From d0aff809f379b2de414d88a3685c59eaa90e1721 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 17 May 2021 10:27:51 +0200 Subject: [PATCH] 5.4-stable patches added patches: cdc-wdm-untangle-a-circular-dependency-between-callback-and-softint.patch iio-gyro-mpu3050-fix-reported-temperature-value.patch iio-tsl2583-fix-division-by-a-zero-lux_val.patch kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch xhci-add-reset-resume-quirk-for-amd-xhci-controller.patch xhci-do-not-use-gfp_kernel-in-potentially-atomic-context.patch --- ...endency-between-callback-and-softint.patch | 105 ++++++++++++++++++ ...u3050-fix-reported-temperature-value.patch | 59 ++++++++++ ...l2583-fix-division-by-a-zero-lux_val.patch | 45 ++++++++ ...-pvclock_gtod_work-on-module-removal.patch | 44 ++++++++ queue-5.4/series | 6 + ...resume-quirk-for-amd-xhci-controller.patch | 38 +++++++ ...kernel-in-potentially-atomic-context.patch | 58 ++++++++++ 7 files changed, 355 insertions(+) create mode 100644 queue-5.4/cdc-wdm-untangle-a-circular-dependency-between-callback-and-softint.patch create mode 100644 queue-5.4/iio-gyro-mpu3050-fix-reported-temperature-value.patch create mode 100644 queue-5.4/iio-tsl2583-fix-division-by-a-zero-lux_val.patch create mode 100644 queue-5.4/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch create mode 100644 queue-5.4/xhci-add-reset-resume-quirk-for-amd-xhci-controller.patch create mode 100644 queue-5.4/xhci-do-not-use-gfp_kernel-in-potentially-atomic-context.patch diff --git a/queue-5.4/cdc-wdm-untangle-a-circular-dependency-between-callback-and-softint.patch b/queue-5.4/cdc-wdm-untangle-a-circular-dependency-between-callback-and-softint.patch new file mode 100644 index 00000000000..d414ce16ff5 --- /dev/null +++ b/queue-5.4/cdc-wdm-untangle-a-circular-dependency-between-callback-and-softint.patch @@ -0,0 +1,105 @@ +From 18abf874367456540846319574864e6ff32752e2 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Mon, 26 Apr 2021 11:26:22 +0200 +Subject: cdc-wdm: untangle a circular dependency between callback and softint + +From: Oliver Neukum + +commit 18abf874367456540846319574864e6ff32752e2 upstream. + +We have a cycle of callbacks scheduling works which submit +URBs with those callbacks. This needs to be blocked, stopped +and unblocked to untangle the circle. + +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20210426092622.20433-1-oneukum@suse.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-wdm.c | 30 ++++++++++++++++++++++-------- + 1 file changed, 22 insertions(+), 8 deletions(-) + +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -321,12 +321,23 @@ exit: + + } + +-static void kill_urbs(struct wdm_device *desc) ++static void poison_urbs(struct wdm_device *desc) + { + /* the order here is essential */ +- usb_kill_urb(desc->command); +- usb_kill_urb(desc->validity); +- usb_kill_urb(desc->response); ++ usb_poison_urb(desc->command); ++ usb_poison_urb(desc->validity); ++ usb_poison_urb(desc->response); ++} ++ ++static void unpoison_urbs(struct wdm_device *desc) ++{ ++ /* ++ * the order here is not essential ++ * it is symmetrical just to be nice ++ */ ++ usb_unpoison_urb(desc->response); ++ usb_unpoison_urb(desc->validity); ++ usb_unpoison_urb(desc->command); + } + + static void free_urbs(struct wdm_device *desc) +@@ -741,11 +752,12 @@ static int wdm_release(struct inode *ino + if (!desc->count) { + if (!test_bit(WDM_DISCONNECTING, &desc->flags)) { + dev_dbg(&desc->intf->dev, "wdm_release: cleanup\n"); +- kill_urbs(desc); ++ poison_urbs(desc); + spin_lock_irq(&desc->iuspin); + desc->resp_count = 0; + spin_unlock_irq(&desc->iuspin); + desc->manage_power(desc->intf, 0); ++ unpoison_urbs(desc); + } else { + /* must avoid dev_printk here as desc->intf is invalid */ + pr_debug(KBUILD_MODNAME " %s: device gone - cleaning up\n", __func__); +@@ -1036,9 +1048,9 @@ static void wdm_disconnect(struct usb_in + wake_up_all(&desc->wait); + mutex_lock(&desc->rlock); + mutex_lock(&desc->wlock); ++ poison_urbs(desc); + cancel_work_sync(&desc->rxwork); + cancel_work_sync(&desc->service_outs_intr); +- kill_urbs(desc); + mutex_unlock(&desc->wlock); + mutex_unlock(&desc->rlock); + +@@ -1079,9 +1091,10 @@ static int wdm_suspend(struct usb_interf + set_bit(WDM_SUSPENDING, &desc->flags); + spin_unlock_irq(&desc->iuspin); + /* callback submits work - order is essential */ +- kill_urbs(desc); ++ poison_urbs(desc); + cancel_work_sync(&desc->rxwork); + cancel_work_sync(&desc->service_outs_intr); ++ unpoison_urbs(desc); + } + if (!PMSG_IS_AUTO(message)) { + mutex_unlock(&desc->wlock); +@@ -1139,7 +1152,7 @@ static int wdm_pre_reset(struct usb_inte + wake_up_all(&desc->wait); + mutex_lock(&desc->rlock); + mutex_lock(&desc->wlock); +- kill_urbs(desc); ++ poison_urbs(desc); + cancel_work_sync(&desc->rxwork); + cancel_work_sync(&desc->service_outs_intr); + return 0; +@@ -1150,6 +1163,7 @@ static int wdm_post_reset(struct usb_int + struct wdm_device *desc = wdm_find_device(intf); + int rv; + ++ unpoison_urbs(desc); + clear_bit(WDM_OVERFLOW, &desc->flags); + clear_bit(WDM_RESETTING, &desc->flags); + rv = recover_from_urb_loss(desc); diff --git a/queue-5.4/iio-gyro-mpu3050-fix-reported-temperature-value.patch b/queue-5.4/iio-gyro-mpu3050-fix-reported-temperature-value.patch new file mode 100644 index 00000000000..28930426992 --- /dev/null +++ b/queue-5.4/iio-gyro-mpu3050-fix-reported-temperature-value.patch @@ -0,0 +1,59 @@ +From f73c730774d88a14d7b60feee6d0e13570f99499 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Fri, 23 Apr 2021 05:09:59 +0300 +Subject: iio: gyro: mpu3050: Fix reported temperature value + +From: Dmitry Osipenko + +commit f73c730774d88a14d7b60feee6d0e13570f99499 upstream. + +The raw temperature value is a 16-bit signed integer. The sign casting +is missing in the code, which results in a wrong temperature reported +by userspace tools, fix it. + +Cc: stable@vger.kernel.org +Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope") +Datasheet: https://www.cdiweb.com/datasheets/invensense/mpu-3000a.pdf +Tested-by: Maxim Schwalm # Asus TF700T +Tested-by: Svyatoslav Ryhel # Asus TF201 +Reported-by: Svyatoslav Ryhel +Reviewed-by: Andy Shevchenko +Reviewed-by: Linus Walleij +Signed-off-by: Dmitry Osipenko +Acked-by: Jean-Baptiste Maneyrol +Link: https://lore.kernel.org/r/20210423020959.5023-1-digetx@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/gyro/mpu3050-core.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/iio/gyro/mpu3050-core.c ++++ b/drivers/iio/gyro/mpu3050-core.c +@@ -271,7 +271,16 @@ static int mpu3050_read_raw(struct iio_d + case IIO_CHAN_INFO_OFFSET: + switch (chan->type) { + case IIO_TEMP: +- /* The temperature scaling is (x+23000)/280 Celsius */ ++ /* ++ * The temperature scaling is (x+23000)/280 Celsius ++ * for the "best fit straight line" temperature range ++ * of -30C..85C. The 23000 includes room temperature ++ * offset of +35C, 280 is the precision scale and x is ++ * the 16-bit signed integer reported by hardware. ++ * ++ * Temperature value itself represents temperature of ++ * the sensor die. ++ */ + *val = 23000; + return IIO_VAL_INT; + default: +@@ -328,7 +337,7 @@ static int mpu3050_read_raw(struct iio_d + goto out_read_raw_unlock; + } + +- *val = be16_to_cpu(raw_val); ++ *val = (s16)be16_to_cpu(raw_val); + ret = IIO_VAL_INT; + + goto out_read_raw_unlock; diff --git a/queue-5.4/iio-tsl2583-fix-division-by-a-zero-lux_val.patch b/queue-5.4/iio-tsl2583-fix-division-by-a-zero-lux_val.patch new file mode 100644 index 00000000000..f3485a258ba --- /dev/null +++ b/queue-5.4/iio-tsl2583-fix-division-by-a-zero-lux_val.patch @@ -0,0 +1,45 @@ +From af0e1871d79cfbb91f732d2c6fa7558e45c31038 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Fri, 7 May 2021 19:30:41 +0100 +Subject: iio: tsl2583: Fix division by a zero lux_val + +From: Colin Ian King + +commit af0e1871d79cfbb91f732d2c6fa7558e45c31038 upstream. + +The lux_val returned from tsl2583_get_lux can potentially be zero, +so check for this to avoid a division by zero and an overflowed +gain_trim_val. + +Fixes clang scan-build warning: + +drivers/iio/light/tsl2583.c:345:40: warning: Either the +condition 'lux_val<0' is redundant or there is division +by zero at line 345. [zerodivcond] + +Fixes: ac4f6eee8fe8 ("staging: iio: TAOS tsl258x: Device driver") +Signed-off-by: Colin Ian King +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/tsl2583.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/iio/light/tsl2583.c ++++ b/drivers/iio/light/tsl2583.c +@@ -341,6 +341,14 @@ static int tsl2583_als_calibrate(struct + return lux_val; + } + ++ /* Avoid division by zero of lux_value later on */ ++ if (lux_val == 0) { ++ dev_err(&chip->client->dev, ++ "%s: lux_val of 0 will produce out of range trim_value\n", ++ __func__); ++ return -ENODATA; ++ } ++ + gain_trim_val = (unsigned int)(((chip->als_settings.als_cal_target) + * chip->als_settings.als_gain_trim) / lux_val); + if ((gain_trim_val < 250) || (gain_trim_val > 4000)) { diff --git a/queue-5.4/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch b/queue-5.4/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch new file mode 100644 index 00000000000..1ad17263698 --- /dev/null +++ b/queue-5.4/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch @@ -0,0 +1,44 @@ +From 594b27e677b35f9734b1969d175ebc6146741109 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 5 May 2021 23:48:17 +0200 +Subject: KVM: x86: Cancel pvclock_gtod_work on module removal + +From: Thomas Gleixner + +commit 594b27e677b35f9734b1969d175ebc6146741109 upstream. + +Nothing prevents the following: + + pvclock_gtod_notify() + queue_work(system_long_wq, &pvclock_gtod_work); + ... + remove_module(kvm); + ... + work_queue_run() + pvclock_gtod_work() <- UAF + +Ditto for any other operation on that workqueue list head which touches +pvclock_gtod_work after module removal. + +Cancel the work in kvm_arch_exit() to prevent that. + +Fixes: 16e8d74d2da9 ("KVM: x86: notifier for clocksource changes") +Signed-off-by: Thomas Gleixner +Message-Id: <87czu4onry.ffs@nanos.tec.linutronix.de> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -7356,6 +7356,7 @@ void kvm_arch_exit(void) + cpuhp_remove_state_nocalls(CPUHP_AP_X86_KVM_CLK_ONLINE); + #ifdef CONFIG_X86_64 + pvclock_gtod_unregister_notifier(&pvclock_gtod_notifier); ++ cancel_work_sync(&pvclock_gtod_work); + #endif + kvm_x86_ops = NULL; + kvm_mmu_module_exit(); diff --git a/queue-5.4/series b/queue-5.4/series index 7d8db065afd..8a50c4a95e6 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -116,3 +116,9 @@ usb-xhci-increase-timeout-for-hc-halt.patch usb-dwc2-fix-gadget-dma-unmap-direction.patch usb-core-hub-fix-race-condition-about-trsmrcy-of-resume.patch usb-dwc3-gadget-return-success-always-for-kick-transfer-in-ep-queue.patch +xhci-do-not-use-gfp_kernel-in-potentially-atomic-context.patch +xhci-add-reset-resume-quirk-for-amd-xhci-controller.patch +iio-gyro-mpu3050-fix-reported-temperature-value.patch +iio-tsl2583-fix-division-by-a-zero-lux_val.patch +cdc-wdm-untangle-a-circular-dependency-between-callback-and-softint.patch +kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch diff --git a/queue-5.4/xhci-add-reset-resume-quirk-for-amd-xhci-controller.patch b/queue-5.4/xhci-add-reset-resume-quirk-for-amd-xhci-controller.patch new file mode 100644 index 00000000000..2487fc8aea7 --- /dev/null +++ b/queue-5.4/xhci-add-reset-resume-quirk-for-amd-xhci-controller.patch @@ -0,0 +1,38 @@ +From 3c128781d8da463761495aaf8898c9ecb4e71528 Mon Sep 17 00:00:00 2001 +From: Sandeep Singh +Date: Wed, 12 May 2021 11:08:16 +0300 +Subject: xhci: Add reset resume quirk for AMD xhci controller. + +From: Sandeep Singh + +commit 3c128781d8da463761495aaf8898c9ecb4e71528 upstream. + +One of AMD xhci controller require reset on resume. +Occasionally AMD xhci controller does not respond to +Stop endpoint command. +Once the issue happens controller goes into bad state +and in that case controller needs to be reset. + +Cc: +Signed-off-by: Sandeep Singh +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20210512080816.866037-6-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -153,8 +153,10 @@ static void xhci_pci_quirks(struct devic + (pdev->device == 0x15e0 || pdev->device == 0x15e1)) + xhci->quirks |= XHCI_SNPS_BROKEN_SUSPEND; + +- if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == 0x15e5) ++ if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == 0x15e5) { + xhci->quirks |= XHCI_DISABLE_SPARSE; ++ xhci->quirks |= XHCI_RESET_ON_RESUME; ++ } + + if (pdev->vendor == PCI_VENDOR_ID_AMD) + xhci->quirks |= XHCI_TRUST_TX_LENGTH; diff --git a/queue-5.4/xhci-do-not-use-gfp_kernel-in-potentially-atomic-context.patch b/queue-5.4/xhci-do-not-use-gfp_kernel-in-potentially-atomic-context.patch new file mode 100644 index 00000000000..1114ce2d1cf --- /dev/null +++ b/queue-5.4/xhci-do-not-use-gfp_kernel-in-potentially-atomic-context.patch @@ -0,0 +1,58 @@ +From dda32c00c9a0fa103b5d54ef72c477b7aa993679 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Wed, 12 May 2021 11:08:14 +0300 +Subject: xhci: Do not use GFP_KERNEL in (potentially) atomic context + +From: Christophe JAILLET + +commit dda32c00c9a0fa103b5d54ef72c477b7aa993679 upstream. + +'xhci_urb_enqueue()' is passed a 'mem_flags' argument, because "URBs may be +submitted in interrupt context" (see comment related to 'usb_submit_urb()' +in 'drivers/usb/core/urb.c') + +So this flag should be used in all the calling chain. +Up to now, 'xhci_check_maxpacket()' which is only called from +'xhci_urb_enqueue()', uses GFP_KERNEL. + +Be safe and pass the mem_flags to this function as well. + +Fixes: ddba5cd0aeff ("xhci: Use command structures when queuing commands on the command ring") +Cc: +Signed-off-by: Christophe JAILLET +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20210512080816.866037-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -1397,7 +1397,7 @@ static int xhci_configure_endpoint(struc + * we need to issue an evaluate context command and wait on it. + */ + static int xhci_check_maxpacket(struct xhci_hcd *xhci, unsigned int slot_id, +- unsigned int ep_index, struct urb *urb) ++ unsigned int ep_index, struct urb *urb, gfp_t mem_flags) + { + struct xhci_container_ctx *out_ctx; + struct xhci_input_control_ctx *ctrl_ctx; +@@ -1428,7 +1428,7 @@ static int xhci_check_maxpacket(struct x + * changes max packet sizes. + */ + +- command = xhci_alloc_command(xhci, true, GFP_KERNEL); ++ command = xhci_alloc_command(xhci, true, mem_flags); + if (!command) + return -ENOMEM; + +@@ -1524,7 +1524,7 @@ static int xhci_urb_enqueue(struct usb_h + */ + if (urb->dev->speed == USB_SPEED_FULL) { + ret = xhci_check_maxpacket(xhci, slot_id, +- ep_index, urb); ++ ep_index, urb, mem_flags); + if (ret < 0) { + xhci_urb_free_priv(urb_priv); + urb->hcpriv = NULL; -- 2.47.3