From f512e8fbda62eddb37696274d51847bbfa573d45 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 18 May 2020 15:42:16 +0200 Subject: [PATCH] 5.4-stable patches added patches: arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch cifs-fix-leaked-reference-on-requeued-write.patch drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch usb-cdns3-gadget-prev_req-trb-is-null-for-ep0.patch usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch x86-fix-early-boot-crash-on-gcc-10-third-try.patch --- ...-dts-dra7-fix-bus_dma_limit-for-pcie.patch | 59 +++++++ ...d-s-rdk-fix-the-i2c1-pinctrl-entries.patch | 43 ++++++ ...4-fix-ursa-board-ethernet-connection.patch | 39 +++++ ...x-leaked-reference-on-requeued-write.patch | 40 +++++ ...-basic-atomic-check-for-cursor-plane.patch | 72 +++++++++ ...ebufer-size-message-be-drm_info_once.patch | 50 ++++++ ...d-failure-with-config_ppc_kuap_debug.patch | 35 +++++ queue-5.4/series | 11 ++ ...-gadget-prev_req-trb-is-null-for-ep0.patch | 97 ++++++++++++ ...gal-array-access-in-binding-with-udc.patch | 75 +++++++++ ...ep-runtime-active-when-removing-host.patch | 2 - ...when-enqueuing-trbs-from-urb-sg-list.patch | 74 +++++++++ ...early-boot-crash-on-gcc-10-third-try.patch | 144 ++++++++++++++++++ 13 files changed, 739 insertions(+), 2 deletions(-) create mode 100644 queue-5.4/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch create mode 100644 queue-5.4/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch create mode 100644 queue-5.4/arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch create mode 100644 queue-5.4/cifs-fix-leaked-reference-on-requeued-write.patch create mode 100644 
queue-5.4/drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch
create mode 100644 queue-5.4/make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch
create mode 100644 queue-5.4/powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch
create mode 100644 queue-5.4/usb-cdns3-gadget-prev_req-trb-is-null-for-ep0.patch
create mode 100644 queue-5.4/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch
create mode 100644 queue-5.4/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch
create mode 100644 queue-5.4/x86-fix-early-boot-crash-on-gcc-10-third-try.patch
diff --git a/queue-5.4/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch b/queue-5.4/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch
new file mode 100644
index 00000000000..e2e2659a268
--- /dev/null
+++ b/queue-5.4/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch
@@ -0,0 +1,59 @@ +From 90d4d3f4ea45370d482fa609dbae4d2281b4074f Mon Sep 17 00:00:00 2001 +From: Kishon Vijay Abraham I +Date: Fri, 17 Apr 2020 12:13:40 +0530 +Subject: ARM: dts: dra7: Fix bus_dma_limit for PCIe + +From: Kishon Vijay Abraham I + +commit 90d4d3f4ea45370d482fa609dbae4d2281b4074f upstream. + +Even though commit cfb5d65f2595 ("ARM: dts: dra7: Add bus_dma_limit +for L3 bus") added bus_dma_limit for L3 bus, the PCIe controller +gets incorrect value of bus_dma_limit. + +Fix it by adding empty dma-ranges property to axi@0 and axi@1 +(parent device tree node of PCIe controller). + +Cc: stable@kernel.org +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/dra7.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/dra7.dtsi ++++ b/arch/arm/boot/dts/dra7.dtsi +@@ -172,6 +172,7 @@ + #address-cells = <1>; + ranges = <0x51000000 0x51000000 0x3000 + 0x0 0x20000000 0x10000000>; ++ dma-ranges; + /** + * To enable PCI endpoint mode, disable the pcie1_rc + * node and enable pcie1_ep mode. +@@ -185,7 +186,6 @@ + device_type = "pci"; + ranges = <0x81000000 0 0 0x03000 0 0x00010000 + 0x82000000 0 0x20013000 0x13000 0 0xffed000>; +- dma-ranges = <0x02000000 0x0 0x00000000 0x00000000 0x1 0x00000000>; + bus-range = <0x00 0xff>; + #interrupt-cells = <1>; + num-lanes = <1>; +@@ -230,6 +230,7 @@ + #address-cells = <1>; + ranges = <0x51800000 0x51800000 0x3000 + 0x0 0x30000000 0x10000000>; ++ dma-ranges; + status = "disabled"; + pcie2_rc: pcie@51800000 { + reg = <0x51800000 0x2000>, <0x51802000 0x14c>, <0x1000 0x2000>; +@@ -240,7 +241,6 @@ + device_type = "pci"; + ranges = <0x81000000 0 0 0x03000 0 0x00010000 + 0x82000000 0 0x30013000 0x13000 0 0xffed000>; +- dma-ranges = <0x02000000 0x0 0x00000000 0x00000000 0x1 0x00000000>; + bus-range = <0x00 0xff>; + #interrupt-cells = <1>; + num-lanes = <1>; 
diff --git a/queue-5.4/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch b/queue-5.4/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch new file mode 100644 index 00000000000..3851bc305c4 --- /dev/null +++ b/queue-5.4/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch @@ -0,0 +1,43 @@ +From 0caf34350a25907515d929a9c77b9b206aac6d1e Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Fri, 27 Mar 2020 10:36:24 -0300 +Subject: ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries + +From: Fabio Estevam + +commit 0caf34350a25907515d929a9c77b9b206aac6d1e upstream. + +The I2C2 pins are already used and the following errors are seen: + +imx27-pinctrl 10015000.iomuxc: pin MX27_PAD_I2C2_SDA already requested by 10012000.i2c; cannot claim for 1001d000.i2c +imx27-pinctrl 10015000.iomuxc: pin-69 (1001d000.i2c) status -22 +imx27-pinctrl 10015000.iomuxc: could not request pin 69 (MX27_PAD_I2C2_SDA) from group i2c2grp on device 10015000.iomuxc +imx-i2c 1001d000.i2c: Error applying setting, reverse things back +imx-i2c: probe of 1001d000.i2c failed with error -22 + +Fix it by adding the correct I2C1 IOMUX entries for the pinctrl_i2c1 group. + +Cc: +Fixes: 61664d0b432a ("ARM: dts: imx27 phyCARD-S pinctrl") +Signed-off-by: Fabio Estevam +Reviewed-by: Stefan Riedmueller +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts ++++ b/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts +@@ -75,8 +75,8 @@ + imx27-phycard-s-rdk { + pinctrl_i2c1: i2c1grp { + fsl,pins = < +- MX27_PAD_I2C2_SDA__I2C2_SDA 0x0 +- MX27_PAD_I2C2_SCL__I2C2_SCL 0x0 ++ MX27_PAD_I2C_DATA__I2C_DATA 0x0 ++ MX27_PAD_I2C_CLK__I2C_CLK 0x0 + >; + }; + 
diff --git a/queue-5.4/arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch b/queue-5.4/arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch new file mode 100644 index 00000000000..028ae829c7b --- /dev/null +++ b/queue-5.4/arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch @@ -0,0 +1,39 @@ +From cbe63a8358310244e6007398bd2c7c70c7fd51cd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Vok=C3=A1=C4=8D?= +Date: Tue, 17 Mar 2020 09:46:28 +0100 +Subject: ARM: dts: imx6dl-yapp4: Fix Ursa board Ethernet connection +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Vokáč + +commit cbe63a8358310244e6007398bd2c7c70c7fd51cd upstream. + +The Y Soft yapp4 platform supports up to two Ethernet ports. +The Ursa board though has only one Ethernet port populated and that is +the port@2. Since the introduction of this platform into mainline a wrong +port was deleted and the Ethernet could never work. Fix this by deleting +the correct port node. + +Fixes: 87489ec3a77f ("ARM: dts: imx: Add Y Soft IOTA Draco, Hydra and Ursa boards") +Cc: stable@vger.kernel.org +Signed-off-by: Michal Vokáč +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/imx6dl-yapp4-ursa.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/imx6dl-yapp4-ursa.dts ++++ b/arch/arm/boot/dts/imx6dl-yapp4-ursa.dts +@@ -38,7 +38,7 @@ + }; + + &switch_ports { +- /delete-node/ port@2; ++ /delete-node/ port@3; + }; + + &touchscreen { diff --git a/queue-5.4/cifs-fix-leaked-reference-on-requeued-write.patch b/queue-5.4/cifs-fix-leaked-reference-on-requeued-write.patch new file mode 100644 index 00000000000..02058e8ffdb --- /dev/null +++ b/queue-5.4/cifs-fix-leaked-reference-on-requeued-write.patch 
@@ -0,0 +1,40 @@ +From a48137996063d22ffba77e077425f49873856ca5 Mon Sep 17 00:00:00 2001 +From: Adam McCoy +Date: Wed, 13 May 2020 11:53:30 +0000 +Subject: cifs: fix leaked reference on requeued write + +From: Adam McCoy + +commit a48137996063d22ffba77e077425f49873856ca5 upstream. + +Failed async writes that are requeued may not clean up a refcount +on the file, which can result in a leaked open. This scenario arises +very reliably when using persistent handles and a reconnect occurs +while writing. + +cifs_writev_requeue only releases the reference if the write fails +(rc != 0). The server->ops->async_writev operation will take its own +reference, so the initial reference can always be released. + +Signed-off-by: Adam McCoy +Signed-off-by: Steve French +CC: Stable +Reviewed-by: Pavel Shilovsky +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifssmb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -2135,8 +2135,8 @@ cifs_writev_requeue(struct cifs_writedat + } + } + ++ kref_put(&wdata2->refcount, cifs_writedata_release); + if (rc) { +- kref_put(&wdata2->refcount, cifs_writedata_release); + if (is_retryable_error(rc)) + continue; + i += nr_pages; diff --git a/queue-5.4/drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch b/queue-5.4/drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch new file mode 100644 index 00000000000..539efc93d51 --- /dev/null +++ b/queue-5.4/drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch 
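Review bot: The `kref_put(&wdata2->refcount, cifs_writedata_release)` now runs unconditionally before the `if (rc)` test, so from that line on wdata2 may already have been freed; the visible `continue` and `i += nr_pages` lines do not touch it, but cifs_writev_requeue() starts and ends outside the hunk, and any later use of wdata2 in the same loop iteration would be a use-after-free rather than the leak this fixes. A one-line comment would pin the ownership the commit message relies on: `/* async_writev took its own reference on success; drop ours regardless of rc */`. The leaked reference kept a server file handle open past the write, which is why this is worth the stable backport.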
@@ -0,0 +1,72 @@ +From 626bf90fe03fa080d8df06bb0397c95c53ae8e27 Mon Sep 17 00:00:00 2001 +From: Simon Ser +Date: Mon, 30 Mar 2020 09:23:21 +0000 +Subject: drm/amd/display: add basic atomic check for cursor plane + +From: Simon Ser + +commit 626bf90fe03fa080d8df06bb0397c95c53ae8e27 upstream. + +This patch adds a basic cursor check when an atomic test-only commit is +performed. The position and size of the cursor plane is checked. + +This should fix user-space relying on atomic checks to assign buffers to +planes. + +Signed-off-by: Simon Ser +Reported-by: Roman Gilg +References: https://github.com/emersion/libliftoff/issues/46 +Cc: Alex Deucher +Cc: Harry Wentland +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 26 ++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -6921,6 +6921,7 @@ static int dm_update_plane_state(struct + struct drm_crtc_state *old_crtc_state, *new_crtc_state; + struct dm_crtc_state *dm_new_crtc_state, *dm_old_crtc_state; + struct dm_plane_state *dm_new_plane_state, *dm_old_plane_state; ++ struct amdgpu_crtc *new_acrtc; + bool needs_reset; + int ret = 0; + +@@ -6930,9 +6931,30 @@ static int dm_update_plane_state(struct + dm_new_plane_state = to_dm_plane_state(new_plane_state); + dm_old_plane_state = to_dm_plane_state(old_plane_state); + +- /*TODO Implement atomic check for cursor plane */ +- if (plane->type == DRM_PLANE_TYPE_CURSOR) ++ /*TODO Implement better atomic check for cursor plane */ ++ if (plane->type == DRM_PLANE_TYPE_CURSOR) { ++ if (!enable || !new_plane_crtc || ++ drm_atomic_plane_disabling(plane->state, new_plane_state)) ++ return 0; ++ ++ new_acrtc = to_amdgpu_crtc(new_plane_crtc); ++ ++ if ((new_plane_state->crtc_w > new_acrtc->max_cursor_width) || ++ 
(new_plane_state->crtc_h > new_acrtc->max_cursor_height)) { ++ DRM_DEBUG_ATOMIC("Bad cursor size %d x %d\n", ++ new_plane_state->crtc_w, new_plane_state->crtc_h); ++ return -EINVAL; ++ } ++ ++ if (new_plane_state->crtc_x <= -new_acrtc->max_cursor_width || ++ new_plane_state->crtc_y <= -new_acrtc->max_cursor_height) { ++ DRM_DEBUG_ATOMIC("Bad cursor position %d, %d\n", ++ new_plane_state->crtc_x, new_plane_state->crtc_y); ++ return -EINVAL; ++ } ++ + return 0; ++ } + + needs_reset = should_reset_plane(state, plane, old_plane_state, + new_plane_state); diff --git a/queue-5.4/make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch b/queue-5.4/make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch new file mode 100644 index 00000000000..e045141e1ef --- /dev/null +++ b/queue-5.4/make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch 
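Review bot: `drm_atomic_plane_disabling(plane->state, new_plane_state)` reads the plane's currently committed state instead of the `old_plane_state` this function already has in hand (it is passed to `to_dm_plane_state()` a few lines above); inside an atomic check the old state from the `drm_atomic_state` is the intended input, so `drm_atomic_plane_disabling(old_plane_state, new_plane_state)` is the safer form. The position check only rejects a cursor fully off the left/top edge (`crtc_x <= -max_cursor_width`, `crtc_y <= -max_cursor_height`); whether a position beyond the right/bottom edge is safe to hand to the hardware is not stated here, so either confirm it or add the symmetric bound. These crtc_* values arrive from userspace through the atomic ioctl, which is what makes the bounds check matter; dm_update_plane_state() continues past the end of the hunk.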
@@ -0,0 +1,50 @@ +From 82152d424b6cb6fc1ede7d03d69c04e786688740 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 6 Jul 2018 15:04:24 -0400 +Subject: Make the "Reducing compressed framebufer size" message be DRM_INFO_ONCE() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Jones + +commit 82152d424b6cb6fc1ede7d03d69c04e786688740 upstream. + +This was sort of annoying me: + +random:~$ dmesg | tail -1 +[523884.039227] [drm] Reducing the compressed framebuffer size. This may lead to less power savings than a non-reduced-size. Try to increase stolen memory size if available in BIOS. +random:~$ dmesg | grep -c "Reducing the compressed" +47 + +This patch makes it DRM_INFO_ONCE() just like the similar message +farther down in that function is pr_info_once(). + +Cc: stable@vger.kernel.org +Signed-off-by: Peter Jones +Acked-by: Rodrigo Vivi +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1745 +Link: https://patchwork.freedesktop.org/patch/msgid/20180706190424.29194-1-pjones@redhat.com +[vsyrjala: Rebase due to per-device logging] +Signed-off-by: Ville Syrjälä +(cherry picked from commit 6b7fc6a3e6af4ff5773949d0fed70d8e7f68d5ce) +[Rodrigo: port back to DRM_INFO_ONCE] +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/display/intel_fbc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_fbc.c ++++ b/drivers/gpu/drm/i915/display/intel_fbc.c +@@ -504,8 +504,7 @@ static int intel_fbc_alloc_cfb(struct in + if (!ret) + goto err_llb; + else if (ret > 1) { +- DRM_INFO("Reducing the compressed framebuffer size. This may lead to less power savings than a non-reduced-size. Try to increase stolen memory size if available in BIOS.\n"); +- ++ DRM_INFO_ONCE("Reducing the compressed framebuffer size. This may lead to less power savings than a non-reduced-size. 
Try to increase stolen memory size if available in BIOS.\n"); + } + + fbc->threshold = ret; diff --git a/queue-5.4/powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch b/queue-5.4/powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch new file mode 100644 index 00000000000..fe54c9826bd --- /dev/null +++ b/queue-5.4/powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch @@ -0,0 +1,35 @@ +From 4833ce06e6855d526234618b746ffb71d6612c9a Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Mon, 20 Apr 2020 07:47:05 +0000 +Subject: powerpc/32s: Fix build failure with CONFIG_PPC_KUAP_DEBUG + +From: Christophe Leroy + +commit 4833ce06e6855d526234618b746ffb71d6612c9a upstream. + +gpr2 is not a parametre of kuap_check(), it doesn't exist. + +Use gpr instead. + +Fixes: a68c31fc01ef ("powerpc/32s: Implement Kernel Userspace Access Protection") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/ea599546f2a7771bde551393889e44e6b2632332.1587368807.git.christophe.leroy@c-s.fr +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/book3s/32/kup.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/include/asm/book3s/32/kup.h ++++ b/arch/powerpc/include/asm/book3s/32/kup.h +@@ -75,7 +75,7 @@ + + .macro kuap_check current, gpr + #ifdef CONFIG_PPC_KUAP_DEBUG +- lwz \gpr2, KUAP(thread) ++ lwz \gpr, KUAP(thread) + 999: twnei \gpr, 0 + EMIT_BUG_ENTRY 999b, __FILE__, __LINE__, (BUGFLAG_WARNING | BUGFLAG_ONCE) + #endif diff --git a/queue-5.4/series b/queue-5.4/series index c681eec0d26..2589b738251 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
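Review bot: The one-token fix (`\gpr2` → `\gpr`) is right, since `gpr2` is not a parameter of `kuap_check`, but the `Fixes:` tag shows the CONFIG_PPC_KUAP_DEBUG branch has failed to assemble since KUAP was introduced, so the `twnei \gpr, 0` check that presumably flags a non-zero saved KUAP state has never been exercised on this stable series; a 32s build with CONFIG_PPC_KUAP_DEBUG=y would be worth adding to the build matrix so the debug path of a security mitigation does not rot again. The `current` macro argument is not used in the visible lines (the load reads `KUAP(thread)`), so `thread` is presumably a register alias defined elsewhere in the 32-bit entry code — confirm it is in scope for every caller of the macro.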
@@ -108,3 +108,14 @@ alsa-rawmidi-fix-racy-buffer-resize-under-concurrent-accesses.patch
 alsa-usb-audio-add-control-message-quirk-delay-for-kingston-hyperx-headset.patch
 usb-core-hub-limit-hub_quirk_disable_autosuspend-to-usb5534b.patch
 usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch
+usb-cdns3-gadget-prev_req-trb-is-null-for-ep0.patch
+usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch
+usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch
+make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch
+arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch
+arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch
+arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch
+drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch
+powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch
+cifs-fix-leaked-reference-on-requeued-write.patch
+x86-fix-early-boot-crash-on-gcc-10-third-try.patch
diff --git a/queue-5.4/usb-cdns3-gadget-prev_req-trb-is-null-for-ep0.patch b/queue-5.4/usb-cdns3-gadget-prev_req-trb-is-null-for-ep0.patch
new file mode 100644
index 00000000000..b6a56d87062
--- /dev/null
+++ b/queue-5.4/usb-cdns3-gadget-prev_req-trb-is-null-for-ep0.patch
@@ -0,0 +1,97 @@ +From 95cd7dc47abd71d1a0c9c43594ff2fa32552f46c Mon Sep 17 00:00:00 2001 +From: Peter Chen +Date: Thu, 30 Apr 2020 15:07:13 +0800 +Subject: usb: cdns3: gadget: prev_req->trb is NULL for ep0 + +From: Peter Chen + +commit 95cd7dc47abd71d1a0c9c43594ff2fa32552f46c upstream. + +And there are no multiple TRBs on EP0 and WA1 workaround, +so it doesn't need to change TRB for EP0. It fixes below oops. + +configfs-gadget gadget: high-speed config #1: b +android_work: sent uevent USB_STATE=CONFIGURED +Unable to handle kernel read from unreadable memory at virtual address 0000000000000008 +Mem abort info: +android_work: sent uevent USB_STATE=DISCONNECTED + ESR = 0x96000004 + EC = 0x25: DABT (current EL), IL = 32 bits + + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 +Data abort info: + ISV = 0, ISS = 0x00000004 + CM = 0, WnR = 0 +user pgtable: 4k pages, 48-bit VAs, pgdp=00000008b5bb7000 +[0000000000000008] pgd=0000000000000000 +Internal error: Oops: 96000004 [#1] PREEMPT SMP +Modules linked in: +CPU: 2 PID: 430 Comm: HwBinder:401_1 Not tainted 5.4.24-06071-g6fa8921409c1-dirty #77 +Hardware name: Freescale i.MX8QXP MEK (DT) +pstate: 60400085 (nZCv daIf +PAN -UAO) +pc : cdns3_gadget_ep_dequeue+0x1d4/0x270 +lr : cdns3_gadget_ep_dequeue+0x48/0x270 +sp : ffff800012763ba0 +x29: ffff800012763ba0 x28: ffff00082c653c00 +x27: 0000000000000000 x26: ffff000068fa7b00 +x25: ffff0000699b2000 x24: ffff00082c6ac000 +x23: ffff000834f0a480 x22: ffff000834e87b9c +x21: 0000000000000000 x20: ffff000834e87800 +x19: ffff000069eddc00 x18: 0000000000000000 +x17: 0000000000000000 x16: 0000000000000000 +x15: 0000000000000000 x14: 0000000000000000 +x13: 0000000000000000 x12: 0000000000000001 +x11: ffff80001180fbe8 x10: 0000000000000001 +x9 : ffff800012101558 x8 : 0000000000000001 +x7 : 0000000000000006 x6 : ffff000835d9c668 +x5 : ffff000834f0a4c8 x4 : 0000000096000000 +x3 : 0000000000001810 x2 : 0000000000000000 +x1 : ffff800024bd001c x0 : 0000000000000001 +Call trace: + 
cdns3_gadget_ep_dequeue+0x1d4/0x270 + usb_ep_dequeue+0x34/0xf8 + composite_dev_cleanup+0x154/0x170 + configfs_composite_unbind+0x6c/0xa8 + usb_gadget_remove_driver+0x44/0x70 + usb_gadget_unregister_driver+0x74/0xe0 + unregister_gadget+0x28/0x58 + gadget_dev_desc_UDC_store+0x80/0x110 + configfs_write_file+0x1e0/0x2a0 + __vfs_write+0x48/0x90 + vfs_write+0xe4/0x1c8 + ksys_write+0x78/0x100 + __arm64_sys_write+0x24/0x30 + el0_svc_common.constprop.0+0x74/0x168 + el0_svc_handler+0x34/0xa0 + el0_svc+0x8/0xc +Code: 52830203 b9407660 f94042e4 11000400 (b9400841) +---[ end trace 1574516e4c1772ca ]--- +Kernel panic - not syncing: Fatal exception +SMP: stopping secondary CPUs +Kernel Offset: disabled +CPU features: 0x0002,20002008 +Memory Limit: none +Rebooting in 5 seconds.. + +Fixes: f616c3bda47e ("usb: cdns3: Fix dequeue implementation") +Cc: stable +Signed-off-by: Peter Chen +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/cdns3/gadget.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/cdns3/gadget.c ++++ b/drivers/usb/cdns3/gadget.c +@@ -2105,7 +2105,7 @@ found: + link_trb = priv_req->trb; + + /* Update ring only if removed request is on pending_req_list list */ +- if (req_on_hw_ring) { ++ if (req_on_hw_ring && link_trb) { + link_trb->buffer = TRB_BUFFER(priv_ep->trb_pool_dma + + ((priv_req->end_trb + 1) * TRB_SIZE)); + link_trb->control = (link_trb->control & TRB_CYCLE) | diff --git a/queue-5.4/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch b/queue-5.4/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch new file mode 100644 index 00000000000..19732650e7a --- /dev/null +++ b/queue-5.4/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch 
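Review bot: `if (req_on_hw_ring && link_trb)` closes the NULL `priv_req->trb` dereference for ep0, but it does so for every endpoint: should a non-ep0 request ever be on the hardware ring with `trb == NULL`, the link TRB would now be silently left un-rewritten and the ring would keep pointing at a dequeued request. Since the commit message limits the NULL case to EP0, an explicit ep0 test (if the driver exposes one on priv_ep) or a `WARN_ON_ONCE(req_on_hw_ring && !link_trb)` for the non-ep0 case would stop the guard from masking a different bug later. The crash is reached from a configfs UDC unbind, i.e. a local denial of service for whoever can write the configfs attribute; cdns3_gadget_ep_dequeue() begins and ends outside the hunk.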
@@ -0,0 +1,75 @@ +From 15753588bcd4bbffae1cca33c8ced5722477fe1f Mon Sep 17 00:00:00 2001 +From: Kyungtae Kim +Date: Sun, 10 May 2020 05:43:34 +0000 +Subject: USB: gadget: fix illegal array access in binding with UDC + +From: Kyungtae Kim + +commit 15753588bcd4bbffae1cca33c8ced5722477fe1f upstream. + +FuzzUSB (a variant of syzkaller) found an illegal array access +using an incorrect index while binding a gadget with UDC. + +Reference: https://www.spinics.net/lists/linux-usb/msg194331.html + +This bug occurs when a size variable used for a buffer +is misused to access its strcpy-ed buffer. +Given a buffer along with its size variable (taken from user input), +from which, a new buffer is created using kstrdup(). +Due to the original buffer containing 0 value in the middle, +the size of the kstrdup-ed buffer becomes smaller than that of the original. +So accessing the kstrdup-ed buffer with the same size variable +triggers memory access violation. + +The fix makes sure no zero value in the buffer, +by comparing the strlen() of the orignal buffer with the size variable, +so that the access to the kstrdup-ed buffer is safe. 
+ +BUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200 +drivers/usb/gadget/configfs.c:266 +Read of size 1 at addr ffff88806a55dd7e by task syz-executor.0/17208 + +CPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xce/0x128 lib/dump_stack.c:118 + print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374 + __kasan_report+0x131/0x1b0 mm/kasan/report.c:506 + kasan_report+0x12/0x20 mm/kasan/common.c:641 + __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132 + gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266 + flush_write_buffer fs/configfs/file.c:251 [inline] + configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283 + __vfs_write+0x85/0x110 fs/read_write.c:494 + vfs_write+0x1cd/0x510 fs/read_write.c:558 + ksys_write+0x18a/0x220 fs/read_write.c:611 + __do_sys_write fs/read_write.c:623 [inline] + __se_sys_write fs/read_write.c:620 [inline] + __x64_sys_write+0x73/0xb0 fs/read_write.c:620 + do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Signed-off-by: Kyungtae Kim +Reported-and-tested-by: Kyungtae Kim +Cc: Felipe Balbi +Cc: stable +Link: https://lore.kernel.org/r/20200510054326.GA19198@pizza01 +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/configfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/gadget/configfs.c ++++ b/drivers/usb/gadget/configfs.c +@@ -260,6 +260,9 @@ static ssize_t gadget_dev_desc_UDC_store + char *name; + int ret; + ++ if (strlen(page) < len) ++ return -EOVERFLOW; ++ + name = kstrdup(page, GFP_KERNEL); + if (!name) + return -ENOMEM; diff --git a/queue-5.4/usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch b/queue-5.4/usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch index 2036842014f..224021a64f8 100644 
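Review bot: `if (strlen(page) < len) return -EOVERFLOW;` rejects any input with an embedded NUL, which is what makes the later `len`-based index into the kstrdup'd copy safe, but it depends on `page` being NUL-terminated — the configfs write path is understood to terminate its page buffer, so confirm that holds for this kernel before relying on it. `-EINVAL` is the conventional return for malformed input; `-EOVERFLOW` tells the caller its buffer was too small, which is not what happened. The out-of-bounds read at configfs.c:266 lies below the hunk and presumably indexes `name` with `len`; if configfs can ever hand the store a zero-length write, that same index would reach before the buffer, so it is worth confirming `len == 0` cannot get here. gadget_dev_desc_UDC_store() starts above the hunk.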
--- a/queue-5.4/usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch +++ b/queue-5.4/usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch @@ -108,8 +108,6 @@ Signed-off-by: Li Jun Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20200514110432.25564-3-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Greg Kroah-Hartman - --- drivers/usb/host/xhci-plat.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/queue-5.4/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch b/queue-5.4/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch new file mode 100644 index 00000000000..401d6014972 --- /dev/null +++ b/queue-5.4/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch 
@@ -0,0 +1,74 @@ +From 3c6f8cb92c9178fc0c66b580ea3df1fa3ac1155a Mon Sep 17 00:00:00 2001 +From: Sriharsha Allenki +Date: Thu, 14 May 2020 14:04:31 +0300 +Subject: usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list + +From: Sriharsha Allenki + +commit 3c6f8cb92c9178fc0c66b580ea3df1fa3ac1155a upstream. + +On platforms with IOMMU enabled, multiple SGs can be coalesced into one +by the IOMMU driver. In that case the SG list processing as part of the +completion of a urb on a bulk endpoint can result into a NULL pointer +dereference with the below stack dump. + +<6> Unable to handle kernel NULL pointer dereference at virtual address 0000000c +<6> pgd = c0004000 +<6> [0000000c] *pgd=00000000 +<6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM +<2> PC is at xhci_queue_bulk_tx+0x454/0x80c +<2> LR is at xhci_queue_bulk_tx+0x44c/0x80c +<2> pc : [] lr : [] psr: 000000d3 +<2> sp : ca337c80 ip : 00000000 fp : ffffffff +<2> r10: 00000000 r9 : 50037000 r8 : 00004000 +<2> r7 : 00000000 r6 : 00004000 r5 : 00000000 r4 : 00000000 +<2> r3 : 00000000 r2 : 00000082 r1 : c2c1a200 r0 : 00000000 +<2> Flags: nzcv IRQs off FIQs off Mode SVC_32 ISA ARM Segment none +<2> Control: 10c0383d Table: b412c06a DAC: 00000051 +<6> Process usb-storage (pid: 5961, stack limit = 0xca336210) + +<2> [] (xhci_queue_bulk_tx) +<2> [] (xhci_urb_enqueue) +<2> [] (usb_hcd_submit_urb) +<2> [] (usb_sg_wait) +<2> [] (usb_stor_bulk_transfer_sglist) +<2> [] (usb_stor_bulk_srb) +<2> [] (usb_stor_Bulk_transport) +<2> [] (usb_stor_invoke_transport) +<2> [] (usb_stor_control_thread) +<2> [] (kthread) + +The above NULL pointer dereference is the result of block_len and the +sent_len set to zero after the first SG of the list when IOMMU driver +is enabled. Because of this the loop of processing the SGs has run +more than num_sgs which resulted in a sg_next on the last SG of the +list which has SG_END set. + +Fix this by check for the sg before any attributes of the sg are +accessed. 
+ +[modified reason for null pointer dereference in commit message subject -Mathias] +Fixes: f9c589e142d04 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer") +Cc: stable@vger.kernel.org +Signed-off-by: Sriharsha Allenki +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20200514110432.25564-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-ring.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -3421,8 +3421,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd * + /* New sg entry */ + --num_sgs; + sent_len -= block_len; +- if (num_sgs != 0) { +- sg = sg_next(sg); ++ sg = sg_next(sg); ++ if (num_sgs != 0 && sg) { + block_len = sg_dma_len(sg); + addr = (u64) sg_dma_address(sg); + addr += sent_len; diff --git a/queue-5.4/x86-fix-early-boot-crash-on-gcc-10-third-try.patch b/queue-5.4/x86-fix-early-boot-crash-on-gcc-10-third-try.patch new file mode 100644 index 00000000000..2e1607a6e9e --- /dev/null +++ b/queue-5.4/x86-fix-early-boot-crash-on-gcc-10-third-try.patch 
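Review bot: Hoisting `sg = sg_next(sg)` ahead of the `num_sgs` test removes the NULL dereference, but when `sg_next()` returns NULL while `num_sgs` is still non-zero the loop now continues with the previous `block_len` and `addr`, so the mismatch the commit message describes (block_len and sent_len zero after IOMMU coalescing) is tolerated rather than surfaced; a `WARN_ON_ONCE(num_sgs && !sg)` before the `if`, or a `break`, would make it visible. If `num_sgs` is initialised from `urb->num_sgs` rather than the mapped count (`urb->num_mapped_sgs`), the guard papers over the root cause — that initialisation is not in the hunk, so please confirm. xhci_queue_bulk_tx() starts and ends outside the hunk.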
@@ -0,0 +1,144 @@ +From a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Wed, 22 Apr 2020 18:11:30 +0200 +Subject: x86: Fix early boot crash on gcc-10, third try +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Borislav Petkov + +commit a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e upstream. + +... or the odyssey of trying to disable the stack protector for the +function which generates the stack canary value. + +The whole story started with Sergei reporting a boot crash with a kernel +built with gcc-10: + + Kernel panic — not syncing: stack-protector: Kernel stack is corrupted in: start_secondary + CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5—00235—gfffb08b37df9 #139 + Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M—D3H, BIOS F12 11/14/2013 + Call Trace: + dump_stack + panic + ? start_secondary + __stack_chk_fail + start_secondary + secondary_startup_64 + -—-[ end Kernel panic — not syncing: stack—protector: Kernel stack is corrupted in: start_secondary + +This happens because gcc-10 tail-call optimizes the last function call +in start_secondary() - cpu_startup_entry() - and thus emits a stack +canary check which fails because the canary value changes after the +boot_init_stack_canary() call. + +To fix that, the initial attempt was to mark the one function which +generates the stack canary with: + + __attribute__((optimize("-fno-stack-protector"))) ... start_secondary(void *unused) + +however, using the optimize attribute doesn't work cumulatively +as the attribute does not add to but rather replaces previously +supplied optimization options - roughly all -fxxx options. + +The key one among them being -fno-omit-frame-pointer and thus leading to +not present frame pointer - frame pointer which the kernel needs. 
+ +The next attempt to prevent compilers from tail-call optimizing +the last function call cpu_startup_entry(), shy of carving out +start_secondary() into a separate compilation unit and building it with +-fno-stack-protector, was to add an empty asm(""). + +This current solution was short and sweet, and reportedly, is supported +by both compilers but we didn't get very far this time: future (LTO?) +optimization passes could potentially eliminate this, which leads us +to the third attempt: having an actual memory barrier there which the +compiler cannot ignore or move around etc. + +That should hold for a long time, but hey we said that about the other +two solutions too so... + +Reported-by: Sergei Trofimovich +Signed-off-by: Borislav Petkov +Tested-by: Kalle Valo +Cc: +Link: https://lkml.kernel.org/r/20200314164451.346497-1-slyfox@gentoo.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/stackprotector.h | 7 ++++++- + arch/x86/kernel/smpboot.c | 8 ++++++++ + arch/x86/xen/smp_pv.c | 1 + + include/linux/compiler.h | 6 ++++++ + init/main.c | 2 ++ + 5 files changed, 23 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/stackprotector.h ++++ b/arch/x86/include/asm/stackprotector.h +@@ -55,8 +55,13 @@ + /* + * Initialize the stackprotector canary value. + * +- * NOTE: this must only be called from functions that never return, ++ * NOTE: this must only be called from functions that never return + * and it must always be inlined. ++ * ++ * In addition, it should be called from a compilation unit for which ++ * stack protector is disabled. Alternatively, the caller should not end ++ * with a function call which gets tail-call optimized as that would ++ * lead to checking a modified canary value. 
+ */ + static __always_inline void boot_init_stack_canary(void) + { +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -262,6 +262,14 @@ static void notrace start_secondary(void + + wmb(); + cpu_startup_entry(CPUHP_AP_ONLINE_IDLE); ++ ++ /* ++ * Prevent tail call to cpu_startup_entry() because the stack protector ++ * guard has been changed a couple of function calls up, in ++ * boot_init_stack_canary() and must not be checked before tail calling ++ * another function. ++ */ ++ prevent_tail_call_optimization(); + } + + /** +--- a/arch/x86/xen/smp_pv.c ++++ b/arch/x86/xen/smp_pv.c +@@ -92,6 +92,7 @@ asmlinkage __visible void cpu_bringup_an + cpu_bringup(); + boot_init_stack_canary(); + cpu_startup_entry(CPUHP_AP_ONLINE_IDLE); ++ prevent_tail_call_optimization(); + } + + void xen_smp_intr_free_pv(unsigned int cpu) +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -356,4 +356,10 @@ static inline void *offset_to_ptr(const + /* &a[0] degrades to a pointer: a different type from an array */ + #define __must_be_array(a) BUILD_BUG_ON_ZERO(__same_type((a), &(a)[0])) + ++/* ++ * This is needed in functions which generate the stack canary, see ++ * arch/x86/kernel/smpboot.c::start_secondary() for an example. ++ */ ++#define prevent_tail_call_optimization() mb() ++ + #endif /* __LINUX_COMPILER_H */ +--- a/init/main.c ++++ b/init/main.c +@@ -782,6 +782,8 @@ asmlinkage __visible void __init start_k + + /* Do the rest non-__init'ed, we're now alive */ + arch_call_rest_init(); ++ ++ prevent_tail_call_optimization(); + } + + /* Call all constructor functions linked into the kernel. */ -- 2.47.3
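Review bot: The expanded comment on boot_init_stack_canary() in stackprotector.h tells callers not to end with a tail-call-optimized call but does not name the mechanism this same patch introduces; appending ` * Use prevent_tail_call_optimization() after the last call for that.` to that comment would save the next reader the search that motivated three attempts at this fix. `prevent_tail_call_optimization()` is defined in the generic include/linux/compiler.h as `mb()`, which comes from asm/barrier.h that compiler.h does not include itself, so the macro only works in translation units that already pull in the barrier headers — true for smpboot.c, smp_pv.c and main.c here, but a generic header defining a macro in terms of a symbol it does not provide is fragile and deserves a comment saying so. The stack-protector canary is the mitigation at stake, so the main.c and smp_pv.c call sites being kept in step with smpboot.c is the right call.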