- 03 Sep, 2020 40 commits
-
-
Jens Axboe authored
[ Upstream commit fd7d6de2 ] If an application is doing reads on signalfd, and we arm the poll handler because there's no data available, then the wakeup can recurse on the tasks sighand->siglock as the signal delivery from task_work_add() will use TWA_SIGNAL and that attempts to lock it again. We can detect the signalfd case pretty easily by comparing the poll->head wait_queue_head_t with the target task signalfd wait queue. Just use normal task wakeup for this case. Cc: stable@vger.kernel.org # v5.7+ Signed-off-by:
Jens Axboe <axboe@kernel.dk> Signed-off-by:
Sasha Levin <sashal@kernel.org>
-
Badhri Jagan Sridharan authored
commit 23e26d05 upstream. The patch addresses the compliance test failures while running TDA 2.3.1.1 and TDA 2.3.1.2 of the "PD Communications Engine USB PD Compliance MOI" test plan published in https://www.usb.org/usbc. For a product to be Type-C compliant, it's expected that these tests are run on usb.org certified Type-C compliance tester as mentioned in https://www.usb.org/usbc . While the purpose of TDA 2.3.1.1 and TDA 2.3.1.2 is to verify that the static and dynamic electrical capabilities of a Source meet the requirements for each PDO offered, while doing so, the tests also monitor that the timing of the VBUS waveform versus the messages meets the requirements for Hard Reset defined in PROT-PROC-HR-TSTR as mentioned in step 11 of TDA.2.3.1.1 and step 15 of TDA.2.3.1.2. TDB.2.2.13.1: PROT-PROC-HR-TSTR Procedure and Checks for Tester Originated Hard Reset Purpose: To perform the appropriate protocol checks relating to any circumstance in which the Hard Reset signal is sent by the Tester. UUT is behaving as source: The Tester sends a Hard Reset signal. 1. Check VBUS stays within present valid voltage range for tPSHardReset min (25ms) after last bit of Hard Reset signal. [PROT_PROC_HR_TSTR_1] 2. Check that VBUS starts to fall below present valid voltage range by tPSHardReset max (35ms). [PROT_PROC_HR_TSTR_2] 3. Check that VBUS reaches vSafe0V within tSafe0v max (650 ms). [PROT_PROC_HR_TSTR_3] 4. Check that VBUS starts rising to vSafe5V after a delay of tSrcRecover (0.66s - 1s) from reaching vSafe0V. [PROT_PROC_HR_TSTR_4] 5. Check that VBUS reaches vSafe5V within tSrcTurnOn max (275ms) of rising above vSafe0v max (0.8V). [PROT_PROC_HR_TSTR_5] Power Delivery Compliance Plan 139 6. Check that Source Capabilities are finished sending within tFirstSourceCap max (250ms) of VBUS reaching vSafe5v min. [PROT_PROC_HR_TSTR_6]. This is in line with 7.1.5 Response to Hard Resets of the USB Power Delivery Specification Revision 3.0, Version 1.2, "Hard Reset Signaling indicates a communication failure has occurred and the Source Shall stop driving VCONN, Shall remove Rp from the VCONN pin and Shall drive VBUS to vSafe0V as shown in Figure 7-9. The USB connection May reset during a Hard Reset since the VBUS voltage will be less than vSafe5V for an extended period of time. After establishing the vSafe0V voltage condition on VBUS, the Source Shall wait tSrcRecover before re-applying VCONN and restoring VBUS to vSafe5V. A Source Shall conform to the VCONN timing as specified in [USB Type-C 1.3]." With the above guidelines from the spec in mind, TCPM does not turn off VCONN while entering SRC_HARD_RESET_VBUS_OFF. The patch makes TCPM turn off VCONN while entering SRC_HARD_RESET_VBUS_OFF and turn it back on while entering SRC_HARD_RESET_VBUS_ON along with vbus instead of having VCONN on through hardreset. Also, the spec clearly states that "After establishing the vSafe0V voltage condition on VBUS", the Source Shall wait tSrcRecover before re-applying VCONN and restoring VBUS to vSafe5V. TCPM does not conform to this requirement. If the TCPC driver calls tcpm_vbus_change with vbus off signal, TCPM right away enters SRC_HARD_RESET_VBUS_ON without waiting for tSrcRecover. For TCPC's which are buggy/does not call tcpm_vbus_change, TCPM assumes that the vsafe0v is instantaneous as TCPM only waits tSrcRecover instead of waiting for tSafe0v + tSrcRecover. This patch also fixes this behavior by making sure that TCPM waits for tSrcRecover before transitioning into SRC_HARD_RESET_VBUS_ON when tcpm_vbus_change is called by TCPC. When TCPC does not call tcpm_vbus_change, TCPM assumes the worst case i.e. tSafe0v + tSrcRecover before transitioning into SRC_HARD_RESET_VBUS_ON. Signed-off-by:
Badhri Jagan Sridharan <badhri@google.com> Reviewed-by:
Guenter Roeck <linux@roeck-us.net> Reviewed-by:
Heikki Krogerus <heikki.krogerus@linux.intel.com> Cc: stable <stable@kernel.org> Link: https://lore.kernel.org/r/20200817184601.1899929-1-badhri@google.com Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Hans de Goede authored
commit bed97b30 upstream. Commit 081da132 ("usb: typec: ucsi: displayport: Fix a potential race during registration") made the ucsi code hold con->lock in ucsi_register_displayport(). But we really don't want any interactions with the connector to run before the port-registration process is fully complete. This commit moves the taking of con->lock from ucsi_register_displayport() into ucsi_register_port() to achieve this. Cc: stable@vger.kernel.org Fixes: 081da132 ("usb: typec: ucsi: displayport: Fix a potential race during registration") Signed-off-by:
Hans de Goede <hdegoede@redhat.com> Acked-by:
-
Hans de Goede authored
commit 25794e30 upstream. The ppm_lock really only needs to be hold during 2 functions: ucsi_reset_ppm() and ucsi_run_command(). Push the taking of the lock down into these 2 functions, renaming ucsi_run_command() to ucsi_send_command() which was an existing wrapper already taking the lock for its callers. This simplifies things for the callers and removes the difference between ucsi_send_command() and ucsi_run_command() which has led to various locking bugs in the past. Cc: stable@vger.kernel.org Signed-off-by:
-
Hans de Goede authored
commit 7e90057f upstream. Fix 2 unlocked ucsi_run_command calls: 1. ucsi_handle_connector_change() contains one ucsi_send_command() call, which takes the ppm_lock for it; and one ucsi_run_command() call which relies on the caller have taking the ppm_lock. ucsi_handle_connector_change() does not take the lock, so the second (ucsi_run_command) calls should also be ucsi_send_command(). 2. ucsi_get_pdos() gets called from ucsi_handle_connector_change() which does not hold the ppm_lock, so it also must use ucsi_send_command(). This commit also adds a WARN_ON(!mutex_is_locked(&ucsi->ppm_lock)); to ucsi_run_command() to avoid similar problems getting re-introduced in the future. Cc: stable@vger.kernel.org Signed-off-by:
-
Hans de Goede authored
commit 0ff0705a upstream. Lockdep reports an AB BA lock inversion between ucsi_init() and ucsi_handle_connector_change(): AB order: 1. ucsi_init takes ucsi->ppm_lock (it runs with that locked for the duration of the function) 2. usci_init eventually end up calling ucsi_register_displayport, which takes ucsi_connector->lock BA order: 1. ucsi_handle_connector_change work is started, takes ucsi_connector->lock 2. ucsi_handle_connector_change calls ucsi_send_command which takes ucsi->ppm_lock The ppm_lock really only needs to be hold during 2 functions: ucsi_reset_ppm() and ucsi_run_command(). This commit fixes the AB BA lock inversion by making ucsi_init drop the ucsi->ppm_lock before it starts registering ports; and replacing any ucsi_run_command() calls after this point with ucsi_send_command() (which is a wrapper around run_command taking the lock while handling the command). Some of the replacing of ucsi_run_command with ucsi_send_command in the helpers used during port registration also fixes a number of code paths after registration which call ucsi_run_command() without holding the ppm_lock: 1. ucsi_altmode_update_active() call in ucsi/displayport.c 2. ucsi_register_altmodes() call from ucsi_handle_connector_change() (through ucsi_partner_change()) Cc: stable@vger.kernel.org Signed-off-by:
-
Bastien Nocera authored
commit d5643d22 upstream. When a new device with a specialised device driver is plugged in, the new driver will be modprobe()'d but the driver core will attach the "generic" driver to the device. After that, nothing will trigger a reprobe when the modprobe()'d device driver has finished initialising, as the device has the "generic" driver attached to it. Trigger a reprobe ourselves when new specialised drivers get registered. Fixes: 88b7381a ("USB: Select better matching USB drivers when available") Signed-off-by:
Bastien Nocera <hadess@hadess.net> Cc: stable <stable@vger.kernel.org> Acked-by:
Alan Stern <stern@rowland.harvard.edu> Link: https://lore.kernel.org/r/20200818110445.509668-3-hadess@hadess.net Signed-off-by:
-
Bastien Nocera authored
commit adb6e6ac upstream. We only ever used the ID table matching before, but we should also support open-coded match functions. Fixes: 88b7381a ("USB: Select better matching USB drivers when available") Signed-off-by:
-
Alan Stern authored
commit 20934c0d upstream. The PSZ-HA* family of USB disk drives from Sony can't handle the REPORT OPCODES command when using the UAS protocol. This patch adds an appropriate quirks entry. Reported-and-tested-by:
Till Dörges <doerges@pre-sense.de> Signed-off-by:
-
Tom Rix authored
commit f4b9d8a5 upstream. Clang static analysis reports this error cdc-acm.c:409:3: warning: Use of memory after it is freed acm_process_notification(acm, (unsigned char *)dr); There are three problems, the first one is that dr is not reset The variable dr is set with if (acm->nb_index) dr = (struct usb_cdc_notification *)acm->notification_buffer; But if the notification_buffer is too small it is resized with if (acm->nb_size) { kfree(acm->notification_buffer); acm->nb_size = 0; } alloc_size = roundup_pow_of_two(expected_size); /* * kmalloc ensures a valid notification_buffer after a * use of kfree in case the previous allocation was too * small. Final freeing is done on disconnect. */ acm->notification_buffer = kmalloc(alloc_size, GFP_ATOMIC); dr should point to the new acm->notification_buffer. The second problem is any data in the notification_buffer is lost when the pointer is freed. In the normal case, the current data is accumulated in the notification_buffer here. memcpy(&acm->notification_buffer[acm->nb_index], urb->transfer_buffer, copy_size); When a resize happens, anything before notification_buffer[acm->nb_index] is garbage. The third problem is the acm->nb_index is not reset on a resizing buffer error. So switch resizing to using krealloc and reassign dr and reset nb_index. Fixes: ea258352 ("cdc-acm: reassemble fragmented notifications") Signed-off-by:
Tom Rix <trix@redhat.com> Cc: stable <stable@vger.kernel.org> Acked-by:
Oliver Neukum <oneukum@suse.com> Link: https://lore.kernel.org/r/20200801152154.20683-1-trix@redhat.com Signed-off-by:
-
Thinh Nguyen authored
commit bc9a2e22 upstream. Currently dwc3 doesn't handle usb_request->zero for SG requests. This change checks and prepares extra TRBs for the ZLP for SG requests. Cc: <stable@vger.kernel.org> # v4.5+ Fixes: 04c03d10 ("usb: dwc3: gadget: handle request->zero") Signed-off-by:
Thinh Nguyen <thinhn@synopsys.com> Signed-off-by:
Felipe Balbi <balbi@kernel.org> Signed-off-by:
-
Thinh Nguyen authored
commit d2ee3ff7 upstream. The usb_request->zero doesn't apply for isoc. Also, if we prepare a 0-length (ZLP) TRB for the OUT direction, we need to prepare an extra TRB to pad up to the MPS alignment. Use the same bounce buffer for the ZLP TRB and the extra pad TRB. Cc: <stable@vger.kernel.org> # v4.5+ Fixes: d6e5a549 ("usb: dwc3: simplify ZLP handling") Fixes: 04c03d10 ("usb: dwc3: gadget: handle request->zero") Signed-off-by:
-
Thinh Nguyen authored
commit 5d187c04 upstream. The SG list may be set up with entry size more than the requested length. Check the usb_request->length and make sure that we don't setup the TRBs to send/receive more than requested. This case may occur when the SG entry is allocated up to a certain minimum size, but the request length is less than that. It can also occur when the request is reused for a different request length. Cc: <stable@vger.kernel.org> # v4.18+ Fixes: a31e63b6 ("usb: dwc3: gadget: Correct handling of scattergather lists") Signed-off-by:
-
Andy Shevchenko authored
commit bfd08d06 upstream. Inadvertently the commit b1cd1b65 ("USB: gadget: u_f: add overflow checks to VLA macros") makes VLA macros to always return 0 due to different scope of two variables of the same name. Obviously we need to have only one. Fixes: b1cd1b65 ("USB: gadget: u_f: add overflow checks to VLA macros") Reported-by:
Marek Szyprowski <m.szyprowski@samsung.com> Tested-by:
Andy Shevchenko <andriy.shevchenko@linux.intel.com> Cc: Brooke Basile <brookebasile@gmail.com> Cc: stable <stable@kernel.org> Link: https://lore.kernel.org/r/20200826192119.56450-1-andriy.shevchenko@linux.intel.com Signed-off-by:
-
Brooke Basile authored
commit 2b74b0a0 upstream. Some values extracted by ncm_unwrap_ntb() could possibly lead to several different out of bounds reads of memory. Specifically the values passed to netdev_alloc_skb_ip_align() need to be checked so that memory is not overflowed. Resolve this by applying bounds checking to a number of different indexes and lengths of the structure parsing logic. Reported-by:
Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by:
Brooke Basile <brookebasile@gmail.com> Acked-by:
-
Brooke Basile authored
commit b1cd1b65 upstream. size can potentially hold an overflowed value if its assigned expression is left unchecked, leading to a smaller than needed allocation when vla_group_size() is used by callers to allocate memory. To fix this, add a test for saturation before declaring variables and an overflow check to (n) * sizeof(type). If the expression results in overflow, vla_group_size() will return SIZE_MAX. Reported-by:
Kees Cook <keescook@chromium.org> Signed-off-by:
-
Tang Bin authored
commit 1d416983 upstream. If the function platform_get_irq() failed, the negative value returned will not be detected here. So fix error handling in exynos_ohci_probe(). And when get irq failed, the function platform_get_irq() logs an error message, so remove redundant message here. Fixes: 62194244 ("USB: Add Samsung Exynos OHCI diver") Signed-off-by:
Zhang Shengju <zhangshengju@cmss.chinamobile.com> Cc: stable <stable@vger.kernel.org> Signed-off-by:
Tang Bin <tangbin@cmss.chinamobile.com> Reviewed-by:
Krzysztof Kozlowski <krzk@kernel.org> Link: https://lore.kernel.org/r/20200826144931.1828-1-tangbin@cmss.chinamobile.com Signed-off-by:
-
Cyril Roelandt authored
commit 9aa37788 upstream. This device does not support UAS properly and a similar entry already exists in drivers/usb/storage/unusual_uas.h. Without this patch, storage_probe() defers the handling of this device to UAS, which cannot handle it either. Tested-by:
Brice Goglin <brice.goglin@gmail.com> Fixes: bc3bdb12 ("usb-storage: Disable UAS on JMicron SATA enclosure") Acked-by:
Cyril Roelandt <tipecaml@gmail.com> Link: https://lore.kernel.org/r/20200825212231.46309-1-tipecaml@gmail.com Signed-off-by:
-
Alan Stern authored
commit 068834a2 upstream. The Sound Devices MixPre-D audio card suffers from the same defect as the Sound Devices USBPre2: an endpoint shared between a normal audio interface and a vendor-specific interface, in violation of the USB spec. Since the USB core now treats duplicated endpoints as bugs and ignores them, the audio endpoint isn't available and the card can't be used for audio capture. Along the same lines as commit bdd1b147 ("USB: quirks: blacklist duplicate ep on Sound Devices USBPre2"), this patch adds a quirks entry saying to ignore ep5in for interface 1, leaving it available for use with standard audio interface 2. Reported-and-tested-by:
Jean-Christophe Barnoud <jcbarnoud@gmail.com> Signed-off-by:
-
Kai-Heng Feng authored
commit 5967116e upstream. There's another Raydium touchscreen needs the no-lpm quirk: [ 1.339149] usb 1-9: New USB device found, idVendor=2386, idProduct=350e, bcdDevice= 0.00 [ 1.339150] usb 1-9: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [ 1.339151] usb 1-9: Product: Raydium Touch System [ 1.339152] usb 1-9: Manufacturer: Raydium Corporation ... [ 6.450497] usb 1-9: can't set config #1, error -110 BugLink: https://bugs.launchpad.net/bugs/1889446 Signed-off-by:
Kai-Heng Feng <kai.heng.feng@canonical.com> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20200731051622.28643-1-kai.heng.feng@canonical.com Signed-off-by:
-
Thinh Nguyen authored
commit 9a469bc9 upstream. PNY Pro Elite USB 3.1 Gen 2 device (SSD) doesn't respond to ATA_12 pass-through command (i.e. it just hangs). If it doesn't support this command, it should respond properly to the host. Let's just add a quirk to be able to move forward with other operations. Cc: stable@vger.kernel.org Signed-off-by:
-
Alan Stern authored
commit f176ede3 upstream. The syzbot fuzzer identified a bug in the yurex driver: It passes GFP_KERNEL as a memory-allocation flag to usb_submit_urb() at a time when its state is TASK_INTERRUPTIBLE, not TASK_RUNNING: do not call blocking ops when !TASK_RUNNING; state=1 set at [<00000000370c7c68>] prepare_to_wait+0xb1/0x2a0 kernel/sched/wait.c:247 WARNING: CPU: 1 PID: 340 at kernel/sched/core.c:7253 __might_sleep+0x135/0x190 kernel/sched/core.c:7253 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 340 Comm: syz-executor677 Not tainted 5.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xf6/0x16e lib/dump_stack.c:118 panic+0x2aa/0x6e1 kernel/panic.c:231 __warn.cold+0x20/0x50 kernel/panic.c:600 report_bug+0x1bd/0x210 lib/bug.c:198 handle_bug+0x41/0x80 arch/x86/kernel/traps.c:234 exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:254 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536 RIP: 0010:__might_sleep+0x135/0x190 kernel/sched/core.c:7253 Code: 65 48 8b 1c 25 40 ef 01 00 48 8d 7b 10 48 89 fe 48 c1 ee 03 80 3c 06 00 75 2b 48 8b 73 10 48 c7 c7 e0 9e 06 86 e8 ed 12 f6 ff <0f> 0b e9 46 ff ff ff e8 1f b2 4b 00 e9 29 ff ff ff e8 15 b2 4b 00 RSP: 0018:ffff8881cdb77a28 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8881c6458000 RCX: 0000000000000000 RDX: ffff8881c6458000 RSI: ffffffff8129ec93 RDI: ffffed1039b6ef37 RBP: ffffffff86fdade2 R08: 0000000000000001 R09: ffff8881db32f54f R10: 0000000000000000 R11: 0000000030343354 R12: 00000000000001f2 R13: 0000000000000000 R14: 0000000000000068 R15: ffffffff83c1b1aa slab_pre_alloc_hook.constprop.0+0xea/0x200 mm/slab.h:498 slab_alloc_node mm/slub.c:2816 [inline] slab_alloc mm/slub.c:2900 [inline] kmem_cache_alloc_trace+0x46/0x220 mm/slub.c:2917 kmalloc include/linux/slab.h:554 [inline] dummy_urb_enqueue+0x7a/0x880 drivers/usb/gadget/udc/dummy_hcd.c:1251 usb_hcd_submit_urb+0x2b2/0x22d0 drivers/usb/core/hcd.c:1547 usb_submit_urb+0xb4e/0x13e0 drivers/usb/core/urb.c:570 yurex_write+0x3ea/0x820 drivers/usb/misc/yurex.c:495 This patch changes the call to use GFP_ATOMIC instead of GFP_KERNEL. Reported-and-tested-by: syzbot+c2c3302f9c601a4b1be2@syzkaller.appspotmail.com Signed-off-by:
-
Evan Quan authored
commit 28e62864 upstream. Do the maths in celsius degree. This can fix the issues caused by the changes below: drm/amd/pm: correct Vega20 swctf limit setting drm/amd/pm: correct Vega12 swctf limit setting drm/amd/pm: correct Vega10 swctf limit setting Signed-off-by:
Evan Quan <evan.quan@amd.com> Reviewed-by:
Kenneth Feng <kenneth.feng@amd.com> Signed-off-by:
Alex Deucher <alexander.deucher@amd.com> Cc: stable@vger.kernel.org Signed-off-by:
-
Evan Quan authored
commit 9b51c4b2 upstream. Correct the Vega20 thermal swctf limit. Signed-off-by:
-
Evan Quan authored
commit e0ffd340 upstream. Correct the Vega12 thermal swctf limit. Signed-off-by:
-
Evan Quan authored
commit b05d71b5 upstream. Correct the Vega10 thermal swctf limit. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1267 Signed-off-by:
-
Nicholas Kazlauskas authored
commit e2bf3723 upstream. [Why] DC uses these to raise the voltage as needed for higher dispclk/dppclk and to ensure that we have enough bandwidth to drive the displays. There's a bug preventing these from actuially sending messages since it's checking the actual clock (which is 0) instead of the incoming clock (which shouldn't be 0) when deciding to send the hardmin. [How] Check the clocks != 0 instead of the actual clocks. Fixes: 9ed9203c ("drm/amd/powerplay: rv dal-pplib interface refactor powerplay part") Signed-off-by:
Nicholas Kazlauskas <nicholas.kazlauskas@amd.com> Reviewed-by:
-
Jiansong Chen authored
commit de7a1b0b upstream. 1. enable ENABLE_CGTS_LEGACY to fix specviewperf11 random hang. 2. remove obsolete RLC_CGTT_SCLK_OVERRIDE workaround. Signed-off-by:
Jiansong Chen <Jiansong.Chen@amd.com> Reviewed-by:
Hawking Zhang <Hawking.Zhang@amd.com> Signed-off-by:
-
Alexander Monakov authored
commit 69d9f427 upstream. Documentation for sysfs backlight level interface requires that values in both 'brightness' and 'actual_brightness' files are interpreted to be in range from 0 to the value given in the 'max_brightness' file. With amdgpu, max_brightness gives 255, and values written by the user into 'brightness' are internally rescaled to a wider range. However, reading from 'actual_brightness' gives the raw register value without inverse rescaling. This causes issues for various userspace tools such as PowerTop and systemd that expect the value to be in the correct range. Introduce a helper to retrieve internal backlight range. Use it to reimplement 'convert_brightness' as 'convert_brightness_from_user' and introduce 'convert_brightness_to_user'. Bug: https://bugzilla.kernel.org/show_bug.cgi?id=203905 Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1242 Cc: Alex Deucher <alexander.deucher@amd.com> Cc: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com> Reviewed-by:
Alexander Monakov <amonakov@ispras.ru> Signed-off-by:
-
Alex Deucher authored
commit b5b97cab upstream. The values for "se_num" and "sh_num" come from the user in the ioctl. They can be in the 0-255 range but if they're more than AMDGPU_GFX_MAX_SE (4) or AMDGPU_GFX_MAX_SH_PER_SE (2) then it results in an out of bounds read. Reported-by:
Dan Carpenter <dan.carpenter@oracle.com> Acked-by:
-
Daniel Vetter authored
commit 77ef3857 upstream. This fell off in the conversion in commit 9bcaa3fe Author: Michal Orzel <michalorzel.eng@gmail.com> Date: Tue Apr 28 19:10:04 2020 +0200 drm: Replace drm_modeset_lock/unlock_all with DRM_MODESET_LOCK_ALL_* helpers but it's caught by the drm_warn_on_modeset_not_all_locked() that the legacy modeset code uses. Since this is the bkl and it's unclear what's all protected, play it safe and grab it again for legacy drivers. Unfortunately this means we need to sprinkle a few more #includes around. Also we need to add the drm_device as a parameter to the _END macro. Finally remove the mute_lock() from setcrtc, since that's now done by the macro. Cc: Alex Deucher <alexdeucher@gmail.com> References: https://gitlab.freedesktop.org/drm/amd/-/issues/1224 Fixes: 9bcaa3fe ("drm: Replace drm_modeset_lock/unlock_all with DRM_MODESET_LOCK_ALL_* helpers") Cc: Michal Orzel <michalorzel.eng@gmail.com> Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Cc: Maxime Ripard <mripard@kernel.org> Cc: Thomas Zimmermann <tzimmermann@suse.de> Cc: David Airlie <airlied@linux.ie> Cc: Daniel Vetter <daniel@ffwll.ch> Cc: dri-devel@lists.freedesktop.org Cc: <stable@vger.kernel.org> # v5.8+ Signed-off-by:
Daniel Vetter <daniel.vetter@intel.com> Reviewed-by:
-
Bhawanpreet Lakha authored
commit 88fee1c9 upstream. [Why] In certain cases the crtc can be NULL and returning -EINVAL causes atomic check to fail when it shouln't. This leads to valid configurations failing because atomic check fails. [How] Don't early return if crtc is null Signed-off-by:
Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com> Reviewed-by:
Lyude Paul <lyude@redhat.com> [added stable cc] Signed-off-by:
-
Christian Gmeiner authored
commit 2c5bf028 upstream. It looks like that this GPU core triggers an abort when reading VIVS_HI_CHIP_PRODUCT_ID and/or VIVS_HI_CHIP_ECO_ID. I looked at different versions of Vivante's kernel driver and did not found anything about this issue or what feature flag can be used. So go the simplest route and do not read these two registers on the affected GPU core. Signed-off-by:
Christian Gmeiner <christian.gmeiner@gmail.com> Reported-by:
Josua Mayer <josua.mayer@jm0.eu> Fixes: 815e45bb ("drm/etnaviv: determine product, customer and eco id") Cc: stable@vger.kernel.org Tested-by:
Lucas Stach <l.stach@pengutronix.de> Signed-off-by:
-
Mika Kuoppala authored
commit e5f10d63 upstream. Our variety of defined gpu commands have the actual command id field and possibly length and flags applied. We did start to apply the mask during initialization of the cmd descriptors but forgot to also apply it on comparisons. Fix comparisons in order to properly deny access with associated commands. v2: fix lri with correct mask (Chris) References: 926abff2 ("drm/i915/cmdparser: Ignore Length operands during command matching") Reported-by:
Nicolai Stange <nstange@suse.de> Cc: stable@vger.kernel.org # v5.4+ Cc: Miroslav Benes <mbenes@suse.cz> Cc: Takashi Iwai <tiwai@suse.de> Cc: Tyler Hicks <tyhicks@canonical.com> Cc: Jon Bloomfield <jon.bloomfield@intel.com> Cc: Chris Wilson <chris.p.wilson@intel.com> Signed-off-by:
Mika Kuoppala <mika.kuoppala@linux.intel.com> Reviewed-by:
Chris Wilson <chris@chris-wilson.co.uk> Link: https://patchwork.freedesktop.org/patch/msgid/20200817195926.12671-1-mika.kuoppala@linux.intel.com (cherry picked from commit 3b4efa14 ) Signed-off-by:
Jani Nikula <jani.nikula@intel.com> Signed-off-by:
-
Ashok Raj authored
commit 52d6b926 upstream. There is a race when taking a CPU offline. Current code looks like this: native_cpu_disable() { ... apic_soft_disable(); /* * Any existing set bits for pending interrupt to * this CPU are preserved and will be sent via IPI * to another CPU by fixup_irqs(). */ cpu_disable_common(); { .... /* * Race window happens here. Once local APIC has been * disabled any new interrupts from the device to * the old CPU are lost */ fixup_irqs(); // Too late to capture anything in IRR. ... } } The fix is to disable the APIC *after* cpu_disable_common(). Testing was done with a USB NIC that provided a source of frequent interrupts. A script migrated interrupts to a specific CPU and then took that CPU offline. Fixes: 60dcaad5 ("x86/hotplug: Silence APIC and NMI when CPU is dead") Reported-by:
Evan Green <evgreen@chromium.org> Signed-off-by:
Ashok Raj <ashok.raj@intel.com> Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Tested-by:
Mathias Nyman <mathias.nyman@linux.intel.com> Tested-by:
-
Thomas Gleixner authored
commit e027ffff upstream. Several people reported that 5.8 broke the interrupt affinity setting mechanism. The consolidation of the entry code reused the regular exception entry code for device interrupts and changed the way how the vector number is conveyed from ptregs->orig_ax to a function argument. The low level entry uses the hardware error code slot to push the vector number onto the stack which is retrieved from there into a function argument and the slot on stack is set to -1. The reason for setting it to -1 is that the error code slot is at the position where pt_regs::orig_ax is. A positive value in pt_regs::orig_ax indicates that the entry came via a syscall. If it's not set to a negative value then a signal delivery on return to userspace would try to restart a syscall. But there are other places which rely on pt_regs::orig_ax being a valid indicator for syscall entry. But setting pt_regs::orig_ax to -1 has a nasty side effect vs. the interrupt affinity setting mechanism, which was overlooked when this change was made. Moving interrupts on x86 happens in several steps. A new vector on a different CPU is allocated and the relevant interrupt source is reprogrammed to that. But that's racy and there might be an interrupt already in flight to the old vector. So the old vector is preserved until the first interrupt arrives on the new vector and the new target CPU. Once that happens the old vector is cleaned up, but this cleanup still depends on the vector number being stored in pt_regs::orig_ax, which is now -1. That -1 makes the check for cleanup: pt_regs::orig_ax == new_vector always false. As a consequence the interrupt is moved once, but then it cannot be moved anymore because the cleanup of the old vector never happens. There would be several ways to convey the vector information to that place in the guts of the interrupt handling, but on deeper inspection it turned out that this check is pointless and a leftover from the old affinity model of X86 which supported multi-CPU affinities. Under this model it was possible that an interrupt had an old and a new vector on the same CPU, so the vector match was required. Under the new model the effective affinity of an interrupt is always a single CPU from the requested affinity mask. If the affinity mask changes then either the interrupt stays on the CPU and on the same vector when that CPU is still in the new affinity mask or it is moved to a different CPU, but it is never moved to a different vector on the same CPU. Ergo the cleanup check for the matching vector number is not required and can be removed which makes the dependency on pt_regs:orig_ax go away. The remaining check for new_cpu == smp_processsor_id() is completely sufficient. If it matches then the interrupt was successfully migrated and the cleanup can proceed. For paranoia sake add a warning into the vector assignment code to validate that the assumption of never moving to a different vector on the same CPU holds. Fixes: 633260fa ("x86/irq: Convey vector as argument and not in ptregs") Reported-by:
Alex bykov <alex.bykov@scylladb.com> Reported-by:
Avi Kivity <avi@scylladb.com> Reported-by:
Alexander Graf <graf@amazon.com> Signed-off-by:
-
qiuguorui1 authored
commit e579076a upstream. In the current code, when the eoi callback of the exti clears the pending bit of the current interrupt, it will first read the values of fpr and rpr, then logically OR the corresponding bit of the interrupt number, and finally write back to fpr and rpr. We found through experiments that if two exti interrupts, we call them int1/int2, arrive almost at the same time. in our scenario, the time difference is 30 microseconds, assuming int1 is triggered first. there will be an extreme scenario: both int's pending bit are set to 1, the irq handle of int1 is executed first, and eoi handle is then executed, at this moment, all pending bits are cleared, but the int 2 has not finally been reported to the cpu yet, which eventually lost int2. According to stm32's TRM description about rpr and fpr: Writing a 1 to this bit will trigger a rising edge event on event x, Writing 0 has no effect. Therefore, when clearing the pending bit, we only need to clear the pending bit of the irq. Fixes: 927abfc4 ("irqchip/stm32: Add stm32mp1 support with hierarchy domain") Signed-off-by:
qiuguorui1 <qiuguorui1@huawei.com> Signed-off-by:
Marc Zyngier <maz@kernel.org> Cc: stable@vger.kernel.org # v4.18+ Link: https://lore.kernel.org/r/20200820031629.15582-1-qiuguorui1@huawei.com Signed-off-by:
-
Thomas Gleixner authored
commit 784a0830 upstream. Most of the CPU mask operations behave the same way, but for_each_cpu() and it's variants ignore the cpumask argument and claim that CPU0 is always in the mask. This is historical, inconsistent and annoying behaviour. The matrix allocator uses for_each_cpu() and can be called on UP with an empty cpumask. The calling code does not expect that this succeeds but until commit e027ffff ("x86/irq: Unbreak interrupt affinity setting") this went unnoticed. That commit added a WARN_ON() to catch cases which move an interrupt from one vector to another on the same CPU. The warning triggers on UP. Add a check for the cpumask being empty to prevent this. Fixes: 2f75d9e1 ("genirq: Implement bitmap matrix allocator") Reported-by:
kernel test robot <rong.a.chen@intel.com> Signed-off-by:
-
M. Vefa Bicakci authored
commit 7a2f2974 upstream. Commit 88b7381a ("USB: Select better matching USB drivers when available") introduced the use of a "match" function to select a non-generic/better driver for a particular USB device. This unfortunately breaks the operation of usbip in general, as reported in the kernel bugzilla with bug 208267 (linked below). Upon inspecting the aforementioned commit, one can observe that the original code in the usb_device_match function used to return 1 unconditionally, but the aforementioned commit makes the usb_device_match function use identifier tables and "match" virtual functions, if either of them are available. Hence, this commit implements a match function for usbip that unconditionally returns true to ensure that usbip is functional again. This change has been verified to restore usbip functionality, with a v5.7.y kernel on an up-to-date version of Qubes OS 4.0, which uses usbip to redirect USB devices between VMs. Thanks to Jonathan Dieter for the effort in bisecting this issue down to the aforementioned commit. Fixes: 88b7381a ("USB: Select better matching USB drivers when available") Link: https://bugzilla.kernel.org/show_bug.cgi?id=208267 Link: https://bugzilla.redhat.com/show_bug.cgi?id=1856443 Link: https://github.com/QubesOS/qubes-issues/issues/5905 Signed-off-by:
M. Vefa Bicakci <m.v.b@runbox.com> Cc: <stable@vger.kernel.org> # 5.7 Cc: Valentina Manea <valentina.manea.m@gmail.com> Cc: Alan Stern <stern@rowland.harvard.edu> Reviewed-by:
Shuah Khan <skhan@linuxfoundation.org> Link: https://lore.kernel.org/r/20200810160017.46002-1-m.v.b@runbox.com Signed-off-by:
-
Herbert Xu authored
commit c195d66a upstream. The iwd daemon uses libell which sets up the skcipher operation with two separate control messages. As the first control message is sent without MSG_MORE, it is interpreted as an empty request. While libell should be fixed to use MSG_MORE where appropriate, this patch works around the bug in the kernel so that existing binaries continue to work. We will print a warning however. A separate issue is that the new kernel code no longer allows the control message to be sent twice within the same request. This restriction is obviously incompatible with what iwd was doing (first setting an IV and then sending the real control message). This patch changes the kernel so that this is explicitly allowed. Reported-by:
Caleb Jorden <caljorden@hotmail.com> Fixes: f3c802a1 ("crypto: algif_aead - Only wake up when...") Cc: <stable@vger.kernel.org> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
-
