From 9b99ee939b9f48d666b3759229a44d9d3f09b699 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 31 May 2020 22:48:47 -0400 Subject: [PATCH] Fixes for 4.9 Signed-off-by: Sasha Levin --- ...p-fix-a-left-shifting-1-by-31-ub-bug.patch | 47 +++ ...ixer-volume-quirk-for-ess-technology.patch | 52 +++ ...3-1-use-unified-assembler-in-headers.patch | 148 +++++++++ ...-imx-correct-b850v3-clock-assignment.patch | 43 +++ ...dts-imx6q-bx50v3-add-internal-switch.patch | 102 ++++++ ...50v3-set-display-interface-clock-par.patch | 122 +++++++ ...olidate-uaccess-asm-to-asm-uaccess-a.patch | 302 ++++++++++++++++++ ...dacr-mismatch-with-nested-exceptions.patch | 120 +++++++ ...grate-uaccess_save-and-uaccess_resto.patch | 78 +++++ ...et-cap_ambient-in-cap_bprm_set_creds.patch | 52 +++ ...allocate-initialized-memory-in-fill_.patch | 45 +++ ...ect_put-when-kobject_init_and_add-fa.patch | 82 +++++ ...ric-topology.h-guard-cpumask_of_node.patch | 48 +++ ...-input_flush_device-on-release-not-f.patch | 75 +++++ ...d-thinkpad-s230u-to-i8042-nomux-list.patch | 63 ++++ ...d-thinkpad-s230u-to-i8042-reset-list.patch | 60 ++++ ...rmi4-fix-error-return-code-in-rmi_dr.patch | 38 +++ ...uchscreen-add-support-for-bonxeon-tp.patch | 37 +++ ...ustom-init-packet-for-xbox-one-s-con.patch | 59 ++++ ...ence-count-leak-in-iommu_group_alloc.patch | 38 +++ ...ool-overlay-and-cache-logic-on-redir.patch | 49 +++ ...m_bug_on-pageslab-from-page_mapcount.patch | 99 ++++++ queue-4.9/series | 22 ++ 23 files changed, 1781 insertions(+) create mode 100644 queue-4.9/alsa-hwdep-fix-a-left-shifting-1-by-31-ub-bug.patch create mode 100644 queue-4.9/alsa-usb-audio-mixer-volume-quirk-for-ess-technology.patch create mode 100644 queue-4.9/arm-8843-1-use-unified-assembler-in-headers.patch create mode 100644 queue-4.9/arm-dts-imx-correct-b850v3-clock-assignment.patch create mode 100644 queue-4.9/arm-dts-imx6q-bx50v3-add-internal-switch.patch create mode 100644 queue-4.9/arm-dts-imx6q-bx50v3-set-display-interface-clock-par.patch create mode 100644 queue-4.9/arm-uaccess-consolidate-uaccess-asm-to-asm-uaccess-a.patch create mode 100644 queue-4.9/arm-uaccess-fix-dacr-mismatch-with-nested-exceptions.patch create mode 100644 queue-4.9/arm-uaccess-integrate-uaccess_save-and-uaccess_resto.patch create mode 100644 queue-4.9/exec-always-set-cap_ambient-in-cap_bprm_set_creds.patch create mode 100644 queue-4.9/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch create mode 100644 queue-4.9/ib-qib-call-kobject_put-when-kobject_init_and_add-fa.patch create mode 100644 queue-4.9/include-asm-generic-topology.h-guard-cpumask_of_node.patch create mode 100644 queue-4.9/input-evdev-call-input_flush_device-on-release-not-f.patch create mode 100644 queue-4.9/input-i8042-add-thinkpad-s230u-to-i8042-nomux-list.patch create mode 100644 queue-4.9/input-i8042-add-thinkpad-s230u-to-i8042-reset-list.patch create mode 100644 queue-4.9/input-synaptics-rmi4-fix-error-return-code-in-rmi_dr.patch create mode 100644 queue-4.9/input-usbtouchscreen-add-support-for-bonxeon-tp.patch create mode 100644 queue-4.9/input-xpad-add-custom-init-packet-for-xbox-one-s-con.patch create mode 100644 queue-4.9/iommu-fix-reference-count-leak-in-iommu_group_alloc.patch create mode 100644 queue-4.9/libceph-ignore-pool-overlay-and-cache-logic-on-redir.patch create mode 100644 queue-4.9/mm-remove-vm_bug_on-pageslab-from-page_mapcount.patch diff --git a/queue-4.9/alsa-hwdep-fix-a-left-shifting-1-by-31-ub-bug.patch b/queue-4.9/alsa-hwdep-fix-a-left-shifting-1-by-31-ub-bug.patch new file mode 100644 index 00000000000..91fe5a9b3ea --- /dev/null +++ b/queue-4.9/alsa-hwdep-fix-a-left-shifting-1-by-31-ub-bug.patch @@ -0,0 +1,47 @@ +From 37fece63fc2ef61ad6279a59efe1e36a43bd0e5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 May 2020 00:39:21 +0000 +Subject: ALSA: hwdep: fix a left shifting 1 by 31 UB bug + +From: Changming Liu + +[ Upstream commit fb8cd6481ffd126f35e9e146a0dcf0c4e8899f2e ] + +The "info.index" variable can be 31 in "1 << info.index". +This might trigger an undefined behavior since 1 is signed. + +Fix this by casting 1 to 1u just to be sure "1u << 31" is defined. + +Signed-off-by: Changming Liu +Cc: +Link: https://lore.kernel.org/r/BL0PR06MB4548170B842CB055C9AF695DE5B00@BL0PR06MB4548.namprd06.prod.outlook.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/hwdep.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/core/hwdep.c b/sound/core/hwdep.c +index 36d2416f90d9..96b737adf4d2 100644 +--- a/sound/core/hwdep.c ++++ b/sound/core/hwdep.c +@@ -228,14 +228,14 @@ static int snd_hwdep_dsp_load(struct snd_hwdep *hw, + if (copy_from_user(&info, _info, sizeof(info))) + return -EFAULT; + /* check whether the dsp was already loaded */ +- if (hw->dsp_loaded & (1 << info.index)) ++ if (hw->dsp_loaded & (1u << info.index)) + return -EBUSY; + if (!access_ok(VERIFY_READ, info.image, info.length)) + return -EFAULT; + err = hw->ops.dsp_load(hw, &info); + if (err < 0) + return err; +- hw->dsp_loaded |= (1 << info.index); ++ hw->dsp_loaded |= (1u << info.index); + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.9/alsa-usb-audio-mixer-volume-quirk-for-ess-technology.patch b/queue-4.9/alsa-usb-audio-mixer-volume-quirk-for-ess-technology.patch new file mode 100644 index 00000000000..eb04e22660a --- /dev/null +++ b/queue-4.9/alsa-usb-audio-mixer-volume-quirk-for-ess-technology.patch @@ -0,0 +1,52 @@ +From fa8073298b9d8d480015de0faacbaf54704a5362 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 May 2020 14:26:13 +0800 +Subject: ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC + +From: Chris Chiu + +[ Upstream commit 4020d1ccbe55bdf67b31d718d2400506eaf4b43f ] + +The Asus USB DAC is a USB type-C audio dongle for connecting to +the headset and headphone. The volume minimum value -23040 which +is 0xa600 in hexadecimal with the resolution value 1 indicates +this should be endianness issue caused by the firmware bug. Add +a volume quirk to fix the volume control problem. + +Also fixes this warning: + Warning! Unlikely big volume range (=23040), cval->res is probably wrong. + [5] FU [Headset Capture Volume] ch = 1, val = -23040/0/1 + Warning! Unlikely big volume range (=23040), cval->res is probably wrong. + [7] FU [Headset Playback Volume] ch = 1, val = -23040/0/1 + +Signed-off-by: Chris Chiu +Cc: +Link: https://lore.kernel.org/r/20200526062613.55401-1-chiu@endlessm.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index e2f62362a0b0..024864ce3f76 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -980,6 +980,14 @@ static void volume_control_quirks(struct usb_mixer_elem_info *cval, + cval->res = 384; + } + break; ++ case USB_ID(0x0495, 0x3042): /* ESS Technology Asus USB DAC */ ++ if ((strstr(kctl->id.name, "Playback Volume") != NULL) || ++ strstr(kctl->id.name, "Capture Volume") != NULL) { ++ cval->min >>= 8; ++ cval->max = 0; ++ cval->res = 1; ++ } ++ break; + } + } + +-- +2.25.1 + diff --git a/queue-4.9/arm-8843-1-use-unified-assembler-in-headers.patch b/queue-4.9/arm-8843-1-use-unified-assembler-in-headers.patch new file mode 100644 index 00000000000..0a94546e6b1 --- /dev/null +++ b/queue-4.9/arm-8843-1-use-unified-assembler-in-headers.patch @@ -0,0 +1,148 @@ +From eea60ff4d4e95ee775c7455b3abaa9c8546c95fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Feb 2019 00:56:58 +0100 +Subject: ARM: 8843/1: use unified assembler in headers + +From: Stefan Agner + +[ Upstream commit c001899a5d6c2d7a0f3b75b2307ddef137fb46a6 ] + +Use unified assembler syntax (UAL) in headers. Divided syntax is +considered deprecated. This will also allow to build the kernel +using LLVM's integrated assembler. + +Signed-off-by: Stefan Agner +Acked-by: Nicolas Pitre +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/assembler.h | 12 ++++++------ + arch/arm/include/asm/vfpmacros.h | 8 ++++---- + arch/arm/lib/bitops.h | 8 ++++---- + 3 files changed, 14 insertions(+), 14 deletions(-) + +diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h +index 7d727506096f..c9ed0b0e0737 100644 +--- a/arch/arm/include/asm/assembler.h ++++ b/arch/arm/include/asm/assembler.h +@@ -372,9 +372,9 @@ THUMB( orr \reg , \reg , #PSR_T_BIT ) + .macro usraccoff, instr, reg, ptr, inc, off, cond, abort, t=TUSER() + 9999: + .if \inc == 1 +- \instr\cond\()b\()\t\().w \reg, [\ptr, #\off] ++ \instr\()b\t\cond\().w \reg, [\ptr, #\off] + .elseif \inc == 4 +- \instr\cond\()\t\().w \reg, [\ptr, #\off] ++ \instr\t\cond\().w \reg, [\ptr, #\off] + .else + .error "Unsupported inc macro argument" + .endif +@@ -413,9 +413,9 @@ THUMB( orr \reg , \reg , #PSR_T_BIT ) + .rept \rept + 9999: + .if \inc == 1 +- \instr\cond\()b\()\t \reg, [\ptr], #\inc ++ \instr\()b\t\cond \reg, [\ptr], #\inc + .elseif \inc == 4 +- \instr\cond\()\t \reg, [\ptr], #\inc ++ \instr\t\cond \reg, [\ptr], #\inc + .else + .error "Unsupported inc macro argument" + .endif +@@ -456,7 +456,7 @@ THUMB( orr \reg , \reg , #PSR_T_BIT ) + .macro check_uaccess, addr:req, size:req, limit:req, tmp:req, bad:req + #ifndef CONFIG_CPU_USE_DOMAINS + adds \tmp, \addr, #\size - 1 +- sbcccs \tmp, \tmp, \limit ++ sbcscc \tmp, \tmp, \limit + bcs \bad + #ifdef CONFIG_CPU_SPECTRE + movcs \addr, #0 +@@ -470,7 +470,7 @@ THUMB( orr \reg , \reg , #PSR_T_BIT ) + sub \tmp, \limit, #1 + subs \tmp, \tmp, \addr @ tmp = limit - 1 - addr + addhs \tmp, \tmp, #1 @ if (tmp >= 0) { +- subhss \tmp, \tmp, \size @ tmp = limit - (addr + size) } ++ subshs \tmp, \tmp, \size @ tmp = limit - (addr + size) } + movlo \addr, #0 @ if (tmp < 0) addr = NULL + csdb + #endif +diff --git a/arch/arm/include/asm/vfpmacros.h b/arch/arm/include/asm/vfpmacros.h +index 301c1db3e99b..66748c04aed2 100644 +--- a/arch/arm/include/asm/vfpmacros.h ++++ b/arch/arm/include/asm/vfpmacros.h +@@ -28,13 +28,13 @@ + ldr \tmp, =elf_hwcap @ may not have MVFR regs + ldr \tmp, [\tmp, #0] + tst \tmp, #HWCAP_VFPD32 +- ldcnel p11, cr0, [\base],#32*4 @ FLDMIAD \base!, {d16-d31} ++ ldclne p11, cr0, [\base],#32*4 @ FLDMIAD \base!, {d16-d31} + addeq \base, \base, #32*4 @ step over unused register space + #else + VFPFMRX \tmp, MVFR0 @ Media and VFP Feature Register 0 + and \tmp, \tmp, #MVFR0_A_SIMD_MASK @ A_SIMD field + cmp \tmp, #2 @ 32 x 64bit registers? +- ldceql p11, cr0, [\base],#32*4 @ FLDMIAD \base!, {d16-d31} ++ ldcleq p11, cr0, [\base],#32*4 @ FLDMIAD \base!, {d16-d31} + addne \base, \base, #32*4 @ step over unused register space + #endif + #endif +@@ -52,13 +52,13 @@ + ldr \tmp, =elf_hwcap @ may not have MVFR regs + ldr \tmp, [\tmp, #0] + tst \tmp, #HWCAP_VFPD32 +- stcnel p11, cr0, [\base],#32*4 @ FSTMIAD \base!, {d16-d31} ++ stclne p11, cr0, [\base],#32*4 @ FSTMIAD \base!, {d16-d31} + addeq \base, \base, #32*4 @ step over unused register space + #else + VFPFMRX \tmp, MVFR0 @ Media and VFP Feature Register 0 + and \tmp, \tmp, #MVFR0_A_SIMD_MASK @ A_SIMD field + cmp \tmp, #2 @ 32 x 64bit registers? +- stceql p11, cr0, [\base],#32*4 @ FSTMIAD \base!, {d16-d31} ++ stcleq p11, cr0, [\base],#32*4 @ FSTMIAD \base!, {d16-d31} + addne \base, \base, #32*4 @ step over unused register space + #endif + #endif +diff --git a/arch/arm/lib/bitops.h b/arch/arm/lib/bitops.h +index 7d807cfd8ef5..d9c32b822eda 100644 +--- a/arch/arm/lib/bitops.h ++++ b/arch/arm/lib/bitops.h +@@ -6,7 +6,7 @@ + ENTRY( \name ) + UNWIND( .fnstart ) + ands ip, r1, #3 +- strneb r1, [ip] @ assert word-aligned ++ strbne r1, [ip] @ assert word-aligned + mov r2, #1 + and r3, r0, #31 @ Get bit offset + mov r0, r0, lsr #5 +@@ -31,7 +31,7 @@ ENDPROC(\name ) + ENTRY( \name ) + UNWIND( .fnstart ) + ands ip, r1, #3 +- strneb r1, [ip] @ assert word-aligned ++ strbne r1, [ip] @ assert word-aligned + mov r2, #1 + and r3, r0, #31 @ Get bit offset + mov r0, r0, lsr #5 +@@ -61,7 +61,7 @@ ENDPROC(\name ) + ENTRY( \name ) + UNWIND( .fnstart ) + ands ip, r1, #3 +- strneb r1, [ip] @ assert word-aligned ++ strbne r1, [ip] @ assert word-aligned + and r2, r0, #31 + mov r0, r0, lsr #5 + mov r3, #1 +@@ -88,7 +88,7 @@ ENDPROC(\name ) + ENTRY( \name ) + UNWIND( .fnstart ) + ands ip, r1, #3 +- strneb r1, [ip] @ assert word-aligned ++ strbne r1, [ip] @ assert word-aligned + and r3, r0, #31 + mov r0, r0, lsr #5 + save_and_disable_irqs ip +-- +2.25.1 + diff --git a/queue-4.9/arm-dts-imx-correct-b850v3-clock-assignment.patch b/queue-4.9/arm-dts-imx-correct-b850v3-clock-assignment.patch new file mode 100644 index 00000000000..a1da9883ef5 --- /dev/null +++ b/queue-4.9/arm-dts-imx-correct-b850v3-clock-assignment.patch @@ -0,0 +1,43 @@ +From 4ba8560edf4985f5dee3aa57bc45557fabbcbc8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2017 15:43:37 +0200 +Subject: ARM: dts: imx: Correct B850v3 clock assignment + +From: Martyn Welch + +[ Upstream commit 1d0c7bb20c083a6e810d2142545b5606f8131080 ] + +The IPU that drives HDMI must have its pre_sel set to pll2_pfd_396m +to avoid stepping on the LVDS output's toes, as the PLL can't be clocked +to the pixel clock and to the LVDS serial clock (3.5*pixel clock) at the +same time. + +As we are using ipu1_di0 and ipu2_di0, ensure both are switched to +to pll2_pfd2_396m to avoid issues. The LDB driver will switch the +required IPU to ldb_di1 when it uses it to drive LVDS. + +Signed-off-by: Martyn Welch +Signed-off-by: Romain Perier +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6q-b850v3.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6q-b850v3.dts b/arch/arm/boot/dts/imx6q-b850v3.dts +index 167f7446722a..e5e9a16155d9 100644 +--- a/arch/arm/boot/dts/imx6q-b850v3.dts ++++ b/arch/arm/boot/dts/imx6q-b850v3.dts +@@ -57,7 +57,7 @@ + assigned-clocks = <&clks IMX6QDL_CLK_LDB_DI0_SEL>, + <&clks IMX6QDL_CLK_LDB_DI1_SEL>, + <&clks IMX6QDL_CLK_IPU1_DI0_PRE_SEL>, +- <&clks IMX6QDL_CLK_IPU1_DI1_PRE_SEL>; ++ <&clks IMX6QDL_CLK_IPU2_DI0_PRE_SEL>; + assigned-clock-parents = <&clks IMX6QDL_CLK_PLL5_VIDEO_DIV>, + <&clks IMX6QDL_CLK_PLL5_VIDEO_DIV>, + <&clks IMX6QDL_CLK_PLL2_PFD2_396M>, +-- +2.25.1 + diff --git a/queue-4.9/arm-dts-imx6q-bx50v3-add-internal-switch.patch b/queue-4.9/arm-dts-imx6q-bx50v3-add-internal-switch.patch new file mode 100644 index 00000000000..eae3faca787 --- /dev/null +++ b/queue-4.9/arm-dts-imx6q-bx50v3-add-internal-switch.patch @@ -0,0 +1,102 @@ +From fd644091735e8bf34cf73b61bd7183ecec23ccec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jan 2018 16:03:47 +0100 +Subject: ARM: dts: imx6q-bx50v3: Add internal switch + +From: Sebastian Reichel + +[ Upstream commit e26dead442689a861358f33126210b0f8de615a9 ] + +B850v3, B650v3 and B450v3 all have a GPIO bit banged MDIO bus to +communicate with a Marvell switch. On all devices the switch is +connected to a PCI based network card, which needs to be referenced +by DT, so this also adds the common PCI root node. + +Signed-off-by: Sebastian Reichel +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6q-bx50v3.dtsi | 62 +++++++++++++++++++++++++++++ + 1 file changed, 62 insertions(+) + +diff --git a/arch/arm/boot/dts/imx6q-bx50v3.dtsi b/arch/arm/boot/dts/imx6q-bx50v3.dtsi +index e4a415fd899b..ff8928a0b406 100644 +--- a/arch/arm/boot/dts/imx6q-bx50v3.dtsi ++++ b/arch/arm/boot/dts/imx6q-bx50v3.dtsi +@@ -92,6 +92,56 @@ + mux-int-port = <1>; + mux-ext-port = <4>; + }; ++ ++ aliases { ++ mdio-gpio0 = &mdio0; ++ }; ++ ++ mdio0: mdio-gpio { ++ compatible = "virtual,mdio-gpio"; ++ gpios = <&gpio2 5 GPIO_ACTIVE_HIGH>, /* mdc */ ++ <&gpio2 7 GPIO_ACTIVE_HIGH>; /* mdio */ ++ ++ #address-cells = <1>; ++ #size-cells = <0>; ++ ++ switch@0 { ++ compatible = "marvell,mv88e6085"; /* 88e6240*/ ++ #address-cells = <1>; ++ #size-cells = <0>; ++ reg = <0>; ++ ++ switch_ports: ports { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ }; ++ ++ mdio { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ ++ switchphy0: switchphy@0 { ++ reg = <0>; ++ }; ++ ++ switchphy1: switchphy@1 { ++ reg = <1>; ++ }; ++ ++ switchphy2: switchphy@2 { ++ reg = <2>; ++ }; ++ ++ switchphy3: switchphy@3 { ++ reg = <3>; ++ }; ++ ++ switchphy4: switchphy@4 { ++ reg = <4>; ++ }; ++ }; ++ }; ++ }; + }; + + &ecspi5 { +@@ -299,3 +349,15 @@ + tcxo-clock-frequency = <26000000>; + }; + }; ++ ++&pcie { ++ /* Synopsys, Inc. Device */ ++ pci_root: root@0,0 { ++ compatible = "pci16c3,abcd"; ++ reg = <0x00000000 0 0 0 0>; ++ ++ #address-cells = <3>; ++ #size-cells = <2>; ++ #interrupt-cells = <1>; ++ }; ++}; +-- +2.25.1 + diff --git a/queue-4.9/arm-dts-imx6q-bx50v3-set-display-interface-clock-par.patch b/queue-4.9/arm-dts-imx6q-bx50v3-set-display-interface-clock-par.patch new file mode 100644 index 00000000000..00aefab013a --- /dev/null +++ b/queue-4.9/arm-dts-imx6q-bx50v3-set-display-interface-clock-par.patch @@ -0,0 +1,122 @@ +From 9d14c25f57b516fd2eb890920d72212118aa8910 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 May 2020 19:02:37 +0200 +Subject: ARM: dts/imx6q-bx50v3: Set display interface clock parents + +From: Robert Beckett + +[ Upstream commit 665e7c73a7724a393b4ec92d1ae1e029925ef2b7 ] + +Avoid LDB and IPU DI clocks both using the same parent. LDB requires +pasthrough clock to avoid breaking timing while IPU DI does not. + +Force IPU DI clocks to use IMX6QDL_CLK_PLL2_PFD0_352M as parent +and LDB to use IMX6QDL_CLK_PLL5_VIDEO_DIV. + +This fixes an issue where attempting atomic modeset while using +HDMI and display port at the same time causes LDB clock programming +to destroy the programming of HDMI that was done during the same +modeset. + +Cc: stable@vger.kernel.org +Signed-off-by: Robert Beckett +[Use IMX6QDL_CLK_PLL2_PFD0_352M instead of IMX6QDL_CLK_PLL2_PFD2_396M + originally chosen by Robert Beckett to avoid affecting eMMC clock + by DRM atomic updates] +Signed-off-by: Ian Ray +[Squash Robert's and Ian's commits for bisectability, update patch + description and add stable tag] +Signed-off-by: Sebastian Reichel +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6q-b450v3.dts | 7 ------- + arch/arm/boot/dts/imx6q-b650v3.dts | 7 ------- + arch/arm/boot/dts/imx6q-b850v3.dts | 11 ----------- + arch/arm/boot/dts/imx6q-bx50v3.dtsi | 15 +++++++++++++++ + 4 files changed, 15 insertions(+), 25 deletions(-) + +diff --git a/arch/arm/boot/dts/imx6q-b450v3.dts b/arch/arm/boot/dts/imx6q-b450v3.dts +index 78bfc1a307d6..ebc6e10f8624 100644 +--- a/arch/arm/boot/dts/imx6q-b450v3.dts ++++ b/arch/arm/boot/dts/imx6q-b450v3.dts +@@ -65,13 +65,6 @@ + }; + }; + +-&clks { +- assigned-clocks = <&clks IMX6QDL_CLK_LDB_DI0_SEL>, +- <&clks IMX6QDL_CLK_LDB_DI1_SEL>; +- assigned-clock-parents = <&clks IMX6QDL_CLK_PLL3_USB_OTG>, +- <&clks IMX6QDL_CLK_PLL3_USB_OTG>; +-}; +- + &ldb { + status = "okay"; + +diff --git a/arch/arm/boot/dts/imx6q-b650v3.dts b/arch/arm/boot/dts/imx6q-b650v3.dts +index d85388725426..681aa612e07f 100644 +--- a/arch/arm/boot/dts/imx6q-b650v3.dts ++++ b/arch/arm/boot/dts/imx6q-b650v3.dts +@@ -65,13 +65,6 @@ + }; + }; + +-&clks { +- assigned-clocks = <&clks IMX6QDL_CLK_LDB_DI0_SEL>, +- <&clks IMX6QDL_CLK_LDB_DI1_SEL>; +- assigned-clock-parents = <&clks IMX6QDL_CLK_PLL3_USB_OTG>, +- <&clks IMX6QDL_CLK_PLL3_USB_OTG>; +-}; +- + &ldb { + status = "okay"; + +diff --git a/arch/arm/boot/dts/imx6q-b850v3.dts b/arch/arm/boot/dts/imx6q-b850v3.dts +index e5e9a16155d9..8596df4078e9 100644 +--- a/arch/arm/boot/dts/imx6q-b850v3.dts ++++ b/arch/arm/boot/dts/imx6q-b850v3.dts +@@ -53,17 +53,6 @@ + }; + }; + +-&clks { +- assigned-clocks = <&clks IMX6QDL_CLK_LDB_DI0_SEL>, +- <&clks IMX6QDL_CLK_LDB_DI1_SEL>, +- <&clks IMX6QDL_CLK_IPU1_DI0_PRE_SEL>, +- <&clks IMX6QDL_CLK_IPU2_DI0_PRE_SEL>; +- assigned-clock-parents = <&clks IMX6QDL_CLK_PLL5_VIDEO_DIV>, +- <&clks IMX6QDL_CLK_PLL5_VIDEO_DIV>, +- <&clks IMX6QDL_CLK_PLL2_PFD2_396M>, +- <&clks IMX6QDL_CLK_PLL2_PFD2_396M>; +-}; +- + &ldb { + fsl,dual-channel; + status = "okay"; +diff --git a/arch/arm/boot/dts/imx6q-bx50v3.dtsi b/arch/arm/boot/dts/imx6q-bx50v3.dtsi +index ff8928a0b406..cee0e19f180f 100644 +--- a/arch/arm/boot/dts/imx6q-bx50v3.dtsi ++++ b/arch/arm/boot/dts/imx6q-bx50v3.dtsi +@@ -361,3 +361,18 @@ + #interrupt-cells = <1>; + }; + }; ++ ++&clks { ++ assigned-clocks = <&clks IMX6QDL_CLK_LDB_DI0_SEL>, ++ <&clks IMX6QDL_CLK_LDB_DI1_SEL>, ++ <&clks IMX6QDL_CLK_IPU1_DI0_PRE_SEL>, ++ <&clks IMX6QDL_CLK_IPU1_DI1_PRE_SEL>, ++ <&clks IMX6QDL_CLK_IPU2_DI0_PRE_SEL>, ++ <&clks IMX6QDL_CLK_IPU2_DI1_PRE_SEL>; ++ assigned-clock-parents = <&clks IMX6QDL_CLK_PLL5_VIDEO_DIV>, ++ <&clks IMX6QDL_CLK_PLL5_VIDEO_DIV>, ++ <&clks IMX6QDL_CLK_PLL2_PFD0_352M>, ++ <&clks IMX6QDL_CLK_PLL2_PFD0_352M>, ++ <&clks IMX6QDL_CLK_PLL2_PFD0_352M>, ++ <&clks IMX6QDL_CLK_PLL2_PFD0_352M>; ++}; +-- +2.25.1 + diff --git a/queue-4.9/arm-uaccess-consolidate-uaccess-asm-to-asm-uaccess-a.patch b/queue-4.9/arm-uaccess-consolidate-uaccess-asm-to-asm-uaccess-a.patch new file mode 100644 index 00000000000..3783a65a997 --- /dev/null +++ b/queue-4.9/arm-uaccess-consolidate-uaccess-asm-to-asm-uaccess-a.patch @@ -0,0 +1,302 @@ +From 5fdd29e7beddf9834319bba2ec9b73c1a0988561 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 May 2020 13:03:54 +0100 +Subject: ARM: uaccess: consolidate uaccess asm to asm/uaccess-asm.h + +From: Russell King + +[ Upstream commit 747ffc2fcf969eff9309d7f2d1d61cb8b9e1bb40 ] + +Consolidate the user access assembly code to asm/uaccess-asm.h. This +moves the csdb, check_uaccess, uaccess_mask_range_ptr, uaccess_enable, +uaccess_disable, uaccess_save, uaccess_restore macros, and creates two +new ones for exception entry and exit - uaccess_entry and uaccess_exit. + +This makes the uaccess_save and uaccess_restore macros private to +asm/uaccess-asm.h. + +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/assembler.h | 75 +------------------- + arch/arm/include/asm/uaccess-asm.h | 106 +++++++++++++++++++++++++++++ + arch/arm/kernel/entry-armv.S | 11 +-- + arch/arm/kernel/entry-header.S | 9 +-- + 4 files changed, 112 insertions(+), 89 deletions(-) + create mode 100644 arch/arm/include/asm/uaccess-asm.h + +diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h +index c9ed0b0e0737..1cd39b1229eb 100644 +--- a/arch/arm/include/asm/assembler.h ++++ b/arch/arm/include/asm/assembler.h +@@ -21,11 +21,11 @@ + #endif + + #include +-#include + #include + #include + #include + #include ++#include + + #define IOMEM(x) (x) + +@@ -445,79 +445,6 @@ THUMB( orr \reg , \reg , #PSR_T_BIT ) + .size \name , . - \name + .endm + +- .macro csdb +-#ifdef CONFIG_THUMB2_KERNEL +- .inst.w 0xf3af8014 +-#else +- .inst 0xe320f014 +-#endif +- .endm +- +- .macro check_uaccess, addr:req, size:req, limit:req, tmp:req, bad:req +-#ifndef CONFIG_CPU_USE_DOMAINS +- adds \tmp, \addr, #\size - 1 +- sbcscc \tmp, \tmp, \limit +- bcs \bad +-#ifdef CONFIG_CPU_SPECTRE +- movcs \addr, #0 +- csdb +-#endif +-#endif +- .endm +- +- .macro uaccess_mask_range_ptr, addr:req, size:req, limit:req, tmp:req +-#ifdef CONFIG_CPU_SPECTRE +- sub \tmp, \limit, #1 +- subs \tmp, \tmp, \addr @ tmp = limit - 1 - addr +- addhs \tmp, \tmp, #1 @ if (tmp >= 0) { +- subshs \tmp, \tmp, \size @ tmp = limit - (addr + size) } +- movlo \addr, #0 @ if (tmp < 0) addr = NULL +- csdb +-#endif +- .endm +- +- .macro uaccess_disable, tmp, isb=1 +-#ifdef CONFIG_CPU_SW_DOMAIN_PAN +- /* +- * Whenever we re-enter userspace, the domains should always be +- * set appropriately. +- */ +- mov \tmp, #DACR_UACCESS_DISABLE +- mcr p15, 0, \tmp, c3, c0, 0 @ Set domain register +- .if \isb +- instr_sync +- .endif +-#endif +- .endm +- +- .macro uaccess_enable, tmp, isb=1 +-#ifdef CONFIG_CPU_SW_DOMAIN_PAN +- /* +- * Whenever we re-enter userspace, the domains should always be +- * set appropriately. +- */ +- mov \tmp, #DACR_UACCESS_ENABLE +- mcr p15, 0, \tmp, c3, c0, 0 +- .if \isb +- instr_sync +- .endif +-#endif +- .endm +- +- .macro uaccess_save, tmp +-#ifdef CONFIG_CPU_SW_DOMAIN_PAN +- mrc p15, 0, \tmp, c3, c0, 0 +- str \tmp, [sp, #SVC_DACR] +-#endif +- .endm +- +- .macro uaccess_restore +-#ifdef CONFIG_CPU_SW_DOMAIN_PAN +- ldr r0, [sp, #SVC_DACR] +- mcr p15, 0, r0, c3, c0, 0 +-#endif +- .endm +- + .irp c,,eq,ne,cs,cc,mi,pl,vs,vc,hi,ls,ge,lt,gt,le,hs,lo + .macro ret\c, reg + #if __LINUX_ARM_ARCH__ < 6 +diff --git a/arch/arm/include/asm/uaccess-asm.h b/arch/arm/include/asm/uaccess-asm.h +new file mode 100644 +index 000000000000..d475e3e8145d +--- /dev/null ++++ b/arch/arm/include/asm/uaccess-asm.h +@@ -0,0 +1,106 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++#ifndef __ASM_UACCESS_ASM_H__ ++#define __ASM_UACCESS_ASM_H__ ++ ++#include ++#include ++#include ++#include ++ ++ .macro csdb ++#ifdef CONFIG_THUMB2_KERNEL ++ .inst.w 0xf3af8014 ++#else ++ .inst 0xe320f014 ++#endif ++ .endm ++ ++ .macro check_uaccess, addr:req, size:req, limit:req, tmp:req, bad:req ++#ifndef CONFIG_CPU_USE_DOMAINS ++ adds \tmp, \addr, #\size - 1 ++ sbcscc \tmp, \tmp, \limit ++ bcs \bad ++#ifdef CONFIG_CPU_SPECTRE ++ movcs \addr, #0 ++ csdb ++#endif ++#endif ++ .endm ++ ++ .macro uaccess_mask_range_ptr, addr:req, size:req, limit:req, tmp:req ++#ifdef CONFIG_CPU_SPECTRE ++ sub \tmp, \limit, #1 ++ subs \tmp, \tmp, \addr @ tmp = limit - 1 - addr ++ addhs \tmp, \tmp, #1 @ if (tmp >= 0) { ++ subshs \tmp, \tmp, \size @ tmp = limit - (addr + size) } ++ movlo \addr, #0 @ if (tmp < 0) addr = NULL ++ csdb ++#endif ++ .endm ++ ++ .macro uaccess_disable, tmp, isb=1 ++#ifdef CONFIG_CPU_SW_DOMAIN_PAN ++ /* ++ * Whenever we re-enter userspace, the domains should always be ++ * set appropriately. ++ */ ++ mov \tmp, #DACR_UACCESS_DISABLE ++ mcr p15, 0, \tmp, c3, c0, 0 @ Set domain register ++ .if \isb ++ instr_sync ++ .endif ++#endif ++ .endm ++ ++ .macro uaccess_enable, tmp, isb=1 ++#ifdef CONFIG_CPU_SW_DOMAIN_PAN ++ /* ++ * Whenever we re-enter userspace, the domains should always be ++ * set appropriately. ++ */ ++ mov \tmp, #DACR_UACCESS_ENABLE ++ mcr p15, 0, \tmp, c3, c0, 0 ++ .if \isb ++ instr_sync ++ .endif ++#endif ++ .endm ++ ++ .macro uaccess_save, tmp ++#ifdef CONFIG_CPU_SW_DOMAIN_PAN ++ mrc p15, 0, \tmp, c3, c0, 0 ++ str \tmp, [sp, #SVC_DACR] ++#endif ++ .endm ++ ++ .macro uaccess_restore ++#ifdef CONFIG_CPU_SW_DOMAIN_PAN ++ ldr r0, [sp, #SVC_DACR] ++ mcr p15, 0, r0, c3, c0, 0 ++#endif ++ .endm ++ ++ /* ++ * Save the address limit on entry to a privileged exception and ++ * if using PAN, save and disable usermode access. ++ */ ++ .macro uaccess_entry, tsk, tmp0, tmp1, tmp2, disable ++ ldr \tmp0, [\tsk, #TI_ADDR_LIMIT] ++ mov \tmp1, #TASK_SIZE ++ str \tmp1, [\tsk, #TI_ADDR_LIMIT] ++ str \tmp0, [sp, #SVC_ADDR_LIMIT] ++ uaccess_save \tmp0 ++ .if \disable ++ uaccess_disable \tmp0 ++ .endif ++ .endm ++ ++ /* Restore the user access state previously saved by uaccess_entry */ ++ .macro uaccess_exit, tsk, tmp0, tmp1 ++ ldr \tmp1, [sp, #SVC_ADDR_LIMIT] ++ uaccess_restore ++ str \tmp1, [\tsk, #TI_ADDR_LIMIT] ++ .endm ++ ++#endif /* __ASM_UACCESS_ASM_H__ */ +diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S +index 9f157e7c51e7..efffca3c66e7 100644 +--- a/arch/arm/kernel/entry-armv.S ++++ b/arch/arm/kernel/entry-armv.S +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + #include "entry-header.S" + #include +@@ -186,15 +187,7 @@ ENDPROC(__und_invalid) + stmia r7, {r2 - r6} + + get_thread_info tsk +- ldr r0, [tsk, #TI_ADDR_LIMIT] +- mov r1, #TASK_SIZE +- str r1, [tsk, #TI_ADDR_LIMIT] +- str r0, [sp, #SVC_ADDR_LIMIT] +- +- uaccess_save r0 +- .if \uaccess +- uaccess_disable r0 +- .endif ++ uaccess_entry tsk, r0, r1, r2, \uaccess + + .if \trace + #ifdef CONFIG_TRACE_IRQFLAGS +diff --git a/arch/arm/kernel/entry-header.S b/arch/arm/kernel/entry-header.S +index fa7c6e5c17e7..f9287e65722e 100644 +--- a/arch/arm/kernel/entry-header.S ++++ b/arch/arm/kernel/entry-header.S +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + #include + + @ Bad Abort numbers +@@ -215,9 +216,7 @@ + blne trace_hardirqs_off + #endif + .endif +- ldr r1, [sp, #SVC_ADDR_LIMIT] +- uaccess_restore +- str r1, [tsk, #TI_ADDR_LIMIT] ++ uaccess_exit tsk, r0, r1 + + #ifndef CONFIG_THUMB2_KERNEL + @ ARM mode SVC restore +@@ -261,9 +260,7 @@ + @ on the stack remains correct). + @ + .macro svc_exit_via_fiq +- ldr r1, [sp, #SVC_ADDR_LIMIT] +- uaccess_restore +- str r1, [tsk, #TI_ADDR_LIMIT] ++ uaccess_exit tsk, r0, r1 + #ifndef CONFIG_THUMB2_KERNEL + @ ARM mode restore + mov r0, sp +-- +2.25.1 + diff --git a/queue-4.9/arm-uaccess-fix-dacr-mismatch-with-nested-exceptions.patch b/queue-4.9/arm-uaccess-fix-dacr-mismatch-with-nested-exceptions.patch new file mode 100644 index 00000000000..58dde84bcc1 --- /dev/null +++ b/queue-4.9/arm-uaccess-fix-dacr-mismatch-with-nested-exceptions.patch @@ -0,0 +1,120 @@ +From fc0dd68e7e6e390ede71af1dbf81281614f7ace0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 May 2020 13:24:07 +0100 +Subject: ARM: uaccess: fix DACR mismatch with nested exceptions + +From: Russell King + +[ Upstream commit 71f8af1110101facfad68989ff91f88f8e2c3e22 ] + +Tomas Paukrt reports that his SAM9X60 based system (ARM926, ARMv5TJ) +fails to fix up alignment faults, eventually resulting in a kernel +oops. + +The problem occurs when using CONFIG_CPU_USE_DOMAINS with commit +e6978e4bf181 ("ARM: save and reset the address limit when entering an +exception"). This is because the address limit is set back to +TASK_SIZE on exception entry, and, although it is restored on exception +exit, the domain register is not. + +Hence, this sequence can occur: + + interrupt + pt_regs->addr_limit = addr_limit // USER_DS + addr_limit = USER_DS + alignment exception + __probe_kernel_read() + old_fs = get_fs() // USER_DS + set_fs(KERNEL_DS) + addr_limit = KERNEL_DS + dacr.kernel = DOMAIN_MANAGER + interrupt + pt_regs->addr_limit = addr_limit // KERNEL_DS + addr_limit = USER_DS + alignment exception + __probe_kernel_read() + old_fs = get_fs() // USER_DS + set_fs(KERNEL_DS) + addr_limit = KERNEL_DS + dacr.kernel = DOMAIN_MANAGER + ... + set_fs(old_fs) + addr_limit = USER_DS + dacr.kernel = DOMAIN_CLIENT + ... + addr_limit = pt_regs->addr_limit // KERNEL_DS + interrupt returns + +At this point, addr_limit is correctly restored to KERNEL_DS for +__probe_kernel_read() to continue execution, but dacr.kernel is not, +it has been reset by the set_fs(old_fs) to DOMAIN_CLIENT. + +This would not have happened prior to the mentioned commit, because +addr_limit would remain KERNEL_DS, so get_fs() would have returned +KERNEL_DS, and so would correctly nest. + +This commit fixes the problem by also saving the DACR on exception +entry if either CONFIG_CPU_SW_DOMAIN_PAN or CONFIG_CPU_USE_DOMAINS are +enabled, and resetting the DACR appropriately on exception entry to +match addr_limit and PAN settings. + +Fixes: e6978e4bf181 ("ARM: save and reset the address limit when entering an exception") +Reported-by: Tomas Paukrt +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/uaccess-asm.h | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/include/asm/uaccess-asm.h b/arch/arm/include/asm/uaccess-asm.h +index e46468b91eaa..907571fd05c6 100644 +--- a/arch/arm/include/asm/uaccess-asm.h ++++ b/arch/arm/include/asm/uaccess-asm.h +@@ -67,15 +67,21 @@ + #endif + .endm + +-#ifdef CONFIG_CPU_SW_DOMAIN_PAN ++#if defined(CONFIG_CPU_SW_DOMAIN_PAN) || defined(CONFIG_CPU_USE_DOMAINS) + #define DACR(x...) x + #else + #define DACR(x...) + #endif + + /* +- * Save the address limit on entry to a privileged exception and +- * if using PAN, save and disable usermode access. ++ * Save the address limit on entry to a privileged exception. ++ * ++ * If we are using the DACR for kernel access by the user accessors ++ * (CONFIG_CPU_USE_DOMAINS=y), always reset the DACR kernel domain ++ * back to client mode, whether or not \disable is set. ++ * ++ * If we are using SW PAN, set the DACR user domain to no access ++ * if \disable is set. + */ + .macro uaccess_entry, tsk, tmp0, tmp1, tmp2, disable + ldr \tmp1, [\tsk, #TI_ADDR_LIMIT] +@@ -84,8 +90,17 @@ + DACR( mrc p15, 0, \tmp0, c3, c0, 0) + DACR( str \tmp0, [sp, #SVC_DACR]) + str \tmp1, [sp, #SVC_ADDR_LIMIT] +- .if \disable +- uaccess_disable \tmp0 ++ .if \disable && IS_ENABLED(CONFIG_CPU_SW_DOMAIN_PAN) ++ /* kernel=client, user=no access */ ++ mov \tmp2, #DACR_UACCESS_DISABLE ++ mcr p15, 0, \tmp2, c3, c0, 0 ++ instr_sync ++ .elseif IS_ENABLED(CONFIG_CPU_USE_DOMAINS) ++ /* kernel=client */ ++ bic \tmp2, \tmp0, #domain_mask(DOMAIN_KERNEL) ++ orr \tmp2, \tmp2, #domain_val(DOMAIN_KERNEL, DOMAIN_CLIENT) ++ mcr p15, 0, \tmp2, c3, c0, 0 ++ instr_sync + .endif + .endm + +-- +2.25.1 + diff --git a/queue-4.9/arm-uaccess-integrate-uaccess_save-and-uaccess_resto.patch b/queue-4.9/arm-uaccess-integrate-uaccess_save-and-uaccess_resto.patch new file mode 100644 index 00000000000..a46aab99028 --- /dev/null +++ b/queue-4.9/arm-uaccess-integrate-uaccess_save-and-uaccess_resto.patch @@ -0,0 +1,78 @@ +From 1deb9ca0ee67350299e989a3121e804fb803b2c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 May 2020 13:14:09 +0100 +Subject: ARM: uaccess: integrate uaccess_save and uaccess_restore + +From: Russell King + +[ Upstream commit 8ede890b0bcebe8c760aacfe20e934d98c3dc6aa ] + +Integrate uaccess_save / uaccess_restore macros into the new +uaccess_entry / uaccess_exit macros respectively. + +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/uaccess-asm.h | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +diff --git a/arch/arm/include/asm/uaccess-asm.h b/arch/arm/include/asm/uaccess-asm.h +index d475e3e8145d..e46468b91eaa 100644 +--- a/arch/arm/include/asm/uaccess-asm.h ++++ b/arch/arm/include/asm/uaccess-asm.h +@@ -67,30 +67,23 @@ + #endif + .endm + +- .macro uaccess_save, tmp + #ifdef CONFIG_CPU_SW_DOMAIN_PAN +- mrc p15, 0, \tmp, c3, c0, 0 +- str \tmp, [sp, #SVC_DACR] +-#endif +- .endm +- +- .macro uaccess_restore +-#ifdef CONFIG_CPU_SW_DOMAIN_PAN +- ldr r0, [sp, #SVC_DACR] +- mcr p15, 0, r0, c3, c0, 0 ++#define DACR(x...) x ++#else ++#define DACR(x...) + #endif +- .endm + + /* + * Save the address limit on entry to a privileged exception and + * if using PAN, save and disable usermode access. + */ + .macro uaccess_entry, tsk, tmp0, tmp1, tmp2, disable +- ldr \tmp0, [\tsk, #TI_ADDR_LIMIT] +- mov \tmp1, #TASK_SIZE +- str \tmp1, [\tsk, #TI_ADDR_LIMIT] +- str \tmp0, [sp, #SVC_ADDR_LIMIT] +- uaccess_save \tmp0 ++ ldr \tmp1, [\tsk, #TI_ADDR_LIMIT] ++ mov \tmp2, #TASK_SIZE ++ str \tmp2, [\tsk, #TI_ADDR_LIMIT] ++ DACR( mrc p15, 0, \tmp0, c3, c0, 0) ++ DACR( str \tmp0, [sp, #SVC_DACR]) ++ str \tmp1, [sp, #SVC_ADDR_LIMIT] + .if \disable + uaccess_disable \tmp0 + .endif +@@ -99,8 +92,11 @@ + /* Restore the user access state previously saved by uaccess_entry */ + .macro uaccess_exit, tsk, tmp0, tmp1 + ldr \tmp1, [sp, #SVC_ADDR_LIMIT] +- uaccess_restore ++ DACR( ldr \tmp0, [sp, #SVC_DACR]) + str \tmp1, [\tsk, #TI_ADDR_LIMIT] ++ DACR( mcr p15, 0, \tmp0, c3, c0, 0) + .endm + ++#undef DACR ++ + #endif /* __ASM_UACCESS_ASM_H__ */ +-- +2.25.1 + diff --git a/queue-4.9/exec-always-set-cap_ambient-in-cap_bprm_set_creds.patch b/queue-4.9/exec-always-set-cap_ambient-in-cap_bprm_set_creds.patch new file mode 100644 index 00000000000..b8bc51c9980 --- /dev/null +++ b/queue-4.9/exec-always-set-cap_ambient-in-cap_bprm_set_creds.patch @@ -0,0 +1,52 @@ +From 03f92687d734fc3ff9a97cf201fe4c38128effd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2020 12:56:15 -0500 +Subject: exec: Always set cap_ambient in cap_bprm_set_creds + +From: Eric W. Biederman + +[ Upstream commit a4ae32c71fe90794127b32d26d7ad795813b502e ] + +An invariant of cap_bprm_set_creds is that every field in the new cred +structure that cap_bprm_set_creds might set, needs to be set every +time to ensure the fields does not get a stale value. + +The field cap_ambient is not set every time cap_bprm_set_creds is +called, which means that if there is a suid or sgid script with an +interpreter that has neither the suid nor the sgid bits set the +interpreter should be able to accept ambient credentials. +Unfortuantely because cap_ambient is not reset to it's original value +the interpreter can not accept ambient credentials. + +Given that the ambient capability set is expected to be controlled by +the caller, I don't think this is particularly serious. But it is +definitely worth fixing so the code works correctly. + +I have tested to verify my reading of the code is correct and the +interpreter of a sgid can receive ambient capabilities with this +change and cannot receive ambient capabilities without this change. + +Cc: stable@vger.kernel.org +Cc: Andy Lutomirski +Fixes: 58319057b784 ("capabilities: ambient capabilities") +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Sasha Levin +--- + security/commoncap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/security/commoncap.c b/security/commoncap.c +index 8df676fbd393..b86aca8d6798 100644 +--- a/security/commoncap.c ++++ b/security/commoncap.c +@@ -497,6 +497,7 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) + int ret; + kuid_t root_uid; + ++ new->cap_ambient = old->cap_ambient; + if (WARN_ON(!cap_ambient_invariant_ok(old))) + return -EPERM; + +-- +2.25.1 + diff --git a/queue-4.9/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch b/queue-4.9/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch new file mode 100644 index 00000000000..e9a8198f4c5 --- /dev/null +++ b/queue-4.9/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch @@ -0,0 +1,45 @@ +From c5b1ae55585cd7c95d06da5f5fde27f7da661049 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 May 2020 22:20:52 -0700 +Subject: fs/binfmt_elf.c: allocate initialized memory in + fill_thread_core_info() + +From: Alexander Potapenko + +[ Upstream commit 1d605416fb7175e1adf094251466caa52093b413 ] + +KMSAN reported uninitialized data being written to disk when dumping +core. As a result, several kilobytes of kmalloc memory may be written +to the core file and then read by a non-privileged user. + +Reported-by: sam +Signed-off-by: Alexander Potapenko +Signed-off-by: Andrew Morton +Acked-by: Kees Cook +Cc: Al Viro +Cc: Alexey Dobriyan +Cc: +Link: http://lkml.kernel.org/r/20200419100848.63472-1-glider@google.com +Link: https://github.com/google/kmsan/issues/76 +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/binfmt_elf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index e78553d51837..73cd7482c1fa 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -1721,7 +1721,7 @@ static int fill_thread_core_info(struct elf_thread_core_info *t, + (!regset->active || regset->active(t->task, regset) > 0)) { + int ret; + size_t size = regset->n * regset->size; +- void *data = kmalloc(size, GFP_KERNEL); ++ void *data = kzalloc(size, GFP_KERNEL); + if (unlikely(!data)) + return 0; + ret = regset->get(t->task, regset, +-- +2.25.1 + diff --git a/queue-4.9/ib-qib-call-kobject_put-when-kobject_init_and_add-fa.patch b/queue-4.9/ib-qib-call-kobject_put-when-kobject_init_and_add-fa.patch new file mode 100644 index 00000000000..dc6c64e03ed --- /dev/null +++ b/queue-4.9/ib-qib-call-kobject_put-when-kobject_init_and_add-fa.patch @@ -0,0 +1,82 @@ +From da66fe545342144a3304877342b5a8739246ddb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 May 2020 23:13:28 -0400 +Subject: IB/qib: Call kobject_put() when kobject_init_and_add() fails + +From: Kaike Wan + +[ Upstream commit a35cd6447effd5c239b564c80fa109d05ff3d114 ] + +When kobject_init_and_add() returns an error in the function +qib_create_port_files(), the function kobject_put() is not called for the +corresponding kobject, which potentially leads to memory leak. + +This patch fixes the issue by calling kobject_put() even if +kobject_init_and_add() fails. In addition, the ppd->diagc_kobj is released +along with other kobjects when the sysfs is unregistered. + +Fixes: f931551bafe1 ("IB/qib: Add new qib driver for QLogic PCIe InfiniBand adapters") +Link: https://lore.kernel.org/r/20200512031328.189865.48627.stgit@awfm-01.aw.intel.com +Cc: +Suggested-by: Lin Yi +Reviewed-by: Mike Marciniszyn +Signed-off-by: Kaike Wan +Signed-off-by: Dennis Dalessandro +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qib/qib_sysfs.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/qib/qib_sysfs.c b/drivers/infiniband/hw/qib/qib_sysfs.c +index 8ce0f6eef89e..b9d653afff8b 100644 +--- a/drivers/infiniband/hw/qib/qib_sysfs.c ++++ b/drivers/infiniband/hw/qib/qib_sysfs.c +@@ -756,7 +756,7 @@ int qib_create_port_files(struct ib_device *ibdev, u8 port_num, + qib_dev_err(dd, + "Skipping linkcontrol sysfs info, (err %d) port %u\n", + ret, port_num); +- goto bail; ++ goto bail_link; + } + kobject_uevent(&ppd->pport_kobj, KOBJ_ADD); + +@@ -766,7 +766,7 @@ int qib_create_port_files(struct ib_device *ibdev, u8 port_num, + qib_dev_err(dd, + "Skipping sl2vl sysfs info, (err %d) port %u\n", + ret, port_num); +- goto bail_link; ++ goto bail_sl; + } + kobject_uevent(&ppd->sl2vl_kobj, KOBJ_ADD); + +@@ -776,7 +776,7 @@ int qib_create_port_files(struct ib_device *ibdev, u8 port_num, + qib_dev_err(dd, + "Skipping diag_counters sysfs info, (err %d) port %u\n", + ret, port_num); +- goto bail_sl; ++ goto bail_diagc; + } + kobject_uevent(&ppd->diagc_kobj, KOBJ_ADD); + +@@ -789,7 +789,7 @@ int qib_create_port_files(struct ib_device *ibdev, u8 port_num, + qib_dev_err(dd, + "Skipping Congestion Control sysfs info, (err %d) port %u\n", + ret, port_num); +- goto bail_diagc; ++ goto bail_cc; + } + + kobject_uevent(&ppd->pport_cc_kobj, KOBJ_ADD); +@@ -871,6 +871,7 @@ void qib_verbs_unregister_sysfs(struct qib_devdata *dd) + &cc_table_bin_attr); + kobject_put(&ppd->pport_cc_kobj); + } ++ kobject_put(&ppd->diagc_kobj); + kobject_put(&ppd->sl2vl_kobj); + kobject_put(&ppd->pport_kobj); + } +-- +2.25.1 + diff --git a/queue-4.9/include-asm-generic-topology.h-guard-cpumask_of_node.patch b/queue-4.9/include-asm-generic-topology.h-guard-cpumask_of_node.patch new file mode 100644 index 00000000000..4189ac042a5 --- /dev/null +++ b/queue-4.9/include-asm-generic-topology.h-guard-cpumask_of_node.patch @@ -0,0 +1,48 @@ +From e9d999b13386de06338d39a685714542ab1c3740 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 May 2020 22:20:55 -0700 +Subject: include/asm-generic/topology.h: guard cpumask_of_node() macro + argument + +From: Arnd Bergmann + +[ Upstream commit 4377748c7b5187c3342a60fa2ceb60c8a57a8488 ] + +drivers/hwmon/amd_energy.c:195:15: error: invalid operands to binary expression ('void' and 'int') + (channel - data->nr_cpus)); + ~~~~~~~~~^~~~~~~~~~~~~~~~~ +include/asm-generic/topology.h:51:42: note: expanded from macro 'cpumask_of_node' + #define cpumask_of_node(node) ((void)node, cpu_online_mask) + ^~~~ +include/linux/cpumask.h:618:72: note: expanded from macro 'cpumask_first_and' + #define cpumask_first_and(src1p, src2p) cpumask_next_and(-1, (src1p), (src2p)) + ^~~~~ + +Fixes: f0b848ce6fe9 ("cpumask: Introduce cpumask_of_{node,pcibus} to replace {node,pcibus}_to_cpumask") +Fixes: 8abee9566b7e ("hwmon: Add amd_energy driver to report energy counters") +Signed-off-by: Arnd Bergmann +Signed-off-by: Andrew Morton +Acked-by: Guenter Roeck +Link: http://lkml.kernel.org/r/20200527134623.930247-1-arnd@arndb.de +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/asm-generic/topology.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/asm-generic/topology.h b/include/asm-generic/topology.h +index 5d2add1a6c96..864fcfa1df41 100644 +--- a/include/asm-generic/topology.h ++++ b/include/asm-generic/topology.h +@@ -51,7 +51,7 @@ + #ifdef CONFIG_NEED_MULTIPLE_NODES + #define cpumask_of_node(node) ((node) == 0 ? cpu_online_mask : cpu_none_mask) + #else +- #define cpumask_of_node(node) ((void)node, cpu_online_mask) ++ #define cpumask_of_node(node) ((void)(node), cpu_online_mask) + #endif + #endif + #ifndef pcibus_to_node +-- +2.25.1 + diff --git a/queue-4.9/input-evdev-call-input_flush_device-on-release-not-f.patch b/queue-4.9/input-evdev-call-input_flush_device-on-release-not-f.patch new file mode 100644 index 00000000000..7cc4607f212 --- /dev/null +++ b/queue-4.9/input-evdev-call-input_flush_device-on-release-not-f.patch @@ -0,0 +1,75 @@ +From c7f37ee4eb387352aceb481880725229dfad016c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Apr 2020 13:45:12 -0700 +Subject: Input: evdev - call input_flush_device() on release(), not flush() + +From: Brendan Shanks + +[ Upstream commit 09264098ff153f60866039d60b31d39b66f55a31 ] + +input_flush_device() should only be called once the struct file is being +released and no open descriptors remain, but evdev_flush() was calling +it whenever a file descriptor was closed. + +This caused uploaded force-feedback effects to be erased when a process +did a dup()/close() on the event FD, called system(), etc. + +Call input_flush_device() from evdev_release() instead. + +Reported-by: Mathieu Maret +Signed-off-by: Brendan Shanks +Link: https://lore.kernel.org/r/20200421231003.7935-1-bshanks@codeweavers.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/evdev.c | 19 ++++--------------- + 1 file changed, 4 insertions(+), 15 deletions(-) + +diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c +index e9ae3d500a55..700f018df668 100644 +--- a/drivers/input/evdev.c ++++ b/drivers/input/evdev.c +@@ -342,20 +342,6 @@ static int evdev_fasync(int fd, struct file *file, int on) + return fasync_helper(fd, file, on, &client->fasync); + } + +-static int evdev_flush(struct file *file, fl_owner_t id) +-{ +- struct evdev_client *client = file->private_data; +- struct evdev *evdev = client->evdev; +- +- mutex_lock(&evdev->mutex); +- +- if (evdev->exist && !client->revoked) +- input_flush_device(&evdev->handle, file); +- +- mutex_unlock(&evdev->mutex); +- return 0; +-} +- + static void evdev_free(struct device *dev) + { + struct evdev *evdev = container_of(dev, struct evdev, dev); +@@ -469,6 +455,10 @@ static int evdev_release(struct inode *inode, struct file *file) + unsigned int i; + + mutex_lock(&evdev->mutex); ++ ++ if (evdev->exist && !client->revoked) ++ input_flush_device(&evdev->handle, file); ++ + evdev_ungrab(evdev, client); + mutex_unlock(&evdev->mutex); + +@@ -1331,7 +1321,6 @@ static const struct file_operations evdev_fops = { + .compat_ioctl = evdev_ioctl_compat, + #endif + .fasync = evdev_fasync, +- .flush = evdev_flush, + .llseek = no_llseek, + }; + +-- +2.25.1 + diff --git a/queue-4.9/input-i8042-add-thinkpad-s230u-to-i8042-nomux-list.patch b/queue-4.9/input-i8042-add-thinkpad-s230u-to-i8042-nomux-list.patch new file mode 100644 index 00000000000..de406e31b4c --- /dev/null +++ b/queue-4.9/input-i8042-add-thinkpad-s230u-to-i8042-nomux-list.patch @@ -0,0 +1,63 @@ +From 121488cdb86dcb1bbafc354572785f4c2ca31b3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Apr 2020 10:02:19 -0700 +Subject: Input: i8042 - add ThinkPad S230u to i8042 nomux list + +From: Kevin Locke + +[ Upstream commit 18931506465a762ffd3f4803d36a18d336a67da9 ] + +On the Lenovo ThinkPad Twist S230u (3347-4HU) with BIOS version +"GDETC1WW (1.81 ) 06/27/2019", whether booted in UEFI or Legacy/CSM mode +the keyboard, Synaptics TouchPad, and TrackPoint either do not function +or stop functioning a few minutes after boot. This problem has been +noted before, perhaps only occurring on BIOS 1.57 and +later.[1][2][3][4][5] + +This model does not have an external PS/2 port, so mux does not appear +to be useful. + +Odds of a BIOS fix appear to be low: 1.57 was released over 6 years ago +and although the [BIOS changelog] notes "Fixed an issue of UEFI +touchpad/trackpoint/keyboard/touchscreen" in 1.58, it appears to be +insufficient. + +Adding 33474HU to the nomux list avoids the issue on my system. + +[1]: https://bugs.launchpad.net/bugs/1210748 +[2]: https://bbs.archlinux.org/viewtopic.php?pid=1360425 +[3]: https://forums.linuxmint.com/viewtopic.php?f=46&t=41200 +[4]: https://forums.linuxmint.com/viewtopic.php?f=49&t=157115 +[5]: https://forums.lenovo.com/topic/findpost/27/1337119 +[BIOS changelog]: https://download.lenovo.com/pccbbs/mobiles/gduj33uc.txt + +Signed-off-by: Kevin Locke +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/feb8a8339a67025dab3850e6377eb6f3a0e782ba.1587400635.git.kevin@kevinlocke.name +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index a4e76084a2af..42330024da2f 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -545,6 +545,13 @@ static const struct dmi_system_id __initconst i8042_dmi_nomux_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5738"), + }, + }, ++ { ++ /* Lenovo ThinkPad Twist S230u */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "33474HU"), ++ }, ++ }, + { } + }; + +-- +2.25.1 + diff --git a/queue-4.9/input-i8042-add-thinkpad-s230u-to-i8042-reset-list.patch b/queue-4.9/input-i8042-add-thinkpad-s230u-to-i8042-reset-list.patch new file mode 100644 index 00000000000..11b34fc28e7 --- /dev/null +++ b/queue-4.9/input-i8042-add-thinkpad-s230u-to-i8042-reset-list.patch @@ -0,0 +1,60 @@ +From 3ac236ada7f1ecbdb31d990831afdc828008929d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 18:07:20 -0700 +Subject: Input: i8042 - add ThinkPad S230u to i8042 reset list + +From: Kevin Locke + +[ Upstream commit 2712c91a54a1058d55c284152b4d93c979b67be6 ] + +On the Lenovo ThinkPad Twist S230u (3347-4HU) with BIOS version +"GDETC1WW (1.81 ) 06/27/2019", the keyboard, Synaptics TouchPad, and +TrackPoint either do not function or stop functioning a few minutes +after boot. This problem has been noted before, perhaps only occurring +with BIOS 1.57 and later.[1][2][3][4][5] + +Odds of a BIOS fix appear to be low: 1.57 was released over 6 years ago +and although the [BIOS changelog] notes "Fixed an issue of UEFI +touchpad/trackpoint/keyboard/touchscreen" in 1.58, it appears to be +insufficient. + +Setting i8042.reset=1 or adding 33474HU to the reset list avoids the +issue on my system from either warm or cold boot. + +[1]: https://bugs.launchpad.net/bugs/1210748 +[2]: https://bbs.archlinux.org/viewtopic.php?pid=1360425 +[3]: https://forums.linuxmint.com/viewtopic.php?f=46&t=41200 +[4]: https://forums.linuxmint.com/viewtopic.php?f=49&t=157115 +[5]: https://forums.lenovo.com/topic/findpost/27/1337119 +[BIOS changelog]: https://download.lenovo.com/pccbbs/mobiles/gduj33uc.txt + +Signed-off-by: Kevin Locke +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/94f384b0f75f90f71425d7dce7ac82c59ddb87a8.1587702636.git.kevin@kevinlocke.name +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h +index 42330024da2f..d15fd73dbd80 100644 +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -745,6 +745,13 @@ static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "P65xRP"), + }, + }, ++ { ++ /* Lenovo ThinkPad Twist S230u */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "33474HU"), ++ }, ++ }, + { } + }; + +-- +2.25.1 + diff --git a/queue-4.9/input-synaptics-rmi4-fix-error-return-code-in-rmi_dr.patch b/queue-4.9/input-synaptics-rmi4-fix-error-return-code-in-rmi_dr.patch new file mode 100644 index 00000000000..95c6770b6ba --- /dev/null +++ b/queue-4.9/input-synaptics-rmi4-fix-error-return-code-in-rmi_dr.patch @@ -0,0 +1,38 @@ +From 8759411f5c159940d439c48e1b50b23bd3743e26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2020 16:09:53 -0700 +Subject: Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() + +From: Wei Yongjun + +[ Upstream commit 5caab2da63207d6d631007f592f5219459e3454d ] + +Fix to return a negative error code from the input_register_device() +error handling case instead of 0, as done elsewhere in this function. + +Signed-off-by: Wei Yongjun +Link: https://lore.kernel.org/r/20200428134948.78343-1-weiyongjun1@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/rmi4/rmi_driver.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c +index 65038dcc7613..677edbf870a7 100644 +--- a/drivers/input/rmi4/rmi_driver.c ++++ b/drivers/input/rmi4/rmi_driver.c +@@ -991,7 +991,8 @@ static int rmi_driver_probe(struct device *dev) + if (data->input) { + rmi_driver_set_input_name(rmi_dev, data->input); + if (!rmi_dev->xport->input) { +- if (input_register_device(data->input)) { ++ retval = input_register_device(data->input); ++ if (retval) { + dev_err(dev, "%s: Failed to register input device.\n", + __func__); + goto err_destroy_functions; +-- +2.25.1 + diff --git a/queue-4.9/input-usbtouchscreen-add-support-for-bonxeon-tp.patch b/queue-4.9/input-usbtouchscreen-add-support-for-bonxeon-tp.patch new file mode 100644 index 00000000000..e86d2195913 --- /dev/null +++ b/queue-4.9/input-usbtouchscreen-add-support-for-bonxeon-tp.patch @@ -0,0 +1,37 @@ +From 7e97223aca5834032e2f2dbca42e02535cec326e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Apr 2020 21:17:12 -0700 +Subject: Input: usbtouchscreen - add support for BonXeon TP + +From: James Hilliard + +[ Upstream commit e3b4f94ef52ae1592cbe199bd38dbdc0d58b2217 ] + +Based on available information this uses the singletouch irtouch +protocol. This is tested and confirmed to be fully functional on +the BonXeon TP hardware I have. + +Signed-off-by: James Hilliard +Link: https://lore.kernel.org/r/20200413184217.55700-1-james.hilliard1@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/usbtouchscreen.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/touchscreen/usbtouchscreen.c b/drivers/input/touchscreen/usbtouchscreen.c +index 2c41107240de..499402a975b3 100644 +--- a/drivers/input/touchscreen/usbtouchscreen.c ++++ b/drivers/input/touchscreen/usbtouchscreen.c +@@ -197,6 +197,7 @@ static const struct usb_device_id usbtouch_devices[] = { + #endif + + #ifdef CONFIG_TOUCHSCREEN_USB_IRTOUCH ++ {USB_DEVICE(0x255e, 0x0001), .driver_info = DEVTYPE_IRTOUCH}, + {USB_DEVICE(0x595a, 0x0001), .driver_info = DEVTYPE_IRTOUCH}, + {USB_DEVICE(0x6615, 0x0001), .driver_info = DEVTYPE_IRTOUCH}, + {USB_DEVICE(0x6615, 0x0012), .driver_info = DEVTYPE_IRTOUCH_HIRES}, +-- +2.25.1 + diff --git a/queue-4.9/input-xpad-add-custom-init-packet-for-xbox-one-s-con.patch b/queue-4.9/input-xpad-add-custom-init-packet-for-xbox-one-s-con.patch new file mode 100644 index 00000000000..4b445c39491 --- /dev/null +++ b/queue-4.9/input-xpad-add-custom-init-packet-for-xbox-one-s-con.patch @@ -0,0 +1,59 @@ +From d198e0ddd0139020de9219072f6c96054a6c25c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Apr 2020 14:13:09 -0700 +Subject: Input: xpad - add custom init packet for Xbox One S controllers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Łukasz Patron + +[ Upstream commit 764f7f911bf72450c51eb74cbb262ad9933741d8 ] + +Sending [ 0x05, 0x20, 0x00, 0x0f, 0x06 ] packet for Xbox One S controllers +fixes an issue where controller is stuck in Bluetooth mode and not sending +any inputs. + +Signed-off-by: Łukasz Patron +Reviewed-by: Cameron Gutman +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200422075206.18229-1-priv.luk@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/joystick/xpad.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c +index 26476a64e663..54a6691d7d87 100644 +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -475,6 +475,16 @@ static const u8 xboxone_fw2015_init[] = { + 0x05, 0x20, 0x00, 0x01, 0x00 + }; + ++/* ++ * This packet is required for Xbox One S (0x045e:0x02ea) ++ * and Xbox One Elite Series 2 (0x045e:0x0b00) pads to ++ * initialize the controller that was previously used in ++ * Bluetooth mode. ++ */ ++static const u8 xboxone_s_init[] = { ++ 0x05, 0x20, 0x00, 0x0f, 0x06 ++}; ++ + /* + * This packet is required for the Titanfall 2 Xbox One pads + * (0x0e6f:0x0165) to finish initialization and for Hori pads +@@ -533,6 +543,8 @@ static const struct xboxone_init_packet xboxone_init_packets[] = { + XBOXONE_INIT_PKT(0x0e6f, 0x0165, xboxone_hori_init), + XBOXONE_INIT_PKT(0x0f0d, 0x0067, xboxone_hori_init), + XBOXONE_INIT_PKT(0x0000, 0x0000, xboxone_fw2015_init), ++ XBOXONE_INIT_PKT(0x045e, 0x02ea, xboxone_s_init), ++ XBOXONE_INIT_PKT(0x045e, 0x0b00, xboxone_s_init), + XBOXONE_INIT_PKT(0x0e6f, 0x0000, xboxone_pdp_init1), + XBOXONE_INIT_PKT(0x0e6f, 0x0000, xboxone_pdp_init2), + XBOXONE_INIT_PKT(0x24c6, 0x541a, xboxone_rumblebegin_init), +-- +2.25.1 + diff --git a/queue-4.9/iommu-fix-reference-count-leak-in-iommu_group_alloc.patch b/queue-4.9/iommu-fix-reference-count-leak-in-iommu_group_alloc.patch new file mode 100644 index 00000000000..8e9cffb181a --- /dev/null +++ b/queue-4.9/iommu-fix-reference-count-leak-in-iommu_group_alloc.patch @@ -0,0 +1,38 @@ +From 28affc633a7845fd92c44f403735bafee9962dad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 May 2020 16:00:19 -0500 +Subject: iommu: Fix reference count leak in iommu_group_alloc. + +From: Qiushi Wu + +[ Upstream commit 7cc31613734c4870ae32f5265d576ef296621343 ] + +kobject_init_and_add() takes reference even when it fails. +Thus, when kobject_init_and_add() returns an error, +kobject_put() must be called to properly clean up the kobject. + +Fixes: d72e31c93746 ("iommu: IOMMU Groups") +Signed-off-by: Qiushi Wu +Link: https://lore.kernel.org/r/20200527210020.6522-1-wu000273@umn.edu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c +index dbcc13efaf3c..d609e14bb904 100644 +--- a/drivers/iommu/iommu.c ++++ b/drivers/iommu/iommu.c +@@ -195,7 +195,7 @@ struct iommu_group *iommu_group_alloc(void) + NULL, "%d", group->id); + if (ret) { + ida_simple_remove(&iommu_group_ida, group->id); +- kfree(group); ++ kobject_put(&group->kobj); + return ERR_PTR(ret); + } + +-- +2.25.1 + diff --git a/queue-4.9/libceph-ignore-pool-overlay-and-cache-logic-on-redir.patch b/queue-4.9/libceph-ignore-pool-overlay-and-cache-logic-on-redir.patch new file mode 100644 index 00000000000..b2a21e65364 --- /dev/null +++ b/queue-4.9/libceph-ignore-pool-overlay-and-cache-logic-on-redir.patch @@ -0,0 +1,49 @@ +From 62496453783eca90f4e626f51ec502b9f9447499 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 May 2020 16:03:09 +0800 +Subject: libceph: ignore pool overlay and cache logic on redirects + +From: Jerry Lee + +[ Upstream commit 890bd0f8997ae6ac0a367dd5146154a3963306dd ] + +OSD client should ignore cache/overlay flag if got redirect reply. +Otherwise, the client hangs when the cache tier is in forward mode. + +[ idryomov: Redirects are effectively deprecated and no longer + used or tested. The original tiering modes based on redirects + are inherently flawed because redirects can race and reorder, + potentially resulting in data corruption. The new proxy and + readproxy tiering modes should be used instead of forward and + readforward. Still marking for stable as obviously correct, + though. ] + +Cc: stable@vger.kernel.org +URL: https://tracker.ceph.com/issues/23296 +URL: https://tracker.ceph.com/issues/36406 +Signed-off-by: Jerry Lee +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + net/ceph/osd_client.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c +index 70ccb0716fc5..4fd679b30b19 100644 +--- a/net/ceph/osd_client.c ++++ b/net/ceph/osd_client.c +@@ -2879,7 +2879,9 @@ static void handle_reply(struct ceph_osd *osd, struct ceph_msg *msg) + * supported. + */ + req->r_t.target_oloc.pool = m.redirect.oloc.pool; +- req->r_flags |= CEPH_OSD_FLAG_REDIRECTED; ++ req->r_flags |= CEPH_OSD_FLAG_REDIRECTED | ++ CEPH_OSD_FLAG_IGNORE_OVERLAY | ++ CEPH_OSD_FLAG_IGNORE_CACHE; + req->r_tid = 0; + __submit_request(req, false); + goto out_unlock_osdc; +-- +2.25.1 + diff --git a/queue-4.9/mm-remove-vm_bug_on-pageslab-from-page_mapcount.patch b/queue-4.9/mm-remove-vm_bug_on-pageslab-from-page_mapcount.patch new file mode 100644 index 00000000000..b36f2c550e7 --- /dev/null +++ b/queue-4.9/mm-remove-vm_bug_on-pageslab-from-page_mapcount.patch @@ -0,0 +1,99 @@ +From 5a128f0ff5b5dcb1a031d71d31545efad42429db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 May 2020 22:20:47 -0700 +Subject: mm: remove VM_BUG_ON(PageSlab()) from page_mapcount() + +From: Konstantin Khlebnikov + +[ Upstream commit 6988f31d558aa8c744464a7f6d91d34ada48ad12 ] + +Replace superfluous VM_BUG_ON() with comment about correct usage. + +Technically reverts commit 1d148e218a0d ("mm: add VM_BUG_ON_PAGE() to +page_mapcount()"), but context lines have changed. + +Function isolate_migratepages_block() runs some checks out of lru_lock +when choose pages for migration. After checking PageLRU() it checks +extra page references by comparing page_count() and page_mapcount(). +Between these two checks page could be removed from lru, freed and taken +by slab. + +As a result this race triggers VM_BUG_ON(PageSlab()) in page_mapcount(). +Race window is tiny. For certain workload this happens around once a +year. + + page:ffffea0105ca9380 count:1 mapcount:0 mapping:ffff88ff7712c180 index:0x0 compound_mapcount: 0 + flags: 0x500000000008100(slab|head) + raw: 0500000000008100 dead000000000100 dead000000000200 ffff88ff7712c180 + raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 + page dumped because: VM_BUG_ON_PAGE(PageSlab(page)) + ------------[ cut here ]------------ + kernel BUG at ./include/linux/mm.h:628! + invalid opcode: 0000 [#1] SMP NOPTI + CPU: 77 PID: 504 Comm: kcompactd1 Tainted: G W 4.19.109-27 #1 + Hardware name: Yandex T175-N41-Y3N/MY81-EX0-Y3N, BIOS R05 06/20/2019 + RIP: 0010:isolate_migratepages_block+0x986/0x9b0 + +The code in isolate_migratepages_block() was added in commit +119d6d59dcc0 ("mm, compaction: avoid isolating pinned pages") before +adding VM_BUG_ON into page_mapcount(). + +This race has been predicted in 2015 by Vlastimil Babka (see link +below). + +[akpm@linux-foundation.org: comment tweaks, per Hugh] +Fixes: 1d148e218a0d ("mm: add VM_BUG_ON_PAGE() to page_mapcount()") +Signed-off-by: Konstantin Khlebnikov +Signed-off-by: Andrew Morton +Acked-by: Hugh Dickins +Acked-by: Kirill A. Shutemov +Acked-by: Vlastimil Babka +Cc: David Rientjes +Cc: +Link: http://lkml.kernel.org/r/159032779896.957378.7852761411265662220.stgit@buzz +Link: https://lore.kernel.org/lkml/557710E1.6060103@suse.cz/ +Link: https://lore.kernel.org/linux-mm/158937872515.474360.5066096871639561424.stgit@buzz/T/ (v1) +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/mm.h | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/include/linux/mm.h b/include/linux/mm.h +index ca6f213fa4f0..7a4c035b187f 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -504,6 +504,11 @@ static inline int is_vmalloc_or_module_addr(const void *x) + + extern void kvfree(const void *addr); + ++/* ++ * Mapcount of compound page as a whole, does not include mapped sub-pages. ++ * ++ * Must be called only for compound pages or any their tail sub-pages. ++ */ + static inline int compound_mapcount(struct page *page) + { + VM_BUG_ON_PAGE(!PageCompound(page), page); +@@ -523,10 +528,16 @@ static inline void page_mapcount_reset(struct page *page) + + int __page_mapcount(struct page *page); + ++/* ++ * Mapcount of 0-order page; when compound sub-page, includes ++ * compound_mapcount(). ++ * ++ * Result is undefined for pages which cannot be mapped into userspace. ++ * For example SLAB or special types of pages. See function page_has_type(). ++ * They use this place in struct page differently. ++ */ + static inline int page_mapcount(struct page *page) + { +- VM_BUG_ON_PAGE(PageSlab(page), page); +- + if (unlikely(PageCompound(page))) + return __page_mapcount(page); + return atomic_read(&page->_mapcount) + 1; +-- +2.25.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 9663407fc36..39833c678c5 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -17,3 +17,25 @@ gfs2-don-t-call-quota_unhold-if-quotas-are-not-locke.patch cachefiles-fix-race-between-read_waiter-and-read_cop.patch usb-gadget-legacy-fix-redundant-initialization-warni.patch cifs-fix-null-pointer-check-in-cifs_read.patch +input-usbtouchscreen-add-support-for-bonxeon-tp.patch +input-i8042-add-thinkpad-s230u-to-i8042-nomux-list.patch +input-evdev-call-input_flush_device-on-release-not-f.patch +input-xpad-add-custom-init-packet-for-xbox-one-s-con.patch +input-i8042-add-thinkpad-s230u-to-i8042-reset-list.patch +input-synaptics-rmi4-fix-error-return-code-in-rmi_dr.patch +arm-8843-1-use-unified-assembler-in-headers.patch +arm-uaccess-consolidate-uaccess-asm-to-asm-uaccess-a.patch +arm-uaccess-integrate-uaccess_save-and-uaccess_resto.patch +arm-uaccess-fix-dacr-mismatch-with-nested-exceptions.patch +ib-qib-call-kobject_put-when-kobject_init_and_add-fa.patch +arm-dts-imx-correct-b850v3-clock-assignment.patch +arm-dts-imx6q-bx50v3-add-internal-switch.patch +arm-dts-imx6q-bx50v3-set-display-interface-clock-par.patch +alsa-hwdep-fix-a-left-shifting-1-by-31-ub-bug.patch +alsa-usb-audio-mixer-volume-quirk-for-ess-technology.patch +exec-always-set-cap_ambient-in-cap_bprm_set_creds.patch +libceph-ignore-pool-overlay-and-cache-logic-on-redir.patch +mm-remove-vm_bug_on-pageslab-from-page_mapcount.patch +fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch +include-asm-generic-topology.h-guard-cpumask_of_node.patch +iommu-fix-reference-count-leak-in-iommu_group_alloc.patch -- 2.47.3