From: Greg Kroah-Hartman Date: Mon, 27 Dec 2021 13:23:48 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.4.297~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=49a67129799d8c0e594b0ee43f6b8c4d22b10ca1;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch gpio-dln2-fix-interrupts-when-replugging-the-device.patch ksmbd-disable-smb2_global_cap_encryption-for-smb-3.1.1.patch ksmbd-fix-error-code-in-ndr_read_int32.patch ksmbd-fix-uninitialized-symbol-pntsd_size.patch mac80211-fix-locking-in-ieee80211_start_ap-error-path.patch mm-damon-dbgfs-protect-targets-destructions-with-kdamond_lock.patch mm-hwpoison-clear-mf_count_increased-before-retrying-get_any_page.patch mm-hwpoison-fix-condition-in-free-hugetlb-page-path.patch mm-mempolicy-fix-thp-allocations-escaping-mempolicy-restrictions.patch mmc-core-disable-card-detect-during-shutdown.patch mmc-meson-mx-sdhc-set-manual_stop-for-multi-block-sdio-commands.patch mmc-mmci-stm32-clear-dlyb_cr-after-sending-tuning-command.patch mmc-sdhci-tegra-fix-switch-to-hs400es-mode.patch netfs-fix-parameter-of-cleanup.patch pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch tee-optee-fix-incorrect-page-free-bug.patch --- diff --git a/queue-5.15/arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch b/queue-5.15/arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch new file mode 100644 index 00000000000..6a87ef40832 --- /dev/null +++ b/queue-5.15/arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch @@ -0,0 +1,51 @@ +From 8536a5ef886005bc443c2da9b842d69fd3d7647f Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 15 Dec 2021 09:31:36 +0100 +Subject: ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling + +From: Ard Biesheuvel + +commit 8536a5ef886005bc443c2da9b842d69fd3d7647f upstream. + +The Thumb2 version of the FP exception handling entry code treats the +register holding the CP number (R8) differently, resulting in the iWMMXT +CP number check to be incorrect. + +Fix this by unifying the ARM and Thumb2 code paths, and switch the +order of the additions of the TI_USED_CP offset and the shifted CP +index. + +Cc: +Fixes: b86040a59feb ("Thumb-2: Implementation of the unified start-up and exceptions code") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/kernel/entry-armv.S | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/arch/arm/kernel/entry-armv.S ++++ b/arch/arm/kernel/entry-armv.S +@@ -597,11 +597,9 @@ call_fpe: + tstne r0, #0x04000000 @ bit 26 set on both ARM and Thumb-2 + reteq lr + and r8, r0, #0x00000f00 @ mask out CP number +- THUMB( lsr r8, r8, #8 ) + mov r7, #1 +- add r6, r10, #TI_USED_CP +- ARM( strb r7, [r6, r8, lsr #8] ) @ set appropriate used_cp[] +- THUMB( strb r7, [r6, r8] ) @ set appropriate used_cp[] ++ add r6, r10, r8, lsr #8 @ add used_cp[] array offset first ++ strb r7, [r6, #TI_USED_CP] @ set appropriate used_cp[] + #ifdef CONFIG_IWMMXT + @ Test if we need to give access to iWMMXt coprocessors + ldr r5, [r10, #TI_FLAGS] +@@ -610,7 +608,7 @@ call_fpe: + bcs iwmmxt_task_enable + #endif + ARM( add pc, pc, r8, lsr #6 ) +- THUMB( lsl r8, r8, #2 ) ++ THUMB( lsr r8, r8, #6 ) + THUMB( add pc, r8 ) + nop + diff --git a/queue-5.15/f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch b/queue-5.15/f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch new file mode 100644 index 00000000000..73ba35884a5 --- /dev/null +++ b/queue-5.15/f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch @@ -0,0 +1,84 @@ +From 5598b24efaf4892741c798b425d543e4bed357a1 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Sun, 12 Dec 2021 17:16:30 +0800 +Subject: f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr() + +From: Chao Yu + +commit 5598b24efaf4892741c798b425d543e4bed357a1 upstream. + +As Wenqing Liu reported in bugzilla: + +https://bugzilla.kernel.org/show_bug.cgi?id=215235 + +- Overview +page fault in f2fs_setxattr() when mount and operate on corrupted image + +- Reproduce +tested on kernel 5.16-rc3, 5.15.X under root + +1. unzip tmp7.zip +2. ./single.sh f2fs 7 + +Sometimes need to run the script several times + +- Kernel dump +loop0: detected capacity change from 0 to 131072 +F2FS-fs (loop0): Found nat_bits in checkpoint +F2FS-fs (loop0): Mounted with checkpoint version = 7548c2ee +BUG: unable to handle page fault for address: ffffe47bc7123f48 +RIP: 0010:kfree+0x66/0x320 +Call Trace: + __f2fs_setxattr+0x2aa/0xc00 [f2fs] + f2fs_setxattr+0xfa/0x480 [f2fs] + __f2fs_set_acl+0x19b/0x330 [f2fs] + __vfs_removexattr+0x52/0x70 + __vfs_removexattr_locked+0xb1/0x140 + vfs_removexattr+0x56/0x100 + removexattr+0x57/0x80 + path_removexattr+0xa3/0xc0 + __x64_sys_removexattr+0x17/0x20 + do_syscall_64+0x37/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +The root cause is in __f2fs_setxattr(), we missed to do sanity check on +last xattr entry, result in out-of-bound memory access during updating +inconsistent xattr data of target inode. + +After the fix, it can detect such xattr inconsistency as below: + +F2FS-fs (loop11): inode (7) has invalid last xattr entry, entry_size: 60676 +F2FS-fs (loop11): inode (8) has corrupted xattr +F2FS-fs (loop11): inode (8) has corrupted xattr +F2FS-fs (loop11): inode (8) has invalid last xattr entry, entry_size: 47736 + +Cc: stable@vger.kernel.org +Reported-by: Wenqing Liu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/xattr.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/xattr.c ++++ b/fs/f2fs/xattr.c +@@ -684,8 +684,17 @@ static int __f2fs_setxattr(struct inode + } + + last = here; +- while (!IS_XATTR_LAST_ENTRY(last)) ++ while (!IS_XATTR_LAST_ENTRY(last)) { ++ if ((void *)(last) + sizeof(__u32) > last_base_addr || ++ (void *)XATTR_NEXT_ENTRY(last) > last_base_addr) { ++ f2fs_err(F2FS_I_SB(inode), "inode (%lu) has invalid last xattr entry, entry_size: %zu", ++ inode->i_ino, ENTRY_SIZE(last)); ++ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK); ++ error = -EFSCORRUPTED; ++ goto exit; ++ } + last = XATTR_NEXT_ENTRY(last); ++ } + + newsize = XATTR_ALIGN(sizeof(struct f2fs_xattr_entry) + len + size); + diff --git a/queue-5.15/gpio-dln2-fix-interrupts-when-replugging-the-device.patch b/queue-5.15/gpio-dln2-fix-interrupts-when-replugging-the-device.patch new file mode 100644 index 00000000000..b414c99c922 --- /dev/null +++ b/queue-5.15/gpio-dln2-fix-interrupts-when-replugging-the-device.patch @@ -0,0 +1,76 @@ +From 9a5875f14b0e3a13ae314883f1bb72b7f31fac07 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= +Date: Mon, 18 Oct 2021 13:22:01 +0200 +Subject: gpio: dln2: Fix interrupts when replugging the device +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Noralf Trønnes + +commit 9a5875f14b0e3a13ae314883f1bb72b7f31fac07 upstream. + +When replugging the device the following message shows up: + +gpio gpiochip2: (dln2): detected irqchip that is shared with multiple gpiochips: please fix the driver. + +This also has the effect that interrupts won't work. +The same problem would also show up if multiple devices where plugged in. + +Fix this by allocating the irq_chip data structure per instance like other +drivers do. + +I don't know when this problem appeared, but it is present in 5.10. + +Cc: # 5.10+ +Cc: Daniel Baluta +Signed-off-by: Noralf Trønnes +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-dln2.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +--- a/drivers/gpio/gpio-dln2.c ++++ b/drivers/gpio/gpio-dln2.c +@@ -46,6 +46,7 @@ + struct dln2_gpio { + struct platform_device *pdev; + struct gpio_chip gpio; ++ struct irq_chip irqchip; + + /* + * Cache pin direction to save us one transfer, since the hardware has +@@ -383,15 +384,6 @@ static void dln2_irq_bus_unlock(struct i + mutex_unlock(&dln2->irq_lock); + } + +-static struct irq_chip dln2_gpio_irqchip = { +- .name = "dln2-irq", +- .irq_mask = dln2_irq_mask, +- .irq_unmask = dln2_irq_unmask, +- .irq_set_type = dln2_irq_set_type, +- .irq_bus_lock = dln2_irq_bus_lock, +- .irq_bus_sync_unlock = dln2_irq_bus_unlock, +-}; +- + static void dln2_gpio_event(struct platform_device *pdev, u16 echo, + const void *data, int len) + { +@@ -473,8 +465,15 @@ static int dln2_gpio_probe(struct platfo + dln2->gpio.direction_output = dln2_gpio_direction_output; + dln2->gpio.set_config = dln2_gpio_set_config; + ++ dln2->irqchip.name = "dln2-irq", ++ dln2->irqchip.irq_mask = dln2_irq_mask, ++ dln2->irqchip.irq_unmask = dln2_irq_unmask, ++ dln2->irqchip.irq_set_type = dln2_irq_set_type, ++ dln2->irqchip.irq_bus_lock = dln2_irq_bus_lock, ++ dln2->irqchip.irq_bus_sync_unlock = dln2_irq_bus_unlock, ++ + girq = &dln2->gpio.irq; +- girq->chip = &dln2_gpio_irqchip; ++ girq->chip = &dln2->irqchip; + /* The event comes from the outside so no parent handler */ + girq->parent_handler = NULL; + girq->num_parents = 0; diff --git a/queue-5.15/ksmbd-disable-smb2_global_cap_encryption-for-smb-3.1.1.patch b/queue-5.15/ksmbd-disable-smb2_global_cap_encryption-for-smb-3.1.1.patch new file mode 100644 index 00000000000..2c98d0bf554 --- /dev/null +++ b/queue-5.15/ksmbd-disable-smb2_global_cap_encryption-for-smb-3.1.1.patch @@ -0,0 +1,88 @@ +From 83912d6d55be10d65b5268d1871168b9ebe1ec4b Mon Sep 17 00:00:00 2001 +From: Marcos Del Sol Vives +Date: Thu, 16 Dec 2021 11:37:22 +0100 +Subject: ksmbd: disable SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1 + +From: Marcos Del Sol Vives + +commit 83912d6d55be10d65b5268d1871168b9ebe1ec4b upstream. + +According to the official Microsoft MS-SMB2 document section 3.3.5.4, this +flag should be used only for 3.0 and 3.0.2 dialects. Setting it for 3.1.1 +is a violation of the specification. + +This causes my Windows 10 client to detect an anomaly in the negotiation, +and disable encryption entirely despite being explicitly enabled in ksmbd, +causing all data transfers to go in plain text. + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org # v5.15 +Acked-by: Namjae Jeon +Signed-off-by: Marcos Del Sol Vives +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2ops.c | 3 --- + fs/ksmbd/smb2pdu.c | 25 +++++++++++++++++++++---- + 2 files changed, 21 insertions(+), 7 deletions(-) + +--- a/fs/ksmbd/smb2ops.c ++++ b/fs/ksmbd/smb2ops.c +@@ -272,9 +272,6 @@ int init_smb3_11_server(struct ksmbd_con + if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES) + conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING; + +- if (conn->cipher_type) +- conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION; +- + if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) + conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL; + +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -917,6 +917,25 @@ static void decode_encrypt_ctxt(struct k + } + } + ++/** ++ * smb3_encryption_negotiated() - checks if server and client agreed on enabling encryption ++ * @conn: smb connection ++ * ++ * Return: true if connection should be encrypted, else false ++ */ ++static bool smb3_encryption_negotiated(struct ksmbd_conn *conn) ++{ ++ if (!conn->ops->generate_encryptionkey) ++ return false; ++ ++ /* ++ * SMB 3.0 and 3.0.2 dialects use the SMB2_GLOBAL_CAP_ENCRYPTION flag. ++ * SMB 3.1.1 uses the cipher_type field. ++ */ ++ return (conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION) || ++ conn->cipher_type; ++} ++ + static void decode_compress_ctxt(struct ksmbd_conn *conn, + struct smb2_compression_ctx *pneg_ctxt) + { +@@ -1471,8 +1490,7 @@ static int ntlm_authenticate(struct ksmb + (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED)) + sess->sign = true; + +- if (conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION && +- conn->ops->generate_encryptionkey && ++ if (smb3_encryption_negotiated(conn) && + !(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) { + rc = conn->ops->generate_encryptionkey(sess); + if (rc) { +@@ -1562,8 +1580,7 @@ static int krb5_authenticate(struct ksmb + (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED)) + sess->sign = true; + +- if ((conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION) && +- conn->ops->generate_encryptionkey) { ++ if (smb3_encryption_negotiated(conn)) { + retval = conn->ops->generate_encryptionkey(sess); + if (retval) { + ksmbd_debug(SMB, diff --git a/queue-5.15/ksmbd-fix-error-code-in-ndr_read_int32.patch b/queue-5.15/ksmbd-fix-error-code-in-ndr_read_int32.patch new file mode 100644 index 00000000000..c445efb63f6 --- /dev/null +++ b/queue-5.15/ksmbd-fix-error-code-in-ndr_read_int32.patch @@ -0,0 +1,33 @@ +From ef399469d9ceb9f2171cdd79863f9434b9fa3edc Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 30 Nov 2021 15:50:47 +0300 +Subject: ksmbd: fix error code in ndr_read_int32() + +From: Dan Carpenter + +commit ef399469d9ceb9f2171cdd79863f9434b9fa3edc upstream. + +This is a failure path and it should return -EINVAL instead of success. +Otherwise it could result in the caller using uninitialized memory. + +Fixes: 303fff2b8c77 ("ksmbd: add validation for ndr read/write functions") +Cc: stable@vger.kernel.org # v5.15 +Acked-by: Namjae Jeon +Signed-off-by: Dan Carpenter +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/ndr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ksmbd/ndr.c ++++ b/fs/ksmbd/ndr.c +@@ -148,7 +148,7 @@ static int ndr_read_int16(struct ndr *n, + static int ndr_read_int32(struct ndr *n, __u32 *value) + { + if (n->offset + sizeof(__u32) > n->length) +- return 0; ++ return -EINVAL; + + if (value) + *value = le32_to_cpu(*(__le32 *)ndr_get_field(n)); diff --git a/queue-5.15/ksmbd-fix-uninitialized-symbol-pntsd_size.patch b/queue-5.15/ksmbd-fix-uninitialized-symbol-pntsd_size.patch new file mode 100644 index 00000000000..5cecb3a4cdb --- /dev/null +++ b/queue-5.15/ksmbd-fix-uninitialized-symbol-pntsd_size.patch @@ -0,0 +1,35 @@ +From f2e78affc48dee29b989c1d9b0d89b503dcd1204 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Wed, 1 Dec 2021 10:12:39 +0900 +Subject: ksmbd: fix uninitialized symbol 'pntsd_size' + +From: Namjae Jeon + +commit f2e78affc48dee29b989c1d9b0d89b503dcd1204 upstream. + +No check for if "rc" is an error code for build_sec_desc(). +This can cause problems with using uninitialized pntsd_size. + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org # v5.15 +Reported-by: Dan Carpenter +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2pdu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -2964,6 +2964,10 @@ int smb2_open(struct ksmbd_work *work) + &pntsd_size, &fattr); + posix_acl_release(fattr.cf_acls); + posix_acl_release(fattr.cf_dacls); ++ if (rc) { ++ kfree(pntsd); ++ goto err_out; ++ } + + rc = ksmbd_vfs_set_sd_xattr(conn, + user_ns, diff --git a/queue-5.15/mac80211-fix-locking-in-ieee80211_start_ap-error-path.patch b/queue-5.15/mac80211-fix-locking-in-ieee80211_start_ap-error-path.patch new file mode 100644 index 00000000000..89d4afa5d81 --- /dev/null +++ b/queue-5.15/mac80211-fix-locking-in-ieee80211_start_ap-error-path.patch @@ -0,0 +1,36 @@ +From 87a270625a89fc841f1a7e21aae6176543d8385c Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Mon, 20 Dec 2021 10:22:40 +0100 +Subject: mac80211: fix locking in ieee80211_start_ap error path + +From: Johannes Berg + +commit 87a270625a89fc841f1a7e21aae6176543d8385c upstream. + +We need to hold the local->mtx to release the channel context, +as even encoded by the lockdep_assert_held() there. Fix it. + +Cc: stable@vger.kernel.org +Fixes: 295b02c4be74 ("mac80211: Add FILS discovery support") +Reported-and-tested-by: syzbot+11c342e5e30e9539cabd@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20211220090836.cee3d59a1915.I36bba9b79dc2ff4d57c3c7aa30dff9a003fe8c5c@changeid +Signed-off-by: Johannes Berg +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1226,7 +1226,10 @@ static int ieee80211_start_ap(struct wip + return 0; + + error: ++ mutex_lock(&local->mtx); + ieee80211_vif_release_channel(sdata); ++ mutex_unlock(&local->mtx); ++ + return err; + } + diff --git a/queue-5.15/mm-damon-dbgfs-protect-targets-destructions-with-kdamond_lock.patch b/queue-5.15/mm-damon-dbgfs-protect-targets-destructions-with-kdamond_lock.patch new file mode 100644 index 00000000000..f983093170f --- /dev/null +++ b/queue-5.15/mm-damon-dbgfs-protect-targets-destructions-with-kdamond_lock.patch @@ -0,0 +1,43 @@ +From 34796417964b8d0aef45a99cf6c2d20cebe33733 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Fri, 24 Dec 2021 21:12:54 -0800 +Subject: mm/damon/dbgfs: protect targets destructions with kdamond_lock + +From: SeongJae Park + +commit 34796417964b8d0aef45a99cf6c2d20cebe33733 upstream. + +DAMON debugfs interface iterates current monitoring targets in +'dbgfs_target_ids_read()' while holding the corresponding +'kdamond_lock'. However, it also destructs the monitoring targets in +'dbgfs_before_terminate()' without holding the lock. This can result in +a use_after_free bug. This commit avoids the race by protecting the +destruction with the corresponding 'kdamond_lock'. + +Link: https://lkml.kernel.org/r/20211221094447.2241-1-sj@kernel.org +Reported-by: Sangwoo Bae +Fixes: 4bc05954d007 ("mm/damon: implement a debugfs-based user space interface") +Signed-off-by: SeongJae Park +Cc: [5.15.x] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/dbgfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/damon/dbgfs.c ++++ b/mm/damon/dbgfs.c +@@ -309,10 +309,12 @@ static int dbgfs_before_terminate(struct + if (!targetid_is_pid(ctx)) + return 0; + ++ mutex_lock(&ctx->kdamond_lock); + damon_for_each_target_safe(t, next, ctx) { + put_pid((struct pid *)t->id); + damon_destroy_target(t); + } ++ mutex_unlock(&ctx->kdamond_lock); + return 0; + } + diff --git a/queue-5.15/mm-hwpoison-clear-mf_count_increased-before-retrying-get_any_page.patch b/queue-5.15/mm-hwpoison-clear-mf_count_increased-before-retrying-get_any_page.patch new file mode 100644 index 00000000000..3e8c5910aaf --- /dev/null +++ b/queue-5.15/mm-hwpoison-clear-mf_count_increased-before-retrying-get_any_page.patch @@ -0,0 +1,63 @@ +From 2a57d83c78f889bf3f54eede908d0643c40d5418 Mon Sep 17 00:00:00 2001 +From: Liu Shixin +Date: Fri, 24 Dec 2021 21:12:58 -0800 +Subject: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page() + +From: Liu Shixin + +commit 2a57d83c78f889bf3f54eede908d0643c40d5418 upstream. + +Hulk Robot reported a panic in put_page_testzero() when testing +madvise() with MADV_SOFT_OFFLINE. The BUG() is triggered when retrying +get_any_page(). This is because we keep MF_COUNT_INCREASED flag in +second try but the refcnt is not increased. + + page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0) + ------------[ cut here ]------------ + kernel BUG at include/linux/mm.h:737! + invalid opcode: 0000 [#1] PREEMPT SMP + CPU: 5 PID: 2135 Comm: sshd Tainted: G B 5.16.0-rc6-dirty #373 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 + RIP: release_pages+0x53f/0x840 + Call Trace: + free_pages_and_swap_cache+0x64/0x80 + tlb_flush_mmu+0x6f/0x220 + unmap_page_range+0xe6c/0x12c0 + unmap_single_vma+0x90/0x170 + unmap_vmas+0xc4/0x180 + exit_mmap+0xde/0x3a0 + mmput+0xa3/0x250 + do_exit+0x564/0x1470 + do_group_exit+0x3b/0x100 + __do_sys_exit_group+0x13/0x20 + __x64_sys_exit_group+0x16/0x20 + do_syscall_64+0x34/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + Modules linked in: + ---[ end trace e99579b570fe0649 ]--- + RIP: 0010:release_pages+0x53f/0x840 + +Link: https://lkml.kernel.org/r/20211221074908.3910286-1-liushixin2@huawei.com +Fixes: b94e02822deb ("mm,hwpoison: try to narrow window race for free pages") +Signed-off-by: Liu Shixin +Reported-by: Hulk Robot +Reviewed-by: Oscar Salvador +Acked-by: Naoya Horiguchi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory-failure.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -2201,6 +2201,7 @@ retry: + } else if (ret == 0) { + if (soft_offline_free_page(page) && try_again) { + try_again = false; ++ flags &= ~MF_COUNT_INCREASED; + goto retry; + } + } diff --git a/queue-5.15/mm-hwpoison-fix-condition-in-free-hugetlb-page-path.patch b/queue-5.15/mm-hwpoison-fix-condition-in-free-hugetlb-page-path.patch new file mode 100644 index 00000000000..45cb7616187 --- /dev/null +++ b/queue-5.15/mm-hwpoison-fix-condition-in-free-hugetlb-page-path.patch @@ -0,0 +1,64 @@ +From e37e7b0b3bd52ec4f8ab71b027bcec08f57f1b3b Mon Sep 17 00:00:00 2001 +From: Naoya Horiguchi +Date: Fri, 24 Dec 2021 21:12:45 -0800 +Subject: mm, hwpoison: fix condition in free hugetlb page path + +From: Naoya Horiguchi + +commit e37e7b0b3bd52ec4f8ab71b027bcec08f57f1b3b upstream. + +When a memory error hits a tail page of a free hugepage, +__page_handle_poison() is expected to be called to isolate the error in +4kB unit, but it's not called due to the outdated if-condition in +memory_failure_hugetlb(). This loses the chance to isolate the error in +the finer unit, so it's not optimal. Drop the condition. + +This "(p != head && TestSetPageHWPoison(head)" condition is based on the +old semantics of PageHWPoison on hugepage (where PG_hwpoison flag was +set on the subpage), so it's not necessray any more. By getting to set +PG_hwpoison on head page for hugepages, concurrent error events on +different subpages in a single hugepage can be prevented by +TestSetPageHWPoison(head) at the beginning of memory_failure_hugetlb(). +So dropping the condition should not reopen the race window originally +mentioned in commit b985194c8c0a ("hwpoison, hugetlb: +lock_page/unlock_page does not match for handling a free hugepage") + +[naoya.horiguchi@linux.dev: fix "HardwareCorrupted" counter] + Link: https://lkml.kernel.org/r/20211220084851.GA1460264@u2004 + +Link: https://lkml.kernel.org/r/20211210110208.879740-1-naoya.horiguchi@linux.dev +Signed-off-by: Naoya Horiguchi +Reported-by: Fei Luo +Reviewed-by: Mike Kravetz +Cc: [5.14+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory-failure.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -1437,17 +1437,12 @@ static int memory_failure_hugetlb(unsign + if (!(flags & MF_COUNT_INCREASED)) { + res = get_hwpoison_page(p, flags); + if (!res) { +- /* +- * Check "filter hit" and "race with other subpage." +- */ + lock_page(head); +- if (PageHWPoison(head)) { +- if ((hwpoison_filter(p) && TestClearPageHWPoison(p)) +- || (p != head && TestSetPageHWPoison(head))) { ++ if (hwpoison_filter(p)) { ++ if (TestClearPageHWPoison(head)) + num_poisoned_pages_dec(); +- unlock_page(head); +- return 0; +- } ++ unlock_page(head); ++ return 0; + } + unlock_page(head); + res = MF_FAILED; diff --git a/queue-5.15/mm-mempolicy-fix-thp-allocations-escaping-mempolicy-restrictions.patch b/queue-5.15/mm-mempolicy-fix-thp-allocations-escaping-mempolicy-restrictions.patch new file mode 100644 index 00000000000..7aaa46715e6 --- /dev/null +++ b/queue-5.15/mm-mempolicy-fix-thp-allocations-escaping-mempolicy-restrictions.patch @@ -0,0 +1,120 @@ +From 338635340669d5b317c7e8dcf4fff4a0f3651d87 Mon Sep 17 00:00:00 2001 +From: Andrey Ryabinin +Date: Fri, 24 Dec 2021 21:12:35 -0800 +Subject: mm: mempolicy: fix THP allocations escaping mempolicy restrictions + +From: Andrey Ryabinin + +commit 338635340669d5b317c7e8dcf4fff4a0f3651d87 upstream. + +alloc_pages_vma() may try to allocate THP page on the local NUMA node +first: + + page = __alloc_pages_node(hpage_node, + gfp | __GFP_THISNODE | __GFP_NORETRY, order); + +And if the allocation fails it retries allowing remote memory: + + if (!page && (gfp & __GFP_DIRECT_RECLAIM)) + page = __alloc_pages_node(hpage_node, + gfp, order); + +However, this retry allocation completely ignores memory policy nodemask +allowing allocation to escape restrictions. + +The first appearance of this bug seems to be the commit ac5b2c18911f +("mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings"). + +The bug disappeared later in the commit 89c83fb539f9 ("mm, thp: +consolidate THP gfp handling into alloc_hugepage_direct_gfpmask") and +reappeared again in slightly different form in the commit 76e654cc91bb +("mm, page_alloc: allow hugepage fallback to remote nodes when +madvised") + +Fix this by passing correct nodemask to the __alloc_pages() call. + +The demonstration/reproducer of the problem: + + $ mount -oremount,size=4G,huge=always /dev/shm/ + $ echo always > /sys/kernel/mm/transparent_hugepage/defrag + $ cat mbind_thp.c + #include + #include + #include + #include + #include + #include + #include + #include + + #define SIZE 2ULL << 30 + int main(int argc, char **argv) + { + int fd; + unsigned long long i; + char *addr; + pid_t pid; + char buf[100]; + unsigned long nodemask = 1; + + fd = open("/dev/shm/test", O_RDWR|O_CREAT); + assert(fd > 0); + assert(ftruncate(fd, SIZE) == 0); + + addr = mmap(NULL, SIZE, PROT_READ|PROT_WRITE, + MAP_SHARED, fd, 0); + + assert(mbind(addr, SIZE, MPOL_BIND, &nodemask, 2, MPOL_MF_STRICT|MPOL_MF_MOVE)==0); + for (i = 0; i < SIZE; i+=4096) { + addr[i] = 1; + } + pid = getpid(); + snprintf(buf, sizeof(buf), "grep shm /proc/%d/numa_maps", pid); + system(buf); + sleep(10000); + + return 0; + } + $ gcc mbind_thp.c -o mbind_thp -lnuma + $ numactl -H + available: 2 nodes (0-1) + node 0 cpus: 0 2 + node 0 size: 1918 MB + node 0 free: 1595 MB + node 1 cpus: 1 3 + node 1 size: 2014 MB + node 1 free: 1731 MB + node distances: + node 0 1 + 0: 10 20 + 1: 20 10 + $ rm -f /dev/shm/test; taskset -c 0 ./mbind_thp + 7fd970a00000 bind:0 file=/dev/shm/test dirty=524288 active=0 N0=396800 N1=127488 kernelpagesize_kB=4 + +Link: https://lkml.kernel.org/r/20211208165343.22349-1-arbn@yandex-team.com +Fixes: ac5b2c18911f ("mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings") +Signed-off-by: Andrey Ryabinin +Acked-by: Michal Hocko +Acked-by: Mel Gorman +Acked-by: David Rientjes +Cc: Andrea Arcangeli +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/mempolicy.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -2140,8 +2140,7 @@ struct page *alloc_pages_vma(gfp_t gfp, + * memory with both reclaim and compact as well. + */ + if (!page && (gfp & __GFP_DIRECT_RECLAIM)) +- page = __alloc_pages_node(hpage_node, +- gfp, order); ++ page = __alloc_pages(gfp, order, hpage_node, nmask); + + goto out; + } diff --git a/queue-5.15/mmc-core-disable-card-detect-during-shutdown.patch b/queue-5.15/mmc-core-disable-card-detect-during-shutdown.patch new file mode 100644 index 00000000000..9e85fd89f3c --- /dev/null +++ b/queue-5.15/mmc-core-disable-card-detect-during-shutdown.patch @@ -0,0 +1,83 @@ +From 66c915d09b942fb3b2b0cb2f56562180901fba17 Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Fri, 3 Dec 2021 15:15:54 +0100 +Subject: mmc: core: Disable card detect during shutdown + +From: Ulf Hansson + +commit 66c915d09b942fb3b2b0cb2f56562180901fba17 upstream. + +It's seems prone to problems by allowing card detect and its corresponding +mmc_rescan() work to run, during platform shutdown. For example, we may end +up turning off the power while initializing a card, which potentially could +damage it. + +To avoid this scenario, let's add ->shutdown_pre() callback for the mmc host +class device and then turn of the card detect from there. + +Reported-by: Al Cooper +Suggested-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211203141555.105351-1-ulf.hansson@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/core.c | 7 ++++++- + drivers/mmc/core/core.h | 1 + + drivers/mmc/core/host.c | 9 +++++++++ + 3 files changed, 16 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/core/core.c ++++ b/drivers/mmc/core/core.c +@@ -2264,7 +2264,7 @@ void mmc_start_host(struct mmc_host *hos + _mmc_detect_change(host, 0, false); + } + +-void mmc_stop_host(struct mmc_host *host) ++void __mmc_stop_host(struct mmc_host *host) + { + if (host->slot.cd_irq >= 0) { + mmc_gpio_set_cd_wake(host, false); +@@ -2273,6 +2273,11 @@ void mmc_stop_host(struct mmc_host *host + + host->rescan_disable = 1; + cancel_delayed_work_sync(&host->detect); ++} ++ ++void mmc_stop_host(struct mmc_host *host) ++{ ++ __mmc_stop_host(host); + + /* clear pm flags now and let card drivers set them as needed */ + host->pm_flags = 0; +--- a/drivers/mmc/core/core.h ++++ b/drivers/mmc/core/core.h +@@ -70,6 +70,7 @@ static inline void mmc_delay(unsigned in + + void mmc_rescan(struct work_struct *work); + void mmc_start_host(struct mmc_host *host); ++void __mmc_stop_host(struct mmc_host *host); + void mmc_stop_host(struct mmc_host *host); + + void _mmc_detect_change(struct mmc_host *host, unsigned long delay, +--- a/drivers/mmc/core/host.c ++++ b/drivers/mmc/core/host.c +@@ -80,9 +80,18 @@ static void mmc_host_classdev_release(st + kfree(host); + } + ++static int mmc_host_classdev_shutdown(struct device *dev) ++{ ++ struct mmc_host *host = cls_dev_to_mmc_host(dev); ++ ++ __mmc_stop_host(host); ++ return 0; ++} ++ + static struct class mmc_host_class = { + .name = "mmc_host", + .dev_release = mmc_host_classdev_release, ++ .shutdown_pre = mmc_host_classdev_shutdown, + .pm = MMC_HOST_CLASS_DEV_PM_OPS, + }; + diff --git a/queue-5.15/mmc-meson-mx-sdhc-set-manual_stop-for-multi-block-sdio-commands.patch b/queue-5.15/mmc-meson-mx-sdhc-set-manual_stop-for-multi-block-sdio-commands.patch new file mode 100644 index 00000000000..c0c20e657df --- /dev/null +++ b/queue-5.15/mmc-meson-mx-sdhc-set-manual_stop-for-multi-block-sdio-commands.patch @@ -0,0 +1,82 @@ +From f89b548ca66be7500dcd92ee8e61590f7d08ac91 Mon Sep 17 00:00:00 2001 +From: Martin Blumenstingl +Date: Sun, 19 Dec 2021 16:34:41 +0100 +Subject: mmc: meson-mx-sdhc: Set MANUAL_STOP for multi-block SDIO commands + +From: Martin Blumenstingl + +commit f89b548ca66be7500dcd92ee8e61590f7d08ac91 upstream. + +The vendor driver implements special handling for multi-block +SD_IO_RW_EXTENDED (and SD_IO_RW_DIRECT) commands which have data +attached to them. It sets the MANUAL_STOP bit in the MESON_SDHC_MISC +register for these commands. In all other cases this bit is cleared. +Here we omit SD_IO_RW_DIRECT since that command never has any data +attached to it. + +This fixes SDIO wifi using the brcmfmac driver which reported the +following error without this change on a Netxeon S82 board using a +Meson8 (S802) SoC: + brcmf_fw_alloc_request: using brcm/brcmfmac43362-sdio for chip + BCM43362/1 + brcmf_sdiod_ramrw: membytes transfer failed + brcmf_sdio_download_code_file: error -110 on writing 219557 membytes + at 0x00000000 + brcmf_sdio_download_firmware: dongle image file download failed + +And with this change: + brcmf_fw_alloc_request: using brcm/brcmfmac43362-sdio for chip + BCM43362/1 + brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may + have limited channels available + brcmf_c_preinit_dcmds: Firmware: BCM43362/1 wl0: Apr 22 2013 14:50:00 + version 5.90.195.89.6 FWID 01-b30a427d + +Fixes: e4bf1b0970ef96 ("mmc: host: meson-mx-sdhc: new driver for the Amlogic Meson SDHC host") +Signed-off-by: Martin Blumenstingl +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211219153442.463863-2-martin.blumenstingl@googlemail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/meson-mx-sdhc-mmc.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/mmc/host/meson-mx-sdhc-mmc.c ++++ b/drivers/mmc/host/meson-mx-sdhc-mmc.c +@@ -135,6 +135,7 @@ static void meson_mx_sdhc_start_cmd(stru + struct mmc_command *cmd) + { + struct meson_mx_sdhc_host *host = mmc_priv(mmc); ++ bool manual_stop = false; + u32 ictl, send; + int pack_len; + +@@ -172,12 +173,27 @@ static void meson_mx_sdhc_start_cmd(stru + else + /* software flush: */ + ictl |= MESON_SDHC_ICTL_DATA_XFER_OK; ++ ++ /* ++ * Mimic the logic from the vendor driver where (only) ++ * SD_IO_RW_EXTENDED commands with more than one block set the ++ * MESON_SDHC_MISC_MANUAL_STOP bit. This fixes the firmware ++ * download in the brcmfmac driver for a BCM43362/1 card. ++ * Without this sdio_memcpy_toio() (with a size of 219557 ++ * bytes) times out if MESON_SDHC_MISC_MANUAL_STOP is not set. ++ */ ++ manual_stop = cmd->data->blocks > 1 && ++ cmd->opcode == SD_IO_RW_EXTENDED; + } else { + pack_len = 0; + + ictl |= MESON_SDHC_ICTL_RESP_OK; + } + ++ regmap_update_bits(host->regmap, MESON_SDHC_MISC, ++ MESON_SDHC_MISC_MANUAL_STOP, ++ manual_stop ? MESON_SDHC_MISC_MANUAL_STOP : 0); ++ + if (cmd->opcode == MMC_STOP_TRANSMISSION) + send |= MESON_SDHC_SEND_DATA_STOP; + diff --git a/queue-5.15/mmc-mmci-stm32-clear-dlyb_cr-after-sending-tuning-command.patch b/queue-5.15/mmc-mmci-stm32-clear-dlyb_cr-after-sending-tuning-command.patch new file mode 100644 index 00000000000..aab0cd5481d --- /dev/null +++ b/queue-5.15/mmc-mmci-stm32-clear-dlyb_cr-after-sending-tuning-command.patch @@ -0,0 +1,41 @@ +From ff31ee0a0f471776f67be5e5275c18d17736fc6b Mon Sep 17 00:00:00 2001 +From: Yann Gautier +Date: Wed, 15 Dec 2021 15:17:26 +0100 +Subject: mmc: mmci: stm32: clear DLYB_CR after sending tuning command + +From: Yann Gautier + +commit ff31ee0a0f471776f67be5e5275c18d17736fc6b upstream. + +During test campaign, and especially after several unbind/bind sequences, +it has been seen that the SD-card on SDMMC1 thread could freeze. +The freeze always appear on a CMD23 following a CMD19. +Checking SDMMC internal registers shows that the tuning command (CMD19) +has failed. +The freeze is then due to the delay block involved in the tuning sequence. +To correct this, clear the delay block register DLYB_CR register after +the tuning commands. + +Signed-off-by: Christophe Kerello +Signed-off-by: Yann Gautier +Reviewed-by: Linus Walleij +Fixes: 1103f807a3b9 ("mmc: mmci_sdmmc: Add execute tuning with delay block") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211215141727.4901-4-yann.gautier@foss.st.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/mmci_stm32_sdmmc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mmc/host/mmci_stm32_sdmmc.c ++++ b/drivers/mmc/host/mmci_stm32_sdmmc.c +@@ -441,6 +441,8 @@ static int sdmmc_dlyb_phase_tuning(struc + return -EINVAL; + } + ++ writel_relaxed(0, dlyb->base + DLYB_CR); ++ + phase = end_of_len - max_len / 2; + sdmmc_dlyb_set_cfgr(dlyb, dlyb->unit, phase, false); + diff --git a/queue-5.15/mmc-sdhci-tegra-fix-switch-to-hs400es-mode.patch b/queue-5.15/mmc-sdhci-tegra-fix-switch-to-hs400es-mode.patch new file mode 100644 index 00000000000..6785a4c844e --- /dev/null +++ b/queue-5.15/mmc-sdhci-tegra-fix-switch-to-hs400es-mode.patch @@ -0,0 +1,85 @@ +From 4fc7261dbab139d3c64c3b618262504e16cfe7ee Mon Sep 17 00:00:00 2001 +From: Prathamesh Shete +Date: Tue, 14 Dec 2021 17:06:53 +0530 +Subject: mmc: sdhci-tegra: Fix switch to HS400ES mode + +From: Prathamesh Shete + +commit 4fc7261dbab139d3c64c3b618262504e16cfe7ee upstream. + +When CMD13 is sent after switching to HS400ES mode, the bus +is operating at either MMC_HIGH_26_MAX_DTR or MMC_HIGH_52_MAX_DTR. +To meet Tegra SDHCI requirement at HS400ES mode, force SDHCI +interface clock to MMC_HS200_MAX_DTR (200 MHz) so that host +controller CAR clock and the interface clock are rate matched. + +Signed-off-by: Prathamesh Shete +Acked-by: Adrian Hunter +Fixes: dfc9700cef77 ("mmc: tegra: Implement HS400 enhanced strobe") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211214113653.4631-1-pshete@nvidia.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-tegra.c | 43 ++++++++++++++++++++++++----------------- + 1 file changed, 26 insertions(+), 17 deletions(-) + +--- a/drivers/mmc/host/sdhci-tegra.c ++++ b/drivers/mmc/host/sdhci-tegra.c +@@ -356,23 +356,6 @@ static void tegra_sdhci_set_tap(struct s + } + } + +-static void tegra_sdhci_hs400_enhanced_strobe(struct mmc_host *mmc, +- struct mmc_ios *ios) +-{ +- struct sdhci_host *host = mmc_priv(mmc); +- u32 val; +- +- val = sdhci_readl(host, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL); +- +- if (ios->enhanced_strobe) +- val |= SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE; +- else +- val &= ~SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE; +- +- sdhci_writel(host, val, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL); +- +-} +- + static void tegra_sdhci_reset(struct sdhci_host *host, u8 mask) + { + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); +@@ -793,6 +776,32 @@ static void tegra_sdhci_set_clock(struct + } + } + ++static void tegra_sdhci_hs400_enhanced_strobe(struct mmc_host *mmc, ++ struct mmc_ios *ios) ++{ ++ struct sdhci_host *host = mmc_priv(mmc); ++ u32 val; ++ ++ val = sdhci_readl(host, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL); ++ ++ if (ios->enhanced_strobe) { ++ val |= SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE; ++ /* ++ * When CMD13 is sent from mmc_select_hs400es() after ++ * switching to HS400ES mode, the bus is operating at ++ * either MMC_HIGH_26_MAX_DTR or MMC_HIGH_52_MAX_DTR. ++ * To meet Tegra SDHCI requirement at HS400ES mode, force SDHCI ++ * interface clock to MMC_HS200_MAX_DTR (200 MHz) so that host ++ * controller CAR clock and the interface clock are rate matched. ++ */ ++ tegra_sdhci_set_clock(host, MMC_HS200_MAX_DTR); ++ } else { ++ val &= ~SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE; ++ } ++ ++ sdhci_writel(host, val, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL); ++} ++ + static unsigned int tegra_sdhci_get_max_clock(struct sdhci_host *host) + { + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); diff --git a/queue-5.15/netfs-fix-parameter-of-cleanup.patch b/queue-5.15/netfs-fix-parameter-of-cleanup.patch new file mode 100644 index 00000000000..a88a33e194b --- /dev/null +++ b/queue-5.15/netfs-fix-parameter-of-cleanup.patch @@ -0,0 +1,54 @@ +From 3cfef1b612e15a0c2f5b1c9d3f3f31ad72d56fcd Mon Sep 17 00:00:00 2001 +From: Jeffle Xu +Date: Tue, 7 Dec 2021 11:14:49 +0800 +Subject: netfs: fix parameter of cleanup() + +From: Jeffle Xu + +commit 3cfef1b612e15a0c2f5b1c9d3f3f31ad72d56fcd upstream. + +The order of these two parameters is just reversed. gcc didn't warn on +that, probably because 'void *' can be converted from or to other +pointer types without warning. + +Cc: stable@vger.kernel.org +Fixes: 3d3c95046742 ("netfs: Provide readahead and readpage netfs helpers") +Fixes: e1b1240c1ff5 ("netfs: Add write_begin helper") +Signed-off-by: Jeffle Xu +Signed-off-by: David Howells +Reviewed-by: Jeff Layton +Link: https://lore.kernel.org/r/20211207031449.100510-1-jefflexu@linux.alibaba.com/ # v1 +Signed-off-by: Greg Kroah-Hartman +--- + fs/netfs/read_helper.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/netfs/read_helper.c ++++ b/fs/netfs/read_helper.c +@@ -958,7 +958,7 @@ int netfs_readpage(struct file *file, + rreq = netfs_alloc_read_request(ops, netfs_priv, file); + if (!rreq) { + if (netfs_priv) +- ops->cleanup(netfs_priv, page_file_mapping(page)); ++ ops->cleanup(page_file_mapping(page), netfs_priv); + unlock_page(page); + return -ENOMEM; + } +@@ -1185,7 +1185,7 @@ have_page: + goto error; + have_page_no_wait: + if (netfs_priv) +- ops->cleanup(netfs_priv, mapping); ++ ops->cleanup(mapping, netfs_priv); + *_page = page; + _leave(" = 0"); + return 0; +@@ -1196,7 +1196,7 @@ error: + unlock_page(page); + put_page(page); + if (netfs_priv) +- ops->cleanup(netfs_priv, mapping); ++ ops->cleanup(mapping, netfs_priv); + _leave(" = %d", ret); + return ret; + } diff --git a/queue-5.15/pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch b/queue-5.15/pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch new file mode 100644 index 00000000000..6a053f0919a --- /dev/null +++ b/queue-5.15/pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch @@ -0,0 +1,43 @@ +From b67210cc217f9ca1c576909454d846970c13dfd4 Mon Sep 17 00:00:00 2001 +From: Fabien Dessenne +Date: Wed, 15 Dec 2021 10:58:08 +0100 +Subject: pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines + +From: Fabien Dessenne + +commit b67210cc217f9ca1c576909454d846970c13dfd4 upstream. + +Consider the GPIO controller offset (from "gpio-ranges") to compute the +maximum GPIO line number. +This fixes an issue where gpio-ranges uses a non-null offset. + e.g.: gpio-ranges = <&pinctrl 6 86 10> + In that case the last valid GPIO line is not 9 but 15 (6 + 10 - 1) + +Cc: stable@vger.kernel.org +Fixes: 67e2996f72c7 ("pinctrl: stm32: fix the reported number of GPIO lines per bank") +Reported-by: Christoph Fritz +Signed-off-by: Fabien Dessenne +Link: https://lore.kernel.org/r/20211215095808.621716-1-fabien.dessenne@foss.st.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/stm32/pinctrl-stm32.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/pinctrl/stm32/pinctrl-stm32.c ++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c +@@ -1251,10 +1251,10 @@ static int stm32_gpiolib_register_bank(s + bank_nr = args.args[1] / STM32_GPIO_PINS_PER_BANK; + bank->gpio_chip.base = args.args[1]; + +- npins = args.args[2]; +- while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, +- ++i, &args)) +- npins += args.args[2]; ++ /* get the last defined gpio line (offset + nb of pins) */ ++ npins = args.args[0] + args.args[2]; ++ while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, ++i, &args)) ++ npins = max(npins, (int)(args.args[0] + args.args[2])); + } else { + bank_nr = pctl->nbanks; + bank->gpio_chip.base = bank_nr * STM32_GPIO_PINS_PER_BANK; diff --git a/queue-5.15/series b/queue-5.15/series index f126ecf3b0b..89180ce0f0f 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -88,3 +88,21 @@ kvm-x86-mmu-don-t-advance-iterator-after-restart-due-to-yielding.patch kvm-nvmx-synthesize-triple_fault-for-l2-if-emulation-is-required.patch kvm-vmx-always-clear-vmx-fail-on-emulation_required.patch kvm-vmx-wake-vcpu-when-delivering-posted-irq-even-if-vcpu-this-vcpu.patch +pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch +gpio-dln2-fix-interrupts-when-replugging-the-device.patch +mmc-sdhci-tegra-fix-switch-to-hs400es-mode.patch +mmc-meson-mx-sdhc-set-manual_stop-for-multi-block-sdio-commands.patch +mmc-core-disable-card-detect-during-shutdown.patch +mmc-mmci-stm32-clear-dlyb_cr-after-sending-tuning-command.patch +arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch +ksmbd-fix-error-code-in-ndr_read_int32.patch +ksmbd-fix-uninitialized-symbol-pntsd_size.patch +ksmbd-disable-smb2_global_cap_encryption-for-smb-3.1.1.patch +mac80211-fix-locking-in-ieee80211_start_ap-error-path.patch +mm-mempolicy-fix-thp-allocations-escaping-mempolicy-restrictions.patch +mm-hwpoison-fix-condition-in-free-hugetlb-page-path.patch +mm-hwpoison-clear-mf_count_increased-before-retrying-get_any_page.patch +mm-damon-dbgfs-protect-targets-destructions-with-kdamond_lock.patch +tee-optee-fix-incorrect-page-free-bug.patch +f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch +netfs-fix-parameter-of-cleanup.patch diff --git a/queue-5.15/tee-optee-fix-incorrect-page-free-bug.patch b/queue-5.15/tee-optee-fix-incorrect-page-free-bug.patch new file mode 100644 index 00000000000..d3d77cbc1ce --- /dev/null +++ b/queue-5.15/tee-optee-fix-incorrect-page-free-bug.patch @@ -0,0 +1,40 @@ +From 18549bf4b21c739a9def39f27dcac53e27286ab5 Mon Sep 17 00:00:00 2001 +From: Sumit Garg +Date: Thu, 16 Dec 2021 11:17:25 +0530 +Subject: tee: optee: Fix incorrect page free bug + +From: Sumit Garg + +commit 18549bf4b21c739a9def39f27dcac53e27286ab5 upstream. + +Pointer to the allocated pages (struct page *page) has already +progressed towards the end of allocation. It is incorrect to perform +__free_pages(page, order) using this pointer as we would free any +arbitrary pages. Fix this by stop modifying the page pointer. + +Fixes: ec185dd3ab25 ("optee: Fix memory leak when failing to register shm pages") +Cc: stable@vger.kernel.org +Reported-by: Patrik Lantz +Signed-off-by: Sumit Garg +Reviewed-by: Tyler Hicks +Signed-off-by: Jens Wiklander +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tee/optee/shm_pool.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/tee/optee/shm_pool.c ++++ b/drivers/tee/optee/shm_pool.c +@@ -41,10 +41,8 @@ static int pool_op_alloc(struct tee_shm_ + goto err; + } + +- for (i = 0; i < nr_pages; i++) { +- pages[i] = page; +- page++; +- } ++ for (i = 0; i < nr_pages; i++) ++ pages[i] = page + i; + + shm->flags |= TEE_SHM_REGISTER; + rc = optee_shm_register(shm->ctx, shm, pages, nr_pages,