LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH 5.4 000/168] 5.4.25-stable review
@ 2020-03-10 12:37 Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 001/168] block, bfq: get a ref to a group when adding it to a service tree Greg Kroah-Hartman
                   ` (169 more replies)
  0 siblings, 170 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 5.4.25 release.
There are 168 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 12 Mar 2020 12:34:10 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.25-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.4.25-rc1

Jason A. Donenfeld <Jason@zx2c4.com>
    efi: READ_ONCE rng seed size before munmap

Ard Biesheuvel <ardb@kernel.org>
    efi/x86: Handle by-ref arguments covering multiple pages in mixed mode

Ard Biesheuvel <ardb@kernel.org>
    efi/x86: Align GUIDs to their size in the mixed mode runtime wrapper

Desnes A. Nunes do Rosario <desnesn@linux.ibm.com>
    powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems

Sherry Sun <sherry.sun@nxp.com>
    EDAC/synopsys: Do not print an error with back-to-back snprintf() calls

Tony Lindgren <tony@atomide.com>
    bus: ti-sysc: Fix 1-wire reset quirk

Christian Hewitt <christianshewitt@gmail.com>
    arm64: dts: meson: fix gxm-khadas-vim2 wifi

Dan Carpenter <dan.carpenter@oracle.com>
    dmaengine: coh901318: Fix a double lock bug in dma_tc_handle()

Cong Wang <xiyou.wangcong@gmail.com>
    dma-buf: free dmabuf->name in dma_buf_release()

Dan Carpenter <dan.carpenter@oracle.com>
    hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()

Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
    ARM: dts: imx7-colibri: Fix frequency for sd/mmc

Johan Hovold <johan@kernel.org>
    ARM: dts: imx6dl-colibri-eval-v3: fix sram compatible properties

Suman Anna <s-anna@ti.com>
    ARM: dts: dra7xx-clocks: Fixup IPU1 mux clock parent source

Suman Anna <s-anna@ti.com>
    ARM: dts: am437x-idk-evm: Fix incorrect OPP node names

Ahmad Fatoum <a.fatoum@pengutronix.de>
    ARM: imx: build v7_cpu_resume() unconditionally

Dennis Dalessandro <dennis.dalessandro@intel.com>
    IB/hfi1, qib: Ensure RCU is locked when accessing list

Jason Gunthorpe <jgg@ziepe.ca>
    RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()

Fabrice Gasnier <fabrice.gasnier@st.com>
    regulator: stm32-vrefbuf: fix a possible overshoot when re-enabling

Maor Gottlieb <maorg@mellanox.com>
    RDMA/core: Fix protection fault in ib_mr_pool_destroy

Bernard Metzler <bmt@zurich.ibm.com>
    RDMA/iwcm: Fix iwcm work deallocation

Bernard Metzler <bmt@zurich.ibm.com>
    RDMA/siw: Fix failure handling during device creation

Mark Zhang <markz@mellanox.com>
    RDMA/nldev: Fix crash when set a QP to a new counter but QPN is missing

Max Gurtovoy <maxg@mellanox.com>
    RDMA/rw: Fix error flow during RDMA context initialization

Parav Pandit <parav@mellanox.com>
    Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow"

Leonard Crestez <leonard.crestez@nxp.com>
    soc: imx-scu: Align imx sc msg structs to 4

Leonard Crestez <leonard.crestez@nxp.com>
    firmware: imx: Align imx_sc_msg_req_cpu_start to 4

Leonard Crestez <leonard.crestez@nxp.com>
    firmware: imx: scu-pd: Align imx sc msg structs to 4

Leonard Crestez <leonard.crestez@nxp.com>
    firmware: imx: misc: Align imx sc msg structs to 4

Fabio Estevam <festevam@gmail.com>
    arm64: dts: imx8qxp-mek: Remove unexisting Ethernet PHY

Marco Felsch <m.felsch@pengutronix.de>
    ARM: dts: imx6: phycore-som: fix emmc supply

Tony Lindgren <tony@atomide.com>
    phy: mapphone-mdm6600: Fix write timeouts with shorter GPIO toggle interval

Tony Lindgren <tony@atomide.com>
    phy: mapphone-mdm6600: Fix timeouts by adding wake-up handling

Dan Carpenter <dan.carpenter@oracle.com>
    drm/i915/selftests: Fix return in assert_mmap_offset()

Matt Roper <matthew.d.roper@intel.com>
    drm/i915: Program MBUS with rmw during initialization

Jernej Skrabec <jernej.skrabec@siol.net>
    drm/sun4i: de2/de3: Remove unsupported VI layer formats

Jernej Skrabec <jernej.skrabec@siol.net>
    drm/sun4i: Fix DE2 VI layer format support

Jernej Skrabec <jernej.skrabec@siol.net>
    drm/sun4i: Add separate DE3 VI layer formats

John Stultz <john.stultz@linaro.org>
    drm: kirin: Revert "Fix for hikey620 display offset problem"

Tomeu Vizoso <tomeu.vizoso@collabora.com>
    drm/panfrost: Don't try to map on error faults

Tudor Ambarus <tudor.ambarus@microchip.com>
    spi: atmel-quadspi: fix possible MMIO window size overrun

Charles Keepax <ckeepax@opensource.cirrus.com>
    ASoC: dapm: Correct DAPM handling of active widgets during shutdown

Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
    ASoC: Intel: Skylake: Fix available clock counter incrementation

Matthias Reichl <hias@horus.com>
    ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path

Takashi Iwai <tiwai@suse.de>
    ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/mm: Fix missing KUAP disable in flush_coherent_icache()

Alastair D'Silva <alastair@d-silva.org>
    powerpc: Convert flush_icache_range & friends to C

Alastair D'Silva <alastair@d-silva.org>
    powerpc: define helpers to get L1 icache sizes

Takashi Iwai <tiwai@suse.de>
    ASoC: intel: skl: Fix possible buffer overflow in debug outputs

Takashi Iwai <tiwai@suse.de>
    ASoC: intel: skl: Fix pin debug prints

Dan Carpenter <dan.carpenter@oracle.com>
    ASoC: SOF: Fix snd_sof_ipc_stream_posn()

Dragos Tarcatu <dragos_tarcatu@mentor.com>
    ASoC: topology: Fix memleak in soc_tplg_manifest_load()

Dragos Tarcatu <dragos_tarcatu@mentor.com>
    ASoC: topology: Fix memleak in soc_tplg_link_elems_load()

John Bates <jbates@chromium.org>
    drm/virtio: fix resource id creation race

Gerd Hoffmann <kraxel@redhat.com>
    drm/virtio: make resource id workaround runtime switchable.

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    spi: bcm63xx-hsspi: Really keep pll clk enabled

Vladimir Oltean <olteanv@gmail.com>
    ARM: dts: ls1021a: Restore MDIO compatible to gianfar

Guillaume La Roque <glaroque@baylibre.com>
    arm64: dts: meson-sm1-sei610: add missing interrupt-names

Hou Tao <houtao1@huawei.com>
    dm: fix congested_fn for request-based device

Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
    dm zoned: Fix reference counter initial value of chunk works

Mikulas Patocka <mpatocka@redhat.com>
    dm writecache: verify watermark during resume

Mikulas Patocka <mpatocka@redhat.com>
    dm: report suspended device during destroy

Mikulas Patocka <mpatocka@redhat.com>
    dm cache: fix a crash due to incorrect work item cancelling

Mikulas Patocka <mpatocka@redhat.com>
    dm integrity: fix invalid table returned due to argument count mismatch

Mikulas Patocka <mpatocka@redhat.com>
    dm integrity: fix a deadlock due to offloading to an incorrect workqueue

Mikulas Patocka <mpatocka@redhat.com>
    dm integrity: fix recalculation when moving from journal mode to bitmap mode

Dmitry Osipenko <digetx@gmail.com>
    dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list

Dmitry Osipenko <digetx@gmail.com>
    dmaengine: tegra-apb: Fix use-after-free

Frieder Schrempf <frieder.schrempf@kontron.de>
    dmaengine: imx-sdma: Fix the event id check to include RX event for UART6

Martin Fuzzey <martin.fuzzey@flowbird.group>
    dmaengine: imx-sdma: fix context cache

Gerald Schaefer <gerald.schaefer@de.ibm.com>
    s390/mm: fix panic in gup_fast on large pud

Niklas Schnelle <schnelle@linux.ibm.com>
    s390/pci: Fix unexpected write combine on resource

Sean Christopherson <sean.j.christopherson@intel.com>
    x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes

Lukas Wunner <lukas@wunner.de>
    spi: spidev: Fix CS polarity if GPIO descriptors are used

Adrian Hunter <adrian.hunter@intel.com>
    perf arm-spe: Fix endless record after being terminated

Wei Li <liwei391@huawei.com>
    perf cs-etm: Fix endless record after being terminated

Wei Li <liwei391@huawei.com>
    perf intel-bts: Fix endless record after being terminated

Wei Li <liwei391@huawei.com>
    perf intel-pt: Fix endless record after being terminated

Hans Verkuil <hverkuil-cisco@xs4all.nl>
    media: v4l2-mem2mem.c: fix broken links

Hans Verkuil <hverkuil-cisco@xs4all.nl>
    media: vicodec: process all 4 components for RGB32 formats

Hans Verkuil <hverkuil-cisco@xs4all.nl>
    media: mc-entity.c: use & to check pad flags, not ==

Ezequiel Garcia <ezequiel@collabora.com>
    media: hantro: Fix broken media controller links

Jiri Slaby <jslaby@suse.cz>
    vt: selection, push sel_lock up

Jiri Slaby <jslaby@suse.cz>
    vt: selection, push console lock down

Jiri Slaby <jslaby@suse.cz>
    vt: selection, close sel_buffer race

Jay Dolan <jay.dolan@accesio.com>
    serial: 8250_exar: add support for ACCES cards

Michael Walle <michael@walle.cc>
    tty: serial: fsl_lpuart: free IDs allocated by IDA

tangbin <tangbin@cmss.chinamobile.com>
    tty:serial:mvebu-uart:fix a wrong return

Faiz Abbas <faiz_abbas@ti.com>
    arm: dts: dra76x: Fix mmc3 max-frequency

Ley Foon Tan <ley.foon.tan@intel.com>
    arm64: dts: socfpga: agilex: Fix gmac compatible

Omar Sandoval <osandov@fb.com>
    btrfs: fix RAID direct I/O reads with alternate csums

OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    fat: fix uninit-memory access for partial initialized inode

Vlastimil Babka <vbabka@suse.cz>
    mm, hotplug: fix page online with DEBUG_PAGEALLOC compiled but not enabled

Huang Ying <ying.huang@intel.com>
    mm: fix possible PMD dirty bit lost in set_pmd_migration_entry()

Mel Gorman <mgorman@techsingularity.net>
    mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa

Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
    vgacon: Fix a UAF in vgacon_invert_region

Eugeniu Rosca <erosca@de.adit-jv.com>
    usb: core: port: do error out if usb_autopm_get_interface() fails

Eugeniu Rosca <erosca@de.adit-jv.com>
    usb: core: hub: do error out if usb_autopm_get_interface() fails

Eugeniu Rosca <erosca@de.adit-jv.com>
    usb: core: hub: fix unhandled return by employing a void function

Peter Chen <peter.chen@nxp.com>
    usb: cdns3: gadget: toggle cycle bit before reset endpoint

Peter Chen <peter.chen@nxp.com>
    usb: cdns3: gadget: link trb should point to next request

Pratham Pratap <prathampratap@codeaurora.org>
    usb: dwc3: gadget: Update chain bit correctly when using sg list

Dan Lazewatsky <dlaz@chromium.org>
    usb: quirks: add NO_LPM quirk for Logitech Screen Share

Jim Lin <jilin@nvidia.com>
    usb: storage: Add quirk for Samsung Fit flash

Aurelien Aptel <aaptel@suse.com>
    cifs: fix rename() by ensuring source handle opened with DELETE bit

Ronnie Sahlberg <lsahlber@redhat.com>
    cifs: don't leak -EAGAIN for stat() during reconnect

Jian-Hong Pan <jian-hong@endlessm.com>
    ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294

Christian Lachner <gladiac@gmail.com>
    ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master

Kailang Yang <kailang@realtek.com>
    ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1

Kailang Yang <kailang@realtek.com>
    ALSA: hda/realtek - Add Headset Mic supported

Christian Brauner <christian.brauner@ubuntu.com>
    binder: prevent UAF for binderfs devices II

Christian Brauner <christian.brauner@ubuntu.com>
    binder: prevent UAF for binderfs devices

Leonard Crestez <leonard.crestez@nxp.com>
    firmware: imx: scu: Ensure sequential TX

Hangbin Liu <liuhangbin@gmail.com>
    selftests: forwarding: vxlan_bridge_1d: use more proper tos value

Randy Dunlap <rdunlap@infradead.org>
    arch/csky: fix some Kconfig typos

Guo Ren <guoren@linux.alibaba.com>
    csky: Fixup compile warning for three unimplemented syscalls

Guo Ren <guoren@linux.alibaba.com>
    csky: Fixup ftrace modify panic

Guo Ren <guoren@linux.alibaba.com>
    csky/smp: Fixup boot failed when CONFIG_SMP

Guo Ren <guoren@linux.alibaba.com>
    csky: Set regs->usp to kernel sp, when the exception is from kernel

Guo Ren <guoren@linux.alibaba.com>
    csky/mm: Fixup export invalid_pte_table symbol

Tim Harvey <tharvey@gateworks.com>
    net: thunderx: workaround BGX TX Underflow issue

Kees Cook <keescook@chromium.org>
    x86/xen: Distribute switch variables for initialization

Michal Swiatkowski <michal.swiatkowski@intel.com>
    ice: Don't tell the OS that link is going down

Keith Busch <kbusch@kernel.org>
    nvme: Fix uninitialized-variable warning

Julian Wiedmann <jwi@linux.ibm.com>
    s390/qdio: fill SL with absolute addresses

H.J. Lu <hjl.tools@gmail.com>
    x86/boot/compressed: Don't declare __force_order in kaslr_64.c

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    nvme-pci: Use single IRQ vector for old Apple models

Shyjumon N <shyjumon.n@intel.com>
    nvme/pci: Add sleep quirk for Samsung and Toshiba drives

Kai-Heng Feng <kai.heng.feng@canonical.com>
    iommu/amd: Disable IOMMU on Stoney Ridge systems

Hamdan Igbaria <hamdani@mellanox.com>
    net/mlx5: DR, Fix matching on vport gvmi

Javier Martinez Canillas <javierm@redhat.com>
    efi: Only print errors about failing to get certs if EFI vars are found

Masahiro Yamada <masahiroy@kernel.org>
    s390: make 'install' not depend on vmlinux

Vasily Averin <vvs@virtuozzo.com>
    s390/cio: cio_ignore_proc_seq_next should increase position index

Marco Felsch <m.felsch@pengutronix.de>
    watchdog: da9062: do not ping the hw during stop()

Paul Cercueil <paul@crapouillou.net>
    net: ethernet: dm9000: Handle -EPROBE_DEFER in dm9000_parse_dt()

Marek Vasut <marex@denx.de>
    net: ks8851-ml: Fix 16-bit IO operation

Marek Vasut <marex@denx.de>
    net: ks8851-ml: Fix 16-bit data access

Marek Vasut <marex@denx.de>
    net: ks8851-ml: Remove 8-bit bus accessors

Igor Russkikh <irusskikh@marvell.com>
    net: atlantic: check rpc result and wait for rpc address

Hangbin Liu <liuhangbin@gmail.com>
    selftests: forwarding: vxlan_bridge_1d: fix tos value

Hangbin Liu <liuhangbin@gmail.com>
    selftests: forwarding: use proto icmp for {gretap, ip6gretap}_mac testing

Harigovindan P <harigovi@codeaurora.org>
    drm/msm/dsi/pll: call vco set rate explicitly

Harigovindan P <harigovi@codeaurora.org>
    drm/msm/dsi: save pll state before dsi host is powered off

Tomas Henzl <thenzl@redhat.com>
    scsi: megaraid_sas: silence a warning

Stephan Gerhold <stephan@gerhold.net>
    drm/modes: Allow DRM_MODE_ROTATE_0 when applying video mode parameters

Stephan Gerhold <stephan@gerhold.net>
    drm/modes: Make sure to parse valid rotation value from cmdline

John Stultz <john.stultz@linaro.org>
    drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI

Brian Masney <masneyb@onstation.org>
    drm/msm/mdp5: rate limit pp done timeout warnings

Oded Gabbay <oded.gabbay@gmail.com>
    habanalabs: patched cb equals user cb in device memset

Omer Shpigelman <oshpigelman@habana.ai>
    habanalabs: do not halt CoreSight during hard reset

Oded Gabbay <oded.gabbay@gmail.com>
    habanalabs: halt the engines before hard-reset

Sergey Organov <sorganov@gmail.com>
    usb: gadget: serial: fix Tx stall after buffer overflow

Lars-Peter Clausen <lars@metafoo.de>
    usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags

Jack Pham <jackp@codeaurora.org>
    usb: gadget: composite: Support more than 500mA MaxPower

Jiri Benc <jbenc@redhat.com>
    selftests: fix too long argument

Daniel Golle <daniel@makrotopia.org>
    serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE

Kai Vehmanen <kai.vehmanen@linux.intel.com>
    ALSA: hda: do not override bus codec_mask in link_get()

Cengiz Can <cengiz@kernel.wtf>
    blktrace: fix dereference after null check

Masami Hiramatsu <mhiramat@kernel.org>
    kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation logic

Masahiro Yamada <masahiroy@kernel.org>
    kbuild: fix 'No such file or directory' warning when cleaning

Nathan Chancellor <natechancellor@gmail.com>
    RDMA/core: Fix use of logical OR in get_new_pps

Maor Gottlieb <maorg@mellanox.com>
    RDMA/core: Fix pkey and port assignment in get_new_pps

Theodore Ts'o <tytso@mit.edu>
    dm thin metadata: fix lockdep complaint

Aaro Koskinen <aaro.koskinen@nokia.com>
    net: stmmac: fix notifier registration

Florian Fainelli <f.fainelli@gmail.com>
    net: dsa: bcm_sf2: Forcibly configure IMP port for 1Gb/sec

Hui Wang <hui.wang@canonical.com>
    ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1

Paolo Valente <paolo.valente@linaro.org>
    block, bfq: do not insert oom queue into position tree

Paolo Valente <paolo.valente@linaro.org>
    block, bfq: get extra ref to prevent a queue from being freed during a group move

Paolo Valente <paolo.valente@linaro.org>
    block, bfq: get a ref to a group when adding it to a service tree


-------------

Diffstat:

 Makefile                                           |   4 +-
 arch/arm/boot/dts/am437x-idk-evm.dts               |   4 +-
 arch/arm/boot/dts/dra76x.dtsi                      |   5 +
 arch/arm/boot/dts/dra7xx-clocks.dtsi               |  12 +-
 arch/arm/boot/dts/imx6dl-colibri-eval-v3.dts       |   4 +-
 arch/arm/boot/dts/imx6qdl-phytec-phycore-som.dtsi  |   1 -
 arch/arm/boot/dts/imx7-colibri.dtsi                |   1 -
 arch/arm/boot/dts/ls1021a.dtsi                     |   4 +-
 arch/arm/mach-imx/Makefile                         |   2 +
 arch/arm/mach-imx/common.h                         |   4 +-
 arch/arm/mach-imx/resume-imx6.S                    |  24 ++++
 arch/arm/mach-imx/suspend-imx6.S                   |  14 --
 .../boot/dts/amlogic/meson-gxm-khadas-vim2.dts     |   2 +-
 arch/arm64/boot/dts/amlogic/meson-sm1-sei610.dts   |   1 +
 arch/arm64/boot/dts/freescale/imx8qxp-mek.dts      |   5 -
 arch/arm64/boot/dts/intel/socfpga_agilex.dtsi      |   6 +-
 arch/csky/Kconfig                                  |   2 +-
 arch/csky/abiv1/inc/abi/entry.h                    |  19 ++-
 arch/csky/abiv2/inc/abi/entry.h                    |  11 ++
 arch/csky/include/uapi/asm/unistd.h                |   3 +
 arch/csky/kernel/atomic.S                          |   8 +-
 arch/csky/kernel/smp.c                             |   2 +-
 arch/csky/mm/Makefile                              |   2 +
 arch/csky/mm/init.c                                |   1 +
 arch/powerpc/include/asm/cache.h                   |  55 +++++---
 arch/powerpc/include/asm/cacheflush.h              |  36 +++--
 arch/powerpc/kernel/cputable.c                     |   4 +-
 arch/powerpc/kernel/misc_32.S                      | 120 ----------------
 arch/powerpc/kernel/misc_64.S                      | 102 --------------
 arch/powerpc/mm/mem.c                              | 152 ++++++++++++++++++++-
 arch/s390/Makefile                                 |   2 +-
 arch/s390/boot/Makefile                            |   2 +-
 arch/s390/include/asm/pgtable.h                    |   6 +
 arch/s390/include/asm/qdio.h                       |   2 +-
 arch/s390/pci/pci.c                                |   4 +-
 arch/x86/boot/compressed/kaslr_64.c                |   3 -
 arch/x86/kernel/cpu/common.c                       |   2 +-
 arch/x86/platform/efi/efi_64.c                     |  70 ++++++----
 arch/x86/xen/enlighten_pv.c                        |   7 +-
 block/bfq-cgroup.c                                 |  10 +-
 block/bfq-iosched.c                                |   4 +
 block/bfq-iosched.h                                |   1 +
 block/bfq-wf2q.c                                   |  12 +-
 drivers/android/binder.c                           |   9 ++
 drivers/android/binder_internal.h                  |   2 +
 drivers/android/binderfs.c                         |   7 +-
 drivers/bus/ti-sysc.c                              |   4 +-
 drivers/dma-buf/dma-buf.c                          |   1 +
 drivers/dma/coh901318.c                            |   4 -
 drivers/dma/imx-sdma.c                             |   5 +-
 drivers/dma/tegra20-apb-dma.c                      |   6 +-
 drivers/edac/synopsys_edac.c                       |  22 +--
 drivers/firmware/efi/efi.c                         |   4 +-
 drivers/firmware/imx/imx-scu.c                     |  27 ++++
 drivers/firmware/imx/misc.c                        |   8 +-
 drivers/firmware/imx/scu-pd.c                      |   2 +-
 drivers/gpu/drm/drm_client_modeset.c               |   3 +-
 drivers/gpu/drm/drm_modes.c                        |   7 +
 drivers/gpu/drm/hisilicon/kirin/kirin_ade_reg.h    |   1 -
 drivers/gpu/drm/hisilicon/kirin/kirin_drm_ade.c    |  20 ---
 drivers/gpu/drm/i915/display/intel_display_power.c |  16 ++-
 drivers/gpu/drm/i915/gem/selftests/i915_gem_mman.c |   2 +-
 drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c          |   4 +-
 drivers/gpu/drm/msm/dsi/dsi_manager.c              |   7 +-
 drivers/gpu/drm/msm/dsi/phy/dsi_phy.c              |   4 -
 drivers/gpu/drm/msm/dsi/pll/dsi_pll_10nm.c         |   6 +
 drivers/gpu/drm/panfrost/panfrost_mmu.c            |  44 +++---
 drivers/gpu/drm/selftests/drm_cmdline_selftests.h  |   1 +
 .../gpu/drm/selftests/test-drm_cmdline_parser.c    |  15 +-
 drivers/gpu/drm/sun4i/sun8i_mixer.c                | 104 ++++++++++++--
 drivers/gpu/drm/sun4i/sun8i_mixer.h                |  11 ++
 drivers/gpu/drm/sun4i/sun8i_vi_layer.c             |  66 +++++++--
 drivers/gpu/drm/virtio/virtgpu_object.c            |  44 +++---
 drivers/hwmon/adt7462.c                            |   2 +-
 drivers/infiniband/core/cm.c                       |   1 +
 drivers/infiniband/core/cma.c                      |  15 +-
 drivers/infiniband/core/core_priv.h                |  15 ++
 drivers/infiniband/core/iwcm.c                     |   4 +-
 drivers/infiniband/core/nldev.c                    |   2 +
 drivers/infiniband/core/rw.c                       |  31 +++--
 drivers/infiniband/core/security.c                 |  14 +-
 drivers/infiniband/core/uverbs_cmd.c               |  10 --
 drivers/infiniband/core/verbs.c                    |  10 --
 drivers/infiniband/hw/hfi1/verbs.c                 |   4 +-
 drivers/infiniband/hw/qib/qib_verbs.c              |   2 +
 drivers/infiniband/sw/siw/siw_main.c               |   6 +-
 drivers/iommu/amd_iommu_init.c                     |  13 +-
 drivers/md/dm-cache-target.c                       |   4 +-
 drivers/md/dm-integrity.c                          |  50 ++++---
 drivers/md/dm-thin-metadata.c                      |   2 +-
 drivers/md/dm-writecache.c                         |  14 +-
 drivers/md/dm-zoned-target.c                       |   8 +-
 drivers/md/dm.c                                    |  22 +--
 drivers/media/mc/mc-entity.c                       |   4 +-
 drivers/media/platform/vicodec/codec-v4l2-fwht.c   |  34 ++---
 drivers/media/v4l2-core/v4l2-mem2mem.c             |   4 +-
 drivers/misc/habanalabs/device.c                   |   5 +-
 drivers/misc/habanalabs/goya/goya.c                |  44 +++++-
 drivers/net/dsa/bcm_sf2.c                          |   3 +-
 .../aquantia/atlantic/hw_atl/hw_atl_utils.c        |  19 ++-
 drivers/net/ethernet/cavium/thunder/thunder_bgx.c  |  62 ++++++++-
 drivers/net/ethernet/cavium/thunder/thunder_bgx.h  |   9 ++
 drivers/net/ethernet/davicom/dm9000.c              |   2 +
 drivers/net/ethernet/intel/ice/ice_ethtool.c       |   7 -
 .../ethernet/mellanox/mlx5/core/steering/dr_ste.c  |   5 +-
 drivers/net/ethernet/micrel/ks8851_mll.c           |  53 ++-----
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c  |  13 +-
 drivers/nvme/host/core.c                           |   2 +-
 drivers/nvme/host/pci.c                            |  15 +-
 drivers/phy/motorola/phy-mapphone-mdm6600.c        |  27 +++-
 drivers/regulator/stm32-vrefbuf.c                  |   3 +-
 drivers/s390/cio/blacklist.c                       |   5 +-
 drivers/s390/cio/qdio_setup.c                      |   3 +-
 drivers/s390/net/qeth_core_main.c                  |  23 ++--
 drivers/scsi/megaraid/megaraid_sas_fusion.c        |   5 +-
 drivers/soc/imx/soc-imx-scu.c                      |   2 +-
 drivers/spi/atmel-quadspi.c                        |  11 ++
 drivers/spi/spi-bcm63xx-hsspi.c                    |   1 -
 drivers/spi/spidev.c                               |   5 +
 drivers/staging/media/hantro/hantro_drv.c          |   4 +-
 drivers/staging/speakup/selection.c                |   2 -
 drivers/tty/serial/8250/8250_exar.c                |  33 +++++
 drivers/tty/serial/ar933x_uart.c                   |   8 ++
 drivers/tty/serial/fsl_lpuart.c                    |  39 ++++--
 drivers/tty/serial/mvebu-uart.c                    |   2 +-
 drivers/tty/vt/selection.c                         |  26 +++-
 drivers/tty/vt/vt.c                                |   2 -
 drivers/usb/cdns3/gadget.c                         |  19 ++-
 drivers/usb/core/hub.c                             |   8 +-
 drivers/usb/core/port.c                            |  10 +-
 drivers/usb/core/quirks.c                          |   3 +
 drivers/usb/dwc3/gadget.c                          |   9 +-
 drivers/usb/gadget/composite.c                     |  24 +++-
 drivers/usb/gadget/function/f_fs.c                 |   5 +-
 drivers/usb/gadget/function/u_serial.c             |   4 +-
 drivers/usb/storage/unusual_devs.h                 |   6 +
 drivers/video/console/vgacon.c                     |   3 +
 drivers/watchdog/da9062_wdt.c                      |   7 -
 fs/btrfs/inode.c                                   |   4 +-
 fs/cifs/cifsglob.h                                 |   7 +
 fs/cifs/cifsproto.h                                |   5 +-
 fs/cifs/cifssmb.c                                  |   3 +-
 fs/cifs/file.c                                     |  19 ++-
 fs/cifs/inode.c                                    |  12 +-
 fs/cifs/smb1ops.c                                  |   2 +-
 fs/cifs/smb2inode.c                                |   4 +-
 fs/cifs/smb2ops.c                                  |   3 +-
 fs/cifs/smb2pdu.c                                  |   1 +
 fs/fat/inode.c                                     |  19 +--
 include/linux/mm.h                                 |   4 +
 kernel/kprobes.c                                   |  67 +++++----
 kernel/trace/blktrace.c                            |   5 +-
 mm/huge_memory.c                                   |   3 +-
 mm/memory_hotplug.c                                |   8 +-
 mm/mprotect.c                                      |  38 +++++-
 security/integrity/platform_certs/load_uefi.c      |  40 ++++--
 sound/hda/ext/hdac_ext_controller.c                |   9 +-
 sound/pci/hda/patch_realtek.c                      |  31 ++++-
 sound/soc/codecs/pcm512x.c                         |   8 +-
 sound/soc/intel/skylake/skl-debug.c                |  32 +++--
 sound/soc/intel/skylake/skl-ssp-clk.c              |   4 +-
 sound/soc/soc-dapm.c                               |   2 +-
 sound/soc/soc-pcm.c                                |  16 +--
 sound/soc/soc-topology.c                           |  17 ++-
 sound/soc/sof/ipc.c                                |   2 +-
 tools/perf/arch/arm/util/cs-etm.c                  |   5 +-
 tools/perf/arch/arm64/util/arm-spe.c               |   5 +-
 tools/perf/arch/x86/util/intel-bts.c               |   5 +-
 tools/perf/arch/x86/util/intel-pt.c                |   5 +-
 tools/testing/selftests/lib.mk                     |  23 ++--
 .../testing/selftests/net/forwarding/mirror_gre.sh |  25 ++--
 .../selftests/net/forwarding/vxlan_bridge_1d.sh    |   6 +-
 usr/include/Makefile                               |   2 +-
 173 files changed, 1543 insertions(+), 898 deletions(-)



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 001/168] block, bfq: get a ref to a group when adding it to a service tree
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 002/168] block, bfq: get extra ref to prevent a queue from being freed during a group move Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleksandr Natalenko, Chris Evich,
	Paolo Valente, Jens Axboe, Sasha Levin

From: Paolo Valente <paolo.valente@linaro.org>

[ Upstream commit db37a34c563bf4692b36990ae89005c031385e52 ]

BFQ schedules generic entities, which may represent either bfq_queues
or groups of bfq_queues. When an entity is inserted into a service
tree, a reference must be taken, to make sure that the entity does not
disappear while still referred in the tree. Unfortunately, such a
reference is mistakenly taken only if the entity represents a
bfq_queue. This commit takes a reference also in case the entity
represents a group.

Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Tested-by: Chris Evich <cevich@redhat.com>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/bfq-cgroup.c  |  2 +-
 block/bfq-iosched.h |  1 +
 block/bfq-wf2q.c    | 12 ++++++++++--
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
index 86a607cf19a10..0999d56bc4d19 100644
--- a/block/bfq-cgroup.c
+++ b/block/bfq-cgroup.c
@@ -332,7 +332,7 @@ static void bfqg_put(struct bfq_group *bfqg)
 		kfree(bfqg);
 }
 
-static void bfqg_and_blkg_get(struct bfq_group *bfqg)
+void bfqg_and_blkg_get(struct bfq_group *bfqg)
 {
 	/* see comments in bfq_bic_update_cgroup for why refcounting bfqg */
 	bfqg_get(bfqg);
diff --git a/block/bfq-iosched.h b/block/bfq-iosched.h
index 5d1a519640f6a..e0e4a413d43a5 100644
--- a/block/bfq-iosched.h
+++ b/block/bfq-iosched.h
@@ -978,6 +978,7 @@ struct bfq_group *bfq_find_set_group(struct bfq_data *bfqd,
 struct blkcg_gq *bfqg_to_blkg(struct bfq_group *bfqg);
 struct bfq_group *bfqq_group(struct bfq_queue *bfqq);
 struct bfq_group *bfq_create_group_hierarchy(struct bfq_data *bfqd, int node);
+void bfqg_and_blkg_get(struct bfq_group *bfqg);
 void bfqg_and_blkg_put(struct bfq_group *bfqg);
 
 #ifdef CONFIG_BFQ_GROUP_IOSCHED
diff --git a/block/bfq-wf2q.c b/block/bfq-wf2q.c
index 05f0bf4a1144d..44079147e396e 100644
--- a/block/bfq-wf2q.c
+++ b/block/bfq-wf2q.c
@@ -536,7 +536,9 @@ static void bfq_get_entity(struct bfq_entity *entity)
 		bfqq->ref++;
 		bfq_log_bfqq(bfqq->bfqd, bfqq, "get_entity: %p %d",
 			     bfqq, bfqq->ref);
-	}
+	} else
+		bfqg_and_blkg_get(container_of(entity, struct bfq_group,
+					       entity));
 }
 
 /**
@@ -650,8 +652,14 @@ static void bfq_forget_entity(struct bfq_service_tree *st,
 
 	entity->on_st = false;
 	st->wsum -= entity->weight;
-	if (bfqq && !is_in_service)
+	if (is_in_service)
+		return;
+
+	if (bfqq)
 		bfq_put_queue(bfqq);
+	else
+		bfqg_and_blkg_put(container_of(entity, struct bfq_group,
+					       entity));
 }
 
 /**
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 002/168] block, bfq: get extra ref to prevent a queue from being freed during a group move
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 001/168] block, bfq: get a ref to a group when adding it to a service tree Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 003/168] block, bfq: do not insert oom queue into position tree Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Evich, Oleksandr Natalenko,
	Paolo Valente, Jens Axboe, Sasha Levin

From: Paolo Valente <paolo.valente@linaro.org>

[ Upstream commit ecedd3d7e19911ab8fe42f17b77c0a30fe7f4db3 ]

In bfq_bfqq_move(), the bfq_queue, say Q, to be moved to a new group
may happen to be deactivated in the scheduling data structures of the
source group (and then activated in the destination group). If Q is
referred only by the data structures in the source group when the
deactivation happens, then Q is freed upon the deactivation.

This commit addresses this issue by getting an extra reference before
the possible deactivation, and releasing this extra reference after Q
has been moved.

Tested-by: Chris Evich <cevich@redhat.com>
Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/bfq-cgroup.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
index 0999d56bc4d19..ead6e42832982 100644
--- a/block/bfq-cgroup.c
+++ b/block/bfq-cgroup.c
@@ -634,6 +634,12 @@ void bfq_bfqq_move(struct bfq_data *bfqd, struct bfq_queue *bfqq,
 		bfq_bfqq_expire(bfqd, bfqd->in_service_queue,
 				false, BFQQE_PREEMPTED);
 
+	/*
+	 * get extra reference to prevent bfqq from being freed in
+	 * next possible deactivate
+	 */
+	bfqq->ref++;
+
 	if (bfq_bfqq_busy(bfqq))
 		bfq_deactivate_bfqq(bfqd, bfqq, false, false);
 	else if (entity->on_st)
@@ -653,6 +659,8 @@ void bfq_bfqq_move(struct bfq_data *bfqd, struct bfq_queue *bfqq,
 
 	if (!bfqd->in_service_queue && !bfqd->rq_in_driver)
 		bfq_schedule_dispatch(bfqd);
+	/* release extra ref taken above */
+	bfq_put_queue(bfqq);
 }
 
 /**
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 003/168] block, bfq: do not insert oom queue into position tree
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 001/168] block, bfq: get a ref to a group when adding it to a service tree Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 002/168] block, bfq: get extra ref to prevent a queue from being freed during a group move Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 004/168] ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1 Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Patrick Dung, Oleksandr Natalenko,
	Paolo Valente, Jens Axboe, Sasha Levin

From: Paolo Valente <paolo.valente@linaro.org>

[ Upstream commit 32c59e3a9a5a0b180dd015755d6d18ca31e55935 ]

BFQ maintains an ordered list, implemented with an RB tree, of
head-request positions of non-empty bfq_queues. This position tree,
inherited from CFQ, is used to find bfq_queues that contain I/O close
to each other. BFQ merges these bfq_queues into a single shared queue,
if this boosts throughput on the device at hand.

There is however a special-purpose bfq_queue that does not participate
in queue merging, the oom bfq_queue. Yet, also this bfq_queue could be
wrongly added to the position tree. So bfqq_find_close() could return
the oom bfq_queue, which is a source of further troubles in an
out-of-memory situation. This commit prevents the oom bfq_queue from
being inserted into the position tree.

Tested-by: Patrick Dung <patdung100@gmail.com>
Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/bfq-iosched.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
index 5498d05b873d3..955daa29303a8 100644
--- a/block/bfq-iosched.c
+++ b/block/bfq-iosched.c
@@ -614,6 +614,10 @@ bfq_pos_tree_add_move(struct bfq_data *bfqd, struct bfq_queue *bfqq)
 		bfqq->pos_root = NULL;
 	}
 
+	/* oom_bfqq does not participate in queue merging */
+	if (bfqq == &bfqd->oom_bfqq)
+		return;
+
 	/*
 	 * bfqq cannot be merged any longer (see comments in
 	 * bfq_setup_cooperator): no point in adding bfqq into the
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 004/168] ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 003/168] block, bfq: do not insert oom queue into position tree Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 005/168] net: dsa: bcm_sf2: Forcibly configure IMP port for 1Gb/sec Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hui Wang, Takashi Iwai, Sasha Levin

From: Hui Wang <hui.wang@canonical.com>

[ Upstream commit c37c0ab029569a75fd180edb03d411e7a28a936f ]

Need to chain the THINKPAD_ACPI, otherwise the mute led will not
work.

Fixes: d2cd795c4ece ("ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen")
Cc: <stable@vger.kernel.org>
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Link: https://lore.kernel.org/r/20200219052306.24935-1-hui.wang@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/pci/hda/patch_realtek.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 4f78b40831d8c..00e2ba38a7cf6 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6684,6 +6684,8 @@ static const struct hda_fixup alc269_fixups[] = {
 	[ALC285_FIXUP_SPEAKER2_TO_DAC1] = {
 		.type = HDA_FIXUP_FUNC,
 		.v.func = alc285_fixup_speaker2_to_dac1,
+		.chained = true,
+		.chain_id = ALC269_FIXUP_THINKPAD_ACPI
 	},
 	[ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = {
 		.type = HDA_FIXUP_PINS,
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 005/168] net: dsa: bcm_sf2: Forcibly configure IMP port for 1Gb/sec
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 004/168] ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1 Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 006/168] net: stmmac: fix notifier registration Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, Vivien Didelot,
	David S. Miller, Sasha Levin

From: Florian Fainelli <f.fainelli@gmail.com>

[ Upstream commit 98c5f7d44fef309e692c24c6d71131ee0f0871fb ]

We are still experiencing some packet loss with the existing advanced
congestion buffering (ACB) settings with the IMP port configured for
2Gb/sec, so revert to conservative link speeds that do not produce
packet loss until this is resolved.

Fixes: 8f1880cbe8d0 ("net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec")
Fixes: de34d7084edd ("net: dsa: bcm_sf2: Only 7278 supports 2Gb/sec IMP port")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/dsa/bcm_sf2.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
index fecd5e674e04c..46dc913da852d 100644
--- a/drivers/net/dsa/bcm_sf2.c
+++ b/drivers/net/dsa/bcm_sf2.c
@@ -69,8 +69,7 @@ static void bcm_sf2_imp_setup(struct dsa_switch *ds, int port)
 		/* Force link status for IMP port */
 		reg = core_readl(priv, offset);
 		reg |= (MII_SW_OR | LINK_STS);
-		if (priv->type == BCM7278_DEVICE_ID)
-			reg |= GMII_SPEED_UP_2G;
+		reg &= ~GMII_SPEED_UP_2G;
 		core_writel(priv, reg, offset);
 
 		/* Enable Broadcast, Multicast, Unicast forwarding to IMP port */
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 006/168] net: stmmac: fix notifier registration
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 005/168] net: dsa: bcm_sf2: Forcibly configure IMP port for 1Gb/sec Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 007/168] dm thin metadata: fix lockdep complaint Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aaro Koskinen, David S. Miller, Sasha Levin

From: Aaro Koskinen <aaro.koskinen@nokia.com>

[ Upstream commit 474a31e13a4e9749fb3ee55794d69d0f17ee0998 ]

We cannot register the same netdev notifier multiple times when probing
stmmac devices. Register the notifier only once in module init, and also
make debugfs creation/deletion safe against simultaneous notifier call.

Fixes: 481a7d154cbb ("stmmac: debugfs entry name is not be changed when udev rename device name.")
Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index 582176d869c35..89a6ae2b17e35 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -4208,6 +4208,8 @@ static void stmmac_init_fs(struct net_device *dev)
 {
 	struct stmmac_priv *priv = netdev_priv(dev);
 
+	rtnl_lock();
+
 	/* Create per netdev entries */
 	priv->dbgfs_dir = debugfs_create_dir(dev->name, stmmac_fs_dir);
 
@@ -4219,14 +4221,13 @@ static void stmmac_init_fs(struct net_device *dev)
 	debugfs_create_file("dma_cap", 0444, priv->dbgfs_dir, dev,
 			    &stmmac_dma_cap_fops);
 
-	register_netdevice_notifier(&stmmac_notifier);
+	rtnl_unlock();
 }
 
 static void stmmac_exit_fs(struct net_device *dev)
 {
 	struct stmmac_priv *priv = netdev_priv(dev);
 
-	unregister_netdevice_notifier(&stmmac_notifier);
 	debugfs_remove_recursive(priv->dbgfs_dir);
 }
 #endif /* CONFIG_DEBUG_FS */
@@ -4728,14 +4729,14 @@ int stmmac_dvr_remove(struct device *dev)
 
 	netdev_info(priv->dev, "%s: removing driver", __func__);
 
-#ifdef CONFIG_DEBUG_FS
-	stmmac_exit_fs(ndev);
-#endif
 	stmmac_stop_all_dma(priv);
 
 	stmmac_mac_set(priv, priv->ioaddr, false);
 	netif_carrier_off(ndev);
 	unregister_netdev(ndev);
+#ifdef CONFIG_DEBUG_FS
+	stmmac_exit_fs(ndev);
+#endif
 	phylink_destroy(priv->phylink);
 	if (priv->plat->stmmac_rst)
 		reset_control_assert(priv->plat->stmmac_rst);
@@ -4955,6 +4956,7 @@ static int __init stmmac_init(void)
 	/* Create debugfs main directory if it doesn't exist yet */
 	if (!stmmac_fs_dir)
 		stmmac_fs_dir = debugfs_create_dir(STMMAC_RESOURCE_NAME, NULL);
+	register_netdevice_notifier(&stmmac_notifier);
 #endif
 
 	return 0;
@@ -4963,6 +4965,7 @@ static int __init stmmac_init(void)
 static void __exit stmmac_exit(void)
 {
 #ifdef CONFIG_DEBUG_FS
+	unregister_netdevice_notifier(&stmmac_notifier);
 	debugfs_remove_recursive(stmmac_fs_dir);
 #endif
 }
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 007/168] dm thin metadata: fix lockdep complaint
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 006/168] net: stmmac: fix notifier registration Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 008/168] RDMA/core: Fix pkey and port assignment in get_new_pps Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Theodore Tso, Mike Snitzer, Sasha Levin

From: Theodore Ts'o <tytso@mit.edu>

[ Upstream commit 3918e0667bbac99400b44fa5aef3f8be2eeada4a ]

[ 3934.173244] ======================================================
[ 3934.179572] WARNING: possible circular locking dependency detected
[ 3934.185884] 5.4.21-xfstests #1 Not tainted
[ 3934.190151] ------------------------------------------------------
[ 3934.196673] dmsetup/8897 is trying to acquire lock:
[ 3934.201688] ffffffffbce82b18 (shrinker_rwsem){++++}, at: unregister_shrinker+0x22/0x80
[ 3934.210268]
               but task is already holding lock:
[ 3934.216489] ffff92a10cc5e1d0 (&pmd->root_lock){++++}, at: dm_pool_metadata_close+0xba/0x120
[ 3934.225083]
               which lock already depends on the new lock.

[ 3934.564165] Chain exists of:
                 shrinker_rwsem --> &journal->j_checkpoint_mutex --> &pmd->root_lock

For a more detailed lockdep report, please see:

	https://lore.kernel.org/r/20200220234519.GA620489@mit.edu

We shouldn't need to hold the lock while are just tearing down and
freeing the whole metadata pool structure.

Fixes: 44d8ebf436399a4 ("dm thin metadata: use pool locking at end of dm_pool_metadata_close")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/dm-thin-metadata.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
index 8bb723f1a569a..4cd8868f80040 100644
--- a/drivers/md/dm-thin-metadata.c
+++ b/drivers/md/dm-thin-metadata.c
@@ -960,9 +960,9 @@ int dm_pool_metadata_close(struct dm_pool_metadata *pmd)
 			DMWARN("%s: __commit_transaction() failed, error = %d",
 			       __func__, r);
 	}
+	pmd_write_unlock(pmd);
 	if (!pmd->fail_io)
 		__destroy_persistent_data_objects(pmd);
-	pmd_write_unlock(pmd);
 
 	kfree(pmd);
 	return 0;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 008/168] RDMA/core: Fix pkey and port assignment in get_new_pps
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 007/168] dm thin metadata: fix lockdep complaint Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 009/168] RDMA/core: Fix use of logical OR " Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maor Gottlieb, Leon Romanovsky,
	Mike Marciniszyn, Jason Gunthorpe, Sasha Levin

From: Maor Gottlieb <maorg@mellanox.com>

[ Upstream commit 801b67f3eaafd3f2ec8b65d93142d4ffedba85df ]

When port is part of the modify mask, then we should take it from the
qp_attr and not from the old pps. Same for PKEY. Otherwise there are
panics in some configurations:

  RIP: 0010:get_pkey_idx_qp_list+0x50/0x80 [ib_core]
  Code: c7 18 e8 13 04 30 ef 0f b6 43 06 48 69 c0 b8 00 00 00 48 03 85 a0 04 00 00 48 8b 50 20 48 8d 48 20 48 39 ca 74 1a 0f b7 73 04 <66> 39 72 10 75 08 eb 10 66 39 72 10 74 0a 48 8b 12 48 39 ca 75 f2
  RSP: 0018:ffffafb3480932f0 EFLAGS: 00010203
  RAX: ffff98059ababa10 RBX: ffff980d926e8cc0 RCX: ffff98059ababa30
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff98059ababa28
  RBP: ffff98059b940000 R08: 00000000000310c0 R09: ffff97fe47c07480
  R10: 0000000000000036 R11: 0000000000000200 R12: 0000000000000071
  R13: ffff98059b940000 R14: ffff980d87f948a0 R15: 0000000000000000
  FS:  00007f88deb31740(0000) GS:ffff98059f600000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000010 CR3: 0000000853e26001 CR4: 00000000001606e0
  Call Trace:
   port_pkey_list_insert+0x3d/0x1b0 [ib_core]
   ? kmem_cache_alloc_trace+0x215/0x220
   ib_security_modify_qp+0x226/0x3a0 [ib_core]
   _ib_modify_qp+0xcf/0x390 [ib_core]
   ipoib_init_qp+0x7f/0x200 [ib_ipoib]
   ? rvt_modify_port+0xd0/0xd0 [rdmavt]
   ? ib_find_pkey+0x99/0xf0 [ib_core]
   ipoib_ib_dev_open_default+0x1a/0x200 [ib_ipoib]
   ipoib_ib_dev_open+0x96/0x130 [ib_ipoib]
   ipoib_open+0x44/0x130 [ib_ipoib]
   __dev_open+0xd1/0x160
   __dev_change_flags+0x1ab/0x1f0
   dev_change_flags+0x23/0x60
   do_setlink+0x328/0xe30
   ? __nla_validate_parse+0x54/0x900
   __rtnl_newlink+0x54e/0x810
   ? __alloc_pages_nodemask+0x17d/0x320
   ? page_fault+0x30/0x50
   ? _cond_resched+0x15/0x30
   ? kmem_cache_alloc_trace+0x1c8/0x220
   rtnl_newlink+0x43/0x60
   rtnetlink_rcv_msg+0x28f/0x350
   ? kmem_cache_alloc+0x1fb/0x200
   ? _cond_resched+0x15/0x30
   ? __kmalloc_node_track_caller+0x24d/0x2d0
   ? rtnl_calcit.isra.31+0x120/0x120
   netlink_rcv_skb+0xcb/0x100
   netlink_unicast+0x1e0/0x340
   netlink_sendmsg+0x317/0x480
   ? __check_object_size+0x48/0x1d0
   sock_sendmsg+0x65/0x80
   ____sys_sendmsg+0x223/0x260
   ? copy_msghdr_from_user+0xdc/0x140
   ___sys_sendmsg+0x7c/0xc0
   ? skb_dequeue+0x57/0x70
   ? __inode_wait_for_writeback+0x75/0xe0
   ? fsnotify_grab_connector+0x45/0x80
   ? __dentry_kill+0x12c/0x180
   __sys_sendmsg+0x58/0xa0
   do_syscall_64+0x5b/0x200
   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x7f88de467f10

Link: https://lore.kernel.org/r/20200227125728.100551-1-leon@kernel.org
Cc: <stable@vger.kernel.org>
Fixes: 1dd017882e01 ("RDMA/core: Fix protection fault in get_pkey_idx_qp_list")
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Tested-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/core/security.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/infiniband/core/security.c b/drivers/infiniband/core/security.c
index 2b4d80393bd0d..9e27ca18d3270 100644
--- a/drivers/infiniband/core/security.c
+++ b/drivers/infiniband/core/security.c
@@ -340,11 +340,15 @@ static struct ib_ports_pkeys *get_new_pps(const struct ib_qp *qp,
 		return NULL;
 
 	if (qp_attr_mask & IB_QP_PORT)
-		new_pps->main.port_num =
-			(qp_pps) ? qp_pps->main.port_num : qp_attr->port_num;
+		new_pps->main.port_num = qp_attr->port_num;
+	else if (qp_pps)
+		new_pps->main.port_num = qp_pps->main.port_num;
+
 	if (qp_attr_mask & IB_QP_PKEY_INDEX)
-		new_pps->main.pkey_index = (qp_pps) ? qp_pps->main.pkey_index :
-						      qp_attr->pkey_index;
+		new_pps->main.pkey_index = qp_attr->pkey_index;
+	else if (qp_pps)
+		new_pps->main.pkey_index = qp_pps->main.pkey_index;
+
 	if ((qp_attr_mask & IB_QP_PKEY_INDEX) && (qp_attr_mask & IB_QP_PORT))
 		new_pps->main.state = IB_PORT_PKEY_VALID;
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 009/168] RDMA/core: Fix use of logical OR in get_new_pps
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 008/168] RDMA/core: Fix pkey and port assignment in get_new_pps Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 010/168] kbuild: fix No such file or directory warning when cleaning Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Nathan Chancellor,
	Leon Romanovsky, Jason Gunthorpe, Sasha Levin

From: Nathan Chancellor <natechancellor@gmail.com>

[ Upstream commit 4ca501d6aaf21de31541deac35128bbea8427aa6 ]

Clang warns:

../drivers/infiniband/core/security.c:351:41: warning: converting the
enum constant to a boolean [-Wint-in-bool-context]
        if (!(qp_attr_mask & (IB_QP_PKEY_INDEX || IB_QP_PORT)) && qp_pps) {
                                               ^
1 warning generated.

A bitwise OR should have been used instead.

Fixes: 1dd017882e01 ("RDMA/core: Fix protection fault in get_pkey_idx_qp_list")
Link: https://lore.kernel.org/r/20200217204318.13609-1-natechancellor@gmail.com
Link: https://github.com/ClangBuiltLinux/linux/issues/889
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/core/security.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/security.c b/drivers/infiniband/core/security.c
index 9e27ca18d3270..2d5608315dc80 100644
--- a/drivers/infiniband/core/security.c
+++ b/drivers/infiniband/core/security.c
@@ -352,7 +352,7 @@ static struct ib_ports_pkeys *get_new_pps(const struct ib_qp *qp,
 	if ((qp_attr_mask & IB_QP_PKEY_INDEX) && (qp_attr_mask & IB_QP_PORT))
 		new_pps->main.state = IB_PORT_PKEY_VALID;
 
-	if (!(qp_attr_mask & (IB_QP_PKEY_INDEX || IB_QP_PORT)) && qp_pps) {
+	if (!(qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) && qp_pps) {
 		new_pps->main.port_num = qp_pps->main.port_num;
 		new_pps->main.pkey_index = qp_pps->main.pkey_index;
 		if (qp_pps->main.state != IB_PORT_PKEY_NOT_VALID)
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 010/168] kbuild: fix No such file or directory warning when cleaning
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 009/168] RDMA/core: Fix use of logical OR " Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 011/168] kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation logic Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kbuild test robot, Masahiro Yamada,
	Sasha Levin

From: Masahiro Yamada <masahiroy@kernel.org>

[ Upstream commit cf6b58ab2d55f5a143c88c219c8e66ff0720fa69 ]

Since commit fcbb8461fd23 ("kbuild: remove header compile test"),
'make clean' with O= option in the pristine source tree emits
'No such file or directory' warning.

$ git clean -d -f -x
$ make O=foo clean
make[1]: Entering directory '/home/masahiro/linux/foo'
find: ‘usr/include’: No such file or directory
make[1]: Leaving directory '/home/masahiro/linux/foo'

Fixes: fcbb8461fd23 ("kbuild: remove header compile test")
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 usr/include/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/include/Makefile b/usr/include/Makefile
index 47cb91d3a51d2..e2840579156a9 100644
--- a/usr/include/Makefile
+++ b/usr/include/Makefile
@@ -99,7 +99,7 @@ endif
 # asm-generic/*.h is used by asm/*.h, and should not be included directly
 header-test- += asm-generic/%
 
-extra-y := $(patsubst $(obj)/%.h,%.hdrtest, $(shell find $(obj) -name '*.h'))
+extra-y := $(patsubst $(obj)/%.h,%.hdrtest, $(shell find $(obj) -name '*.h' 2>/dev/null))
 
 quiet_cmd_hdrtest = HDRTEST $<
       cmd_hdrtest = \
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 011/168] kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation logic
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 010/168] kbuild: fix No such file or directory warning when cleaning Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 012/168] blktrace: fix dereference after null check Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masami Hiramatsu,
	Steven Rostedt (VMware),
	Alexei Starovoitov, Peter Zijlstra, Thomas Gleixner, bristot,
	Ingo Molnar, Sasha Levin

From: Masami Hiramatsu <mhiramat@kernel.org>

[ Upstream commit e4add247789e4ba5e08ad8256183ce2e211877d4 ]

optimize_kprobe() and unoptimize_kprobe() cancels if a given kprobe
is on the optimizing_list or unoptimizing_list already. However, since
the following commit:

  f66c0447cca1 ("kprobes: Set unoptimized flag after unoptimizing code")

modified the update timing of the KPROBE_FLAG_OPTIMIZED, it doesn't
work as expected anymore.

The optimized_kprobe could be in the following states:

- [optimizing]: Before inserting jump instruction
  op.kp->flags has KPROBE_FLAG_OPTIMIZED and
  op->list is not empty.

- [optimized]: jump inserted
  op.kp->flags has KPROBE_FLAG_OPTIMIZED and
  op->list is empty.

- [unoptimizing]: Before removing jump instruction (including unused
  optprobe)
  op.kp->flags has KPROBE_FLAG_OPTIMIZED and
  op->list is not empty.

- [unoptimized]: jump removed
  op.kp->flags doesn't have KPROBE_FLAG_OPTIMIZED and
  op->list is empty.

Current code mis-expects [unoptimizing] state doesn't have
KPROBE_FLAG_OPTIMIZED, and that can cause incorrect results.

To fix this, introduce optprobe_queued_unopt() to distinguish [optimizing]
and [unoptimizing] states and fixes the logic in optimize_kprobe() and
unoptimize_kprobe().

[ mingo: Cleaned up the changelog and the code a bit. ]

Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: bristot@redhat.com
Fixes: f66c0447cca1 ("kprobes: Set unoptimized flag after unoptimizing code")
Link: https://lkml.kernel.org/r/157840814418.7181.13478003006386303481.stgit@devnote2
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/kprobes.c | 67 +++++++++++++++++++++++++++++++-----------------
 1 file changed, 43 insertions(+), 24 deletions(-)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 34e28b236d680..2625c241ac00f 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -612,6 +612,18 @@ void wait_for_kprobe_optimizer(void)
 	mutex_unlock(&kprobe_mutex);
 }
 
+static bool optprobe_queued_unopt(struct optimized_kprobe *op)
+{
+	struct optimized_kprobe *_op;
+
+	list_for_each_entry(_op, &unoptimizing_list, list) {
+		if (op == _op)
+			return true;
+	}
+
+	return false;
+}
+
 /* Optimize kprobe if p is ready to be optimized */
 static void optimize_kprobe(struct kprobe *p)
 {
@@ -633,17 +645,21 @@ static void optimize_kprobe(struct kprobe *p)
 		return;
 
 	/* Check if it is already optimized. */
-	if (op->kp.flags & KPROBE_FLAG_OPTIMIZED)
+	if (op->kp.flags & KPROBE_FLAG_OPTIMIZED) {
+		if (optprobe_queued_unopt(op)) {
+			/* This is under unoptimizing. Just dequeue the probe */
+			list_del_init(&op->list);
+		}
 		return;
+	}
 	op->kp.flags |= KPROBE_FLAG_OPTIMIZED;
 
-	if (!list_empty(&op->list))
-		/* This is under unoptimizing. Just dequeue the probe */
-		list_del_init(&op->list);
-	else {
-		list_add(&op->list, &optimizing_list);
-		kick_kprobe_optimizer();
-	}
+	/* On unoptimizing/optimizing_list, op must have OPTIMIZED flag */
+	if (WARN_ON_ONCE(!list_empty(&op->list)))
+		return;
+
+	list_add(&op->list, &optimizing_list);
+	kick_kprobe_optimizer();
 }
 
 /* Short cut to direct unoptimizing */
@@ -665,30 +681,33 @@ static void unoptimize_kprobe(struct kprobe *p, bool force)
 		return; /* This is not an optprobe nor optimized */
 
 	op = container_of(p, struct optimized_kprobe, kp);
-	if (!kprobe_optimized(p)) {
-		/* Unoptimized or unoptimizing case */
-		if (force && !list_empty(&op->list)) {
-			/*
-			 * Only if this is unoptimizing kprobe and forced,
-			 * forcibly unoptimize it. (No need to unoptimize
-			 * unoptimized kprobe again :)
-			 */
-			list_del_init(&op->list);
-			force_unoptimize_kprobe(op);
-		}
+	if (!kprobe_optimized(p))
 		return;
-	}
 
 	if (!list_empty(&op->list)) {
-		/* Dequeue from the optimization queue */
-		list_del_init(&op->list);
+		if (optprobe_queued_unopt(op)) {
+			/* Queued in unoptimizing queue */
+			if (force) {
+				/*
+				 * Forcibly unoptimize the kprobe here, and queue it
+				 * in the freeing list for release afterwards.
+				 */
+				force_unoptimize_kprobe(op);
+				list_move(&op->list, &freeing_list);
+			}
+		} else {
+			/* Dequeue from the optimizing queue */
+			list_del_init(&op->list);
+			op->kp.flags &= ~KPROBE_FLAG_OPTIMIZED;
+		}
 		return;
 	}
+
 	/* Optimized kprobe case */
-	if (force)
+	if (force) {
 		/* Forcibly update the code: this is a special case */
 		force_unoptimize_kprobe(op);
-	else {
+	} else {
 		list_add(&op->list, &unoptimizing_list);
 		kick_kprobe_optimizer();
 	}
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 012/168] blktrace: fix dereference after null check
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 011/168] kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation logic Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 013/168] ALSA: hda: do not override bus codec_mask in link_get() Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ming Lei, Bob Liu,
	Steven Rostedt (VMware),
	Cengiz Can, Jens Axboe, Sasha Levin

From: Cengiz Can <cengiz@kernel.wtf>

[ Upstream commit 153031a301bb07194e9c37466cfce8eacb977621 ]

There was a recent change in blktrace.c that added a RCU protection to
`q->blk_trace` in order to fix a use-after-free issue during access.

However the change missed an edge case that can lead to dereferencing of
`bt` pointer even when it's NULL:

Coverity static analyzer marked this as a FORWARD_NULL issue with CID
1460458.

```
/kernel/trace/blktrace.c: 1904 in sysfs_blk_trace_attr_store()
1898            ret = 0;
1899            if (bt == NULL)
1900                    ret = blk_trace_setup_queue(q, bdev);
1901
1902            if (ret == 0) {
1903                    if (attr == &dev_attr_act_mask)
>>>     CID 1460458:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "bt".
1904                            bt->act_mask = value;
1905                    else if (attr == &dev_attr_pid)
1906                            bt->pid = value;
1907                    else if (attr == &dev_attr_start_lba)
1908                            bt->start_lba = value;
1909                    else if (attr == &dev_attr_end_lba)
```

Added a reassignment with RCU annotation to fix the issue.

Fixes: c780e86dd48 ("blktrace: Protect q->blk_trace with RCU")
Cc: stable@vger.kernel.org
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Bob Liu <bob.liu@oracle.com>
Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Cengiz Can <cengiz@kernel.wtf>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/trace/blktrace.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index 4b2ad374167bc..e7e483cdbea61 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -1888,8 +1888,11 @@ static ssize_t sysfs_blk_trace_attr_store(struct device *dev,
 	}
 
 	ret = 0;
-	if (bt == NULL)
+	if (bt == NULL) {
 		ret = blk_trace_setup_queue(q, bdev);
+		bt = rcu_dereference_protected(q->blk_trace,
+				lockdep_is_held(&q->blk_trace_mutex));
+	}
 
 	if (ret == 0) {
 		if (attr == &dev_attr_act_mask)
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 013/168] ALSA: hda: do not override bus codec_mask in link_get()
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 012/168] blktrace: fix dereference after null check Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 014/168] serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kai Vehmanen, Ranjani Sridharan,
	Pierre-Louis Bossart, Takashi Iwai, Mark Brown, Sasha Levin

From: Kai Vehmanen <kai.vehmanen@linux.intel.com>

[ Upstream commit 43bcb1c0507858cdc95e425017dcc33f8105df39 ]

snd_hdac_ext_bus_link_get() does not work correctly in case
there are multiple codecs on the bus. It unconditionally
resets the bus->codec_mask value. As per documentation in
hdaudio.h and existing use in client code, this field should
be used to store bit flag of detected codecs on the bus.

By overwriting value of the codec_mask, information on all
detected codecs is lost. No current user of hdac is impacted,
but use of bus->codec_mask is planned in future patches
for SOF.

Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20200206200223.7715-1-kai.vehmanen@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/hda/ext/hdac_ext_controller.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/sound/hda/ext/hdac_ext_controller.c b/sound/hda/ext/hdac_ext_controller.c
index cfab60d88c921..09ff209df4a30 100644
--- a/sound/hda/ext/hdac_ext_controller.c
+++ b/sound/hda/ext/hdac_ext_controller.c
@@ -254,6 +254,7 @@ EXPORT_SYMBOL_GPL(snd_hdac_ext_bus_link_power_down_all);
 int snd_hdac_ext_bus_link_get(struct hdac_bus *bus,
 				struct hdac_ext_link *link)
 {
+	unsigned long codec_mask;
 	int ret = 0;
 
 	mutex_lock(&bus->lock);
@@ -280,9 +281,11 @@ int snd_hdac_ext_bus_link_get(struct hdac_bus *bus,
 		 *  HDA spec section 4.3 - Codec Discovery
 		 */
 		udelay(521);
-		bus->codec_mask = snd_hdac_chip_readw(bus, STATESTS);
-		dev_dbg(bus->dev, "codec_mask = 0x%lx\n", bus->codec_mask);
-		snd_hdac_chip_writew(bus, STATESTS, bus->codec_mask);
+		codec_mask = snd_hdac_chip_readw(bus, STATESTS);
+		dev_dbg(bus->dev, "codec_mask = 0x%lx\n", codec_mask);
+		snd_hdac_chip_writew(bus, STATESTS, codec_mask);
+		if (!bus->codec_mask)
+			bus->codec_mask = codec_mask;
 	}
 
 	mutex_unlock(&bus->lock);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 014/168] serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 013/168] ALSA: hda: do not override bus codec_mask in link_get() Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 015/168] selftests: fix too long argument Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chuanhong Guo, Daniel Golle, Sasha Levin

From: Daniel Golle <daniel@makrotopia.org>

[ Upstream commit 87c5cbf71ecbb9e289d60a2df22eb686c70bf196 ]

On AR934x this UART is usually not initialized by the bootloader
as it is only used as a secondary serial port while the primary
UART is a newly introduced NS16550-compatible.
In order to make use of the ar933x-uart on AR934x without RTS/CTS
hardware flow control, one needs to set the
UART_CS_{RX,TX}_READY_ORIDE bits as other than on AR933x where this
UART is used as primary/console, the bootloader on AR934x typically
doesn't set those bits.
Setting them explicitely on AR933x should not do any harm, so just
set them unconditionally.

Tested-by: Chuanhong Guo <gch981213@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Link: https://lore.kernel.org/r/20200207095335.GA179836@makrotopia.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/ar933x_uart.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/tty/serial/ar933x_uart.c b/drivers/tty/serial/ar933x_uart.c
index 3bdd56a1021b2..ea12f10610b64 100644
--- a/drivers/tty/serial/ar933x_uart.c
+++ b/drivers/tty/serial/ar933x_uart.c
@@ -286,6 +286,10 @@ static void ar933x_uart_set_termios(struct uart_port *port,
 	ar933x_uart_rmw_set(up, AR933X_UART_CS_REG,
 			    AR933X_UART_CS_HOST_INT_EN);
 
+	/* enable RX and TX ready overide */
+	ar933x_uart_rmw_set(up, AR933X_UART_CS_REG,
+		AR933X_UART_CS_TX_READY_ORIDE | AR933X_UART_CS_RX_READY_ORIDE);
+
 	/* reenable the UART */
 	ar933x_uart_rmw(up, AR933X_UART_CS_REG,
 			AR933X_UART_CS_IF_MODE_M << AR933X_UART_CS_IF_MODE_S,
@@ -418,6 +422,10 @@ static int ar933x_uart_startup(struct uart_port *port)
 	ar933x_uart_rmw_set(up, AR933X_UART_CS_REG,
 			    AR933X_UART_CS_HOST_INT_EN);
 
+	/* enable RX and TX ready overide */
+	ar933x_uart_rmw_set(up, AR933X_UART_CS_REG,
+		AR933X_UART_CS_TX_READY_ORIDE | AR933X_UART_CS_RX_READY_ORIDE);
+
 	/* Enable RX interrupts */
 	up->ier = AR933X_UART_INT_RX_VALID;
 	ar933x_uart_write(up, AR933X_UART_INT_EN_REG, up->ier);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 015/168] selftests: fix too long argument
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 014/168] serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 016/168] usb: gadget: composite: Support more than 500mA MaxPower Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yauheni Kaliuta, Jiri Benc,
	Shuah Khan, Sasha Levin

From: Jiri Benc <jbenc@redhat.com>

[ Upstream commit c363eb48ada5cf732b3f489fab799fc881097842 ]

With some shells, the command construed for install of bpf selftests becomes
too large due to long list of files:

make[1]: execvp: /bin/sh: Argument list too long
make[1]: *** [../lib.mk:73: install] Error 127

Currently, each of the file lists is replicated three times in the command:
in the shell 'if' condition, in the 'echo' and in the 'rsync'. Reduce that
by one instance by using make conditionals and separate the echo and rsync
into two shell commands. (One would be inclined to just remove the '@' at
the beginning of the rsync command and let 'make' echo it by itself;
unfortunately, it appears that the '@' in the front of mkdir silences output
also for the following commands.)

Also, separate handling of each of the lists to its own shell command.

The semantics of the makefile is unchanged before and after the patch. The
ability of individual test directories to override INSTALL_RULE is retained.

Reported-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
Tested-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/lib.mk | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk
index 1c8a1963d03f8..3ed0134a764d4 100644
--- a/tools/testing/selftests/lib.mk
+++ b/tools/testing/selftests/lib.mk
@@ -83,17 +83,20 @@ else
 	$(call RUN_TESTS, $(TEST_GEN_PROGS) $(TEST_CUSTOM_PROGS) $(TEST_PROGS))
 endif
 
+define INSTALL_SINGLE_RULE
+	$(if $(INSTALL_LIST),@mkdir -p $(INSTALL_PATH))
+	$(if $(INSTALL_LIST),@echo rsync -a $(INSTALL_LIST) $(INSTALL_PATH)/)
+	$(if $(INSTALL_LIST),@rsync -a $(INSTALL_LIST) $(INSTALL_PATH)/)
+endef
+
 define INSTALL_RULE
-	@if [ "X$(TEST_PROGS)$(TEST_PROGS_EXTENDED)$(TEST_FILES)" != "X" ]; then					\
-		mkdir -p ${INSTALL_PATH};										\
-		echo "rsync -a $(TEST_PROGS) $(TEST_PROGS_EXTENDED) $(TEST_FILES) $(INSTALL_PATH)/";	\
-		rsync -a $(TEST_PROGS) $(TEST_PROGS_EXTENDED) $(TEST_FILES) $(INSTALL_PATH)/;		\
-	fi
-	@if [ "X$(TEST_GEN_PROGS)$(TEST_CUSTOM_PROGS)$(TEST_GEN_PROGS_EXTENDED)$(TEST_GEN_FILES)" != "X" ]; then					\
-		mkdir -p ${INSTALL_PATH};										\
-		echo "rsync -a $(TEST_GEN_PROGS) $(TEST_CUSTOM_PROGS) $(TEST_GEN_PROGS_EXTENDED) $(TEST_GEN_FILES) $(INSTALL_PATH)/";	\
-		rsync -a $(TEST_GEN_PROGS) $(TEST_CUSTOM_PROGS) $(TEST_GEN_PROGS_EXTENDED) $(TEST_GEN_FILES) $(INSTALL_PATH)/;		\
-	fi
+	$(eval INSTALL_LIST = $(TEST_PROGS)) $(INSTALL_SINGLE_RULE)
+	$(eval INSTALL_LIST = $(TEST_PROGS_EXTENDED)) $(INSTALL_SINGLE_RULE)
+	$(eval INSTALL_LIST = $(TEST_FILES)) $(INSTALL_SINGLE_RULE)
+	$(eval INSTALL_LIST = $(TEST_GEN_PROGS)) $(INSTALL_SINGLE_RULE)
+	$(eval INSTALL_LIST = $(TEST_CUSTOM_PROGS)) $(INSTALL_SINGLE_RULE)
+	$(eval INSTALL_LIST = $(TEST_GEN_PROGS_EXTENDED)) $(INSTALL_SINGLE_RULE)
+	$(eval INSTALL_LIST = $(TEST_GEN_FILES)) $(INSTALL_SINGLE_RULE)
 endef
 
 install: all
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 016/168] usb: gadget: composite: Support more than 500mA MaxPower
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 015/168] selftests: fix too long argument Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 017/168] usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jack Pham, Felipe Balbi, Sasha Levin

From: Jack Pham <jackp@codeaurora.org>

[ Upstream commit a2035411fa1d1206cea7d5dfe833e78481844a76 ]

USB 3.x SuperSpeed peripherals can draw up to 900mA of VBUS power
when in configured state. However, if a configuration wanting to
take advantage of this is added with MaxPower greater than 500
(currently possible if using a ConfigFS gadget) the composite
driver fails to accommodate this for a couple reasons:

 - usb_gadget_vbus_draw() when called from set_config() and
   composite_resume() will be passed the MaxPower value without
   regard for the current connection speed, resulting in a
   violation for USB 2.0 since the max is 500mA.

 - the bMaxPower of the configuration descriptor would be
   incorrectly encoded, again if the connection speed is only
   at USB 2.0 or below, likely wrapping around U8_MAX since
   the 2mA multiplier corresponds to a maximum of 510mA.

Fix these by adding checks against the current gadget->speed
when the c->MaxPower value is used (set_config() and
composite_resume()) and appropriately limit based on whether
it is currently at a low-/full-/high- or super-speed connection.

Because 900 is not divisible by 8, with the round-up division
currently used in encode_bMaxPower() a MaxPower of 900mA will
result in an encoded value of 0x71. When a host stack (including
Linux and Windows) enumerates this on a single port root hub, it
reads this value back and decodes (multiplies by 8) to get 904mA
which is strictly greater than 900mA that is typically budgeted
for that port, causing it to reject the configuration. Instead,
we should be using the round-down behavior of normal integral
division so that 900 / 8 -> 0x70 or 896mA to stay within range.
And we might as well change it for the high/full/low case as well
for consistency.

N.B. USB 3.2 Gen N x 2 allows for up to 1500mA but there doesn't
seem to be any any peripheral controller supported by Linux that
does two lane operation, so for now keeping the clamp at 900
should be fine.

Signed-off-by: Jack Pham <jackp@codeaurora.org>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/gadget/composite.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 0d45d7a4f9493..d7871636fced8 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -438,9 +438,13 @@ static u8 encode_bMaxPower(enum usb_device_speed speed,
 	if (!val)
 		return 0;
 	if (speed < USB_SPEED_SUPER)
-		return DIV_ROUND_UP(val, 2);
+		return min(val, 500U) / 2;
 	else
-		return DIV_ROUND_UP(val, 8);
+		/*
+		 * USB 3.x supports up to 900mA, but since 900 isn't divisible
+		 * by 8 the integral division will effectively cap to 896mA.
+		 */
+		return min(val, 900U) / 8;
 }
 
 static int config_buf(struct usb_configuration *config,
@@ -852,6 +856,10 @@ static int set_config(struct usb_composite_dev *cdev,
 
 	/* when we return, be sure our power usage is valid */
 	power = c->MaxPower ? c->MaxPower : CONFIG_USB_GADGET_VBUS_DRAW;
+	if (gadget->speed < USB_SPEED_SUPER)
+		power = min(power, 500U);
+	else
+		power = min(power, 900U);
 done:
 	usb_gadget_vbus_draw(gadget, power);
 	if (result >= 0 && cdev->delayed_status)
@@ -2278,7 +2286,7 @@ void composite_resume(struct usb_gadget *gadget)
 {
 	struct usb_composite_dev	*cdev = get_gadget_data(gadget);
 	struct usb_function		*f;
-	u16				maxpower;
+	unsigned			maxpower;
 
 	/* REVISIT:  should we have config level
 	 * suspend/resume callbacks?
@@ -2292,10 +2300,14 @@ void composite_resume(struct usb_gadget *gadget)
 				f->resume(f);
 		}
 
-		maxpower = cdev->config->MaxPower;
+		maxpower = cdev->config->MaxPower ?
+			cdev->config->MaxPower : CONFIG_USB_GADGET_VBUS_DRAW;
+		if (gadget->speed < USB_SPEED_SUPER)
+			maxpower = min(maxpower, 500U);
+		else
+			maxpower = min(maxpower, 900U);
 
-		usb_gadget_vbus_draw(gadget, maxpower ?
-			maxpower : CONFIG_USB_GADGET_VBUS_DRAW);
+		usb_gadget_vbus_draw(gadget, maxpower);
 	}
 
 	cdev->suspended = 0;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 017/168] usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 016/168] usb: gadget: composite: Support more than 500mA MaxPower Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 018/168] usb: gadget: serial: fix Tx stall after buffer overflow Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Nazarewicz,
	Lars-Peter Clausen, Alexandru Ardelean, Felipe Balbi,
	Sasha Levin

From: Lars-Peter Clausen <lars@metafoo.de>

[ Upstream commit 43d565727a3a6fd24e37c7c2116475106af71806 ]

ffs_aio_cancel() can be called from both interrupt and thread context. Make
sure that the current IRQ state is saved and restored by using
spin_{un,}lock_irq{save,restore}().

Otherwise undefined behavior might occur.

Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/gadget/function/f_fs.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index ced2581cf99fe..a9a711e046148 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1162,18 +1162,19 @@ static int ffs_aio_cancel(struct kiocb *kiocb)
 {
 	struct ffs_io_data *io_data = kiocb->private;
 	struct ffs_epfile *epfile = kiocb->ki_filp->private_data;
+	unsigned long flags;
 	int value;
 
 	ENTER();
 
-	spin_lock_irq(&epfile->ffs->eps_lock);
+	spin_lock_irqsave(&epfile->ffs->eps_lock, flags);
 
 	if (likely(io_data && io_data->ep && io_data->req))
 		value = usb_ep_dequeue(io_data->ep, io_data->req);
 	else
 		value = -EINVAL;
 
-	spin_unlock_irq(&epfile->ffs->eps_lock);
+	spin_unlock_irqrestore(&epfile->ffs->eps_lock, flags);
 
 	return value;
 }
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 018/168] usb: gadget: serial: fix Tx stall after buffer overflow
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 017/168] usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 019/168] habanalabs: halt the engines before hard-reset Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergey Organov,
	Michał Mirosław, Felipe Balbi, Sasha Levin

From: Sergey Organov <sorganov@gmail.com>

[ Upstream commit e4bfded56cf39b8d02733c1e6ef546b97961e18a ]

Symptom: application opens /dev/ttyGS0 and starts sending (writing) to
it while either USB cable is not connected, or nobody listens on the
other side of the cable. If driver circular buffer overflows before
connection is established, no data will be written to the USB layer
until/unless /dev/ttyGS0 is closed and re-opened again by the
application (the latter besides having no means of being notified about
the event of establishing of the connection.)

Fix: on open and/or connect, kick Tx to flush circular buffer data to
USB layer.

Signed-off-by: Sergey Organov <sorganov@gmail.com>
Reviewed-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/gadget/function/u_serial.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c
index bb1e2e1d00769..038c445a4e9b5 100644
--- a/drivers/usb/gadget/function/u_serial.c
+++ b/drivers/usb/gadget/function/u_serial.c
@@ -560,8 +560,10 @@ static int gs_start_io(struct gs_port *port)
 	port->n_read = 0;
 	started = gs_start_rx(port);
 
-	/* unblock any pending writes into our circular buffer */
 	if (started) {
+		gs_start_tx(port);
+		/* Unblock any pending writes into our circular buffer, in case
+		 * we didn't in gs_start_tx() */
 		tty_wakeup(port->port.tty);
 	} else {
 		gs_free_requests(ep, head, &port->read_allocated);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 019/168] habanalabs: halt the engines before hard-reset
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 018/168] usb: gadget: serial: fix Tx stall after buffer overflow Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 020/168] habanalabs: do not halt CoreSight during hard reset Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tomer Tayar, Oded Gabbay, Sasha Levin

From: Oded Gabbay <oded.gabbay@gmail.com>

[ Upstream commit 908087ffbe896c100ed73d5f0ce11a5b7264af4a ]

The driver must halt the engines before doing hard-reset, otherwise the
device can go into undefined state. There is a place where the driver
didn't do that and this patch fixes it.

Reviewed-by: Tomer Tayar <ttayar@habana.ai>
Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/habanalabs/device.c    |  1 +
 drivers/misc/habanalabs/goya/goya.c | 42 +++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/drivers/misc/habanalabs/device.c b/drivers/misc/habanalabs/device.c
index 459fee70a597a..eb9c07833a517 100644
--- a/drivers/misc/habanalabs/device.c
+++ b/drivers/misc/habanalabs/device.c
@@ -1185,6 +1185,7 @@ int hl_device_init(struct hl_device *hdev, struct class *hclass)
 	if (hdev->asic_funcs->get_hw_state(hdev) == HL_DEVICE_HW_STATE_DIRTY) {
 		dev_info(hdev->dev,
 			"H/W state is dirty, must reset before initializing\n");
+		hdev->asic_funcs->halt_engines(hdev, true);
 		hdev->asic_funcs->hw_fini(hdev, true);
 	}
 
diff --git a/drivers/misc/habanalabs/goya/goya.c b/drivers/misc/habanalabs/goya/goya.c
index fe3574a83b7c3..1e97f6d77e3da 100644
--- a/drivers/misc/habanalabs/goya/goya.c
+++ b/drivers/misc/habanalabs/goya/goya.c
@@ -869,6 +869,11 @@ void goya_init_dma_qmans(struct hl_device *hdev)
  */
 static void goya_disable_external_queues(struct hl_device *hdev)
 {
+	struct goya_device *goya = hdev->asic_specific;
+
+	if (!(goya->hw_cap_initialized & HW_CAP_DMA))
+		return;
+
 	WREG32(mmDMA_QM_0_GLBL_CFG0, 0);
 	WREG32(mmDMA_QM_1_GLBL_CFG0, 0);
 	WREG32(mmDMA_QM_2_GLBL_CFG0, 0);
@@ -930,6 +935,11 @@ static int goya_stop_external_queues(struct hl_device *hdev)
 {
 	int rc, retval = 0;
 
+	struct goya_device *goya = hdev->asic_specific;
+
+	if (!(goya->hw_cap_initialized & HW_CAP_DMA))
+		return retval;
+
 	rc = goya_stop_queue(hdev,
 			mmDMA_QM_0_GLBL_CFG1,
 			mmDMA_QM_0_CP_STS,
@@ -1719,9 +1729,18 @@ void goya_init_tpc_qmans(struct hl_device *hdev)
  */
 static void goya_disable_internal_queues(struct hl_device *hdev)
 {
+	struct goya_device *goya = hdev->asic_specific;
+
+	if (!(goya->hw_cap_initialized & HW_CAP_MME))
+		goto disable_tpc;
+
 	WREG32(mmMME_QM_GLBL_CFG0, 0);
 	WREG32(mmMME_CMDQ_GLBL_CFG0, 0);
 
+disable_tpc:
+	if (!(goya->hw_cap_initialized & HW_CAP_TPC))
+		return;
+
 	WREG32(mmTPC0_QM_GLBL_CFG0, 0);
 	WREG32(mmTPC0_CMDQ_GLBL_CFG0, 0);
 
@@ -1757,8 +1776,12 @@ static void goya_disable_internal_queues(struct hl_device *hdev)
  */
 static int goya_stop_internal_queues(struct hl_device *hdev)
 {
+	struct goya_device *goya = hdev->asic_specific;
 	int rc, retval = 0;
 
+	if (!(goya->hw_cap_initialized & HW_CAP_MME))
+		goto stop_tpc;
+
 	/*
 	 * Each queue (QMAN) is a separate H/W logic. That means that each
 	 * QMAN can be stopped independently and failure to stop one does NOT
@@ -1785,6 +1808,10 @@ static int goya_stop_internal_queues(struct hl_device *hdev)
 		retval = -EIO;
 	}
 
+stop_tpc:
+	if (!(goya->hw_cap_initialized & HW_CAP_TPC))
+		return retval;
+
 	rc = goya_stop_queue(hdev,
 			mmTPC0_QM_GLBL_CFG1,
 			mmTPC0_QM_CP_STS,
@@ -1950,6 +1977,11 @@ static int goya_stop_internal_queues(struct hl_device *hdev)
 
 static void goya_dma_stall(struct hl_device *hdev)
 {
+	struct goya_device *goya = hdev->asic_specific;
+
+	if (!(goya->hw_cap_initialized & HW_CAP_DMA))
+		return;
+
 	WREG32(mmDMA_QM_0_GLBL_CFG1, 1 << DMA_QM_0_GLBL_CFG1_DMA_STOP_SHIFT);
 	WREG32(mmDMA_QM_1_GLBL_CFG1, 1 << DMA_QM_1_GLBL_CFG1_DMA_STOP_SHIFT);
 	WREG32(mmDMA_QM_2_GLBL_CFG1, 1 << DMA_QM_2_GLBL_CFG1_DMA_STOP_SHIFT);
@@ -1959,6 +1991,11 @@ static void goya_dma_stall(struct hl_device *hdev)
 
 static void goya_tpc_stall(struct hl_device *hdev)
 {
+	struct goya_device *goya = hdev->asic_specific;
+
+	if (!(goya->hw_cap_initialized & HW_CAP_TPC))
+		return;
+
 	WREG32(mmTPC0_CFG_TPC_STALL, 1 << TPC0_CFG_TPC_STALL_V_SHIFT);
 	WREG32(mmTPC1_CFG_TPC_STALL, 1 << TPC1_CFG_TPC_STALL_V_SHIFT);
 	WREG32(mmTPC2_CFG_TPC_STALL, 1 << TPC2_CFG_TPC_STALL_V_SHIFT);
@@ -1971,6 +2008,11 @@ static void goya_tpc_stall(struct hl_device *hdev)
 
 static void goya_mme_stall(struct hl_device *hdev)
 {
+	struct goya_device *goya = hdev->asic_specific;
+
+	if (!(goya->hw_cap_initialized & HW_CAP_MME))
+		return;
+
 	WREG32(mmMME_STALL, 0xFFFFFFFF);
 }
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 020/168] habanalabs: do not halt CoreSight during hard reset
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 019/168] habanalabs: halt the engines before hard-reset Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 021/168] habanalabs: patched cb equals user cb in device memset Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Omer Shpigelman, Oded Gabbay, Sasha Levin

From: Omer Shpigelman <oshpigelman@habana.ai>

[ Upstream commit a37e47192dfa98f79a0cd5ab991c224b5980c982 ]

During hard reset we must not write to the device.
Hence avoid halting CoreSight during user context close if it is done
during hard reset.
In addition, we must not re-enable clock gating afterwards as it was
deliberately disabled in the beginning of the hard reset flow.

Signed-off-by: Omer Shpigelman <oshpigelman@habana.ai>
Reviewed-by: Oded Gabbay <oded.gabbay@gmail.com>
Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/habanalabs/device.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/habanalabs/device.c b/drivers/misc/habanalabs/device.c
index eb9c07833a517..a7a4fed4d8995 100644
--- a/drivers/misc/habanalabs/device.c
+++ b/drivers/misc/habanalabs/device.c
@@ -600,7 +600,9 @@ int hl_device_set_debug_mode(struct hl_device *hdev, bool enable)
 			goto out;
 		}
 
-		hdev->asic_funcs->halt_coresight(hdev);
+		if (!hdev->hard_reset_pending)
+			hdev->asic_funcs->halt_coresight(hdev);
+
 		hdev->in_debug = 0;
 
 		goto out;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 021/168] habanalabs: patched cb equals user cb in device memset
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 020/168] habanalabs: do not halt CoreSight during hard reset Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 022/168] drm/msm/mdp5: rate limit pp done timeout warnings Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oded Gabbay, Sasha Levin

From: Oded Gabbay <oded.gabbay@gmail.com>

[ Upstream commit cf01514c5c6efa2d521d35e68dff2e0674d08e91 ]

During device memory memset, the driver allocates and use a CB (command
buffer). To reuse existing code, it keeps a pointer to the CB in two
variables, user_cb and patched_cb. Therefore, there is no need to "put"
both the user_cb and patched_cb, as it will cause an underflow of the
refcnt of the CB.

Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/habanalabs/goya/goya.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/misc/habanalabs/goya/goya.c b/drivers/misc/habanalabs/goya/goya.c
index 1e97f6d77e3da..13b39fd97429a 100644
--- a/drivers/misc/habanalabs/goya/goya.c
+++ b/drivers/misc/habanalabs/goya/goya.c
@@ -4666,8 +4666,6 @@ static int goya_memset_device_memory(struct hl_device *hdev, u64 addr, u64 size,
 
 	rc = goya_send_job_on_qman0(hdev, job);
 
-	hl_cb_put(job->patched_cb);
-
 	hl_debugfs_remove_job(hdev, job);
 	kfree(job);
 	cb->cs_cnt--;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 022/168] drm/msm/mdp5: rate limit pp done timeout warnings
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 021/168] habanalabs: patched cb equals user cb in device memset Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 023/168] drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian Masney, Rob Clark, Sasha Levin

From: Brian Masney <masneyb@onstation.org>

[ Upstream commit ef8c9809acb0805c991bba8bdd4749fc46d44a98 ]

Add rate limiting of the 'pp done time out' warnings since these
warnings can quickly fill the dmesg buffer.

Signed-off-by: Brian Masney <masneyb@onstation.org>
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c
index eb0b4b7dc7cc7..03c6d6157e4d0 100644
--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c
+++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c
@@ -1112,8 +1112,8 @@ static void mdp5_crtc_wait_for_pp_done(struct drm_crtc *crtc)
 	ret = wait_for_completion_timeout(&mdp5_crtc->pp_completion,
 						msecs_to_jiffies(50));
 	if (ret == 0)
-		dev_warn(dev->dev, "pp done time out, lm=%d\n",
-			 mdp5_cstate->pipeline.mixer->lm);
+		dev_warn_ratelimited(dev->dev, "pp done time out, lm=%d\n",
+				     mdp5_cstate->pipeline.mixer->lm);
 }
 
 static void mdp5_crtc_wait_for_flush_done(struct drm_crtc *crtc)
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 023/168] drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 022/168] drm/msm/mdp5: rate limit pp done timeout warnings Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 024/168] drm/modes: Make sure to parse valid rotation value from cmdline Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rob Clark, Sean Paul, Sami Tolvanen,
	Todd Kjos, Alistair Delva, Amit Pundir, Sumit Semwal, freedreno,
	clang-built-linux, John Stultz, Nick Desaulniers, Rob Clark,
	Sasha Levin

From: John Stultz <john.stultz@linaro.org>

[ Upstream commit 7fd2dfc3694922eb7ace4801b7208cf9f62ebc7d ]

I was hitting kCFI crashes when building with clang, and after
some digging finally narrowed it down to the
dsi_mgr_connector_mode_valid() function being implemented as
returning an int, instead of an enum drm_mode_status.

This patch fixes it, and appeases the opaque word of the kCFI
gods (seriously, clang inlining everything makes the kCFI
backtraces only really rough estimates of where things went
wrong).

Thanks as always to Sami for his help narrowing this down.

Cc: Rob Clark <robdclark@gmail.com>
Cc: Sean Paul <sean@poorly.run>
Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Todd Kjos <tkjos@google.com>
Cc: Alistair Delva <adelva@google.com>
Cc: Amit Pundir <amit.pundir@linaro.org>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Cc: freedreno@lists.freedesktop.org
Cc: clang-built-linux@googlegroups.com
Signed-off-by: John Stultz <john.stultz@linaro.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Tested-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/msm/dsi/dsi_manager.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/msm/dsi/dsi_manager.c b/drivers/gpu/drm/msm/dsi/dsi_manager.c
index 271aa7bbca925..355a60b4a536f 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_manager.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_manager.c
@@ -336,7 +336,7 @@ static int dsi_mgr_connector_get_modes(struct drm_connector *connector)
 	return num;
 }
 
-static int dsi_mgr_connector_mode_valid(struct drm_connector *connector,
+static enum drm_mode_status dsi_mgr_connector_mode_valid(struct drm_connector *connector,
 				struct drm_display_mode *mode)
 {
 	int id = dsi_mgr_connector_get_id(connector);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 024/168] drm/modes: Make sure to parse valid rotation value from cmdline
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 023/168] drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 025/168] drm/modes: Allow DRM_MODE_ROTATE_0 when applying video mode parameters Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephan Gerhold, Maxime Ripard, Sasha Levin

From: Stephan Gerhold <stephan@gerhold.net>

[ Upstream commit e6980a727154b793adb218fbc7b4d6af52a7e364 ]

A rotation value should have exactly one rotation angle.
At the moment there is no validation for this when parsing video=
parameters from the command line. This causes problems later on
when we try to combine the command line rotation with the panel
orientation.

To make sure that we generate a valid rotation value:
  - Set DRM_MODE_ROTATE_0 by default (if no rotate= option is set)
  - Validate that there is exactly one rotation angle set
    (i.e. specifying the rotate= option multiple times is invalid)

Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Link: https://patchwork.freedesktop.org/patch/msgid/20200117153429.54700-2-stephan@gerhold.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/drm_modes.c                       |  7 +++++++
 drivers/gpu/drm/selftests/drm_cmdline_selftests.h |  1 +
 .../gpu/drm/selftests/test-drm_cmdline_parser.c   | 15 +++++++++++++--
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index 88232698d7a00..3fd35e6b9d535 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1672,6 +1672,13 @@ static int drm_mode_parse_cmdline_options(char *str, size_t len,
 		}
 	}
 
+	if (!(rotation & DRM_MODE_ROTATE_MASK))
+		rotation |= DRM_MODE_ROTATE_0;
+
+	/* Make sure there is exactly one rotation defined */
+	if (!is_power_of_2(rotation & DRM_MODE_ROTATE_MASK))
+		return -EINVAL;
+
 	mode->rotation_reflection = rotation;
 
 	return 0;
diff --git a/drivers/gpu/drm/selftests/drm_cmdline_selftests.h b/drivers/gpu/drm/selftests/drm_cmdline_selftests.h
index 6d61a0eb5d64f..84e6bc050bf2c 100644
--- a/drivers/gpu/drm/selftests/drm_cmdline_selftests.h
+++ b/drivers/gpu/drm/selftests/drm_cmdline_selftests.h
@@ -53,6 +53,7 @@ cmdline_test(drm_cmdline_test_rotate_0)
 cmdline_test(drm_cmdline_test_rotate_90)
 cmdline_test(drm_cmdline_test_rotate_180)
 cmdline_test(drm_cmdline_test_rotate_270)
+cmdline_test(drm_cmdline_test_rotate_multiple)
 cmdline_test(drm_cmdline_test_rotate_invalid_val)
 cmdline_test(drm_cmdline_test_rotate_truncated)
 cmdline_test(drm_cmdline_test_hmirror)
diff --git a/drivers/gpu/drm/selftests/test-drm_cmdline_parser.c b/drivers/gpu/drm/selftests/test-drm_cmdline_parser.c
index 013de9d27c35d..035f86c5d6482 100644
--- a/drivers/gpu/drm/selftests/test-drm_cmdline_parser.c
+++ b/drivers/gpu/drm/selftests/test-drm_cmdline_parser.c
@@ -856,6 +856,17 @@ static int drm_cmdline_test_rotate_270(void *ignored)
 	return 0;
 }
 
+static int drm_cmdline_test_rotate_multiple(void *ignored)
+{
+	struct drm_cmdline_mode mode = { };
+
+	FAIL_ON(drm_mode_parse_command_line_for_connector("720x480,rotate=0,rotate=90",
+							  &no_connector,
+							  &mode));
+
+	return 0;
+}
+
 static int drm_cmdline_test_rotate_invalid_val(void *ignored)
 {
 	struct drm_cmdline_mode mode = { };
@@ -888,7 +899,7 @@ static int drm_cmdline_test_hmirror(void *ignored)
 	FAIL_ON(!mode.specified);
 	FAIL_ON(mode.xres != 720);
 	FAIL_ON(mode.yres != 480);
-	FAIL_ON(mode.rotation_reflection != DRM_MODE_REFLECT_X);
+	FAIL_ON(mode.rotation_reflection != (DRM_MODE_ROTATE_0 | DRM_MODE_REFLECT_X));
 
 	FAIL_ON(mode.refresh_specified);
 
@@ -913,7 +924,7 @@ static int drm_cmdline_test_vmirror(void *ignored)
 	FAIL_ON(!mode.specified);
 	FAIL_ON(mode.xres != 720);
 	FAIL_ON(mode.yres != 480);
-	FAIL_ON(mode.rotation_reflection != DRM_MODE_REFLECT_Y);
+	FAIL_ON(mode.rotation_reflection != (DRM_MODE_ROTATE_0 | DRM_MODE_REFLECT_Y));
 
 	FAIL_ON(mode.refresh_specified);
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 025/168] drm/modes: Allow DRM_MODE_ROTATE_0 when applying video mode parameters
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 024/168] drm/modes: Make sure to parse valid rotation value from cmdline Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 026/168] scsi: megaraid_sas: silence a warning Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephan Gerhold, Maxime Ripard, Sasha Levin

From: Stephan Gerhold <stephan@gerhold.net>

[ Upstream commit 5c320b6ce7510653bce68cecf80cf5b2d67e907f ]

At the moment, only DRM_MODE_ROTATE_180 is allowed when we try to apply
the rotation from the video mode parameters. It is also useful to allow
DRM_MODE_ROTATE_0 in case there is only a reflect option in the video mode
parameter (e.g. video=540x960,reflect_x).

DRM_MODE_ROTATE_0 means "no rotation" and should therefore not require
any special handling, so we can just add it to the if condition.

Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Link: https://patchwork.freedesktop.org/patch/msgid/20200117153429.54700-3-stephan@gerhold.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/drm_client_modeset.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_client_modeset.c b/drivers/gpu/drm/drm_client_modeset.c
index 12e748b202d6f..18cb88b9105e4 100644
--- a/drivers/gpu/drm/drm_client_modeset.c
+++ b/drivers/gpu/drm/drm_client_modeset.c
@@ -952,7 +952,8 @@ bool drm_client_rotation(struct drm_mode_set *modeset, unsigned int *rotation)
 	 * depending on the hardware this may require the framebuffer
 	 * to be in a specific tiling format.
 	 */
-	if ((*rotation & DRM_MODE_ROTATE_MASK) != DRM_MODE_ROTATE_180 ||
+	if (((*rotation & DRM_MODE_ROTATE_MASK) != DRM_MODE_ROTATE_0 &&
+	     (*rotation & DRM_MODE_ROTATE_MASK) != DRM_MODE_ROTATE_180) ||
 	    !plane->rotation_property)
 		return false;
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 026/168] scsi: megaraid_sas: silence a warning
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 025/168] drm/modes: Allow DRM_MODE_ROTATE_0 when applying video mode parameters Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 027/168] drm/msm/dsi: save pll state before dsi host is powered off Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tomas Henzl, Sumit Saxena,
	Lee Duncan, Martin K. Petersen, Sasha Levin

From: Tomas Henzl <thenzl@redhat.com>

[ Upstream commit 0e99b2c625da181aebf1a3d13493e3f7a5057a9c ]

Add a flag to DMA memory allocation to silence a warning.

This driver allocates DMA memory for IO frames. This allocation may exceed
MAX_ORDER pages for few megaraid_sas controllers (controllers with very
high queue depth). Consequently, the driver has logic to keep reducing the
controller queue depth until the DMA memory allocation succeeds.

On impacted megaraid_sas controllers there would be multiple DMA allocation
failures until driver settled on an allocation that fit. These failed DMA
allocation requests caused stack traces in system logs. These were not
harmful and this patch silences those warnings/stack traces.

[mkp: clarified commit desc]

Link: https://lore.kernel.org/r/20200204152413.7107-1-thenzl@redhat.com
Signed-off-by: Tomas Henzl <thenzl@redhat.com>
Acked-by: Sumit Saxena <sumit.saxena@broadcom.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/megaraid/megaraid_sas_fusion.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c
index 46bc062d873ef..d868388018053 100644
--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -594,7 +594,8 @@ megasas_alloc_request_fusion(struct megasas_instance *instance)
 
 	fusion->io_request_frames =
 			dma_pool_alloc(fusion->io_request_frames_pool,
-				GFP_KERNEL, &fusion->io_request_frames_phys);
+				GFP_KERNEL | __GFP_NOWARN,
+				&fusion->io_request_frames_phys);
 	if (!fusion->io_request_frames) {
 		if (instance->max_fw_cmds >= (MEGASAS_REDUCE_QD_COUNT * 2)) {
 			instance->max_fw_cmds -= MEGASAS_REDUCE_QD_COUNT;
@@ -632,7 +633,7 @@ megasas_alloc_request_fusion(struct megasas_instance *instance)
 
 		fusion->io_request_frames =
 			dma_pool_alloc(fusion->io_request_frames_pool,
-				       GFP_KERNEL,
+				       GFP_KERNEL | __GFP_NOWARN,
 				       &fusion->io_request_frames_phys);
 
 		if (!fusion->io_request_frames) {
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 027/168] drm/msm/dsi: save pll state before dsi host is powered off
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 026/168] scsi: megaraid_sas: silence a warning Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 028/168] drm/msm/dsi/pll: call vco set rate explicitly Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Harigovindan P, Rob Clark, Sasha Levin

From: Harigovindan P <harigovi@codeaurora.org>

[ Upstream commit a1028dcfd0dd97884072288d0c8ed7f30399b528 ]

Save pll state before dsi host is powered off. Without this change
some register values gets resetted.

Signed-off-by: Harigovindan P <harigovi@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/msm/dsi/dsi_manager.c | 5 +++++
 drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 4 ----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/msm/dsi/dsi_manager.c b/drivers/gpu/drm/msm/dsi/dsi_manager.c
index 355a60b4a536f..73127948f54d9 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_manager.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_manager.c
@@ -479,6 +479,7 @@ static void dsi_mgr_bridge_post_disable(struct drm_bridge *bridge)
 	struct msm_dsi *msm_dsi1 = dsi_mgr_get_dsi(DSI_1);
 	struct mipi_dsi_host *host = msm_dsi->host;
 	struct drm_panel *panel = msm_dsi->panel;
+	struct msm_dsi_pll *src_pll;
 	bool is_dual_dsi = IS_DUAL_DSI();
 	int ret;
 
@@ -519,6 +520,10 @@ static void dsi_mgr_bridge_post_disable(struct drm_bridge *bridge)
 								id, ret);
 	}
 
+	/* Save PLL status if it is a clock source */
+	src_pll = msm_dsi_phy_get_pll(msm_dsi->phy);
+	msm_dsi_pll_save_state(src_pll);
+
 	ret = msm_dsi_host_power_off(host);
 	if (ret)
 		pr_err("%s: host %d power off failed,%d\n", __func__, id, ret);
diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
index 3522863a4984f..21519229fe73a 100644
--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
+++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
@@ -724,10 +724,6 @@ void msm_dsi_phy_disable(struct msm_dsi_phy *phy)
 	if (!phy || !phy->cfg->ops.disable)
 		return;
 
-	/* Save PLL status if it is a clock source */
-	if (phy->usecase != MSM_DSI_PHY_SLAVE)
-		msm_dsi_pll_save_state(phy->pll);
-
 	phy->cfg->ops.disable(phy);
 
 	dsi_phy_regulator_disable(phy);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 028/168] drm/msm/dsi/pll: call vco set rate explicitly
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 027/168] drm/msm/dsi: save pll state before dsi host is powered off Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 029/168] selftests: forwarding: use proto icmp for {gretap, ip6gretap}_mac testing Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Harigovindan P, Jeffrey Hugo,
	Rob Clark, Sasha Levin

From: Harigovindan P <harigovi@codeaurora.org>

[ Upstream commit c6659785dfb3f8d75f1fe637e4222ff8178f5280 ]

For a given byte clock, if VCO recalc value is exactly same as
vco set rate value, vco_set_rate does not get called assuming
VCO is already set to required value. But Due to GDSC toggle,
VCO values are erased in the HW. To make sure VCO is programmed
correctly, we forcefully call set_rate from vco_prepare.

Signed-off-by: Harigovindan P <harigovi@codeaurora.org>
Reviewed-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/msm/dsi/pll/dsi_pll_10nm.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/msm/dsi/pll/dsi_pll_10nm.c b/drivers/gpu/drm/msm/dsi/pll/dsi_pll_10nm.c
index 8f6100db90ed4..aa9385d5bfff9 100644
--- a/drivers/gpu/drm/msm/dsi/pll/dsi_pll_10nm.c
+++ b/drivers/gpu/drm/msm/dsi/pll/dsi_pll_10nm.c
@@ -411,6 +411,12 @@ static int dsi_pll_10nm_vco_prepare(struct clk_hw *hw)
 	if (pll_10nm->slave)
 		dsi_pll_enable_pll_bias(pll_10nm->slave);
 
+	rc = dsi_pll_10nm_vco_set_rate(hw,pll_10nm->vco_current_rate, 0);
+	if (rc) {
+		pr_err("vco_set_rate failed, rc=%d\n", rc);
+		return rc;
+	}
+
 	/* Start PLL */
 	pll_write(pll_10nm->phy_cmn_mmio + REG_DSI_10nm_PHY_CMN_PLL_CNTRL,
 		  0x01);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 029/168] selftests: forwarding: use proto icmp for {gretap, ip6gretap}_mac testing
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 028/168] drm/msm/dsi/pll: call vco set rate explicitly Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 030/168] selftests: forwarding: vxlan_bridge_1d: fix tos value Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hangbin Liu, Petr Machata,
	David S. Miller, Sasha Levin

From: Hangbin Liu <liuhangbin@gmail.com>

[ Upstream commit e8023b030ce1748930e2dc76353a262fe47d4745 ]

For tc ip_proto filter, when we extract the flow via __skb_flow_dissect()
without flag FLOW_DISSECTOR_F_STOP_AT_ENCAP, we will continue extract to
the inner proto.

So for GRE + ICMP messages, we should not track GRE proto, but inner ICMP
proto.

For test mirror_gre.sh, it may make user confused if we capture ICMP
message on $h3(since the flow is GRE message). So I move the capture
dev to h3-gt{4,6}, and only capture ICMP message.

Before the fix:
]# ./mirror_gre.sh
TEST: ingress mirror to gretap (skip_hw)                            [ OK ]
TEST: egress mirror to gretap (skip_hw)                             [ OK ]
TEST: ingress mirror to ip6gretap (skip_hw)                         [ OK ]
TEST: egress mirror to ip6gretap (skip_hw)                          [ OK ]
TEST: ingress mirror to gretap: envelope MAC (skip_hw)              [FAIL]
 Expected to capture 10 packets, got 0.
TEST: egress mirror to gretap: envelope MAC (skip_hw)               [FAIL]
 Expected to capture 10 packets, got 0.
TEST: ingress mirror to ip6gretap: envelope MAC (skip_hw)           [FAIL]
 Expected to capture 10 packets, got 0.
TEST: egress mirror to ip6gretap: envelope MAC (skip_hw)            [FAIL]
 Expected to capture 10 packets, got 0.
TEST: two simultaneously configured mirrors (skip_hw)               [ OK ]
WARN: Could not test offloaded functionality

After fix:
]# ./mirror_gre.sh
TEST: ingress mirror to gretap (skip_hw)                            [ OK ]
TEST: egress mirror to gretap (skip_hw)                             [ OK ]
TEST: ingress mirror to ip6gretap (skip_hw)                         [ OK ]
TEST: egress mirror to ip6gretap (skip_hw)                          [ OK ]
TEST: ingress mirror to gretap: envelope MAC (skip_hw)              [ OK ]
TEST: egress mirror to gretap: envelope MAC (skip_hw)               [ OK ]
TEST: ingress mirror to ip6gretap: envelope MAC (skip_hw)           [ OK ]
TEST: egress mirror to ip6gretap: envelope MAC (skip_hw)            [ OK ]
TEST: two simultaneously configured mirrors (skip_hw)               [ OK ]
WARN: Could not test offloaded functionality

Fixes: ba8d39871a10 ("selftests: forwarding: Add test for mirror to gretap")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Petr Machata <pmachata@gmail.com>
Tested-by: Petr Machata <pmachata@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../selftests/net/forwarding/mirror_gre.sh    | 25 ++++++++++---------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/tools/testing/selftests/net/forwarding/mirror_gre.sh b/tools/testing/selftests/net/forwarding/mirror_gre.sh
index e6fd7a18c655f..0266443601bc0 100755
--- a/tools/testing/selftests/net/forwarding/mirror_gre.sh
+++ b/tools/testing/selftests/net/forwarding/mirror_gre.sh
@@ -63,22 +63,23 @@ test_span_gre_mac()
 {
 	local tundev=$1; shift
 	local direction=$1; shift
-	local prot=$1; shift
 	local what=$1; shift
 
-	local swp3mac=$(mac_get $swp3)
-	local h3mac=$(mac_get $h3)
+	case "$direction" in
+	ingress) local src_mac=$(mac_get $h1); local dst_mac=$(mac_get $h2)
+		;;
+	egress) local src_mac=$(mac_get $h2); local dst_mac=$(mac_get $h1)
+		;;
+	esac
 
 	RET=0
 
 	mirror_install $swp1 $direction $tundev "matchall $tcflags"
-	tc filter add dev $h3 ingress pref 77 prot $prot \
-		flower ip_proto 0x2f src_mac $swp3mac dst_mac $h3mac \
-		action pass
+	icmp_capture_install h3-${tundev} "src_mac $src_mac dst_mac $dst_mac"
 
-	mirror_test v$h1 192.0.2.1 192.0.2.2 $h3 77 10
+	mirror_test v$h1 192.0.2.1 192.0.2.2 h3-${tundev} 100 10
 
-	tc filter del dev $h3 ingress pref 77
+	icmp_capture_uninstall h3-${tundev}
 	mirror_uninstall $swp1 $direction
 
 	log_test "$direction $what: envelope MAC ($tcflags)"
@@ -120,14 +121,14 @@ test_ip6gretap()
 
 test_gretap_mac()
 {
-	test_span_gre_mac gt4 ingress ip "mirror to gretap"
-	test_span_gre_mac gt4 egress ip "mirror to gretap"
+	test_span_gre_mac gt4 ingress "mirror to gretap"
+	test_span_gre_mac gt4 egress "mirror to gretap"
 }
 
 test_ip6gretap_mac()
 {
-	test_span_gre_mac gt6 ingress ipv6 "mirror to ip6gretap"
-	test_span_gre_mac gt6 egress ipv6 "mirror to ip6gretap"
+	test_span_gre_mac gt6 ingress "mirror to ip6gretap"
+	test_span_gre_mac gt6 egress "mirror to ip6gretap"
 }
 
 test_all()
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 030/168] selftests: forwarding: vxlan_bridge_1d: fix tos value
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 029/168] selftests: forwarding: use proto icmp for {gretap, ip6gretap}_mac testing Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 031/168] net: atlantic: check rpc result and wait for rpc address Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hangbin Liu, David S. Miller, Sasha Levin

From: Hangbin Liu <liuhangbin@gmail.com>

[ Upstream commit 4e867c9a50ff1a07ed0b86c3b1c8bc773933d728 ]

After commit 71130f29979c ("vxlan: fix tos value before xmit") we start
strict vxlan xmit tos value by RT_TOS(), which limits the tos value less
than 0x1E. With current value 0x40 the test will failed with "v1: Expected
to capture 10 packets, got 0". So let's choose a smaller tos value for
testing.

Fixes: d417ecf533fe ("selftests: forwarding: vxlan_bridge_1d: Add a TOS test")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/net/forwarding/vxlan_bridge_1d.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/net/forwarding/vxlan_bridge_1d.sh b/tools/testing/selftests/net/forwarding/vxlan_bridge_1d.sh
index bb10e33690b25..353613fc19475 100755
--- a/tools/testing/selftests/net/forwarding/vxlan_bridge_1d.sh
+++ b/tools/testing/selftests/net/forwarding/vxlan_bridge_1d.sh
@@ -516,9 +516,9 @@ test_tos()
 	RET=0
 
 	tc filter add dev v1 egress pref 77 prot ip \
-		flower ip_tos 0x40 action pass
-	vxlan_ping_test $h1 192.0.2.3 "-Q 0x40" v1 egress 77 10
-	vxlan_ping_test $h1 192.0.2.3 "-Q 0x30" v1 egress 77 0
+		flower ip_tos 0x11 action pass
+	vxlan_ping_test $h1 192.0.2.3 "-Q 0x11" v1 egress 77 10
+	vxlan_ping_test $h1 192.0.2.3 "-Q 0x12" v1 egress 77 0
 	tc filter del dev v1 egress pref 77 prot ip
 
 	log_test "VXLAN: envelope TOS inheritance"
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 031/168] net: atlantic: check rpc result and wait for rpc address
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 030/168] selftests: forwarding: vxlan_bridge_1d: fix tos value Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 032/168] net: ks8851-ml: Remove 8-bit bus accessors Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Bogdanov, Igor Russkikh,
	David S. Miller, Sasha Levin

From: Igor Russkikh <irusskikh@marvell.com>

[ Upstream commit e7b5f97e6574dc4918e375d5f8d24ec31653cd6d ]

Artificial HW reliability tests revealed a possible hangup in
the driver. Normally, when device disappears from bus, all
register reads returns 0xFFFFFFFF.

At remote procedure invocation towards FW there is a logic
where result is compared with -1 in a loop.
That caused an infinite loop if hardware due to some issues
disappears from bus.

Add extra result checks to prevent this.

Signed-off-by: Dmitry Bogdanov <dbogdanov@marvell.com>
Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../aquantia/atlantic/hw_atl/hw_atl_utils.c   | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
index 52646855495ed..873f9865f0d15 100644
--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
+++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
@@ -22,6 +22,7 @@
 #define HW_ATL_MIF_ADDR         0x0208U
 #define HW_ATL_MIF_VAL          0x020CU
 
+#define HW_ATL_MPI_RPC_ADDR     0x0334U
 #define HW_ATL_RPC_CONTROL_ADR  0x0338U
 #define HW_ATL_RPC_STATE_ADR    0x033CU
 
@@ -48,15 +49,14 @@
 #define FORCE_FLASHLESS 0
 
 static int hw_atl_utils_ver_match(u32 ver_expected, u32 ver_actual);
-
 static int hw_atl_utils_mpi_set_state(struct aq_hw_s *self,
 				      enum hal_atl_utils_fw_state_e state);
-
 static u32 hw_atl_utils_get_mpi_mbox_tid(struct aq_hw_s *self);
 static u32 hw_atl_utils_mpi_get_state(struct aq_hw_s *self);
 static u32 hw_atl_utils_mif_cmd_get(struct aq_hw_s *self);
 static u32 hw_atl_utils_mif_addr_get(struct aq_hw_s *self);
 static u32 hw_atl_utils_rpc_state_get(struct aq_hw_s *self);
+static u32 aq_fw1x_rpc_get(struct aq_hw_s *self);
 
 int hw_atl_utils_initfw(struct aq_hw_s *self, const struct aq_fw_ops **fw_ops)
 {
@@ -413,6 +413,10 @@ static int hw_atl_utils_init_ucp(struct aq_hw_s *self,
 					self, self->mbox_addr,
 					self->mbox_addr != 0U,
 					1000U, 10000U);
+	err = readx_poll_timeout_atomic(aq_fw1x_rpc_get, self,
+					self->rpc_addr,
+					self->rpc_addr != 0U,
+					1000U, 100000U);
 
 	return err;
 }
@@ -469,6 +473,12 @@ int hw_atl_utils_fw_rpc_wait(struct aq_hw_s *self,
 						self, fw.val,
 						sw.tid == fw.tid,
 						1000U, 100000U);
+		if (err < 0)
+			goto err_exit;
+
+		err = aq_hw_err_from_flags(self);
+		if (err < 0)
+			goto err_exit;
 
 		if (fw.len == 0xFFFFU) {
 			err = hw_atl_utils_fw_rpc_call(self, sw.len);
@@ -950,6 +960,11 @@ static u32 hw_atl_utils_rpc_state_get(struct aq_hw_s *self)
 	return aq_hw_read_reg(self, HW_ATL_RPC_STATE_ADR);
 }
 
+static u32 aq_fw1x_rpc_get(struct aq_hw_s *self)
+{
+	return aq_hw_read_reg(self, HW_ATL_MPI_RPC_ADDR);
+}
+
 const struct aq_fw_ops aq_fw_1x_ops = {
 	.init = hw_atl_utils_mpi_create,
 	.deinit = hw_atl_fw1x_deinit,
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 032/168] net: ks8851-ml: Remove 8-bit bus accessors
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 031/168] net: atlantic: check rpc result and wait for rpc address Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:37 ` [PATCH 5.4 033/168] net: ks8851-ml: Fix 16-bit data access Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Vasut, David S. Miller,
	Lukas Wunner, Petr Stetiar, YueHaibing, Sasha Levin

From: Marek Vasut <marex@denx.de>

[ Upstream commit 69233bba6543a37755158ca3382765387b8078df ]

This driver is mixing 8-bit and 16-bit bus accessors for reasons unknown,
however the speculation is that this was some sort of attempt to support
the 8-bit bus mode.

As per the KS8851-16MLL documentation, all two registers accessed via the
8-bit accessors are internally 16-bit registers, so reading them using
16-bit accessors is fine. The KS_CCR read can be converted to 16-bit read
outright, as it is already a concatenation of two 8-bit reads of that
register. The KS_RXQCR accesses are 8-bit only, however writing the top
8 bits of the register is OK as well, since the driver caches the entire
16-bit register value anyway.

Finally, the driver is not used by any hardware in the kernel right now.
The only hardware available to me is one with 16-bit bus, so I have no
way to test the 8-bit bus mode, however it is unlikely this ever really
worked anyway. If the 8-bit bus mode is ever required, it can be easily
added by adjusting the 16-bit accessors to do 2 consecutive accesses,
which is how this should have been done from the beginning.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: David S. Miller <davem@davemloft.net>
Cc: Lukas Wunner <lukas@wunner.de>
Cc: Petr Stetiar <ynezz@true.cz>
Cc: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/micrel/ks8851_mll.c | 45 +++---------------------
 1 file changed, 5 insertions(+), 40 deletions(-)

diff --git a/drivers/net/ethernet/micrel/ks8851_mll.c b/drivers/net/ethernet/micrel/ks8851_mll.c
index a41a90c589db2..e2fb20154511e 100644
--- a/drivers/net/ethernet/micrel/ks8851_mll.c
+++ b/drivers/net/ethernet/micrel/ks8851_mll.c
@@ -156,24 +156,6 @@ static int msg_enable;
  * chip is busy transferring packet data (RX/TX FIFO accesses).
  */
 
-/**
- * ks_rdreg8 - read 8 bit register from device
- * @ks	  : The chip information
- * @offset: The register address
- *
- * Read a 8bit register from the chip, returning the result
- */
-static u8 ks_rdreg8(struct ks_net *ks, int offset)
-{
-	u16 data;
-	u8 shift_bit = offset & 0x03;
-	u8 shift_data = (offset & 1) << 3;
-	ks->cmd_reg_cache = (u16) offset | (u16)(BE0 << shift_bit);
-	iowrite16(ks->cmd_reg_cache, ks->hw_addr_cmd);
-	data  = ioread16(ks->hw_addr);
-	return (u8)(data >> shift_data);
-}
-
 /**
  * ks_rdreg16 - read 16 bit register from device
  * @ks	  : The chip information
@@ -189,22 +171,6 @@ static u16 ks_rdreg16(struct ks_net *ks, int offset)
 	return ioread16(ks->hw_addr);
 }
 
-/**
- * ks_wrreg8 - write 8bit register value to chip
- * @ks: The chip information
- * @offset: The register address
- * @value: The value to write
- *
- */
-static void ks_wrreg8(struct ks_net *ks, int offset, u8 value)
-{
-	u8  shift_bit = (offset & 0x03);
-	u16 value_write = (u16)(value << ((offset & 1) << 3));
-	ks->cmd_reg_cache = (u16)offset | (BE0 << shift_bit);
-	iowrite16(ks->cmd_reg_cache, ks->hw_addr_cmd);
-	iowrite16(value_write, ks->hw_addr);
-}
-
 /**
  * ks_wrreg16 - write 16bit register value to chip
  * @ks: The chip information
@@ -324,8 +290,7 @@ static void ks_read_config(struct ks_net *ks)
 	u16 reg_data = 0;
 
 	/* Regardless of bus width, 8 bit read should always work.*/
-	reg_data = ks_rdreg8(ks, KS_CCR) & 0x00FF;
-	reg_data |= ks_rdreg8(ks, KS_CCR+1) << 8;
+	reg_data = ks_rdreg16(ks, KS_CCR);
 
 	/* addr/data bus are multiplexed */
 	ks->sharedbus = (reg_data & CCR_SHARED) == CCR_SHARED;
@@ -429,7 +394,7 @@ static inline void ks_read_qmu(struct ks_net *ks, u16 *buf, u32 len)
 
 	/* 1. set sudo DMA mode */
 	ks_wrreg16(ks, KS_RXFDPR, RXFDPR_RXFPAI);
-	ks_wrreg8(ks, KS_RXQCR, (ks->rc_rxqcr | RXQCR_SDA) & 0xff);
+	ks_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA);
 
 	/* 2. read prepend data */
 	/**
@@ -446,7 +411,7 @@ static inline void ks_read_qmu(struct ks_net *ks, u16 *buf, u32 len)
 	ks_inblk(ks, buf, ALIGN(len, 4));
 
 	/* 4. reset sudo DMA Mode */
-	ks_wrreg8(ks, KS_RXQCR, ks->rc_rxqcr);
+	ks_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr);
 }
 
 /**
@@ -679,13 +644,13 @@ static void ks_write_qmu(struct ks_net *ks, u8 *pdata, u16 len)
 	ks->txh.txw[1] = cpu_to_le16(len);
 
 	/* 1. set sudo-DMA mode */
-	ks_wrreg8(ks, KS_RXQCR, (ks->rc_rxqcr | RXQCR_SDA) & 0xff);
+	ks_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA);
 	/* 2. write status/lenth info */
 	ks_outblk(ks, ks->txh.txw, 4);
 	/* 3. write pkt data */
 	ks_outblk(ks, (u16 *)pdata, ALIGN(len, 4));
 	/* 4. reset sudo-DMA mode */
-	ks_wrreg8(ks, KS_RXQCR, ks->rc_rxqcr);
+	ks_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr);
 	/* 5. Enqueue Tx(move the pkt from TX buffer into TXQ) */
 	ks_wrreg16(ks, KS_TXQCR, TXQCR_METFE);
 	/* 6. wait until TXQCR_METFE is auto-cleared */
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 033/168] net: ks8851-ml: Fix 16-bit data access
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 032/168] net: ks8851-ml: Remove 8-bit bus accessors Greg Kroah-Hartman
@ 2020-03-10 12:37 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 034/168] net: ks8851-ml: Fix 16-bit IO operation Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:37 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Vasut, David S. Miller,
	Lukas Wunner, Petr Stetiar, YueHaibing, Sasha Levin

From: Marek Vasut <marex@denx.de>

[ Upstream commit edacb098ea9c31589276152f09b4439052c0f2b1 ]

The packet data written to and read from Micrel KSZ8851-16MLLI must be
byte-swapped in 16-bit mode, add this byte-swapping.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: David S. Miller <davem@davemloft.net>
Cc: Lukas Wunner <lukas@wunner.de>
Cc: Petr Stetiar <ynezz@true.cz>
Cc: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/micrel/ks8851_mll.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/micrel/ks8851_mll.c b/drivers/net/ethernet/micrel/ks8851_mll.c
index e2fb20154511e..5ae206ae5d2b3 100644
--- a/drivers/net/ethernet/micrel/ks8851_mll.c
+++ b/drivers/net/ethernet/micrel/ks8851_mll.c
@@ -197,7 +197,7 @@ static inline void ks_inblk(struct ks_net *ks, u16 *wptr, u32 len)
 {
 	len >>= 1;
 	while (len--)
-		*wptr++ = (u16)ioread16(ks->hw_addr);
+		*wptr++ = be16_to_cpu(ioread16(ks->hw_addr));
 }
 
 /**
@@ -211,7 +211,7 @@ static inline void ks_outblk(struct ks_net *ks, u16 *wptr, u32 len)
 {
 	len >>= 1;
 	while (len--)
-		iowrite16(*wptr++, ks->hw_addr);
+		iowrite16(cpu_to_be16(*wptr++), ks->hw_addr);
 }
 
 static void ks_disable_int(struct ks_net *ks)
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 034/168] net: ks8851-ml: Fix 16-bit IO operation
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2020-03-10 12:37 ` [PATCH 5.4 033/168] net: ks8851-ml: Fix 16-bit data access Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 035/168] net: ethernet: dm9000: Handle -EPROBE_DEFER in dm9000_parse_dt() Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Vasut, David S. Miller,
	Lukas Wunner, Petr Stetiar, YueHaibing, Sasha Levin

From: Marek Vasut <marex@denx.de>

[ Upstream commit 58292104832fef6cb4a89f736012c0e0724c3442 ]

The Micrel KSZ8851-16MLLI datasheet DS00002357B page 12 states that
BE[3:0] signals are active high. This contradicts the measurements
of the behavior of the actual chip, where these signals behave as
active low. For example, to read the CIDER register, the bus must
expose 0xc0c0 during the address phase, which means BE[3:0]=4'b1100.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: David S. Miller <davem@davemloft.net>
Cc: Lukas Wunner <lukas@wunner.de>
Cc: Petr Stetiar <ynezz@true.cz>
Cc: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/micrel/ks8851_mll.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/micrel/ks8851_mll.c b/drivers/net/ethernet/micrel/ks8851_mll.c
index 5ae206ae5d2b3..1c9e70c8cc30f 100644
--- a/drivers/net/ethernet/micrel/ks8851_mll.c
+++ b/drivers/net/ethernet/micrel/ks8851_mll.c
@@ -166,7 +166,7 @@ static int msg_enable;
 
 static u16 ks_rdreg16(struct ks_net *ks, int offset)
 {
-	ks->cmd_reg_cache = (u16)offset | ((BE1 | BE0) << (offset & 0x02));
+	ks->cmd_reg_cache = (u16)offset | ((BE3 | BE2) >> (offset & 0x02));
 	iowrite16(ks->cmd_reg_cache, ks->hw_addr_cmd);
 	return ioread16(ks->hw_addr);
 }
@@ -181,7 +181,7 @@ static u16 ks_rdreg16(struct ks_net *ks, int offset)
 
 static void ks_wrreg16(struct ks_net *ks, int offset, u16 value)
 {
-	ks->cmd_reg_cache = (u16)offset | ((BE1 | BE0) << (offset & 0x02));
+	ks->cmd_reg_cache = (u16)offset | ((BE3 | BE2) >> (offset & 0x02));
 	iowrite16(ks->cmd_reg_cache, ks->hw_addr_cmd);
 	iowrite16(value, ks->hw_addr);
 }
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 035/168] net: ethernet: dm9000: Handle -EPROBE_DEFER in dm9000_parse_dt()
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 034/168] net: ks8851-ml: Fix 16-bit IO operation Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 036/168] watchdog: da9062: do not ping the hw during stop() Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, H. Nikolaus Schaller,
	Mathieu Malaterre, Paul Cercueil, Andrew Lunn, David S. Miller,
	Sasha Levin

From: Paul Cercueil <paul@crapouillou.net>

[ Upstream commit 9a6a0dea16177ccaecc116f560232e63bec115f1 ]

The call to of_get_mac_address() can return -EPROBE_DEFER, for instance
when the MAC address is read from a NVMEM driver that did not probe yet.

Cc: H. Nikolaus Schaller <hns@goldelico.com>
Cc: Mathieu Malaterre <malat@debian.org>
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/davicom/dm9000.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/davicom/dm9000.c b/drivers/net/ethernet/davicom/dm9000.c
index cce90b5925d93..70060c51854fd 100644
--- a/drivers/net/ethernet/davicom/dm9000.c
+++ b/drivers/net/ethernet/davicom/dm9000.c
@@ -1405,6 +1405,8 @@ static struct dm9000_plat_data *dm9000_parse_dt(struct device *dev)
 	mac_addr = of_get_mac_address(np);
 	if (!IS_ERR(mac_addr))
 		ether_addr_copy(pdata->dev_addr, mac_addr);
+	else if (PTR_ERR(mac_addr) == -EPROBE_DEFER)
+		return ERR_CAST(mac_addr);
 
 	return pdata;
 }
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 036/168] watchdog: da9062: do not ping the hw during stop()
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 035/168] net: ethernet: dm9000: Handle -EPROBE_DEFER in dm9000_parse_dt() Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 037/168] s390/cio: cio_ignore_proc_seq_next should increase position index Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marco Felsch, Guenter Roeck,
	Wim Van Sebroeck, Sasha Levin

From: Marco Felsch <m.felsch@pengutronix.de>

[ Upstream commit e9a0e65eda3f78d0b04ec6136c591c000cbc3b76 ]

The da9062 hw has a minimum ping cool down phase of at least 200ms. The
driver takes that into account by setting the min_hw_heartbeat_ms to
300ms and the core guarantees that the hw limit is observed for the
ping() calls. But the core can't guarantee the required minimum ping
cool down phase if a stop() command is send immediately after the ping()
command. So it is not allowed to ping the watchdog within the stop()
command as the driver does. Remove the ping can be done without doubts
because the watchdog gets disabled anyway and a (re)start resets the
watchdog counter too.

Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20200120091729.16256-1-m.felsch@pengutronix.de
[groeck: Updated description]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/watchdog/da9062_wdt.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/drivers/watchdog/da9062_wdt.c b/drivers/watchdog/da9062_wdt.c
index e149e66a6ea9f..e92f38fcb7a4a 100644
--- a/drivers/watchdog/da9062_wdt.c
+++ b/drivers/watchdog/da9062_wdt.c
@@ -94,13 +94,6 @@ static int da9062_wdt_stop(struct watchdog_device *wdd)
 	struct da9062_watchdog *wdt = watchdog_get_drvdata(wdd);
 	int ret;
 
-	ret = da9062_reset_watchdog_timer(wdt);
-	if (ret) {
-		dev_err(wdt->hw->dev, "Failed to ping the watchdog (err = %d)\n",
-			ret);
-		return ret;
-	}
-
 	ret = regmap_update_bits(wdt->hw->regmap,
 				 DA9062AA_CONTROL_D,
 				 DA9062AA_TWDSCALE_MASK,
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 037/168] s390/cio: cio_ignore_proc_seq_next should increase position index
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 036/168] watchdog: da9062: do not ping the hw during stop() Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 038/168] s390: make install not depend on vmlinux Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Cornelia Huck, Christian Borntraeger,
	Vasily Averin, Vasily Gorbik, Sasha Levin

From: Vasily Averin <vvs@virtuozzo.com>

[ Upstream commit 8b101a5e14f2161869636ff9cb4907b7749dc0c2 ]

if seq_file .next fuction does not change position index,
read after some lseek can generate unexpected output.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=206283
Link: https://lore.kernel.org/r/d44c53a7-9bc1-15c7-6d4a-0c10cb9dffce@virtuozzo.com
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/cio/blacklist.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/s390/cio/blacklist.c b/drivers/s390/cio/blacklist.c
index 2a3f874a21d54..9cebff8e8d740 100644
--- a/drivers/s390/cio/blacklist.c
+++ b/drivers/s390/cio/blacklist.c
@@ -303,8 +303,10 @@ static void *
 cio_ignore_proc_seq_next(struct seq_file *s, void *it, loff_t *offset)
 {
 	struct ccwdev_iter *iter;
+	loff_t p = *offset;
 
-	if (*offset >= (__MAX_SUBCHANNEL + 1) * (__MAX_SSID + 1))
+	(*offset)++;
+	if (p >= (__MAX_SUBCHANNEL + 1) * (__MAX_SSID + 1))
 		return NULL;
 	iter = it;
 	if (iter->devno == __MAX_SUBCHANNEL) {
@@ -314,7 +316,6 @@ cio_ignore_proc_seq_next(struct seq_file *s, void *it, loff_t *offset)
 			return NULL;
 	} else
 		iter->devno++;
-	(*offset)++;
 	return iter;
 }
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 038/168] s390: make install not depend on vmlinux
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 037/168] s390/cio: cio_ignore_proc_seq_next should increase position index Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 039/168] efi: Only print errors about failing to get certs if EFI vars are found Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Vasily Gorbik, Sasha Levin

From: Masahiro Yamada <masahiroy@kernel.org>

[ Upstream commit 94e90f727f7424d827256023cace829cad6896f4 ]

For the same reason as commit 19514fc665ff ("arm, kbuild: make "make
install" not depend on vmlinux"), the install targets should never
trigger the rebuild of the kernel.

The variable, CONFIGURE, is not set by anyone. Remove it as well.

Link: https://lkml.kernel.org/r/20200216144829.27023-1-masahiroy@kernel.org
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/s390/Makefile      | 2 +-
 arch/s390/boot/Makefile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/s390/Makefile b/arch/s390/Makefile
index 9ce1baeac2b25..2faaf456956a6 100644
--- a/arch/s390/Makefile
+++ b/arch/s390/Makefile
@@ -146,7 +146,7 @@ all: bzImage
 #KBUILD_IMAGE is necessary for packaging targets like rpm-pkg, deb-pkg...
 KBUILD_IMAGE	:= $(boot)/bzImage
 
-install: vmlinux
+install:
 	$(Q)$(MAKE) $(build)=$(boot) $@
 
 bzImage: vmlinux
diff --git a/arch/s390/boot/Makefile b/arch/s390/boot/Makefile
index e2c47d3a1c891..0ff9261c915e3 100644
--- a/arch/s390/boot/Makefile
+++ b/arch/s390/boot/Makefile
@@ -70,7 +70,7 @@ $(obj)/compressed/vmlinux: $(obj)/startup.a FORCE
 $(obj)/startup.a: $(OBJECTS) FORCE
 	$(call if_changed,ar)
 
-install: $(CONFIGURE) $(obj)/bzImage
+install:
 	sh -x  $(srctree)/$(obj)/install.sh $(KERNELRELEASE) $(obj)/bzImage \
 	      System.map "$(INSTALL_PATH)"
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 039/168] efi: Only print errors about failing to get certs if EFI vars are found
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 038/168] s390: make install not depend on vmlinux Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 040/168] net/mlx5: DR, Fix matching on vport gvmi Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede,
	Javier Martinez Canillas, Ard Biesheuvel, Mimi Zohar,
	Sasha Levin

From: Javier Martinez Canillas <javierm@redhat.com>

[ Upstream commit 3be54d558c75562e42bc83d665df024bd79d399b ]

If CONFIG_LOAD_UEFI_KEYS is enabled, the kernel attempts to load the certs
from the db, dbx and MokListRT EFI variables into the appropriate keyrings.

But it just assumes that the variables will be present and prints an error
if the certs can't be loaded, even when is possible that the variables may
not exist. For example the MokListRT variable will only be present if shim
is used.

So only print an error message about failing to get the certs list from an
EFI variable if this is found. Otherwise these printed errors just pollute
the kernel log ring buffer with confusing messages like the following:

[    5.427251] Couldn't get size: 0x800000000000000e
[    5.427261] MODSIGN: Couldn't get UEFI db list
[    5.428012] Couldn't get size: 0x800000000000000e
[    5.428023] Couldn't get UEFI MokListRT

Reported-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Tested-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 security/integrity/platform_certs/load_uefi.c | 40 ++++++++++++-------
 1 file changed, 26 insertions(+), 14 deletions(-)

diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index 81b19c52832ba..020fc7a11ef0e 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -39,16 +39,18 @@ static __init bool uefi_check_ignore_db(void)
  * Get a certificate list blob from the named EFI variable.
  */
 static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
-				  unsigned long *size)
+				  unsigned long *size, efi_status_t *status)
 {
-	efi_status_t status;
 	unsigned long lsize = 4;
 	unsigned long tmpdb[4];
 	void *db;
 
-	status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
-	if (status != EFI_BUFFER_TOO_SMALL) {
-		pr_err("Couldn't get size: 0x%lx\n", status);
+	*status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
+	if (*status == EFI_NOT_FOUND)
+		return NULL;
+
+	if (*status != EFI_BUFFER_TOO_SMALL) {
+		pr_err("Couldn't get size: 0x%lx\n", *status);
 		return NULL;
 	}
 
@@ -56,10 +58,10 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
 	if (!db)
 		return NULL;
 
-	status = efi.get_variable(name, guid, NULL, &lsize, db);
-	if (status != EFI_SUCCESS) {
+	*status = efi.get_variable(name, guid, NULL, &lsize, db);
+	if (*status != EFI_SUCCESS) {
 		kfree(db);
-		pr_err("Error reading db var: 0x%lx\n", status);
+		pr_err("Error reading db var: 0x%lx\n", *status);
 		return NULL;
 	}
 
@@ -144,6 +146,7 @@ static int __init load_uefi_certs(void)
 	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
 	void *db = NULL, *dbx = NULL, *mok = NULL;
 	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
+	efi_status_t status;
 	int rc = 0;
 
 	if (!efi.get_variable)
@@ -153,9 +156,12 @@ static int __init load_uefi_certs(void)
 	 * an error if we can't get them.
 	 */
 	if (!uefi_check_ignore_db()) {
-		db = get_cert_list(L"db", &secure_var, &dbsize);
+		db = get_cert_list(L"db", &secure_var, &dbsize, &status);
 		if (!db) {
-			pr_err("MODSIGN: Couldn't get UEFI db list\n");
+			if (status == EFI_NOT_FOUND)
+				pr_debug("MODSIGN: db variable wasn't found\n");
+			else
+				pr_err("MODSIGN: Couldn't get UEFI db list\n");
 		} else {
 			rc = parse_efi_signature_list("UEFI:db",
 					db, dbsize, get_handler_for_db);
@@ -166,9 +172,12 @@ static int __init load_uefi_certs(void)
 		}
 	}
 
-	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+	mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
 	if (!mok) {
-		pr_info("Couldn't get UEFI MokListRT\n");
+		if (status == EFI_NOT_FOUND)
+			pr_debug("MokListRT variable wasn't found\n");
+		else
+			pr_info("Couldn't get UEFI MokListRT\n");
 	} else {
 		rc = parse_efi_signature_list("UEFI:MokListRT",
 					      mok, moksize, get_handler_for_db);
@@ -177,9 +186,12 @@ static int __init load_uefi_certs(void)
 		kfree(mok);
 	}
 
-	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
+	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
 	if (!dbx) {
-		pr_info("Couldn't get UEFI dbx list\n");
+		if (status == EFI_NOT_FOUND)
+			pr_debug("dbx variable wasn't found\n");
+		else
+			pr_info("Couldn't get UEFI dbx list\n");
 	} else {
 		rc = parse_efi_signature_list("UEFI:dbx",
 					      dbx, dbxsize,
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 040/168] net/mlx5: DR, Fix matching on vport gvmi
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 039/168] efi: Only print errors about failing to get certs if EFI vars are found Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 041/168] iommu/amd: Disable IOMMU on Stoney Ridge systems Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hamdan Igbaria, Alex Vesker,
	Saeed Mahameed, Sasha Levin

From: Hamdan Igbaria <hamdani@mellanox.com>

[ Upstream commit 52d214976d4f64504c1bbb52d47b46a5a3d5ee42 ]

Set vport gvmi in the tag, only when source gvmi is set in the bit mask.

Fixes: 26d688e3 ("net/mlx5: DR, Add Steering entry (STE) utilities")
Signed-off-by: Hamdan Igbaria <hamdani@mellanox.com>
Reviewed-by: Alex Vesker <valex@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c
index 2739ed2a29111..841abe75652c9 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c
@@ -2257,7 +2257,9 @@ static int dr_ste_build_src_gvmi_qpn_tag(struct mlx5dr_match_param *value,
 	struct mlx5dr_cmd_vport_cap *vport_cap;
 	struct mlx5dr_domain *dmn = sb->dmn;
 	struct mlx5dr_cmd_caps *caps;
+	u8 *bit_mask = sb->bit_mask;
 	u8 *tag = hw_ste->tag;
+	bool source_gvmi_set;
 
 	DR_STE_SET_TAG(src_gvmi_qp, tag, source_qp, misc, source_sqn);
 
@@ -2278,7 +2280,8 @@ static int dr_ste_build_src_gvmi_qpn_tag(struct mlx5dr_match_param *value,
 	if (!vport_cap)
 		return -EINVAL;
 
-	if (vport_cap->vport_gvmi)
+	source_gvmi_set = MLX5_GET(ste_src_gvmi_qp, bit_mask, source_gvmi);
+	if (vport_cap->vport_gvmi && source_gvmi_set)
 		MLX5_SET(ste_src_gvmi_qp, tag, source_gvmi, vport_cap->vport_gvmi);
 
 	misc->source_eswitch_owner_vhca_id = 0;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 041/168] iommu/amd: Disable IOMMU on Stoney Ridge systems
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 040/168] net/mlx5: DR, Fix matching on vport gvmi Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 042/168] nvme/pci: Add sleep quirk for Samsung and Toshiba drives Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alex Deucher, Kai-Heng Feng,
	Joerg Roedel, Sasha Levin

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

[ Upstream commit 3dfee47b215e49788cfc80e474820ea2e948c031 ]

Serious screen flickering when Stoney Ridge outputs to a 4K monitor.

Use identity-mapping and PCI ATS doesn't help this issue.

According to Alex Deucher, IOMMU isn't enabled on Windows, so let's do
the same here to avoid screen flickering on 4K monitor.

Cc: Alex Deucher <alexander.deucher@amd.com>
Bug: https://gitlab.freedesktop.org/drm/amd/issues/961
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/amd_iommu_init.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
index d7cbca8bf2cd4..b5ae9f7c0510b 100644
--- a/drivers/iommu/amd_iommu_init.c
+++ b/drivers/iommu/amd_iommu_init.c
@@ -2533,6 +2533,7 @@ static int __init early_amd_iommu_init(void)
 	struct acpi_table_header *ivrs_base;
 	acpi_status status;
 	int i, remap_cache_sz, ret = 0;
+	u32 pci_id;
 
 	if (!amd_iommu_detected)
 		return -ENODEV;
@@ -2620,6 +2621,16 @@ static int __init early_amd_iommu_init(void)
 	if (ret)
 		goto out;
 
+	/* Disable IOMMU if there's Stoney Ridge graphics */
+	for (i = 0; i < 32; i++) {
+		pci_id = read_pci_config(0, i, 0, 0);
+		if ((pci_id & 0xffff) == 0x1002 && (pci_id >> 16) == 0x98e4) {
+			pr_info("Disable IOMMU on Stoney Ridge\n");
+			amd_iommu_disabled = true;
+			break;
+		}
+	}
+
 	/* Disable any previously enabled IOMMUs */
 	if (!is_kdump_kernel() || amd_iommu_disabled)
 		disable_iommus();
@@ -2728,7 +2739,7 @@ static int __init state_next(void)
 		ret = early_amd_iommu_init();
 		init_state = ret ? IOMMU_INIT_ERROR : IOMMU_ACPI_FINISHED;
 		if (init_state == IOMMU_ACPI_FINISHED && amd_iommu_disabled) {
-			pr_info("AMD IOMMU disabled on kernel command-line\n");
+			pr_info("AMD IOMMU disabled\n");
 			init_state = IOMMU_CMDLINE_DISABLED;
 			ret = -EINVAL;
 		}
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 042/168] nvme/pci: Add sleep quirk for Samsung and Toshiba drives
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 041/168] iommu/amd: Disable IOMMU on Stoney Ridge systems Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 043/168] nvme-pci: Use single IRQ vector for old Apple models Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jon Derrick, Christoph Hellwig,
	Shyjumon N, Keith Busch, Sasha Levin

From: Shyjumon N <shyjumon.n@intel.com>

[ Upstream commit 1fae37accfc5872af3905d4ba71dc6ab15829be7 ]

The Samsung SSD SM981/PM981 and Toshiba SSD KBG40ZNT256G on the Lenovo
C640 platform experience runtime resume issues when the SSDs are kept in
sleep/suspend mode for long time.

This patch applies the 'Simple Suspend' quirk to these configurations.
With this patch, the issue had not been observed in a 1+ day test.

Reviewed-by: Jon Derrick <jonathan.derrick@intel.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Shyjumon N <shyjumon.n@intel.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/host/pci.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 570c75c92e293..c8e55674cf937 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -2753,6 +2753,18 @@ static unsigned long check_vendor_combination_bug(struct pci_dev *pdev)
 		    (dmi_match(DMI_BOARD_NAME, "PRIME B350M-A") ||
 		     dmi_match(DMI_BOARD_NAME, "PRIME Z370-A")))
 			return NVME_QUIRK_NO_APST;
+	} else if ((pdev->vendor == 0x144d && (pdev->device == 0xa801 ||
+		    pdev->device == 0xa808 || pdev->device == 0xa809)) ||
+		   (pdev->vendor == 0x1e0f && pdev->device == 0x0001)) {
+		/*
+		 * Forcing to use host managed nvme power settings for
+		 * lowest idle power with quick resume latency on
+		 * Samsung and Toshiba SSDs based on suspend behavior
+		 * on Coffee Lake board for LENOVO C640
+		 */
+		if ((dmi_match(DMI_BOARD_VENDOR, "LENOVO")) &&
+		     dmi_match(DMI_BOARD_NAME, "LNVNB161216"))
+			return NVME_QUIRK_SIMPLE_SUSPEND;
 	}
 
 	return 0;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 043/168] nvme-pci: Use single IRQ vector for old Apple models
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 042/168] nvme/pci: Add sleep quirk for Samsung and Toshiba drives Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 044/168] x86/boot/compressed: Dont declare __force_order in kaslr_64.c Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Benjamin Herrenschmidt, Leif Liddy,
	Andy Shevchenko, Keith Busch, Sasha Levin

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

[ Upstream commit 98f7b86a0becc1154b1a6df6e75c9695dfd87e0d ]

People reported that old Apple machines are not working properly
if the non-first IRQ vector is in use.

Set quirk for that models to limit IRQ to use first vector only.

Based on original patch by GitHub user npx001.

Link: https://github.com/Dunedan/mbp-2016-linux/issues/9
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Leif Liddy <leif.liddy@gmail.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/host/pci.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index c8e55674cf937..cd64ddb129e5b 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -3126,7 +3126,8 @@ static const struct pci_device_id nvme_id_table[] = {
 		.driver_data = NVME_QUIRK_NO_DEEPEST_PS |
 				NVME_QUIRK_IGNORE_DEV_SUBNQN, },
 	{ PCI_DEVICE_CLASS(PCI_CLASS_STORAGE_EXPRESS, 0xffffff) },
-	{ PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2001) },
+	{ PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2001),
+		.driver_data = NVME_QUIRK_SINGLE_VECTOR },
 	{ PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2003) },
 	{ PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2005),
 		.driver_data = NVME_QUIRK_SINGLE_VECTOR |
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 044/168] x86/boot/compressed: Dont declare __force_order in kaslr_64.c
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 043/168] nvme-pci: Use single IRQ vector for old Apple models Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 045/168] s390/qdio: fill SL with absolute addresses Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, H.J. Lu, Borislav Petkov, Sasha Levin

From: H.J. Lu <hjl.tools@gmail.com>

[ Upstream commit df6d4f9db79c1a5d6f48b59db35ccd1e9ff9adfc ]

GCC 10 changed the default to -fno-common, which leads to

    LD      arch/x86/boot/compressed/vmlinux
  ld: arch/x86/boot/compressed/pgtable_64.o:(.bss+0x0): multiple definition of `__force_order'; \
    arch/x86/boot/compressed/kaslr_64.o:(.bss+0x0): first defined here
  make[2]: *** [arch/x86/boot/compressed/Makefile:119: arch/x86/boot/compressed/vmlinux] Error 1

Since __force_order is already provided in pgtable_64.c, there is no
need to declare __force_order in kaslr_64.c.

Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Link: https://lkml.kernel.org/r/20200124181811.4780-1-hjl.tools@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/boot/compressed/kaslr_64.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/arch/x86/boot/compressed/kaslr_64.c b/arch/x86/boot/compressed/kaslr_64.c
index 748456c365f46..9557c5a15b91e 100644
--- a/arch/x86/boot/compressed/kaslr_64.c
+++ b/arch/x86/boot/compressed/kaslr_64.c
@@ -29,9 +29,6 @@
 #define __PAGE_OFFSET __PAGE_OFFSET_BASE
 #include "../../mm/ident_map.c"
 
-/* Used by pgtable.h asm code to force instruction serialization. */
-unsigned long __force_order;
-
 /* Used to track our page table allocation area. */
 struct alloc_pgt_data {
 	unsigned char *pgt_buf;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 045/168] s390/qdio: fill SL with absolute addresses
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 044/168] x86/boot/compressed: Dont declare __force_order in kaslr_64.c Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 046/168] nvme: Fix uninitialized-variable warning Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Julian Wiedmann, Alexandra Winter,
	Benjamin Block, Vasily Gorbik, Sasha Levin, Steffen Maier

From: Julian Wiedmann <jwi@linux.ibm.com>

[ Upstream commit e9091ffd6a0aaced111b5d6ead5eaab5cd7101bc ]

As the comment says, sl->sbal holds an absolute address. qeth currently
solves this through wild casting, while zfcp doesn't care.

Handle this properly in the code that actually builds the SL.

Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Reviewed-by: Steffen Maier <maier@linux.ibm.com> [for qdio]
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/s390/include/asm/qdio.h      |  2 +-
 drivers/s390/cio/qdio_setup.c     |  3 ++-
 drivers/s390/net/qeth_core_main.c | 23 +++++++++++------------
 3 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/arch/s390/include/asm/qdio.h b/arch/s390/include/asm/qdio.h
index e3f238e8c6116..4f35b1055f30a 100644
--- a/arch/s390/include/asm/qdio.h
+++ b/arch/s390/include/asm/qdio.h
@@ -227,7 +227,7 @@ struct qdio_buffer {
  * @sbal: absolute SBAL address
  */
 struct sl_element {
-	unsigned long sbal;
+	u64 sbal;
 } __attribute__ ((packed));
 
 /**
diff --git a/drivers/s390/cio/qdio_setup.c b/drivers/s390/cio/qdio_setup.c
index cd164886132fd..ee0b3c5862110 100644
--- a/drivers/s390/cio/qdio_setup.c
+++ b/drivers/s390/cio/qdio_setup.c
@@ -8,6 +8,7 @@
 #include <linux/kernel.h>
 #include <linux/slab.h>
 #include <linux/export.h>
+#include <linux/io.h>
 #include <asm/qdio.h>
 
 #include "cio.h"
@@ -207,7 +208,7 @@ static void setup_storage_lists(struct qdio_q *q, struct qdio_irq *irq_ptr,
 
 	/* fill in sl */
 	for (j = 0; j < QDIO_MAX_BUFFERS_PER_Q; j++)
-		q->sl->element[j].sbal = (unsigned long)q->sbal[j];
+		q->sl->element[j].sbal = virt_to_phys(q->sbal[j]);
 }
 
 static void setup_queues(struct qdio_irq *irq_ptr,
diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
index 23852888eb2ca..b727d1e34523e 100644
--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -4716,10 +4716,10 @@ static void qeth_qdio_establish_cq(struct qeth_card *card,
 	if (card->options.cq == QETH_CQ_ENABLED) {
 		int offset = QDIO_MAX_BUFFERS_PER_Q *
 			     (card->qdio.no_in_queues - 1);
-		for (i = 0; i < QDIO_MAX_BUFFERS_PER_Q; ++i) {
-			in_sbal_ptrs[offset + i] = (struct qdio_buffer *)
-				virt_to_phys(card->qdio.c_q->bufs[i].buffer);
-		}
+
+		for (i = 0; i < QDIO_MAX_BUFFERS_PER_Q; i++)
+			in_sbal_ptrs[offset + i] =
+				card->qdio.c_q->bufs[i].buffer;
 
 		queue_start_poll[card->qdio.no_in_queues - 1] = NULL;
 	}
@@ -4753,10 +4753,9 @@ static int qeth_qdio_establish(struct qeth_card *card)
 		rc = -ENOMEM;
 		goto out_free_qib_param;
 	}
-	for (i = 0; i < QDIO_MAX_BUFFERS_PER_Q; ++i) {
-		in_sbal_ptrs[i] = (struct qdio_buffer *)
-			virt_to_phys(card->qdio.in_q->bufs[i].buffer);
-	}
+
+	for (i = 0; i < QDIO_MAX_BUFFERS_PER_Q; i++)
+		in_sbal_ptrs[i] = card->qdio.in_q->bufs[i].buffer;
 
 	queue_start_poll = kcalloc(card->qdio.no_in_queues, sizeof(void *),
 				   GFP_KERNEL);
@@ -4777,11 +4776,11 @@ static int qeth_qdio_establish(struct qeth_card *card)
 		rc = -ENOMEM;
 		goto out_free_queue_start_poll;
 	}
+
 	for (i = 0, k = 0; i < card->qdio.no_out_queues; ++i)
-		for (j = 0; j < QDIO_MAX_BUFFERS_PER_Q; ++j, ++k) {
-			out_sbal_ptrs[k] = (struct qdio_buffer *)virt_to_phys(
-				card->qdio.out_qs[i]->bufs[j]->buffer);
-		}
+		for (j = 0; j < QDIO_MAX_BUFFERS_PER_Q; j++, k++)
+			out_sbal_ptrs[k] =
+				card->qdio.out_qs[i]->bufs[j]->buffer;
 
 	memset(&init_data, 0, sizeof(struct qdio_initialize));
 	init_data.cdev                   = CARD_DDEV(card);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 046/168] nvme: Fix uninitialized-variable warning
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 045/168] s390/qdio: fill SL with absolute addresses Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 047/168] ice: Dont tell the OS that link is going down Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Christoph Hellwig,
	Keith Busch, Sasha Levin

From: Keith Busch <kbusch@kernel.org>

[ Upstream commit 15755854d53b4bbb0bb37a0fce66f0156cfc8a17 ]

gcc may detect a false positive on nvme using an unintialized variable
if setting features fails. Since this is not a fast path, explicitly
initialize this variable to suppress the warning.

Reported-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/host/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 7dacfd102a992..b8fe42f4b3c5b 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1161,8 +1161,8 @@ static int nvme_identify_ns(struct nvme_ctrl *ctrl,
 static int nvme_features(struct nvme_ctrl *dev, u8 op, unsigned int fid,
 		unsigned int dword11, void *buffer, size_t buflen, u32 *result)
 {
+	union nvme_result res = { 0 };
 	struct nvme_command c;
-	union nvme_result res;
 	int ret;
 
 	memset(&c, 0, sizeof(c));
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 047/168] ice: Dont tell the OS that link is going down
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 046/168] nvme: Fix uninitialized-variable warning Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 048/168] x86/xen: Distribute switch variables for initialization Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Swiatkowski, Andrew Bowers,
	Jeff Kirsher, Sasha Levin

From: Michal Swiatkowski <michal.swiatkowski@intel.com>

[ Upstream commit 8a55c08d3bbc9ffc9639f69f742e59ebd99f913b ]

Remove code that tell the OS that link is going down when user
change flow control via ethtool. When link is up it isn't certain
that link goes down after 0x0605 aq command. If link doesn't go
down, OS thinks that link is down, but physical link is up. To
reset this state user have to take interface down and up.

If link goes down after 0x0605 command, FW send information
about that and after that driver tells the OS that the link goes
down. So this code in ethtool is unnecessary.

Signed-off-by: Michal Swiatkowski <michal.swiatkowski@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/ice/ice_ethtool.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
index 1fe9f6050635d..62673e27af0e8 100644
--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
+++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
@@ -2916,13 +2916,6 @@ ice_set_pauseparam(struct net_device *netdev, struct ethtool_pauseparam *pause)
 	else
 		return -EINVAL;
 
-	/* Tell the OS link is going down, the link will go back up when fw
-	 * says it is ready asynchronously
-	 */
-	ice_print_link_msg(vsi, false);
-	netif_carrier_off(netdev);
-	netif_tx_stop_all_queues(netdev);
-
 	/* Set the FC mode and only restart AN if link is up */
 	status = ice_set_fc(pi, &aq_failures, link_up);
 
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 048/168] x86/xen: Distribute switch variables for initialization
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 047/168] ice: Dont tell the OS that link is going down Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 049/168] net: thunderx: workaround BGX TX Underflow issue Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kees Cook, Juergen Gross,
	Boris Ostrovsky, Sasha Levin

From: Kees Cook <keescook@chromium.org>

[ Upstream commit 9038ec99ceb94fb8d93ade5e236b2928f0792c7c ]

Variables declared in a switch statement before any case statements
cannot be automatically initialized with compiler instrumentation (as
they are not part of any execution flow). With GCC's proposed automatic
stack variable initialization feature, this triggers a warning (and they
don't get initialized). Clang's automatic stack variable initialization
(via CONFIG_INIT_STACK_ALL=y) doesn't throw a warning, but it also
doesn't initialize such variables[1]. Note that these warnings (or silent
skipping) happen before the dead-store elimination optimization phase,
so even when the automatic initializations are later elided in favor of
direct initializations, the warnings remain.

To avoid these problems, move such variables into the "case" where
they're used or lift them up into the main function body.

arch/x86/xen/enlighten_pv.c: In function ‘xen_write_msr_safe’:
arch/x86/xen/enlighten_pv.c:904:12: warning: statement will never be executed [-Wswitch-unreachable]
  904 |   unsigned which;
      |            ^~~~~

[1] https://bugs.llvm.org/show_bug.cgi?id=44916

Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20200220062318.69299-1-keescook@chromium.org
Reviewed-by: Juergen Gross <jgross@suse.com>
[boris: made @which an 'unsigned int']
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/xen/enlighten_pv.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
index 6ea215cdeadac..6d4d8a5700b71 100644
--- a/arch/x86/xen/enlighten_pv.c
+++ b/arch/x86/xen/enlighten_pv.c
@@ -905,14 +905,15 @@ static u64 xen_read_msr_safe(unsigned int msr, int *err)
 static int xen_write_msr_safe(unsigned int msr, unsigned low, unsigned high)
 {
 	int ret;
+#ifdef CONFIG_X86_64
+	unsigned int which;
+	u64 base;
+#endif
 
 	ret = 0;
 
 	switch (msr) {
 #ifdef CONFIG_X86_64
-		unsigned which;
-		u64 base;
-
 	case MSR_FS_BASE:		which = SEGBASE_FS; goto set;
 	case MSR_KERNEL_GS_BASE:	which = SEGBASE_GS_USER; goto set;
 	case MSR_GS_BASE:		which = SEGBASE_GS_KERNEL; goto set;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 049/168] net: thunderx: workaround BGX TX Underflow issue
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 048/168] x86/xen: Distribute switch variables for initialization Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 050/168] csky/mm: Fixup export invalid_pte_table symbol Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tim Harvey, Robert Jones,
	David S. Miller, Sasha Levin

From: Tim Harvey <tharvey@gateworks.com>

[ Upstream commit 971617c3b761c876d686a2188220a33898c90e99 ]

While it is not yet understood why a TX underflow can easily occur
for SGMII interfaces resulting in a TX wedge. It has been found that
disabling/re-enabling the LMAC resolves the issue.

Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Robert Jones <rjones@gateworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/ethernet/cavium/thunder/thunder_bgx.c | 62 ++++++++++++++++++-
 .../net/ethernet/cavium/thunder/thunder_bgx.h |  9 +++
 2 files changed, 68 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
index 6cc100e7d5c07..76ff42ec3ae5e 100644
--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
@@ -410,10 +410,19 @@ void bgx_lmac_rx_tx_enable(int node, int bgx_idx, int lmacid, bool enable)
 	lmac = &bgx->lmac[lmacid];
 
 	cfg = bgx_reg_read(bgx, lmacid, BGX_CMRX_CFG);
-	if (enable)
+	if (enable) {
 		cfg |= CMR_PKT_RX_EN | CMR_PKT_TX_EN;
-	else
+
+		/* enable TX FIFO Underflow interrupt */
+		bgx_reg_modify(bgx, lmacid, BGX_GMP_GMI_TXX_INT_ENA_W1S,
+			       GMI_TXX_INT_UNDFLW);
+	} else {
 		cfg &= ~(CMR_PKT_RX_EN | CMR_PKT_TX_EN);
+
+		/* Disable TX FIFO Underflow interrupt */
+		bgx_reg_modify(bgx, lmacid, BGX_GMP_GMI_TXX_INT_ENA_W1C,
+			       GMI_TXX_INT_UNDFLW);
+	}
 	bgx_reg_write(bgx, lmacid, BGX_CMRX_CFG, cfg);
 
 	if (bgx->is_rgx)
@@ -1535,6 +1544,48 @@ static int bgx_init_phy(struct bgx *bgx)
 	return bgx_init_of_phy(bgx);
 }
 
+static irqreturn_t bgx_intr_handler(int irq, void *data)
+{
+	struct bgx *bgx = (struct bgx *)data;
+	u64 status, val;
+	int lmac;
+
+	for (lmac = 0; lmac < bgx->lmac_count; lmac++) {
+		status = bgx_reg_read(bgx, lmac, BGX_GMP_GMI_TXX_INT);
+		if (status & GMI_TXX_INT_UNDFLW) {
+			pci_err(bgx->pdev, "BGX%d lmac%d UNDFLW\n",
+				bgx->bgx_id, lmac);
+			val = bgx_reg_read(bgx, lmac, BGX_CMRX_CFG);
+			val &= ~CMR_EN;
+			bgx_reg_write(bgx, lmac, BGX_CMRX_CFG, val);
+			val |= CMR_EN;
+			bgx_reg_write(bgx, lmac, BGX_CMRX_CFG, val);
+		}
+		/* clear interrupts */
+		bgx_reg_write(bgx, lmac, BGX_GMP_GMI_TXX_INT, status);
+	}
+
+	return IRQ_HANDLED;
+}
+
+static void bgx_register_intr(struct pci_dev *pdev)
+{
+	struct bgx *bgx = pci_get_drvdata(pdev);
+	int ret;
+
+	ret = pci_alloc_irq_vectors(pdev, BGX_LMAC_VEC_OFFSET,
+				    BGX_LMAC_VEC_OFFSET, PCI_IRQ_ALL_TYPES);
+	if (ret < 0) {
+		pci_err(pdev, "Req for #%d msix vectors failed\n",
+			BGX_LMAC_VEC_OFFSET);
+		return;
+	}
+	ret = pci_request_irq(pdev, GMPX_GMI_TX_INT, bgx_intr_handler, NULL,
+			      bgx, "BGX%d", bgx->bgx_id);
+	if (ret)
+		pci_free_irq(pdev, GMPX_GMI_TX_INT, bgx);
+}
+
 static int bgx_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 {
 	int err;
@@ -1550,7 +1601,7 @@ static int bgx_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 
 	pci_set_drvdata(pdev, bgx);
 
-	err = pci_enable_device(pdev);
+	err = pcim_enable_device(pdev);
 	if (err) {
 		dev_err(dev, "Failed to enable PCI device\n");
 		pci_set_drvdata(pdev, NULL);
@@ -1604,6 +1655,8 @@ static int bgx_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 
 	bgx_init_hw(bgx);
 
+	bgx_register_intr(pdev);
+
 	/* Enable all LMACs */
 	for (lmac = 0; lmac < bgx->lmac_count; lmac++) {
 		err = bgx_lmac_enable(bgx, lmac);
@@ -1620,6 +1673,7 @@ static int bgx_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 
 err_enable:
 	bgx_vnic[bgx->bgx_id] = NULL;
+	pci_free_irq(pdev, GMPX_GMI_TX_INT, bgx);
 err_release_regions:
 	pci_release_regions(pdev);
 err_disable_device:
@@ -1637,6 +1691,8 @@ static void bgx_remove(struct pci_dev *pdev)
 	for (lmac = 0; lmac < bgx->lmac_count; lmac++)
 		bgx_lmac_disable(bgx, lmac);
 
+	pci_free_irq(pdev, GMPX_GMI_TX_INT, bgx);
+
 	bgx_vnic[bgx->bgx_id] = NULL;
 	pci_release_regions(pdev);
 	pci_disable_device(pdev);
diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.h b/drivers/net/ethernet/cavium/thunder/thunder_bgx.h
index 25888706bdcd1..cdea493921857 100644
--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.h
+++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.h
@@ -180,6 +180,15 @@
 #define BGX_GMP_GMI_TXX_BURST		0x38228
 #define BGX_GMP_GMI_TXX_MIN_PKT		0x38240
 #define BGX_GMP_GMI_TXX_SGMII_CTL	0x38300
+#define BGX_GMP_GMI_TXX_INT		0x38500
+#define BGX_GMP_GMI_TXX_INT_W1S		0x38508
+#define BGX_GMP_GMI_TXX_INT_ENA_W1C	0x38510
+#define BGX_GMP_GMI_TXX_INT_ENA_W1S	0x38518
+#define  GMI_TXX_INT_PTP_LOST			BIT_ULL(4)
+#define  GMI_TXX_INT_LATE_COL			BIT_ULL(3)
+#define  GMI_TXX_INT_XSDEF			BIT_ULL(2)
+#define  GMI_TXX_INT_XSCOL			BIT_ULL(1)
+#define  GMI_TXX_INT_UNDFLW			BIT_ULL(0)
 
 #define BGX_MSIX_VEC_0_29_ADDR		0x400000 /* +(0..29) << 4 */
 #define BGX_MSIX_VEC_0_29_CTL		0x400008
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 050/168] csky/mm: Fixup export invalid_pte_table symbol
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 049/168] net: thunderx: workaround BGX TX Underflow issue Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 051/168] csky: Set regs->usp to kernel sp, when the exception is from kernel Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guo Ren, Mo Qihui, Zhange Jian, Sasha Levin

From: Guo Ren <guoren@linux.alibaba.com>

[ Upstream commit 7f4a567332f035ab16b29010fbd04a0f10183c77 ]

There is no present bit in csky pmd hardware, so we need to prepare invalid_pte_table
for empty pmd entry and the functions (pmd_none & pmd_present) in pgtable.h need
invalid_pte_talbe to get result. If a module use these functions, we need export the
symbol for it.

Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
Cc: Mo Qihui <qihui.mo@verisilicon.com>
Cc: Zhange Jian <zhang_jian5@dahuatech.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/csky/mm/init.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/csky/mm/init.c b/arch/csky/mm/init.c
index d4c2292ea46bc..00e96278b3776 100644
--- a/arch/csky/mm/init.c
+++ b/arch/csky/mm/init.c
@@ -31,6 +31,7 @@
 
 pgd_t swapper_pg_dir[PTRS_PER_PGD] __page_aligned_bss;
 pte_t invalid_pte_table[PTRS_PER_PTE] __page_aligned_bss;
+EXPORT_SYMBOL(invalid_pte_table);
 unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)]
 						__page_aligned_bss;
 EXPORT_SYMBOL(empty_zero_page);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 051/168] csky: Set regs->usp to kernel sp, when the exception is from kernel
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 050/168] csky/mm: Fixup export invalid_pte_table symbol Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 052/168] csky/smp: Fixup boot failed when CONFIG_SMP Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Guo Ren, Sasha Levin

From: Guo Ren <guoren@linux.alibaba.com>

[ Upstream commit f8e17c17b81070f38062dce79ca7f4541851dadd ]

In the past, we didn't care about kernel sp when saving pt_reg. But in some
cases, we still need pt_reg->usp to represent the kernel stack before enter
exception.

For cmpxhg in atomic.S, we need save and restore usp for above.

Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/csky/abiv1/inc/abi/entry.h | 19 ++++++++++++++-----
 arch/csky/abiv2/inc/abi/entry.h | 11 +++++++++++
 arch/csky/kernel/atomic.S       |  8 ++++++--
 3 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/arch/csky/abiv1/inc/abi/entry.h b/arch/csky/abiv1/inc/abi/entry.h
index 7ab78bd0f3b13..f35a9f3315ee6 100644
--- a/arch/csky/abiv1/inc/abi/entry.h
+++ b/arch/csky/abiv1/inc/abi/entry.h
@@ -16,14 +16,16 @@
 #define LSAVE_A4	40
 #define LSAVE_A5	44
 
+#define usp ss1
+
 .macro USPTOKSP
-	mtcr	sp, ss1
+	mtcr	sp, usp
 	mfcr	sp, ss0
 .endm
 
 .macro KSPTOUSP
 	mtcr	sp, ss0
-	mfcr	sp, ss1
+	mfcr	sp, usp
 .endm
 
 .macro	SAVE_ALL epc_inc
@@ -45,7 +47,13 @@
 	add	lr, r13
 	stw     lr, (sp, 8)
 
+	mov	lr, sp
+	addi	lr, 32
+	addi	lr, 32
+	addi	lr, 16
+	bt	2f
 	mfcr	lr, ss1
+2:
 	stw     lr, (sp, 16)
 
 	stw     a0, (sp, 20)
@@ -79,9 +87,10 @@
 	ldw     a0, (sp, 12)
 	mtcr    a0, epsr
 	btsti   a0, 31
+	bt      1f
 	ldw     a0, (sp, 16)
 	mtcr	a0, ss1
-
+1:
 	ldw     a0, (sp, 24)
 	ldw     a1, (sp, 28)
 	ldw     a2, (sp, 32)
@@ -102,9 +111,9 @@
 	addi	sp, 32
 	addi	sp, 8
 
-	bt      1f
+	bt      2f
 	KSPTOUSP
-1:
+2:
 	rte
 .endm
 
diff --git a/arch/csky/abiv2/inc/abi/entry.h b/arch/csky/abiv2/inc/abi/entry.h
index 9897a16b45e5d..94a7a58765dff 100644
--- a/arch/csky/abiv2/inc/abi/entry.h
+++ b/arch/csky/abiv2/inc/abi/entry.h
@@ -31,7 +31,13 @@
 
 	mfcr	lr, epsr
 	stw	lr, (sp, 12)
+	btsti   lr, 31
+	bf      1f
+	addi    lr, sp, 152
+	br	2f
+1:
 	mfcr	lr, usp
+2:
 	stw	lr, (sp, 16)
 
 	stw     a0, (sp, 20)
@@ -64,8 +70,10 @@
 	mtcr	a0, epc
 	ldw	a0, (sp, 12)
 	mtcr	a0, epsr
+	btsti   a0, 31
 	ldw	a0, (sp, 16)
 	mtcr	a0, usp
+	mtcr	a0, ss0
 
 #ifdef CONFIG_CPU_HAS_HILO
 	ldw	a0, (sp, 140)
@@ -86,6 +94,9 @@
 	addi    sp, 40
 	ldm     r16-r30, (sp)
 	addi    sp, 72
+	bf	1f
+	mfcr	sp, ss0
+1:
 	rte
 .endm
 
diff --git a/arch/csky/kernel/atomic.S b/arch/csky/kernel/atomic.S
index 5b84f11485aeb..3821ef9b75672 100644
--- a/arch/csky/kernel/atomic.S
+++ b/arch/csky/kernel/atomic.S
@@ -17,10 +17,12 @@ ENTRY(csky_cmpxchg)
 	mfcr	a3, epc
 	addi	a3, TRAP0_SIZE
 
-	subi    sp, 8
+	subi    sp, 16
 	stw     a3, (sp, 0)
 	mfcr    a3, epsr
 	stw     a3, (sp, 4)
+	mfcr	a3, usp
+	stw     a3, (sp, 8)
 
 	psrset	ee
 #ifdef CONFIG_CPU_HAS_LDSTEX
@@ -47,7 +49,9 @@ ENTRY(csky_cmpxchg)
 	mtcr	a3, epc
 	ldw     a3, (sp, 4)
 	mtcr	a3, epsr
-	addi	sp, 8
+	ldw     a3, (sp, 8)
+	mtcr	a3, usp
+	addi	sp, 16
 	KSPTOUSP
 	rte
 END(csky_cmpxchg)
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 052/168] csky/smp: Fixup boot failed when CONFIG_SMP
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 051/168] csky: Set regs->usp to kernel sp, when the exception is from kernel Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 053/168] csky: Fixup ftrace modify panic Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Guo Ren, Sasha Levin

From: Guo Ren <guoren@linux.alibaba.com>

[ Upstream commit c9492737b25ca32679ba3163609d938c9abfd508 ]

If we use a non-ipi-support interrupt controller, it will cause panic here.
We should let cpu up and work with CONFIG_SMP, when we use a non-ipi intc.

Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/csky/kernel/smp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/csky/kernel/smp.c b/arch/csky/kernel/smp.c
index b753d382e4cef..0bb0954d55709 100644
--- a/arch/csky/kernel/smp.c
+++ b/arch/csky/kernel/smp.c
@@ -120,7 +120,7 @@ void __init setup_smp_ipi(void)
 	int rc;
 
 	if (ipi_irq == 0)
-		panic("%s IRQ mapping failed\n", __func__);
+		return;
 
 	rc = request_percpu_irq(ipi_irq, handle_ipi, "IPI Interrupt",
 				&ipi_dummy_dev);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 053/168] csky: Fixup ftrace modify panic
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 052/168] csky/smp: Fixup boot failed when CONFIG_SMP Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 054/168] csky: Fixup compile warning for three unimplemented syscalls Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Guo Ren, Sasha Levin

From: Guo Ren <guoren@linux.alibaba.com>

[ Upstream commit 359ae00d12589c31cf103894d0f32588d523ca83 ]

During ftrace init, linux will replace all function prologues
(call_mcout) with nops, but it need flush_dcache and
invalidate_icache to make it work. So flush_cache functions
couldn't be nested called by ftrace framework.

Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/csky/mm/Makefile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/csky/mm/Makefile b/arch/csky/mm/Makefile
index c94ef64810986..efb7ebab342b3 100644
--- a/arch/csky/mm/Makefile
+++ b/arch/csky/mm/Makefile
@@ -1,8 +1,10 @@
 # SPDX-License-Identifier: GPL-2.0-only
 ifeq ($(CONFIG_CPU_HAS_CACHEV2),y)
 obj-y +=			cachev2.o
+CFLAGS_REMOVE_cachev2.o = $(CC_FLAGS_FTRACE)
 else
 obj-y +=			cachev1.o
+CFLAGS_REMOVE_cachev1.o = $(CC_FLAGS_FTRACE)
 endif
 
 obj-y +=			dma-mapping.o
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 054/168] csky: Fixup compile warning for three unimplemented syscalls
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 053/168] csky: Fixup ftrace modify panic Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 055/168] arch/csky: fix some Kconfig typos Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Guo Ren, Sasha Levin

From: Guo Ren <guoren@linux.alibaba.com>

[ Upstream commit 2305f60b76110cb3e8658a4ae85d1f7eb0c66a5b ]

Implement fstat64, fstatat64, clone3 syscalls to fixup
checksyscalls.sh compile warnings.

Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/csky/include/uapi/asm/unistd.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/csky/include/uapi/asm/unistd.h b/arch/csky/include/uapi/asm/unistd.h
index 211c983c7282d..ba40189297338 100644
--- a/arch/csky/include/uapi/asm/unistd.h
+++ b/arch/csky/include/uapi/asm/unistd.h
@@ -1,7 +1,10 @@
 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
 // Copyright (C) 2018 Hangzhou C-SKY Microsystems co.,ltd.
 
+#define __ARCH_WANT_STAT64
+#define __ARCH_WANT_NEW_STAT
 #define __ARCH_WANT_SYS_CLONE
+#define __ARCH_WANT_SYS_CLONE3
 #define __ARCH_WANT_SET_GET_RLIMIT
 #define __ARCH_WANT_TIME32_SYSCALLS
 #include <asm-generic/unistd.h>
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 055/168] arch/csky: fix some Kconfig typos
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 054/168] csky: Fixup compile warning for three unimplemented syscalls Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 056/168] selftests: forwarding: vxlan_bridge_1d: use more proper tos value Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Guo Ren, Guo Ren, Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit bebd26ab623616728d6e72b5c74a47bfff5287d8 ]

Fix wording in help text for the CPU_HAS_LDSTEX symbol.

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Guo Ren <guoren@kernel.org>
Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/csky/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/csky/Kconfig b/arch/csky/Kconfig
index 3973847b5f42e..25de20e526e50 100644
--- a/arch/csky/Kconfig
+++ b/arch/csky/Kconfig
@@ -74,7 +74,7 @@ config CPU_HAS_TLBI
 config CPU_HAS_LDSTEX
 	bool
 	help
-	  For SMP, CPU needs "ldex&stex" instrcutions to atomic operations.
+	  For SMP, CPU needs "ldex&stex" instructions for atomic operations.
 
 config CPU_NEED_TLBSYNC
 	bool
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 056/168] selftests: forwarding: vxlan_bridge_1d: use more proper tos value
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 055/168] arch/csky: fix some Kconfig typos Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 057/168] firmware: imx: scu: Ensure sequential TX Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Petr Machata, Hangbin Liu,
	David S. Miller, Sasha Levin

From: Hangbin Liu <liuhangbin@gmail.com>

[ Upstream commit 9b64208f74fbd0e920475ecfe9326f8443fdc3a5 ]

0x11 and 0x12 set the ECN bits based on RFC2474, it would be better to avoid
that. 0x14 and 0x18 would be better and works as well.

Reported-by: Petr Machata <petrm@mellanox.com>
Fixes: 4e867c9a50ff ("selftests: forwarding: vxlan_bridge_1d: fix tos value")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/net/forwarding/vxlan_bridge_1d.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/net/forwarding/vxlan_bridge_1d.sh b/tools/testing/selftests/net/forwarding/vxlan_bridge_1d.sh
index 353613fc19475..ce6bea9675c07 100755
--- a/tools/testing/selftests/net/forwarding/vxlan_bridge_1d.sh
+++ b/tools/testing/selftests/net/forwarding/vxlan_bridge_1d.sh
@@ -516,9 +516,9 @@ test_tos()
 	RET=0
 
 	tc filter add dev v1 egress pref 77 prot ip \
-		flower ip_tos 0x11 action pass
-	vxlan_ping_test $h1 192.0.2.3 "-Q 0x11" v1 egress 77 10
-	vxlan_ping_test $h1 192.0.2.3 "-Q 0x12" v1 egress 77 0
+		flower ip_tos 0x14 action pass
+	vxlan_ping_test $h1 192.0.2.3 "-Q 0x14" v1 egress 77 10
+	vxlan_ping_test $h1 192.0.2.3 "-Q 0x18" v1 egress 77 0
 	tc filter del dev v1 egress pref 77 prot ip
 
 	log_test "VXLAN: envelope TOS inheritance"
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 057/168] firmware: imx: scu: Ensure sequential TX
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 056/168] selftests: forwarding: vxlan_bridge_1d: use more proper tos value Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 058/168] binder: prevent UAF for binderfs devices Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Leonard Crestez, Peng Fan,
	: Oleksij Rempel, Shawn Guo

From: Leonard Crestez <leonard.crestez@nxp.com>

commit 26d0fba29c96241de8a9d16f045b1de49875884c upstream.

SCU requires that all messages words are written sequentially but linux MU
driver implements multiple independent channels for each register so ordering
between different channels must be ensured by SCU API interface.

Wait for tx_done before every send to ensure that no queueing happens at the
mailbox channel level.

Fixes: edbee095fafb ("firmware: imx: add SCU firmware driver support")
Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
Cc: <stable@vger.kernel.org>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by:: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/imx/imx-scu.c |   27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

--- a/drivers/firmware/imx/imx-scu.c
+++ b/drivers/firmware/imx/imx-scu.c
@@ -29,6 +29,7 @@ struct imx_sc_chan {
 	struct mbox_client cl;
 	struct mbox_chan *ch;
 	int idx;
+	struct completion tx_done;
 };
 
 struct imx_sc_ipc {
@@ -100,6 +101,14 @@ int imx_scu_get_handle(struct imx_sc_ipc
 }
 EXPORT_SYMBOL(imx_scu_get_handle);
 
+/* Callback called when the word of a message is ack-ed, eg read by SCU */
+static void imx_scu_tx_done(struct mbox_client *cl, void *mssg, int r)
+{
+	struct imx_sc_chan *sc_chan = container_of(cl, struct imx_sc_chan, cl);
+
+	complete(&sc_chan->tx_done);
+}
+
 static void imx_scu_rx_callback(struct mbox_client *c, void *msg)
 {
 	struct imx_sc_chan *sc_chan = container_of(c, struct imx_sc_chan, cl);
@@ -143,6 +152,19 @@ static int imx_scu_ipc_write(struct imx_
 
 	for (i = 0; i < hdr->size; i++) {
 		sc_chan = &sc_ipc->chans[i % 4];
+
+		/*
+		 * SCU requires that all messages words are written
+		 * sequentially but linux MU driver implements multiple
+		 * independent channels for each register so ordering between
+		 * different channels must be ensured by SCU API interface.
+		 *
+		 * Wait for tx_done before every send to ensure that no
+		 * queueing happens at the mailbox channel level.
+		 */
+		wait_for_completion(&sc_chan->tx_done);
+		reinit_completion(&sc_chan->tx_done);
+
 		ret = mbox_send_message(sc_chan->ch, &data[i]);
 		if (ret < 0)
 			return ret;
@@ -225,6 +247,11 @@ static int imx_scu_probe(struct platform
 		cl->knows_txdone = true;
 		cl->rx_callback = imx_scu_rx_callback;
 
+		/* Initial tx_done completion as "done" */
+		cl->tx_done = imx_scu_tx_done;
+		init_completion(&sc_chan->tx_done);
+		complete(&sc_chan->tx_done);
+
 		sc_chan->sc_ipc = sc_ipc;
 		sc_chan->idx = i % 4;
 		sc_chan->ch = mbox_request_channel_byname(cl, chan_name);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 058/168] binder: prevent UAF for binderfs devices
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 057/168] firmware: imx: scu: Ensure sequential TX Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 059/168] binder: prevent UAF for binderfs devices II Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christian Brauner, Todd Kjos

From: Christian Brauner <christian.brauner@ubuntu.com>

commit 2669b8b0c798fbe1a31d49e07aa33233d469ad9b upstream.

On binder_release(), binder_defer_work(proc, BINDER_DEFERRED_RELEASE) is
called which punts the actual cleanup operation to a workqueue. At some
point, binder_deferred_func() will be called which will end up calling
binder_deferred_release() which will retrieve and cleanup the
binder_context attach to this struct binder_proc.

If we trace back where this binder_context is attached to binder_proc we
see that it is set in binder_open() and is taken from the struct
binder_device it is associated with. This obviously assumes that the
struct binder_device that context is attached to is _never_ freed. While
that might be true for devtmpfs binder devices it is most certainly
wrong for binderfs binder devices.

So, assume binder_open() is called on a binderfs binder devices. We now
stash away the struct binder_context associated with that struct
binder_devices:
	proc->context = &binder_dev->context;
	/* binderfs stashes devices in i_private */
	if (is_binderfs_device(nodp)) {
		binder_dev = nodp->i_private;
		info = nodp->i_sb->s_fs_info;
		binder_binderfs_dir_entry_proc = info->proc_log_dir;
	} else {
	.
	.
	.
	proc->context = &binder_dev->context;

Now let's assume that the binderfs instance for that binder devices is
shutdown via umount() and/or the mount namespace associated with it goes
away. As long as there is still an fd open for that binderfs binder
device things are fine. But let's assume we now close the last fd for
that binderfs binder device. Now binder_release() is called and punts to
the workqueue. Assume that the workqueue has quite a bit of stuff to do
and doesn't get to cleaning up the struct binder_proc and the associated
struct binder_context with it for that binderfs binder device right
away. In the meantime, the VFS is killing the super block and is
ultimately calling sb->evict_inode() which means it will call
binderfs_evict_inode() which does:

static void binderfs_evict_inode(struct inode *inode)
{
	struct binder_device *device = inode->i_private;
	struct binderfs_info *info = BINDERFS_I(inode);

	clear_inode(inode);

	if (!S_ISCHR(inode->i_mode) || !device)
		return;

	mutex_lock(&binderfs_minors_mutex);
	--info->device_count;
	ida_free(&binderfs_minors, device->miscdev.minor);
	mutex_unlock(&binderfs_minors_mutex);

	kfree(device->context.name);
	kfree(device);
}

thereby freeing the struct binder_device including struct
binder_context.

Now the workqueue finally has time to get around to cleaning up struct
binder_proc and is now trying to access the associate struct
binder_context. Since it's already freed it will OOPs.

Fix this by holding an additional reference to the inode that is only
released once the workqueue is done cleaning up struct binder_proc. This
is an easy alternative to introducing separate refcounting on struct
binder_device which we can always do later if it becomes necessary.

This is an alternative fix to 51d8a7eca677 ("binder: prevent UAF read in
print_binder_transaction_log_entry()").

Fixes: 3ad20fe393b3 ("binder: implement binderfs")
Fixes: 03e2e07e3814 ("binder: Make transaction_log available in binderfs")
Related : 51d8a7eca677 ("binder: prevent UAF read in print_binder_transaction_log_entry()")
Cc: stable@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/android/binder.c          |    5 ++++-
 drivers/android/binder_internal.h |   13 +++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -5223,7 +5223,7 @@ static int binder_open(struct inode *nod
 	proc->default_priority = task_nice(current);
 	/* binderfs stashes devices in i_private */
 	if (is_binderfs_device(nodp)) {
-		binder_dev = nodp->i_private;
+		binder_dev = binderfs_device_get(nodp->i_private);
 		info = nodp->i_sb->s_fs_info;
 		binder_binderfs_dir_entry_proc = info->proc_log_dir;
 	} else {
@@ -5407,6 +5407,7 @@ static int binder_node_release(struct bi
 static void binder_deferred_release(struct binder_proc *proc)
 {
 	struct binder_context *context = proc->context;
+	struct binder_device *device;
 	struct rb_node *n;
 	int threads, nodes, incoming_refs, outgoing_refs, active_transactions;
 
@@ -5486,6 +5487,8 @@ static void binder_deferred_release(stru
 		     outgoing_refs, active_transactions);
 
 	binder_proc_dec_tmpref(proc);
+	device = container_of(proc->context, struct binder_device, context);
+	binderfs_device_put(device);
 }
 
 static void binder_deferred_func(struct work_struct *work)
--- a/drivers/android/binder_internal.h
+++ b/drivers/android/binder_internal.h
@@ -35,6 +35,19 @@ struct binder_device {
 	struct inode *binderfs_inode;
 };
 
+static inline struct binder_device *binderfs_device_get(struct binder_device *dev)
+{
+	if (dev->binderfs_inode)
+		ihold(dev->binderfs_inode);
+	return dev;
+}
+
+static inline void binderfs_device_put(struct binder_device *dev)
+{
+	if (dev->binderfs_inode)
+		iput(dev->binderfs_inode);
+}
+
 /**
  * binderfs_mount_opts - mount options for binderfs
  * @max: maximum number of allocatable binderfs binder devices



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 059/168] binder: prevent UAF for binderfs devices II
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 058/168] binder: prevent UAF for binderfs devices Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 060/168] ALSA: hda/realtek - Add Headset Mic supported Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christian Brauner, Todd Kjos

From: Christian Brauner <christian.brauner@ubuntu.com>

commit f0fe2c0f050d31babcad7d65f1d550d462a40064 upstream.

This is a necessary follow up to the first fix I proposed and we merged
in 2669b8b0c79 ("binder: prevent UAF for binderfs devices"). I have been
overly optimistic that the simple fix I proposed would work. But alas,
ihold() + iput() won't work since the inodes won't survive the
destruction of the superblock.
So all we get with my prior fix is a different race with a tinier
race-window but it doesn't solve the issue. Fwiw, the problem lies with
generic_shutdown_super(). It even has this cozy Al-style comment:

          if (!list_empty(&sb->s_inodes)) {
                  printk("VFS: Busy inodes after unmount of %s. "
                     "Self-destruct in 5 seconds.  Have a nice day...\n",
                     sb->s_id);
          }

On binder_release(), binder_defer_work(proc, BINDER_DEFERRED_RELEASE) is
called which punts the actual cleanup operation to a workqueue. At some
point, binder_deferred_func() will be called which will end up calling
binder_deferred_release() which will retrieve and cleanup the
binder_context attach to this struct binder_proc.

If we trace back where this binder_context is attached to binder_proc we
see that it is set in binder_open() and is taken from the struct
binder_device it is associated with. This obviously assumes that the
struct binder_device that context is attached to is _never_ freed. While
that might be true for devtmpfs binder devices it is most certainly
wrong for binderfs binder devices.

So, assume binder_open() is called on a binderfs binder devices. We now
stash away the struct binder_context associated with that struct
binder_devices:
	proc->context = &binder_dev->context;
	/* binderfs stashes devices in i_private */
	if (is_binderfs_device(nodp)) {
		binder_dev = nodp->i_private;
		info = nodp->i_sb->s_fs_info;
		binder_binderfs_dir_entry_proc = info->proc_log_dir;
	} else {
	.
	.
	.
	proc->context = &binder_dev->context;

Now let's assume that the binderfs instance for that binder devices is
shutdown via umount() and/or the mount namespace associated with it goes
away. As long as there is still an fd open for that binderfs binder
device things are fine. But let's assume we now close the last fd for
that binderfs binder device. Now binder_release() is called and punts to
the workqueue. Assume that the workqueue has quite a bit of stuff to do
and doesn't get to cleaning up the struct binder_proc and the associated
struct binder_context with it for that binderfs binder device right
away. In the meantime, the VFS is killing the super block and is
ultimately calling sb->evict_inode() which means it will call
binderfs_evict_inode() which does:

static void binderfs_evict_inode(struct inode *inode)
{
	struct binder_device *device = inode->i_private;
	struct binderfs_info *info = BINDERFS_I(inode);

	clear_inode(inode);

	if (!S_ISCHR(inode->i_mode) || !device)
		return;

	mutex_lock(&binderfs_minors_mutex);
	--info->device_count;
	ida_free(&binderfs_minors, device->miscdev.minor);
	mutex_unlock(&binderfs_minors_mutex);

	kfree(device->context.name);
	kfree(device);
}

thereby freeing the struct binder_device including struct
binder_context.

Now the workqueue finally has time to get around to cleaning up struct
binder_proc and is now trying to access the associate struct
binder_context. Since it's already freed it will OOPs.

Fix this by introducing a refounct on binder devices.

This is an alternative fix to 51d8a7eca677 ("binder: prevent UAF read in
print_binder_transaction_log_entry()").

Fixes: 3ad20fe393b3 ("binder: implement binderfs")
Fixes: 2669b8b0c798 ("binder: prevent UAF for binderfs devices")
Fixes: 03e2e07e3814 ("binder: Make transaction_log available in binderfs")
Related : 51d8a7eca677 ("binder: prevent UAF read in print_binder_transaction_log_entry()")
Cc: stable@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20200303164340.670054-1-christian.brauner@ubuntu.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/android/binder.c          |   12 +++++++++---
 drivers/android/binder_internal.h |   15 ++-------------
 drivers/android/binderfs.c        |    7 +++++--
 3 files changed, 16 insertions(+), 18 deletions(-)

--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -5223,13 +5223,14 @@ static int binder_open(struct inode *nod
 	proc->default_priority = task_nice(current);
 	/* binderfs stashes devices in i_private */
 	if (is_binderfs_device(nodp)) {
-		binder_dev = binderfs_device_get(nodp->i_private);
+		binder_dev = nodp->i_private;
 		info = nodp->i_sb->s_fs_info;
 		binder_binderfs_dir_entry_proc = info->proc_log_dir;
 	} else {
 		binder_dev = container_of(filp->private_data,
 					  struct binder_device, miscdev);
 	}
+	refcount_inc(&binder_dev->ref);
 	proc->context = &binder_dev->context;
 	binder_alloc_init(&proc->alloc);
 
@@ -5424,6 +5425,12 @@ static void binder_deferred_release(stru
 		context->binder_context_mgr_node = NULL;
 	}
 	mutex_unlock(&context->context_mgr_node_lock);
+	device = container_of(proc->context, struct binder_device, context);
+	if (refcount_dec_and_test(&device->ref)) {
+		kfree(context->name);
+		kfree(device);
+	}
+	proc->context = NULL;
 	binder_inner_proc_lock(proc);
 	/*
 	 * Make sure proc stays alive after we
@@ -5487,8 +5494,6 @@ static void binder_deferred_release(stru
 		     outgoing_refs, active_transactions);
 
 	binder_proc_dec_tmpref(proc);
-	device = container_of(proc->context, struct binder_device, context);
-	binderfs_device_put(device);
 }
 
 static void binder_deferred_func(struct work_struct *work)
@@ -6082,6 +6087,7 @@ static int __init init_binder_device(con
 	binder_device->miscdev.minor = MISC_DYNAMIC_MINOR;
 	binder_device->miscdev.name = name;
 
+	refcount_set(&binder_device->ref, 1);
 	binder_device->context.binder_context_mgr_uid = INVALID_UID;
 	binder_device->context.name = name;
 	mutex_init(&binder_device->context.context_mgr_node_lock);
--- a/drivers/android/binder_internal.h
+++ b/drivers/android/binder_internal.h
@@ -8,6 +8,7 @@
 #include <linux/list.h>
 #include <linux/miscdevice.h>
 #include <linux/mutex.h>
+#include <linux/refcount.h>
 #include <linux/stddef.h>
 #include <linux/types.h>
 #include <linux/uidgid.h>
@@ -33,21 +34,9 @@ struct binder_device {
 	struct miscdevice miscdev;
 	struct binder_context context;
 	struct inode *binderfs_inode;
+	refcount_t ref;
 };
 
-static inline struct binder_device *binderfs_device_get(struct binder_device *dev)
-{
-	if (dev->binderfs_inode)
-		ihold(dev->binderfs_inode);
-	return dev;
-}
-
-static inline void binderfs_device_put(struct binder_device *dev)
-{
-	if (dev->binderfs_inode)
-		iput(dev->binderfs_inode);
-}
-
 /**
  * binderfs_mount_opts - mount options for binderfs
  * @max: maximum number of allocatable binderfs binder devices
--- a/drivers/android/binderfs.c
+++ b/drivers/android/binderfs.c
@@ -154,6 +154,7 @@ static int binderfs_binder_device_create
 	if (!name)
 		goto err;
 
+	refcount_set(&device->ref, 1);
 	device->binderfs_inode = inode;
 	device->context.binder_context_mgr_uid = INVALID_UID;
 	device->context.name = name;
@@ -257,8 +258,10 @@ static void binderfs_evict_inode(struct
 	ida_free(&binderfs_minors, device->miscdev.minor);
 	mutex_unlock(&binderfs_minors_mutex);
 
-	kfree(device->context.name);
-	kfree(device);
+	if (refcount_dec_and_test(&device->ref)) {
+		kfree(device->context.name);
+		kfree(device);
+	}
 }
 
 /**



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 060/168] ALSA: hda/realtek - Add Headset Mic supported
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 059/168] binder: prevent UAF for binderfs devices II Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 061/168] ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1 Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kailang Yang, Takashi Iwai

From: Kailang Yang <kailang@realtek.com>

commit 78def224f59c05d00e815be946ec229719ccf377 upstream.

Dell desktop platform supported headset Mic.
Add pin verb to enable headset Mic.
This platform only support fixed type headset for Iphone type.

Signed-off-by: Kailang Yang <kailang@realtek.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/b9da28d772ef43088791b0f3675929e7@realtek.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -7117,6 +7117,8 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x1028, 0x0935, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB),
 	SND_PCI_QUIRK(0x1028, 0x097e, "Dell Precision", ALC289_FIXUP_DUAL_SPK),
 	SND_PCI_QUIRK(0x1028, 0x097d, "Dell Precision", ALC289_FIXUP_DUAL_SPK),
+	SND_PCI_QUIRK(0x1028, 0x098d, "Dell Precision", ALC233_FIXUP_ASUS_MIC_NO_PRESENCE),
+	SND_PCI_QUIRK(0x1028, 0x09bf, "Dell Precision", ALC233_FIXUP_ASUS_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 061/168] ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 060/168] ALSA: hda/realtek - Add Headset Mic supported Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 062/168] ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kailang Yang, Takashi Iwai

From: Kailang Yang <kailang@realtek.com>

commit 76f7dec08fd64e9e3ad0810a1a8a60b0a846d348 upstream.

ThinkPad want to support Headset Button control.
This patch will enable it.

Signed-off-by: Kailang Yang <kailang@realtek.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/7f0b7128f40f41f6b5582ff610adc33d@realtek.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5920,7 +5920,7 @@ enum {
 	ALC289_FIXUP_DUAL_SPK,
 	ALC294_FIXUP_SPK2_TO_DAC1,
 	ALC294_FIXUP_ASUS_DUAL_SPK,
-
+	ALC285_FIXUP_THINKPAD_HEADSET_JACK,
 };
 
 static const struct hda_fixup alc269_fixups[] = {
@@ -7042,7 +7042,12 @@ static const struct hda_fixup alc269_fix
 		.chained = true,
 		.chain_id = ALC294_FIXUP_SPK2_TO_DAC1
 	},
-
+	[ALC285_FIXUP_THINKPAD_HEADSET_JACK] = {
+		.type = HDA_FIXUP_FUNC,
+		.v.func = alc_fixup_headset_jack,
+		.chained = true,
+		.chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1
+	},
 };
 
 static const struct snd_pci_quirk alc269_fixup_tbl[] = {
@@ -7278,8 +7283,8 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
 	SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
 	SND_PCI_QUIRK(0x17aa, 0x225d, "Thinkpad T480", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
-	SND_PCI_QUIRK(0x17aa, 0x2292, "Thinkpad X1 Yoga 7th", ALC285_FIXUP_SPEAKER2_TO_DAC1),
-	SND_PCI_QUIRK(0x17aa, 0x2293, "Thinkpad X1 Carbon 7th", ALC285_FIXUP_SPEAKER2_TO_DAC1),
+	SND_PCI_QUIRK(0x17aa, 0x2292, "Thinkpad X1 Yoga 7th", ALC285_FIXUP_THINKPAD_HEADSET_JACK),
+	SND_PCI_QUIRK(0x17aa, 0x2293, "Thinkpad X1 Carbon 7th", ALC285_FIXUP_THINKPAD_HEADSET_JACK),
 	SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
 	SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
 	SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 062/168] ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 061/168] ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1 Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 063/168] ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294 Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christian Lachner, Takashi Iwai

From: Christian Lachner <gladiac@gmail.com>

commit 0d45e86d2267d5bdf7bbb631499788da1c27ceb2 upstream.

The Gigabyte X570 Aorus Master motherboard with ALC1220 codec
requires a similar workaround for Clevo laptops to enforce the
DAC/mixer connection path. Set up a quirk entry for that.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205275
Signed-off-by: Christian Lachner <gladiac@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200223092416.15016-2-gladiac@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -2447,6 +2447,7 @@ static const struct snd_pci_quirk alc882
 	SND_PCI_QUIRK(0x1071, 0x8258, "Evesham Voyaeger", ALC882_FIXUP_EAPD),
 	SND_PCI_QUIRK(0x1458, 0xa002, "Gigabyte EP45-DS3/Z87X-UD3H", ALC889_FIXUP_FRONT_HP_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1458, 0xa0b8, "Gigabyte AZ370-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS),
+	SND_PCI_QUIRK(0x1458, 0xa0cd, "Gigabyte X570 Aorus Master", ALC1220_FIXUP_CLEVO_P950),
 	SND_PCI_QUIRK(0x1462, 0x1228, "MSI-GP63", ALC1220_FIXUP_CLEVO_P950),
 	SND_PCI_QUIRK(0x1462, 0x1276, "MSI-GL73", ALC1220_FIXUP_CLEVO_P950),
 	SND_PCI_QUIRK(0x1462, 0x1293, "MSI-GP65", ALC1220_FIXUP_CLEVO_P950),



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 063/168] ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 062/168] ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 064/168] cifs: dont leak -EAGAIN for stat() during reconnect Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jian-Hong Pan, Kailang Yang, Takashi Iwai

From: Jian-Hong Pan <jian-hong@endlessm.com>

commit 8b33a134a9cc2a501f8fc731d91caef39237d495 upstream.

A headset on the laptop like ASUS B9450FA does not work, until quirk
ALC294_FIXUP_ASUS_HPE is applied.

Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
Signed-off-by: Kailang Yang <kailang@realtek.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200225072920.109199-1-jian-hong@endlessm.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5922,6 +5922,7 @@ enum {
 	ALC294_FIXUP_SPK2_TO_DAC1,
 	ALC294_FIXUP_ASUS_DUAL_SPK,
 	ALC285_FIXUP_THINKPAD_HEADSET_JACK,
+	ALC294_FIXUP_ASUS_HPE,
 };
 
 static const struct hda_fixup alc269_fixups[] = {
@@ -7049,6 +7050,17 @@ static const struct hda_fixup alc269_fix
 		.chained = true,
 		.chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1
 	},
+	[ALC294_FIXUP_ASUS_HPE] = {
+		.type = HDA_FIXUP_VERBS,
+		.v.verbs = (const struct hda_verb[]) {
+			/* Set EAPD high */
+			{ 0x20, AC_VERB_SET_COEF_INDEX, 0x0f },
+			{ 0x20, AC_VERB_SET_PROC_COEF, 0x7774 },
+			{ }
+		},
+		.chained = true,
+		.chain_id = ALC294_FIXUP_ASUS_HEADSET_MIC
+	},
 };
 
 static const struct snd_pci_quirk alc269_fixup_tbl[] = {
@@ -7214,6 +7226,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_DUAL_SPK),
 	SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC),
+	SND_PCI_QUIRK(0x1043, 0x19ce, "ASUS B9450FA", ALC294_FIXUP_ASUS_HPE),
 	SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW),
 	SND_PCI_QUIRK(0x1043, 0x1a30, "ASUS X705UD", ALC256_FIXUP_ASUS_MIC),
 	SND_PCI_QUIRK(0x1043, 0x1b13, "Asus U41SV", ALC269_FIXUP_INV_DMIC),



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 064/168] cifs: dont leak -EAGAIN for stat() during reconnect
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 063/168] ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294 Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 065/168] cifs: fix rename() by ensuring source handle opened with DELETE bit Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ronnie Sahlberg, Steve French,
	Pavel Shilovsky, Aurelien Aptel

From: Ronnie Sahlberg <lsahlber@redhat.com>

commit fc513fac56e1b626ae48a74d7551d9c35c50129e upstream.

If from cifs_revalidate_dentry_attr() the SMB2/QUERY_INFO call fails with an
error, such as STATUS_SESSION_EXPIRED, causing the session to be reconnected
it is possible we will leak -EAGAIN back to the application even for
system calls such as stat() where this is not a valid error.

Fix this by re-trying the operation from within cifs_revalidate_dentry_attr()
if cifs_get_inode_info*() returns -EAGAIN.

This fixes stat() and possibly also other system calls that uses
cifs_revalidate_dentry*().

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/inode.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -2011,6 +2011,7 @@ int cifs_revalidate_dentry_attr(struct d
 	struct inode *inode = d_inode(dentry);
 	struct super_block *sb = dentry->d_sb;
 	char *full_path = NULL;
+	int count = 0;
 
 	if (inode == NULL)
 		return -ENOENT;
@@ -2032,15 +2033,18 @@ int cifs_revalidate_dentry_attr(struct d
 		 full_path, inode, inode->i_count.counter,
 		 dentry, cifs_get_time(dentry), jiffies);
 
+again:
 	if (cifs_sb_master_tcon(CIFS_SB(sb))->unix_ext)
 		rc = cifs_get_inode_info_unix(&inode, full_path, sb, xid);
 	else
 		rc = cifs_get_inode_info(&inode, full_path, NULL, sb,
 					 xid, NULL);
-
+	if (rc == -EAGAIN && count++ < 10)
+		goto again;
 out:
 	kfree(full_path);
 	free_xid(xid);
+
 	return rc;
 }
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 065/168] cifs: fix rename() by ensuring source handle opened with DELETE bit
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 064/168] cifs: dont leak -EAGAIN for stat() during reconnect Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 066/168] usb: storage: Add quirk for Samsung Fit flash Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aurelien Aptel, Steve French,
	Pavel Shilovsky, Paulo Alcantara (SUSE)

From: Aurelien Aptel <aaptel@suse.com>

commit 86f740f2aed5ea7fe1aa86dc2df0fb4ab0f71088 upstream.

To rename a file in SMB2 we open it with the DELETE access and do a
special SetInfo on it. If the handle is missing the DELETE bit the
server will fail the SetInfo with STATUS_ACCESS_DENIED.

We currently try to reuse any existing opened handle we have with
cifs_get_writable_path(). That function looks for handles with WRITE
access but doesn't check for DELETE, making rename() fail if it finds
a handle to reuse. Simple reproducer below.

To select handles with the DELETE bit, this patch adds a flag argument
to cifs_get_writable_path() and find_writable_file() and the existing
'bool fsuid_only' argument is converted to a flag.

The cifsFileInfo struct only stores the UNIX open mode but not the
original SMB access flags. Since the DELETE bit is not mapped in that
mode, this patch stores the access mask in cifs_fid on file open,
which is accessible from cifsFileInfo.

Simple reproducer:

	#include <stdio.h>
	#include <stdlib.h>
	#include <sys/types.h>
	#include <sys/stat.h>
	#include <fcntl.h>
	#include <unistd.h>
	#define E(s) perror(s), exit(1)

	int main(int argc, char *argv[])
	{
		int fd, ret;
		if (argc != 3) {
			fprintf(stderr, "Usage: %s A B\n"
			"create&open A in write mode, "
			"rename A to B, close A\n", argv[0]);
			return 0;
		}

		fd = openat(AT_FDCWD, argv[1], O_WRONLY|O_CREAT|O_SYNC, 0666);
		if (fd == -1) E("openat()");

		ret = rename(argv[1], argv[2]);
		if (ret) E("rename()");

		ret = close(fd);
		if (ret) E("close()");

		return ret;
	}

$ gcc -o bugrename bugrename.c
$ ./bugrename /mnt/a /mnt/b
rename(): Permission denied

Fixes: 8de9e86c67ba ("cifs: create a helper to find a writeable handle by path name")
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/cifsglob.h  |    7 +++++++
 fs/cifs/cifsproto.h |    5 +++--
 fs/cifs/cifssmb.c   |    3 ++-
 fs/cifs/file.c      |   19 ++++++++++++-------
 fs/cifs/inode.c     |    6 +++---
 fs/cifs/smb1ops.c   |    2 +-
 fs/cifs/smb2inode.c |    4 ++--
 fs/cifs/smb2ops.c   |    3 ++-
 fs/cifs/smb2pdu.c   |    1 +
 9 files changed, 33 insertions(+), 17 deletions(-)

--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1229,6 +1229,7 @@ struct cifs_fid {
 	__u64 volatile_fid;	/* volatile file id for smb2 */
 	__u8 lease_key[SMB2_LEASE_KEY_SIZE];	/* lease key for smb2 */
 	__u8 create_guid[16];
+	__u32 access;
 	struct cifs_pending_open *pending_open;
 	unsigned int epoch;
 #ifdef CONFIG_CIFS_DEBUG2
@@ -1700,6 +1701,12 @@ static inline bool is_retryable_error(in
 	return false;
 }
 
+
+/* cifs_get_writable_file() flags */
+#define FIND_WR_ANY         0
+#define FIND_WR_FSUID_ONLY  1
+#define FIND_WR_WITH_DELETE 2
+
 #define   MID_FREE 0
 #define   MID_REQUEST_ALLOCATED 1
 #define   MID_REQUEST_SUBMITTED 2
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -133,11 +133,12 @@ extern bool backup_cred(struct cifs_sb_i
 extern bool is_size_safe_to_change(struct cifsInodeInfo *, __u64 eof);
 extern void cifs_update_eof(struct cifsInodeInfo *cifsi, loff_t offset,
 			    unsigned int bytes_written);
-extern struct cifsFileInfo *find_writable_file(struct cifsInodeInfo *, bool);
+extern struct cifsFileInfo *find_writable_file(struct cifsInodeInfo *, int);
 extern int cifs_get_writable_file(struct cifsInodeInfo *cifs_inode,
-				  bool fsuid_only,
+				  int flags,
 				  struct cifsFileInfo **ret_file);
 extern int cifs_get_writable_path(struct cifs_tcon *tcon, const char *name,
+				  int flags,
 				  struct cifsFileInfo **ret_file);
 extern struct cifsFileInfo *find_readable_file(struct cifsInodeInfo *, bool);
 extern int cifs_get_readable_path(struct cifs_tcon *tcon, const char *name,
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -1489,6 +1489,7 @@ openRetry:
 	*oplock = rsp->OplockLevel;
 	/* cifs fid stays in le */
 	oparms->fid->netfid = rsp->Fid;
+	oparms->fid->access = desired_access;
 
 	/* Let caller know file was created so we can set the mode. */
 	/* Do we care about the CreateAction in any other cases? */
@@ -2112,7 +2113,7 @@ cifs_writev_requeue(struct cifs_writedat
 		wdata2->tailsz = tailsz;
 		wdata2->bytes = cur_len;
 
-		rc = cifs_get_writable_file(CIFS_I(inode), false,
+		rc = cifs_get_writable_file(CIFS_I(inode), FIND_WR_ANY,
 					    &wdata2->cfile);
 		if (!wdata2->cfile) {
 			cifs_dbg(VFS, "No writable handle to retry writepages rc=%d\n",
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -1916,7 +1916,7 @@ struct cifsFileInfo *find_readable_file(
 
 /* Return -EBADF if no handle is found and general rc otherwise */
 int
-cifs_get_writable_file(struct cifsInodeInfo *cifs_inode, bool fsuid_only,
+cifs_get_writable_file(struct cifsInodeInfo *cifs_inode, int flags,
 		       struct cifsFileInfo **ret_file)
 {
 	struct cifsFileInfo *open_file, *inv_file = NULL;
@@ -1924,7 +1924,8 @@ cifs_get_writable_file(struct cifsInodeI
 	bool any_available = false;
 	int rc = -EBADF;
 	unsigned int refind = 0;
-
+	bool fsuid_only = flags & FIND_WR_FSUID_ONLY;
+	bool with_delete = flags & FIND_WR_WITH_DELETE;
 	*ret_file = NULL;
 
 	/*
@@ -1956,6 +1957,8 @@ refind_writable:
 			continue;
 		if (fsuid_only && !uid_eq(open_file->uid, current_fsuid()))
 			continue;
+		if (with_delete && !(open_file->fid.access & DELETE))
+			continue;
 		if (OPEN_FMODE(open_file->f_flags) & FMODE_WRITE) {
 			if (!open_file->invalidHandle) {
 				/* found a good writable file */
@@ -2003,12 +2006,12 @@ refind_writable:
 }
 
 struct cifsFileInfo *
-find_writable_file(struct cifsInodeInfo *cifs_inode, bool fsuid_only)
+find_writable_file(struct cifsInodeInfo *cifs_inode, int flags)
 {
 	struct cifsFileInfo *cfile;
 	int rc;
 
-	rc = cifs_get_writable_file(cifs_inode, fsuid_only, &cfile);
+	rc = cifs_get_writable_file(cifs_inode, flags, &cfile);
 	if (rc)
 		cifs_dbg(FYI, "couldn't find writable handle rc=%d", rc);
 
@@ -2017,6 +2020,7 @@ find_writable_file(struct cifsInodeInfo
 
 int
 cifs_get_writable_path(struct cifs_tcon *tcon, const char *name,
+		       int flags,
 		       struct cifsFileInfo **ret_file)
 {
 	struct list_head *tmp;
@@ -2043,7 +2047,7 @@ cifs_get_writable_path(struct cifs_tcon
 		kfree(full_path);
 		cinode = CIFS_I(d_inode(cfile->dentry));
 		spin_unlock(&tcon->open_file_lock);
-		return cifs_get_writable_file(cinode, 0, ret_file);
+		return cifs_get_writable_file(cinode, flags, ret_file);
 	}
 
 	spin_unlock(&tcon->open_file_lock);
@@ -2120,7 +2124,8 @@ static int cifs_partialpagewrite(struct
 	if (mapping->host->i_size - offset < (loff_t)to)
 		to = (unsigned)(mapping->host->i_size - offset);
 
-	rc = cifs_get_writable_file(CIFS_I(mapping->host), false, &open_file);
+	rc = cifs_get_writable_file(CIFS_I(mapping->host), FIND_WR_ANY,
+				    &open_file);
 	if (!rc) {
 		bytes_written = cifs_write(open_file, open_file->pid,
 					   write_data, to - from, &offset);
@@ -2313,7 +2318,7 @@ retry:
 		if (cfile)
 			cifsFileInfo_put(cfile);
 
-		rc = cifs_get_writable_file(CIFS_I(inode), false, &cfile);
+		rc = cifs_get_writable_file(CIFS_I(inode), FIND_WR_ANY, &cfile);
 
 		/* in case of an error store it to return later */
 		if (rc)
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -2220,7 +2220,7 @@ cifs_set_file_size(struct inode *inode,
 	 * writebehind data than the SMB timeout for the SetPathInfo
 	 * request would allow
 	 */
-	open_file = find_writable_file(cifsInode, true);
+	open_file = find_writable_file(cifsInode, FIND_WR_FSUID_ONLY);
 	if (open_file) {
 		tcon = tlink_tcon(open_file->tlink);
 		server = tcon->ses->server;
@@ -2370,7 +2370,7 @@ cifs_setattr_unix(struct dentry *direntr
 		args->ctime = NO_CHANGE_64;
 
 	args->device = 0;
-	open_file = find_writable_file(cifsInode, true);
+	open_file = find_writable_file(cifsInode, FIND_WR_FSUID_ONLY);
 	if (open_file) {
 		u16 nfid = open_file->fid.netfid;
 		u32 npid = open_file->pid;
@@ -2473,7 +2473,7 @@ cifs_setattr_nounix(struct dentry *diren
 	rc = 0;
 
 	if (attrs->ia_valid & ATTR_MTIME) {
-		rc = cifs_get_writable_file(cifsInode, false, &wfile);
+		rc = cifs_get_writable_file(cifsInode, FIND_WR_ANY, &wfile);
 		if (!rc) {
 			tcon = tlink_tcon(wfile->tlink);
 			rc = tcon->ses->server->ops->flush(xid, tcon, &wfile->fid);
--- a/fs/cifs/smb1ops.c
+++ b/fs/cifs/smb1ops.c
@@ -767,7 +767,7 @@ smb_set_file_info(struct inode *inode, c
 	struct cifs_tcon *tcon;
 
 	/* if the file is already open for write, just use that fileid */
-	open_file = find_writable_file(cinode, true);
+	open_file = find_writable_file(cinode, FIND_WR_FSUID_ONLY);
 	if (open_file) {
 		fid.netfid = open_file->fid.netfid;
 		netpid = open_file->pid;
--- a/fs/cifs/smb2inode.c
+++ b/fs/cifs/smb2inode.c
@@ -525,7 +525,7 @@ smb2_mkdir_setinfo(struct inode *inode,
 	cifs_i = CIFS_I(inode);
 	dosattrs = cifs_i->cifsAttrs | ATTR_READONLY;
 	data.Attributes = cpu_to_le32(dosattrs);
-	cifs_get_writable_path(tcon, name, &cfile);
+	cifs_get_writable_path(tcon, name, FIND_WR_ANY, &cfile);
 	tmprc = smb2_compound_op(xid, tcon, cifs_sb, name,
 				 FILE_WRITE_ATTRIBUTES, FILE_CREATE,
 				 CREATE_NOT_FILE, ACL_NO_MODE,
@@ -581,7 +581,7 @@ smb2_rename_path(const unsigned int xid,
 {
 	struct cifsFileInfo *cfile;
 
-	cifs_get_writable_path(tcon, from_name, &cfile);
+	cifs_get_writable_path(tcon, from_name, FIND_WR_WITH_DELETE, &cfile);
 
 	return smb2_set_path_attr(xid, tcon, from_name, to_name,
 				  cifs_sb, DELETE, SMB2_OP_RENAME, cfile);
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1338,6 +1338,7 @@ smb2_set_fid(struct cifsFileInfo *cfile,
 
 	cfile->fid.persistent_fid = fid->persistent_fid;
 	cfile->fid.volatile_fid = fid->volatile_fid;
+	cfile->fid.access = fid->access;
 #ifdef CONFIG_CIFS_DEBUG2
 	cfile->fid.mid = fid->mid;
 #endif /* CIFS_DEBUG2 */
@@ -3162,7 +3163,7 @@ static loff_t smb3_llseek(struct file *f
 	 * some servers (Windows2016) will not reflect recent writes in
 	 * QUERY_ALLOCATED_RANGES until SMB2_flush is called.
 	 */
-	wrcfile = find_writable_file(cifsi, false);
+	wrcfile = find_writable_file(cifsi, FIND_WR_ANY);
 	if (wrcfile) {
 		filemap_write_and_wait(inode->i_mapping);
 		smb2_flush_file(xid, tcon, &wrcfile->fid);
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2650,6 +2650,7 @@ SMB2_open(const unsigned int xid, struct
 	atomic_inc(&tcon->num_remote_opens);
 	oparms->fid->persistent_fid = rsp->PersistentFileId;
 	oparms->fid->volatile_fid = rsp->VolatileFileId;
+	oparms->fid->access = oparms->desired_access;
 #ifdef CONFIG_CIFS_DEBUG2
 	oparms->fid->mid = le64_to_cpu(rsp->sync_hdr.MessageId);
 #endif /* CIFS_DEBUG2 */



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 066/168] usb: storage: Add quirk for Samsung Fit flash
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 065/168] cifs: fix rename() by ensuring source handle opened with DELETE bit Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 067/168] usb: quirks: add NO_LPM quirk for Logitech Screen Share Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jim Lin, Alan Stern

From: Jim Lin <jilin@nvidia.com>

commit 86d92f5465958752481269348d474414dccb1552 upstream.

Current driver has 240 (USB2.0) and 2048 (USB3.0) as max_sectors,
e.g., /sys/bus/scsi/devices/0:0:0:0/max_sectors

If data access times out, driver error handling will issue a port
reset.
Sometimes Samsung Fit (090C:1000) flash disk will not respond to
later Set Address or Get Descriptor command.

Adding this quirk to limit max_sectors to 64 sectors to avoid issue
occurring.

Signed-off-by: Jim Lin <jilin@nvidia.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1583158895-31342-1-git-send-email-jilin@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/storage/unusual_devs.h |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -1258,6 +1258,12 @@ UNUSUAL_DEV( 0x090a, 0x1200, 0x0000, 0x9
 		USB_SC_RBC, USB_PR_BULK, NULL,
 		0 ),
 
+UNUSUAL_DEV(0x090c, 0x1000, 0x1100, 0x1100,
+		"Samsung",
+		"Flash Drive FIT",
+		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+		US_FL_MAX_SECTORS_64),
+
 /* aeb */
 UNUSUAL_DEV( 0x090c, 0x1132, 0x0000, 0xffff,
 		"Feiya",



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 067/168] usb: quirks: add NO_LPM quirk for Logitech Screen Share
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 066/168] usb: storage: Add quirk for Samsung Fit flash Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 068/168] usb: dwc3: gadget: Update chain bit correctly when using sg list Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Lazewatsky, Gustavo Padovan

From: Dan Lazewatsky <dlaz@chromium.org>

commit b96ed52d781a2026d0c0daa5787c6f3d45415862 upstream.

LPM on the device appears to cause xHCI host controllers to claim
that there isn't enough bandwidth to support additional devices.

Signed-off-by: Dan Lazewatsky <dlaz@chromium.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.com>
Link: https://lore.kernel.org/r/20200226143438.1445-1-gustavo.padovan@collabora.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/quirks.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -231,6 +231,9 @@ static const struct usb_device_id usb_qu
 	/* Logitech PTZ Pro Camera */
 	{ USB_DEVICE(0x046d, 0x0853), .driver_info = USB_QUIRK_DELAY_INIT },
 
+	/* Logitech Screen Share */
+	{ USB_DEVICE(0x046d, 0x086c), .driver_info = USB_QUIRK_NO_LPM },
+
 	/* Logitech Quickcam Fusion */
 	{ USB_DEVICE(0x046d, 0x08c1), .driver_info = USB_QUIRK_RESET_RESUME },
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 068/168] usb: dwc3: gadget: Update chain bit correctly when using sg list
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 067/168] usb: quirks: add NO_LPM quirk for Logitech Screen Share Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 069/168] usb: cdns3: gadget: link trb should point to next request Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Felipe Balbi, Yang Fei, Thinh Nguyen,
	Tejas Joglekar, Andrzej Pietrasiewicz, Jack Pham, Todd Kjos,
	Linux USB List, Pratham Pratap, John Stultz

From: Pratham Pratap <prathampratap@codeaurora.org>

commit dad2aff3e827b112f27fa5e6f2bf87a110067c3f upstream.

If scatter-gather operation is allowed, a large USB request is split
into multiple TRBs. For preparing TRBs for sg list, driver iterates
over the list and creates TRB for each sg and mark the chain bit to
false for the last sg. The current IOMMU driver is clubbing the list
of sgs which shares a page boundary into one and giving it to USB driver.
With this the number of sgs mapped it not equal to the the number of sgs
passed. Because of this USB driver is not marking the chain bit to false
since it couldn't iterate to the last sg. This patch addresses this issue
by marking the chain bit to false if it is the last mapped sg.

At a practical level, this patch resolves USB transfer stalls
seen with adb on dwc3 based db845c, pixel3 and other qcom
hardware after functionfs gadget added scatter-gather support
around v4.20.

Credit also to Anurag Kumar Vulisha <anurag.kumar.vulisha@xilinx.com>
who implemented a very similar fix to this issue.

Cc: Felipe Balbi <balbi@kernel.org>
Cc: Yang Fei <fei.yang@intel.com>
Cc: Thinh Nguyen <thinhn@synopsys.com>
Cc: Tejas Joglekar <tejas.joglekar@synopsys.com>
Cc: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
Cc: Jack Pham <jackp@codeaurora.org>
Cc: Todd Kjos <tkjos@google.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Linux USB List <linux-usb@vger.kernel.org>
Cc: stable <stable@vger.kernel.org> #4.20+
Signed-off-by: Pratham Pratap <prathampratap@codeaurora.org>
[jstultz: Slight tweak to remove sg_is_last() usage, reworked
          commit message, minor comment tweak]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Link: https://lore.kernel.org/r/20200302214443.55783-1-john.stultz@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/dwc3/gadget.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1068,7 +1068,14 @@ static void dwc3_prepare_one_trb_sg(stru
 		unsigned int rem = length % maxp;
 		unsigned chain = true;
 
-		if (sg_is_last(s))
+		/*
+		 * IOMMU driver is coalescing the list of sgs which shares a
+		 * page boundary into one and giving it to USB driver. With
+		 * this the number of sgs mapped is not equal to the number of
+		 * sgs passed. So mark the chain bit to false if it isthe last
+		 * mapped sg.
+		 */
+		if (i == remaining - 1)
 			chain = false;
 
 		if (rem && usb_endpoint_dir_out(dep->endpoint.desc) && !chain) {



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 069/168] usb: cdns3: gadget: link trb should point to next request
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 068/168] usb: dwc3: gadget: Update chain bit correctly when using sg list Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 070/168] usb: cdns3: gadget: toggle cycle bit before reset endpoint Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Chen

From: Peter Chen <peter.chen@nxp.com>

commit 8a7c47fb7285b23ca259c888016513d5566fa9e8 upstream.

It has marked the dequeue trb as link trb, but its next segment
pointer is still itself, it causes the transfer can't go on. Fix
it by set its pointer as the trb address for the next request.

Fixes: f616c3bda47e ("usb: cdns3: Fix dequeue implementation")
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200219141455.23257-2-peter.chen@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/cdns3/gadget.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/cdns3/gadget.c
+++ b/drivers/usb/cdns3/gadget.c
@@ -2107,7 +2107,7 @@ found:
 	/* Update ring only if removed request is on pending_req_list list */
 	if (req_on_hw_ring) {
 		link_trb->buffer = TRB_BUFFER(priv_ep->trb_pool_dma +
-					      (priv_req->start_trb * TRB_SIZE));
+			((priv_req->end_trb + 1) * TRB_SIZE));
 		link_trb->control = (link_trb->control & TRB_CYCLE) |
 				    TRB_TYPE(TRB_LINK) | TRB_CHAIN;
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 070/168] usb: cdns3: gadget: toggle cycle bit before reset endpoint
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 069/168] usb: cdns3: gadget: link trb should point to next request Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 071/168] usb: core: hub: fix unhandled return by employing a void function Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Chen

From: Peter Chen <peter.chen@nxp.com>

commit 4bf2dd65135a2d7fe202f7c10d65b51bcf645ac6 upstream.

If there are TRBs pending during reset endpoint operation, the
DMA will advance after reset operation, but it isn't expected,
since the data is not yet available (For OUT, the data is not
yet available). After the data is ready, there won't be any
interrupt since the EP_TRADDR already points to next TRB entry
and doorbell is not set.

To fix it, it toggles cycle bit before reset operation, and restores
it after reset, it could avoid unexpected DMA advance due to
cycle bit is for software during the endpoint reset operation.

Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200219141455.23257-3-peter.chen@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/cdns3/gadget.c |   17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

--- a/drivers/usb/cdns3/gadget.c
+++ b/drivers/usb/cdns3/gadget.c
@@ -2152,11 +2152,21 @@ int __cdns3_gadget_ep_clear_halt(struct
 {
 	struct cdns3_device *priv_dev = priv_ep->cdns3_dev;
 	struct usb_request *request;
+	struct cdns3_request *priv_req;
+	struct cdns3_trb *trb = NULL;
 	int ret;
 	int val;
 
 	trace_cdns3_halt(priv_ep, 0, 0);
 
+	request = cdns3_next_request(&priv_ep->pending_req_list);
+	if (request) {
+		priv_req = to_cdns3_request(request);
+		trb = priv_req->trb;
+		if (trb)
+			trb->control = trb->control ^ TRB_CYCLE;
+	}
+
 	writel(EP_CMD_CSTALL | EP_CMD_EPRST, &priv_dev->regs->ep_cmd);
 
 	/* wait for EPRST cleared */
@@ -2167,10 +2177,11 @@ int __cdns3_gadget_ep_clear_halt(struct
 
 	priv_ep->flags &= ~(EP_STALLED | EP_STALL_PENDING);
 
-	request = cdns3_next_request(&priv_ep->pending_req_list);
-
-	if (request)
+	if (request) {
+		if (trb)
+			trb->control = trb->control ^ TRB_CYCLE;
 		cdns3_rearm_transfer(priv_ep, 1);
+	}
 
 	cdns3_start_all_request(priv_dev, priv_ep);
 	return ret;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 071/168] usb: core: hub: fix unhandled return by employing a void function
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 070/168] usb: cdns3: gadget: toggle cycle bit before reset endpoint Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 072/168] usb: core: hub: do error out if usb_autopm_get_interface() fails Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable

From: Eugeniu Rosca <erosca@de.adit-jv.com>

commit 63d6d7ed475c53dc1cabdfedf63de1fd8dcd72ee upstream.

Address below Coverity complaint (Feb 25, 2020, 8:06 AM CET):

---
 drivers/usb/core/hub.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1865,7 +1865,7 @@ static int hub_probe(struct usb_interfac
 
 	if (id->driver_info & HUB_QUIRK_DISABLE_AUTOSUSPEND) {
 		hub->quirk_disable_autosuspend = 1;
-		usb_autopm_get_interface(intf);
+		usb_autopm_get_interface_no_resume(intf);
 	}
 
 	if (hub_configure(hub, &desc->endpoint[0].desc) >= 0)



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 072/168] usb: core: hub: do error out if usb_autopm_get_interface() fails
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 071/168] usb: core: hub: fix unhandled return by employing a void function Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 073/168] usb: core: port: " Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern, Eugeniu Rosca

From: Eugeniu Rosca <erosca@de.adit-jv.com>

commit 60e3f6e4ac5b0fda43dad01c32e09409ec710045 upstream.

Reviewing a fresh portion of coverity defects in USB core
(specifically CID 1458999), Alan Stern noted below in [1]:

On Tue, Feb 25, 2020 at 02:39:23PM -0500, Alan Stern wrote:
 > A revised search finds line 997 in drivers/usb/core/hub.c and lines
 > 216, 269 in drivers/usb/core/port.c.  (I didn't try looking in any
 > other directories.)  AFAICT all three of these should check the
 > return value, although a error message in the kernel log probably
 > isn't needed.

Factor out the usb_remove_device() change into a standalone patch to
allow conflict-free integration on top of the earliest stable branches.

[1] https://lore.kernel.org/lkml/Pine.LNX.4.44L0.2002251419120.1485-100000@iolanthe.rowland.org

Fixes: 253e05724f9230 ("USB: add a "remove hardware" sysfs attribute")
Cc: stable@vger.kernel.org # v2.6.33+
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20200226175036.14946-2-erosca@de.adit-jv.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/hub.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -987,13 +987,17 @@ int usb_remove_device(struct usb_device
 {
 	struct usb_hub *hub;
 	struct usb_interface *intf;
+	int ret;
 
 	if (!udev->parent)	/* Can't remove a root hub */
 		return -EINVAL;
 	hub = usb_hub_to_struct_hub(udev->parent);
 	intf = to_usb_interface(hub->intfdev);
 
-	usb_autopm_get_interface(intf);
+	ret = usb_autopm_get_interface(intf);
+	if (ret < 0)
+		return ret;
+
 	set_bit(udev->portnum, hub->removed_bits);
 	hub_port_logical_disconnect(hub, udev->portnum);
 	usb_autopm_put_interface(intf);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 073/168] usb: core: port: do error out if usb_autopm_get_interface() fails
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 072/168] usb: core: hub: do error out if usb_autopm_get_interface() fails Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 074/168] vgacon: Fix a UAF in vgacon_invert_region Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern, Eugeniu Rosca

From: Eugeniu Rosca <erosca@de.adit-jv.com>

commit 1f8b39bc99a31759e97a0428a5c3f64802c1e61d upstream.

Reviewing a fresh portion of coverity defects in USB core
(specifically CID 1458999), Alan Stern noted below in [1]:

On Tue, Feb 25, 2020 at 02:39:23PM -0500, Alan Stern wrote:
 > A revised search finds line 997 in drivers/usb/core/hub.c and lines
 > 216, 269 in drivers/usb/core/port.c.  (I didn't try looking in any
 > other directories.)  AFAICT all three of these should check the
 > return value, although a error message in the kernel log probably
 > isn't needed.

Factor out the usb_port_runtime_{resume,suspend}() changes into a
standalone patch to allow conflict-free porting on top of stable v3.9+.

[1] https://lore.kernel.org/lkml/Pine.LNX.4.44L0.2002251419120.1485-100000@iolanthe.rowland.org

Fixes: 971fcd492cebf5 ("usb: add runtime pm support for usb port device")
Cc: stable@vger.kernel.org # v3.9+
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20200226175036.14946-3-erosca@de.adit-jv.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/port.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/usb/core/port.c
+++ b/drivers/usb/core/port.c
@@ -213,7 +213,10 @@ static int usb_port_runtime_resume(struc
 	if (!port_dev->is_superspeed && peer)
 		pm_runtime_get_sync(&peer->dev);
 
-	usb_autopm_get_interface(intf);
+	retval = usb_autopm_get_interface(intf);
+	if (retval < 0)
+		return retval;
+
 	retval = usb_hub_set_port_power(hdev, hub, port1, true);
 	msleep(hub_power_on_good_delay(hub));
 	if (udev && !retval) {
@@ -266,7 +269,10 @@ static int usb_port_runtime_suspend(stru
 	if (usb_port_block_power_off)
 		return -EBUSY;
 
-	usb_autopm_get_interface(intf);
+	retval = usb_autopm_get_interface(intf);
+	if (retval < 0)
+		return retval;
+
 	retval = usb_hub_set_port_power(hdev, hub, port1, false);
 	usb_clear_port_feature(hdev, port1, USB_PORT_FEAT_C_CONNECTION);
 	if (!port_dev->is_superspeed)



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 074/168] vgacon: Fix a UAF in vgacon_invert_region
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 073/168] usb: core: port: " Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 075/168] mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhang Xiaoxu, Daniel Vetter

From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>

commit 513dc792d6060d5ef572e43852683097a8420f56 upstream.

When syzkaller tests, there is a UAF:
  BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr
    ffff880000100000
  Read of size 2 by task syz-executor.1/16489
  page:ffffea0000004000 count:0 mapcount:-127 mapping:          (null)
  index:0x0
  page flags: 0xfffff00000000()
  page dumped because: kasan: bad access detected
  CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
  Call Trace:
    [<ffffffffb119f309>] dump_stack+0x1e/0x20
    [<ffffffffb04af957>] kasan_report+0x577/0x950
    [<ffffffffb04ae652>] __asan_load2+0x62/0x80
    [<ffffffffb090f26d>] vgacon_invert_region+0x9d/0x110
    [<ffffffffb0a39d95>] invert_screen+0xe5/0x470
    [<ffffffffb0a21dcb>] set_selection+0x44b/0x12f0
    [<ffffffffb0a3bfae>] tioclinux+0xee/0x490
    [<ffffffffb0a1d114>] vt_ioctl+0xff4/0x2670
    [<ffffffffb0a0089a>] tty_ioctl+0x46a/0x1a10
    [<ffffffffb052db3d>] do_vfs_ioctl+0x5bd/0xc40
    [<ffffffffb052e2f2>] SyS_ioctl+0x132/0x170
    [<ffffffffb11c9b1b>] system_call_fastpath+0x22/0x27
    Memory state around the buggy address:
     ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00
     ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00 00
    >ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff
     ff ff ff

It can be reproduce in the linux mainline by the program:
  #include <stdio.h>
  #include <stdlib.h>
  #include <unistd.h>
  #include <fcntl.h>
  #include <sys/types.h>
  #include <sys/stat.h>
  #include <sys/ioctl.h>
  #include <linux/vt.h>

  struct tiocl_selection {
    unsigned short xs;      /* X start */
    unsigned short ys;      /* Y start */
    unsigned short xe;      /* X end */
    unsigned short ye;      /* Y end */
    unsigned short sel_mode; /* selection mode */
  };

  #define TIOCL_SETSEL    2
  struct tiocl {
    unsigned char type;
    unsigned char pad;
    struct tiocl_selection sel;
  };

  int main()
  {
    int fd = 0;
    const char *dev = "/dev/char/4:1";

    struct vt_consize v = {0};
    struct tiocl tioc = {0};

    fd = open(dev, O_RDWR, 0);

    v.v_rows = 3346;
    ioctl(fd, VT_RESIZEX, &v);

    tioc.type = TIOCL_SETSEL;
    ioctl(fd, TIOCLINUX, &tioc);

    return 0;
  }

When resize the screen, update the 'vc->vc_size_row' to the new_row_size,
but when 'set_origin' in 'vgacon_set_origin', vgacon use 'vga_vram_base'
for 'vc_origin' and 'vc_visible_origin', not 'vc_screenbuf'. It maybe
smaller than 'vc_screenbuf'. When TIOCLINUX, use the new_row_size to calc
the offset, it maybe larger than the vga_vram_size in vgacon driver, then
bad access.
Also, if set an larger screenbuf firstly, then set an more larger
screenbuf, when copy old_origin to new_origin, a bad access may happen.

So, If the screen size larger than vga_vram, resize screen should be
failed. This alse fix CVE-2020-8649 and CVE-2020-8647.

Linus pointed out that overflow checking seems absent. We're saved by
the existing bounds checks in vc_do_resize() with rather strict
limits:

	if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
		return -EINVAL;

Fixes: 0aec4867dca14 ("[PATCH] SVGATextMode fix")
Reference: CVE-2020-8647 and CVE-2020-8649
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[danvet: augment commit message to point out overflow safety]
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/console/vgacon.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -1316,6 +1316,9 @@ static int vgacon_font_get(struct vc_dat
 static int vgacon_resize(struct vc_data *c, unsigned int width,
 			 unsigned int height, unsigned int user)
 {
+	if ((width << 1) * height > vga_vram_size)
+		return -EINVAL;
+
 	if (width % 2 || width > screen_info.orig_video_cols ||
 	    height > (screen_info.orig_video_lines * vga_default_font_height)/
 	    c->vc_font.height)



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 075/168] mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 074/168] vgacon: Fix a UAF in vgacon_invert_region Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 076/168] mm: fix possible PMD dirty bit lost in set_pmd_migration_entry() Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrew Morton, Rafael Aquini,
	Mel Gorman, Zi Yan, Kirill A. Shutemov, Vlastimil Babka,
	Michal Hocko, Linus Torvalds

From: Mel Gorman <mgorman@techsingularity.net>

commit 8b272b3cbbb50a6a8e62d8a15affd473a788e184 upstream.

: A user reported a bug against a distribution kernel while running a
: proprietary workload described as "memory intensive that is not swapping"
: that is expected to apply to mainline kernels.  The workload is
: read/write/modifying ranges of memory and checking the contents.  They
: reported that within a few hours that a bad PMD would be reported followed
: by a memory corruption where expected data was all zeros.  A partial
: report of the bad PMD looked like
:
:   [ 5195.338482] ../mm/pgtable-generic.c:33: bad pmd ffff8888157ba008(000002e0396009e2)
:   [ 5195.341184] ------------[ cut here ]------------
:   [ 5195.356880] kernel BUG at ../mm/pgtable-generic.c:35!
:   ....
:   [ 5195.410033] Call Trace:
:   [ 5195.410471]  [<ffffffff811bc75d>] change_protection_range+0x7dd/0x930
:   [ 5195.410716]  [<ffffffff811d4be8>] change_prot_numa+0x18/0x30
:   [ 5195.410918]  [<ffffffff810adefe>] task_numa_work+0x1fe/0x310
:   [ 5195.411200]  [<ffffffff81098322>] task_work_run+0x72/0x90
:   [ 5195.411246]  [<ffffffff81077139>] exit_to_usermode_loop+0x91/0xc2
:   [ 5195.411494]  [<ffffffff81003a51>] prepare_exit_to_usermode+0x31/0x40
:   [ 5195.411739]  [<ffffffff815e56af>] retint_user+0x8/0x10
:
: Decoding revealed that the PMD was a valid prot_numa PMD and the bad PMD
: was a false detection.  The bug does not trigger if automatic NUMA
: balancing or transparent huge pages is disabled.
:
: The bug is due a race in change_pmd_range between a pmd_trans_huge and
: pmd_nond_or_clear_bad check without any locks held.  During the
: pmd_trans_huge check, a parallel protection update under lock can have
: cleared the PMD and filled it with a prot_numa entry between the transhuge
: check and the pmd_none_or_clear_bad check.
:
: While this could be fixed with heavy locking, it's only necessary to make
: a copy of the PMD on the stack during change_pmd_range and avoid races.  A
: new helper is created for this as the check if quite subtle and the
: existing similar helpful is not suitable.  This passed 154 hours of
: testing (usually triggers between 20 minutes and 24 hours) without
: detecting bad PMDs or corruption.  A basic test of an autonuma-intensive
: workload showed no significant change in behaviour.

Although Mel withdrew the patch on the face of LKML comment
https://lkml.org/lkml/2017/4/10/922 the race window aforementioned is
still open, and we have reports of Linpack test reporting bad residuals
after the bad PMD warning is observed.  In addition to that, bad
rss-counter and non-zero pgtables assertions are triggered on mm teardown
for the task hitting the bad PMD.

 host kernel: mm/pgtable-generic.c:40: bad pmd 00000000b3152f68(8000000d2d2008e7)
 ....
 host kernel: BUG: Bad rss-counter state mm:00000000b583043d idx:1 val:512
 host kernel: BUG: non-zero pgtables_bytes on freeing mm: 4096

The issue is observed on a v4.18-based distribution kernel, but the race
window is expected to be applicable to mainline kernels, as well.

[akpm@linux-foundation.org: fix comment typo, per Rafael]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Rafael Aquini <aquini@redhat.com>
Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
Cc: <stable@vger.kernel.org>
Cc: Zi Yan <zi.yan@cs.rutgers.edu>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Michal Hocko <mhocko@suse.com>
Link: http://lkml.kernel.org/r/20200216191800.22423-1-aquini@redhat.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/mprotect.c |   38 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)

--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -161,6 +161,31 @@ static unsigned long change_pte_range(st
 	return pages;
 }
 
+/*
+ * Used when setting automatic NUMA hinting protection where it is
+ * critical that a numa hinting PMD is not confused with a bad PMD.
+ */
+static inline int pmd_none_or_clear_bad_unless_trans_huge(pmd_t *pmd)
+{
+	pmd_t pmdval = pmd_read_atomic(pmd);
+
+	/* See pmd_none_or_trans_huge_or_clear_bad for info on barrier */
+#ifdef CONFIG_TRANSPARENT_HUGEPAGE
+	barrier();
+#endif
+
+	if (pmd_none(pmdval))
+		return 1;
+	if (pmd_trans_huge(pmdval))
+		return 0;
+	if (unlikely(pmd_bad(pmdval))) {
+		pmd_clear_bad(pmd);
+		return 1;
+	}
+
+	return 0;
+}
+
 static inline unsigned long change_pmd_range(struct vm_area_struct *vma,
 		pud_t *pud, unsigned long addr, unsigned long end,
 		pgprot_t newprot, int dirty_accountable, int prot_numa)
@@ -178,8 +203,17 @@ static inline unsigned long change_pmd_r
 		unsigned long this_pages;
 
 		next = pmd_addr_end(addr, end);
-		if (!is_swap_pmd(*pmd) && !pmd_trans_huge(*pmd) && !pmd_devmap(*pmd)
-				&& pmd_none_or_clear_bad(pmd))
+
+		/*
+		 * Automatic NUMA balancing walks the tables with mmap_sem
+		 * held for read. It's possible a parallel update to occur
+		 * between pmd_trans_huge() and a pmd_none_or_clear_bad()
+		 * check leading to a false positive and clearing.
+		 * Hence, it's necessary to atomically read the PMD value
+		 * for all the checks.
+		 */
+		if (!is_swap_pmd(*pmd) && !pmd_devmap(*pmd) &&
+		     pmd_none_or_clear_bad_unless_trans_huge(pmd))
 			goto next;
 
 		/* invoke the mmu notifier if the pmd is populated */



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 076/168] mm: fix possible PMD dirty bit lost in set_pmd_migration_entry()
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 075/168] mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 077/168] mm, hotplug: fix page online with DEBUG_PAGEALLOC compiled but not enabled Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrew Morton, Huang, Ying, Zi Yan,
	William Kucharski, Kirill A. Shutemov, Vlastimil Babka,
	Michal Hocko, Andrea Arcangeli, Linus Torvalds

From: Huang Ying <ying.huang@intel.com>

commit 8a8683ad9ba48b4b52a57f013513d1635c1ca5c4 upstream.

In set_pmd_migration_entry(), pmdp_invalidate() is used to change PMD
atomically.  But the PMD is read before that with an ordinary memory
reading.  If the THP (transparent huge page) is written between the PMD
reading and pmdp_invalidate(), the PMD dirty bit may be lost, and cause
data corruption.  The race window is quite small, but still possible in
theory, so need to be fixed.

The race is fixed via using the return value of pmdp_invalidate() to get
the original content of PMD, which is a read/modify/write atomic
operation.  So no THP writing can occur in between.

The race has been introduced when the THP migration support is added in
the commit 616b8371539a ("mm: thp: enable thp migration in generic path").
But this fix depends on the commit d52605d7cb30 ("mm: do not lose dirty
and accessed bits in pmdp_invalidate()").  So it's easy to be backported
after v4.16.  But the race window is really small, so it may be fine not
to backport the fix at all.

Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: "Huang, Ying" <ying.huang@intel.com>
Reviewed-by: Zi Yan <ziy@nvidia.com>
Reviewed-by: William Kucharski <william.kucharski@oracle.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: <stable@vger.kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Link: http://lkml.kernel.org/r/20200220075220.2327056-1-ying.huang@intel.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/huge_memory.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -3032,8 +3032,7 @@ void set_pmd_migration_entry(struct page
 		return;
 
 	flush_cache_range(vma, address, address + HPAGE_PMD_SIZE);
-	pmdval = *pvmw->pmd;
-	pmdp_invalidate(vma, address, pvmw->pmd);
+	pmdval = pmdp_invalidate(vma, address, pvmw->pmd);
 	if (pmd_dirty(pmdval))
 		set_page_dirty(page);
 	entry = make_migration_entry(page, pmd_write(pmdval));



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 077/168] mm, hotplug: fix page online with DEBUG_PAGEALLOC compiled but not enabled
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 076/168] mm: fix possible PMD dirty bit lost in set_pmd_migration_entry() Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 078/168] fat: fix uninit-memory access for partial initialized inode Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gerald Schaefer, Andrew Morton,
	Vlastimil Babka, David Hildenbrand, Joonsoo Kim, Qian Cai,
	Linus Torvalds

From: Vlastimil Babka <vbabka@suse.cz>

commit c87cbc1f007c4b46165f05ceca04e1973cda0b9c upstream.

Commit cd02cf1aceea ("mm/hotplug: fix an imbalance with DEBUG_PAGEALLOC")
fixed memory hotplug with debug_pagealloc enabled, where onlining a page
goes through page freeing, which removes the direct mapping.  Some arches
don't like when the page is not mapped in the first place, so
generic_online_page() maps it first.  This is somewhat wasteful, but
better than special casing page freeing fast paths.

The commit however missed that DEBUG_PAGEALLOC configured doesn't mean
it's actually enabled.  One has to test debug_pagealloc_enabled() since
031bc5743f15 ("mm/debug-pagealloc: make debug-pagealloc boottime
configurable"), or alternatively debug_pagealloc_enabled_static() since
8e57f8acbbd1 ("mm, debug_pagealloc: don't rely on static keys too early"),
but this is not done.

As a result, a s390 kernel with DEBUG_PAGEALLOC configured but not enabled
will crash:

Unable to handle kernel pointer dereference in virtual kernel address space
Failing address: 0000000000000000 TEID: 0000000000000483
Fault in home space mode while using kernel ASCE.
AS:0000001ece13400b R2:000003fff7fd000b R3:000003fff7fcc007 S:000003fff7fd7000 P:000000000000013d
Oops: 0004 ilc:2 [#1] SMP
CPU: 1 PID: 26015 Comm: chmem Kdump: loaded Tainted: GX 5.3.18-5-default #1 SLE15-SP2 (unreleased)
Krnl PSW : 0704e00180000000 0000001ecd281b9e (__kernel_map_pages+0x166/0x188)
R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
Krnl GPRS: 0000000000000000 0000000000000800 0000400b00000000 0000000000000100
0000000000000001 0000000000000000 0000000000000002 0000000000000100
0000001ece139230 0000001ecdd98d40 0000400b00000100 0000000000000000
000003ffa17e4000 001fffe0114f7d08 0000001ecd4d93ea 001fffe0114f7b20
Krnl Code: 0000001ecd281b8e: ec17ffff00d8 ahik %r1,%r7,-1
0000001ecd281b94: ec111dbc0355 risbg %r1,%r1,29,188,3
>0000001ecd281b9e: 94fb5006 ni 6(%r5),251
0000001ecd281ba2: 41505008 la %r5,8(%r5)
0000001ecd281ba6: ec51fffc6064 cgrj %r5,%r1,6,1ecd281b9e
0000001ecd281bac: 1a07 ar %r0,%r7
0000001ecd281bae: ec03ff584076 crj %r0,%r3,4,1ecd281a5e
Call Trace:
[<0000001ecd281b9e>] __kernel_map_pages+0x166/0x188
[<0000001ecd4d9516>] online_pages_range+0xf6/0x128
[<0000001ecd2a8186>] walk_system_ram_range+0x7e/0xd8
[<0000001ecda28aae>] online_pages+0x2fe/0x3f0
[<0000001ecd7d02a6>] memory_subsys_online+0x8e/0xc0
[<0000001ecd7add42>] device_online+0x5a/0xc8
[<0000001ecd7d0430>] state_store+0x88/0x118
[<0000001ecd5b9f62>] kernfs_fop_write+0xc2/0x200
[<0000001ecd5064b6>] vfs_write+0x176/0x1e0
[<0000001ecd50676a>] ksys_write+0xa2/0x100
[<0000001ecda315d4>] system_call+0xd8/0x2c8

Fix this by checking debug_pagealloc_enabled_static() before calling
kernel_map_pages(). Backports for kernel before 5.5 should use
debug_pagealloc_enabled() instead. Also add comments.

Fixes: cd02cf1aceea ("mm/hotplug: fix an imbalance with DEBUG_PAGEALLOC")
Reported-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: David Hildenbrand <david@redhat.com>
Cc: <stable@vger.kernel.org>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Qian Cai <cai@lca.pw>
Link: http://lkml.kernel.org/r/20200224094651.18257-1-vbabka@suse.cz
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/mm.h  |    4 ++++
 mm/memory_hotplug.c |    8 +++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2695,6 +2695,10 @@ static inline bool debug_pagealloc_enabl
 #if defined(CONFIG_DEBUG_PAGEALLOC) || defined(CONFIG_ARCH_HAS_SET_DIRECT_MAP)
 extern void __kernel_map_pages(struct page *page, int numpages, int enable);
 
+/*
+ * When called in DEBUG_PAGEALLOC context, the call should most likely be
+ * guarded by debug_pagealloc_enabled() or debug_pagealloc_enabled_static()
+ */
 static inline void
 kernel_map_pages(struct page *page, int numpages, int enable)
 {
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -598,7 +598,13 @@ EXPORT_SYMBOL_GPL(__online_page_free);
 
 static void generic_online_page(struct page *page, unsigned int order)
 {
-	kernel_map_pages(page, 1 << order, 1);
+	/*
+	 * Freeing the page with debug_pagealloc enabled will try to unmap it,
+	 * so we should map it first. This is better than introducing a special
+	 * case in page freeing fast path.
+	 */
+	if (debug_pagealloc_enabled_static())
+		kernel_map_pages(page, 1 << order, 1);
 	__free_pages_core(page, order);
 	totalram_pages_add(1UL << order);
 #ifdef CONFIG_HIGHMEM



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 078/168] fat: fix uninit-memory access for partial initialized inode
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 077/168] mm, hotplug: fix page online with DEBUG_PAGEALLOC compiled but not enabled Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 079/168] btrfs: fix RAID direct I/O reads with alternate csums Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+9d82b8de2992579da5d0,
	Andrew Morton, OGAWA Hirofumi, Linus Torvalds

From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

commit bc87302a093f0eab45cd4e250c2021299f712ec6 upstream.

When get an error in the middle of reading an inode, some fields in the
inode might be still not initialized.  And then the evict_inode path may
access those fields via iput().

To fix, this makes sure that inode fields are initialized.

Reported-by: syzbot+9d82b8de2992579da5d0@syzkaller.appspotmail.com
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/871rqnreqx.fsf@mail.parknet.co.jp
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fat/inode.c |   19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

--- a/fs/fat/inode.c
+++ b/fs/fat/inode.c
@@ -749,6 +749,13 @@ static struct inode *fat_alloc_inode(str
 		return NULL;
 
 	init_rwsem(&ei->truncate_lock);
+	/* Zeroing to allow iput() even if partial initialized inode. */
+	ei->mmu_private = 0;
+	ei->i_start = 0;
+	ei->i_logstart = 0;
+	ei->i_attrs = 0;
+	ei->i_pos = 0;
+
 	return &ei->vfs_inode;
 }
 
@@ -1373,16 +1380,6 @@ out:
 	return 0;
 }
 
-static void fat_dummy_inode_init(struct inode *inode)
-{
-	/* Initialize this dummy inode to work as no-op. */
-	MSDOS_I(inode)->mmu_private = 0;
-	MSDOS_I(inode)->i_start = 0;
-	MSDOS_I(inode)->i_logstart = 0;
-	MSDOS_I(inode)->i_attrs = 0;
-	MSDOS_I(inode)->i_pos = 0;
-}
-
 static int fat_read_root(struct inode *inode)
 {
 	struct msdos_sb_info *sbi = MSDOS_SB(inode->i_sb);
@@ -1843,13 +1840,11 @@ int fat_fill_super(struct super_block *s
 	fat_inode = new_inode(sb);
 	if (!fat_inode)
 		goto out_fail;
-	fat_dummy_inode_init(fat_inode);
 	sbi->fat_inode = fat_inode;
 
 	fsinfo_inode = new_inode(sb);
 	if (!fsinfo_inode)
 		goto out_fail;
-	fat_dummy_inode_init(fsinfo_inode);
 	fsinfo_inode->i_ino = MSDOS_FSINFO_INO;
 	sbi->fsinfo_inode = fsinfo_inode;
 	insert_inode_hash(fsinfo_inode);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 079/168] btrfs: fix RAID direct I/O reads with alternate csums
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 078/168] fat: fix uninit-memory access for partial initialized inode Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 080/168] arm64: dts: socfpga: agilex: Fix gmac compatible Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Thumshirn, Omar Sandoval,
	David Sterba

From: Omar Sandoval <osandov@fb.com>

commit e7a04894c766daa4248cb736efee93550f2d5872 upstream.

btrfs_lookup_and_bind_dio_csum() does pointer arithmetic which assumes
32-bit checksums. If using a larger checksum, this leads to spurious
failures when a direct I/O read crosses a stripe. This is easy
to reproduce:

  # mkfs.btrfs -f --checksum blake2 -d raid0 /dev/vdc /dev/vdd
  ...
  # mount /dev/vdc /mnt
  # cd /mnt
  # dd if=/dev/urandom of=foo bs=1M count=1 status=none
  # dd if=foo of=/dev/null bs=1M iflag=direct status=none
  dd: error reading 'foo': Input/output error
  # dmesg | tail -1
  [  135.821568] BTRFS warning (device vdc): csum failed root 5 ino 257 off 421888 ...

Fix it by using the actual checksum size.

Fixes: 1e25a2e3ca0d ("btrfs: don't assume ordered sums to be 4 bytes")
CC: stable@vger.kernel.org # 5.4+
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/inode.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -8426,6 +8426,7 @@ static inline blk_status_t btrfs_lookup_
 {
 	struct btrfs_io_bio *io_bio = btrfs_io_bio(bio);
 	struct btrfs_io_bio *orig_io_bio = btrfs_io_bio(dip->orig_bio);
+	u16 csum_size;
 	blk_status_t ret;
 
 	/*
@@ -8445,7 +8446,8 @@ static inline blk_status_t btrfs_lookup_
 
 	file_offset -= dip->logical_offset;
 	file_offset >>= inode->i_sb->s_blocksize_bits;
-	io_bio->csum = (u8 *)(((u32 *)orig_io_bio->csum) + file_offset);
+	csum_size = btrfs_super_csum_size(btrfs_sb(inode->i_sb)->super_copy);
+	io_bio->csum = orig_io_bio->csum + csum_size * file_offset;
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 080/168] arm64: dts: socfpga: agilex: Fix gmac compatible
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 079/168] btrfs: fix RAID direct I/O reads with alternate csums Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 081/168] arm: dts: dra76x: Fix mmc3 max-frequency Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ley Foon Tan, Dinh Nguyen

From: Ley Foon Tan <ley.foon.tan@intel.com>

commit 8c867387160e89c9ffd12459f38e56844312a7a7 upstream.

Fix gmac compatible string to "altr,socfpga-stmmac-a10-s10". Gmac for
Agilex should use same compatible as Stratix 10.

Fixes: 4b36daf9ada3 ("arm64: dts: agilex: Add initial support for Intel's Agilex SoCFPGA")
Cc: stable@vger.kernel.org
Signed-off-by: Ley Foon Tan <ley.foon.tan@intel.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/intel/socfpga_agilex.dtsi |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/arm64/boot/dts/intel/socfpga_agilex.dtsi
+++ b/arch/arm64/boot/dts/intel/socfpga_agilex.dtsi
@@ -82,7 +82,7 @@
 		ranges = <0 0 0 0xffffffff>;
 
 		gmac0: ethernet@ff800000 {
-			compatible = "altr,socfpga-stmmac", "snps,dwmac-3.74a", "snps,dwmac";
+			compatible = "altr,socfpga-stmmac-a10-s10", "snps,dwmac-3.74a", "snps,dwmac";
 			reg = <0xff800000 0x2000>;
 			interrupts = <0 90 4>;
 			interrupt-names = "macirq";
@@ -97,7 +97,7 @@
 		};
 
 		gmac1: ethernet@ff802000 {
-			compatible = "altr,socfpga-stmmac", "snps,dwmac-3.74a", "snps,dwmac";
+			compatible = "altr,socfpga-stmmac-a10-s10", "snps,dwmac-3.74a", "snps,dwmac";
 			reg = <0xff802000 0x2000>;
 			interrupts = <0 91 4>;
 			interrupt-names = "macirq";
@@ -112,7 +112,7 @@
 		};
 
 		gmac2: ethernet@ff804000 {
-			compatible = "altr,socfpga-stmmac", "snps,dwmac-3.74a", "snps,dwmac";
+			compatible = "altr,socfpga-stmmac-a10-s10", "snps,dwmac-3.74a", "snps,dwmac";
 			reg = <0xff804000 0x2000>;
 			interrupts = <0 92 4>;
 			interrupt-names = "macirq";



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 081/168] arm: dts: dra76x: Fix mmc3 max-frequency
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 080/168] arm64: dts: socfpga: agilex: Fix gmac compatible Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 082/168] tty:serial:mvebu-uart:fix a wrong return Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Faiz Abbas, Tony Lindgren

From: Faiz Abbas <faiz_abbas@ti.com>

commit fa63c0039787b8fbacf4d6a51e3ff44288f5b90b upstream.

dra76x is not affected by i887 which requires mmc3 node to be limited to
a max frequency of 64 MHz. Fix this by overwriting the correct value in
the the dra76 specific dtsi.

Fixes: 895bd4b3e5ec ("ARM: dts: Add support for dra76-evm")
Cc: stable@vger.kernel.org
Signed-off-by: Faiz Abbas <faiz_abbas@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/dra76x.dtsi |    5 +++++
 1 file changed, 5 insertions(+)

--- a/arch/arm/boot/dts/dra76x.dtsi
+++ b/arch/arm/boot/dts/dra76x.dtsi
@@ -86,3 +86,8 @@
 &usb4_tm {
 	status = "disabled";
 };
+
+&mmc3 {
+	/* dra76x is not affected by i887 */
+	max-frequency = <96000000>;
+};



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 082/168] tty:serial:mvebu-uart:fix a wrong return
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 081/168] arm: dts: dra76x: Fix mmc3 max-frequency Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 083/168] tty: serial: fsl_lpuart: free IDs allocated by IDA Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, tangbin, Jiri Slaby

From: tangbin <tangbin@cmss.chinamobile.com>

commit 4a3e208474204e879d22a310b244cb2f39e5b1f8 upstream.

in this place, the function should return a
negative value and the PTR_ERR already returns
a negative,so return -PTR_ERR() is wrong.

Signed-off-by: tangbin <tangbin@cmss.chinamobile.com>
Cc: stable <stable@vger.kernel.org>
Acked-by: Jiri Slaby <jslaby@suse.cz>
Link: https://lore.kernel.org/r/20200305013823.20976-1-tangbin@cmss.chinamobile.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/mvebu-uart.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/mvebu-uart.c
+++ b/drivers/tty/serial/mvebu-uart.c
@@ -851,7 +851,7 @@ static int mvebu_uart_probe(struct platf
 
 	port->membase = devm_ioremap_resource(&pdev->dev, reg);
 	if (IS_ERR(port->membase))
-		return -PTR_ERR(port->membase);
+		return PTR_ERR(port->membase);
 
 	mvuart = devm_kzalloc(&pdev->dev, sizeof(struct mvebu_uart),
 			      GFP_KERNEL);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 083/168] tty: serial: fsl_lpuart: free IDs allocated by IDA
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 082/168] tty:serial:mvebu-uart:fix a wrong return Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 084/168] serial: 8250_exar: add support for ACCES cards Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Walle

From: Michael Walle <michael@walle.cc>

commit 2b2e71fe657510a6f71aa16ef0309fa6bc20ab3d upstream.

Since commit 3bc3206e1c0f ("serial: fsl_lpuart: Remove the alias node
dependence") the port line number can also be allocated by IDA, but in
case of an error the ID will no be removed again. More importantly, any
ID will be freed in remove(), even if it wasn't allocated but instead
fetched by of_alias_get_id(). If it was not allocated by IDA there will
be a warning:
  WARN(1, "ida_free called for id=%d which is not allocated.\n", id);

Move the ID allocation more to the end of the probe() so that we still
can use plain return in the first error cases.

Fixes: 3bc3206e1c0f ("serial: fsl_lpuart: Remove the alias node dependence")
Signed-off-by: Michael Walle <michael@walle.cc>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200303174306.6015-3-michael@walle.cc
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/fsl_lpuart.c |   39 ++++++++++++++++++++++++---------------
 1 file changed, 24 insertions(+), 15 deletions(-)

--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -268,6 +268,7 @@ struct lpuart_port {
 	int			rx_dma_rng_buf_len;
 	unsigned int		dma_tx_nents;
 	wait_queue_head_t	dma_wait;
+	bool			id_allocated;
 };
 
 struct lpuart_soc_data {
@@ -2382,19 +2383,6 @@ static int lpuart_probe(struct platform_
 	if (!sport)
 		return -ENOMEM;
 
-	ret = of_alias_get_id(np, "serial");
-	if (ret < 0) {
-		ret = ida_simple_get(&fsl_lpuart_ida, 0, UART_NR, GFP_KERNEL);
-		if (ret < 0) {
-			dev_err(&pdev->dev, "port line is full, add device failed\n");
-			return ret;
-		}
-	}
-	if (ret >= ARRAY_SIZE(lpuart_ports)) {
-		dev_err(&pdev->dev, "serial%d out of range\n", ret);
-		return -EINVAL;
-	}
-	sport->port.line = ret;
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
 	sport->port.membase = devm_ioremap_resource(&pdev->dev, res);
 	if (IS_ERR(sport->port.membase))
@@ -2435,9 +2423,25 @@ static int lpuart_probe(struct platform_
 		}
 	}
 
+	ret = of_alias_get_id(np, "serial");
+	if (ret < 0) {
+		ret = ida_simple_get(&fsl_lpuart_ida, 0, UART_NR, GFP_KERNEL);
+		if (ret < 0) {
+			dev_err(&pdev->dev, "port line is full, add device failed\n");
+			return ret;
+		}
+		sport->id_allocated = true;
+	}
+	if (ret >= ARRAY_SIZE(lpuart_ports)) {
+		dev_err(&pdev->dev, "serial%d out of range\n", ret);
+		ret = -EINVAL;
+		goto failed_out_of_range;
+	}
+	sport->port.line = ret;
+
 	ret = lpuart_enable_clks(sport);
 	if (ret)
-		return ret;
+		goto failed_clock_enable;
 	sport->port.uartclk = lpuart_get_baud_clk_rate(sport);
 
 	lpuart_ports[sport->port.line] = sport;
@@ -2487,6 +2491,10 @@ static int lpuart_probe(struct platform_
 failed_attach_port:
 failed_irq_request:
 	lpuart_disable_clks(sport);
+failed_clock_enable:
+failed_out_of_range:
+	if (sport->id_allocated)
+		ida_simple_remove(&fsl_lpuart_ida, sport->port.line);
 	return ret;
 }
 
@@ -2496,7 +2504,8 @@ static int lpuart_remove(struct platform
 
 	uart_remove_one_port(&lpuart_reg, &sport->port);
 
-	ida_simple_remove(&fsl_lpuart_ida, sport->port.line);
+	if (sport->id_allocated)
+		ida_simple_remove(&fsl_lpuart_ida, sport->port.line);
 
 	lpuart_disable_clks(sport);
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 084/168] serial: 8250_exar: add support for ACCES cards
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 083/168] tty: serial: fsl_lpuart: free IDs allocated by IDA Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 085/168] vt: selection, close sel_buffer race Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jay Dolan

From: Jay Dolan <jay.dolan@accesio.com>

commit 10c5ccc3c6d32f3d7d6c07de1d3f0f4b52f3e3ab upstream.

Add ACCES VIDs and PIDs that use the Exar chips

Signed-off-by: Jay Dolan <jay.dolan@accesio.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200305140504.22237-1-jay.dolan@accesio.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/8250/8250_exar.c |   33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

--- a/drivers/tty/serial/8250/8250_exar.c
+++ b/drivers/tty/serial/8250/8250_exar.c
@@ -25,6 +25,14 @@
 
 #include "8250.h"
 
+#define PCI_DEVICE_ID_ACCES_COM_2S		0x1052
+#define PCI_DEVICE_ID_ACCES_COM_4S		0x105d
+#define PCI_DEVICE_ID_ACCES_COM_8S		0x106c
+#define PCI_DEVICE_ID_ACCES_COM232_8		0x10a8
+#define PCI_DEVICE_ID_ACCES_COM_2SM		0x10d2
+#define PCI_DEVICE_ID_ACCES_COM_4SM		0x10db
+#define PCI_DEVICE_ID_ACCES_COM_8SM		0x10ea
+
 #define PCI_DEVICE_ID_COMMTECH_4224PCI335	0x0002
 #define PCI_DEVICE_ID_COMMTECH_4222PCI335	0x0004
 #define PCI_DEVICE_ID_COMMTECH_2324PCI335	0x000a
@@ -658,6 +666,22 @@ static int __maybe_unused exar_resume(st
 
 static SIMPLE_DEV_PM_OPS(exar_pci_pm, exar_suspend, exar_resume);
 
+static const struct exar8250_board acces_com_2x = {
+	.num_ports	= 2,
+	.setup		= pci_xr17c154_setup,
+};
+
+static const struct exar8250_board acces_com_4x = {
+	.num_ports	= 4,
+	.setup		= pci_xr17c154_setup,
+};
+
+static const struct exar8250_board acces_com_8x = {
+	.num_ports	= 8,
+	.setup		= pci_xr17c154_setup,
+};
+
+
 static const struct exar8250_board pbn_fastcom335_2 = {
 	.num_ports	= 2,
 	.setup		= pci_fastcom335_setup,
@@ -726,6 +750,15 @@ static const struct exar8250_board pbn_e
 	}
 
 static const struct pci_device_id exar_pci_tbl[] = {
+	EXAR_DEVICE(ACCESSIO, ACCES_COM_2S, acces_com_2x),
+	EXAR_DEVICE(ACCESSIO, ACCES_COM_4S, acces_com_4x),
+	EXAR_DEVICE(ACCESSIO, ACCES_COM_8S, acces_com_8x),
+	EXAR_DEVICE(ACCESSIO, ACCES_COM232_8, acces_com_8x),
+	EXAR_DEVICE(ACCESSIO, ACCES_COM_2SM, acces_com_2x),
+	EXAR_DEVICE(ACCESSIO, ACCES_COM_4SM, acces_com_4x),
+	EXAR_DEVICE(ACCESSIO, ACCES_COM_8SM, acces_com_8x),
+
+
 	CONNECT_DEVICE(XR17C152, UART_2_232, pbn_connect),
 	CONNECT_DEVICE(XR17C154, UART_4_232, pbn_connect),
 	CONNECT_DEVICE(XR17C158, UART_8_232, pbn_connect),



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 085/168] vt: selection, close sel_buffer race
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 084/168] serial: 8250_exar: add support for ACCES cards Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 086/168] vt: selection, push console lock down Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Slaby, syzbot+59997e8d5cbdc486e6f6

From: Jiri Slaby <jslaby@suse.cz>

commit 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 upstream.

syzkaller reported this UAF:
BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741
Read of size 1 at addr ffff8880089e40e9 by task syz-executor.1/13184

CPU: 0 PID: 13184 Comm: syz-executor.1 Not tainted 5.4.7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
...
 kasan_report+0xe/0x20 mm/kasan/common.c:634
 n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741
 tty_ldisc_receive_buf+0xac/0x190 drivers/tty/tty_buffer.c:461
 paste_selection+0x297/0x400 drivers/tty/vt/selection.c:372
 tioclinux+0x20d/0x4e0 drivers/tty/vt/vt.c:3044
 vt_ioctl+0x1bcf/0x28d0 drivers/tty/vt/vt_ioctl.c:364
 tty_ioctl+0x525/0x15a0 drivers/tty/tty_io.c:2657
 vfs_ioctl fs/ioctl.c:47 [inline]

It is due to a race between parallel paste_selection (TIOCL_PASTESEL)
and set_selection_user (TIOCL_SETSEL) invocations. One uses sel_buffer,
while the other frees it and reallocates a new one for another
selection. Add a mutex to close this race.

The mutex takes care properly of sel_buffer and sel_buffer_lth only. The
other selection global variables (like sel_start, sel_end, and sel_cons)
are protected only in set_selection_user. The other functions need quite
some more work to close the races of the variables there. This is going
to happen later.

This likely fixes (I am unsure as there is no reproducer provided) bug
206361 too. It was marked as CVE-2020-8648.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: syzbot+59997e8d5cbdc486e6f6@syzkaller.appspotmail.com
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200210081131.23572-2-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/selection.c |   23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

--- a/drivers/tty/vt/selection.c
+++ b/drivers/tty/vt/selection.c
@@ -16,6 +16,7 @@
 #include <linux/tty.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
+#include <linux/mutex.h>
 #include <linux/slab.h>
 #include <linux/types.h>
 
@@ -45,6 +46,7 @@ static volatile int sel_start = -1; 	/*
 static int sel_end;
 static int sel_buffer_lth;
 static char *sel_buffer;
+static DEFINE_MUTEX(sel_lock);
 
 /* clear_selection, highlight and highlight_pointer can be called
    from interrupt (via scrollback/front) */
@@ -186,7 +188,7 @@ int set_selection_kernel(struct tiocl_se
 	char *bp, *obp;
 	int i, ps, pe, multiplier;
 	u32 c;
-	int mode;
+	int mode, ret = 0;
 
 	poke_blanked_console();
 
@@ -212,6 +214,7 @@ int set_selection_kernel(struct tiocl_se
 	if (ps > pe)	/* make sel_start <= sel_end */
 		swap(ps, pe);
 
+	mutex_lock(&sel_lock);
 	if (sel_cons != vc_cons[fg_console].d) {
 		clear_selection();
 		sel_cons = vc_cons[fg_console].d;
@@ -257,9 +260,10 @@ int set_selection_kernel(struct tiocl_se
 			break;
 		case TIOCL_SELPOINTER:
 			highlight_pointer(pe);
-			return 0;
+			goto unlock;
 		default:
-			return -EINVAL;
+			ret = -EINVAL;
+			goto unlock;
 	}
 
 	/* remove the pointer */
@@ -281,7 +285,7 @@ int set_selection_kernel(struct tiocl_se
 	else if (new_sel_start == sel_start)
 	{
 		if (new_sel_end == sel_end)	/* no action required */
-			return 0;
+			goto unlock;
 		else if (new_sel_end > sel_end)	/* extend to right */
 			highlight(sel_end + 2, new_sel_end);
 		else				/* contract from right */
@@ -309,7 +313,8 @@ int set_selection_kernel(struct tiocl_se
 	if (!bp) {
 		printk(KERN_WARNING "selection: kmalloc() failed\n");
 		clear_selection();
-		return -ENOMEM;
+		ret = -ENOMEM;
+		goto unlock;
 	}
 	kfree(sel_buffer);
 	sel_buffer = bp;
@@ -334,7 +339,9 @@ int set_selection_kernel(struct tiocl_se
 		}
 	}
 	sel_buffer_lth = bp - sel_buffer;
-	return 0;
+unlock:
+	mutex_unlock(&sel_lock);
+	return ret;
 }
 EXPORT_SYMBOL_GPL(set_selection_kernel);
 
@@ -364,6 +371,7 @@ int paste_selection(struct tty_struct *t
 	tty_buffer_lock_exclusive(&vc->port);
 
 	add_wait_queue(&vc->paste_wait, &wait);
+	mutex_lock(&sel_lock);
 	while (sel_buffer && sel_buffer_lth > pasted) {
 		set_current_state(TASK_INTERRUPTIBLE);
 		if (signal_pending(current)) {
@@ -371,7 +379,9 @@ int paste_selection(struct tty_struct *t
 			break;
 		}
 		if (tty_throttled(tty)) {
+			mutex_unlock(&sel_lock);
 			schedule();
+			mutex_lock(&sel_lock);
 			continue;
 		}
 		__set_current_state(TASK_RUNNING);
@@ -380,6 +390,7 @@ int paste_selection(struct tty_struct *t
 					      count);
 		pasted += count;
 	}
+	mutex_unlock(&sel_lock);
 	remove_wait_queue(&vc->paste_wait, &wait);
 	__set_current_state(TASK_RUNNING);
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 086/168] vt: selection, push console lock down
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 085/168] vt: selection, close sel_buffer race Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 087/168] vt: selection, push sel_lock up Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiri Slaby

From: Jiri Slaby <jslaby@suse.cz>

commit 4b70dd57a15d2f4685ac6e38056bad93e81e982f upstream.

We need to nest the console lock in sel_lock, so we have to push it down
a bit. Fortunately, the callers of set_selection_* just lock the console
lock around the function call. So moving it down is easy.

In the next patch, we switch the order.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race")
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200228115406.5735-1-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/speakup/selection.c |    2 --
 drivers/tty/vt/selection.c          |   13 ++++++++++++-
 drivers/tty/vt/vt.c                 |    2 --
 3 files changed, 12 insertions(+), 5 deletions(-)

--- a/drivers/staging/speakup/selection.c
+++ b/drivers/staging/speakup/selection.c
@@ -51,9 +51,7 @@ static void __speakup_set_selection(stru
 		goto unref;
 	}
 
-	console_lock();
 	set_selection_kernel(&sel, tty);
-	console_unlock();
 
 unref:
 	tty_kref_put(tty);
--- a/drivers/tty/vt/selection.c
+++ b/drivers/tty/vt/selection.c
@@ -181,7 +181,7 @@ int set_selection_user(const struct tioc
 	return set_selection_kernel(&v, tty);
 }
 
-int set_selection_kernel(struct tiocl_selection *v, struct tty_struct *tty)
+static int __set_selection_kernel(struct tiocl_selection *v, struct tty_struct *tty)
 {
 	struct vc_data *vc = vc_cons[fg_console].d;
 	int new_sel_start, new_sel_end, spc;
@@ -343,6 +343,17 @@ unlock:
 	mutex_unlock(&sel_lock);
 	return ret;
 }
+
+int set_selection_kernel(struct tiocl_selection *v, struct tty_struct *tty)
+{
+	int ret;
+
+	console_lock();
+	ret = __set_selection_kernel(v, tty);
+	console_unlock();
+
+	return ret;
+}
 EXPORT_SYMBOL_GPL(set_selection_kernel);
 
 /* Insert the contents of the selection buffer into the
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -3046,10 +3046,8 @@ int tioclinux(struct tty_struct *tty, un
 	switch (type)
 	{
 		case TIOCL_SETSEL:
-			console_lock();
 			ret = set_selection_user((struct tiocl_selection
 						 __user *)(p+1), tty);
-			console_unlock();
 			break;
 		case TIOCL_PASTESEL:
 			ret = paste_selection(tty);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 087/168] vt: selection, push sel_lock up
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 086/168] vt: selection, push console lock down Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 088/168] media: hantro: Fix broken media controller links Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Slaby, syzbot+26183d9746e62da329b8

From: Jiri Slaby <jslaby@suse.cz>

commit e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 upstream.

sel_lock cannot nest in the console lock. Thanks to syzkaller, the
kernel states firmly:

> WARNING: possible circular locking dependency detected
> 5.6.0-rc3-syzkaller #0 Not tainted
> ------------------------------------------------------
> syz-executor.4/20336 is trying to acquire lock:
> ffff8880a2e952a0 (&tty->termios_rwsem){++++}, at: tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
>
> but task is already holding lock:
> ffffffff89462e70 (sel_lock){+.+.}, at: paste_selection+0x118/0x470 drivers/tty/vt/selection.c:374
>
> which lock already depends on the new lock.
>
> the existing dependency chain (in reverse order) is:
>
> -> #2 (sel_lock){+.+.}:
>        mutex_lock_nested+0x1b/0x30 kernel/locking/mutex.c:1118
>        set_selection_kernel+0x3b8/0x18a0 drivers/tty/vt/selection.c:217
>        set_selection_user+0x63/0x80 drivers/tty/vt/selection.c:181
>        tioclinux+0x103/0x530 drivers/tty/vt/vt.c:3050
>        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364

This is ioctl(TIOCL_SETSEL).
Locks held on the path: console_lock -> sel_lock

> -> #1 (console_lock){+.+.}:
>        console_lock+0x46/0x70 kernel/printk/printk.c:2289
>        con_flush_chars+0x50/0x650 drivers/tty/vt/vt.c:3223
>        n_tty_write+0xeae/0x1200 drivers/tty/n_tty.c:2350
>        do_tty_write drivers/tty/tty_io.c:962 [inline]
>        tty_write+0x5a1/0x950 drivers/tty/tty_io.c:1046

This is write().
Locks held on the path: termios_rwsem -> console_lock

> -> #0 (&tty->termios_rwsem){++++}:
>        down_write+0x57/0x140 kernel/locking/rwsem.c:1534
>        tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
>        mkiss_receive_buf+0x12aa/0x1340 drivers/net/hamradio/mkiss.c:902
>        tty_ldisc_receive_buf+0x12f/0x170 drivers/tty/tty_buffer.c:465
>        paste_selection+0x346/0x470 drivers/tty/vt/selection.c:389
>        tioclinux+0x121/0x530 drivers/tty/vt/vt.c:3055
>        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364

This is ioctl(TIOCL_PASTESEL).
Locks held on the path: sel_lock -> termios_rwsem

> other info that might help us debug this:
>
> Chain exists of:
>   &tty->termios_rwsem --> console_lock --> sel_lock

Clearly. From the above, we have:
 console_lock -> sel_lock
 sel_lock -> termios_rwsem
 termios_rwsem -> console_lock

Fix this by reversing the console_lock -> sel_lock dependency in
ioctl(TIOCL_SETSEL). First, lock sel_lock, then console_lock.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: syzbot+26183d9746e62da329b8@syzkaller.appspotmail.com
Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race")
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200228115406.5735-2-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/selection.c |   16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

--- a/drivers/tty/vt/selection.c
+++ b/drivers/tty/vt/selection.c
@@ -214,7 +214,6 @@ static int __set_selection_kernel(struct
 	if (ps > pe)	/* make sel_start <= sel_end */
 		swap(ps, pe);
 
-	mutex_lock(&sel_lock);
 	if (sel_cons != vc_cons[fg_console].d) {
 		clear_selection();
 		sel_cons = vc_cons[fg_console].d;
@@ -260,10 +259,9 @@ static int __set_selection_kernel(struct
 			break;
 		case TIOCL_SELPOINTER:
 			highlight_pointer(pe);
-			goto unlock;
+			return 0;
 		default:
-			ret = -EINVAL;
-			goto unlock;
+			return -EINVAL;
 	}
 
 	/* remove the pointer */
@@ -285,7 +283,7 @@ static int __set_selection_kernel(struct
 	else if (new_sel_start == sel_start)
 	{
 		if (new_sel_end == sel_end)	/* no action required */
-			goto unlock;
+			return 0;
 		else if (new_sel_end > sel_end)	/* extend to right */
 			highlight(sel_end + 2, new_sel_end);
 		else				/* contract from right */
@@ -313,8 +311,7 @@ static int __set_selection_kernel(struct
 	if (!bp) {
 		printk(KERN_WARNING "selection: kmalloc() failed\n");
 		clear_selection();
-		ret = -ENOMEM;
-		goto unlock;
+		return -ENOMEM;
 	}
 	kfree(sel_buffer);
 	sel_buffer = bp;
@@ -339,8 +336,7 @@ static int __set_selection_kernel(struct
 		}
 	}
 	sel_buffer_lth = bp - sel_buffer;
-unlock:
-	mutex_unlock(&sel_lock);
+
 	return ret;
 }
 
@@ -348,9 +344,11 @@ int set_selection_kernel(struct tiocl_se
 {
 	int ret;
 
+	mutex_lock(&sel_lock);
 	console_lock();
 	ret = __set_selection_kernel(v, tty);
 	console_unlock();
+	mutex_unlock(&sel_lock);
 
 	return ret;
 }



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 088/168] media: hantro: Fix broken media controller links
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 087/168] vt: selection, push sel_lock up Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 089/168] media: mc-entity.c: use & to check pad flags, not == Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicolas Dufresne, Ezequiel Garcia,
	Nicolas Dufresne, Hans Verkuil, Mauro Carvalho Chehab

From: Ezequiel Garcia <ezequiel@collabora.com>

commit d171c45da874e3858a83e6377e00280a507fe2f2 upstream.

The driver currently creates a broken topology,
with a source-to-source link and a sink-to-sink
link instead of two source-to-sink links.

Reported-by: Nicolas Dufresne <nicolas@ndufresne.ca>
Cc: <stable@vger.kernel.org>      # for v5.3 and up
Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
Tested-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/media/hantro/hantro_drv.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/staging/media/hantro/hantro_drv.c
+++ b/drivers/staging/media/hantro/hantro_drv.c
@@ -553,13 +553,13 @@ static int hantro_attach_func(struct han
 		goto err_rel_entity1;
 
 	/* Connect the three entities */
-	ret = media_create_pad_link(&func->vdev.entity, 0, &func->proc, 1,
+	ret = media_create_pad_link(&func->vdev.entity, 0, &func->proc, 0,
 				    MEDIA_LNK_FL_IMMUTABLE |
 				    MEDIA_LNK_FL_ENABLED);
 	if (ret)
 		goto err_rel_entity2;
 
-	ret = media_create_pad_link(&func->proc, 0, &func->sink, 0,
+	ret = media_create_pad_link(&func->proc, 1, &func->sink, 0,
 				    MEDIA_LNK_FL_IMMUTABLE |
 				    MEDIA_LNK_FL_ENABLED);
 	if (ret)



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 089/168] media: mc-entity.c: use & to check pad flags, not ==
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 088/168] media: hantro: Fix broken media controller links Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 090/168] media: vicodec: process all 4 components for RGB32 formats Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Mauro Carvalho Chehab

From: Hans Verkuil <hverkuil-cisco@xs4all.nl>

commit 044041cd5227ec9ccf969f4bf1cc08bffe13b9d3 upstream.

These are bits so to test if a pad is a sink you use & but not ==.

It looks like the only reason this hasn't caused problems before is that
media_get_pad_index() is currently only used with pads that do not set the
MEDIA_PAD_FL_MUST_CONNECT flag. So a pad really had only the SINK or SOURCE
flag set and nothing else.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Cc: <stable@vger.kernel.org>      # for v5.3 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/mc/mc-entity.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/media/mc/mc-entity.c
+++ b/drivers/media/mc/mc-entity.c
@@ -639,9 +639,9 @@ int media_get_pad_index(struct media_ent
 		return -EINVAL;
 
 	for (i = 0; i < entity->num_pads; i++) {
-		if (entity->pads[i].flags == MEDIA_PAD_FL_SINK)
+		if (entity->pads[i].flags & MEDIA_PAD_FL_SINK)
 			pad_is_sink = true;
-		else if (entity->pads[i].flags == MEDIA_PAD_FL_SOURCE)
+		else if (entity->pads[i].flags & MEDIA_PAD_FL_SOURCE)
 			pad_is_sink = false;
 		else
 			continue;	/* This is an error! */



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 090/168] media: vicodec: process all 4 components for RGB32 formats
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 089/168] media: mc-entity.c: use & to check pad flags, not == Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 091/168] media: v4l2-mem2mem.c: fix broken links Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Mauro Carvalho Chehab

From: Hans Verkuil <hverkuil-cisco@xs4all.nl>

commit 49a56266f96f2c6608373464af8755b431ef1513 upstream.

Only ARGB32-type pixelformat were assumed to have 4 components, which is
wrong since RGB32-type pixelformats may have an alpha channel, so they
should also assume 4 color components.

The XRGB32-type pixelformats really have only 3 color components, but this
complicated matters since that creates strides that are sometimes width * 3
and sometimes width * 4, and in fact this can result in buffer overflows.

Keep things simple by just always processing all 4 color components.

In the future we might want to optimize this again for the XRGB32-type
pixelformats, but for now keep it simple and robust.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Cc: <stable@vger.kernel.org>      # for v5.4 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/platform/vicodec/codec-v4l2-fwht.c |   34 ++++++-----------------
 1 file changed, 9 insertions(+), 25 deletions(-)

--- a/drivers/media/platform/vicodec/codec-v4l2-fwht.c
+++ b/drivers/media/platform/vicodec/codec-v4l2-fwht.c
@@ -27,17 +27,17 @@ static const struct v4l2_fwht_pixfmt_inf
 	{ V4L2_PIX_FMT_BGR24,   3, 3, 1, 3, 3, 1, 1, 3, 1, FWHT_FL_PIXENC_RGB},
 	{ V4L2_PIX_FMT_RGB24,   3, 3, 1, 3, 3, 1, 1, 3, 1, FWHT_FL_PIXENC_RGB},
 	{ V4L2_PIX_FMT_HSV24,   3, 3, 1, 3, 3, 1, 1, 3, 1, FWHT_FL_PIXENC_HSV},
-	{ V4L2_PIX_FMT_BGR32,   4, 4, 1, 4, 4, 1, 1, 3, 1, FWHT_FL_PIXENC_RGB},
-	{ V4L2_PIX_FMT_XBGR32,  4, 4, 1, 4, 4, 1, 1, 3, 1, FWHT_FL_PIXENC_RGB},
+	{ V4L2_PIX_FMT_BGR32,   4, 4, 1, 4, 4, 1, 1, 4, 1, FWHT_FL_PIXENC_RGB},
+	{ V4L2_PIX_FMT_XBGR32,  4, 4, 1, 4, 4, 1, 1, 4, 1, FWHT_FL_PIXENC_RGB},
 	{ V4L2_PIX_FMT_ABGR32,  4, 4, 1, 4, 4, 1, 1, 4, 1, FWHT_FL_PIXENC_RGB},
-	{ V4L2_PIX_FMT_RGB32,   4, 4, 1, 4, 4, 1, 1, 3, 1, FWHT_FL_PIXENC_RGB},
-	{ V4L2_PIX_FMT_XRGB32,  4, 4, 1, 4, 4, 1, 1, 3, 1, FWHT_FL_PIXENC_RGB},
+	{ V4L2_PIX_FMT_RGB32,   4, 4, 1, 4, 4, 1, 1, 4, 1, FWHT_FL_PIXENC_RGB},
+	{ V4L2_PIX_FMT_XRGB32,  4, 4, 1, 4, 4, 1, 1, 4, 1, FWHT_FL_PIXENC_RGB},
 	{ V4L2_PIX_FMT_ARGB32,  4, 4, 1, 4, 4, 1, 1, 4, 1, FWHT_FL_PIXENC_RGB},
-	{ V4L2_PIX_FMT_BGRX32,  4, 4, 1, 4, 4, 1, 1, 3, 1, FWHT_FL_PIXENC_RGB},
+	{ V4L2_PIX_FMT_BGRX32,  4, 4, 1, 4, 4, 1, 1, 4, 1, FWHT_FL_PIXENC_RGB},
 	{ V4L2_PIX_FMT_BGRA32,  4, 4, 1, 4, 4, 1, 1, 4, 1, FWHT_FL_PIXENC_RGB},
-	{ V4L2_PIX_FMT_RGBX32,  4, 4, 1, 4, 4, 1, 1, 3, 1, FWHT_FL_PIXENC_RGB},
+	{ V4L2_PIX_FMT_RGBX32,  4, 4, 1, 4, 4, 1, 1, 4, 1, FWHT_FL_PIXENC_RGB},
 	{ V4L2_PIX_FMT_RGBA32,  4, 4, 1, 4, 4, 1, 1, 4, 1, FWHT_FL_PIXENC_RGB},
-	{ V4L2_PIX_FMT_HSV32,   4, 4, 1, 4, 4, 1, 1, 3, 1, FWHT_FL_PIXENC_HSV},
+	{ V4L2_PIX_FMT_HSV32,   4, 4, 1, 4, 4, 1, 1, 4, 1, FWHT_FL_PIXENC_HSV},
 	{ V4L2_PIX_FMT_GREY,    1, 1, 1, 1, 0, 1, 1, 1, 1, FWHT_FL_PIXENC_RGB},
 };
 
@@ -175,22 +175,14 @@ static int prepare_raw_frame(struct fwht
 	case V4L2_PIX_FMT_RGB32:
 	case V4L2_PIX_FMT_XRGB32:
 	case V4L2_PIX_FMT_HSV32:
-		rf->cr = rf->luma + 1;
-		rf->cb = rf->cr + 2;
-		rf->luma += 2;
-		break;
-	case V4L2_PIX_FMT_BGR32:
-	case V4L2_PIX_FMT_XBGR32:
-		rf->cb = rf->luma;
-		rf->cr = rf->cb + 2;
-		rf->luma++;
-		break;
 	case V4L2_PIX_FMT_ARGB32:
 		rf->alpha = rf->luma;
 		rf->cr = rf->luma + 1;
 		rf->cb = rf->cr + 2;
 		rf->luma += 2;
 		break;
+	case V4L2_PIX_FMT_BGR32:
+	case V4L2_PIX_FMT_XBGR32:
 	case V4L2_PIX_FMT_ABGR32:
 		rf->cb = rf->luma;
 		rf->cr = rf->cb + 2;
@@ -198,10 +190,6 @@ static int prepare_raw_frame(struct fwht
 		rf->alpha = rf->cr + 1;
 		break;
 	case V4L2_PIX_FMT_BGRX32:
-		rf->cb = rf->luma + 1;
-		rf->cr = rf->cb + 2;
-		rf->luma += 2;
-		break;
 	case V4L2_PIX_FMT_BGRA32:
 		rf->alpha = rf->luma;
 		rf->cb = rf->luma + 1;
@@ -209,10 +197,6 @@ static int prepare_raw_frame(struct fwht
 		rf->luma += 2;
 		break;
 	case V4L2_PIX_FMT_RGBX32:
-		rf->cr = rf->luma;
-		rf->cb = rf->cr + 2;
-		rf->luma++;
-		break;
 	case V4L2_PIX_FMT_RGBA32:
 		rf->alpha = rf->luma + 3;
 		rf->cr = rf->luma;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 091/168] media: v4l2-mem2mem.c: fix broken links
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 090/168] media: vicodec: process all 4 components for RGB32 formats Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 092/168] perf intel-pt: Fix endless record after being terminated Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Nicolas Dufresne,
	Mauro Carvalho Chehab

From: Hans Verkuil <hverkuil-cisco@xs4all.nl>

commit 316e730f1d8bb029fe6cec2468fb2a50424485b3 upstream.

The topology that v4l2_m2m_register_media_controller() creates for a
processing block actually created a source-to-source link and a sink-to-sink
link instead of two source-to-sink links.

Unfortunately v4l2-compliance never checked for such bad links, so this
went unreported for quite some time.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-by: Nicolas Dufresne <nicolas@ndufresne.ca>
Cc: <stable@vger.kernel.org>      # for v4.19 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/v4l2-core/v4l2-mem2mem.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/media/v4l2-core/v4l2-mem2mem.c
+++ b/drivers/media/v4l2-core/v4l2-mem2mem.c
@@ -809,12 +809,12 @@ int v4l2_m2m_register_media_controller(s
 		goto err_rel_entity1;
 
 	/* Connect the three entities */
-	ret = media_create_pad_link(m2m_dev->source, 0, &m2m_dev->proc, 1,
+	ret = media_create_pad_link(m2m_dev->source, 0, &m2m_dev->proc, 0,
 			MEDIA_LNK_FL_IMMUTABLE | MEDIA_LNK_FL_ENABLED);
 	if (ret)
 		goto err_rel_entity2;
 
-	ret = media_create_pad_link(&m2m_dev->proc, 0, &m2m_dev->sink, 0,
+	ret = media_create_pad_link(&m2m_dev->proc, 1, &m2m_dev->sink, 0,
 			MEDIA_LNK_FL_IMMUTABLE | MEDIA_LNK_FL_ENABLED);
 	if (ret)
 		goto err_rm_links0;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 092/168] perf intel-pt: Fix endless record after being terminated
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 091/168] media: v4l2-mem2mem.c: fix broken links Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:38 ` [PATCH 5.4 093/168] perf intel-bts: " Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wei Li, Jiri Olsa, Tan Xiaojun,
	Adrian Hunter, Arnaldo Carvalho de Melo

From: Wei Li <liwei391@huawei.com>

commit 2da4dd3d6973ffdfba4fa07f53240fda7ab22929 upstream.

In __cmd_record(), when receiving SIGINT(ctrl + c), a 'done' flag will
be set and the event list will be disabled by evlist__disable() once.

While in auxtrace_record.read_finish(), the related events will be
enabled again, if they are continuous, the recording seems to be endless.

If the intel_pt event is disabled, we don't enable it again here.

Before the patch:

  huawei@huawei-2288H-V5:~/linux-5.5-rc4/tools/perf$ ./perf record -e \
  intel_pt//u -p 46803
  ^C^C^C^C^C^C

After the patch:

  huawei@huawei-2288H-V5:~/linux-5.5-rc4/tools/perf$ ./perf record -e \
  intel_pt//u -p 48591
  ^C[ perf record: Woken up 0 times to write data ]
  Warning:
  AUX data lost 504 times out of 4816!

  [ perf record: Captured and wrote 2024.405 MB perf.data ]

Signed-off-by: Wei Li <liwei391@huawei.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Tan Xiaojun <tanxiaojun@huawei.com>
Cc: stable@vger.kernel.org # 5.4+
Link: http://lore.kernel.org/lkml/20200214132654.20395-2-adrian.hunter@intel.com
[ ahunter: removed redundant 'else' after 'return' ]
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/arch/x86/util/intel-pt.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/tools/perf/arch/x86/util/intel-pt.c
+++ b/tools/perf/arch/x86/util/intel-pt.c
@@ -1099,9 +1099,12 @@ static int intel_pt_read_finish(struct a
 	struct evsel *evsel;
 
 	evlist__for_each_entry(ptr->evlist, evsel) {
-		if (evsel->core.attr.type == ptr->intel_pt_pmu->type)
+		if (evsel->core.attr.type == ptr->intel_pt_pmu->type) {
+			if (evsel->disabled)
+				return 0;
 			return perf_evlist__enable_event_idx(ptr->evlist, evsel,
 							     idx);
+		}
 	}
 	return -EINVAL;
 }



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 093/168] perf intel-bts: Fix endless record after being terminated
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 092/168] perf intel-pt: Fix endless record after being terminated Greg Kroah-Hartman
@ 2020-03-10 12:38 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 094/168] perf cs-etm: " Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wei Li, Jiri Olsa, Tan Xiaojun,
	Adrian Hunter, Arnaldo Carvalho de Melo

From: Wei Li <liwei391@huawei.com>

commit 783fed2f35e2a6771c8dc6ee29b8c4b9930783ce upstream.

In __cmd_record(), when receiving SIGINT(ctrl + c), a 'done' flag will
be set and the event list will be disabled by evlist__disable() once.

While in auxtrace_record.read_finish(), the related events will be
enabled again, if they are continuous, the recording seems to be
endless.

If the intel_bts event is disabled, we don't enable it again here.

Note: This patch is NOT tested since i don't have such a machine with
intel_bts feature, but the code seems buggy same as arm-spe and
intel-pt.

Signed-off-by: Wei Li <liwei391@huawei.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Tan Xiaojun <tanxiaojun@huawei.com>
Cc: stable@vger.kernel.org # 5.4+
Link: http://lore.kernel.org/lkml/20200214132654.20395-3-adrian.hunter@intel.com
[ahunter: removed redundant 'else' after 'return']
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/arch/x86/util/intel-bts.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/tools/perf/arch/x86/util/intel-bts.c
+++ b/tools/perf/arch/x86/util/intel-bts.c
@@ -415,9 +415,12 @@ static int intel_bts_read_finish(struct
 	struct evsel *evsel;
 
 	evlist__for_each_entry(btsr->evlist, evsel) {
-		if (evsel->core.attr.type == btsr->intel_bts_pmu->type)
+		if (evsel->core.attr.type == btsr->intel_bts_pmu->type) {
+			if (evsel->disabled)
+				return 0;
 			return perf_evlist__enable_event_idx(btsr->evlist,
 							     evsel, idx);
+		}
 	}
 	return -EINVAL;
 }



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 094/168] perf cs-etm: Fix endless record after being terminated
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2020-03-10 12:38 ` [PATCH 5.4 093/168] perf intel-bts: " Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 095/168] perf arm-spe: " Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wei Li, Leo Yan, Mathieu Poirier,
	Jiri Olsa, Tan Xiaojun, Adrian Hunter, Arnaldo Carvalho de Melo

From: Wei Li <liwei391@huawei.com>

commit c9f2833cb472cf9e0a49b7bcdc210a96017a7bfd upstream.

In __cmd_record(), when receiving SIGINT(ctrl + c), a 'done' flag will
be set and the event list will be disabled by evlist__disable() once.

While in auxtrace_record.read_finish(), the related events will be
enabled again, if they are continuous, the recording seems to be
endless.

If the cs_etm event is disabled, we don't enable it again here.

Note: This patch is NOT tested since i don't have such a machine with
coresight feature, but the code seems buggy same as arm-spe and
intel-pt.

Tester notes:

Thanks for looping, Adrian.  Applied this patch and tested with
CoreSight on juno board, it works well.

Signed-off-by: Wei Li <liwei391@huawei.com>
Reviewed-by: Leo Yan <leo.yan@linaro.org>
Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Tested-by: Leo Yan <leo.yan@linaro.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Tan Xiaojun <tanxiaojun@huawei.com>
Cc: stable@vger.kernel.org # 5.4+
Link: http://lore.kernel.org/lkml/20200214132654.20395-4-adrian.hunter@intel.com
[ahunter: removed redundant 'else' after 'return']
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/arch/arm/util/cs-etm.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/tools/perf/arch/arm/util/cs-etm.c
+++ b/tools/perf/arch/arm/util/cs-etm.c
@@ -865,9 +865,12 @@ static int cs_etm_read_finish(struct aux
 	struct evsel *evsel;
 
 	evlist__for_each_entry(ptr->evlist, evsel) {
-		if (evsel->core.attr.type == ptr->cs_etm_pmu->type)
+		if (evsel->core.attr.type == ptr->cs_etm_pmu->type) {
+			if (evsel->disabled)
+				return 0;
 			return perf_evlist__enable_event_idx(ptr->evlist,
 							     evsel, idx);
+		}
 	}
 
 	return -EINVAL;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 095/168] perf arm-spe: Fix endless record after being terminated
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 094/168] perf cs-etm: " Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 096/168] spi: spidev: Fix CS polarity if GPIO descriptors are used Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Jiri Olsa,
	Tan Xiaojun, Arnaldo Carvalho de Melo, Wei Li

From: Adrian Hunter <adrian.hunter@intel.com>

commit d6bc34c5ec18c3544c4b0d85963768dfbcd24184 upstream.

In __cmd_record(), when receiving SIGINT(ctrl + c), a 'done' flag will
be set and the event list will be disabled by evlist__disable() once.

While in auxtrace_record.read_finish(), the related events will be
enabled again, if they are continuous, the recording seems to be
endless.

If the event is disabled, don't enable it again here.

Based-on-patch-by: Wei Li <liwei391@huawei.com>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Tan Xiaojun <tanxiaojun@huawei.com>
Cc: stable@vger.kernel.org # 5.4+
Link: http://lore.kernel.org/lkml/20200214132654.20395-5-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/arch/arm64/util/arm-spe.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/tools/perf/arch/arm64/util/arm-spe.c
+++ b/tools/perf/arch/arm64/util/arm-spe.c
@@ -165,9 +165,12 @@ static int arm_spe_read_finish(struct au
 	struct evsel *evsel;
 
 	evlist__for_each_entry(sper->evlist, evsel) {
-		if (evsel->core.attr.type == sper->arm_spe_pmu->type)
+		if (evsel->core.attr.type == sper->arm_spe_pmu->type) {
+			if (evsel->disabled)
+				return 0;
 			return perf_evlist__enable_event_idx(sper->evlist,
 							     evsel, idx);
+		}
 	}
 	return -EINVAL;
 }



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 096/168] spi: spidev: Fix CS polarity if GPIO descriptors are used
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 095/168] perf arm-spe: " Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 097/168] x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Simon Han, Lukas Wunner,
	Linus Walleij, Mark Brown

From: Lukas Wunner <lukas@wunner.de>

commit 138c9c32f090894614899eca15e0bb7279f59865 upstream.

Commit f3186dd87669 ("spi: Optionally use GPIO descriptors for CS GPIOs")
amended of_spi_parse_dt() to always set SPI_CS_HIGH for SPI slaves whose
Chip Select is defined by a "cs-gpios" devicetree property.

This change broke userspace applications which issue an SPI_IOC_WR_MODE
ioctl() to an spidev:  Chip Select polarity will be incorrect unless the
application is changed to set SPI_CS_HIGH.  And once changed, it will be
incompatible with kernels not containing the commit.

Fix by setting SPI_CS_HIGH in spidev_ioctl() (under the same conditions
as in of_spi_parse_dt()).

Fixes: f3186dd87669 ("spi: Optionally use GPIO descriptors for CS GPIOs")
Reported-by: Simon Han <z.han@kunbus.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/fca3ba7cdc930cd36854666ceac4fbcf01b89028.1582027457.git.lukas@wunner.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org # v5.1+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/spi/spidev.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/spi/spidev.c
+++ b/drivers/spi/spidev.c
@@ -394,6 +394,7 @@ spidev_ioctl(struct file *filp, unsigned
 		else
 			retval = get_user(tmp, (u32 __user *)arg);
 		if (retval == 0) {
+			struct spi_controller *ctlr = spi->controller;
 			u32	save = spi->mode;
 
 			if (tmp & ~SPI_MODE_MASK) {
@@ -401,6 +402,10 @@ spidev_ioctl(struct file *filp, unsigned
 				break;
 			}
 
+			if (ctlr->use_gpio_descriptors && ctlr->cs_gpiods &&
+			    ctlr->cs_gpiods[spi->chip_select])
+				tmp |= SPI_CS_HIGH;
+
 			tmp |= spi->mode & ~SPI_MODE_MASK;
 			spi->mode = (u16)tmp;
 			retval = spi_setup(spi);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 097/168] x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 096/168] spi: spidev: Fix CS polarity if GPIO descriptors are used Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 098/168] s390/pci: Fix unexpected write combine on resource Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jacob Keller, Sean Christopherson,
	Borislav Petkov, Dave Hansen

From: Sean Christopherson <sean.j.christopherson@intel.com>

commit 735a6dd02222d8d070c7bb748f25895239ca8c92 upstream.

Explicitly set X86_FEATURE_OSPKE via set_cpu_cap() instead of calling
get_cpu_cap() to pull the feature bit from CPUID after enabling CR4.PKE.
Invoking get_cpu_cap() effectively wipes out any {set,clear}_cpu_cap()
changes that were made between this_cpu->c_init() and setup_pku(), as
all non-synthetic feature words are reinitialized from the CPU's CPUID
values.

Blasting away capability updates manifests most visibility when running
on a VMX capable CPU, but with VMX disabled by BIOS.  To indicate that
VMX is disabled, init_ia32_feat_ctl() clears X86_FEATURE_VMX, using
clear_cpu_cap() instead of setup_clear_cpu_cap() so that KVM can report
which CPU is misconfigured (KVM needs to probe every CPU anyways).
Restoring X86_FEATURE_VMX from CPUID causes KVM to think VMX is enabled,
ultimately leading to an unexpected #GP when KVM attempts to do VMXON.

Arguably, init_ia32_feat_ctl() should use setup_clear_cpu_cap() and let
KVM figure out a different way to report the misconfigured CPU, but VMX
is not the only feature bit that is affected, i.e. there is precedent
that tweaking feature bits via {set,clear}_cpu_cap() after ->c_init()
is expected to work.  Most notably, x86_init_rdrand()'s clearing of
X86_FEATURE_RDRAND when RDRAND malfunctions is also overwritten.

Fixes: 0697694564c8 ("x86/mm/pkeys: Actually enable Memory Protection Keys in the CPU")
Reported-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Tested-by: Jacob Keller <jacob.e.keller@intel.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20200226231615.13664-1-sean.j.christopherson@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/common.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -464,7 +464,7 @@ static __always_inline void setup_pku(st
 	 * cpuid bit to be set.  We need to ensure that we
 	 * update that bit in this CPU's "cpu_info".
 	 */
-	get_cpu_cap(c);
+	set_cpu_cap(c, X86_FEATURE_OSPKE);
 }
 
 #ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 098/168] s390/pci: Fix unexpected write combine on resource
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 097/168] x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 099/168] s390/mm: fix panic in gup_fast on large pud Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Niklas Schnelle, Pierre Morel, Vasily Gorbik

From: Niklas Schnelle <schnelle@linux.ibm.com>

commit df057c914a9c219ac8b8ed22caf7da2f80c1fe26 upstream.

In the initial MIO support introduced in

commit 71ba41c9b1d9 ("s390/pci: provide support for MIO instructions")

zpci_map_resource() and zpci_setup_resources() default to using the
mio_wb address as the resource's start address. This means users of the
mapping, which includes most drivers, will get write combining on PCI
Stores. This may lead to problems when drivers expect write through
behavior when not using an explicit ioremap_wc().

Cc: stable@vger.kernel.org
Fixes: 71ba41c9b1d9 ("s390/pci: provide support for MIO instructions")
Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Reviewed-by: Pierre Morel <pmorel@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/pci/pci.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/s390/pci/pci.c
+++ b/arch/s390/pci/pci.c
@@ -423,7 +423,7 @@ static void zpci_map_resources(struct pc
 
 		if (zpci_use_mio(zdev))
 			pdev->resource[i].start =
-				(resource_size_t __force) zdev->bars[i].mio_wb;
+				(resource_size_t __force) zdev->bars[i].mio_wt;
 		else
 			pdev->resource[i].start = (resource_size_t __force)
 				pci_iomap_range_fh(pdev, i, 0, 0);
@@ -530,7 +530,7 @@ static int zpci_setup_bus_resources(stru
 			flags |= IORESOURCE_MEM_64;
 
 		if (zpci_use_mio(zdev))
-			addr = (unsigned long) zdev->bars[i].mio_wb;
+			addr = (unsigned long) zdev->bars[i].mio_wt;
 		else
 			addr = ZPCI_ADDR(entry);
 		size = 1UL << zdev->bars[i].size;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 099/168] s390/mm: fix panic in gup_fast on large pud
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 098/168] s390/pci: Fix unexpected write combine on resource Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 100/168] dmaengine: imx-sdma: fix context cache Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gerald Schaefer, Heiko Carstens,
	Vasily Gorbik

From: Gerald Schaefer <gerald.schaefer@de.ibm.com>

commit 582b4e55403e053d8a48ff687a05174da9cc3fb0 upstream.

On s390 there currently is no implementation of pud_write(). That was ok
as long as we had our own implementation of get_user_pages_fast() which
checked for pud protection by testing the bit directly w/o using
pud_write(). The other callers of pud_write() are not reachable on s390.

After commit 1a42010cdc26 ("s390/mm: convert to the generic
get_user_pages_fast code") we use the generic get_user_pages_fast(), which
does call pud_write() in pud_access_permitted() for FOLL_WRITE access on
a large pud. Without an s390 specific pud_write(), the generic version is
called, which contains a BUG() statement to remind us that we don't have a
proper implementation. This results in a kernel panic.

Fix this by providing an implementation of pud_write().

Cc: <stable@vger.kernel.org> # 5.2+
Fixes: 1a42010cdc26 ("s390/mm: convert to the generic get_user_pages_fast code")
Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/include/asm/pgtable.h |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/arch/s390/include/asm/pgtable.h
+++ b/arch/s390/include/asm/pgtable.h
@@ -756,6 +756,12 @@ static inline int pmd_write(pmd_t pmd)
 	return (pmd_val(pmd) & _SEGMENT_ENTRY_WRITE) != 0;
 }
 
+#define pud_write pud_write
+static inline int pud_write(pud_t pud)
+{
+	return (pud_val(pud) & _REGION3_ENTRY_WRITE) != 0;
+}
+
 static inline int pmd_dirty(pmd_t pmd)
 {
 	int dirty = 1;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 100/168] dmaengine: imx-sdma: fix context cache
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 099/168] s390/mm: fix panic in gup_fast on large pud Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 101/168] dmaengine: imx-sdma: Fix the event id check to include RX event for UART6 Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Fuzzey, Fabio Estevam, Vinod Koul

From: Martin Fuzzey <martin.fuzzey@flowbird.group>

commit d288bddd8374e0a043ac9dde64a1ae6a09411d74 upstream.

There is a DMA problem with the serial ports on i.MX6.

When the following sequence is performed:

1) Open a port
2) Write some data
3) Close the port
4) Open a *different* port
5) Write some data
6) Close the port

The second write sends nothing and the second close hangs.
If the first close() is omitted it works.

Adding logs to the the UART driver shows that the DMA is being setup but
the callback is never invoked for the second write.

This used to work in 4.19.

Git bisect leads to:
	ad0d92d: "dmaengine: imx-sdma: refine to load context only once"

This commit adds a "context_loaded" flag used to avoid unnecessary context
setups.
However the flag is only reset in sdma_channel_terminate_work(),
which is only invoked in a worker triggered by sdma_terminate_all() IF
there is an active descriptor.

So, if no active descriptor remains when the channel is terminated, the
flag is not reset and, when the channel is later reused the old context
is used.

Fix the problem by always resetting the flag in sdma_free_chan_resources().

Cc: stable@vger.kernel.org
Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
Fixes: ad0d92d7ba6a ("dmaengine: imx-sdma: refine to load context only once")
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Link: https://lore.kernel.org/r/1580305274-27274-1-git-send-email-martin.fuzzey@flowbird.group
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/dma/imx-sdma.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/dma/imx-sdma.c
+++ b/drivers/dma/imx-sdma.c
@@ -1335,6 +1335,7 @@ static void sdma_free_chan_resources(str
 
 	sdmac->event_id0 = 0;
 	sdmac->event_id1 = 0;
+	sdmac->context_loaded = false;
 
 	sdma_set_channel_priority(sdmac, 0);
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 101/168] dmaengine: imx-sdma: Fix the event id check to include RX event for UART6
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 100/168] dmaengine: imx-sdma: fix context cache Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 102/168] dmaengine: tegra-apb: Fix use-after-free Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Frieder Schrempf, Fabio Estevam, Vinod Koul

From: Frieder Schrempf <frieder.schrempf@kontron.de>

commit 25962e1a7f1d522f1b57ead2f266fab570042a70 upstream.

On i.MX6UL/ULL and i.MX6SX the DMA event id for the RX channel of
UART6 is '0'. To fix the broken DMA support for UART6, we change
the check for event_id0 to include '0' as a valid id.

Fixes: 1ec1e82f2510 ("dmaengine: Add Freescale i.MX SDMA support")
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20200225082139.7646-1-frieder.schrempf@kontron.de
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/dma/imx-sdma.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/dma/imx-sdma.c
+++ b/drivers/dma/imx-sdma.c
@@ -1328,7 +1328,7 @@ static void sdma_free_chan_resources(str
 
 	sdma_channel_synchronize(chan);
 
-	if (sdmac->event_id0)
+	if (sdmac->event_id0 >= 0)
 		sdma_event_disable(sdmac, sdmac->event_id0);
 	if (sdmac->event_id1)
 		sdma_event_disable(sdmac, sdmac->event_id1);
@@ -1629,7 +1629,7 @@ static int sdma_config(struct dma_chan *
 	memcpy(&sdmac->slave_config, dmaengine_cfg, sizeof(*dmaengine_cfg));
 
 	/* Set ENBLn earlier to make sure dma request triggered after that */
-	if (sdmac->event_id0) {
+	if (sdmac->event_id0 >= 0) {
 		if (sdmac->event_id0 >= sdmac->sdma->drvdata->num_events)
 			return -EINVAL;
 		sdma_event_enable(sdmac, sdmac->event_id0);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 102/168] dmaengine: tegra-apb: Fix use-after-free
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 101/168] dmaengine: imx-sdma: Fix the event id check to include RX event for UART6 Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 103/168] dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Jon Hunter, Vinod Koul

From: Dmitry Osipenko <digetx@gmail.com>

commit 94788af4ed039476ff3527b0e6a12c1dc42cb022 upstream.

I was doing some experiments with I2C and noticed that Tegra APB DMA
driver crashes sometime after I2C DMA transfer termination. The crash
happens because tegra_dma_terminate_all() bails out immediately if pending
list is empty, and thus, it doesn't release the half-completed descriptors
which are getting re-used before ISR tasklet kicks-in.

 tegra-i2c 7000c400.i2c: DMA transfer timeout
 elants_i2c 0-0010: elants_i2c_irq: failed to read data: -110
 ------------[ cut here ]------------
 WARNING: CPU: 0 PID: 142 at lib/list_debug.c:45 __list_del_entry_valid+0x45/0xac
 list_del corruption, ddbaac44->next is LIST_POISON1 (00000100)
 Modules linked in:
 CPU: 0 PID: 142 Comm: kworker/0:2 Not tainted 5.5.0-rc2-next-20191220-00175-gc3605715758d-dirty #538
 Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
 Workqueue: events_freezable_power_ thermal_zone_device_check
 [<c010e5c5>] (unwind_backtrace) from [<c010a1c5>] (show_stack+0x11/0x14)
 [<c010a1c5>] (show_stack) from [<c0973925>] (dump_stack+0x85/0x94)
 [<c0973925>] (dump_stack) from [<c011f529>] (__warn+0xc1/0xc4)
 [<c011f529>] (__warn) from [<c011f7e9>] (warn_slowpath_fmt+0x61/0x78)
 [<c011f7e9>] (warn_slowpath_fmt) from [<c042497d>] (__list_del_entry_valid+0x45/0xac)
 [<c042497d>] (__list_del_entry_valid) from [<c047a87f>] (tegra_dma_tasklet+0x5b/0x154)
 [<c047a87f>] (tegra_dma_tasklet) from [<c0124799>] (tasklet_action_common.constprop.0+0x41/0x7c)
 [<c0124799>] (tasklet_action_common.constprop.0) from [<c01022ab>] (__do_softirq+0xd3/0x2a8)
 [<c01022ab>] (__do_softirq) from [<c0124683>] (irq_exit+0x7b/0x98)
 [<c0124683>] (irq_exit) from [<c0168c19>] (__handle_domain_irq+0x45/0x80)
 [<c0168c19>] (__handle_domain_irq) from [<c043e429>] (gic_handle_irq+0x45/0x7c)
 [<c043e429>] (gic_handle_irq) from [<c0101aa5>] (__irq_svc+0x65/0x94)
 Exception stack(0xde2ebb90 to 0xde2ebbd8)

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200209163356.6439-2-digetx@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/dma/tegra20-apb-dma.c |    4 ----
 1 file changed, 4 deletions(-)

--- a/drivers/dma/tegra20-apb-dma.c
+++ b/drivers/dma/tegra20-apb-dma.c
@@ -756,10 +756,6 @@ static int tegra_dma_terminate_all(struc
 	bool was_busy;
 
 	spin_lock_irqsave(&tdc->lock, flags);
-	if (list_empty(&tdc->pending_sg_req)) {
-		spin_unlock_irqrestore(&tdc->lock, flags);
-		return 0;
-	}
 
 	if (!tdc->busy)
 		goto skip_dma_stop;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 103/168] dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 102/168] dmaengine: tegra-apb: Fix use-after-free Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 104/168] dm integrity: fix recalculation when moving from journal mode to bitmap mode Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Jon Hunter, Vinod Koul

From: Dmitry Osipenko <digetx@gmail.com>

commit c33ee1301c393a241d6424e36eff1071811b1064 upstream.

The interrupt handler puts a half-completed DMA descriptor on a free list
and then schedules tasklet to process bottom half of the descriptor that
executes client's callback, this creates possibility to pick up the busy
descriptor from the free list. Thus, let's disallow descriptor's re-use
until it is fully processed.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200209163356.6439-3-digetx@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/dma/tegra20-apb-dma.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/dma/tegra20-apb-dma.c
+++ b/drivers/dma/tegra20-apb-dma.c
@@ -281,7 +281,7 @@ static struct tegra_dma_desc *tegra_dma_
 
 	/* Do not allocate if desc are waiting for ack */
 	list_for_each_entry(dma_desc, &tdc->free_dma_desc, node) {
-		if (async_tx_test_ack(&dma_desc->txd)) {
+		if (async_tx_test_ack(&dma_desc->txd) && !dma_desc->cb_count) {
 			list_del(&dma_desc->node);
 			spin_unlock_irqrestore(&tdc->lock, flags);
 			dma_desc->txd.flags = 0;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 104/168] dm integrity: fix recalculation when moving from journal mode to bitmap mode
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 103/168] dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 105/168] dm integrity: fix a deadlock due to offloading to an incorrect workqueue Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer

From: Mikulas Patocka <mpatocka@redhat.com>

commit d5bdf66108419cdb39da361b58ded661c29ff66e upstream.

If we resume a device in bitmap mode and the on-disk format is in journal
mode, we must recalculate anything above ic->sb->recalc_sector. Otherwise,
there would be non-recalculated blocks which would cause I/O errors.

Fixes: 468dfca38b1a ("dm integrity: add a bitmap mode")
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-integrity.c |   17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -2883,17 +2883,24 @@ static void dm_integrity_resume(struct d
 	} else {
 		replay_journal(ic);
 		if (ic->mode == 'B') {
-			int mode;
 			ic->sb->flags |= cpu_to_le32(SB_FLAG_DIRTY_BITMAP);
 			ic->sb->log2_blocks_per_bitmap_bit = ic->log2_blocks_per_bitmap_bit;
 			r = sync_rw_sb(ic, REQ_OP_WRITE, REQ_FUA);
 			if (unlikely(r))
 				dm_integrity_io_error(ic, "writing superblock", r);
 
-			mode = ic->recalculate_flag ? BITMAP_OP_SET : BITMAP_OP_CLEAR;
-			block_bitmap_op(ic, ic->journal, 0, ic->provided_data_sectors, mode);
-			block_bitmap_op(ic, ic->recalc_bitmap, 0, ic->provided_data_sectors, mode);
-			block_bitmap_op(ic, ic->may_write_bitmap, 0, ic->provided_data_sectors, mode);
+			block_bitmap_op(ic, ic->journal, 0, ic->provided_data_sectors, BITMAP_OP_CLEAR);
+			block_bitmap_op(ic, ic->recalc_bitmap, 0, ic->provided_data_sectors, BITMAP_OP_CLEAR);
+			block_bitmap_op(ic, ic->may_write_bitmap, 0, ic->provided_data_sectors, BITMAP_OP_CLEAR);
+			if (ic->sb->flags & cpu_to_le32(SB_FLAG_RECALCULATING) &&
+			    le64_to_cpu(ic->sb->recalc_sector) < ic->provided_data_sectors) {
+				block_bitmap_op(ic, ic->journal, le64_to_cpu(ic->sb->recalc_sector),
+						ic->provided_data_sectors - le64_to_cpu(ic->sb->recalc_sector), BITMAP_OP_SET);
+				block_bitmap_op(ic, ic->recalc_bitmap, le64_to_cpu(ic->sb->recalc_sector),
+						ic->provided_data_sectors - le64_to_cpu(ic->sb->recalc_sector), BITMAP_OP_SET);
+				block_bitmap_op(ic, ic->may_write_bitmap, le64_to_cpu(ic->sb->recalc_sector),
+						ic->provided_data_sectors - le64_to_cpu(ic->sb->recalc_sector), BITMAP_OP_SET);
+			}
 			rw_journal_sectors(ic, REQ_OP_WRITE, REQ_FUA | REQ_SYNC, 0,
 					   ic->n_bitmap_blocks * (BITMAP_BLOCK_SIZE >> SECTOR_SHIFT), NULL);
 		}



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 105/168] dm integrity: fix a deadlock due to offloading to an incorrect workqueue
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 104/168] dm integrity: fix recalculation when moving from journal mode to bitmap mode Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 106/168] dm integrity: fix invalid table returned due to argument count mismatch Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Heinz Mauelshagen, Mikulas Patocka,
	Mike Snitzer

From: Mikulas Patocka <mpatocka@redhat.com>

commit 53770f0ec5fd417429775ba006bc4abe14002335 upstream.

If we need to perform synchronous I/O in dm_integrity_map_continue(),
we must make sure that we are not in the map function - in order to
avoid the deadlock due to bio queuing in generic_make_request. To
avoid the deadlock, we offload the request to metadata_wq.

However, metadata_wq also processes metadata updates for write requests.
If there are too many requests that get offloaded to metadata_wq at the
beginning of dm_integrity_map_continue, the workqueue metadata_wq
becomes clogged and the system is incapable of processing any metadata
updates.

This causes a deadlock because all the requests that need to do metadata
updates wait for metadata_wq to proceed and metadata_wq waits inside
wait_and_add_new_range until some existing request releases its range
lock (which doesn't happen because the range lock is released after
metadata update).

In order to fix the deadlock, we create a new workqueue offload_wq and
offload requests to it - so that processing of offload_wq is independent
from processing of metadata_wq.

Fixes: 7eada909bfd7 ("dm: add integrity target")
Cc: stable@vger.kernel.org # v4.12+
Reported-by: Heinz Mauelshagen <heinzm@redhat.com>
Tested-by: Heinz Mauelshagen <heinzm@redhat.com>
Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-integrity.c |   19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -210,6 +210,7 @@ struct dm_integrity_c {
 	struct list_head wait_list;
 	wait_queue_head_t endio_wait;
 	struct workqueue_struct *wait_wq;
+	struct workqueue_struct *offload_wq;
 
 	unsigned char commit_seq;
 	commit_id_t commit_ids[N_COMMIT_IDS];
@@ -1434,7 +1435,7 @@ static void dec_in_flight(struct dm_inte
 			dio->range.logical_sector += dio->range.n_sectors;
 			bio_advance(bio, dio->range.n_sectors << SECTOR_SHIFT);
 			INIT_WORK(&dio->work, integrity_bio_wait);
-			queue_work(ic->wait_wq, &dio->work);
+			queue_work(ic->offload_wq, &dio->work);
 			return;
 		}
 		do_endio_flush(ic, dio);
@@ -1860,7 +1861,7 @@ static void dm_integrity_map_continue(st
 
 	if (need_sync_io && from_map) {
 		INIT_WORK(&dio->work, integrity_bio_wait);
-		queue_work(ic->metadata_wq, &dio->work);
+		queue_work(ic->offload_wq, &dio->work);
 		return;
 	}
 
@@ -2496,7 +2497,7 @@ static void bitmap_block_work(struct wor
 				    dio->range.n_sectors, BITMAP_OP_TEST_ALL_SET)) {
 			remove_range(ic, &dio->range);
 			INIT_WORK(&dio->work, integrity_bio_wait);
-			queue_work(ic->wait_wq, &dio->work);
+			queue_work(ic->offload_wq, &dio->work);
 		} else {
 			block_bitmap_op(ic, ic->journal, dio->range.logical_sector,
 					dio->range.n_sectors, BITMAP_OP_SET);
@@ -2519,7 +2520,7 @@ static void bitmap_block_work(struct wor
 
 		remove_range(ic, &dio->range);
 		INIT_WORK(&dio->work, integrity_bio_wait);
-		queue_work(ic->wait_wq, &dio->work);
+		queue_work(ic->offload_wq, &dio->work);
 	}
 
 	queue_delayed_work(ic->commit_wq, &ic->bitmap_flush_work, ic->bitmap_flush_interval);
@@ -3825,6 +3826,14 @@ static int dm_integrity_ctr(struct dm_ta
 		goto bad;
 	}
 
+	ic->offload_wq = alloc_workqueue("dm-integrity-offload", WQ_MEM_RECLAIM,
+					  METADATA_WORKQUEUE_MAX_ACTIVE);
+	if (!ic->offload_wq) {
+		ti->error = "Cannot allocate workqueue";
+		r = -ENOMEM;
+		goto bad;
+	}
+
 	ic->commit_wq = alloc_workqueue("dm-integrity-commit", WQ_MEM_RECLAIM, 1);
 	if (!ic->commit_wq) {
 		ti->error = "Cannot allocate workqueue";
@@ -4129,6 +4138,8 @@ static void dm_integrity_dtr(struct dm_t
 		destroy_workqueue(ic->metadata_wq);
 	if (ic->wait_wq)
 		destroy_workqueue(ic->wait_wq);
+	if (ic->offload_wq)
+		destroy_workqueue(ic->offload_wq);
 	if (ic->commit_wq)
 		destroy_workqueue(ic->commit_wq);
 	if (ic->writer_wq)



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 106/168] dm integrity: fix invalid table returned due to argument count mismatch
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 105/168] dm integrity: fix a deadlock due to offloading to an incorrect workqueue Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 107/168] dm cache: fix a crash due to incorrect work item cancelling Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ondrej Kozina, Mikulas Patocka, Mike Snitzer

From: Mikulas Patocka <mpatocka@redhat.com>

commit 7fc2e47f40dd77ab1fcbda6db89614a0173d89c7 upstream.

If the flag SB_FLAG_RECALCULATE is present in the superblock, but it was
not specified on the command line (i.e. ic->recalculate_flag is false),
dm-integrity would return invalid table line - the reported number of
arguments would not match the real number.

Fixes: 468dfca38b1a ("dm integrity: add a bitmap mode")
Cc: stable@vger.kernel.org # v5.2+
Reported-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-integrity.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -2969,7 +2969,7 @@ static void dm_integrity_status(struct d
 			DMEMIT(" meta_device:%s", ic->meta_dev->name);
 		if (ic->sectors_per_block != 1)
 			DMEMIT(" block_size:%u", ic->sectors_per_block << SECTOR_SHIFT);
-		if (ic->recalculate_flag)
+		if (ic->sb->flags & cpu_to_le32(SB_FLAG_RECALCULATING))
 			DMEMIT(" recalculate");
 		DMEMIT(" journal_sectors:%u", ic->initial_sectors - SB_SECTORS);
 		DMEMIT(" interleave_sectors:%u", 1U << ic->sb->log2_interleave_sectors);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 107/168] dm cache: fix a crash due to incorrect work item cancelling
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 106/168] dm integrity: fix invalid table returned due to argument count mismatch Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 108/168] dm: report suspended device during destroy Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer

From: Mikulas Patocka <mpatocka@redhat.com>

commit 7cdf6a0aae1cccf5167f3f04ecddcf648b78e289 upstream.

The crash can be reproduced by running the lvm2 testsuite test
lvconvert-thin-external-cache.sh for several minutes, e.g.:
  while :; do make check T=shell/lvconvert-thin-external-cache.sh; done

The crash happens in this call chain:
do_waker -> policy_tick -> smq_tick -> end_hotspot_period -> clear_bitset
-> memset -> __memset -- which accesses an invalid pointer in the vmalloc
area.

The work entry on the workqueue is executed even after the bitmap was
freed. The problem is that cancel_delayed_work doesn't wait for the
running work item to finish, so the work item can continue running and
re-submitting itself even after cache_postsuspend. In order to make sure
that the work item won't be running, we must use cancel_delayed_work_sync.

Also, change flush_workqueue to drain_workqueue, so that if some work item
submits itself or another work item, we are properly waiting for both of
them.

Fixes: c6b4fcbad044 ("dm: add cache target")
Cc: stable@vger.kernel.org # v3.9
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-cache-target.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -2867,8 +2867,8 @@ static void cache_postsuspend(struct dm_
 	prevent_background_work(cache);
 	BUG_ON(atomic_read(&cache->nr_io_migrations));
 
-	cancel_delayed_work(&cache->waker);
-	flush_workqueue(cache->wq);
+	cancel_delayed_work_sync(&cache->waker);
+	drain_workqueue(cache->wq);
 	WARN_ON(cache->tracker.in_flight);
 
 	/*



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 108/168] dm: report suspended device during destroy
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 107/168] dm cache: fix a crash due to incorrect work item cancelling Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 109/168] dm writecache: verify watermark during resume Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Corey Marthaler, Mikulas Patocka,
	Mike Snitzer

From: Mikulas Patocka <mpatocka@redhat.com>

commit adc0daad366b62ca1bce3e2958a40b0b71a8b8b3 upstream.

The function dm_suspended returns true if the target is suspended.
However, when the target is being suspended during unload, it returns
false.

An example where this is a problem: the test "!dm_suspended(wc->ti)" in
writecache_writeback is not sufficient, because dm_suspended returns
zero while writecache_suspend is in progress.  As is, without an
enhanced dm_suspended, simply switching from flush_workqueue to
drain_workqueue still emits warnings:
workqueue writecache-writeback: drain_workqueue() isn't complete after 10 tries
workqueue writecache-writeback: drain_workqueue() isn't complete after 100 tries
workqueue writecache-writeback: drain_workqueue() isn't complete after 200 tries
workqueue writecache-writeback: drain_workqueue() isn't complete after 300 tries
workqueue writecache-writeback: drain_workqueue() isn't complete after 400 tries

writecache_suspend calls flush_workqueue(wc->writeback_wq) - this function
flushes the current work. However, the workqueue may re-queue itself and
flush_workqueue doesn't wait for re-queued works to finish. Because of
this - the function writecache_writeback continues execution after the
device was suspended and then concurrently with writecache_dtr, causing
a crash in writecache_writeback.

We must use drain_workqueue - that waits until the work and all re-queued
works finish.

As a prereq for switching to drain_workqueue, this commit fixes
dm_suspended to return true after the presuspend hook and before the
postsuspend hook - just like during a normal suspend. It allows
simplifying the dm-integrity and dm-writecache targets so that they
don't have to maintain suspended flags on their own.

With this change use of drain_workqueue() can be used effectively.  This
change was tested with the lvm2 testsuite and cryptsetup testsuite and
the are no regressions.

Fixes: 48debafe4f2f ("dm: add writecache target")
Cc: stable@vger.kernel.org # 4.18+
Reported-by: Corey Marthaler <cmarthal@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-integrity.c  |   12 +++++-------
 drivers/md/dm-writecache.c |    2 +-
 drivers/md/dm.c            |    1 +
 3 files changed, 7 insertions(+), 8 deletions(-)

--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -199,12 +199,13 @@ struct dm_integrity_c {
 	__u8 log2_blocks_per_bitmap_bit;
 
 	unsigned char mode;
-	int suspending;
 
 	int failed;
 
 	struct crypto_shash *internal_hash;
 
+	struct dm_target *ti;
+
 	/* these variables are locked with endio_wait.lock */
 	struct rb_root in_progress;
 	struct list_head wait_list;
@@ -2311,7 +2312,7 @@ static void integrity_writer(struct work
 	unsigned prev_free_sectors;
 
 	/* the following test is not needed, but it tests the replay code */
-	if (READ_ONCE(ic->suspending) && !ic->meta_dev)
+	if (unlikely(dm_suspended(ic->ti)) && !ic->meta_dev)
 		return;
 
 	spin_lock_irq(&ic->endio_wait.lock);
@@ -2372,7 +2373,7 @@ static void integrity_recalc(struct work
 
 next_chunk:
 
-	if (unlikely(READ_ONCE(ic->suspending)))
+	if (unlikely(dm_suspended(ic->ti)))
 		goto unlock_ret;
 
 	range.logical_sector = le64_to_cpu(ic->sb->recalc_sector);
@@ -2800,8 +2801,6 @@ static void dm_integrity_postsuspend(str
 
 	del_timer_sync(&ic->autocommit_timer);
 
-	WRITE_ONCE(ic->suspending, 1);
-
 	if (ic->recalc_wq)
 		drain_workqueue(ic->recalc_wq);
 
@@ -2830,8 +2829,6 @@ static void dm_integrity_postsuspend(str
 #endif
 	}
 
-	WRITE_ONCE(ic->suspending, 0);
-
 	BUG_ON(!RB_EMPTY_ROOT(&ic->in_progress));
 
 	ic->journal_uptodate = true;
@@ -3615,6 +3612,7 @@ static int dm_integrity_ctr(struct dm_ta
 	}
 	ti->private = ic;
 	ti->per_io_data_size = sizeof(struct dm_integrity_io);
+	ic->ti = ti;
 
 	ic->in_progress = RB_ROOT;
 	INIT_LIST_HEAD(&ic->wait_list);
--- a/drivers/md/dm-writecache.c
+++ b/drivers/md/dm-writecache.c
@@ -838,7 +838,7 @@ static void writecache_suspend(struct dm
 	}
 	wc_unlock(wc);
 
-	flush_workqueue(wc->writeback_wq);
+	drain_workqueue(wc->writeback_wq);
 
 	wc_lock(wc);
 	if (flush_on_suspend)
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2389,6 +2389,7 @@ static void __dm_destroy(struct mapped_d
 	map = dm_get_live_table(md, &srcu_idx);
 	if (!dm_suspended_md(md)) {
 		dm_table_presuspend_targets(map);
+		set_bit(DMF_SUSPENDED, &md->flags);
 		dm_table_postsuspend_targets(map);
 	}
 	/* dm_put_live_table must be before msleep, otherwise deadlock is possible */



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 109/168] dm writecache: verify watermark during resume
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 108/168] dm: report suspended device during destroy Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 110/168] dm zoned: Fix reference counter initial value of chunk works Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer

From: Mikulas Patocka <mpatocka@redhat.com>

commit 41c526c5af46d4c4dab7f72c99000b7fac0b9702 upstream.

Verify the watermark upon resume - so that if the target is reloaded
with lower watermark, it will start the cleanup process immediately.

Fixes: 48debafe4f2f ("dm: add writecache target")
Cc: stable@vger.kernel.org # 4.18+
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-writecache.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-writecache.c
+++ b/drivers/md/dm-writecache.c
@@ -625,6 +625,12 @@ static void writecache_add_to_freelist(s
 	wc->freelist_size++;
 }
 
+static inline void writecache_verify_watermark(struct dm_writecache *wc)
+{
+	if (unlikely(wc->freelist_size + wc->writeback_size <= wc->freelist_high_watermark))
+		queue_work(wc->writeback_wq, &wc->writeback_work);
+}
+
 static struct wc_entry *writecache_pop_from_freelist(struct dm_writecache *wc)
 {
 	struct wc_entry *e;
@@ -646,8 +652,8 @@ static struct wc_entry *writecache_pop_f
 		list_del(&e->lru);
 	}
 	wc->freelist_size--;
-	if (unlikely(wc->freelist_size + wc->writeback_size <= wc->freelist_high_watermark))
-		queue_work(wc->writeback_wq, &wc->writeback_work);
+
+	writecache_verify_watermark(wc);
 
 	return e;
 }
@@ -961,6 +967,8 @@ erase_this:
 		writecache_commit_flushed(wc, false);
 	}
 
+	writecache_verify_watermark(wc);
+
 	wc_unlock(wc);
 }
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 110/168] dm zoned: Fix reference counter initial value of chunk works
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 109/168] dm writecache: verify watermark during resume Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 111/168] dm: fix congested_fn for request-based device Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shinichiro Kawasaki, Damien Le Moal,
	Mike Snitzer

From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>

commit ee63634bae02e13c8c0df1209a6a0ca5326f3189 upstream.

Dm-zoned initializes reference counters of new chunk works with zero
value and refcount_inc() is called to increment the counter. However, the
refcount_inc() function handles the addition to zero value as an error
and triggers the warning as follows:

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 7 PID: 1506 at lib/refcount.c:25 refcount_warn_saturate+0x68/0xf0
...
CPU: 7 PID: 1506 Comm: systemd-udevd Not tainted 5.4.0+ #134
...
Call Trace:
 dmz_map+0x2d2/0x350 [dm_zoned]
 __map_bio+0x42/0x1a0
 __split_and_process_non_flush+0x14a/0x1b0
 __split_and_process_bio+0x83/0x240
 ? kmem_cache_alloc+0x165/0x220
 dm_process_bio+0x90/0x230
 ? generic_make_request_checks+0x2e7/0x680
 dm_make_request+0x3e/0xb0
 generic_make_request+0xcf/0x320
 ? memcg_drain_all_list_lrus+0x1c0/0x1c0
 submit_bio+0x3c/0x160
 ? guard_bio_eod+0x2c/0x130
 mpage_readpages+0x182/0x1d0
 ? bdev_evict_inode+0xf0/0xf0
 read_pages+0x6b/0x1b0
 __do_page_cache_readahead+0x1ba/0x1d0
 force_page_cache_readahead+0x93/0x100
 generic_file_read_iter+0x83a/0xe40
 ? __seccomp_filter+0x7b/0x670
 new_sync_read+0x12a/0x1c0
 vfs_read+0x9d/0x150
 ksys_read+0x5f/0xe0
 do_syscall_64+0x5b/0x180
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
...

After this warning, following refcount API calls for the counter all fail
to change the counter value.

Fix this by setting the initial reference counter value not zero but one
for the new chunk works. Instead, do not call refcount_inc() via
dmz_get_chunk_work() for the new chunks works.

The failure was observed with linux version 5.4 with CONFIG_REFCOUNT_FULL
enabled. Refcount rework was merged to linux version 5.5 by the
commit 168829ad09ca ("Merge branch 'locking-core-for-linus' of
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip"). After this
commit, CONFIG_REFCOUNT_FULL was removed and the failure was observed
regardless of kernel configuration.

Linux version 4.20 merged the commit 092b5648760a ("dm zoned: target: use
refcount_t for dm zoned reference counters"). Before this commit, dm
zoned used atomic_t APIs which does not check addition to zero, then this
fix is not necessary.

Fixes: 092b5648760a ("dm zoned: target: use refcount_t for dm zoned reference counters")
Cc: stable@vger.kernel.org # 5.4+
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-zoned-target.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/md/dm-zoned-target.c
+++ b/drivers/md/dm-zoned-target.c
@@ -533,8 +533,9 @@ static int dmz_queue_chunk_work(struct d
 
 	/* Get the BIO chunk work. If one is not active yet, create one */
 	cw = radix_tree_lookup(&dmz->chunk_rxtree, chunk);
-	if (!cw) {
-
+	if (cw) {
+		dmz_get_chunk_work(cw);
+	} else {
 		/* Create a new chunk work */
 		cw = kmalloc(sizeof(struct dm_chunk_work), GFP_NOIO);
 		if (unlikely(!cw)) {
@@ -543,7 +544,7 @@ static int dmz_queue_chunk_work(struct d
 		}
 
 		INIT_WORK(&cw->work, dmz_chunk_work);
-		refcount_set(&cw->refcount, 0);
+		refcount_set(&cw->refcount, 1);
 		cw->target = dmz;
 		cw->chunk = chunk;
 		bio_list_init(&cw->bio_list);
@@ -556,7 +557,6 @@ static int dmz_queue_chunk_work(struct d
 	}
 
 	bio_list_add(&cw->bio_list, bio);
-	dmz_get_chunk_work(cw);
 
 	dmz_reclaim_bio_acc(dmz->reclaim);
 	if (queue_work(dmz->chunk_wq, &cw->work))



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 111/168] dm: fix congested_fn for request-based device
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 110/168] dm zoned: Fix reference counter initial value of chunk works Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 112/168] arm64: dts: meson-sm1-sei610: add missing interrupt-names Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hou Tao, Mike Snitzer

From: Hou Tao <houtao1@huawei.com>

commit 974f51e8633f0f3f33e8f86bbb5ae66758aa63c7 upstream.

We neither assign congested_fn for requested-based blk-mq device nor
implement it correctly. So fix both.

Also, remove incorrect comment from dm_init_normal_md_queue and rename
it to dm_init_congested_fn.

Fixes: 4aa9c692e052 ("bdi: separate out congested state into a separate struct")
Cc: stable@vger.kernel.org
Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm.c |   21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -1809,7 +1809,8 @@ static int dm_any_congested(void *conges
 			 * With request-based DM we only need to check the
 			 * top-level queue for congestion.
 			 */
-			r = md->queue->backing_dev_info->wb.state & bdi_bits;
+			struct backing_dev_info *bdi = md->queue->backing_dev_info;
+			r = bdi->wb.congested->state & bdi_bits;
 		} else {
 			map = dm_get_live_table_fast(md);
 			if (map)
@@ -1875,15 +1876,6 @@ static const struct dax_operations dm_da
 
 static void dm_wq_work(struct work_struct *work);
 
-static void dm_init_normal_md_queue(struct mapped_device *md)
-{
-	/*
-	 * Initialize aspects of queue that aren't relevant for blk-mq
-	 */
-	md->queue->backing_dev_info->congested_data = md;
-	md->queue->backing_dev_info->congested_fn = dm_any_congested;
-}
-
 static void cleanup_mapped_device(struct mapped_device *md)
 {
 	if (md->wq)
@@ -2270,6 +2262,12 @@ struct queue_limits *dm_get_queue_limits
 }
 EXPORT_SYMBOL_GPL(dm_get_queue_limits);
 
+static void dm_init_congested_fn(struct mapped_device *md)
+{
+	md->queue->backing_dev_info->congested_data = md;
+	md->queue->backing_dev_info->congested_fn = dm_any_congested;
+}
+
 /*
  * Setup the DM device's queue based on md's type
  */
@@ -2286,11 +2284,12 @@ int dm_setup_md_queue(struct mapped_devi
 			DMERR("Cannot initialize queue for request-based dm-mq mapped device");
 			return r;
 		}
+		dm_init_congested_fn(md);
 		break;
 	case DM_TYPE_BIO_BASED:
 	case DM_TYPE_DAX_BIO_BASED:
 	case DM_TYPE_NVME_BIO_BASED:
-		dm_init_normal_md_queue(md);
+		dm_init_congested_fn(md);
 		break;
 	case DM_TYPE_NONE:
 		WARN_ON_ONCE(true);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 112/168] arm64: dts: meson-sm1-sei610: add missing interrupt-names
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 111/168] dm: fix congested_fn for request-based device Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 113/168] ARM: dts: ls1021a: Restore MDIO compatible to gianfar Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guillaume La Roque, Neil Armstrong,
	Kevin Hilman

From: Guillaume La Roque <glaroque@baylibre.com>

commit 5bea1336ed2c939328999c64de28792e8dc0699b upstream.

add missing "host-wakeup interrupt names

Fixes: 30388cc07572 ("arm64: dts: meson-sm1-sei610: add gpio bluetooth interrupt")

Signed-off-by: Guillaume La Roque <glaroque@baylibre.com>
Acked-by: Neil Armstrong <narmstrong@baylibre.com>
Link: https://lore.kernel.org/r/20200117133423.22602-1-glaroque@baylibre.com
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/amlogic/meson-sm1-sei610.dts |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm64/boot/dts/amlogic/meson-sm1-sei610.dts
+++ b/arch/arm64/boot/dts/amlogic/meson-sm1-sei610.dts
@@ -363,6 +363,7 @@
 		compatible = "brcm,bcm43438-bt";
 		interrupt-parent = <&gpio_intc>;
 		interrupts = <95 IRQ_TYPE_LEVEL_HIGH>;
+		interrupt-names = "host-wakeup";
 		shutdown-gpios = <&gpio GPIOX_17 GPIO_ACTIVE_HIGH>;
 		max-speed = <2000000>;
 		clocks = <&wifi32k>;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 113/168] ARM: dts: ls1021a: Restore MDIO compatible to gianfar
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 112/168] arm64: dts: meson-sm1-sei610: add missing interrupt-names Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 114/168] spi: bcm63xx-hsspi: Really keep pll clk enabled Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Machek, Vladimir Oltean, Shawn Guo

From: Vladimir Oltean <olteanv@gmail.com>

commit 7155c44624d061692b4c13aa8343f119c67d4fc0 upstream.

The difference between "fsl,etsec2-mdio" and "gianfar" has to do with
the .get_tbipa function, which calculates the address of the TBIPA
register automatically, if not explicitly specified. [ see
drivers/net/ethernet/freescale/fsl_pq_mdio.c ]. On LS1021A, the TBIPA
register is at offset 0x30 within the port register block, which is what
the "gianfar" method of calculating addresses actually does.

Luckily, the bad "compatible" is inconsequential for ls1021a.dtsi,
because the TBIPA register is explicitly specified via the second "reg"
(<0x0 0x2d10030 0x0 0x4>), so the "get_tbipa" function is dead code.
Nonetheless it's good to restore it to its correct value.

Background discussion:
https://www.spinics.net/lists/stable/msg361156.html

Fixes: c7861adbe37f ("ARM: dts: ls1021: Fix SGMII PCS link remaining down after PHY disconnect")
Reported-by: Pavel Machek <pavel@denx.de>
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/ls1021a.dtsi |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/ls1021a.dtsi
+++ b/arch/arm/boot/dts/ls1021a.dtsi
@@ -728,7 +728,7 @@
 		};
 
 		mdio0: mdio@2d24000 {
-			compatible = "fsl,etsec2-mdio";
+			compatible = "gianfar";
 			device_type = "mdio";
 			#address-cells = <1>;
 			#size-cells = <0>;
@@ -737,7 +737,7 @@
 		};
 
 		mdio1: mdio@2d64000 {
-			compatible = "fsl,etsec2-mdio";
+			compatible = "gianfar";
 			device_type = "mdio";
 			#address-cells = <1>;
 			#size-cells = <0>;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 114/168] spi: bcm63xx-hsspi: Really keep pll clk enabled
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 113/168] ARM: dts: ls1021a: Restore MDIO compatible to gianfar Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 115/168] drm/virtio: make resource id workaround runtime switchable Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Jonas Gorski, Mark Brown

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit 51bddd4501bc414b8b1e8f4d096b4a5304068169 upstream.

The purpose of commit 0fd85869c2a9 ("spi/bcm63xx-hsspi: keep pll clk enabled")
was to keep the pll clk enabled through the lifetime of the device.

In order to do that, some 'clk_prepare_enable()'/'clk_disable_unprepare()'
calls have been added in the error handling path of the probe function, in
the remove function and in the suspend and resume functions.

However, a 'clk_disable_unprepare()' call has been unfortunately left in
the probe function. So the commit seems to be more or less a no-op.

Axe it now, so that the pll clk is left enabled through the lifetime of
the device, as described in the commit.

Fixes: 0fd85869c2a9 ("spi/bcm63xx-hsspi: keep pll clk enabled")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Acked-by: Jonas Gorski <jonas.gorski@gmail.com>
Link: https://lore.kernel.org/r/20200228213838.7124-1-christophe.jaillet@wanadoo.fr
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/spi/spi-bcm63xx-hsspi.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/spi/spi-bcm63xx-hsspi.c
+++ b/drivers/spi/spi-bcm63xx-hsspi.c
@@ -367,7 +367,6 @@ static int bcm63xx_hsspi_probe(struct pl
 			goto out_disable_clk;
 
 		rate = clk_get_rate(pll_clk);
-		clk_disable_unprepare(pll_clk);
 		if (!rate) {
 			ret = -EINVAL;
 			goto out_disable_pll_clk;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 115/168] drm/virtio: make resource id workaround runtime switchable.
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 114/168] spi: bcm63xx-hsspi: Really keep pll clk enabled Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 116/168] drm/virtio: fix resource id creation race Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gerd Hoffmann, Chia-I Wu

From: Gerd Hoffmann <kraxel@redhat.com>

commit 3e93bc2a58aa241081e043ef9e6e86c42808499a upstream.

Also update the comment with a reference to the virglrenderer fix.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20190822102614.18164-1-kraxel@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/virtio/virtgpu_object.c |   44 +++++++++++++++++---------------
 1 file changed, 24 insertions(+), 20 deletions(-)

--- a/drivers/gpu/drm/virtio/virtgpu_object.c
+++ b/drivers/gpu/drm/virtio/virtgpu_object.c
@@ -27,34 +27,38 @@
 
 #include "virtgpu_drv.h"
 
+static int virtio_gpu_virglrenderer_workaround = 1;
+module_param_named(virglhack, virtio_gpu_virglrenderer_workaround, int, 0400);
+
 static int virtio_gpu_resource_id_get(struct virtio_gpu_device *vgdev,
 				       uint32_t *resid)
 {
-#if 0
-	int handle = ida_alloc(&vgdev->resource_ida, GFP_KERNEL);
-
-	if (handle < 0)
-		return handle;
-#else
-	static int handle;
-
-	/*
-	 * FIXME: dirty hack to avoid re-using IDs, virglrenderer
-	 * can't deal with that.  Needs fixing in virglrenderer, also
-	 * should figure a better way to handle that in the guest.
-	 */
-	handle++;
-#endif
-
-	*resid = handle + 1;
+	if (virtio_gpu_virglrenderer_workaround) {
+		/*
+		 * Hack to avoid re-using resource IDs.
+		 *
+		 * virglrenderer versions up to (and including) 0.7.0
+		 * can't deal with that.  virglrenderer commit
+		 * "f91a9dd35715 Fix unlinking resources from hash
+		 * table." (Feb 2019) fixes the bug.
+		 */
+		static int handle;
+		handle++;
+		*resid = handle + 1;
+	} else {
+		int handle = ida_alloc(&vgdev->resource_ida, GFP_KERNEL);
+		if (handle < 0)
+			return handle;
+		*resid = handle + 1;
+	}
 	return 0;
 }
 
 static void virtio_gpu_resource_id_put(struct virtio_gpu_device *vgdev, uint32_t id)
 {
-#if 0
-	ida_free(&vgdev->resource_ida, id - 1);
-#endif
+	if (!virtio_gpu_virglrenderer_workaround) {
+		ida_free(&vgdev->resource_ida, id - 1);
+	}
 }
 
 static void virtio_gpu_ttm_bo_destroy(struct ttm_buffer_object *tbo)



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 116/168] drm/virtio: fix resource id creation race
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 115/168] drm/virtio: make resource id workaround runtime switchable Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 117/168] ASoC: topology: Fix memleak in soc_tplg_link_elems_load() Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Bates, Chia-I Wu, Gerd Hoffmann

From: John Bates <jbates@chromium.org>

commit fbb30168c7395b9cfeb9e6f7b0c0bca854a6552d upstream.

The previous code was not thread safe and caused
undefined behavior from spurious duplicate resource IDs.
In this patch, an atomic_t is used instead. We no longer
see any duplicate IDs in tests with this change.

Fixes: 16065fcdd19d ("drm/virtio: do NOT reuse resource ids")
Signed-off-by: John Bates <jbates@chromium.org>
Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20200220225319.45621-1-jbates@chromium.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/virtio/virtgpu_object.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/virtio/virtgpu_object.c
+++ b/drivers/gpu/drm/virtio/virtgpu_object.c
@@ -42,8 +42,8 @@ static int virtio_gpu_resource_id_get(st
 		 * "f91a9dd35715 Fix unlinking resources from hash
 		 * table." (Feb 2019) fixes the bug.
 		 */
-		static int handle;
-		handle++;
+		static atomic_t seqno = ATOMIC_INIT(0);
+		int handle = atomic_inc_return(&seqno);
 		*resid = handle + 1;
 	} else {
 		int handle = ida_alloc(&vgdev->resource_ida, GFP_KERNEL);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 117/168] ASoC: topology: Fix memleak in soc_tplg_link_elems_load()
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 116/168] drm/virtio: fix resource id creation race Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 118/168] ASoC: topology: Fix memleak in soc_tplg_manifest_load() Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dragos Tarcatu, Mark Brown

From: Dragos Tarcatu <dragos_tarcatu@mentor.com>

commit 2b2d5c4db732c027a14987cfccf767dac1b45170 upstream.

If soc_tplg_link_config() fails, _link needs to be freed in case of
topology ABI version mismatch. However the current code is returning
directly and ends up leaking memory in this case.
This patch fixes that.

Fixes: 593d9e52f9bb ("ASoC: topology: Add support to configure existing physical DAI links")
Signed-off-by: Dragos Tarcatu <dragos_tarcatu@mentor.com>
Link: https://lore.kernel.org/r/20200207185325.22320-2-dragos_tarcatu@mentor.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/soc-topology.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -2320,8 +2320,11 @@ static int soc_tplg_link_elems_load(stru
 		}
 
 		ret = soc_tplg_link_config(tplg, _link);
-		if (ret < 0)
+		if (ret < 0) {
+			if (!abi_match)
+				kfree(_link);
 			return ret;
+		}
 
 		/* offset by version-specific struct size and
 		 * real priv data size



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 118/168] ASoC: topology: Fix memleak in soc_tplg_manifest_load()
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 117/168] ASoC: topology: Fix memleak in soc_tplg_link_elems_load() Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 119/168] ASoC: SOF: Fix snd_sof_ipc_stream_posn() Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dragos Tarcatu, Mark Brown

From: Dragos Tarcatu <dragos_tarcatu@mentor.com>

commit 242c46c023610dbc0213fc8fb6b71eb836bc5d95 upstream.

In case of ABI version mismatch, _manifest needs to be freed as
it is just a copy of the original topology manifest. However, if
a driver manifest handler is defined, that would get executed and
the cleanup is never reached. Fix that by getting the return status
of manifest() instead of returning directly.

Fixes: 583958fa2e52 ("ASoC: topology: Make manifest backward compatible from ABI v4")
Signed-off-by: Dragos Tarcatu <dragos_tarcatu@mentor.com>
Link: https://lore.kernel.org/r/20200207185325.22320-3-dragos_tarcatu@mentor.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/soc-topology.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -2488,7 +2488,7 @@ static int soc_tplg_manifest_load(struct
 {
 	struct snd_soc_tplg_manifest *manifest, *_manifest;
 	bool abi_match;
-	int err;
+	int ret = 0;
 
 	if (tplg->pass != SOC_TPLG_PASS_MANIFEST)
 		return 0;
@@ -2501,19 +2501,19 @@ static int soc_tplg_manifest_load(struct
 		_manifest = manifest;
 	} else {
 		abi_match = false;
-		err = manifest_new_ver(tplg, manifest, &_manifest);
-		if (err < 0)
-			return err;
+		ret = manifest_new_ver(tplg, manifest, &_manifest);
+		if (ret < 0)
+			return ret;
 	}
 
 	/* pass control to component driver for optional further init */
 	if (tplg->comp && tplg->ops && tplg->ops->manifest)
-		return tplg->ops->manifest(tplg->comp, tplg->index, _manifest);
+		ret = tplg->ops->manifest(tplg->comp, tplg->index, _manifest);
 
 	if (!abi_match)	/* free the duplicated one */
 		kfree(_manifest);
 
-	return 0;
+	return ret;
 }
 
 /* validate header magic, size and type */



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 119/168] ASoC: SOF: Fix snd_sof_ipc_stream_posn()
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 118/168] ASoC: topology: Fix memleak in soc_tplg_manifest_load() Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 120/168] ASoC: intel: skl: Fix pin debug prints Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Kai Vehmanen, Mark Brown

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 613cea5935e83cb5a7d182ee3f98d54620e102e2 upstream.

We're passing "&posn" instead of "posn" so it ends up corrupting
memory instead of doing something useful.

Fixes: 53e0c72d98ba ("ASoC: SOF: Add support for IPC IO between DSP and Host")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Link: https://lore.kernel.org/r/20200303101858.ytehbrivocyp3cnf@kili.mountain
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/sof/ipc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/soc/sof/ipc.c
+++ b/sound/soc/sof/ipc.c
@@ -497,7 +497,7 @@ int snd_sof_ipc_stream_posn(struct snd_s
 
 	/* send IPC to the DSP */
 	err = sof_ipc_tx_message(sdev->ipc,
-				 stream.hdr.cmd, &stream, sizeof(stream), &posn,
+				 stream.hdr.cmd, &stream, sizeof(stream), posn,
 				 sizeof(*posn));
 	if (err < 0) {
 		dev_err(sdev->dev, "error: failed to get stream %d position\n",



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 120/168] ASoC: intel: skl: Fix pin debug prints
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 119/168] ASoC: SOF: Fix snd_sof_ipc_stream_posn() Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 121/168] ASoC: intel: skl: Fix possible buffer overflow in debug outputs Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Cezary Rojewski, Mark Brown

From: Takashi Iwai <tiwai@suse.de>

commit 64bbacc5f08c01954890981c63de744df1f29a30 upstream.

skl_print_pins() loops over all given pins but it overwrites the text
at the very same position while increasing the returned length.
Fix this to show the all pin contents properly.

Fixes: d14700a01f91 ("ASoC: Intel: Skylake: Debugfs facility to dump module config")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Acked-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://lore.kernel.org/r/20200218111737.14193-2-tiwai@suse.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/intel/skylake/skl-debug.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/sound/soc/intel/skylake/skl-debug.c
+++ b/sound/soc/intel/skylake/skl-debug.c
@@ -34,7 +34,7 @@ static ssize_t skl_print_pins(struct skl
 	int i;
 	ssize_t ret = 0;
 
-	for (i = 0; i < max_pin; i++)
+	for (i = 0; i < max_pin; i++) {
 		ret += snprintf(buf + size, MOD_BUF - size,
 				"%s %d\n\tModule %d\n\tInstance %d\n\t"
 				"In-used %s\n\tType %s\n"
@@ -45,6 +45,8 @@ static ssize_t skl_print_pins(struct skl
 				m_pin[i].in_use ? "Used" : "Unused",
 				m_pin[i].is_dynamic ? "Dynamic" : "Static",
 				m_pin[i].pin_state, i);
+		size += ret;
+	}
 	return ret;
 }
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 121/168] ASoC: intel: skl: Fix possible buffer overflow in debug outputs
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 120/168] ASoC: intel: skl: Fix pin debug prints Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 122/168] powerpc: define helpers to get L1 icache sizes Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Cezary Rojewski, Mark Brown

From: Takashi Iwai <tiwai@suse.de>

commit 549cd0ba04dcfe340c349cd983bd440480fae8ee upstream.

The debugfs output of intel skl driver writes strings with multiple
snprintf() calls with the fixed size.  This was supposed to avoid the
buffer overflow but actually it still would, because snprintf()
returns the expected size to be output, not the actual output size.

Fix it by replacing snprintf() calls with scnprintf().

Fixes: d14700a01f91 ("ASoC: Intel: Skylake: Debugfs facility to dump module config")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Acked-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://lore.kernel.org/r/20200218111737.14193-3-tiwai@suse.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/intel/skylake/skl-debug.c |   28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

--- a/sound/soc/intel/skylake/skl-debug.c
+++ b/sound/soc/intel/skylake/skl-debug.c
@@ -35,7 +35,7 @@ static ssize_t skl_print_pins(struct skl
 	ssize_t ret = 0;
 
 	for (i = 0; i < max_pin; i++) {
-		ret += snprintf(buf + size, MOD_BUF - size,
+		ret += scnprintf(buf + size, MOD_BUF - size,
 				"%s %d\n\tModule %d\n\tInstance %d\n\t"
 				"In-used %s\n\tType %s\n"
 				"\tState %d\n\tIndex %d\n",
@@ -53,7 +53,7 @@ static ssize_t skl_print_pins(struct skl
 static ssize_t skl_print_fmt(struct skl_module_fmt *fmt, char *buf,
 					ssize_t size, bool direction)
 {
-	return snprintf(buf + size, MOD_BUF - size,
+	return scnprintf(buf + size, MOD_BUF - size,
 			"%s\n\tCh %d\n\tFreq %d\n\tBit depth %d\n\t"
 			"Valid bit depth %d\n\tCh config %#x\n\tInterleaving %d\n\t"
 			"Sample Type %d\n\tCh Map %#x\n",
@@ -77,16 +77,16 @@ static ssize_t module_read(struct file *
 	if (!buf)
 		return -ENOMEM;
 
-	ret = snprintf(buf, MOD_BUF, "Module:\n\tUUID %pUL\n\tModule id %d\n"
+	ret = scnprintf(buf, MOD_BUF, "Module:\n\tUUID %pUL\n\tModule id %d\n"
 			"\tInstance id %d\n\tPvt_id %d\n", mconfig->guid,
 			mconfig->id.module_id, mconfig->id.instance_id,
 			mconfig->id.pvt_id);
 
-	ret += snprintf(buf + ret, MOD_BUF - ret,
+	ret += scnprintf(buf + ret, MOD_BUF - ret,
 			"Resources:\n\tCPC %#x\n\tIBS %#x\n\tOBS %#x\t\n",
 			res->cpc, res->ibs, res->obs);
 
-	ret += snprintf(buf + ret, MOD_BUF - ret,
+	ret += scnprintf(buf + ret, MOD_BUF - ret,
 			"Module data:\n\tCore %d\n\tIn queue %d\n\t"
 			"Out queue %d\n\tType %s\n",
 			mconfig->core_id, mconfig->max_in_queue,
@@ -96,38 +96,38 @@ static ssize_t module_read(struct file *
 	ret += skl_print_fmt(mconfig->in_fmt, buf, ret, true);
 	ret += skl_print_fmt(mconfig->out_fmt, buf, ret, false);
 
-	ret += snprintf(buf + ret, MOD_BUF - ret,
+	ret += scnprintf(buf + ret, MOD_BUF - ret,
 			"Fixup:\n\tParams %#x\n\tConverter %#x\n",
 			mconfig->params_fixup, mconfig->converter);
 
-	ret += snprintf(buf + ret, MOD_BUF - ret,
+	ret += scnprintf(buf + ret, MOD_BUF - ret,
 			"Module Gateway:\n\tType %#x\n\tVbus %#x\n\tHW conn %#x\n\tSlot %#x\n",
 			mconfig->dev_type, mconfig->vbus_id,
 			mconfig->hw_conn_type, mconfig->time_slot);
 
-	ret += snprintf(buf + ret, MOD_BUF - ret,
+	ret += scnprintf(buf + ret, MOD_BUF - ret,
 			"Pipeline:\n\tID %d\n\tPriority %d\n\tConn Type %d\n\t"
 			"Pages %#x\n", mconfig->pipe->ppl_id,
 			mconfig->pipe->pipe_priority, mconfig->pipe->conn_type,
 			mconfig->pipe->memory_pages);
 
-	ret += snprintf(buf + ret, MOD_BUF - ret,
+	ret += scnprintf(buf + ret, MOD_BUF - ret,
 			"\tParams:\n\t\tHost DMA %d\n\t\tLink DMA %d\n",
 			mconfig->pipe->p_params->host_dma_id,
 			mconfig->pipe->p_params->link_dma_id);
 
-	ret += snprintf(buf + ret, MOD_BUF - ret,
+	ret += scnprintf(buf + ret, MOD_BUF - ret,
 			"\tPCM params:\n\t\tCh %d\n\t\tFreq %d\n\t\tFormat %d\n",
 			mconfig->pipe->p_params->ch,
 			mconfig->pipe->p_params->s_freq,
 			mconfig->pipe->p_params->s_fmt);
 
-	ret += snprintf(buf + ret, MOD_BUF - ret,
+	ret += scnprintf(buf + ret, MOD_BUF - ret,
 			"\tLink %#x\n\tStream %#x\n",
 			mconfig->pipe->p_params->linktype,
 			mconfig->pipe->p_params->stream);
 
-	ret += snprintf(buf + ret, MOD_BUF - ret,
+	ret += scnprintf(buf + ret, MOD_BUF - ret,
 			"\tState %d\n\tPassthru %s\n",
 			mconfig->pipe->state,
 			mconfig->pipe->passthru ? "true" : "false");
@@ -137,7 +137,7 @@ static ssize_t module_read(struct file *
 	ret += skl_print_pins(mconfig->m_out_pin, buf,
 			mconfig->max_out_queue, ret, false);
 
-	ret += snprintf(buf + ret, MOD_BUF - ret,
+	ret += scnprintf(buf + ret, MOD_BUF - ret,
 			"Other:\n\tDomain %d\n\tHomogeneous Input %s\n\t"
 			"Homogeneous Output %s\n\tIn Queue Mask %d\n\t"
 			"Out Queue Mask %d\n\tDMA ID %d\n\tMem Pages %d\n\t"
@@ -193,7 +193,7 @@ static ssize_t fw_softreg_read(struct fi
 		__ioread32_copy(d->fw_read_buff, fw_reg_addr, w0_stat_sz >> 2);
 
 	for (offset = 0; offset < FW_REG_SIZE; offset += 16) {
-		ret += snprintf(tmp + ret, FW_REG_BUF - ret, "%#.4x: ", offset);
+		ret += scnprintf(tmp + ret, FW_REG_BUF - ret, "%#.4x: ", offset);
 		hex_dump_to_buffer(d->fw_read_buff + offset, 16, 16, 4,
 				   tmp + ret, FW_REG_BUF - ret, 0);
 		ret += strlen(tmp + ret);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 122/168] powerpc: define helpers to get L1 icache sizes
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 121/168] ASoC: intel: skl: Fix possible buffer overflow in debug outputs Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 123/168] powerpc: Convert flush_icache_range & friends to C Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alastair DSilva, Michael Ellerman,
	Sasha Levin

From: Alastair D'Silva <alastair@d-silva.org>

[ Upstream commit 7a0745c5e03ff1129864bc6d80f5c4417e8d7893 ]

This patch adds helpers to retrieve icache sizes, and renames the existing
helpers to make it clear that they are for dcache.

Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20191104023305.9581-4-alastair@au1.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/include/asm/cache.h      | 29 +++++++++++++++++++++++----
 arch/powerpc/include/asm/cacheflush.h | 12 +++++------
 2 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/arch/powerpc/include/asm/cache.h b/arch/powerpc/include/asm/cache.h
index 45e3137ccd71c..afb88754e0e07 100644
--- a/arch/powerpc/include/asm/cache.h
+++ b/arch/powerpc/include/asm/cache.h
@@ -55,25 +55,46 @@ struct ppc64_caches {
 
 extern struct ppc64_caches ppc64_caches;
 
-static inline u32 l1_cache_shift(void)
+static inline u32 l1_dcache_shift(void)
 {
 	return ppc64_caches.l1d.log_block_size;
 }
 
-static inline u32 l1_cache_bytes(void)
+static inline u32 l1_dcache_bytes(void)
 {
 	return ppc64_caches.l1d.block_size;
 }
+
+static inline u32 l1_icache_shift(void)
+{
+	return ppc64_caches.l1i.log_block_size;
+}
+
+static inline u32 l1_icache_bytes(void)
+{
+	return ppc64_caches.l1i.block_size;
+}
 #else
-static inline u32 l1_cache_shift(void)
+static inline u32 l1_dcache_shift(void)
 {
 	return L1_CACHE_SHIFT;
 }
 
-static inline u32 l1_cache_bytes(void)
+static inline u32 l1_dcache_bytes(void)
 {
 	return L1_CACHE_BYTES;
 }
+
+static inline u32 l1_icache_shift(void)
+{
+	return L1_CACHE_SHIFT;
+}
+
+static inline u32 l1_icache_bytes(void)
+{
+	return L1_CACHE_BYTES;
+}
+
 #endif
 #endif /* ! __ASSEMBLY__ */
 
diff --git a/arch/powerpc/include/asm/cacheflush.h b/arch/powerpc/include/asm/cacheflush.h
index eef388f2659f4..ed57843ef4524 100644
--- a/arch/powerpc/include/asm/cacheflush.h
+++ b/arch/powerpc/include/asm/cacheflush.h
@@ -63,8 +63,8 @@ static inline void __flush_dcache_icache_phys(unsigned long physaddr)
  */
 static inline void flush_dcache_range(unsigned long start, unsigned long stop)
 {
-	unsigned long shift = l1_cache_shift();
-	unsigned long bytes = l1_cache_bytes();
+	unsigned long shift = l1_dcache_shift();
+	unsigned long bytes = l1_dcache_bytes();
 	void *addr = (void *)(start & ~(bytes - 1));
 	unsigned long size = stop - (unsigned long)addr + (bytes - 1);
 	unsigned long i;
@@ -89,8 +89,8 @@ static inline void flush_dcache_range(unsigned long start, unsigned long stop)
  */
 static inline void clean_dcache_range(unsigned long start, unsigned long stop)
 {
-	unsigned long shift = l1_cache_shift();
-	unsigned long bytes = l1_cache_bytes();
+	unsigned long shift = l1_dcache_shift();
+	unsigned long bytes = l1_dcache_bytes();
 	void *addr = (void *)(start & ~(bytes - 1));
 	unsigned long size = stop - (unsigned long)addr + (bytes - 1);
 	unsigned long i;
@@ -108,8 +108,8 @@ static inline void clean_dcache_range(unsigned long start, unsigned long stop)
 static inline void invalidate_dcache_range(unsigned long start,
 					   unsigned long stop)
 {
-	unsigned long shift = l1_cache_shift();
-	unsigned long bytes = l1_cache_bytes();
+	unsigned long shift = l1_dcache_shift();
+	unsigned long bytes = l1_dcache_bytes();
 	void *addr = (void *)(start & ~(bytes - 1));
 	unsigned long size = stop - (unsigned long)addr + (bytes - 1);
 	unsigned long i;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 123/168] powerpc: Convert flush_icache_range & friends to C
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 122/168] powerpc: define helpers to get L1 icache sizes Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 124/168] powerpc/mm: Fix missing KUAP disable in flush_coherent_icache() Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alastair DSilva, Christophe Leroy,
	Michael Ellerman, Sasha Levin

From: Alastair D'Silva <alastair@d-silva.org>

[ Upstream commit 23eb7f560a2a6a1b0dbaaaae8685da75314347e4 ]

Similar to commit 22e9c88d486a
("powerpc/64: reuse PPC32 static inline flush_dcache_range()")
this patch converts the following ASM symbols to C:
    flush_icache_range()
    __flush_dcache_icache()
    __flush_dcache_icache_phys()

This was done as we discovered a long-standing bug where the length of the
range was truncated due to using a 32 bit shift instead of a 64 bit one.

By converting these functions to C, it becomes easier to maintain.

flush_dcache_icache_phys() retains a critical assembler section as we must
ensure there are no memory accesses while the data MMU is disabled
(authored by Christophe Leroy). Since this has no external callers, it has
also been made static, allowing the compiler to inline it within
flush_dcache_icache_page().

Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
[mpe: Minor fixups, don't export __flush_dcache_icache()]
Link: https://lore.kernel.org/r/20191104023305.9581-5-alastair@au1.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/include/asm/cache.h      |  26 ++---
 arch/powerpc/include/asm/cacheflush.h |  24 ++---
 arch/powerpc/kernel/misc_32.S         | 120 ---------------------
 arch/powerpc/kernel/misc_64.S         | 102 ------------------
 arch/powerpc/mm/mem.c                 | 150 +++++++++++++++++++++++++-
 5 files changed, 170 insertions(+), 252 deletions(-)

diff --git a/arch/powerpc/include/asm/cache.h b/arch/powerpc/include/asm/cache.h
index afb88754e0e07..72b81015cebe9 100644
--- a/arch/powerpc/include/asm/cache.h
+++ b/arch/powerpc/include/asm/cache.h
@@ -96,22 +96,7 @@ static inline u32 l1_icache_bytes(void)
 }
 
 #endif
-#endif /* ! __ASSEMBLY__ */
-
-#if defined(__ASSEMBLY__)
-/*
- * For a snooping icache, we still need a dummy icbi to purge all the
- * prefetched instructions from the ifetch buffers. We also need a sync
- * before the icbi to order the the actual stores to memory that might
- * have modified instructions with the icbi.
- */
-#define PURGE_PREFETCHED_INS	\
-	sync;			\
-	icbi	0,r3;		\
-	sync;			\
-	isync
 
-#else
 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
 
 #ifdef CONFIG_PPC_BOOK3S_32
@@ -145,6 +130,17 @@ static inline void dcbst(void *addr)
 {
 	__asm__ __volatile__ ("dcbst 0, %0" : : "r"(addr) : "memory");
 }
+
+static inline void icbi(void *addr)
+{
+	asm volatile ("icbi 0, %0" : : "r"(addr) : "memory");
+}
+
+static inline void iccci(void *addr)
+{
+	asm volatile ("iccci 0, %0" : : "r"(addr) : "memory");
+}
+
 #endif /* !__ASSEMBLY__ */
 #endif /* __KERNEL__ */
 #endif /* _ASM_POWERPC_CACHE_H */
diff --git a/arch/powerpc/include/asm/cacheflush.h b/arch/powerpc/include/asm/cacheflush.h
index ed57843ef4524..4a1c9f0200e1b 100644
--- a/arch/powerpc/include/asm/cacheflush.h
+++ b/arch/powerpc/include/asm/cacheflush.h
@@ -42,24 +42,20 @@ extern void flush_dcache_page(struct page *page);
 #define flush_dcache_mmap_lock(mapping)		do { } while (0)
 #define flush_dcache_mmap_unlock(mapping)	do { } while (0)
 
-extern void flush_icache_range(unsigned long, unsigned long);
+void flush_icache_range(unsigned long start, unsigned long stop);
 extern void flush_icache_user_range(struct vm_area_struct *vma,
 				    struct page *page, unsigned long addr,
 				    int len);
-extern void __flush_dcache_icache(void *page_va);
 extern void flush_dcache_icache_page(struct page *page);
-#if defined(CONFIG_PPC32) && !defined(CONFIG_BOOKE)
-extern void __flush_dcache_icache_phys(unsigned long physaddr);
-#else
-static inline void __flush_dcache_icache_phys(unsigned long physaddr)
-{
-	BUG();
-}
-#endif
-
-/*
- * Write any modified data cache blocks out to memory and invalidate them.
- * Does not invalidate the corresponding instruction cache blocks.
+void __flush_dcache_icache(void *page);
+
+/**
+ * flush_dcache_range(): Write any modified data cache blocks out to memory and
+ * invalidate them. Does not invalidate the corresponding instruction cache
+ * blocks.
+ *
+ * @start: the start address
+ * @stop: the stop address (exclusive)
  */
 static inline void flush_dcache_range(unsigned long start, unsigned long stop)
 {
diff --git a/arch/powerpc/kernel/misc_32.S b/arch/powerpc/kernel/misc_32.S
index 82df4b09e79f4..f4e4a1926a7a5 100644
--- a/arch/powerpc/kernel/misc_32.S
+++ b/arch/powerpc/kernel/misc_32.S
@@ -316,126 +316,6 @@ _GLOBAL(flush_instruction_cache)
 EXPORT_SYMBOL(flush_instruction_cache)
 #endif /* CONFIG_PPC_8xx */
 
-/*
- * Write any modified data cache blocks out to memory
- * and invalidate the corresponding instruction cache blocks.
- * This is a no-op on the 601.
- *
- * flush_icache_range(unsigned long start, unsigned long stop)
- */
-_GLOBAL(flush_icache_range)
-#if defined(CONFIG_PPC_BOOK3S_601) || defined(CONFIG_E200)
-	PURGE_PREFETCHED_INS
-	blr				/* for 601 and e200, do nothing */
-#else
-	rlwinm	r3,r3,0,0,31 - L1_CACHE_SHIFT
-	subf	r4,r3,r4
-	addi	r4,r4,L1_CACHE_BYTES - 1
-	srwi.	r4,r4,L1_CACHE_SHIFT
-	beqlr
-	mtctr	r4
-	mr	r6,r3
-1:	dcbst	0,r3
-	addi	r3,r3,L1_CACHE_BYTES
-	bdnz	1b
-	sync				/* wait for dcbst's to get to ram */
-#ifndef CONFIG_44x
-	mtctr	r4
-2:	icbi	0,r6
-	addi	r6,r6,L1_CACHE_BYTES
-	bdnz	2b
-#else
-	/* Flash invalidate on 44x because we are passed kmapped addresses and
-	   this doesn't work for userspace pages due to the virtually tagged
-	   icache.  Sigh. */
-	iccci	0, r0
-#endif
-	sync				/* additional sync needed on g4 */
-	isync
-	blr
-#endif
-_ASM_NOKPROBE_SYMBOL(flush_icache_range)
-EXPORT_SYMBOL(flush_icache_range)
-
-/*
- * Flush a particular page from the data cache to RAM.
- * Note: this is necessary because the instruction cache does *not*
- * snoop from the data cache.
- * This is a no-op on the 601 and e200 which have a unified cache.
- *
- *	void __flush_dcache_icache(void *page)
- */
-_GLOBAL(__flush_dcache_icache)
-#if defined(CONFIG_PPC_BOOK3S_601) || defined(CONFIG_E200)
-	PURGE_PREFETCHED_INS
-	blr
-#else
-	rlwinm	r3,r3,0,0,31-PAGE_SHIFT		/* Get page base address */
-	li	r4,PAGE_SIZE/L1_CACHE_BYTES	/* Number of lines in a page */
-	mtctr	r4
-	mr	r6,r3
-0:	dcbst	0,r3				/* Write line to ram */
-	addi	r3,r3,L1_CACHE_BYTES
-	bdnz	0b
-	sync
-#ifdef CONFIG_44x
-	/* We don't flush the icache on 44x. Those have a virtual icache
-	 * and we don't have access to the virtual address here (it's
-	 * not the page vaddr but where it's mapped in user space). The
-	 * flushing of the icache on these is handled elsewhere, when
-	 * a change in the address space occurs, before returning to
-	 * user space
-	 */
-BEGIN_MMU_FTR_SECTION
-	blr
-END_MMU_FTR_SECTION_IFSET(MMU_FTR_TYPE_44x)
-#endif /* CONFIG_44x */
-	mtctr	r4
-1:	icbi	0,r6
-	addi	r6,r6,L1_CACHE_BYTES
-	bdnz	1b
-	sync
-	isync
-	blr
-#endif
-
-#ifndef CONFIG_BOOKE
-/*
- * Flush a particular page from the data cache to RAM, identified
- * by its physical address.  We turn off the MMU so we can just use
- * the physical address (this may be a highmem page without a kernel
- * mapping).
- *
- *	void __flush_dcache_icache_phys(unsigned long physaddr)
- */
-_GLOBAL(__flush_dcache_icache_phys)
-#if defined(CONFIG_PPC_BOOK3S_601) || defined(CONFIG_E200)
-	PURGE_PREFETCHED_INS
-	blr					/* for 601 and e200, do nothing */
-#else
-	mfmsr	r10
-	rlwinm	r0,r10,0,28,26			/* clear DR */
-	mtmsr	r0
-	isync
-	rlwinm	r3,r3,0,0,31-PAGE_SHIFT		/* Get page base address */
-	li	r4,PAGE_SIZE/L1_CACHE_BYTES	/* Number of lines in a page */
-	mtctr	r4
-	mr	r6,r3
-0:	dcbst	0,r3				/* Write line to ram */
-	addi	r3,r3,L1_CACHE_BYTES
-	bdnz	0b
-	sync
-	mtctr	r4
-1:	icbi	0,r6
-	addi	r6,r6,L1_CACHE_BYTES
-	bdnz	1b
-	sync
-	mtmsr	r10				/* restore DR */
-	isync
-	blr
-#endif
-#endif /* CONFIG_BOOKE */
-
 /*
  * Copy a whole page.  We use the dcbz instruction on the destination
  * to reduce memory traffic (it eliminates the unnecessary reads of
diff --git a/arch/powerpc/kernel/misc_64.S b/arch/powerpc/kernel/misc_64.S
index 9bc0aa9aeb654..ff20c253f2737 100644
--- a/arch/powerpc/kernel/misc_64.S
+++ b/arch/powerpc/kernel/misc_64.S
@@ -49,108 +49,6 @@ _GLOBAL(call_do_irq)
 	mtlr	r0
 	blr
 
-	.section	".toc","aw"
-PPC64_CACHES:
-	.tc		ppc64_caches[TC],ppc64_caches
-	.section	".text"
-
-/*
- * Write any modified data cache blocks out to memory
- * and invalidate the corresponding instruction cache blocks.
- *
- * flush_icache_range(unsigned long start, unsigned long stop)
- *
- *   flush all bytes from start through stop-1 inclusive
- */
-
-_GLOBAL_TOC(flush_icache_range)
-BEGIN_FTR_SECTION
-	PURGE_PREFETCHED_INS
-	blr
-END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_ICACHE)
-/*
- * Flush the data cache to memory 
- * 
- * Different systems have different cache line sizes
- * and in some cases i-cache and d-cache line sizes differ from
- * each other.
- */
- 	ld	r10,PPC64_CACHES@toc(r2)
-	lwz	r7,DCACHEL1BLOCKSIZE(r10)/* Get cache block size */
-	addi	r5,r7,-1
-	andc	r6,r3,r5		/* round low to line bdy */
-	subf	r8,r6,r4		/* compute length */
-	add	r8,r8,r5		/* ensure we get enough */
-	lwz	r9,DCACHEL1LOGBLOCKSIZE(r10)	/* Get log-2 of cache block size */
-	srd.	r8,r8,r9		/* compute line count */
-	beqlr				/* nothing to do? */
-	mtctr	r8
-1:	dcbst	0,r6
-	add	r6,r6,r7
-	bdnz	1b
-	sync
-
-/* Now invalidate the instruction cache */
-	
-	lwz	r7,ICACHEL1BLOCKSIZE(r10)	/* Get Icache block size */
-	addi	r5,r7,-1
-	andc	r6,r3,r5		/* round low to line bdy */
-	subf	r8,r6,r4		/* compute length */
-	add	r8,r8,r5
-	lwz	r9,ICACHEL1LOGBLOCKSIZE(r10)	/* Get log-2 of Icache block size */
-	srd.	r8,r8,r9		/* compute line count */
-	beqlr				/* nothing to do? */
-	mtctr	r8
-2:	icbi	0,r6
-	add	r6,r6,r7
-	bdnz	2b
-	isync
-	blr
-_ASM_NOKPROBE_SYMBOL(flush_icache_range)
-EXPORT_SYMBOL(flush_icache_range)
-
-/*
- * Flush a particular page from the data cache to RAM.
- * Note: this is necessary because the instruction cache does *not*
- * snoop from the data cache.
- *
- *	void __flush_dcache_icache(void *page)
- */
-_GLOBAL(__flush_dcache_icache)
-/*
- * Flush the data cache to memory 
- * 
- * Different systems have different cache line sizes
- */
-
-BEGIN_FTR_SECTION
-	PURGE_PREFETCHED_INS
-	blr
-END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_ICACHE)
-
-/* Flush the dcache */
- 	ld	r7,PPC64_CACHES@toc(r2)
-	clrrdi	r3,r3,PAGE_SHIFT           	    /* Page align */
-	lwz	r4,DCACHEL1BLOCKSPERPAGE(r7)	/* Get # dcache blocks per page */
-	lwz	r5,DCACHEL1BLOCKSIZE(r7)	/* Get dcache block size */
-	mr	r6,r3
-	mtctr	r4
-0:	dcbst	0,r6
-	add	r6,r6,r5
-	bdnz	0b
-	sync
-
-/* Now invalidate the icache */	
-
-	lwz	r4,ICACHEL1BLOCKSPERPAGE(r7)	/* Get # icache blocks per page */
-	lwz	r5,ICACHEL1BLOCKSIZE(r7)	/* Get icache block size */
-	mtctr	r4
-1:	icbi	0,r3
-	add	r3,r3,r5
-	bdnz	1b
-	isync
-	blr
-
 _GLOBAL(__bswapdi2)
 EXPORT_SYMBOL(__bswapdi2)
 	srdi	r8,r3,32
diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c
index 9f5b32163bda3..6612796ea69c2 100644
--- a/arch/powerpc/mm/mem.c
+++ b/arch/powerpc/mm/mem.c
@@ -348,6 +348,120 @@ void free_initmem(void)
 	free_initmem_default(POISON_FREE_INITMEM);
 }
 
+/**
+ * flush_coherent_icache() - if a CPU has a coherent icache, flush it
+ * @addr: The base address to use (can be any valid address, the whole cache will be flushed)
+ * Return true if the cache was flushed, false otherwise
+ */
+static inline bool flush_coherent_icache(unsigned long addr)
+{
+	/*
+	 * For a snooping icache, we still need a dummy icbi to purge all the
+	 * prefetched instructions from the ifetch buffers. We also need a sync
+	 * before the icbi to order the the actual stores to memory that might
+	 * have modified instructions with the icbi.
+	 */
+	if (cpu_has_feature(CPU_FTR_COHERENT_ICACHE)) {
+		mb(); /* sync */
+		icbi((void *)addr);
+		mb(); /* sync */
+		isync();
+		return true;
+	}
+
+	return false;
+}
+
+/**
+ * invalidate_icache_range() - Flush the icache by issuing icbi across an address range
+ * @start: the start address
+ * @stop: the stop address (exclusive)
+ */
+static void invalidate_icache_range(unsigned long start, unsigned long stop)
+{
+	unsigned long shift = l1_icache_shift();
+	unsigned long bytes = l1_icache_bytes();
+	char *addr = (char *)(start & ~(bytes - 1));
+	unsigned long size = stop - (unsigned long)addr + (bytes - 1);
+	unsigned long i;
+
+	for (i = 0; i < size >> shift; i++, addr += bytes)
+		icbi(addr);
+
+	mb(); /* sync */
+	isync();
+}
+
+/**
+ * flush_icache_range: Write any modified data cache blocks out to memory
+ * and invalidate the corresponding blocks in the instruction cache
+ *
+ * Generic code will call this after writing memory, before executing from it.
+ *
+ * @start: the start address
+ * @stop: the stop address (exclusive)
+ */
+void flush_icache_range(unsigned long start, unsigned long stop)
+{
+	if (flush_coherent_icache(start))
+		return;
+
+	clean_dcache_range(start, stop);
+
+	if (IS_ENABLED(CONFIG_44x)) {
+		/*
+		 * Flash invalidate on 44x because we are passed kmapped
+		 * addresses and this doesn't work for userspace pages due to
+		 * the virtually tagged icache.
+		 */
+		iccci((void *)start);
+		mb(); /* sync */
+		isync();
+	} else
+		invalidate_icache_range(start, stop);
+}
+EXPORT_SYMBOL(flush_icache_range);
+
+#if !defined(CONFIG_PPC_8xx) && !defined(CONFIG_PPC64)
+/**
+ * flush_dcache_icache_phys() - Flush a page by it's physical address
+ * @physaddr: the physical address of the page
+ */
+static void flush_dcache_icache_phys(unsigned long physaddr)
+{
+	unsigned long bytes = l1_dcache_bytes();
+	unsigned long nb = PAGE_SIZE / bytes;
+	unsigned long addr = physaddr & PAGE_MASK;
+	unsigned long msr, msr0;
+	unsigned long loop1 = addr, loop2 = addr;
+
+	msr0 = mfmsr();
+	msr = msr0 & ~MSR_DR;
+	/*
+	 * This must remain as ASM to prevent potential memory accesses
+	 * while the data MMU is disabled
+	 */
+	asm volatile(
+		"   mtctr %2;\n"
+		"   mtmsr %3;\n"
+		"   isync;\n"
+		"0: dcbst   0, %0;\n"
+		"   addi    %0, %0, %4;\n"
+		"   bdnz    0b;\n"
+		"   sync;\n"
+		"   mtctr %2;\n"
+		"1: icbi    0, %1;\n"
+		"   addi    %1, %1, %4;\n"
+		"   bdnz    1b;\n"
+		"   sync;\n"
+		"   mtmsr %5;\n"
+		"   isync;\n"
+		: "+&r" (loop1), "+&r" (loop2)
+		: "r" (nb), "r" (msr), "i" (bytes), "r" (msr0)
+		: "ctr", "memory");
+}
+#endif // !defined(CONFIG_PPC_8xx) && !defined(CONFIG_PPC64)
+
 /*
  * This is called when a page has been modified by the kernel.
  * It just marks the page as not i-cache clean.  We do the i-cache
@@ -380,12 +494,46 @@ void flush_dcache_icache_page(struct page *page)
 		__flush_dcache_icache(start);
 		kunmap_atomic(start);
 	} else {
-		__flush_dcache_icache_phys(page_to_pfn(page) << PAGE_SHIFT);
+		unsigned long addr = page_to_pfn(page) << PAGE_SHIFT;
+
+		if (flush_coherent_icache(addr))
+			return;
+		flush_dcache_icache_phys(addr);
 	}
 #endif
 }
 EXPORT_SYMBOL(flush_dcache_icache_page);
 
+/**
+ * __flush_dcache_icache(): Flush a particular page from the data cache to RAM.
+ * Note: this is necessary because the instruction cache does *not*
+ * snoop from the data cache.
+ *
+ * @page: the address of the page to flush
+ */
+void __flush_dcache_icache(void *p)
+{
+	unsigned long addr = (unsigned long)p;
+
+	if (flush_coherent_icache(addr))
+		return;
+
+	clean_dcache_range(addr, addr + PAGE_SIZE);
+
+	/*
+	 * We don't flush the icache on 44x. Those have a virtual icache and we
+	 * don't have access to the virtual address here (it's not the page
+	 * vaddr but where it's mapped in user space). The flushing of the
+	 * icache on these is handled elsewhere, when a change in the address
+	 * space occurs, before returning to user space.
+	 */
+
+	if (cpu_has_feature(MMU_FTR_TYPE_44x))
+		return;
+
+	invalidate_icache_range(addr, addr + PAGE_SIZE);
+}
+
 void clear_user_page(void *page, unsigned long vaddr, struct page *pg)
 {
 	clear_page(page);
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 124/168] powerpc/mm: Fix missing KUAP disable in flush_coherent_icache()
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 123/168] powerpc: Convert flush_icache_range & friends to C Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 125/168] ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Berger, Michael Ellerman, Sasha Levin

From: Michael Ellerman <mpe@ellerman.id.au>

[ Upstream commit 59bee45b9712c759ea4d3dcc4eff1752f3a66558 ]

Stefan reported a strange kernel fault which turned out to be due to a
missing KUAP disable in flush_coherent_icache() called from
flush_icache_range().

The fault looks like:

  Kernel attempted to access user page (7fffc30d9c00) - exploit attempt? (uid: 1009)
  BUG: Unable to handle kernel data access on read at 0x7fffc30d9c00
  Faulting instruction address: 0xc00000000007232c
  Oops: Kernel access of bad area, sig: 11 [#1]
  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
  CPU: 35 PID: 5886 Comm: sigtramp Not tainted 5.6.0-rc2-gcc-8.2.0-00003-gfc37a1632d40 #79
  NIP:  c00000000007232c LR: c00000000003b7fc CTR: 0000000000000000
  REGS: c000001e11093940 TRAP: 0300   Not tainted  (5.6.0-rc2-gcc-8.2.0-00003-gfc37a1632d40)
  MSR:  900000000280b033 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 28000884  XER: 00000000
  CFAR: c0000000000722fc DAR: 00007fffc30d9c00 DSISR: 08000000 IRQMASK: 0
  GPR00: c00000000003b7fc c000001e11093bd0 c0000000023ac200 00007fffc30d9c00
  GPR04: 00007fffc30d9c18 0000000000000000 c000001e11093bd4 0000000000000000
  GPR08: 0000000000000000 0000000000000001 0000000000000000 c000001e1104ed80
  GPR12: 0000000000000000 c000001fff6ab380 c0000000016be2d0 4000000000000000
  GPR16: c000000000000000 bfffffffffffffff 0000000000000000 0000000000000000
  GPR20: 00007fffc30d9c00 00007fffc30d8f58 00007fffc30d9c18 00007fffc30d9c20
  GPR24: 00007fffc30d9c18 0000000000000000 c000001e11093d90 c000001e1104ed80
  GPR28: c000001e11093e90 0000000000000000 c0000000023d9d18 00007fffc30d9c00
  NIP flush_icache_range+0x5c/0x80
  LR  handle_rt_signal64+0x95c/0xc2c
  Call Trace:
    0xc000001e11093d90 (unreliable)
    handle_rt_signal64+0x93c/0xc2c
    do_notify_resume+0x310/0x430
    ret_from_except_lite+0x70/0x74
  Instruction dump:
  409e002c 7c0802a6 3c62ff31 3863f6a0 f8010080 48195fed 60000000 48fe4c8d
  60000000 e8010080 7c0803a6 7c0004ac <7c00ffac> 7c0004ac 4c00012c 38210070

This path through handle_rt_signal64() to setup_trampoline() and
flush_icache_range() is only triggered by 64-bit processes that have
unmapped their VDSO, which is rare.

flush_icache_range() takes a range of addresses to flush. In
flush_coherent_icache() we implement an optimisation for CPUs where we
know we don't actually have to flush the whole range, we just need to
do a single icbi.

However we still execute the icbi on the user address of the start of
the range we're flushing. On CPUs that also implement KUAP (Power9)
that leads to the spurious fault above.

We should be able to pass any address, including a kernel address, to
the icbi on these CPUs, which would avoid any interaction with KUAP.
But I don't want to make that change in a bug fix, just in case it
surfaces some strange behaviour on some CPU.

So for now just disable KUAP around the icbi. Note the icbi is treated
as a load, so we allow read access, not write as you'd expect.

Fixes: 890274c2dc4c ("powerpc/64s: Implement KUAP for Radix MMU")
Cc: stable@vger.kernel.org # v5.2+
Reported-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200303235708.26004-1-mpe@ellerman.id.au
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/mm/mem.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c
index 6612796ea69c2..96ca90ce0264a 100644
--- a/arch/powerpc/mm/mem.c
+++ b/arch/powerpc/mm/mem.c
@@ -363,7 +363,9 @@ static inline bool flush_coherent_icache(unsigned long addr)
 	 */
 	if (cpu_has_feature(CPU_FTR_COHERENT_ICACHE)) {
 		mb(); /* sync */
+		allow_read_from_user((const void __user *)addr, L1_CACHE_BYTES);
 		icbi((void *)addr);
+		prevent_read_from_user((const void __user *)addr, L1_CACHE_BYTES);
 		mb(); /* sync */
 		isync();
 		return true;
-- 
2.20.1




^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 125/168] ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 124/168] powerpc/mm: Fix missing KUAP disable in flush_coherent_icache() Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 126/168] ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Cezary Rojewski, Mark Brown

From: Takashi Iwai <tiwai@suse.de>

commit 6c89ffea60aa3b2a33ae7987de1e84bfb89e4c9e upstream.

dpcm_show_state() invokes multiple snprintf() calls to concatenate
formatted strings on the fixed size buffer.  The usage of snprintf()
is supposed for avoiding the buffer overflow, but it doesn't work as
expected because snprintf() doesn't return the actual output size but
the size to be written.

Fix this bug by replacing all snprintf() calls with scnprintf()
calls.

Fixes: f86dcef87b77 ("ASoC: dpcm: Add debugFS support for DPCM")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Acked-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://lore.kernel.org/r/20200218111737.14193-4-tiwai@suse.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/soc-pcm.c |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/sound/soc/soc-pcm.c
+++ b/sound/soc/soc-pcm.c
@@ -3169,16 +3169,16 @@ static ssize_t dpcm_show_state(struct sn
 	unsigned long flags;
 
 	/* FE state */
-	offset += snprintf(buf + offset, size - offset,
+	offset += scnprintf(buf + offset, size - offset,
 			"[%s - %s]\n", fe->dai_link->name,
 			stream ? "Capture" : "Playback");
 
-	offset += snprintf(buf + offset, size - offset, "State: %s\n",
+	offset += scnprintf(buf + offset, size - offset, "State: %s\n",
 	                dpcm_state_string(fe->dpcm[stream].state));
 
 	if ((fe->dpcm[stream].state >= SND_SOC_DPCM_STATE_HW_PARAMS) &&
 	    (fe->dpcm[stream].state <= SND_SOC_DPCM_STATE_STOP))
-		offset += snprintf(buf + offset, size - offset,
+		offset += scnprintf(buf + offset, size - offset,
 				"Hardware Params: "
 				"Format = %s, Channels = %d, Rate = %d\n",
 				snd_pcm_format_name(params_format(params)),
@@ -3186,10 +3186,10 @@ static ssize_t dpcm_show_state(struct sn
 				params_rate(params));
 
 	/* BEs state */
-	offset += snprintf(buf + offset, size - offset, "Backends:\n");
+	offset += scnprintf(buf + offset, size - offset, "Backends:\n");
 
 	if (list_empty(&fe->dpcm[stream].be_clients)) {
-		offset += snprintf(buf + offset, size - offset,
+		offset += scnprintf(buf + offset, size - offset,
 				" No active DSP links\n");
 		goto out;
 	}
@@ -3199,16 +3199,16 @@ static ssize_t dpcm_show_state(struct sn
 		struct snd_soc_pcm_runtime *be = dpcm->be;
 		params = &dpcm->hw_params;
 
-		offset += snprintf(buf + offset, size - offset,
+		offset += scnprintf(buf + offset, size - offset,
 				"- %s\n", be->dai_link->name);
 
-		offset += snprintf(buf + offset, size - offset,
+		offset += scnprintf(buf + offset, size - offset,
 				"   State: %s\n",
 				dpcm_state_string(be->dpcm[stream].state));
 
 		if ((be->dpcm[stream].state >= SND_SOC_DPCM_STATE_HW_PARAMS) &&
 		    (be->dpcm[stream].state <= SND_SOC_DPCM_STATE_STOP))
-			offset += snprintf(buf + offset, size - offset,
+			offset += scnprintf(buf + offset, size - offset,
 				"   Hardware Params: "
 				"Format = %s, Channels = %d, Rate = %d\n",
 				snd_pcm_format_name(params_format(params)),



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 126/168] ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 125/168] ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 127/168] ASoC: Intel: Skylake: Fix available clock counter incrementation Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Reichl,
	Pierre-Louis Bossart, Mark Brown

From: Matthias Reichl <hias@horus.com>

commit ac0a68997935c4acb92eaae5ad8982e0bb432d56 upstream.

When we get a clock error during probe we have to call
regulator_bulk_disable before bailing out, otherwise we trigger
a warning in regulator_put.

Fix this by using "goto err" like in the error cases above.

Fixes: 5a3af1293194d ("ASoC: pcm512x: Add PCM512x driver")
Signed-off-by: Matthias Reichl <hias@horus.com>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20200220202956.29233-1-hias@horus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/codecs/pcm512x.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/sound/soc/codecs/pcm512x.c
+++ b/sound/soc/codecs/pcm512x.c
@@ -1564,13 +1564,15 @@ int pcm512x_probe(struct device *dev, st
 	}
 
 	pcm512x->sclk = devm_clk_get(dev, NULL);
-	if (PTR_ERR(pcm512x->sclk) == -EPROBE_DEFER)
-		return -EPROBE_DEFER;
+	if (PTR_ERR(pcm512x->sclk) == -EPROBE_DEFER) {
+		ret = -EPROBE_DEFER;
+		goto err;
+	}
 	if (!IS_ERR(pcm512x->sclk)) {
 		ret = clk_prepare_enable(pcm512x->sclk);
 		if (ret != 0) {
 			dev_err(dev, "Failed to enable SCLK: %d\n", ret);
-			return ret;
+			goto err;
 		}
 	}
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 127/168] ASoC: Intel: Skylake: Fix available clock counter incrementation
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 126/168] ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 128/168] ASoC: dapm: Correct DAPM handling of active widgets during shutdown Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Amadeusz Sławiński,
	Cezary Rojewski, Pierre-Louis Bossart, Mark Brown

From: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>

commit 8308a09e87d2cb51adb186dc7d5a5c1913fb0758 upstream.

Incrementation of avail_clk_cnt was incorrectly moved to error path. Put
it back to success path.

Fixes: 6ee927f2f01466 ('ASoC: Intel: Skylake: Fix NULL ptr dereference when unloading clk dev')
Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20200224125202.13784-1-amadeuszx.slawinski@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/intel/skylake/skl-ssp-clk.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/sound/soc/intel/skylake/skl-ssp-clk.c
+++ b/sound/soc/intel/skylake/skl-ssp-clk.c
@@ -384,9 +384,11 @@ static int skl_clk_dev_probe(struct plat
 				&clks[i], clk_pdata, i);
 
 		if (IS_ERR(data->clk[data->avail_clk_cnt])) {
-			ret = PTR_ERR(data->clk[data->avail_clk_cnt++]);
+			ret = PTR_ERR(data->clk[data->avail_clk_cnt]);
 			goto err_unreg_skl_clk;
 		}
+
+		data->avail_clk_cnt++;
 	}
 
 	platform_set_drvdata(pdev, data);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 128/168] ASoC: dapm: Correct DAPM handling of active widgets during shutdown
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 127/168] ASoC: Intel: Skylake: Fix available clock counter incrementation Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 129/168] spi: atmel-quadspi: fix possible MMIO window size overrun Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Charles Keepax, Mark Brown

From: Charles Keepax <ckeepax@opensource.cirrus.com>

commit 9b3193089e77d3b59b045146ff1c770dd899acb1 upstream.

commit c2caa4da46a4 ("ASoC: Fix widget powerdown on shutdown") added a
set of the power state during snd_soc_dapm_shutdown to ensure the
widgets powered off. However, when commit 39eb5fd13dff
("ASoC: dapm: Delay w->power update until the changes are written")
added the new_power member of the widget structure, to differentiate
between the current power state and the target power state, it did not
update the shutdown to use the new_power member.

As new_power has not updated it will be left in the state set by the
last DAPM sequence, ie. 1 for active widgets. So as the DAPM sequence
for the shutdown proceeds it will turn the widgets on (despite them
already being on) rather than turning them off.

Fixes: 39eb5fd13dff ("ASoC: dapm: Delay w->power update until the changes are written")
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://lore.kernel.org/r/20200228153145.21013-1-ckeepax@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/soc-dapm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -4749,7 +4749,7 @@ static void soc_dapm_shutdown_dapm(struc
 			continue;
 		if (w->power) {
 			dapm_seq_insert(w, &down_list, false);
-			w->power = 0;
+			w->new_power = 0;
 			powerdown = 1;
 		}
 	}



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 129/168] spi: atmel-quadspi: fix possible MMIO window size overrun
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 128/168] ASoC: dapm: Correct DAPM handling of active widgets during shutdown Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 130/168] drm/panfrost: Dont try to map on error faults Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tudor Ambarus, Mark Brown

From: Tudor Ambarus <tudor.ambarus@microchip.com>

commit 8e093ea4d3593379be46b845b9e823179558047e upstream.

The QSPI controller memory space is limited to 128MB:
0x9000_00000-0x9800_00000/0XD000_0000--0XD800_0000.

There are nor flashes that are bigger in size than the memory size
supported by the controller: Micron MT25QL02G (256 MB).

Check if the address exceeds the MMIO window size. An improvement
would be to add support for regular SPI mode and fall back to it
when the flash memories overrun the controller's memory space.

Fixes: 0e6aae08e9ae ("spi: Add QuadSPI driver for Atmel SAMA5D2")
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Link: https://lore.kernel.org/r/20200228155437.1558219-1-tudor.ambarus@microchip.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/spi/atmel-quadspi.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/spi/atmel-quadspi.c
+++ b/drivers/spi/atmel-quadspi.c
@@ -149,6 +149,7 @@ struct atmel_qspi {
 	struct clk		*qspick;
 	struct platform_device	*pdev;
 	const struct atmel_qspi_caps *caps;
+	resource_size_t		mmap_size;
 	u32			pending;
 	u32			mr;
 	u32			scr;
@@ -329,6 +330,14 @@ static int atmel_qspi_exec_op(struct spi
 	u32 sr, offset;
 	int err;
 
+	/*
+	 * Check if the address exceeds the MMIO window size. An improvement
+	 * would be to add support for regular SPI mode and fall back to it
+	 * when the flash memories overrun the controller's memory space.
+	 */
+	if (op->addr.val + op->data.nbytes > aq->mmap_size)
+		return -ENOTSUPP;
+
 	err = atmel_qspi_set_cfg(aq, op, &offset);
 	if (err)
 		return err;
@@ -480,6 +489,8 @@ static int atmel_qspi_probe(struct platf
 		goto exit;
 	}
 
+	aq->mmap_size = resource_size(res);
+
 	/* Get the peripheral clock */
 	aq->pclk = devm_clk_get(&pdev->dev, "pclk");
 	if (IS_ERR(aq->pclk))



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 130/168] drm/panfrost: Dont try to map on error faults
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 129/168] spi: atmel-quadspi: fix possible MMIO window size overrun Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 131/168] drm: kirin: Revert "Fix for hikey620 display offset problem" Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rob Herring, Tomeu Vizoso,
	Steven Price, Alyssa Rosenzweig

From: Tomeu Vizoso <tomeu.vizoso@collabora.com>

commit eb9d8ddbc107d02e489681f9dcbf93949e1a99a4 upstream.

If the exception type isn't a translation fault, don't try to map and
instead go straight to a terminal fault.

Otherwise, we can get flooded by kernel warnings and further faults.

Fixes: 187d2929206e ("drm/panfrost: Add support for GPU heap allocations")
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Tomeu Vizoso <tomeu.vizoso@collabora.com>
Reviewed-by: Steven Price <steven.price@arm.com>
Reviewed-by: Tomeu Vizoso <tomeu.vizoso@collabora.com>
Acked-by: Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200212202236.13095-1-robh@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/panfrost/panfrost_mmu.c |   44 +++++++++++++-------------------
 1 file changed, 19 insertions(+), 25 deletions(-)

--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c
+++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c
@@ -601,33 +601,27 @@ static irqreturn_t panfrost_mmu_irq_hand
 		source_id = (fault_status >> 16);
 
 		/* Page fault only */
-		if ((status & mask) == BIT(i)) {
-			WARN_ON(exception_type < 0xC1 || exception_type > 0xC4);
-
+		ret = -1;
+		if ((status & mask) == BIT(i) && (exception_type & 0xF8) == 0xC0)
 			ret = panfrost_mmu_map_fault_addr(pfdev, i, addr);
-			if (!ret) {
-				mmu_write(pfdev, MMU_INT_CLEAR, BIT(i));
-				status &= ~mask;
-				continue;
-			}
-		}
 
-		/* terminal fault, print info about the fault */
-		dev_err(pfdev->dev,
-			"Unhandled Page fault in AS%d at VA 0x%016llX\n"
-			"Reason: %s\n"
-			"raw fault status: 0x%X\n"
-			"decoded fault status: %s\n"
-			"exception type 0x%X: %s\n"
-			"access type 0x%X: %s\n"
-			"source id 0x%X\n",
-			i, addr,
-			"TODO",
-			fault_status,
-			(fault_status & (1 << 10) ? "DECODER FAULT" : "SLAVE FAULT"),
-			exception_type, panfrost_exception_name(pfdev, exception_type),
-			access_type, access_type_name(pfdev, fault_status),
-			source_id);
+		if (ret)
+			/* terminal fault, print info about the fault */
+			dev_err(pfdev->dev,
+				"Unhandled Page fault in AS%d at VA 0x%016llX\n"
+				"Reason: %s\n"
+				"raw fault status: 0x%X\n"
+				"decoded fault status: %s\n"
+				"exception type 0x%X: %s\n"
+				"access type 0x%X: %s\n"
+				"source id 0x%X\n",
+				i, addr,
+				"TODO",
+				fault_status,
+				(fault_status & (1 << 10) ? "DECODER FAULT" : "SLAVE FAULT"),
+				exception_type, panfrost_exception_name(pfdev, exception_type),
+				access_type, access_type_name(pfdev, fault_status),
+				source_id);
 
 		mmu_write(pfdev, MMU_INT_CLEAR, mask);
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 131/168] drm: kirin: Revert "Fix for hikey620 display offset problem"
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 130/168] drm/panfrost: Dont try to map on error faults Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 132/168] drm/sun4i: Add separate DE3 VI layer formats Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xinliang Liu, Rongrong Zou,
	Xinwei Kong, Chen Feng, Sam Ravnborg, David Airlie,
	Daniel Vetter, dri-devel, John Stultz

From: John Stultz <john.stultz@linaro.org>

commit 1b79cfd99ff5127e6a143767b51694a527b3ea38 upstream.

This reverts commit ff57c6513820efe945b61863cf4a51b79f18b592.

With the commit ff57c6513820 ("drm: kirin: Fix for hikey620
display offset problem") we added support for handling LDI
overflows by resetting the hardware.

However, its been observed that when we do hit the LDI overflow
condition, the irq seems to be screaming, and we do nothing but
stream:
  [drm:ade_irq_handler [kirin_drm]] *ERROR* LDI underflow!
over and over to the screen

I've tried a few appraoches to avoid this, but none has yet
been successful and the cure here is worse then the original
disease, so revert this for now.

Cc: Xinliang Liu <xinliang.liu@linaro.org>
Cc: Rongrong Zou <zourongrong@gmail.com>
Cc: Xinwei Kong <kong.kongxinwei@hisilicon.com>
Cc: Chen Feng <puck.chen@hisilicon.com>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: dri-devel <dri-devel@lists.freedesktop.org>
Fixes: ff57c6513820 ("drm: kirin: Fix for hikey620 display offset problem")
Signed-off-by: John Stultz <john.stultz@linaro.org>
Acked-by: Xinliang Liu <xinliang.liu@linaro.org>
Signed-off-by: Xinliang Liu <xinliang.liu@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20200303163228.52741-1-john.stultz@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/hisilicon/kirin/kirin_ade_reg.h |    1 -
 drivers/gpu/drm/hisilicon/kirin/kirin_drm_ade.c |   20 --------------------
 2 files changed, 21 deletions(-)

--- a/drivers/gpu/drm/hisilicon/kirin/kirin_ade_reg.h
+++ b/drivers/gpu/drm/hisilicon/kirin/kirin_ade_reg.h
@@ -83,7 +83,6 @@
 #define VSIZE_OFST			20
 #define LDI_INT_EN			0x741C
 #define FRAME_END_INT_EN_OFST		1
-#define UNDERFLOW_INT_EN_OFST		2
 #define LDI_CTRL			0x7420
 #define BPP_OFST			3
 #define DATA_GATE_EN			BIT(2)
--- a/drivers/gpu/drm/hisilicon/kirin/kirin_drm_ade.c
+++ b/drivers/gpu/drm/hisilicon/kirin/kirin_drm_ade.c
@@ -46,7 +46,6 @@ struct ade_hw_ctx {
 	struct clk *media_noc_clk;
 	struct clk *ade_pix_clk;
 	struct reset_control *reset;
-	struct work_struct display_reset_wq;
 	bool power_on;
 	int irq;
 
@@ -136,7 +135,6 @@ static void ade_init(struct ade_hw_ctx *
 	 */
 	ade_update_bits(base + ADE_CTRL, FRM_END_START_OFST,
 			FRM_END_START_MASK, REG_EFFECTIVE_IN_ADEEN_FRMEND);
-	ade_update_bits(base + LDI_INT_EN, UNDERFLOW_INT_EN_OFST, MASK(1), 1);
 }
 
 static bool ade_crtc_mode_fixup(struct drm_crtc *crtc,
@@ -304,17 +302,6 @@ static void ade_crtc_disable_vblank(stru
 			MASK(1), 0);
 }
 
-static void drm_underflow_wq(struct work_struct *work)
-{
-	struct ade_hw_ctx *ctx = container_of(work, struct ade_hw_ctx,
-					      display_reset_wq);
-	struct drm_device *drm_dev = ctx->crtc->dev;
-	struct drm_atomic_state *state;
-
-	state = drm_atomic_helper_suspend(drm_dev);
-	drm_atomic_helper_resume(drm_dev, state);
-}
-
 static irqreturn_t ade_irq_handler(int irq, void *data)
 {
 	struct ade_hw_ctx *ctx = data;
@@ -331,12 +318,6 @@ static irqreturn_t ade_irq_handler(int i
 				MASK(1), 1);
 		drm_crtc_handle_vblank(crtc);
 	}
-	if (status & BIT(UNDERFLOW_INT_EN_OFST)) {
-		ade_update_bits(base + LDI_INT_CLR, UNDERFLOW_INT_EN_OFST,
-				MASK(1), 1);
-		DRM_ERROR("LDI underflow!");
-		schedule_work(&ctx->display_reset_wq);
-	}
 
 	return IRQ_HANDLED;
 }
@@ -919,7 +900,6 @@ static void *ade_hw_ctx_alloc(struct pla
 	if (ret)
 		return ERR_PTR(-EIO);
 
-	INIT_WORK(&ctx->display_reset_wq, drm_underflow_wq);
 	ctx->crtc = crtc;
 
 	return ctx;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 132/168] drm/sun4i: Add separate DE3 VI layer formats
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 131/168] drm: kirin: Revert "Fix for hikey620 display offset problem" Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 133/168] drm/sun4i: Fix DE2 VI layer format support Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maxime Ripard, Jernej Skrabec

From: Jernej Skrabec <jernej.skrabec@siol.net>

commit 169ca4b38932112e8b2ee8baef9cea44678625b3 upstream.

DE3 VI layers support alpha blending, but DE2 VI layers do not.
Additionally, DE3 VI layers support 10-bit RGB and YUV formats.

Make a separate list for DE3.

Fixes: c50519e6db4d ("drm/sun4i: Add basic support for DE3")
Acked-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
Link: https://patchwork.freedesktop.org/patch/msgid/20200224173901.174016-3-jernej.skrabec@siol.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/sun4i/sun8i_mixer.c    |   36 ++++++++++++++++++++
 drivers/gpu/drm/sun4i/sun8i_mixer.h    |   11 ++++++
 drivers/gpu/drm/sun4i/sun8i_vi_layer.c |   58 +++++++++++++++++++++++++++++++--
 3 files changed, 102 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/sun4i/sun8i_mixer.c
+++ b/drivers/gpu/drm/sun4i/sun8i_mixer.c
@@ -149,6 +149,30 @@ static const struct de2_fmt_info de2_for
 		.csc = SUN8I_CSC_MODE_OFF,
 	},
 	{
+		.drm_fmt = DRM_FORMAT_ARGB2101010,
+		.de2_fmt = SUN8I_MIXER_FBFMT_ARGB2101010,
+		.rgb = true,
+		.csc = SUN8I_CSC_MODE_OFF,
+	},
+	{
+		.drm_fmt = DRM_FORMAT_ABGR2101010,
+		.de2_fmt = SUN8I_MIXER_FBFMT_ABGR2101010,
+		.rgb = true,
+		.csc = SUN8I_CSC_MODE_OFF,
+	},
+	{
+		.drm_fmt = DRM_FORMAT_RGBA1010102,
+		.de2_fmt = SUN8I_MIXER_FBFMT_RGBA1010102,
+		.rgb = true,
+		.csc = SUN8I_CSC_MODE_OFF,
+	},
+	{
+		.drm_fmt = DRM_FORMAT_BGRA1010102,
+		.de2_fmt = SUN8I_MIXER_FBFMT_BGRA1010102,
+		.rgb = true,
+		.csc = SUN8I_CSC_MODE_OFF,
+	},
+	{
 		.drm_fmt = DRM_FORMAT_UYVY,
 		.de2_fmt = SUN8I_MIXER_FBFMT_UYVY,
 		.rgb = false,
@@ -244,6 +268,18 @@ static const struct de2_fmt_info de2_for
 		.rgb = false,
 		.csc = SUN8I_CSC_MODE_YVU2RGB,
 	},
+	{
+		.drm_fmt = DRM_FORMAT_P010,
+		.de2_fmt = SUN8I_MIXER_FBFMT_P010_YUV,
+		.rgb = false,
+		.csc = SUN8I_CSC_MODE_YUV2RGB,
+	},
+	{
+		.drm_fmt = DRM_FORMAT_P210,
+		.de2_fmt = SUN8I_MIXER_FBFMT_P210_YUV,
+		.rgb = false,
+		.csc = SUN8I_CSC_MODE_YUV2RGB,
+	},
 };
 
 const struct de2_fmt_info *sun8i_mixer_format_info(u32 format)
--- a/drivers/gpu/drm/sun4i/sun8i_mixer.h
+++ b/drivers/gpu/drm/sun4i/sun8i_mixer.h
@@ -93,6 +93,10 @@
 #define SUN8I_MIXER_FBFMT_ABGR1555	17
 #define SUN8I_MIXER_FBFMT_RGBA5551	18
 #define SUN8I_MIXER_FBFMT_BGRA5551	19
+#define SUN8I_MIXER_FBFMT_ARGB2101010	20
+#define SUN8I_MIXER_FBFMT_ABGR2101010	21
+#define SUN8I_MIXER_FBFMT_RGBA1010102	22
+#define SUN8I_MIXER_FBFMT_BGRA1010102	23
 
 #define SUN8I_MIXER_FBFMT_YUYV		0
 #define SUN8I_MIXER_FBFMT_UYVY		1
@@ -109,6 +113,13 @@
 /* format 12 is semi-planar YUV411 UVUV */
 /* format 13 is semi-planar YUV411 VUVU */
 #define SUN8I_MIXER_FBFMT_YUV411	14
+/* format 15 doesn't exist */
+/* format 16 is P010 YVU */
+#define SUN8I_MIXER_FBFMT_P010_YUV	17
+/* format 18 is P210 YVU */
+#define SUN8I_MIXER_FBFMT_P210_YUV	19
+/* format 20 is packed YVU444 10-bit */
+/* format 21 is packed YUV444 10-bit */
 
 /*
  * Sub-engines listed bellow are unused for now. The EN registers are here only
--- a/drivers/gpu/drm/sun4i/sun8i_vi_layer.c
+++ b/drivers/gpu/drm/sun4i/sun8i_vi_layer.c
@@ -438,24 +438,76 @@ static const u32 sun8i_vi_layer_formats[
 	DRM_FORMAT_YVU444,
 };
 
+static const u32 sun8i_vi_layer_de3_formats[] = {
+	DRM_FORMAT_ABGR1555,
+	DRM_FORMAT_ABGR2101010,
+	DRM_FORMAT_ABGR4444,
+	DRM_FORMAT_ABGR8888,
+	DRM_FORMAT_ARGB1555,
+	DRM_FORMAT_ARGB2101010,
+	DRM_FORMAT_ARGB4444,
+	DRM_FORMAT_ARGB8888,
+	DRM_FORMAT_BGR565,
+	DRM_FORMAT_BGR888,
+	DRM_FORMAT_BGRA1010102,
+	DRM_FORMAT_BGRA5551,
+	DRM_FORMAT_BGRA4444,
+	DRM_FORMAT_BGRA8888,
+	DRM_FORMAT_BGRX8888,
+	DRM_FORMAT_RGB565,
+	DRM_FORMAT_RGB888,
+	DRM_FORMAT_RGBA1010102,
+	DRM_FORMAT_RGBA4444,
+	DRM_FORMAT_RGBA5551,
+	DRM_FORMAT_RGBA8888,
+	DRM_FORMAT_RGBX8888,
+	DRM_FORMAT_XBGR8888,
+	DRM_FORMAT_XRGB8888,
+
+	DRM_FORMAT_NV16,
+	DRM_FORMAT_NV12,
+	DRM_FORMAT_NV21,
+	DRM_FORMAT_NV61,
+	DRM_FORMAT_P010,
+	DRM_FORMAT_P210,
+	DRM_FORMAT_UYVY,
+	DRM_FORMAT_VYUY,
+	DRM_FORMAT_YUYV,
+	DRM_FORMAT_YVYU,
+	DRM_FORMAT_YUV411,
+	DRM_FORMAT_YUV420,
+	DRM_FORMAT_YUV422,
+	DRM_FORMAT_YVU411,
+	DRM_FORMAT_YVU420,
+	DRM_FORMAT_YVU422,
+};
+
 struct sun8i_vi_layer *sun8i_vi_layer_init_one(struct drm_device *drm,
 					       struct sun8i_mixer *mixer,
 					       int index)
 {
 	u32 supported_encodings, supported_ranges;
+	unsigned int plane_cnt, format_count;
 	struct sun8i_vi_layer *layer;
-	unsigned int plane_cnt;
+	const u32 *formats;
 	int ret;
 
 	layer = devm_kzalloc(drm->dev, sizeof(*layer), GFP_KERNEL);
 	if (!layer)
 		return ERR_PTR(-ENOMEM);
 
+	if (mixer->cfg->is_de3) {
+		formats = sun8i_vi_layer_de3_formats;
+		format_count = ARRAY_SIZE(sun8i_vi_layer_de3_formats);
+	} else {
+		formats = sun8i_vi_layer_formats;
+		format_count = ARRAY_SIZE(sun8i_vi_layer_formats);
+	}
+
 	/* possible crtcs are set later */
 	ret = drm_universal_plane_init(drm, &layer->plane, 0,
 				       &sun8i_vi_layer_funcs,
-				       sun8i_vi_layer_formats,
-				       ARRAY_SIZE(sun8i_vi_layer_formats),
+				       formats, format_count,
 				       NULL, DRM_PLANE_TYPE_OVERLAY, NULL);
 	if (ret) {
 		dev_err(drm->dev, "Couldn't initialize layer\n");



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 133/168] drm/sun4i: Fix DE2 VI layer format support
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 132/168] drm/sun4i: Add separate DE3 VI layer formats Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 134/168] drm/sun4i: de2/de3: Remove unsupported VI layer formats Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maxime Ripard, Jernej Skrabec

From: Jernej Skrabec <jernej.skrabec@siol.net>

commit 20896ef137340e9426cf322606f764452f5eb960 upstream.

DE2 VI layer doesn't support blending which means alpha channel is
ignored. Replace all formats with alpha with "don't care" (X) channel.

Fixes: 7480ba4d7571 ("drm/sun4i: Add support for DE2 VI planes")
Acked-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
Link: https://patchwork.freedesktop.org/patch/msgid/20200224173901.174016-4-jernej.skrabec@siol.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/sun4i/sun8i_mixer.c    |   56 +++++++++++++++++++++++++++++++++
 drivers/gpu/drm/sun4i/sun8i_vi_layer.c |   22 ++++++------
 2 files changed, 67 insertions(+), 11 deletions(-)

--- a/drivers/gpu/drm/sun4i/sun8i_mixer.c
+++ b/drivers/gpu/drm/sun4i/sun8i_mixer.c
@@ -107,46 +107,102 @@ static const struct de2_fmt_info de2_for
 		.csc = SUN8I_CSC_MODE_OFF,
 	},
 	{
+		/* for DE2 VI layer which ignores alpha */
+		.drm_fmt = DRM_FORMAT_XRGB4444,
+		.de2_fmt = SUN8I_MIXER_FBFMT_ARGB4444,
+		.rgb = true,
+		.csc = SUN8I_CSC_MODE_OFF,
+	},
+	{
 		.drm_fmt = DRM_FORMAT_ABGR4444,
 		.de2_fmt = SUN8I_MIXER_FBFMT_ABGR4444,
 		.rgb = true,
 		.csc = SUN8I_CSC_MODE_OFF,
 	},
 	{
+		/* for DE2 VI layer which ignores alpha */
+		.drm_fmt = DRM_FORMAT_XBGR4444,
+		.de2_fmt = SUN8I_MIXER_FBFMT_ABGR4444,
+		.rgb = true,
+		.csc = SUN8I_CSC_MODE_OFF,
+	},
+	{
 		.drm_fmt = DRM_FORMAT_RGBA4444,
 		.de2_fmt = SUN8I_MIXER_FBFMT_RGBA4444,
 		.rgb = true,
 		.csc = SUN8I_CSC_MODE_OFF,
 	},
 	{
+		/* for DE2 VI layer which ignores alpha */
+		.drm_fmt = DRM_FORMAT_RGBX4444,
+		.de2_fmt = SUN8I_MIXER_FBFMT_RGBA4444,
+		.rgb = true,
+		.csc = SUN8I_CSC_MODE_OFF,
+	},
+	{
 		.drm_fmt = DRM_FORMAT_BGRA4444,
 		.de2_fmt = SUN8I_MIXER_FBFMT_BGRA4444,
 		.rgb = true,
 		.csc = SUN8I_CSC_MODE_OFF,
 	},
 	{
+		/* for DE2 VI layer which ignores alpha */
+		.drm_fmt = DRM_FORMAT_BGRX4444,
+		.de2_fmt = SUN8I_MIXER_FBFMT_BGRA4444,
+		.rgb = true,
+		.csc = SUN8I_CSC_MODE_OFF,
+	},
+	{
 		.drm_fmt = DRM_FORMAT_ARGB1555,
 		.de2_fmt = SUN8I_MIXER_FBFMT_ARGB1555,
 		.rgb = true,
 		.csc = SUN8I_CSC_MODE_OFF,
 	},
 	{
+		/* for DE2 VI layer which ignores alpha */
+		.drm_fmt = DRM_FORMAT_XRGB1555,
+		.de2_fmt = SUN8I_MIXER_FBFMT_ARGB1555,
+		.rgb = true,
+		.csc = SUN8I_CSC_MODE_OFF,
+	},
+	{
 		.drm_fmt = DRM_FORMAT_ABGR1555,
 		.de2_fmt = SUN8I_MIXER_FBFMT_ABGR1555,
 		.rgb = true,
 		.csc = SUN8I_CSC_MODE_OFF,
 	},
 	{
+		/* for DE2 VI layer which ignores alpha */
+		.drm_fmt = DRM_FORMAT_XBGR1555,
+		.de2_fmt = SUN8I_MIXER_FBFMT_ABGR1555,
+		.rgb = true,
+		.csc = SUN8I_CSC_MODE_OFF,
+	},
+	{
 		.drm_fmt = DRM_FORMAT_RGBA5551,
 		.de2_fmt = SUN8I_MIXER_FBFMT_RGBA5551,
 		.rgb = true,
 		.csc = SUN8I_CSC_MODE_OFF,
 	},
 	{
+		/* for DE2 VI layer which ignores alpha */
+		.drm_fmt = DRM_FORMAT_RGBX5551,
+		.de2_fmt = SUN8I_MIXER_FBFMT_RGBA5551,
+		.rgb = true,
+		.csc = SUN8I_CSC_MODE_OFF,
+	},
+	{
 		.drm_fmt = DRM_FORMAT_BGRA5551,
 		.de2_fmt = SUN8I_MIXER_FBFMT_BGRA5551,
 		.rgb = true,
 		.csc = SUN8I_CSC_MODE_OFF,
+	},
+	{
+		/* for DE2 VI layer which ignores alpha */
+		.drm_fmt = DRM_FORMAT_BGRX5551,
+		.de2_fmt = SUN8I_MIXER_FBFMT_BGRA5551,
+		.rgb = true,
+		.csc = SUN8I_CSC_MODE_OFF,
 	},
 	{
 		.drm_fmt = DRM_FORMAT_ARGB2101010,
--- a/drivers/gpu/drm/sun4i/sun8i_vi_layer.c
+++ b/drivers/gpu/drm/sun4i/sun8i_vi_layer.c
@@ -398,26 +398,26 @@ static const struct drm_plane_funcs sun8
 };
 
 /*
- * While all RGB formats are supported, VI planes don't support
- * alpha blending, so there is no point having formats with alpha
- * channel if their opaque analog exist.
+ * While DE2 VI layer supports same RGB formats as UI layer, alpha
+ * channel is ignored. This structure lists all unique variants
+ * where alpha channel is replaced with "don't care" (X) channel.
  */
 static const u32 sun8i_vi_layer_formats[] = {
-	DRM_FORMAT_ABGR1555,
-	DRM_FORMAT_ABGR4444,
-	DRM_FORMAT_ARGB1555,
-	DRM_FORMAT_ARGB4444,
 	DRM_FORMAT_BGR565,
 	DRM_FORMAT_BGR888,
-	DRM_FORMAT_BGRA5551,
-	DRM_FORMAT_BGRA4444,
+	DRM_FORMAT_BGRX4444,
+	DRM_FORMAT_BGRX5551,
 	DRM_FORMAT_BGRX8888,
 	DRM_FORMAT_RGB565,
 	DRM_FORMAT_RGB888,
-	DRM_FORMAT_RGBA4444,
-	DRM_FORMAT_RGBA5551,
+	DRM_FORMAT_RGBX4444,
+	DRM_FORMAT_RGBX5551,
 	DRM_FORMAT_RGBX8888,
+	DRM_FORMAT_XBGR1555,
+	DRM_FORMAT_XBGR4444,
 	DRM_FORMAT_XBGR8888,
+	DRM_FORMAT_XRGB1555,
+	DRM_FORMAT_XRGB4444,
 	DRM_FORMAT_XRGB8888,
 
 	DRM_FORMAT_NV16,



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 134/168] drm/sun4i: de2/de3: Remove unsupported VI layer formats
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 133/168] drm/sun4i: Fix DE2 VI layer format support Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 135/168] drm/i915: Program MBUS with rmw during initialization Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maxime Ripard, Jernej Skrabec

From: Jernej Skrabec <jernej.skrabec@siol.net>

commit a4769905f0ae32cae4f096f646ab03b8b4794c74 upstream.

YUV444 and YVU444 are planar formats, but HW format RGB888 is packed.
This means that those two mappings were never correct. Remove them.

Fixes: 60a3dcf96aa8 ("drm/sun4i: Add DE2 definitions for YUV formats")
Acked-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
Link: https://patchwork.freedesktop.org/patch/msgid/20200224173901.174016-2-jernej.skrabec@siol.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/sun4i/sun8i_mixer.c    |   12 ------------
 drivers/gpu/drm/sun4i/sun8i_vi_layer.c |    2 --
 2 files changed, 14 deletions(-)

--- a/drivers/gpu/drm/sun4i/sun8i_mixer.c
+++ b/drivers/gpu/drm/sun4i/sun8i_mixer.c
@@ -277,12 +277,6 @@ static const struct de2_fmt_info de2_for
 		.csc = SUN8I_CSC_MODE_YUV2RGB,
 	},
 	{
-		.drm_fmt = DRM_FORMAT_YUV444,
-		.de2_fmt = SUN8I_MIXER_FBFMT_RGB888,
-		.rgb = true,
-		.csc = SUN8I_CSC_MODE_YUV2RGB,
-	},
-	{
 		.drm_fmt = DRM_FORMAT_YUV422,
 		.de2_fmt = SUN8I_MIXER_FBFMT_YUV422,
 		.rgb = false,
@@ -301,12 +295,6 @@ static const struct de2_fmt_info de2_for
 		.csc = SUN8I_CSC_MODE_YUV2RGB,
 	},
 	{
-		.drm_fmt = DRM_FORMAT_YVU444,
-		.de2_fmt = SUN8I_MIXER_FBFMT_RGB888,
-		.rgb = true,
-		.csc = SUN8I_CSC_MODE_YVU2RGB,
-	},
-	{
 		.drm_fmt = DRM_FORMAT_YVU422,
 		.de2_fmt = SUN8I_MIXER_FBFMT_YUV422,
 		.rgb = false,
--- a/drivers/gpu/drm/sun4i/sun8i_vi_layer.c
+++ b/drivers/gpu/drm/sun4i/sun8i_vi_layer.c
@@ -431,11 +431,9 @@ static const u32 sun8i_vi_layer_formats[
 	DRM_FORMAT_YUV411,
 	DRM_FORMAT_YUV420,
 	DRM_FORMAT_YUV422,
-	DRM_FORMAT_YUV444,
 	DRM_FORMAT_YVU411,
 	DRM_FORMAT_YVU420,
 	DRM_FORMAT_YVU422,
-	DRM_FORMAT_YVU444,
 };
 
 static const u32 sun8i_vi_layer_de3_formats[] = {



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 135/168] drm/i915: Program MBUS with rmw during initialization
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 134/168] drm/sun4i: de2/de3: Remove unsupported VI layer formats Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 136/168] drm/i915/selftests: Fix return in assert_mmap_offset() Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanislav Lisovskiy, Matt Roper,
	Matt Atwood, Jani Nikula

From: Matt Roper <matthew.d.roper@intel.com>

commit c725161924f9a5872a3e53b73345a6026a5c170e upstream.

It wasn't terribly clear from the bspec's wording, but after discussion
with the hardware folks, it turns out that we need to preserve the
pre-existing contents of the MBUS ABOX control register when
initializing a few specific bits.

Bspec: 49213
Bspec: 50096
Fixes: 4cb4585e5a7f ("drm/i915/icl: initialize MBus during display init")
Cc: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200204011032.582737-1-matthew.d.roper@intel.com
Reviewed-by: Matt Atwood <matthew.s.atwood@intel.com>
(cherry picked from commit 837b63e6087838d0f1e612d448405419199d8033)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200228004320.127142-1-matthew.d.roper@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/display/intel_display_power.c |   16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/i915/display/intel_display_power.c
+++ b/drivers/gpu/drm/i915/display/intel_display_power.c
@@ -4205,13 +4205,19 @@ static void icl_dbuf_disable(struct drm_
 
 static void icl_mbus_init(struct drm_i915_private *dev_priv)
 {
-	u32 val;
+	u32 mask, val;
 
-	val = MBUS_ABOX_BT_CREDIT_POOL1(16) |
-	      MBUS_ABOX_BT_CREDIT_POOL2(16) |
-	      MBUS_ABOX_B_CREDIT(1) |
-	      MBUS_ABOX_BW_CREDIT(1);
+	mask = MBUS_ABOX_BT_CREDIT_POOL1_MASK |
+		MBUS_ABOX_BT_CREDIT_POOL2_MASK |
+		MBUS_ABOX_B_CREDIT_MASK |
+		MBUS_ABOX_BW_CREDIT_MASK;
 
+	val = I915_READ(MBUS_ABOX_CTL);
+	val &= ~mask;
+	val |= MBUS_ABOX_BT_CREDIT_POOL1(16) |
+		MBUS_ABOX_BT_CREDIT_POOL2(16) |
+		MBUS_ABOX_B_CREDIT(1) |
+		MBUS_ABOX_BW_CREDIT(1);
 	I915_WRITE(MBUS_ABOX_CTL, val);
 }
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 136/168] drm/i915/selftests: Fix return in assert_mmap_offset()
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 135/168] drm/i915: Program MBUS with rmw during initialization Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 137/168] phy: mapphone-mdm6600: Fix timeouts by adding wake-up handling Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Chris Wilson, Jani Nikula

From: Dan Carpenter <dan.carpenter@oracle.com>

commit f4aaa44e8b20f7e0d4ea68d3bca4968b6ae5aaff upstream.

The assert_mmap_offset() returns type bool so if we return an error
pointer that is "return true;" or success.  If we have an error, then
we should return false.

Fixes: 3d81d589d6e3 ("drm/i915: Test exhaustion of the mmap space")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: https://patchwork.freedesktop.org/patch/msgid/20200228141413.qfjf4abr323drlo4@kili.mountain
(cherry picked from commit efbf928824820f2738f41271934f6ec2c6ebd587)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/gem/selftests/i915_gem_mman.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/gem/selftests/i915_gem_mman.c
+++ b/drivers/gpu/drm/i915/gem/selftests/i915_gem_mman.c
@@ -375,7 +375,7 @@ static bool assert_mmap_offset(struct dr
 
 	obj = i915_gem_object_create_internal(i915, size);
 	if (IS_ERR(obj))
-		return PTR_ERR(obj);
+		return false;
 
 	err = create_mmap_offset(obj);
 	i915_gem_object_put(obj);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 137/168] phy: mapphone-mdm6600: Fix timeouts by adding wake-up handling
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 136/168] drm/i915/selftests: Fix return in assert_mmap_offset() Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 138/168] phy: mapphone-mdm6600: Fix write timeouts with shorter GPIO toggle interval Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marcel Partap, Merlijn Wajer,
	Michael Scott, NeKit, Pavel Machek, Sebastian Reichel,
	Tony Lindgren, Kishon Vijay Abraham I

From: Tony Lindgren <tony@atomide.com>

commit be4e3c737eebd75815633f4b8fd766defaf0f1fc upstream.

We have an interrupt handler for the wake-up GPIO pin, but we're missing
the code to wake-up the system. This can cause timeouts receiving data
for the UART that shares the wake-up GPIO pin with the USB PHY.

All we need to do is just wake the system and kick the autosuspend
timeout to fix the issue.

Fixes: 5d1ebbda0318 ("phy: mapphone-mdm6600: Add USB PHY driver for MDM6600 on Droid 4")
Cc: Marcel Partap <mpartap@gmx.net>
Cc: Merlijn Wajer <merlijn@wizzup.org>
Cc: Michael Scott <hashcode0f@gmail.com>
Cc: NeKit <nekit1000@gmail.com>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Sebastian Reichel <sre@kernel.org>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/phy/motorola/phy-mapphone-mdm6600.c |   18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

--- a/drivers/phy/motorola/phy-mapphone-mdm6600.c
+++ b/drivers/phy/motorola/phy-mapphone-mdm6600.c
@@ -243,10 +243,24 @@ static irqreturn_t phy_mdm6600_wakeirq_t
 {
 	struct phy_mdm6600 *ddata = data;
 	struct gpio_desc *mode_gpio1;
+	int error, wakeup;
 
 	mode_gpio1 = ddata->mode_gpios->desc[PHY_MDM6600_MODE1];
-	dev_dbg(ddata->dev, "OOB wake on mode_gpio1: %i\n",
-		gpiod_get_value(mode_gpio1));
+	wakeup = gpiod_get_value(mode_gpio1);
+	if (!wakeup)
+		return IRQ_NONE;
+
+	dev_dbg(ddata->dev, "OOB wake on mode_gpio1: %i\n", wakeup);
+	error = pm_runtime_get_sync(ddata->dev);
+	if (error < 0) {
+		pm_runtime_put_noidle(ddata->dev);
+
+		return IRQ_NONE;
+	}
+
+	/* Just wake-up and kick the autosuspend timer */
+	pm_runtime_mark_last_busy(ddata->dev);
+	pm_runtime_put_autosuspend(ddata->dev);
 
 	return IRQ_HANDLED;
 }



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 138/168] phy: mapphone-mdm6600: Fix write timeouts with shorter GPIO toggle interval
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 137/168] phy: mapphone-mdm6600: Fix timeouts by adding wake-up handling Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 139/168] ARM: dts: imx6: phycore-som: fix emmc supply Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marcel Partap, Merlijn Wajer,
	Michael Scott, NeKit, Pavel Machek, Sebastian Reichel,
	Tony Lindgren, Kishon Vijay Abraham I

From: Tony Lindgren <tony@atomide.com>

commit 46b7edf1c7b7c91004c4db2c355cbd033f2385f9 upstream.

I've noticed that when writing data to the modem the writes can time out
at some point eventually. Looks like kicking the modem idle GPIO every
600 ms instead of once a second fixes the issue. Note that this rate is
different from our runtime PM autosuspend rate MDM6600_MODEM_IDLE_DELAY_MS
that we still want to keep at 1 second, so let's add a separate define for
PHY_MDM6600_IDLE_KICK_MS.

Fixes: f7f50b2a7b05 ("phy: mapphone-mdm6600: Add runtime PM support for n_gsm on USB suspend")
Cc: Marcel Partap <mpartap@gmx.net>
Cc: Merlijn Wajer <merlijn@wizzup.org>
Cc: Michael Scott <hashcode0f@gmail.com>
Cc: NeKit <nekit1000@gmail.com>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Sebastian Reichel <sre@kernel.org>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/phy/motorola/phy-mapphone-mdm6600.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/phy/motorola/phy-mapphone-mdm6600.c
+++ b/drivers/phy/motorola/phy-mapphone-mdm6600.c
@@ -20,6 +20,7 @@
 
 #define PHY_MDM6600_PHY_DELAY_MS	4000	/* PHY enable 2.2s to 3.5s */
 #define PHY_MDM6600_ENABLED_DELAY_MS	8000	/* 8s more total for MDM6600 */
+#define PHY_MDM6600_WAKE_KICK_MS	600	/* time on after GPIO toggle */
 #define MDM6600_MODEM_IDLE_DELAY_MS	1000	/* modem after USB suspend */
 #define MDM6600_MODEM_WAKE_DELAY_MS	200	/* modem response after idle */
 
@@ -510,8 +511,14 @@ static void phy_mdm6600_modem_wake(struc
 
 	ddata = container_of(work, struct phy_mdm6600, modem_wake_work.work);
 	phy_mdm6600_wake_modem(ddata);
+
+	/*
+	 * The modem does not always stay awake 1.2 seconds after toggling
+	 * the wake GPIO, and sometimes it idles after about some 600 ms
+	 * making writes time out.
+	 */
 	schedule_delayed_work(&ddata->modem_wake_work,
-			      msecs_to_jiffies(MDM6600_MODEM_IDLE_DELAY_MS));
+			      msecs_to_jiffies(PHY_MDM6600_WAKE_KICK_MS));
 }
 
 static int __maybe_unused phy_mdm6600_runtime_suspend(struct device *dev)



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 139/168] ARM: dts: imx6: phycore-som: fix emmc supply
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 138/168] phy: mapphone-mdm6600: Fix write timeouts with shorter GPIO toggle interval Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 140/168] arm64: dts: imx8qxp-mek: Remove unexisting Ethernet PHY Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marco Felsch, Shawn Guo

From: Marco Felsch <m.felsch@pengutronix.de>

commit eb0bbba7636b9fc81939d6087a5fe575e150c95a upstream.

Currently the vmmc is supplied by the 1.8V pmic rail but this is wrong.
The default module behaviour is to power VCCQ and VCC by the 3.3V power
rail. Optional the user can connect the VCCQ to the pmic 1.8V emmc
power rail using a solder jumper.

Fixes: ddec5d1c0047 ("ARM: dts: imx6: Add initial support for phyCORE-i.MX 6 SOM")
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx6qdl-phytec-phycore-som.dtsi |    1 -
 1 file changed, 1 deletion(-)

--- a/arch/arm/boot/dts/imx6qdl-phytec-phycore-som.dtsi
+++ b/arch/arm/boot/dts/imx6qdl-phytec-phycore-som.dtsi
@@ -183,7 +183,6 @@
 	pinctrl-0 = <&pinctrl_usdhc4>;
 	bus-width = <8>;
 	non-removable;
-	vmmc-supply = <&vdd_emmc_1p8>;
 	status = "disabled";
 };
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 140/168] arm64: dts: imx8qxp-mek: Remove unexisting Ethernet PHY
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 139/168] ARM: dts: imx6: phycore-som: fix emmc supply Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 141/168] firmware: imx: misc: Align imx sc msg structs to 4 Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fabio Estevam, Leonard Crestez, Shawn Guo

From: Fabio Estevam <festevam@gmail.com>

commit 26c4b4758fce8f0ae744335e1762213be29db441 upstream.

There is only on Ethernet port and one Ethernet PHY on imx8qxp-mek.

Remove the unexisting ethphy1 port.

This fixes a run-time warning:

mdio_bus 5b040000.ethernet-1: MDIO device at address 1 is missing.

Fixes: fdea904e85e1 ("arm64: dts: imx: add imx8qxp mek support")
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Reviewed-by: Leonard Crestez <leonard.crestez@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/freescale/imx8qxp-mek.dts |    5 -----
 1 file changed, 5 deletions(-)

--- a/arch/arm64/boot/dts/freescale/imx8qxp-mek.dts
+++ b/arch/arm64/boot/dts/freescale/imx8qxp-mek.dts
@@ -52,11 +52,6 @@
 			compatible = "ethernet-phy-ieee802.3-c22";
 			reg = <0>;
 		};
-
-		ethphy1: ethernet-phy@1 {
-			compatible = "ethernet-phy-ieee802.3-c22";
-			reg = <1>;
-		};
 	};
 };
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 141/168] firmware: imx: misc: Align imx sc msg structs to 4
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 140/168] arm64: dts: imx8qxp-mek: Remove unexisting Ethernet PHY Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 142/168] firmware: imx: scu-pd: " Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Leonard Crestez, Shawn Guo

From: Leonard Crestez <leonard.crestez@nxp.com>

commit 1e6a4eba693ac72e6f91b4252458c933110e5f4c upstream.

The imx SC api strongly assumes that messages are composed out of
4-bytes words but some of our message structs have odd sizeofs.

This produces many oopses with CONFIG_KASAN=y:

    BUG: KASAN: stack-out-of-bounds in imx_mu_send_data+0x108/0x1f0

It shouldn't cause an issues in normal use because these structs are
always allocated on the stack.

Fixes: 15e1f2bc8b3b ("firmware: imx: add misc svc support")
Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/imx/misc.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/firmware/imx/misc.c
+++ b/drivers/firmware/imx/misc.c
@@ -16,7 +16,7 @@ struct imx_sc_msg_req_misc_set_ctrl {
 	u32 ctrl;
 	u32 val;
 	u16 resource;
-} __packed;
+} __packed __aligned(4);
 
 struct imx_sc_msg_req_cpu_start {
 	struct imx_sc_rpc_msg hdr;
@@ -30,12 +30,12 @@ struct imx_sc_msg_req_misc_get_ctrl {
 	struct imx_sc_rpc_msg hdr;
 	u32 ctrl;
 	u16 resource;
-} __packed;
+} __packed __aligned(4);
 
 struct imx_sc_msg_resp_misc_get_ctrl {
 	struct imx_sc_rpc_msg hdr;
 	u32 val;
-} __packed;
+} __packed __aligned(4);
 
 /*
  * This function sets a miscellaneous control value.



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 142/168] firmware: imx: scu-pd: Align imx sc msg structs to 4
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 141/168] firmware: imx: misc: Align imx sc msg structs to 4 Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 143/168] firmware: imx: Align imx_sc_msg_req_cpu_start " Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Leonard Crestez, Shawn Guo

From: Leonard Crestez <leonard.crestez@nxp.com>

commit 7c1a1c814ccc858633c761951c2546041202b24e upstream.

The imx SC api strongly assumes that messages are composed out of
4-bytes words but some of our message structs have odd sizeofs.

This produces many oopses with CONFIG_KASAN=y.

Fix by marking with __aligned(4).

Fixes: c800cd7824bd ("firmware: imx: add SCU power domain driver")
Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/imx/scu-pd.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/firmware/imx/scu-pd.c
+++ b/drivers/firmware/imx/scu-pd.c
@@ -61,7 +61,7 @@ struct imx_sc_msg_req_set_resource_power
 	struct imx_sc_rpc_msg hdr;
 	u16 resource;
 	u8 mode;
-} __packed;
+} __packed __aligned(4);
 
 #define IMX_SCU_PD_NAME_SIZE 20
 struct imx_sc_pm_domain {



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 143/168] firmware: imx: Align imx_sc_msg_req_cpu_start to 4
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 142/168] firmware: imx: scu-pd: " Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 144/168] soc: imx-scu: Align imx sc msg structs " Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Leonard Crestez, Shawn Guo

From: Leonard Crestez <leonard.crestez@nxp.com>

commit f5bfeff44612d304deb100065a9f712309dc2783 upstream.

The imx SC api strongly assumes that messages are composed out of
4-bytes words but some of our message structs have odd sizeofs.

This produces many oopses with CONFIG_KASAN=y.

Fix by marking with __aligned(4).

Fixes: d90bf296ae18 ("firmware: imx: Add support to start/stop a CPU")
Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/imx/misc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/firmware/imx/misc.c
+++ b/drivers/firmware/imx/misc.c
@@ -24,7 +24,7 @@ struct imx_sc_msg_req_cpu_start {
 	u32 address_lo;
 	u16 resource;
 	u8 enable;
-} __packed;
+} __packed __aligned(4);
 
 struct imx_sc_msg_req_misc_get_ctrl {
 	struct imx_sc_rpc_msg hdr;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 144/168] soc: imx-scu: Align imx sc msg structs to 4
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 143/168] firmware: imx: Align imx_sc_msg_req_cpu_start " Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 145/168] Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow" Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Leonard Crestez, Shawn Guo

From: Leonard Crestez <leonard.crestez@nxp.com>

commit f10e58a5d20e1cf3a39a842da92c9dd0c3c23849 upstream.

The imx SC api strongly assumes that messages are composed out of
4-bytes words but some of our message structs have odd sizeofs.

This produces many oopses with CONFIG_KASAN=y.

Fix by marking with __aligned(4).

Fixes: 73feb4d0f8f1 ("soc: imx-scu: Add SoC UID(unique identifier) support")
Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/soc/imx/soc-imx-scu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/soc/imx/soc-imx-scu.c
+++ b/drivers/soc/imx/soc-imx-scu.c
@@ -25,7 +25,7 @@ struct imx_sc_msg_misc_get_soc_id {
 			u32 id;
 		} resp;
 	} data;
-} __packed;
+} __packed __aligned(4);
 
 struct imx_sc_msg_misc_get_soc_uid {
 	struct imx_sc_rpc_msg hdr;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 145/168] Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow"
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 144/168] soc: imx-scu: Align imx sc msg structs " Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 146/168] RDMA/rw: Fix error flow during RDMA context initialization Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Parav Pandit, Leon Romanovsky,
	Jason Gunthorpe

From: Parav Pandit <parav@mellanox.com>

commit e4103312d7b7afb8a3a7a842a33ef2b1856b2c0f upstream.

This reverts commit 219d2e9dfda9431b808c28d5efc74b404b95b638.

The call chain below requires the cm_id_priv's destination address to be
setup before performing rdma_bind_addr(). Otherwise source port allocation
fails as cma_port_is_unique() no longer sees the correct tuple to allow
duplicate users of the source port.

rdma_resolve_addr()
  cma_bind_addr()
    rdma_bind_addr()
      cma_get_port()
        cma_alloc_any_port()
          cma_port_is_unique() <- compared with zero daddr

This can result in false failures to connect, particularly if the source
port range is restricted.

Fixes: 219d2e9dfda9 ("RDMA/cma: Simplify rdma_resolve_addr() error flow")
Link: https://lore.kernel.org/r/20200212072635.682689-4-leon@kernel.org
Signed-off-by: Parav Pandit <parav@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/cma.c |   15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -3155,19 +3155,26 @@ int rdma_resolve_addr(struct rdma_cm_id
 	int ret;
 
 	id_priv = container_of(id, struct rdma_id_private, id);
+	memcpy(cma_dst_addr(id_priv), dst_addr, rdma_addr_size(dst_addr));
 	if (id_priv->state == RDMA_CM_IDLE) {
 		ret = cma_bind_addr(id, src_addr, dst_addr);
-		if (ret)
+		if (ret) {
+			memset(cma_dst_addr(id_priv), 0,
+			       rdma_addr_size(dst_addr));
 			return ret;
+		}
 	}
 
-	if (cma_family(id_priv) != dst_addr->sa_family)
+	if (cma_family(id_priv) != dst_addr->sa_family) {
+		memset(cma_dst_addr(id_priv), 0, rdma_addr_size(dst_addr));
 		return -EINVAL;
+	}
 
-	if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND, RDMA_CM_ADDR_QUERY))
+	if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND, RDMA_CM_ADDR_QUERY)) {
+		memset(cma_dst_addr(id_priv), 0, rdma_addr_size(dst_addr));
 		return -EINVAL;
+	}
 
-	memcpy(cma_dst_addr(id_priv), dst_addr, rdma_addr_size(dst_addr));
 	if (cma_any_addr(dst_addr)) {
 		ret = cma_resolve_loopback(id_priv);
 	} else {



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 146/168] RDMA/rw: Fix error flow during RDMA context initialization
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 145/168] Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow" Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 147/168] RDMA/nldev: Fix crash when set a QP to a new counter but QPN is missing Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Max Gurtovoy, Leon Romanovsky,
	Logan Gunthorpe, Jason Gunthorpe

From: Max Gurtovoy <maxg@mellanox.com>

commit 6affca140cbea01f497c4f4e16f1e2be7f74bd04 upstream.

In case the SGL was mapped for P2P DMA operation, we must unmap it using
pci_p2pdma_unmap_sg during the error unwind of rdma_rw_ctx_init()

Fixes: 7f73eac3a713 ("PCI/P2PDMA: Introduce pci_p2pdma_unmap_sg()")
Link: https://lore.kernel.org/r/20200220100819.41860-1-maxg@mellanox.com
Signed-off-by: Max Gurtovoy <maxg@mellanox.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/rw.c |   31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)

--- a/drivers/infiniband/core/rw.c
+++ b/drivers/infiniband/core/rw.c
@@ -268,6 +268,23 @@ static int rdma_rw_init_single_wr(struct
 	return 1;
 }
 
+static void rdma_rw_unmap_sg(struct ib_device *dev, struct scatterlist *sg,
+			     u32 sg_cnt, enum dma_data_direction dir)
+{
+	if (is_pci_p2pdma_page(sg_page(sg)))
+		pci_p2pdma_unmap_sg(dev->dma_device, sg, sg_cnt, dir);
+	else
+		ib_dma_unmap_sg(dev, sg, sg_cnt, dir);
+}
+
+static int rdma_rw_map_sg(struct ib_device *dev, struct scatterlist *sg,
+			  u32 sg_cnt, enum dma_data_direction dir)
+{
+	if (is_pci_p2pdma_page(sg_page(sg)))
+		return pci_p2pdma_map_sg(dev->dma_device, sg, sg_cnt, dir);
+	return ib_dma_map_sg(dev, sg, sg_cnt, dir);
+}
+
 /**
  * rdma_rw_ctx_init - initialize a RDMA READ/WRITE context
  * @ctx:	context to initialize
@@ -290,11 +307,7 @@ int rdma_rw_ctx_init(struct rdma_rw_ctx
 	struct ib_device *dev = qp->pd->device;
 	int ret;
 
-	if (is_pci_p2pdma_page(sg_page(sg)))
-		ret = pci_p2pdma_map_sg(dev->dma_device, sg, sg_cnt, dir);
-	else
-		ret = ib_dma_map_sg(dev, sg, sg_cnt, dir);
-
+	ret = rdma_rw_map_sg(dev, sg, sg_cnt, dir);
 	if (!ret)
 		return -ENOMEM;
 	sg_cnt = ret;
@@ -333,7 +346,7 @@ int rdma_rw_ctx_init(struct rdma_rw_ctx
 	return ret;
 
 out_unmap_sg:
-	ib_dma_unmap_sg(dev, sg, sg_cnt, dir);
+	rdma_rw_unmap_sg(dev, sg, sg_cnt, dir);
 	return ret;
 }
 EXPORT_SYMBOL(rdma_rw_ctx_init);
@@ -583,11 +596,7 @@ void rdma_rw_ctx_destroy(struct rdma_rw_
 		break;
 	}
 
-	if (is_pci_p2pdma_page(sg_page(sg)))
-		pci_p2pdma_unmap_sg(qp->pd->device->dma_device, sg,
-				    sg_cnt, dir);
-	else
-		ib_dma_unmap_sg(qp->pd->device, sg, sg_cnt, dir);
+	rdma_rw_unmap_sg(qp->pd->device, sg, sg_cnt, dir);
 }
 EXPORT_SYMBOL(rdma_rw_ctx_destroy);
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 147/168] RDMA/nldev: Fix crash when set a QP to a new counter but QPN is missing
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 146/168] RDMA/rw: Fix error flow during RDMA context initialization Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 148/168] RDMA/siw: Fix failure handling during device creation Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+bd4af81bc51ee0283445,
	Mark Zhang, Leon Romanovsky, Jason Gunthorpe

From: Mark Zhang <markz@mellanox.com>

commit 78f34a16c28654cb47791257006f90d0948f2f0c upstream.

This fixes the kernel crash when a RDMA_NLDEV_CMD_STAT_SET command is
received, but the QP number parameter is not available.

  iwpm_register_pid: Unable to send a nlmsg (client = 2)
  infiniband syz1: RDMA CMA: cma_listen_on_dev, error -98
  general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
  CPU: 0 PID: 9754 Comm: syz-executor069 Not tainted 5.6.0-rc2-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  RIP: 0010:nla_get_u32 include/net/netlink.h:1474 [inline]
  RIP: 0010:nldev_stat_set_doit+0x63c/0xb70 drivers/infiniband/core/nldev.c:1760
  Code: fc 01 0f 84 58 03 00 00 e8 41 83 bf fb 4c 8b a3 58 fd ff ff 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 6d
  RSP: 0018:ffffc900068bf350 EFLAGS: 00010247
  RAX: dffffc0000000000 RBX: ffffc900068bf728 RCX: ffffffff85b60470
  RDX: 0000000000000000 RSI: ffffffff85b6047f RDI: 0000000000000004
  RBP: ffffc900068bf750 R08: ffff88808c3ee140 R09: ffff8880a25e6010
  R10: ffffed10144bcddc R11: ffff8880a25e6ee3 R12: 0000000000000000
  R13: ffff88809acb0000 R14: ffff888092a42c80 R15: 000000009ef2e29a
  FS:  0000000001ff0880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f4733e34000 CR3: 00000000a9b27000 CR4: 00000000001406f0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
    rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:195 [inline]
    rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
    rdma_nl_rcv+0x5d9/0x980 drivers/infiniband/core/netlink.c:259
    netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
    netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1329
    netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1918
    sock_sendmsg_nosec net/socket.c:652 [inline]
    sock_sendmsg+0xd7/0x130 net/socket.c:672
    ____sys_sendmsg+0x753/0x880 net/socket.c:2343
    ___sys_sendmsg+0x100/0x170 net/socket.c:2397
    __sys_sendmsg+0x105/0x1d0 net/socket.c:2430
    __do_sys_sendmsg net/socket.c:2439 [inline]
    __se_sys_sendmsg net/socket.c:2437 [inline]
    __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2437
    do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
    entry_SYSCALL_64_after_hwframe+0x49/0xbe
  RIP: 0033:0x4403d9
  Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
  RSP: 002b:00007ffc0efbc5c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
  RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403d9
  RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000004
  RBP: 00000000006ca018 R08: 0000000000000008 R09: 00000000004002c8
  R10: 000000000000004a R11: 0000000000000246 R12: 0000000000401c60
  R13: 0000000000401cf0 R14: 0000000000000000 R15: 0000000000000000

Fixes: b389327df905 ("RDMA/nldev: Allow counter manual mode configration through RDMA netlink")
Link: https://lore.kernel.org/r/20200227125111.99142-1-leon@kernel.org
Reported-by: syzbot+bd4af81bc51ee0283445@syzkaller.appspotmail.com
Signed-off-by: Mark Zhang <markz@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/nldev.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/infiniband/core/nldev.c
+++ b/drivers/infiniband/core/nldev.c
@@ -1711,6 +1711,8 @@ static int nldev_stat_set_doit(struct sk
 		if (ret)
 			goto err_msg;
 	} else {
+		if (!tb[RDMA_NLDEV_ATTR_RES_LQPN])
+			goto err_msg;
 		qpn = nla_get_u32(tb[RDMA_NLDEV_ATTR_RES_LQPN]);
 		if (tb[RDMA_NLDEV_ATTR_STAT_COUNTER_ID]) {
 			cntn = nla_get_u32(tb[RDMA_NLDEV_ATTR_STAT_COUNTER_ID]);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 148/168] RDMA/siw: Fix failure handling during device creation
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 147/168] RDMA/nldev: Fix crash when set a QP to a new counter but QPN is missing Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 149/168] RDMA/iwcm: Fix iwcm work deallocation Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+2e80962bedd9559fe0b3,
	Bernard Metzler, Jason Gunthorpe

From: Bernard Metzler <bmt@zurich.ibm.com>

commit 12e5eef0f4d8087ea7b559f6630be08ffea2d851 upstream.

A failing call to ib_device_set_netdev() during device creation caused
system crash due to xa_destroy of uninitialized xarray hit by device
deallocation. Fixed by moving xarray initialization before potential
device deallocation.

Fixes: bdcf26bf9b3a ("rdma/siw: network and RDMA core interface")
Link: https://lore.kernel.org/r/20200302155814.9896-1-bmt@zurich.ibm.com
Reported-by: syzbot+2e80962bedd9559fe0b3@syzkaller.appspotmail.com
Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/sw/siw/siw_main.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/infiniband/sw/siw/siw_main.c
+++ b/drivers/infiniband/sw/siw/siw_main.c
@@ -379,6 +379,9 @@ static struct siw_device *siw_device_cre
 	base_dev->dev.dma_ops = &dma_virt_ops;
 	base_dev->num_comp_vectors = num_possible_cpus();
 
+	xa_init_flags(&sdev->qp_xa, XA_FLAGS_ALLOC1);
+	xa_init_flags(&sdev->mem_xa, XA_FLAGS_ALLOC1);
+
 	ib_set_device_ops(base_dev, &siw_device_ops);
 	rv = ib_device_set_netdev(base_dev, netdev, 1);
 	if (rv)
@@ -406,9 +409,6 @@ static struct siw_device *siw_device_cre
 	sdev->attrs.max_srq_wr = SIW_MAX_SRQ_WR;
 	sdev->attrs.max_srq_sge = SIW_MAX_SGE;
 
-	xa_init_flags(&sdev->qp_xa, XA_FLAGS_ALLOC1);
-	xa_init_flags(&sdev->mem_xa, XA_FLAGS_ALLOC1);
-
 	INIT_LIST_HEAD(&sdev->cep_list);
 	INIT_LIST_HEAD(&sdev->qp_list);
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 149/168] RDMA/iwcm: Fix iwcm work deallocation
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 148/168] RDMA/siw: Fix failure handling during device creation Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 150/168] RDMA/core: Fix protection fault in ib_mr_pool_destroy Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+cb0c054eabfba4342146,
	Bernard Metzler, Jason Gunthorpe

From: Bernard Metzler <bmt@zurich.ibm.com>

commit 810dbc69087b08fd53e1cdd6c709f385bc2921ad upstream.

The dealloc_work_entries() function must update the work_free_list pointer
while freeing its entries, since potentially called again on same list. A
second iteration of the work list caused system crash. This happens, if
work allocation fails during cma_iw_listen() and free_cm_id() tries to
free the list again during cleanup.

Fixes: 922a8e9fb2e0 ("RDMA: iWARP Connection Manager.")
Link: https://lore.kernel.org/r/20200302181614.17042-1-bmt@zurich.ibm.com
Reported-by: syzbot+cb0c054eabfba4342146@syzkaller.appspotmail.com
Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/iwcm.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/core/iwcm.c
+++ b/drivers/infiniband/core/iwcm.c
@@ -159,8 +159,10 @@ static void dealloc_work_entries(struct
 {
 	struct list_head *e, *tmp;
 
-	list_for_each_safe(e, tmp, &cm_id_priv->work_free_list)
+	list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) {
+		list_del(e);
 		kfree(list_entry(e, struct iwcm_work, free_list));
+	}
 }
 
 static int alloc_work_entries(struct iwcm_id_private *cm_id_priv, int count)



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 150/168] RDMA/core: Fix protection fault in ib_mr_pool_destroy
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 149/168] RDMA/iwcm: Fix iwcm work deallocation Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 151/168] regulator: stm32-vrefbuf: fix a possible overshoot when re-enabling Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maor Gottlieb, Leon Romanovsky,
	Jason Gunthorpe

From: Maor Gottlieb <maorg@mellanox.com>

commit e38b55ea0443da35a50a3eb2079ad3612cf763b9 upstream.

Fix NULL pointer dereference in the error flow of ib_create_qp_user
when accessing to uninitialized list pointers - rdma_mrs and sig_mrs.
The following crash from syzkaller revealed it.

  kasan: GPF could be caused by NULL-ptr deref or user memory access
  general protection fault: 0000 [#1] SMP KASAN PTI
  CPU: 1 PID: 23167 Comm: syz-executor.1 Not tainted 5.5.0-rc5 #2
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
  RIP: 0010:ib_mr_pool_destroy+0x81/0x1f0
  Code: 00 00 fc ff df 49 c1 ec 03 4d 01 fc e8 a8 ea 72 fe 41 80 3c 24 00
  0f 85 62 01 00 00 48 8b 13 48 89 d6 4c 8d 6a c8 48 c1 ee 03 <42> 80 3c
  3e 00 0f 85 34 01 00 00 48 8d 7a 08 4c 8b 02 48 89 fe 48
  RSP: 0018:ffffc9000951f8b0 EFLAGS: 00010046
  RAX: 0000000000040000 RBX: ffff88810f268038 RCX: ffffffff82c41628
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc9000951f850
  RBP: ffff88810f268020 R08: 0000000000000004 R09: fffff520012a3f0a
  R10: 0000000000000001 R11: fffff520012a3f0a R12: ffffed1021e4d007
  R13: ffffffffffffffc8 R14: 0000000000000246 R15: dffffc0000000000
  FS:  00007f54bc788700(0000) GS:ffff88811b100000(0000)
  knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000000 CR3: 0000000116920002 CR4: 0000000000360ee0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   rdma_rw_cleanup_mrs+0x15/0x30
   ib_destroy_qp_user+0x674/0x7d0
   ib_create_qp_user+0xb01/0x11c0
   create_qp+0x1517/0x2130
   ib_uverbs_create_qp+0x13e/0x190
   ib_uverbs_write+0xaa5/0xdf0
   __vfs_write+0x7c/0x100
   vfs_write+0x168/0x4a0
   ksys_write+0xc8/0x200
   do_syscall_64+0x9c/0x390
   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x465b49
  Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
  f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
  f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
  RSP: 002b:00007f54bc787c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
  RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000465b49
  RDX: 0000000000000040 RSI: 0000000020000540 RDI: 0000000000000003
  RBP: 00007f54bc787c70 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000246 R12: 00007f54bc7886bc
  R13: 00000000004ca2ec R14: 000000000070ded0 R15: 0000000000000005

Fixes: a060b5629ab0 ("IB/core: generic RDMA READ/WRITE API")
Link: https://lore.kernel.org/r/20200227112708.93023-1-leon@kernel.org
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/core_priv.h  |   15 +++++++++++++++
 drivers/infiniband/core/uverbs_cmd.c |   10 ----------
 drivers/infiniband/core/verbs.c      |   10 ----------
 3 files changed, 15 insertions(+), 20 deletions(-)

--- a/drivers/infiniband/core/core_priv.h
+++ b/drivers/infiniband/core/core_priv.h
@@ -338,6 +338,21 @@ static inline struct ib_qp *_ib_create_q
 	qp->pd = pd;
 	qp->uobject = uobj;
 	qp->real_qp = qp;
+
+	qp->qp_type = attr->qp_type;
+	qp->qp_context = attr->qp_context;
+	qp->rwq_ind_tbl = attr->rwq_ind_tbl;
+	qp->send_cq = attr->send_cq;
+	qp->recv_cq = attr->recv_cq;
+	qp->srq = attr->srq;
+	qp->rwq_ind_tbl = attr->rwq_ind_tbl;
+	qp->event_handler = attr->event_handler;
+
+	atomic_set(&qp->usecnt, 0);
+	spin_lock_init(&qp->mr_lock);
+	INIT_LIST_HEAD(&qp->rdma_mrs);
+	INIT_LIST_HEAD(&qp->sig_mrs);
+
 	/*
 	 * We don't track XRC QPs for now, because they don't have PD
 	 * and more importantly they are created internaly by driver,
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -1431,17 +1431,7 @@ static int create_qp(struct uverbs_attr_
 		if (ret)
 			goto err_cb;
 
-		qp->pd		  = pd;
-		qp->send_cq	  = attr.send_cq;
-		qp->recv_cq	  = attr.recv_cq;
-		qp->srq		  = attr.srq;
-		qp->rwq_ind_tbl	  = ind_tbl;
-		qp->event_handler = attr.event_handler;
-		qp->qp_context	  = attr.qp_context;
-		qp->qp_type	  = attr.qp_type;
-		atomic_set(&qp->usecnt, 0);
 		atomic_inc(&pd->usecnt);
-		qp->port = 0;
 		if (attr.send_cq)
 			atomic_inc(&attr.send_cq->usecnt);
 		if (attr.recv_cq)
--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -1180,16 +1180,6 @@ struct ib_qp *ib_create_qp_user(struct i
 	if (ret)
 		goto err;
 
-	qp->qp_type    = qp_init_attr->qp_type;
-	qp->rwq_ind_tbl = qp_init_attr->rwq_ind_tbl;
-
-	atomic_set(&qp->usecnt, 0);
-	qp->mrs_used = 0;
-	spin_lock_init(&qp->mr_lock);
-	INIT_LIST_HEAD(&qp->rdma_mrs);
-	INIT_LIST_HEAD(&qp->sig_mrs);
-	qp->port = 0;
-
 	if (qp_init_attr->qp_type == IB_QPT_XRC_TGT) {
 		struct ib_qp *xrc_qp =
 			create_xrc_qp_user(qp, qp_init_attr, udata);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 151/168] regulator: stm32-vrefbuf: fix a possible overshoot when re-enabling
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 150/168] RDMA/core: Fix protection fault in ib_mr_pool_destroy Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 152/168] RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen() Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Fabrice Gasnier, Mark Brown

From: Fabrice Gasnier <fabrice.gasnier@st.com>

commit 02fbabd5f4ed182d2c616e49309f5a3efd9ec671 upstream.

There maybe an overshoot, when disabling, then re-enabling vrefbuf
too quickly. VREFBUF is used by ADC/DAC on some boards. When re-enabling
too quickly, an overshoot on the reference voltage make the conversions
inaccurate for a short period of time.
- Don't put the VREFBUF in HiZ when disabling, to force an active
discharge.
- Enforce a 1ms OFF/ON delay

Fixes: 0cdbf481e927 ("regulator: Add support for stm32-vrefbuf")

Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
Message-Id: <1583312132-20932-1-git-send-email-fabrice.gasnier@st.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/regulator/stm32-vrefbuf.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/regulator/stm32-vrefbuf.c
+++ b/drivers/regulator/stm32-vrefbuf.c
@@ -88,7 +88,7 @@ static int stm32_vrefbuf_disable(struct
 	}
 
 	val = readl_relaxed(priv->base + STM32_VREFBUF_CSR);
-	val = (val & ~STM32_ENVR) | STM32_HIZ;
+	val &= ~STM32_ENVR;
 	writel_relaxed(val, priv->base + STM32_VREFBUF_CSR);
 
 	pm_runtime_mark_last_busy(priv->dev);
@@ -175,6 +175,7 @@ static const struct regulator_desc stm32
 	.volt_table = stm32_vrefbuf_voltages,
 	.n_voltages = ARRAY_SIZE(stm32_vrefbuf_voltages),
 	.ops = &stm32_vrefbuf_volt_ops,
+	.off_on_delay = 1000,
 	.type = REGULATOR_VOLTAGE,
 	.owner = THIS_MODULE,
 };



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 152/168] RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 151/168] regulator: stm32-vrefbuf: fix a possible overshoot when re-enabling Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:39 ` [PATCH 5.4 153/168] IB/hfi1, qib: Ensure RCU is locked when accessing list Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jason Gunthorpe

From: Jason Gunthorpe <jgg@mellanox.com>

commit c14dfddbd869bf0c2bafb7ef260c41d9cebbcfec upstream.

The algorithm pre-allocates a cm_id since allocation cannot be done while
holding the cm.lock spinlock, however it doesn't free it on one error
path, leading to a memory leak.

Fixes: 067b171b8679 ("IB/cm: Share listening CM IDs")
Link: https://lore.kernel.org/r/20200221152023.GA8680@ziepe.ca
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/cm.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
@@ -1228,6 +1228,7 @@ struct ib_cm_id *ib_cm_insert_listen(str
 			/* Sharing an ib_cm_id with different handlers is not
 			 * supported */
 			spin_unlock_irqrestore(&cm.lock, flags);
+			ib_destroy_cm_id(cm_id);
 			return ERR_PTR(-EINVAL);
 		}
 		atomic_inc(&cm_id_priv->refcount);



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 153/168] IB/hfi1, qib: Ensure RCU is locked when accessing list
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 152/168] RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen() Greg Kroah-Hartman
@ 2020-03-10 12:39 ` Greg Kroah-Hartman
  2020-03-10 12:40 ` [PATCH 5.4 154/168] ARM: imx: build v7_cpu_resume() unconditionally Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Marciniszyn, Dennis Dalessandro,
	Jason Gunthorpe

From: Dennis Dalessandro <dennis.dalessandro@intel.com>

commit 817a68a6584aa08e323c64283fec5ded7be84759 upstream.

The packet handling function, specifically the iteration of the qp list
for mad packet processing misses locking RCU before running through the
list. Not only is this incorrect, but the list_for_each_entry_rcu() call
can not be called with a conditional check for lock dependency. Remedy
this by invoking the rcu lock and unlock around the critical section.

This brings MAD packet processing in line with what is done for non-MAD
packets.

Fixes: 7724105686e7 ("IB/hfi1: add driver files")
Link: https://lore.kernel.org/r/20200225195445.140896.41873.stgit@awfm-01.aw.intel.com
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/hfi1/verbs.c    |    4 +++-
 drivers/infiniband/hw/qib/qib_verbs.c |    2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/hw/hfi1/verbs.c
+++ b/drivers/infiniband/hw/hfi1/verbs.c
@@ -515,10 +515,11 @@ static inline void hfi1_handle_packet(st
 				       opa_get_lid(packet->dlid, 9B));
 		if (!mcast)
 			goto drop;
+		rcu_read_lock();
 		list_for_each_entry_rcu(p, &mcast->qp_list, list) {
 			packet->qp = p->qp;
 			if (hfi1_do_pkey_check(packet))
-				goto drop;
+				goto unlock_drop;
 			spin_lock_irqsave(&packet->qp->r_lock, flags);
 			packet_handler = qp_ok(packet);
 			if (likely(packet_handler))
@@ -527,6 +528,7 @@ static inline void hfi1_handle_packet(st
 				ibp->rvp.n_pkt_drops++;
 			spin_unlock_irqrestore(&packet->qp->r_lock, flags);
 		}
+		rcu_read_unlock();
 		/*
 		 * Notify rvt_multicast_detach() if it is waiting for us
 		 * to finish.
--- a/drivers/infiniband/hw/qib/qib_verbs.c
+++ b/drivers/infiniband/hw/qib/qib_verbs.c
@@ -329,8 +329,10 @@ void qib_ib_rcv(struct qib_ctxtdata *rcd
 		if (mcast == NULL)
 			goto drop;
 		this_cpu_inc(ibp->pmastats->n_multicast_rcv);
+		rcu_read_lock();
 		list_for_each_entry_rcu(p, &mcast->qp_list, list)
 			qib_qp_rcv(rcd, hdr, 1, data, tlen, p->qp);
+		rcu_read_unlock();
 		/*
 		 * Notify rvt_multicast_detach() if it is waiting for us
 		 * to finish.



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 154/168] ARM: imx: build v7_cpu_resume() unconditionally
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2020-03-10 12:39 ` [PATCH 5.4 153/168] IB/hfi1, qib: Ensure RCU is locked when accessing list Greg Kroah-Hartman
@ 2020-03-10 12:40 ` Greg Kroah-Hartman
  2020-03-10 12:40 ` [PATCH 5.4 155/168] ARM: dts: am437x-idk-evm: Fix incorrect OPP node names Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lucas Stach, Ahmad Fatoum,
	Rouven Czerwinski, Shawn Guo

From: Ahmad Fatoum <a.fatoum@pengutronix.de>

commit 512a928affd51c2dc631401e56ad5ee5d5dd68b6 upstream.

This function is not only needed by the platform suspend code, but is also
reused as the CPU resume function when the ARM cores can be powered down
completely in deep idle, which is the case on i.MX6SX and i.MX6UL(L).

Providing the static inline stub whenever CONFIG_SUSPEND is disabled means
that those platforms will hang on resume from cpuidle if suspend is disabled.

So there are two problems:

  - The static inline stub masks the linker error
  - The function is not available where needed

Fix both by just building the function unconditionally, when
CONFIG_SOC_IMX6 is enabled. The actual code is three instructions long,
so it's arguably ok to just leave it in for all i.MX6 kernel configurations.

Fixes: 05136f0897b5 ("ARM: imx: support arm power off in cpuidle for i.mx6sx")
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-imx/Makefile       |    2 ++
 arch/arm/mach-imx/common.h       |    4 ++--
 arch/arm/mach-imx/resume-imx6.S  |   24 ++++++++++++++++++++++++
 arch/arm/mach-imx/suspend-imx6.S |   14 --------------
 4 files changed, 28 insertions(+), 16 deletions(-)

--- a/arch/arm/mach-imx/Makefile
+++ b/arch/arm/mach-imx/Makefile
@@ -91,6 +91,8 @@ AFLAGS_suspend-imx6.o :=-Wa,-march=armv7
 obj-$(CONFIG_SOC_IMX6) += suspend-imx6.o
 obj-$(CONFIG_SOC_IMX53) += suspend-imx53.o
 endif
+AFLAGS_resume-imx6.o :=-Wa,-march=armv7-a
+obj-$(CONFIG_SOC_IMX6) += resume-imx6.o
 obj-$(CONFIG_SOC_IMX6) += pm-imx6.o
 
 obj-$(CONFIG_SOC_IMX1) += mach-imx1.o
--- a/arch/arm/mach-imx/common.h
+++ b/arch/arm/mach-imx/common.h
@@ -109,17 +109,17 @@ void imx_cpu_die(unsigned int cpu);
 int imx_cpu_kill(unsigned int cpu);
 
 #ifdef CONFIG_SUSPEND
-void v7_cpu_resume(void);
 void imx53_suspend(void __iomem *ocram_vbase);
 extern const u32 imx53_suspend_sz;
 void imx6_suspend(void __iomem *ocram_vbase);
 #else
-static inline void v7_cpu_resume(void) {}
 static inline void imx53_suspend(void __iomem *ocram_vbase) {}
 static const u32 imx53_suspend_sz;
 static inline void imx6_suspend(void __iomem *ocram_vbase) {}
 #endif
 
+void v7_cpu_resume(void);
+
 void imx6_pm_ccm_init(const char *ccm_compat);
 void imx6q_pm_init(void);
 void imx6dl_pm_init(void);
--- /dev/null
+++ b/arch/arm/mach-imx/resume-imx6.S
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright 2014 Freescale Semiconductor, Inc.
+ */
+
+#include <linux/linkage.h>
+#include <asm/assembler.h>
+#include <asm/asm-offsets.h>
+#include <asm/hardware/cache-l2x0.h>
+#include "hardware.h"
+
+/*
+ * The following code must assume it is running from physical address
+ * where absolute virtual addresses to the data section have to be
+ * turned into relative ones.
+ */
+
+ENTRY(v7_cpu_resume)
+	bl	v7_invalidate_l1
+#ifdef CONFIG_CACHE_L2X0
+	bl	l2c310_early_resume
+#endif
+	b	cpu_resume
+ENDPROC(v7_cpu_resume)
--- a/arch/arm/mach-imx/suspend-imx6.S
+++ b/arch/arm/mach-imx/suspend-imx6.S
@@ -327,17 +327,3 @@ resume:
 
 	ret	lr
 ENDPROC(imx6_suspend)
-
-/*
- * The following code must assume it is running from physical address
- * where absolute virtual addresses to the data section have to be
- * turned into relative ones.
- */
-
-ENTRY(v7_cpu_resume)
-	bl	v7_invalidate_l1
-#ifdef CONFIG_CACHE_L2X0
-	bl	l2c310_early_resume
-#endif
-	b	cpu_resume
-ENDPROC(v7_cpu_resume)



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 155/168] ARM: dts: am437x-idk-evm: Fix incorrect OPP node names
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2020-03-10 12:40 ` [PATCH 5.4 154/168] ARM: imx: build v7_cpu_resume() unconditionally Greg Kroah-Hartman
@ 2020-03-10 12:40 ` Greg Kroah-Hartman
  2020-03-10 12:40 ` [PATCH 5.4 156/168] ARM: dts: dra7xx-clocks: Fixup IPU1 mux clock parent source Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roger Quadros, Suman Anna, Tony Lindgren

From: Suman Anna <s-anna@ti.com>

commit 31623468be0bf57617b8057dcd335693935a9491 upstream.

The commit 337c6c9a69af ("ARM: dts: am437x-idk-evm: Disable
OPP50 for MPU") adjusts couple of OPP nodes defined in the
common am4372.dtsi file, but used outdated node names. This
results in these getting treated as new OPP nodes with missing
properties.

Fix this properly by using the correct node names as updated in
commit b9cb2ba71848 ("ARM: dts: Use - instead of @ for DT OPP
entries for TI SoCs").

Reported-by: Roger Quadros <rogerq@ti.com>
Fixes: 337c6c9a69af ("ARM: dts: am437x-idk-evm: Disable OPP50 for MPU")
Signed-off-by: Suman Anna <s-anna@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/am437x-idk-evm.dts |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/am437x-idk-evm.dts
+++ b/arch/arm/boot/dts/am437x-idk-evm.dts
@@ -526,11 +526,11 @@
 	 * Supply voltage supervisor on board will not allow opp50 so
 	 * disable it and set opp100 as suspend OPP.
 	 */
-	opp50@300000000 {
+	opp50-300000000 {
 		status = "disabled";
 	};
 
-	opp100@600000000 {
+	opp100-600000000 {
 		opp-suspend;
 	};
 };



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 156/168] ARM: dts: dra7xx-clocks: Fixup IPU1 mux clock parent source
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2020-03-10 12:40 ` [PATCH 5.4 155/168] ARM: dts: am437x-idk-evm: Fix incorrect OPP node names Greg Kroah-Hartman
@ 2020-03-10 12:40 ` Greg Kroah-Hartman
  2020-03-10 12:40 ` [PATCH 5.4 157/168] ARM: dts: imx6dl-colibri-eval-v3: fix sram compatible properties Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Suman Anna, Tony Lindgren

From: Suman Anna <s-anna@ti.com>

commit 78722d37b2b4cf9178295e2aa5510880e6135fd7 upstream.

The IPU1 functional clock is the output of a mux clock (represented
by ipu1_gfclk_mux previously) and the clock source for this has been
updated to be sourced from dpll_core_h22x2_ck in commit 39879c7d963e
("ARM: dts: dra7xx-clocks: Source IPU1 functional clock from CORE DPLL").
ipu1_gfclk_mux is an obsolete clock now with the clkctrl conversion,
and this clock source parenting is lost during the new clkctrl layout
conversion.

Remove this stale clock and fix up the clock source for this mux
clock using the latest equivalent clkctrl clock. This restores the
previous logic and ensures that the IPU1 continues to run at the
same frequency of IPU2 and independent of the ABE DPLL.

Fixes: b5f8ffbb6fad ("ARM: dts: dra7: convert to use new clkctrl layout")
Signed-off-by: Suman Anna <s-anna@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/dra7xx-clocks.dtsi |   12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

--- a/arch/arm/boot/dts/dra7xx-clocks.dtsi
+++ b/arch/arm/boot/dts/dra7xx-clocks.dtsi
@@ -796,16 +796,6 @@
 		clock-div = <1>;
 	};
 
-	ipu1_gfclk_mux: ipu1_gfclk_mux@520 {
-		#clock-cells = <0>;
-		compatible = "ti,mux-clock";
-		clocks = <&dpll_abe_m2x2_ck>, <&dpll_core_h22x2_ck>;
-		ti,bit-shift = <24>;
-		reg = <0x0520>;
-		assigned-clocks = <&ipu1_gfclk_mux>;
-		assigned-clock-parents = <&dpll_core_h22x2_ck>;
-	};
-
 	dummy_ck: dummy_ck {
 		#clock-cells = <0>;
 		compatible = "fixed-clock";
@@ -1564,6 +1554,8 @@
 			compatible = "ti,clkctrl";
 			reg = <0x20 0x4>;
 			#clock-cells = <2>;
+			assigned-clocks = <&ipu1_clkctrl DRA7_IPU1_MMU_IPU1_CLKCTRL 24>;
+			assigned-clock-parents = <&dpll_core_h22x2_ck>;
 		};
 
 		ipu_clkctrl: ipu-clkctrl@50 {



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 157/168] ARM: dts: imx6dl-colibri-eval-v3: fix sram compatible properties
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2020-03-10 12:40 ` [PATCH 5.4 156/168] ARM: dts: dra7xx-clocks: Fixup IPU1 mux clock parent source Greg Kroah-Hartman
@ 2020-03-10 12:40 ` Greg Kroah-Hartman
  2020-03-10 12:40 ` [PATCH 5.4 158/168] ARM: dts: imx7-colibri: Fix frequency for sd/mmc Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sanchayan Maity, Marcel Ziswiler,
	Shawn Guo, Johan Hovold, Oleksandr Suvorov

From: Johan Hovold <johan@kernel.org>

commit bcbf53a0dab50980867476994f6079c1ec5bb3a3 upstream.

The sram-node compatible properties have mistakingly combined the
model-specific string with the generic "mtd-ram" string.

Note that neither "cy7c1019dv33-10zsxi, mtd-ram" or
"cy7c1019dv33-10zsxi" are used by any in-kernel driver and they are
not present in any binding.

The physmap driver will however bind to platform devices that specify
"mtd-ram".

Fixes: fc48e76489fd ("ARM: dts: imx6: Add support for Toradex Colibri iMX6 module")
Cc: Sanchayan Maity <maitysanchayan@gmail.com>
Cc: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Cc: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx6dl-colibri-eval-v3.dts |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/imx6dl-colibri-eval-v3.dts
+++ b/arch/arm/boot/dts/imx6dl-colibri-eval-v3.dts
@@ -236,7 +236,7 @@
 
 	/* SRAM on Colibri nEXT_CS0 */
 	sram@0,0 {
-		compatible = "cypress,cy7c1019dv33-10zsxi, mtd-ram";
+		compatible = "cypress,cy7c1019dv33-10zsxi", "mtd-ram";
 		reg = <0 0 0x00010000>;
 		#address-cells = <1>;
 		#size-cells = <1>;
@@ -247,7 +247,7 @@
 
 	/* SRAM on Colibri nEXT_CS1 */
 	sram@1,0 {
-		compatible = "cypress,cy7c1019dv33-10zsxi, mtd-ram";
+		compatible = "cypress,cy7c1019dv33-10zsxi", "mtd-ram";
 		reg = <1 0 0x00010000>;
 		#address-cells = <1>;
 		#size-cells = <1>;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 158/168] ARM: dts: imx7-colibri: Fix frequency for sd/mmc
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2020-03-10 12:40 ` [PATCH 5.4 157/168] ARM: dts: imx6dl-colibri-eval-v3: fix sram compatible properties Greg Kroah-Hartman
@ 2020-03-10 12:40 ` Greg Kroah-Hartman
  2020-03-10 12:40 ` [PATCH 5.4 159/168] hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleksandr Suvorov, Fabio Estevam, Shawn Guo

From: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>

commit 2773fe1d31c42ffae2a9cb9a6055d99dd86e2fee upstream.

SD/MMC on Colibri iMX7S/D modules successfully support
200Mhz frequency in HS200 mode.

Removing the unnecessary max-frequency limit significantly
increases the performance:

== before fix ====
root@colibri-imx7-emmc:~# hdparm -t /dev/mmcblk0
/dev/mmcblk0:
 Timing buffered disk reads: 252 MB in  3.02 seconds =  83.54 MB/sec
==================

=== after fix ====
root@colibri-imx7-emmc:~# hdparm -t /dev/mmcblk0
/dev/mmcblk0:
 Timing buffered disk reads: 408 MB in  3.00 seconds = 135.94 MB/sec
==================

Fixes: f928a4a377e4 ("ARM: dts: imx7: add Toradex Colibri iMX7D 1GB (eMMC) support")
Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx7-colibri.dtsi |    1 -
 1 file changed, 1 deletion(-)

--- a/arch/arm/boot/dts/imx7-colibri.dtsi
+++ b/arch/arm/boot/dts/imx7-colibri.dtsi
@@ -337,7 +337,6 @@
 	assigned-clock-rates = <400000000>;
 	bus-width = <8>;
 	fsl,tuning-step = <2>;
-	max-frequency = <100000000>;
 	vmmc-supply = <&reg_module_3v3>;
 	vqmmc-supply = <&reg_DCDC3>;
 	non-removable;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 159/168] hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2020-03-10 12:40 ` [PATCH 5.4 158/168] ARM: dts: imx7-colibri: Fix frequency for sd/mmc Greg Kroah-Hartman
@ 2020-03-10 12:40 ` Greg Kroah-Hartman
  2020-03-10 12:40 ` [PATCH 5.4 160/168] dma-buf: free dmabuf->name in dma_buf_release() Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Darrick J. Wong,
	Guenter Roeck

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 44f2f882909fedfc3a56e4b90026910456019743 upstream.

This is only called from adt7462_update_device().  The caller expects it
to return zero on error.  I fixed a similar issue earlier in commit
a4bf06d58f21 ("hwmon: (adt7462) ADT7462_REG_VOLT_MAX() should return 0")
but I missed this one.

Fixes: c0b4e3ab0c76 ("adt7462: new hwmon driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Link: https://lore.kernel.org/r/20200303101608.kqjwfcazu2ylhi2a@kili.mountain
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwmon/adt7462.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hwmon/adt7462.c
+++ b/drivers/hwmon/adt7462.c
@@ -413,7 +413,7 @@ static int ADT7462_REG_VOLT(struct adt74
 			return 0x95;
 		break;
 	}
-	return -ENODEV;
+	return 0;
 }
 
 /* Provide labels for sysfs */



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 160/168] dma-buf: free dmabuf->name in dma_buf_release()
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2020-03-10 12:40 ` [PATCH 5.4 159/168] hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() Greg Kroah-Hartman
@ 2020-03-10 12:40 ` Greg Kroah-Hartman
  2020-03-10 12:40 ` [PATCH 5.4 161/168] dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+b2098bc44728a4efb3e9,
	Greg Hackmann, Chenbo Feng, Sumit Semwal, Cong Wang

From: Cong Wang <xiyou.wangcong@gmail.com>

commit d1f37226431f5d9657aa144a40f2383adbcf27e1 upstream.

dma-buf name can be set via DMA_BUF_SET_NAME ioctl, but once set
it never gets freed.

Free it in dma_buf_release().

Fixes: bb2bb9030425 ("dma-buf: add DMA_BUF_SET_NAME ioctls")
Reported-by: syzbot+b2098bc44728a4efb3e9@syzkaller.appspotmail.com
Cc: Greg Hackmann <ghackmann@google.com>
Cc: Chenbo Feng <fengc@google.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Chenbo Feng <fengc@google.com>
Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20191227063204.5813-1-xiyou.wangcong@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/dma-buf/dma-buf.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -108,6 +108,7 @@ static int dma_buf_release(struct inode
 		dma_resv_fini(dmabuf->resv);
 
 	module_put(dmabuf->owner);
+	kfree(dmabuf->name);
 	kfree(dmabuf);
 	return 0;
 }



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 161/168] dmaengine: coh901318: Fix a double lock bug in dma_tc_handle()
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2020-03-10 12:40 ` [PATCH 5.4 160/168] dma-buf: free dmabuf->name in dma_buf_release() Greg Kroah-Hartman
@ 2020-03-10 12:40 ` Greg Kroah-Hartman
  2020-03-10 12:40 ` [PATCH 5.4 162/168] arm64: dts: meson: fix gxm-khadas-vim2 wifi Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Vinod Koul

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 36d5d22090d13fd3a7a8c9663a711cbe6970aac8 upstream.

The caller is already holding the lock so this will deadlock.

Fixes: 0b58828c923e ("DMAENGINE: COH 901 318 remove irq counting")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20200217144050.3i4ymbytogod4ijn@kili.mountain
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/dma/coh901318.c |    4 ----
 1 file changed, 4 deletions(-)

--- a/drivers/dma/coh901318.c
+++ b/drivers/dma/coh901318.c
@@ -1947,8 +1947,6 @@ static void dma_tc_handle(struct coh9013
 		return;
 	}
 
-	spin_lock(&cohc->lock);
-
 	/*
 	 * When we reach this point, at least one queue item
 	 * should have been moved over from cohc->queue to
@@ -1969,8 +1967,6 @@ static void dma_tc_handle(struct coh9013
 	if (coh901318_queue_start(cohc) == NULL)
 		cohc->busy = 0;
 
-	spin_unlock(&cohc->lock);
-
 	/*
 	 * This tasklet will remove items from cohc->active
 	 * and thus terminates them.



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 162/168] arm64: dts: meson: fix gxm-khadas-vim2 wifi
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2020-03-10 12:40 ` [PATCH 5.4 161/168] dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() Greg Kroah-Hartman
@ 2020-03-10 12:40 ` Greg Kroah-Hartman
  2020-03-10 12:40 ` [PATCH 5.4 163/168] bus: ti-sysc: Fix 1-wire reset quirk Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Art Nikpal, Christian Hewitt, Kevin Hilman

From: Christian Hewitt <christianshewitt@gmail.com>

commit 146033562e7e5d1c9aae9653986806664995f1d5 upstream.

before

[6.418252] brcmfmac: F1 signature read @0x18000000=0x17224356
[6.435663] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac4356-sdio for chip BCM4356/2
[6.551259] brcmfmac: brcmf_sdiod_ramrw: membytes transfer failed
[6.551275] brcmfmac: brcmf_sdio_verifymemory: error -84 on reading 2048 membytes at 0x00184000
[6.551352] brcmfmac: brcmf_sdio_download_firmware: dongle image file download failed

after

[6.657165] brcmfmac: F1 signature read @0x18000000=0x17224356
[6.660807] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac4356-sdio for chip BCM4356/2
[6.918643] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac4356-sdio for chip BCM4356/2
[6.918734] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available
[6.922724] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4356/2 wl0: Jun 16 2015 14:25:06 version 7.35.184.r1 (TOB) (r559293) FWID 01-b22ae69c

Fixes: adc52bf7ef16 ("arm64: dts: meson: fix mmc v2 chips max frequencies")
Suggested-by: Art Nikpal <email2tema@gmail.com>
Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Link: https://lore.kernel.org/r/1582212790-11402-1-git-send-email-christianshewitt@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/boot/dts/amlogic/meson-gxm-khadas-vim2.dts |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/amlogic/meson-gxm-khadas-vim2.dts
+++ b/arch/arm64/boot/dts/amlogic/meson-gxm-khadas-vim2.dts
@@ -327,7 +327,7 @@
 	#size-cells = <0>;
 
 	bus-width = <4>;
-	max-frequency = <50000000>;
+	max-frequency = <60000000>;
 
 	non-removable;
 	disable-wp;



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 163/168] bus: ti-sysc: Fix 1-wire reset quirk
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2020-03-10 12:40 ` [PATCH 5.4 162/168] arm64: dts: meson: fix gxm-khadas-vim2 wifi Greg Kroah-Hartman
@ 2020-03-10 12:40 ` Greg Kroah-Hartman
  2020-03-10 12:40 ` [PATCH 5.4 164/168] EDAC/synopsys: Do not print an error with back-to-back snprintf() calls Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tony Lindgren

From: Tony Lindgren <tony@atomide.com>

commit aec551c7a00fb7eae049c0c4cc3208ca53e26355 upstream.

Because of the i2c quirk we have the reset quirks named in a confusing
way. Let's fix the 1-wire quirk accordinlyg. Then let's switch to using
better naming later on.

Fixes: 4e23be473e30 ("bus: ti-sysc: Add support for module specific reset quirks")
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bus/ti-sysc.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/bus/ti-sysc.c
+++ b/drivers/bus/ti-sysc.c
@@ -1406,7 +1406,7 @@ static void sysc_init_revision_quirks(st
 }
 
 /* 1-wire needs module's internal clocks enabled for reset */
-static void sysc_clk_enable_quirk_hdq1w(struct sysc *ddata)
+static void sysc_pre_reset_quirk_hdq1w(struct sysc *ddata)
 {
 	int offset = 0x0c;	/* HDQ_CTRL_STATUS */
 	u16 val;
@@ -1494,7 +1494,7 @@ static void sysc_init_module_quirks(stru
 		return;
 
 	if (ddata->cfg.quirks & SYSC_MODULE_QUIRK_HDQ1W) {
-		ddata->clk_enable_quirk = sysc_clk_enable_quirk_hdq1w;
+		ddata->clk_disable_quirk = sysc_pre_reset_quirk_hdq1w;
 
 		return;
 	}



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 164/168] EDAC/synopsys: Do not print an error with back-to-back snprintf() calls
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2020-03-10 12:40 ` [PATCH 5.4 163/168] bus: ti-sysc: Fix 1-wire reset quirk Greg Kroah-Hartman
@ 2020-03-10 12:40 ` Greg Kroah-Hartman
  2020-03-10 12:40 ` [PATCH 5.4 165/168] powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sherry Sun, Borislav Petkov,
	James Morse, Manish Narani

From: Sherry Sun <sherry.sun@nxp.com>

commit dfc6014e3b60713f375d0601d7549eed224c4615 upstream.

handle_error() currently calls snprintf() a couple of times in
succession to output the message for a CE/UE, therefore overwriting each
part of the message which was formatted with the previous snprintf()
call. As a result, only the part of the message from the last snprintf()
call will be printed.

The simplest and most effective way to fix this problem is to combine
the whole string into one which to supply to a single snprintf() call.

 [ bp: Massage. ]

Fixes: b500b4a029d57 ("EDAC, synopsys: Add ECC support for ZynqMP DDR controller")
Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: James Morse <james.morse@arm.com>
Cc: Manish Narani <manish.narani@xilinx.com>
Link: https://lkml.kernel.org/r/1582792452-32575-1-git-send-email-sherry.sun@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/edac/synopsys_edac.c |   22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)

--- a/drivers/edac/synopsys_edac.c
+++ b/drivers/edac/synopsys_edac.c
@@ -479,20 +479,14 @@ static void handle_error(struct mem_ctl_
 		pinf = &p->ceinfo;
 		if (!priv->p_data->quirks) {
 			snprintf(priv->message, SYNPS_EDAC_MSG_SIZE,
-				 "DDR ECC error type:%s Row %d Bank %d Col %d ",
-				  "CE", pinf->row, pinf->bank, pinf->col);
-			snprintf(priv->message, SYNPS_EDAC_MSG_SIZE,
-				 "Bit Position: %d Data: 0x%08x\n",
+				 "DDR ECC error type:%s Row %d Bank %d Col %d Bit Position: %d Data: 0x%08x",
+				 "CE", pinf->row, pinf->bank, pinf->col,
 				 pinf->bitpos, pinf->data);
 		} else {
 			snprintf(priv->message, SYNPS_EDAC_MSG_SIZE,
-				 "DDR ECC error type:%s Row %d Bank %d Col %d ",
-				  "CE", pinf->row, pinf->bank, pinf->col);
-			snprintf(priv->message, SYNPS_EDAC_MSG_SIZE,
-				 "BankGroup Number %d Block Number %d ",
-				 pinf->bankgrpnr, pinf->blknr);
-			snprintf(priv->message, SYNPS_EDAC_MSG_SIZE,
-				 "Bit Position: %d Data: 0x%08x\n",
+				 "DDR ECC error type:%s Row %d Bank %d Col %d BankGroup Number %d Block Number %d Bit Position: %d Data: 0x%08x",
+				 "CE", pinf->row, pinf->bank, pinf->col,
+				 pinf->bankgrpnr, pinf->blknr,
 				 pinf->bitpos, pinf->data);
 		}
 
@@ -509,10 +503,8 @@ static void handle_error(struct mem_ctl_
 				"UE", pinf->row, pinf->bank, pinf->col);
 		} else {
 			snprintf(priv->message, SYNPS_EDAC_MSG_SIZE,
-				 "DDR ECC error type :%s Row %d Bank %d Col %d ",
-				 "UE", pinf->row, pinf->bank, pinf->col);
-			snprintf(priv->message, SYNPS_EDAC_MSG_SIZE,
-				 "BankGroup Number %d Block Number %d",
+				 "DDR ECC error type :%s Row %d Bank %d Col %d BankGroup Number %d Block Number %d",
+				 "UE", pinf->row, pinf->bank, pinf->col,
 				 pinf->bankgrpnr, pinf->blknr);
 		}
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 165/168] powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2020-03-10 12:40 ` [PATCH 5.4 164/168] EDAC/synopsys: Do not print an error with back-to-back snprintf() calls Greg Kroah-Hartman
@ 2020-03-10 12:40 ` Greg Kroah-Hartman
  2020-03-10 12:40 ` [PATCH 5.4 166/168] efi/x86: Align GUIDs to their size in the mixed mode runtime wrapper Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Desnes A. Nunes do Rosario,
	Leonardo Bras, Michael Ellerman

From: Desnes A. Nunes do Rosario <desnesn@linux.ibm.com>

commit fc37a1632d40c80c067eb1bc235139f5867a2667 upstream.

PowerVM systems running compatibility mode on a few Power8 revisions are
still vulnerable to the hardware defect that loses PMU exceptions arriving
prior to a context switch.

The software fix for this issue is enabled through the CPU_FTR_PMAO_BUG
cpu_feature bit, nevertheless this bit also needs to be set for PowerVM
compatibility mode systems.

Fixes: 68f2f0d431d9ea4 ("powerpc: Add a cpu feature CPU_FTR_PMAO_BUG")
Signed-off-by: Desnes A. Nunes do Rosario <desnesn@linux.ibm.com>
Reviewed-by: Leonardo Bras <leonardo@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200227134715.9715-1-desnesn@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/cputable.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/powerpc/kernel/cputable.c
+++ b/arch/powerpc/kernel/cputable.c
@@ -2193,11 +2193,13 @@ static struct cpu_spec * __init setup_cp
 		 * oprofile_cpu_type already has a value, then we are
 		 * possibly overriding a real PVR with a logical one,
 		 * and, in that case, keep the current value for
-		 * oprofile_cpu_type.
+		 * oprofile_cpu_type. Futhermore, let's ensure that the
+		 * fix for the PMAO bug is enabled on compatibility mode.
 		 */
 		if (old.oprofile_cpu_type != NULL) {
 			t->oprofile_cpu_type = old.oprofile_cpu_type;
 			t->oprofile_type = old.oprofile_type;
+			t->cpu_features |= old.cpu_features & CPU_FTR_PMAO_BUG;
 		}
 	}
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 166/168] efi/x86: Align GUIDs to their size in the mixed mode runtime wrapper
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2020-03-10 12:40 ` [PATCH 5.4 165/168] powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems Greg Kroah-Hartman
@ 2020-03-10 12:40 ` Greg Kroah-Hartman
  2020-03-10 12:40 ` [PATCH 5.4 167/168] efi/x86: Handle by-ref arguments covering multiple pages in mixed mode Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Ard Biesheuvel,
	Ingo Molnar, linux-efi, Thomas Gleixner

From: Ard Biesheuvel <ardb@kernel.org>

commit 63056e8b5ebf41d52170e9f5ba1fc83d1855278c upstream.

Hans reports that his mixed mode systems running v5.6-rc1 kernels hit
the WARN_ON() in virt_to_phys_or_null_size(), caused by the fact that
efi_guid_t objects on the vmap'ed stack happen to be misaligned with
respect to their sizes. As a quick (i.e., backportable) fix, copy GUID
pointer arguments to the local stack into a buffer that is naturally
aligned to its size, so that it is guaranteed to cover only one
physical page.

Note that on x86, we cannot rely on the stack pointer being aligned
the way the compiler expects, so we need to allocate an 8-byte aligned
buffer of sufficient size, and copy the GUID into that buffer at an
offset that is aligned to 16 bytes.

Fixes: f6697df36bdf0bf7 ("x86/efi: Prevent mixed mode boot corruption with CONFIG_VMAP_STACK=y")
Reported-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Tested-by: Hans de Goede <hdegoede@redhat.com>
Cc: linux-efi@vger.kernel.org
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20200221084849.26878-2-ardb@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/platform/efi/efi_64.c |   25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

--- a/arch/x86/platform/efi/efi_64.c
+++ b/arch/x86/platform/efi/efi_64.c
@@ -791,6 +791,8 @@ static efi_status_t
 efi_thunk_get_variable(efi_char16_t *name, efi_guid_t *vendor,
 		       u32 *attr, unsigned long *data_size, void *data)
 {
+	u8 buf[24] __aligned(8);
+	efi_guid_t *vnd = PTR_ALIGN((efi_guid_t *)buf, sizeof(*vnd));
 	efi_status_t status;
 	u32 phys_name, phys_vendor, phys_attr;
 	u32 phys_data_size, phys_data;
@@ -798,8 +800,10 @@ efi_thunk_get_variable(efi_char16_t *nam
 
 	spin_lock_irqsave(&efi_runtime_lock, flags);
 
+	*vnd = *vendor;
+
 	phys_data_size = virt_to_phys_or_null(data_size);
-	phys_vendor = virt_to_phys_or_null(vendor);
+	phys_vendor = virt_to_phys_or_null(vnd);
 	phys_name = virt_to_phys_or_null_size(name, efi_name_size(name));
 	phys_attr = virt_to_phys_or_null(attr);
 	phys_data = virt_to_phys_or_null_size(data, *data_size);
@@ -816,14 +820,18 @@ static efi_status_t
 efi_thunk_set_variable(efi_char16_t *name, efi_guid_t *vendor,
 		       u32 attr, unsigned long data_size, void *data)
 {
+	u8 buf[24] __aligned(8);
+	efi_guid_t *vnd = PTR_ALIGN((efi_guid_t *)buf, sizeof(*vnd));
 	u32 phys_name, phys_vendor, phys_data;
 	efi_status_t status;
 	unsigned long flags;
 
 	spin_lock_irqsave(&efi_runtime_lock, flags);
 
+	*vnd = *vendor;
+
 	phys_name = virt_to_phys_or_null_size(name, efi_name_size(name));
-	phys_vendor = virt_to_phys_or_null(vendor);
+	phys_vendor = virt_to_phys_or_null(vnd);
 	phys_data = virt_to_phys_or_null_size(data, data_size);
 
 	/* If data_size is > sizeof(u32) we've got problems */
@@ -840,6 +848,8 @@ efi_thunk_set_variable_nonblocking(efi_c
 				   u32 attr, unsigned long data_size,
 				   void *data)
 {
+	u8 buf[24] __aligned(8);
+	efi_guid_t *vnd = PTR_ALIGN((efi_guid_t *)buf, sizeof(*vnd));
 	u32 phys_name, phys_vendor, phys_data;
 	efi_status_t status;
 	unsigned long flags;
@@ -847,8 +857,10 @@ efi_thunk_set_variable_nonblocking(efi_c
 	if (!spin_trylock_irqsave(&efi_runtime_lock, flags))
 		return EFI_NOT_READY;
 
+	*vnd = *vendor;
+
 	phys_name = virt_to_phys_or_null_size(name, efi_name_size(name));
-	phys_vendor = virt_to_phys_or_null(vendor);
+	phys_vendor = virt_to_phys_or_null(vnd);
 	phys_data = virt_to_phys_or_null_size(data, data_size);
 
 	/* If data_size is > sizeof(u32) we've got problems */
@@ -865,14 +877,18 @@ efi_thunk_get_next_variable(unsigned lon
 			    efi_char16_t *name,
 			    efi_guid_t *vendor)
 {
+	u8 buf[24] __aligned(8);
+	efi_guid_t *vnd = PTR_ALIGN((efi_guid_t *)buf, sizeof(*vnd));
 	efi_status_t status;
 	u32 phys_name_size, phys_name, phys_vendor;
 	unsigned long flags;
 
 	spin_lock_irqsave(&efi_runtime_lock, flags);
 
+	*vnd = *vendor;
+
 	phys_name_size = virt_to_phys_or_null(name_size);
-	phys_vendor = virt_to_phys_or_null(vendor);
+	phys_vendor = virt_to_phys_or_null(vnd);
 	phys_name = virt_to_phys_or_null_size(name, *name_size);
 
 	status = efi_thunk(get_next_variable, phys_name_size,
@@ -880,6 +896,7 @@ efi_thunk_get_next_variable(unsigned lon
 
 	spin_unlock_irqrestore(&efi_runtime_lock, flags);
 
+	*vendor = *vnd;
 	return status;
 }
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 167/168] efi/x86: Handle by-ref arguments covering multiple pages in mixed mode
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2020-03-10 12:40 ` [PATCH 5.4 166/168] efi/x86: Align GUIDs to their size in the mixed mode runtime wrapper Greg Kroah-Hartman
@ 2020-03-10 12:40 ` Greg Kroah-Hartman
  2020-03-10 12:40 ` [PATCH 5.4 168/168] efi: READ_ONCE rng seed size before munmap Greg Kroah-Hartman
                   ` (2 subsequent siblings)
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ard Biesheuvel, Ingo Molnar,
	linux-efi, Thomas Gleixner

From: Ard Biesheuvel <ardb@kernel.org>

commit 8319e9d5ad98ffccd19f35664382c73cea216193 upstream.

The mixed mode runtime wrappers are fragile when it comes to how the
memory referred to by its pointer arguments are laid out in memory, due
to the fact that it translates these addresses to physical addresses that
the runtime services can dereference when running in 1:1 mode. Since
vmalloc'ed pages (including the vmap'ed stack) are not contiguous in the
physical address space, this scheme only works if the referenced memory
objects do not cross page boundaries.

Currently, the mixed mode runtime service wrappers require that all by-ref
arguments that live in the vmalloc space have a size that is a power of 2,
and are aligned to that same value. While this is a sensible way to
construct an object that is guaranteed not to cross a page boundary, it is
overly strict when it comes to checking whether a given object violates
this requirement, as we can simply take the physical address of the first
and the last byte, and verify that they point into the same physical page.

When this check fails, we emit a WARN(), but then simply proceed with the
call, which could cause data corruption if the next physical page belongs
to a mapping that is entirely unrelated.

Given that with vmap'ed stacks, this condition is much more likely to
trigger, let's relax the condition a bit, but fail the runtime service
call if it does trigger.

Fixes: f6697df36bdf0bf7 ("x86/efi: Prevent mixed mode boot corruption with CONFIG_VMAP_STACK=y")
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: linux-efi@vger.kernel.org
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20200221084849.26878-4-ardb@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/platform/efi/efi_64.c |   45 +++++++++++++++++++++++------------------
 1 file changed, 26 insertions(+), 19 deletions(-)

--- a/arch/x86/platform/efi/efi_64.c
+++ b/arch/x86/platform/efi/efi_64.c
@@ -316,7 +316,7 @@ void efi_sync_low_kernel_mappings(void)
 static inline phys_addr_t
 virt_to_phys_or_null_size(void *va, unsigned long size)
 {
-	bool bad_size;
+	phys_addr_t pa;
 
 	if (!va)
 		return 0;
@@ -324,16 +324,13 @@ virt_to_phys_or_null_size(void *va, unsi
 	if (virt_addr_valid(va))
 		return virt_to_phys(va);
 
-	/*
-	 * A fully aligned variable on the stack is guaranteed not to
-	 * cross a page bounary. Try to catch strings on the stack by
-	 * checking that 'size' is a power of two.
-	 */
-	bad_size = size > PAGE_SIZE || !is_power_of_2(size);
+	pa = slow_virt_to_phys(va);
 
-	WARN_ON(!IS_ALIGNED((unsigned long)va, size) || bad_size);
+	/* check if the object crosses a page boundary */
+	if (WARN_ON((pa ^ (pa + size - 1)) & PAGE_MASK))
+		return 0;
 
-	return slow_virt_to_phys(va);
+	return pa;
 }
 
 #define virt_to_phys_or_null(addr)				\
@@ -808,8 +805,11 @@ efi_thunk_get_variable(efi_char16_t *nam
 	phys_attr = virt_to_phys_or_null(attr);
 	phys_data = virt_to_phys_or_null_size(data, *data_size);
 
-	status = efi_thunk(get_variable, phys_name, phys_vendor,
-			   phys_attr, phys_data_size, phys_data);
+	if (!phys_name || (data && !phys_data))
+		status = EFI_INVALID_PARAMETER;
+	else
+		status = efi_thunk(get_variable, phys_name, phys_vendor,
+				   phys_attr, phys_data_size, phys_data);
 
 	spin_unlock_irqrestore(&efi_runtime_lock, flags);
 
@@ -834,9 +834,11 @@ efi_thunk_set_variable(efi_char16_t *nam
 	phys_vendor = virt_to_phys_or_null(vnd);
 	phys_data = virt_to_phys_or_null_size(data, data_size);
 
-	/* If data_size is > sizeof(u32) we've got problems */
-	status = efi_thunk(set_variable, phys_name, phys_vendor,
-			   attr, data_size, phys_data);
+	if (!phys_name || !phys_data)
+		status = EFI_INVALID_PARAMETER;
+	else
+		status = efi_thunk(set_variable, phys_name, phys_vendor,
+				   attr, data_size, phys_data);
 
 	spin_unlock_irqrestore(&efi_runtime_lock, flags);
 
@@ -863,9 +865,11 @@ efi_thunk_set_variable_nonblocking(efi_c
 	phys_vendor = virt_to_phys_or_null(vnd);
 	phys_data = virt_to_phys_or_null_size(data, data_size);
 
-	/* If data_size is > sizeof(u32) we've got problems */
-	status = efi_thunk(set_variable, phys_name, phys_vendor,
-			   attr, data_size, phys_data);
+	if (!phys_name || !phys_data)
+		status = EFI_INVALID_PARAMETER;
+	else
+		status = efi_thunk(set_variable, phys_name, phys_vendor,
+				   attr, data_size, phys_data);
 
 	spin_unlock_irqrestore(&efi_runtime_lock, flags);
 
@@ -891,8 +895,11 @@ efi_thunk_get_next_variable(unsigned lon
 	phys_vendor = virt_to_phys_or_null(vnd);
 	phys_name = virt_to_phys_or_null_size(name, *name_size);
 
-	status = efi_thunk(get_next_variable, phys_name_size,
-			   phys_name, phys_vendor);
+	if (!phys_name)
+		status = EFI_INVALID_PARAMETER;
+	else
+		status = efi_thunk(get_next_variable, phys_name_size,
+				   phys_name, phys_vendor);
 
 	spin_unlock_irqrestore(&efi_runtime_lock, flags);
 



^ permalink raw reply	[flat|nested] 177+ messages in thread

* [PATCH 5.4 168/168] efi: READ_ONCE rng seed size before munmap
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2020-03-10 12:40 ` [PATCH 5.4 167/168] efi/x86: Handle by-ref arguments covering multiple pages in mixed mode Greg Kroah-Hartman
@ 2020-03-10 12:40 ` Greg Kroah-Hartman
  2020-03-10 14:02 ` [PATCH 5.4 000/168] 5.4.25-stable review Holger Hoffstätte
  2020-03-11  7:52 ` Naresh Kamboju
  169 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 12:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason A. Donenfeld, Ard Biesheuvel,
	Ingo Molnar, linux-efi, Thomas Gleixner

From: Jason A. Donenfeld <Jason@zx2c4.com>

commit be36f9e7517e17810ec369626a128d7948942259 upstream.

This function is consistent with using size instead of seed->size
(except for one place that this patch fixes), but it reads seed->size
without using READ_ONCE, which means the compiler might still do
something unwanted. So, this commit simply adds the READ_ONCE
wrapper.

Fixes: 636259880a7e ("efi: Add support for seeding the RNG from a UEFI ...")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: linux-efi@vger.kernel.org
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20200217123354.21140-1-Jason@zx2c4.com
Link: https://lore.kernel.org/r/20200221084849.26878-5-ardb@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/efi/efi.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -544,7 +544,7 @@ int __init efi_config_parse_tables(void
 
 		seed = early_memremap(efi.rng_seed, sizeof(*seed));
 		if (seed != NULL) {
-			size = seed->size;
+			size = READ_ONCE(seed->size);
 			early_memunmap(seed, sizeof(*seed));
 		} else {
 			pr_err("Could not map UEFI random seed!\n");
@@ -554,7 +554,7 @@ int __init efi_config_parse_tables(void
 					      sizeof(*seed) + size);
 			if (seed != NULL) {
 				pr_notice("seeding entropy pool\n");
-				add_bootloader_randomness(seed->bits, seed->size);
+				add_bootloader_randomness(seed->bits, size);
 				early_memunmap(seed, sizeof(*seed) + size);
 			} else {
 				pr_err("Could not map UEFI random seed!\n");



^ permalink raw reply	[flat|nested] 177+ messages in thread

* Re: [PATCH 5.4 000/168] 5.4.25-stable review
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2020-03-10 12:40 ` [PATCH 5.4 168/168] efi: READ_ONCE rng seed size before munmap Greg Kroah-Hartman
@ 2020-03-10 14:02 ` Holger Hoffstätte
  2020-03-10 14:35   ` Greg Kroah-Hartman
  2020-03-11  7:52 ` Naresh Kamboju
  169 siblings, 1 reply; 177+ messages in thread
From: Holger Hoffstätte @ 2020-03-10 14:02 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel; +Cc: linux, shuah, stable, Paolo Valente

On 3/10/20 1:37 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.25 release.

This fails to compile due to broken patch 001/168:
"block, bfq: get a ref to a group when adding it to a service tree":

..
block/bfq-wf2q.c: In function 'bfq_get_entity':
./include/linux/kernel.h:994:51: error: 'struct bfq_group' has no member named 'entity'
..

The calls to bfq_get_entity::bfqg_and_blkg_get and bfq_forget_entity::bfqg_and_blkg_put
in bfq-wf2q.c need to be wrapped in #ifdef CONFIG_BFQ_GROUP_IOSCHED, otherwise
the build will fail when CONFIG_BFQ_GROUP_IOSCHED is not enabled.
This horribly error-prone #ifdef mess was finally removed in upstream commit
4d8340d0d4d9. For 5.4 we'll either need that as well or add them back.

-h

^ permalink raw reply	[flat|nested] 177+ messages in thread

* Re: [PATCH 5.4 000/168] 5.4.25-stable review
  2020-03-10 14:02 ` [PATCH 5.4 000/168] 5.4.25-stable review Holger Hoffstätte
@ 2020-03-10 14:35   ` Greg Kroah-Hartman
  2020-03-10 14:51     ` Holger Hoffstätte
  0 siblings, 1 reply; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 14:35 UTC (permalink / raw)
  To: Holger Hoffstätte; +Cc: linux-kernel, linux, shuah, stable, Paolo Valente

On Tue, Mar 10, 2020 at 03:02:37PM +0100, Holger Hoffstätte wrote:
> On 3/10/20 1:37 PM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.4.25 release.
> 
> This fails to compile due to broken patch 001/168:
> "block, bfq: get a ref to a group when adding it to a service tree":
> 
> ..
> block/bfq-wf2q.c: In function 'bfq_get_entity':
> ./include/linux/kernel.h:994:51: error: 'struct bfq_group' has no member named 'entity'
> ..
> 
> The calls to bfq_get_entity::bfqg_and_blkg_get and bfq_forget_entity::bfqg_and_blkg_put
> in bfq-wf2q.c need to be wrapped in #ifdef CONFIG_BFQ_GROUP_IOSCHED, otherwise
> the build will fail when CONFIG_BFQ_GROUP_IOSCHED is not enabled.
> This horribly error-prone #ifdef mess was finally removed in upstream commit
> 4d8340d0d4d9. For 5.4 we'll either need that as well or add them back.

Ick, that's a mess.

I'll go drop that patch now, odd that it passed my build tests...

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 177+ messages in thread

* Re: [PATCH 5.4 000/168] 5.4.25-stable review
  2020-03-10 14:35   ` Greg Kroah-Hartman
@ 2020-03-10 14:51     ` Holger Hoffstätte
  2020-03-10 14:57       ` Holger Hoffstätte
  2020-03-10 15:00       ` Greg Kroah-Hartman
  0 siblings, 2 replies; 177+ messages in thread
From: Holger Hoffstätte @ 2020-03-10 14:51 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, linux, shuah, stable, Paolo Valente

On 3/10/20 3:35 PM, Greg Kroah-Hartman wrote:
> On Tue, Mar 10, 2020 at 03:02:37PM +0100, Holger Hoffstätte wrote:
>> On 3/10/20 1:37 PM, Greg Kroah-Hartman wrote:
>>> This is the start of the stable review cycle for the 5.4.25 release.
>>
>> This fails to compile due to broken patch 001/168:
>> "block, bfq: get a ref to a group when adding it to a service tree":
>>
>> ..
>> block/bfq-wf2q.c: In function 'bfq_get_entity':
>> ./include/linux/kernel.h:994:51: error: 'struct bfq_group' has no member named 'entity'
>> ..
>>
>> The calls to bfq_get_entity::bfqg_and_blkg_get and bfq_forget_entity::bfqg_and_blkg_put
>> in bfq-wf2q.c need to be wrapped in #ifdef CONFIG_BFQ_GROUP_IOSCHED, otherwise
>> the build will fail when CONFIG_BFQ_GROUP_IOSCHED is not enabled.
>> This horribly error-prone #ifdef mess was finally removed in upstream commit
>> 4d8340d0d4d9. For 5.4 we'll either need that as well or add them back.
> 
> Ick, that's a mess.
> 
> I'll go drop that patch now, odd that it passed my build tests...

Uh, please no? It fixes a rather nasty UAF when cgroups are in use.
Please just add the other upstream commit as well, I confirmed it applies
cleanly and fixes the problem.

thanks,
Holger

^ permalink raw reply	[flat|nested] 177+ messages in thread

* Re: [PATCH 5.4 000/168] 5.4.25-stable review
  2020-03-10 14:51     ` Holger Hoffstätte
@ 2020-03-10 14:57       ` Holger Hoffstätte
  2020-03-10 15:00       ` Greg Kroah-Hartman
  1 sibling, 0 replies; 177+ messages in thread
From: Holger Hoffstätte @ 2020-03-10 14:57 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, linux, shuah, stable, Paolo Valente

[-- Attachment #1: Type: text/plain, Size: 1538 bytes --]

On 3/10/20 3:51 PM, Holger Hoffstätte wrote:
> On 3/10/20 3:35 PM, Greg Kroah-Hartman wrote:
>> On Tue, Mar 10, 2020 at 03:02:37PM +0100, Holger Hoffstätte wrote:
>>> On 3/10/20 1:37 PM, Greg Kroah-Hartman wrote:
>>>> This is the start of the stable review cycle for the 5.4.25 release.
>>>
>>> This fails to compile due to broken patch 001/168:
>>> "block, bfq: get a ref to a group when adding it to a service tree":
>>>
>>> ..
>>> block/bfq-wf2q.c: In function 'bfq_get_entity':
>>> ./include/linux/kernel.h:994:51: error: 'struct bfq_group' has no member named 'entity'
>>> ..
>>>
>>> The calls to bfq_get_entity::bfqg_and_blkg_get and bfq_forget_entity::bfqg_and_blkg_put
>>> in bfq-wf2q.c need to be wrapped in #ifdef CONFIG_BFQ_GROUP_IOSCHED, otherwise
>>> the build will fail when CONFIG_BFQ_GROUP_IOSCHED is not enabled.
>>> This horribly error-prone #ifdef mess was finally removed in upstream commit
>>> 4d8340d0d4d9. For 5.4 we'll either need that as well or add them back.
>>
>> Ick, that's a mess.
>>
>> I'll go drop that patch now, odd that it passed my build tests...
> 
> Uh, please no? It fixes a rather nasty UAF when cgroups are in use.
> Please just add the other upstream commit as well, I confirmed it applies
> cleanly and fixes the problem.
> 

Alternatively I've appended the version originally sent to the mailing list,
with those #ifdefs intact. That's what I had in my tree so far, you could
consider it a 5.4 backport. Other than that there's no functional difference
to the upstream version.

hth,
Holger

[-- Attachment #2: block-20200131-get-a-ref-to-a-group-when-adding-it-to-a-service-tree.patch --]
[-- Type: text/x-patch, Size: 2934 bytes --]

From: Paolo Valente <paolo.valente@linaro.org>
To: Jens Axboe <axboe@kernel.dk>
Cc: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, bfq-iosched@googlegroups.com,
    oleksandr@natalenko.name, patdung100@gmail.com, cevich@redhat.com, Paolo Valente <paolo.valente@linaro.org>
Subject: [PATCH BUGFIX 5/6] block, bfq: get a ref to a group when adding it to a service tree
Date: Fri, 31 Jan 2020 10:24:08 +0100

BFQ schedules generic entities, which may represent either bfq_queues
or groups of bfq_queues. When an entity is inserted into a service
tree, a reference must be taken, to make sure that the entity does not
disappear while still referred in the tree. Unfortunately, such a
reference is mistakenly taken only if the entity represents a
bfq_queue. This commit takes a reference also in case the entity
represents a group.

Tested-by: Chris Evich <cevich@redhat.com>
Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
---
 block/bfq-cgroup.c  |  2 +-
 block/bfq-iosched.h |  1 +
 block/bfq-wf2q.c    | 16 +++++++++++++++-
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
index c818c64766e5..f85b25fd06f2 100644
--- a/block/bfq-cgroup.c
+++ b/block/bfq-cgroup.c
@@ -332,7 +332,7 @@ static void bfqg_put(struct bfq_group *bfqg)
 		kfree(bfqg);
 }
 
-static void bfqg_and_blkg_get(struct bfq_group *bfqg)
+void bfqg_and_blkg_get(struct bfq_group *bfqg)
 {
 	/* see comments in bfq_bic_update_cgroup for why refcounting bfqg */
 	bfqg_get(bfqg);
diff --git a/block/bfq-iosched.h b/block/bfq-iosched.h
index f1cb89def7f8..b9627ec7007b 100644
--- a/block/bfq-iosched.h
+++ b/block/bfq-iosched.h
@@ -984,6 +984,7 @@ struct bfq_group *bfq_find_set_group(struct bfq_data *bfqd,
 struct blkcg_gq *bfqg_to_blkg(struct bfq_group *bfqg);
 struct bfq_group *bfqq_group(struct bfq_queue *bfqq);
 struct bfq_group *bfq_create_group_hierarchy(struct bfq_data *bfqd, int node);
+void bfqg_and_blkg_get(struct bfq_group *bfqg);
 void bfqg_and_blkg_put(struct bfq_group *bfqg);
 
 #ifdef CONFIG_BFQ_GROUP_IOSCHED
diff --git a/block/bfq-wf2q.c b/block/bfq-wf2q.c
index 26776bdbdf36..ef06e0d34b5b 100644
--- a/block/bfq-wf2q.c
+++ b/block/bfq-wf2q.c
@@ -533,7 +533,13 @@ static void bfq_get_entity(struct bfq_entity *entity)
 		bfqq->ref++;
 		bfq_log_bfqq(bfqq->bfqd, bfqq, "get_entity: %p %d",
 			     bfqq, bfqq->ref);
+#ifdef CONFIG_BFQ_GROUP_IOSCHED
+	} else
+		bfqg_and_blkg_get(container_of(entity, struct bfq_group,
+					       entity));
+#else
 	}
+#endif
 }
 
 /**
@@ -647,8 +653,16 @@ static void bfq_forget_entity(struct bfq_service_tree *st,
 
 	entity->on_st_or_in_serv = false;
 	st->wsum -= entity->weight;
-	if (bfqq && !is_in_service)
+	if (is_in_service)
+		return;
+
+	if (bfqq)
 		bfq_put_queue(bfqq);
+#ifdef CONFIG_BFQ_GROUP_IOSCHED
+	else
+		bfqg_and_blkg_put(container_of(entity, struct bfq_group,
+					       entity));
+#endif
 }
 
 /**
-- 
2.20.1



^ permalink raw reply	[flat|nested] 177+ messages in thread

* Re: [PATCH 5.4 000/168] 5.4.25-stable review
  2020-03-10 14:51     ` Holger Hoffstätte
  2020-03-10 14:57       ` Holger Hoffstätte
@ 2020-03-10 15:00       ` Greg Kroah-Hartman
  2020-03-10 15:07         ` Holger Hoffstätte
  1 sibling, 1 reply; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-10 15:00 UTC (permalink / raw)
  To: Holger Hoffstätte; +Cc: linux-kernel, linux, shuah, stable, Paolo Valente

On Tue, Mar 10, 2020 at 03:51:01PM +0100, Holger Hoffstätte wrote:
> On 3/10/20 3:35 PM, Greg Kroah-Hartman wrote:
> > On Tue, Mar 10, 2020 at 03:02:37PM +0100, Holger Hoffstätte wrote:
> > > On 3/10/20 1:37 PM, Greg Kroah-Hartman wrote:
> > > > This is the start of the stable review cycle for the 5.4.25 release.
> > > 
> > > This fails to compile due to broken patch 001/168:
> > > "block, bfq: get a ref to a group when adding it to a service tree":
> > > 
> > > ..
> > > block/bfq-wf2q.c: In function 'bfq_get_entity':
> > > ./include/linux/kernel.h:994:51: error: 'struct bfq_group' has no member named 'entity'
> > > ..
> > > 
> > > The calls to bfq_get_entity::bfqg_and_blkg_get and bfq_forget_entity::bfqg_and_blkg_put
> > > in bfq-wf2q.c need to be wrapped in #ifdef CONFIG_BFQ_GROUP_IOSCHED, otherwise
> > > the build will fail when CONFIG_BFQ_GROUP_IOSCHED is not enabled.
> > > This horribly error-prone #ifdef mess was finally removed in upstream commit
> > > 4d8340d0d4d9. For 5.4 we'll either need that as well or add them back.
> > 
> > Ick, that's a mess.
> > 
> > I'll go drop that patch now, odd that it passed my build tests...
> 
> Uh, please no? It fixes a rather nasty UAF when cgroups are in use.
> Please just add the other upstream commit as well, I confirmed it applies
> cleanly and fixes the problem.

I didn't get that from your email at all, sorry.

So, what commits, and in what order, should be applied to 5.4.y at the
moment to resolve this issue?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 177+ messages in thread

* Re: [PATCH 5.4 000/168] 5.4.25-stable review
  2020-03-10 15:00       ` Greg Kroah-Hartman
@ 2020-03-10 15:07         ` Holger Hoffstätte
  2020-03-11 18:09           ` Greg Kroah-Hartman
  0 siblings, 1 reply; 177+ messages in thread
From: Holger Hoffstätte @ 2020-03-10 15:07 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, linux, shuah, stable, Paolo Valente

On 3/10/20 4:00 PM, Greg Kroah-Hartman wrote:
> On Tue, Mar 10, 2020 at 03:51:01PM +0100, Holger Hoffstätte wrote:
>> On 3/10/20 3:35 PM, Greg Kroah-Hartman wrote:
>>> On Tue, Mar 10, 2020 at 03:02:37PM +0100, Holger Hoffstätte wrote:
>>>> On 3/10/20 1:37 PM, Greg Kroah-Hartman wrote:
>>>>> This is the start of the stable review cycle for the 5.4.25 release.
>>>>
>>>> This fails to compile due to broken patch 001/168:
>>>> "block, bfq: get a ref to a group when adding it to a service tree":
>>>>
>>>> ..
>>>> block/bfq-wf2q.c: In function 'bfq_get_entity':
>>>> ./include/linux/kernel.h:994:51: error: 'struct bfq_group' has no member named 'entity'
>>>> ..
>>>>
>>>> The calls to bfq_get_entity::bfqg_and_blkg_get and bfq_forget_entity::bfqg_and_blkg_put
>>>> in bfq-wf2q.c need to be wrapped in #ifdef CONFIG_BFQ_GROUP_IOSCHED, otherwise
>>>> the build will fail when CONFIG_BFQ_GROUP_IOSCHED is not enabled.
>>>> This horribly error-prone #ifdef mess was finally removed in upstream commit
>>>> 4d8340d0d4d9. For 5.4 we'll either need that as well or add them back.
>>>
>>> Ick, that's a mess.
>>>
>>> I'll go drop that patch now, odd that it passed my build tests...
>>
>> Uh, please no? It fixes a rather nasty UAF when cgroups are in use.
>> Please just add the other upstream commit as well, I confirmed it applies
>> cleanly and fixes the problem.
> 
> I didn't get that from your email at all, sorry.
> 
> So, what commits, and in what order, should be applied to 5.4.y at the
> moment to resolve this issue?

Just add upstream 4d8340d0d4d9 and it should work. Order shouldn't matter
(built for me either way) unless you want to follow upstream, in which case
it should come before "get a ref to a group..". Easy :)

-h

^ permalink raw reply	[flat|nested] 177+ messages in thread

* Re: [PATCH 5.4 000/168] 5.4.25-stable review
  2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2020-03-10 14:02 ` [PATCH 5.4 000/168] 5.4.25-stable review Holger Hoffstätte
@ 2020-03-11  7:52 ` Naresh Kamboju
  169 siblings, 0 replies; 177+ messages in thread
From: Naresh Kamboju @ 2020-03-11  7:52 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Shuah Khan, patches, lkft-triage, Ben Hutchings,
	linux- stable, Andrew Morton, Linus Torvalds, Guenter Roeck

On Tue, 10 Mar 2020 at 18:19, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.4.25 release.
> There are 168 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 12 Mar 2020 12:34:10 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.25-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 5.4.25-rc2
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-5.4.y
git commit: 877097a6286abcb4d5eaa7d683640e3a86b7a95c
git describe: v5.4.24-168-g877097a6286a
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-5.4-oe/build/v5.4.24-168-g877097a6286a

No regressions (compared to build v5.4.24)

No fixes (compared to build v5.4.24)

Ran 26864 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c
- hi6220-hikey
- i386
- juno-r2
- nxp-ls2088
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15
- x86

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* install-android-platform-tools-r2800
* kselftest
* libgpiod
* libhugetlbfs
* linux-log-parser
* ltp-commands-tests
* ltp-containers-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-math-tests
* ltp-mm-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
* ltp-cap_bounds-tests
* ltp-cpuhotplug-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-ipc-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* network-basic-tests
* kvm-unit-tests
* ltp-crypto-tests
* ltp-cap_bounds-64k-page_size-tests
* ltp-cap_bounds-kasan-tests
* ltp-commands-64k-page_size-tests
* ltp-commands-kasan-tests
* ltp-containers-64k-page_size-tests
* ltp-containers-kasan-tests
* ltp-cpuhotplug-64k-page_size-tests
* ltp-cpuhotplug-kasan-tests
* ltp-crypto-64k-page_size-tests
* ltp-crypto-kasan-tests
* ltp-cve-64k-page_size-tests
* ltp-cve-kasan-tests
* ltp-dio-64k-page_size-tests
* ltp-dio-kasan-tests
* ltp-fcntl-locktests-64k-page_size-tests
* ltp-fcntl-locktests-kasan-tests
* ltp-filecaps-64k-page_size-tests
* ltp-filecaps-kasan-tests
* ltp-fs-64k-page_size-tests
* ltp-fs-kasan-tests
* ltp-fs_bind-64k-page_size-tests
* ltp-fs_bind-kasan-tests
* ltp-fs_perms_simple-64k-page_size-tests
* ltp-fs_perms_simple-kasan-tests
* ltp-fsx-64k-page_size-tests
* ltp-fsx-kasan-tests
* ltp-hugetlb-64k-page_size-tests
* ltp-hugetlb-kasan-tests
* ltp-io-64k-page_size-tests
* ltp-io-kasan-tests
* ltp-ipc-64k-page_size-tests
* ltp-ipc-kasan-tests
* ltp-math-64k-page_size-tests
* ltp-math-kasan-tests
* ltp-mm-64k-page_size-tests
* ltp-mm-kasan-tests
* ltp-nptl-64k-page_size-tests
* ltp-nptl-kasan-tests
* ltp-pty-64k-page_size-tests
* ltp-pty-kasan-tests
* ltp-sched-64k-page_size-tests
* ltp-sched-kasan-tests
* ltp-securebits-64k-page_size-tests
* ltp-securebits-kasan-tests
* ltp-syscalls-64k-page_size-tests
* ltp-syscalls-compat-tests
* ltp-syscalls-kasan-tests
* ltp-open-posix-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 177+ messages in thread

* Re: [PATCH 5.4 000/168] 5.4.25-stable review
  2020-03-10 15:07         ` Holger Hoffstätte
@ 2020-03-11 18:09           ` Greg Kroah-Hartman
  0 siblings, 0 replies; 177+ messages in thread
From: Greg Kroah-Hartman @ 2020-03-11 18:09 UTC (permalink / raw)
  To: Holger Hoffstätte; +Cc: linux-kernel, linux, shuah, stable, Paolo Valente

On Tue, Mar 10, 2020 at 04:07:23PM +0100, Holger Hoffstätte wrote:
> On 3/10/20 4:00 PM, Greg Kroah-Hartman wrote:
> > On Tue, Mar 10, 2020 at 03:51:01PM +0100, Holger Hoffstätte wrote:
> > > On 3/10/20 3:35 PM, Greg Kroah-Hartman wrote:
> > > > On Tue, Mar 10, 2020 at 03:02:37PM +0100, Holger Hoffstätte wrote:
> > > > > On 3/10/20 1:37 PM, Greg Kroah-Hartman wrote:
> > > > > > This is the start of the stable review cycle for the 5.4.25 release.
> > > > > 
> > > > > This fails to compile due to broken patch 001/168:
> > > > > "block, bfq: get a ref to a group when adding it to a service tree":
> > > > > 
> > > > > ..
> > > > > block/bfq-wf2q.c: In function 'bfq_get_entity':
> > > > > ./include/linux/kernel.h:994:51: error: 'struct bfq_group' has no member named 'entity'
> > > > > ..
> > > > > 
> > > > > The calls to bfq_get_entity::bfqg_and_blkg_get and bfq_forget_entity::bfqg_and_blkg_put
> > > > > in bfq-wf2q.c need to be wrapped in #ifdef CONFIG_BFQ_GROUP_IOSCHED, otherwise
> > > > > the build will fail when CONFIG_BFQ_GROUP_IOSCHED is not enabled.
> > > > > This horribly error-prone #ifdef mess was finally removed in upstream commit
> > > > > 4d8340d0d4d9. For 5.4 we'll either need that as well or add them back.
> > > > 
> > > > Ick, that's a mess.
> > > > 
> > > > I'll go drop that patch now, odd that it passed my build tests...
> > > 
> > > Uh, please no? It fixes a rather nasty UAF when cgroups are in use.
> > > Please just add the other upstream commit as well, I confirmed it applies
> > > cleanly and fixes the problem.
> > 
> > I didn't get that from your email at all, sorry.
> > 
> > So, what commits, and in what order, should be applied to 5.4.y at the
> > moment to resolve this issue?
> 
> Just add upstream 4d8340d0d4d9 and it should work. Order shouldn't matter
> (built for me either way) unless you want to follow upstream, in which case
> it should come before "get a ref to a group..". Easy :)

Ok, I've added both back now, and to the 5.5.y tree as well.  Hopefully
that should resolve these build issues.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 177+ messages in thread

end of thread, other threads:[~2020-03-11 18:09 UTC | newest]

Thread overview: 177+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-10 12:37 [PATCH 5.4 000/168] 5.4.25-stable review Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 001/168] block, bfq: get a ref to a group when adding it to a service tree Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 002/168] block, bfq: get extra ref to prevent a queue from being freed during a group move Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 003/168] block, bfq: do not insert oom queue into position tree Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 004/168] ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1 Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 005/168] net: dsa: bcm_sf2: Forcibly configure IMP port for 1Gb/sec Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 006/168] net: stmmac: fix notifier registration Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 007/168] dm thin metadata: fix lockdep complaint Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 008/168] RDMA/core: Fix pkey and port assignment in get_new_pps Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 009/168] RDMA/core: Fix use of logical OR " Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 010/168] kbuild: fix No such file or directory warning when cleaning Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 011/168] kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation logic Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 012/168] blktrace: fix dereference after null check Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 013/168] ALSA: hda: do not override bus codec_mask in link_get() Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 014/168] serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 015/168] selftests: fix too long argument Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 016/168] usb: gadget: composite: Support more than 500mA MaxPower Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 017/168] usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 018/168] usb: gadget: serial: fix Tx stall after buffer overflow Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 019/168] habanalabs: halt the engines before hard-reset Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 020/168] habanalabs: do not halt CoreSight during hard reset Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 021/168] habanalabs: patched cb equals user cb in device memset Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 022/168] drm/msm/mdp5: rate limit pp done timeout warnings Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 023/168] drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 024/168] drm/modes: Make sure to parse valid rotation value from cmdline Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 025/168] drm/modes: Allow DRM_MODE_ROTATE_0 when applying video mode parameters Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 026/168] scsi: megaraid_sas: silence a warning Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 027/168] drm/msm/dsi: save pll state before dsi host is powered off Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 028/168] drm/msm/dsi/pll: call vco set rate explicitly Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 029/168] selftests: forwarding: use proto icmp for {gretap, ip6gretap}_mac testing Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 030/168] selftests: forwarding: vxlan_bridge_1d: fix tos value Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 031/168] net: atlantic: check rpc result and wait for rpc address Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 032/168] net: ks8851-ml: Remove 8-bit bus accessors Greg Kroah-Hartman
2020-03-10 12:37 ` [PATCH 5.4 033/168] net: ks8851-ml: Fix 16-bit data access Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 034/168] net: ks8851-ml: Fix 16-bit IO operation Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 035/168] net: ethernet: dm9000: Handle -EPROBE_DEFER in dm9000_parse_dt() Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 036/168] watchdog: da9062: do not ping the hw during stop() Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 037/168] s390/cio: cio_ignore_proc_seq_next should increase position index Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 038/168] s390: make install not depend on vmlinux Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 039/168] efi: Only print errors about failing to get certs if EFI vars are found Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 040/168] net/mlx5: DR, Fix matching on vport gvmi Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 041/168] iommu/amd: Disable IOMMU on Stoney Ridge systems Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 042/168] nvme/pci: Add sleep quirk for Samsung and Toshiba drives Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 043/168] nvme-pci: Use single IRQ vector for old Apple models Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 044/168] x86/boot/compressed: Dont declare __force_order in kaslr_64.c Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 045/168] s390/qdio: fill SL with absolute addresses Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 046/168] nvme: Fix uninitialized-variable warning Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 047/168] ice: Dont tell the OS that link is going down Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 048/168] x86/xen: Distribute switch variables for initialization Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 049/168] net: thunderx: workaround BGX TX Underflow issue Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 050/168] csky/mm: Fixup export invalid_pte_table symbol Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 051/168] csky: Set regs->usp to kernel sp, when the exception is from kernel Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 052/168] csky/smp: Fixup boot failed when CONFIG_SMP Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 053/168] csky: Fixup ftrace modify panic Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 054/168] csky: Fixup compile warning for three unimplemented syscalls Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 055/168] arch/csky: fix some Kconfig typos Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 056/168] selftests: forwarding: vxlan_bridge_1d: use more proper tos value Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 057/168] firmware: imx: scu: Ensure sequential TX Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 058/168] binder: prevent UAF for binderfs devices Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 059/168] binder: prevent UAF for binderfs devices II Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 060/168] ALSA: hda/realtek - Add Headset Mic supported Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 061/168] ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1 Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 062/168] ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 063/168] ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294 Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 064/168] cifs: dont leak -EAGAIN for stat() during reconnect Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 065/168] cifs: fix rename() by ensuring source handle opened with DELETE bit Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 066/168] usb: storage: Add quirk for Samsung Fit flash Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 067/168] usb: quirks: add NO_LPM quirk for Logitech Screen Share Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 068/168] usb: dwc3: gadget: Update chain bit correctly when using sg list Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 069/168] usb: cdns3: gadget: link trb should point to next request Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 070/168] usb: cdns3: gadget: toggle cycle bit before reset endpoint Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 071/168] usb: core: hub: fix unhandled return by employing a void function Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 072/168] usb: core: hub: do error out if usb_autopm_get_interface() fails Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 073/168] usb: core: port: " Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 074/168] vgacon: Fix a UAF in vgacon_invert_region Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 075/168] mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 076/168] mm: fix possible PMD dirty bit lost in set_pmd_migration_entry() Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 077/168] mm, hotplug: fix page online with DEBUG_PAGEALLOC compiled but not enabled Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 078/168] fat: fix uninit-memory access for partial initialized inode Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 079/168] btrfs: fix RAID direct I/O reads with alternate csums Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 080/168] arm64: dts: socfpga: agilex: Fix gmac compatible Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 081/168] arm: dts: dra76x: Fix mmc3 max-frequency Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 082/168] tty:serial:mvebu-uart:fix a wrong return Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 083/168] tty: serial: fsl_lpuart: free IDs allocated by IDA Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 084/168] serial: 8250_exar: add support for ACCES cards Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 085/168] vt: selection, close sel_buffer race Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 086/168] vt: selection, push console lock down Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 087/168] vt: selection, push sel_lock up Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 088/168] media: hantro: Fix broken media controller links Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 089/168] media: mc-entity.c: use & to check pad flags, not == Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 090/168] media: vicodec: process all 4 components for RGB32 formats Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 091/168] media: v4l2-mem2mem.c: fix broken links Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 092/168] perf intel-pt: Fix endless record after being terminated Greg Kroah-Hartman
2020-03-10 12:38 ` [PATCH 5.4 093/168] perf intel-bts: " Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 094/168] perf cs-etm: " Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 095/168] perf arm-spe: " Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 096/168] spi: spidev: Fix CS polarity if GPIO descriptors are used Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 097/168] x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 098/168] s390/pci: Fix unexpected write combine on resource Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 099/168] s390/mm: fix panic in gup_fast on large pud Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 100/168] dmaengine: imx-sdma: fix context cache Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 101/168] dmaengine: imx-sdma: Fix the event id check to include RX event for UART6 Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 102/168] dmaengine: tegra-apb: Fix use-after-free Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 103/168] dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 104/168] dm integrity: fix recalculation when moving from journal mode to bitmap mode Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 105/168] dm integrity: fix a deadlock due to offloading to an incorrect workqueue Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 106/168] dm integrity: fix invalid table returned due to argument count mismatch Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 107/168] dm cache: fix a crash due to incorrect work item cancelling Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 108/168] dm: report suspended device during destroy Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 109/168] dm writecache: verify watermark during resume Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 110/168] dm zoned: Fix reference counter initial value of chunk works Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 111/168] dm: fix congested_fn for request-based device Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 112/168] arm64: dts: meson-sm1-sei610: add missing interrupt-names Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 113/168] ARM: dts: ls1021a: Restore MDIO compatible to gianfar Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 114/168] spi: bcm63xx-hsspi: Really keep pll clk enabled Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 115/168] drm/virtio: make resource id workaround runtime switchable Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 116/168] drm/virtio: fix resource id creation race Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 117/168] ASoC: topology: Fix memleak in soc_tplg_link_elems_load() Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 118/168] ASoC: topology: Fix memleak in soc_tplg_manifest_load() Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 119/168] ASoC: SOF: Fix snd_sof_ipc_stream_posn() Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 120/168] ASoC: intel: skl: Fix pin debug prints Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 121/168] ASoC: intel: skl: Fix possible buffer overflow in debug outputs Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 122/168] powerpc: define helpers to get L1 icache sizes Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 123/168] powerpc: Convert flush_icache_range & friends to C Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 124/168] powerpc/mm: Fix missing KUAP disable in flush_coherent_icache() Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 125/168] ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 126/168] ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 127/168] ASoC: Intel: Skylake: Fix available clock counter incrementation Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 128/168] ASoC: dapm: Correct DAPM handling of active widgets during shutdown Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 129/168] spi: atmel-quadspi: fix possible MMIO window size overrun Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 130/168] drm/panfrost: Dont try to map on error faults Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 131/168] drm: kirin: Revert "Fix for hikey620 display offset problem" Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 132/168] drm/sun4i: Add separate DE3 VI layer formats Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 133/168] drm/sun4i: Fix DE2 VI layer format support Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 134/168] drm/sun4i: de2/de3: Remove unsupported VI layer formats Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 135/168] drm/i915: Program MBUS with rmw during initialization Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 136/168] drm/i915/selftests: Fix return in assert_mmap_offset() Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 137/168] phy: mapphone-mdm6600: Fix timeouts by adding wake-up handling Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 138/168] phy: mapphone-mdm6600: Fix write timeouts with shorter GPIO toggle interval Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 139/168] ARM: dts: imx6: phycore-som: fix emmc supply Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 140/168] arm64: dts: imx8qxp-mek: Remove unexisting Ethernet PHY Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 141/168] firmware: imx: misc: Align imx sc msg structs to 4 Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 142/168] firmware: imx: scu-pd: " Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 143/168] firmware: imx: Align imx_sc_msg_req_cpu_start " Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 144/168] soc: imx-scu: Align imx sc msg structs " Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 145/168] Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow" Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 146/168] RDMA/rw: Fix error flow during RDMA context initialization Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 147/168] RDMA/nldev: Fix crash when set a QP to a new counter but QPN is missing Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 148/168] RDMA/siw: Fix failure handling during device creation Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 149/168] RDMA/iwcm: Fix iwcm work deallocation Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 150/168] RDMA/core: Fix protection fault in ib_mr_pool_destroy Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 151/168] regulator: stm32-vrefbuf: fix a possible overshoot when re-enabling Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 152/168] RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen() Greg Kroah-Hartman
2020-03-10 12:39 ` [PATCH 5.4 153/168] IB/hfi1, qib: Ensure RCU is locked when accessing list Greg Kroah-Hartman
2020-03-10 12:40 ` [PATCH 5.4 154/168] ARM: imx: build v7_cpu_resume() unconditionally Greg Kroah-Hartman
2020-03-10 12:40 ` [PATCH 5.4 155/168] ARM: dts: am437x-idk-evm: Fix incorrect OPP node names Greg Kroah-Hartman
2020-03-10 12:40 ` [PATCH 5.4 156/168] ARM: dts: dra7xx-clocks: Fixup IPU1 mux clock parent source Greg Kroah-Hartman
2020-03-10 12:40 ` [PATCH 5.4 157/168] ARM: dts: imx6dl-colibri-eval-v3: fix sram compatible properties Greg Kroah-Hartman
2020-03-10 12:40 ` [PATCH 5.4 158/168] ARM: dts: imx7-colibri: Fix frequency for sd/mmc Greg Kroah-Hartman
2020-03-10 12:40 ` [PATCH 5.4 159/168] hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() Greg Kroah-Hartman
2020-03-10 12:40 ` [PATCH 5.4 160/168] dma-buf: free dmabuf->name in dma_buf_release() Greg Kroah-Hartman
2020-03-10 12:40 ` [PATCH 5.4 161/168] dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() Greg Kroah-Hartman
2020-03-10 12:40 ` [PATCH 5.4 162/168] arm64: dts: meson: fix gxm-khadas-vim2 wifi Greg Kroah-Hartman
2020-03-10 12:40 ` [PATCH 5.4 163/168] bus: ti-sysc: Fix 1-wire reset quirk Greg Kroah-Hartman
2020-03-10 12:40 ` [PATCH 5.4 164/168] EDAC/synopsys: Do not print an error with back-to-back snprintf() calls Greg Kroah-Hartman
2020-03-10 12:40 ` [PATCH 5.4 165/168] powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems Greg Kroah-Hartman
2020-03-10 12:40 ` [PATCH 5.4 166/168] efi/x86: Align GUIDs to their size in the mixed mode runtime wrapper Greg Kroah-Hartman
2020-03-10 12:40 ` [PATCH 5.4 167/168] efi/x86: Handle by-ref arguments covering multiple pages in mixed mode Greg Kroah-Hartman
2020-03-10 12:40 ` [PATCH 5.4 168/168] efi: READ_ONCE rng seed size before munmap Greg Kroah-Hartman
2020-03-10 14:02 ` [PATCH 5.4 000/168] 5.4.25-stable review Holger Hoffstätte
2020-03-10 14:35   ` Greg Kroah-Hartman
2020-03-10 14:51     ` Holger Hoffstätte
2020-03-10 14:57       ` Holger Hoffstätte
2020-03-10 15:00       ` Greg Kroah-Hartman
2020-03-10 15:07         ` Holger Hoffstätte
2020-03-11 18:09           ` Greg Kroah-Hartman
2020-03-11  7:52 ` Naresh Kamboju

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).