == 0) { ++ sense_hdr.sense_key == ILLEGAL_REQUEST) { + pg->flags |= ALUA_RTPG_EXT_HDR_UNSUPP; + goto retry; + } +-- +2.30.2 + diff --git a/queue-5.4/scsi-smartpqi-add-new-pci-ids.patch b/queue-5.4/scsi-smartpqi-add-new-pci-ids.patch new file mode 100644 index 00000000000..d7472398c02 --- /dev/null +++ b/queue-5.4/scsi-smartpqi-add-new-pci-ids.patch @@ -0,0 +1,221 @@ +From b44c1bad9f872a9f6833f386a78114257fd5dfa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Mar 2021 14:17:48 -0600 +Subject: scsi: smartpqi: Add new PCI IDs + +From: Kevin Barnett + +[ Upstream commit 75fbeacca3ad30835e903002dba98dd909b4dfff ] + +Add support for newer hardware. + +Link: https://lore.kernel.org/r/161549386882.25025.2594251735886014958.stgit@brunhilda +Reviewed-by: Scott Benesh +Reviewed-by: Scott Teel +Acked-by: Martin Wilck +Signed-off-by: Kevin Barnett +Signed-off-by: Don Brace +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/smartpqi/smartpqi_init.c | 156 ++++++++++++++++++++++++++ + 1 file changed, 156 insertions(+) + +diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c +index 3480a0a66771..9bc451004184 100644 +--- a/drivers/scsi/smartpqi/smartpqi_init.c ++++ b/drivers/scsi/smartpqi/smartpqi_init.c +@@ -8146,6 +8146,10 @@ static const struct pci_device_id pqi_pci_id_table[] = { + PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, + 0x152d, 0x8a37) + }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ 0x193d, 0x8460) ++ }, + { + PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, + 0x193d, 0x1104) +@@ -8218,6 +8222,22 @@ static const struct pci_device_id pqi_pci_id_table[] = { + PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, + 0x1bd4, 0x004f) + }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ 0x1bd4, 0x0051) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ 0x1bd4, 0x0052) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ 0x1bd4, 0x0053) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ 0x1bd4, 0x0054) ++ }, + { + PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, + 0x19e5, 0xd227) +@@ -8374,6 +8394,122 @@ static const struct pci_device_id pqi_pci_id_table[] = { + PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, + PCI_VENDOR_ID_ADAPTEC2, 0x1380) + }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1400) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1402) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1410) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1411) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1412) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1420) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1430) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1440) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1441) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1450) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1452) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1460) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1461) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1462) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1470) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1471) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1472) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1480) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1490) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x1491) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x14a0) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x14a1) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x14b0) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x14b1) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x14c0) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x14c1) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x14d0) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x14e0) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_ADAPTEC2, 0x14f0) ++ }, + { + PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, + PCI_VENDOR_ID_ADVANTECH, 0x8312) +@@ -8438,6 +8574,10 @@ static const struct pci_device_id pqi_pci_id_table[] = { + PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, + PCI_VENDOR_ID_HP, 0x1001) + }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ PCI_VENDOR_ID_HP, 0x1002) ++ }, + { + PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, + PCI_VENDOR_ID_HP, 0x1100) +@@ -8446,6 +8586,22 @@ static const struct pci_device_id pqi_pci_id_table[] = { + PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, + PCI_VENDOR_ID_HP, 0x1101) + }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ 0x1590, 0x0294) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ 0x1590, 0x02db) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ 0x1590, 0x02dc) ++ }, ++ { ++ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, ++ 0x1590, 0x032e) ++ }, + { + PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f, + 0x1d8d, 0x0800) +-- +2.30.2 + diff --git a/queue-5.4/scsi-smartpqi-correct-request-leakage-during-reset-o.patch b/queue-5.4/scsi-smartpqi-correct-request-leakage-during-reset-o.patch new file mode 100644 index 00000000000..3a47c1ee25d --- /dev/null +++ b/queue-5.4/scsi-smartpqi-correct-request-leakage-during-reset-o.patch @@ -0,0 +1,52 @@ +From 3818600b9d2e455bdf2cfe95cf11e0a60951f01c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Mar 2021 14:15:03 -0600 +Subject: scsi: smartpqi: Correct request leakage during reset operations + +From: Murthy Bhat + +[ Upstream commit b622a601a13ae5974c5b0aeecb990c224b8db0d9 ] + +While failing queued I/Os in TMF path, there was a request leak and hence +stale entries in request pool with ref count being non-zero. In shutdown +path we have a BUG_ON to catch stuck I/O either in firmware or in the +driver. The stale requests caused a system crash. The I/O request pool +leakage also lead to a significant performance drop. + +Link: https://lore.kernel.org/r/161549370379.25025.12793264112620796062.stgit@brunhilda +Reviewed-by: Scott Teel +Reviewed-by: Scott Benesh +Reviewed-by: Kevin Barnett +Signed-off-by: Murthy Bhat +Signed-off-by: Don Brace +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/smartpqi/smartpqi_init.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c +index 093ed5d1eef2..3480a0a66771 100644 +--- a/drivers/scsi/smartpqi/smartpqi_init.c ++++ b/drivers/scsi/smartpqi/smartpqi_init.c +@@ -5513,6 +5513,8 @@ static void pqi_fail_io_queued_for_device(struct pqi_ctrl_info *ctrl_info, + + list_del(&io_request->request_list_entry); + set_host_byte(scmd, DID_RESET); ++ pqi_free_io_request(io_request); ++ scsi_dma_unmap(scmd); + pqi_scsi_done(scmd); + } + +@@ -5549,6 +5551,8 @@ static void pqi_fail_io_queued_for_all_devices(struct pqi_ctrl_info *ctrl_info) + + list_del(&io_request->request_list_entry); + set_host_byte(scmd, DID_RESET); ++ pqi_free_io_request(io_request); ++ scsi_dma_unmap(scmd); + pqi_scsi_done(scmd); + } + +-- +2.30.2 + diff --git a/queue-5.4/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch b/queue-5.4/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch new file mode 100644 index 00000000000..555184775e9 --- /dev/null +++ b/queue-5.4/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch @@ -0,0 +1,46 @@ +From beb47ffd92c419bf117452ad9a82fe5596dbd838 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Feb 2021 21:56:26 -0800 +Subject: scsi: target: pscsi: Fix warning in pscsi_complete_cmd() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chaitanya Kulkarni + +[ Upstream commit fd48c056a32ed6e7754c7c475490f3bed54ed378 ] + +This fixes a compilation warning in pscsi_complete_cmd(): + + drivers/target/target_core_pscsi.c: In function ‘pscsi_complete_cmd’: + drivers/target/target_core_pscsi.c:624:5: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] + ; /* XXX: TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE */ + +Link: https://lore.kernel.org/r/20210228055645.22253-5-chaitanya.kulkarni@wdc.com +Reviewed-by: Mike Christie +Reviewed-by: Johannes Thumshirn +Signed-off-by: Chaitanya Kulkarni +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_pscsi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c +index 5a047ce77bc0..55fe93296deb 100644 +--- a/drivers/target/target_core_pscsi.c ++++ b/drivers/target/target_core_pscsi.c +@@ -620,8 +620,9 @@ static void pscsi_complete_cmd(struct se_cmd *cmd, u8 scsi_status, + unsigned char *buf; + + buf = transport_kmap_data_sg(cmd); +- if (!buf) ++ if (!buf) { + ; /* XXX: TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE */ ++ } + + if (cdb[0] == MODE_SENSE_10) { + if (!(buf[3] & 0x80)) +-- +2.30.2 + diff --git a/queue-5.4/series b/queue-5.4/series index cf46a37bff6..331daced5e7 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -35,3 +35,90 @@ btrfs-fix-metadata-extent-leak-after-failure-to-create-subvolume.patch intel_th-pci-add-rocket-lake-cpu-support.patch posix-timers-preserve-return-value-in-clock_adjtime32.patch fbdev-zero-fill-colormap-in-fbcmap.c.patch +bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-interconnec.patch +staging-wimax-i2400m-fix-byte-order-issue.patch +spi-ath79-always-call-chipselect-function.patch +spi-ath79-remove-spi-master-setup-and-cleanup-assign.patch +crypto-api-check-for-err-pointers-in-crypto_destroy_.patch +crypto-qat-fix-unmap-invalid-dma-address.patch +usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch +usb-webcam-invalid-size-of-processing-unit-descripto.patch +genirq-matrix-prevent-allocation-counter-corruption.patch +usb-gadget-f_uac2-validate-input-parameters.patch +usb-gadget-f_uac1-validate-input-parameters.patch +usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch +usb-xhci-fix-port-minor-revision.patch +pci-pm-do-not-read-power-state-in-pci_enable_device_.patch +x86-build-propagate-clang_flags-to-realmode_flags.patch +tee-optee-do-not-check-memref-size-on-return-from-se.patch +perf-arm_pmu_platform-fix-error-handling.patch +usb-xhci-mtk-support-quirk-to-disable-usb2-lpm.patch +xhci-check-control-context-is-valid-before-dereferen.patch +xhci-fix-potential-array-out-of-bounds-with-several-.patch +spi-dln2-fix-reference-leak-to-master.patch +spi-omap-100k-fix-reference-leak-to-master.patch +spi-qup-fix-pm-reference-leak-in-spi_qup_remove.patch +usb-musb-fix-pm-reference-leak-in-musb_irq_work.patch +usb-core-hub-fix-pm-reference-leak-in-usb_port_resum.patch +tty-n_gsm-check-error-while-registering-tty-devices.patch +intel_th-consistency-and-off-by-one-fix.patch +phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch +crypto-stm32-hash-fix-pm-reference-leak-on-stm32-has.patch +crypto-stm32-cryp-fix-pm-reference-leak-on-stm32-cry.patch +crypto-omap-aes-fix-pm-reference-leak-on-omap-aes.c.patch +platform-x86-intel_pmc_core-don-t-use-global-pmcdev-.patch +btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch +drm-added-orientation-quirk-for-onegx1-pro.patch +drm-qxl-release-shadow-on-shutdown.patch +drm-amd-display-check-for-dsc-support-instead-of-asi.patch +drm-amd-display-don-t-optimize-bandwidth-before-disa.patch +scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch +scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch +scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch +media-ite-cir-check-for-receive-overflow.patch +media-drivers-media-pci-sta2x11-fix-kconfig-dependen.patch +media-imx-capture-return-epipe-from-__capture_legacy.patch +power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch +extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch +extcon-arizona-fix-various-races-on-driver-unbind.patch +media-media-saa7164-fix-saa7164_encoder_register-mem.patch +media-gspca-sq905.c-fix-uninitialized-variable.patch +power-supply-use-irqf_oneshot.patch +drm-amdgpu-mask-the-xgmi-number-of-hops-reported-fro.patch +drm-amdkfd-fix-ubsan-shift-out-of-bounds-warning.patch +drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch +drm-amd-display-fix-ubsan-warning-for-not-a-valid-va.patch +drm-amd-display-fix-dml-prefetch-validation.patch +scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch +drm-vkms-fix-misuse-of-warn_on.patch +scsi-qla2xxx-fix-use-after-free-in-bsg.patch +mmc-sdhci-pci-add-pci-ids-for-intel-lkf.patch +ata-ahci-disable-sxs-for-hisilicon-kunpeng920.patch +scsi-smartpqi-correct-request-leakage-during-reset-o.patch +scsi-smartpqi-add-new-pci-ids.patch +scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch +media-em28xx-fix-memory-leak.patch +media-vivid-update-edid.patch +clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch +power-supply-generic-adc-battery-fix-possible-use-af.patch +power-supply-s3c_adc_battery-fix-possible-use-after-.patch +media-tc358743-fix-possible-use-after-free-in-tc3587.patch +media-adv7604-fix-possible-use-after-free-in-adv76xx.patch +media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch +media-i2c-tda1997-fix-possible-use-after-free-in-tda.patch +media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch +media-platform-sti-fix-runtime-pm-imbalance-in-regs_.patch +media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch +media-gscpa-stv06xx-fix-memory-leak.patch +sched-fair-ignore-percpu-threads-for-imbalance-pulls.patch +drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch +drm-msm-mdp5-do-not-multiply-vclk-line-count-by-100.patch +drm-amdkfd-fix-cat-debugfs-hang_hws-file-causes-syst.patch +amdgpu-avoid-incorrect-hu-format-string.patch +drm-amdgpu-fix-null-pointer-dereference.patch +scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch +scsi-lpfc-fix-error-handling-for-mailboxes-completed.patch +scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch +mfd-arizona-fix-rumtime-pm-imbalance-on-error.patch +scsi-libfc-fix-a-format-specifier.patch +s390-archrandom-add-parameter-check-for-s390_arch_ra.patch diff --git a/queue-5.4/spi-ath79-always-call-chipselect-function.patch b/queue-5.4/spi-ath79-always-call-chipselect-function.patch new file mode 100644 index 00000000000..2af96823719 --- /dev/null +++ b/queue-5.4/spi-ath79-always-call-chipselect-function.patch @@ -0,0 +1,39 @@ +From e1785d1c6f9465ca3371ed41be27e415cd71706f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Mar 2021 17:08:36 +0100 +Subject: spi: ath79: always call chipselect function + +From: David Bauer + +[ Upstream commit 19e2132174583beb90c1bd3e9c842bc6d5c944d1 ] + +spi-bitbang has to call the chipselect function on the ath79 SPI driver +in order to communicate with the SPI slave device, as the ath79 SPI +driver has three dedicated chipselect lines but can also be used with +GPIOs for the CS lines. + +Fixes commit 4a07b8bcd503 ("spi: bitbang: Make chipselect callback optional") + +Signed-off-by: David Bauer +Link: https://lore.kernel.org/r/20210303160837.165771-1-mail@david-bauer.net +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-ath79.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-ath79.c b/drivers/spi/spi-ath79.c +index eb9a243e9526..436327fb58de 100644 +--- a/drivers/spi/spi-ath79.c ++++ b/drivers/spi/spi-ath79.c +@@ -158,6 +158,7 @@ static int ath79_spi_probe(struct platform_device *pdev) + master->bits_per_word_mask = SPI_BPW_RANGE_MASK(1, 32); + master->setup = spi_bitbang_setup; + master->cleanup = spi_bitbang_cleanup; ++ master->flags = SPI_MASTER_GPIO_SS; + if (pdata) { + master->bus_num = pdata->bus_num; + master->num_chipselect = pdata->num_chipselect; +-- +2.30.2 + diff --git a/queue-5.4/spi-ath79-remove-spi-master-setup-and-cleanup-assign.patch b/queue-5.4/spi-ath79-remove-spi-master-setup-and-cleanup-assign.patch new file mode 100644 index 00000000000..74d6c4bb44d --- /dev/null +++ b/queue-5.4/spi-ath79-remove-spi-master-setup-and-cleanup-assign.patch @@ -0,0 +1,41 @@ +From 35c4d593eebff43eb9eebb0a3fea7bdc4ee2802b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Mar 2021 17:08:37 +0100 +Subject: spi: ath79: remove spi-master setup and cleanup assignment + +From: David Bauer + +[ Upstream commit ffb597b2bd3cd78b9bfb68f536743cd46dbb2cc4 ] + +This removes the assignment of setup and cleanup functions for the ath79 +target. Assigning the setup-method will lead to 'setup_transfer' not +being assigned in spi_bitbang_init. Because of this, performing any +TX/RX operation will lead to a kernel oops. + +Also drop the redundant cleanup assignment, as it's also assigned in +spi_bitbang_init. + +Signed-off-by: David Bauer +Link: https://lore.kernel.org/r/20210303160837.165771-2-mail@david-bauer.net +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-ath79.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/spi/spi-ath79.c b/drivers/spi/spi-ath79.c +index 436327fb58de..98ace748cd98 100644 +--- a/drivers/spi/spi-ath79.c ++++ b/drivers/spi/spi-ath79.c +@@ -156,8 +156,6 @@ static int ath79_spi_probe(struct platform_device *pdev) + + master->use_gpio_descriptors = true; + master->bits_per_word_mask = SPI_BPW_RANGE_MASK(1, 32); +- master->setup = spi_bitbang_setup; +- master->cleanup = spi_bitbang_cleanup; + master->flags = SPI_MASTER_GPIO_SS; + if (pdata) { + master->bus_num = pdata->bus_num; +-- +2.30.2 + diff --git a/queue-5.4/spi-dln2-fix-reference-leak-to-master.patch b/queue-5.4/spi-dln2-fix-reference-leak-to-master.patch new file mode 100644 index 00000000000..33d62426dff --- /dev/null +++ b/queue-5.4/spi-dln2-fix-reference-leak-to-master.patch @@ -0,0 +1,40 @@ +From d1ec6f1c99a7628d75a9ab1d8718889e40bf3ae1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 08:29:55 +0000 +Subject: spi: dln2: Fix reference leak to master + +From: Wei Yongjun + +[ Upstream commit 9b844b087124c1538d05f40fda8a4fec75af55be ] + +Call spi_master_get() holds the reference count to master device, thus +we need an additional spi_master_put() call to reduce the reference +count, otherwise we will leak a reference to master. + +This commit fix it by removing the unnecessary spi_master_get(). + +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Link: https://lore.kernel.org/r/20210409082955.2907950-1-weiyongjun1@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-dln2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-dln2.c b/drivers/spi/spi-dln2.c +index 75b33d7d14b0..9a4d942fafcf 100644 +--- a/drivers/spi/spi-dln2.c ++++ b/drivers/spi/spi-dln2.c +@@ -780,7 +780,7 @@ exit_free_master: + + static int dln2_spi_remove(struct platform_device *pdev) + { +- struct spi_master *master = spi_master_get(platform_get_drvdata(pdev)); ++ struct spi_master *master = platform_get_drvdata(pdev); + struct dln2_spi *dln2 = spi_master_get_devdata(master); + + pm_runtime_disable(&pdev->dev); +-- +2.30.2 + diff --git a/queue-5.4/spi-omap-100k-fix-reference-leak-to-master.patch b/queue-5.4/spi-omap-100k-fix-reference-leak-to-master.patch new file mode 100644 index 00000000000..f8130f63385 --- /dev/null +++ b/queue-5.4/spi-omap-100k-fix-reference-leak-to-master.patch @@ -0,0 +1,58 @@ +From 2a22b9a7f7d9f8e19427f92f56434b1fc03f7a1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 08:29:54 +0000 +Subject: spi: omap-100k: Fix reference leak to master + +From: Wei Yongjun + +[ Upstream commit a23faea76d4cf5f75decb574491e66f9ecd707e7 ] + +Call spi_master_get() holds the reference count to master device, thus +we need an additional spi_master_put() call to reduce the reference +count, otherwise we will leak a reference to master. + +This commit fix it by removing the unnecessary spi_master_get(). + +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Link: https://lore.kernel.org/r/20210409082954.2906933-1-weiyongjun1@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-omap-100k.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c +index b955ca8796d2..b8e201c09484 100644 +--- a/drivers/spi/spi-omap-100k.c ++++ b/drivers/spi/spi-omap-100k.c +@@ -426,7 +426,7 @@ err: + + static int omap1_spi100k_remove(struct platform_device *pdev) + { +- struct spi_master *master = spi_master_get(platform_get_drvdata(pdev)); ++ struct spi_master *master = platform_get_drvdata(pdev); + struct omap1_spi100k *spi100k = spi_master_get_devdata(master); + + pm_runtime_disable(&pdev->dev); +@@ -440,7 +440,7 @@ static int omap1_spi100k_remove(struct platform_device *pdev) + #ifdef CONFIG_PM + static int omap1_spi100k_runtime_suspend(struct device *dev) + { +- struct spi_master *master = spi_master_get(dev_get_drvdata(dev)); ++ struct spi_master *master = dev_get_drvdata(dev); + struct omap1_spi100k *spi100k = spi_master_get_devdata(master); + + clk_disable_unprepare(spi100k->ick); +@@ -451,7 +451,7 @@ static int omap1_spi100k_runtime_suspend(struct device *dev) + + static int omap1_spi100k_runtime_resume(struct device *dev) + { +- struct spi_master *master = spi_master_get(dev_get_drvdata(dev)); ++ struct spi_master *master = dev_get_drvdata(dev); + struct omap1_spi100k *spi100k = spi_master_get_devdata(master); + int ret; + +-- +2.30.2 + diff --git a/queue-5.4/spi-qup-fix-pm-reference-leak-in-spi_qup_remove.patch b/queue-5.4/spi-qup-fix-pm-reference-leak-in-spi_qup_remove.patch new file mode 100644 index 00000000000..6b9cdd46197 --- /dev/null +++ b/queue-5.4/spi-qup-fix-pm-reference-leak-in-spi_qup_remove.patch @@ -0,0 +1,40 @@ +From df1027a2fbb3bf0f8de701ce0e183d0b6c559df4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 09:54:58 +0000 +Subject: spi: qup: fix PM reference leak in spi_qup_remove() + +From: Wang Li + +[ Upstream commit cec77e0a249892ceb10061bf17b63f9fb111d870 ] + +pm_runtime_get_sync will increment pm usage counter even it failed. +Forgetting to putting operation will result in reference leak here. +Fix it by replacing it with pm_runtime_resume_and_get to keep usage +counter balanced. + +Reported-by: Hulk Robot +Signed-off-by: Wang Li +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20210409095458.29921-1-wangli74@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-qup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-qup.c b/drivers/spi/spi-qup.c +index fa8079fbea77..d1dfb52008b4 100644 +--- a/drivers/spi/spi-qup.c ++++ b/drivers/spi/spi-qup.c +@@ -1263,7 +1263,7 @@ static int spi_qup_remove(struct platform_device *pdev) + struct spi_qup *controller = spi_master_get_devdata(master); + int ret; + +- ret = pm_runtime_get_sync(&pdev->dev); ++ ret = pm_runtime_resume_and_get(&pdev->dev); + if (ret < 0) + return ret; + +-- +2.30.2 + diff --git a/queue-5.4/staging-wimax-i2400m-fix-byte-order-issue.patch b/queue-5.4/staging-wimax-i2400m-fix-byte-order-issue.patch new file mode 100644 index 00000000000..a6e3af5e968 --- /dev/null +++ b/queue-5.4/staging-wimax-i2400m-fix-byte-order-issue.patch @@ -0,0 +1,36 @@ +From 47c80f3b577e224a2c4973ecf9d2a90c1ee08ca9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Feb 2021 21:01:05 +0530 +Subject: staging: wimax/i2400m: fix byte-order issue + +From: karthik alapati + +[ Upstream commit 0c37baae130df39b19979bba88bde2ee70a33355 ] + +fix sparse byte-order warnings by converting host byte-order +type to __le16 byte-order types before assigning to hdr.length + +Signed-off-by: karthik alapati +Link: https://lore.kernel.org/r/0ae5c5c4c646506d8be871e7be5705542671a1d5.1613921277.git.mail@karthek.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/net/wimax/i2400m/op-rfkill.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wimax/i2400m/op-rfkill.c b/drivers/net/wimax/i2400m/op-rfkill.c +index 5c79f052cad2..34f81f16b5a0 100644 +--- a/drivers/net/wimax/i2400m/op-rfkill.c ++++ b/drivers/net/wimax/i2400m/op-rfkill.c +@@ -86,7 +86,7 @@ int i2400m_op_rfkill_sw_toggle(struct wimax_dev *wimax_dev, + if (cmd == NULL) + goto error_alloc; + cmd->hdr.type = cpu_to_le16(I2400M_MT_CMD_RF_CONTROL); +- cmd->hdr.length = sizeof(cmd->sw_rf); ++ cmd->hdr.length = cpu_to_le16(sizeof(cmd->sw_rf)); + cmd->hdr.version = cpu_to_le16(I2400M_L3L4_VERSION); + cmd->sw_rf.hdr.type = cpu_to_le16(I2400M_TLV_RF_OPERATION); + cmd->sw_rf.hdr.length = cpu_to_le16(sizeof(cmd->sw_rf.status)); +-- +2.30.2 + diff --git a/queue-5.4/tee-optee-do-not-check-memref-size-on-return-from-se.patch b/queue-5.4/tee-optee-do-not-check-memref-size-on-return-from-se.patch new file mode 100644 index 00000000000..c4aae9c8b32 --- /dev/null +++ b/queue-5.4/tee-optee-do-not-check-memref-size-on-return-from-se.patch @@ -0,0 +1,54 @@ +From d258ab1d57817b4304ed022534b58b3511b1634b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Mar 2021 11:40:37 +0100 +Subject: tee: optee: do not check memref size on return from Secure World + +From: Jerome Forissier + +[ Upstream commit c650b8dc7a7910eb25af0aac1720f778b29e679d ] + +When Secure World returns, it may have changed the size attribute of the +memory references passed as [in/out] parameters. The GlobalPlatform TEE +Internal Core API specification does not restrict the values that this +size can take. In particular, Secure World may increase the value to be +larger than the size of the input buffer to indicate that it needs more. + +Therefore, the size check in optee_from_msg_param() is incorrect and +needs to be removed. This fixes a number of failed test cases in the +GlobalPlatform TEE Initial Configuratiom Test Suite v2_0_0_0-2017_06_09 +when OP-TEE is compiled without dynamic shared memory support +(CFG_CORE_DYN_SHM=n). + +Reviewed-by: Sumit Garg +Suggested-by: Jens Wiklander +Signed-off-by: Jerome Forissier +Signed-off-by: Jens Wiklander +Signed-off-by: Sasha Levin +--- + drivers/tee/optee/core.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c +index b830e0a87fba..ba6cfba589a6 100644 +--- a/drivers/tee/optee/core.c ++++ b/drivers/tee/optee/core.c +@@ -78,16 +78,6 @@ int optee_from_msg_param(struct tee_param *params, size_t num_params, + return rc; + p->u.memref.shm_offs = mp->u.tmem.buf_ptr - pa; + p->u.memref.shm = shm; +- +- /* Check that the memref is covered by the shm object */ +- if (p->u.memref.size) { +- size_t o = p->u.memref.shm_offs + +- p->u.memref.size - 1; +- +- rc = tee_shm_get_pa(shm, o, NULL); +- if (rc) +- return rc; +- } + break; + case OPTEE_MSG_ATTR_TYPE_RMEM_INPUT: + case OPTEE_MSG_ATTR_TYPE_RMEM_OUTPUT: +-- +2.30.2 + diff --git a/queue-5.4/tty-n_gsm-check-error-while-registering-tty-devices.patch b/queue-5.4/tty-n_gsm-check-error-while-registering-tty-devices.patch new file mode 100644 index 00000000000..9b2171015ec --- /dev/null +++ b/queue-5.4/tty-n_gsm-check-error-while-registering-tty-devices.patch @@ -0,0 +1,101 @@ +From 122b264d557225c0be7c2192a8c5515eb8dc1f73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Apr 2021 11:57:58 +0800 +Subject: tty: n_gsm: check error while registering tty devices + +From: Hillf Danton + +[ Upstream commit 0a360e8b65d62fe1a994f0a8da4f8d20877b2100 ] + +Add the error path for registering tty devices and roll back in case of error +in bid to avoid the UAF like the below one reported. + +Plus syzbot reported general protection fault in cdev_del() on Sep 24, 2020 +and both cases are down to the kobject_put() in tty_cdev_add(). + + ------------[ cut here ]------------ + refcount_t: underflow; use-after-free. + WARNING: CPU: 1 PID: 8923 at lib/refcount.c:28 + refcount_warn_saturate+0x1cf/0x210 -origin/lib/refcount.c:28 + Modules linked in: + CPU: 1 PID: 8923 Comm: executor Not tainted 5.12.0-rc5+ #8 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS + 1.13.0-1ubuntu1.1 04/01/2014 + RIP: 0010:refcount_warn_saturate+0x1cf/0x210 -origin/lib/refcount.c:28 + Code: 4f ff ff ff e8 32 fa b5 fe 48 c7 c7 3d f8 f6 86 e8 d6 ab c6 fe + c6 05 7c 34 67 04 01 48 c7 c7 68 f8 6d 86 31 c0 e8 81 2e 9d fe <0f> 0b + e9 22 ff ff ff e8 05 fa b5 fe 48 c7 c7 3e f8 f6 86 e8 a9 ab + RSP: 0018:ffffc90001633c60 EFLAGS: 00010246 + RAX: 15d08b2e34b77800 RBX: 0000000000000003 RCX: ffff88804c056c80 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: 0000000000000003 R08: ffffffff813767aa R09: 0001ffffffffffff + R10: 0001ffffffffffff R11: ffff88804c056c80 R12: ffff888040b7d000 + R13: ffff88804c206938 R14: ffff88804c206900 R15: ffff888041b18488 + FS: 00000000022c9940(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f9f9b122008 CR3: 0000000044b4b000 CR4: 0000000000750ee0 + PKRU: 55555554 + Call Trace: + __refcount_sub_and_test -origin/./include/linux/refcount.h:283 [inline] + __refcount_dec_and_test -origin/./include/linux/refcount.h:315 [inline] + refcount_dec_and_test -origin/./include/linux/refcount.h:333 [inline] + kref_put -origin/./include/linux/kref.h:64 [inline] + kobject_put+0x17b/0x180 -origin/lib/kobject.c:753 + cdev_del+0x4b/0x50 -origin/fs/char_dev.c:597 + tty_unregister_device+0x99/0xd0 -origin/drivers/tty/tty_io.c:3343 + gsmld_detach_gsm -origin/drivers/tty/n_gsm.c:2409 [inline] + gsmld_close+0x6c/0x140 -origin/drivers/tty/n_gsm.c:2478 + tty_ldisc_close -origin/drivers/tty/tty_ldisc.c:488 [inline] + tty_ldisc_kill -origin/drivers/tty/tty_ldisc.c:636 [inline] + tty_ldisc_release+0x1b6/0x400 -origin/drivers/tty/tty_ldisc.c:809 + tty_release_struct+0x19/0xb0 -origin/drivers/tty/tty_io.c:1714 + tty_release+0x9ad/0xa00 -origin/drivers/tty/tty_io.c:1885 + __fput+0x260/0x4e0 -origin/fs/file_table.c:280 + ____fput+0x11/0x20 -origin/fs/file_table.c:313 + task_work_run+0x8e/0x110 -origin/kernel/task_work.c:140 + tracehook_notify_resume -origin/./include/linux/tracehook.h:189 [inline] + exit_to_user_mode_loop -origin/kernel/entry/common.c:174 [inline] + exit_to_user_mode_prepare+0x16b/0x1a0 -origin/kernel/entry/common.c:208 + __syscall_exit_to_user_mode_work -origin/kernel/entry/common.c:290 [inline] + syscall_exit_to_user_mode+0x20/0x40 -origin/kernel/entry/common.c:301 + do_syscall_64+0x45/0x80 -origin/arch/x86/entry/common.c:56 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Reported-by: syzbot+c49fe6089f295a05e6f8@syzkaller.appspotmail.com +Reported-and-tested-by: Hao Sun +Signed-off-by: Hillf Danton +Link: https://lore.kernel.org/r/20210412035758.1974-1-hdanton@sina.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_gsm.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index 75408b9f232d..38eb49ba361f 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -2377,8 +2377,18 @@ static int gsmld_attach_gsm(struct tty_struct *tty, struct gsm_mux *gsm) + /* Don't register device 0 - this is the control channel and not + a usable tty interface */ + base = mux_num_to_base(gsm); /* Base for this MUX */ +- for (i = 1; i < NUM_DLCI; i++) +- tty_register_device(gsm_tty_driver, base + i, NULL); ++ for (i = 1; i < NUM_DLCI; i++) { ++ struct device *dev; ++ ++ dev = tty_register_device(gsm_tty_driver, ++ base + i, NULL); ++ if (IS_ERR(dev)) { ++ for (i--; i >= 1; i--) ++ tty_unregister_device(gsm_tty_driver, ++ base + i); ++ return PTR_ERR(dev); ++ } ++ } + } + return ret; + } +-- +2.30.2 + diff --git a/queue-5.4/usb-core-hub-fix-pm-reference-leak-in-usb_port_resum.patch b/queue-5.4/usb-core-hub-fix-pm-reference-leak-in-usb_port_resum.patch new file mode 100644 index 00000000000..b8b60376efc --- /dev/null +++ b/queue-5.4/usb-core-hub-fix-pm-reference-leak-in-usb_port_resum.patch @@ -0,0 +1,39 @@ +From e95cf0cd9bf6db85a83e36153be0f2198258d857 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 21:08:31 +0800 +Subject: usb: core: hub: Fix PM reference leak in usb_port_resume() + +From: Bixuan Cui + +[ Upstream commit 025f97d188006eeee4417bb475a6878d1e0eed3f ] + +pm_runtime_get_sync will increment pm usage counter even it failed. +thus a pairing decrement is needed. +Fix it by replacing it with pm_runtime_resume_and_get to keep usage +counter balanced. + +Reported-by: Hulk Robot +Signed-off-by: Bixuan Cui +Link: https://lore.kernel.org/r/20210408130831.56239-1-cuibixuan@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/hub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 4d3de33885ff..cd61860cada5 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -3537,7 +3537,7 @@ int usb_port_resume(struct usb_device *udev, pm_message_t msg) + u16 portchange, portstatus; + + if (!test_and_set_bit(port1, hub->child_usage_bits)) { +- status = pm_runtime_get_sync(&port_dev->dev); ++ status = pm_runtime_resume_and_get(&port_dev->dev); + if (status < 0) { + dev_dbg(&udev->dev, "can't resume usb port, status %d\n", + status); +-- +2.30.2 + diff --git a/queue-5.4/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch b/queue-5.4/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch new file mode 100644 index 00000000000..79858754573 --- /dev/null +++ b/queue-5.4/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch @@ -0,0 +1,48 @@ +From b4bfe41929d063947b0bc5268e08714be4dcb54d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 02:31:25 -0700 +Subject: usb: dwc3: gadget: Ignore EP queue requests during bus reset + +From: Wesley Cheng + +[ Upstream commit 71ca43f30df9c642970f9dc9b2d6f463f4967e7b ] + +The current dwc3_gadget_reset_interrupt() will stop any active +transfers, but only addresses blocking of EP queuing for while we are +coming from a disconnected scenario, i.e. after receiving the disconnect +event. If the host decides to issue a bus reset on the device, the +connected parameter will still be set to true, allowing for EP queuing +to continue while we are disabling the functions. To avoid this, set the +connected flag to false until the stop active transfers is complete. + +Signed-off-by: Wesley Cheng +Link: https://lore.kernel.org/r/1616146285-19149-3-git-send-email-wcheng@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 904b0043011c..aa520c343367 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2986,6 +2986,15 @@ static void dwc3_gadget_reset_interrupt(struct dwc3 *dwc) + + dwc->connected = true; + ++ /* ++ * Ideally, dwc3_reset_gadget() would trigger the function ++ * drivers to stop any active transfers through ep disable. ++ * However, for functions which defer ep disable, such as mass ++ * storage, we will need to rely on the call to stop active ++ * transfers here, and avoid allowing of request queuing. ++ */ ++ dwc->connected = false; ++ + /* + * WORKAROUND: DWC3 revisions <1.88a have an issue which + * would cause a missing Disconnect Event if there's a +-- +2.30.2 + diff --git a/queue-5.4/usb-gadget-f_uac1-validate-input-parameters.patch b/queue-5.4/usb-gadget-f_uac1-validate-input-parameters.patch new file mode 100644 index 00000000000..d6a40be9680 --- /dev/null +++ b/queue-5.4/usb-gadget-f_uac1-validate-input-parameters.patch @@ -0,0 +1,113 @@ +From 702436979c787473285586588514dd67d45f987f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 13:49:34 +0200 +Subject: usb: gadget: f_uac1: validate input parameters + +From: Ruslan Bilovol + +[ Upstream commit a59c68a6a3d1b18e2494f526eb19893a34fa6ec6 ] + +Currently user can configure UAC1 function with +parameters that violate UAC1 spec or are not supported +by UAC1 gadget implementation. + +This can lead to incorrect behavior if such gadget +is connected to the host - like enumeration failure +or other issues depending on host's UAC1 driver +implementation, bringing user to a long hours +of debugging the issue. + +Instead of silently accept these parameters, throw +an error if they are not valid. + +Signed-off-by: Ruslan Bilovol +Link: https://lore.kernel.org/r/1614599375-8803-5-git-send-email-ruslan.bilovol@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_uac1.c | 43 ++++++++++++++++++++++++++++ + 1 file changed, 43 insertions(+) + +diff --git a/drivers/usb/gadget/function/f_uac1.c b/drivers/usb/gadget/function/f_uac1.c +index 560382e0a8f3..e65f474ad7b3 100644 +--- a/drivers/usb/gadget/function/f_uac1.c ++++ b/drivers/usb/gadget/function/f_uac1.c +@@ -19,6 +19,9 @@ + #include "u_audio.h" + #include "u_uac1.h" + ++/* UAC1 spec: 3.7.2.3 Audio Channel Cluster Format */ ++#define UAC1_CHANNEL_MASK 0x0FFF ++ + struct f_uac1 { + struct g_audio g_audio; + u8 ac_intf, as_in_intf, as_out_intf; +@@ -30,6 +33,11 @@ static inline struct f_uac1 *func_to_uac1(struct usb_function *f) + return container_of(f, struct f_uac1, g_audio.func); + } + ++static inline struct f_uac1_opts *g_audio_to_uac1_opts(struct g_audio *audio) ++{ ++ return container_of(audio->func.fi, struct f_uac1_opts, func_inst); ++} ++ + /* + * DESCRIPTORS ... most are static, but strings and full + * configuration descriptors are built on demand. +@@ -505,11 +513,42 @@ static void f_audio_disable(struct usb_function *f) + + /*-------------------------------------------------------------------------*/ + ++static int f_audio_validate_opts(struct g_audio *audio, struct device *dev) ++{ ++ struct f_uac1_opts *opts = g_audio_to_uac1_opts(audio); ++ ++ if (!opts->p_chmask && !opts->c_chmask) { ++ dev_err(dev, "Error: no playback and capture channels\n"); ++ return -EINVAL; ++ } else if (opts->p_chmask & ~UAC1_CHANNEL_MASK) { ++ dev_err(dev, "Error: unsupported playback channels mask\n"); ++ return -EINVAL; ++ } else if (opts->c_chmask & ~UAC1_CHANNEL_MASK) { ++ dev_err(dev, "Error: unsupported capture channels mask\n"); ++ return -EINVAL; ++ } else if ((opts->p_ssize < 1) || (opts->p_ssize > 4)) { ++ dev_err(dev, "Error: incorrect playback sample size\n"); ++ return -EINVAL; ++ } else if ((opts->c_ssize < 1) || (opts->c_ssize > 4)) { ++ dev_err(dev, "Error: incorrect capture sample size\n"); ++ return -EINVAL; ++ } else if (!opts->p_srate) { ++ dev_err(dev, "Error: incorrect playback sampling rate\n"); ++ return -EINVAL; ++ } else if (!opts->c_srate) { ++ dev_err(dev, "Error: incorrect capture sampling rate\n"); ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + /* audio function driver setup/binding */ + static int f_audio_bind(struct usb_configuration *c, struct usb_function *f) + { + struct usb_composite_dev *cdev = c->cdev; + struct usb_gadget *gadget = cdev->gadget; ++ struct device *dev = &gadget->dev; + struct f_uac1 *uac1 = func_to_uac1(f); + struct g_audio *audio = func_to_g_audio(f); + struct f_uac1_opts *audio_opts; +@@ -519,6 +558,10 @@ static int f_audio_bind(struct usb_configuration *c, struct usb_function *f) + int rate; + int status; + ++ status = f_audio_validate_opts(audio, dev); ++ if (status) ++ return status; ++ + audio_opts = container_of(f->fi, struct f_uac1_opts, func_inst); + + us = usb_gstrings_attach(cdev, uac1_strings, ARRAY_SIZE(strings_uac1)); +-- +2.30.2 + diff --git a/queue-5.4/usb-gadget-f_uac2-validate-input-parameters.patch b/queue-5.4/usb-gadget-f_uac2-validate-input-parameters.patch new file mode 100644 index 00000000000..7c8fa1e49d1 --- /dev/null +++ b/queue-5.4/usb-gadget-f_uac2-validate-input-parameters.patch @@ -0,0 +1,100 @@ +From 7bfa9df46acfc22c17e22bf935ad9c7d0d5f9354 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 13:49:33 +0200 +Subject: usb: gadget: f_uac2: validate input parameters + +From: Ruslan Bilovol + +[ Upstream commit 3713d5ceb04d5ab6a5e2b86dfca49170053f3a5e ] + +Currently user can configure UAC2 function with +parameters that violate UAC2 spec or are not supported +by UAC2 gadget implementation. + +This can lead to incorrect behavior if such gadget +is connected to the host - like enumeration failure +or other issues depending on host's UAC2 driver +implementation, bringing user to a long hours +of debugging the issue. + +Instead of silently accept these parameters, throw +an error if they are not valid. + +Signed-off-by: Ruslan Bilovol +Link: https://lore.kernel.org/r/1614599375-8803-4-git-send-email-ruslan.bilovol@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_uac2.c | 39 ++++++++++++++++++++++++++-- + 1 file changed, 37 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c +index 6f03e944e0e3..dd960cea642f 100644 +--- a/drivers/usb/gadget/function/f_uac2.c ++++ b/drivers/usb/gadget/function/f_uac2.c +@@ -14,6 +14,9 @@ + #include "u_audio.h" + #include "u_uac2.h" + ++/* UAC2 spec: 4.1 Audio Channel Cluster Descriptor */ ++#define UAC2_CHANNEL_MASK 0x07FFFFFF ++ + /* + * The driver implements a simple UAC_2 topology. + * USB-OUT -> IT_1 -> OT_3 -> ALSA_Capture +@@ -604,6 +607,36 @@ static void setup_descriptor(struct f_uac2_opts *opts) + hs_audio_desc[i] = NULL; + } + ++static int afunc_validate_opts(struct g_audio *agdev, struct device *dev) ++{ ++ struct f_uac2_opts *opts = g_audio_to_uac2_opts(agdev); ++ ++ if (!opts->p_chmask && !opts->c_chmask) { ++ dev_err(dev, "Error: no playback and capture channels\n"); ++ return -EINVAL; ++ } else if (opts->p_chmask & ~UAC2_CHANNEL_MASK) { ++ dev_err(dev, "Error: unsupported playback channels mask\n"); ++ return -EINVAL; ++ } else if (opts->c_chmask & ~UAC2_CHANNEL_MASK) { ++ dev_err(dev, "Error: unsupported capture channels mask\n"); ++ return -EINVAL; ++ } else if ((opts->p_ssize < 1) || (opts->p_ssize > 4)) { ++ dev_err(dev, "Error: incorrect playback sample size\n"); ++ return -EINVAL; ++ } else if ((opts->c_ssize < 1) || (opts->c_ssize > 4)) { ++ dev_err(dev, "Error: incorrect capture sample size\n"); ++ return -EINVAL; ++ } else if (!opts->p_srate) { ++ dev_err(dev, "Error: incorrect playback sampling rate\n"); ++ return -EINVAL; ++ } else if (!opts->c_srate) { ++ dev_err(dev, "Error: incorrect capture sampling rate\n"); ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + static int + afunc_bind(struct usb_configuration *cfg, struct usb_function *fn) + { +@@ -612,11 +645,13 @@ afunc_bind(struct usb_configuration *cfg, struct usb_function *fn) + struct usb_composite_dev *cdev = cfg->cdev; + struct usb_gadget *gadget = cdev->gadget; + struct device *dev = &gadget->dev; +- struct f_uac2_opts *uac2_opts; ++ struct f_uac2_opts *uac2_opts = g_audio_to_uac2_opts(agdev); + struct usb_string *us; + int ret; + +- uac2_opts = container_of(fn->fi, struct f_uac2_opts, func_inst); ++ ret = afunc_validate_opts(agdev, dev); ++ if (ret) ++ return ret; + + us = usb_gstrings_attach(cdev, fn_strings, ARRAY_SIZE(strings_fn)); + if (IS_ERR(us)) +-- +2.30.2 + diff --git a/queue-5.4/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch b/queue-5.4/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch new file mode 100644 index 00000000000..c7f2f882e00 --- /dev/null +++ b/queue-5.4/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch @@ -0,0 +1,52 @@ +From 49794ca9080606570c60222441cedbef1346028c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Mar 2021 13:53:38 +0100 +Subject: usb: gadget: uvc: add bInterval checking for HS mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pawel Laszczak + +[ Upstream commit 26adde04acdff14a1f28d4a5dce46a8513a3038b ] + +Patch adds extra checking for bInterval passed by configfs. +The 5.6.4 chapter of USB Specification (rev. 2.0) say: +"A high-bandwidth endpoint must specify a period of 1x125 µs +(i.e., a bInterval value of 1)." + +The issue was observed during testing UVC class on CV. +I treat this change as improvement because we can control +bInterval by configfs. + +Reviewed-by: Peter Chen +Reviewed-by: Laurent Pinchart +Signed-off-by: Pawel Laszczak +Link: https://lore.kernel.org/r/20210308125338.4824-1-pawell@gli-login.cadence.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_uvc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c +index fb0a892687c0..79ecdbb936c1 100644 +--- a/drivers/usb/gadget/function/f_uvc.c ++++ b/drivers/usb/gadget/function/f_uvc.c +@@ -633,7 +633,12 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f) + + uvc_hs_streaming_ep.wMaxPacketSize = + cpu_to_le16(max_packet_size | ((max_packet_mult - 1) << 11)); +- uvc_hs_streaming_ep.bInterval = opts->streaming_interval; ++ ++ /* A high-bandwidth endpoint must specify a bInterval value of 1 */ ++ if (max_packet_mult > 1) ++ uvc_hs_streaming_ep.bInterval = 1; ++ else ++ uvc_hs_streaming_ep.bInterval = opts->streaming_interval; + + uvc_ss_streaming_ep.wMaxPacketSize = cpu_to_le16(max_packet_size); + uvc_ss_streaming_ep.bInterval = opts->streaming_interval; +-- +2.30.2 + diff --git a/queue-5.4/usb-musb-fix-pm-reference-leak-in-musb_irq_work.patch b/queue-5.4/usb-musb-fix-pm-reference-leak-in-musb_irq_work.patch new file mode 100644 index 00000000000..6a48fe38ce6 --- /dev/null +++ b/queue-5.4/usb-musb-fix-pm-reference-leak-in-musb_irq_work.patch @@ -0,0 +1,39 @@ +From 9157c15ee6dd580c99d37d20d75e8924a6811668 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 17:18:36 +0800 +Subject: usb: musb: fix PM reference leak in musb_irq_work() + +From: Bixuan Cui + +[ Upstream commit 9535b99533904e9bc1607575aa8e9539a55435d7 ] + +pm_runtime_get_sync will increment pm usage counter even it failed. +thus a pairing decrement is needed. +Fix it by replacing it with pm_runtime_resume_and_get to keep usage +counter balanced. + +Reported-by: Hulk Robot +Signed-off-by: Bixuan Cui +Link: https://lore.kernel.org/r/20210408091836.55227-1-cuibixuan@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/musb/musb_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c +index 166f68f639c2..70ef603f7bb9 100644 +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -1932,7 +1932,7 @@ static void musb_irq_work(struct work_struct *data) + struct musb *musb = container_of(data, struct musb, irq_work.work); + int error; + +- error = pm_runtime_get_sync(musb->controller); ++ error = pm_runtime_resume_and_get(musb->controller); + if (error < 0) { + dev_err(musb->controller, "Could not enable: %i\n", error); + +-- +2.30.2 + diff --git a/queue-5.4/usb-webcam-invalid-size-of-processing-unit-descripto.patch b/queue-5.4/usb-webcam-invalid-size-of-processing-unit-descripto.patch new file mode 100644 index 00000000000..6aba4006d9b --- /dev/null +++ b/queue-5.4/usb-webcam-invalid-size-of-processing-unit-descripto.patch @@ -0,0 +1,75 @@ +From f8b49faab1707bdcf394aadc771c0476ab83cb2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Mar 2021 08:17:48 +0100 +Subject: usb: webcam: Invalid size of Processing Unit Descriptor + +From: Pawel Laszczak + +[ Upstream commit 6a154ec9ef6762c774cd2b50215c7a8f0f08a862 ] + +According with USB Device Class Definition for Video Device the +Processing Unit Descriptor bLength should be 12 (10 + bmControlSize), +but it has 11. + +Invalid length caused that Processing Unit Descriptor Test Video form +CV tool failed. To fix this issue patch adds bmVideoStandards into +uvc_processing_unit_descriptor structure. + +The bmVideoStandards field was added in UVC 1.1 and it wasn't part of +UVC 1.0a. + +Reviewed-by: Laurent Pinchart +Signed-off-by: Pawel Laszczak +Reviewed-by: Peter Chen +Link: https://lore.kernel.org/r/20210315071748.29706-1-pawell@gli-login.cadence.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_uvc.c | 1 + + drivers/usb/gadget/legacy/webcam.c | 1 + + include/uapi/linux/usb/video.h | 3 ++- + 3 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c +index 79ecdbb936c1..c03b67aab1a8 100644 +--- a/drivers/usb/gadget/function/f_uvc.c ++++ b/drivers/usb/gadget/function/f_uvc.c +@@ -822,6 +822,7 @@ static struct usb_function_instance *uvc_alloc_inst(void) + pd->bmControls[0] = 1; + pd->bmControls[1] = 0; + pd->iProcessing = 0; ++ pd->bmVideoStandards = 0; + + od = &opts->uvc_output_terminal; + od->bLength = UVC_DT_OUTPUT_TERMINAL_SIZE; +diff --git a/drivers/usb/gadget/legacy/webcam.c b/drivers/usb/gadget/legacy/webcam.c +index a9f8eb8e1c76..2c9eab2b863d 100644 +--- a/drivers/usb/gadget/legacy/webcam.c ++++ b/drivers/usb/gadget/legacy/webcam.c +@@ -125,6 +125,7 @@ static const struct uvc_processing_unit_descriptor uvc_processing = { + .bmControls[0] = 1, + .bmControls[1] = 0, + .iProcessing = 0, ++ .bmVideoStandards = 0, + }; + + static const struct uvc_output_terminal_descriptor uvc_output_terminal = { +diff --git a/include/uapi/linux/usb/video.h b/include/uapi/linux/usb/video.h +index d854cb19c42c..bfdae12cdacf 100644 +--- a/include/uapi/linux/usb/video.h ++++ b/include/uapi/linux/usb/video.h +@@ -302,9 +302,10 @@ struct uvc_processing_unit_descriptor { + __u8 bControlSize; + __u8 bmControls[2]; + __u8 iProcessing; ++ __u8 bmVideoStandards; + } __attribute__((__packed__)); + +-#define UVC_DT_PROCESSING_UNIT_SIZE(n) (9+(n)) ++#define UVC_DT_PROCESSING_UNIT_SIZE(n) (10+(n)) + + /* 3.7.2.6. Extension Unit Descriptor */ + struct uvc_extension_unit_descriptor { +-- +2.30.2 + diff --git a/queue-5.4/usb-xhci-fix-port-minor-revision.patch b/queue-5.4/usb-xhci-fix-port-minor-revision.patch new file mode 100644 index 00000000000..221c638e47e --- /dev/null +++ b/queue-5.4/usb-xhci-fix-port-minor-revision.patch @@ -0,0 +1,51 @@ +From 6b60fa57e4673103d3af81a52bc45ec458695915 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 19:43:21 -0800 +Subject: usb: xhci: Fix port minor revision + +From: Thinh Nguyen + +[ Upstream commit 64364bc912c01b33bba6c22e3ccb849bfca96398 ] + +Some hosts incorrectly use sub-minor version for minor version (i.e. +0x02 instead of 0x20 for bcdUSB 0x320 and 0x01 for bcdUSB 0x310). +Currently the xHCI driver works around this by just checking for minor +revision > 0x01 for USB 3.1 everywhere. With the addition of USB 3.2, +checking this gets a bit cumbersome. Since there is no USB release with +bcdUSB 0x301 to 0x309, we can assume that sub-minor version 01 to 09 is +incorrect. Let's try to fix this and use the minor revision that matches +with the USB/xHCI spec to help with the version checking within the +driver. + +Acked-by: Mathias Nyman +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/ed330e95a19dc367819c5b4d78bf7a541c35aa0a.1615432770.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-mem.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index 9764122c9cdf..7f9f302a73cd 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -2134,6 +2134,15 @@ static void xhci_add_in_port(struct xhci_hcd *xhci, unsigned int num_ports, + + if (major_revision == 0x03) { + rhub = &xhci->usb3_rhub; ++ /* ++ * Some hosts incorrectly use sub-minor version for minor ++ * version (i.e. 0x02 instead of 0x20 for bcdUSB 0x320 and 0x01 ++ * for bcdUSB 0x310). Since there is no USB release with sub ++ * minor version 0x301 to 0x309, we can assume that they are ++ * incorrect and fix it here. ++ */ ++ if (minor_revision > 0x00 && minor_revision < 0x10) ++ minor_revision <<= 4; + } else if (major_revision <= 0x02) { + rhub = &xhci->usb2_rhub; + } else { +-- +2.30.2 + diff --git a/queue-5.4/usb-xhci-mtk-support-quirk-to-disable-usb2-lpm.patch b/queue-5.4/usb-xhci-mtk-support-quirk-to-disable-usb2-lpm.patch new file mode 100644 index 00000000000..5edfde9b5b1 --- /dev/null +++ b/queue-5.4/usb-xhci-mtk-support-quirk-to-disable-usb2-lpm.patch @@ -0,0 +1,58 @@ +From a872a2d19656531aa8236d9adbbe5e46499bc9c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Mar 2021 17:05:53 +0800 +Subject: usb: xhci-mtk: support quirk to disable usb2 lpm + +From: Chunfeng Yun + +[ Upstream commit bee1f89aad2a51cd3339571bc8eadbb0dc88a683 ] + +The xHCI driver support usb2 HW LPM by default, here add support +XHCI_HW_LPM_DISABLE quirk, then we can disable usb2 lpm when +need it. + +Signed-off-by: Chunfeng Yun +Link: https://lore.kernel.org/r/1617181553-3503-4-git-send-email-chunfeng.yun@mediatek.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-mtk.c | 3 +++ + drivers/usb/host/xhci-mtk.h | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/usb/host/xhci-mtk.c b/drivers/usb/host/xhci-mtk.c +index 5fc3ea6d46c5..5c0eb35cd007 100644 +--- a/drivers/usb/host/xhci-mtk.c ++++ b/drivers/usb/host/xhci-mtk.c +@@ -397,6 +397,8 @@ static void xhci_mtk_quirks(struct device *dev, struct xhci_hcd *xhci) + xhci->quirks |= XHCI_SPURIOUS_SUCCESS; + if (mtk->lpm_support) + xhci->quirks |= XHCI_LPM_SUPPORT; ++ if (mtk->u2_lpm_disable) ++ xhci->quirks |= XHCI_HW_LPM_DISABLE; + + /* + * MTK xHCI 0.96: PSA is 1 by default even if doesn't support stream, +@@ -469,6 +471,7 @@ static int xhci_mtk_probe(struct platform_device *pdev) + return ret; + + mtk->lpm_support = of_property_read_bool(node, "usb3-lpm-capable"); ++ mtk->u2_lpm_disable = of_property_read_bool(node, "usb2-lpm-disable"); + /* optional property, ignore the error if it does not exist */ + of_property_read_u32(node, "mediatek,u3p-dis-msk", + &mtk->u3p_dis_msk); +diff --git a/drivers/usb/host/xhci-mtk.h b/drivers/usb/host/xhci-mtk.h +index 734c5513aa1b..d9f438d078da 100644 +--- a/drivers/usb/host/xhci-mtk.h ++++ b/drivers/usb/host/xhci-mtk.h +@@ -150,6 +150,7 @@ struct xhci_hcd_mtk { + struct phy **phys; + int num_phys; + bool lpm_support; ++ bool u2_lpm_disable; + /* usb remote wakeup */ + bool uwk_en; + struct regmap *uwk; +-- +2.30.2 + diff --git a/queue-5.4/x86-build-propagate-clang_flags-to-realmode_flags.patch b/queue-5.4/x86-build-propagate-clang_flags-to-realmode_flags.patch new file mode 100644 index 00000000000..21b30caaaf6 --- /dev/null +++ b/queue-5.4/x86-build-propagate-clang_flags-to-realmode_flags.patch @@ -0,0 +1,66 @@ +From 1fca5d83c5577c9890e8c81f5ee024cf96468674 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 17:04:33 -0700 +Subject: x86/build: Propagate $(CLANG_FLAGS) to $(REALMODE_FLAGS) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: John Millikin + +[ Upstream commit 8abe7fc26ad8f28bfdf78adbed56acd1fa93f82d ] + +When cross-compiling with Clang, the `$(CLANG_FLAGS)' variable +contains additional flags needed to build C and assembly sources +for the target platform. Normally this variable is automatically +included in `$(KBUILD_CFLAGS)' via the top-level Makefile. + +The x86 real-mode makefile builds `$(REALMODE_CFLAGS)' from a +plain assignment and therefore drops the Clang flags. This causes +Clang to not recognize x86-specific assembler directives: + +  arch/x86/realmode/rm/header.S:36:1: error: unknown directive +  .type real_mode_header STT_OBJECT ; .size real_mode_header, .-real_mode_header +  ^ + +Explicit propagation of `$(CLANG_FLAGS)' to `$(REALMODE_CFLAGS)', +which is inherited by real-mode make rules, fixes cross-compilation +with Clang for x86 targets. + +Relevant flags: + +* `--target' sets the target architecture when cross-compiling. This +  flag must be set for both compilation and assembly (`KBUILD_AFLAGS') +  to support architecture-specific assembler directives. + +* `-no-integrated-as' tells clang to assemble with GNU Assembler +  instead of its built-in LLVM assembler. This flag is set by default +  unless `LLVM_IAS=1' is set, because the LLVM assembler can't yet +  parse certain GNU extensions. + +Signed-off-by: John Millikin +Signed-off-by: Nathan Chancellor +Signed-off-by: Borislav Petkov +Acked-by: Ard Biesheuvel +Tested-by: Sedat Dilek +Link: https://lkml.kernel.org/r/20210326000435.4785-2-nathan@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/Makefile b/arch/x86/Makefile +index 59942e349e5f..69f0cb01c666 100644 +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -40,6 +40,7 @@ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -ffreestanding + REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -fno-stack-protector) + REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -Wno-address-of-packed-member) + REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), $(cc_stack_align4)) ++REALMODE_CFLAGS += $(CLANG_FLAGS) + export REALMODE_CFLAGS + + # BITS is used as extension for files which are available in a 32 bit +-- +2.30.2 + diff --git a/queue-5.4/xhci-check-control-context-is-valid-before-dereferen.patch b/queue-5.4/xhci-check-control-context-is-valid-before-dereferen.patch new file mode 100644 index 00000000000..f50bbace525 --- /dev/null +++ b/queue-5.4/xhci-check-control-context-is-valid-before-dereferen.patch @@ -0,0 +1,42 @@ +From d43fa5edb5a05c6f8278fc7e4c4dd6f1f4d3bf64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 10:02:06 +0300 +Subject: xhci: check control context is valid before dereferencing it. + +From: Mathias Nyman + +[ Upstream commit 597899d2f7c5619c87185ee7953d004bd37fd0eb ] + +Don't dereference ctrl_ctx before checking it's valid. +Issue reported by Klockwork + +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20210406070208.3406266-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index b5080bc1689e..143e4002e561 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -3227,6 +3227,14 @@ static void xhci_endpoint_reset(struct usb_hcd *hcd, + + /* config ep command clears toggle if add and drop ep flags are set */ + ctrl_ctx = xhci_get_input_control_ctx(cfg_cmd->in_ctx); ++ if (!ctrl_ctx) { ++ spin_unlock_irqrestore(&xhci->lock, flags); ++ xhci_free_command(xhci, cfg_cmd); ++ xhci_warn(xhci, "%s: Could not get input context, bad type.\n", ++ __func__); ++ goto cleanup; ++ } ++ + xhci_setup_input_ctx_for_config_ep(xhci, cfg_cmd->in_ctx, vdev->out_ctx, + ctrl_ctx, ep_flag, ep_flag); + xhci_endpoint_copy(xhci, cfg_cmd->in_ctx, vdev->out_ctx, ep_index); +-- +2.30.2 + diff --git a/queue-5.4/xhci-fix-potential-array-out-of-bounds-with-several-.patch b/queue-5.4/xhci-fix-potential-array-out-of-bounds-with-several-.patch new file mode 100644 index 00000000000..ae28cea8af2 --- /dev/null +++ b/queue-5.4/xhci-fix-potential-array-out-of-bounds-with-several-.patch @@ -0,0 +1,54 @@ +From d9a1e8787a5fb45d5b11981e8d77a96ccfd92cc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 10:02:07 +0300 +Subject: xhci: fix potential array out of bounds with several interrupters + +From: Mathias Nyman + +[ Upstream commit 286fd02fd54b6acab65809549cf5fb3f2a886696 ] + +The Max Interrupters supported by the controller is given in a 10bit +wide bitfield, but the driver uses a fixed 128 size array to index these +interrupters. + +Klockwork reports a possible array out of bounds case which in theory +is possible. In practice this hasn't been hit as a common number of Max +Interrupters for new controllers is 8, not even close to 128. + +This needs to be fixed anyway + +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20210406070208.3406266-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 143e4002e561..de05ac9d3ae1 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -228,6 +228,7 @@ static void xhci_zero_64b_regs(struct xhci_hcd *xhci) + struct device *dev = xhci_to_hcd(xhci)->self.sysdev; + int err, i; + u64 val; ++ u32 intrs; + + /* + * Some Renesas controllers get into a weird state if they are +@@ -266,7 +267,10 @@ static void xhci_zero_64b_regs(struct xhci_hcd *xhci) + if (upper_32_bits(val)) + xhci_write_64(xhci, 0, &xhci->op_regs->cmd_ring); + +- for (i = 0; i < HCS_MAX_INTRS(xhci->hcs_params1); i++) { ++ intrs = min_t(u32, HCS_MAX_INTRS(xhci->hcs_params1), ++ ARRAY_SIZE(xhci->run_regs->ir_set)); ++ ++ for (i = 0; i < intrs; i++) { + struct xhci_intr_reg __iomem *ir; + + ir = &xhci->run_regs->ir_set[i]; +-- +2.30.2 +