From: Sasha Levin Date: Sun, 10 Apr 2022 02:06:29 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.9.310~108 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a7ad958d1c3d55e884f4b30af459535566e31f0e;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/arm-9187-1-jive-fix-return-value-of-__setup-handler.patch b/queue-4.14/arm-9187-1-jive-fix-return-value-of-__setup-handler.patch new file mode 100644 index 00000000000..2f514d3dc65 --- /dev/null +++ b/queue-4.14/arm-9187-1-jive-fix-return-value-of-__setup-handler.patch @@ -0,0 +1,61 @@ +From 62a79f35b65fc7a978d4166f8d7085ad74fa426b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Mar 2022 07:36:09 +0100 +Subject: ARM: 9187/1: JIVE: fix return value of __setup handler + +From: Randy Dunlap + +[ Upstream commit 8b2360c7157b462c4870d447d1e65d30ef31f9aa ] + +__setup() handlers should return 1 to obsolete_checksetup() in +init/main.c to indicate that the boot option has been handled. +A return of 0 causes the boot option/value to be listed as an Unknown +kernel parameter and added to init's (limited) argument or environment +strings. Also, error return codes don't mean anything to +obsolete_checksetup() -- only non-zero (usually 1) or zero. +So return 1 from jive_mtdset(). + +Fixes: 9db829f485c5 ("[ARM] JIVE: Initial machine support for Logitech Jive") +Signed-off-by: Randy Dunlap +Cc: Ben Dooks +Cc: Krzysztof Kozlowski +Cc: Alim Akhtar +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-samsung-soc@vger.kernel.org +Cc: patches@armlinux.org.uk +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mach-s3c24xx/mach-jive.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-s3c24xx/mach-jive.c b/arch/arm/mach-s3c24xx/mach-jive.c +index 17821976f769..5de514940a9c 100644 +--- a/arch/arm/mach-s3c24xx/mach-jive.c ++++ b/arch/arm/mach-s3c24xx/mach-jive.c +@@ -241,11 +241,11 @@ static int __init jive_mtdset(char *options) + unsigned long set; + + if (options == NULL || options[0] == '\0') +- return 0; ++ return 1; + + if (kstrtoul(options, 10, &set)) { + printk(KERN_ERR "failed to parse mtdset=%s\n", options); +- return 0; ++ return 1; + } + + switch (set) { +@@ -260,7 +260,7 @@ static int __init jive_mtdset(char *options) + "using default.", set); + } + +- return 0; ++ return 1; + } + + /* parse the mtdset= option given to the kernel command line */ +-- +2.35.1 + diff --git a/queue-4.14/ath5k-fix-oob-in-ath5k_eeprom_read_pcal_info_5111.patch b/queue-4.14/ath5k-fix-oob-in-ath5k_eeprom_read_pcal_info_5111.patch new file mode 100644 index 00000000000..5b82cf27fd0 --- /dev/null +++ b/queue-4.14/ath5k-fix-oob-in-ath5k_eeprom_read_pcal_info_5111.patch @@ -0,0 +1,87 @@ +From bacac078898cb65c804e66ce8a02458d90092e3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Dec 2021 22:12:13 -0500 +Subject: ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111 + +From: Zekun Shen + +[ Upstream commit 564d4eceb97eaf381dd6ef6470b06377bb50c95a ] + +The bug was found during fuzzing. Stacktrace locates it in +ath5k_eeprom_convert_pcal_info_5111. +When none of the curve is selected in the loop, idx can go +up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound. +pd = &chinfo[pier].pd_curves[idx]; + +There are many OOB writes using pd later in the code. So I +added a sanity check for idx. Checks for other loops involving +AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not +used outside the loops. + +The patch is NOT tested with real device. + +The following is the fuzzing report + +BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] +Write of size 1 at addr ffff8880174a4d60 by task modprobe/214 + +CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1 +Call Trace: + dump_stack+0x76/0xa0 + print_address_description.constprop.0+0x16/0x200 + ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] + ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] + __kasan_report.cold+0x37/0x7c + ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] + kasan_report+0xe/0x20 + ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] + ? apic_timer_interrupt+0xa/0x20 + ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] + ? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k] + ath5k_eeprom_init+0x2513/0x6290 [ath5k] + ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] + ? usleep_range+0xb8/0x100 + ? apic_timer_interrupt+0xa/0x20 + ? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k] + ath5k_hw_init+0xb60/0x1970 [ath5k] + ath5k_init_ah+0x6fe/0x2530 [ath5k] + ? kasprintf+0xa6/0xe0 + ? ath5k_stop+0x140/0x140 [ath5k] + ? _dev_notice+0xf6/0xf6 + ? apic_timer_interrupt+0xa/0x20 + ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k] + ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] + ? mutex_lock+0x89/0xd0 + ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] + local_pci_probe+0xd3/0x160 + pci_device_probe+0x23f/0x3e0 + ? pci_device_remove+0x280/0x280 + ? pci_device_remove+0x280/0x280 + really_probe+0x209/0x5d0 + +Reported-by: Brendan Dolan-Gavitt +Signed-off-by: Zekun Shen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/YckvDdj3mtCkDRIt@a-10-27-26-18.dynapool.vpn.nyu.edu +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath5k/eeprom.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath5k/eeprom.c b/drivers/net/wireless/ath/ath5k/eeprom.c +index 94d34ee02265..01163b333945 100644 +--- a/drivers/net/wireless/ath/ath5k/eeprom.c ++++ b/drivers/net/wireless/ath/ath5k/eeprom.c +@@ -746,6 +746,9 @@ ath5k_eeprom_convert_pcal_info_5111(struct ath5k_hw *ah, int mode, + } + } + ++ if (idx == AR5K_EEPROM_N_PD_CURVES) ++ goto err_out; ++ + ee->ee_pd_gains[mode] = 1; + + pd = &chinfo[pier].pd_curves[idx]; +-- +2.35.1 + diff --git a/queue-4.14/bluetooth-fix-use-after-free-in-hci_send_acl.patch b/queue-4.14/bluetooth-fix-use-after-free-in-hci_send_acl.patch new file mode 100644 index 00000000000..bd76952829d --- /dev/null +++ b/queue-4.14/bluetooth-fix-use-after-free-in-hci_send_acl.patch @@ -0,0 +1,134 @@ +From 3efc2d3401d68f9b6bc4f8e3b9974926196dfc74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Mar 2022 13:19:33 -0800 +Subject: Bluetooth: Fix use after free in hci_send_acl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luiz Augusto von Dentz + +[ Upstream commit f63d24baff787e13b723d86fe036f84bdbc35045 ] + +This fixes the following trace caused by receiving +HCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without +first checking if conn->type is in fact AMP_LINK and in case it is +do properly cleanup upper layers with hci_disconn_cfm: + + ================================================================== + BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50 + Read of size 8 at addr ffff88800e404818 by task bluetoothd/142 + + CPU: 0 PID: 142 Comm: bluetoothd Not tainted + 5.17.0-rc5-00006-gda4022eeac1a #7 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS + rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 + Call Trace: + + dump_stack_lvl+0x45/0x59 + print_address_description.constprop.0+0x1f/0x150 + kasan_report.cold+0x7f/0x11b + hci_send_acl+0xaba/0xc50 + l2cap_do_send+0x23f/0x3d0 + l2cap_chan_send+0xc06/0x2cc0 + l2cap_sock_sendmsg+0x201/0x2b0 + sock_sendmsg+0xdc/0x110 + sock_write_iter+0x20f/0x370 + do_iter_readv_writev+0x343/0x690 + do_iter_write+0x132/0x640 + vfs_writev+0x198/0x570 + do_writev+0x202/0x280 + do_syscall_64+0x38/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 + Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 + 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05 + <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 + RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015 + RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77 + R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580 + RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001 + + R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0 + + Allocated by task 45: + kasan_save_stack+0x1e/0x40 + __kasan_kmalloc+0x81/0xa0 + hci_chan_create+0x9a/0x2f0 + l2cap_conn_add.part.0+0x1a/0xdc0 + l2cap_connect_cfm+0x236/0x1000 + le_conn_complete_evt+0x15a7/0x1db0 + hci_le_conn_complete_evt+0x226/0x2c0 + hci_le_meta_evt+0x247/0x450 + hci_event_packet+0x61b/0xe90 + hci_rx_work+0x4d5/0xc50 + process_one_work+0x8fb/0x15a0 + worker_thread+0x576/0x1240 + kthread+0x29d/0x340 + ret_from_fork+0x1f/0x30 + + Freed by task 45: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + kasan_set_free_info+0x20/0x30 + __kasan_slab_free+0xfb/0x130 + kfree+0xac/0x350 + hci_conn_cleanup+0x101/0x6a0 + hci_conn_del+0x27e/0x6c0 + hci_disconn_phylink_complete_evt+0xe0/0x120 + hci_event_packet+0x812/0xe90 + hci_rx_work+0x4d5/0xc50 + process_one_work+0x8fb/0x15a0 + worker_thread+0x576/0x1240 + kthread+0x29d/0x340 + ret_from_fork+0x1f/0x30 + + The buggy address belongs to the object at ffff88800c0f0500 + The buggy address is located 24 bytes inside of + which belongs to the cache kmalloc-128 of size 128 + The buggy address belongs to the page: + 128-byte region [ffff88800c0f0500, ffff88800c0f0580) + flags: 0x100000000000200(slab|node=0|zone=1) + page:00000000fe45cd86 refcount:1 mapcount:0 + mapping:0000000000000000 index:0x0 pfn:0xc0f0 + raw: 0000000000000000 0000000080100010 00000001ffffffff + 0000000000000000 + raw: 0100000000000200 ffffea00003a2c80 dead000000000004 + ffff8880078418c0 + page dumped because: kasan: bad access detected + ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc + Memory state around the buggy address: + >ffff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ================================================================== + ffff88800c0f0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Reported-by: Sönke Huster +Tested-by: Sönke Huster +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 39e222fb3004..4eeba9dfb38f 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4470,8 +4470,9 @@ static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, + hci_dev_lock(hdev); + + hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); +- if (hcon) { ++ if (hcon && hcon->type == AMP_LINK) { + hcon->state = BT_CLOSED; ++ hci_disconn_cfm(hcon, ev->reason); + hci_conn_del(hcon); + } + +-- +2.35.1 + diff --git a/queue-4.14/bnxt_en-eliminate-unintended-link-toggle-during-fw-r.patch b/queue-4.14/bnxt_en-eliminate-unintended-link-toggle-during-fw-r.patch new file mode 100644 index 00000000000..0763e294839 --- /dev/null +++ b/queue-4.14/bnxt_en-eliminate-unintended-link-toggle-during-fw-r.patch @@ -0,0 +1,47 @@ +From b178ca8ca7b738cee45d0a29610e891d56ea642e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 03:54:39 -0500 +Subject: bnxt_en: Eliminate unintended link toggle during FW reset + +From: Michael Chan + +[ Upstream commit 7c492a2530c1f05441da541307c2534230dfd59b ] + +If the flow control settings have been changed, a subsequent FW reset +may cause the ethernet link to toggle unnecessarily. This link toggle +will increase the down time by a few seconds. + +The problem is caused by bnxt_update_phy_setting() detecting a false +mismatch in the flow control settings between the stored software +settings and the current FW settings after the FW reset. This mismatch +is caused by the AUTONEG bit added to link_info->req_flow_ctrl in an +inconsistent way in bnxt_set_pauseparam() in autoneg mode. The AUTONEG +bit should not be added to link_info->req_flow_ctrl. + +Reviewed-by: Colin Winegarden +Reviewed-by: Pavan Chebbi +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +index e3123cb0fb70..82e16b2d1f7a 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -1272,9 +1272,7 @@ static int bnxt_set_pauseparam(struct net_device *dev, + } + + link_info->autoneg |= BNXT_AUTONEG_FLOW_CTRL; +- if (bp->hwrm_spec_code >= 0x10201) +- link_info->req_flow_ctrl = +- PORT_PHY_CFG_REQ_AUTO_PAUSE_AUTONEG_PAUSE; ++ link_info->req_flow_ctrl = 0; + } else { + /* when transition from auto pause to force pause, + * force a link change +-- +2.35.1 + diff --git a/queue-4.14/dm-ioctl-prevent-potential-spectre-v1-gadget.patch b/queue-4.14/dm-ioctl-prevent-potential-spectre-v1-gadget.patch new file mode 100644 index 00000000000..6e43cffc80a --- /dev/null +++ b/queue-4.14/dm-ioctl-prevent-potential-spectre-v1-gadget.patch @@ -0,0 +1,44 @@ +From 3b8abe006b542895624f9dd6ba9999f19f337aa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Jan 2022 15:58:39 +0100 +Subject: dm ioctl: prevent potential spectre v1 gadget + +From: Jordy Zomer + +[ Upstream commit cd9c88da171a62c4b0f1c70e50c75845969fbc18 ] + +It appears like cmd could be a Spectre v1 gadget as it's supplied by a +user and used as an array index. Prevent the contents of kernel memory +from being leaked to userspace via speculative execution by using +array_index_nospec. + +Signed-off-by: Jordy Zomer +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-ioctl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c +index 2f020401d5ba..ddfea5324b58 100644 +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + #include + +@@ -1669,6 +1670,7 @@ static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags) + if (unlikely(cmd >= ARRAY_SIZE(_ioctls))) + return NULL; + ++ cmd = array_index_nospec(cmd, ARRAY_SIZE(_ioctls)); + *ioctl_flags = _ioctls[cmd].flags; + return _ioctls[cmd].fn; + } +-- +2.35.1 + diff --git a/queue-4.14/init-main.c-return-1-from-handled-__setup-functions.patch b/queue-4.14/init-main.c-return-1-from-handled-__setup-functions.patch new file mode 100644 index 00000000000..a72267981db --- /dev/null +++ b/queue-4.14/init-main.c-return-1-from-handled-__setup-functions.patch @@ -0,0 +1,57 @@ +From ecda09ff7ac2923863fe6066b9a85fad9ebb03e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Mar 2022 16:06:14 -0700 +Subject: init/main.c: return 1 from handled __setup() functions + +From: Randy Dunlap + +[ Upstream commit f9a40b0890658330c83c95511f9d6b396610defc ] + +initcall_blacklist() should return 1 to indicate that it handled its +cmdline arguments. + +set_debug_rodata() should return 1 to indicate that it handled its +cmdline arguments. Print a warning if the option string is invalid. + +This prevents these strings from being added to the 'init' program's +environment as they are not init arguments/parameters. + +Link: https://lkml.kernel.org/r/20220221050901.23985-1-rdunlap@infradead.org +Signed-off-by: Randy Dunlap +Reported-by: Igor Zhbanov +Cc: Ingo Molnar +Cc: Greg Kroah-Hartman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + init/main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/init/main.c b/init/main.c +index f0b2411a5fbf..621cedd9173a 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -749,7 +749,7 @@ static int __init initcall_blacklist(char *str) + } + } while (str_entry); + +- return 0; ++ return 1; + } + + static bool __init_or_module initcall_blacklisted(initcall_t fn) +@@ -965,7 +965,9 @@ static noinline void __init kernel_init_freeable(void); + bool rodata_enabled __ro_after_init = true; + static int __init set_debug_rodata(char *str) + { +- return strtobool(str, &rodata_enabled); ++ if (strtobool(str, &rodata_enabled)) ++ pr_warn("Invalid option string for rodata: '%s'\n", str); ++ return 1; + } + __setup("rodata=", set_debug_rodata); + #endif +-- +2.35.1 + diff --git a/queue-4.14/iommu-arm-smmu-v3-fix-event-handling-soft-lockup.patch b/queue-4.14/iommu-arm-smmu-v3-fix-event-handling-soft-lockup.patch new file mode 100644 index 00000000000..efe28e9355e --- /dev/null +++ b/queue-4.14/iommu-arm-smmu-v3-fix-event-handling-soft-lockup.patch @@ -0,0 +1,55 @@ +From ada391e3ecf4fab91862551e94a7b6f3f6b21ed4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jan 2022 07:07:54 +0000 +Subject: iommu/arm-smmu-v3: fix event handling soft lockup + +From: Zhou Guanghui + +[ Upstream commit 30de2b541af98179780054836b48825fcfba4408 ] + +During event processing, events are read from the event queue one +by one until the queue is empty.If the master device continuously +requests address access at the same time and the SMMU generates +events, the cyclic processing of the event takes a long time and +softlockup warnings may be reported. + +arm-smmu-v3 arm-smmu-v3.34.auto: event 0x0a received: +arm-smmu-v3 arm-smmu-v3.34.auto: 0x00007f220000280a +arm-smmu-v3 arm-smmu-v3.34.auto: 0x000010000000007e +arm-smmu-v3 arm-smmu-v3.34.auto: 0x00000000034e8670 +watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [irq/268-arm-smm:247] +Call trace: + _dev_info+0x7c/0xa0 + arm_smmu_evtq_thread+0x1c0/0x230 + irq_thread_fn+0x30/0x80 + irq_thread+0x128/0x210 + kthread+0x134/0x138 + ret_from_fork+0x10/0x1c +Kernel panic - not syncing: softlockup: hung tasks + +Fix this by calling cond_resched() after the event information is +printed. + +Signed-off-by: Zhou Guanghui +Link: https://lore.kernel.org/r/20220119070754.26528-1-zhouguanghui1@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm-smmu-v3.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c +index 29feafa8007f..878087b9ddfe 100644 +--- a/drivers/iommu/arm-smmu-v3.c ++++ b/drivers/iommu/arm-smmu-v3.c +@@ -1210,6 +1210,7 @@ static irqreturn_t arm_smmu_evtq_thread(int irq, void *dev) + dev_info(smmu->dev, "\t0x%016llx\n", + (unsigned long long)evt[i]); + ++ cond_resched(); + } + + /* +-- +2.35.1 + diff --git a/queue-4.14/ipv6-add-missing-tx-timestamping-on-ipproto_raw.patch b/queue-4.14/ipv6-add-missing-tx-timestamping-on-ipproto_raw.patch new file mode 100644 index 00000000000..6f3f055b48a --- /dev/null +++ b/queue-4.14/ipv6-add-missing-tx-timestamping-on-ipproto_raw.patch @@ -0,0 +1,60 @@ +From c781c8145d374f5dfc859af338e94c4dc33b0d69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 22:29:54 +0300 +Subject: ipv6: add missing tx timestamping on IPPROTO_RAW + +From: Willem de Bruijn + +[ Upstream commit fbfb2321e950918b430e7225546296b2dcadf725 ] + +Raw sockets support tx timestamping, but one case is missing. + +IPPROTO_RAW takes a separate packet construction path. raw_send_hdrinc +has an explicit call to sock_tx_timestamp, but rawv6_send_hdrinc does +not. Add it. + +Fixes: 11878b40ed5c ("net-timestamp: SOCK_RAW and PING timestamping") +Signed-off-by: Willem de Bruijn +Acked-by: Soheil Hassas Yeganeh +Signed-off-by: David S. Miller +Signed-off-by: Vladimir Oltean +Signed-off-by: Sasha Levin +--- + net/ipv6/raw.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c +index 3d9d20074203..f0d8b7e9a685 100644 +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -622,7 +622,7 @@ static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6, + + static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, int length, + struct flowi6 *fl6, struct dst_entry **dstp, +- unsigned int flags) ++ unsigned int flags, const struct sockcm_cookie *sockc) + { + struct ipv6_pinfo *np = inet6_sk(sk); + struct net *net = sock_net(sk); +@@ -659,6 +659,8 @@ static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, int length, + + skb->ip_summed = CHECKSUM_NONE; + ++ sock_tx_timestamp(sk, sockc->tsflags, &skb_shinfo(skb)->tx_flags); ++ + if (flags & MSG_CONFIRM) + skb_set_dst_pending_confirm(skb, 1); + +@@ -945,7 +947,8 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + + back_from_confirm: + if (hdrincl) +- err = rawv6_send_hdrinc(sk, msg, len, &fl6, &dst, msg->msg_flags); ++ err = rawv6_send_hdrinc(sk, msg, len, &fl6, &dst, ++ msg->msg_flags, &sockc); + else { + ipc6.opt = opt; + lock_sock(sk); +-- +2.35.1 + diff --git a/queue-4.14/jfs-prevent-null-deref-in-difree.patch b/queue-4.14/jfs-prevent-null-deref-in-difree.patch new file mode 100644 index 00000000000..cc74c82103c --- /dev/null +++ b/queue-4.14/jfs-prevent-null-deref-in-difree.patch @@ -0,0 +1,48 @@ +From a4ba0ebffb3535fb5dc455d1104d4f8bc803a5df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Mar 2022 21:59:17 +0800 +Subject: jfs: prevent NULL deref in diFree + +From: Haimin Zhang + +[ Upstream commit a53046291020ec41e09181396c1e829287b48d47 ] + +Add validation check for JFS_IP(ipimap)->i_imap to prevent a NULL deref +in diFree since diFree uses it without do any validations. +When function jfs_mount calls diMount to initialize fileset inode +allocation map, it can fail and JFS_IP(ipimap)->i_imap won't be +initialized. Then it calls diFreeSpecial to close fileset inode allocation +map inode and it will flow into jfs_evict_inode. Function jfs_evict_inode +just validates JFS_SBI(inode->i_sb)->ipimap, then calls diFree. diFree use +JFS_IP(ipimap)->i_imap directly, then it will cause a NULL deref. + +Reported-by: TCS Robot +Signed-off-by: Haimin Zhang +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/jfs/inode.c b/fs/jfs/inode.c +index 87b41edc800d..68779cc3609a 100644 +--- a/fs/jfs/inode.c ++++ b/fs/jfs/inode.c +@@ -156,12 +156,13 @@ void jfs_evict_inode(struct inode *inode) + dquot_initialize(inode); + + if (JFS_IP(inode)->fileset == FILESYSTEM_I) { ++ struct inode *ipimap = JFS_SBI(inode->i_sb)->ipimap; + truncate_inode_pages_final(&inode->i_data); + + if (test_cflag(COMMIT_Freewmap, inode)) + jfs_free_zero_link(inode); + +- if (JFS_SBI(inode->i_sb)->ipimap) ++ if (ipimap && JFS_IP(ipimap)->i_imap) + diFree(inode); + + /* +-- +2.35.1 + diff --git a/queue-4.14/kvm-x86-svm-clear-reserved-bits-written-to-perfevtse.patch b/queue-4.14/kvm-x86-svm-clear-reserved-bits-written-to-perfevtse.patch new file mode 100644 index 00000000000..94c28376884 --- /dev/null +++ b/queue-4.14/kvm-x86-svm-clear-reserved-bits-written-to-perfevtse.patch @@ -0,0 +1,74 @@ +From 9a614565fa355403846dd198c239d6e55f25d982 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Feb 2022 15:41:31 -0800 +Subject: KVM: x86/svm: Clear reserved bits written to PerfEvtSeln MSRs + +From: Jim Mattson + +[ Upstream commit 9b026073db2f1ad0e4d8b61c83316c8497981037 ] + +AMD EPYC CPUs never raise a #GP for a WRMSR to a PerfEvtSeln MSR. Some +reserved bits are cleared, and some are not. Specifically, on +Zen3/Milan, bits 19 and 42 are not cleared. + +When emulating such a WRMSR, KVM should not synthesize a #GP, +regardless of which bits are set. However, undocumented bits should +not be passed through to the hardware MSR. So, rather than checking +for reserved bits and synthesizing a #GP, just clear the reserved +bits. + +This may seem pedantic, but since KVM currently does not support the +"Host/Guest Only" bits (41:40), it is necessary to clear these bits +rather than synthesizing #GP, because some popular guests (e.g Linux) +will set the "Host Only" bit even on CPUs that don't support +EFER.SVME, and they don't expect a #GP. + +For example, + +root@Ubuntu1804:~# perf stat -e r26 -a sleep 1 + + Performance counter stats for 'system wide': + + 0 r26 + + 1.001070977 seconds time elapsed + +Feb 23 03:59:58 Ubuntu1804 kernel: [ 405.379957] unchecked MSR access error: WRMSR to 0xc0010200 (tried to write 0x0000020000130026) at rIP: 0xffffffff9b276a28 (native_write_msr+0x8/0x30) +Feb 23 03:59:58 Ubuntu1804 kernel: [ 405.379958] Call Trace: +Feb 23 03:59:58 Ubuntu1804 kernel: [ 405.379963] amd_pmu_disable_event+0x27/0x90 + +Fixes: ca724305a2b0 ("KVM: x86/vPMU: Implement AMD vPMU code for KVM") +Reported-by: Lotus Fenn +Signed-off-by: Jim Mattson +Reviewed-by: Like Xu +Reviewed-by: David Dunn +Message-Id: <20220226234131.2167175-1-jmattson@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/pmu_amd.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/arch/x86/kvm/pmu_amd.c b/arch/x86/kvm/pmu_amd.c +index cd944435dfbd..e0473c72062e 100644 +--- a/arch/x86/kvm/pmu_amd.c ++++ b/arch/x86/kvm/pmu_amd.c +@@ -139,12 +139,10 @@ static int amd_pmu_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + /* MSR_K7_EVNTSELn */ + pmc = get_gp_pmc(pmu, msr, MSR_K7_EVNTSEL0); + if (pmc) { +- if (data == pmc->eventsel) +- return 0; +- if (!(data & pmu->reserved_bits)) { ++ data &= ~pmu->reserved_bits; ++ if (data != pmc->eventsel) + reprogram_gp_counter(pmc, data); +- return 0; +- } ++ return 0; + } + + return 1; +-- +2.35.1 + diff --git a/queue-4.14/macvtap-advertise-link-netns-via-netlink.patch b/queue-4.14/macvtap-advertise-link-netns-via-netlink.patch new file mode 100644 index 00000000000..7de74d585d9 --- /dev/null +++ b/queue-4.14/macvtap-advertise-link-netns-via-netlink.patch @@ -0,0 +1,68 @@ +From 19856de71ab35758e8dd24776569a9e885397b88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 01:32:40 +0100 +Subject: macvtap: advertise link netns via netlink +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sven Eckelmann + +[ Upstream commit a02192151b7dbf855084c38dca380d77c7658353 ] + +Assign rtnl_link_ops->get_link_net() callback so that IFLA_LINK_NETNSID is +added to rtnetlink messages. This fixes iproute2 which otherwise resolved +the link interface to an interface in the wrong namespace. + +Test commands: + + ip netns add nst + ip link add dummy0 type dummy + ip link add link macvtap0 link dummy0 type macvtap + ip link set macvtap0 netns nst + ip -netns nst link show macvtap0 + +Before: + + 10: macvtap0@gre0: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 500 + link/ether 5e:8f:ae:1d:60:50 brd ff:ff:ff:ff:ff:ff + +After: + + 10: macvtap0@if2: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 500 + link/ether 5e:8f:ae:1d:60:50 brd ff:ff:ff:ff:ff:ff link-netnsid 0 + +Reported-by: Leonardo Mörlein +Signed-off-by: Sven Eckelmann +Link: https://lore.kernel.org/r/20220228003240.1337426-1-sven@narfation.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macvtap.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c +index cba5cb3b849a..dc89019ca876 100644 +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -132,11 +132,17 @@ static void macvtap_setup(struct net_device *dev) + dev->tx_queue_len = TUN_READQ_SIZE; + } + ++static struct net *macvtap_link_net(const struct net_device *dev) ++{ ++ return dev_net(macvlan_dev_real_dev(dev)); ++} ++ + static struct rtnl_link_ops macvtap_link_ops __read_mostly = { + .kind = "macvtap", + .setup = macvtap_setup, + .newlink = macvtap_newlink, + .dellink = macvtap_dellink, ++ .get_link_net = macvtap_link_net, + .priv_size = sizeof(struct macvtap_dev), + }; + +-- +2.35.1 + diff --git a/queue-4.14/mips-fix-fortify-panic-when-copying-asm-exception-ha.patch b/queue-4.14/mips-fix-fortify-panic-when-copying-asm-exception-ha.patch new file mode 100644 index 00000000000..3876075247f --- /dev/null +++ b/queue-4.14/mips-fix-fortify-panic-when-copying-asm-exception-ha.patch @@ -0,0 +1,99 @@ +From 8487ab35dda373331f74a0c9095e5d75eaaceabc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Feb 2022 01:30:23 +0000 +Subject: MIPS: fix fortify panic when copying asm exception handlers + +From: Alexander Lobakin + +[ Upstream commit d17b66417308996e7e64b270a3c7f3c1fbd4cfc8 ] + +With KCFLAGS="-O3", I was able to trigger a fortify-source +memcpy() overflow panic on set_vi_srs_handler(). +Although O3 level is not supported in the mainline, under some +conditions that may've happened with any optimization settings, +it's just a matter of inlining luck. The panic itself is correct, +more precisely, 50/50 false-positive and not at the same time. +From the one side, no real overflow happens. Exception handler +defined in asm just gets copied to some reserved places in the +memory. +But the reason behind is that C code refers to that exception +handler declares it as `char`, i.e. something of 1 byte length. +It's obvious that the asm function itself is way more than 1 byte, +so fortify logics thought we are going to past the symbol declared. +The standard way to refer to asm symbols from C code which is not +supposed to be called from C is to declare them as +`extern const u8[]`. This is fully correct from any point of view, +as any code itself is just a bunch of bytes (including 0 as it is +for syms like _stext/_etext/etc.), and the exact size is not known +at the moment of compilation. +Adjust the type of the except_vec_vi_*() and related variables. +Make set_handler() take `const` as a second argument to avoid +cast-away warnings and give a little more room for optimization. + +Signed-off-by: Alexander Lobakin +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/setup.h | 2 +- + arch/mips/kernel/traps.c | 22 +++++++++++----------- + 2 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/arch/mips/include/asm/setup.h b/arch/mips/include/asm/setup.h +index d49d247d48a1..d48a5f18a267 100644 +--- a/arch/mips/include/asm/setup.h ++++ b/arch/mips/include/asm/setup.h +@@ -14,7 +14,7 @@ static inline void setup_8250_early_printk_port(unsigned long base, + unsigned int reg_shift, unsigned int timeout) {} + #endif + +-extern void set_handler(unsigned long offset, void *addr, unsigned long len); ++void set_handler(unsigned long offset, const void *addr, unsigned long len); + extern void set_uncached_handler(unsigned long offset, void *addr, unsigned long len); + + typedef void (*vi_handler_t)(void); +diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c +index 4a23d89e251c..abbc64788008 100644 +--- a/arch/mips/kernel/traps.c ++++ b/arch/mips/kernel/traps.c +@@ -2017,19 +2017,19 @@ static void *set_vi_srs_handler(int n, vi_handler_t addr, int srs) + * If no shadow set is selected then use the default handler + * that does normal register saving and standard interrupt exit + */ +- extern char except_vec_vi, except_vec_vi_lui; +- extern char except_vec_vi_ori, except_vec_vi_end; +- extern char rollback_except_vec_vi; +- char *vec_start = using_rollback_handler() ? +- &rollback_except_vec_vi : &except_vec_vi; ++ extern const u8 except_vec_vi[], except_vec_vi_lui[]; ++ extern const u8 except_vec_vi_ori[], except_vec_vi_end[]; ++ extern const u8 rollback_except_vec_vi[]; ++ const u8 *vec_start = using_rollback_handler() ? ++ rollback_except_vec_vi : except_vec_vi; + #if defined(CONFIG_CPU_MICROMIPS) || defined(CONFIG_CPU_BIG_ENDIAN) +- const int lui_offset = &except_vec_vi_lui - vec_start + 2; +- const int ori_offset = &except_vec_vi_ori - vec_start + 2; ++ const int lui_offset = except_vec_vi_lui - vec_start + 2; ++ const int ori_offset = except_vec_vi_ori - vec_start + 2; + #else +- const int lui_offset = &except_vec_vi_lui - vec_start; +- const int ori_offset = &except_vec_vi_ori - vec_start; ++ const int lui_offset = except_vec_vi_lui - vec_start; ++ const int ori_offset = except_vec_vi_ori - vec_start; + #endif +- const int handler_len = &except_vec_vi_end - vec_start; ++ const int handler_len = except_vec_vi_end - vec_start; + + if (handler_len > VECTORSPACING) { + /* +@@ -2249,7 +2249,7 @@ void per_cpu_trap_init(bool is_boot_cpu) + } + + /* Install CPU exception handler */ +-void set_handler(unsigned long offset, void *addr, unsigned long size) ++void set_handler(unsigned long offset, const void *addr, unsigned long size) + { + #ifdef CONFIG_CPU_MICROMIPS + memcpy((void *)(ebase + offset), ((unsigned char *)addr - 1), size); +-- +2.35.1 + diff --git a/queue-4.14/mm-fix-race-between-madv_free-reclaim-and-blkdev-dir.patch b/queue-4.14/mm-fix-race-between-madv_free-reclaim-and-blkdev-dir.patch new file mode 100644 index 00000000000..0403d2f60a0 --- /dev/null +++ b/queue-4.14/mm-fix-race-between-madv_free-reclaim-and-blkdev-dir.patch @@ -0,0 +1,464 @@ +From 45c001ceb0fc8ec8877b41616d31e9d001bb0d3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 16:14:31 -0300 +Subject: mm: fix race between MADV_FREE reclaim and blkdev direct IO read + +From: Mauricio Faria de Oliveira + +commit 6c8e2a256915a223f6289f651d6b926cd7135c9e upstream. + +Problem: +======= + +Userspace might read the zero-page instead of actual data from a direct IO +read on a block device if the buffers have been called madvise(MADV_FREE) +on earlier (this is discussed below) due to a race between page reclaim on +MADV_FREE and blkdev direct IO read. + +- Race condition: + ============== + +During page reclaim, the MADV_FREE page check in try_to_unmap_one() checks +if the page is not dirty, then discards its rmap PTE(s) (vs. remap back +if the page is dirty). + +However, after try_to_unmap_one() returns to shrink_page_list(), it might +keep the page _anyway_ if page_ref_freeze() fails (it expects exactly +_one_ page reference, from the isolation for page reclaim). + +Well, blkdev_direct_IO() gets references for all pages, and on READ +operations it only sets them dirty _later_. + +So, if MADV_FREE'd pages (i.e., not dirty) are used as buffers for direct +IO read from block devices, and page reclaim happens during +__blkdev_direct_IO[_simple]() exactly AFTER bio_iov_iter_get_pages() +returns, but BEFORE the pages are set dirty, the situation happens. + +The direct IO read eventually completes. Now, when userspace reads the +buffers, the PTE is no longer there and the page fault handler +do_anonymous_page() services that with the zero-page, NOT the data! + +A synthetic reproducer is provided. + +- Page faults: + =========== + +If page reclaim happens BEFORE bio_iov_iter_get_pages() the issue doesn't +happen, because that faults-in all pages as writeable, so +do_anonymous_page() sets up a new page/rmap/PTE, and that is used by +direct IO. The userspace reads don't fault as the PTE is there (thus +zero-page is not used/setup). + +But if page reclaim happens AFTER it / BEFORE setting pages dirty, the PTE +is no longer there; the subsequent page faults can't help: + +The data-read from the block device probably won't generate faults due to +DMA (no MMU) but even in the case it wouldn't use DMA, that happens on +different virtual addresses (not user-mapped addresses) because `struct +bio_vec` stores `struct page` to figure addresses out (which are different +from user-mapped addresses) for the read. + +Thus userspace reads (to user-mapped addresses) still fault, then +do_anonymous_page() gets another `struct page` that would address/ map to +other memory than the `struct page` used by `struct bio_vec` for the read. +(The original `struct page` is not available, since it wasn't freed, as +page_ref_freeze() failed due to more page refs. And even if it were +available, its data cannot be trusted anymore.) + +Solution: +======== + +One solution is to check for the expected page reference count in +try_to_unmap_one(). + +There should be one reference from the isolation (that is also checked in +shrink_page_list() with page_ref_freeze()) plus one or more references +from page mapping(s) (put in discard: label). Further references mean +that rmap/PTE cannot be unmapped/nuked. + +(Note: there might be more than one reference from mapping due to +fork()/clone() without CLONE_VM, which use the same `struct page` for +references, until the copy-on-write page gets copied.) + +So, additional page references (e.g., from direct IO read) now prevent the +rmap/PTE from being unmapped/dropped; similarly to the page is not freed +per shrink_page_list()/page_ref_freeze()). + +- Races and Barriers: + ================== + +The new check in try_to_unmap_one() should be safe in races with +bio_iov_iter_get_pages() in get_user_pages() fast and slow paths, as it's +done under the PTE lock. + +The fast path doesn't take the lock, but it checks if the PTE has changed +and if so, it drops the reference and leaves the page for the slow path +(which does take that lock). + +The fast path requires synchronization w/ full memory barrier: it writes +the page reference count first then it reads the PTE later, while +try_to_unmap() writes PTE first then it reads page refcount. + +And a second barrier is needed, as the page dirty flag should not be read +before the page reference count (as in __remove_mapping()). (This can be +a load memory barrier only; no writes are involved.) + +Call stack/comments: + +- try_to_unmap_one() + - page_vma_mapped_walk() + - map_pte() # see pte_offset_map_lock(): + pte_offset_map() + spin_lock() + + - ptep_get_and_clear() # write PTE + - smp_mb() # (new barrier) GUP fast path + - page_ref_count() # (new check) read refcount + + - page_vma_mapped_walk_done() # see pte_unmap_unlock(): + pte_unmap() + spin_unlock() + +- bio_iov_iter_get_pages() + - __bio_iov_iter_get_pages() + - iov_iter_get_pages() + - get_user_pages_fast() + - internal_get_user_pages_fast() + + # fast path + - lockless_pages_from_mm() + - gup_{pgd,p4d,pud,pmd,pte}_range() + ptep = pte_offset_map() # not _lock() + pte = ptep_get_lockless(ptep) + + page = pte_page(pte) + try_grab_compound_head(page) # inc refcount + # (RMW/barrier + # on success) + + if (pte_val(pte) != pte_val(*ptep)) # read PTE + put_compound_head(page) # dec refcount + # go slow path + + # slow path + - __gup_longterm_unlocked() + - get_user_pages_unlocked() + - __get_user_pages_locked() + - __get_user_pages() + - follow_{page,p4d,pud,pmd}_mask() + - follow_page_pte() + ptep = pte_offset_map_lock() + pte = *ptep + page = vm_normal_page(pte) + try_grab_page(page) # inc refcount + pte_unmap_unlock() + +- Huge Pages: + ========== + +Regarding transparent hugepages, that logic shouldn't change, as MADV_FREE +(aka lazyfree) pages are PageAnon() && !PageSwapBacked() +(madvise_free_pte_range() -> mark_page_lazyfree() -> lru_lazyfree_fn()) +thus should reach shrink_page_list() -> split_huge_page_to_list() before +try_to_unmap[_one](), so it deals with normal pages only. + +(And in case unlikely/TTU_SPLIT_HUGE_PMD/split_huge_pmd_address() happens, +which should not or be rare, the page refcount should be greater than +mapcount: the head page is referenced by tail pages. That also prevents +checking the head `page` then incorrectly call page_remove_rmap(subpage) +for a tail page, that isn't even in the shrink_page_list()'s page_list (an +effect of split huge pmd/pmvw), as it might happen today in this unlikely +scenario.) + +MADV_FREE'd buffers: +=================== + +So, back to the "if MADV_FREE pages are used as buffers" note. The case +is arguable, and subject to multiple interpretations. + +The madvise(2) manual page on the MADV_FREE advice value says: + +1) 'After a successful MADV_FREE ... data will be lost when + the kernel frees the pages.' +2) 'the free operation will be canceled if the caller writes + into the page' / 'subsequent writes ... will succeed and + then [the] kernel cannot free those dirtied pages' +3) 'If there is no subsequent write, the kernel can free the + pages at any time.' + +Thoughts, questions, considerations... respectively: + +1) Since the kernel didn't actually free the page (page_ref_freeze() + failed), should the data not have been lost? (on userspace read.) +2) Should writes performed by the direct IO read be able to cancel + the free operation? + - Should the direct IO read be considered as 'the caller' too, + as it's been requested by 'the caller'? + - Should the bio technique to dirty pages on return to userspace + (bio_check_pages_dirty() is called/used by __blkdev_direct_IO()) + be considered in another/special way here? +3) Should an upcoming write from a previously requested direct IO + read be considered as a subsequent write, so the kernel should + not free the pages? (as it's known at the time of page reclaim.) + +And lastly: + +Technically, the last point would seem a reasonable consideration and +balance, as the madvise(2) manual page apparently (and fairly) seem to +assume that 'writes' are memory access from the userspace process (not +explicitly considering writes from the kernel or its corner cases; again, +fairly).. plus the kernel fix implementation for the corner case of the +largely 'non-atomic write' encompassed by a direct IO read operation, is +relatively simple; and it helps. + +Reproducer: +========== + +@ test.c (simplified, but works) + + #define _GNU_SOURCE + #include + #include + #include + #include + + int main() { + int fd, i; + char *buf; + + fd = open(DEV, O_RDONLY | O_DIRECT); + + buf = mmap(NULL, BUF_SIZE, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + + for (i = 0; i < BUF_SIZE; i += PAGE_SIZE) + buf[i] = 1; // init to non-zero + + madvise(buf, BUF_SIZE, MADV_FREE); + + read(fd, buf, BUF_SIZE); + + for (i = 0; i < BUF_SIZE; i += PAGE_SIZE) + printf("%p: 0x%x\n", &buf[i], buf[i]); + + return 0; + } + +@ block/fops.c (formerly fs/block_dev.c) + + +#include + ... + ... __blkdev_direct_IO[_simple](...) + { + ... + + if (!strcmp(current->comm, "good")) + + shrink_all_memory(ULONG_MAX); + + + ret = bio_iov_iter_get_pages(...); + + + + if (!strcmp(current->comm, "bad")) + + shrink_all_memory(ULONG_MAX); + ... + } + +@ shell + + # NUM_PAGES=4 + # PAGE_SIZE=$(getconf PAGE_SIZE) + + # yes | dd of=test.img bs=${PAGE_SIZE} count=${NUM_PAGES} + # DEV=$(losetup -f --show test.img) + + # gcc -DDEV=\"$DEV\" \ + -DBUF_SIZE=$((PAGE_SIZE * NUM_PAGES)) \ + -DPAGE_SIZE=${PAGE_SIZE} \ + test.c -o test + + # od -tx1 $DEV + 0000000 79 0a 79 0a 79 0a 79 0a 79 0a 79 0a 79 0a 79 0a + * + 0040000 + + # mv test good + # ./good + 0x7f7c10418000: 0x79 + 0x7f7c10419000: 0x79 + 0x7f7c1041a000: 0x79 + 0x7f7c1041b000: 0x79 + + # mv good bad + # ./bad + 0x7fa1b8050000: 0x0 + 0x7fa1b8051000: 0x0 + 0x7fa1b8052000: 0x0 + 0x7fa1b8053000: 0x0 + +Note: the issue is consistent on v5.17-rc3, but it's intermittent with the +support of MADV_FREE on v4.5 (60%-70% error; needs swap). [wrap +do_direct_IO() in do_blockdev_direct_IO() @ fs/direct-io.c]. + +- v5.17-rc3: + + # for i in {1..1000}; do ./good; done \ + | cut -d: -f2 | sort | uniq -c + 4000 0x79 + + # mv good bad + # for i in {1..1000}; do ./bad; done \ + | cut -d: -f2 | sort | uniq -c + 4000 0x0 + + # free | grep Swap + Swap: 0 0 0 + +- v4.5: + + # for i in {1..1000}; do ./good; done \ + | cut -d: -f2 | sort | uniq -c + 4000 0x79 + + # mv good bad + # for i in {1..1000}; do ./bad; done \ + | cut -d: -f2 | sort | uniq -c + 2702 0x0 + 1298 0x79 + + # swapoff -av + swapoff /swap + + # for i in {1..1000}; do ./bad; done \ + | cut -d: -f2 | sort | uniq -c + 4000 0x79 + +Ceph/TCMalloc: +============= + +For documentation purposes, the use case driving the analysis/fix is Ceph +on Ubuntu 18.04, as the TCMalloc library there still uses MADV_FREE to +release unused memory to the system from the mmap'ed page heap (might be +committed back/used again; it's not munmap'ed.) - PageHeap::DecommitSpan() +-> TCMalloc_SystemRelease() -> madvise() - PageHeap::CommitSpan() -> +TCMalloc_SystemCommit() -> do nothing. + +Note: TCMalloc switched back to MADV_DONTNEED a few commits after the +release in Ubuntu 18.04 (google-perftools/gperftools 2.5), so the issue +just 'disappeared' on Ceph on later Ubuntu releases but is still present +in the kernel, and can be hit by other use cases. + +The observed issue seems to be the old Ceph bug #22464 [1], where checksum +mismatches are observed (and instrumentation with buffer dumps shows +zero-pages read from mmap'ed/MADV_FREE'd page ranges). + +The issue in Ceph was reasonably deemed a kernel bug (comment #50) and +mostly worked around with a retry mechanism, but other parts of Ceph could +still hit that (rocksdb). Anyway, it's less likely to be hit again as +TCMalloc switched out of MADV_FREE by default. + +(Some kernel versions/reports from the Ceph bug, and relation with +the MADV_FREE introduction/changes; TCMalloc versions not checked.) +- 4.4 good +- 4.5 (madv_free: introduction) +- 4.9 bad +- 4.10 good? maybe a swapless system +- 4.12 (madv_free: no longer free instantly on swapless systems) +- 4.13 bad + +[1] https://tracker.ceph.com/issues/22464 + +Thanks: +====== + +Several people contributed to analysis/discussions/tests/reproducers in +the first stages when drilling down on ceph/tcmalloc/linux kernel: + +- Dan Hill +- Dan Streetman +- Dongdong Tao +- Gavin Guo +- Gerald Yang +- Heitor Alves de Siqueira +- Ioanna Alifieraki +- Jay Vosburgh +- Matthew Ruffell +- Ponnuvel Palaniyappan + +Reviews, suggestions, corrections, comments: + +- Minchan Kim +- Yu Zhao +- Huang, Ying +- John Hubbard +- Christoph Hellwig + +[mfo@canonical.com: v4] + Link: https://lkml.kernel.org/r/20220209202659.183418-1-mfo@canonical.comLink: https://lkml.kernel.org/r/20220131230255.789059-1-mfo@canonical.com + +Fixes: 802a3a92ad7a ("mm: reclaim MADV_FREE pages") +Signed-off-by: Mauricio Faria de Oliveira +Reviewed-by: "Huang, Ying" +Cc: Minchan Kim +Cc: Yu Zhao +Cc: Yang Shi +Cc: Miaohe Lin +Cc: Dan Hill +Cc: Dan Streetman +Cc: Dongdong Tao +Cc: Gavin Guo +Cc: Gerald Yang +Cc: Heitor Alves de Siqueira +Cc: Ioanna Alifieraki +Cc: Jay Vosburgh +Cc: Matthew Ruffell +Cc: Ponnuvel Palaniyappan +Cc: +Cc: Christoph Hellwig +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +[mfo: backport: replace folio/test_flag with page/flag equivalents; + mmu_notifier_invalidate_range() is called in the 'discard:' label; + real Fixes: 854e9ed09ded ("mm: support madvise(MADV_FREE)") in v4.] +Signed-off-by: Mauricio Faria de Oliveira +Signed-off-by: Sasha Levin +--- + mm/rmap.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/mm/rmap.c b/mm/rmap.c +index 8ed8ec113d5a..65de683e7f7c 100644 +--- a/mm/rmap.c ++++ b/mm/rmap.c +@@ -1564,7 +1564,30 @@ static bool try_to_unmap_one(struct page *page, struct vm_area_struct *vma, + + /* MADV_FREE page check */ + if (!PageSwapBacked(page)) { +- if (!PageDirty(page)) { ++ int ref_count, map_count; ++ ++ /* ++ * Synchronize with gup_pte_range(): ++ * - clear PTE; barrier; read refcount ++ * - inc refcount; barrier; read PTE ++ */ ++ smp_mb(); ++ ++ ref_count = page_ref_count(page); ++ map_count = page_mapcount(page); ++ ++ /* ++ * Order reads for page refcount and dirty flag ++ * (see comments in __remove_mapping()). ++ */ ++ smp_rmb(); ++ ++ /* ++ * The only page refs must be one from isolation ++ * plus the rmap(s) (dropped by discard:). ++ */ ++ if (ref_count == 1 + map_count && ++ !PageDirty(page)) { + dec_mm_counter(mm, MM_ANONPAGES); + goto discard; + } +-- +2.35.1 + diff --git a/queue-4.14/net-add-missing-sof_timestamping_opt_id-support.patch b/queue-4.14/net-add-missing-sof_timestamping_opt_id-support.patch new file mode 100644 index 00000000000..883765fcdaa --- /dev/null +++ b/queue-4.14/net-add-missing-sof_timestamping_opt_id-support.patch @@ -0,0 +1,150 @@ +From f7be4ad3052718e105315865af54a028e28ad7a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 22:29:55 +0300 +Subject: net: add missing SOF_TIMESTAMPING_OPT_ID support + +From: Willem de Bruijn + +[ Upstream commit 8f932f762e7928d250e21006b00ff9b7718b0a64 ] + +SOF_TIMESTAMPING_OPT_ID is supported on TCP, UDP and RAW sockets. +But it was missing on RAW with IPPROTO_IP, PF_PACKET and CAN. + +Add skb_setup_tx_timestamp that configures both tx_flags and tskey +for these paths that do not need corking or use bytestream keys. + +Fixes: 09c2d251b707 ("net-timestamp: add key to disambiguate concurrent datagrams") +Signed-off-by: Willem de Bruijn +Acked-by: Soheil Hassas Yeganeh +Signed-off-by: David S. Miller +Signed-off-by: Vladimir Oltean +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 25 +++++++++++++++++++++---- + net/can/raw.c | 2 +- + net/ipv4/raw.c | 2 +- + net/ipv6/raw.c | 2 +- + net/packet/af_packet.c | 6 +++--- + 5 files changed, 27 insertions(+), 10 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index f72753391acc..f729ccfe756a 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2311,22 +2311,39 @@ static inline void sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk, + void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags); + + /** +- * sock_tx_timestamp - checks whether the outgoing packet is to be time stamped ++ * _sock_tx_timestamp - checks whether the outgoing packet is to be time stamped + * @sk: socket sending this packet + * @tsflags: timestamping flags to use + * @tx_flags: completed with instructions for time stamping ++ * @tskey: filled in with next sk_tskey (not for TCP, which uses seqno) + * + * Note: callers should take care of initial ``*tx_flags`` value (usually 0) + */ +-static inline void sock_tx_timestamp(const struct sock *sk, __u16 tsflags, +- __u8 *tx_flags) ++static inline void _sock_tx_timestamp(struct sock *sk, __u16 tsflags, ++ __u8 *tx_flags, __u32 *tskey) + { +- if (unlikely(tsflags)) ++ if (unlikely(tsflags)) { + __sock_tx_timestamp(tsflags, tx_flags); ++ if (tsflags & SOF_TIMESTAMPING_OPT_ID && tskey && ++ tsflags & SOF_TIMESTAMPING_TX_RECORD_MASK) ++ *tskey = sk->sk_tskey++; ++ } + if (unlikely(sock_flag(sk, SOCK_WIFI_STATUS))) + *tx_flags |= SKBTX_WIFI_STATUS; + } + ++static inline void sock_tx_timestamp(struct sock *sk, __u16 tsflags, ++ __u8 *tx_flags) ++{ ++ _sock_tx_timestamp(sk, tsflags, tx_flags, NULL); ++} ++ ++static inline void skb_setup_tx_timestamp(struct sk_buff *skb, __u16 tsflags) ++{ ++ _sock_tx_timestamp(skb->sk, tsflags, &skb_shinfo(skb)->tx_flags, ++ &skb_shinfo(skb)->tskey); ++} ++ + /** + * sk_eat_skb - Release a skb if it is no longer needed + * @sk: socket to eat this skb from +diff --git a/net/can/raw.c b/net/can/raw.c +index 2a987a6ea6d7..bda2113a8529 100644 +--- a/net/can/raw.c ++++ b/net/can/raw.c +@@ -814,7 +814,7 @@ static int raw_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) + if (err < 0) + goto free_skb; + +- sock_tx_timestamp(sk, sk->sk_tsflags, &skb_shinfo(skb)->tx_flags); ++ skb_setup_tx_timestamp(skb, sk->sk_tsflags); + + skb->dev = dev; + skb->sk = sk; +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index 9c4b2c0dc68a..19a6ec2adc6c 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -390,7 +390,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4, + + skb->ip_summed = CHECKSUM_NONE; + +- sock_tx_timestamp(sk, sockc->tsflags, &skb_shinfo(skb)->tx_flags); ++ skb_setup_tx_timestamp(skb, sockc->tsflags); + + if (flags & MSG_CONFIRM) + skb_set_dst_pending_confirm(skb, 1); +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c +index f0d8b7e9a685..e8926ebfe74c 100644 +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -659,7 +659,7 @@ static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, int length, + + skb->ip_summed = CHECKSUM_NONE; + +- sock_tx_timestamp(sk, sockc->tsflags, &skb_shinfo(skb)->tx_flags); ++ skb_setup_tx_timestamp(skb, sockc->tsflags); + + if (flags & MSG_CONFIRM) + skb_set_dst_pending_confirm(skb, 1); +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 92394595920c..b0dd17d1992e 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2017,7 +2017,7 @@ static int packet_sendmsg_spkt(struct socket *sock, struct msghdr *msg, + skb->priority = sk->sk_priority; + skb->mark = sk->sk_mark; + +- sock_tx_timestamp(sk, sockc.tsflags, &skb_shinfo(skb)->tx_flags); ++ skb_setup_tx_timestamp(skb, sockc.tsflags); + + if (unlikely(extra_len == 4)) + skb->no_fcs = 1; +@@ -2539,7 +2539,7 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, + skb->dev = dev; + skb->priority = po->sk.sk_priority; + skb->mark = po->sk.sk_mark; +- sock_tx_timestamp(&po->sk, sockc->tsflags, &skb_shinfo(skb)->tx_flags); ++ skb_setup_tx_timestamp(skb, sockc->tsflags); + skb_zcopy_set_nouarg(skb, ph.raw); + + skb_reserve(skb, hlen); +@@ -3002,7 +3002,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + goto out_free; + } + +- sock_tx_timestamp(sk, sockc.tsflags, &skb_shinfo(skb)->tx_flags); ++ skb_setup_tx_timestamp(skb, sockc.tsflags); + + if (!vnet_hdr.gso_type && (len > dev->mtu + reserve + extra_len) && + !packet_extra_vlan_len_allowed(dev, skb)) { +-- +2.35.1 + diff --git a/queue-4.14/net-smc-correct-settings-of-rmb-window-update-limit.patch b/queue-4.14/net-smc-correct-settings-of-rmb-window-update-limit.patch new file mode 100644 index 00000000000..dd958803a8d --- /dev/null +++ b/queue-4.14/net-smc-correct-settings-of-rmb-window-update-limit.patch @@ -0,0 +1,52 @@ +From ae99a4c3d46bcc6a68fdee394ea2848f5515945e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Mar 2022 17:44:00 +0800 +Subject: net/smc: correct settings of RMB window update limit + +From: Dust Li + +[ Upstream commit 6bf536eb5c8ca011d1ff57b5c5f7c57ceac06a37 ] + +rmbe_update_limit is used to limit announcing receive +window updating too frequently. RFC7609 request a minimal +increase in the window size of 10% of the receive buffer +space. But current implementation used: + + min_t(int, rmbe_size / 10, SOCK_MIN_SNDBUF / 2) + +and SOCK_MIN_SNDBUF / 2 == 2304 Bytes, which is almost +always less then 10% of the receive buffer space. + +This causes the receiver always sending CDC message to +update its consumer cursor when it consumes more then 2K +of data. And as a result, we may encounter something like +"TCP silly window syndrome" when sending 2.5~8K message. + +This patch fixes this using max(rmbe_size / 10, SOCK_MIN_SNDBUF / 2). + +With this patch and SMC autocorking enabled, qperf 2K/4K/8K +tcp_bw test shows 45%/75%/40% increase in throughput respectively. + +Signed-off-by: Dust Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/smc_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c +index 7dc907a45c68..a28e06c70e52 100644 +--- a/net/smc/smc_core.c ++++ b/net/smc/smc_core.c +@@ -499,7 +499,7 @@ struct smc_buf_desc *smc_buf_get_slot(struct smc_link_group *lgr, + */ + static inline int smc_rmb_wnd_update_limit(int rmbe_size) + { +- return min_t(int, rmbe_size / 10, SOCK_MIN_SNDBUF / 2); ++ return max_t(int, rmbe_size / 10, SOCK_MIN_SNDBUF / 2); + } + + static struct smc_buf_desc *smc_new_buf_create(struct smc_link_group *lgr, +-- +2.35.1 + diff --git a/queue-4.14/nfs-swap-io-handling-is-slightly-different-for-o_dir.patch b/queue-4.14/nfs-swap-io-handling-is-slightly-different-for-o_dir.patch new file mode 100644 index 00000000000..3244d7d1168 --- /dev/null +++ b/queue-4.14/nfs-swap-io-handling-is-slightly-different-for-o_dir.patch @@ -0,0 +1,183 @@ +From 79362c452c3d573d6de3a2ad553cbb0a9b9f53c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 10:41:44 +1100 +Subject: NFS: swap IO handling is slightly different for O_DIRECT IO + +From: NeilBrown + +[ Upstream commit 64158668ac8b31626a8ce48db4cad08496eb8340 ] + +1/ Taking the i_rwsem for swap IO triggers lockdep warnings regarding + possible deadlocks with "fs_reclaim". These deadlocks could, I believe, + eventuate if a buffered read on the swapfile was attempted. + + We don't need coherence with the page cache for a swap file, and + buffered writes are forbidden anyway. There is no other need for + i_rwsem during direct IO. So never take it for swap_rw() + +2/ generic_write_checks() explicitly forbids writes to swap, and + performs checks that are not needed for swap. So bypass it + for swap_rw(). + +Signed-off-by: NeilBrown +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/direct.c | 42 ++++++++++++++++++++++++++++-------------- + fs/nfs/file.c | 4 ++-- + include/linux/nfs_fs.h | 8 ++++---- + 3 files changed, 34 insertions(+), 20 deletions(-) + +diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c +index e6ea4511c41c..ef30215d5b3a 100644 +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -288,8 +288,8 @@ ssize_t nfs_direct_IO(struct kiocb *iocb, struct iov_iter *iter) + VM_BUG_ON(iov_iter_count(iter) != PAGE_SIZE); + + if (iov_iter_rw(iter) == READ) +- return nfs_file_direct_read(iocb, iter); +- return nfs_file_direct_write(iocb, iter); ++ return nfs_file_direct_read(iocb, iter, true); ++ return nfs_file_direct_write(iocb, iter, true); + } + + static void nfs_direct_release_pages(struct page **pages, unsigned int npages) +@@ -553,6 +553,7 @@ static ssize_t nfs_direct_read_schedule_iovec(struct nfs_direct_req *dreq, + * nfs_file_direct_read - file direct read operation for NFS files + * @iocb: target I/O control block + * @iter: vector of user buffers into which to read data ++ * @swap: flag indicating this is swap IO, not O_DIRECT IO + * + * We use this function for direct reads instead of calling + * generic_file_aio_read() in order to avoid gfar's check to see if +@@ -568,7 +569,8 @@ static ssize_t nfs_direct_read_schedule_iovec(struct nfs_direct_req *dreq, + * client must read the updated atime from the server back into its + * cache. + */ +-ssize_t nfs_file_direct_read(struct kiocb *iocb, struct iov_iter *iter) ++ssize_t nfs_file_direct_read(struct kiocb *iocb, struct iov_iter *iter, ++ bool swap) + { + struct file *file = iocb->ki_filp; + struct address_space *mapping = file->f_mapping; +@@ -610,12 +612,14 @@ ssize_t nfs_file_direct_read(struct kiocb *iocb, struct iov_iter *iter) + if (iter_is_iovec(iter)) + dreq->flags = NFS_ODIRECT_SHOULD_DIRTY; + +- nfs_start_io_direct(inode); ++ if (!swap) ++ nfs_start_io_direct(inode); + + NFS_I(inode)->read_io += count; + requested = nfs_direct_read_schedule_iovec(dreq, iter, iocb->ki_pos); + +- nfs_end_io_direct(inode); ++ if (!swap) ++ nfs_end_io_direct(inode); + + if (requested > 0) { + result = nfs_direct_wait(dreq); +@@ -971,6 +975,7 @@ static ssize_t nfs_direct_write_schedule_iovec(struct nfs_direct_req *dreq, + * nfs_file_direct_write - file direct write operation for NFS files + * @iocb: target I/O control block + * @iter: vector of user buffers from which to write data ++ * @swap: flag indicating this is swap IO, not O_DIRECT IO + * + * We use this function for direct writes instead of calling + * generic_file_aio_write() in order to avoid taking the inode +@@ -987,7 +992,8 @@ static ssize_t nfs_direct_write_schedule_iovec(struct nfs_direct_req *dreq, + * Note that O_APPEND is not supported for NFS direct writes, as there + * is no atomic O_APPEND write facility in the NFS protocol. + */ +-ssize_t nfs_file_direct_write(struct kiocb *iocb, struct iov_iter *iter) ++ssize_t nfs_file_direct_write(struct kiocb *iocb, struct iov_iter *iter, ++ bool swap) + { + ssize_t result = -EINVAL, requested; + size_t count; +@@ -1001,7 +1007,11 @@ ssize_t nfs_file_direct_write(struct kiocb *iocb, struct iov_iter *iter) + dfprintk(FILE, "NFS: direct write(%pD2, %zd@%Ld)\n", + file, iov_iter_count(iter), (long long) iocb->ki_pos); + +- result = generic_write_checks(iocb, iter); ++ if (swap) ++ /* bypass generic checks */ ++ result = iov_iter_count(iter); ++ else ++ result = generic_write_checks(iocb, iter); + if (result <= 0) + return result; + count = result; +@@ -1031,16 +1041,20 @@ ssize_t nfs_file_direct_write(struct kiocb *iocb, struct iov_iter *iter) + if (!is_sync_kiocb(iocb)) + dreq->iocb = iocb; + +- nfs_start_io_direct(inode); ++ if (swap) { ++ requested = nfs_direct_write_schedule_iovec(dreq, iter, pos); ++ } else { ++ nfs_start_io_direct(inode); + +- requested = nfs_direct_write_schedule_iovec(dreq, iter, pos); ++ requested = nfs_direct_write_schedule_iovec(dreq, iter, pos); + +- if (mapping->nrpages) { +- invalidate_inode_pages2_range(mapping, +- pos >> PAGE_SHIFT, end); +- } ++ if (mapping->nrpages) { ++ invalidate_inode_pages2_range(mapping, ++ pos >> PAGE_SHIFT, end); ++ } + +- nfs_end_io_direct(inode); ++ nfs_end_io_direct(inode); ++ } + + if (requested > 0) { + result = nfs_direct_wait(dreq); +diff --git a/fs/nfs/file.c b/fs/nfs/file.c +index 81cca49a8375..4d847fcbedcf 100644 +--- a/fs/nfs/file.c ++++ b/fs/nfs/file.c +@@ -157,7 +157,7 @@ nfs_file_read(struct kiocb *iocb, struct iov_iter *to) + ssize_t result; + + if (iocb->ki_flags & IOCB_DIRECT) +- return nfs_file_direct_read(iocb, to); ++ return nfs_file_direct_read(iocb, to, false); + + dprintk("NFS: read(%pD2, %zu@%lu)\n", + iocb->ki_filp, +@@ -606,7 +606,7 @@ ssize_t nfs_file_write(struct kiocb *iocb, struct iov_iter *from) + return result; + + if (iocb->ki_flags & IOCB_DIRECT) +- return nfs_file_direct_write(iocb, from); ++ return nfs_file_direct_write(iocb, from, false); + + dprintk("NFS: write(%pD2, %zu@%Ld)\n", + file, iov_iter_count(from), (long long) iocb->ki_pos); +diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h +index e51292d9e1a2..b32347453679 100644 +--- a/include/linux/nfs_fs.h ++++ b/include/linux/nfs_fs.h +@@ -442,10 +442,10 @@ static inline struct rpc_cred *nfs_file_cred(struct file *file) + * linux/fs/nfs/direct.c + */ + extern ssize_t nfs_direct_IO(struct kiocb *, struct iov_iter *); +-extern ssize_t nfs_file_direct_read(struct kiocb *iocb, +- struct iov_iter *iter); +-extern ssize_t nfs_file_direct_write(struct kiocb *iocb, +- struct iov_iter *iter); ++ssize_t nfs_file_direct_read(struct kiocb *iocb, ++ struct iov_iter *iter, bool swap); ++ssize_t nfs_file_direct_write(struct kiocb *iocb, ++ struct iov_iter *iter, bool swap); + + /* + * linux/fs/nfs/dir.c +-- +2.35.1 + diff --git a/queue-4.14/nfs-swap-out-must-always-use-stable-writes.patch b/queue-4.14/nfs-swap-out-must-always-use-stable-writes.patch new file mode 100644 index 00000000000..2b1a6b17b35 --- /dev/null +++ b/queue-4.14/nfs-swap-out-must-always-use-stable-writes.patch @@ -0,0 +1,71 @@ +From 3797c7da00ed62c8b7081240e664c50715d13708 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 10:41:44 +1100 +Subject: NFS: swap-out must always use STABLE writes. + +From: NeilBrown + +[ Upstream commit c265de257f558a05c1859ee9e3fed04883b9ec0e ] + +The commit handling code is not safe against memory-pressure deadlocks +when writing to swap. In particular, nfs_commitdata_alloc() blocks +indefinitely waiting for memory, and this can consume all available +workqueue threads. + +swap-out most likely uses STABLE writes anyway as COND_STABLE indicates +that a stable write should be used if the write fits in a single +request, and it normally does. However if we ever swap with a small +wsize, or gather unusually large numbers of pages for a single write, +this might change. + +For safety, make it explicit in the code that direct writes used for swap +must always use FLUSH_STABLE. + +Signed-off-by: NeilBrown +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/direct.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c +index ef30215d5b3a..8acff8f6678e 100644 +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -888,7 +888,7 @@ static const struct nfs_pgio_completion_ops nfs_direct_write_completion_ops = { + */ + static ssize_t nfs_direct_write_schedule_iovec(struct nfs_direct_req *dreq, + struct iov_iter *iter, +- loff_t pos) ++ loff_t pos, int ioflags) + { + struct nfs_pageio_descriptor desc; + struct inode *inode = dreq->inode; +@@ -896,7 +896,7 @@ static ssize_t nfs_direct_write_schedule_iovec(struct nfs_direct_req *dreq, + size_t requested_bytes = 0; + size_t wsize = max_t(size_t, NFS_SERVER(inode)->wsize, PAGE_SIZE); + +- nfs_pageio_init_write(&desc, inode, FLUSH_COND_STABLE, false, ++ nfs_pageio_init_write(&desc, inode, ioflags, false, + &nfs_direct_write_completion_ops); + desc.pg_dreq = dreq; + get_dreq(dreq); +@@ -1042,11 +1042,13 @@ ssize_t nfs_file_direct_write(struct kiocb *iocb, struct iov_iter *iter, + dreq->iocb = iocb; + + if (swap) { +- requested = nfs_direct_write_schedule_iovec(dreq, iter, pos); ++ requested = nfs_direct_write_schedule_iovec(dreq, iter, pos, ++ FLUSH_STABLE); + } else { + nfs_start_io_direct(inode); + +- requested = nfs_direct_write_schedule_iovec(dreq, iter, pos); ++ requested = nfs_direct_write_schedule_iovec(dreq, iter, pos, ++ FLUSH_COND_STABLE); + + if (mapping->nrpages) { + invalidate_inode_pages2_range(mapping, +-- +2.35.1 + diff --git a/queue-4.14/parisc-fix-cpu-affinity-for-lasi-wax-and-dino-chips.patch b/queue-4.14/parisc-fix-cpu-affinity-for-lasi-wax-and-dino-chips.patch new file mode 100644 index 00000000000..31c0f659ed7 --- /dev/null +++ b/queue-4.14/parisc-fix-cpu-affinity-for-lasi-wax-and-dino-chips.patch @@ -0,0 +1,232 @@ +From 32bded08769762619900d0c8c9a9d7bab15aef89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Mar 2022 15:46:26 +0200 +Subject: parisc: Fix CPU affinity for Lasi, WAX and Dino chips + +From: Helge Deller + +[ Upstream commit 939fc856676c266c3bc347c1c1661872a3725c0f ] + +Add the missing logic to allow Lasi, WAX and Dino to set the +CPU affinity. This fixes IRQ migration to other CPUs when a +CPU is shutdown which currently holds the IRQs for one of those +chips. + +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/parisc/dino.c | 41 +++++++++++++++++++++++++++++++++-------- + drivers/parisc/gsc.c | 31 +++++++++++++++++++++++++++++++ + drivers/parisc/gsc.h | 1 + + drivers/parisc/lasi.c | 7 +++---- + drivers/parisc/wax.c | 7 +++---- + 5 files changed, 71 insertions(+), 16 deletions(-) + +diff --git a/drivers/parisc/dino.c b/drivers/parisc/dino.c +index c11515bdac83..4cc84c3b7602 100644 +--- a/drivers/parisc/dino.c ++++ b/drivers/parisc/dino.c +@@ -144,9 +144,8 @@ struct dino_device + { + struct pci_hba_data hba; /* 'C' inheritance - must be first */ + spinlock_t dinosaur_pen; +- unsigned long txn_addr; /* EIR addr to generate interrupt */ +- u32 txn_data; /* EIR data assign to each dino */ + u32 imr; /* IRQ's which are enabled */ ++ struct gsc_irq gsc_irq; + int global_irq[DINO_LOCAL_IRQS]; /* map IMR bit to global irq */ + #ifdef DINO_DEBUG + unsigned int dino_irr0; /* save most recent IRQ line stat */ +@@ -343,14 +342,43 @@ static void dino_unmask_irq(struct irq_data *d) + if (tmp & DINO_MASK_IRQ(local_irq)) { + DBG(KERN_WARNING "%s(): IRQ asserted! (ILR 0x%x)\n", + __func__, tmp); +- gsc_writel(dino_dev->txn_data, dino_dev->txn_addr); ++ gsc_writel(dino_dev->gsc_irq.txn_data, dino_dev->gsc_irq.txn_addr); + } + } + ++#ifdef CONFIG_SMP ++static int dino_set_affinity_irq(struct irq_data *d, const struct cpumask *dest, ++ bool force) ++{ ++ struct dino_device *dino_dev = irq_data_get_irq_chip_data(d); ++ struct cpumask tmask; ++ int cpu_irq; ++ u32 eim; ++ ++ if (!cpumask_and(&tmask, dest, cpu_online_mask)) ++ return -EINVAL; ++ ++ cpu_irq = cpu_check_affinity(d, &tmask); ++ if (cpu_irq < 0) ++ return cpu_irq; ++ ++ dino_dev->gsc_irq.txn_addr = txn_affinity_addr(d->irq, cpu_irq); ++ eim = ((u32) dino_dev->gsc_irq.txn_addr) | dino_dev->gsc_irq.txn_data; ++ __raw_writel(eim, dino_dev->hba.base_addr+DINO_IAR0); ++ ++ irq_data_update_effective_affinity(d, &tmask); ++ ++ return IRQ_SET_MASK_OK; ++} ++#endif ++ + static struct irq_chip dino_interrupt_type = { + .name = "GSC-PCI", + .irq_unmask = dino_unmask_irq, + .irq_mask = dino_mask_irq, ++#ifdef CONFIG_SMP ++ .irq_set_affinity = dino_set_affinity_irq, ++#endif + }; + + +@@ -811,7 +839,6 @@ static int __init dino_common_init(struct parisc_device *dev, + { + int status; + u32 eim; +- struct gsc_irq gsc_irq; + struct resource *res; + + pcibios_register_hba(&dino_dev->hba); +@@ -826,10 +853,8 @@ static int __init dino_common_init(struct parisc_device *dev, + ** still only has 11 IRQ input lines - just map some of them + ** to a different processor. + */ +- dev->irq = gsc_alloc_irq(&gsc_irq); +- dino_dev->txn_addr = gsc_irq.txn_addr; +- dino_dev->txn_data = gsc_irq.txn_data; +- eim = ((u32) gsc_irq.txn_addr) | gsc_irq.txn_data; ++ dev->irq = gsc_alloc_irq(&dino_dev->gsc_irq); ++ eim = ((u32) dino_dev->gsc_irq.txn_addr) | dino_dev->gsc_irq.txn_data; + + /* + ** Dino needs a PA "IRQ" to get a processor's attention. +diff --git a/drivers/parisc/gsc.c b/drivers/parisc/gsc.c +index 1bab5a2cd359..a0cae6194591 100644 +--- a/drivers/parisc/gsc.c ++++ b/drivers/parisc/gsc.c +@@ -139,10 +139,41 @@ static void gsc_asic_unmask_irq(struct irq_data *d) + */ + } + ++#ifdef CONFIG_SMP ++static int gsc_set_affinity_irq(struct irq_data *d, const struct cpumask *dest, ++ bool force) ++{ ++ struct gsc_asic *gsc_dev = irq_data_get_irq_chip_data(d); ++ struct cpumask tmask; ++ int cpu_irq; ++ ++ if (!cpumask_and(&tmask, dest, cpu_online_mask)) ++ return -EINVAL; ++ ++ cpu_irq = cpu_check_affinity(d, &tmask); ++ if (cpu_irq < 0) ++ return cpu_irq; ++ ++ gsc_dev->gsc_irq.txn_addr = txn_affinity_addr(d->irq, cpu_irq); ++ gsc_dev->eim = ((u32) gsc_dev->gsc_irq.txn_addr) | gsc_dev->gsc_irq.txn_data; ++ ++ /* switch IRQ's for devices below LASI/WAX to other CPU */ ++ gsc_writel(gsc_dev->eim, gsc_dev->hpa + OFFSET_IAR); ++ ++ irq_data_update_effective_affinity(d, &tmask); ++ ++ return IRQ_SET_MASK_OK; ++} ++#endif ++ ++ + static struct irq_chip gsc_asic_interrupt_type = { + .name = "GSC-ASIC", + .irq_unmask = gsc_asic_unmask_irq, + .irq_mask = gsc_asic_mask_irq, ++#ifdef CONFIG_SMP ++ .irq_set_affinity = gsc_set_affinity_irq, ++#endif + }; + + int gsc_assign_irq(struct irq_chip *type, void *data) +diff --git a/drivers/parisc/gsc.h b/drivers/parisc/gsc.h +index b9d7bfb68e24..9a364a4d09a5 100644 +--- a/drivers/parisc/gsc.h ++++ b/drivers/parisc/gsc.h +@@ -32,6 +32,7 @@ struct gsc_asic { + int version; + int type; + int eim; ++ struct gsc_irq gsc_irq; + int global_irq[32]; + }; + +diff --git a/drivers/parisc/lasi.c b/drivers/parisc/lasi.c +index 4c9225431500..07ac0b8ee4fe 100644 +--- a/drivers/parisc/lasi.c ++++ b/drivers/parisc/lasi.c +@@ -167,7 +167,6 @@ static int __init lasi_init_chip(struct parisc_device *dev) + { + extern void (*chassis_power_off)(void); + struct gsc_asic *lasi; +- struct gsc_irq gsc_irq; + int ret; + + lasi = kzalloc(sizeof(*lasi), GFP_KERNEL); +@@ -189,7 +188,7 @@ static int __init lasi_init_chip(struct parisc_device *dev) + lasi_init_irq(lasi); + + /* the IRQ lasi should use */ +- dev->irq = gsc_alloc_irq(&gsc_irq); ++ dev->irq = gsc_alloc_irq(&lasi->gsc_irq); + if (dev->irq < 0) { + printk(KERN_ERR "%s(): cannot get GSC irq\n", + __func__); +@@ -197,9 +196,9 @@ static int __init lasi_init_chip(struct parisc_device *dev) + return -EBUSY; + } + +- lasi->eim = ((u32) gsc_irq.txn_addr) | gsc_irq.txn_data; ++ lasi->eim = ((u32) lasi->gsc_irq.txn_addr) | lasi->gsc_irq.txn_data; + +- ret = request_irq(gsc_irq.irq, gsc_asic_intr, 0, "lasi", lasi); ++ ret = request_irq(lasi->gsc_irq.irq, gsc_asic_intr, 0, "lasi", lasi); + if (ret < 0) { + kfree(lasi); + return ret; +diff --git a/drivers/parisc/wax.c b/drivers/parisc/wax.c +index 6a3e40702b3b..5c42bfa83398 100644 +--- a/drivers/parisc/wax.c ++++ b/drivers/parisc/wax.c +@@ -72,7 +72,6 @@ static int __init wax_init_chip(struct parisc_device *dev) + { + struct gsc_asic *wax; + struct parisc_device *parent; +- struct gsc_irq gsc_irq; + int ret; + + wax = kzalloc(sizeof(*wax), GFP_KERNEL); +@@ -89,7 +88,7 @@ static int __init wax_init_chip(struct parisc_device *dev) + wax_init_irq(wax); + + /* the IRQ wax should use */ +- dev->irq = gsc_claim_irq(&gsc_irq, WAX_GSC_IRQ); ++ dev->irq = gsc_claim_irq(&wax->gsc_irq, WAX_GSC_IRQ); + if (dev->irq < 0) { + printk(KERN_ERR "%s(): cannot get GSC irq\n", + __func__); +@@ -97,9 +96,9 @@ static int __init wax_init_chip(struct parisc_device *dev) + return -EBUSY; + } + +- wax->eim = ((u32) gsc_irq.txn_addr) | gsc_irq.txn_data; ++ wax->eim = ((u32) wax->gsc_irq.txn_addr) | wax->gsc_irq.txn_data; + +- ret = request_irq(gsc_irq.irq, gsc_asic_intr, 0, "wax", wax); ++ ret = request_irq(wax->gsc_irq.irq, gsc_asic_intr, 0, "wax", wax); + if (ret < 0) { + kfree(wax); + return ret; +-- +2.35.1 + diff --git a/queue-4.14/pci-aardvark-fix-support-for-msi-interrupts.patch b/queue-4.14/pci-aardvark-fix-support-for-msi-interrupts.patch new file mode 100644 index 00000000000..a57e78ca73c --- /dev/null +++ b/queue-4.14/pci-aardvark-fix-support-for-msi-interrupts.patch @@ -0,0 +1,84 @@ +From 74ae655f9c5baf58b07538be5cbfa121713d58ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jan 2022 02:49:58 +0100 +Subject: PCI: aardvark: Fix support for MSI interrupts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit b0b0b8b897f8e12b2368e868bd7cdc5742d5c5a9 ] + +Aardvark hardware supports Multi-MSI and MSI_FLAG_MULTI_PCI_MSI is already +set for the MSI chip. But when allocating MSI interrupt numbers for +Multi-MSI, the numbers need to be properly aligned, otherwise endpoint +devices send MSI interrupt with incorrect numbers. + +Fix this issue by using function bitmap_find_free_region() instead of +bitmap_find_next_zero_area(). + +To ensure that aligned MSI interrupt numbers are used by endpoint devices, +we cannot use Linux virtual irq numbers (as they are random and not +properly aligned). Instead we need to use the aligned hwirq numbers. + +This change fixes receiving MSI interrupts on Armada 3720 boards and +allows using NVMe disks which use Multi-MSI feature with 3 interrupts. + +Without this NVMe disks freeze booting as linux nvme-core.c is waiting +60s for an interrupt. + +Link: https://lore.kernel.org/r/20220110015018.26359-4-kabel@kernel.org +Signed-off-by: Pali Rohár +Signed-off-by: Marek Behún +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Sasha Levin +--- + drivers/pci/host/pci-aardvark.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/drivers/pci/host/pci-aardvark.c b/drivers/pci/host/pci-aardvark.c +index 9ae544e113dc..124fd7cb5da5 100644 +--- a/drivers/pci/host/pci-aardvark.c ++++ b/drivers/pci/host/pci-aardvark.c +@@ -834,7 +834,7 @@ static void advk_msi_irq_compose_msi_msg(struct irq_data *data, + + msg->address_lo = lower_32_bits(msi_msg); + msg->address_hi = upper_32_bits(msi_msg); +- msg->data = data->irq; ++ msg->data = data->hwirq; + } + + static int advk_msi_set_affinity(struct irq_data *irq_data, +@@ -851,15 +851,11 @@ static int advk_msi_irq_domain_alloc(struct irq_domain *domain, + int hwirq, i; + + mutex_lock(&pcie->msi_used_lock); +- hwirq = bitmap_find_next_zero_area(pcie->msi_used, MSI_IRQ_NUM, +- 0, nr_irqs, 0); +- if (hwirq >= MSI_IRQ_NUM) { +- mutex_unlock(&pcie->msi_used_lock); +- return -ENOSPC; +- } +- +- bitmap_set(pcie->msi_used, hwirq, nr_irqs); ++ hwirq = bitmap_find_free_region(pcie->msi_used, MSI_IRQ_NUM, ++ order_base_2(nr_irqs)); + mutex_unlock(&pcie->msi_used_lock); ++ if (hwirq < 0) ++ return -ENOSPC; + + for (i = 0; i < nr_irqs; i++) + irq_domain_set_info(domain, virq + i, hwirq + i, +@@ -877,7 +873,7 @@ static void advk_msi_irq_domain_free(struct irq_domain *domain, + struct advk_pcie *pcie = domain->host_data; + + mutex_lock(&pcie->msi_used_lock); +- bitmap_clear(pcie->msi_used, d->hwirq, nr_irqs); ++ bitmap_release_region(pcie->msi_used, d->hwirq, order_base_2(nr_irqs)); + mutex_unlock(&pcie->msi_used_lock); + } + +-- +2.35.1 + diff --git a/queue-4.14/power-supply-axp20x_battery-properly-report-current-.patch b/queue-4.14/power-supply-axp20x_battery-properly-report-current-.patch new file mode 100644 index 00000000000..fb424f6fb73 --- /dev/null +++ b/queue-4.14/power-supply-axp20x_battery-properly-report-current-.patch @@ -0,0 +1,63 @@ +From 4cada8c038c9812136aff9ce39b5ca4899a4917d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jan 2022 11:47:27 +0300 +Subject: power: supply: axp20x_battery: properly report current when + discharging + +From: Evgeny Boger + +[ Upstream commit d4f408cdcd26921c1268cb8dcbe8ffb6faf837f3 ] + +As stated in [1], negative current values are used for discharging +batteries. + +AXP PMICs internally have two different ADC channels for shunt current +measurement: one used during charging and one during discharging. +The values reported by these ADCs are unsigned. +While the driver properly selects ADC channel to get the data from, +it doesn't apply negative sign when reporting discharging current. + +[1] Documentation/ABI/testing/sysfs-class-power + +Signed-off-by: Evgeny Boger +Acked-by: Chen-Yu Tsai +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/axp20x_battery.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/power/supply/axp20x_battery.c b/drivers/power/supply/axp20x_battery.c +index 7494f0f0eadb..a2e2443357fa 100644 +--- a/drivers/power/supply/axp20x_battery.c ++++ b/drivers/power/supply/axp20x_battery.c +@@ -160,7 +160,6 @@ static int axp20x_battery_get_prop(struct power_supply *psy, + union power_supply_propval *val) + { + struct axp20x_batt_ps *axp20x_batt = power_supply_get_drvdata(psy); +- struct iio_channel *chan; + int ret = 0, reg, val1; + + switch (psp) { +@@ -240,12 +239,12 @@ static int axp20x_battery_get_prop(struct power_supply *psy, + if (ret) + return ret; + +- if (reg & AXP20X_PWR_STATUS_BAT_CHARGING) +- chan = axp20x_batt->batt_chrg_i; +- else +- chan = axp20x_batt->batt_dischrg_i; +- +- ret = iio_read_channel_processed(chan, &val->intval); ++ if (reg & AXP20X_PWR_STATUS_BAT_CHARGING) { ++ ret = iio_read_channel_processed(axp20x_batt->batt_chrg_i, &val->intval); ++ } else { ++ ret = iio_read_channel_processed(axp20x_batt->batt_dischrg_i, &val1); ++ val->intval = -val1; ++ } + if (ret) + return ret; + +-- +2.35.1 + diff --git a/queue-4.14/powerpc-code-patching-pre-map-patch-area.patch b/queue-4.14/powerpc-code-patching-pre-map-patch-area.patch new file mode 100644 index 00000000000..407e48a253a --- /dev/null +++ b/queue-4.14/powerpc-code-patching-pre-map-patch-area.patch @@ -0,0 +1,99 @@ +From 9f4ba417df4c9ff048c90698c54c6a856b2212c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Feb 2022 12:58:21 +1100 +Subject: powerpc/code-patching: Pre-map patch area + +From: Michael Ellerman + +[ Upstream commit 591b4b268435f00d2f0b81f786c2c7bd5ef66416 ] + +Paul reported a warning with DEBUG_ATOMIC_SLEEP=y: + + BUG: sleeping function called from invalid context at include/linux/sched/mm.h:256 + in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0 + preempt_count: 0, expected: 0 + ... + Call Trace: + dump_stack_lvl+0xa0/0xec (unreliable) + __might_resched+0x2f4/0x310 + kmem_cache_alloc+0x220/0x4b0 + __pud_alloc+0x74/0x1d0 + hash__map_kernel_page+0x2cc/0x390 + do_patch_instruction+0x134/0x4a0 + arch_jump_label_transform+0x64/0x78 + __jump_label_update+0x148/0x180 + static_key_enable_cpuslocked+0xd0/0x120 + static_key_enable+0x30/0x50 + check_kvm_guest+0x60/0x88 + pSeries_smp_probe+0x54/0xb0 + smp_prepare_cpus+0x3e0/0x430 + kernel_init_freeable+0x20c/0x43c + kernel_init+0x30/0x1a0 + ret_from_kernel_thread+0x5c/0x64 + +Peter pointed out that this is because do_patch_instruction() has +disabled interrupts, but then map_patch_area() calls map_kernel_page() +then hash__map_kernel_page() which does a sleeping memory allocation. + +We only see the warning in KVM guests with SMT enabled, which is not +particularly common, or on other platforms if CONFIG_KPROBES is +disabled, also not common. The reason we don't see it in most +configurations is that another path that happens to have interrupts +enabled has allocated the required page tables for us, eg. there's a +path in kprobes init that does that. That's just pure luck though. + +As Christophe suggested, the simplest solution is to do a dummy +map/unmap when we initialise the patching, so that any required page +table levels are pre-allocated before the first call to +do_patch_instruction(). This works because the unmap doesn't free any +page tables that were allocated by the map, it just clears the PTE, +leaving the page table levels there for the next map. + +Reported-by: Paul Menzel +Debugged-by: Peter Zijlstra +Suggested-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220223015821.473097-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/lib/code-patching.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/arch/powerpc/lib/code-patching.c b/arch/powerpc/lib/code-patching.c +index 85f84b45d3a0..c58a619a68b3 100644 +--- a/arch/powerpc/lib/code-patching.c ++++ b/arch/powerpc/lib/code-patching.c +@@ -47,9 +47,14 @@ int raw_patch_instruction(unsigned int *addr, unsigned int instr) + #ifdef CONFIG_STRICT_KERNEL_RWX + static DEFINE_PER_CPU(struct vm_struct *, text_poke_area); + ++static int map_patch_area(void *addr, unsigned long text_poke_addr); ++static void unmap_patch_area(unsigned long addr); ++ + static int text_area_cpu_up(unsigned int cpu) + { + struct vm_struct *area; ++ unsigned long addr; ++ int err; + + area = get_vm_area(PAGE_SIZE, VM_ALLOC); + if (!area) { +@@ -57,6 +62,15 @@ static int text_area_cpu_up(unsigned int cpu) + cpu); + return -1; + } ++ ++ // Map/unmap the area to ensure all page tables are pre-allocated ++ addr = (unsigned long)area->addr; ++ err = map_patch_area(empty_zero_page, addr); ++ if (err) ++ return err; ++ ++ unmap_patch_area(addr); ++ + this_cpu_write(text_poke_area, area); + + return 0; +-- +2.35.1 + diff --git a/queue-4.14/powerpc-dts-t104xrdb-fix-phy-type-for-fman-4-5.patch b/queue-4.14/powerpc-dts-t104xrdb-fix-phy-type-for-fman-4-5.patch new file mode 100644 index 00000000000..36b4b514d28 --- /dev/null +++ b/queue-4.14/powerpc-dts-t104xrdb-fix-phy-type-for-fman-4-5.patch @@ -0,0 +1,47 @@ +From e2a8aa90078900db2ac2162e2a27862cde264ce7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Dec 2021 18:11:21 +0300 +Subject: powerpc: dts: t104xrdb: fix phy type for FMAN 4/5 + +From: Maxim Kiselev + +[ Upstream commit 17846485dff91acce1ad47b508b633dffc32e838 ] + +T1040RDB has two RTL8211E-VB phys which requires setting +of internal delays for correct work. + +Changing the phy-connection-type property to `rgmii-id` +will fix this issue. + +Signed-off-by: Maxim Kiselev +Reviewed-by: Maxim Kochetkov +Reviewed-by: Vladimir Oltean +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211230151123.1258321-1-bigunclemax@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/boot/dts/fsl/t104xrdb.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/boot/dts/fsl/t104xrdb.dtsi b/arch/powerpc/boot/dts/fsl/t104xrdb.dtsi +index 5fdddbd2a62b..b0a9beab1c26 100644 +--- a/arch/powerpc/boot/dts/fsl/t104xrdb.dtsi ++++ b/arch/powerpc/boot/dts/fsl/t104xrdb.dtsi +@@ -139,12 +139,12 @@ + fman@400000 { + ethernet@e6000 { + phy-handle = <&phy_rgmii_0>; +- phy-connection-type = "rgmii"; ++ phy-connection-type = "rgmii-id"; + }; + + ethernet@e8000 { + phy-handle = <&phy_rgmii_1>; +- phy-connection-type = "rgmii"; ++ phy-connection-type = "rgmii-id"; + }; + + mdio0: mdio@fc000 { +-- +2.35.1 + diff --git a/queue-4.14/powerpc-set-crashkernel-offset-to-mid-of-rma-region.patch b/queue-4.14/powerpc-set-crashkernel-offset-to-mid-of-rma-region.patch new file mode 100644 index 00000000000..4101ed0fc02 --- /dev/null +++ b/queue-4.14/powerpc-set-crashkernel-offset-to-mid-of-rma-region.patch @@ -0,0 +1,90 @@ +From 8941879bfd3d505106738c304bfe817bdffd56ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Feb 2022 14:26:01 +0530 +Subject: powerpc: Set crashkernel offset to mid of RMA region + +From: Sourabh Jain + +[ Upstream commit 7c5ed82b800d8615cdda00729e7b62e5899f0b13 ] + +On large config LPARs (having 192 and more cores), Linux fails to boot +due to insufficient memory in the first memblock. It is due to the +memory reservation for the crash kernel which starts at 128MB offset of +the first memblock. This memory reservation for the crash kernel doesn't +leave enough space in the first memblock to accommodate other essential +system resources. + +The crash kernel start address was set to 128MB offset by default to +ensure that the crash kernel get some memory below the RMA region which +is used to be of size 256MB. But given that the RMA region size can be +512MB or more, setting the crash kernel offset to mid of RMA size will +leave enough space for the kernel to allocate memory for other system +resources. + +Since the above crash kernel offset change is only applicable to the LPAR +platform, the LPAR feature detection is pushed before the crash kernel +reservation. The rest of LPAR specific initialization will still +be done during pseries_probe_fw_features as usual. + +This patch is dependent on changes to paca allocation for boot CPU. It +expect boot CPU to discover 1T segment support which is introduced by +the patch posted here: +https://lists.ozlabs.org/pipermail/linuxppc-dev/2022-January/239175.html + +Reported-by: Abdul haleem +Signed-off-by: Sourabh Jain +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220204085601.107257-1-sourabhjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/machine_kexec.c | 15 +++++++++++---- + arch/powerpc/kernel/rtas.c | 6 ++++++ + 2 files changed, 17 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/kernel/machine_kexec.c b/arch/powerpc/kernel/machine_kexec.c +index cb4d6cd949fc..101b0fb7a80e 100644 +--- a/arch/powerpc/kernel/machine_kexec.c ++++ b/arch/powerpc/kernel/machine_kexec.c +@@ -145,11 +145,18 @@ void __init reserve_crashkernel(void) + if (!crashk_res.start) { + #ifdef CONFIG_PPC64 + /* +- * On 64bit we split the RMO in half but cap it at half of +- * a small SLB (128MB) since the crash kernel needs to place +- * itself and some stacks to be in the first segment. ++ * On the LPAR platform place the crash kernel to mid of ++ * RMA size (512MB or more) to ensure the crash kernel ++ * gets enough space to place itself and some stack to be ++ * in the first segment. At the same time normal kernel ++ * also get enough space to allocate memory for essential ++ * system resource in the first segment. Keep the crash ++ * kernel starts at 128MB offset on other platforms. + */ +- crashk_res.start = min(0x8000000ULL, (ppc64_rma_size / 2)); ++ if (firmware_has_feature(FW_FEATURE_LPAR)) ++ crashk_res.start = ppc64_rma_size / 2; ++ else ++ crashk_res.start = min(0x8000000ULL, (ppc64_rma_size / 2)); + #else + crashk_res.start = KDUMP_KERNELBASE; + #endif +diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c +index 55b266d7afe1..912e7f69266e 100644 +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -1356,6 +1356,12 @@ int __init early_init_dt_scan_rtas(unsigned long node, + entryp = of_get_flat_dt_prop(node, "linux,rtas-entry", NULL); + sizep = of_get_flat_dt_prop(node, "rtas-size", NULL); + ++#ifdef CONFIG_PPC64 ++ /* need this feature to decide the crashkernel offset */ ++ if (of_get_flat_dt_prop(node, "ibm,hypertas-functions", NULL)) ++ powerpc_firmware_features |= FW_FEATURE_LPAR; ++#endif ++ + if (basep && entryp && sizep) { + rtas.base = *basep; + rtas.entry = *entryp; +-- +2.35.1 + diff --git a/queue-4.14/ptp-replace-snprintf-with-sysfs_emit.patch b/queue-4.14/ptp-replace-snprintf-with-sysfs_emit.patch new file mode 100644 index 00000000000..f19c217c066 --- /dev/null +++ b/queue-4.14/ptp-replace-snprintf-with-sysfs_emit.patch @@ -0,0 +1,52 @@ +From 368ee4991bb9086c74e53473bc346926f464b0c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jan 2022 08:02:36 +0800 +Subject: ptp: replace snprintf with sysfs_emit + +From: Yang Guang + +[ Upstream commit e2cf07654efb0fd7bbcb475c6f74be7b5755a8fd ] + +coccinelle report: +./drivers/ptp/ptp_sysfs.c:17:8-16: +WARNING: use scnprintf or sprintf +./drivers/ptp/ptp_sysfs.c:390:8-16: +WARNING: use scnprintf or sprintf + +Use sysfs_emit instead of scnprintf or sprintf makes more sense. + +Reported-by: Zeal Robot +Signed-off-by: Yang Guang +Signed-off-by: David Yang +Acked-by: Richard Cochran +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/ptp/ptp_sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c +index 48401dfcd999..f97a5eefa2e2 100644 +--- a/drivers/ptp/ptp_sysfs.c ++++ b/drivers/ptp/ptp_sysfs.c +@@ -26,7 +26,7 @@ static ssize_t clock_name_show(struct device *dev, + struct device_attribute *attr, char *page) + { + struct ptp_clock *ptp = dev_get_drvdata(dev); +- return snprintf(page, PAGE_SIZE-1, "%s\n", ptp->info->name); ++ return sysfs_emit(page, "%s\n", ptp->info->name); + } + static DEVICE_ATTR_RO(clock_name); + +@@ -240,7 +240,7 @@ static ssize_t ptp_pin_show(struct device *dev, struct device_attribute *attr, + + mutex_unlock(&ptp->pincfg_mux); + +- return snprintf(page, PAGE_SIZE, "%u %u\n", func, chan); ++ return sysfs_emit(page, "%u %u\n", func, chan); + } + + static ssize_t ptp_pin_store(struct device *dev, struct device_attribute *attr, +-- +2.35.1 + diff --git a/queue-4.14/rtc-wm8350-handle-error-for-wm8350_register_irq.patch b/queue-4.14/rtc-wm8350-handle-error-for-wm8350_register_irq.patch new file mode 100644 index 00000000000..3209719b6fd --- /dev/null +++ b/queue-4.14/rtc-wm8350-handle-error-for-wm8350_register_irq.patch @@ -0,0 +1,55 @@ +From bbf8b78457afd324d7f6be47114e439d472b29a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Mar 2022 16:50:30 +0800 +Subject: rtc: wm8350: Handle error for wm8350_register_irq + +From: Jiasheng Jiang + +[ Upstream commit 43f0269b6b89c1eec4ef83c48035608f4dcdd886 ] + +As the potential failure of the wm8350_register_irq(), +it should be better to check it and return error if fails. +Also, it need not free 'wm_rtc->rtc' since it will be freed +automatically. + +Fixes: 077eaf5b40ec ("rtc: rtc-wm8350: add support for WM8350 RTC") +Signed-off-by: Jiasheng Jiang +Acked-by: Charles Keepax +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20220303085030.291793-1-jiasheng@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-wm8350.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/rtc/rtc-wm8350.c b/drivers/rtc/rtc-wm8350.c +index 483c7993516b..ed874e5c5fc8 100644 +--- a/drivers/rtc/rtc-wm8350.c ++++ b/drivers/rtc/rtc-wm8350.c +@@ -441,14 +441,21 @@ static int wm8350_rtc_probe(struct platform_device *pdev) + return ret; + } + +- wm8350_register_irq(wm8350, WM8350_IRQ_RTC_SEC, ++ ret = wm8350_register_irq(wm8350, WM8350_IRQ_RTC_SEC, + wm8350_rtc_update_handler, 0, + "RTC Seconds", wm8350); ++ if (ret) ++ return ret; ++ + wm8350_mask_irq(wm8350, WM8350_IRQ_RTC_SEC); + +- wm8350_register_irq(wm8350, WM8350_IRQ_RTC_ALM, ++ ret = wm8350_register_irq(wm8350, WM8350_IRQ_RTC_ALM, + wm8350_rtc_alarm_handler, 0, + "RTC Alarm", wm8350); ++ if (ret) { ++ wm8350_free_irq(wm8350, WM8350_IRQ_RTC_SEC, wm8350); ++ return ret; ++ } + + return 0; + } +-- +2.35.1 + diff --git a/queue-4.14/scsi-aha152x-fix-aha152x_setup-__setup-handler-retur.patch b/queue-4.14/scsi-aha152x-fix-aha152x_setup-__setup-handler-retur.patch new file mode 100644 index 00000000000..2d52165c8aa --- /dev/null +++ b/queue-4.14/scsi-aha152x-fix-aha152x_setup-__setup-handler-retur.patch @@ -0,0 +1,52 @@ +From fa4adb171f555128fca039d1f633d7ef998675d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Feb 2022 16:06:23 -0800 +Subject: scsi: aha152x: Fix aha152x_setup() __setup handler return value + +From: Randy Dunlap + +[ Upstream commit cc8294ec4738d25e2bb2d71f7d82a9bf7f4a157b ] + +__setup() handlers should return 1 if the command line option is handled +and 0 if not (or maybe never return 0; doing so just pollutes init's +environment with strings that are not init arguments/parameters). + +Return 1 from aha152x_setup() to indicate that the boot option has been +handled. + +Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru +Link: https://lore.kernel.org/r/20220223000623.5920-1-rdunlap@infradead.org +Cc: "Juergen E. Fischer" +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Reported-by: Igor Zhbanov +Signed-off-by: Randy Dunlap +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aha152x.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/aha152x.c b/drivers/scsi/aha152x.c +index bc0058df31c6..24ef8e326ee5 100644 +--- a/drivers/scsi/aha152x.c ++++ b/drivers/scsi/aha152x.c +@@ -3374,13 +3374,11 @@ static int __init aha152x_setup(char *str) + setup[setup_count].synchronous = ints[0] >= 6 ? ints[6] : 1; + setup[setup_count].delay = ints[0] >= 7 ? ints[7] : DELAY_DEFAULT; + setup[setup_count].ext_trans = ints[0] >= 8 ? ints[8] : 0; +- if (ints[0] > 8) { /*}*/ ++ if (ints[0] > 8) + printk(KERN_NOTICE "aha152x: usage: aha152x=[,[," + "[,[,[,[,[,]]]]]]]\n"); +- } else { ++ else + setup_count++; +- return 0; +- } + + return 1; + } +-- +2.35.1 + diff --git a/queue-4.14/scsi-bfa-replace-snprintf-with-sysfs_emit.patch b/queue-4.14/scsi-bfa-replace-snprintf-with-sysfs_emit.patch new file mode 100644 index 00000000000..4c3051c3d57 --- /dev/null +++ b/queue-4.14/scsi-bfa-replace-snprintf-with-sysfs_emit.patch @@ -0,0 +1,169 @@ +From 75a4a5b3e4d7e2e222c7d92f49101eb11947d88a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jan 2022 08:03:46 +0800 +Subject: scsi: bfa: Replace snprintf() with sysfs_emit() + +From: Yang Guang + +[ Upstream commit 2245ea91fd3a04cafbe2f54911432a8657528c3b ] + +coccinelle report: +./drivers/scsi/bfa/bfad_attr.c:908:8-16: +WARNING: use scnprintf or sprintf +./drivers/scsi/bfa/bfad_attr.c:860:8-16: +WARNING: use scnprintf or sprintf +./drivers/scsi/bfa/bfad_attr.c:888:8-16: +WARNING: use scnprintf or sprintf +./drivers/scsi/bfa/bfad_attr.c:853:8-16: +WARNING: use scnprintf or sprintf +./drivers/scsi/bfa/bfad_attr.c:808:8-16: +WARNING: use scnprintf or sprintf +./drivers/scsi/bfa/bfad_attr.c:728:8-16: +WARNING: use scnprintf or sprintf +./drivers/scsi/bfa/bfad_attr.c:822:8-16: +WARNING: use scnprintf or sprintf +./drivers/scsi/bfa/bfad_attr.c:927:9-17: +WARNING: use scnprintf or sprintf +./drivers/scsi/bfa/bfad_attr.c:900:8-16: +WARNING: use scnprintf or sprintf +./drivers/scsi/bfa/bfad_attr.c:874:8-16: +WARNING: use scnprintf or sprintf +./drivers/scsi/bfa/bfad_attr.c:714:8-16: +WARNING: use scnprintf or sprintf +./drivers/scsi/bfa/bfad_attr.c:839:8-16: +WARNING: use scnprintf or sprintf + +Use sysfs_emit() instead of scnprintf() or sprintf(). + +Link: https://lore.kernel.org/r/def83ff75faec64ba592b867a8499b1367bae303.1643181468.git.yang.guang5@zte.com.cn +Reported-by: Zeal Robot +Signed-off-by: Yang Guang +Signed-off-by: David Yang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bfa/bfad_attr.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/drivers/scsi/bfa/bfad_attr.c b/drivers/scsi/bfa/bfad_attr.c +index 0a70d54a4df6..47e599352468 100644 +--- a/drivers/scsi/bfa/bfad_attr.c ++++ b/drivers/scsi/bfa/bfad_attr.c +@@ -722,7 +722,7 @@ bfad_im_serial_num_show(struct device *dev, struct device_attribute *attr, + char serial_num[BFA_ADAPTER_SERIAL_NUM_LEN]; + + bfa_get_adapter_serial_num(&bfad->bfa, serial_num); +- return snprintf(buf, PAGE_SIZE, "%s\n", serial_num); ++ return sysfs_emit(buf, "%s\n", serial_num); + } + + static ssize_t +@@ -736,7 +736,7 @@ bfad_im_model_show(struct device *dev, struct device_attribute *attr, + char model[BFA_ADAPTER_MODEL_NAME_LEN]; + + bfa_get_adapter_model(&bfad->bfa, model); +- return snprintf(buf, PAGE_SIZE, "%s\n", model); ++ return sysfs_emit(buf, "%s\n", model); + } + + static ssize_t +@@ -816,7 +816,7 @@ bfad_im_model_desc_show(struct device *dev, struct device_attribute *attr, + snprintf(model_descr, BFA_ADAPTER_MODEL_DESCR_LEN, + "Invalid Model"); + +- return snprintf(buf, PAGE_SIZE, "%s\n", model_descr); ++ return sysfs_emit(buf, "%s\n", model_descr); + } + + static ssize_t +@@ -830,7 +830,7 @@ bfad_im_node_name_show(struct device *dev, struct device_attribute *attr, + u64 nwwn; + + nwwn = bfa_fcs_lport_get_nwwn(port->fcs_port); +- return snprintf(buf, PAGE_SIZE, "0x%llx\n", cpu_to_be64(nwwn)); ++ return sysfs_emit(buf, "0x%llx\n", cpu_to_be64(nwwn)); + } + + static ssize_t +@@ -847,7 +847,7 @@ bfad_im_symbolic_name_show(struct device *dev, struct device_attribute *attr, + bfa_fcs_lport_get_attr(&bfad->bfa_fcs.fabric.bport, &port_attr); + strlcpy(symname, port_attr.port_cfg.sym_name.symname, + BFA_SYMNAME_MAXLEN); +- return snprintf(buf, PAGE_SIZE, "%s\n", symname); ++ return sysfs_emit(buf, "%s\n", symname); + } + + static ssize_t +@@ -861,14 +861,14 @@ bfad_im_hw_version_show(struct device *dev, struct device_attribute *attr, + char hw_ver[BFA_VERSION_LEN]; + + bfa_get_pci_chip_rev(&bfad->bfa, hw_ver); +- return snprintf(buf, PAGE_SIZE, "%s\n", hw_ver); ++ return sysfs_emit(buf, "%s\n", hw_ver); + } + + static ssize_t + bfad_im_drv_version_show(struct device *dev, struct device_attribute *attr, + char *buf) + { +- return snprintf(buf, PAGE_SIZE, "%s\n", BFAD_DRIVER_VERSION); ++ return sysfs_emit(buf, "%s\n", BFAD_DRIVER_VERSION); + } + + static ssize_t +@@ -882,7 +882,7 @@ bfad_im_optionrom_version_show(struct device *dev, + char optrom_ver[BFA_VERSION_LEN]; + + bfa_get_adapter_optrom_ver(&bfad->bfa, optrom_ver); +- return snprintf(buf, PAGE_SIZE, "%s\n", optrom_ver); ++ return sysfs_emit(buf, "%s\n", optrom_ver); + } + + static ssize_t +@@ -896,7 +896,7 @@ bfad_im_fw_version_show(struct device *dev, struct device_attribute *attr, + char fw_ver[BFA_VERSION_LEN]; + + bfa_get_adapter_fw_ver(&bfad->bfa, fw_ver); +- return snprintf(buf, PAGE_SIZE, "%s\n", fw_ver); ++ return sysfs_emit(buf, "%s\n", fw_ver); + } + + static ssize_t +@@ -908,7 +908,7 @@ bfad_im_num_of_ports_show(struct device *dev, struct device_attribute *attr, + (struct bfad_im_port_s *) shost->hostdata[0]; + struct bfad_s *bfad = im_port->bfad; + +- return snprintf(buf, PAGE_SIZE, "%d\n", ++ return sysfs_emit(buf, "%d\n", + bfa_get_nports(&bfad->bfa)); + } + +@@ -916,7 +916,7 @@ static ssize_t + bfad_im_drv_name_show(struct device *dev, struct device_attribute *attr, + char *buf) + { +- return snprintf(buf, PAGE_SIZE, "%s\n", BFAD_DRIVER_NAME); ++ return sysfs_emit(buf, "%s\n", BFAD_DRIVER_NAME); + } + + static ssize_t +@@ -935,14 +935,14 @@ bfad_im_num_of_discovered_ports_show(struct device *dev, + rports = kzalloc(sizeof(struct bfa_rport_qualifier_s) * nrports, + GFP_ATOMIC); + if (rports == NULL) +- return snprintf(buf, PAGE_SIZE, "Failed\n"); ++ return sysfs_emit(buf, "Failed\n"); + + spin_lock_irqsave(&bfad->bfad_lock, flags); + bfa_fcs_lport_get_rport_quals(port->fcs_port, rports, &nrports); + spin_unlock_irqrestore(&bfad->bfad_lock, flags); + kfree(rports); + +- return snprintf(buf, PAGE_SIZE, "%d\n", nrports); ++ return sysfs_emit(buf, "%d\n", nrports); + } + + static DEVICE_ATTR(serial_number, S_IRUGO, +-- +2.35.1 + diff --git a/queue-4.14/scsi-libfc-fix-use-after-free-in-fc_exch_abts_resp.patch b/queue-4.14/scsi-libfc-fix-use-after-free-in-fc_exch_abts_resp.patch new file mode 100644 index 00000000000..4655ce54e47 --- /dev/null +++ b/queue-4.14/scsi-libfc-fix-use-after-free-in-fc_exch_abts_resp.patch @@ -0,0 +1,39 @@ +From afa5bad2ec7236f2b22a62393528f08d4adc3fef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Mar 2022 09:51:15 +0800 +Subject: scsi: libfc: Fix use after free in fc_exch_abts_resp() + +From: Jianglei Nie + +[ Upstream commit 271add11994ba1a334859069367e04d2be2ebdd4 ] + +fc_exch_release(ep) will decrease the ep's reference count. When the +reference count reaches zero, it is freed. But ep is still used in the +following code, which will lead to a use after free. + +Return after the fc_exch_release() call to avoid use after free. + +Link: https://lore.kernel.org/r/20220303015115.459778-1-niejianglei2021@163.com +Reviewed-by: Hannes Reinecke +Signed-off-by: Jianglei Nie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libfc/fc_exch.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c +index 384458d1f73c..9fa0aa235cb4 100644 +--- a/drivers/scsi/libfc/fc_exch.c ++++ b/drivers/scsi/libfc/fc_exch.c +@@ -1709,6 +1709,7 @@ static void fc_exch_abts_resp(struct fc_exch *ep, struct fc_frame *fp) + if (cancel_delayed_work_sync(&ep->timeout_work)) { + FC_EXCH_DBG(ep, "Exchange timer canceled due to ABTS response\n"); + fc_exch_release(ep); /* release from pending timer hold */ ++ return; + } + + spin_lock_bh(&ep->ex_lock); +-- +2.35.1 + diff --git a/queue-4.14/scsi-mvsas-replace-snprintf-with-sysfs_emit.patch b/queue-4.14/scsi-mvsas-replace-snprintf-with-sysfs_emit.patch new file mode 100644 index 00000000000..0867db2d5a1 --- /dev/null +++ b/queue-4.14/scsi-mvsas-replace-snprintf-with-sysfs_emit.patch @@ -0,0 +1,52 @@ +From 68f47452a456853d07c1d22ef54819b72bdfd2bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jan 2022 08:00:59 +0800 +Subject: scsi: mvsas: Replace snprintf() with sysfs_emit() + +From: Yang Guang + +[ Upstream commit 0ad3867b0f13e45cfee5a1298bfd40eef096116c ] + +coccinelle report: +./drivers/scsi/mvsas/mv_init.c:699:8-16: +WARNING: use scnprintf or sprintf +./drivers/scsi/mvsas/mv_init.c:747:8-16: +WARNING: use scnprintf or sprintf + +Use sysfs_emit() instead of scnprintf() or sprintf(). + +Link: https://lore.kernel.org/r/c1711f7cf251730a8ceb5bdfc313bf85662b3395.1643182948.git.yang.guang5@zte.com.cn +Reported-by: Zeal Robot +Signed-off-by: Yang Guang +Signed-off-by: David Yang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mvsas/mv_init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/mvsas/mv_init.c b/drivers/scsi/mvsas/mv_init.c +index 718c88de328b..f6070b1fe1d8 100644 +--- a/drivers/scsi/mvsas/mv_init.c ++++ b/drivers/scsi/mvsas/mv_init.c +@@ -729,7 +729,7 @@ static ssize_t + mvs_show_driver_version(struct device *cdev, + struct device_attribute *attr, char *buffer) + { +- return snprintf(buffer, PAGE_SIZE, "%s\n", DRV_VERSION); ++ return sysfs_emit(buffer, "%s\n", DRV_VERSION); + } + + static DEVICE_ATTR(driver_version, +@@ -781,7 +781,7 @@ mvs_store_interrupt_coalescing(struct device *cdev, + static ssize_t mvs_show_interrupt_coalescing(struct device *cdev, + struct device_attribute *attr, char *buffer) + { +- return snprintf(buffer, PAGE_SIZE, "%d\n", interrupt_coalescing); ++ return sysfs_emit(buffer, "%d\n", interrupt_coalescing); + } + + static DEVICE_ATTR(interrupt_coalescing, +-- +2.35.1 + diff --git a/queue-4.14/scsi-pm8001-fix-pm8001_mpi_task_abort_resp.patch b/queue-4.14/scsi-pm8001-fix-pm8001_mpi_task_abort_resp.patch new file mode 100644 index 00000000000..f8020fe77a2 --- /dev/null +++ b/queue-4.14/scsi-pm8001-fix-pm8001_mpi_task_abort_resp.patch @@ -0,0 +1,46 @@ +From 41fb0f6956e13f56b706f1667462e95c685608b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Feb 2022 12:17:57 +0900 +Subject: scsi: pm8001: Fix pm8001_mpi_task_abort_resp() + +From: Damien Le Moal + +[ Upstream commit 7e6b7e740addcea450041b5be8e42f0a4ceece0f ] + +The call to pm8001_ccb_task_free() at the end of +pm8001_mpi_task_abort_resp() already frees the ccb tag. So when the device +NCQ_ABORT_ALL_FLAG is set, the tag should not be freed again. Also change +the hardcoded 0xBFFFFFFF value to ~NCQ_ABORT_ALL_FLAG as it ought to be. + +Link: https://lore.kernel.org/r/20220220031810.738362-19-damien.lemoal@opensource.wdc.com +Reviewed-by: Jack Wang +Signed-off-by: Damien Le Moal +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pm8001/pm8001_hwi.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c +index b44bf34499a9..cc90b5c8d462 100644 +--- a/drivers/scsi/pm8001/pm8001_hwi.c ++++ b/drivers/scsi/pm8001/pm8001_hwi.c +@@ -3768,12 +3768,11 @@ int pm8001_mpi_task_abort_resp(struct pm8001_hba_info *pm8001_ha, void *piomb) + mb(); + + if (pm8001_dev->id & NCQ_ABORT_ALL_FLAG) { +- pm8001_tag_free(pm8001_ha, tag); + sas_free_task(t); +- /* clear the flag */ +- pm8001_dev->id &= 0xBFFFFFFF; +- } else ++ pm8001_dev->id &= ~NCQ_ABORT_ALL_FLAG; ++ } else { + t->task_done(t); ++ } + + return 0; + } +-- +2.35.1 + diff --git a/queue-4.14/serial-samsung_tty-do-not-unlock-port-lock-for-uart_.patch b/queue-4.14/serial-samsung_tty-do-not-unlock-port-lock-for-uart_.patch new file mode 100644 index 00000000000..ab310822d17 --- /dev/null +++ b/queue-4.14/serial-samsung_tty-do-not-unlock-port-lock-for-uart_.patch @@ -0,0 +1,53 @@ +From 1814556cb45d1924e0230eb4f750aaaf40b25158 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 12:51:53 +0100 +Subject: serial: samsung_tty: do not unlock port->lock for uart_write_wakeup() + +From: Jiri Slaby + +[ Upstream commit 988c7c00691008ea1daaa1235680a0da49dab4e8 ] + +The commit c15c3747ee32 (serial: samsung: fix potential soft lockup +during uart write) added an unlock of port->lock before +uart_write_wakeup() and a lock after it. It was always problematic to +write data from tty_ldisc_ops::write_wakeup and it was even documented +that way. We fixed the line disciplines to conform to this recently. +So if there is still a missed one, we should fix them instead of this +workaround. + +On the top of that, s3c24xx_serial_tx_dma_complete() in this driver +still holds the port->lock while calling uart_write_wakeup(). + +So revert the wrap added by the commit above. + +Cc: Thomas Abraham +Cc: Kyungmin Park +Cc: Hyeonkook Kim +Signed-off-by: Jiri Slaby +Link: https://lore.kernel.org/r/20220308115153.4225-1-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/samsung.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 70d29b697e82..3886d4799603 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -764,11 +764,8 @@ static irqreturn_t s3c24xx_serial_tx_chars(int irq, void *id) + goto out; + } + +- if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) { +- spin_unlock(&port->lock); ++ if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) + uart_write_wakeup(port); +- spin_lock(&port->lock); +- } + + if (uart_circ_empty(xmit)) + s3c24xx_serial_stop_tx(port); +-- +2.35.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 67f5425d7ac..42a3248abac 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -203,3 +203,40 @@ arm-dts-spear1340-update-serial-node-properties.patch arm-dts-spear13xx-update-spi-dma-properties.patch openvswitch-fixed-nd-target-mask-field-in-the-flow-dump.patch kvm-x86-forbid-vmm-to-set-synic-stimer-msrs-when-synic-wasn-t-activated.patch +ubifs-rectify-space-amount-budget-for-mkdir-tmpfile-.patch +rtc-wm8350-handle-error-for-wm8350_register_irq.patch +arm-9187-1-jive-fix-return-value-of-__setup-handler.patch +kvm-x86-svm-clear-reserved-bits-written-to-perfevtse.patch +ath5k-fix-oob-in-ath5k_eeprom_read_pcal_info_5111.patch +ptp-replace-snprintf-with-sysfs_emit.patch +powerpc-dts-t104xrdb-fix-phy-type-for-fman-4-5.patch +scsi-mvsas-replace-snprintf-with-sysfs_emit.patch +scsi-bfa-replace-snprintf-with-sysfs_emit.patch +power-supply-axp20x_battery-properly-report-current-.patch +powerpc-set-crashkernel-offset-to-mid-of-rma-region.patch +pci-aardvark-fix-support-for-msi-interrupts.patch +iommu-arm-smmu-v3-fix-event-handling-soft-lockup.patch +dm-ioctl-prevent-potential-spectre-v1-gadget.patch +scsi-pm8001-fix-pm8001_mpi_task_abort_resp.patch +scsi-aha152x-fix-aha152x_setup-__setup-handler-retur.patch +net-smc-correct-settings-of-rmb-window-update-limit.patch +macvtap-advertise-link-netns-via-netlink.patch +bnxt_en-eliminate-unintended-link-toggle-during-fw-r.patch +mips-fix-fortify-panic-when-copying-asm-exception-ha.patch +powerpc-code-patching-pre-map-patch-area.patch +scsi-libfc-fix-use-after-free-in-fc_exch_abts_resp.patch +usb-dwc3-omap-fix-unbalanced-disables-for-smps10_out.patch +xtensa-fix-dtc-warning-unit_address_format.patch +bluetooth-fix-use-after-free-in-hci_send_acl.patch +init-main.c-return-1-from-handled-__setup-functions.patch +w1-w1_therm-fixes-w1_seq-for-ds28ea00-sensors.patch +sunrpc-call_alloc-async-tasks-mustn-t-block-waiting-.patch +nfs-swap-io-handling-is-slightly-different-for-o_dir.patch +nfs-swap-out-must-always-use-stable-writes.patch +serial-samsung_tty-do-not-unlock-port-lock-for-uart_.patch +virtio_console-eliminate-anonymous-module_init-modul.patch +jfs-prevent-null-deref-in-difree.patch +parisc-fix-cpu-affinity-for-lasi-wax-and-dino-chips.patch +ipv6-add-missing-tx-timestamping-on-ipproto_raw.patch +net-add-missing-sof_timestamping_opt_id-support.patch +mm-fix-race-between-madv_free-reclaim-and-blkdev-dir.patch diff --git a/queue-4.14/sunrpc-call_alloc-async-tasks-mustn-t-block-waiting-.patch b/queue-4.14/sunrpc-call_alloc-async-tasks-mustn-t-block-waiting-.patch new file mode 100644 index 00000000000..b8f8c28a638 --- /dev/null +++ b/queue-4.14/sunrpc-call_alloc-async-tasks-mustn-t-block-waiting-.patch @@ -0,0 +1,65 @@ +From 16c63d87753866dcd1e93818e9d1a0698b64f59e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 10:41:44 +1100 +Subject: SUNRPC/call_alloc: async tasks mustn't block waiting for memory + +From: NeilBrown + +[ Upstream commit c487216bec83b0c5a8803e5c61433d33ad7b104d ] + +When memory is short, new worker threads cannot be created and we depend +on the minimum one rpciod thread to be able to handle everything. +So it must not block waiting for memory. + +mempools are particularly a problem as memory can only be released back +to the mempool by an async rpc task running. If all available +workqueue threads are waiting on the mempool, no thread is available to +return anything. + +rpc_malloc() can block, and this might cause deadlocks. +So check RPC_IS_ASYNC(), rather than RPC_IS_SWAPPER() to determine if +blocking is acceptable. + +Signed-off-by: NeilBrown +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/sched.c | 4 +++- + net/sunrpc/xprtrdma/transport.c | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c +index 253132130c42..4e0ebb4780df 100644 +--- a/net/sunrpc/sched.c ++++ b/net/sunrpc/sched.c +@@ -883,8 +883,10 @@ int rpc_malloc(struct rpc_task *task) + struct rpc_buffer *buf; + gfp_t gfp = GFP_NOIO | __GFP_NOWARN; + ++ if (RPC_IS_ASYNC(task)) ++ gfp = GFP_NOWAIT | __GFP_NOWARN; + if (RPC_IS_SWAPPER(task)) +- gfp = __GFP_MEMALLOC | GFP_NOWAIT | __GFP_NOWARN; ++ gfp |= __GFP_MEMALLOC; + + size += sizeof(struct rpc_buffer); + if (size <= RPC_BUFFER_MAXSIZE) +diff --git a/net/sunrpc/xprtrdma/transport.c b/net/sunrpc/xprtrdma/transport.c +index ead20e6754ab..90c99919ea30 100644 +--- a/net/sunrpc/xprtrdma/transport.c ++++ b/net/sunrpc/xprtrdma/transport.c +@@ -645,8 +645,10 @@ xprt_rdma_allocate(struct rpc_task *task) + return -ENOMEM; + + flags = RPCRDMA_DEF_GFP; ++ if (RPC_IS_ASYNC(task)) ++ flags = GFP_NOWAIT | __GFP_NOWARN; + if (RPC_IS_SWAPPER(task)) +- flags = __GFP_MEMALLOC | GFP_NOWAIT | __GFP_NOWARN; ++ flags |= __GFP_MEMALLOC; + + if (!rpcrdma_get_rdmabuf(r_xprt, req, flags)) + goto out_fail; +-- +2.35.1 + diff --git a/queue-4.14/ubifs-rectify-space-amount-budget-for-mkdir-tmpfile-.patch b/queue-4.14/ubifs-rectify-space-amount-budget-for-mkdir-tmpfile-.patch new file mode 100644 index 00000000000..4ebeae6bc8b --- /dev/null +++ b/queue-4.14/ubifs-rectify-space-amount-budget-for-mkdir-tmpfile-.patch @@ -0,0 +1,71 @@ +From d61d11d49af758dd7a2b4fb1b4b1d8a8768be862 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Dec 2021 11:22:38 +0800 +Subject: ubifs: Rectify space amount budget for mkdir/tmpfile operations + +From: Zhihao Cheng + +[ Upstream commit a6dab6607d4681d227905d5198710b575dbdb519 ] + +UBIFS should make sure the flash has enough space to store dirty (Data +that is newer than disk) data (in memory), space budget is exactly +designed to do that. If space budget calculates less data than we need, +'make_reservation()' will do more work(return -ENOSPC if no free space +lelf, sometimes we can see "cannot reserve xxx bytes in jhead xxx, error +-28" in ubifs error messages) with ubifs inodes locked, which may effect +other syscalls. + +A simple way to decide how much space do we need when make a budget: +See how much space is needed by 'make_reservation()' in ubifs_jnl_xxx() +function according to corresponding operation. + +It's better to report ENOSPC in ubifs_budget_space(), as early as we can. + +Fixes: 474b93704f32163 ("ubifs: Implement O_TMPFILE") +Fixes: 1e51764a3c2ac05 ("UBIFS: add new flash file system") +Signed-off-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/ubifs/dir.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c +index 12356dcc3ecb..299611052bbf 100644 +--- a/fs/ubifs/dir.c ++++ b/fs/ubifs/dir.c +@@ -390,15 +390,18 @@ static int do_tmpfile(struct inode *dir, struct dentry *dentry, + { + struct inode *inode; + struct ubifs_info *c = dir->i_sb->s_fs_info; +- struct ubifs_budget_req req = { .new_ino = 1, .new_dent = 1}; ++ struct ubifs_budget_req req = { .new_ino = 1, .new_dent = 1, ++ .dirtied_ino = 1}; + struct ubifs_budget_req ino_req = { .dirtied_ino = 1 }; + struct ubifs_inode *ui, *dir_ui = ubifs_inode(dir); + int err, instantiated = 0; + struct fscrypt_name nm; + + /* +- * Budget request settings: new dirty inode, new direntry, +- * budget for dirtied inode will be released via writeback. ++ * Budget request settings: new inode, new direntry, changing the ++ * parent directory inode. ++ * Allocate budget separately for new dirtied inode, the budget will ++ * be released via writeback. + */ + + dbg_gen("dent '%pd', mode %#hx in dir ino %lu", +@@ -990,7 +993,8 @@ static int ubifs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) + struct ubifs_inode *dir_ui = ubifs_inode(dir); + struct ubifs_info *c = dir->i_sb->s_fs_info; + int err, sz_change; +- struct ubifs_budget_req req = { .new_ino = 1, .new_dent = 1 }; ++ struct ubifs_budget_req req = { .new_ino = 1, .new_dent = 1, ++ .dirtied_ino = 1}; + struct fscrypt_name nm; + + /* +-- +2.35.1 + diff --git a/queue-4.14/usb-dwc3-omap-fix-unbalanced-disables-for-smps10_out.patch b/queue-4.14/usb-dwc3-omap-fix-unbalanced-disables-for-smps10_out.patch new file mode 100644 index 00000000000..8625bbe7180 --- /dev/null +++ b/queue-4.14/usb-dwc3-omap-fix-unbalanced-disables-for-smps10_out.patch @@ -0,0 +1,75 @@ +From 77c04d2c06286ef90190364ae2b60b9ad0b9395f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 14:03:37 +0100 +Subject: usb: dwc3: omap: fix "unbalanced disables for smps10_out1" on + omap5evm + +From: H. Nikolaus Schaller + +[ Upstream commit ac01df343e5a6c6bcead2ed421af1fde30f73e7e ] + +Usually, the vbus_regulator (smps10 on omap5evm) boots up disabled. + +Hence calling regulator_disable() indirectly through dwc3_omap_set_mailbox() +during probe leads to: + +[ 10.332764] WARNING: CPU: 0 PID: 1628 at drivers/regulator/core.c:2853 _regulator_disable+0x40/0x164 +[ 10.351919] unbalanced disables for smps10_out1 +[ 10.361298] Modules linked in: dwc3_omap(+) clk_twl6040 at24 gpio_twl6040 palmas_gpadc palmas_pwrbutton +industrialio snd_soc_omap_mcbsp(+) snd_soc_ti_sdma display_connector ti_tpd12s015 drm leds_gpio +drm_panel_orientation_quirks ip_tables x_tables ipv6 autofs4 +[ 10.387818] CPU: 0 PID: 1628 Comm: systemd-udevd Not tainted 5.17.0-rc1-letux-lpae+ #8139 +[ 10.405129] Hardware name: Generic OMAP5 (Flattened Device Tree) +[ 10.411455] unwind_backtrace from show_stack+0x10/0x14 +[ 10.416970] show_stack from dump_stack_lvl+0x40/0x4c +[ 10.422313] dump_stack_lvl from __warn+0xb8/0x170 +[ 10.427377] __warn from warn_slowpath_fmt+0x70/0x9c +[ 10.432595] warn_slowpath_fmt from _regulator_disable+0x40/0x164 +[ 10.439037] _regulator_disable from regulator_disable+0x30/0x64 +[ 10.445382] regulator_disable from dwc3_omap_set_mailbox+0x8c/0xf0 [dwc3_omap] +[ 10.453116] dwc3_omap_set_mailbox [dwc3_omap] from dwc3_omap_probe+0x2b8/0x394 [dwc3_omap] +[ 10.467021] dwc3_omap_probe [dwc3_omap] from platform_probe+0x58/0xa8 +[ 10.481762] platform_probe from really_probe+0x168/0x2fc +[ 10.481782] really_probe from __driver_probe_device+0xc4/0xd8 +[ 10.481782] __driver_probe_device from driver_probe_device+0x24/0xa4 +[ 10.503762] driver_probe_device from __driver_attach+0xc4/0xd8 +[ 10.510018] __driver_attach from bus_for_each_dev+0x64/0xa0 +[ 10.516001] bus_for_each_dev from bus_add_driver+0x148/0x1a4 +[ 10.524880] bus_add_driver from driver_register+0xb4/0xf8 +[ 10.530678] driver_register from do_one_initcall+0x90/0x1c4 +[ 10.536661] do_one_initcall from do_init_module+0x4c/0x200 +[ 10.536683] do_init_module from load_module+0x13dc/0x1910 +[ 10.551159] load_module from sys_finit_module+0xc8/0xd8 +[ 10.561319] sys_finit_module from __sys_trace_return+0x0/0x18 +[ 10.561336] Exception stack(0xc344bfa8 to 0xc344bff0) +[ 10.561341] bfa0: b6fb5778 b6fab8d8 00000007 b6ecfbb8 00000000 b6ed0398 +[ 10.561341] bfc0: b6fb5778 b6fab8d8 855c0500 0000017b 00020000 b6f9a3cc 00000000 b6fb5778 +[ 10.595500] bfe0: bede18f8 bede18e8 b6ec9aeb b6dda1c2 +[ 10.601345] ---[ end trace 0000000000000000 ]--- + +Fix this unnecessary warning by checking if the regulator is enabled. + +Signed-off-by: H. Nikolaus Schaller +Link: https://lore.kernel.org/r/af3b750dc2265d875deaabcf5f80098c9645da45.1646744616.git.hns@goldelico.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-omap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/dwc3-omap.c b/drivers/usb/dwc3/dwc3-omap.c +index 830ef7333750..6fbaa0d1bcd2 100644 +--- a/drivers/usb/dwc3/dwc3-omap.c ++++ b/drivers/usb/dwc3/dwc3-omap.c +@@ -245,7 +245,7 @@ static void dwc3_omap_set_mailbox(struct dwc3_omap *omap, + break; + + case OMAP_DWC3_ID_FLOAT: +- if (omap->vbus_reg) ++ if (omap->vbus_reg && regulator_is_enabled(omap->vbus_reg)) + regulator_disable(omap->vbus_reg); + val = dwc3_omap_read_utmi_ctrl(omap); + val |= USBOTGSS_UTMI_OTG_CTRL_IDDIG; +-- +2.35.1 + diff --git a/queue-4.14/virtio_console-eliminate-anonymous-module_init-modul.patch b/queue-4.14/virtio_console-eliminate-anonymous-module_init-modul.patch new file mode 100644 index 00000000000..0bae80d4f34 --- /dev/null +++ b/queue-4.14/virtio_console-eliminate-anonymous-module_init-modul.patch @@ -0,0 +1,76 @@ +From 8aee0f2537154f075c058251909df554cc845c54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Mar 2022 12:20:03 -0700 +Subject: virtio_console: eliminate anonymous module_init & module_exit + +From: Randy Dunlap + +[ Upstream commit fefb8a2a941338d871e2d83fbd65fbfa068857bd ] + +Eliminate anonymous module_init() and module_exit(), which can lead to +confusion or ambiguity when reading System.map, crashes/oops/bugs, +or an initcall_debug log. + +Give each of these init and exit functions unique driver-specific +names to eliminate the anonymous names. + +Example 1: (System.map) + ffffffff832fc78c t init + ffffffff832fc79e t init + ffffffff832fc8f8 t init + +Example 2: (initcall_debug log) + calling init+0x0/0x12 @ 1 + initcall init+0x0/0x12 returned 0 after 15 usecs + calling init+0x0/0x60 @ 1 + initcall init+0x0/0x60 returned 0 after 2 usecs + calling init+0x0/0x9a @ 1 + initcall init+0x0/0x9a returned 0 after 74 usecs + +Signed-off-by: Randy Dunlap +Reviewed-by: Amit Shah +Cc: virtualization@lists.linux-foundation.org +Cc: Arnd Bergmann +Link: https://lore.kernel.org/r/20220316192010.19001-3-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/char/virtio_console.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index 2140d401523f..fa103e7a43b7 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -2281,7 +2281,7 @@ static struct virtio_driver virtio_rproc_serial = { + .remove = virtcons_remove, + }; + +-static int __init init(void) ++static int __init virtio_console_init(void) + { + int err; + +@@ -2318,7 +2318,7 @@ static int __init init(void) + return err; + } + +-static void __exit fini(void) ++static void __exit virtio_console_fini(void) + { + reclaim_dma_bufs(); + +@@ -2328,8 +2328,8 @@ static void __exit fini(void) + class_destroy(pdrvdata.class); + debugfs_remove_recursive(pdrvdata.debugfs_dir); + } +-module_init(init); +-module_exit(fini); ++module_init(virtio_console_init); ++module_exit(virtio_console_fini); + + MODULE_DESCRIPTION("Virtio console driver"); + MODULE_LICENSE("GPL"); +-- +2.35.1 + diff --git a/queue-4.14/w1-w1_therm-fixes-w1_seq-for-ds28ea00-sensors.patch b/queue-4.14/w1-w1_therm-fixes-w1_seq-for-ds28ea00-sensors.patch new file mode 100644 index 00000000000..5c002feca23 --- /dev/null +++ b/queue-4.14/w1-w1_therm-fixes-w1_seq-for-ds28ea00-sensors.patch @@ -0,0 +1,52 @@ +From c634f29b494389c215bab6c94bad2699329f32e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Feb 2022 11:35:55 +0000 +Subject: w1: w1_therm: fixes w1_seq for ds28ea00 sensors + +From: Lucas Denefle + +[ Upstream commit 41a92a89eee819298f805c40187ad8b02bb53426 ] + +w1_seq was failing due to several devices responding to the +CHAIN_DONE at the same time. Now properly selects the current +device in the chain with MATCH_ROM. Also acknowledgment was +read twice. + +Signed-off-by: Lucas Denefle +Link: https://lore.kernel.org/r/20220223113558.232750-1-lucas.denefle@converge.io +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/w1/slaves/w1_therm.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/w1/slaves/w1_therm.c b/drivers/w1/slaves/w1_therm.c +index 259525c3382a..9b9870ba01cd 100644 +--- a/drivers/w1/slaves/w1_therm.c ++++ b/drivers/w1/slaves/w1_therm.c +@@ -690,16 +690,20 @@ static ssize_t w1_seq_show(struct device *device, + if (sl->reg_num.id == reg_num->id) + seq = i; + ++ if (w1_reset_bus(sl->master)) ++ goto error; ++ ++ /* Put the device into chain DONE state */ ++ w1_write_8(sl->master, W1_MATCH_ROM); ++ w1_write_block(sl->master, (u8 *)&rn, 8); + w1_write_8(sl->master, W1_42_CHAIN); + w1_write_8(sl->master, W1_42_CHAIN_DONE); + w1_write_8(sl->master, W1_42_CHAIN_DONE_INV); +- w1_read_block(sl->master, &ack, sizeof(ack)); + + /* check for acknowledgment */ + ack = w1_read_8(sl->master); + if (ack != W1_42_SUCCESS_CONFIRM_BYTE) + goto error; +- + } + + /* Exit from CHAIN state */ +-- +2.35.1 + diff --git a/queue-4.14/xtensa-fix-dtc-warning-unit_address_format.patch b/queue-4.14/xtensa-fix-dtc-warning-unit_address_format.patch new file mode 100644 index 00000000000..2f2e73815d1 --- /dev/null +++ b/queue-4.14/xtensa-fix-dtc-warning-unit_address_format.patch @@ -0,0 +1,103 @@ +From cf4dbd3abe09a5ee5352dac805c68b47490f8259 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Mar 2022 02:49:41 -0700 +Subject: xtensa: fix DTC warning unit_address_format + +From: Max Filippov + +[ Upstream commit e85d29ba4b24f68e7a78cb85c55e754362eeb2de ] + +DTC issues the following warnings when building xtfpga device trees: + + /soc/flash@00000000/partition@0x0: unit name should not have leading "0x" + /soc/flash@00000000/partition@0x6000000: unit name should not have leading "0x" + /soc/flash@00000000/partition@0x6800000: unit name should not have leading "0x" + /soc/flash@00000000/partition@0x7fe0000: unit name should not have leading "0x" + +Drop leading 0x from flash partition unit names. + +Signed-off-by: Max Filippov +Signed-off-by: Sasha Levin +--- + arch/xtensa/boot/dts/xtfpga-flash-128m.dtsi | 8 ++++---- + arch/xtensa/boot/dts/xtfpga-flash-16m.dtsi | 8 ++++---- + arch/xtensa/boot/dts/xtfpga-flash-4m.dtsi | 4 ++-- + 3 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/xtensa/boot/dts/xtfpga-flash-128m.dtsi b/arch/xtensa/boot/dts/xtfpga-flash-128m.dtsi +index 9bf8bad1dd18..c33932568aa7 100644 +--- a/arch/xtensa/boot/dts/xtfpga-flash-128m.dtsi ++++ b/arch/xtensa/boot/dts/xtfpga-flash-128m.dtsi +@@ -8,19 +8,19 @@ + reg = <0x00000000 0x08000000>; + bank-width = <2>; + device-width = <2>; +- partition@0x0 { ++ partition@0 { + label = "data"; + reg = <0x00000000 0x06000000>; + }; +- partition@0x6000000 { ++ partition@6000000 { + label = "boot loader area"; + reg = <0x06000000 0x00800000>; + }; +- partition@0x6800000 { ++ partition@6800000 { + label = "kernel image"; + reg = <0x06800000 0x017e0000>; + }; +- partition@0x7fe0000 { ++ partition@7fe0000 { + label = "boot environment"; + reg = <0x07fe0000 0x00020000>; + }; +diff --git a/arch/xtensa/boot/dts/xtfpga-flash-16m.dtsi b/arch/xtensa/boot/dts/xtfpga-flash-16m.dtsi +index 40c2f81f7cb6..7bde2ab2d6fb 100644 +--- a/arch/xtensa/boot/dts/xtfpga-flash-16m.dtsi ++++ b/arch/xtensa/boot/dts/xtfpga-flash-16m.dtsi +@@ -8,19 +8,19 @@ + reg = <0x08000000 0x01000000>; + bank-width = <2>; + device-width = <2>; +- partition@0x0 { ++ partition@0 { + label = "boot loader area"; + reg = <0x00000000 0x00400000>; + }; +- partition@0x400000 { ++ partition@400000 { + label = "kernel image"; + reg = <0x00400000 0x00600000>; + }; +- partition@0xa00000 { ++ partition@a00000 { + label = "data"; + reg = <0x00a00000 0x005e0000>; + }; +- partition@0xfe0000 { ++ partition@fe0000 { + label = "boot environment"; + reg = <0x00fe0000 0x00020000>; + }; +diff --git a/arch/xtensa/boot/dts/xtfpga-flash-4m.dtsi b/arch/xtensa/boot/dts/xtfpga-flash-4m.dtsi +index fb8d3a9f33c2..0655b868749a 100644 +--- a/arch/xtensa/boot/dts/xtfpga-flash-4m.dtsi ++++ b/arch/xtensa/boot/dts/xtfpga-flash-4m.dtsi +@@ -8,11 +8,11 @@ + reg = <0x08000000 0x00400000>; + bank-width = <2>; + device-width = <2>; +- partition@0x0 { ++ partition@0 { + label = "boot loader area"; + reg = <0x00000000 0x003f0000>; + }; +- partition@0x3f0000 { ++ partition@3f0000 { + label = "boot environment"; + reg = <0x003f0000 0x00010000>; + }; +-- +2.35.1 +