From: Greg Kroah-Hartman Date: Mon, 20 Mar 2023 11:57:55 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v4.14.311~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3057ebed782d96055a7b922459ec5961a89160e8;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: acpi-pptt-fix-to-avoid-sleep-in-the-atomic-context-when-pptt-is-absent.patch asoc-intel-soc-acpi-fix-copy-paste-issue-in-topology-names.patch asoc-qcom-q6prm-fix-incorrect-clk_root-passed-to-adsp.patch cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch fbdev-fix-incorrect-page-mapping-clearance-at-fb_deferred_io_release.patch fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch ice-avoid-bonding-causing-auxiliary-plug-unplug-under-rtnl-lock.patch mm-teach-mincore_hugetlb-about-pte-markers.patch mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch mmc-sdhci_am654-lower-power-on-failed-message-severity.patch net-phy-nxp-c45-tja11xx-fix-mii_basic_config_rev-bit.patch nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv3000.patch ocfs2-fix-data-corruption-after-failed-write.patch powerpc-64-set-default-cpu-in-kconfig.patch powerpc-boot-don-t-always-pass-mcpu-powerpc-when-building-32-bit-uimage.patch trace-hwlat-do-not-start-per-cpu-thread-if-it-is-already-running.patch trace-hwlat-do-not-wipe-the-contents-of-per-cpu-thread-data.patch vp_vdpa-fix-the-crash-in-hot-unplug-with-vp_vdpa.patch x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch x86-resctrl-clear-staged_config-before-and-after-it-is-used.patch --- diff --git a/queue-6.1/acpi-pptt-fix-to-avoid-sleep-in-the-atomic-context-when-pptt-is-absent.patch b/queue-6.1/acpi-pptt-fix-to-avoid-sleep-in-the-atomic-context-when-pptt-is-absent.patch new file mode 100644 index 00000000000..8164ec2df0b --- /dev/null +++ b/queue-6.1/acpi-pptt-fix-to-avoid-sleep-in-the-atomic-context-when-pptt-is-absent.patch @@ -0,0 +1,92 @@ +From 91d7b60a65d9f71230ea09b86d2058a884a3c2af Mon Sep 17 00:00:00 2001 +From: Sudeep Holla +Date: Wed, 8 Mar 2023 11:26:32 +0000 +Subject: ACPI: PPTT: Fix to avoid sleep in the atomic context when PPTT is absent + +From: Sudeep Holla + +commit 91d7b60a65d9f71230ea09b86d2058a884a3c2af upstream. + +Commit 0c80f9e165f8 ("ACPI: PPTT: Leave the table mapped for the runtime usage") +enabled to map PPTT once on the first invocation of acpi_get_pptt() and +never unmapped the same allowing it to be used at runtime with out the +hassle of mapping and unmapping the table. This was needed to fetch LLC +information from the PPTT in the cpuhotplug path which is executed in +the atomic context as the acpi_get_table() might sleep waiting for a +mutex. + +However it missed to handle the case when there is no PPTT on the system +which results in acpi_get_pptt() being called from all the secondary +CPUs attempting to fetch the LLC information in the atomic context +without knowing the absence of PPTT resulting in the splat like below: + + | BUG: sleeping function called from invalid context at kernel/locking/semaphore.c:164 + | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 + | preempt_count: 1, expected: 0 + | RCU nest depth: 0, expected: 0 + | no locks held by swapper/1/0. + | irq event stamp: 0 + | hardirqs last enabled at (0): 0x0 + | hardirqs last disabled at (0): copy_process+0x61c/0x1b40 + | softirqs last enabled at (0): copy_process+0x61c/0x1b40 + | softirqs last disabled at (0): 0x0 + | CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.3.0-rc1 #1 + | Call trace: + | dump_backtrace+0xac/0x138 + | show_stack+0x30/0x48 + | dump_stack_lvl+0x60/0xb0 + | dump_stack+0x18/0x28 + | __might_resched+0x160/0x270 + | __might_sleep+0x58/0xb0 + | down_timeout+0x34/0x98 + | acpi_os_wait_semaphore+0x7c/0xc0 + | acpi_ut_acquire_mutex+0x58/0x108 + | acpi_get_table+0x40/0xe8 + | acpi_get_pptt+0x48/0xa0 + | acpi_get_cache_info+0x38/0x140 + | init_cache_level+0xf4/0x118 + | detect_cache_attributes+0x2e4/0x640 + | update_siblings_masks+0x3c/0x330 + | store_cpu_topology+0x88/0xf0 + | secondary_start_kernel+0xd0/0x168 + | __secondary_switched+0xb8/0xc0 + +Update acpi_get_pptt() to consider the fact that PPTT is once checked and +is not available on the system and return NULL avoiding any attempts to +fetch PPTT and thereby avoiding any possible sleep waiting for a mutex +in the atomic context. + +Fixes: 0c80f9e165f8 ("ACPI: PPTT: Leave the table mapped for the runtime usage") +Reported-by: Aishwarya TCV +Signed-off-by: Sudeep Holla +Tested-by: Pierre Gondois +Cc: 6.0+ # 6.0+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/pptt.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/pptt.c ++++ b/drivers/acpi/pptt.c +@@ -537,16 +537,19 @@ static int topology_get_acpi_cpu_tag(str + static struct acpi_table_header *acpi_get_pptt(void) + { + static struct acpi_table_header *pptt; ++ static bool is_pptt_checked; + acpi_status status; + + /* + * PPTT will be used at runtime on every CPU hotplug in path, so we + * don't need to call acpi_put_table() to release the table mapping. + */ +- if (!pptt) { ++ if (!pptt && !is_pptt_checked) { + status = acpi_get_table(ACPI_SIG_PPTT, 0, &pptt); + if (ACPI_FAILURE(status)) + acpi_pptt_warn_missing(); ++ ++ is_pptt_checked = true; + } + + return pptt; diff --git a/queue-6.1/asoc-intel-soc-acpi-fix-copy-paste-issue-in-topology-names.patch b/queue-6.1/asoc-intel-soc-acpi-fix-copy-paste-issue-in-topology-names.patch new file mode 100644 index 00000000000..4901bd27949 --- /dev/null +++ b/queue-6.1/asoc-intel-soc-acpi-fix-copy-paste-issue-in-topology-names.patch @@ -0,0 +1,42 @@ +From 858a438a6cf919e5727d2a0f5f3f0e68b2d5354e Mon Sep 17 00:00:00 2001 +From: Pierre-Louis Bossart +Date: Tue, 7 Mar 2023 12:07:33 +0200 +Subject: ASoC: Intel: soc-acpi: fix copy-paste issue in topology names +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Louis Bossart + +commit 858a438a6cf919e5727d2a0f5f3f0e68b2d5354e upstream. + +For some reason the convention for topology names was not followed and +the name inspired by another unrelated hardware configuration. As a +result, the kernel will request a non-existent topology file. + +Link: https://github.com/thesofproject/sof/pull/6878 +Fixes: 2ec8b081d59f ("ASoC: Intel: soc-acpi: Add entry for sof_es8336 in ADL match table") +Cc: stable@vger.kernel.org +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Ranjani Sridharan +Reviewed-by: Bard Liao +Reviewed-by: Péter Ujfalusi +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20230307100733.15025-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/intel/common/soc-acpi-intel-adl-match.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/intel/common/soc-acpi-intel-adl-match.c ++++ b/sound/soc/intel/common/soc-acpi-intel-adl-match.c +@@ -547,7 +547,7 @@ struct snd_soc_acpi_mach snd_soc_acpi_in + { + .comp_ids = &essx_83x6, + .drv_name = "sof-essx8336", +- .sof_tplg_filename = "sof-adl-es83x6", /* the tplg suffix is added at run time */ ++ .sof_tplg_filename = "sof-adl-es8336", /* the tplg suffix is added at run time */ + .tplg_quirk_mask = SND_SOC_ACPI_TPLG_INTEL_SSP_NUMBER | + SND_SOC_ACPI_TPLG_INTEL_SSP_MSB | + SND_SOC_ACPI_TPLG_INTEL_DMIC_NUMBER, diff --git a/queue-6.1/asoc-qcom-q6prm-fix-incorrect-clk_root-passed-to-adsp.patch b/queue-6.1/asoc-qcom-q6prm-fix-incorrect-clk_root-passed-to-adsp.patch new file mode 100644 index 00000000000..edb94dae6cf --- /dev/null +++ b/queue-6.1/asoc-qcom-q6prm-fix-incorrect-clk_root-passed-to-adsp.patch @@ -0,0 +1,42 @@ +From 65882134bc622a1e57bd5928ac588855ea2e3ddd Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 2 Mar 2023 13:29:08 +0100 +Subject: ASoC: qcom: q6prm: fix incorrect clk_root passed to ADSP + +From: Krzysztof Kozlowski + +commit 65882134bc622a1e57bd5928ac588855ea2e3ddd upstream. + +The second to last argument is clk_root (root of the clock), however the +code called q6prm_request_lpass_clock() with clk_attr instead +(copy-paste error). This effectively was passing value of 1 as root +clock which worked on some of the SoCs (e.g. SM8450) but fails on +others, depending on the ADSP. For example on SM8550 this "1" as root +clock is not accepted and results in errors coming from ADSP. + +Fixes: 2f20640491ed ("ASoC: qdsp6: qdsp6: q6prm: handle clk disable correctly") +Cc: +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Srinivas Kandagatla +Tested-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230302122908.221398-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6prm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/qcom/qdsp6/q6prm.c ++++ b/sound/soc/qcom/qdsp6/q6prm.c +@@ -183,9 +183,9 @@ int q6prm_set_lpass_clock(struct device + unsigned int freq) + { + if (freq) +- return q6prm_request_lpass_clock(dev, clk_id, clk_attr, clk_attr, freq); ++ return q6prm_request_lpass_clock(dev, clk_id, clk_attr, clk_root, freq); + +- return q6prm_release_lpass_clock(dev, clk_id, clk_attr, clk_attr, freq); ++ return q6prm_release_lpass_clock(dev, clk_id, clk_attr, clk_root, freq); + } + EXPORT_SYMBOL_GPL(q6prm_set_lpass_clock); + diff --git a/queue-6.1/cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch b/queue-6.1/cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch new file mode 100644 index 00000000000..4c131655e28 --- /dev/null +++ b/queue-6.1/cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch @@ -0,0 +1,62 @@ +From 6b0313c2fa3d2cf991c9ffef6fae6e7ef592ce6d Mon Sep 17 00:00:00 2001 +From: Shawn Guo +Date: Sat, 4 Mar 2023 15:41:07 +0800 +Subject: cpuidle: psci: Iterate backwards over list in psci_pd_remove() + +From: Shawn Guo + +commit 6b0313c2fa3d2cf991c9ffef6fae6e7ef592ce6d upstream. + +In case that psci_pd_init_topology() fails for some reason, +psci_pd_remove() will be responsible for deleting provider and removing +genpd from psci_pd_providers list. There will be a failure when removing +the cluster PD, because the cpu (child) PDs haven't been removed. + +[ 0.050232] CPUidle PSCI: init PM domain cpu0 +[ 0.050278] CPUidle PSCI: init PM domain cpu1 +[ 0.050329] CPUidle PSCI: init PM domain cpu2 +[ 0.050370] CPUidle PSCI: init PM domain cpu3 +[ 0.050422] CPUidle PSCI: init PM domain cpu-cluster0 +[ 0.050475] PM: genpd_remove: unable to remove cpu-cluster0 +[ 0.051412] PM: genpd_remove: removed cpu3 +[ 0.051449] PM: genpd_remove: removed cpu2 +[ 0.051499] PM: genpd_remove: removed cpu1 +[ 0.051546] PM: genpd_remove: removed cpu0 + +Fix the problem by iterating the provider list reversely, so that parent +PD gets removed after child's PDs like below. + +[ 0.029052] CPUidle PSCI: init PM domain cpu0 +[ 0.029076] CPUidle PSCI: init PM domain cpu1 +[ 0.029103] CPUidle PSCI: init PM domain cpu2 +[ 0.029124] CPUidle PSCI: init PM domain cpu3 +[ 0.029151] CPUidle PSCI: init PM domain cpu-cluster0 +[ 0.029647] PM: genpd_remove: removed cpu0 +[ 0.029666] PM: genpd_remove: removed cpu1 +[ 0.029690] PM: genpd_remove: removed cpu2 +[ 0.029714] PM: genpd_remove: removed cpu3 +[ 0.029738] PM: genpd_remove: removed cpu-cluster0 + +Fixes: a65a397f2451 ("cpuidle: psci: Add support for PM domains by using genpd") +Reviewed-by: Sudeep Holla +Reviewed-by: Ulf Hansson +Signed-off-by: Shawn Guo +Cc: 5.10+ # 5.10+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpuidle/cpuidle-psci-domain.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/cpuidle/cpuidle-psci-domain.c ++++ b/drivers/cpuidle/cpuidle-psci-domain.c +@@ -103,7 +103,8 @@ static void psci_pd_remove(void) + struct psci_pd_provider *pd_provider, *it; + struct generic_pm_domain *genpd; + +- list_for_each_entry_safe(pd_provider, it, &psci_pd_providers, link) { ++ list_for_each_entry_safe_reverse(pd_provider, it, ++ &psci_pd_providers, link) { + of_genpd_del_provider(pd_provider->node); + + genpd = of_genpd_remove_last(pd_provider->node); diff --git a/queue-6.1/fbdev-fix-incorrect-page-mapping-clearance-at-fb_deferred_io_release.patch b/queue-6.1/fbdev-fix-incorrect-page-mapping-clearance-at-fb_deferred_io_release.patch new file mode 100644 index 00000000000..17d53646adf --- /dev/null +++ b/queue-6.1/fbdev-fix-incorrect-page-mapping-clearance-at-fb_deferred_io_release.patch @@ -0,0 +1,104 @@ +From fe9ae05cfbe587dda724fcf537c00bc2f287da62 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 8 Mar 2023 11:50:12 +0100 +Subject: fbdev: Fix incorrect page mapping clearance at fb_deferred_io_release() + +From: Takashi Iwai + +commit fe9ae05cfbe587dda724fcf537c00bc2f287da62 upstream. + +The recent fix for the deferred I/O by the commit + 3efc61d95259 ("fbdev: Fix invalid page access after closing deferred I/O devices") +caused a regression when the same fb device is opened/closed while +it's being used. It resulted in a frozen screen even if something +is redrawn there after the close. The breakage is because the patch +was made under a wrong assumption of a single open; in the current +code, fb_deferred_io_release() cleans up the page mapping of the +pageref list and it calls cancel_delayed_work_sync() unconditionally, +where both are no correct behavior for multiple opens. + +This patch adds a refcount for the opens of the device, and applies +the cleanup only when all files get closed. + +As both fb_deferred_io_open() and _close() are called always in the +fb_info lock (mutex), it's safe to use the normal int for the +refcounting. + +Also, a useless BUG_ON() is dropped. + +Fixes: 3efc61d95259 ("fbdev: Fix invalid page access after closing deferred I/O devices") +Cc: +Signed-off-by: Takashi Iwai +Reviewed-by: Patrik Jakobsson +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230308105012.1845-1-tiwai@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fb_defio.c | 17 +++++++++++++---- + include/linux/fb.h | 1 + + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c +index 583cbcf09446..a3cf1f764f29 100644 +--- a/drivers/video/fbdev/core/fb_defio.c ++++ b/drivers/video/fbdev/core/fb_defio.c +@@ -309,17 +309,18 @@ void fb_deferred_io_open(struct fb_info *info, + struct inode *inode, + struct file *file) + { ++ struct fb_deferred_io *fbdefio = info->fbdefio; ++ + file->f_mapping->a_ops = &fb_deferred_io_aops; ++ fbdefio->open_count++; + } + EXPORT_SYMBOL_GPL(fb_deferred_io_open); + +-void fb_deferred_io_release(struct fb_info *info) ++static void fb_deferred_io_lastclose(struct fb_info *info) + { +- struct fb_deferred_io *fbdefio = info->fbdefio; + struct page *page; + int i; + +- BUG_ON(!fbdefio); + cancel_delayed_work_sync(&info->deferred_work); + + /* clear out the mapping that we setup */ +@@ -328,13 +329,21 @@ void fb_deferred_io_release(struct fb_info *info) + page->mapping = NULL; + } + } ++ ++void fb_deferred_io_release(struct fb_info *info) ++{ ++ struct fb_deferred_io *fbdefio = info->fbdefio; ++ ++ if (!--fbdefio->open_count) ++ fb_deferred_io_lastclose(info); ++} + EXPORT_SYMBOL_GPL(fb_deferred_io_release); + + void fb_deferred_io_cleanup(struct fb_info *info) + { + struct fb_deferred_io *fbdefio = info->fbdefio; + +- fb_deferred_io_release(info); ++ fb_deferred_io_lastclose(info); + + kvfree(info->pagerefs); + mutex_destroy(&fbdefio->lock); +diff --git a/include/linux/fb.h b/include/linux/fb.h +index 73eb1f85ea8e..05e40fcc7696 100644 +--- a/include/linux/fb.h ++++ b/include/linux/fb.h +@@ -212,6 +212,7 @@ struct fb_deferred_io { + /* delay between mkwrite and deferred handler */ + unsigned long delay; + bool sort_pagereflist; /* sort pagelist by offset */ ++ int open_count; /* number of opened files; protected by fb_info lock */ + struct mutex lock; /* mutex that protects the pageref list */ + struct list_head pagereflist; /* list of pagerefs for touched pages */ + /* callback */ +-- +2.40.0 + diff --git a/queue-6.1/fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch b/queue-6.1/fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch new file mode 100644 index 00000000000..cd73ec4752d --- /dev/null +++ b/queue-6.1/fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch @@ -0,0 +1,77 @@ +From 203873a535d627c668f293be0cb73e26c30f9cc7 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Thu, 16 Mar 2023 11:38:19 +0100 +Subject: fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks + +From: Helge Deller + +commit 203873a535d627c668f293be0cb73e26c30f9cc7 upstream. + +Find a valid modeline depending on the machine graphic card +configuration and add the fb_check_var() function to validate +Xorg provided graphics settings. + +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/stifb.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +--- a/drivers/video/fbdev/stifb.c ++++ b/drivers/video/fbdev/stifb.c +@@ -922,6 +922,28 @@ SETUP_HCRX(struct stifb_info *fb) + /* ------------------- driver specific functions --------------------------- */ + + static int ++stifb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) ++{ ++ struct stifb_info *fb = container_of(info, struct stifb_info, info); ++ ++ if (var->xres != fb->info.var.xres || ++ var->yres != fb->info.var.yres || ++ var->bits_per_pixel != fb->info.var.bits_per_pixel) ++ return -EINVAL; ++ ++ var->xres_virtual = var->xres; ++ var->yres_virtual = var->yres; ++ var->xoffset = 0; ++ var->yoffset = 0; ++ var->grayscale = fb->info.var.grayscale; ++ var->red.length = fb->info.var.red.length; ++ var->green.length = fb->info.var.green.length; ++ var->blue.length = fb->info.var.blue.length; ++ ++ return 0; ++} ++ ++static int + stifb_setcolreg(u_int regno, u_int red, u_int green, + u_int blue, u_int transp, struct fb_info *info) + { +@@ -1145,6 +1167,7 @@ stifb_init_display(struct stifb_info *fb + + static const struct fb_ops stifb_ops = { + .owner = THIS_MODULE, ++ .fb_check_var = stifb_check_var, + .fb_setcolreg = stifb_setcolreg, + .fb_blank = stifb_blank, + .fb_fillrect = stifb_fillrect, +@@ -1164,6 +1187,7 @@ static int __init stifb_init_fb(struct s + struct stifb_info *fb; + struct fb_info *info; + unsigned long sti_rom_address; ++ char modestr[32]; + char *dev_name; + int bpp, xres, yres; + +@@ -1342,6 +1366,9 @@ static int __init stifb_init_fb(struct s + info->flags = FBINFO_HWACCEL_COPYAREA | FBINFO_HWACCEL_FILLRECT; + info->pseudo_palette = &fb->pseudo_palette; + ++ scnprintf(modestr, sizeof(modestr), "%dx%d-%d", xres, yres, bpp); ++ fb_find_mode(&info->var, info, modestr, NULL, 0, NULL, bpp); ++ + /* This has to be done !!! */ + if (fb_alloc_cmap(&info->cmap, NR_PALETTE, 0)) + goto out_err1; diff --git a/queue-6.1/ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch b/queue-6.1/ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch new file mode 100644 index 00000000000..98339c87d06 --- /dev/null +++ b/queue-6.1/ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch @@ -0,0 +1,54 @@ +From ee92fa443358f4fc0017c1d0d325c27b37802504 Mon Sep 17 00:00:00 2001 +From: Chen Zhongjin +Date: Thu, 9 Mar 2023 16:02:30 +0800 +Subject: ftrace: Fix invalid address access in lookup_rec() when index is 0 + +From: Chen Zhongjin + +commit ee92fa443358f4fc0017c1d0d325c27b37802504 upstream. + +KASAN reported follow problem: + + BUG: KASAN: use-after-free in lookup_rec + Read of size 8 at addr ffff000199270ff0 by task modprobe + CPU: 2 Comm: modprobe + Call trace: + kasan_report + __asan_load8 + lookup_rec + ftrace_location + arch_check_ftrace_location + check_kprobe_address_safe + register_kprobe + +When checking pg->records[pg->index - 1].ip in lookup_rec(), it can get a +pg which is newly added to ftrace_pages_start in ftrace_process_locs(). +Before the first pg->index++, index is 0 and accessing pg->records[-1].ip +will cause this problem. + +Don't check the ip when pg->index is 0. + +Link: https://lore.kernel.org/linux-trace-kernel/20230309080230.36064-1-chenzhongjin@huawei.com + +Cc: stable@vger.kernel.org +Fixes: 9644302e3315 ("ftrace: Speed up search by skipping pages by address") +Suggested-by: Steven Rostedt (Google) +Signed-off-by: Chen Zhongjin +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -1537,7 +1537,8 @@ static struct dyn_ftrace *lookup_rec(uns + key.flags = end; /* overload flags, as it is unsigned long */ + + for (pg = ftrace_pages_start; pg; pg = pg->next) { +- if (end < pg->records[0].ip || ++ if (pg->index == 0 || ++ end < pg->records[0].ip || + start >= (pg->records[pg->index - 1].ip + MCOUNT_INSN_SIZE)) + continue; + rec = bsearch(&key, pg->records, pg->index, diff --git a/queue-6.1/ice-avoid-bonding-causing-auxiliary-plug-unplug-under-rtnl-lock.patch b/queue-6.1/ice-avoid-bonding-causing-auxiliary-plug-unplug-under-rtnl-lock.patch new file mode 100644 index 00000000000..7e81027cd90 --- /dev/null +++ b/queue-6.1/ice-avoid-bonding-causing-auxiliary-plug-unplug-under-rtnl-lock.patch @@ -0,0 +1,97 @@ +From 248401cb2c4612d83eb0c352ee8103b78b8eb365 Mon Sep 17 00:00:00 2001 +From: Dave Ertman +Date: Fri, 10 Mar 2023 11:48:33 -0800 +Subject: ice: avoid bonding causing auxiliary plug/unplug under RTNL lock + +From: Dave Ertman + +commit 248401cb2c4612d83eb0c352ee8103b78b8eb365 upstream. + +RDMA is not supported in ice on a PF that has been added to a bonded +interface. To enforce this, when an interface enters a bond, we unplug +the auxiliary device that supports RDMA functionality. This unplug +currently happens in the context of handling the netdev bonding event. +This event is sent to the ice driver under RTNL context. This is causing +a deadlock where the RDMA driver is waiting for the RTNL lock to complete +the removal. + +Defer the unplugging/re-plugging of the auxiliary device to the service +task so that it is not performed under the RTNL lock context. + +Cc: stable@vger.kernel.org # 6.1.x +Reported-by: Jaroslav Pulchart +Link: https://lore.kernel.org/netdev/CAK8fFZ6A_Gphw_3-QMGKEFQk=sfCw1Qmq0TVZK3rtAi7vb621A@mail.gmail.com/ +Fixes: 5cb1ebdbc434 ("ice: Fix race condition during interface enslave") +Fixes: 4eace75e0853 ("RDMA/irdma: Report the correct link speed") +Signed-off-by: Dave Ertman +Tested-by: Arpana Arland (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20230310194833.3074601-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice.h | 14 +++++--------- + drivers/net/ethernet/intel/ice/ice_main.c | 19 ++++++++----------- + 2 files changed, 13 insertions(+), 20 deletions(-) + +--- a/drivers/net/ethernet/intel/ice/ice.h ++++ b/drivers/net/ethernet/intel/ice/ice.h +@@ -485,6 +485,7 @@ enum ice_pf_flags { + ICE_FLAG_VF_VLAN_PRUNING, + ICE_FLAG_LINK_LENIENT_MODE_ENA, + ICE_FLAG_PLUG_AUX_DEV, ++ ICE_FLAG_UNPLUG_AUX_DEV, + ICE_FLAG_MTU_CHANGED, + ICE_FLAG_GNSS, /* GNSS successfully initialized */ + ICE_PF_FLAGS_NBITS /* must be last */ +@@ -926,16 +927,11 @@ static inline void ice_set_rdma_cap(stru + */ + static inline void ice_clear_rdma_cap(struct ice_pf *pf) + { +- /* We can directly unplug aux device here only if the flag bit +- * ICE_FLAG_PLUG_AUX_DEV is not set because ice_unplug_aux_dev() +- * could race with ice_plug_aux_dev() called from +- * ice_service_task(). In this case we only clear that bit now and +- * aux device will be unplugged later once ice_plug_aux_device() +- * called from ice_service_task() finishes (see ice_service_task()). ++ /* defer unplug to service task to avoid RTNL lock and ++ * clear PLUG bit so that pending plugs don't interfere + */ +- if (!test_and_clear_bit(ICE_FLAG_PLUG_AUX_DEV, pf->flags)) +- ice_unplug_aux_dev(pf); +- ++ clear_bit(ICE_FLAG_PLUG_AUX_DEV, pf->flags); ++ set_bit(ICE_FLAG_UNPLUG_AUX_DEV, pf->flags); + clear_bit(ICE_FLAG_RDMA_ENA, pf->flags); + } + #endif /* _ICE_H_ */ +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -2326,18 +2326,15 @@ static void ice_service_task(struct work + } + } + +- if (test_bit(ICE_FLAG_PLUG_AUX_DEV, pf->flags)) { +- /* Plug aux device per request */ +- ice_plug_aux_dev(pf); ++ /* unplug aux dev per request, if an unplug request came in ++ * while processing a plug request, this will handle it ++ */ ++ if (test_and_clear_bit(ICE_FLAG_UNPLUG_AUX_DEV, pf->flags)) ++ ice_unplug_aux_dev(pf); + +- /* Mark plugging as done but check whether unplug was +- * requested during ice_plug_aux_dev() call +- * (e.g. from ice_clear_rdma_cap()) and if so then +- * plug aux device. +- */ +- if (!test_and_clear_bit(ICE_FLAG_PLUG_AUX_DEV, pf->flags)) +- ice_unplug_aux_dev(pf); +- } ++ /* Plug aux device per request */ ++ if (test_and_clear_bit(ICE_FLAG_PLUG_AUX_DEV, pf->flags)) ++ ice_plug_aux_dev(pf); + + if (test_and_clear_bit(ICE_FLAG_MTU_CHANGED, pf->flags)) { + struct iidc_event *event; diff --git a/queue-6.1/mm-teach-mincore_hugetlb-about-pte-markers.patch b/queue-6.1/mm-teach-mincore_hugetlb-about-pte-markers.patch new file mode 100644 index 00000000000..96c4ee48e07 --- /dev/null +++ b/queue-6.1/mm-teach-mincore_hugetlb-about-pte-markers.patch @@ -0,0 +1,47 @@ +From 63cf584203f3367c8b073d417c8e5cbbfc450506 Mon Sep 17 00:00:00 2001 +From: James Houghton +Date: Thu, 2 Mar 2023 22:24:04 +0000 +Subject: mm: teach mincore_hugetlb about pte markers + +From: James Houghton + +commit 63cf584203f3367c8b073d417c8e5cbbfc450506 upstream. + +By checking huge_pte_none(), we incorrectly classify PTE markers as +"present". Instead, check huge_pte_none_mostly(), classifying PTE markers +the same as if the PTE were completely blank. + +PTE markers, unlike other kinds of swap entries, don't reference any +physical page and don't indicate that a physical page was mapped +previously. As such, treat them as non-present for the sake of mincore(). + +Link: https://lkml.kernel.org/r/20230302222404.175303-1-jthoughton@google.com +Fixes: 5c041f5d1f23 ("mm: teach core mm about pte markers") +Signed-off-by: James Houghton +Acked-by: Peter Xu +Acked-by: David Hildenbrand +Cc: Axel Rasmussen +Cc: James Houghton +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/mincore.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/mincore.c b/mm/mincore.c +index cd69b9db0081..d359650b0f75 100644 +--- a/mm/mincore.c ++++ b/mm/mincore.c +@@ -33,7 +33,7 @@ static int mincore_hugetlb(pte_t *pte, unsigned long hmask, unsigned long addr, + * Hugepages under user process are always in RAM and never + * swapped out, but theoretically it needs to be checked. + */ +- present = pte && !huge_pte_none(huge_ptep_get(pte)); ++ present = pte && !huge_pte_none_mostly(huge_ptep_get(pte)); + for (; addr != end; vec++, addr += PAGE_SIZE) + *vec = present; + walk->private = vec; +-- +2.40.0 + diff --git a/queue-6.1/mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch b/queue-6.1/mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch new file mode 100644 index 00000000000..21b6302edc1 --- /dev/null +++ b/queue-6.1/mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch @@ -0,0 +1,223 @@ +From 42b2af2c9b7eede8ef21d0943f84d135e21a32a3 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Thu, 2 Mar 2023 18:54:23 +0100 +Subject: mm/userfaultfd: propagate uffd-wp bit when PTE-mapping the huge zeropage + +From: David Hildenbrand + +commit 42b2af2c9b7eede8ef21d0943f84d135e21a32a3 upstream. + +Currently, we'd lose the userfaultfd-wp marker when PTE-mapping a huge +zeropage, resulting in the next write faults in the PMD range not +triggering uffd-wp events. + +Various actions (partial MADV_DONTNEED, partial mremap, partial munmap, +partial mprotect) could trigger this. However, most importantly, +un-protecting a single sub-page from the userfaultfd-wp handler when +processing a uffd-wp event will PTE-map the shared huge zeropage and lose +the uffd-wp bit for the remainder of the PMD. + +Let's properly propagate the uffd-wp bit to the PMDs. + + #define _GNU_SOURCE + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + static size_t pagesize; + static int uffd; + static volatile bool uffd_triggered; + + #define barrier() __asm__ __volatile__("": : :"memory") + + static void uffd_wp_range(char *start, size_t size, bool wp) + { + struct uffdio_writeprotect uffd_writeprotect; + + uffd_writeprotect.range.start = (unsigned long) start; + uffd_writeprotect.range.len = size; + if (wp) { + uffd_writeprotect.mode = UFFDIO_WRITEPROTECT_MODE_WP; + } else { + uffd_writeprotect.mode = 0; + } + if (ioctl(uffd, UFFDIO_WRITEPROTECT, &uffd_writeprotect)) { + fprintf(stderr, "UFFDIO_WRITEPROTECT failed: %d\n", errno); + exit(1); + } + } + + static void *uffd_thread_fn(void *arg) + { + static struct uffd_msg msg; + ssize_t nread; + + while (1) { + struct pollfd pollfd; + int nready; + + pollfd.fd = uffd; + pollfd.events = POLLIN; + nready = poll(&pollfd, 1, -1); + if (nready == -1) { + fprintf(stderr, "poll() failed: %d\n", errno); + exit(1); + } + + nread = read(uffd, &msg, sizeof(msg)); + if (nread <= 0) + continue; + + if (msg.event != UFFD_EVENT_PAGEFAULT || + !(msg.arg.pagefault.flags & UFFD_PAGEFAULT_FLAG_WP)) { + printf("FAIL: wrong uffd-wp event fired\n"); + exit(1); + } + + /* un-protect the single page. */ + uffd_triggered = true; + uffd_wp_range((char *)(uintptr_t)msg.arg.pagefault.address, + pagesize, false); + } + return arg; + } + + static int setup_uffd(char *map, size_t size) + { + struct uffdio_api uffdio_api; + struct uffdio_register uffdio_register; + pthread_t thread; + + uffd = syscall(__NR_userfaultfd, + O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY); + if (uffd < 0) { + fprintf(stderr, "syscall() failed: %d\n", errno); + return -errno; + } + + uffdio_api.api = UFFD_API; + uffdio_api.features = UFFD_FEATURE_PAGEFAULT_FLAG_WP; + if (ioctl(uffd, UFFDIO_API, &uffdio_api) < 0) { + fprintf(stderr, "UFFDIO_API failed: %d\n", errno); + return -errno; + } + + if (!(uffdio_api.features & UFFD_FEATURE_PAGEFAULT_FLAG_WP)) { + fprintf(stderr, "UFFD_FEATURE_WRITEPROTECT missing\n"); + return -ENOSYS; + } + + uffdio_register.range.start = (unsigned long) map; + uffdio_register.range.len = size; + uffdio_register.mode = UFFDIO_REGISTER_MODE_WP; + if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) < 0) { + fprintf(stderr, "UFFDIO_REGISTER failed: %d\n", errno); + return -errno; + } + + pthread_create(&thread, NULL, uffd_thread_fn, NULL); + + return 0; + } + + int main(void) + { + const size_t size = 4 * 1024 * 1024ull; + char *map, *cur; + + pagesize = getpagesize(); + + map = mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); + if (map == MAP_FAILED) { + fprintf(stderr, "mmap() failed\n"); + return -errno; + } + + if (madvise(map, size, MADV_HUGEPAGE)) { + fprintf(stderr, "MADV_HUGEPAGE failed\n"); + return -errno; + } + + if (setup_uffd(map, size)) + return 1; + + /* Read the whole range, populating zeropages. */ + madvise(map, size, MADV_POPULATE_READ); + + /* Write-protect the whole range. */ + uffd_wp_range(map, size, true); + + /* Make sure uffd-wp triggers on each page. */ + for (cur = map; cur < map + size; cur += pagesize) { + uffd_triggered = false; + + barrier(); + /* Trigger a write fault. */ + *cur = 1; + barrier(); + + if (!uffd_triggered) { + printf("FAIL: uffd-wp did not trigger\n"); + return 1; + } + } + + printf("PASS: uffd-wp triggered\n"); + return 0; + } + +Link: https://lkml.kernel.org/r/20230302175423.589164-1-david@redhat.com +Fixes: e06f1e1dd499 ("userfaultfd: wp: enabled write protection in userfaultfd API") +Signed-off-by: David Hildenbrand +Acked-by: Peter Xu +Cc: Mike Rapoport +Cc: Andrea Arcangeli +Cc: Jerome Glisse +Cc: Shaohua Li +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2004,7 +2004,7 @@ static void __split_huge_zero_page_pmd(s + { + struct mm_struct *mm = vma->vm_mm; + pgtable_t pgtable; +- pmd_t _pmd; ++ pmd_t _pmd, old_pmd; + int i; + + /* +@@ -2015,7 +2015,7 @@ static void __split_huge_zero_page_pmd(s + * + * See Documentation/mm/mmu_notifier.rst + */ +- pmdp_huge_clear_flush(vma, haddr, pmd); ++ old_pmd = pmdp_huge_clear_flush(vma, haddr, pmd); + + pgtable = pgtable_trans_huge_withdraw(mm, pmd); + pmd_populate(mm, &_pmd, pgtable); +@@ -2024,6 +2024,8 @@ static void __split_huge_zero_page_pmd(s + pte_t *pte, entry; + entry = pfn_pte(my_zero_pfn(haddr), vma->vm_page_prot); + entry = pte_mkspecial(entry); ++ if (pmd_uffd_wp(old_pmd)) ++ entry = pte_mkuffd_wp(entry); + pte = pte_offset_map(&_pmd, haddr); + VM_BUG_ON(!pte_none(*pte)); + set_pte_at(mm, haddr, pte, entry); diff --git a/queue-6.1/mmc-sdhci_am654-lower-power-on-failed-message-severity.patch b/queue-6.1/mmc-sdhci_am654-lower-power-on-failed-message-severity.patch new file mode 100644 index 00000000000..dc0c760dffc --- /dev/null +++ b/queue-6.1/mmc-sdhci_am654-lower-power-on-failed-message-severity.patch @@ -0,0 +1,36 @@ +From 11440da77d6020831ee6f9ce4551b545dea789ee Mon Sep 17 00:00:00 2001 +From: Francesco Dolcini +Date: Mon, 6 Mar 2023 17:27:51 +0100 +Subject: mmc: sdhci_am654: lower power-on failed message severity + +From: Francesco Dolcini + +commit 11440da77d6020831ee6f9ce4551b545dea789ee upstream. + +Lower the power-on failed message severity from warn to info when the +controller does not power-up. It's normal to have this situation when +the SD card slot is empty, therefore we should not warn the user about +it. + +Fixes: 7ca0f166f5b2 ("mmc: sdhci_am654: Add workaround for card detect debounce timer") +Signed-off-by: Francesco Dolcini +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230306162751.163369-1-francesco@dolcini.it +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci_am654.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci_am654.c ++++ b/drivers/mmc/host/sdhci_am654.c +@@ -369,7 +369,7 @@ static void sdhci_am654_write_b(struct s + MAX_POWER_ON_TIMEOUT, false, host, val, + reg); + if (ret) +- dev_warn(mmc_dev(host->mmc), "Power on failed\n"); ++ dev_info(mmc_dev(host->mmc), "Power on failed\n"); + } + } + diff --git a/queue-6.1/net-phy-nxp-c45-tja11xx-fix-mii_basic_config_rev-bit.patch b/queue-6.1/net-phy-nxp-c45-tja11xx-fix-mii_basic_config_rev-bit.patch new file mode 100644 index 00000000000..7fe8695f3b4 --- /dev/null +++ b/queue-6.1/net-phy-nxp-c45-tja11xx-fix-mii_basic_config_rev-bit.patch @@ -0,0 +1,33 @@ +From 8ba572052a4b8fe5b205854d27e54e3486049b71 Mon Sep 17 00:00:00 2001 +From: "Radu Pirea (OSS)" +Date: Thu, 9 Mar 2023 12:01:11 +0200 +Subject: net: phy: nxp-c45-tja11xx: fix MII_BASIC_CONFIG_REV bit + +From: Radu Pirea (OSS) + +commit 8ba572052a4b8fe5b205854d27e54e3486049b71 upstream. + +According to the TJA1103 user manual, the bit for the reversed role in MII +or RMII modes is bit 4. + +Cc: # 5.15+ +Fixes: b050f2f15e04 ("phy: nxp-c45: add driver for tja1103") +Signed-off-by: Radu Pirea (OSS) +Link: https://lore.kernel.org/r/20230309100111.1246214-1-radu-nicolae.pirea@oss.nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/nxp-c45-tja11xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/phy/nxp-c45-tja11xx.c ++++ b/drivers/net/phy/nxp-c45-tja11xx.c +@@ -79,7 +79,7 @@ + #define SGMII_ABILITY BIT(0) + + #define VEND1_MII_BASIC_CONFIG 0xAFC6 +-#define MII_BASIC_CONFIG_REV BIT(8) ++#define MII_BASIC_CONFIG_REV BIT(4) + #define MII_BASIC_CONFIG_SGMII 0x9 + #define MII_BASIC_CONFIG_RGMII 0x7 + #define MII_BASIC_CONFIG_RMII 0x5 diff --git a/queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv3000.patch b/queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv3000.patch new file mode 100644 index 00000000000..dcdaf112d87 --- /dev/null +++ b/queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv3000.patch @@ -0,0 +1,31 @@ +From 9630d80655bfe7e62e4aff2889dc4eae7ceeb887 Mon Sep 17 00:00:00 2001 +From: Elmer Miroslav Mosher Golovin +Date: Wed, 8 Mar 2023 19:19:29 +0300 +Subject: nvme-pci: add NVME_QUIRK_BOGUS_NID for Netac NV3000 + +From: Elmer Miroslav Mosher Golovin + +commit 9630d80655bfe7e62e4aff2889dc4eae7ceeb887 upstream. + +Added a quirk to fix the Netac NV3000 SSD reporting duplicate NGUIDs. + +Cc: +Signed-off-by: Elmer Miroslav Mosher Golovin +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3525,6 +3525,8 @@ static const struct pci_device_id nvme_i + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, + { PCI_DEVICE(0x2646, 0x501E), /* KINGSTON OM3PGP4xxxxQ OS21011 NVMe SSD */ + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, ++ { PCI_DEVICE(0x1f40, 0x1202), /* Netac Technologies Co. NV3000 NVMe SSD */ ++ .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x1f40, 0x5236), /* Netac Technologies Co. NV7000 NVMe SSD */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x1e4B, 0x1001), /* MAXIO MAP1001 */ diff --git a/queue-6.1/ocfs2-fix-data-corruption-after-failed-write.patch b/queue-6.1/ocfs2-fix-data-corruption-after-failed-write.patch new file mode 100644 index 00000000000..7aeee5b3307 --- /dev/null +++ b/queue-6.1/ocfs2-fix-data-corruption-after-failed-write.patch @@ -0,0 +1,66 @@ +From 90410bcf873cf05f54a32183afff0161f44f9715 Mon Sep 17 00:00:00 2001 +From: Jan Kara via Ocfs2-devel +Date: Thu, 2 Mar 2023 16:38:43 +0100 +Subject: ocfs2: fix data corruption after failed write + +From: Jan Kara via Ocfs2-devel + +commit 90410bcf873cf05f54a32183afff0161f44f9715 upstream. + +When buffered write fails to copy data into underlying page cache page, +ocfs2_write_end_nolock() just zeroes out and dirties the page. This can +leave dirty page beyond EOF and if page writeback tries to write this page +before write succeeds and expands i_size, page gets into inconsistent +state where page dirty bit is clear but buffer dirty bits stay set +resulting in page data never getting written and so data copied to the +page is lost. Fix the problem by invalidating page beyond EOF after +failed write. + +Link: https://lkml.kernel.org/r/20230302153843.18499-1-jack@suse.cz +Fixes: 6dbf7bb55598 ("fs: Don't invalidate page buffers in block_write_full_page()") +Signed-off-by: Jan Kara +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/aops.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/fs/ocfs2/aops.c ++++ b/fs/ocfs2/aops.c +@@ -1977,11 +1977,26 @@ int ocfs2_write_end_nolock(struct addres + } + + if (unlikely(copied < len) && wc->w_target_page) { ++ loff_t new_isize; ++ + if (!PageUptodate(wc->w_target_page)) + copied = 0; + +- ocfs2_zero_new_buffers(wc->w_target_page, start+copied, +- start+len); ++ new_isize = max_t(loff_t, i_size_read(inode), pos + copied); ++ if (new_isize > page_offset(wc->w_target_page)) ++ ocfs2_zero_new_buffers(wc->w_target_page, start+copied, ++ start+len); ++ else { ++ /* ++ * When page is fully beyond new isize (data copy ++ * failed), do not bother zeroing the page. Invalidate ++ * it instead so that writeback does not get confused ++ * put page & buffer dirty bits into inconsistent ++ * state. ++ */ ++ block_invalidate_folio(page_folio(wc->w_target_page), ++ 0, PAGE_SIZE); ++ } + } + if (wc->w_target_page) + flush_dcache_page(wc->w_target_page); diff --git a/queue-6.1/powerpc-64-set-default-cpu-in-kconfig.patch b/queue-6.1/powerpc-64-set-default-cpu-in-kconfig.patch new file mode 100644 index 00000000000..7ffadacd0b0 --- /dev/null +++ b/queue-6.1/powerpc-64-set-default-cpu-in-kconfig.patch @@ -0,0 +1,130 @@ +From 45f7091aac3546ef8112bf62836650ca0bbf0b79 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Wed, 25 Jan 2023 08:38:59 +0100 +Subject: powerpc/64: Set default CPU in Kconfig +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christophe Leroy + +commit 45f7091aac3546ef8112bf62836650ca0bbf0b79 upstream. + +Since commit 0069f3d14e7a ("powerpc/64e: Tie PPC_BOOK3E_64 to +PPC_E500MC"), the only possible BOOK3E/64 are E500, so no need of a +default CPU over the E5500. + +When the user selects book3e, they must have an e500 compatible +compiler, and it won't work anymore with the default -mcpu=power64, see +commit d6b551b8f90c ("powerpc/64e: Fix build failure with GCC +12 (unrecognized opcode: `wrteei')"). + +For book3s/64, replace GENERIC_CPU by POWERPC64_CPU to match the PPC32 +POWERPC_CPU, and set a default mpcu value in Kconfig directly. + +When a user selects a particular CPU, they must ensure the compiler has +the requested capability. Therefore, remove hidden fallback, instead +offer user the possibility to say they want to use the toolchain +default. + +Fixes: d6b551b8f90c ("powerpc/64e: Fix build failure with GCC 12 (unrecognized opcode: `wrteei')") +Reported-by: Pali Rohár +Tested-by: Pali Rohár +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/76c11197b058193dcb8e8b26adffba09cfbdab11.1674632329.git.christophe.leroy@csgroup.eu +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/Makefile | 22 +++++----------------- + arch/powerpc/platforms/Kconfig.cputype | 12 +++++++----- + 2 files changed, 12 insertions(+), 22 deletions(-) + +--- a/arch/powerpc/Makefile ++++ b/arch/powerpc/Makefile +@@ -146,19 +146,6 @@ CFLAGS-$(CONFIG_PPC32) += $(call cc-opti + + CFLAGS-$(CONFIG_PPC32) += $(call cc-option,-mno-readonly-in-sdata) + +-ifdef CONFIG_PPC_BOOK3S_64 +-ifdef CONFIG_CPU_LITTLE_ENDIAN +-CFLAGS-$(CONFIG_GENERIC_CPU) += -mcpu=power8 +-else +-CFLAGS-$(CONFIG_GENERIC_CPU) += -mcpu=power4 +-endif +-CFLAGS-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mtune=power10, \ +- $(call cc-option,-mtune=power9, \ +- $(call cc-option,-mtune=power8))) +-else ifdef CONFIG_PPC_BOOK3E_64 +-CFLAGS-$(CONFIG_GENERIC_CPU) += -mcpu=powerpc64 +-endif +- + ifdef CONFIG_FUNCTION_TRACER + CC_FLAGS_FTRACE := -pg + ifdef CONFIG_MPROFILE_KERNEL +@@ -166,11 +153,12 @@ CC_FLAGS_FTRACE += -mprofile-kernel + endif + endif + +-CFLAGS-$(CONFIG_TARGET_CPU_BOOL) += $(call cc-option,-mcpu=$(CONFIG_TARGET_CPU)) +-AFLAGS-$(CONFIG_TARGET_CPU_BOOL) += $(call cc-option,-mcpu=$(CONFIG_TARGET_CPU)) ++CFLAGS-$(CONFIG_TARGET_CPU_BOOL) += -mcpu=$(CONFIG_TARGET_CPU) ++AFLAGS-$(CONFIG_TARGET_CPU_BOOL) += -mcpu=$(CONFIG_TARGET_CPU) + +-CFLAGS-$(CONFIG_E5500_CPU) += $(call cc-option,-mcpu=e500mc64,-mcpu=powerpc64) +-CFLAGS-$(CONFIG_E6500_CPU) += $(call cc-option,-mcpu=e6500,$(E5500_CPU)) ++CFLAGS-$(CONFIG_POWERPC64_CPU) += $(call cc-option,-mtune=power10, \ ++ $(call cc-option,-mtune=power9, \ ++ $(call cc-option,-mtune=power8))) + + asinstr := $(call as-instr,lis 9$(comma)foo@high,-DHAVE_AS_ATHIGH=1) + +--- a/arch/powerpc/platforms/Kconfig.cputype ++++ b/arch/powerpc/platforms/Kconfig.cputype +@@ -118,19 +118,18 @@ endchoice + + choice + prompt "CPU selection" +- default GENERIC_CPU + help + This will create a kernel which is optimised for a particular CPU. + The resulting kernel may not run on other CPUs, so use this with care. + + If unsure, select Generic. + +-config GENERIC_CPU ++config POWERPC64_CPU + bool "Generic (POWER5 and PowerPC 970 and above)" + depends on PPC_BOOK3S_64 && !CPU_LITTLE_ENDIAN + select PPC_64S_HASH_MMU + +-config GENERIC_CPU ++config POWERPC64_CPU + bool "Generic (POWER8 and above)" + depends on PPC_BOOK3S_64 && CPU_LITTLE_ENDIAN + select ARCH_HAS_FAST_MULTIPLIER +@@ -228,13 +227,12 @@ config E500MC_CPU + + config TOOLCHAIN_DEFAULT_CPU + bool "Rely on the toolchain's implicit default CPU" +- depends on PPC32 + + endchoice + + config TARGET_CPU_BOOL + bool +- default !GENERIC_CPU && !TOOLCHAIN_DEFAULT_CPU ++ default !TOOLCHAIN_DEFAULT_CPU + + config TARGET_CPU + string +@@ -246,6 +244,10 @@ config TARGET_CPU + default "power8" if POWER8_CPU + default "power9" if POWER9_CPU + default "power10" if POWER10_CPU ++ default "e500mc64" if E5500_CPU ++ default "e6500" if E6500_CPU ++ default "power4" if POWERPC64_CPU && !CPU_LITTLE_ENDIAN ++ default "power8" if POWERPC64_CPU && CPU_LITTLE_ENDIAN + default "405" if 405_CPU + default "440" if 440_CPU + default "464" if 464_CPU diff --git a/queue-6.1/powerpc-boot-don-t-always-pass-mcpu-powerpc-when-building-32-bit-uimage.patch b/queue-6.1/powerpc-boot-don-t-always-pass-mcpu-powerpc-when-building-32-bit-uimage.patch new file mode 100644 index 00000000000..a91a141db53 --- /dev/null +++ b/queue-6.1/powerpc-boot-don-t-always-pass-mcpu-powerpc-when-building-32-bit-uimage.patch @@ -0,0 +1,62 @@ +From ff7c76f66d8bad4e694c264c789249e1d3a8205d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Wed, 25 Jan 2023 08:39:00 +0100 +Subject: powerpc/boot: Don't always pass -mcpu=powerpc when building 32-bit uImage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +commit ff7c76f66d8bad4e694c264c789249e1d3a8205d upstream. + +When CONFIG_TARGET_CPU is specified then pass its value to the compiler +-mcpu option. This fixes following build error when building kernel with +powerpc e500 SPE capable cross compilers: + + BOOTAS arch/powerpc/boot/crt0.o + powerpc-linux-gnuspe-gcc: error: unrecognized argument in option ‘-mcpu=powerpc’ + powerpc-linux-gnuspe-gcc: note: valid arguments to ‘-mcpu=’ are: 8540 8548 native + make[1]: *** [arch/powerpc/boot/Makefile:231: arch/powerpc/boot/crt0.o] Error 1 + +Similar change was already introduced for the main powerpc Makefile in +commit 446cda1b21d9 ("powerpc/32: Don't always pass -mcpu=powerpc to the +compiler"). + +Fixes: 40a75584e526 ("powerpc/boot: Build wrapper for an appropriate CPU") +Cc: stable@vger.kernel.org # v5.19+ +Signed-off-by: Pali Rohár +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/2ae3ae5887babfdacc34435bff0944b3f336100a.1674632329.git.christophe.leroy@csgroup.eu +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/boot/Makefile | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/boot/Makefile ++++ b/arch/powerpc/boot/Makefile +@@ -39,13 +39,19 @@ BOOTCFLAGS := -Wall -Wundef -Wstrict- + $(LINUXINCLUDE) + + ifdef CONFIG_PPC64_BOOT_WRAPPER +-ifdef CONFIG_CPU_LITTLE_ENDIAN +-BOOTCFLAGS += -m64 -mcpu=powerpc64le ++BOOTCFLAGS += -m64 + else +-BOOTCFLAGS += -m64 -mcpu=powerpc64 ++BOOTCFLAGS += -m32 + endif ++ ++ifdef CONFIG_TARGET_CPU_BOOL ++BOOTCFLAGS += -mcpu=$(CONFIG_TARGET_CPU) ++else ifdef CONFIG_PPC64_BOOT_WRAPPER ++ifdef CONFIG_CPU_LITTLE_ENDIAN ++BOOTCFLAGS += -mcpu=powerpc64le + else +-BOOTCFLAGS += -m32 -mcpu=powerpc ++BOOTCFLAGS += -mcpu=powerpc64 ++endif + endif + + BOOTCFLAGS += -isystem $(shell $(BOOTCC) -print-file-name=include) diff --git a/queue-6.1/series b/queue-6.1/series index c77f48cf3aa..4a6d6d265bc 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -165,3 +165,25 @@ mptcp-fix-possible-deadlock-in-subflow_error_report.patch mptcp-add-ro_after_init-for-tcp-v6-_prot_override.patch mptcp-avoid-setting-tcp_close-state-twice.patch mptcp-fix-lockdep-false-positive-in-mptcp_pm_nl_create_listen_socket.patch +ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch +ocfs2-fix-data-corruption-after-failed-write.patch +nvme-pci-add-nvme_quirk_bogus_nid-for-netac-nv3000.patch +ice-avoid-bonding-causing-auxiliary-plug-unplug-under-rtnl-lock.patch +vp_vdpa-fix-the-crash-in-hot-unplug-with-vp_vdpa.patch +mm-userfaultfd-propagate-uffd-wp-bit-when-pte-mapping-the-huge-zeropage.patch +mm-teach-mincore_hugetlb-about-pte-markers.patch +powerpc-64-set-default-cpu-in-kconfig.patch +powerpc-boot-don-t-always-pass-mcpu-powerpc-when-building-32-bit-uimage.patch +mmc-sdhci_am654-lower-power-on-failed-message-severity.patch +fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch +trace-hwlat-do-not-wipe-the-contents-of-per-cpu-thread-data.patch +trace-hwlat-do-not-start-per-cpu-thread-if-it-is-already-running.patch +acpi-pptt-fix-to-avoid-sleep-in-the-atomic-context-when-pptt-is-absent.patch +net-phy-nxp-c45-tja11xx-fix-mii_basic_config_rev-bit.patch +fbdev-fix-incorrect-page-mapping-clearance-at-fb_deferred_io_release.patch +cpuidle-psci-iterate-backwards-over-list-in-psci_pd_remove.patch +asoc-intel-soc-acpi-fix-copy-paste-issue-in-topology-names.patch +asoc-qcom-q6prm-fix-incorrect-clk_root-passed-to-adsp.patch +x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch +x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch +x86-resctrl-clear-staged_config-before-and-after-it-is-used.patch diff --git a/queue-6.1/trace-hwlat-do-not-start-per-cpu-thread-if-it-is-already-running.patch b/queue-6.1/trace-hwlat-do-not-start-per-cpu-thread-if-it-is-already-running.patch new file mode 100644 index 00000000000..0737d90c68c --- /dev/null +++ b/queue-6.1/trace-hwlat-do-not-start-per-cpu-thread-if-it-is-already-running.patch @@ -0,0 +1,51 @@ +From 08697bca9bbba15f2058fdbd9f970bd5f6a8a2e8 Mon Sep 17 00:00:00 2001 +From: Tero Kristo +Date: Fri, 10 Mar 2023 12:04:51 +0200 +Subject: trace/hwlat: Do not start per-cpu thread if it is already running + +From: Tero Kristo + +commit 08697bca9bbba15f2058fdbd9f970bd5f6a8a2e8 upstream. + +The hwlatd tracer will end up starting multiple per-cpu threads with +the following script: + + #!/bin/sh + cd /sys/kernel/debug/tracing + echo 0 > tracing_on + echo hwlat > current_tracer + echo per-cpu > hwlat_detector/mode + echo 100000 > hwlat_detector/width + echo 200000 > hwlat_detector/window + echo 1 > tracing_on + +To fix the issue, check if the hwlatd thread for the cpu is already +running, before starting a new one. Along with the previous patch, this +avoids running multiple instances of the same CPU thread on the system. + +Link: https://lore.kernel.org/all/20230302113654.2984709-1-tero.kristo@linux.intel.com/ +Link: https://lkml.kernel.org/r/20230310100451.3948583-3-tero.kristo@linux.intel.com + +Cc: stable@vger.kernel.org +Fixes: f46b16520a087 ("trace/hwlat: Implement the per-cpu mode") +Signed-off-by: Tero Kristo +Acked-by: Daniel Bristot de Oliveira +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_hwlat.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/trace/trace_hwlat.c ++++ b/kernel/trace/trace_hwlat.c +@@ -492,6 +492,10 @@ static int start_cpu_kthread(unsigned in + { + struct task_struct *kthread; + ++ /* Do not start a new hwlatd thread if it is already running */ ++ if (per_cpu(hwlat_per_cpu_data, cpu).kthread) ++ return 0; ++ + kthread = kthread_run_on_cpu(kthread_fn, NULL, cpu, "hwlatd/%u"); + if (IS_ERR(kthread)) { + pr_err(BANNER "could not start sampling thread\n"); diff --git a/queue-6.1/trace-hwlat-do-not-wipe-the-contents-of-per-cpu-thread-data.patch b/queue-6.1/trace-hwlat-do-not-wipe-the-contents-of-per-cpu-thread-data.patch new file mode 100644 index 00000000000..2ca92073d84 --- /dev/null +++ b/queue-6.1/trace-hwlat-do-not-wipe-the-contents-of-per-cpu-thread-data.patch @@ -0,0 +1,38 @@ +From 4c42f5f0d1dd20bddd9f940beb1e6ccad60c4498 Mon Sep 17 00:00:00 2001 +From: Tero Kristo +Date: Fri, 10 Mar 2023 12:04:50 +0200 +Subject: trace/hwlat: Do not wipe the contents of per-cpu thread data + +From: Tero Kristo + +commit 4c42f5f0d1dd20bddd9f940beb1e6ccad60c4498 upstream. + +Do not wipe the contents of the per-cpu kthread data when starting the +tracer, as this will completely forget about already running instances +and can later start new additional per-cpu threads. + +Link: https://lore.kernel.org/all/20230302113654.2984709-1-tero.kristo@linux.intel.com/ +Link: https://lkml.kernel.org/r/20230310100451.3948583-2-tero.kristo@linux.intel.com + +Cc: stable@vger.kernel.org +Fixes: f46b16520a087 ("trace/hwlat: Implement the per-cpu mode") +Signed-off-by: Tero Kristo +Acked-by: Daniel Bristot de Oliveira +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_hwlat.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/kernel/trace/trace_hwlat.c ++++ b/kernel/trace/trace_hwlat.c +@@ -584,9 +584,6 @@ static int start_per_cpu_kthreads(struct + */ + cpumask_and(current_mask, cpu_online_mask, tr->tracing_cpumask); + +- for_each_online_cpu(cpu) +- per_cpu(hwlat_per_cpu_data, cpu).kthread = NULL; +- + for_each_cpu(cpu, current_mask) { + retval = start_cpu_kthread(cpu); + if (retval) diff --git a/queue-6.1/vp_vdpa-fix-the-crash-in-hot-unplug-with-vp_vdpa.patch b/queue-6.1/vp_vdpa-fix-the-crash-in-hot-unplug-with-vp_vdpa.patch new file mode 100644 index 00000000000..043bcaa57a6 --- /dev/null +++ b/queue-6.1/vp_vdpa-fix-the-crash-in-hot-unplug-with-vp_vdpa.patch @@ -0,0 +1,102 @@ +From aed8efddd39b3434c96718d39009285c52b1cafc Mon Sep 17 00:00:00 2001 +From: Cindy Lu +Date: Tue, 14 Feb 2023 16:09:24 +0800 +Subject: vp_vdpa: fix the crash in hot unplug with vp_vdpa + +From: Cindy Lu + +commit aed8efddd39b3434c96718d39009285c52b1cafc upstream. + +While unplugging the vp_vdpa device, it triggers a kernel panic +The root cause is: vdpa_mgmtdev_unregister() will accesses modern +devices which will cause a use after free. +So need to change the sequence in vp_vdpa_remove + +[ 195.003359] BUG: unable to handle page fault for address: ff4e8beb80199014 +[ 195.004012] #PF: supervisor read access in kernel mode +[ 195.004486] #PF: error_code(0x0000) - not-present page +[ 195.004960] PGD 100000067 P4D 1001b6067 PUD 1001b7067 PMD 1001b8067 PTE 0 +[ 195.005578] Oops: 0000 1 PREEMPT SMP PTI +[ 195.005968] CPU: 13 PID: 164 Comm: kworker/u56:10 Kdump: loaded Not tainted 5.14.0-252.el9.x86_64 #1 +[ 195.006792] Hardware name: Red Hat KVM/RHEL, BIOS edk2-20221207gitfff6d81270b5-2.el9 unknown +[ 195.007556] Workqueue: kacpi_hotplug acpi_hotplug_work_fn +[ 195.008059] RIP: 0010:ioread8+0x31/0x80 +[ 195.008418] Code: 77 28 48 81 ff 00 00 01 00 76 0b 89 fa ec 0f b6 c0 c3 cc cc cc cc 8b 15 ad 72 93 01 b8 ff 00 00 00 85 d2 75 0f c3 cc cc cc cc <8a> 07 0f b6 c0 c3 cc cc cc cc 83 ea 01 48 83 ec 08 48 89 fe 48 c7 +[ 195.010104] RSP: 0018:ff4e8beb8067bab8 EFLAGS: 00010292 +[ 195.010584] RAX: ffffffffc05834a0 RBX: ffffffffc05843c0 RCX: ff4e8beb8067bae0 +[ 195.011233] RDX: ff1bcbd580f88000 RSI: 0000000000000246 RDI: ff4e8beb80199014 +[ 195.011881] RBP: ff1bcbd587e39000 R08: ffffffff916fa2d0 R09: ff4e8beb8067ba68 +[ 195.012527] R10: 000000000000001c R11: 0000000000000000 R12: ff1bcbd5a3de9120 +[ 195.013179] R13: ffffffffc062d000 R14: 0000000000000080 R15: ff1bcbe402bc7805 +[ 195.013826] FS: 0000000000000000(0000) GS:ff1bcbe402740000(0000) knlGS:0000000000000000 +[ 195.014564] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 195.015093] CR2: ff4e8beb80199014 CR3: 0000000107dea002 CR4: 0000000000771ee0 +[ 195.015741] PKRU: 55555554 +[ 195.016001] Call Trace: +[ 195.016233] +[ 195.016434] vp_modern_get_status+0x12/0x20 +[ 195.016823] vp_vdpa_reset+0x1b/0x50 [vp_vdpa] +[ 195.017238] virtio_vdpa_reset+0x3c/0x48 [virtio_vdpa] +[ 195.017709] remove_vq_common+0x1f/0x3a0 [virtio_net] +[ 195.018178] virtnet_remove+0x5d/0x70 [virtio_net] +[ 195.018618] virtio_dev_remove+0x3d/0x90 +[ 195.018986] device_release_driver_internal+0x1aa/0x230 +[ 195.019466] bus_remove_device+0xd8/0x150 +[ 195.019841] device_del+0x18b/0x3f0 +[ 195.020167] ? kernfs_find_ns+0x35/0xd0 +[ 195.020526] device_unregister+0x13/0x60 +[ 195.020894] unregister_virtio_device+0x11/0x20 +[ 195.021311] device_release_driver_internal+0x1aa/0x230 +[ 195.021790] bus_remove_device+0xd8/0x150 +[ 195.022162] device_del+0x18b/0x3f0 +[ 195.022487] device_unregister+0x13/0x60 +[ 195.022852] ? vdpa_dev_remove+0x30/0x30 [vdpa] +[ 195.023270] vp_vdpa_dev_del+0x12/0x20 [vp_vdpa] +[ 195.023694] vdpa_match_remove+0x2b/0x40 [vdpa] +[ 195.024115] bus_for_each_dev+0x78/0xc0 +[ 195.024471] vdpa_mgmtdev_unregister+0x65/0x80 [vdpa] +[ 195.024937] vp_vdpa_remove+0x23/0x40 [vp_vdpa] +[ 195.025353] pci_device_remove+0x36/0xa0 +[ 195.025719] device_release_driver_internal+0x1aa/0x230 +[ 195.026201] pci_stop_bus_device+0x6c/0x90 +[ 195.026580] pci_stop_and_remove_bus_device+0xe/0x20 +[ 195.027039] disable_slot+0x49/0x90 +[ 195.027366] acpiphp_disable_and_eject_slot+0x15/0x90 +[ 195.027832] hotplug_event+0xea/0x210 +[ 195.028171] ? hotplug_event+0x210/0x210 +[ 195.028535] acpiphp_hotplug_notify+0x22/0x80 +[ 195.028942] ? hotplug_event+0x210/0x210 +[ 195.029303] acpi_device_hotplug+0x8a/0x1d0 +[ 195.029690] acpi_hotplug_work_fn+0x1a/0x30 +[ 195.030077] process_one_work+0x1e8/0x3c0 +[ 195.030451] worker_thread+0x50/0x3b0 +[ 195.030791] ? rescuer_thread+0x3a0/0x3a0 +[ 195.031165] kthread+0xd9/0x100 +[ 195.031459] ? kthread_complete_and_exit+0x20/0x20 +[ 195.031899] ret_from_fork+0x22/0x30 +[ 195.032233] + +Fixes: ffbda8e9df10 ("vdpa/vp_vdpa : add vdpa tool support in vp_vdpa") +Tested-by: Lei Yang +Cc: stable@vger.kernel.org +Signed-off-by: Cindy Lu +Message-Id: <20230214080924.131462-1-lulu@redhat.com> +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vdpa/virtio_pci/vp_vdpa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/vdpa/virtio_pci/vp_vdpa.c ++++ b/drivers/vdpa/virtio_pci/vp_vdpa.c +@@ -645,8 +645,8 @@ static void vp_vdpa_remove(struct pci_de + struct virtio_pci_modern_device *mdev = NULL; + + mdev = vp_vdpa_mgtdev->mdev; +- vp_modern_remove(mdev); + vdpa_mgmtdev_unregister(&vp_vdpa_mgtdev->mgtdev); ++ vp_modern_remove(mdev); + kfree(vp_vdpa_mgtdev->mgtdev.id_table); + kfree(mdev); + kfree(vp_vdpa_mgtdev); diff --git a/queue-6.1/x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch b/queue-6.1/x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch new file mode 100644 index 00000000000..9983e665215 --- /dev/null +++ b/queue-6.1/x86-mce-make-sure-logged-mces-are-processed-after-sysfs-update.patch @@ -0,0 +1,44 @@ +From 4783b9cb374af02d49740e00e2da19fd4ed6dec4 Mon Sep 17 00:00:00 2001 +From: Yazen Ghannam +Date: Wed, 1 Mar 2023 22:14:20 +0000 +Subject: x86/mce: Make sure logged MCEs are processed after sysfs update + +From: Yazen Ghannam + +commit 4783b9cb374af02d49740e00e2da19fd4ed6dec4 upstream. + +A recent change introduced a flag to queue up errors found during +boot-time polling. These errors will be processed during late init once +the MCE subsystem is fully set up. + +A number of sysfs updates call mce_restart() which goes through a subset +of the CPU init flow. This includes polling MCA banks and logging any +errors found. Since the same function is used as boot-time polling, +errors will be queued. However, the system is now past late init, so the +errors will remain queued until another error is found and the workqueue +is triggered. + +Call mce_schedule_work() at the end of mce_restart() so that queued +errors are processed. + +Fixes: 3bff147b187d ("x86/mce: Defer processing of early errors") +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Tony Luck +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230301221420.2203184-1-yazen.ghannam@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/mce/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kernel/cpu/mce/core.c ++++ b/arch/x86/kernel/cpu/mce/core.c +@@ -2365,6 +2365,7 @@ static void mce_restart(void) + { + mce_timer_delete_all(); + on_each_cpu(mce_cpu_restart, NULL, 1); ++ mce_schedule_work(); + } + + /* Toggle features for corrected errors */ diff --git a/queue-6.1/x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch b/queue-6.1/x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch new file mode 100644 index 00000000000..a1076c9dcf7 --- /dev/null +++ b/queue-6.1/x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch @@ -0,0 +1,40 @@ +From cbebd68f59f03633469f3ecf9bea99cd6cce3854 Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Mon, 6 Mar 2023 08:06:56 -0800 +Subject: x86/mm: Fix use of uninitialized buffer in sme_enable() + +From: Nikita Zhandarovich + +commit cbebd68f59f03633469f3ecf9bea99cd6cce3854 upstream. + +cmdline_find_option() may fail before doing any initialization of +the buffer array. This may lead to unpredictable results when the same +buffer is used later in calls to strncmp() function. Fix the issue by +returning early if cmdline_find_option() returns an error. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: aca20d546214 ("x86/mm: Add support to make use of Secure Memory Encryption") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Tom Lendacky +Cc: +Link: https://lore.kernel.org/r/20230306160656.14844-1-n.zhandarovich@fintech.ru +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/mem_encrypt_identity.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/mm/mem_encrypt_identity.c ++++ b/arch/x86/mm/mem_encrypt_identity.c +@@ -600,7 +600,8 @@ void __init sme_enable(struct boot_param + cmdline_ptr = (const char *)((u64)bp->hdr.cmd_line_ptr | + ((u64)bp->ext_cmd_line_ptr << 32)); + +- cmdline_find_option(cmdline_ptr, cmdline_arg, buffer, sizeof(buffer)); ++ if (cmdline_find_option(cmdline_ptr, cmdline_arg, buffer, sizeof(buffer)) < 0) ++ return; + + if (!strncmp(buffer, cmdline_on, sizeof(buffer))) + sme_me_mask = me_mask; diff --git a/queue-6.1/x86-resctrl-clear-staged_config-before-and-after-it-is-used.patch b/queue-6.1/x86-resctrl-clear-staged_config-before-and-after-it-is-used.patch new file mode 100644 index 00000000000..13b25729a00 --- /dev/null +++ b/queue-6.1/x86-resctrl-clear-staged_config-before-and-after-it-is-used.patch @@ -0,0 +1,165 @@ +From 0424a7dfe9129b93f29b277511a60e87f052ac6b Mon Sep 17 00:00:00 2001 +From: Shawn Wang +Date: Tue, 17 Jan 2023 13:14:50 -0800 +Subject: x86/resctrl: Clear staged_config[] before and after it is used + +From: Shawn Wang + +commit 0424a7dfe9129b93f29b277511a60e87f052ac6b upstream. + +As a temporary storage, staged_config[] in rdt_domain should be cleared +before and after it is used. The stale value in staged_config[] could +cause an MSR access error. + +Here is a reproducer on a system with 16 usable CLOSIDs for a 15-way L3 +Cache (MBA should be disabled if the number of CLOSIDs for MB is less than +16.) : + mount -t resctrl resctrl -o cdp /sys/fs/resctrl + mkdir /sys/fs/resctrl/p{1..7} + umount /sys/fs/resctrl/ + mount -t resctrl resctrl /sys/fs/resctrl + mkdir /sys/fs/resctrl/p{1..8} + +An error occurs when creating resource group named p8: + unchecked MSR access error: WRMSR to 0xca0 (tried to write 0x00000000000007ff) at rIP: 0xffffffff82249142 (cat_wrmsr+0x32/0x60) + Call Trace: + + __flush_smp_call_function_queue+0x11d/0x170 + __sysvec_call_function+0x24/0xd0 + sysvec_call_function+0x89/0xc0 + + + asm_sysvec_call_function+0x16/0x20 + +When creating a new resource control group, hardware will be configured +by the following process: + rdtgroup_mkdir() + rdtgroup_mkdir_ctrl_mon() + rdtgroup_init_alloc() + resctrl_arch_update_domains() + +resctrl_arch_update_domains() iterates and updates all resctrl_conf_type +whose have_new_ctrl is true. Since staged_config[] holds the same values as +when CDP was enabled, it will continue to update the CDP_CODE and CDP_DATA +configurations. When group p8 is created, get_config_index() called in +resctrl_arch_update_domains() will return 16 and 17 as the CLOSIDs for +CDP_CODE and CDP_DATA, which will be translated to an invalid register - +0xca0 in this scenario. + +Fix it by clearing staged_config[] before and after it is used. + +[reinette: re-order commit tags] + +Fixes: 75408e43509e ("x86/resctrl: Allow different CODE/DATA configurations to be staged") +Suggested-by: Xin Hao +Signed-off-by: Shawn Wang +Signed-off-by: Reinette Chatre +Signed-off-by: Dave Hansen +Tested-by: Reinette Chatre +Cc:stable@vger.kernel.org +Link: https://lore.kernel.org/all/2fad13f49fbe89687fc40e9a5a61f23a28d1507a.1673988935.git.reinette.chatre%40intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 7 ++----- + arch/x86/kernel/cpu/resctrl/internal.h | 1 + + arch/x86/kernel/cpu/resctrl/rdtgroup.c | 25 +++++++++++++++++++++---- + 3 files changed, 24 insertions(+), 9 deletions(-) + +--- a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c ++++ b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c +@@ -374,7 +374,6 @@ ssize_t rdtgroup_schemata_write(struct k + { + struct resctrl_schema *s; + struct rdtgroup *rdtgrp; +- struct rdt_domain *dom; + struct rdt_resource *r; + char *tok, *resname; + int ret = 0; +@@ -403,10 +402,7 @@ ssize_t rdtgroup_schemata_write(struct k + goto out; + } + +- list_for_each_entry(s, &resctrl_schema_all, list) { +- list_for_each_entry(dom, &s->res->domains, list) +- memset(dom->staged_config, 0, sizeof(dom->staged_config)); +- } ++ rdt_staged_configs_clear(); + + while ((tok = strsep(&buf, "\n")) != NULL) { + resname = strim(strsep(&tok, ":")); +@@ -451,6 +447,7 @@ ssize_t rdtgroup_schemata_write(struct k + } + + out: ++ rdt_staged_configs_clear(); + rdtgroup_kn_unlock(of->kn); + cpus_read_unlock(); + return ret ?: nbytes; +--- a/arch/x86/kernel/cpu/resctrl/internal.h ++++ b/arch/x86/kernel/cpu/resctrl/internal.h +@@ -537,5 +537,6 @@ bool has_busy_rmid(struct rdt_resource * + void __check_limbo(struct rdt_domain *d, bool force_free); + void rdt_domain_reconfigure_cdp(struct rdt_resource *r); + void __init thread_throttle_mode_init(void); ++void rdt_staged_configs_clear(void); + + #endif /* _ASM_X86_RESCTRL_INTERNAL_H */ +--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c ++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +@@ -78,6 +78,19 @@ void rdt_last_cmd_printf(const char *fmt + va_end(ap); + } + ++void rdt_staged_configs_clear(void) ++{ ++ struct rdt_resource *r; ++ struct rdt_domain *dom; ++ ++ lockdep_assert_held(&rdtgroup_mutex); ++ ++ for_each_alloc_capable_rdt_resource(r) { ++ list_for_each_entry(dom, &r->domains, list) ++ memset(dom->staged_config, 0, sizeof(dom->staged_config)); ++ } ++} ++ + /* + * Trivial allocator for CLOSIDs. Since h/w only supports a small number, + * we can keep a bitmap of free CLOSIDs in a single integer. +@@ -2851,7 +2864,9 @@ static int rdtgroup_init_alloc(struct rd + { + struct resctrl_schema *s; + struct rdt_resource *r; +- int ret; ++ int ret = 0; ++ ++ rdt_staged_configs_clear(); + + list_for_each_entry(s, &resctrl_schema_all, list) { + r = s->res; +@@ -2862,20 +2877,22 @@ static int rdtgroup_init_alloc(struct rd + } else { + ret = rdtgroup_init_cat(s, rdtgrp->closid); + if (ret < 0) +- return ret; ++ goto out; + } + + ret = resctrl_arch_update_domains(r, rdtgrp->closid); + if (ret < 0) { + rdt_last_cmd_puts("Failed to initialize allocations\n"); +- return ret; ++ goto out; + } + + } + + rdtgrp->mode = RDT_MODE_SHAREABLE; + +- return 0; ++out: ++ rdt_staged_configs_clear(); ++ return ret; + } + + static int mkdir_rdt_prepare(struct kernfs_node *parent_kn,