From b6fa65fbfbd55b8336376255c83891bedaeae19f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 8 Feb 2021 11:47:23 +0100 Subject: [PATCH] 5.4-stable patches added patches: drm-amd-display-revert-fix-edid-parsing-after-resume-from-suspend.patch mmc-core-limit-retries-when-analyse-of-sdio-tuples-fails.patch nvme-pci-avoid-the-deepest-sleep-state-on-kingston-a2000-ssds.patch smb3-fix-crediting-for-compounding-when-only-one-request-in-flight.patch smb3-fix-out-of-bounds-bug-in-smb2_negotiate.patch --- ...id-parsing-after-resume-from-suspend.patch | 34 ++++++++ ...es-when-analyse-of-sdio-tuples-fails.patch | 50 ++++++++++++ ...t-sleep-state-on-kingston-a2000-ssds.patch | 81 +++++++++++++++++++ queue-5.4/series | 5 ++ ...ding-when-only-one-request-in-flight.patch | 57 +++++++++++++ ...-out-of-bounds-bug-in-smb2_negotiate.patch | 64 +++++++++++++++ 6 files changed, 291 insertions(+) create mode 100644 queue-5.4/drm-amd-display-revert-fix-edid-parsing-after-resume-from-suspend.patch create mode 100644 queue-5.4/mmc-core-limit-retries-when-analyse-of-sdio-tuples-fails.patch create mode 100644 queue-5.4/nvme-pci-avoid-the-deepest-sleep-state-on-kingston-a2000-ssds.patch create mode 100644 queue-5.4/smb3-fix-crediting-for-compounding-when-only-one-request-in-flight.patch create mode 100644 queue-5.4/smb3-fix-out-of-bounds-bug-in-smb2_negotiate.patch diff --git a/queue-5.4/drm-amd-display-revert-fix-edid-parsing-after-resume-from-suspend.patch b/queue-5.4/drm-amd-display-revert-fix-edid-parsing-after-resume-from-suspend.patch new file mode 100644 index 00000000000..3de955f1425 --- /dev/null +++ b/queue-5.4/drm-amd-display-revert-fix-edid-parsing-after-resume-from-suspend.patch @@ -0,0 +1,34 @@ +From 1a10e5244778169a5a53a527d7830cf0438132a1 Mon Sep 17 00:00:00 2001 +From: Stylon Wang +Date: Tue, 5 Jan 2021 11:29:34 +0800 +Subject: drm/amd/display: Revert "Fix EDID parsing after resume from suspend" + +From: Stylon Wang + +commit 1a10e5244778169a5a53a527d7830cf0438132a1 upstream. + +This reverts commit b24bdc37d03a0478189e20a50286092840f414fa. +It caused memory leak after S3 on 4K HDMI displays. + +Signed-off-by: Stylon Wang +Reviewed-by: Rodrigo Siqueira +Acked-by: Anson Jacob +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -1434,8 +1434,6 @@ amdgpu_dm_update_connector_after_detect( + + drm_connector_update_edid_property(connector, + aconnector->edid); +- drm_add_edid_modes(connector, aconnector->edid); +- + if (aconnector->dc_link->aux_mode) + drm_dp_cec_set_edid(&aconnector->dm_dp_aux.aux, + aconnector->edid); diff --git a/queue-5.4/mmc-core-limit-retries-when-analyse-of-sdio-tuples-fails.patch b/queue-5.4/mmc-core-limit-retries-when-analyse-of-sdio-tuples-fails.patch new file mode 100644 index 00000000000..f50fb2b818e --- /dev/null +++ b/queue-5.4/mmc-core-limit-retries-when-analyse-of-sdio-tuples-fails.patch @@ -0,0 +1,50 @@ +From f92e04f764b86e55e522988e6f4b6082d19a2721 Mon Sep 17 00:00:00 2001 +From: Fengnan Chang +Date: Sat, 23 Jan 2021 11:32:31 +0800 +Subject: mmc: core: Limit retries when analyse of SDIO tuples fails + +From: Fengnan Chang + +commit f92e04f764b86e55e522988e6f4b6082d19a2721 upstream. + +When analysing tuples fails we may loop indefinitely to retry. Let's avoid +this by using a 10s timeout and bail if not completed earlier. + +Signed-off-by: Fengnan Chang +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210123033230.36442-1-fengnanchang@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/sdio_cis.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/mmc/core/sdio_cis.c ++++ b/drivers/mmc/core/sdio_cis.c +@@ -20,6 +20,8 @@ + #include "sdio_cis.h" + #include "sdio_ops.h" + ++#define SDIO_READ_CIS_TIMEOUT_MS (10 * 1000) /* 10s */ ++ + static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func, + const unsigned char *buf, unsigned size) + { +@@ -266,6 +268,8 @@ static int sdio_read_cis(struct mmc_card + + do { + unsigned char tpl_code, tpl_link; ++ unsigned long timeout = jiffies + ++ msecs_to_jiffies(SDIO_READ_CIS_TIMEOUT_MS); + + ret = mmc_io_rw_direct(card, 0, 0, ptr++, 0, &tpl_code); + if (ret) +@@ -318,6 +322,8 @@ static int sdio_read_cis(struct mmc_card + prev = &this->next; + + if (ret == -ENOENT) { ++ if (time_after(jiffies, timeout)) ++ break; + /* warn about unknown tuples */ + pr_warn_ratelimited("%s: queuing unknown" + " CIS tuple 0x%02x (%u bytes)\n", diff --git a/queue-5.4/nvme-pci-avoid-the-deepest-sleep-state-on-kingston-a2000-ssds.patch b/queue-5.4/nvme-pci-avoid-the-deepest-sleep-state-on-kingston-a2000-ssds.patch new file mode 100644 index 00000000000..249fd1d984c --- /dev/null +++ b/queue-5.4/nvme-pci-avoid-the-deepest-sleep-state-on-kingston-a2000-ssds.patch @@ -0,0 +1,81 @@ +From 538e4a8c571efdf131834431e0c14808bcfb1004 Mon Sep 17 00:00:00 2001 +From: Thorsten Leemhuis +Date: Fri, 29 Jan 2021 06:24:42 +0100 +Subject: nvme-pci: avoid the deepest sleep state on Kingston A2000 SSDs + +From: Thorsten Leemhuis + +commit 538e4a8c571efdf131834431e0c14808bcfb1004 upstream. + +Some Kingston A2000 NVMe SSDs sooner or later get confused and stop +working when they use the deepest APST sleep while running Linux. The +system then crashes and one has to cold boot it to get the SSD working +again. + +Kingston seems to known about this since at least mid-September 2020: +https://bbs.archlinux.org/viewtopic.php?pid=1926994#p1926994 + +Someone working for a German company representing Kingston to the German +press confirmed to me Kingston engineering is aware of the issue and +investigating; the person stated that to their current knowledge only +the deepest APST sleep state causes trouble. Therefore, make Linux avoid +it for now by applying the NVME_QUIRK_NO_DEEPEST_PS to this SSD. + +I have two such SSDs, but it seems the problem doesn't occur with them. +I hence couldn't verify if this patch really fixes the problem, but all +the data in front of me suggests it should. + +This patch can easily be reverted or improved upon if a better solution +surfaces. + +FWIW, there are many reports about the issue scattered around the web; +most of the users disabled APST completely to make things work, some +just made Linux avoid the deepest sleep state: + +https://bugzilla.kernel.org/show_bug.cgi?id=195039#c65 +https://bugzilla.kernel.org/show_bug.cgi?id=195039#c73 +https://bugzilla.kernel.org/show_bug.cgi?id=195039#c74 +https://bugzilla.kernel.org/show_bug.cgi?id=195039#c78 +https://bugzilla.kernel.org/show_bug.cgi?id=195039#c79 +https://bugzilla.kernel.org/show_bug.cgi?id=195039#c80 +https://askubuntu.com/questions/1222049/nvmekingston-a2000-sometimes-stops-giving-response-in-ubuntu-18-04dell-inspir +https://community.acer.com/en/discussion/604326/m-2-nvme-ssd-aspire-517-51g-issue-compatibility-kingston-a2000-linux-ubuntu + +For the record, some data from 'nvme id-ctrl /dev/nvme0' + +NVME Identify Controller: +vid : 0x2646 +ssvid : 0x2646 +mn : KINGSTON SA2000M81000G +fr : S5Z42105 +[...] +ps 0 : mp:9.00W operational enlat:0 exlat:0 rrt:0 rrl:0 + rwt:0 rwl:0 idle_power:- active_power:- +ps 1 : mp:4.60W operational enlat:0 exlat:0 rrt:1 rrl:1 + rwt:1 rwl:1 idle_power:- active_power:- +ps 2 : mp:3.80W operational enlat:0 exlat:0 rrt:2 rrl:2 + rwt:2 rwl:2 idle_power:- active_power:- +ps 3 : mp:0.0450W non-operational enlat:2000 exlat:2000 rrt:3 rrl:3 + rwt:3 rwl:3 idle_power:- active_power:- +ps 4 : mp:0.0040W non-operational enlat:15000 exlat:15000 rrt:4 rrl:4 + rwt:4 rwl:4 idle_power:- active_power:- + +Cc: stable@vger.kernel.org # 4.14+ +Signed-off-by: Thorsten Leemhuis +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3161,6 +3161,8 @@ static const struct pci_device_id nvme_i + { PCI_DEVICE(0x1c5c, 0x1504), /* SK Hynix PC400 */ + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, + { PCI_DEVICE_CLASS(PCI_CLASS_STORAGE_EXPRESS, 0xffffff) }, ++ { PCI_DEVICE(0x2646, 0x2263), /* KINGSTON A2000 NVMe SSD */ ++ .driver_data = NVME_QUIRK_NO_DEEPEST_PS, }, + { PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2001), + .driver_data = NVME_QUIRK_SINGLE_VECTOR }, + { PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2003) }, diff --git a/queue-5.4/series b/queue-5.4/series index e3f30cc18d3..b88d9bfea66 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -37,3 +37,8 @@ libnvdimm-dimm-avoid-race-between-probe-and-available_slots_show.patch genirq-msi-activate-multi-msi-early-when-msi_flag_activate_early-is-set.patch xhci-fix-bounce-buffer-usage-for-non-sg-list-case.patch cifs-report-error-instead-of-invalid-when-revalidating-a-dentry-fails.patch +smb3-fix-out-of-bounds-bug-in-smb2_negotiate.patch +smb3-fix-crediting-for-compounding-when-only-one-request-in-flight.patch +mmc-core-limit-retries-when-analyse-of-sdio-tuples-fails.patch +drm-amd-display-revert-fix-edid-parsing-after-resume-from-suspend.patch +nvme-pci-avoid-the-deepest-sleep-state-on-kingston-a2000-ssds.patch diff --git a/queue-5.4/smb3-fix-crediting-for-compounding-when-only-one-request-in-flight.patch b/queue-5.4/smb3-fix-crediting-for-compounding-when-only-one-request-in-flight.patch new file mode 100644 index 00000000000..d3ac6756f2a --- /dev/null +++ b/queue-5.4/smb3-fix-crediting-for-compounding-when-only-one-request-in-flight.patch @@ -0,0 +1,57 @@ +From 91792bb8089b63b7b780251eb83939348ac58a64 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Tue, 2 Feb 2021 22:34:32 -0600 +Subject: smb3: fix crediting for compounding when only one request in flight + +From: Pavel Shilovsky + +commit 91792bb8089b63b7b780251eb83939348ac58a64 upstream. + +Currently we try to guess if a compound request is going to +succeed waiting for credits or not based on the number of +requests in flight. This approach doesn't work correctly +all the time because there may be only one request in +flight which is going to bring multiple credits satisfying +the compound request. + +Change the behavior to fail a request only if there are no requests +in flight at all and proceed waiting for credits otherwise. + +Cc: # 5.1+ +Signed-off-by: Pavel Shilovsky +Reviewed-by: Tom Talpey +Reviewed-by: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/transport.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -659,10 +659,22 @@ wait_for_compound_request(struct TCP_Ser + spin_lock(&server->req_lock); + if (*credits < num) { + /* +- * Return immediately if not too many requests in flight since +- * we will likely be stuck on waiting for credits. ++ * If the server is tight on resources or just gives us less ++ * credits for other reasons (e.g. requests are coming out of ++ * order and the server delays granting more credits until it ++ * processes a missing mid) and we exhausted most available ++ * credits there may be situations when we try to send ++ * a compound request but we don't have enough credits. At this ++ * point the client needs to decide if it should wait for ++ * additional credits or fail the request. If at least one ++ * request is in flight there is a high probability that the ++ * server will return enough credits to satisfy this compound ++ * request. ++ * ++ * Return immediately if no requests in flight since we will be ++ * stuck on waiting for credits. + */ +- if (server->in_flight < num - *credits) { ++ if (server->in_flight == 0) { + spin_unlock(&server->req_lock); + return -ENOTSUPP; + } diff --git a/queue-5.4/smb3-fix-out-of-bounds-bug-in-smb2_negotiate.patch b/queue-5.4/smb3-fix-out-of-bounds-bug-in-smb2_negotiate.patch new file mode 100644 index 00000000000..04d5fe5872d --- /dev/null +++ b/queue-5.4/smb3-fix-out-of-bounds-bug-in-smb2_negotiate.patch @@ -0,0 +1,64 @@ +From 8d8d1dbefc423d42d626cf5b81aac214870ebaab Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 1 Feb 2021 20:36:54 -0600 +Subject: smb3: Fix out-of-bounds bug in SMB2_negotiate() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gustavo A. R. Silva + +commit 8d8d1dbefc423d42d626cf5b81aac214870ebaab upstream. + +While addressing some warnings generated by -Warray-bounds, I found this +bug that was introduced back in 2017: + + CC [M] fs/cifs/smb2pdu.o +fs/cifs/smb2pdu.c: In function ‘SMB2_negotiate’: +fs/cifs/smb2pdu.c:822:16: warning: array subscript 1 is above array bounds +of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds] + 822 | req->Dialects[1] = cpu_to_le16(SMB30_PROT_ID); + | ~~~~~~~~~~~~~^~~ +fs/cifs/smb2pdu.c:823:16: warning: array subscript 2 is above array bounds +of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds] + 823 | req->Dialects[2] = cpu_to_le16(SMB302_PROT_ID); + | ~~~~~~~~~~~~~^~~ +fs/cifs/smb2pdu.c:824:16: warning: array subscript 3 is above array bounds +of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds] + 824 | req->Dialects[3] = cpu_to_le16(SMB311_PROT_ID); + | ~~~~~~~~~~~~~^~~ +fs/cifs/smb2pdu.c:816:16: warning: array subscript 1 is above array bounds +of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds] + 816 | req->Dialects[1] = cpu_to_le16(SMB302_PROT_ID); + | ~~~~~~~~~~~~~^~~ + +At the time, the size of array _Dialects_ was changed from 1 to 3 in struct +validate_negotiate_info_req, and then in 2019 it was changed from 3 to 4, +but those changes were never made in struct smb2_negotiate_req, which has +led to a 3 and a half years old out-of-bounds bug in function +SMB2_negotiate() (fs/cifs/smb2pdu.c). + +Fix this by increasing the size of array _Dialects_ in struct +smb2_negotiate_req to 4. + +Fixes: 9764c02fcbad ("SMB3: Add support for multidialect negotiate (SMB2.1 and later)") +Fixes: d5c7076b772a ("smb3: add smb3.1.1 to default dialect list") +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2pdu.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2pdu.h ++++ b/fs/cifs/smb2pdu.h +@@ -227,7 +227,7 @@ struct smb2_negotiate_req { + __le32 NegotiateContextOffset; /* SMB3.1.1 only. MBZ earlier */ + __le16 NegotiateContextCount; /* SMB3.1.1 only. MBZ earlier */ + __le16 Reserved2; +- __le16 Dialects[1]; /* One dialect (vers=) at a time for now */ ++ __le16 Dialects[4]; /* BB expand this if autonegotiate > 4 dialects */ + } __packed; + + /* Dialects */ -- 2.47.3