From 9bf64d4f668ea1a95eea9435275520dd161e5d81 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 28 Dec 2020 12:56:21 +0100 Subject: [PATCH] 5.4-stable patches added patches: clk-ingenic-fix-divider-calculation-with-div-tables.patch clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch clk-tegra-do-not-return-0-on-failure.patch device-dax-core-fix-memory-leak-when-rmmod-dax.ko.patch dma-buf-dma-resv-respect-num_fences-when-initializing-the-shared-fence-list.patch drm-amd-display-fix-memory-leaks-in-s3-resume.patch drm-amd-display-honor-the-offset-for-plane-0.patch drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch drm-i915-fix-mismatch-between-misplaced-vma-check-and-vma-insert.patch iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch iio-adc-ti-ads124s08-fix-alignment-and-data-leak-issues.patch iio-adc-ti-ads124s08-fix-buffer-being-too-long.patch iio-buffer-fix-demux-update.patch iio-imu-bmi160-fix-too-large-a-buffer.patch iio-light-rpr0521-fix-timestamp-alignment-and-prevent-data-leak.patch iio-light-st_uvis25-fix-timestamp-alignment-and-prevent-data-leak.patch iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch iio-pressure-mpl3115-force-alignment-of-buffer.patch jfs-fix-array-index-bounds-check-in-dbadjtree.patch libnvdimm-namespace-fix-reaping-of-invalidated-block-window-namespace-labels.patch md-cluster-block-reshape-with-remote-resync-job.patch md-cluster-fix-deadlock-when-node-is-doing-resync-job.patch mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch mtd-rawnand-meson-fix-meson_nfc_dma_buffer_release-arguments.patch mtd-rawnand-qcom-fix-dma-sync-on-flash_status-register-read.patch mtd-spinand-fix-oob-read.patch pci-fix-pci_slot_release-null-pointer-dereference.patch pinctrl-sunxi-always-call-chained_irq_-enter-exit-in-sunxi_pinctrl_irq_handler.patch platform-x86-intel-vbtn-allow-switch-events-on-acer-switch-alpha-12.patch regulator-axp20x-fix-dldo2-voltage-control-register-mask-for-axp22x.patch 
revert-ring-buffer-remove-have_64bit_aligned_access.patch rtc-ep93xx-fix-null-pointer-dereference-in-ep93xx_rtc_read_time.patch scsi-lpfc-fix-invalid-sleeping-context-in-lpfc_sli4_nvmet_alloc.patch scsi-lpfc-re-fix-use-after-free-in-lpfc_rq_buf_free.patch scsi-qla2xxx-fix-crash-during-driver-load-on-big-endian-machines.patch soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch spi-atmel-quadspi-disable-clock-in-probe-error-path.patch spi-atmel-quadspi-fix-ahb-memory-accesses.patch spi-atmel-quadspi-fix-use-after-free-on-unbind.patch spi-davinci-fix-use-after-free-on-unbind.patch spi-fsl-fix-use-of-spisel_boot-signal-on-mpc8309.patch spi-gpio-don-t-leak-spi-master-in-probe-error-path.patch spi-mt7621-disable-clock-in-probe-error-path.patch spi-mt7621-don-t-leak-spi-master-in-probe-error-path.patch spi-mxic-don-t-leak-spi-master-in-probe-error-path.patch spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch spi-pxa2xx-fix-use-after-free-on-unbind.patch spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch spi-spi-sh-fix-use-after-free-on-unbind.patch spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch spi-synquacer-disable-clock-in-probe-error-path.patch xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch xen-xenbus-add-will_handle-callback-support-in-xenbus_watch_path.patch xen-xenbus-allow-watches-discard-events-before-queueing.patch xen-xenbus-count-pending-messages-for-each-watch.patch xen-xenbus-xen_bus_type-support-will_handle-watch-callback.patch xenbus-xenbus_backend-disallow-pending-watch-messages.patch --- ...-divider-calculation-with-div-tables.patch | 55 ++++ ...3700-fix-the-xtal-mode-pin-to-mpp1_9.patch | 43 +++ ...clk-tegra-do-not-return-0-on-failure.patch | 43 +++ ...re-fix-memory-leak-when-rmmod-dax.ko.patch | 56 ++++ ...n-initializing-the-shared-fence-list.patch | 42 +++ ...isplay-fix-memory-leaks-in-s3-resume.patch | 40 +++ 
...display-honor-the-offset-for-plane-0.patch | 76 +++++ ...e-use-in-drm_dp_aux_dev_get_by_minor.patch | 151 +++++++++ ...n-misplaced-vma-check-and-vma-insert.patch | 53 ++++ ...e-on-error-in-rockchip_saradc_resume.patch | 36 +++ ...8-fix-alignment-and-data-leak-issues.patch | 79 +++++ ...-ads124s08-fix-buffer-being-too-long.patch | 37 +++ queue-5.4/iio-buffer-fix-demux-update.patch | 53 ++++ ...io-imu-bmi160-fix-too-large-a-buffer.patch | 42 +++ ...tamp-alignment-and-prevent-data-leak.patch | 82 +++++ ...tamp-alignment-and-prevent-data-leak.patch | 77 +++++ ...0-fix-alignment-and-data-leak-issues.patch | 74 +++++ ...re-mpl3115-force-alignment-of-buffer.patch | 55 ++++ ...rray-index-bounds-check-in-dbadjtree.patch | 33 ++ ...idated-block-window-namespace-labels.patch | 65 ++++ ...block-reshape-with-remote-resync-job.patch | 78 +++++ ...adlock-when-node-is-doing-resync-job.patch | 293 ++++++++++++++++++ ...ix-parsing-of-part-names-with-colons.patch | 75 +++++ ...son_nfc_dma_buffer_release-arguments.patch | 34 ++ ...a-sync-on-flash_status-register-read.patch | 37 +++ queue-5.4/mtd-spinand-fix-oob-read.patch | 35 +++ ...lot_release-null-pointer-dereference.patch | 65 ++++ ...er-exit-in-sunxi_pinctrl_irq_handler.patch | 53 ++++ ...witch-events-on-acer-switch-alpha-12.patch | 44 +++ ...age-control-register-mask-for-axp22x.patch | 41 +++ ...fer-remove-have_64bit_aligned_access.patch | 109 +++++++ ...-dereference-in-ep93xx_rtc_read_time.patch | 91 ++++++ ...ing-context-in-lpfc_sli4_nvmet_alloc.patch | 102 ++++++ ...x-use-after-free-in-lpfc_rq_buf_free.patch | 46 +++ ...g-driver-load-on-big-endian-machines.patch | 89 ++++++ queue-5.4/series | 58 ++++ ...safely-acquire-spinlock-without-irqs.patch | 55 ++++ ...pi-disable-clock-in-probe-error-path.patch | 38 +++ ...tmel-quadspi-fix-ahb-memory-accesses.patch | 67 ++++ ...quadspi-fix-use-after-free-on-unbind.patch | 87 ++++++ ...davinci-fix-use-after-free-on-unbind.patch | 43 +++ ...use-of-spisel_boot-signal-on-mpc8309.patch | 
62 ++++ ...-leak-spi-master-in-probe-error-path.patch | 94 ++++++ ...21-disable-clock-in-probe-error-path.patch | 47 +++ ...-leak-spi-master-in-probe-error-path.patch | 64 ++++ ...-leak-spi-master-in-probe-error-path.patch | 55 ++++ ...eak-dma-channels-in-probe-error-path.patch | 35 +++ ...-pxa2xx-fix-use-after-free-on-unbind.patch | 51 +++ ...-leak-spi-master-in-probe-error-path.patch | 39 +++ ...-leak-spi-master-in-probe-error-path.patch | 61 ++++ ...-spi-sh-fix-use-after-free-on-unbind.patch | 78 +++++ ..._runtime_disable-in-probe-error-path.patch | 45 +++ ...er-disable-clock-in-probe-error-path.patch | 94 ++++++ ...g-xenblkd-to-null-after-kthread_stop.patch | 52 ++++ ...allback-support-in-xenbus_watch_path.patch | 140 +++++++++ ...tches-discard-events-before-queueing.patch | 115 +++++++ ...ount-pending-messages-for-each-watch.patch | 108 +++++++ ...e-support-will_handle-watch-callback.patch | 50 +++ ...kend-disallow-pending-watch-messages.patch | 56 ++++ 59 files changed, 3978 insertions(+) create mode 100644 queue-5.4/clk-ingenic-fix-divider-calculation-with-div-tables.patch create mode 100644 queue-5.4/clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch create mode 100644 queue-5.4/clk-tegra-do-not-return-0-on-failure.patch create mode 100644 queue-5.4/device-dax-core-fix-memory-leak-when-rmmod-dax.ko.patch create mode 100644 queue-5.4/dma-buf-dma-resv-respect-num_fences-when-initializing-the-shared-fence-list.patch create mode 100644 queue-5.4/drm-amd-display-fix-memory-leaks-in-s3-resume.patch create mode 100644 queue-5.4/drm-amd-display-honor-the-offset-for-plane-0.patch create mode 100644 queue-5.4/drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch create mode 100644 queue-5.4/drm-i915-fix-mismatch-between-misplaced-vma-check-and-vma-insert.patch create mode 100644 queue-5.4/iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch create mode 100644 
queue-5.4/iio-adc-ti-ads124s08-fix-alignment-and-data-leak-issues.patch create mode 100644 queue-5.4/iio-adc-ti-ads124s08-fix-buffer-being-too-long.patch create mode 100644 queue-5.4/iio-buffer-fix-demux-update.patch create mode 100644 queue-5.4/iio-imu-bmi160-fix-too-large-a-buffer.patch create mode 100644 queue-5.4/iio-light-rpr0521-fix-timestamp-alignment-and-prevent-data-leak.patch create mode 100644 queue-5.4/iio-light-st_uvis25-fix-timestamp-alignment-and-prevent-data-leak.patch create mode 100644 queue-5.4/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch create mode 100644 queue-5.4/iio-pressure-mpl3115-force-alignment-of-buffer.patch create mode 100644 queue-5.4/jfs-fix-array-index-bounds-check-in-dbadjtree.patch create mode 100644 queue-5.4/libnvdimm-namespace-fix-reaping-of-invalidated-block-window-namespace-labels.patch create mode 100644 queue-5.4/md-cluster-block-reshape-with-remote-resync-job.patch create mode 100644 queue-5.4/md-cluster-fix-deadlock-when-node-is-doing-resync-job.patch create mode 100644 queue-5.4/mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch create mode 100644 queue-5.4/mtd-rawnand-meson-fix-meson_nfc_dma_buffer_release-arguments.patch create mode 100644 queue-5.4/mtd-rawnand-qcom-fix-dma-sync-on-flash_status-register-read.patch create mode 100644 queue-5.4/mtd-spinand-fix-oob-read.patch create mode 100644 queue-5.4/pci-fix-pci_slot_release-null-pointer-dereference.patch create mode 100644 queue-5.4/pinctrl-sunxi-always-call-chained_irq_-enter-exit-in-sunxi_pinctrl_irq_handler.patch create mode 100644 queue-5.4/platform-x86-intel-vbtn-allow-switch-events-on-acer-switch-alpha-12.patch create mode 100644 queue-5.4/regulator-axp20x-fix-dldo2-voltage-control-register-mask-for-axp22x.patch create mode 100644 queue-5.4/revert-ring-buffer-remove-have_64bit_aligned_access.patch create mode 100644 queue-5.4/rtc-ep93xx-fix-null-pointer-dereference-in-ep93xx_rtc_read_time.patch create mode 100644 
queue-5.4/scsi-lpfc-fix-invalid-sleeping-context-in-lpfc_sli4_nvmet_alloc.patch create mode 100644 queue-5.4/scsi-lpfc-re-fix-use-after-free-in-lpfc_rq_buf_free.patch create mode 100644 queue-5.4/scsi-qla2xxx-fix-crash-during-driver-load-on-big-endian-machines.patch create mode 100644 queue-5.4/soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch create mode 100644 queue-5.4/spi-atmel-quadspi-disable-clock-in-probe-error-path.patch create mode 100644 queue-5.4/spi-atmel-quadspi-fix-ahb-memory-accesses.patch create mode 100644 queue-5.4/spi-atmel-quadspi-fix-use-after-free-on-unbind.patch create mode 100644 queue-5.4/spi-davinci-fix-use-after-free-on-unbind.patch create mode 100644 queue-5.4/spi-fsl-fix-use-of-spisel_boot-signal-on-mpc8309.patch create mode 100644 queue-5.4/spi-gpio-don-t-leak-spi-master-in-probe-error-path.patch create mode 100644 queue-5.4/spi-mt7621-disable-clock-in-probe-error-path.patch create mode 100644 queue-5.4/spi-mt7621-don-t-leak-spi-master-in-probe-error-path.patch create mode 100644 queue-5.4/spi-mxic-don-t-leak-spi-master-in-probe-error-path.patch create mode 100644 queue-5.4/spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch create mode 100644 queue-5.4/spi-pxa2xx-fix-use-after-free-on-unbind.patch create mode 100644 queue-5.4/spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch create mode 100644 queue-5.4/spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch create mode 100644 queue-5.4/spi-spi-sh-fix-use-after-free-on-unbind.patch create mode 100644 queue-5.4/spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch create mode 100644 queue-5.4/spi-synquacer-disable-clock-in-probe-error-path.patch create mode 100644 queue-5.4/xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch create mode 100644 queue-5.4/xen-xenbus-add-will_handle-callback-support-in-xenbus_watch_path.patch create mode 100644 queue-5.4/xen-xenbus-allow-watches-discard-events-before-queueing.patch create mode 
100644 queue-5.4/xen-xenbus-count-pending-messages-for-each-watch.patch create mode 100644 queue-5.4/xen-xenbus-xen_bus_type-support-will_handle-watch-callback.patch create mode 100644 queue-5.4/xenbus-xenbus_backend-disallow-pending-watch-messages.patch diff --git a/queue-5.4/clk-ingenic-fix-divider-calculation-with-div-tables.patch b/queue-5.4/clk-ingenic-fix-divider-calculation-with-div-tables.patch new file mode 100644 index 00000000000..ce05f7eb5c0 --- /dev/null +++ b/queue-5.4/clk-ingenic-fix-divider-calculation-with-div-tables.patch 
@@ -0,0 +1,55 @@
+From 11a163f2c7d6a9f27ce144cd7e367a81c851621a Mon Sep 17 00:00:00 2001
+From: Paul Cercueil
+Date: Sat, 12 Dec 2020 13:57:33 +0000
+Subject: clk: ingenic: Fix divider calculation with div tables
+
+From: Paul Cercueil
+
+commit 11a163f2c7d6a9f27ce144cd7e367a81c851621a upstream.
+
+The previous code assumed that a higher hardware value always resulted
+in a bigger divider, which is correct for the regular clocks, but is
+an invalid assumption when a divider table is provided for the clock.
+
+Perfect example of this is the PLL0_HALF clock, which applies a /2
+divider with the hardware value 0, and a /1 divider otherwise.
+
+Fixes: a9fa2893fcc6 ("clk: ingenic: Add support for divider tables")
+Cc: # 5.2
+Signed-off-by: Paul Cercueil
+Link: https://lore.kernel.org/r/20201212135733.38050-1-paul@crapouillou.net
+Signed-off-by: Stephen Boyd
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/ingenic/cgu.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/clk/ingenic/cgu.c
++++ b/drivers/clk/ingenic/cgu.c
+@@ -393,15 +393,21 @@ static unsigned int
+ ingenic_clk_calc_hw_div(const struct ingenic_cgu_clk_info *clk_info,
+ unsigned int div)
+ {
+- unsigned int i;
++ unsigned int i, best_i = 0, best = (unsigned int)-1;
+
+ for (i = 0; i < (1 << clk_info->div.bits)
+ && clk_info->div.div_table[i]; i++) {
+- if (clk_info->div.div_table[i] >= div)
+- return i;
++ if (clk_info->div.div_table[i] >= div &&
++ clk_info->div.div_table[i] < best) {
++ best = clk_info->div.div_table[i];
++ best_i = i;
++
++ if (div == best)
++ break;
++ }
+ }
+
+- return i - 1;
++ return best_i;
+ }
+
+ static unsigned
diff --git a/queue-5.4/clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch b/queue-5.4/clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch
new file mode 100644
index 00000000000..297d58aa3a2
--- /dev/null
+++ b/queue-5.4/clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch
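Review bot: When no table entry is at least `div`, the new `ingenic_clk_calc_hw_div()` returns `best_i` with its initial value 0, so the divider behind hardware value 0 is used, whereas the old code fell back to the last populated index. The commit message's own PLL0_HALF example shows that table order says nothing about divider size, so index 0 can be a small divider and the resulting clock faster than the caller asked for. Tracking the largest table entry in the same loop and returning its index when `best` is still `(unsigned int)-1` gives a conservative fallback, and the choice should be stated in a comment above the function. Whether callers can pass a `div` above every table entry is not visible in this hunk.

```c
	unsigned int i, best_i = 0, best = (unsigned int)-1;
	unsigned int max_i = 0, max = 0;

	/* … unchanged: for loop header … */
		/* Remember the largest divider as the fallback. */
		if (clk_info->div.div_table[i] > max) {
			max = clk_info->div.div_table[i];
			max_i = i;
		}
		/* … unchanged: best / best_i selection and early break … */

	/* No entry reaches div: use the largest divider available. */
	return best == (unsigned int)-1 ? max_i : best_i;
```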
@@ -0,0 +1,43 @@
+From 6f37689cf6b38fff96de52e7f0d3e78f22803ba0 Mon Sep 17 00:00:00 2001
+From: Terry Zhou
+Date: Fri, 6 Nov 2020 11:00:39 +0100
+Subject: clk: mvebu: a3700: fix the XTAL MODE pin to MPP1_9
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Terry Zhou
+
+commit 6f37689cf6b38fff96de52e7f0d3e78f22803ba0 upstream.
+
+There is an error in the current code that the XTAL MODE
+pin was set to NB MPP1_31 which should be NB MPP1_9.
+The latch register of NB MPP1_9 has different offset of 0x8.
+
+Signed-off-by: Terry Zhou
+[pali: Fix pin name in commit message]
+Signed-off-by: Pali Rohár
+Fixes: 7ea8250406a6 ("clk: mvebu: Add the xtal clock for Armada 3700 SoC")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20201106100039.11385-1-pali@kernel.org
+Reviewed-by: Marek Behún
+Signed-off-by: Stephen Boyd
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/mvebu/armada-37xx-xtal.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/mvebu/armada-37xx-xtal.c
++++ b/drivers/clk/mvebu/armada-37xx-xtal.c
+@@ -13,8 +13,8 @@
+ #include
+ #include
+
+-#define NB_GPIO1_LATCH 0xC
+-#define XTAL_MODE BIT(31)
++#define NB_GPIO1_LATCH 0x8
++#define XTAL_MODE BIT(9)
+
+ static int armada_3700_xtal_clock_probe(struct platform_device *pdev)
+ {
diff --git a/queue-5.4/clk-tegra-do-not-return-0-on-failure.patch b/queue-5.4/clk-tegra-do-not-return-0-on-failure.patch
new file mode 100644
index 00000000000..b1cbe43303d
--- /dev/null
+++ b/queue-5.4/clk-tegra-do-not-return-0-on-failure.patch
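Review bot: The two corrected constants are still bare numbers with nothing tying them to the pin, which is how the wrong pin could go unnoticed; a comment above `NB_GPIO1_LATCH` should name it, e.g. `/* XTAL MODE is strapped on NB MPP1_9: latch register at offset 0x8, bit 9 */`. The register offset and the bit index have to change together, so it is worth saying that in the same comment. The values themselves come from the commit message and are not checked here against a datasheet.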
@@ -0,0 +1,43 @@
+From 6160aca443148416994c022a35c77daeba948ea6 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen
+Date: Wed, 28 Oct 2020 17:48:20 -0700
+Subject: clk: tegra: Do not return 0 on failure
+
+From: Nicolin Chen
+
+commit 6160aca443148416994c022a35c77daeba948ea6 upstream.
+
+Return values from read_dt_param() will be either TRUE (1) or
+FALSE (0), while dfll_fetch_pwm_params() returns 0 on success
+or an ERR code on failure.
+
+So this patch fixes the bug of returning 0 on failure.
+
+Fixes: 36541f0499fe ("clk: tegra: dfll: support PWM regulator control")
+Cc:
+Signed-off-by: Nicolin Chen
+Signed-off-by: Thierry Reding
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/tegra/clk-dfll.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/tegra/clk-dfll.c
++++ b/drivers/clk/tegra/clk-dfll.c
+@@ -1801,13 +1801,13 @@ static int dfll_fetch_pwm_params(struct
+ &td->reg_init_uV);
+ if (!ret) {
+ dev_err(td->dev, "couldn't get initialized voltage\n");
+- return ret;
++ return -EINVAL;
+ }
+
+ ret = read_dt_param(td, "nvidia,pwm-period-nanoseconds", &pwm_period);
+ if (!ret) {
+ dev_err(td->dev, "couldn't get PWM period\n");
+- return ret;
++ return -EINVAL;
+ }
+ td->pwm_rate = (NSEC_PER_SEC / pwm_period) * (MAX_DFLL_VOLTAGES - 1);
+
diff --git a/queue-5.4/device-dax-core-fix-memory-leak-when-rmmod-dax.ko.patch b/queue-5.4/device-dax-core-fix-memory-leak-when-rmmod-dax.ko.patch
new file mode 100644
index 00000000000..94f848dc47b
--- /dev/null
+++ b/queue-5.4/device-dax-core-fix-memory-leak-when-rmmod-dax.ko.patch
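Review bot: `pwm_period` is used as a divisor in `td->pwm_rate = (NSEC_PER_SEC / pwm_period) * (MAX_DFLL_VOLTAGES - 1);` directly after the corrected error path, and the checks only reject a missing property, not one whose value is 0. As far as this hunk shows, a device tree carrying a zero `nvidia,pwm-period-nanoseconds` reaches the division; the guard could become `if (!ret || !pwm_period) {` with the same `return -EINVAL;`. dfll_fetch_pwm_params() starts and ends outside the hunk, so an earlier range check may exist that is not visible here.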
@@ -0,0 +1,56 @@
+From 1aa574312518ef1d60d2dc62d58f7021db3b163a Mon Sep 17 00:00:00 2001
+From: Wang Hai
+Date: Tue, 1 Dec 2020 21:59:29 +0800
+Subject: device-dax/core: Fix memory leak when rmmod dax.ko
+
+From: Wang Hai
+
+commit 1aa574312518ef1d60d2dc62d58f7021db3b163a upstream.
+
+When I repeatedly modprobe and rmmod dax.ko, kmemleak report a
+memory leak as follows:
+
+unreferenced object 0xffff9a5588c05088 (size 8):
+ comm "modprobe", pid 261, jiffies 4294693644 (age 42.063s)
+...
+ backtrace:
+ [<00000000e007ced0>] kstrdup+0x35/0x70
+ [<000000002ae73897>] kstrdup_const+0x3d/0x50
+ [<000000002b00c9c3>] kvasprintf_const+0xbc/0xf0
+ [<000000008023282f>] kobject_set_name_vargs+0x3b/0xd0
+ [<00000000d2cbaa4e>] kobject_set_name+0x62/0x90
+ [<00000000202e7a22>] bus_register+0x7f/0x2b0
+ [<000000000b77792c>] 0xffffffffc02840f7
+ [<000000002d5be5ac>] 0xffffffffc02840b4
+ [<00000000dcafb7cd>] do_one_initcall+0x58/0x240
+ [<00000000049fe480>] do_init_module+0x56/0x1e2
+ [<0000000022671491>] load_module+0x2517/0x2840
+ [<000000001a2201cb>] __do_sys_finit_module+0x9c/0xe0
+ [<000000003eb304e7>] do_syscall_64+0x33/0x40
+ [<0000000051c5fd06>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+When rmmod dax is executed, dax_bus_exit() is missing. This patch
+can fix this bug.
+
+Fixes: 9567da0b408a ("device-dax: Introduce bus + driver model")
+Cc:
+Reported-by: Hulk Robot
+Signed-off-by: Wang Hai
+Link: https://lore.kernel.org/r/20201201135929.66530-1-wanghai38@huawei.com
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/dax/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/dax/super.c
++++ b/drivers/dax/super.c
+@@ -720,6 +720,7 @@ err_chrdev:
+
+ static void __exit dax_core_exit(void)
+ {
++ dax_bus_exit();
+ unregister_chrdev_region(dax_devt, MINORMASK+1);
+ ida_destroy(&dax_minor_ida);
+ dax_fs_exit();
diff --git a/queue-5.4/dma-buf-dma-resv-respect-num_fences-when-initializing-the-shared-fence-list.patch b/queue-5.4/dma-buf-dma-resv-respect-num_fences-when-initializing-the-shared-fence-list.patch
new file mode 100644
index 00000000000..b5c54c22483
--- /dev/null
+++ b/queue-5.4/dma-buf-dma-resv-respect-num_fences-when-initializing-the-shared-fence-list.patch
@@ -0,0 +1,42 @@
+From bf8975837dac156c33a4d15d46602700998cb6dd Mon Sep 17 00:00:00 2001
+From: Maarten Lankhorst
+Date: Tue, 24 Nov 2020 12:57:07 +0100
+Subject: dma-buf/dma-resv: Respect num_fences when initializing the shared fence list.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maarten Lankhorst
+
+commit bf8975837dac156c33a4d15d46602700998cb6dd upstream.
+
+We hardcode the maximum number of shared fences to 4, instead of
+respecting num_fences. Use a minimum of 4, but more if num_fences
+is higher.
+
+This seems to have been an oversight when first implementing the
+api.
+
+Fixes: 04a5faa8cbe5 ("reservation: update api and add some helpers")
+Cc: # v3.17+
+Reported-by: Niranjana Vishwanathapura
+Signed-off-by: Maarten Lankhorst
+Reviewed-by: Thomas Hellström
+Link: https://patchwork.freedesktop.org/patch/msgid/20201124115707.406917-1-maarten.lankhorst@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/dma-buf/dma-resv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma-buf/dma-resv.c
++++ b/drivers/dma-buf/dma-resv.c
+@@ -161,7 +161,7 @@ int dma_resv_reserve_shared(struct dma_r
+ max = max(old->shared_count + num_fences,
+ old->shared_max * 2);
+ } else {
+- max = 4;
++ max = max(4ul, roundup_pow_of_two(num_fences));
+ }
+
+ new = dma_resv_list_alloc(max);
diff --git a/queue-5.4/drm-amd-display-fix-memory-leaks-in-s3-resume.patch b/queue-5.4/drm-amd-display-fix-memory-leaks-in-s3-resume.patch
new file mode 100644
index 00000000000..54fe46859f4
--- /dev/null
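Review bot: `roundup_pow_of_two()` is documented as undefined for an argument of 0, and the new `else` branch passes `num_fences` to it without a visible lower bound. The result then sizes the allocation in `dma_resv_list_alloc(max)`, so the contract should be explicit: either clamp in place, `max = max(4ul, roundup_pow_of_two(num_fences ?: 1));`, or state in the function's kerneldoc that `num_fences` must be at least 1. dma_resv_reserve_shared() starts and ends outside the hunk, so callers may already guarantee a non-zero count; that is not visible here.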
+++ b/queue-5.4/drm-amd-display-fix-memory-leaks-in-s3-resume.patch
@@ -0,0 +1,40 @@
+From a135a1b4c4db1f3b8cbed9676a40ede39feb3362 Mon Sep 17 00:00:00 2001
+From: Stylon Wang
+Date: Tue, 10 Nov 2020 15:40:06 +0800
+Subject: drm/amd/display: Fix memory leaks in S3 resume
+
+From: Stylon Wang
+
+commit a135a1b4c4db1f3b8cbed9676a40ede39feb3362 upstream.
+
+EDID parsing in S3 resume pushes new display modes
+to probed_modes list but doesn't consolidate to actual
+mode list. This creates a race condition when
+amdgpu_dm_connector_ddc_get_modes() re-initializes the
+list head without walking the list and results in memory leak.
+
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=209987
+Acked-by: Harry Wentland
+Acked-by: Alex Deucher
+Reviewed-by: Nicholas Kazlauskas
+Signed-off-by: Stylon Wang
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -1434,7 +1434,8 @@ amdgpu_dm_update_connector_after_detect(
+
+ drm_connector_update_edid_property(connector,
+ aconnector->edid);
+- drm_add_edid_modes(connector, aconnector->edid);
++ aconnector->num_modes = drm_add_edid_modes(connector, aconnector->edid);
++ drm_connector_list_update(connector);
+
+ if (aconnector->dc_link->aux_mode)
+ drm_dp_cec_set_edid(&aconnector->dm_dp_aux.aux,
diff --git a/queue-5.4/drm-amd-display-honor-the-offset-for-plane-0.patch b/queue-5.4/drm-amd-display-honor-the-offset-for-plane-0.patch
new file mode 100644
index 00000000000..830eecdd79c
--- /dev/null
+++ b/queue-5.4/drm-amd-display-honor-the-offset-for-plane-0.patch
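Review bot: The added `drm_connector_list_update(connector);` edits the connector's mode lists, and the hunk does not show which lock protects them on this path. To my knowledge the DRM helper expects the caller to hold `mode_config.mutex`, and the commit message describes a race on these same lists during S3 resume, so the locking assumption deserves a comment at the call site such as `/* caller must hold dev->mode_config.mutex */`. If that is the contract, a `lockdep_assert_held()` at the top of the function would enforce it. amdgpu_dm_update_connector_after_detect() starts and ends outside the hunk, so the lock may be taken by callers not visible here.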
@@ -0,0 +1,76 @@ +From be7b9b327e79cd2db07b659af599867b629b2f66 Mon Sep 17 00:00:00 2001 +From: Bas Nieuwenhuizen +Date: Sat, 21 Dec 2019 19:05:37 +0100 +Subject: drm/amd/display: Honor the offset for plane 0. + +From: Bas Nieuwenhuizen + +commit be7b9b327e79cd2db07b659af599867b629b2f66 upstream. + +With modifiers I'd like to support non-dedicated buffers for +images. + +Signed-off-by: Bas Nieuwenhuizen +Reviewed-by: Alex Deucher +Reviewed-by: Nicholas Kazlauskas +Cc: stable@vger.kernel.org # 5.1.0 +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -2720,6 +2720,7 @@ fill_plane_dcc_attributes(struct amdgpu_ + struct dc *dc = adev->dm.dc; + struct dc_dcc_surface_param input; + struct dc_surface_dcc_cap output; ++ uint64_t plane_address = afb->address + afb->base.offsets[0]; + uint32_t offset = AMDGPU_TILING_GET(info, DCC_OFFSET_256B); + uint32_t i64b = AMDGPU_TILING_GET(info, DCC_INDEPENDENT_64B) != 0; + uint64_t dcc_address; +@@ -2763,7 +2764,7 @@ fill_plane_dcc_attributes(struct amdgpu_ + AMDGPU_TILING_GET(info, DCC_PITCH_MAX) + 1; + dcc->independent_64b_blks = i64b; + +- dcc_address = get_dcc_address(afb->address, info); ++ dcc_address = get_dcc_address(plane_address, info); + address->grph.meta_addr.low_part = lower_32_bits(dcc_address); + address->grph.meta_addr.high_part = upper_32_bits(dcc_address); + +@@ -2791,6 +2792,8 @@ fill_plane_buffer_attributes(struct amdg + memset(address, 0, sizeof(*address)); + + if (format < SURFACE_PIXEL_FORMAT_VIDEO_BEGIN) { ++ uint64_t addr = afb->address + fb->offsets[0]; ++ + plane_size->surface_size.x = 0; + plane_size->surface_size.y = 0; + plane_size->surface_size.width = fb->width; +@@ -2799,9 +2802,10 @@ fill_plane_buffer_attributes(struct amdg + fb->pitches[0] / 
fb->format->cpp[0]; + + address->type = PLN_ADDR_TYPE_GRAPHICS; +- address->grph.addr.low_part = lower_32_bits(afb->address); +- address->grph.addr.high_part = upper_32_bits(afb->address); ++ address->grph.addr.low_part = lower_32_bits(addr); ++ address->grph.addr.high_part = upper_32_bits(addr); + } else if (format < SURFACE_PIXEL_FORMAT_INVALID) { ++ uint64_t luma_addr = afb->address + fb->offsets[0]; + uint64_t chroma_addr = afb->address + fb->offsets[1]; + + plane_size->surface_size.x = 0; +@@ -2822,9 +2826,9 @@ fill_plane_buffer_attributes(struct amdg + + address->type = PLN_ADDR_TYPE_VIDEO_PROGRESSIVE; + address->video_progressive.luma_addr.low_part = +- lower_32_bits(afb->address); ++ lower_32_bits(luma_addr); + address->video_progressive.luma_addr.high_part = +- upper_32_bits(afb->address); ++ upper_32_bits(luma_addr); + address->video_progressive.chroma_addr.low_part = + lower_32_bits(chroma_addr); + address->video_progressive.chroma_addr.high_part = diff --git a/queue-5.4/drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch b/queue-5.4/drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch new file mode 100644 index 00000000000..0454d4a149b --- /dev/null +++ b/queue-5.4/drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch 
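Review bot: The plane-0 address is now computed three times under three names, which makes it easy for a later change to update one and miss another. It appears as `plane_address` from `afb->base.offsets[0]` in fill_plane_dcc_attributes(), and as `addr` and `luma_addr` from `fb->offsets[0]` in fill_plane_buffer_attributes(); one small helper, or at least one spelling of the offset source, would keep them in step. Separately, `afb->address + fb->offsets[0]` is an unchecked 64-bit addition of an offset that presumably comes from the framebuffer creation request. The hunks do not show where that offset is bounded against the buffer size, so a comment naming the place that validates it would help the next reviewer. Both functions start and end outside the hunks.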
@@ -0,0 +1,151 @@ +From 73b62cdb93b68d7e2c1d373c6a411bc00c53e702 Mon Sep 17 00:00:00 2001 +From: Zwane Mwaikambo +Date: Mon, 12 Oct 2020 22:59:14 -0700 +Subject: drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor() + +From: Zwane Mwaikambo + +commit 73b62cdb93b68d7e2c1d373c6a411bc00c53e702 upstream. + +I observed this when unplugging a DP monitor whilst a computer is asleep +and then waking it up. This left DP chardev nodes still being present on +the filesystem and accessing these device nodes caused an oops because +drm_dp_aux_dev_get_by_minor() assumes a device exists if it is opened. +This can also be reproduced by creating a device node with mknod(1) and +issuing an open(2) + +[166164.933198] BUG: kernel NULL pointer dereference, address: 0000000000000018 +[166164.933202] #PF: supervisor read access in kernel mode +[166164.933204] #PF: error_code(0x0000) - not-present page +[166164.933205] PGD 0 P4D 0 +[166164.933208] Oops: 0000 [#1] PREEMPT SMP NOPTI +[166164.933211] CPU: 4 PID: 99071 Comm: fwupd Tainted: G W +5.8.0-rc6+ #1 +[166164.933213] Hardware name: LENOVO 20RD002VUS/20RD002VUS, BIOS R16ET25W +(1.11 ) 04/21/2020 +[166164.933232] RIP: 0010:drm_dp_aux_dev_get_by_minor+0x29/0x70 +[drm_kms_helper] +[166164.933234] Code: 00 0f 1f 44 00 00 55 48 89 e5 41 54 41 89 fc 48 c7 +c7 60 01 a4 c0 e8 26 ab 30 d7 44 89 e6 48 c7 c7 80 01 a4 c0 e8 47 94 d6 d6 +<8b> 50 18 49 89 c4 48 8d 78 18 85 d2 74 33 8d 4a 01 89 d0 f0 0f b1 +[166164.933236] RSP: 0018:ffffb7d7c41cbbf0 EFLAGS: 00010246 +[166164.933237] RAX: 0000000000000000 RBX: ffff8a90001fe900 RCX: 0000000000000000 +[166164.933238] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffffffc0a40180 +[166164.933239] RBP: ffffb7d7c41cbbf8 R08: 0000000000000000 R09: ffff8a93e157d6d0 +[166164.933240] R10: 0000000000000000 R11: ffffffffc0a40188 R12: 0000000000000003 +[166164.933241] R13: ffff8a9402200e80 R14: ffff8a90001fe900 R15: 0000000000000000 +[166164.933244] FS: 00007f7fb041eb00(0000) 
GS:ffff8a9411500000(0000) +knlGS:0000000000000000 +[166164.933245] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[166164.933246] CR2: 0000000000000018 CR3: 00000000352c2003 CR4: 00000000003606e0 +[166164.933247] Call Trace: +[166164.933264] auxdev_open+0x1b/0x40 [drm_kms_helper] +[166164.933278] chrdev_open+0xa7/0x1c0 +[166164.933282] ? cdev_put.part.0+0x20/0x20 +[166164.933287] do_dentry_open+0x161/0x3c0 +[166164.933291] vfs_open+0x2d/0x30 +[166164.933297] path_openat+0xb27/0x10e0 +[166164.933306] ? atime_needs_update+0x73/0xd0 +[166164.933309] do_filp_open+0x91/0x100 +[166164.933313] ? __alloc_fd+0xb2/0x150 +[166164.933316] do_sys_openat2+0x210/0x2d0 +[166164.933318] do_sys_open+0x46/0x80 +[166164.933320] __x64_sys_openat+0x20/0x30 +[166164.933328] do_syscall_64+0x52/0xc0 +[166164.933336] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +(gdb) disassemble drm_dp_aux_dev_get_by_minor+0x29 +Dump of assembler code for function drm_dp_aux_dev_get_by_minor: + 0x0000000000017b10 <+0>: callq 0x17b15 + 0x0000000000017b15 <+5>: push %rbp + 0x0000000000017b16 <+6>: mov %rsp,%rbp + 0x0000000000017b19 <+9>: push %r12 + 0x0000000000017b1b <+11>: mov %edi,%r12d + 0x0000000000017b1e <+14>: mov $0x0,%rdi + 0x0000000000017b25 <+21>: callq 0x17b2a + 0x0000000000017b2a <+26>: mov %r12d,%esi + 0x0000000000017b2d <+29>: mov $0x0,%rdi + 0x0000000000017b34 <+36>: callq 0x17b39 + 0x0000000000017b39 <+41>: mov 0x18(%rax),%edx <========= + 0x0000000000017b3c <+44>: mov %rax,%r12 + 0x0000000000017b3f <+47>: lea 0x18(%rax),%rdi + 0x0000000000017b43 <+51>: test %edx,%edx + 0x0000000000017b45 <+53>: je 0x17b7a + 0x0000000000017b47 <+55>: lea 0x1(%rdx),%ecx + 0x0000000000017b4a <+58>: mov %edx,%eax + 0x0000000000017b4c <+60>: lock cmpxchg %ecx,(%rdi) + 0x0000000000017b50 <+64>: jne 0x17b76 + 0x0000000000017b52 <+66>: test %edx,%edx + 0x0000000000017b54 <+68>: js 0x17b6d + 0x0000000000017b56 <+70>: test %ecx,%ecx + 0x0000000000017b58 <+72>: js 0x17b6d + 0x0000000000017b5a <+74>: mov $0x0,%rdi + 
0x0000000000017b61 <+81>: callq 0x17b66 + 0x0000000000017b66 <+86>: mov %r12,%rax + 0x0000000000017b69 <+89>: pop %r12 + 0x0000000000017b6b <+91>: pop %rbp + 0x0000000000017b6c <+92>: retq + 0x0000000000017b6d <+93>: xor %esi,%esi + 0x0000000000017b6f <+95>: callq 0x17b74 + 0x0000000000017b74 <+100>: jmp 0x17b5a + 0x0000000000017b76 <+102>: mov %eax,%edx + 0x0000000000017b78 <+104>: jmp 0x17b43 + 0x0000000000017b7a <+106>: xor %r12d,%r12d + 0x0000000000017b7d <+109>: jmp 0x17b5a +End of assembler dump. + +(gdb) list *drm_dp_aux_dev_get_by_minor+0x29 +0x17b39 is in drm_dp_aux_dev_get_by_minor (drivers/gpu/drm/drm_dp_aux_dev.c:65). +60 static struct drm_dp_aux_dev *drm_dp_aux_dev_get_by_minor(unsigned index) +61 { +62 struct drm_dp_aux_dev *aux_dev = NULL; +63 +64 mutex_lock(&aux_idr_mutex); +65 aux_dev = idr_find(&aux_idr, index); +66 if (!kref_get_unless_zero(&aux_dev->refcount)) +67 aux_dev = NULL; +68 mutex_unlock(&aux_idr_mutex); +69 +(gdb) p/x &((struct drm_dp_aux_dev *)(0x0))->refcount +$8 = 0x18 + +Looking at the caller, checks on the minor are pushed down to +drm_dp_aux_dev_get_by_minor() + +static int auxdev_open(struct inode *inode, struct file *file) +{ + unsigned int minor = iminor(inode); + struct drm_dp_aux_dev *aux_dev; + + aux_dev = drm_dp_aux_dev_get_by_minor(minor); <==== + if (!aux_dev) + return -ENODEV; + + file->private_data = aux_dev; + return 0; +} + +Fixes: e94cb37b34eb ("drm/dp: Add a drm_aux-dev module for reading/writing dpcd registers.") +Cc: # v4.6+ +Signed-off-by: Zwane Mwaikambo +Reviewed-by: Lyude Paul +[added Cc to stable] +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/alpine.DEB.2.21.2010122231070.38717@montezuma.home +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_dp_aux_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_dp_aux_dev.c ++++ b/drivers/gpu/drm/drm_dp_aux_dev.c +@@ -63,7 +63,7 @@ static struct drm_dp_aux_dev *drm_dp_aux + + 
mutex_lock(&aux_idr_mutex); + aux_dev = idr_find(&aux_idr, index); +- if (!kref_get_unless_zero(&aux_dev->refcount)) ++ if (aux_dev && !kref_get_unless_zero(&aux_dev->refcount)) + aux_dev = NULL; + mutex_unlock(&aux_idr_mutex); + diff --git a/queue-5.4/drm-i915-fix-mismatch-between-misplaced-vma-check-and-vma-insert.patch b/queue-5.4/drm-i915-fix-mismatch-between-misplaced-vma-check-and-vma-insert.patch new file mode 100644 index 00000000000..b45f9942487 --- /dev/null +++ b/queue-5.4/drm-i915-fix-mismatch-between-misplaced-vma-check-and-vma-insert.patch 
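Review bot: The new `aux_dev &&` test is the only thing between an `open(2)` on a stale or hand-made device node and the NULL dereference shown in the commit message, but nothing in the code says so. A one-line comment above the check, e.g. `/* idr_find() returns NULL when no aux device is registered for this minor */`, would keep it from being simplified away later. drm_dp_aux_dev_get_by_minor() starts and ends outside the hunk; the caller quoted in the commit message, auxdev_open(), already maps a NULL result to -ENODEV.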
@@ -0,0 +1,53 @@ +From 0e53656ad8abc99e0a80c3de611e593ebbf55829 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Wed, 16 Dec 2020 09:29:51 +0000 +Subject: drm/i915: Fix mismatch between misplaced vma check and vma insert + +From: Chris Wilson + +commit 0e53656ad8abc99e0a80c3de611e593ebbf55829 upstream. + +When inserting a VMA, we restrict the placement to the low 4G unless the +caller opts into using the full range. This was done to allow usersapce +the opportunity to transition slowly from a 32b address space, and to +avoid breaking inherent 32b assumptions of some commands. + +However, for insert we limited ourselves to 4G-4K, but on verification +we allowed the full 4G. This causes some attempts to bind a new buffer +to sporadically fail with -ENOSPC, but at other times be bound +successfully. + +commit 48ea1e32c39d ("drm/i915/gen9: Set PIN_ZONE_4G end to 4GB - 1 +page") suggests that there is a genuine problem with stateless addressing +that cannot utilize the last page in 4G and so we purposefully excluded +it. This means that the quick pin pass may cause us to utilize a buggy +placement. 
+ +Reported-by: CQ Tang +Testcase: igt/gem_exec_params/larger-than-life-batch +Fixes: 48ea1e32c39d ("drm/i915/gen9: Set PIN_ZONE_4G end to 4GB - 1 page") +Signed-off-by: Chris Wilson +Cc: CQ Tang +Reviewed-by: CQ Tang +Reviewed-by: Matthew Auld +Cc: # v4.5+ +Link: https://patchwork.freedesktop.org/patch/msgid/20201216092951.7124-1-chris@chris-wilson.co.uk +(cherry picked from commit 5f22cc0b134ab702d7f64b714e26018f7288ffee) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c +@@ -367,7 +367,7 @@ eb_vma_misplaced(const struct drm_i915_g + return true; + + if (!(flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS) && +- (vma->node.start + vma->node.size - 1) >> 32) ++ (vma->node.start + vma->node.size + 4095) >> 32) + return true; + + if (flags & __EXEC_OBJECT_NEEDS_MAP && diff --git a/queue-5.4/iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch b/queue-5.4/iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch new file mode 100644 index 00000000000..e75d85afa55 --- /dev/null +++ b/queue-5.4/iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch 
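Review bot: The bare `4095` in the new `eb_vma_misplaced()` condition restates, as a magic number, the one-page margin that the description says the insert path applies to the 4G zone (4G-4K), so the two limits can drift apart again the same way they did before this fix. A comment on the condition would tie them together, for example `/* must match the PIN_ZONE_4G insert limit: the last 4K page below 4G is excluded */`, and a named page-size constant in place of the literal would make the intent searchable. The body of eb_vma_misplaced() starts and ends outside the hunk, and the insert-side expression is not visible here, so the exact counterpart should be confirmed before wording the comment.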
@@ -0,0 +1,36 @@
+From 560c6b914c6ec7d9d9a69fddbb5bf3bf71433e8b Mon Sep 17 00:00:00 2001
+From: Qinglang Miao
+Date: Tue, 3 Nov 2020 20:07:43 +0800
+Subject: iio: adc: rockchip_saradc: fix missing clk_disable_unprepare() on error in rockchip_saradc_resume
+
+From: Qinglang Miao
+
+commit 560c6b914c6ec7d9d9a69fddbb5bf3bf71433e8b upstream.
+
+Fix the missing clk_disable_unprepare() of info->pclk
+before return from rockchip_saradc_resume in the error
+handling case when fails to prepare and enable info->clk.
+
+Suggested-by: Robin Murphy
+Fixes: 44d6f2ef94f9 ("iio: adc: add driver for Rockchip saradc")
+Signed-off-by: Qinglang Miao
+Cc:
+Link: https://lore.kernel.org/r/20201103120743.110662-1-miaoqinglang@huawei.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/rockchip_saradc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/rockchip_saradc.c
++++ b/drivers/iio/adc/rockchip_saradc.c
+@@ -372,7 +372,7 @@ static int rockchip_saradc_resume(struct
+
+ ret = clk_prepare_enable(info->clk);
+ if (ret)
+- return ret;
++ clk_disable_unprepare(info->pclk);
+
+ return ret;
+ }
diff --git a/queue-5.4/iio-adc-ti-ads124s08-fix-alignment-and-data-leak-issues.patch b/queue-5.4/iio-adc-ti-ads124s08-fix-alignment-and-data-leak-issues.patch
new file mode 100644
index 00000000000..e94c5b2e7ca
--- /dev/null
+++ b/queue-5.4/iio-adc-ti-ads124s08-fix-alignment-and-data-leak-issues.patch
@@ -0,0 +1,79 @@ +From 1e405bc2512f80a903ddd6ba8740cee885238d7f Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 20 Sep 2020 12:27:42 +0100 +Subject: iio:adc:ti-ads124s08: Fix alignment and data leak issues. + +From: Jonathan Cameron + +commit 1e405bc2512f80a903ddd6ba8740cee885238d7f upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses an array of smaller elements on the stack. +As Lars also noted this anti pattern can involve a leak of data to +userspace and that indeed can happen here. We close both issues by +moving to a suitable structure in the iio_priv() data with alignment +explicitly requested. This data is allocated with kzalloc() so no +data can leak apart from previous readings. + +In this driver the timestamp can end up in various different locations +depending on what other channels are enabled. As a result, we don't +use a structure to specify it's position as that would be misleading. + +Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Reviewed-by: Alexandru Ardelean +Cc: Dan Murphy +Cc: +Link: https://lore.kernel.org/r/20200920112742.170751-9-jic23@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ti-ads124s08.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/iio/adc/ti-ads124s08.c ++++ b/drivers/iio/adc/ti-ads124s08.c +@@ -97,6 +97,14 @@ struct ads124s_private { + struct gpio_desc *reset_gpio; + struct spi_device *spi; + struct mutex lock; ++ /* ++ * Used to correctly align data. ++ * Ensure timestamp is naturally aligned. ++ * Note that the full buffer length may not be needed if not ++ * all channels are enabled, as long as the alignment of the ++ * timestamp is maintained. 
++ */ ++ u32 buffer[ADS124S08_MAX_CHANNELS + sizeof(s64)/sizeof(u32)] __aligned(8); + u8 data[5] ____cacheline_aligned; + }; + +@@ -270,7 +278,6 @@ static irqreturn_t ads124s_trigger_handl + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + struct ads124s_private *priv = iio_priv(indio_dev); +- u32 buffer[ADS124S08_MAX_CHANNELS + sizeof(s64)/sizeof(u32)]; + int scan_index, j = 0; + int ret; + +@@ -285,7 +292,7 @@ static irqreturn_t ads124s_trigger_handl + if (ret) + dev_err(&priv->spi->dev, "Start ADC conversions failed\n"); + +- buffer[j] = ads124s_read(indio_dev, scan_index); ++ priv->buffer[j] = ads124s_read(indio_dev, scan_index); + ret = ads124s_write_cmd(indio_dev, ADS124S08_STOP_CONV); + if (ret) + dev_err(&priv->spi->dev, "Stop ADC conversions failed\n"); +@@ -293,7 +300,7 @@ static irqreturn_t ads124s_trigger_handl + j++; + } + +- iio_push_to_buffers_with_timestamp(indio_dev, buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, priv->buffer, + pf->timestamp); + + iio_trigger_notify_done(indio_dev->trig); diff --git a/queue-5.4/iio-adc-ti-ads124s08-fix-buffer-being-too-long.patch b/queue-5.4/iio-adc-ti-ads124s08-fix-buffer-being-too-long.patch new file mode 100644 index 00000000000..08a7d460254 --- /dev/null +++ b/queue-5.4/iio-adc-ti-ads124s08-fix-buffer-being-too-long.patch 
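Review bot: In `ads124s_trigger_handler()`, `priv->buffer[j] = ads124s_read(indio_dev, scan_index);` stores the return value unchecked, so if ads124s_read() signals failure with a negative errno (its definition is outside the hunk, so this needs confirming) that value is pushed to userspace as if it were a sample. The start and stop command failures around it are only logged with dev_err() and the scan is pushed regardless. Consider reading into the existing local first, `ret = ads124s_read(indio_dev, scan_index);`, and not pushing the scan when `ret < 0`. Because the buffer now lives in iio_priv(), slots for channels that are no longer enabled keep earlier readings, which the description accepts; the comment on the `buffer` member could say so explicitly.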
@@ -0,0 +1,37 @@
+From b0bd27f02d768e3a861c4e6c27f8e369720e6c25 Mon Sep 17 00:00:00 2001
+From: Jonathan Cameron
+Date: Sun, 20 Sep 2020 12:27:41 +0100
+Subject: iio:adc:ti-ads124s08: Fix buffer being too long.
+
+From: Jonathan Cameron
+
+commit b0bd27f02d768e3a861c4e6c27f8e369720e6c25 upstream.
+
+The buffer is expressed as a u32 array, yet the extra space for
+the s64 timestamp was expressed as sizeof(s64)/sizeof(u16).
+This will result in 2 extra u32 elements.
+Fix by dividing by sizeof(u32).
+
+Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code")
+Signed-off-by: Jonathan Cameron
+Reviewed-by: Alexandru Ardelean
+Cc: Dan Murphy
+Cc:
+Link: https://lore.kernel.org/r/20200920112742.170751-8-jic23@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/ti-ads124s08.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ti-ads124s08.c
++++ b/drivers/iio/adc/ti-ads124s08.c
+@@ -270,7 +270,7 @@ static irqreturn_t ads124s_trigger_handl
+ struct iio_poll_func *pf = p;
+ struct iio_dev *indio_dev = pf->indio_dev;
+ struct ads124s_private *priv = iio_priv(indio_dev);
+- u32 buffer[ADS124S08_MAX_CHANNELS + sizeof(s64)/sizeof(u16)];
++ u32 buffer[ADS124S08_MAX_CHANNELS + sizeof(s64)/sizeof(u32)];
+ int scan_index, j = 0;
+ int ret;
+
diff --git a/queue-5.4/iio-buffer-fix-demux-update.patch b/queue-5.4/iio-buffer-fix-demux-update.patch
new file mode 100644
index 00000000000..ea34a9237fc
--- /dev/null
+++ b/queue-5.4/iio-buffer-fix-demux-update.patch
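Review bot: The corrected size `ADS124S08_MAX_CHANNELS + sizeof(s64)/sizeof(u32)` is only large enough if the channel words end on an 8-byte boundary, since the neighbouring patches in this queue describe the timestamp as needing 8-byte alignment inside the pushed buffer. If ADS124S08_MAX_CHANNELS were odd, the timestamp would presumably start one u32 later and the array would be one element short; the constant's value is not visible in this hunk, so this needs confirming. Sizing the array as `u32 buffer[ALIGN(ADS124S08_MAX_CHANNELS, 2) + sizeof(s64)/sizeof(u32)];`, or adding a build-time assertion on the constant, would make the assumption explicit. The same expression is carried into the struct member added by the alignment patch for this driver.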
@@ -0,0 +1,53 @@ +From 19ef7b70ca9487773c29b449adf0c70f540a0aab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nuno=20S=C3=A1?= +Date: Thu, 12 Nov 2020 15:43:22 +0100 +Subject: iio: buffer: Fix demux update +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +commit 19ef7b70ca9487773c29b449adf0c70f540a0aab upstream. + +When updating the buffer demux, we will skip a scan element from the +device in the case `in_ind != out_ind` and we enter the while loop. +in_ind should only be refreshed with `find_next_bit()` in the end of the +loop. + +Note, to cause problems we need a situation where we are skippig over +an element (channel not enabled) that happens to not have the same size +as the next element. Whilst this is a possible situation we haven't +actually identified any cases in mainline where it happens as most drivers +have consistent channel storage sizes with the exception of the timestamp +which is the last element and hence never skipped over. 
+ +Fixes: 5ada4ea9be16 ("staging:iio: add demux optionally to path from device to buffer") +Signed-off-by: Nuno Sá +Link: https://lore.kernel.org/r/20201112144323.28887-1-nuno.sa@analog.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/industrialio-buffer.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -845,12 +845,12 @@ static int iio_buffer_update_demux(struc + indio_dev->masklength, + in_ind + 1); + while (in_ind != out_ind) { +- in_ind = find_next_bit(indio_dev->active_scan_mask, +- indio_dev->masklength, +- in_ind + 1); + length = iio_storage_bytes_for_si(indio_dev, in_ind); + /* Make sure we are aligned */ + in_loc = roundup(in_loc, length) + length; ++ in_ind = find_next_bit(indio_dev->active_scan_mask, ++ indio_dev->masklength, ++ in_ind + 1); + } + length = iio_storage_bytes_for_si(indio_dev, in_ind); + out_loc = roundup(out_loc, length); diff --git a/queue-5.4/iio-imu-bmi160-fix-too-large-a-buffer.patch b/queue-5.4/iio-imu-bmi160-fix-too-large-a-buffer.patch new file mode 100644 index 00000000000..34db8b510f4 --- /dev/null +++ b/queue-5.4/iio-imu-bmi160-fix-too-large-a-buffer.patch 
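Review bot: The reordered loop in `iio_buffer_update_demux()` now depends on `in_ind` being advanced only after the skipped element's storage has been added to `in_loc`, yet the only comment in the body is still `/* Make sure we are aligned */`, which says nothing about the ordering this fix is about. A comment above the moved `find_next_bit()` call, such as `/* advance only after accounting for the element being skipped */`, would keep a later cleanup from moving it back. Separately, `roundup(in_loc, length)` divides by `length`; whether `iio_storage_bytes_for_si()` can return zero or a negative value is not visible here and is worth confirming. The function body extends beyond the hunk on both sides.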
@@ -0,0 +1,42 @@
+From dc7de42d6b50a07b37feeba4c6b5136290fcee81 Mon Sep 17 00:00:00 2001
+From: Jonathan Cameron
+Date: Sun, 20 Sep 2020 12:27:38 +0100
+Subject: iio:imu:bmi160: Fix too large a buffer.
+
+From: Jonathan Cameron
+
+commit dc7de42d6b50a07b37feeba4c6b5136290fcee81 upstream.
+
+The comment implies this device has 3 sensor types, but it only
+has an accelerometer and a gyroscope (both 3D). As such the
+buffer does not need to be as long as stated.
+
+Note I've separated this from the following patch which fixes
+the alignment for passing to iio_push_to_buffers_with_timestamp()
+as they are different issues even if they affect the same line
+of code.
+
+Signed-off-by: Jonathan Cameron
+Reviewed-by: Alexandru Ardelean
+Cc: Daniel Baluta
+Cc:
+Link: https://lore.kernel.org/r/20200920112742.170751-5-jic23@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/imu/bmi160/bmi160_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/imu/bmi160/bmi160_core.c
++++ b/drivers/iio/imu/bmi160/bmi160_core.c
+@@ -411,8 +411,8 @@ static irqreturn_t bmi160_trigger_handle
+ struct iio_poll_func *pf = p;
+ struct iio_dev *indio_dev = pf->indio_dev;
+ struct bmi160_data *data = iio_priv(indio_dev);
+- __le16 buf[16];
+- /* 3 sens x 3 axis x __le16 + 3 x __le16 pad + 4 x __le16 tstamp */
++ __le16 buf[12];
++ /* 2 sens x 3 axis x __le16 + 2 x __le16 pad + 4 x __le16 tstamp */
+ int i, ret, j = 0, base = BMI160_REG_DATA_MAGN_XOUT_L;
+ __le16 sample;
+
diff --git a/queue-5.4/iio-light-rpr0521-fix-timestamp-alignment-and-prevent-data-leak.patch b/queue-5.4/iio-light-rpr0521-fix-timestamp-alignment-and-prevent-data-leak.patch
new file mode 100644
index 00000000000..65118d702d4
--- /dev/null
+++ b/queue-5.4/iio-light-rpr0521-fix-timestamp-alignment-and-prevent-data-leak.patch
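Review bot: `__le16 buf[12]` in `bmi160_trigger_handler()` is still an uninitialised stack array, so the two pad elements named in the comment, and any slots belonging to channels that are not enabled, would carry leftover stack content when the scan is pushed to the IIO buffer. The description defers the alignment problem to the following patch; unless that patch also moves or clears the buffer, `__le16 buf[12] = { 0 };` closes the exposure in this one. The loop that fills the array is outside the hunk, so which elements are always written should be confirmed there. The layout comment would also read better placed above the declaration it describes.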
@@ -0,0 +1,82 @@ +From a61817216bcc755eabbcb1cf281d84ccad267ed1 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 20 Sep 2020 12:27:35 +0100 +Subject: iio:light:rpr0521: Fix timestamp alignment and prevent data leak. + +From: Jonathan Cameron + +commit a61817216bcc755eabbcb1cf281d84ccad267ed1 upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses an array of smaller elements on the stack. +As Lars also noted this anti pattern can involve a leak of data to +userspace and that indeed can happen here. We close both issues by +moving to a suitable structure in the iio_priv(). +This data is allocated with kzalloc() so no data can leak apart +from previous readings and in this case the status byte from the device. + +The forced alignment of ts is not necessary in this case but it +potentially makes the code less fragile. + +>From personal communications with Mikko: + +We could probably split the reading of the int register, but it +would mean a significant performance cost of 20 i2c clock cycles. + +Fixes: e12ffd241c00 ("iio: light: rpr0521 triggered buffer") +Signed-off-by: Jonathan Cameron +Reviewed-by: Alexandru Ardelean +Cc: Mikko Koivunen +Cc: +Link: https://lore.kernel.org/r/20200920112742.170751-2-jic23@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/light/rpr0521.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/iio/light/rpr0521.c ++++ b/drivers/iio/light/rpr0521.c +@@ -194,6 +194,17 @@ struct rpr0521_data { + bool pxs_need_dis; + + struct regmap *regmap; ++ ++ /* ++ * Ensure correct naturally aligned timestamp. 
++ * Note that the read will put garbage data into ++ * the padding but this should not be a problem ++ */ ++ struct { ++ __le16 channels[3]; ++ u8 garbage; ++ s64 ts __aligned(8); ++ } scan; + }; + + static IIO_CONST_ATTR(in_intensity_scale_available, RPR0521_ALS_SCALE_AVAIL); +@@ -449,8 +460,6 @@ static irqreturn_t rpr0521_trigger_consu + struct rpr0521_data *data = iio_priv(indio_dev); + int err; + +- u8 buffer[16]; /* 3 16-bit channels + padding + ts */ +- + /* Use irq timestamp when reasonable. */ + if (iio_trigger_using_own(indio_dev) && data->irq_timestamp) { + pf->timestamp = data->irq_timestamp; +@@ -461,11 +470,11 @@ static irqreturn_t rpr0521_trigger_consu + pf->timestamp = iio_get_time_ns(indio_dev); + + err = regmap_bulk_read(data->regmap, RPR0521_REG_PXS_DATA, +- &buffer, ++ data->scan.channels, + (3 * 2) + 1); /* 3 * 16-bit + (discarded) int clear reg. */ + if (!err) + iio_push_to_buffers_with_timestamp(indio_dev, +- buffer, pf->timestamp); ++ &data->scan, pf->timestamp); + else + dev_err(&data->client->dev, + "Trigger consumer can't read from sensor.\n"); diff --git a/queue-5.4/iio-light-st_uvis25-fix-timestamp-alignment-and-prevent-data-leak.patch b/queue-5.4/iio-light-st_uvis25-fix-timestamp-alignment-and-prevent-data-leak.patch new file mode 100644 index 00000000000..9b3a9a9611f --- /dev/null +++ b/queue-5.4/iio-light-st_uvis25-fix-timestamp-alignment-and-prevent-data-leak.patch 
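Review bot: `regmap_bulk_read()` is asked to write `(3 * 2) + 1` bytes through `data->scan.channels`, which is a 6-byte member, so the seventh byte lands in `garbage` only by virtue of the struct layout, and writes past a member like this are what bounds-checking tools tend to flag. Passing the enclosing object, `&data->scan,`, with a length of `sizeof(data->scan.channels) + sizeof(data->scan.garbage)` transfers the same bytes and makes the destination cover the whole read. The struct comment says the read puts garbage "into the padding", while it goes into the named `garbage` byte, which the description identifies as the device status byte that can then reach userspace; the comment could state that directly.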
@@ -0,0 +1,77 @@ +From d837a996f57c29a985177bc03b0e599082047f27 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 20 Sep 2020 12:27:36 +0100 +Subject: iio:light:st_uvis25: Fix timestamp alignment and prevent data leak. + +From: Jonathan Cameron + +commit d837a996f57c29a985177bc03b0e599082047f27 upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses an array of smaller elements on the stack. +As Lars also noted this anti pattern can involve a leak of data to +userspace and that indeed can happen here. We close both issues by +moving to a suitable structure in the iio_priv() + +This data is allocated with kzalloc() so no data can leak apart +from previous readings. + +A local unsigned int variable is used for the regmap call so it +is clear there is no potential issue with writing into the padding +of the structure. 
+ +Fixes: 3025c8688c1e ("iio: light: add support for UVIS25 sensor") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Reviewed-by: Alexandru Ardelean +Acked-by: Lorenzo Bianconi +Cc: +Link: https://lore.kernel.org/r/20200920112742.170751-3-jic23@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/light/st_uvis25.h | 5 +++++ + drivers/iio/light/st_uvis25_core.c | 8 +++++--- + 2 files changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/iio/light/st_uvis25.h ++++ b/drivers/iio/light/st_uvis25.h +@@ -27,6 +27,11 @@ struct st_uvis25_hw { + struct iio_trigger *trig; + bool enabled; + int irq; ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ u8 chan; ++ s64 ts __aligned(8); ++ } scan; + }; + + extern const struct dev_pm_ops st_uvis25_pm_ops; +--- a/drivers/iio/light/st_uvis25_core.c ++++ b/drivers/iio/light/st_uvis25_core.c +@@ -234,17 +234,19 @@ static const struct iio_buffer_setup_ops + + static irqreturn_t st_uvis25_buffer_handler_thread(int irq, void *p) + { +- u8 buffer[ALIGN(sizeof(u8), sizeof(s64)) + sizeof(s64)]; + struct iio_poll_func *pf = p; + struct iio_dev *iio_dev = pf->indio_dev; + struct st_uvis25_hw *hw = iio_priv(iio_dev); ++ unsigned int val; + int err; + +- err = regmap_read(hw->regmap, ST_UVIS25_REG_OUT_ADDR, (int *)buffer); ++ err = regmap_read(hw->regmap, ST_UVIS25_REG_OUT_ADDR, &val); + if (err < 0) + goto out; + +- iio_push_to_buffers_with_timestamp(iio_dev, buffer, ++ hw->scan.chan = val; ++ ++ iio_push_to_buffers_with_timestamp(iio_dev, &hw->scan, + iio_get_time_ns(iio_dev)); + + out: diff --git a/queue-5.4/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch b/queue-5.4/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch new file mode 100644 index 00000000000..467bcb9f30f --- /dev/null +++ b/queue-5.4/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch 
@@ -0,0 +1,74 @@ +From 89deb1334252ea4a8491d47654811e28b0790364 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 20 Sep 2020 12:27:37 +0100 +Subject: iio:magnetometer:mag3110: Fix alignment and data leak issues. + +From: Jonathan Cameron + +commit 89deb1334252ea4a8491d47654811e28b0790364 upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses an array of smaller elements on the stack. +As Lars also noted this anti pattern can involve a leak of data to +userspace and that indeed can happen here. We close both issues by +moving to a suitable structure in the iio_priv() data. +This data is allocated with kzalloc() so no data can leak apart from +previous readings. + +The explicit alignment of ts is not necessary in this case but +does make the code slightly less fragile so I have included it. + +Fixes: 39631b5f9584 ("iio: Add Freescale mag3110 magnetometer driver") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Reviewed-by: Alexandru Ardelean +Cc: +Link: https://lore.kernel.org/r/20200920112742.170751-4-jic23@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/magnetometer/mag3110.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/iio/magnetometer/mag3110.c ++++ b/drivers/iio/magnetometer/mag3110.c +@@ -56,6 +56,12 @@ struct mag3110_data { + int sleep_val; + struct regulator *vdd_reg; + struct regulator *vddio_reg; ++ /* Ensure natural alignment of timestamp */ ++ struct { ++ __be16 channels[3]; ++ u8 temperature; ++ s64 ts __aligned(8); ++ } scan; + }; + + static int mag3110_request(struct mag3110_data *data) +@@ -387,10 +393,9 @@ static irqreturn_t mag3110_trigger_handl + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + struct mag3110_data *data = iio_priv(indio_dev); +- u8 
buffer[16]; /* 3 16-bit channels + 1 byte temp + padding + ts */ + int ret; + +- ret = mag3110_read(data, (__be16 *) buffer); ++ ret = mag3110_read(data, data->scan.channels); + if (ret < 0) + goto done; + +@@ -399,10 +404,10 @@ static irqreturn_t mag3110_trigger_handl + MAG3110_DIE_TEMP); + if (ret < 0) + goto done; +- buffer[6] = ret; ++ data->scan.temperature = ret; + } + +- iio_push_to_buffers_with_timestamp(indio_dev, buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + iio_get_time_ns(indio_dev)); + + done: diff --git a/queue-5.4/iio-pressure-mpl3115-force-alignment-of-buffer.patch b/queue-5.4/iio-pressure-mpl3115-force-alignment-of-buffer.patch new file mode 100644 index 00000000000..59e1300dea1 --- /dev/null +++ b/queue-5.4/iio-pressure-mpl3115-force-alignment-of-buffer.patch 
@@ -0,0 +1,55 @@ +From 198cf32f0503d2ad60d320b95ef6fb8243db857f Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 20 Sep 2020 12:27:40 +0100 +Subject: iio:pressure:mpl3115: Force alignment of buffer + +From: Jonathan Cameron + +commit 198cf32f0503d2ad60d320b95ef6fb8243db857f upstream. + +Whilst this is another case of the issue Lars reported with +an array of elements of smaller than 8 bytes being passed +to iio_push_to_buffers_with_timestamp(), the solution here is +a bit different from the other cases and relies on __aligned +working on the stack (true since 4.6?) + +This one is unusual. We have to do an explicit memset() each time +as we are reading 3 bytes into a potential 4 byte channel which +may sometimes be a 2 byte channel depending on what is enabled. +As such, moving the buffer to the heap in the iio_priv structure +doesn't save us much. We can't use a nice explicit structure +on the stack either as the data channels have different storage +sizes and are all separately controlled. + +Fixes: cc26ad455f57 ("iio: Add Freescale MPL3115A2 pressure / temperature sensor driver") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Reviewed-by: Alexandru Ardelean +Cc: Peter Meerwald +Cc: +Link: https://lore.kernel.org/r/20200920112742.170751-7-jic23@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/pressure/mpl3115.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/iio/pressure/mpl3115.c ++++ b/drivers/iio/pressure/mpl3115.c +@@ -144,7 +144,14 @@ static irqreturn_t mpl3115_trigger_handl + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + struct mpl3115_data *data = iio_priv(indio_dev); +- u8 buffer[16]; /* 32-bit channel + 16-bit channel + padding + ts */ ++ /* ++ * 32-bit channel + 16-bit channel + padding + ts ++ * Note that it is possible for only one of the first 2 ++ * channels to be enabled. 
If that happens, the first element ++ * of the buffer may be either 16 or 32-bits. As such we cannot ++ * use a simple structure definition to express this data layout. ++ */ ++ u8 buffer[16] __aligned(8); + int ret, pos = 0; + + mutex_lock(&data->lock); diff --git a/queue-5.4/jfs-fix-array-index-bounds-check-in-dbadjtree.patch b/queue-5.4/jfs-fix-array-index-bounds-check-in-dbadjtree.patch new file mode 100644 index 00000000000..86d97eef2cd --- /dev/null +++ b/queue-5.4/jfs-fix-array-index-bounds-check-in-dbadjtree.patch @@ -0,0 +1,33 @@ +From c61b3e4839007668360ed8b87d7da96d2e59fc6c Mon Sep 17 00:00:00 2001 +From: Dave Kleikamp +Date: Fri, 13 Nov 2020 14:58:46 -0600 +Subject: jfs: Fix array index bounds check in dbAdjTree + +From: Dave Kleikamp + +commit c61b3e4839007668360ed8b87d7da96d2e59fc6c upstream. + +Bounds checking tools can flag a bug in dbAdjTree() for an array index +out of bounds in dmt_stree. Since dmt_stree can refer to the stree in +both structures dmaptree and dmapctl, use the larger array to eliminate +the false positive. + +Signed-off-by: Dave Kleikamp +Reported-by: butt3rflyh4ck +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jfs/jfs_dmap.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jfs/jfs_dmap.h ++++ b/fs/jfs/jfs_dmap.h +@@ -183,7 +183,7 @@ typedef union dmtree { + #define dmt_leafidx t1.leafidx + #define dmt_height t1.height + #define dmt_budmin t1.budmin +-#define dmt_stree t1.stree ++#define dmt_stree t2.stree + + /* + * on-disk aggregate disk allocation map descriptor. diff --git a/queue-5.4/libnvdimm-namespace-fix-reaping-of-invalidated-block-window-namespace-labels.patch b/queue-5.4/libnvdimm-namespace-fix-reaping-of-invalidated-block-window-namespace-labels.patch new file mode 100644 index 00000000000..252e0bea428 --- /dev/null +++ b/queue-5.4/libnvdimm-namespace-fix-reaping-of-invalidated-block-window-namespace-labels.patch 
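Review bot: The new comment on `u8 buffer[16] __aligned(8)` explains the layout but not why keeping the array on the stack is safe; the description says that relies on an explicit memset() before each scan, and that call is outside this hunk. Adding a line to the comment such as `* The buffer is cleared before every scan so no stack content reaches userspace.` would record the dependency next to the declaration. `mpl3115_trigger_handler()` continues past the hunk, so the memset and its length should be confirmed there.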
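Review bot: Pointing `dmt_stree` at `t2.stree` makes every access through the macro look in-bounds to a checker, including accesses on a union that really holds the smaller `t1` tree, so an index that overruns the smaller array would no longer be reported. The description treats the earlier report as a false positive; because this header sits alongside on-disk layout definitions, it is worth confirming, outside this hunk, that dbAdjTree() and the other users validate the leaf index against the tree actually in use. A comment on the define would record the reasoning, e.g. `/* t2.stree is the larger array; callers must bound the index for the tree in use */`.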
@@ -0,0 +1,65 @@ +From 2dd2a1740ee19cd2636d247276cf27bfa434b0e2 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Fri, 20 Nov 2020 08:50:07 -0800 +Subject: libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels + +From: Dan Williams + +commit 2dd2a1740ee19cd2636d247276cf27bfa434b0e2 upstream. + +A recent change to ndctl to attempt to reconfigure namespaces in place +uncovered a label accounting problem in block-window-type namespaces. +The ndctl "create.sh" test is able to trigger this signature: + + WARNING: CPU: 34 PID: 9167 at drivers/nvdimm/label.c:1100 __blk_label_update+0x9a3/0xbc0 [libnvdimm] + [..] + RIP: 0010:__blk_label_update+0x9a3/0xbc0 [libnvdimm] + [..] + Call Trace: + uuid_store+0x21b/0x2f0 [libnvdimm] + kernfs_fop_write+0xcf/0x1c0 + vfs_write+0xcc/0x380 + ksys_write+0x68/0xe0 + +When allocated capacity for a namespace is renamed (new UUID) the labels +with the old UUID need to be deleted. The ndctl behavior to always +destroy namespaces on reconfiguration hid this problem. + +The immediate impact of this bug is limited since block-window-type +namespaces only seem to exist in the specification and not in any +shipping products. However, the label handling code is being reused for +other technologies like CXL region labels, so there is a benefit to +making sure both vertical labels sets (block-window) and horizontal +label sets (pmem) have a functional reference implementation in +libnvdimm. 
+ +Fixes: c4703ce11c23 ("libnvdimm/namespace: Fix label tracking error") +Cc: +Cc: Vishal Verma +Cc: Dave Jiang +Cc: Ira Weiny +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/label.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/nvdimm/label.c ++++ b/drivers/nvdimm/label.c +@@ -980,6 +980,15 @@ static int __blk_label_update(struct nd_ + } + } + ++ /* release slots associated with any invalidated UUIDs */ ++ mutex_lock(&nd_mapping->lock); ++ list_for_each_entry_safe(label_ent, e, &nd_mapping->labels, list) ++ if (test_and_clear_bit(ND_LABEL_REAP, &label_ent->flags)) { ++ reap_victim(nd_mapping, label_ent); ++ list_move(&label_ent->list, &list); ++ } ++ mutex_unlock(&nd_mapping->lock); ++ + /* + * Find the resource associated with the first label in the set + * per the v1.2 namespace specification. diff --git a/queue-5.4/md-cluster-block-reshape-with-remote-resync-job.patch b/queue-5.4/md-cluster-block-reshape-with-remote-resync-job.patch new file mode 100644 index 00000000000..3610ba25068 --- /dev/null +++ b/queue-5.4/md-cluster-block-reshape-with-remote-resync-job.patch 
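Review bot: The `list_for_each_entry_safe()` added to `__blk_label_update()` has a multi-line `if` block as its body but no braces of its own, which kernel coding style asks for and which makes it easy for a later statement to fall silently outside the loop. Wrap the body, `list_for_each_entry_safe(label_ent, e, &nd_mapping->labels, list) {` with a closing `}` before `mutex_unlock()`. The reaped entries are moved onto the local `list`; where that list is drained and freed is outside the hunk, so it is worth confirming that every exit path after this point still does so.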
@@ -0,0 +1,78 @@ +From a8da01f79c89755fad55ed0ea96e8d2103242a72 Mon Sep 17 00:00:00 2001 +From: Zhao Heming +Date: Thu, 19 Nov 2020 19:41:33 +0800 +Subject: md/cluster: block reshape with remote resync job + +From: Zhao Heming + +commit a8da01f79c89755fad55ed0ea96e8d2103242a72 upstream. + +Reshape request should be blocked with ongoing resync job. In cluster +env, a node can start resync job even if the resync cmd isn't executed +on it, e.g., user executes "mdadm --grow" on node A, sometimes node B +will start resync job. However, current update_raid_disks() only check +local recovery status, which is incomplete. As a result, we see user will +execute "mdadm --grow" successfully on local, while the remote node deny +to do reshape job when it doing resync job. The inconsistent handling +cause array enter unexpected status. If user doesn't observe this issue +and continue executing mdadm cmd, the array doesn't work at last. + +Fix this issue by blocking reshape request. When node executes "--grow" +and detects ongoing resync, it should stop and report error to user. + +The following script reproduces the issue with ~100% probability. +(two nodes share 3 iSCSI luns: sdg/sdh/sdi. Each lun size is 1GB) +``` + # on node1, node2 is the remote node. 
+ssh root@node2 "mdadm -S --scan" +mdadm -S --scan +for i in {g,h,i};do dd if=/dev/zero of=/dev/sd$i oflag=direct bs=1M \ +count=20; done + +mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sdg /dev/sdh +ssh root@node2 "mdadm -A /dev/md0 /dev/sdg /dev/sdh" + +sleep 5 + +mdadm --manage --add /dev/md0 /dev/sdi +mdadm --wait /dev/md0 +mdadm --grow --raid-devices=3 /dev/md0 + +mdadm /dev/md0 --fail /dev/sdg +mdadm /dev/md0 --remove /dev/sdg +mdadm --grow --raid-devices=2 /dev/md0 +``` + +Cc: stable@vger.kernel.org +Signed-off-by: Zhao Heming +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7052,6 +7052,7 @@ static int update_raid_disks(struct mdde + return -EINVAL; + if (mddev->sync_thread || + test_bit(MD_RECOVERY_RUNNING, &mddev->recovery) || ++ test_bit(MD_RESYNCING_REMOTE, &mddev->recovery) || + mddev->reshape_position != MaxSector) + return -EBUSY; + +@@ -9423,8 +9424,11 @@ static void check_sb_changes(struct mdde + } + } + +- if (mddev->raid_disks != le32_to_cpu(sb->raid_disks)) +- update_raid_disks(mddev, le32_to_cpu(sb->raid_disks)); ++ if (mddev->raid_disks != le32_to_cpu(sb->raid_disks)) { ++ ret = update_raid_disks(mddev, le32_to_cpu(sb->raid_disks)); ++ if (ret) ++ pr_warn("md: updating array disks failed. %d\n", ret); ++ } + + /* + * Since mddev->delta_disks has already updated in update_raid_disks, diff --git a/queue-5.4/md-cluster-fix-deadlock-when-node-is-doing-resync-job.patch b/queue-5.4/md-cluster-fix-deadlock-when-node-is-doing-resync-job.patch new file mode 100644 index 00000000000..1186e2892b7 --- /dev/null +++ b/queue-5.4/md-cluster-fix-deadlock-when-node-is-doing-resync-job.patch 
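Review bot: In `check_sb_changes()` a failed `update_raid_disks()` is now only reported with pr_warn(), and execution continues into the block below, whose comment states that `mddev->delta_disks` "has already updated in update_raid_disks", which does not hold on the error path. The code after that comment is outside the hunk, so the effect needs confirming, but the follow-up reshape handling should probably be skipped when `ret` is non-zero. The warning would also be easier to act on with the array name included, e.g. `pr_warn("md: %s: updating array disks failed. %d\n", mdname(mddev), ret);`.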
@@ -0,0 +1,293 @@ +From bca5b0658020be90b6b504ca514fd80110204f71 Mon Sep 17 00:00:00 2001 +From: Zhao Heming +Date: Thu, 19 Nov 2020 19:41:34 +0800 +Subject: md/cluster: fix deadlock when node is doing resync job + +From: Zhao Heming + +commit bca5b0658020be90b6b504ca514fd80110204f71 upstream. + +md-cluster uses MD_CLUSTER_SEND_LOCK to make node can exclusively send msg. +During sending msg, node can concurrently receive msg from another node. +When node does resync job, grab token_lockres:EX may trigger a deadlock: +``` +nodeA nodeB +-------------------- -------------------- +a. +send METADATA_UPDATED +held token_lockres:EX + b. + md_do_sync + resync_info_update + send RESYNCING + + set MD_CLUSTER_SEND_LOCK + + wait for holding token_lockres:EX + + c. + mdadm /dev/md0 --remove /dev/sdg + + held reconfig_mutex + + send REMOVE + + wait_event(MD_CLUSTER_SEND_LOCK) + + d. + recv_daemon //METADATA_UPDATED from A + process_metadata_update + + (mddev_trylock(mddev) || + MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD) + //this time, both return false forever +``` +Explaination: +a. A send METADATA_UPDATED + This will block another node to send msg + +b. B does sync jobs, which will send RESYNCING at intervals. + This will be block for holding token_lockres:EX lock. + +c. B do "mdadm --remove", which will send REMOVE. + This will be blocked by step : MD_CLUSTER_SEND_LOCK is 1. + +d. B recv METADATA_UPDATED msg, which send from A in step . + This will be blocked by step : holding mddev lock, it makes + wait_event can't hold mddev lock. (btw, + MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD keep ZERO in this scenario.) + +There is a similar deadlock in commit 0ba959774e93 +("md-cluster: use sync way to handle METADATA_UPDATED msg") +In that commit, step c is "update sb". This patch step c is +"mdadm --remove". + +For fixing this issue, we can refer the solution of function: +metadata_update_start. Which does the same grab lock_token action. +lock_comm can use the same steps to avoid deadlock. 
By moving +MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD from lock_token to lock_comm. +It enlarge a little bit window of MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, +but it is safe & can break deadlock. + +Repro steps (I only triggered 3 times with hundreds tests): + +two nodes share 3 iSCSI luns: sdg/sdh/sdi. Each lun size is 1GB. +``` +ssh root@node2 "mdadm -S --scan" +mdadm -S --scan +for i in {g,h,i};do dd if=/dev/zero of=/dev/sd$i oflag=direct bs=1M \ +count=20; done + +mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sdg /dev/sdh \ + --bitmap-chunk=1M +ssh root@node2 "mdadm -A /dev/md0 /dev/sdg /dev/sdh" + +sleep 5 + +mkfs.xfs /dev/md0 +mdadm --manage --add /dev/md0 /dev/sdi +mdadm --wait /dev/md0 +mdadm --grow --raid-devices=3 /dev/md0 + +mdadm /dev/md0 --fail /dev/sdg +mdadm /dev/md0 --remove /dev/sdg +mdadm --grow --raid-devices=2 /dev/md0 +``` + +test script will hung when executing "mdadm --remove". + +``` + # dump stacks by "echo t > /proc/sysrq-trigger" +md0_cluster_rec D 0 5329 2 0x80004000 +Call Trace: + __schedule+0x1f6/0x560 + ? _cond_resched+0x2d/0x40 + ? schedule+0x4a/0xb0 + ? process_metadata_update.isra.0+0xdb/0x140 [md_cluster] + ? wait_woken+0x80/0x80 + ? process_recvd_msg+0x113/0x1d0 [md_cluster] + ? recv_daemon+0x9e/0x120 [md_cluster] + ? md_thread+0x94/0x160 [md_mod] + ? wait_woken+0x80/0x80 + ? md_congested+0x30/0x30 [md_mod] + ? kthread+0x115/0x140 + ? __kthread_bind_mask+0x60/0x60 + ? ret_from_fork+0x1f/0x40 + +mdadm D 0 5423 1 0x00004004 +Call Trace: + __schedule+0x1f6/0x560 + ? __schedule+0x1fe/0x560 + ? schedule+0x4a/0xb0 + ? lock_comm.isra.0+0x7b/0xb0 [md_cluster] + ? wait_woken+0x80/0x80 + ? remove_disk+0x4f/0x90 [md_cluster] + ? hot_remove_disk+0xb1/0x1b0 [md_mod] + ? md_ioctl+0x50c/0xba0 [md_mod] + ? wait_woken+0x80/0x80 + ? blkdev_ioctl+0xa2/0x2a0 + ? block_ioctl+0x39/0x40 + ? ksys_ioctl+0x82/0xc0 + ? __x64_sys_ioctl+0x16/0x20 + ? do_syscall_64+0x5f/0x150 + ? 
entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +md0_resync D 0 5425 2 0x80004000 +Call Trace: + __schedule+0x1f6/0x560 + ? schedule+0x4a/0xb0 + ? dlm_lock_sync+0xa1/0xd0 [md_cluster] + ? wait_woken+0x80/0x80 + ? lock_token+0x2d/0x90 [md_cluster] + ? resync_info_update+0x95/0x100 [md_cluster] + ? raid1_sync_request+0x7d3/0xa40 [raid1] + ? md_do_sync.cold+0x737/0xc8f [md_mod] + ? md_thread+0x94/0x160 [md_mod] + ? md_congested+0x30/0x30 [md_mod] + ? kthread+0x115/0x140 + ? __kthread_bind_mask+0x60/0x60 + ? ret_from_fork+0x1f/0x40 +``` + +At last, thanks for Xiao's solution. + +Cc: stable@vger.kernel.org +Signed-off-by: Zhao Heming +Suggested-by: Xiao Ni +Reviewed-by: Xiao Ni +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md-cluster.c | 67 +++++++++++++++++++++++++++--------------------- + drivers/md/md.c | 6 ++-- + 2 files changed, 42 insertions(+), 31 deletions(-) + +--- a/drivers/md/md-cluster.c ++++ b/drivers/md/md-cluster.c +@@ -664,9 +664,27 @@ out: + * Takes the lock on the TOKEN lock resource so no other + * node can communicate while the operation is underway. + */ +-static int lock_token(struct md_cluster_info *cinfo, bool mddev_locked) ++static int lock_token(struct md_cluster_info *cinfo) + { +- int error, set_bit = 0; ++ int error; ++ ++ error = dlm_lock_sync(cinfo->token_lockres, DLM_LOCK_EX); ++ if (error) { ++ pr_err("md-cluster(%s:%d): failed to get EX on TOKEN (%d)\n", ++ __func__, __LINE__, error); ++ } else { ++ /* Lock the receive sequence */ ++ mutex_lock(&cinfo->recv_mutex); ++ } ++ return error; ++} ++ ++/* lock_comm() ++ * Sets the MD_CLUSTER_SEND_LOCK bit to lock the send channel. 
++ */ ++static int lock_comm(struct md_cluster_info *cinfo, bool mddev_locked) ++{ ++ int rv, set_bit = 0; + struct mddev *mddev = cinfo->mddev; + + /* +@@ -677,34 +695,19 @@ static int lock_token(struct md_cluster_ + */ + if (mddev_locked && !test_bit(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, + &cinfo->state)) { +- error = test_and_set_bit_lock(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, ++ rv = test_and_set_bit_lock(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, + &cinfo->state); +- WARN_ON_ONCE(error); ++ WARN_ON_ONCE(rv); + md_wakeup_thread(mddev->thread); + set_bit = 1; + } +- error = dlm_lock_sync(cinfo->token_lockres, DLM_LOCK_EX); +- if (set_bit) +- clear_bit_unlock(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, &cinfo->state); + +- if (error) +- pr_err("md-cluster(%s:%d): failed to get EX on TOKEN (%d)\n", +- __func__, __LINE__, error); +- +- /* Lock the receive sequence */ +- mutex_lock(&cinfo->recv_mutex); +- return error; +-} +- +-/* lock_comm() +- * Sets the MD_CLUSTER_SEND_LOCK bit to lock the send channel. +- */ +-static int lock_comm(struct md_cluster_info *cinfo, bool mddev_locked) +-{ + wait_event(cinfo->wait, + !test_and_set_bit(MD_CLUSTER_SEND_LOCK, &cinfo->state)); +- +- return lock_token(cinfo, mddev_locked); ++ rv = lock_token(cinfo); ++ if (set_bit) ++ clear_bit_unlock(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, &cinfo->state); ++ return rv; + } + + static void unlock_comm(struct md_cluster_info *cinfo) +@@ -784,9 +787,11 @@ static int sendmsg(struct md_cluster_inf + { + int ret; + +- lock_comm(cinfo, mddev_locked); +- ret = __sendmsg(cinfo, cmsg); +- unlock_comm(cinfo); ++ ret = lock_comm(cinfo, mddev_locked); ++ if (!ret) { ++ ret = __sendmsg(cinfo, cmsg); ++ unlock_comm(cinfo); ++ } + return ret; + } + +@@ -1061,7 +1066,7 @@ static int metadata_update_start(struct + return 0; + } + +- ret = lock_token(cinfo, 1); ++ ret = lock_token(cinfo); + clear_bit_unlock(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, &cinfo->state); + return ret; + } +@@ -1255,7 +1260,10 @@ static void update_size(struct 
mddev *md + int raid_slot = -1; + + md_update_sb(mddev, 1); +- lock_comm(cinfo, 1); ++ if (lock_comm(cinfo, 1)) { ++ pr_err("%s: lock_comm failed\n", __func__); ++ return; ++ } + + memset(&cmsg, 0, sizeof(cmsg)); + cmsg.type = cpu_to_le32(METADATA_UPDATED); +@@ -1407,7 +1415,8 @@ static int add_new_disk(struct mddev *md + cmsg.type = cpu_to_le32(NEWDISK); + memcpy(cmsg.uuid, uuid, 16); + cmsg.raid_slot = cpu_to_le32(rdev->desc_nr); +- lock_comm(cinfo, 1); ++ if (lock_comm(cinfo, 1)) ++ return -EAGAIN; + ret = __sendmsg(cinfo, &cmsg); + if (ret) { + unlock_comm(cinfo); +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -6721,8 +6721,10 @@ static int hot_remove_disk(struct mddev + goto busy; + + kick_rdev: +- if (mddev_is_clustered(mddev)) +- md_cluster_ops->remove_disk(mddev, rdev); ++ if (mddev_is_clustered(mddev)) { ++ if (md_cluster_ops->remove_disk(mddev, rdev)) ++ goto busy; ++ } + + md_kick_rdev_from_array(rdev); + set_bit(MD_SB_CHANGE_DEVS, &mddev->sb_flags); diff --git a/queue-5.4/mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch b/queue-5.4/mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch new file mode 100644 index 00000000000..8a4f06e8ef7 --- /dev/null +++ b/queue-5.4/mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch 
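Review bot: lock_comm() now returns lock_token()'s error with MD_CLUSTER_SEND_LOCK still set, and every caller changed here (sendmsg, update_size, add_new_disk) skips unlock_comm() on that path. unlock_comm()'s body is outside the hunk, but if it is the only place that clears the bit, a single failed dlm_lock_sync() leaves all later senders blocked in the `wait_event()` at the top of lock_comm(). Before returning a non-zero rv, lock_comm() should release what it took: `clear_bit(MD_CLUSTER_SEND_LOCK, &cinfo->state);` followed by `wake_up(&cinfo->wait);`. Separately, add_new_disk maps every failure to -EAGAIN and update_size returns void after md_update_sb() has already run, so the original error code is lost in both.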
@@ -0,0 +1,75 @@
+From 639a82434f16a6df0ce0e7c8595976f1293940fd Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Tue, 24 Nov 2020 07:25:06 +0100
+Subject: mtd: parser: cmdline: Fix parsing of part-names with colons
+
+From: Sven Eckelmann
+
+commit 639a82434f16a6df0ce0e7c8595976f1293940fd upstream.
+
+Some devices (especially QCA ones) are already using hardcoded partition
+names with colons in it. The OpenMesh A62 for example provides following
+mtd relevant information via cmdline:
+
+ root=31:11 mtdparts=spi0.0:256k(0:SBL1),128k(0:MIBIB),384k(0:QSEE),64k(0:CDT),64k(0:DDRPARAMS),64k(0:APPSBLENV),512k(0:APPSBL),64k(0:ART),64k(custom),64k(0:KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive) rootfsname=rootfs rootwait
+
+The change to split only on the last colon between mtd-id and partitions
+will cause newpart to see following string for the first partition:
+
+ KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive)
+
+Such a partition list cannot be parsed and thus the device fails to boot.
+
+Avoid this behavior by making sure that the start of the first part-name
+("(") will also be the last byte the mtd-id split algorithm is using for
+its colon search.
+
+Fixes: eb13fa022741 ("mtd: parser: cmdline: Support MTD names containing one or more colons")
+Cc: stable@vger.kernel.org
+Cc: Ron Minnich
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20201124062506.185392-1-sven@narfation.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/parsers/cmdlinepart.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/parsers/cmdlinepart.c
++++ b/drivers/mtd/parsers/cmdlinepart.c
+@@ -218,7 +218,7 @@ static int mtdpart_setup_real(char *s)
+ struct cmdline_mtd_partition *this_mtd;
+ struct mtd_partition *parts;
+ int mtd_id_len, num_parts;
+- char *p, *mtd_id, *semicol;
++ char *p, *mtd_id, *semicol, *open_parenth;
+
+ /*
+ * Replace the first ';' by a NULL char so strrchr can work
+@@ -228,6 +228,14 @@ static int mtdpart_setup_real(char *s)
+ if (semicol)
+ *semicol = '\0';
+
++ /*
++ * make sure that part-names with ":" will not be handled as
++ * part of the mtd-id with an ":"
++ */
++ open_parenth = strchr(s, '(');
++ if (open_parenth)
++ *open_parenth = '\0';
++
+ mtd_id = s;
+
+ /*
+@@ -237,6 +245,10 @@ static int mtdpart_setup_real(char *s)
+ */
+ p = strrchr(s, ':');
+
++ /* Restore the '(' now. */
++ if (open_parenth)
++ *open_parenth = '(';
++
+ /* Restore the ';' now. */
+ if (semicol)
+ *semicol = ';';
diff --git a/queue-5.4/mtd-rawnand-meson-fix-meson_nfc_dma_buffer_release-arguments.patch b/queue-5.4/mtd-rawnand-meson-fix-meson_nfc_dma_buffer_release-arguments.patch
new file mode 100644
index 00000000000..8b580664768
--- /dev/null
+++ b/queue-5.4/mtd-rawnand-meson-fix-meson_nfc_dma_buffer_release-arguments.patch
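Review bot: The new comment in mtdpart_setup_real() explains the colon case but not the assumption the cut relies on, namely that '(' never occurs inside an mtd-id. With the string temporarily ended at the first '(', an id that contains one before its colon would make `strrchr(s, ':')` find nothing, and what happens then is decided by code outside the hunk. Since this parser works on the kernel command line, the comment should state the assumption, for example `/* mtd-ids must not contain '('; the first one starts the partition list */`.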
@@ -0,0 +1,34 @@
+From c13d845e9a69580424d40b7b101c37d4f71bcd63 Mon Sep 17 00:00:00 2001
+From: Sergei Antonov
+Date: Wed, 28 Oct 2020 12:49:40 +0300
+Subject: mtd: rawnand: meson: fix meson_nfc_dma_buffer_release() arguments
+
+From: Sergei Antonov
+
+commit c13d845e9a69580424d40b7b101c37d4f71bcd63 upstream.
+
+Arguments 'infolen' and 'datalen' to meson_nfc_dma_buffer_release() were mixed up.
+
+Fixes: 8fae856c53500 ("mtd: rawnand: meson: add support for Amlogic NAND flash controller")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sergei Antonov
+Acked-by: Liang Yang
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20201028094940.11765-1-saproj@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/raw/meson_nand.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/raw/meson_nand.c
++++ b/drivers/mtd/nand/raw/meson_nand.c
+@@ -510,7 +510,7 @@ static int meson_nfc_dma_buffer_setup(st
+ }
+
+ static void meson_nfc_dma_buffer_release(struct nand_chip *nand,
+- int infolen, int datalen,
++ int datalen, int infolen,
+ enum dma_data_direction dir)
+ {
+ struct meson_nfc *nfc = nand_get_controller_data(nand);
diff --git a/queue-5.4/mtd-rawnand-qcom-fix-dma-sync-on-flash_status-register-read.patch b/queue-5.4/mtd-rawnand-qcom-fix-dma-sync-on-flash_status-register-read.patch
new file mode 100644
index 00000000000..782ec5fb019
--- /dev/null
+++ b/queue-5.4/mtd-rawnand-qcom-fix-dma-sync-on-flash_status-register-read.patch
@@ -0,0 +1,37 @@
+From bc3686021122de953858a5be4cbf6e3f1d821e79 Mon Sep 17 00:00:00 2001
+From: Praveenkumar I
+Date: Fri, 9 Oct 2020 13:37:52 +0530
+Subject: mtd: rawnand: qcom: Fix DMA sync on FLASH_STATUS register read
+
+From: Praveenkumar I
+
+commit bc3686021122de953858a5be4cbf6e3f1d821e79 upstream.
+
+After each codeword NAND_FLASH_STATUS is read for possible operational
+failures. But there is no DMA sync for CPU operation before reading it
+and this leads to incorrect or older copy of DMA buffer in reg_read_buf.
+
+This patch adds the DMA sync on reg_read_buf for CPU before reading it.
+
+Fixes: 5bc36b2bf6e2 ("mtd: rawnand: qcom: check for operation errors in case of raw read")
+Cc: stable@vger.kernel.org
+Signed-off-by: Praveenkumar I
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/1602230872-25616-1-git-send-email-ipkumar@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/raw/qcom_nandc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/nand/raw/qcom_nandc.c
++++ b/drivers/mtd/nand/raw/qcom_nandc.c
+@@ -1570,6 +1570,8 @@ static int check_flash_errors(struct qco
+ struct qcom_nand_controller *nandc = get_qcom_nand_controller(chip);
+ int i;
+
++ nandc_read_buffer_sync(nandc, true);
++
+ for (i = 0; i < cw_cnt; i++) {
+ u32 flash = le32_to_cpu(nandc->reg_read_buf[i]);
+
diff --git a/queue-5.4/mtd-spinand-fix-oob-read.patch b/queue-5.4/mtd-spinand-fix-oob-read.patch
new file mode 100644
index 00000000000..892ae806ce7
--- /dev/null
+++ b/queue-5.4/mtd-spinand-fix-oob-read.patch
@@ -0,0 +1,35 @@
+From 868cbe2a6dcee451bd8f87cbbb2a73cf463b57e5 Mon Sep 17 00:00:00 2001
+From: Miquel Raynal
+Date: Thu, 1 Oct 2020 12:20:13 +0200
+Subject: mtd: spinand: Fix OOB read
+
+From: Miquel Raynal
+
+commit 868cbe2a6dcee451bd8f87cbbb2a73cf463b57e5 upstream.
+
+So far OOB have never been used in SPI-NAND, add the missing memcpy to
+make it work properly.
+
+Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20201001102014.20100-6-miquel.raynal@bootlin.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/spi/core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/mtd/nand/spi/core.c
++++ b/drivers/mtd/nand/spi/core.c
+@@ -317,6 +317,10 @@ static int spinand_write_to_cache_op(str
+ buf += ret;
+ }
+
++ if (req->ooblen)
++ memcpy(req->oobbuf.in, spinand->oobbuf + req->ooboffs,
++ req->ooblen);
++
+ return 0;
+ }
+
diff --git a/queue-5.4/pci-fix-pci_slot_release-null-pointer-dereference.patch b/queue-5.4/pci-fix-pci_slot_release-null-pointer-dereference.patch
new file mode 100644
index 00000000000..61ec3d129e2
--- /dev/null
+++ b/queue-5.4/pci-fix-pci_slot_release-null-pointer-dereference.patch
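Review bot: The inner hunk header names spinand_write_to_cache_op as the enclosing function, yet the subject is an OOB read fix and the added `memcpy()` stores into `req->oobbuf.in`. If that label is accurate, the backport has landed in the write path, where the request carries caller data to be written and a copy into its `in` pointer would overwrite the caller's buffer, which may be read-only. Confirm against the upstream commit that these lines belong in the read-from-cache function before this is queued. No check that `req->ooboffs + req->ooblen` stays within spinand->oobbuf is visible either; the function body starts outside the hunk, so the check may exist in a caller.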
@@ -0,0 +1,65 @@
+From 4684709bf81a2d98152ed6b610e3d5c403f9bced Mon Sep 17 00:00:00 2001
+From: Jubin Zhong
+Date: Wed, 2 Dec 2020 10:33:42 +0800
+Subject: PCI: Fix pci_slot_release() NULL pointer dereference
+
+From: Jubin Zhong
+
+commit 4684709bf81a2d98152ed6b610e3d5c403f9bced upstream.
+
+If kobject_init_and_add() fails, pci_slot_release() is called to delete
+slot->list from parent->slots. But slot->list hasn't been initialized
+yet, so we dereference a NULL pointer:
+
+ Unable to handle kernel NULL pointer dereference at virtual address
+00000000
+ ...
+ CPU: 10 PID: 1 Comm: swapper/0 Not tainted 4.4.240 #197
+ task: ffffeb398a45ef10 task.stack: ffffeb398a470000
+ PC is at __list_del_entry_valid+0x5c/0xb0
+ LR is at pci_slot_release+0x84/0xe4
+ ...
+ __list_del_entry_valid+0x5c/0xb0
+ pci_slot_release+0x84/0xe4
+ kobject_put+0x184/0x1c4
+ pci_create_slot+0x17c/0x1b4
+ __pci_hp_initialize+0x68/0xa4
+ pciehp_probe+0x1a4/0x2fc
+ pcie_port_probe_service+0x58/0x84
+ driver_probe_device+0x320/0x470
+
+Initialize slot->list before calling kobject_init_and_add() to avoid this.
+
+Fixes: 8a94644b440e ("PCI: Fix pci_create_slot() reference count leak")
+Link: https://lore.kernel.org/r/1606876422-117457-1-git-send-email-zhongjubin@huawei.com
+Signed-off-by: Jubin Zhong
+Signed-off-by: Bjorn Helgaas
+Cc: stable@vger.kernel.org # v5.9+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/slot.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/slot.c
++++ b/drivers/pci/slot.c
+@@ -308,6 +308,9 @@ placeholder:
+ goto err;
+ }
+
++ INIT_LIST_HEAD(&slot->list);
++ list_add(&slot->list, &parent->slots);
++
+ err = kobject_init_and_add(&slot->kobj, &pci_slot_ktype, NULL,
+ "%s", slot_name);
+ if (err) {
+@@ -315,9 +318,6 @@ placeholder:
+ goto err;
+ }
+
+- INIT_LIST_HEAD(&slot->list);
+- list_add(&slot->list, &parent->slots);
+-
+ down_read(&pci_bus_sem);
+ list_for_each_entry(dev, &parent->devices, bus_list)
+ if (PCI_SLOT(dev->devfn) == slot_nr)
diff --git a/queue-5.4/pinctrl-sunxi-always-call-chained_irq_-enter-exit-in-sunxi_pinctrl_irq_handler.patch b/queue-5.4/pinctrl-sunxi-always-call-chained_irq_-enter-exit-in-sunxi_pinctrl_irq_handler.patch
new file mode 100644
index 00000000000..74e7144d713
--- /dev/null
+++ b/queue-5.4/pinctrl-sunxi-always-call-chained_irq_-enter-exit-in-sunxi_pinctrl_irq_handler.patch
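Review bot: The reason `list_add()` must now come before `kobject_init_and_add()` is not recorded at the moved lines, so a later cleanup could move them back. A one-line comment such as `/* pci_slot_release() unlinks slot->list, so link it before the kobject can be put */` would keep the ordering in place. `INIT_LIST_HEAD(&slot->list);` directly before `list_add()` is also redundant, since list_add() sets both pointers. The slot is now reachable through parent->slots before its kobject is initialised; the locking that covers this is outside the hunk and should be confirmed to span both steps.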
@@ -0,0 +1,53 @@
+From a1158e36f876f6269978a4176e3a1d48d27fe7a1 Mon Sep 17 00:00:00 2001
+From: Yangtao Li
+Date: Tue, 10 Nov 2020 14:24:40 +0800
+Subject: pinctrl: sunxi: Always call chained_irq_{enter, exit} in sunxi_pinctrl_irq_handler
+
+From: Yangtao Li
+
+commit a1158e36f876f6269978a4176e3a1d48d27fe7a1 upstream.
+
+It is found on many allwinner soc that there is a low probability that
+the interrupt status cannot be read in sunxi_pinctrl_irq_handler. This
+will cause the interrupt status of a gpio bank to always be active on
+gic, preventing gic from responding to other spi interrupts correctly.
+
+So we should call the chained_irq_* each time enter sunxi_pinctrl_irq_handler().
+
+Signed-off-by: Yangtao Li
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/85263ce8b058e80cea25c6ad6383eb256ce96cc8.1604988979.git.frank@allwinnertech.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pinctrl/sunxi/pinctrl-sunxi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+@@ -1130,20 +1130,22 @@ static void sunxi_pinctrl_irq_handler(st
+ if (bank == pctl->desc->irq_banks)
+ return;
+
++ chained_irq_enter(chip, desc);
++
+ reg = sunxi_irq_status_reg_from_bank(pctl->desc, bank);
+ val = readl(pctl->membase + reg);
+
+ if (val) {
+ int irqoffset;
+
+- chained_irq_enter(chip, desc);
+ for_each_set_bit(irqoffset, &val, IRQ_PER_BANK) {
+ int pin_irq = irq_find_mapping(pctl->domain,
+ bank * IRQ_PER_BANK + irqoffset);
+ generic_handle_irq(pin_irq);
+ }
+- chained_irq_exit(chip, desc);
+ }
++
++ chained_irq_exit(chip, desc);
+ }
+
+ static int sunxi_pinctrl_add_function(struct sunxi_pinctrl *pctl,
diff --git a/queue-5.4/platform-x86-intel-vbtn-allow-switch-events-on-acer-switch-alpha-12.patch b/queue-5.4/platform-x86-intel-vbtn-allow-switch-events-on-acer-switch-alpha-12.patch
new file mode 100644
index 00000000000..84fdc9e54ff
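Review bot: The early `return` for `bank == pctl->desc->irq_banks` still sits above the new `chained_irq_enter()`, so that path leaves the handler without the enter/exit pair the subject says is always called. Whether the path is reachable depends on the bank lookup, which is outside the hunk; if it is, the parent interrupt would stay unacknowledged in the same way the commit message describes. Either move `chained_irq_enter(chip, desc);` above that check and route the early exit through `chained_irq_exit(chip, desc);`, or add a comment stating why the case cannot occur.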
--- /dev/null
+++ b/queue-5.4/platform-x86-intel-vbtn-allow-switch-events-on-acer-switch-alpha-12.patch
@@ -0,0 +1,44 @@
+From fe6000990394639ed374cb76c313be3640714f47 Mon Sep 17 00:00:00 2001
+From: Carlos Garnacho
+Date: Tue, 1 Dec 2020 14:57:27 +0100
+Subject: platform/x86: intel-vbtn: Allow switch events on Acer Switch Alpha 12
+
+From: Carlos Garnacho
+
+commit fe6000990394639ed374cb76c313be3640714f47 upstream.
+
+This 2-in-1 model (Product name: Switch SA5-271) features a SW_TABLET_MODE
+that works as it would be expected, both when detaching the keyboard and
+when folding it behind the tablet body.
+
+It used to work until the introduction of the allow list at
+commit 8169bd3e6e193 ("platform/x86: intel-vbtn: Switch to an allow-list
+for SW_TABLET_MODE reporting"). Add this model to it, so that the Virtual
+Buttons device announces the EV_SW features again.
+
+Fixes: 8169bd3e6e193 ("platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting")
+Cc: stable@vger.kernel.org
+Signed-off-by: Carlos Garnacho
+Link: https://lore.kernel.org/r/20201201135727.212917-1-carlosg@gnome.org
+Signed-off-by: Hans de Goede
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/platform/x86/intel-vbtn.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -203,6 +203,12 @@ static const struct dmi_system_id dmi_sw
+ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion 13 x360 PC"),
+ },
+ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Switch SA5-271"),
++ },
++ },
+ {} /* Array terminator */
+ };
+
diff --git a/queue-5.4/regulator-axp20x-fix-dldo2-voltage-control-register-mask-for-axp22x.patch b/queue-5.4/regulator-axp20x-fix-dldo2-voltage-control-register-mask-for-axp22x.patch
new file mode 100644
index 00000000000..e8f4955c74b
--- /dev/null
+++ b/queue-5.4/regulator-axp20x-fix-dldo2-voltage-control-register-mask-for-axp22x.patch
@@ -0,0 +1,41 @@
+From 291de1d102fafef0798cdad9666cd4f8da7da7cc Mon Sep 17 00:00:00 2001
+From: DingHua Ma
+Date: Tue, 1 Dec 2020 08:10:00 +0800
+Subject: regulator: axp20x: Fix DLDO2 voltage control register mask for AXP22x
+
+From: DingHua Ma
+
+commit 291de1d102fafef0798cdad9666cd4f8da7da7cc upstream.
+
+When I use the axp20x chip to power my SDIO device on the 5.4 kernel,
+the output voltage of DLDO2 is wrong. After comparing the register
+manual and source code of the chip, I found that the mask bit of the
+driver register of the port was wrong. I fixed this error by modifying
+the mask register of the source code. This error seems to be a copy
+error of the macro when writing the code. Now the voltage output of
+the DLDO2 port of axp20x is correct. My development environment is
+Allwinner A40I of arm architecture, and the kernel version is 5.4.
+
+Signed-off-by: DingHua Ma
+Reviewed-by: Chen-Yu Tsai
+Cc:
+Fixes: db4a555f7c4c ("regulator: axp20x: use defines for masks")
+Link: https://lore.kernel.org/r/20201201001000.22302-1-dinghua.ma.sz@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/regulator/axp20x-regulator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/regulator/axp20x-regulator.c
++++ b/drivers/regulator/axp20x-regulator.c
+@@ -596,7 +596,7 @@ static const struct regulator_desc axp22
+ AXP22X_DLDO1_V_OUT, AXP22X_DLDO1_V_OUT_MASK,
+ AXP22X_PWR_OUT_CTRL2, AXP22X_PWR_OUT_DLDO1_MASK),
+ AXP_DESC(AXP22X, DLDO2, "dldo2", "dldoin", 700, 3300, 100,
+- AXP22X_DLDO2_V_OUT, AXP22X_PWR_OUT_DLDO2_MASK,
++ AXP22X_DLDO2_V_OUT, AXP22X_DLDO2_V_OUT_MASK,
+ AXP22X_PWR_OUT_CTRL2, AXP22X_PWR_OUT_DLDO2_MASK),
+ AXP_DESC(AXP22X, DLDO3, "dldo3", "dldoin", 700, 3300, 100,
+ AXP22X_DLDO3_V_OUT, AXP22X_DLDO3_V_OUT_MASK,
diff --git a/queue-5.4/revert-ring-buffer-remove-have_64bit_aligned_access.patch b/queue-5.4/revert-ring-buffer-remove-have_64bit_aligned_access.patch
new file mode 100644
index 00000000000..9bd6387db60
--- /dev/null
+++ b/queue-5.4/revert-ring-buffer-remove-have_64bit_aligned_access.patch
@@ -0,0 +1,109 @@ +From adab66b71abfe206a020f11e561f4df41f0b2aba Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Mon, 14 Dec 2020 12:33:51 -0500 +Subject: Revert: "ring-buffer: Remove HAVE_64BIT_ALIGNED_ACCESS" + +From: Steven Rostedt (VMware) + +commit adab66b71abfe206a020f11e561f4df41f0b2aba upstream. + +It was believed that metag was the only architecture that required the ring +buffer to keep 8 byte words aligned on 8 byte architectures, and with its +removal, it was assumed that the ring buffer code did not need to handle +this case. It appears that sparc64 also requires this. + +The following was reported on a sparc64 boot up: + + kernel: futex hash table entries: 65536 (order: 9, 4194304 bytes, linear) + kernel: Running postponed tracer tests: + kernel: Testing tracer function: + kernel: Kernel unaligned access at TPC[552a20] trace_function+0x40/0x140 + kernel: Kernel unaligned access at TPC[552a24] trace_function+0x44/0x140 + kernel: Kernel unaligned access at TPC[552a20] trace_function+0x40/0x140 + kernel: Kernel unaligned access at TPC[552a24] trace_function+0x44/0x140 + kernel: Kernel unaligned access at TPC[552a20] trace_function+0x40/0x140 + kernel: PASSED + +Need to put back the 64BIT aligned code for the ring buffer. + +Link: https://lore.kernel.org/r/CADxRZqzXQRYgKc=y-KV=S_yHL+Y8Ay2mh5ezeZUnpRvg+syWKw@mail.gmail.com + +Cc: stable@vger.kernel.org +Fixes: 86b3de60a0b6 ("ring-buffer: Remove HAVE_64BIT_ALIGNED_ACCESS") +Reported-by: Anatoly Pugachev +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + arch/Kconfig | 16 ++++++++++++++++ + kernel/trace/ring_buffer.c | 17 +++++++++++++---- + 2 files changed, 29 insertions(+), 4 deletions(-) + +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -131,6 +131,22 @@ config UPROBES + managed by the kernel and kept transparent to the probed + application. 
) + ++config HAVE_64BIT_ALIGNED_ACCESS ++ def_bool 64BIT && !HAVE_EFFICIENT_UNALIGNED_ACCESS ++ help ++ Some architectures require 64 bit accesses to be 64 bit ++ aligned, which also requires structs containing 64 bit values ++ to be 64 bit aligned too. This includes some 32 bit ++ architectures which can do 64 bit accesses, as well as 64 bit ++ architectures without unaligned access. ++ ++ This symbol should be selected by an architecture if 64 bit ++ accesses are required to be 64 bit aligned in this way even ++ though it is not a 64 bit architecture. ++ ++ See Documentation/unaligned-memory-access.txt for more ++ information on the topic of unaligned memory accesses. ++ + config HAVE_EFFICIENT_UNALIGNED_ACCESS + bool + help +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -129,7 +129,16 @@ int ring_buffer_print_entry_header(struc + #define RB_ALIGNMENT 4U + #define RB_MAX_SMALL_DATA (RB_ALIGNMENT * RINGBUF_TYPE_DATA_TYPE_LEN_MAX) + #define RB_EVNT_MIN_SIZE 8U /* two 32bit words */ +-#define RB_ALIGN_DATA __aligned(RB_ALIGNMENT) ++ ++#ifndef CONFIG_HAVE_64BIT_ALIGNED_ACCESS ++# define RB_FORCE_8BYTE_ALIGNMENT 0 ++# define RB_ARCH_ALIGNMENT RB_ALIGNMENT ++#else ++# define RB_FORCE_8BYTE_ALIGNMENT 1 ++# define RB_ARCH_ALIGNMENT 8U ++#endif ++ ++#define RB_ALIGN_DATA __aligned(RB_ARCH_ALIGNMENT) + + /* define RINGBUF_TYPE_DATA for 'case RINGBUF_TYPE_DATA:' */ + #define RINGBUF_TYPE_DATA 0 ... 
RINGBUF_TYPE_DATA_TYPE_LEN_MAX +@@ -2367,7 +2376,7 @@ rb_update_event(struct ring_buffer_per_c + + event->time_delta = delta; + length -= RB_EVNT_HDR_SIZE; +- if (length > RB_MAX_SMALL_DATA) { ++ if (length > RB_MAX_SMALL_DATA || RB_FORCE_8BYTE_ALIGNMENT) { + event->type_len = 0; + event->array[0] = length; + } else +@@ -2382,11 +2391,11 @@ static unsigned rb_calculate_event_lengt + if (!length) + length++; + +- if (length > RB_MAX_SMALL_DATA) ++ if (length > RB_MAX_SMALL_DATA || RB_FORCE_8BYTE_ALIGNMENT) + length += sizeof(event.array[0]); + + length += RB_EVNT_HDR_SIZE; +- length = ALIGN(length, RB_ALIGNMENT); ++ length = ALIGN(length, RB_ARCH_ALIGNMENT); + + /* + * In case the time delta is larger than the 27 bits for it diff --git a/queue-5.4/rtc-ep93xx-fix-null-pointer-dereference-in-ep93xx_rtc_read_time.patch b/queue-5.4/rtc-ep93xx-fix-null-pointer-dereference-in-ep93xx_rtc_read_time.patch new file mode 100644 index 00000000000..a785bcc1305 --- /dev/null +++ b/queue-5.4/rtc-ep93xx-fix-null-pointer-dereference-in-ep93xx_rtc_read_time.patch 
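Review bot: `RB_FORCE_8BYTE_ALIGNMENT` is introduced without a comment, and its effect is split across rb_update_event() and rb_calculate_event_length(): when it is set, every event stores its length in `array[0]` even if it would fit the small-data encoding, apparently so that the payload keeps 8-byte alignment. A short comment at the `#ifndef CONFIG_HAVE_64BIT_ALIGNED_ACCESS` block would tie the two together, for example `/* always emit the length word; see rb_update_event() and rb_calculate_event_length() */`. The two `length > RB_MAX_SMALL_DATA || RB_FORCE_8BYTE_ALIGNMENT` conditions have to stay identical, otherwise the reserved size and the written header disagree, and that coupling deserves a note at one of them. Both functions start outside their hunks.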
@@ -0,0 +1,91 @@ +From 00c33482bb6110bce8110daa351f9b3baf4df7dc Mon Sep 17 00:00:00 2001 +From: Nikita Shubin +Date: Tue, 1 Dec 2020 12:55:07 +0300 +Subject: rtc: ep93xx: Fix NULL pointer dereference in ep93xx_rtc_read_time + +From: Nikita Shubin + +commit 00c33482bb6110bce8110daa351f9b3baf4df7dc upstream. + +Mismatch in probe platform_set_drvdata set's and method's that call +dev_get_platdata will result in "Unable to handle kernel NULL pointer +dereference", let's use according method for getting driver data after +platform_set_drvdata. + +8<--- cut here --- +Unable to handle kernel NULL pointer dereference at virtual address 00000000 +pgd = (ptrval) +[00000000] *pgd=00000000 +Internal error: Oops: 5 [#1] ARM +Modules linked in: +CPU: 0 PID: 1 Comm: swapper Not tainted 5.9.10-00003-g723e101e0037-dirty #4 +Hardware name: Technologic Systems TS-72xx SBC +PC is at ep93xx_rtc_read_time+0xc/0x2c +LR is at __rtc_read_time+0x4c/0x8c +[...] +[] (ep93xx_rtc_read_time) from [] (__rtc_read_time+0x4c/0x8c) +[] (__rtc_read_time) from [] (rtc_read_time+0x2c/0x4c) +[] (rtc_read_time) from [] (__rtc_read_alarm+0x28/0x358) +[] (__rtc_read_alarm) from [] (__rtc_register_device+0x124/0x2ec) +[] (__rtc_register_device) from [] (ep93xx_rtc_probe+0xa4/0xac) +[] (ep93xx_rtc_probe) from [] (platform_drv_probe+0x24/0x5c) +[] (platform_drv_probe) from [] (really_probe+0x218/0x374) +[] (really_probe) from [] (device_driver_attach+0x44/0x60) +[] (device_driver_attach) from [] (__driver_attach+0xb4/0xc0) +[] (__driver_attach) from [] (bus_for_each_dev+0x68/0xac) +[] (bus_for_each_dev) from [] (driver_attach+0x18/0x24) +[] (driver_attach) from [] (bus_add_driver+0x150/0x1b4) +[] (bus_add_driver) from [] (driver_register+0xb0/0xf4) +[] (driver_register) from [] (__platform_driver_register+0x30/0x48) +[] (__platform_driver_register) from [] (ep93xx_rtc_driver_init+0x10/0x1c) +[] (ep93xx_rtc_driver_init) from [] (do_one_initcall+0x7c/0x1c0) +[] (do_one_initcall) from [] 
(kernel_init_freeable+0x168/0x1ac) +[] (kernel_init_freeable) from [] (kernel_init+0x8/0xf4) +[] (kernel_init) from [] (ret_from_fork+0x14/0x34) +Exception stack(0xc441dfb0 to 0xc441dff8) +dfa0: 00000000 00000000 00000000 00000000 +dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +dfe0: 00000000 00000000 00000000 00000000 00000013 00000000 +Code: e12fff1e e92d4010 e590303c e1a02001 (e5933000) +---[ end trace c914d6030eaa95c8 ]--- + +Fixes: b809d192eb98 ("rtc: ep93xx: stop setting platform_data") +Signed-off-by: Nikita Shubin +Signed-off-by: Alexandre Belloni +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20201201095507.10317-1-nikita.shubin@maquefel.me +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-ep93xx.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/rtc/rtc-ep93xx.c ++++ b/drivers/rtc/rtc-ep93xx.c +@@ -33,7 +33,7 @@ struct ep93xx_rtc { + static int ep93xx_rtc_get_swcomp(struct device *dev, unsigned short *preload, + unsigned short *delete) + { +- struct ep93xx_rtc *ep93xx_rtc = dev_get_platdata(dev); ++ struct ep93xx_rtc *ep93xx_rtc = dev_get_drvdata(dev); + unsigned long comp; + + comp = readl(ep93xx_rtc->mmio_base + EP93XX_RTC_SWCOMP); +@@ -51,7 +51,7 @@ static int ep93xx_rtc_get_swcomp(struct + + static int ep93xx_rtc_read_time(struct device *dev, struct rtc_time *tm) + { +- struct ep93xx_rtc *ep93xx_rtc = dev_get_platdata(dev); ++ struct ep93xx_rtc *ep93xx_rtc = dev_get_drvdata(dev); + unsigned long time; + + time = readl(ep93xx_rtc->mmio_base + EP93XX_RTC_DATA); +@@ -62,7 +62,7 @@ static int ep93xx_rtc_read_time(struct d + + static int ep93xx_rtc_set_time(struct device *dev, struct rtc_time *tm) + { +- struct ep93xx_rtc *ep93xx_rtc = dev_get_platdata(dev); ++ struct ep93xx_rtc *ep93xx_rtc = dev_get_drvdata(dev); + unsigned long secs = rtc_tm_to_time64(tm); + + writel(secs + 1, ep93xx_rtc->mmio_base + EP93XX_RTC_LOAD); 
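Review bot: The three accessors now depend on driver data being set before the RTC is registered, because the trace in the description shows ep93xx_rtc_read_time() being reached from __rtc_register_device() inside ep93xx_rtc_probe(). The probe function is outside these hunks, so the order of `platform_set_drvdata()` and registration cannot be checked here and should be confirmed for the 5.4 tree. None of the three functions checks the pointer before `readl()` or `writel()` on `ep93xx_rtc->mmio_base`, so a wrong order would fault exactly as before.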
diff --git a/queue-5.4/scsi-lpfc-fix-invalid-sleeping-context-in-lpfc_sli4_nvmet_alloc.patch b/queue-5.4/scsi-lpfc-fix-invalid-sleeping-context-in-lpfc_sli4_nvmet_alloc.patch
new file mode 100644
index 00000000000..db7d58529cb
--- /dev/null
+++ b/queue-5.4/scsi-lpfc-fix-invalid-sleeping-context-in-lpfc_sli4_nvmet_alloc.patch
@@ -0,0 +1,102 @@ +From 62e3a931db60daf94fdb3159d685a5bc6ad4d0cf Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Tue, 20 Oct 2020 13:27:11 -0700 +Subject: scsi: lpfc: Fix invalid sleeping context in lpfc_sli4_nvmet_alloc() + +From: James Smart + +commit 62e3a931db60daf94fdb3159d685a5bc6ad4d0cf upstream. + +The following calltrace was seen: + +BUG: sleeping function called from invalid context at mm/slab.h:494 +... +Call Trace: + dump_stack+0x9a/0xf0 + ___might_sleep.cold.63+0x13d/0x178 + slab_pre_alloc_hook+0x6a/0x90 + kmem_cache_alloc_trace+0x3a/0x2d0 + lpfc_sli4_nvmet_alloc+0x4c/0x280 [lpfc] + lpfc_post_rq_buffer+0x2e7/0xa60 [lpfc] + lpfc_sli4_hba_setup+0x6b4c/0xa4b0 [lpfc] + lpfc_pci_probe_one_s4.isra.15+0x14f8/0x2280 [lpfc] + lpfc_pci_probe_one+0x260/0x2880 [lpfc] + local_pci_probe+0xd4/0x180 + work_for_cpu_fn+0x51/0xa0 + process_one_work+0x8f0/0x17b0 + worker_thread+0x536/0xb50 + kthread+0x30c/0x3d0 + ret_from_fork+0x3a/0x50 + +A prior patch introduced a spin_lock_irqsave(hbalock) in the +lpfc_post_rq_buffer() routine. Call trace is seen as the hbalock is held +with interrupts disabled during a GFP_KERNEL allocation in +lpfc_sli4_nvmet_alloc(). + +Fix by reordering locking so that hbalock not held when calling +sli4_nvmet_alloc() (aka rqb_buf_list()). + +Link: https://lore.kernel.org/r/20201020202719.54726-2-james.smart@broadcom.com +Fixes: 411de511c694 ("scsi: lpfc: Fix RQ empty firmware trap") +Cc: # v4.17+ +Co-developed-by: Dick Kennedy +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc_mem.c | 4 +--- + drivers/scsi/lpfc/lpfc_sli.c | 10 ++++++++-- + 2 files changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_mem.c ++++ b/drivers/scsi/lpfc/lpfc_mem.c +@@ -593,8 +593,6 @@ lpfc_sli4_rb_free(struct lpfc_hba *phba, + * Description: Allocates a DMA-mapped receive buffer from the lpfc_hrb_pool PCI + * pool along a non-DMA-mapped container for it. + * +- * Notes: Not interrupt-safe. Must be called with no locks held. +- * + * Returns: + * pointer to HBQ on success + * NULL on failure +@@ -604,7 +602,7 @@ lpfc_sli4_nvmet_alloc(struct lpfc_hba *p + { + struct rqb_dmabuf *dma_buf; + +- dma_buf = kzalloc(sizeof(struct rqb_dmabuf), GFP_KERNEL); ++ dma_buf = kzalloc(sizeof(*dma_buf), GFP_KERNEL); + if (!dma_buf) + return NULL; + +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -7102,12 +7102,16 @@ lpfc_post_rq_buffer(struct lpfc_hba *phb + struct rqb_dmabuf *rqb_buffer; + LIST_HEAD(rqb_buf_list); + +- spin_lock_irqsave(&phba->hbalock, flags); + rqbp = hrq->rqbp; + for (i = 0; i < count; i++) { ++ spin_lock_irqsave(&phba->hbalock, flags); + /* IF RQ is already full, don't bother */ +- if (rqbp->buffer_count + i >= rqbp->entry_count - 1) ++ if (rqbp->buffer_count + i >= rqbp->entry_count - 1) { ++ spin_unlock_irqrestore(&phba->hbalock, flags); + break; ++ } ++ spin_unlock_irqrestore(&phba->hbalock, flags); ++ + rqb_buffer = rqbp->rqb_alloc_buffer(phba); + if (!rqb_buffer) + break; +@@ -7116,6 +7120,8 @@ lpfc_post_rq_buffer(struct lpfc_hba *phb + rqb_buffer->idx = idx; + list_add_tail(&rqb_buffer->hbuf.list, &rqb_buf_list); + } ++ ++ spin_lock_irqsave(&phba->hbalock, flags); + while (!list_empty(&rqb_buf_list)) { + list_remove_head(&rqb_buf_list, rqb_buffer, struct rqb_dmabuf, + hbuf.list); 
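Review bot: The lpfc_mem.c hunk deletes the "Notes: Not interrupt-safe. Must be called with no locks held." line from the lpfc_sli4_nvmet_alloc() header, yet the function still allocates with `GFP_KERNEL`, so the constraint it documented is the one whose violation produced the trace in this commit. I would keep it, reworded, e.g. ` * Notes: May sleep (GFP_KERNEL); must not be called with hbalock or any other spinlock held.` Separately, in lpfc_post_rq_buffer() the RQ-full test now runs under hbalock but the lock is dropped before the allocation, so buffer_count can change before the posting loop retakes the lock. A short comment saying the test only caps how many buffers get allocated would help, assuming the posting loop (which continues outside this hunk) copes with a queue that filled in the meantime.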
diff --git a/queue-5.4/scsi-lpfc-re-fix-use-after-free-in-lpfc_rq_buf_free.patch b/queue-5.4/scsi-lpfc-re-fix-use-after-free-in-lpfc_rq_buf_free.patch new file mode 100644 index 00000000000..7b8fe1ebab6 --- /dev/null +++ b/queue-5.4/scsi-lpfc-re-fix-use-after-free-in-lpfc_rq_buf_free.patch 
@@ -0,0 +1,46 @@ +From e5785d3ec32f5f44dd88cd7b398e496742630469 Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Tue, 20 Oct 2020 13:27:13 -0700 +Subject: scsi: lpfc: Re-fix use after free in lpfc_rq_buf_free() + +From: James Smart + +commit e5785d3ec32f5f44dd88cd7b398e496742630469 upstream. + +Commit 9816ef6ecbc1 ("scsi: lpfc: Use after free in lpfc_rq_buf_free()") +was made to correct a use after free condition in lpfc_rq_buf_free(). +Unfortunately, a subsequent patch cut on a tree without the fix +inadvertently reverted the fix. + +Put the fix back: Move the freeing of the rqb_entry to after the print +function that references it. + +Link: https://lore.kernel.org/r/20201020202719.54726-4-james.smart@broadcom.com +Fixes: 411de511c694 ("scsi: lpfc: Fix RQ empty firmware trap") +Cc: # v4.17+ +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc_mem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/lpfc/lpfc_mem.c ++++ b/drivers/scsi/lpfc/lpfc_mem.c +@@ -725,7 +725,6 @@ lpfc_rq_buf_free(struct lpfc_hba *phba, + drqe.address_hi = putPaddrHigh(rqb_entry->dbuf.phys); + rc = lpfc_sli4_rq_put(rqb_entry->hrq, rqb_entry->drq, &hrqe, &drqe); + if (rc < 0) { +- (rqbp->rqb_free_buffer)(phba, rqb_entry); + lpfc_printf_log(phba, KERN_ERR, LOG_INIT, + "6409 Cannot post to HRQ %d: %x %x %x " + "DRQ %x %x\n", +@@ -735,6 +734,7 @@ lpfc_rq_buf_free(struct lpfc_hba *phba, + rqb_entry->hrq->entry_count, + rqb_entry->drq->host_index, + rqb_entry->drq->hba_index); ++ (rqbp->rqb_free_buffer)(phba, rqb_entry); + } else { + list_add_tail(&rqb_entry->hbuf.list, &rqbp->rqb_buffer_list); + rqbp->buffer_count++; diff --git a/queue-5.4/scsi-qla2xxx-fix-crash-during-driver-load-on-big-endian-machines.patch b/queue-5.4/scsi-qla2xxx-fix-crash-during-driver-load-on-big-endian-machines.patch new file mode 100644 index 00000000000..091e2f85b20 --- /dev/null 
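Review bot: Nothing in the new code marks the ordering that this commit restores in lpfc_rq_buf_free(): the `(rqbp->rqb_free_buffer)(phba, rqb_entry);` call has to stay after lpfc_printf_log() because the log arguments dereference rqb_entry->hrq and rqb_entry->drq. The description says the first fix was reverted by accident, so a one-line comment above the call, `/* free last: the log call above reads rqb_entry */`, would guard against another accidental revert. The same applies to the moved `spi_master_put(master);` in davinci_spi_remove() later in this series, where `/* must be last: dspi is freed with the master */` would do. Both functions start outside their hunks.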
+++ b/queue-5.4/scsi-qla2xxx-fix-crash-during-driver-load-on-big-endian-machines.patch 
@@ -0,0 +1,89 @@ +From 8de309e7299a00b3045fb274f82b326f356404f0 Mon Sep 17 00:00:00 2001 +From: Arun Easi +Date: Wed, 2 Dec 2020 05:23:04 -0800 +Subject: scsi: qla2xxx: Fix crash during driver load on big endian machines + +From: Arun Easi + +commit 8de309e7299a00b3045fb274f82b326f356404f0 upstream. + +Crash stack: + [576544.715489] Unable to handle kernel paging request for data at address 0xd00000000f970000 + [576544.715497] Faulting instruction address: 0xd00000000f880f64 + [576544.715503] Oops: Kernel access of bad area, sig: 11 [#1] + [576544.715506] SMP NR_CPUS=2048 NUMA pSeries + : + [576544.715703] NIP [d00000000f880f64] .qla27xx_fwdt_template_valid+0x94/0x100 [qla2xxx] + [576544.715722] LR [d00000000f7952dc] .qla24xx_load_risc_flash+0x2fc/0x590 [qla2xxx] + [576544.715726] Call Trace: + [576544.715731] [c0000004d0ffb000] [c0000006fe02c350] 0xc0000006fe02c350 (unreliable) + [576544.715750] [c0000004d0ffb080] [d00000000f7952dc] .qla24xx_load_risc_flash+0x2fc/0x590 [qla2xxx] + [576544.715770] [c0000004d0ffb170] [d00000000f7aa034] .qla81xx_load_risc+0x84/0x1a0 [qla2xxx] + [576544.715789] [c0000004d0ffb210] [d00000000f79f7c8] .qla2x00_setup_chip+0xc8/0x910 [qla2xxx] + [576544.715808] [c0000004d0ffb300] [d00000000f7a631c] .qla2x00_initialize_adapter+0x4dc/0xb00 [qla2xxx] + [576544.715826] [c0000004d0ffb3e0] [d00000000f78ce28] .qla2x00_probe_one+0xf08/0x2200 [qla2xxx] + +Link: https://lore.kernel.org/r/20201202132312.19966-8-njavali@marvell.com +Fixes: f73cb695d3ec ("[SCSI] qla2xxx: Add support for ISP2071.") +Cc: stable@vger.kernel.org +Reviewed-by: Himanshu Madhani +Signed-off-by: Arun Easi +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_tmpl.c | 9 +++++---- + drivers/scsi/qla2xxx/qla_tmpl.h | 2 +- + 2 files changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_tmpl.c ++++ b/drivers/scsi/qla2xxx/qla_tmpl.c +@@ -910,7 +910,8 @@ qla27xx_template_checksum(void *p, ulong + static inline int + qla27xx_verify_template_checksum(struct qla27xx_fwdt_template *tmp) + { +- return qla27xx_template_checksum(tmp, tmp->template_size) == 0; ++ return qla27xx_template_checksum(tmp, ++ le32_to_cpu(tmp->template_size)) == 0; + } + + static inline int +@@ -926,7 +927,7 @@ qla27xx_execute_fwdt_template(struct scs + ulong len = 0; + + if (qla27xx_fwdt_template_valid(tmp)) { +- len = tmp->template_size; ++ len = le32_to_cpu(tmp->template_size); + tmp = memcpy(buf, tmp, len); + ql27xx_edit_template(vha, tmp); + qla27xx_walk_template(vha, tmp, buf, &len); +@@ -942,7 +943,7 @@ qla27xx_fwdt_calculate_dump_size(struct + ulong len = 0; + + if (qla27xx_fwdt_template_valid(tmp)) { +- len = tmp->template_size; ++ len = le32_to_cpu(tmp->template_size); + qla27xx_walk_template(vha, tmp, NULL, &len); + } + +@@ -954,7 +955,7 @@ qla27xx_fwdt_template_size(void *p) + { + struct qla27xx_fwdt_template *tmp = p; + +- return tmp->template_size; ++ return le32_to_cpu(tmp->template_size); + } + + int +--- a/drivers/scsi/qla2xxx/qla_tmpl.h ++++ b/drivers/scsi/qla2xxx/qla_tmpl.h +@@ -13,7 +13,7 @@ + struct __packed qla27xx_fwdt_template { + __le32 template_type; + __le32 entry_offset; +- uint32_t template_size; ++ __le32 template_size; + uint32_t count; /* borrow field for running/residual count */ + + __le32 entry_count; diff --git a/queue-5.4/series b/queue-5.4/series index df3543a1bea..693ab290573 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
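Review bot: `len = le32_to_cpu(tmp->template_size);` in qla27xx_execute_fwdt_template() goes straight into `memcpy(buf, tmp, len)`, and qla27xx_verify_template_checksum() sums that same number of bytes, so the length is now decoded correctly but still comes from the header of the template being validated. Nothing in these hunks compares it with the size of the loaded image or of buf; that may happen in qla27xx_fwdt_template_valid() or in the callers, which are outside the hunks. If it does not, a corrupt template could still drive a similar out-of-range access on any endianness. At minimum I would document the field, `__le32 template_size; /* from image: bound against loaded length before use */`, and confirm that the callers of qla27xx_fwdt_template_size() enforce that bound.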
@@ -394,3 +394,61 @@ smb3-avoid-confusing-warning-message-on-mount-to-azure.patch ubifs-wbuf-don-t-leak-kernel-memory-to-flash.patch jffs2-fix-gc-exit-abnormally.patch jffs2-fix-ignoring-mounting-options-problem-during-remounting.patch +jfs-fix-array-index-bounds-check-in-dbadjtree.patch +drm-amd-display-honor-the-offset-for-plane-0.patch +drm-amd-display-fix-memory-leaks-in-s3-resume.patch +drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch +drm-i915-fix-mismatch-between-misplaced-vma-check-and-vma-insert.patch +spi-pxa2xx-fix-use-after-free-on-unbind.patch +spi-spi-sh-fix-use-after-free-on-unbind.patch +spi-atmel-quadspi-fix-use-after-free-on-unbind.patch +spi-davinci-fix-use-after-free-on-unbind.patch +spi-fsl-fix-use-of-spisel_boot-signal-on-mpc8309.patch +spi-gpio-don-t-leak-spi-master-in-probe-error-path.patch +spi-mxic-don-t-leak-spi-master-in-probe-error-path.patch +spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch +spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch +spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch +spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch +spi-synquacer-disable-clock-in-probe-error-path.patch +spi-mt7621-disable-clock-in-probe-error-path.patch +spi-mt7621-don-t-leak-spi-master-in-probe-error-path.patch +spi-atmel-quadspi-disable-clock-in-probe-error-path.patch +spi-atmel-quadspi-fix-ahb-memory-accesses.patch +soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch +mtd-spinand-fix-oob-read.patch +mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch +mtd-rawnand-qcom-fix-dma-sync-on-flash_status-register-read.patch +mtd-rawnand-meson-fix-meson_nfc_dma_buffer_release-arguments.patch +scsi-qla2xxx-fix-crash-during-driver-load-on-big-endian-machines.patch +scsi-lpfc-fix-invalid-sleeping-context-in-lpfc_sli4_nvmet_alloc.patch +scsi-lpfc-re-fix-use-after-free-in-lpfc_rq_buf_free.patch +iio-buffer-fix-demux-update.patch 
+iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch +iio-light-rpr0521-fix-timestamp-alignment-and-prevent-data-leak.patch +iio-light-st_uvis25-fix-timestamp-alignment-and-prevent-data-leak.patch +iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch +iio-pressure-mpl3115-force-alignment-of-buffer.patch +iio-imu-bmi160-fix-too-large-a-buffer.patch +iio-adc-ti-ads124s08-fix-buffer-being-too-long.patch +iio-adc-ti-ads124s08-fix-alignment-and-data-leak-issues.patch +md-cluster-block-reshape-with-remote-resync-job.patch +md-cluster-fix-deadlock-when-node-is-doing-resync-job.patch +pinctrl-sunxi-always-call-chained_irq_-enter-exit-in-sunxi_pinctrl_irq_handler.patch +clk-ingenic-fix-divider-calculation-with-div-tables.patch +clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch +clk-tegra-do-not-return-0-on-failure.patch +device-dax-core-fix-memory-leak-when-rmmod-dax.ko.patch +dma-buf-dma-resv-respect-num_fences-when-initializing-the-shared-fence-list.patch +xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch +xen-xenbus-allow-watches-discard-events-before-queueing.patch +xen-xenbus-add-will_handle-callback-support-in-xenbus_watch_path.patch +xen-xenbus-xen_bus_type-support-will_handle-watch-callback.patch +xen-xenbus-count-pending-messages-for-each-watch.patch +xenbus-xenbus_backend-disallow-pending-watch-messages.patch +libnvdimm-namespace-fix-reaping-of-invalidated-block-window-namespace-labels.patch +platform-x86-intel-vbtn-allow-switch-events-on-acer-switch-alpha-12.patch +pci-fix-pci_slot_release-null-pointer-dereference.patch +regulator-axp20x-fix-dldo2-voltage-control-register-mask-for-axp22x.patch +rtc-ep93xx-fix-null-pointer-dereference-in-ep93xx_rtc_read_time.patch +revert-ring-buffer-remove-have_64bit_aligned_access.patch 
diff --git a/queue-5.4/soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch b/queue-5.4/soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch
new file mode 100644
index 00000000000..f8e9a664c01
--- /dev/null
+++ b/queue-5.4/soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch
@@ -0,0 +1,55 @@
+From fc3e62e25c3896855b7c3d72df19ca6be3459c9f Mon Sep 17 00:00:00 2001
+From: Evan Green
+Date: Tue, 29 Sep 2020 13:30:57 -0700
+Subject: soc: qcom: smp2p: Safely acquire spinlock without IRQs
+
+From: Evan Green
+
+commit fc3e62e25c3896855b7c3d72df19ca6be3459c9f upstream.
+
+smp2p_update_bits() should disable interrupts when it acquires its
+spinlock. This is important because without the _irqsave, a priority
+inversion can occur.
+
+This function is called both with interrupts enabled in
+qcom_q6v5_request_stop(), and with interrupts disabled in
+ipa_smp2p_panic_notifier(). IRQ handling of spinlocks should be
+consistent to avoid the panic notifier deadlocking because it's
+sitting on the thread that's already got the lock via _request_stop().
+
+Found via lockdep.
+
+Cc: stable@vger.kernel.org
+Fixes: 50e99641413e7 ("soc: qcom: smp2p: Qualcomm Shared Memory Point to Point")
+Reviewed-by: Bjorn Andersson
+Reviewed-by: Stephen Boyd
+Signed-off-by: Evan Green
+Link: https://lore.kernel.org/r/20200929133040.RESEND.1.Ideabf6dcdfc577cf39ce3d95b0e4aa1ac8b38f0c@changeid
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/soc/qcom/smp2p.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/soc/qcom/smp2p.c
++++ b/drivers/soc/qcom/smp2p.c
+@@ -318,15 +318,16 @@ static int qcom_smp2p_inbound_entry(stru
+ static int smp2p_update_bits(void *data, u32 mask, u32 value)
+ {
+ struct smp2p_entry *entry = data;
++ unsigned long flags;
+ u32 orig;
+ u32 val;
+
+- spin_lock(&entry->lock);
++ spin_lock_irqsave(&entry->lock, flags);
+ val = orig = readl(entry->value);
+ val &= ~mask;
+ val |= value;
+ writel(val, entry->value);
+- spin_unlock(&entry->lock);
++ spin_unlock_irqrestore(&entry->lock, flags);
+
+ if (val != orig)
+ qcom_smp2p_kick(entry->smp2p);
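Review bot: smp2p_update_bits() gets no comment explaining why the lock must be taken with `spin_lock_irqsave()`; the reason lives only in the commit message. The description names callers that run with interrupts enabled and a panic notifier that runs with them disabled, so a line above the lock such as `/* called with IRQs on and from the panic notifier with IRQs off: keep irqsave */` would stop a later cleanup from switching back to the plain variant. The function's tail lies outside the hunk.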
diff --git a/queue-5.4/spi-atmel-quadspi-disable-clock-in-probe-error-path.patch b/queue-5.4/spi-atmel-quadspi-disable-clock-in-probe-error-path.patch new file mode 100644 index 00000000000..84ea28c5ea7 --- /dev/null +++ b/queue-5.4/spi-atmel-quadspi-disable-clock-in-probe-error-path.patch @@ -0,0 +1,38 @@ +From 0e685017c7ba1a2fe9f6f1e7a9302890747d934c Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Sun, 8 Nov 2020 23:41:00 +0100 +Subject: spi: atmel-quadspi: Disable clock in probe error path + +From: Lukas Wunner + +commit 0e685017c7ba1a2fe9f6f1e7a9302890747d934c upstream. + +If the call to of_device_get_match_data() fails on probe of the Atmel +QuadSPI driver, the clock "aq->pclk" is erroneously not unprepared and +disabled. Fix it. + +Fixes: 2e5c88887358 ("spi: atmel-quadspi: add support for sam9x60 qspi controller") +Signed-off-by: Lukas Wunner +Cc: # v5.1+ +Cc: Tudor Ambarus +Cc: Boris Brezillon +Reviewed-by: Tudor Ambarus +Link: https://lore.kernel.org/r/8f8dc2815aa97b2378528f08f923bf81e19611f0.1604874488.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/atmel-quadspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/atmel-quadspi.c ++++ b/drivers/spi/atmel-quadspi.c +@@ -510,7 +510,7 @@ static int atmel_qspi_probe(struct platf + if (!aq->caps) { + dev_err(&pdev->dev, "Could not retrieve QSPI caps\n"); + err = -EINVAL; +- goto exit; ++ goto disable_pclk; + } + + if (aq->caps->has_qspick) { diff --git a/queue-5.4/spi-atmel-quadspi-fix-ahb-memory-accesses.patch b/queue-5.4/spi-atmel-quadspi-fix-ahb-memory-accesses.patch new file mode 100644 index 00000000000..6383865931b --- /dev/null +++ b/queue-5.4/spi-atmel-quadspi-fix-ahb-memory-accesses.patch 
@@ -0,0 +1,67 @@ +From cac8c821059639b015586abf61623c62cc549a13 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Mon, 7 Dec 2020 15:59:56 +0200 +Subject: spi: atmel-quadspi: Fix AHB memory accesses + +From: Tudor Ambarus + +commit cac8c821059639b015586abf61623c62cc549a13 upstream. + +Following error was seen when mounting a 16MByte ubifs: +UBIFS error (ubi0:0 pid 1893): check_lpt_type.constprop.6: invalid type (15) in LPT node type + +QSPI_IFR.TFRTYP was not set correctly. When data transfer is enabled +and one wants to access the serial memory through AHB in order to: + - read in the serial memory, but not a memory data, for example + a JEDEC-ID, QSPI_IFR.TFRTYP must be written to '0' (both sama5d2 + and sam9x60). + - read in the serial memory, and particularly a memory data, + TFRTYP must be written to '1' (both sama5d2 and sam9x60). + - write in the serial memory, but not a memory data, for example + writing the configuration or the QSPI_SR, TFRTYP must be written + to '2' for sama5d2 and to '0' for sam9x60. + - write in the serial memory in particular to program a memory data, + TFRTYP must be written to '3' for sama5d2 and to '1' for sam9x60. + +Fix the setting of the QSPI_IFR.TFRTYP field. + +Fixes: 2d30ac5ed633 ("mtd: spi-nor: atmel-quadspi: Use spi-mem interface for atmel-quadspi driver") +Cc: # v5.0+ +Reported-by: Tom Burkart +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20201207135959.154124-2-tudor.ambarus@microchip.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/atmel-quadspi.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/spi/atmel-quadspi.c ++++ b/drivers/spi/atmel-quadspi.c +@@ -284,10 +284,14 @@ static int atmel_qspi_set_cfg(struct atm + if (dummy_cycles) + ifr |= QSPI_IFR_NBDUM(dummy_cycles); + +- /* Set data enable */ +- if (op->data.nbytes) ++ /* Set data enable and data transfer type. 
*/ ++ if (op->data.nbytes) { + ifr |= QSPI_IFR_DATAEN; + ++ if (op->addr.nbytes) ++ ifr |= QSPI_IFR_TFRTYP_MEM; ++ } ++ + /* + * If the QSPI controller is set in regular SPI mode, set it in + * Serial Memory Mode (SMM). +@@ -312,7 +316,7 @@ static int atmel_qspi_set_cfg(struct atm + writel_relaxed(icr, aq->regs + QSPI_WICR); + writel_relaxed(ifr, aq->regs + QSPI_IFR); + } else { +- if (op->data.dir == SPI_MEM_DATA_OUT) ++ if (op->data.nbytes && op->data.dir == SPI_MEM_DATA_OUT) + ifr |= QSPI_IFR_SAMA5D2_WRITE_TRSFR; + + /* Set QSPI Instruction Frame registers */ diff --git a/queue-5.4/spi-atmel-quadspi-fix-use-after-free-on-unbind.patch b/queue-5.4/spi-atmel-quadspi-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..c6798b59e1f --- /dev/null +++ b/queue-5.4/spi-atmel-quadspi-fix-use-after-free-on-unbind.patch 
@@ -0,0 +1,87 @@ +From c7b884561cb5b641f3dbba950094110794119a6d Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Mon, 7 Dec 2020 09:17:17 +0100 +Subject: spi: atmel-quadspi: Fix use-after-free on unbind + +From: Lukas Wunner + +commit c7b884561cb5b641f3dbba950094110794119a6d upstream. + +atmel_qspi_remove() accesses the driver's private data after calling +spi_unregister_controller() even though that function releases the last +reference on the spi_controller and thereby frees the private data. + +Fix by switching over to the new devm_spi_alloc_master() helper which +keeps the private data accessible until the driver has unbound. + +Fixes: 2d30ac5ed633 ("mtd: spi-nor: atmel-quadspi: Use spi-mem interface for atmel-quadspi driver") +Signed-off-by: Lukas Wunner +Cc: # v5.0+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation +Cc: # v5.0+ +Cc: Piotr Bugalski +Link: https://lore.kernel.org/r/4b05c65cf6f1ea3251484fe9a00b4c65478a1ae3.1607286887.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/atmel-quadspi.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +--- a/drivers/spi/atmel-quadspi.c ++++ b/drivers/spi/atmel-quadspi.c +@@ -454,7 +454,7 @@ static int atmel_qspi_probe(struct platf + struct resource *res; + int irq, err = 0; + +- ctrl = spi_alloc_master(&pdev->dev, sizeof(*aq)); ++ ctrl = devm_spi_alloc_master(&pdev->dev, sizeof(*aq)); + if (!ctrl) + return -ENOMEM; + +@@ -476,8 +476,7 @@ static int atmel_qspi_probe(struct platf + aq->regs = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(aq->regs)) { + dev_err(&pdev->dev, "missing registers\n"); +- err = PTR_ERR(aq->regs); +- goto exit; ++ return PTR_ERR(aq->regs); + } + + /* Map the AHB memory */ +@@ -485,8 +484,7 @@ static int atmel_qspi_probe(struct platf + aq->mem = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(aq->mem)) { + dev_err(&pdev->dev, "missing AHB memory\n"); +- err = PTR_ERR(aq->mem); +- 
goto exit; ++ return PTR_ERR(aq->mem); + } + + aq->mmap_size = resource_size(res); +@@ -498,15 +496,14 @@ static int atmel_qspi_probe(struct platf + + if (IS_ERR(aq->pclk)) { + dev_err(&pdev->dev, "missing peripheral clock\n"); +- err = PTR_ERR(aq->pclk); +- goto exit; ++ return PTR_ERR(aq->pclk); + } + + /* Enable the peripheral clock */ + err = clk_prepare_enable(aq->pclk); + if (err) { + dev_err(&pdev->dev, "failed to enable the peripheral clock\n"); +- goto exit; ++ return err; + } + + aq->caps = of_device_get_match_data(&pdev->dev); +@@ -557,8 +554,6 @@ disable_qspick: + clk_disable_unprepare(aq->qspick); + disable_pclk: + clk_disable_unprepare(aq->pclk); +-exit: +- spi_controller_put(ctrl); + + return err; + } diff --git a/queue-5.4/spi-davinci-fix-use-after-free-on-unbind.patch b/queue-5.4/spi-davinci-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..2a80c7787df --- /dev/null +++ b/queue-5.4/spi-davinci-fix-use-after-free-on-unbind.patch 
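Review bot: The last hunk removes the `exit:` label from atmel_qspi_probe(), but the `if (!aq->caps)` branch just past the third hunk's context still ends in `goto exit;` unless spi-atmel-quadspi-disable-clock-in-probe-error-path.patch has already been applied. The series file in this commit lists this patch before that one, so the tree would appear not to build between the two steps, although the end state is fine. Swapping the two entries in queue-5.4/series, which matches the order of the patch dates (8 Nov, then 7 Dec), keeps every step buildable. The probe function starts and ends outside these hunks, so this is inferred from the companion patch's `- goto exit;` line.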
@@ -0,0 +1,43 @@
+From 373afef350a93519b4b8d636b0895da8650b714b Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Mon, 7 Dec 2020 09:17:01 +0100
+Subject: spi: davinci: Fix use-after-free on unbind
+
+From: Lukas Wunner
+
+commit 373afef350a93519b4b8d636b0895da8650b714b upstream.
+
+davinci_spi_remove() accesses the driver's private data after it's been
+freed with spi_master_put().
+
+Fix by moving the spi_master_put() to the end of the function.
+
+Fixes: fe5fd2540947 ("spi: davinci: Use dma_request_chan() for requesting DMA channel")
+Signed-off-by: Lukas Wunner
+Acked-by: Peter Ujfalusi
+Cc: # v4.7+
+Link: https://lore.kernel.org/r/412f7eb1cf8990e0a3a2153f4c577298deab623e.1607286887.git.lukas@wunner.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-davinci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-davinci.c
++++ b/drivers/spi/spi-davinci.c
+@@ -1040,13 +1040,13 @@ static int davinci_spi_remove(struct pla
+ spi_bitbang_stop(&dspi->bitbang);
+
+ clk_disable_unprepare(dspi->clk);
+- spi_master_put(master);
+
+ if (dspi->dma_rx) {
+ dma_release_channel(dspi->dma_rx);
+ dma_release_channel(dspi->dma_tx);
+ }
+
++ spi_master_put(master);
+ return 0;
+ }
+
diff --git a/queue-5.4/spi-fsl-fix-use-of-spisel_boot-signal-on-mpc8309.patch b/queue-5.4/spi-fsl-fix-use-of-spisel_boot-signal-on-mpc8309.patch
new file mode 100644
index 00000000000..25270a34e32
--- /dev/null
+++ b/queue-5.4/spi-fsl-fix-use-of-spisel_boot-signal-on-mpc8309.patch
@@ -0,0 +1,62 @@ +From 122541f2b10897b08f7f7e6db5f1eb693e51f0a1 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Fri, 27 Nov 2020 16:29:47 +0100 +Subject: spi: fsl: fix use of spisel_boot signal on MPC8309 + +From: Rasmus Villemoes + +commit 122541f2b10897b08f7f7e6db5f1eb693e51f0a1 upstream. + +Commit 0f0581b24bd0 ("spi: fsl: Convert to use CS GPIO descriptors") +broke the use of the SPISEL_BOOT signal as a chip select on the +MPC8309. + +pdata->max_chipselect, which becomes master->num_chipselect, must be +initialized to take into account the possibility that there's one more +chip select in use than the number of GPIO chip selects. + +Cc: stable@vger.kernel.org # v5.4+ +Cc: Christophe Leroy +Cc: Linus Walleij +Fixes: 0f0581b24bd0 ("spi: fsl: Convert to use CS GPIO descriptors") +Signed-off-by: Rasmus Villemoes +Link: https://lore.kernel.org/r/20201127152947.376-1-rasmus.villemoes@prevas.dk +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-fsl-spi.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/spi/spi-fsl-spi.c ++++ b/drivers/spi/spi-fsl-spi.c +@@ -717,10 +717,11 @@ static int of_fsl_spi_probe(struct platf + type = fsl_spi_get_type(&ofdev->dev); + if (type == TYPE_FSL) { + struct fsl_spi_platform_data *pdata = dev_get_platdata(dev); ++ bool spisel_boot = false; + #if IS_ENABLED(CONFIG_FSL_SOC) + struct mpc8xxx_spi_probe_info *pinfo = to_of_pinfo(pdata); +- bool spisel_boot = of_property_read_bool(np, "fsl,spisel_boot"); + ++ spisel_boot = of_property_read_bool(np, "fsl,spisel_boot"); + if (spisel_boot) { + pinfo->immr_spi_cs = ioremap(get_immrbase() + IMMR_SPI_CS_OFFSET, 4); + if (!pinfo->immr_spi_cs) { +@@ -737,10 +738,14 @@ static int of_fsl_spi_probe(struct platf + * supported on the GRLIB variant. 
+ */ + ret = gpiod_count(dev, "cs"); +- if (ret <= 0) ++ if (ret < 0) ++ ret = 0; ++ if (ret == 0 && !spisel_boot) { + pdata->max_chipselect = 1; +- else ++ } else { ++ pdata->max_chipselect = ret + spisel_boot; + pdata->cs_control = fsl_spi_cs_control; ++ } + } + + ret = of_address_to_resource(np, 0, &mem); diff --git a/queue-5.4/spi-gpio-don-t-leak-spi-master-in-probe-error-path.patch b/queue-5.4/spi-gpio-don-t-leak-spi-master-in-probe-error-path.patch new file mode 100644 index 00000000000..00de6a6bd31 --- /dev/null +++ b/queue-5.4/spi-gpio-don-t-leak-spi-master-in-probe-error-path.patch 
@@ -0,0 +1,94 @@ +From 7174dc655ef0578877b0b4598e69619d2be28b4d Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Mon, 7 Dec 2020 09:17:09 +0100 +Subject: spi: gpio: Don't leak SPI master in probe error path + +From: Lukas Wunner + +commit 7174dc655ef0578877b0b4598e69619d2be28b4d upstream. + +If the call to devm_spi_register_master() fails on probe of the GPIO SPI +driver, the spi_master struct is erroneously not freed: + +After allocating the spi_master, its reference count is 1. The driver +unconditionally decrements the reference count on unbind using a devm +action. Before calling devm_spi_register_master(), the driver +unconditionally increments the reference count because on success, +that function will decrement the reference count on unbind. However on +failure, devm_spi_register_master() does *not* decrement the reference +count, so the spi_master is leaked. + +The issue was introduced by commits 8b797490b4db ("spi: gpio: Make sure +spi_master_put() is called in every error path") and 79567c1a321e ("spi: +gpio: Use devm_spi_register_master()"), which sought to plug leaks +introduced by 9b00bc7b901f ("spi: spi-gpio: Rewrite to use GPIO +descriptors") but missed this remaining leak. + +The situation was later aggravated by commit d3b0ffa1d75d ("spi: gpio: +prevent memory leak in spi_gpio_probe"), which introduced a +use-after-free because it releases a reference on the spi_master if +devm_add_action_or_reset() fails even though the function already +does that. + +Fix by switching over to the new devm_spi_alloc_master() helper. 
+ +Fixes: 9b00bc7b901f ("spi: spi-gpio: Rewrite to use GPIO descriptors") +Signed-off-by: Lukas Wunner +Reviewed-by: Linus Walleij +Cc: # v4.17+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation +Cc: # v5.1-: 8b797490b4db: spi: gpio: Make sure spi_master_put() is called in every error path +Cc: # v5.1-: 45beec351998: spi: bitbang: Introduce spi_bitbang_init() +Cc: # v5.1-: 79567c1a321e: spi: gpio: Use devm_spi_register_master() +Cc: # v5.4-: d3b0ffa1d75d: spi: gpio: prevent memory leak in spi_gpio_probe +Cc: # v4.17+ +Cc: Navid Emamdoost +Cc: Andrey Smirnov +Link: https://lore.kernel.org/r/86eaed27431c3d709e3748eb76ceecbfc790dd37.1607286887.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-gpio.c | 15 ++------------- + 1 file changed, 2 insertions(+), 13 deletions(-) + +--- a/drivers/spi/spi-gpio.c ++++ b/drivers/spi/spi-gpio.c +@@ -350,11 +350,6 @@ static int spi_gpio_probe_pdata(struct p + return 0; + } + +-static void spi_gpio_put(void *data) +-{ +- spi_master_put(data); +-} +- + static int spi_gpio_probe(struct platform_device *pdev) + { + int status; +@@ -366,16 +361,10 @@ static int spi_gpio_probe(struct platfor + + of_id = of_match_device(spi_gpio_dt_ids, &pdev->dev); + +- master = spi_alloc_master(dev, sizeof(*spi_gpio)); ++ master = devm_spi_alloc_master(dev, sizeof(*spi_gpio)); + if (!master) + return -ENOMEM; + +- status = devm_add_action_or_reset(&pdev->dev, spi_gpio_put, master); +- if (status) { +- spi_master_put(master); +- return status; +- } +- + if (of_id) + status = spi_gpio_probe_dt(pdev, master); + else +@@ -435,7 +424,7 @@ static int spi_gpio_probe(struct platfor + if (status) + return status; + +- return devm_spi_register_master(&pdev->dev, spi_master_get(master)); ++ return devm_spi_register_master(&pdev->dev, master); + } + + MODULE_ALIAS("platform:" DRIVER_NAME); 
diff --git a/queue-5.4/spi-mt7621-disable-clock-in-probe-error-path.patch b/queue-5.4/spi-mt7621-disable-clock-in-probe-error-path.patch
new file mode 100644
index 00000000000..dff8e99a898
--- /dev/null
+++ b/queue-5.4/spi-mt7621-disable-clock-in-probe-error-path.patch
@@ -0,0 +1,47 @@
+From 24f7033405abe195224ec793dbc3d7a27dec0b98 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Mon, 7 Dec 2020 09:17:13 +0100
+Subject: spi: mt7621: Disable clock in probe error path
+
+From: Lukas Wunner
+
+commit 24f7033405abe195224ec793dbc3d7a27dec0b98 upstream.
+
+Commit 702b15cb9712 ("spi: mt7621: fix missing clk_disable_unprepare()
+on error in mt7621_spi_probe") sought to disable the SYS clock on probe
+errors, but only did so for 2 of 3 potentially failing calls: The clock
+needs to be disabled on failure of devm_spi_register_controller() as
+well.
+
+Moreover, the commit purports to fix a bug in commit cbd66c626e16 ("spi:
+mt7621: Move SPI driver out of staging") but in reality the bug has
+existed since the driver was first introduced.
+
+Fixes: 1ab7f2a43558 ("staging: mt7621-spi: add mt7621 support")
+Signed-off-by: Lukas Wunner
+Cc: # v4.17+: 702b15cb9712: spi: mt7621: fix missing clk_disable_unprepare() on error in mt7621_spi_probe
+Cc: # v4.17+
+Cc: Qinglang Miao
+Link: https://lore.kernel.org/r/36ad42760087952fb7c10aae7d2628547c26a7ec.1607286887.git.lukas@wunner.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-mt7621.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-mt7621.c
++++ b/drivers/spi/spi-mt7621.c
+@@ -382,7 +382,11 @@ static int mt7621_spi_probe(struct platf
+ return ret;
+ }
+
+- return devm_spi_register_controller(&pdev->dev, master);
++ ret = devm_spi_register_controller(&pdev->dev, master);
++ if (ret)
++ clk_disable_unprepare(clk);
++
++ return ret;
+ }
+
+ static int mt7621_spi_remove(struct platform_device *pdev)
diff --git a/queue-5.4/spi-mt7621-don-t-leak-spi-master-in-probe-error-path.patch b/queue-5.4/spi-mt7621-don-t-leak-spi-master-in-probe-error-path.patch
new file mode 100644
index 00000000000..1fa9602f9fc
--- /dev/null
+++ b/queue-5.4/spi-mt7621-don-t-leak-spi-master-in-probe-error-path.patch
@@ -0,0 +1,64 @@
+From 46b5c4fb87ce8211e0f9b0383dbde72c3652d2ba Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Mon, 7 Dec 2020 09:17:14 +0100
+Subject: spi: mt7621: Don't leak SPI master in probe error path
+
+From: Lukas Wunner
+
+commit 46b5c4fb87ce8211e0f9b0383dbde72c3652d2ba upstream.
+
+If the calls to device_reset() or devm_spi_register_controller() fail on
+probe of the MediaTek MT7621 SPI driver, the spi_controller struct is
+erroneously not freed. Fix by switching over to the new
+devm_spi_alloc_master() helper.
+
+Additionally, there's an ordering issue in mt7621_spi_remove() wherein
+the spi_controller is unregistered after disabling the SYS clock.
+The correct order is to call spi_unregister_controller() *before* this
+teardown step because bus accesses may still be ongoing until that
+function returns.
+
+All of these bugs have existed since the driver was first introduced,
+so it seems fair to fix them together in a single commit.
+
+Fixes: 1ab7f2a43558 ("staging: mt7621-spi: add mt7621 support")
+Signed-off-by: Lukas Wunner
+Reviewed-by: Stefan Roese
+Cc: # v4.17+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
+Cc: # v4.17+
+Link: https://lore.kernel.org/r/72b680796149f5fcda0b3f530ffb7ee73b04f224.1607286887.git.lukas@wunner.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-mt7621.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-mt7621.c
++++ b/drivers/spi/spi-mt7621.c
+@@ -350,7 +350,7 @@ static int mt7621_spi_probe(struct platf
+ if (status)
+ return status;
+
+- master = spi_alloc_master(&pdev->dev, sizeof(*rs));
++ master = devm_spi_alloc_master(&pdev->dev, sizeof(*rs));
+ if (!master) {
+ dev_info(&pdev->dev, "master allocation failed\n");
+ clk_disable_unprepare(clk);
+@@ -382,7 +382,7 @@ static int mt7621_spi_probe(struct platf
+ return ret;
+ }
+
+- ret = devm_spi_register_controller(&pdev->dev, master);
++ ret = spi_register_controller(master);
+ if (ret)
+ clk_disable_unprepare(clk);
+
+@@ -397,6 +397,7 @@ static int mt7621_spi_remove(struct plat
+ master = dev_get_drvdata(&pdev->dev);
+ rs = spi_controller_get_devdata(master);
+
++ spi_unregister_controller(master);
+ clk_disable_unprepare(rs->clk);
+
+ return 0;
diff --git a/queue-5.4/spi-mxic-don-t-leak-spi-master-in-probe-error-path.patch b/queue-5.4/spi-mxic-don-t-leak-spi-master-in-probe-error-path.patch
new file mode 100644
index 00000000000..807888a5aaa
--- /dev/null
+++ b/queue-5.4/spi-mxic-don-t-leak-spi-master-in-probe-error-path.patch
@@ -0,0 +1,55 @@
+From cc53711b2191cf3b3210283ae89bf0abb98c70a3 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Mon, 7 Dec 2020 09:17:07 +0100
+Subject: spi: mxic: Don't leak SPI master in probe error path
+
+From: Lukas Wunner
+
+commit cc53711b2191cf3b3210283ae89bf0abb98c70a3 upstream.
+
+If the calls to devm_clk_get() or devm_ioremap_resource() fail on probe
+of the Macronix SPI driver, the spi_master struct is erroneously not freed.
+
+Fix by switching over to the new devm_spi_alloc_master() helper.
+
+Fixes: b942d80b0a39 ("spi: Add MXIC controller driver")
+Signed-off-by: Lukas Wunner
+Cc: # v5.0+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
+Cc: # v5.0+
+Cc: Mason Yang
+Link: https://lore.kernel.org/r/4fa6857806e7e75741c05d057ac9df3564460114.1607286887.git.lukas@wunner.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-mxic.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/drivers/spi/spi-mxic.c
++++ b/drivers/spi/spi-mxic.c
+@@ -528,7 +528,7 @@ static int mxic_spi_probe(struct platfor
+ struct mxic_spi *mxic;
+ int ret;
+
+- master = spi_alloc_master(&pdev->dev, sizeof(struct mxic_spi));
++ master = devm_spi_alloc_master(&pdev->dev, sizeof(struct mxic_spi));
+ if (!master)
+ return -ENOMEM;
+
+@@ -573,15 +573,9 @@ static int mxic_spi_probe(struct platfor
+ ret = spi_register_master(master);
+ if (ret) {
+ dev_err(&pdev->dev, "spi_register_master failed\n");
+- goto err_put_master;
++ pm_runtime_disable(&pdev->dev);
+ }
+
+- return 0;
+-
+-err_put_master:
+- spi_master_put(master);
+- pm_runtime_disable(&pdev->dev);
+-
+ return ret;
+ }
+
diff --git a/queue-5.4/spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch b/queue-5.4/spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch
new file mode 100644
index 00000000000..53b4c2129e2
--- /dev/null
+++ b/queue-5.4/spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch
@@ -0,0 +1,35 @@
+From c575e9113bff5e024d75481613faed5ef9d465b2 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Sun, 8 Nov 2020 23:41:00 +0100
+Subject: spi: pic32: Don't leak DMA channels in probe error path
+
+From: Lukas Wunner
+
+commit c575e9113bff5e024d75481613faed5ef9d465b2 upstream.
+
+If the calls to devm_request_irq() or devm_spi_register_master() fail
+on probe of the PIC32 SPI driver, the DMA channels requested by
+pic32_spi_dma_prep() are erroneously not released. Plug the leak.
+
+Fixes: 1bcb9f8ceb67 ("spi: spi-pic32: Add PIC32 SPI master driver")
+Signed-off-by: Lukas Wunner
+Cc: # v4.7+
+Cc: Purna Chandra Mandal
+Link: https://lore.kernel.org/r/9624250e3a7aa61274b38219a62375bac1def637.1604874488.git.lukas@wunner.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-pic32.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/spi/spi-pic32.c
++++ b/drivers/spi/spi-pic32.c
+@@ -825,6 +825,7 @@ static int pic32_spi_probe(struct platfo
+ return 0;
+
+ err_bailout:
++ pic32_spi_dma_unprep(pic32s);
+ clk_disable_unprepare(pic32s->clk);
+ err_master:
+ spi_master_put(master);
diff --git a/queue-5.4/spi-pxa2xx-fix-use-after-free-on-unbind.patch b/queue-5.4/spi-pxa2xx-fix-use-after-free-on-unbind.patch
new file mode 100644
index 00000000000..8f302badd2d
--- /dev/null
+++ b/queue-5.4/spi-pxa2xx-fix-use-after-free-on-unbind.patch
@@ -0,0 +1,51 @@
+From 5626308bb94d9f930aa5f7c77327df4c6daa7759 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Mon, 7 Dec 2020 09:17:05 +0100
+Subject: spi: pxa2xx: Fix use-after-free on unbind
+
+From: Lukas Wunner
+
+commit 5626308bb94d9f930aa5f7c77327df4c6daa7759 upstream.
+
+pxa2xx_spi_remove() accesses the driver's private data after calling
+spi_unregister_controller() even though that function releases the last
+reference on the spi_controller and thereby frees the private data.
+
+Fix by switching over to the new devm_spi_alloc_master/slave() helper
+which keeps the private data accessible until the driver has unbound.
+
+Fixes: 32e5b57232c0 ("spi: pxa2xx: Fix controller unregister order")
+Signed-off-by: Lukas Wunner
+Cc: # v2.6.17+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
+Cc: # v2.6.17+: 32e5b57232c0: spi: pxa2xx: Fix controller unregister order
+Cc: # v2.6.17+
+Link: https://lore.kernel.org/r/5764b04d4a6e43069ebb7808f64c2f774ac6f193.1607286887.git.lukas@wunner.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-pxa2xx.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -1675,9 +1675,9 @@ static int pxa2xx_spi_probe(struct platf
+ }
+
+ if (platform_info->is_slave)
+- controller = spi_alloc_slave(dev, sizeof(struct driver_data));
++ controller = devm_spi_alloc_slave(dev, sizeof(*drv_data));
+ else
+- controller = spi_alloc_master(dev, sizeof(struct driver_data));
++ controller = devm_spi_alloc_master(dev, sizeof(*drv_data));
+
+ if (!controller) {
+ dev_err(&pdev->dev, "cannot alloc spi_controller\n");
+@@ -1900,7 +1900,6 @@ out_error_dma_irq_alloc:
+ free_irq(ssp->irq, drv_data);
+
+ out_error_controller_alloc:
+- spi_controller_put(controller);
+ pxa_ssp_free(ssp);
+ return status;
+ }
diff --git a/queue-5.4/spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch b/queue-5.4/spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch
new file mode 100644
index 00000000000..2e293672925
--- /dev/null
+++ b/queue-5.4/spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch
@@ -0,0 +1,39 @@
+From a4729c3506c3eb1a6ca5c0289f4e7cafa4115065 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Mon, 7 Dec 2020 09:17:10 +0100
+Subject: spi: rb4xx: Don't leak SPI master in probe error path
+
+From: Lukas Wunner
+
+commit a4729c3506c3eb1a6ca5c0289f4e7cafa4115065 upstream.
+
+If the calls to devm_clk_get(), devm_spi_register_master() or
+clk_prepare_enable() fail on probe of the Mikrotik RB4xx SPI driver,
+the spi_master struct is erroneously not freed.
+
+Fix by switching over to the new devm_spi_alloc_master() helper.
+
+Fixes: 05aec357871f ("spi: Add SPI driver for Mikrotik RB4xx series boards")
+Signed-off-by: Lukas Wunner
+Cc: # v4.2+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
+Cc: # v4.2+
+Cc: Bert Vermeulen
+Link: https://lore.kernel.org/r/369bf26d71927f60943b1d9d8f51810f00b0237d.1607286887.git.lukas@wunner.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-rb4xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-rb4xx.c
++++ b/drivers/spi/spi-rb4xx.c
+@@ -142,7 +142,7 @@ static int rb4xx_spi_probe(struct platfo
+ if (IS_ERR(spi_base))
+ return PTR_ERR(spi_base);
+
+- master = spi_alloc_master(&pdev->dev, sizeof(*rbspi));
++ master = devm_spi_alloc_master(&pdev->dev, sizeof(*rbspi));
+ if (!master)
+ return -ENOMEM;
+
diff --git a/queue-5.4/spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch b/queue-5.4/spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch
new file mode 100644
index 00000000000..91a02a72177
--- /dev/null
+++ b/queue-5.4/spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch
@@ -0,0 +1,61 @@
+From 5b8c88462d83331dacb48aeaec8388117fef82e0 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Mon, 7 Dec 2020 09:17:11 +0100
+Subject: spi: sc18is602: Don't leak SPI master in probe error path
+
+From: Lukas Wunner
+
+commit 5b8c88462d83331dacb48aeaec8388117fef82e0 upstream.
+
+If the call to devm_gpiod_get_optional() fails on probe of the NXP
+SC18IS602/603 SPI driver, the spi_master struct is erroneously not freed.
+
+Fix by switching over to the new devm_spi_alloc_master() helper.
+
+Fixes: f99008013e19 ("spi: sc18is602: Add reset control via gpio pin.")
+Signed-off-by: Lukas Wunner
+Cc: # v4.9+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
+Cc: # v4.9+
+Cc: Phil Reid
+Link: https://lore.kernel.org/r/d5f715527b894b91d530fe11a86f51b3184a4e1a.1607286887.git.lukas@wunner.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-sc18is602.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+--- a/drivers/spi/spi-sc18is602.c
++++ b/drivers/spi/spi-sc18is602.c
+@@ -239,13 +239,12 @@ static int sc18is602_probe(struct i2c_cl
+ struct sc18is602_platform_data *pdata = dev_get_platdata(dev);
+ struct sc18is602 *hw;
+ struct spi_master *master;
+- int error;
+
+ if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C |
+ I2C_FUNC_SMBUS_WRITE_BYTE_DATA))
+ return -EINVAL;
+
+- master = spi_alloc_master(dev, sizeof(struct sc18is602));
++ master = devm_spi_alloc_master(dev, sizeof(struct sc18is602));
+ if (!master)
+ return -ENOMEM;
+
+@@ -299,15 +298,7 @@ static int sc18is602_probe(struct i2c_cl
+ master->min_speed_hz = hw->freq / 128;
+ master->max_speed_hz = hw->freq / 4;
+
+- error = devm_spi_register_master(dev, master);
+- if (error)
+- goto error_reg;
+-
+- return 0;
+-
+-error_reg:
+- spi_master_put(master);
+- return error;
++ return devm_spi_register_master(dev, master);
+ }
+
+ static const struct i2c_device_id sc18is602_id[] = {
diff --git a/queue-5.4/spi-spi-sh-fix-use-after-free-on-unbind.patch b/queue-5.4/spi-spi-sh-fix-use-after-free-on-unbind.patch
new file mode 100644
index 00000000000..f9c503033d9
--- /dev/null
+++ b/queue-5.4/spi-spi-sh-fix-use-after-free-on-unbind.patch
@@ -0,0 +1,78 @@
+From e77df3eca12be4b17f13cf9f215cff248c57d98f Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Mon, 7 Dec 2020 09:17:04 +0100
+Subject: spi: spi-sh: Fix use-after-free on unbind
+
+From: Lukas Wunner
+
+commit e77df3eca12be4b17f13cf9f215cff248c57d98f upstream.
+
+spi_sh_remove() accesses the driver's private data after calling
+spi_unregister_master() even though that function releases the last
+reference on the spi_master and thereby frees the private data.
+
+Fix by switching over to the new devm_spi_alloc_master() helper which
+keeps the private data accessible until the driver has unbound.
+
+Fixes: 680c1305e259 ("spi/spi_sh: use spi_unregister_master instead of spi_master_put in remove path")
+Signed-off-by: Lukas Wunner
+Cc: # v3.0+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
+Cc: # v3.0+
+Cc: Axel Lin
+Link: https://lore.kernel.org/r/6d97628b536baf01d5e3e39db61108f84d44c8b2.1607286887.git.lukas@wunner.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-sh.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/drivers/spi/spi-sh.c
++++ b/drivers/spi/spi-sh.c
+@@ -440,7 +440,7 @@ static int spi_sh_probe(struct platform_
+ if (irq < 0)
+ return irq;
+
+- master = spi_alloc_master(&pdev->dev, sizeof(struct spi_sh_data));
++ master = devm_spi_alloc_master(&pdev->dev, sizeof(struct spi_sh_data));
+ if (master == NULL) {
+ dev_err(&pdev->dev, "spi_alloc_master error.\n");
+ return -ENOMEM;
+@@ -458,16 +458,14 @@ static int spi_sh_probe(struct platform_
+ break;
+ default:
+ dev_err(&pdev->dev, "No support width\n");
+- ret = -ENODEV;
+- goto error1;
++ return -ENODEV;
+ }
+ ss->irq = irq;
+ ss->master = master;
+ ss->addr = devm_ioremap(&pdev->dev, res->start, resource_size(res));
+ if (ss->addr == NULL) {
+ dev_err(&pdev->dev, "ioremap error.\n");
+- ret = -ENOMEM;
+- goto error1;
++ return -ENOMEM;
+ }
+ INIT_LIST_HEAD(&ss->queue);
+ spin_lock_init(&ss->lock);
+@@ -477,7 +475,7 @@ static int spi_sh_probe(struct platform_
+ ret = request_irq(irq, spi_sh_irq, 0, "spi_sh", ss);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "request_irq error\n");
+- goto error1;
++ return ret;
+ }
+
+ master->num_chipselect = 2;
+@@ -496,9 +494,6 @@ static int spi_sh_probe(struct platform_
+
+ error3:
+ free_irq(irq, ss);
+- error1:
+- spi_master_put(master);
+-
+ return ret;
+ }
+
diff --git a/queue-5.4/spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch b/queue-5.4/spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch
new file mode 100644
index 00000000000..36886dc7353
--- /dev/null
+++ b/queue-5.4/spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch
@@ -0,0 +1,45 @@
+From 5ef76dac0f2c26aeae4ee79eb830280f16d5aceb Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Sun, 8 Nov 2020 23:41:00 +0100
+Subject: spi: st-ssc4: Fix unbalanced pm_runtime_disable() in probe error path
+
+From: Lukas Wunner
+
+commit 5ef76dac0f2c26aeae4ee79eb830280f16d5aceb upstream.
+
+If the calls to devm_platform_ioremap_resource(), irq_of_parse_and_map()
+or devm_request_irq() fail on probe of the ST SSC4 SPI driver, the
+runtime PM disable depth is incremented even though it was not
+decremented before. Fix it.
+
+Fixes: cd050abeba2a ("spi: st-ssc4: add missed pm_runtime_disable")
+Signed-off-by: Lukas Wunner
+Cc: # v5.5+
+Cc: Chuhong Yuan
+Link: https://lore.kernel.org/r/fbe8768c30dc829e2d77eabe7be062ca22f84024.1604874488.git.lukas@wunner.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-st-ssc4.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-st-ssc4.c
++++ b/drivers/spi/spi-st-ssc4.c
+@@ -375,13 +375,14 @@ static int spi_st_probe(struct platform_
+ ret = devm_spi_register_master(&pdev->dev, master);
+ if (ret) {
+ dev_err(&pdev->dev, "Failed to register master\n");
+- goto clk_disable;
++ goto rpm_disable;
+ }
+
+ return 0;
+
+-clk_disable:
++rpm_disable:
+ pm_runtime_disable(&pdev->dev);
++clk_disable:
+ clk_disable_unprepare(spi_st->clk);
+ put_master:
+ spi_master_put(master);
diff --git a/queue-5.4/spi-synquacer-disable-clock-in-probe-error-path.patch b/queue-5.4/spi-synquacer-disable-clock-in-probe-error-path.patch
new file mode 100644
index 00000000000..ee0852f72c6
--- /dev/null
+++ b/queue-5.4/spi-synquacer-disable-clock-in-probe-error-path.patch
@@ -0,0 +1,94 @@
+From 8853b2503014aca5c793d2c7f0aabc990b32bdad Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Sun, 8 Nov 2020 23:41:00 +0100
+Subject: spi: synquacer: Disable clock in probe error path
+
+From: Lukas Wunner
+
+commit 8853b2503014aca5c793d2c7f0aabc990b32bdad upstream.
+
+If the calls to platform_get_irq() or devm_request_irq() fail on probe
+of the SynQuacer SPI driver, the clock "sspi->clk" is erroneously not
+unprepared and disabled.
+
+If the clock rate "master->max_speed_hz" cannot be determined, the same
+happens and in addition the spi_master struct is not freed.
+
+Fix it.
+
+Fixes: b0823ee35cf9 ("spi: Add spi driver for Socionext SynQuacer platform")
+Signed-off-by: Lukas Wunner
+Cc: # v5.3+
+Cc: Masahisa Kojima
+Link: https://lore.kernel.org/r/232281df1ab91d8f0f553a62d5f97fc264ace4da.1604874488.git.lukas@wunner.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-synquacer.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/spi/spi-synquacer.c
++++ b/drivers/spi/spi-synquacer.c
+@@ -658,7 +658,8 @@ static int synquacer_spi_probe(struct pl
+
+ if (!master->max_speed_hz) {
+ dev_err(&pdev->dev, "missing clock source\n");
+- return -EINVAL;
++ ret = -EINVAL;
++ goto disable_clk;
+ }
+ master->min_speed_hz = master->max_speed_hz / 254;
+
+@@ -671,7 +672,7 @@ static int synquacer_spi_probe(struct pl
+ rx_irq = platform_get_irq(pdev, 0);
+ if (rx_irq <= 0) {
+ ret = rx_irq;
+- goto put_spi;
++ goto disable_clk;
+ }
+ snprintf(sspi->rx_irq_name, SYNQUACER_HSSPI_IRQ_NAME_MAX, "%s-rx",
+ dev_name(&pdev->dev));
+@@ -679,13 +680,13 @@ static int synquacer_spi_probe(struct pl
+ 0, sspi->rx_irq_name, sspi);
+ if (ret) {
+ dev_err(&pdev->dev, "request rx_irq failed (%d)\n", ret);
+- goto put_spi;
++ goto disable_clk;
+ }
+
+ tx_irq = platform_get_irq(pdev, 1);
+ if (tx_irq <= 0) {
+ ret = tx_irq;
+- goto put_spi;
++ goto disable_clk;
+ }
+ snprintf(sspi->tx_irq_name, SYNQUACER_HSSPI_IRQ_NAME_MAX, "%s-tx",
+ dev_name(&pdev->dev));
+@@ -693,7 +694,7 @@ static int synquacer_spi_probe(struct pl
+ 0, sspi->tx_irq_name, sspi);
+ if (ret) {
+ dev_err(&pdev->dev, "request tx_irq failed (%d)\n", ret);
+- goto put_spi;
++ goto disable_clk;
+ }
+
+ master->dev.of_node = np;
+@@ -711,7 +712,7 @@ static int synquacer_spi_probe(struct pl
+
+ ret = synquacer_spi_enable(master);
+ if (ret)
+- goto fail_enable;
++ goto disable_clk;
+
+ pm_runtime_set_active(sspi->dev);
+ pm_runtime_enable(sspi->dev);
+@@ -724,7 +725,7 @@ static int synquacer_spi_probe(struct pl
+
+ disable_pm:
+ pm_runtime_disable(sspi->dev);
+-fail_enable:
++disable_clk:
+ clk_disable_unprepare(sspi->clk);
+ put_spi:
+ spi_master_put(master);
diff --git a/queue-5.4/xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch b/queue-5.4/xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch
new file mode 100644
index 00000000000..908ebe51c64
--- /dev/null
+++ b/queue-5.4/xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch
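Review bot: In the `rx_irq <= 0` and `tx_irq <= 0` branches that these hunks retarget to `disable_clk`, `ret` is copied straight from the IRQ number, so a return value of 0 would unwind the clock and the master and then report success from probe. That last step assumes the error path ends in `return ret;`, which lies outside the hunks. Mapping the zero case to an error closes the gap: `ret = rx_irq ? rx_irq : -ENXIO;` and the same for `tx_irq`; alternatively test `< 0` only, if platform_get_irq() cannot return 0 on this tree.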
@@ -0,0 +1,52 @@
+From 1c728719a4da6e654afb9cc047164755072ed7c9 Mon Sep 17 00:00:00 2001
+From: Pawel Wieczorkiewicz
+Date: Mon, 14 Dec 2020 10:25:57 +0100
+Subject: xen-blkback: set ring->xenblkd to NULL after kthread_stop()
+
+From: Pawel Wieczorkiewicz
+
+commit 1c728719a4da6e654afb9cc047164755072ed7c9 upstream.
+
+When xen_blkif_disconnect() is called, the kernel thread behind the
+block interface is stopped by calling kthread_stop(ring->xenblkd).
+The ring->xenblkd thread pointer being non-NULL determines if the
+thread has been already stopped.
+Normally, the thread's function xen_blkif_schedule() sets the
+ring->xenblkd to NULL, when the thread's main loop ends.
+
+However, when the thread has not been started yet (i.e.
+wake_up_process() has not been called on it), the xen_blkif_schedule()
+function would not be called yet.
+
+In such case the kthread_stop() call returns -EINTR and the
+ring->xenblkd remains dangling.
+When this happens, any consecutive call to xen_blkif_disconnect (for
+example in frontend_changed() callback) leads to a kernel crash in
+kthread_stop() (e.g. NULL pointer dereference in exit_creds()).
+
+This is XSA-350.
+
+Cc: # 4.12
+Fixes: a24fa22ce22a ("xen/blkback: don't use xen_blkif_get() in xen-blkback kthread")
+Reported-by: Olivier Benjamin
+Reported-by: Pawel Wieczorkiewicz
+Signed-off-by: Pawel Wieczorkiewicz
+Reviewed-by: Julien Grall
+Reviewed-by: Juergen Gross
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/xen-blkback/xenbus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/block/xen-blkback/xenbus.c
++++ b/drivers/block/xen-blkback/xenbus.c
+@@ -256,6 +256,7 @@ static int xen_blkif_disconnect(struct x
+
+ if (ring->xenblkd) {
+ kthread_stop(ring->xenblkd);
++ ring->xenblkd = NULL;
+ wake_up(&ring->shutdown_wq);
+ }
+
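Review bot: The added `ring->xenblkd = NULL;` in xen_blkif_disconnect() carries no comment, and without the commit message it reads as redundant next to the clearing that xen_blkif_schedule() does when its loop ends. Since this line is the whole XSA-350 fix, a comment would keep a later cleanup from dropping it: `/* kthread_stop() returns -EINTR if the thread never ran, so xen_blkif_schedule() will not have cleared this pointer. */`. The body of xen_blkif_disconnect() continues outside the hunk.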
diff --git a/queue-5.4/xen-xenbus-add-will_handle-callback-support-in-xenbus_watch_path.patch b/queue-5.4/xen-xenbus-add-will_handle-callback-support-in-xenbus_watch_path.patch
new file mode 100644
index 00000000000..35af8782294
--- /dev/null
+++ b/queue-5.4/xen-xenbus-add-will_handle-callback-support-in-xenbus_watch_path.patch
@@ -0,0 +1,140 @@
+From 2e85d32b1c865bec703ce0c962221a5e955c52c2 Mon Sep 17 00:00:00 2001
+From: SeongJae Park
+Date: Mon, 14 Dec 2020 10:04:18 +0100
+Subject: xen/xenbus: Add 'will_handle' callback support in xenbus_watch_path()
+
+From: SeongJae Park
+
+commit 2e85d32b1c865bec703ce0c962221a5e955c52c2 upstream.
+
+Some code does not directly make 'xenbus_watch' object and call
+'register_xenbus_watch()' but use 'xenbus_watch_path()' instead. This
+commit adds support of 'will_handle' callback in the
+'xenbus_watch_path()' and it's wrapper, 'xenbus_watch_pathfmt()'.
+
+This is part of XSA-349
+
+Cc: stable@vger.kernel.org
+Signed-off-by: SeongJae Park
+Reported-by: Michael Kurth
+Reported-by: Pawel Wieczorkiewicz
+Reviewed-by: Juergen Gross
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/xen-blkback/xenbus.c | 3 ++-
+ drivers/net/xen-netback/xenbus.c | 2 +-
+ drivers/xen/xen-pciback/xenbus.c | 2 +-
+ drivers/xen/xenbus/xenbus_client.c | 9 +++++++--
+ drivers/xen/xenbus/xenbus_probe.c | 2 +-
+ include/xen/xenbus.h | 6 +++++-
+ 6 files changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/block/xen-blkback/xenbus.c
++++ b/drivers/block/xen-blkback/xenbus.c
+@@ -644,7 +644,8 @@ static int xen_blkbk_probe(struct xenbus
+ /* setup back pointer */
+ be->blkif->be = be;
+
+- err = xenbus_watch_pathfmt(dev, &be->backend_watch, backend_changed,
++ err = xenbus_watch_pathfmt(dev, &be->backend_watch, NULL,
++ backend_changed,
+ "%s/%s", dev->nodename, "physical-device");
+ if (err)
+ goto fail;
+--- a/drivers/net/xen-netback/xenbus.c
++++ b/drivers/net/xen-netback/xenbus.c
+@@ -979,7 +979,7 @@ static void connect(struct backend_info
+ xenvif_carrier_on(be->vif);
+
+ unregister_hotplug_status_watch(be);
+- err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch,
++ err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch, NULL,
+ hotplug_status_changed,
+ "%s/%s", dev->nodename, "hotplug-status");
+ if (!err)
+--- a/drivers/xen/xen-pciback/xenbus.c
++++ b/drivers/xen/xen-pciback/xenbus.c
+@@ -688,7 +688,7 @@ static int xen_pcibk_xenbus_probe(struct
+
+ /* watch the backend node for backend configuration information */
+ err = xenbus_watch_path(dev, dev->nodename, &pdev->be_watch,
+- xen_pcibk_be_watch);
++ NULL, xen_pcibk_be_watch);
+ if (err)
+ goto out;
+
+--- a/drivers/xen/xenbus/xenbus_client.c
++++ b/drivers/xen/xenbus/xenbus_client.c
+@@ -114,19 +114,22 @@ EXPORT_SYMBOL_GPL(xenbus_strstate);
+ */
+ int xenbus_watch_path(struct xenbus_device *dev, const char *path,
+ struct xenbus_watch *watch,
++ bool (*will_handle)(struct xenbus_watch *,
++ const char *, const char *),
+ void (*callback)(struct xenbus_watch *,
+ const char *, const char *))
+ {
+ int err;
+
+ watch->node = path;
+- watch->will_handle = NULL;
++ watch->will_handle = will_handle;
+ watch->callback = callback;
+
+ err = register_xenbus_watch(watch);
+
+ if (err) {
+ watch->node = NULL;
++ watch->will_handle = NULL;
+ watch->callback = NULL;
+ xenbus_dev_fatal(dev, err, "adding watch on %s", path);
+ }
+@@ -153,6 +156,8 @@ EXPORT_SYMBOL_GPL(xenbus_watch_path);
+ */
+ int xenbus_watch_pathfmt(struct xenbus_device *dev,
+ struct xenbus_watch *watch,
++ bool (*will_handle)(struct xenbus_watch *,
++ const char *, const char *),
+ void (*callback)(struct xenbus_watch *,
+ const char *, const char *),
+ const char *pathfmt, ...)
+@@ -169,7 +174,7 @@ int xenbus_watch_pathfmt(struct xenbus_d
+ xenbus_dev_fatal(dev, -ENOMEM, "allocating path for watch");
+ return -ENOMEM;
+ }
+- err = xenbus_watch_path(dev, path, watch, callback);
++ err = xenbus_watch_path(dev, path, watch, will_handle, callback);
+
+ if (err)
+ kfree(path);
+--- a/drivers/xen/xenbus/xenbus_probe.c
++++ b/drivers/xen/xenbus/xenbus_probe.c
+@@ -136,7 +136,7 @@ static int watch_otherend(struct xenbus_
+ container_of(dev->dev.bus, struct xen_bus_type, bus);
+
+ return xenbus_watch_pathfmt(dev, &dev->otherend_watch,
+- bus->otherend_changed,
++ NULL, bus->otherend_changed,
+ "%s/%s", dev->otherend, "state");
+ }
+
+--- a/include/xen/xenbus.h
++++ b/include/xen/xenbus.h
+@@ -199,10 +199,14 @@ void xenbus_probe(struct work_struct *);
+
+ int xenbus_watch_path(struct xenbus_device *dev, const char *path,
+ struct xenbus_watch *watch,
++ bool (*will_handle)(struct xenbus_watch *,
++ const char *, const char *),
+ void (*callback)(struct xenbus_watch *,
+ const char *, const char *));
+-__printf(4, 5)
++__printf(5, 6)
+ int xenbus_watch_pathfmt(struct xenbus_device *dev, struct xenbus_watch *watch,
++ bool (*will_handle)(struct xenbus_watch *,
++ const char *, const char *),
+ void (*callback)(struct xenbus_watch *,
+ const char *, const char *),
+ const char *pathfmt, ...);
diff --git a/queue-5.4/xen-xenbus-allow-watches-discard-events-before-queueing.patch b/queue-5.4/xen-xenbus-allow-watches-discard-events-before-queueing.patch
new file mode 100644
index 00000000000..ba24968d540
--- /dev/null
+++ b/queue-5.4/xen-xenbus-allow-watches-discard-events-before-queueing.patch
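Review bot: The doc comments that close just above xenbus_watch_path() and xenbus_watch_pathfmt() in drivers/xen/xenbus/xenbus_client.c are not touched by these hunks, so the new `will_handle` argument is presumably left undocumented there; the comment bodies themselves are outside the hunks. A line such as `@will_handle: called before an event is queued; the event is dropped if it returns false` in both blocks would cover it, together with a note that it runs with a spinlock held, as the struct xenbus_watch comment in include/xen/xenbus.h states. The four callers updated here all pass `NULL`, so this patch on its own leaves queuing behaviour unchanged.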
@@ -0,0 +1,115 @@
+From fed1755b118147721f2c87b37b9d66e62c39b668 Mon Sep 17 00:00:00 2001
+From: SeongJae Park
+Date: Mon, 14 Dec 2020 10:02:45 +0100
+Subject: xen/xenbus: Allow watches discard events before queueing
+
+From: SeongJae Park
+
+commit fed1755b118147721f2c87b37b9d66e62c39b668 upstream.
+
+If handling logics of watch events are slower than the events enqueue
+logic and the events can be created from the guests, the guests could
+trigger memory pressure by intensively inducing the events, because it
+will create a huge number of pending events that exhausting the memory.
+
+Fortunately, some watch events could be ignored, depending on its
+handler callback. For example, if the callback has interest in only one
+single path, the watch wouldn't want multiple pending events. Or, some
+watches could ignore events to same path.
+
+To let such watches to volutarily help avoiding the memory pressure
+situation, this commit introduces new watch callback, 'will_handle'. If
+it is not NULL, it will be called for each new event just before
+enqueuing it. Then, if the callback returns false, the event will be
+discarded. No watch is using the callback for now, though.
+
+This is part of XSA-349
+
+Cc: stable@vger.kernel.org
+Signed-off-by: SeongJae Park
+Reported-by: Michael Kurth
+Reported-by: Pawel Wieczorkiewicz
+Reviewed-by: Juergen Gross
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/xen-netback/xenbus.c | 4 ++++
+ drivers/xen/xenbus/xenbus_client.c | 1 +
+ drivers/xen/xenbus/xenbus_xs.c | 5 ++++-
+ include/xen/xenbus.h | 7 +++++++
+ 4 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/xen-netback/xenbus.c
++++ b/drivers/net/xen-netback/xenbus.c
+@@ -713,12 +713,14 @@ static int xen_register_credit_watch(str
+ return -ENOMEM;
+ snprintf(node, maxlen, "%s/rate", dev->nodename);
+ vif->credit_watch.node = node;
++ vif->credit_watch.will_handle = NULL;
+ vif->credit_watch.callback = xen_net_rate_changed;
+ err = register_xenbus_watch(&vif->credit_watch);
+ if (err) {
+ pr_err("Failed to set watcher %s\n", vif->credit_watch.node);
+ kfree(node);
+ vif->credit_watch.node = NULL;
++ vif->credit_watch.will_handle = NULL;
+ vif->credit_watch.callback = NULL;
+ }
+ return err;
+@@ -765,6 +767,7 @@ static int xen_register_mcast_ctrl_watch
+ snprintf(node, maxlen, "%s/request-multicast-control",
+ dev->otherend);
+ vif->mcast_ctrl_watch.node = node;
++ vif->mcast_ctrl_watch.will_handle = NULL;
+ vif->mcast_ctrl_watch.callback = xen_mcast_ctrl_changed;
+ err = register_xenbus_watch(&vif->mcast_ctrl_watch);
+ if (err) {
+@@ -772,6 +775,7 @@ static int xen_register_mcast_ctrl_watch
+ vif->mcast_ctrl_watch.node);
+ kfree(node);
+ vif->mcast_ctrl_watch.node = NULL;
++ vif->mcast_ctrl_watch.will_handle = NULL;
+ vif->mcast_ctrl_watch.callback = NULL;
+ }
+ return err;
+--- a/drivers/xen/xenbus/xenbus_client.c
++++ b/drivers/xen/xenbus/xenbus_client.c
+@@ -120,6 +120,7 @@ int xenbus_watch_path(struct xenbus_devi
+ int err;
+
+ watch->node = path;
++ watch->will_handle = NULL;
+ watch->callback = callback;
+
+ err = register_xenbus_watch(watch);
+--- a/drivers/xen/xenbus/xenbus_xs.c
++++ b/drivers/xen/xenbus/xenbus_xs.c
+@@ -705,7 +705,10 @@ int xs_watch_msg(struct xs_watch_event *
+
+ spin_lock(&watches_lock);
+ event->handle = find_watch(event->token);
+- if (event->handle != NULL) {
++ if (event->handle != NULL &&
++ (!event->handle->will_handle ||
++ event->handle->will_handle(event->handle,
++ event->path, event->token))) {
+ spin_lock(&watch_events_lock);
+ list_add_tail(&event->list, &watch_events);
+ wake_up(&watch_events_waitq);
+--- a/include/xen/xenbus.h
++++ b/include/xen/xenbus.h
+@@ -59,6 +59,13 @@ struct xenbus_watch
+ /* Path being watched. */
+ const char *node;
+
++ /*
++ * Called just before enqueing new event while a spinlock is held.
++ * The event will be discarded if this callback returns false.
++ */
++ bool (*will_handle)(struct xenbus_watch *,
++ const char *path, const char *token);
++
+ /* Callback (executed in a process context with no locks held). */
+ void (*callback)(struct xenbus_watch *,
+ const char *path, const char *token);
diff --git a/queue-5.4/xen-xenbus-count-pending-messages-for-each-watch.patch b/queue-5.4/xen-xenbus-count-pending-messages-for-each-watch.patch
new file mode 100644
index 00000000000..dc33f040fd4
--- /dev/null
+++ b/queue-5.4/xen-xenbus-count-pending-messages-for-each-watch.patch
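Review bot: xs_watch_msg() now calls `event->handle->will_handle` whenever that pointer is non-NULL, so every struct xenbus_watch that reaches register_xenbus_watch() must have the field initialised, and these hunks cover only xenbus_watch_path() and the two netback watches. A watch filled in field by field on memory that was not zeroed would give xs_watch_msg() a stale pointer to call under `watches_lock`. Whether such users exist in this tree is not visible here, so the remaining register_xenbus_watch() callers are worth checking before the backport lands. The new comment in include/xen/xenbus.h could also name the lock and the constraint, for example `Called with watches_lock held; must not sleep.`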
@@ -0,0 +1,108 @@ +From 3dc86ca6b4c8cfcba9da7996189d1b5a358a94fc Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 14 Dec 2020 10:07:13 +0100 +Subject: xen/xenbus: Count pending messages for each watch + +From: SeongJae Park + +commit 3dc86ca6b4c8cfcba9da7996189d1b5a358a94fc upstream. + +This commit adds a counter of pending messages for each watch in the +struct. It is used to skip unnecessary pending messages lookup in +'unregister_xenbus_watch()'. It could also be used in 'will_handle' +callback. + +This is part of XSA-349 + +Cc: stable@vger.kernel.org +Signed-off-by: SeongJae Park +Reported-by: Michael Kurth +Reported-by: Pawel Wieczorkiewicz +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xenbus/xenbus_xs.c | 29 ++++++++++++++++++----------- + include/xen/xenbus.h | 2 ++ + 2 files changed, 20 insertions(+), 11 deletions(-) + +--- a/drivers/xen/xenbus/xenbus_xs.c ++++ b/drivers/xen/xenbus/xenbus_xs.c +@@ -711,6 +711,7 @@ int xs_watch_msg(struct xs_watch_event * + event->path, event->token))) { + spin_lock(&watch_events_lock); + list_add_tail(&event->list, &watch_events); ++ event->handle->nr_pending++; + wake_up(&watch_events_waitq); + spin_unlock(&watch_events_lock); + } else +@@ -768,6 +769,8 @@ int register_xenbus_watch(struct xenbus_ + + sprintf(token, "%lX", (long)watch); + ++ watch->nr_pending = 0; ++ + down_read(&xs_watch_rwsem); + + spin_lock(&watches_lock); +@@ -817,11 +820,14 @@ void unregister_xenbus_watch(struct xenb + + /* Cancel pending watch events. 
*/ + spin_lock(&watch_events_lock); +- list_for_each_entry_safe(event, tmp, &watch_events, list) { +- if (event->handle != watch) +- continue; +- list_del(&event->list); +- kfree(event); ++ if (watch->nr_pending) { ++ list_for_each_entry_safe(event, tmp, &watch_events, list) { ++ if (event->handle != watch) ++ continue; ++ list_del(&event->list); ++ kfree(event); ++ } ++ watch->nr_pending = 0; + } + spin_unlock(&watch_events_lock); + +@@ -868,7 +874,6 @@ void xs_suspend_cancel(void) + + static int xenwatch_thread(void *unused) + { +- struct list_head *ent; + struct xs_watch_event *event; + + xenwatch_pid = current->pid; +@@ -883,13 +888,15 @@ static int xenwatch_thread(void *unused) + mutex_lock(&xenwatch_mutex); + + spin_lock(&watch_events_lock); +- ent = watch_events.next; +- if (ent != &watch_events) +- list_del(ent); ++ event = list_first_entry_or_null(&watch_events, ++ struct xs_watch_event, list); ++ if (event) { ++ list_del(&event->list); ++ event->handle->nr_pending--; ++ } + spin_unlock(&watch_events_lock); + +- if (ent != &watch_events) { +- event = list_entry(ent, struct xs_watch_event, list); ++ if (event) { + event->handle->callback(event->handle, event->path, + event->token); + kfree(event); +--- a/include/xen/xenbus.h ++++ b/include/xen/xenbus.h +@@ -59,6 +59,8 @@ struct xenbus_watch + /* Path being watched. */ + const char *node; + ++ unsigned int nr_pending; ++ + /* + * Called just before enqueing new event while a spinlock is held. + * The event will be discarded if this callback returns false. diff --git a/queue-5.4/xen-xenbus-xen_bus_type-support-will_handle-watch-callback.patch b/queue-5.4/xen-xenbus-xen_bus_type-support-will_handle-watch-callback.patch new file mode 100644 index 00000000000..264d933d99a --- /dev/null +++ b/queue-5.4/xen-xenbus-xen_bus_type-support-will_handle-watch-callback.patch 
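Review bot: The new `nr_pending` member in include/xen/xenbus.h has no comment, so its locking rule is only implicit in the xenbus_xs.c hunks. The increment in xs_watch_msg(), the decrement in xenwatch_thread() and the reset in unregister_xenbus_watch() all sit inside `watch_events_lock`, while register_xenbus_watch() zeroes it before `down_read(&xs_watch_rwsem)`. I would document that on the field, for example `/* Events queued for this watch and not yet dequeued; updated under watch_events_lock. */`. The commit message also suggests reading the counter from a `will_handle` callback, which xs_watch_msg() invokes before it takes `watch_events_lock`, so the comment should add that such a read is only a snapshot. All four functions start and end outside their hunks, so this rests on the visible lines only.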
@@ -0,0 +1,50 @@ +From be987200fbaceaef340872841d4f7af2c5ee8dc3 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 14 Dec 2020 10:05:47 +0100 +Subject: xen/xenbus/xen_bus_type: Support will_handle watch callback + +From: SeongJae Park + +commit be987200fbaceaef340872841d4f7af2c5ee8dc3 upstream. + +This commit adds support of the 'will_handle' watch callback for +'xen_bus_type' users. + +This is part of XSA-349 + +Cc: stable@vger.kernel.org +Signed-off-by: SeongJae Park +Reported-by: Michael Kurth +Reported-by: Pawel Wieczorkiewicz +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xenbus/xenbus.h | 2 ++ + drivers/xen/xenbus/xenbus_probe.c | 3 ++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/xen/xenbus/xenbus.h ++++ b/drivers/xen/xenbus/xenbus.h +@@ -44,6 +44,8 @@ struct xen_bus_type { + int (*get_bus_id)(char bus_id[XEN_BUS_ID_SIZE], const char *nodename); + int (*probe)(struct xen_bus_type *bus, const char *type, + const char *dir); ++ bool (*otherend_will_handle)(struct xenbus_watch *watch, ++ const char *path, const char *token); + void (*otherend_changed)(struct xenbus_watch *watch, const char *path, + const char *token); + struct bus_type bus; +--- a/drivers/xen/xenbus/xenbus_probe.c ++++ b/drivers/xen/xenbus/xenbus_probe.c +@@ -136,7 +136,8 @@ static int watch_otherend(struct xenbus_ + container_of(dev->dev.bus, struct xen_bus_type, bus); + + return xenbus_watch_pathfmt(dev, &dev->otherend_watch, +- NULL, bus->otherend_changed, ++ bus->otherend_will_handle, ++ bus->otherend_changed, + "%s/%s", dev->otherend, "state"); + } + diff --git a/queue-5.4/xenbus-xenbus_backend-disallow-pending-watch-messages.patch b/queue-5.4/xenbus-xenbus_backend-disallow-pending-watch-messages.patch new file mode 100644 index 00000000000..13c6a851eeb --- /dev/null +++ b/queue-5.4/xenbus-xenbus_backend-disallow-pending-watch-messages.patch 
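Review bot: `otherend_will_handle` is added to struct xen_bus_type without saying that it is optional or in what context it runs. Going by the xs_watch_msg() change and the xenbus.h comment earlier in this series, a NULL `will_handle` means every event is queued, and the callback is invoked with a spinlock held, so an implementation must not sleep. A one-line comment above the member would carry that, for example `/* Optional filter, called under a spinlock before an event is queued; NULL queues every event. */`. Both the struct and watch_otherend() extend beyond the hunks shown.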
@@ -0,0 +1,56 @@ +From 9996bd494794a2fe393e97e7a982388c6249aa76 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 14 Dec 2020 10:08:40 +0100 +Subject: xenbus/xenbus_backend: Disallow pending watch messages + +From: SeongJae Park + +commit 9996bd494794a2fe393e97e7a982388c6249aa76 upstream. + +'xenbus_backend' watches 'state' of devices, which is writable by +guests. Hence, if guests intensively updates it, dom0 will have lots of +pending events that exhausting memory of dom0. In other words, guests +can trigger dom0 memory pressure. This is known as XSA-349. However, +the watch callback of it, 'frontend_changed()', reads only 'state', so +doesn't need to have the pending events. + +To avoid the problem, this commit disallows pending watch messages for +'xenbus_backend' using the 'will_handle()' watch callback. + +This is part of XSA-349 + +Cc: stable@vger.kernel.org +Signed-off-by: SeongJae Park +Reported-by: Michael Kurth +Reported-by: Pawel Wieczorkiewicz +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xenbus/xenbus_probe_backend.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/xen/xenbus/xenbus_probe_backend.c ++++ b/drivers/xen/xenbus/xenbus_probe_backend.c +@@ -180,6 +180,12 @@ static int xenbus_probe_backend(struct x + return err; + } + ++static bool frontend_will_handle(struct xenbus_watch *watch, ++ const char *path, const char *token) ++{ ++ return watch->nr_pending == 0; ++} ++ + static void frontend_changed(struct xenbus_watch *watch, + const char *path, const char *token) + { +@@ -191,6 +197,7 @@ static struct xen_bus_type xenbus_backen + .levels = 3, /* backend/type// */ + .get_bus_id = backend_bus_id, + .probe = xenbus_probe_backend, ++ .otherend_will_handle = frontend_will_handle, + .otherend_changed = frontend_changed, + .bus = { + .name = "xen-backend", -- 2.47.3
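Review bot: `frontend_will_handle()` carries no comment explaining why discarding an event is safe; the reasoning exists only in the commit message. I would put it on the function, for example `/* One queued event is enough: frontend_changed() only reads the current 'state', so further events for this watch can be dropped. */`. The `watch->nr_pending` read happens outside `watch_events_lock`, since xs_watch_msg() calls the filter before taking that lock. This looks harmless here, but `return READ_ONCE(watch->nr_pending) == 0;` would make the lockless read explicit. The limit applies only to watches registered through watch_otherend() on this bus type, so it is worth confirming that no watch which leaves `will_handle` NULL sits on a guest-writable node.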