From: Greg Kroah-Hartman Date: Mon, 13 Feb 2023 11:50:27 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v6.1.12~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=607d4717e5c2ea8f048d913f1dc6b9efdc778ccd;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: arm64-dts-meson-axg-make-mmc-host-controller-interrupts-level-sensitive.patch arm64-dts-meson-g12-common-make-mmc-host-controller-interrupts-level-sensitive.patch arm64-dts-meson-gx-make-mmc-host-controller-interrupts-level-sensitive.patch btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch ceph-flush-cap-releases-when-the-session-is-flushed.patch clk-ingenic-jz4760-update-m-n-od-calculation-algorithm.patch fix-page-corruption-caused-by-racy-check-in-__free_pages.patch mptcp-be-careful-on-subflow-status-propagation-on-errors.patch powerpc-64s-interrupt-fix-interrupt-exit-race-with-security-mitigation-switch.patch riscv-fixup-race-condition-on-pg_dcache_clean-in-flush_icache_pte.patch rtmutex-ensure-that-the-top-waiter-is-always-woken-up.patch usb-core-add-quirk-for-alcor-link-ak9563-smartcard-reader.patch usb-typec-altmodes-displayport-fix-probe-pin-assign-check.patch --- diff --git a/queue-5.15/arm64-dts-meson-axg-make-mmc-host-controller-interrupts-level-sensitive.patch b/queue-5.15/arm64-dts-meson-axg-make-mmc-host-controller-interrupts-level-sensitive.patch new file mode 100644 index 00000000000..addff4cf575 --- /dev/null +++ b/queue-5.15/arm64-dts-meson-axg-make-mmc-host-controller-interrupts-level-sensitive.patch @@ -0,0 +1,51 @@ +From d182bcf300772d8b2e5f43e47fa0ebda2b767cc4 Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Thu, 9 Feb 2023 21:10:31 +0100 +Subject: arm64: dts: meson-axg: Make mmc host controller interrupts level-sensitive + +From: Heiner Kallweit + +commit d182bcf300772d8b2e5f43e47fa0ebda2b767cc4 upstream. + +The usage of edge-triggered interrupts lead to lost interrupts under load, +see [0]. This was confirmed to be fixed by using level-triggered +interrupts. +The report was about SDIO. However, as the host controller is the same +for SD and MMC, apply the change to all mmc controller instances. + +[0] https://www.spinics.net/lists/linux-mmc/msg73991.html + +Fixes: 221cf34bac54 ("ARM64: dts: meson-axg: enable the eMMC controller") +Reported-by: Peter Suti +Tested-by: Vyacheslav Bocharov +Tested-by: Peter Suti +Cc: stable@vger.kernel.org +Signed-off-by: Heiner Kallweit +Acked-by: Neil Armstrong +Link: https://lore.kernel.org/r/c00655d3-02f8-6f5f-4239-ca2412420cad@gmail.com +Signed-off-by: Neil Armstrong +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/amlogic/meson-axg.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/amlogic/meson-axg.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-axg.dtsi +@@ -1885,7 +1885,7 @@ + sd_emmc_b: sd@5000 { + compatible = "amlogic,meson-axg-mmc"; + reg = <0x0 0x5000 0x0 0x800>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + clocks = <&clkc CLKID_SD_EMMC_B>, + <&clkc CLKID_SD_EMMC_B_CLK0>, +@@ -1897,7 +1897,7 @@ + sd_emmc_c: mmc@7000 { + compatible = "amlogic,meson-axg-mmc"; + reg = <0x0 0x7000 0x0 0x800>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + clocks = <&clkc CLKID_SD_EMMC_C>, + <&clkc CLKID_SD_EMMC_C_CLK0>, diff --git a/queue-5.15/arm64-dts-meson-g12-common-make-mmc-host-controller-interrupts-level-sensitive.patch b/queue-5.15/arm64-dts-meson-g12-common-make-mmc-host-controller-interrupts-level-sensitive.patch new file mode 100644 index 00000000000..c62b254aca4 --- /dev/null +++ b/queue-5.15/arm64-dts-meson-g12-common-make-mmc-host-controller-interrupts-level-sensitive.patch @@ -0,0 +1,60 @@ +From ac8db4cceed218cca21c84f9d75ce88182d8b04f Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Thu, 9 Feb 2023 21:11:10 +0100 +Subject: arm64: dts: meson-g12-common: Make mmc host controller interrupts level-sensitive + +From: Heiner Kallweit + +commit ac8db4cceed218cca21c84f9d75ce88182d8b04f upstream. + +The usage of edge-triggered interrupts lead to lost interrupts under load, +see [0]. This was confirmed to be fixed by using level-triggered +interrupts. +The report was about SDIO. However, as the host controller is the same +for SD and MMC, apply the change to all mmc controller instances. + +[0] https://www.spinics.net/lists/linux-mmc/msg73991.html + +Fixes: 4759fd87b928 ("arm64: dts: meson: g12a: add mmc nodes") +Tested-by: FUKAUMI Naoki +Tested-by: Martin Blumenstingl +Tested-by: Jerome Brunet +Cc: stable@vger.kernel.org +Signed-off-by: Heiner Kallweit +Acked-by: Neil Armstrong +Link: https://lore.kernel.org/r/27d89baa-b8fa-baca-541b-ef17a97cde3c@gmail.com +Signed-off-by: Neil Armstrong +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi +@@ -2330,7 +2330,7 @@ + sd_emmc_a: sd@ffe03000 { + compatible = "amlogic,meson-axg-mmc"; + reg = <0x0 0xffe03000 0x0 0x800>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + clocks = <&clkc CLKID_SD_EMMC_A>, + <&clkc CLKID_SD_EMMC_A_CLK0>, +@@ -2342,7 +2342,7 @@ + sd_emmc_b: sd@ffe05000 { + compatible = "amlogic,meson-axg-mmc"; + reg = <0x0 0xffe05000 0x0 0x800>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + clocks = <&clkc CLKID_SD_EMMC_B>, + <&clkc CLKID_SD_EMMC_B_CLK0>, +@@ -2354,7 +2354,7 @@ + sd_emmc_c: mmc@ffe07000 { + compatible = "amlogic,meson-axg-mmc"; + reg = <0x0 0xffe07000 0x0 0x800>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + clocks = <&clkc CLKID_SD_EMMC_C>, + <&clkc CLKID_SD_EMMC_C_CLK0>, diff --git a/queue-5.15/arm64-dts-meson-gx-make-mmc-host-controller-interrupts-level-sensitive.patch b/queue-5.15/arm64-dts-meson-gx-make-mmc-host-controller-interrupts-level-sensitive.patch new file mode 100644 index 00000000000..5cdd49da942 --- /dev/null +++ b/queue-5.15/arm64-dts-meson-gx-make-mmc-host-controller-interrupts-level-sensitive.patch @@ -0,0 +1,55 @@ +From 66e45351f7d6798751f98001d1fcd572024d87f0 Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Thu, 9 Feb 2023 21:11:47 +0100 +Subject: arm64: dts: meson-gx: Make mmc host controller interrupts level-sensitive + +From: Heiner Kallweit + +commit 66e45351f7d6798751f98001d1fcd572024d87f0 upstream. + +The usage of edge-triggered interrupts lead to lost interrupts under load, +see [0]. This was confirmed to be fixed by using level-triggered +interrupts. +The report was about SDIO. However, as the host controller is the same +for SD and MMC, apply the change to all mmc controller instances. + +[0] https://www.spinics.net/lists/linux-mmc/msg73991.html + +Fixes: ef8d2ffedf18 ("ARM64: dts: meson-gxbb: add MMC support") +Cc: stable@vger.kernel.org +Signed-off-by: Heiner Kallweit +Acked-by: Neil Armstrong +Link: https://lore.kernel.org/r/76e042e0-a610-5ed5-209f-c4d7f879df44@gmail.com +Signed-off-by: Neil Armstrong +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +@@ -602,21 +602,21 @@ + sd_emmc_a: mmc@70000 { + compatible = "amlogic,meson-gx-mmc", "amlogic,meson-gxbb-mmc"; + reg = <0x0 0x70000 0x0 0x800>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + }; + + sd_emmc_b: mmc@72000 { + compatible = "amlogic,meson-gx-mmc", "amlogic,meson-gxbb-mmc"; + reg = <0x0 0x72000 0x0 0x800>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + }; + + sd_emmc_c: mmc@74000 { + compatible = "amlogic,meson-gx-mmc", "amlogic,meson-gxbb-mmc"; + reg = <0x0 0x74000 0x0 0x800>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + }; + }; diff --git a/queue-5.15/btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch b/queue-5.15/btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch new file mode 100644 index 00000000000..5a2aa15fc13 --- /dev/null +++ b/queue-5.15/btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch @@ -0,0 +1,70 @@ +From 5f58d783fd7823b2c2d5954d1126e702f94bfc4c Mon Sep 17 00:00:00 2001 +From: Anand Jain +Date: Fri, 20 Jan 2023 21:47:16 +0800 +Subject: btrfs: free device in btrfs_close_devices for a single device filesystem + +From: Anand Jain + +commit 5f58d783fd7823b2c2d5954d1126e702f94bfc4c upstream. + +We have this check to make sure we don't accidentally add older devices +that may have disappeared and re-appeared with an older generation from +being added to an fs_devices (such as a replace source device). This +makes sense, we don't want stale disks in our file system. However for +single disks this doesn't really make sense. + +I've seen this in testing, but I was provided a reproducer from a +project that builds btrfs images on loopback devices. The loopback +device gets cached with the new generation, and then if it is re-used to +generate a new file system we'll fail to mount it because the new fs is +"older" than what we have in cache. + +Fix this by freeing the cache when closing the device for a single device +filesystem. This will ensure that the mount command passed device path is +scanned successfully during the next mount. + +CC: stable@vger.kernel.org # 5.10+ +Reported-by: Daan De Meyer +Signed-off-by: Josef Bacik +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -409,6 +409,7 @@ void btrfs_free_device(struct btrfs_devi + static void free_fs_devices(struct btrfs_fs_devices *fs_devices) + { + struct btrfs_device *device; ++ + WARN_ON(fs_devices->opened); + while (!list_empty(&fs_devices->devices)) { + device = list_entry(fs_devices->devices.next, +@@ -1221,9 +1222,22 @@ void btrfs_close_devices(struct btrfs_fs + + mutex_lock(&uuid_mutex); + close_fs_devices(fs_devices); +- if (!fs_devices->opened) ++ if (!fs_devices->opened) { + list_splice_init(&fs_devices->seed_list, &list); + ++ /* ++ * If the struct btrfs_fs_devices is not assembled with any ++ * other device, it can be re-initialized during the next mount ++ * without the needing device-scan step. Therefore, it can be ++ * fully freed. ++ */ ++ if (fs_devices->num_devices == 1) { ++ list_del(&fs_devices->fs_list); ++ free_fs_devices(fs_devices); ++ } ++ } ++ ++ + list_for_each_entry_safe(fs_devices, tmp, &list, seed_list) { + close_fs_devices(fs_devices); + list_del(&fs_devices->seed_list); diff --git a/queue-5.15/ceph-flush-cap-releases-when-the-session-is-flushed.patch b/queue-5.15/ceph-flush-cap-releases-when-the-session-is-flushed.patch new file mode 100644 index 00000000000..7dda35c5b6e --- /dev/null +++ b/queue-5.15/ceph-flush-cap-releases-when-the-session-is-flushed.patch @@ -0,0 +1,38 @@ +From e7d84c6a1296d059389f7342d9b4b7defb518d3a Mon Sep 17 00:00:00 2001 +From: Xiubo Li +Date: Tue, 7 Feb 2023 13:04:52 +0800 +Subject: ceph: flush cap releases when the session is flushed + +From: Xiubo Li + +commit e7d84c6a1296d059389f7342d9b4b7defb518d3a upstream. + +MDS expects the completed cap release prior to responding to the +session flush for cache drop. + +Cc: stable@vger.kernel.org +Link: http://tracker.ceph.com/issues/38009 +Signed-off-by: Xiubo Li +Reviewed-by: Venky Shankar +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/mds_client.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -3543,6 +3543,12 @@ static void handle_session(struct ceph_m + break; + + case CEPH_SESSION_FLUSHMSG: ++ /* flush cap releases */ ++ spin_lock(&session->s_cap_lock); ++ if (session->s_num_cap_releases) ++ ceph_flush_cap_releases(mdsc, session); ++ spin_unlock(&session->s_cap_lock); ++ + send_flushmsg_ack(mdsc, session, seq); + break; + diff --git a/queue-5.15/clk-ingenic-jz4760-update-m-n-od-calculation-algorithm.patch b/queue-5.15/clk-ingenic-jz4760-update-m-n-od-calculation-algorithm.patch new file mode 100644 index 00000000000..5c742b05ef1 --- /dev/null +++ b/queue-5.15/clk-ingenic-jz4760-update-m-n-od-calculation-algorithm.patch @@ -0,0 +1,82 @@ +From ecfb9f404771dde909ce7743df954370933c3be2 Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Wed, 14 Dec 2022 13:37:04 +0100 +Subject: clk: ingenic: jz4760: Update M/N/OD calculation algorithm + +From: Paul Cercueil + +commit ecfb9f404771dde909ce7743df954370933c3be2 upstream. + +The previous algorithm was pretty broken. + +- The inner loop had a '(m > m_max)' condition, and the value of 'm' + would increase in each iteration; + +- Each iteration would actually multiply 'm' by two, so it is not needed + to re-compute the whole equation at each iteration; + +- It would loop until (m & 1) == 0, which means it would loop at most + once. + +- The outer loop would divide the 'n' value by two at the end of each + iteration. This meant that for a 12 MHz parent clock and a 1.2 GHz + requested clock, it would first try n=12, then n=6, then n=3, then + n=1, none of which would work; the only valid value is n=2 in this + case. + +Simplify this algorithm with a single for loop, which decrements 'n' +after each iteration, addressing all of the above problems. + +Fixes: bdbfc029374f ("clk: ingenic: Add support for the JZ4760") +Cc: +Signed-off-by: Paul Cercueil +Link: https://lore.kernel.org/r/20221214123704.7305-1-paul@crapouillou.net +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/ingenic/jz4760-cgu.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/drivers/clk/ingenic/jz4760-cgu.c b/drivers/clk/ingenic/jz4760-cgu.c +index ecd395ac8a28..e407f00bd594 100644 +--- a/drivers/clk/ingenic/jz4760-cgu.c ++++ b/drivers/clk/ingenic/jz4760-cgu.c +@@ -58,7 +58,7 @@ jz4760_cgu_calc_m_n_od(const struct ingenic_cgu_pll_info *pll_info, + unsigned long rate, unsigned long parent_rate, + unsigned int *pm, unsigned int *pn, unsigned int *pod) + { +- unsigned int m, n, od, m_max = (1 << pll_info->m_bits) - 2; ++ unsigned int m, n, od, m_max = (1 << pll_info->m_bits) - 1; + + /* The frequency after the N divider must be between 1 and 50 MHz. */ + n = parent_rate / (1 * MHZ); +@@ -66,19 +66,17 @@ jz4760_cgu_calc_m_n_od(const struct ingenic_cgu_pll_info *pll_info, + /* The N divider must be >= 2. */ + n = clamp_val(n, 2, 1 << pll_info->n_bits); + +- for (;; n >>= 1) { +- od = (unsigned int)-1; ++ rate /= MHZ; ++ parent_rate /= MHZ; + +- do { +- m = (rate / MHZ) * (1 << ++od) * n / (parent_rate / MHZ); +- } while ((m > m_max || m & 1) && (od < 4)); +- +- if (od < 4 && m >= 4 && m <= m_max) +- break; ++ for (m = m_max; m >= m_max && n >= 2; n--) { ++ m = rate * n / parent_rate; ++ od = m & 1; ++ m <<= od; + } + + *pm = m; +- *pn = n; ++ *pn = n + 1; + *pod = 1 << od; + } + +-- +2.39.1 + diff --git a/queue-5.15/fix-page-corruption-caused-by-racy-check-in-__free_pages.patch b/queue-5.15/fix-page-corruption-caused-by-racy-check-in-__free_pages.patch new file mode 100644 index 00000000000..418fbbcced0 --- /dev/null +++ b/queue-5.15/fix-page-corruption-caused-by-racy-check-in-__free_pages.patch @@ -0,0 +1,78 @@ +From 462a8e08e0e6287e5ce13187257edbf24213ed03 Mon Sep 17 00:00:00 2001 +From: David Chen +Date: Thu, 9 Feb 2023 17:48:28 +0000 +Subject: Fix page corruption caused by racy check in __free_pages + +From: David Chen + +commit 462a8e08e0e6287e5ce13187257edbf24213ed03 upstream. + +When we upgraded our kernel, we started seeing some page corruption like +the following consistently: + + BUG: Bad page state in process ganesha.nfsd pfn:1304ca + page:0000000022261c55 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1304ca + flags: 0x17ffffc0000000() + raw: 0017ffffc0000000 ffff8a513ffd4c98 ffffeee24b35ec08 0000000000000000 + raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000 + page dumped because: nonzero mapcount + CPU: 0 PID: 15567 Comm: ganesha.nfsd Kdump: loaded Tainted: P B O 5.10.158-1.nutanix.20221209.el7.x86_64 #1 + Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 + Call Trace: + dump_stack+0x74/0x96 + bad_page.cold+0x63/0x94 + check_new_page_bad+0x6d/0x80 + rmqueue+0x46e/0x970 + get_page_from_freelist+0xcb/0x3f0 + ? _cond_resched+0x19/0x40 + __alloc_pages_nodemask+0x164/0x300 + alloc_pages_current+0x87/0xf0 + skb_page_frag_refill+0x84/0x110 + ... + +Sometimes, it would also show up as corruption in the free list pointer +and cause crashes. + +After bisecting the issue, we found the issue started from commit +e320d3012d25 ("mm/page_alloc.c: fix freeing non-compound pages"): + + if (put_page_testzero(page)) + free_the_page(page, order); + else if (!PageHead(page)) + while (order-- > 0) + free_the_page(page + (1 << order), order); + +So the problem is the check PageHead is racy because at this point we +already dropped our reference to the page. So even if we came in with +compound page, the page can already be freed and PageHead can return +false and we will end up freeing all the tail pages causing double free. + +Fixes: e320d3012d25 ("mm/page_alloc.c: fix freeing non-compound pages") +Link: https://lore.kernel.org/lkml/BYAPR02MB448855960A9656EEA81141FC94D99@BYAPR02MB4488.namprd02.prod.outlook.com/ +Cc: Andrew Morton +Cc: stable@vger.kernel.org +Signed-off-by: Chunwei Chen +Reviewed-by: Vlastimil Babka +Reviewed-by: Matthew Wilcox (Oracle) +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_alloc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -5490,9 +5490,12 @@ EXPORT_SYMBOL(get_zeroed_page); + */ + void __free_pages(struct page *page, unsigned int order) + { ++ /* get PageHead before we drop reference */ ++ int head = PageHead(page); ++ + if (put_page_testzero(page)) + free_the_page(page, order); +- else if (!PageHead(page)) ++ else if (!head) + while (order-- > 0) + free_the_page(page + (1 << order), order); + } diff --git a/queue-5.15/mptcp-be-careful-on-subflow-status-propagation-on-errors.patch b/queue-5.15/mptcp-be-careful-on-subflow-status-propagation-on-errors.patch new file mode 100644 index 00000000000..28d5df54215 --- /dev/null +++ b/queue-5.15/mptcp-be-careful-on-subflow-status-propagation-on-errors.patch @@ -0,0 +1,63 @@ +From 1249db44a102d9d3541ed7798d4b01ffdcf03524 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 7 Feb 2023 14:04:16 +0100 +Subject: mptcp: be careful on subflow status propagation on errors + +From: Paolo Abeni + +commit 1249db44a102d9d3541ed7798d4b01ffdcf03524 upstream. + +Currently the subflow error report callback unconditionally +propagates the fallback subflow status to the owning msk. + +If the msk is already orphaned, the above prevents the code +from correctly tracking the msk moving to the TCP_CLOSE state +and doing the appropriate cleanup. + +All the above causes increasing memory usage over time and +sporadic self-tests failures. + +There is a great deal of infrastructure trying to propagate +correctly the fallback subflow status to the owning mptcp socket, +e.g. via mptcp_subflow_eof() and subflow_sched_work_if_closed(): +in the error propagation path we need only to cope with unorphaned +sockets. + +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/339 +Fixes: 15cc10453398 ("mptcp: deliver ssk errors to msk") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts +Signed-off-by: Matthieu Baerts +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/subflow.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -1284,6 +1284,7 @@ void __mptcp_error_report(struct sock *s + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + int err = sock_error(ssk); ++ int ssk_state; + + if (!err) + continue; +@@ -1294,7 +1295,14 @@ void __mptcp_error_report(struct sock *s + if (sk->sk_state != TCP_SYN_SENT && !__mptcp_check_fallback(msk)) + continue; + +- inet_sk_state_store(sk, inet_sk_state_load(ssk)); ++ /* We need to propagate only transition to CLOSE state. ++ * Orphaned socket will see such state change via ++ * subflow_sched_work_if_closed() and that path will properly ++ * destroy the msk as needed. ++ */ ++ ssk_state = inet_sk_state_load(ssk); ++ if (ssk_state == TCP_CLOSE && !sock_flag(sk, SOCK_DEAD)) ++ inet_sk_state_store(sk, ssk_state); + sk->sk_err = -err; + + /* This barrier is coupled with smp_rmb() in mptcp_poll() */ diff --git a/queue-5.15/powerpc-64s-interrupt-fix-interrupt-exit-race-with-security-mitigation-switch.patch b/queue-5.15/powerpc-64s-interrupt-fix-interrupt-exit-race-with-security-mitigation-switch.patch new file mode 100644 index 00000000000..5539890f32c --- /dev/null +++ b/queue-5.15/powerpc-64s-interrupt-fix-interrupt-exit-race-with-security-mitigation-switch.patch @@ -0,0 +1,57 @@ +From 2ea31e2e62bbc4d11c411eeb36f1b02841dbcab1 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Mon, 6 Feb 2023 14:22:40 +1000 +Subject: powerpc/64s/interrupt: Fix interrupt exit race with security mitigation switch + +From: Nicholas Piggin + +commit 2ea31e2e62bbc4d11c411eeb36f1b02841dbcab1 upstream. + +The RFI and STF security mitigation options can flip the +interrupt_exit_not_reentrant static branch condition concurrently with +the interrupt exit code which tests that branch. + +Interrupt exit tests this condition to set MSR[EE|RI] for exit, then +again in the case a soft-masked interrupt is found pending, to recover +the MSR so the interrupt can be replayed before attempting to exit +again. If the condition changes between these two tests, the MSR and irq +soft-mask state will become corrupted, leading to warnings and possible +crashes. For example, if the branch is initially true then false, +MSR[EE] will be 0 but PACA_IRQ_HARD_DIS clear and EE may not get +enabled, leading to warnings in irq_64.c. + +Fixes: 13799748b957 ("powerpc/64: use interrupt restart table to speed up return from interrupt") +Cc: stable@vger.kernel.org # v5.14+ +Reported-by: Sachin Sant +Tested-by: Sachin Sant +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20230206042240.92103-1-npiggin@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/interrupt.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/interrupt.c ++++ b/arch/powerpc/kernel/interrupt.c +@@ -53,16 +53,18 @@ static inline bool exit_must_hard_disabl + */ + static notrace __always_inline bool prep_irq_for_enabled_exit(bool restartable) + { ++ bool must_hard_disable = (exit_must_hard_disable() || !restartable); ++ + /* This must be done with RI=1 because tracing may touch vmaps */ + trace_hardirqs_on(); + +- if (exit_must_hard_disable() || !restartable) ++ if (must_hard_disable) + __hard_EE_RI_disable(); + + #ifdef CONFIG_PPC64 + /* This pattern matches prep_irq_for_idle */ + if (unlikely(lazy_irq_pending_nocheck())) { +- if (exit_must_hard_disable() || !restartable) { ++ if (must_hard_disable) { + local_paca->irq_happened |= PACA_IRQ_HARD_DIS; + __hard_RI_enable(); + } diff --git a/queue-5.15/riscv-fixup-race-condition-on-pg_dcache_clean-in-flush_icache_pte.patch b/queue-5.15/riscv-fixup-race-condition-on-pg_dcache_clean-in-flush_icache_pte.patch new file mode 100644 index 00000000000..059a06f76b3 --- /dev/null +++ b/queue-5.15/riscv-fixup-race-condition-on-pg_dcache_clean-in-flush_icache_pte.patch @@ -0,0 +1,42 @@ +From 950b879b7f0251317d26bae0687e72592d607532 Mon Sep 17 00:00:00 2001 +From: Guo Ren +Date: Thu, 26 Jan 2023 22:53:06 -0500 +Subject: riscv: Fixup race condition on PG_dcache_clean in flush_icache_pte + +From: Guo Ren + +commit 950b879b7f0251317d26bae0687e72592d607532 upstream. + +In commit 588a513d3425 ("arm64: Fix race condition on PG_dcache_clean +in __sync_icache_dcache()"), we found RISC-V has the same issue as the +previous arm64. The previous implementation didn't guarantee the correct +sequence of operations, which means flush_icache_all() hasn't been +called when the PG_dcache_clean was set. That would cause a risk of page +synchronization. + +Fixes: 08f051eda33b ("RISC-V: Flush I$ when making a dirty page executable") +Signed-off-by: Guo Ren +Signed-off-by: Guo Ren +Reviewed-by: Andrew Jones +Reviewed-by: Conor Dooley +Link: https://lore.kernel.org/r/20230127035306.1819561-1-guoren@kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/mm/cacheflush.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/riscv/mm/cacheflush.c ++++ b/arch/riscv/mm/cacheflush.c +@@ -85,7 +85,9 @@ void flush_icache_pte(pte_t pte) + { + struct page *page = pte_page(pte); + +- if (!test_and_set_bit(PG_dcache_clean, &page->flags)) ++ if (!test_bit(PG_dcache_clean, &page->flags)) { + flush_icache_all(); ++ set_bit(PG_dcache_clean, &page->flags); ++ } + } + #endif /* CONFIG_MMU */ diff --git a/queue-5.15/rtmutex-ensure-that-the-top-waiter-is-always-woken-up.patch b/queue-5.15/rtmutex-ensure-that-the-top-waiter-is-always-woken-up.patch new file mode 100644 index 00000000000..48f04b56e6e --- /dev/null +++ b/queue-5.15/rtmutex-ensure-that-the-top-waiter-is-always-woken-up.patch @@ -0,0 +1,120 @@ +From db370a8b9f67ae5f17e3d5482493294467784504 Mon Sep 17 00:00:00 2001 +From: Wander Lairson Costa +Date: Thu, 2 Feb 2023 09:30:20 -0300 +Subject: rtmutex: Ensure that the top waiter is always woken up + +From: Wander Lairson Costa + +commit db370a8b9f67ae5f17e3d5482493294467784504 upstream. + +Let L1 and L2 be two spinlocks. + +Let T1 be a task holding L1 and blocked on L2. T1, currently, is the top +waiter of L2. + +Let T2 be the task holding L2. + +Let T3 be a task trying to acquire L1. + +The following events will lead to a state in which the wait queue of L2 +isn't empty, but no task actually holds the lock. + +T1 T2 T3 +== == == + + spin_lock(L1) + | raw_spin_lock(L1->wait_lock) + | rtlock_slowlock_locked(L1) + | | task_blocks_on_rt_mutex(L1, T3) + | | | orig_waiter->lock = L1 + | | | orig_waiter->task = T3 + | | | raw_spin_unlock(L1->wait_lock) + | | | rt_mutex_adjust_prio_chain(T1, L1, L2, orig_waiter, T3) + spin_unlock(L2) | | | | + | rt_mutex_slowunlock(L2) | | | | + | | raw_spin_lock(L2->wait_lock) | | | | + | | wakeup(T1) | | | | + | | raw_spin_unlock(L2->wait_lock) | | | | + | | | | waiter = T1->pi_blocked_on + | | | | waiter == rt_mutex_top_waiter(L2) + | | | | waiter->task == T1 + | | | | raw_spin_lock(L2->wait_lock) + | | | | dequeue(L2, waiter) + | | | | update_prio(waiter, T1) + | | | | enqueue(L2, waiter) + | | | | waiter != rt_mutex_top_waiter(L2) + | | | | L2->owner == NULL + | | | | wakeup(T1) + | | | | raw_spin_unlock(L2->wait_lock) +T1 wakes up +T1 != top_waiter(L2) +schedule_rtlock() + +If the deadline of T1 is updated before the call to update_prio(), and the +new deadline is greater than the deadline of the second top waiter, then +after the requeue, T1 is no longer the top waiter, and the wrong task is +woken up which will then go back to sleep because it is not the top waiter. + +This can be reproduced in PREEMPT_RT with stress-ng: + +while true; do + stress-ng --sched deadline --sched-period 1000000000 \ + --sched-runtime 800000000 --sched-deadline \ + 1000000000 --mmapfork 23 -t 20 +done + +A similar issue was pointed out by Thomas versus the cases where the top +waiter drops out early due to a signal or timeout, which is a general issue +for all regular rtmutex use cases, e.g. futex. + +The problematic code is in rt_mutex_adjust_prio_chain(): + + // Save the top waiter before dequeue/enqueue + prerequeue_top_waiter = rt_mutex_top_waiter(lock); + + rt_mutex_dequeue(lock, waiter); + waiter_update_prio(waiter, task); + rt_mutex_enqueue(lock, waiter); + + // Lock has no owner? + if (!rt_mutex_owner(lock)) { + // Top waiter changed + ----> if (prerequeue_top_waiter != rt_mutex_top_waiter(lock)) + ----> wake_up_state(waiter->task, waiter->wake_state); + +This only takes the case into account where @waiter is the new top waiter +due to the requeue operation. + +But it fails to handle the case where @waiter is not longer the top +waiter due to the requeue operation. + +Ensure that the new top waiter is woken up so in all cases so it can take +over the ownerless lock. + +[ tglx: Amend changelog, add Fixes tag ] + +Fixes: c014ef69b3ac ("locking/rtmutex: Add wake_state to rt_mutex_waiter") +Signed-off-by: Wander Lairson Costa +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230117172649.52465-1-wander@redhat.com +Link: https://lore.kernel.org/r/20230202123020.14844-1-wander@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/locking/rtmutex.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/locking/rtmutex.c ++++ b/kernel/locking/rtmutex.c +@@ -855,8 +855,9 @@ static int __sched rt_mutex_adjust_prio_ + * then we need to wake the new top waiter up to try + * to get the lock. + */ +- if (prerequeue_top_waiter != rt_mutex_top_waiter(lock)) +- wake_up_state(waiter->task, waiter->wake_state); ++ top_waiter = rt_mutex_top_waiter(lock); ++ if (prerequeue_top_waiter != top_waiter) ++ wake_up_state(top_waiter->task, top_waiter->wake_state); + raw_spin_unlock_irq(&lock->wait_lock); + return 0; + } diff --git a/queue-5.15/series b/queue-5.15/series index 8e8f196bf12..81d87f11016 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -48,3 +48,16 @@ spi-dw-fix-wrong-fifo-level-setting-for-long-xfers.patch pinctrl-intel-restore-the-pins-that-used-to-be-in-di.patch cifs-fix-use-after-free-in-rdata-read_into_pages.patch net-usb-fix-wrong-direction-warning-in-plusb.c.patch +mptcp-be-careful-on-subflow-status-propagation-on-errors.patch +btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch +usb-core-add-quirk-for-alcor-link-ak9563-smartcard-reader.patch +usb-typec-altmodes-displayport-fix-probe-pin-assign-check.patch +clk-ingenic-jz4760-update-m-n-od-calculation-algorithm.patch +ceph-flush-cap-releases-when-the-session-is-flushed.patch +riscv-fixup-race-condition-on-pg_dcache_clean-in-flush_icache_pte.patch +powerpc-64s-interrupt-fix-interrupt-exit-race-with-security-mitigation-switch.patch +rtmutex-ensure-that-the-top-waiter-is-always-woken-up.patch +arm64-dts-meson-gx-make-mmc-host-controller-interrupts-level-sensitive.patch +arm64-dts-meson-g12-common-make-mmc-host-controller-interrupts-level-sensitive.patch +arm64-dts-meson-axg-make-mmc-host-controller-interrupts-level-sensitive.patch +fix-page-corruption-caused-by-racy-check-in-__free_pages.patch diff --git a/queue-5.15/usb-core-add-quirk-for-alcor-link-ak9563-smartcard-reader.patch b/queue-5.15/usb-core-add-quirk-for-alcor-link-ak9563-smartcard-reader.patch new file mode 100644 index 00000000000..edf60277ed1 --- /dev/null +++ b/queue-5.15/usb-core-add-quirk-for-alcor-link-ak9563-smartcard-reader.patch @@ -0,0 +1,38 @@ +From 303e724d7b1e1a0a93daf0b1ab5f7c4f53543b34 Mon Sep 17 00:00:00 2001 +From: Mark Pearson +Date: Wed, 8 Feb 2023 13:12:23 -0500 +Subject: usb: core: add quirk for Alcor Link AK9563 smartcard reader + +From: Mark Pearson + +commit 303e724d7b1e1a0a93daf0b1ab5f7c4f53543b34 upstream. + +The Alcor Link AK9563 smartcard reader used on some Lenovo platforms +doesn't work. If LPM is enabled the reader will provide an invalid +usb config descriptor. Added quirk to disable LPM. + +Verified fix on Lenovo P16 G1 and T14 G3 + +Tested-by: Miroslav Zatko +Tested-by: Dennis Wassenberg +Cc: stable@vger.kernel.org +Signed-off-by: Dennis Wassenberg +Signed-off-by: Mark Pearson +Link: https://lore.kernel.org/r/20230208181223.1092654-1-mpearson-lenovo@squebb.ca +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -526,6 +526,9 @@ static const struct usb_device_id usb_qu + /* DJI CineSSD */ + { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM }, + ++ /* Alcor Link AK9563 SC Reader used in 2022 Lenovo ThinkPads */ ++ { USB_DEVICE(0x2ce3, 0x9563), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* DELL USB GEN2 */ + { USB_DEVICE(0x413c, 0xb062), .driver_info = USB_QUIRK_NO_LPM | USB_QUIRK_RESET_RESUME }, + diff --git a/queue-5.15/usb-typec-altmodes-displayport-fix-probe-pin-assign-check.patch b/queue-5.15/usb-typec-altmodes-displayport-fix-probe-pin-assign-check.patch new file mode 100644 index 00000000000..10c3b1b020c --- /dev/null +++ b/queue-5.15/usb-typec-altmodes-displayport-fix-probe-pin-assign-check.patch @@ -0,0 +1,48 @@ +From 54e5c00a4eb0a4c663445b245f641bbfab142430 Mon Sep 17 00:00:00 2001 +From: Prashant Malani +Date: Wed, 8 Feb 2023 20:53:19 +0000 +Subject: usb: typec: altmodes/displayport: Fix probe pin assign check + +From: Prashant Malani + +commit 54e5c00a4eb0a4c663445b245f641bbfab142430 upstream. + +While checking Pin Assignments of the port and partner during probe, we +don't take into account whether the peripheral is a plug or receptacle. + +This manifests itself in a mode entry failure on certain docks and +dongles with captive cables. For instance, the Startech.com Type-C to DP +dongle (Model #CDP2DP) advertises its DP VDO as 0x405. This would fail +the Pin Assignment compatibility check, despite it supporting +Pin Assignment C as a UFP. + +Update the check to use the correct DP Pin Assign macros that +take the peripheral's receptacle bit into account. + +Fixes: c1e5c2f0cb8a ("usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles") +Cc: stable@vger.kernel.org +Reported-by: Diana Zigterman +Signed-off-by: Prashant Malani +Link: https://lore.kernel.org/r/20230208205318.131385-1-pmalani@chromium.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/altmodes/displayport.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/typec/altmodes/displayport.c ++++ b/drivers/usb/typec/altmodes/displayport.c +@@ -533,10 +533,10 @@ int dp_altmode_probe(struct typec_altmod + /* FIXME: Port can only be DFP_U. */ + + /* Make sure we have compatiple pin configurations */ +- if (!(DP_CAP_DFP_D_PIN_ASSIGN(port->vdo) & +- DP_CAP_UFP_D_PIN_ASSIGN(alt->vdo)) && +- !(DP_CAP_UFP_D_PIN_ASSIGN(port->vdo) & +- DP_CAP_DFP_D_PIN_ASSIGN(alt->vdo))) ++ if (!(DP_CAP_PIN_ASSIGN_DFP_D(port->vdo) & ++ DP_CAP_PIN_ASSIGN_UFP_D(alt->vdo)) && ++ !(DP_CAP_PIN_ASSIGN_UFP_D(port->vdo) & ++ DP_CAP_PIN_ASSIGN_DFP_D(alt->vdo))) + return -ENODEV; + + ret = sysfs_create_group(&alt->dev.kobj, &dp_altmode_group);