From: Sasha Levin Date: Fri, 26 Jun 2020 18:07:35 +0000 (-0400) Subject: Fixes for 5.7 X-Git-Tag: v5.7.7~61^2~9 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e3dbc06cb978a12705a9156ac20a9c26ab31c0f3;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.7 Signed-off-by: Sasha Levin --- diff --git a/queue-5.7/alsa-usb-audio-fix-potential-use-after-free-of-strea.patch b/queue-5.7/alsa-usb-audio-fix-potential-use-after-free-of-strea.patch new file mode 100644 index 00000000000..1d9771105ec --- /dev/null +++ b/queue-5.7/alsa-usb-audio-fix-potential-use-after-free-of-strea.patch @@ -0,0 +1,42 @@ +From a416b25097d2e0c3444727c97839d0d4f6579652 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jun 2020 14:09:21 +0200 +Subject: ALSA: usb-audio: Fix potential use-after-free of streams + +From: Takashi Iwai + +[ Upstream commit ff58bbc7b9704a5869204176f804eff57307fef0 ] + +With the recent full-duplex support of implicit feedback streams, an +endpoint can be still running after closing the capture stream as long +as the playback stream with the sync-endpoint is running. In such a +state, the URBs are still be handled and they may call retire_data_urb +callback, which tries to transfer the data from the PCM buffer. Since +the PCM stream gets closed, this may lead to use-after-free. + +This patch adds the proper clearance of the callback at stopping the +capture stream for addressing the possible UAF above. + +Fixes: 10ce77e4817f ("ALSA: usb-audio: Add duplex sound support for USB devices using implicit feedback") +Link: https://lore.kernel.org/r/20200616120921.12249-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/pcm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index d61c2f1095b5c..3411e27eb64bb 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -1782,6 +1782,7 @@ static int snd_usb_substream_capture_trigger(struct snd_pcm_substream *substream + return 0; + case SNDRV_PCM_TRIGGER_STOP: + stop_endpoints(subs); ++ subs->data_endpoint->retire_data_urb = NULL; + subs->running = 0; + return 0; + case SNDRV_PCM_TRIGGER_PAUSE_PUSH: +-- +2.25.1 + diff --git a/queue-5.7/btrfs-fix-a-block-group-ref-counter-leak-after-failu.patch b/queue-5.7/btrfs-fix-a-block-group-ref-counter-leak-after-failu.patch new file mode 100644 index 00000000000..2f5c9ffccad --- /dev/null +++ b/queue-5.7/btrfs-fix-a-block-group-ref-counter-leak-after-failu.patch @@ -0,0 +1,119 @@ +From 36e3ce46cfd956b9e8225e44f4a86728839de9c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jun 2020 19:12:06 +0100 +Subject: btrfs: fix a block group ref counter leak after failure to remove + block group + +From: Filipe Manana + +[ Upstream commit 9fecd13202f520f3f25d5b1c313adb740fe19773 ] + +When removing a block group, if we fail to delete the block group's item +from the extent tree, we jump to the 'out' label and end up decrementing +the block group's reference count once only (by 1), resulting in a counter +leak because the block group at that point was already removed from the +block group cache rbtree - so we have to decrement the reference count +twice, once for the rbtree and once for our lookup at the start of the +function. + +There is a second bug where if removing the free space tree entries (the +call to remove_block_group_free_space()) fails we end up jumping to the +'out_put_group' label but end up decrementing the reference count only +once, when we should have done it twice, since we have already removed +the block group from the block group cache rbtree. This happens because +the reference count decrement for the rbtree reference happens after +attempting to remove the free space tree entries, which is far away from +the place where we remove the block group from the rbtree. + +To make things less error prone, decrement the reference count for the +rbtree immediately after removing the block group from it. This also +eleminates the need for two different exit labels on error, renaming +'out_put_label' to just 'out' and removing the old 'out'. + +Fixes: f6033c5e333238 ("btrfs: fix block group leak when removing fails") +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Nikolay Borisov +Reviewed-by: Anand Jain +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/block-group.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c +index 233c5663f2332..0c17f18b47940 100644 +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -916,7 +916,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, + path = btrfs_alloc_path(); + if (!path) { + ret = -ENOMEM; +- goto out_put_group; ++ goto out; + } + + /* +@@ -954,7 +954,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, + ret = btrfs_orphan_add(trans, BTRFS_I(inode)); + if (ret) { + btrfs_add_delayed_iput(inode); +- goto out_put_group; ++ goto out; + } + clear_nlink(inode); + /* One for the block groups ref */ +@@ -977,13 +977,13 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, + + ret = btrfs_search_slot(trans, tree_root, &key, path, -1, 1); + if (ret < 0) +- goto out_put_group; ++ goto out; + if (ret > 0) + btrfs_release_path(path); + if (ret == 0) { + ret = btrfs_del_item(trans, tree_root, path); + if (ret) +- goto out_put_group; ++ goto out; + btrfs_release_path(path); + } + +@@ -992,6 +992,9 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, + &fs_info->block_group_cache_tree); + RB_CLEAR_NODE(&block_group->cache_node); + ++ /* Once for the block groups rbtree */ ++ btrfs_put_block_group(block_group); ++ + if (fs_info->first_logical_byte == block_group->start) + fs_info->first_logical_byte = (u64)-1; + spin_unlock(&fs_info->block_group_cache_lock); +@@ -1102,10 +1105,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, + + ret = remove_block_group_free_space(trans, block_group); + if (ret) +- goto out_put_group; +- +- /* Once for the block groups rbtree */ +- btrfs_put_block_group(block_group); ++ goto out; + + ret = btrfs_search_slot(trans, root, &key, path, -1, 1); + if (ret > 0) +@@ -1128,10 +1128,9 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, + free_extent_map(em); + } + +-out_put_group: ++out: + /* Once for the lookup reference */ + btrfs_put_block_group(block_group); +-out: + if (remove_rsv) + btrfs_delayed_refs_rsv_release(fs_info, 1); + btrfs_free_path(path); +-- +2.25.1 + diff --git a/queue-5.7/fix-a-braino-in-sparc32-fix-register-window-handling.patch b/queue-5.7/fix-a-braino-in-sparc32-fix-register-window-handling.patch new file mode 100644 index 00000000000..6b8feae84c2 --- /dev/null +++ b/queue-5.7/fix-a-braino-in-sparc32-fix-register-window-handling.patch @@ -0,0 +1,46 @@ +From 40d2d2efc4b719a0bb6f7a4604d517fdad4be2a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Jun 2020 23:44:24 -0400 +Subject: fix a braino in "sparc32: fix register window handling in + genregs32_[gs]et()" + +From: Al Viro + +[ Upstream commit 9d964e1b82d8182184153b70174f445ea616f053 ] + +lost npc in PTRACE_SETREGSET, breaking PTRACE_SETREGS as well + +Fixes: cf51e129b968 "sparc32: fix register window handling in genregs32_[gs]et()" +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/ptrace_32.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/sparc/kernel/ptrace_32.c b/arch/sparc/kernel/ptrace_32.c +index 60f7205ebe40d..646dd58169ecb 100644 +--- a/arch/sparc/kernel/ptrace_32.c ++++ b/arch/sparc/kernel/ptrace_32.c +@@ -168,12 +168,17 @@ static int genregs32_set(struct task_struct *target, + if (ret || !count) + return ret; + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, +- ®s->y, ++ ®s->npc, + 34 * sizeof(u32), 35 * sizeof(u32)); + if (ret || !count) + return ret; ++ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, ++ ®s->y, ++ 35 * sizeof(u32), 36 * sizeof(u32)); ++ if (ret || !count) ++ return ret; + return user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf, +- 35 * sizeof(u32), 38 * sizeof(u32)); ++ 36 * sizeof(u32), 38 * sizeof(u32)); + } + + static int fpregs32_get(struct task_struct *target, +-- +2.25.1 + diff --git a/queue-5.7/genetlink-clean-up-family-attributes-allocations.patch b/queue-5.7/genetlink-clean-up-family-attributes-allocations.patch new file mode 100644 index 00000000000..59d9d2c4ce4 --- /dev/null +++ b/queue-5.7/genetlink-clean-up-family-attributes-allocations.patch @@ -0,0 +1,143 @@ +From e094c4558abe690203838e73d736e2c19d53b67a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jun 2020 00:16:55 -0700 +Subject: genetlink: clean up family attributes allocations + +From: Cong Wang + +[ Upstream commit b65ce380b754e77fbfdcfc83fd6e29c8ceedf431 ] + +genl_family_rcv_msg_attrs_parse() and genl_family_rcv_msg_attrs_free() +take a boolean parameter to determine whether allocate/free the family +attrs. This is unnecessary as we can just check family->parallel_ops. +More importantly, callers would not need to worry about pairing these +parameters correctly after this patch. + +And this fixes a memory leak, as after commit c36f05559104 +("genetlink: fix memory leaks in genl_family_rcv_msg_dumpit()") +we call genl_family_rcv_msg_attrs_parse() for both parallel and +non-parallel cases. + +Fixes: c36f05559104 ("genetlink: fix memory leaks in genl_family_rcv_msg_dumpit()") +Reported-by: Ido Schimmel +Signed-off-by: Cong Wang +Reviewed-by: Ido Schimmel +Tested-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netlink/genetlink.c | 28 ++++++++++++---------------- + 1 file changed, 12 insertions(+), 16 deletions(-) + +diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c +index bcbba0bef1c2a..9c1c27f3a0894 100644 +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -474,8 +474,7 @@ genl_family_rcv_msg_attrs_parse(const struct genl_family *family, + struct netlink_ext_ack *extack, + const struct genl_ops *ops, + int hdrlen, +- enum genl_validate_flags no_strict_flag, +- bool parallel) ++ enum genl_validate_flags no_strict_flag) + { + enum netlink_validation validate = ops->validate & no_strict_flag ? + NL_VALIDATE_LIBERAL : +@@ -486,7 +485,7 @@ genl_family_rcv_msg_attrs_parse(const struct genl_family *family, + if (!family->maxattr) + return NULL; + +- if (parallel) { ++ if (family->parallel_ops) { + attrbuf = kmalloc_array(family->maxattr + 1, + sizeof(struct nlattr *), GFP_KERNEL); + if (!attrbuf) +@@ -498,7 +497,7 @@ genl_family_rcv_msg_attrs_parse(const struct genl_family *family, + err = __nlmsg_parse(nlh, hdrlen, attrbuf, family->maxattr, + family->policy, validate, extack); + if (err) { +- if (parallel) ++ if (family->parallel_ops) + kfree(attrbuf); + return ERR_PTR(err); + } +@@ -506,10 +505,9 @@ genl_family_rcv_msg_attrs_parse(const struct genl_family *family, + } + + static void genl_family_rcv_msg_attrs_free(const struct genl_family *family, +- struct nlattr **attrbuf, +- bool parallel) ++ struct nlattr **attrbuf) + { +- if (parallel) ++ if (family->parallel_ops) + kfree(attrbuf); + } + +@@ -537,15 +535,14 @@ static int genl_start(struct netlink_callback *cb) + + attrs = genl_family_rcv_msg_attrs_parse(ctx->family, ctx->nlh, ctx->extack, + ops, ctx->hdrlen, +- GENL_DONT_VALIDATE_DUMP_STRICT, +- true); ++ GENL_DONT_VALIDATE_DUMP_STRICT); + if (IS_ERR(attrs)) + return PTR_ERR(attrs); + + no_attrs: + info = genl_dumpit_info_alloc(); + if (!info) { +- kfree(attrs); ++ genl_family_rcv_msg_attrs_free(ctx->family, attrs); + return -ENOMEM; + } + info->family = ctx->family; +@@ -562,7 +559,7 @@ static int genl_start(struct netlink_callback *cb) + } + + if (rc) { +- kfree(attrs); ++ genl_family_rcv_msg_attrs_free(info->family, info->attrs); + genl_dumpit_info_free(info); + cb->data = NULL; + } +@@ -591,7 +588,7 @@ static int genl_lock_done(struct netlink_callback *cb) + rc = ops->done(cb); + genl_unlock(); + } +- genl_family_rcv_msg_attrs_free(info->family, info->attrs, false); ++ genl_family_rcv_msg_attrs_free(info->family, info->attrs); + genl_dumpit_info_free(info); + return rc; + } +@@ -604,7 +601,7 @@ static int genl_parallel_done(struct netlink_callback *cb) + + if (ops->done) + rc = ops->done(cb); +- genl_family_rcv_msg_attrs_free(info->family, info->attrs, true); ++ genl_family_rcv_msg_attrs_free(info->family, info->attrs); + genl_dumpit_info_free(info); + return rc; + } +@@ -671,8 +668,7 @@ static int genl_family_rcv_msg_doit(const struct genl_family *family, + + attrbuf = genl_family_rcv_msg_attrs_parse(family, nlh, extack, + ops, hdrlen, +- GENL_DONT_VALIDATE_STRICT, +- family->parallel_ops); ++ GENL_DONT_VALIDATE_STRICT); + if (IS_ERR(attrbuf)) + return PTR_ERR(attrbuf); + +@@ -698,7 +694,7 @@ static int genl_family_rcv_msg_doit(const struct genl_family *family, + family->post_doit(ops, skb, &info); + + out: +- genl_family_rcv_msg_attrs_free(family, attrbuf, family->parallel_ops); ++ genl_family_rcv_msg_attrs_free(family, attrbuf); + + return err; + } +-- +2.25.1 + diff --git a/queue-5.7/nvmet-cleanups-the-loop-in-nvmet_async_events_proces.patch b/queue-5.7/nvmet-cleanups-the-loop-in-nvmet_async_events_proces.patch new file mode 100644 index 00000000000..9dce3c41a6d --- /dev/null +++ b/queue-5.7/nvmet-cleanups-the-loop-in-nvmet_async_events_proces.patch @@ -0,0 +1,55 @@ +From 1725913607b1bedd6041e11bf44bc132659acc25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 May 2020 13:59:55 -0500 +Subject: nvmet: cleanups the loop in nvmet_async_events_process + +From: David Milburn + +[ Upstream commit 1cdf9f7670a7d74e27177d5c390c2f8b3b9ba338 ] + +Based-on-a-patch-by: Christoph Hellwig +Tested-by: Yi Zhang +Signed-off-by: David Milburn +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/core.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index aa5ca222c6f59..ac7ae031ce78d 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -134,15 +134,10 @@ static void nvmet_async_events_process(struct nvmet_ctrl *ctrl, u16 status) + struct nvmet_async_event *aen; + struct nvmet_req *req; + +- while (1) { +- mutex_lock(&ctrl->lock); +- aen = list_first_entry_or_null(&ctrl->async_events, +- struct nvmet_async_event, entry); +- if (!aen || !ctrl->nr_async_event_cmds) { +- mutex_unlock(&ctrl->lock); +- break; +- } +- ++ mutex_lock(&ctrl->lock); ++ while (ctrl->nr_async_event_cmds && !list_empty(&ctrl->async_events)) { ++ aen = list_first_entry(&ctrl->async_events, ++ struct nvmet_async_event, entry); + req = ctrl->async_event_cmds[--ctrl->nr_async_event_cmds]; + if (status == 0) + nvmet_set_result(req, nvmet_async_event_result(aen)); +@@ -152,7 +147,9 @@ static void nvmet_async_events_process(struct nvmet_ctrl *ctrl, u16 status) + + mutex_unlock(&ctrl->lock); + nvmet_req_complete(req, status); ++ mutex_lock(&ctrl->lock); + } ++ mutex_unlock(&ctrl->lock); + } + + static void nvmet_async_events_free(struct nvmet_ctrl *ctrl) +-- +2.25.1 + diff --git a/queue-5.7/nvmet-fail-outstanding-host-posted-aen-req.patch b/queue-5.7/nvmet-fail-outstanding-host-posted-aen-req.patch new file mode 100644 index 00000000000..db2f713868a --- /dev/null +++ b/queue-5.7/nvmet-fail-outstanding-host-posted-aen-req.patch @@ -0,0 +1,142 @@ +From 6c91cb6b93e7b9959c5be4af1fb4e0fec85e06f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jun 2020 16:55:14 -0700 +Subject: nvmet: fail outstanding host posted AEN req + +From: Chaitanya Kulkarni + +[ Upstream commit 819f7b88b48fd2bce932cfe3a38bf8fcefbcabe7 ] + +In function nvmet_async_event_process() we only process AENs iff +there is an open slot on the ctrl->async_event_cmds[] && aen +event list posted by the target is not empty. This keeps host +posted AEN outstanding if target generated AEN list is empty. +We do cleanup the target generated entries from the aen list in +nvmet_ctrl_free()-> nvmet_async_events_free() but we don't +process AEN posted by the host. This leads to following problem :- + +When processing admin sq at the time of nvmet_sq_destroy() holds +an extra percpu reference(atomic value = 1), so in the following code +path after switching to atomic rcu, release function (nvmet_sq_free()) +is not getting called which blocks the sq->free_done in +nvmet_sq_destroy() :- + +nvmet_sq_destroy() + percpu_ref_kill_and_confirm() + - __percpu_ref_switch_mode() + -- __percpu_ref_switch_to_atomic() + --- call_rcu() -> percpu_ref_switch_to_atomic_rcu() + ---- /* calls switch callback */ + - percpu_ref_put() + -- percpu_ref_put_many(ref, 1) + --- else if (unlikely(atomic_long_sub_and_test(nr, &ref->count))) + ---- ref->release(ref); <---- Not called. + +This results in indefinite hang:- + + void nvmet_sq_destroy(struct nvmet_sq *sq) +... + if (ctrl && ctrl->sqs && ctrl->sqs[0] == sq) { + nvmet_async_events_process(ctrl, status); + percpu_ref_put(&sq->ref); + } + percpu_ref_kill_and_confirm(&sq->ref, nvmet_confirm_sq); + wait_for_completion(&sq->confirm_done); + wait_for_completion(&sq->free_done); <-- Hang here + +Which breaks the further disconnect sequence. This problem seems to be +introduced after commit 64f5e9cdd711b ("nvmet: fix memory leak when +removing namespaces and controllers concurrently"). + +This patch processes ctrl->async_event_cmds[] in the admin sq destroy() +context irrespetive of aen_list. Also we get rid of the controller's +aen_list processing in the nvmet_sq_destroy() context and just ignore +ctrl->aen_list. + +This results in nvmet_async_events_process() being called from workqueue +context so we adjust the code accordingly. + +Fixes: 64f5e9cdd711 ("nvmet: fix memory leak when removing namespaces and controllers concurrently ") +Signed-off-by: Chaitanya Kulkarni +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/core.c | 27 ++++++++++++++++++++------- + 1 file changed, 20 insertions(+), 7 deletions(-) + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index ac7ae031ce78d..96deaf3484662 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -129,7 +129,22 @@ static u32 nvmet_async_event_result(struct nvmet_async_event *aen) + return aen->event_type | (aen->event_info << 8) | (aen->log_page << 16); + } + +-static void nvmet_async_events_process(struct nvmet_ctrl *ctrl, u16 status) ++static void nvmet_async_events_failall(struct nvmet_ctrl *ctrl) ++{ ++ u16 status = NVME_SC_INTERNAL | NVME_SC_DNR; ++ struct nvmet_req *req; ++ ++ mutex_lock(&ctrl->lock); ++ while (ctrl->nr_async_event_cmds) { ++ req = ctrl->async_event_cmds[--ctrl->nr_async_event_cmds]; ++ mutex_unlock(&ctrl->lock); ++ nvmet_req_complete(req, status); ++ mutex_lock(&ctrl->lock); ++ } ++ mutex_unlock(&ctrl->lock); ++} ++ ++static void nvmet_async_events_process(struct nvmet_ctrl *ctrl) + { + struct nvmet_async_event *aen; + struct nvmet_req *req; +@@ -139,14 +154,13 @@ static void nvmet_async_events_process(struct nvmet_ctrl *ctrl, u16 status) + aen = list_first_entry(&ctrl->async_events, + struct nvmet_async_event, entry); + req = ctrl->async_event_cmds[--ctrl->nr_async_event_cmds]; +- if (status == 0) +- nvmet_set_result(req, nvmet_async_event_result(aen)); ++ nvmet_set_result(req, nvmet_async_event_result(aen)); + + list_del(&aen->entry); + kfree(aen); + + mutex_unlock(&ctrl->lock); +- nvmet_req_complete(req, status); ++ nvmet_req_complete(req, 0); + mutex_lock(&ctrl->lock); + } + mutex_unlock(&ctrl->lock); +@@ -169,7 +183,7 @@ static void nvmet_async_event_work(struct work_struct *work) + struct nvmet_ctrl *ctrl = + container_of(work, struct nvmet_ctrl, async_event_work); + +- nvmet_async_events_process(ctrl, 0); ++ nvmet_async_events_process(ctrl); + } + + void nvmet_add_async_event(struct nvmet_ctrl *ctrl, u8 event_type, +@@ -752,7 +766,6 @@ static void nvmet_confirm_sq(struct percpu_ref *ref) + + void nvmet_sq_destroy(struct nvmet_sq *sq) + { +- u16 status = NVME_SC_INTERNAL | NVME_SC_DNR; + struct nvmet_ctrl *ctrl = sq->ctrl; + + /* +@@ -760,7 +773,7 @@ void nvmet_sq_destroy(struct nvmet_sq *sq) + * queue doesn't have outstanding requests on it. + */ + if (ctrl && ctrl->sqs && ctrl->sqs[0] == sq) +- nvmet_async_events_process(ctrl, status); ++ nvmet_async_events_failall(ctrl); + percpu_ref_kill_and_confirm(&sq->ref, nvmet_confirm_sq); + wait_for_completion(&sq->confirm_done); + wait_for_completion(&sq->free_done); +-- +2.25.1 + diff --git a/queue-5.7/revert-i2c-tegra-fix-suspending-in-active-runtime-pm.patch b/queue-5.7/revert-i2c-tegra-fix-suspending-in-active-runtime-pm.patch new file mode 100644 index 00000000000..d0ce4b72f6c --- /dev/null +++ b/queue-5.7/revert-i2c-tegra-fix-suspending-in-active-runtime-pm.patch @@ -0,0 +1,55 @@ +From 6b01634c9557e2413dd0e99f4f7c6f5980937f5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Apr 2020 13:31:58 +0200 +Subject: Revert "i2c: tegra: Fix suspending in active runtime PM state" + +From: Thierry Reding + +[ Upstream commit 78ad73421831247e46c31899a7bead02740e4bef ] + +This reverts commit 9f42de8d4ec2304f10bbc51dc0484f3503d61196. + +It's not safe to use pm_runtime_force_{suspend,resume}(), especially +during the noirq phase of suspend. See also the guidance provided in +commit 1e2ef05bb8cf ("PM: Limit race conditions between runtime PM +and system sleep (v2)"). + +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-tegra.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c +index 4c4d17ddc96b9..7c88611c732c4 100644 +--- a/drivers/i2c/busses/i2c-tegra.c ++++ b/drivers/i2c/busses/i2c-tegra.c +@@ -1769,14 +1769,9 @@ static int tegra_i2c_remove(struct platform_device *pdev) + static int __maybe_unused tegra_i2c_suspend(struct device *dev) + { + struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev); +- int err; + + i2c_mark_adapter_suspended(&i2c_dev->adapter); + +- err = pm_runtime_force_suspend(dev); +- if (err < 0) +- return err; +- + return 0; + } + +@@ -1797,10 +1792,6 @@ static int __maybe_unused tegra_i2c_resume(struct device *dev) + if (err) + return err; + +- err = pm_runtime_force_resume(dev); +- if (err < 0) +- return err; +- + i2c_mark_adapter_resumed(&i2c_dev->adapter); + + return 0; +-- +2.25.1 + diff --git a/queue-5.7/series b/queue-5.7/series index 527592dfea3..6293615f0b4 100644 --- a/queue-5.7/series +++ b/queue-5.7/series @@ -1,2 +1,9 @@ spi-spi-fsl-dspi-free-dma-memory-with-matching-function.patch block-bio-integrity-don-t-free-buf-if-bio_integrity_add_page-failed.patch +genetlink-clean-up-family-attributes-allocations.patch +nvmet-cleanups-the-loop-in-nvmet_async_events_proces.patch +nvmet-fail-outstanding-host-posted-aen-req.patch +fix-a-braino-in-sparc32-fix-register-window-handling.patch +alsa-usb-audio-fix-potential-use-after-free-of-strea.patch +revert-i2c-tegra-fix-suspending-in-active-runtime-pm.patch +btrfs-fix-a-block-group-ref-counter-leak-after-failu.patch