From 95b1c782cf853db43a13af7fdddafa436ff88840 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 4 Apr 2021 22:09:51 -0400
Subject: [PATCH] Fixes for 5.11
Signed-off-by: Sasha Levin
---
 ...-for-extcon_register_notifier_all-fu.patch | 59 +++++++++
 ...rror-handling-in-extcon_dev_register.patch | 35 ++++++
 ...x-a-use-after-free-bug-in-nosy_ioctl.patch | 119 ++++++++++++++++++
 ...10-svc-reset-command_reconfig_flag_p.patch | 37 ++++++
 ...s64-use-the-correct-storage-key-valu.patch | 103 +++++++++++++++
 ...mobility-handle-premature-return-fro.patch | 103 +++++++++++++++
 ...mobility-use-struct-for-shared-state.patch | 70 +++++++++++
 queue-5.11/series | 9 ++
 ...ble-dis_ux_susphy_quirk-for-intel-me.patch | 40 ++++++
 ...v_fb-fix-a-double-free-in-hvfb_probe.patch | 60 +++++++++
 10 files changed, 635 insertions(+)
 create mode 100644 queue-5.11/extcon-add-stubs-for-extcon_register_notifier_all-fu.patch
 create mode 100644 queue-5.11/extcon-fix-error-handling-in-extcon_dev_register.patch
 create mode 100644 queue-5.11/firewire-nosy-fix-a-use-after-free-bug-in-nosy_ioctl.patch
 create mode 100644 queue-5.11/firmware-stratix10-svc-reset-command_reconfig_flag_p.patch
 create mode 100644 queue-5.11/powerpc-mm-book3s64-use-the-correct-storage-key-valu.patch
 create mode 100644 queue-5.11/powerpc-pseries-mobility-handle-premature-return-fro.patch
 create mode 100644 queue-5.11/powerpc-pseries-mobility-use-struct-for-shared-state.patch
 create mode 100644 queue-5.11/usb-dwc3-pci-enable-dis_ux_susphy_quirk-for-intel-me.patch
 create mode 100644 queue-5.11/video-hyperv_fb-fix-a-double-free-in-hvfb_probe.patch
diff --git a/queue-5.11/extcon-add-stubs-for-extcon_register_notifier_all-fu.patch b/queue-5.11/extcon-add-stubs-for-extcon_register_notifier_all-fu.patch
new file mode 100644
index 00000000000..da53f40a4b5
--- /dev/null
+++ b/queue-5.11/extcon-add-stubs-for-extcon_register_notifier_all-fu.patch
@@ -0,0 +1,59 @@
+From 7951869927dc372d5555d31cdf383d44307db760 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 31 Dec 2020 09:52:52 +0100
+Subject: extcon: Add stubs for extcon_register_notifier_all() functions
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit c9570d4a5efd04479b3cd09c39b571eb031d94f4 ]
+
+Add stubs for extcon_register_notifier_all() function for !CONFIG_EXTCON
+case. This is useful for compile testing and for drivers which use
+EXTCON but do not require it (therefore do not depend on CONFIG_EXTCON).
+
+Fixes: 815429b39d94 ("extcon: Add new extcon_register_notifier_all() to monitor all external connectors")
+Reported-by: kernel test robot
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Chanwoo Choi
+Signed-off-by: Sasha Levin
+---
+ include/linux/extcon.h | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/include/linux/extcon.h b/include/linux/extcon.h
+index fd183fb9c20f..0c19010da77f 100644
+--- a/include/linux/extcon.h
++++ b/include/linux/extcon.h
+@@ -271,6 +271,29 @@ static inline void devm_extcon_unregister_notifier(struct device *dev,
+ struct extcon_dev *edev, unsigned int id,
+ struct notifier_block *nb) { }
+
++static inline int extcon_register_notifier_all(struct extcon_dev *edev,
++ struct notifier_block *nb)
++{
++ return 0;
++}
++
++static inline int extcon_unregister_notifier_all(struct extcon_dev *edev,
++ struct notifier_block *nb)
++{
++ return 0;
++}
++
++static inline int devm_extcon_register_notifier_all(struct device *dev,
++ struct extcon_dev *edev,
++ struct notifier_block *nb)
++{
++ return 0;
++}
++
++static inline void devm_extcon_unregister_notifier_all(struct device *dev,
++ struct extcon_dev *edev,
++ struct notifier_block *nb) { }
++
+ static inline struct extcon_dev *extcon_get_extcon_dev(const char *extcon_name)
+ {
+ return ERR_PTR(-ENODEV);
+--
+2.30.2
+
diff --git a/queue-5.11/extcon-fix-error-handling-in-extcon_dev_register.patch b/queue-5.11/extcon-fix-error-handling-in-extcon_dev_register.patch
new file mode 100644
index 00000000000..1f6d71addbc
--- /dev/null
+++ b/queue-5.11/extcon-fix-error-handling-in-extcon_dev_register.patch
@@ -0,0 +1,35 @@
+From 41cf224b7f9b147a85643f91abd804707ef4b218 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Jan 2021 16:10:55 +0800
+Subject: extcon: Fix error handling in extcon_dev_register
+
+From: Dinghao Liu
+
+[ Upstream commit d3bdd1c3140724967ca4136755538fa7c05c2b4e ]
+
+When devm_kcalloc() fails, we should execute device_unregister()
+to unregister edev->dev from system.
+
+Fixes: 046050f6e623e ("extcon: Update the prototype of extcon_register_notifier() with enum extcon")
+Signed-off-by: Dinghao Liu
+Signed-off-by: Chanwoo Choi
+Signed-off-by: Sasha Levin
+---
+ drivers/extcon/extcon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/extcon/extcon.c b/drivers/extcon/extcon.c
+index 0a6438cbb3f3..e7a9561a826d 100644
+--- a/drivers/extcon/extcon.c
++++ b/drivers/extcon/extcon.c
+@@ -1241,6 +1241,7 @@ int extcon_dev_register(struct extcon_dev *edev)
+ sizeof(*edev->nh), GFP_KERNEL);
+ if (!edev->nh) {
+ ret = -ENOMEM;
++ device_unregister(&edev->dev);
+ goto err_dev;
+ }
+
+--
+2.30.2
+
diff --git a/queue-5.11/firewire-nosy-fix-a-use-after-free-bug-in-nosy_ioctl.patch b/queue-5.11/firewire-nosy-fix-a-use-after-free-bug-in-nosy_ioctl.patch
new file mode 100644
index 00000000000..44c359ddba0
--- /dev/null
+++ b/queue-5.11/firewire-nosy-fix-a-use-after-free-bug-in-nosy_ioctl.patch
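Review bot: In the extcon_dev_register() patch, the added `device_unregister(&edev->dev);` is immediately followed by `goto err_dev;`, and the `err_dev` label is outside the hunk, so it is not visible whether the shared cleanup there touches `edev->dev` again or releases something the unregister already dropped. That path should be checked for a second put or a use after release before this backport is relied on. A short comment on the new line would record the intent, for example `/* undo the earlier device registration before the common cleanup */`. extcon_dev_register() starts and ends outside the hunk.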
@@ -0,0 +1,119 @@
+From 1c639aacf695f0413e3943adae5b295db7b177bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 3 Apr 2021 06:58:36 +0000
+Subject: firewire: nosy: Fix a use-after-free bug in nosy_ioctl()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zheyu Ma
+
+[ Upstream commit 829933ef05a951c8ff140e814656d73e74915faf ]
+
+For each device, the nosy driver allocates a pcilynx structure.
+A use-after-free might happen in the following scenario:
+
+ 1. Open nosy device for the first time and call ioctl with command
+ NOSY_IOC_START, then a new client A will be malloced and added to
+ doubly linked list.
+ 2. Open nosy device for the second time and call ioctl with command
+ NOSY_IOC_START, then a new client B will be malloced and added to
+ doubly linked list.
+ 3. Call ioctl with command NOSY_IOC_START for client A, then client A
+ will be readded to the doubly linked list. Now the doubly linked
+ list is messed up.
+ 4. Close the first nosy device and nosy_release will be called. In
+ nosy_release, client A will be unlinked and freed.
+ 5. Close the second nosy device, and client A will be referenced,
+ resulting in UAF.
+
+The root cause of this bug is that the element in the doubly linked list
+is reentered into the list.
+
+Fix this bug by adding a check before inserting a client. If a client
+is already in the linked list, don't insert it.
+
+The following KASAN report reveals it:
+
+ BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210
+ Write of size 8 at addr ffff888102ad7360 by task poc
+ CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+ Call Trace:
+ nosy_release+0x1ea/0x210
+ __fput+0x1e2/0x840
+ task_work_run+0xe8/0x180
+ exit_to_user_mode_prepare+0x114/0x120
+ syscall_exit_to_user_mode+0x1d/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+ Allocated by task 337:
+ nosy_open+0x154/0x4d0
+ misc_open+0x2ec/0x410
+ chrdev_open+0x20d/0x5a0
+ do_dentry_open+0x40f/0xe80
+ path_openat+0x1cf9/0x37b0
+ do_filp_open+0x16d/0x390
+ do_sys_openat2+0x11d/0x360
+ __x64_sys_open+0xfd/0x1a0
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+ Freed by task 337:
+ kfree+0x8f/0x210
+ nosy_release+0x158/0x210
+ __fput+0x1e2/0x840
+ task_work_run+0xe8/0x180
+ exit_to_user_mode_prepare+0x114/0x120
+ syscall_exit_to_user_mode+0x1d/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+ The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128
+ The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380)
+
+[ Modified to use 'list_empty()' inside proper lock - Linus ]
+
+Link: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/
+Reported-and-tested-by: 马哲宇 (Zheyu Ma)
+Signed-off-by: Zheyu Ma
+Cc: Greg Kroah-Hartman
+Cc: Stefan Richter
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ drivers/firewire/nosy.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c
+index 5fd6a60b6741..88ed971e32c0 100644
+--- a/drivers/firewire/nosy.c
++++ b/drivers/firewire/nosy.c
+@@ -346,6 +346,7 @@ nosy_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ struct client 
*client = file->private_data;
+ spinlock_t *client_list_lock = &client->lynx->client_list_lock;
+ struct nosy_stats stats;
++ int ret;
+
+ switch (cmd) {
+ case NOSY_IOC_GET_STATS:
+@@ -360,11 +361,15 @@ nosy_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ return 0;
+
+ case NOSY_IOC_START:
++ ret = -EBUSY;
+ spin_lock_irq(client_list_lock);
+- list_add_tail(&client->link, &client->lynx->client_list);
++ if (list_empty(&client->link)) {
++ list_add_tail(&client->link, &client->lynx->client_list);
++ ret = 0;
++ }
+ spin_unlock_irq(client_list_lock);
+
+- return 0;
++ return ret;
+
+ case NOSY_IOC_STOP:
+ spin_lock_irq(client_list_lock);
+--
+2.30.2
+
diff --git a/queue-5.11/firmware-stratix10-svc-reset-command_reconfig_flag_p.patch b/queue-5.11/firmware-stratix10-svc-reset-command_reconfig_flag_p.patch
new file mode 100644
index 00000000000..fdd17103ffb
--- /dev/null
+++ b/queue-5.11/firmware-stratix10-svc-reset-command_reconfig_flag_p.patch
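Review bot: The new `list_empty(&client->link)` test in the NOSY_IOC_START case of the nosy patch only means "this client is not on client_list" if `client->link` is initialised as an empty list head when the client is created and is taken off the list with `list_del_init()` rather than `list_del()` in the stop and release paths. None of those sites are inside the hunks shown, so they should be confirmed in the 5.11 tree before the backport is relied on to close the use-after-free. A comment at the check would record the invariant, e.g. `/* link is self-linked only while off client_list: needs INIT_LIST_HEAD at open and list_del_init on stop/release */`. A repeated NOSY_IOC_START now returns `-EBUSY` where it used to return 0, which is a user-visible change worth stating next to the ioctl definition. nosy_ioctl() continues outside the hunks.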
@@ -0,0 +1,37 @@
+From 4ba1733ce80e0be6876df47cd2ff74e46cd6a76c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Feb 2021 16:20:27 -0600
+Subject: firmware: stratix10-svc: reset COMMAND_RECONFIG_FLAG_PARTIAL to 0
+
+From: Richard Gong
+
+[ Upstream commit 2e8496f31d0be8f43849b2980b069f3a9805d047 ]
+
+Clean up COMMAND_RECONFIG_FLAG_PARTIAL flag by resetting it to 0, which
+aligns with the firmware settings.
+
+Fixes: 36847f9e3e56 ("firmware: stratix10-svc: correct reconfig flag and timeout values")
+Signed-off-by: Richard Gong
+Reviewed-by: Tom Rix
+Signed-off-by: Moritz Fischer
+Signed-off-by: Sasha Levin
+---
+ include/linux/firmware/intel/stratix10-svc-client.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/firmware/intel/stratix10-svc-client.h b/include/linux/firmware/intel/stratix10-svc-client.h
+index a93d85932eb9..f843c6a10cf3 100644
+--- a/include/linux/firmware/intel/stratix10-svc-client.h
++++ b/include/linux/firmware/intel/stratix10-svc-client.h
+@@ -56,7 +56,7 @@
+ * COMMAND_RECONFIG_FLAG_PARTIAL:
+ * Set to FPGA configuration type (full or partial).
+ */
+-#define COMMAND_RECONFIG_FLAG_PARTIAL 1
++#define COMMAND_RECONFIG_FLAG_PARTIAL 0
+
+ /**
+ * Timeout settings for service clients:
+--
+2.30.2
+
diff --git a/queue-5.11/powerpc-mm-book3s64-use-the-correct-storage-key-valu.patch b/queue-5.11/powerpc-mm-book3s64-use-the-correct-storage-key-valu.patch
new file mode 100644
index 00000000000..c4ff13ca56d
--- /dev/null
+++ b/queue-5.11/powerpc-mm-book3s64-use-the-correct-storage-key-valu.patch
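Review bot: The comment above `#define COMMAND_RECONFIG_FLAG_PARTIAL 0` still reads "Set to FPGA configuration type (full or partial)" and does not say whether the macro is a bit position or a mask. With the value 0 the difference matters: if any user tests it as a mask, `flags & COMMAND_RECONFIG_FLAG_PARTIAL` is always false and partial reconfiguration could never be selected; the users are outside this hunk and should be checked in the 5.11 tree. If it is a bit position, the comment should say so, e.g. `* Bit position of the partial-reconfiguration flag in the reconfig flags word.`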
@@ -0,0 +1,103 @@
+From b6c449c3350fd85cafcc2140a59018a19096d7cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Mar 2021 12:37:55 +0530
+Subject: powerpc/mm/book3s64: Use the correct storage key value when calling
+ H_PROTECT
+
+From: Aneesh Kumar K.V
+
+[ Upstream commit 53f1d31708f6240e4615b0927df31f182e389e2f ]
+
+H_PROTECT expects the flag value to include flags:
+ AVPN, pp0, pp1, pp2, key0-key4, Noexec, CMO Option flags
+
+This patch updates hpte_updatepp() to fetch the storage key value from
+the linux page table and use the same in H_PROTECT hcall.
+
+native_hpte_updatepp() is not updated because the kernel doesn't clear
+the existing storage key value there. The kernel also doesn't use
+hpte_updatepp() callback for updating storage keys.
+
+This fixes the below kernel crash observed with KUAP enabled.
+
+ BUG: Unable to handle kernel data access on write at 0xc009fffffc440000
+ Faulting instruction address: 0xc0000000000b7030
+ Key fault AMR: 0xfcffffffffffffff IAMR: 0xc0000077bc498100
+ Found HPTE: v = 0x40070adbb6fffc05 r = 0x1ffffffffff1194
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+ ...
+ CFAR: c000000000010100 DAR: c009fffffc440000 DSISR: 02200000 IRQMASK: 0
+ ...
+ NIP memset+0x68/0x104
+ LR pcpu_alloc+0x54c/0xb50
+ Call Trace:
+ pcpu_alloc+0x55c/0xb50 (unreliable)
+ blk_stat_alloc_callback+0x94/0x150
+ blk_mq_init_allocated_queue+0x64/0x560
+ blk_mq_init_queue+0x54/0xb0
+ scsi_mq_alloc_queue+0x30/0xa0
+ scsi_alloc_sdev+0x1cc/0x300
+ scsi_probe_and_add_lun+0xb50/0x1020
+ __scsi_scan_target+0x17c/0x790
+ scsi_scan_channel+0x90/0xe0
+ scsi_scan_host_selected+0x148/0x1f0
+ do_scan_async+0x2c/0x2a0
+ async_run_entry_fn+0x78/0x220
+ process_one_work+0x264/0x540
+ worker_thread+0xa8/0x600
+ kthread+0x190/0x1a0
+ ret_from_kernel_thread+0x5c/0x6c
+
+With KUAP enabled the kernel uses storage key 3 for all its
+translations. 
But as shown by the debug print, in this specific case we
+have the hash page table entry created with key value 0.
+
+ Found HPTE: v = 0x40070adbb6fffc05 r = 0x1ffffffffff1194
+
+and DSISR indicates a key fault.
+
+This can happen due to parallel fault on the same EA by different CPUs:
+
+ CPU 0 CPU 1
+ fault on X
+
+ H_PAGE_BUSY set
+ fault on X
+
+ finish fault handling and
+ clear H_PAGE_BUSY
+ check for H_PAGE_BUSY
+ continue with fault handling.
+
+This implies CPU1 will end up calling hpte_updatepp for address X and
+the kernel updated the hash pte entry with key 0
+
+Fixes: d94b827e89dc ("powerpc/book3s64/kuap: Use Key 3 for kernel mapping with hash translation")
+Reported-by: Murilo Opsfelder Araujo
+Signed-off-by: Aneesh Kumar K.V
+Debugged-by: Michael Ellerman
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20210326070755.304625-1-aneesh.kumar@linux.ibm.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/platforms/pseries/lpar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c
+index 764170fdb0f7..3805519a6469 100644
+--- a/arch/powerpc/platforms/pseries/lpar.c
++++ b/arch/powerpc/platforms/pseries/lpar.c
+@@ -887,7 +887,8 @@ static long pSeries_lpar_hpte_updatepp(unsigned long slot,
+
+ want_v = hpte_encode_avpn(vpn, psize, ssize);
+
+- flags = (newpp & 7) | H_AVPN;
++ flags = (newpp & (HPTE_R_PP | HPTE_R_N | HPTE_R_KEY_LO)) | H_AVPN;
++ flags |= (newpp & HPTE_R_KEY_HI) >> 48;
+ if (mmu_has_feature(MMU_FTR_KERNEL_RO))
+ /* Move pp0 into bit 8 (IBM 55) */
+ flags |= (newpp & HPTE_R_PP0) >> 55;
+--
+2.30.2
+
diff --git a/queue-5.11/powerpc-pseries-mobility-handle-premature-return-fro.patch b/queue-5.11/powerpc-pseries-mobility-handle-premature-return-fro.patch
new file mode 100644
index 00000000000..1cb440c1de5
--- /dev/null
+++ b/queue-5.11/powerpc-pseries-mobility-handle-premature-return-fro.patch
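Review bot: The added `flags |= (newpp & HPTE_R_KEY_HI) >> 48;` in pSeries_lpar_hpte_updatepp() uses a bare shift count with no explanation, while the pp0 move a few lines below carries `/* Move pp0 into bit 8 (IBM 55) */`. A matching comment would let a reader check the bit placement against the H_PROTECT flag list in the commit message, e.g. `/* Move the high storage-key bits of the HPTE R word into their H_PROTECT flag position */`. The first new line also widens the mask from `7` to `HPTE_R_PP | HPTE_R_N | HPTE_R_KEY_LO`, so the no-execute bit of `newpp` is now passed to the hypervisor as well; the callers that build `newpp` are outside the hunk and should be confirmed to set it as intended. The function starts and ends outside the hunk.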
@@ -0,0 +1,103 @@
+From 38e5a8a88e001162663409153e6b0d5024cdd2d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Mar 2021 03:00:45 -0500
+Subject: powerpc/pseries/mobility: handle premature return from H_JOIN
+
+From: Nathan Lynch
+
+[ Upstream commit 274cb1ca2e7ce02cab56f5f4c61a74aeb566f931 ]
+
+The pseries join/suspend sequence in its current form was written with
+the assumption that it was the only user of H_PROD and that it needn't
+handle spurious successful returns from H_JOIN. That's wrong;
+powerpc's paravirt spinlock code uses H_PROD, and CPUs entering
+do_join() can be woken prematurely from H_JOIN with a status of
+H_SUCCESS as a result. This causes all CPUs to exit the sequence
+early, preventing suspend from occurring at all.
+
+Add a 'done' boolean flag to the pseries_suspend_info struct, and have
+the waking thread set it before waking the other threads. Threads
+which receive H_SUCCESS from H_JOIN retry if the 'done' flag is still
+unset.
+
+Fixes: 9327dc0aeef3 ("powerpc/pseries/mobility: use stop_machine for join/suspend")
+Signed-off-by: Nathan Lynch
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20210315080045.460331-3-nathanl@linux.ibm.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/platforms/pseries/mobility.c | 26 ++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c
+index a6739ce9feac..e83e0891272d 100644
+--- a/arch/powerpc/platforms/pseries/mobility.c
++++ b/arch/powerpc/platforms/pseries/mobility.c
+@@ -458,9 +458,12 @@ static int do_suspend(void)
+ * or if an error is received from H_JOIN. The thread which performs
+ * the first increment (i.e. sets it to 1) is responsible for
+ * waking the other threads.
++ * @done: False if join/suspend is in progress. True if the operation is
++ * complete (successful or not).
+ */
+ struct pseries_suspend_info {
+ atomic_t counter;
++ bool done;
+ };
+
+ static int do_join(void *arg)
+@@ -470,6 +473,7 @@ static int do_join(void *arg)
+ long hvrc;
+ int ret;
+
++retry:
+ /* Must ensure MSR.EE off for H_JOIN. */
+ hard_irq_disable();
+ hvrc = plpar_hcall_norets(H_JOIN);
+@@ -485,8 +489,20 @@ static int do_join(void *arg)
+ case H_SUCCESS:
+ /*
+ * The suspend is complete and this cpu has received a
+- * prod.
++ * prod, or we've received a stray prod from unrelated
++ * code (e.g. paravirt spinlocks) and we need to join
++ * again.
++ *
++ * This barrier orders the return from H_JOIN above vs
++ * the load of info->done. It pairs with the barrier
++ * in the wakeup/prod path below.
+ */
++ smp_mb();
++ if (READ_ONCE(info->done) == false) {
++ pr_info_ratelimited("premature return from H_JOIN on CPU %i, retrying",
++ smp_processor_id());
++ goto retry;
++ }
+ ret = 0;
+ break;
+ case H_BAD_MODE:
+@@ -500,6 +516,13 @@ static int do_join(void *arg)
+
+ if (atomic_inc_return(counter) == 1) {
+ pr_info("CPU %u waking all threads\n", smp_processor_id());
++ WRITE_ONCE(info->done, true);
++ /*
++ * This barrier orders the store to info->done vs subsequent
++ * H_PRODs to wake the other CPUs. It pairs with the barrier
++ * in the H_SUCCESS case above.
++ */
++ smp_mb();
+ prod_others();
+ }
+ /*
+@@ -553,6 +576,7 @@ static int pseries_suspend(u64 handle)
+
+ info = (struct pseries_suspend_info) {
+ .counter = ATOMIC_INIT(0),
++ .done = false,
+ };
+
+ ret = stop_machine(do_join, &info, cpu_online_mask);
+--
+2.30.2
+
diff --git a/queue-5.11/powerpc-pseries-mobility-use-struct-for-shared-state.patch b/queue-5.11/powerpc-pseries-mobility-use-struct-for-shared-state.patch
new file mode 100644
index 00000000000..5ab835b3ac6
--- /dev/null
+++ b/queue-5.11/powerpc-pseries-mobility-use-struct-for-shared-state.patch
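Review bot: The format string passed to `pr_info_ratelimited()` in the H_SUCCESS case of do_join() has no trailing newline, unlike `pr_info("CPU %u waking all threads\n", ...)` later in the same function, and it prints `smp_processor_id()` with `%i` where the other call uses `%u`. Suggested: `pr_info_ratelimited("premature return from H_JOIN on CPU %u, retrying\n",`. Separately, the `goto retry` loop has no bound and depends on some CPU eventually setting `info->done`; that holds for the wakeup path visible here, but the remaining cases of the switch are outside the hunks and should be checked to reach the `atomic_inc_return()` block as well. do_join() starts and ends outside the hunks shown.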
@@ -0,0 +1,70 @@
+From a33b58f9a1a3b25fd0e036664ddcb411b59d7c90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Mar 2021 03:00:44 -0500
+Subject: powerpc/pseries/mobility: use struct for shared state
+
+From: Nathan Lynch
+
+[ Upstream commit e834df6cfc71d8e5ce2c27a0184145ea125c3f0f ]
+
+The atomic_t counter is the only shared state for the join/suspend
+sequence so far, but that will change. Contain it in a
+struct (pseries_suspend_info), and document its intended use. No
+functional change.
+
+Signed-off-by: Nathan Lynch
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20210315080045.460331-2-nathanl@linux.ibm.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/platforms/pseries/mobility.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c
+index ea4d6a660e0d..a6739ce9feac 100644
+--- a/arch/powerpc/platforms/pseries/mobility.c
++++ b/arch/powerpc/platforms/pseries/mobility.c
+@@ -452,9 +452,21 @@ static int do_suspend(void)
+ return ret;
+ }
+
++/**
++ * struct pseries_suspend_info - State shared between CPUs for join/suspend.
++ * @counter: Threads are to increment this upon resuming from suspend
++ * or if an error is received from H_JOIN. The thread which performs
++ * the first increment (i.e. sets it to 1) is responsible for
++ * waking the other threads.
++ */
++struct pseries_suspend_info {
++ atomic_t counter;
++};
++
+ static int do_join(void *arg)
+ {
+- atomic_t *counter = arg;
++ struct pseries_suspend_info *info = arg;
++ atomic_t *counter = &info->counter;
+ long hvrc;
+ int ret;
+
+@@ -535,11 +547,15 @@ static int pseries_suspend(u64 handle)
+ int ret;
+
+ while (true) {
+- atomic_t counter = ATOMIC_INIT(0);
++ struct pseries_suspend_info info;
+ unsigned long vasi_state;
+ int vasi_err;
+
+- ret = stop_machine(do_join, &counter, cpu_online_mask);
++ info = (struct pseries_suspend_info) {
++ .counter = ATOMIC_INIT(0),
++ };
++
++ ret = stop_machine(do_join, &info, cpu_online_mask);
+ if (ret == 0)
+ break;
+ /*
+--
+2.30.2
+
diff --git a/queue-5.11/series b/queue-5.11/series
index 048681a41dc..651354b3169 100644
--- a/queue-5.11/series
+++ b/queue-5.11/series
@@ -119,3 +119,12 @@ kvm-x86-mmu-use-atomic-ops-to-set-sptes-in-tdp-mmu-m.patch
 kvm-x86-compile-out-tdp-mmu-on-32-bit-systems.patch
 kvm-x86-mmu-ensure-tlbs-are-flushed-for-tdp-mmu-duri.patch
 kbuild-add-resolve_btfids-clean-to-root-clean-target.patch
+extcon-add-stubs-for-extcon_register_notifier_all-fu.patch
+extcon-fix-error-handling-in-extcon_dev_register.patch
+firmware-stratix10-svc-reset-command_reconfig_flag_p.patch
+powerpc-pseries-mobility-use-struct-for-shared-state.patch
+powerpc-pseries-mobility-handle-premature-return-fro.patch
+usb-dwc3-pci-enable-dis_ux_susphy_quirk-for-intel-me.patch
+video-hyperv_fb-fix-a-double-free-in-hvfb_probe.patch
+powerpc-mm-book3s64-use-the-correct-storage-key-valu.patch
+firewire-nosy-fix-a-use-after-free-bug-in-nosy_ioctl.patch
diff --git a/queue-5.11/usb-dwc3-pci-enable-dis_ux_susphy_quirk-for-intel-me.patch b/queue-5.11/usb-dwc3-pci-enable-dis_ux_susphy_quirk-for-intel-me.patch
new file mode 100644
index 00000000000..cbab04fc44d
--- /dev/null
+++ b/queue-5.11/usb-dwc3-pci-enable-dis_ux_susphy_quirk-for-intel-me.patch
@@ -0,0 +1,40 @@
+From 4979ad4f9cbd1e6f8cab0f3defb494124665c9fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Mar 2021 14:52:44 +0200
+Subject: usb: dwc3: pci: Enable dis_uX_susphy_quirk for Intel Merrifield
+
+From: Andy Shevchenko
+
+[ Upstream commit b522f830d35189e0283fa4d5b4b3ef8d7a78cfcb ]
+
+It seems that on Intel Merrifield platform the USB PHY shouldn't be suspended.
+Otherwise it can't be enabled by simply change the cable in the connector.
+
+Enable corresponding quirk for the platform in question.
+
+Fixes: e5f4ca3fce90 ("usb: dwc3: ulpi: Fix USB2.0 HS/FS/LS PHY suspend regression")
+Suggested-by: Serge Semin
+Signed-off-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20210322125244.79407-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/dwc3/dwc3-pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
+index bae6a70664c8..598daed8086f 100644
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -118,6 +118,8 @@ static const struct property_entry dwc3_pci_intel_properties[] = {
+ static const struct property_entry dwc3_pci_mrfld_properties[] = {
+ PROPERTY_ENTRY_STRING("dr_mode", "otg"),
+ PROPERTY_ENTRY_STRING("linux,extcon-name", "mrfld_bcove_pwrsrc"),
++ PROPERTY_ENTRY_BOOL("snps,dis_u3_susphy_quirk"),
++ PROPERTY_ENTRY_BOOL("snps,dis_u2_susphy_quirk"),
+ PROPERTY_ENTRY_BOOL("linux,sysdev_is_parent"),
+ {}
+ };
+--
+2.30.2
+
diff --git a/queue-5.11/video-hyperv_fb-fix-a-double-free-in-hvfb_probe.patch b/queue-5.11/video-hyperv_fb-fix-a-double-free-in-hvfb_probe.patch
new file mode 100644
index 00000000000..186d83d3365
--- /dev/null
+++ b/queue-5.11/video-hyperv_fb-fix-a-double-free-in-hvfb_probe.patch
@@ -0,0 +1,60 @@
+From 5be5befb43d9d73072053f94e309ef69bf2c7361 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Mar 2021 03:37:24 -0700
+Subject: video: hyperv_fb: Fix a double free in hvfb_probe
+
+From: Lv Yunlong
+
+[ Upstream commit 37df9f3fedb6aeaff5564145e8162aab912c9284 ]
+
+Function hvfb_probe() calls hvfb_getmem(), expecting upon return that
+info->apertures is either NULL or points to memory that should be freed
+by framebuffer_release(). But hvfb_getmem() is freeing the memory and
+leaving the pointer non-NULL, resulting in a double free if an error
+occurs or later if hvfb_remove() is called.
+
+Fix this by removing all kfree(info->apertures) calls in hvfb_getmem().
+This will allow framebuffer_release() to free the memory, which follows
+the pattern of other fbdev drivers.
+
+Fixes: 3a6fb6c4255c ("video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs.")
+Signed-off-by: Lv Yunlong
+Reviewed-by: Michael Kelley
+Link: https://lore.kernel.org/r/20210324103724.4189-1-lyl2019@mail.ustc.edu.cn
+Signed-off-by: Wei Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/hyperv_fb.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c
+index c8b0ae676809..4dc9077dd2ac 100644
+--- a/drivers/video/fbdev/hyperv_fb.c
++++ b/drivers/video/fbdev/hyperv_fb.c
+@@ -1031,7 +1031,6 @@ static int hvfb_getmem(struct hv_device *hdev, struct fb_info *info)
+ PCI_DEVICE_ID_HYPERV_VIDEO, NULL);
+ if (!pdev) {
+ pr_err("Unable to find PCI Hyper-V video\n");
+- kfree(info->apertures);
+ return -ENODEV;
+ }
+
+@@ -1129,7 +1128,6 @@ getmem_done:
+ } else {
+ pci_dev_put(pdev);
+ }
+- kfree(info->apertures);
+
+ return 0;
+
+@@ -1141,7 +1139,6 @@ err2:
+ err1:
+ if (!gen2vm)
+ pci_dev_put(pdev);
+- kfree(info->apertures);
+
+ return -ENOMEM;
+ }
+--
+2.30.2
+
--
2.47.3