From: Greg Kroah-Hartman Date: Sat, 27 Mar 2021 14:27:43 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v5.11.11~60 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba93d8a253c377b11bae5aef509d30eca37ed188;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: acpi-video-add-missing-callback-back-for-sony-vpceh3u1e.patch acpica-always-create-namespace-nodes-using-acpi_ns_create_node.patch arm-dts-at91-sam9x60-fix-mux-mask-for-pa7-so-it-can-be-set-to-a-b-and-c.patch arm-dts-at91-sam9x60-fix-mux-mask-to-match-product-s-datasheet.patch arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch arm64-stacktrace-don-t-trace-arch_stack_walk.patch btrfs-fix-sleep-while-in-non-sleep-context-during-qgroup-removal.patch dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch dm-verity-fix-dm_verity_opts_max-value.patch drm-amd-pm-workaround-for-audio-noise-issue.patch drm-amdgpu-add-additional-sienna-cichlid-pci-id.patch drm-amdgpu-display-restore-aux_dphy_tx_control-for-dcn2.x.patch drm-etnaviv-use-foll_force-for-userptr.patch drm-i915-fix-the-gt-fence-revocation-runtime-pm-logic.patch gcov-fix-clang-11-support.patch hugetlb_cgroup-fix-imbalanced-css_get-and-css_put-pair-for-shared-mappings.patch integrity-double-check-iint_cache-was-initialized.patch kasan-fix-per-page-tags-for-non-page_alloc-pages.patch netsec-restore-phy-power-state-after-controller-reset.patch platform-x86-intel-vbtn-stop-reporting-sw_dock-events.patch psample-fix-user-api-breakage.patch selinux-don-t-log-mac_policy_load-record-on-failed-policy-load.patch selinux-fix-variable-scope-issue-in-live-sidtab-conversion.patch squashfs-fix-inode-lookup-sanity-checks.patch squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch z3fold-prevent-reclaim-free-race-for-headless-pages.patch --- diff --git a/queue-5.10/acpi-video-add-missing-callback-back-for-sony-vpceh3u1e.patch b/queue-5.10/acpi-video-add-missing-callback-back-for-sony-vpceh3u1e.patch new file mode 100644 index 00000000000..f989338b422 --- /dev/null +++ b/queue-5.10/acpi-video-add-missing-callback-back-for-sony-vpceh3u1e.patch @@ -0,0 +1,35 @@ +From c1d1e25a8c542816ae8dee41b81a18d30c7519a0 Mon Sep 17 00:00:00 2001 +From: Chris Chiu +Date: Fri, 12 Mar 2021 11:24:30 +0800 +Subject: ACPI: video: Add missing callback back for Sony VPCEH3U1E + +From: Chris Chiu + +commit c1d1e25a8c542816ae8dee41b81a18d30c7519a0 upstream. + +The .callback of the quirk for Sony VPCEH3U1E was unintetionally +removed by the commit 25417185e9b5 ("ACPI: video: Add DMI quirk +for GIGABYTE GB-BXBT-2807"). Add it back to make sure the quirk +for Sony VPCEH3U1E works as expected. + +Fixes: 25417185e9b5 ("ACPI: video: Add DMI quirk for GIGABYTE GB-BXBT-2807") +Signed-off-by: Chris Chiu +Reported-by: Pavel Machek +Reviewed-by: Pavel Machek (CIP) +Cc: 5.11+ # 5.11+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/video_detect.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -147,6 +147,7 @@ static const struct dmi_system_id video_ + }, + }, + { ++ .callback = video_detect_force_vendor, + .ident = "Sony VPCEH3U1E", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"), diff --git a/queue-5.10/acpica-always-create-namespace-nodes-using-acpi_ns_create_node.patch b/queue-5.10/acpica-always-create-namespace-nodes-using-acpi_ns_create_node.patch new file mode 100644 index 00000000000..cd6895ec5cb --- /dev/null +++ b/queue-5.10/acpica-always-create-namespace-nodes-using-acpi_ns_create_node.patch @@ -0,0 +1,94 @@ +From 25928deeb1e4e2cdae1dccff349320c6841eb5f8 Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Tue, 23 Mar 2021 14:20:33 -0700 +Subject: ACPICA: Always create namespace nodes using acpi_ns_create_node() + +From: Vegard Nossum + +commit 25928deeb1e4e2cdae1dccff349320c6841eb5f8 upstream. + +ACPICA commit 29da9a2a3f5b2c60420893e5c6309a0586d7a329 + +ACPI is allocating an object using kmalloc(), but then frees it +using kmem_cache_free(<"Acpi-Namespace" kmem_cache>). + +This is wrong and can lead to boot failures manifesting like this: + + hpet0: 3 comparators, 64-bit 100.000000 MHz counter + clocksource: Switched to clocksource tsc-early + BUG: unable to handle page fault for address: 000000003ffe0018 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] SMP PTI + CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.6.0+ #211 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +Ubuntu-1.8.2-1ubuntu1 04/01/2014 + RIP: 0010:kmem_cache_alloc+0x70/0x1d0 + Code: 00 00 4c 8b 45 00 65 49 8b 50 08 65 4c 03 05 6f cc e7 7e 4d 8b +20 4d 85 e4 0f 84 3d 01 00 00 8b 45 20 48 8b 7d 00 48 8d 4a 01 <49> 8b + 1c 04 4c 89 e0 65 48 0f c7 0f 0f 94 c0 84 c0 74 c5 8b 45 20 + RSP: 0000:ffffc90000013df8 EFLAGS: 00010206 + RAX: 0000000000000018 RBX: ffffffff81c49200 RCX: 0000000000000002 + RDX: 0000000000000001 RSI: 0000000000000dc0 RDI: 000000000002b300 + RBP: ffff88803e403d00 R08: ffff88803ec2b300 R09: 0000000000000001 + R10: 0000000000000dc0 R11: 0000000000000006 R12: 000000003ffe0000 + R13: ffffffff8110a583 R14: 0000000000000dc0 R15: ffffffff81c49a80 + FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) +knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000000003ffe0018 CR3: 0000000001c0a001 CR4: 00000000003606f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + __trace_define_field+0x33/0xa0 + event_trace_init+0xeb/0x2b4 + tracer_init_tracefs+0x60/0x195 + ? register_tracer+0x1e7/0x1e7 + do_one_initcall+0x74/0x160 + kernel_init_freeable+0x190/0x1f0 + ? rest_init+0x9a/0x9a + kernel_init+0x5/0xf6 + ret_from_fork+0x35/0x40 + CR2: 000000003ffe0018 + ---[ end trace 707efa023f2ee960 ]--- + RIP: 0010:kmem_cache_alloc+0x70/0x1d0 + +Bisection leads to unrelated changes in slab; Vlastimil Babka +suggests an unrelated layout or slab merge change merely exposed +the underlying bug. + +Link: https://lore.kernel.org/lkml/4dc93ff8-f86e-f4c9-ebeb-6d3153a78d03@oracle.com/ +Link: https://lore.kernel.org/r/a1461e21-c744-767d-6dfc-6641fd3e3ce2@siemens.com +Link: https://github.com/acpica/acpica/commit/29da9a2a +Fixes: f79c8e4136ea ("ACPICA: Namespace: simplify creation of the initial/default namespace") +Reported-by: Jan Kiszka +Diagnosed-by: Vlastimil Babka +Diagnosed-by: Kees Cook +Signed-off-by: Vegard Nossum +Signed-off-by: Bob Moore +Signed-off-by: Erik Kaneda +Cc: 5.10+ # 5.10+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/nsaccess.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/acpi/acpica/nsaccess.c ++++ b/drivers/acpi/acpica/nsaccess.c +@@ -99,13 +99,12 @@ acpi_status acpi_ns_root_initialize(void + * just create and link the new node(s) here. + */ + new_node = +- ACPI_ALLOCATE_ZEROED(sizeof(struct acpi_namespace_node)); ++ acpi_ns_create_node(*ACPI_CAST_PTR(u32, init_val->name)); + if (!new_node) { + status = AE_NO_MEMORY; + goto unlock_and_exit; + } + +- ACPI_COPY_NAMESEG(new_node->name.ascii, init_val->name); + new_node->descriptor_type = ACPI_DESC_TYPE_NAMED; + new_node->type = init_val->type; + diff --git a/queue-5.10/arm-dts-at91-sam9x60-fix-mux-mask-for-pa7-so-it-can-be-set-to-a-b-and-c.patch b/queue-5.10/arm-dts-at91-sam9x60-fix-mux-mask-for-pa7-so-it-can-be-set-to-a-b-and-c.patch new file mode 100644 index 00000000000..a2281d09917 --- /dev/null +++ b/queue-5.10/arm-dts-at91-sam9x60-fix-mux-mask-for-pa7-so-it-can-be-set-to-a-b-and-c.patch @@ -0,0 +1,34 @@ +From 664979bba8169d775959452def968d1a7c03901f Mon Sep 17 00:00:00 2001 +From: Federico Pellegrin +Date: Sun, 7 Feb 2021 06:00:22 +0100 +Subject: ARM: dts: at91: sam9x60: fix mux-mask for PA7 so it can be set to A, B and C + +From: Federico Pellegrin + +commit 664979bba8169d775959452def968d1a7c03901f upstream. + +According to the datasheet PA7 can be set to either function A, B or +C (see table 6-2 of DS60001579D). The previous value would permit just +configuring with function C. + +Signed-off-by: Federico Pellegrin +Fixes: 1e5f532c2737 ("ARM: dts: at91: sam9x60: add device tree for soc and board") +Cc: # 5.6+ +Cc: Sandeep Sheriker Mallikarjun +Signed-off-by: Nicolas Ferre +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/at91-sam9x60ek.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/at91-sam9x60ek.dts ++++ b/arch/arm/boot/dts/at91-sam9x60ek.dts +@@ -336,7 +336,7 @@ + &pinctrl { + atmel,mux-mask = < + /* A B C */ +- 0xFFFFFE7F 0xC0E0397F 0xEF00019D /* pioA */ ++ 0xFFFFFEFF 0xC0E039FF 0xEF00019D /* pioA */ + 0x03FFFFFF 0x02FC7E68 0x00780000 /* pioB */ + 0xffffffff 0xF83FFFFF 0xB800F3FC /* pioC */ + 0x003FFFFF 0x003F8000 0x00000000 /* pioD */ diff --git a/queue-5.10/arm-dts-at91-sam9x60-fix-mux-mask-to-match-product-s-datasheet.patch b/queue-5.10/arm-dts-at91-sam9x60-fix-mux-mask-to-match-product-s-datasheet.patch new file mode 100644 index 00000000000..02b4411e202 --- /dev/null +++ b/queue-5.10/arm-dts-at91-sam9x60-fix-mux-mask-to-match-product-s-datasheet.patch @@ -0,0 +1,64 @@ +From 2c69c8a1736eace8de491d480e6e577a27c2087c Mon Sep 17 00:00:00 2001 +From: Nicolas Ferre +Date: Wed, 10 Mar 2021 16:20:06 +0100 +Subject: ARM: dts: at91: sam9x60: fix mux-mask to match product's datasheet + +From: Nicolas Ferre + +commit 2c69c8a1736eace8de491d480e6e577a27c2087c upstream. + +Fix the whole mux-mask table according to datasheet for the sam9x60 +product. Too much functions for pins were disabled leading to +misunderstandings when enabling more peripherals or taking this table +as an example for another board. +Take advantage of this fix to move the mux-mask in the SoC file where it +belongs and use lower case letters for hex numbers like everywhere in +the file. + +Signed-off-by: Nicolas Ferre +Fixes: 1e5f532c2737 ("ARM: dts: at91: sam9x60: add device tree for soc and board") +Cc: # 5.6+ +Cc: Sandeep Sheriker Mallikarjun +Reviewed-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20210310152006.15018-1-nicolas.ferre@microchip.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/at91-sam9x60ek.dts | 8 -------- + arch/arm/boot/dts/sam9x60.dtsi | 9 +++++++++ + 2 files changed, 9 insertions(+), 8 deletions(-) + +--- a/arch/arm/boot/dts/at91-sam9x60ek.dts ++++ b/arch/arm/boot/dts/at91-sam9x60ek.dts +@@ -334,14 +334,6 @@ + }; + + &pinctrl { +- atmel,mux-mask = < +- /* A B C */ +- 0xFFFFFEFF 0xC0E039FF 0xEF00019D /* pioA */ +- 0x03FFFFFF 0x02FC7E68 0x00780000 /* pioB */ +- 0xffffffff 0xF83FFFFF 0xB800F3FC /* pioC */ +- 0x003FFFFF 0x003F8000 0x00000000 /* pioD */ +- >; +- + adc { + pinctrl_adc_default: adc_default { + atmel,pins = ; +--- a/arch/arm/boot/dts/sam9x60.dtsi ++++ b/arch/arm/boot/dts/sam9x60.dtsi +@@ -606,6 +606,15 @@ + compatible = "microchip,sam9x60-pinctrl", "atmel,at91sam9x5-pinctrl", "atmel,at91rm9200-pinctrl", "simple-bus"; + ranges = <0xfffff400 0xfffff400 0x800>; + ++ /* mux-mask corresponding to sam9x60 SoC in TFBGA228L package */ ++ atmel,mux-mask = < ++ /* A B C */ ++ 0xffffffff 0xffe03fff 0xef00019d /* pioA */ ++ 0x03ffffff 0x02fc7e7f 0x00780000 /* pioB */ ++ 0xffffffff 0xffffffff 0xf83fffff /* pioC */ ++ 0x003fffff 0x003f8000 0x00000000 /* pioD */ ++ >; ++ + pioA: gpio@fffff400 { + compatible = "microchip,sam9x60-gpio", "atmel,at91sam9x5-gpio", "atmel,at91rm9200-gpio"; + reg = <0xfffff400 0x200>; diff --git a/queue-5.10/arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch b/queue-5.10/arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch new file mode 100644 index 00000000000..7542ad3abcf --- /dev/null +++ b/queue-5.10/arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch @@ -0,0 +1,40 @@ +From 221c3a09ddf70a0a51715e6c2878d8305e95c558 Mon Sep 17 00:00:00 2001 +From: Claudiu Beznea +Date: Wed, 11 Apr 2018 19:05:03 +0300 +Subject: ARM: dts: at91-sama5d27_som1: fix phy address to 7 + +From: Claudiu Beznea + +commit 221c3a09ddf70a0a51715e6c2878d8305e95c558 upstream. + +Fix the phy address to 7 for Ethernet PHY on SAMA5D27 SOM1. No +connection established if phy address 0 is used. + +The board uses the 24 pins version of the KSZ8081RNA part, KSZ8081RNA +pin 16 REFCLK as PHYAD bit [2] has weak internal pull-down. But at +reset, connected to PD09 of the MPU it's connected with an internal +pull-up forming PHYAD[2:0] = 7. + +Signed-off-by: Claudiu Beznea +Fixes: 2f61929eb10a ("ARM: dts: at91: at91-sama5d27_som1: fix PHY ID") +Cc: Ludovic Desroches +Signed-off-by: Nicolas Ferre +Cc: # 4.14+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/at91-sama5d27_som1.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/at91-sama5d27_som1.dtsi ++++ b/arch/arm/boot/dts/at91-sama5d27_som1.dtsi +@@ -84,8 +84,8 @@ + pinctrl-0 = <&pinctrl_macb0_default>; + phy-mode = "rmii"; + +- ethernet-phy@0 { +- reg = <0x0>; ++ ethernet-phy@7 { ++ reg = <0x7>; + interrupt-parent = <&pioA>; + interrupts = ; + pinctrl-names = "default"; diff --git a/queue-5.10/arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch b/queue-5.10/arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch new file mode 100644 index 00000000000..d83f0acb269 --- /dev/null +++ b/queue-5.10/arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch @@ -0,0 +1,38 @@ +From ba8da03fa7dff59d9400250aebd38f94cde3cb0f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Sun, 7 Mar 2021 22:47:37 +0200 +Subject: arm64: dts: ls1012a: mark crypto engine dma coherent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit ba8da03fa7dff59d9400250aebd38f94cde3cb0f upstream. + +Crypto engine (CAAM) on LS1012A platform is configured HW-coherent, +mark accordingly the DT node. + +Lack of "dma-coherent" property for an IP that is configured HW-coherent +can lead to problems, similar to what has been reported for LS1046A. + +Cc: # v4.12+ +Fixes: 85b85c569507 ("arm64: dts: ls1012a: add crypto node") +Signed-off-by: Horia Geantă +Acked-by: Li Yang +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/fsl-ls1012a.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/boot/dts/freescale/fsl-ls1012a.dtsi ++++ b/arch/arm64/boot/dts/freescale/fsl-ls1012a.dtsi +@@ -192,6 +192,7 @@ + ranges = <0x0 0x00 0x1700000 0x100000>; + reg = <0x00 0x1700000 0x0 0x100000>; + interrupts = ; ++ dma-coherent; + + sec_jr0: jr@10000 { + compatible = "fsl,sec-v5.4-job-ring", diff --git a/queue-5.10/arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch b/queue-5.10/arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch new file mode 100644 index 00000000000..3cd7f12ea79 --- /dev/null +++ b/queue-5.10/arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch @@ -0,0 +1,39 @@ +From 4fb3a074755b7737c4081cffe0ccfa08c2f2d29d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Sun, 7 Mar 2021 22:47:36 +0200 +Subject: arm64: dts: ls1043a: mark crypto engine dma coherent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit 4fb3a074755b7737c4081cffe0ccfa08c2f2d29d upstream. + +Crypto engine (CAAM) on LS1043A platform is configured HW-coherent, +mark accordingly the DT node. + +Lack of "dma-coherent" property for an IP that is configured HW-coherent +can lead to problems, similar to what has been reported for LS1046A. + +Cc: # v4.8+ +Fixes: 63dac35b58f4 ("arm64: dts: ls1043a: add crypto node") +Link: https://lore.kernel.org/linux-crypto/fe6faa24-d8f7-d18f-adfa-44fa0caa1598@arm.com +Signed-off-by: Horia Geantă +Acked-by: Li Yang +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi ++++ b/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi +@@ -322,6 +322,7 @@ + ranges = <0x0 0x00 0x1700000 0x100000>; + reg = <0x00 0x1700000 0x0 0x100000>; + interrupts = <0 75 0x4>; ++ dma-coherent; + + sec_jr0: jr@10000 { + compatible = "fsl,sec-v5.4-job-ring", diff --git a/queue-5.10/arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch b/queue-5.10/arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch new file mode 100644 index 00000000000..dc358698104 --- /dev/null +++ b/queue-5.10/arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch @@ -0,0 +1,87 @@ +From 9c3a16f88385e671b63a0de7b82b85e604a80f42 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Sun, 7 Mar 2021 22:47:35 +0200 +Subject: arm64: dts: ls1046a: mark crypto engine dma coherent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit 9c3a16f88385e671b63a0de7b82b85e604a80f42 upstream. + +Crypto engine (CAAM) on LS1046A platform is configured HW-coherent, +mark accordingly the DT node. + +As reported by Greg and Sascha, and explained by Robin, lack of +"dma-coherent" property for an IP that is configured HW-coherent +can lead to problems, e.g. on v5.11: + +> kernel BUG at drivers/crypto/caam/jr.c:247! +> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +> Modules linked in: +> CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.11.0-20210225-3-00039-g434215968816-dirty #12 +> Hardware name: TQ TQMLS1046A SoM on Arkona AT1130 (C300) board (DT) +> pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--) +> pc : caam_jr_dequeue+0x98/0x57c +> lr : caam_jr_dequeue+0x98/0x57c +> sp : ffff800010003d50 +> x29: ffff800010003d50 x28: ffff8000118d4000 +> x27: ffff8000118d4328 x26: 00000000000001f0 +> x25: ffff0008022be480 x24: ffff0008022c6410 +> x23: 00000000000001f1 x22: ffff8000118d4329 +> x21: 0000000000004d80 x20: 00000000000001f1 +> x19: 0000000000000001 x18: 0000000000000020 +> x17: 0000000000000000 x16: 0000000000000015 +> x15: ffff800011690230 x14: 2e2e2e2e2e2e2e2e +> x13: 2e2e2e2e2e2e2020 x12: 3030303030303030 +> x11: ffff800011700a38 x10: 00000000fffff000 +> x9 : ffff8000100ada30 x8 : ffff8000116a8a38 +> x7 : 0000000000000001 x6 : 0000000000000000 +> x5 : 0000000000000000 x4 : 0000000000000000 +> x3 : 00000000ffffffff x2 : 0000000000000000 +> x1 : 0000000000000000 x0 : 0000000000001800 +> Call trace: +> caam_jr_dequeue+0x98/0x57c +> tasklet_action_common.constprop.0+0x164/0x18c +> tasklet_action+0x44/0x54 +> __do_softirq+0x160/0x454 +> __irq_exit_rcu+0x164/0x16c +> irq_exit+0x1c/0x30 +> __handle_domain_irq+0xc0/0x13c +> gic_handle_irq+0x5c/0xf0 +> el1_irq+0xb4/0x180 +> arch_cpu_idle+0x18/0x30 +> default_idle_call+0x3c/0x1c0 +> do_idle+0x23c/0x274 +> cpu_startup_entry+0x34/0x70 +> rest_init+0xdc/0xec +> arch_call_rest_init+0x1c/0x28 +> start_kernel+0x4ac/0x4e4 +> Code: 91392021 912c2000 d377d8c6 97f24d96 (d4210000) + +Cc: # v4.10+ +Fixes: 8126d88162a5 ("arm64: dts: add QorIQ LS1046A SoC support") +Link: https://lore.kernel.org/linux-crypto/fe6faa24-d8f7-d18f-adfa-44fa0caa1598@arm.com +Reported-by: Greg Ungerer +Reported-by: Sascha Hauer +Tested-by: Sascha Hauer +Signed-off-by: Horia Geantă +Acked-by: Greg Ungerer +Acked-by: Li Yang +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi ++++ b/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi +@@ -325,6 +325,7 @@ + ranges = <0x0 0x00 0x1700000 0x100000>; + reg = <0x00 0x1700000 0x0 0x100000>; + interrupts = ; ++ dma-coherent; + + sec_jr0: jr@10000 { + compatible = "fsl,sec-v5.4-job-ring", diff --git a/queue-5.10/arm64-stacktrace-don-t-trace-arch_stack_walk.patch b/queue-5.10/arm64-stacktrace-don-t-trace-arch_stack_walk.patch new file mode 100644 index 00000000000..6608efcacc7 --- /dev/null +++ b/queue-5.10/arm64-stacktrace-don-t-trace-arch_stack_walk.patch @@ -0,0 +1,119 @@ +From c607ab4f916d4d5259072eca34055d3f5a795c21 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Fri, 19 Mar 2021 18:41:06 +0000 +Subject: arm64: stacktrace: don't trace arch_stack_walk() + +From: Mark Rutland + +commit c607ab4f916d4d5259072eca34055d3f5a795c21 upstream. + +We recently converted arm64 to use arch_stack_walk() in commit: + + 5fc57df2f6fd ("arm64: stacktrace: Convert to ARCH_STACKWALK") + +The core stacktrace code expects that (when tracing the current task) +arch_stack_walk() starts a trace at its caller, and does not include +itself in the trace. However, arm64's arch_stack_walk() includes itself, +and so traces include one more entry than callers expect. The core +stacktrace code which calls arch_stack_walk() tries to skip a number of +entries to prevent itself appearing in a trace, and the additional entry +prevents skipping one of the core stacktrace functions, leaving this in +the trace unexpectedly. + +We can fix this by having arm64's arch_stack_walk() begin the trace with +its caller. The first value returned by the trace will be +__builtin_return_address(0), i.e. the caller of arch_stack_walk(). The +first frame record to be unwound will be __builtin_frame_address(1), +i.e. the caller's frame record. To prevent surprises, arch_stack_walk() +is also marked noinline. + +While __builtin_frame_address(1) is not safe in portable code, local GCC +developers have confirmed that it is safe on arm64. To find the caller's +frame record, the builtin can safely dereference the current function's +frame record or (in theory) could stash the original FP into another GPR +at function entry time, neither of which are problematic. + +Prior to this patch, the tracing code would unexpectedly show up in +traces of the current task, e.g. + +| # cat /proc/self/stack +| [<0>] stack_trace_save_tsk+0x98/0x100 +| [<0>] proc_pid_stack+0xb4/0x130 +| [<0>] proc_single_show+0x60/0x110 +| [<0>] seq_read_iter+0x230/0x4d0 +| [<0>] seq_read+0xdc/0x130 +| [<0>] vfs_read+0xac/0x1e0 +| [<0>] ksys_read+0x6c/0xfc +| [<0>] __arm64_sys_read+0x20/0x30 +| [<0>] el0_svc_common.constprop.0+0x60/0x120 +| [<0>] do_el0_svc+0x24/0x90 +| [<0>] el0_svc+0x2c/0x54 +| [<0>] el0_sync_handler+0x1a4/0x1b0 +| [<0>] el0_sync+0x170/0x180 + +After this patch, the tracing code will not show up in such traces: + +| # cat /proc/self/stack +| [<0>] proc_pid_stack+0xb4/0x130 +| [<0>] proc_single_show+0x60/0x110 +| [<0>] seq_read_iter+0x230/0x4d0 +| [<0>] seq_read+0xdc/0x130 +| [<0>] vfs_read+0xac/0x1e0 +| [<0>] ksys_read+0x6c/0xfc +| [<0>] __arm64_sys_read+0x20/0x30 +| [<0>] el0_svc_common.constprop.0+0x60/0x120 +| [<0>] do_el0_svc+0x24/0x90 +| [<0>] el0_svc+0x2c/0x54 +| [<0>] el0_sync_handler+0x1a4/0x1b0 +| [<0>] el0_sync+0x170/0x180 + +Erring on the side of caution, I've given this a spin with a bunch of +toolchains, verifying the output of /proc/self/stack and checking that +the assembly looked sound. For GCC (where we require version 5.1.0 or +later) I tested with the kernel.org crosstool binares for versions +5.5.0, 6.4.0, 6.5.0, 7.3.0, 7.5.0, 8.1.0, 8.3.0, 8.4.0, 9.2.0, and +10.1.0. For clang (where we require version 10.0.1 or later) I tested +with the llvm.org binary releases of 11.0.0, and 11.0.1. + +Fixes: 5fc57df2f6fd ("arm64: stacktrace: Convert to ARCH_STACKWALK") +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Chen Jun +Cc: Marco Elver +Cc: Mark Brown +Cc: Will Deacon +Cc: # 5.10.x +Reviewed-by: Catalin Marinas +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20210319184106.5688-1-mark.rutland@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/stacktrace.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/arch/arm64/kernel/stacktrace.c ++++ b/arch/arm64/kernel/stacktrace.c +@@ -199,8 +199,9 @@ void show_stack(struct task_struct *tsk, + + #ifdef CONFIG_STACKTRACE + +-void arch_stack_walk(stack_trace_consume_fn consume_entry, void *cookie, +- struct task_struct *task, struct pt_regs *regs) ++noinline void arch_stack_walk(stack_trace_consume_fn consume_entry, ++ void *cookie, struct task_struct *task, ++ struct pt_regs *regs) + { + struct stackframe frame; + +@@ -208,8 +209,8 @@ void arch_stack_walk(stack_trace_consume + start_backtrace(&frame, regs->regs[29], regs->pc); + else if (task == current) + start_backtrace(&frame, +- (unsigned long)__builtin_frame_address(0), +- (unsigned long)arch_stack_walk); ++ (unsigned long)__builtin_frame_address(1), ++ (unsigned long)__builtin_return_address(0)); + else + start_backtrace(&frame, thread_saved_fp(task), + thread_saved_pc(task)); diff --git a/queue-5.10/btrfs-fix-sleep-while-in-non-sleep-context-during-qgroup-removal.patch b/queue-5.10/btrfs-fix-sleep-while-in-non-sleep-context-during-qgroup-removal.patch new file mode 100644 index 00000000000..0d22271d211 --- /dev/null +++ b/queue-5.10/btrfs-fix-sleep-while-in-non-sleep-context-during-qgroup-removal.patch @@ -0,0 +1,102 @@ +From 0bb788300990d3eb5582d3301a720f846c78925c Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Thu, 18 Mar 2021 11:22:05 +0000 +Subject: btrfs: fix sleep while in non-sleep context during qgroup removal + +From: Filipe Manana + +commit 0bb788300990d3eb5582d3301a720f846c78925c upstream. + +While removing a qgroup's sysfs entry we end up taking the kernfs_mutex, +through kobject_del(), while holding the fs_info->qgroup_lock spinlock, +producing the following trace: + + [821.843637] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:281 + [821.843641] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 28214, name: podman + [821.843644] CPU: 3 PID: 28214 Comm: podman Tainted: G W 5.11.6 #15 + [821.843646] Hardware name: Dell Inc. PowerEdge R330/084XW4, BIOS 2.11.0 12/08/2020 + [821.843647] Call Trace: + [821.843650] dump_stack+0xa1/0xfb + [821.843656] ___might_sleep+0x144/0x160 + [821.843659] mutex_lock+0x17/0x40 + [821.843662] kernfs_remove_by_name_ns+0x1f/0x80 + [821.843666] sysfs_remove_group+0x7d/0xe0 + [821.843668] sysfs_remove_groups+0x28/0x40 + [821.843670] kobject_del+0x2a/0x80 + [821.843672] btrfs_sysfs_del_one_qgroup+0x2b/0x40 [btrfs] + [821.843685] __del_qgroup_rb+0x12/0x150 [btrfs] + [821.843696] btrfs_remove_qgroup+0x288/0x2a0 [btrfs] + [821.843707] btrfs_ioctl+0x3129/0x36a0 [btrfs] + [821.843717] ? __mod_lruvec_page_state+0x5e/0xb0 + [821.843719] ? page_add_new_anon_rmap+0xbc/0x150 + [821.843723] ? kfree+0x1b4/0x300 + [821.843725] ? mntput_no_expire+0x55/0x330 + [821.843728] __x64_sys_ioctl+0x5a/0xa0 + [821.843731] do_syscall_64+0x33/0x70 + [821.843733] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + [821.843736] RIP: 0033:0x4cd3fb + [821.843741] RSP: 002b:000000c000906b20 EFLAGS: 00000206 ORIG_RAX: 0000000000000010 + [821.843744] RAX: ffffffffffffffda RBX: 000000c000050000 RCX: 00000000004cd3fb + [821.843745] RDX: 000000c000906b98 RSI: 000000004010942a RDI: 000000000000000f + [821.843747] RBP: 000000c000907cd0 R08: 000000c000622901 R09: 0000000000000000 + [821.843748] R10: 000000c000d992c0 R11: 0000000000000206 R12: 000000000000012d + [821.843749] R13: 000000000000012c R14: 0000000000000200 R15: 0000000000000049 + +Fix this by removing the qgroup sysfs entry while not holding the spinlock, +since the spinlock is only meant for protection of the qgroup rbtree. + +Reported-by: Stuart Shelton +Link: https://lore.kernel.org/linux-btrfs/7A5485BB-0628-419D-A4D3-27B1AF47E25A@gmail.com/ +Fixes: 49e5fb46211de0 ("btrfs: qgroup: export qgroups in sysfs") +CC: stable@vger.kernel.org # 5.10+ +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -226,7 +226,6 @@ static void __del_qgroup_rb(struct btrfs + { + struct btrfs_qgroup_list *list; + +- btrfs_sysfs_del_one_qgroup(fs_info, qgroup); + list_del(&qgroup->dirty); + while (!list_empty(&qgroup->groups)) { + list = list_first_entry(&qgroup->groups, +@@ -243,7 +242,6 @@ static void __del_qgroup_rb(struct btrfs + list_del(&list->next_member); + kfree(list); + } +- kfree(qgroup); + } + + /* must be called with qgroup_lock held */ +@@ -569,6 +567,8 @@ void btrfs_free_qgroup_config(struct btr + qgroup = rb_entry(n, struct btrfs_qgroup, node); + rb_erase(n, &fs_info->qgroup_tree); + __del_qgroup_rb(fs_info, qgroup); ++ btrfs_sysfs_del_one_qgroup(fs_info, qgroup); ++ kfree(qgroup); + } + /* + * We call btrfs_free_qgroup_config() when unmounting +@@ -1580,6 +1580,14 @@ int btrfs_remove_qgroup(struct btrfs_tra + spin_lock(&fs_info->qgroup_lock); + del_qgroup_rb(fs_info, qgroupid); + spin_unlock(&fs_info->qgroup_lock); ++ ++ /* ++ * Remove the qgroup from sysfs now without holding the qgroup_lock ++ * spinlock, since the sysfs_remove_group() function needs to take ++ * the mutex kernfs_mutex through kernfs_remove_by_name_ns(). ++ */ ++ btrfs_sysfs_del_one_qgroup(fs_info, qgroup); ++ kfree(qgroup); + out: + mutex_unlock(&fs_info->qgroup_ioctl_lock); + return ret; diff --git a/queue-5.10/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch b/queue-5.10/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch new file mode 100644 index 00000000000..87941f54bbc --- /dev/null +++ b/queue-5.10/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch @@ -0,0 +1,37 @@ +From 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Fri, 26 Mar 2021 14:32:32 -0400 +Subject: dm ioctl: fix out of bounds array access when no devices + +From: Mikulas Patocka + +commit 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a upstream. + +If there are not any dm devices, we need to zero the "dev" argument in +the first structure dm_name_list. However, this can cause out of +bounds write, because the "needed" variable is zero and len may be +less than eight. + +Fix this bug by reporting DM_BUFFER_FULL_FLAG if the result buffer is +too small to hold the "nl->dev" value. + +Signed-off-by: Mikulas Patocka +Reported-by: Dan Carpenter +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -529,7 +529,7 @@ static int list_devices(struct file *fil + * Grab our output buffer. + */ + nl = orig_nl = get_result_buffer(param, param_size, &len); +- if (len < needed) { ++ if (len < needed || len < sizeof(nl->dev)) { + param->flags |= DM_BUFFER_FULL_FLAG; + goto out; + } diff --git a/queue-5.10/dm-verity-fix-dm_verity_opts_max-value.patch b/queue-5.10/dm-verity-fix-dm_verity_opts_max-value.patch new file mode 100644 index 00000000000..c2fd7619de4 --- /dev/null +++ b/queue-5.10/dm-verity-fix-dm_verity_opts_max-value.patch @@ -0,0 +1,33 @@ +From 160f99db943224e55906dd83880da1a704c6e6b9 Mon Sep 17 00:00:00 2001 +From: JeongHyeon Lee +Date: Thu, 11 Mar 2021 21:10:50 +0900 +Subject: dm verity: fix DM_VERITY_OPTS_MAX value + +From: JeongHyeon Lee + +commit 160f99db943224e55906dd83880da1a704c6e6b9 upstream. + +Three optional parameters must be accepted at once in a DM verity table, e.g.: + (verity_error_handling_mode) (ignore_zero_block) (check_at_most_once) +Fix this to be possible by incrementing DM_VERITY_OPTS_MAX. + +Signed-off-by: JeongHyeon Lee +Fixes: 843f38d382b1 ("dm verity: add 'check_at_most_once' option to only validate hashes once") +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-verity-target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-verity-target.c ++++ b/drivers/md/dm-verity-target.c +@@ -34,7 +34,7 @@ + #define DM_VERITY_OPT_IGN_ZEROES "ignore_zero_blocks" + #define DM_VERITY_OPT_AT_MOST_ONCE "check_at_most_once" + +-#define DM_VERITY_OPTS_MAX (2 + DM_VERITY_OPTS_FEC + \ ++#define DM_VERITY_OPTS_MAX (3 + DM_VERITY_OPTS_FEC + \ + DM_VERITY_ROOT_HASH_VERIFICATION_OPTS) + + static unsigned dm_verity_prefetch_cluster = DM_VERITY_DEFAULT_PREFETCH_SIZE; diff --git a/queue-5.10/drm-amd-pm-workaround-for-audio-noise-issue.patch b/queue-5.10/drm-amd-pm-workaround-for-audio-noise-issue.patch new file mode 100644 index 00000000000..dc7c56e5d05 --- /dev/null +++ b/queue-5.10/drm-amd-pm-workaround-for-audio-noise-issue.patch @@ -0,0 +1,314 @@ +From 9d03730ecbc5afabfda26d4dbb014310bc4ea4d9 Mon Sep 17 00:00:00 2001 +From: Kenneth Feng +Date: Thu, 11 Mar 2021 12:19:57 +0800 +Subject: drm/amd/pm: workaround for audio noise issue + +From: Kenneth Feng + +commit 9d03730ecbc5afabfda26d4dbb014310bc4ea4d9 upstream. + +On some Intel platforms, audio noise can be detected due to +high pcie speed switch latency. +This patch leaverages ppfeaturemask to fix to the highest pcie +speed then disable pcie switching. + +v2: +coding style fix + +Signed-off-by: Kenneth Feng +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 54 +++++++++++++ + drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 74 +++++++++++++++--- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c | 24 +++++ + drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c | 25 ++++++ + 4 files changed, 166 insertions(+), 11 deletions(-) + +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c +@@ -524,6 +524,48 @@ static int smu7_force_switch_to_arbf0(st + tmp, MC_CG_ARB_FREQ_F0); + } + ++static uint16_t smu7_override_pcie_speed(struct pp_hwmgr *hwmgr) ++{ ++ struct amdgpu_device *adev = (struct amdgpu_device *)(hwmgr->adev); ++ uint16_t pcie_gen = 0; ++ ++ if (adev->pm.pcie_gen_mask & CAIL_PCIE_LINK_SPEED_SUPPORT_GEN4 && ++ adev->pm.pcie_gen_mask & CAIL_ASIC_PCIE_LINK_SPEED_SUPPORT_GEN4) ++ pcie_gen = 3; ++ else if (adev->pm.pcie_gen_mask & CAIL_PCIE_LINK_SPEED_SUPPORT_GEN3 && ++ adev->pm.pcie_gen_mask & CAIL_ASIC_PCIE_LINK_SPEED_SUPPORT_GEN3) ++ pcie_gen = 2; ++ else if (adev->pm.pcie_gen_mask & CAIL_PCIE_LINK_SPEED_SUPPORT_GEN2 && ++ adev->pm.pcie_gen_mask & CAIL_ASIC_PCIE_LINK_SPEED_SUPPORT_GEN2) ++ pcie_gen = 1; ++ else if (adev->pm.pcie_gen_mask & CAIL_PCIE_LINK_SPEED_SUPPORT_GEN1 && ++ adev->pm.pcie_gen_mask & CAIL_ASIC_PCIE_LINK_SPEED_SUPPORT_GEN1) ++ pcie_gen = 0; ++ ++ return pcie_gen; ++} ++ ++static uint16_t smu7_override_pcie_width(struct pp_hwmgr *hwmgr) ++{ ++ struct amdgpu_device *adev = (struct amdgpu_device *)(hwmgr->adev); ++ uint16_t pcie_width = 0; ++ ++ if (adev->pm.pcie_mlw_mask & CAIL_PCIE_LINK_WIDTH_SUPPORT_X16) ++ pcie_width = 16; ++ else if (adev->pm.pcie_mlw_mask & CAIL_PCIE_LINK_WIDTH_SUPPORT_X12) ++ pcie_width = 12; ++ else if (adev->pm.pcie_mlw_mask & CAIL_PCIE_LINK_WIDTH_SUPPORT_X8) ++ pcie_width = 8; ++ else if (adev->pm.pcie_mlw_mask & CAIL_PCIE_LINK_WIDTH_SUPPORT_X4) ++ pcie_width = 4; ++ else if (adev->pm.pcie_mlw_mask & CAIL_PCIE_LINK_WIDTH_SUPPORT_X2) ++ pcie_width = 2; ++ else if (adev->pm.pcie_mlw_mask & CAIL_PCIE_LINK_WIDTH_SUPPORT_X1) ++ pcie_width = 1; ++ ++ return pcie_width; ++} ++ + static int smu7_setup_default_pcie_table(struct pp_hwmgr *hwmgr) + { + struct smu7_hwmgr *data = (struct smu7_hwmgr *)(hwmgr->backend); +@@ -620,6 +662,11 @@ static int smu7_setup_default_pcie_table + PP_Min_PCIEGen), + get_pcie_lane_support(data->pcie_lane_cap, + PP_Max_PCIELane)); ++ ++ if (data->pcie_dpm_key_disabled) ++ phm_setup_pcie_table_entry(&data->dpm_table.pcie_speed_table, ++ data->dpm_table.pcie_speed_table.count, ++ smu7_override_pcie_speed(hwmgr), smu7_override_pcie_width(hwmgr)); + } + return 0; + } +@@ -1180,6 +1227,13 @@ static int smu7_start_dpm(struct pp_hwmg + NULL)), + "Failed to enable pcie DPM during DPM Start Function!", + return -EINVAL); ++ } else { ++ PP_ASSERT_WITH_CODE( ++ (0 == smum_send_msg_to_smc(hwmgr, ++ PPSMC_MSG_PCIeDPM_Disable, ++ NULL)), ++ "Failed to disble pcie DPM during DPM Start Function!", ++ return -EINVAL); + } + + if (phm_cap_enabled(hwmgr->platform_descriptor.platformCaps, +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c +@@ -54,6 +54,9 @@ + #include "smuio/smuio_9_0_offset.h" + #include "smuio/smuio_9_0_sh_mask.h" + ++#define smnPCIE_LC_SPEED_CNTL 0x11140290 ++#define smnPCIE_LC_LINK_WIDTH_CNTL 0x11140288 ++ + #define HBM_MEMORY_CHANNEL_WIDTH 128 + + static const uint32_t channel_number[] = {1, 2, 0, 4, 0, 8, 0, 16, 2}; +@@ -443,8 +446,7 @@ static void vega10_init_dpm_defaults(str + if (PP_CAP(PHM_PlatformCaps_VCEDPM)) + data->smu_features[GNLD_DPM_VCE].supported = true; + +- if (!data->registry_data.pcie_dpm_key_disabled) +- data->smu_features[GNLD_DPM_LINK].supported = true; ++ data->smu_features[GNLD_DPM_LINK].supported = true; + + if (!data->registry_data.dcefclk_dpm_key_disabled) + data->smu_features[GNLD_DPM_DCEFCLK].supported = true; +@@ -1545,6 +1547,13 @@ static int vega10_override_pcie_paramete + pp_table->PcieLaneCount[i] = pcie_width; + } + ++ if (data->registry_data.pcie_dpm_key_disabled) { ++ for (i = 0; i < NUM_LINK_LEVELS; i++) { ++ pp_table->PcieGenSpeed[i] = pcie_gen; ++ pp_table->PcieLaneCount[i] = pcie_width; ++ } ++ } ++ + return 0; + } + +@@ -2967,6 +2976,14 @@ static int vega10_start_dpm(struct pp_hw + } + } + ++ if (data->registry_data.pcie_dpm_key_disabled) { ++ PP_ASSERT_WITH_CODE(!vega10_enable_smc_features(hwmgr, ++ false, data->smu_features[GNLD_DPM_LINK].smu_feature_bitmap), ++ "Attempt to Disable Link DPM feature Failed!", return -EINVAL); ++ data->smu_features[GNLD_DPM_LINK].enabled = false; ++ data->smu_features[GNLD_DPM_LINK].supported = false; ++ } ++ + return 0; + } + +@@ -4583,6 +4600,24 @@ static int vega10_set_ppfeature_status(s + return 0; + } + ++static int vega10_get_current_pcie_link_width_level(struct pp_hwmgr *hwmgr) ++{ ++ struct amdgpu_device *adev = hwmgr->adev; ++ ++ return (RREG32_PCIE(smnPCIE_LC_LINK_WIDTH_CNTL) & ++ PCIE_LC_LINK_WIDTH_CNTL__LC_LINK_WIDTH_RD_MASK) ++ >> PCIE_LC_LINK_WIDTH_CNTL__LC_LINK_WIDTH_RD__SHIFT; ++} ++ ++static int vega10_get_current_pcie_link_speed_level(struct pp_hwmgr *hwmgr) ++{ ++ struct amdgpu_device *adev = hwmgr->adev; ++ ++ return (RREG32_PCIE(smnPCIE_LC_SPEED_CNTL) & ++ PSWUSP0_PCIE_LC_SPEED_CNTL__LC_CURRENT_DATA_RATE_MASK) ++ >> PSWUSP0_PCIE_LC_SPEED_CNTL__LC_CURRENT_DATA_RATE__SHIFT; ++} ++ + static int vega10_print_clock_levels(struct pp_hwmgr *hwmgr, + enum pp_clock_type type, char *buf) + { +@@ -4591,8 +4626,9 @@ static int vega10_print_clock_levels(str + struct vega10_single_dpm_table *mclk_table = &(data->dpm_table.mem_table); + struct vega10_single_dpm_table *soc_table = &(data->dpm_table.soc_table); + struct vega10_single_dpm_table *dcef_table = &(data->dpm_table.dcef_table); +- struct vega10_pcie_table *pcie_table = &(data->dpm_table.pcie_table); + struct vega10_odn_clock_voltage_dependency_table *podn_vdd_dep = NULL; ++ uint32_t gen_speed, lane_width, current_gen_speed, current_lane_width; ++ PPTable_t *pptable = &(data->smc_state_table.pp_table); + + int i, now, size = 0, count = 0; + +@@ -4649,15 +4685,31 @@ static int vega10_print_clock_levels(str + "*" : ""); + break; + case PP_PCIE: +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrentLinkIndex, &now); +- +- for (i = 0; i < pcie_table->count; i++) +- size += sprintf(buf + size, "%d: %s %s\n", i, +- (pcie_table->pcie_gen[i] == 0) ? "2.5GT/s, x1" : +- (pcie_table->pcie_gen[i] == 1) ? "5.0GT/s, x16" : +- (pcie_table->pcie_gen[i] == 2) ? "8.0GT/s, x16" : "", +- (i == now) ? "*" : ""); ++ current_gen_speed = ++ vega10_get_current_pcie_link_speed_level(hwmgr); ++ current_lane_width = ++ vega10_get_current_pcie_link_width_level(hwmgr); ++ for (i = 0; i < NUM_LINK_LEVELS; i++) { ++ gen_speed = pptable->PcieGenSpeed[i]; ++ lane_width = pptable->PcieLaneCount[i]; ++ ++ size += sprintf(buf + size, "%d: %s %s %s\n", i, ++ (gen_speed == 0) ? "2.5GT/s," : ++ (gen_speed == 1) ? "5.0GT/s," : ++ (gen_speed == 2) ? "8.0GT/s," : ++ (gen_speed == 3) ? "16.0GT/s," : "", ++ (lane_width == 1) ? "x1" : ++ (lane_width == 2) ? "x2" : ++ (lane_width == 3) ? "x4" : ++ (lane_width == 4) ? "x8" : ++ (lane_width == 5) ? "x12" : ++ (lane_width == 6) ? "x16" : "", ++ (current_gen_speed == gen_speed) && ++ (current_lane_width == lane_width) ? ++ "*" : ""); ++ } + break; ++ + case OD_SCLK: + if (hwmgr->od_enabled) { + size = sprintf(buf, "%s:\n", "OD_SCLK"); +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c +@@ -133,6 +133,7 @@ static void vega12_set_default_registry_ + data->registry_data.auto_wattman_debug = 0; + data->registry_data.auto_wattman_sample_period = 100; + data->registry_data.auto_wattman_threshold = 50; ++ data->registry_data.pcie_dpm_key_disabled = !(hwmgr->feature_mask & PP_PCIE_DPM_MASK); + } + + static int vega12_set_features_platform_caps(struct pp_hwmgr *hwmgr) +@@ -539,6 +540,29 @@ static int vega12_override_pcie_paramete + pp_table->PcieLaneCount[i] = pcie_width_arg; + } + ++ /* override to the highest if it's disabled from ppfeaturmask */ ++ if (data->registry_data.pcie_dpm_key_disabled) { ++ for (i = 0; i < NUM_LINK_LEVELS; i++) { ++ smu_pcie_arg = (i << 16) | (pcie_gen << 8) | pcie_width; ++ ret = smum_send_msg_to_smc_with_parameter(hwmgr, ++ PPSMC_MSG_OverridePcieParameters, smu_pcie_arg, ++ NULL); ++ PP_ASSERT_WITH_CODE(!ret, ++ "[OverridePcieParameters] Attempt to override pcie params failed!", ++ return ret); ++ ++ pp_table->PcieGenSpeed[i] = pcie_gen; ++ pp_table->PcieLaneCount[i] = pcie_width; ++ } ++ ret = vega12_enable_smc_features(hwmgr, ++ false, ++ data->smu_features[GNLD_DPM_LINK].smu_feature_bitmap); ++ PP_ASSERT_WITH_CODE(!ret, ++ "Attempt to Disable DPM LINK Failed!", ++ return ret); ++ data->smu_features[GNLD_DPM_LINK].enabled = false; ++ data->smu_features[GNLD_DPM_LINK].supported = false; ++ } + return 0; + } + +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c +@@ -171,6 +171,7 @@ static void vega20_set_default_registry_ + data->registry_data.gfxoff_controlled_by_driver = 1; + data->gfxoff_allowed = false; + data->counter_gfxoff = 0; ++ data->registry_data.pcie_dpm_key_disabled = !(hwmgr->feature_mask & PP_PCIE_DPM_MASK); + } + + static int vega20_set_features_platform_caps(struct pp_hwmgr *hwmgr) +@@ -885,6 +886,30 @@ static int vega20_override_pcie_paramete + pp_table->PcieLaneCount[i] = pcie_width_arg; + } + ++ /* override to the highest if it's disabled from ppfeaturmask */ ++ if (data->registry_data.pcie_dpm_key_disabled) { ++ for (i = 0; i < NUM_LINK_LEVELS; i++) { ++ smu_pcie_arg = (i << 16) | (pcie_gen << 8) | pcie_width; ++ ret = smum_send_msg_to_smc_with_parameter(hwmgr, ++ PPSMC_MSG_OverridePcieParameters, smu_pcie_arg, ++ NULL); ++ PP_ASSERT_WITH_CODE(!ret, ++ "[OverridePcieParameters] Attempt to override pcie params failed!", ++ return ret); ++ ++ pp_table->PcieGenSpeed[i] = pcie_gen; ++ pp_table->PcieLaneCount[i] = pcie_width; ++ } ++ ret = vega20_enable_smc_features(hwmgr, ++ false, ++ data->smu_features[GNLD_DPM_LINK].smu_feature_bitmap); ++ PP_ASSERT_WITH_CODE(!ret, ++ "Attempt to Disable DPM LINK Failed!", ++ return ret); ++ data->smu_features[GNLD_DPM_LINK].enabled = false; ++ data->smu_features[GNLD_DPM_LINK].supported = false; ++ } ++ + return 0; + } + diff --git a/queue-5.10/drm-amdgpu-add-additional-sienna-cichlid-pci-id.patch b/queue-5.10/drm-amdgpu-add-additional-sienna-cichlid-pci-id.patch new file mode 100644 index 00000000000..0e3860b90ff --- /dev/null +++ b/queue-5.10/drm-amdgpu-add-additional-sienna-cichlid-pci-id.patch @@ -0,0 +1,29 @@ +From c933b111094f2818571fc51b81b98ee0d370c035 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Thu, 18 Mar 2021 16:44:10 -0400 +Subject: drm/amdgpu: Add additional Sienna Cichlid PCI ID + +From: Alex Deucher + +commit c933b111094f2818571fc51b81b98ee0d370c035 upstream. + +Add new DID. + +Reviewed-by: Guchun Chen +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -1093,6 +1093,7 @@ static const struct pci_device_id pciidl + {0x1002, 0x73A3, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_SIENNA_CICHLID}, + {0x1002, 0x73AB, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_SIENNA_CICHLID}, + {0x1002, 0x73AE, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_SIENNA_CICHLID}, ++ {0x1002, 0x73AF, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_SIENNA_CICHLID}, + {0x1002, 0x73BF, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_SIENNA_CICHLID}, + + {0, 0, 0} diff --git a/queue-5.10/drm-amdgpu-display-restore-aux_dphy_tx_control-for-dcn2.x.patch b/queue-5.10/drm-amdgpu-display-restore-aux_dphy_tx_control-for-dcn2.x.patch new file mode 100644 index 00000000000..85c61170044 --- /dev/null +++ b/queue-5.10/drm-amdgpu-display-restore-aux_dphy_tx_control-for-dcn2.x.patch @@ -0,0 +1,40 @@ +From 5c458585c0141754cdcbf25feebb547dd671b559 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 16 Feb 2021 12:22:40 -0500 +Subject: drm/amdgpu/display: restore AUX_DPHY_TX_CONTROL for DCN2.x + +From: Alex Deucher + +commit 5c458585c0141754cdcbf25feebb547dd671b559 upstream. + +Commit 098214999c8f added fetching of the AUX_DPHY register +values from the vbios, but it also changed the default values +in the case when there are no values in the vbios. This causes +problems with displays with high refresh rates. To fix this, +switch back to the original default value for AUX_DPHY_TX_CONTROL. + +Fixes: 098214999c8f ("drm/amd/display: Read VBIOS Golden Settings Tbl") +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1426 +Reviewed-by: Harry Wentland +Signed-off-by: Alex Deucher +Cc: Igor Kravchenko +Cc: Aric Cyr +Cc: Aurabindo Pillai +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn20/dcn20_link_encoder.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_link_encoder.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_link_encoder.c +@@ -341,8 +341,7 @@ void enc2_hw_init(struct link_encoder *e + } else { + AUX_REG_WRITE(AUX_DPHY_RX_CONTROL0, 0x103d1110); + +- AUX_REG_WRITE(AUX_DPHY_TX_CONTROL, 0x21c4d); +- ++ AUX_REG_WRITE(AUX_DPHY_TX_CONTROL, 0x21c7a); + } + + //AUX_DPHY_TX_REF_CONTROL'AUX_TX_REF_DIV HW default is 0x32; diff --git a/queue-5.10/drm-etnaviv-use-foll_force-for-userptr.patch b/queue-5.10/drm-etnaviv-use-foll_force-for-userptr.patch new file mode 100644 index 00000000000..c4b8d6b27f2 --- /dev/null +++ b/queue-5.10/drm-etnaviv-use-foll_force-for-userptr.patch @@ -0,0 +1,45 @@ +From cd5297b0855f17c8b4e3ef1d20c6a3656209c7b3 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Mon, 1 Mar 2021 10:52:53 +0100 +Subject: drm/etnaviv: Use FOLL_FORCE for userptr + +From: Daniel Vetter + +commit cd5297b0855f17c8b4e3ef1d20c6a3656209c7b3 upstream. + +Nothing checks userptr.ro except this call to pup_fast, which means +there's nothing actually preventing userspace from writing to this. +Which means you can just read-only mmap any file you want, userptr it +and then write to it with the gpu. Not good. + +The right way to handle this is FOLL_WRITE | FOLL_FORCE, which will +break any COW mappings and update tracking for MAY_WRITE mappings so +there's no exploit and the vm isn't confused about what's going on. +For any legit use case there's no difference from what userspace can +observe and do. + +Reviewed-by: Lucas Stach +Cc: stable@vger.kernel.org +Cc: John Hubbard +Signed-off-by: Daniel Vetter +Cc: Lucas Stach +Cc: Russell King +Cc: Christian Gmeiner +Cc: etnaviv@lists.freedesktop.org +Link: https://patchwork.freedesktop.org/patch/msgid/20210301095254.1946084-1-daniel.vetter@ffwll.ch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/etnaviv/etnaviv_gem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/etnaviv/etnaviv_gem.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_gem.c +@@ -675,7 +675,7 @@ static int etnaviv_gem_userptr_get_pages + struct page **pages = pvec + pinned; + + ret = pin_user_pages_fast(ptr, num_pages, +- !userptr->ro ? FOLL_WRITE : 0, pages); ++ FOLL_WRITE | FOLL_FORCE, pages); + if (ret < 0) { + unpin_user_pages(pvec, pinned); + kvfree(pvec); diff --git a/queue-5.10/drm-i915-fix-the-gt-fence-revocation-runtime-pm-logic.patch b/queue-5.10/drm-i915-fix-the-gt-fence-revocation-runtime-pm-logic.patch new file mode 100644 index 00000000000..e917478310e --- /dev/null +++ b/queue-5.10/drm-i915-fix-the-gt-fence-revocation-runtime-pm-logic.patch @@ -0,0 +1,147 @@ +From 8840e3bd981f128846b01c12d3966d115e8617c9 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Mon, 22 Mar 2021 22:28:17 +0200 +Subject: drm/i915: Fix the GT fence revocation runtime PM logic + +From: Imre Deak + +commit 8840e3bd981f128846b01c12d3966d115e8617c9 upstream. + +To optimize some task deferring it until runtime resume unless someone +holds a runtime PM reference (because in this case the task can be done +w/o the overhead of runtime resume), we have to use the runtime PM +get-if-active logic: If the runtime PM usage count is 0 (and so +get-if-in-use would return false) the runtime suspend handler is not +necessarily called yet (it could be just pending), so the device is not +necessarily powered down, and so the runtime resume handler is not +guaranteed to be called. + +The fence revocation depends on the above deferral, so add a +get-if-active helper and use it during fence revocation. + +v2: +- Add code comment explaining the fence reg programming deferral logic + to i915_vma_revoke_fence(). (Chris) +- Add Cc: stable and Fixes: tags. (Chris) +- Fix the function docbook comment. + +Cc: Chris Wilson +Cc: # v4.12+ +Fixes: 181df2d458f3 ("drm/i915: Take rpm wakelock for releasing the fence on unbind") +Reviewed-by: Chris Wilson +Signed-off-by: Imre Deak +Link: https://patchwork.freedesktop.org/patch/msgid/20210322204223.919936-1-imre.deak@intel.com +(cherry picked from commit 9d58aa46291d4d696bb1eac3436d3118f7bf2573) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c | 13 +++++++++++- + drivers/gpu/drm/i915/intel_runtime_pm.c | 29 ++++++++++++++++++++++----- + drivers/gpu/drm/i915/intel_runtime_pm.h | 5 ++++ + 3 files changed, 41 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c ++++ b/drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c +@@ -316,7 +316,18 @@ void i915_vma_revoke_fence(struct i915_v + WRITE_ONCE(fence->vma, NULL); + vma->fence = NULL; + +- with_intel_runtime_pm_if_in_use(fence_to_uncore(fence)->rpm, wakeref) ++ /* ++ * Skip the write to HW if and only if the device is currently ++ * suspended. ++ * ++ * If the driver does not currently hold a wakeref (if_in_use == 0), ++ * the device may currently be runtime suspended, or it may be woken ++ * up before the suspend takes place. If the device is not suspended ++ * (powered down) and we skip clearing the fence register, the HW is ++ * left in an undefined state where we may end up with multiple ++ * registers overlapping. ++ */ ++ with_intel_runtime_pm_if_active(fence_to_uncore(fence)->rpm, wakeref) + fence_write(fence); + } + +--- a/drivers/gpu/drm/i915/intel_runtime_pm.c ++++ b/drivers/gpu/drm/i915/intel_runtime_pm.c +@@ -412,12 +412,20 @@ intel_wakeref_t intel_runtime_pm_get(str + } + + /** +- * intel_runtime_pm_get_if_in_use - grab a runtime pm reference if device in use ++ * __intel_runtime_pm_get_if_active - grab a runtime pm reference if device is active + * @rpm: the intel_runtime_pm structure ++ * @ignore_usecount: get a ref even if dev->power.usage_count is 0 + * + * This function grabs a device-level runtime pm reference if the device is +- * already in use and ensures that it is powered up. It is illegal to try +- * and access the HW should intel_runtime_pm_get_if_in_use() report failure. ++ * already active and ensures that it is powered up. It is illegal to try ++ * and access the HW should intel_runtime_pm_get_if_active() report failure. ++ * ++ * If @ignore_usecount=true, a reference will be acquired even if there is no ++ * user requiring the device to be powered up (dev->power.usage_count == 0). ++ * If the function returns false in this case then it's guaranteed that the ++ * device's runtime suspend hook has been called already or that it will be ++ * called (and hence it's also guaranteed that the device's runtime resume ++ * hook will be called eventually). + * + * Any runtime pm reference obtained by this function must have a symmetric + * call to intel_runtime_pm_put() to release the reference again. +@@ -425,7 +433,8 @@ intel_wakeref_t intel_runtime_pm_get(str + * Returns: the wakeref cookie to pass to intel_runtime_pm_put(), evaluates + * as True if the wakeref was acquired, or False otherwise. + */ +-intel_wakeref_t intel_runtime_pm_get_if_in_use(struct intel_runtime_pm *rpm) ++static intel_wakeref_t __intel_runtime_pm_get_if_active(struct intel_runtime_pm *rpm, ++ bool ignore_usecount) + { + if (IS_ENABLED(CONFIG_PM)) { + /* +@@ -434,7 +443,7 @@ intel_wakeref_t intel_runtime_pm_get_if_ + * function, since the power state is undefined. This applies + * atm to the late/early system suspend/resume handlers. + */ +- if (pm_runtime_get_if_in_use(rpm->kdev) <= 0) ++ if (pm_runtime_get_if_active(rpm->kdev, ignore_usecount) <= 0) + return 0; + } + +@@ -443,6 +452,16 @@ intel_wakeref_t intel_runtime_pm_get_if_ + return track_intel_runtime_pm_wakeref(rpm); + } + ++intel_wakeref_t intel_runtime_pm_get_if_in_use(struct intel_runtime_pm *rpm) ++{ ++ return __intel_runtime_pm_get_if_active(rpm, false); ++} ++ ++intel_wakeref_t intel_runtime_pm_get_if_active(struct intel_runtime_pm *rpm) ++{ ++ return __intel_runtime_pm_get_if_active(rpm, true); ++} ++ + /** + * intel_runtime_pm_get_noresume - grab a runtime pm reference + * @rpm: the intel_runtime_pm structure +--- a/drivers/gpu/drm/i915/intel_runtime_pm.h ++++ b/drivers/gpu/drm/i915/intel_runtime_pm.h +@@ -177,6 +177,7 @@ void intel_runtime_pm_driver_release(str + + intel_wakeref_t intel_runtime_pm_get(struct intel_runtime_pm *rpm); + intel_wakeref_t intel_runtime_pm_get_if_in_use(struct intel_runtime_pm *rpm); ++intel_wakeref_t intel_runtime_pm_get_if_active(struct intel_runtime_pm *rpm); + intel_wakeref_t intel_runtime_pm_get_noresume(struct intel_runtime_pm *rpm); + intel_wakeref_t intel_runtime_pm_get_raw(struct intel_runtime_pm *rpm); + +@@ -188,6 +189,10 @@ intel_wakeref_t intel_runtime_pm_get_raw + for ((wf) = intel_runtime_pm_get_if_in_use(rpm); (wf); \ + intel_runtime_pm_put((rpm), (wf)), (wf) = 0) + ++#define with_intel_runtime_pm_if_active(rpm, wf) \ ++ for ((wf) = intel_runtime_pm_get_if_active(rpm); (wf); \ ++ intel_runtime_pm_put((rpm), (wf)), (wf) = 0) ++ + void intel_runtime_pm_put_unchecked(struct intel_runtime_pm *rpm); + #if IS_ENABLED(CONFIG_DRM_I915_DEBUG_RUNTIME_PM) + void intel_runtime_pm_put(struct intel_runtime_pm *rpm, intel_wakeref_t wref); diff --git a/queue-5.10/gcov-fix-clang-11-support.patch b/queue-5.10/gcov-fix-clang-11-support.patch new file mode 100644 index 00000000000..9d61ea79564 --- /dev/null +++ b/queue-5.10/gcov-fix-clang-11-support.patch @@ -0,0 +1,163 @@ +From 60bcf728ee7c60ac2a1f9a0eaceb3a7b3954cd2b Mon Sep 17 00:00:00 2001 +From: Nick Desaulniers +Date: Wed, 24 Mar 2021 21:37:44 -0700 +Subject: gcov: fix clang-11+ support + +From: Nick Desaulniers + +commit 60bcf728ee7c60ac2a1f9a0eaceb3a7b3954cd2b upstream. + +LLVM changed the expected function signatures for llvm_gcda_start_file() +and llvm_gcda_emit_function() in the clang-11 release. Users of +clang-11 or newer may have noticed their kernels failing to boot due to +a panic when enabling CONFIG_GCOV_KERNEL=y +CONFIG_GCOV_PROFILE_ALL=y. +Fix up the function signatures so calling these functions doesn't panic +the kernel. + +Link: https://reviews.llvm.org/rGcdd683b516d147925212724b09ec6fb792a40041 +Link: https://reviews.llvm.org/rG13a633b438b6500ecad9e4f936ebadf3411d0f44 +Link: https://lkml.kernel.org/r/20210312224132.3413602-2-ndesaulniers@google.com +Signed-off-by: Nick Desaulniers +Reported-by: Prasad Sodagudi +Suggested-by: Nathan Chancellor +Reviewed-by: Fangrui Song +Tested-by: Nathan Chancellor +Acked-by: Peter Oberparleiter +Reviewed-by: Nathan Chancellor +Cc: [5.4+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + kernel/gcov/clang.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 69 insertions(+) + +--- a/kernel/gcov/clang.c ++++ b/kernel/gcov/clang.c +@@ -75,7 +75,9 @@ struct gcov_fn_info { + + u32 num_counters; + u64 *counters; ++#if CONFIG_CLANG_VERSION < 110000 + const char *function_name; ++#endif + }; + + static struct gcov_info *current_info; +@@ -105,6 +107,7 @@ void llvm_gcov_init(llvm_gcov_callback w + } + EXPORT_SYMBOL(llvm_gcov_init); + ++#if CONFIG_CLANG_VERSION < 110000 + void llvm_gcda_start_file(const char *orig_filename, const char version[4], + u32 checksum) + { +@@ -113,7 +116,17 @@ void llvm_gcda_start_file(const char *or + current_info->checksum = checksum; + } + EXPORT_SYMBOL(llvm_gcda_start_file); ++#else ++void llvm_gcda_start_file(const char *orig_filename, u32 version, u32 checksum) ++{ ++ current_info->filename = orig_filename; ++ current_info->version = version; ++ current_info->checksum = checksum; ++} ++EXPORT_SYMBOL(llvm_gcda_start_file); ++#endif + ++#if CONFIG_CLANG_VERSION < 110000 + void llvm_gcda_emit_function(u32 ident, const char *function_name, + u32 func_checksum, u8 use_extra_checksum, u32 cfg_checksum) + { +@@ -133,6 +146,24 @@ void llvm_gcda_emit_function(u32 ident, + list_add_tail(&info->head, ¤t_info->functions); + } + EXPORT_SYMBOL(llvm_gcda_emit_function); ++#else ++void llvm_gcda_emit_function(u32 ident, u32 func_checksum, ++ u8 use_extra_checksum, u32 cfg_checksum) ++{ ++ struct gcov_fn_info *info = kzalloc(sizeof(*info), GFP_KERNEL); ++ ++ if (!info) ++ return; ++ ++ INIT_LIST_HEAD(&info->head); ++ info->ident = ident; ++ info->checksum = func_checksum; ++ info->use_extra_checksum = use_extra_checksum; ++ info->cfg_checksum = cfg_checksum; ++ list_add_tail(&info->head, ¤t_info->functions); ++} ++EXPORT_SYMBOL(llvm_gcda_emit_function); ++#endif + + void llvm_gcda_emit_arcs(u32 num_counters, u64 *counters) + { +@@ -295,6 +326,7 @@ void gcov_info_add(struct gcov_info *dst + } + } + ++#if CONFIG_CLANG_VERSION < 110000 + static struct gcov_fn_info *gcov_fn_info_dup(struct gcov_fn_info *fn) + { + size_t cv_size; /* counter values size */ +@@ -322,6 +354,28 @@ err_name: + kfree(fn_dup); + return NULL; + } ++#else ++static struct gcov_fn_info *gcov_fn_info_dup(struct gcov_fn_info *fn) ++{ ++ size_t cv_size; /* counter values size */ ++ struct gcov_fn_info *fn_dup = kmemdup(fn, sizeof(*fn), ++ GFP_KERNEL); ++ if (!fn_dup) ++ return NULL; ++ INIT_LIST_HEAD(&fn_dup->head); ++ ++ cv_size = fn->num_counters * sizeof(fn->counters[0]); ++ fn_dup->counters = vmalloc(cv_size); ++ if (!fn_dup->counters) { ++ kfree(fn_dup); ++ return NULL; ++ } ++ ++ memcpy(fn_dup->counters, fn->counters, cv_size); ++ ++ return fn_dup; ++} ++#endif + + /** + * gcov_info_dup - duplicate profiling data set +@@ -362,6 +416,7 @@ err: + * gcov_info_free - release memory for profiling data set duplicate + * @info: profiling data set duplicate to free + */ ++#if CONFIG_CLANG_VERSION < 110000 + void gcov_info_free(struct gcov_info *info) + { + struct gcov_fn_info *fn, *tmp; +@@ -375,6 +430,20 @@ void gcov_info_free(struct gcov_info *in + kfree(info->filename); + kfree(info); + } ++#else ++void gcov_info_free(struct gcov_info *info) ++{ ++ struct gcov_fn_info *fn, *tmp; ++ ++ list_for_each_entry_safe(fn, tmp, &info->functions, head) { ++ vfree(fn->counters); ++ list_del(&fn->head); ++ kfree(fn); ++ } ++ kfree(info->filename); ++ kfree(info); ++} ++#endif + + #define ITER_STRIDE PAGE_SIZE + diff --git a/queue-5.10/hugetlb_cgroup-fix-imbalanced-css_get-and-css_put-pair-for-shared-mappings.patch b/queue-5.10/hugetlb_cgroup-fix-imbalanced-css_get-and-css_put-pair-for-shared-mappings.patch new file mode 100644 index 00000000000..823e345bad9 --- /dev/null +++ b/queue-5.10/hugetlb_cgroup-fix-imbalanced-css_get-and-css_put-pair-for-shared-mappings.patch @@ -0,0 +1,253 @@ +From d85aecf2844ff02a0e5f077252b2461d4f10c9f0 Mon Sep 17 00:00:00 2001 +From: Miaohe Lin +Date: Wed, 24 Mar 2021 21:37:17 -0700 +Subject: hugetlb_cgroup: fix imbalanced css_get and css_put pair for shared mappings + +From: Miaohe Lin + +commit d85aecf2844ff02a0e5f077252b2461d4f10c9f0 upstream. + +The current implementation of hugetlb_cgroup for shared mappings could +have different behavior. Consider the following two scenarios: + + 1.Assume initial css reference count of hugetlb_cgroup is 1: + 1.1 Call hugetlb_reserve_pages with from = 1, to = 2. So css reference + count is 2 associated with 1 file_region. + 1.2 Call hugetlb_reserve_pages with from = 2, to = 3. So css reference + count is 3 associated with 2 file_region. + 1.3 coalesce_file_region will coalesce these two file_regions into + one. So css reference count is 3 associated with 1 file_region + now. + + 2.Assume initial css reference count of hugetlb_cgroup is 1 again: + 2.1 Call hugetlb_reserve_pages with from = 1, to = 3. So css reference + count is 2 associated with 1 file_region. + +Therefore, we might have one file_region while holding one or more css +reference counts. This inconsistency could lead to imbalanced css_get() +and css_put() pair. If we do css_put one by one (i.g. hole punch case), +scenario 2 would put one more css reference. If we do css_put all +together (i.g. truncate case), scenario 1 will leak one css reference. + +The imbalanced css_get() and css_put() pair would result in a non-zero +reference when we try to destroy the hugetlb cgroup. The hugetlb cgroup +directory is removed __but__ associated resource is not freed. This +might result in OOM or can not create a new hugetlb cgroup in a busy +workload ultimately. + +In order to fix this, we have to make sure that one file_region must +hold exactly one css reference. So in coalesce_file_region case, we +should release one css reference before coalescence. Also only put css +reference when the entire file_region is removed. + +The last thing to note is that the caller of region_add() will only hold +one reference to h_cg->css for the whole contiguous reservation region. +But this area might be scattered when there are already some +file_regions reside in it. As a result, many file_regions may share only +one h_cg->css reference. In order to ensure that one file_region must +hold exactly one css reference, we should do css_get() for each +file_region and release the reference held by caller when they are done. + +[linmiaohe@huawei.com: fix imbalanced css_get and css_put pair for shared mappings] + Link: https://lkml.kernel.org/r/20210316023002.53921-1-linmiaohe@huawei.com + +Link: https://lkml.kernel.org/r/20210301120540.37076-1-linmiaohe@huawei.com +Fixes: 075a61d07a8e ("hugetlb_cgroup: add accounting for shared mappings") +Reported-by: kernel test robot (auto build test ERROR) +Signed-off-by: Miaohe Lin +Reviewed-by: Mike Kravetz +Cc: Aneesh Kumar K.V +Cc: Wanpeng Li +Cc: Mina Almasry +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/hugetlb_cgroup.h | 15 +++++++++++++-- + mm/hugetlb.c | 41 +++++++++++++++++++++++++++++++++++++---- + mm/hugetlb_cgroup.c | 10 ++++++++-- + 3 files changed, 58 insertions(+), 8 deletions(-) + +--- a/include/linux/hugetlb_cgroup.h ++++ b/include/linux/hugetlb_cgroup.h +@@ -113,6 +113,11 @@ static inline bool hugetlb_cgroup_disabl + return !cgroup_subsys_enabled(hugetlb_cgrp_subsys); + } + ++static inline void hugetlb_cgroup_put_rsvd_cgroup(struct hugetlb_cgroup *h_cg) ++{ ++ css_put(&h_cg->css); ++} ++ + extern int hugetlb_cgroup_charge_cgroup(int idx, unsigned long nr_pages, + struct hugetlb_cgroup **ptr); + extern int hugetlb_cgroup_charge_cgroup_rsvd(int idx, unsigned long nr_pages, +@@ -138,7 +143,8 @@ extern void hugetlb_cgroup_uncharge_coun + + extern void hugetlb_cgroup_uncharge_file_region(struct resv_map *resv, + struct file_region *rg, +- unsigned long nr_pages); ++ unsigned long nr_pages, ++ bool region_del); + + extern void hugetlb_cgroup_file_init(void) __init; + extern void hugetlb_cgroup_migrate(struct page *oldhpage, +@@ -147,7 +153,8 @@ extern void hugetlb_cgroup_migrate(struc + #else + static inline void hugetlb_cgroup_uncharge_file_region(struct resv_map *resv, + struct file_region *rg, +- unsigned long nr_pages) ++ unsigned long nr_pages, ++ bool region_del) + { + } + +@@ -185,6 +192,10 @@ static inline bool hugetlb_cgroup_disabl + return true; + } + ++static inline void hugetlb_cgroup_put_rsvd_cgroup(struct hugetlb_cgroup *h_cg) ++{ ++} ++ + static inline int hugetlb_cgroup_charge_cgroup(int idx, unsigned long nr_pages, + struct hugetlb_cgroup **ptr) + { +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -285,6 +285,17 @@ static void record_hugetlb_cgroup_unchar + nrg->reservation_counter = + &h_cg->rsvd_hugepage[hstate_index(h)]; + nrg->css = &h_cg->css; ++ /* ++ * The caller will hold exactly one h_cg->css reference for the ++ * whole contiguous reservation region. But this area might be ++ * scattered when there are already some file_regions reside in ++ * it. As a result, many file_regions may share only one css ++ * reference. In order to ensure that one file_region must hold ++ * exactly one h_cg->css reference, we should do css_get for ++ * each file_region and leave the reference held by caller ++ * untouched. ++ */ ++ css_get(&h_cg->css); + if (!resv->pages_per_hpage) + resv->pages_per_hpage = pages_per_huge_page(h); + /* pages_per_hpage should be the same for all entries in +@@ -298,6 +309,14 @@ static void record_hugetlb_cgroup_unchar + #endif + } + ++static void put_uncharge_info(struct file_region *rg) ++{ ++#ifdef CONFIG_CGROUP_HUGETLB ++ if (rg->css) ++ css_put(rg->css); ++#endif ++} ++ + static bool has_same_uncharge_info(struct file_region *rg, + struct file_region *org) + { +@@ -321,6 +340,7 @@ static void coalesce_file_region(struct + prg->to = rg->to; + + list_del(&rg->link); ++ put_uncharge_info(rg); + kfree(rg); + + rg = prg; +@@ -332,6 +352,7 @@ static void coalesce_file_region(struct + nrg->from = rg->from; + + list_del(&rg->link); ++ put_uncharge_info(rg); + kfree(rg); + } + } +@@ -664,7 +685,7 @@ retry: + + del += t - f; + hugetlb_cgroup_uncharge_file_region( +- resv, rg, t - f); ++ resv, rg, t - f, false); + + /* New entry for end of split region */ + nrg->from = t; +@@ -685,7 +706,7 @@ retry: + if (f <= rg->from && t >= rg->to) { /* Remove entire region */ + del += rg->to - rg->from; + hugetlb_cgroup_uncharge_file_region(resv, rg, +- rg->to - rg->from); ++ rg->to - rg->from, true); + list_del(&rg->link); + kfree(rg); + continue; +@@ -693,13 +714,13 @@ retry: + + if (f <= rg->from) { /* Trim beginning of region */ + hugetlb_cgroup_uncharge_file_region(resv, rg, +- t - rg->from); ++ t - rg->from, false); + + del += t - rg->from; + rg->from = t; + } else { /* Trim end of region */ + hugetlb_cgroup_uncharge_file_region(resv, rg, +- rg->to - f); ++ rg->to - f, false); + + del += rg->to - f; + rg->to = f; +@@ -5189,6 +5210,10 @@ int hugetlb_reserve_pages(struct inode * + */ + long rsv_adjust; + ++ /* ++ * hugetlb_cgroup_uncharge_cgroup_rsvd() will put the ++ * reference to h_cg->css. See comment below for detail. ++ */ + hugetlb_cgroup_uncharge_cgroup_rsvd( + hstate_index(h), + (chg - add) * pages_per_huge_page(h), h_cg); +@@ -5196,6 +5221,14 @@ int hugetlb_reserve_pages(struct inode * + rsv_adjust = hugepage_subpool_put_pages(spool, + chg - add); + hugetlb_acct_memory(h, -rsv_adjust); ++ } else if (h_cg) { ++ /* ++ * The file_regions will hold their own reference to ++ * h_cg->css. So we should release the reference held ++ * via hugetlb_cgroup_charge_cgroup_rsvd() when we are ++ * done. ++ */ ++ hugetlb_cgroup_put_rsvd_cgroup(h_cg); + } + } + return 0; +--- a/mm/hugetlb_cgroup.c ++++ b/mm/hugetlb_cgroup.c +@@ -391,7 +391,8 @@ void hugetlb_cgroup_uncharge_counter(str + + void hugetlb_cgroup_uncharge_file_region(struct resv_map *resv, + struct file_region *rg, +- unsigned long nr_pages) ++ unsigned long nr_pages, ++ bool region_del) + { + if (hugetlb_cgroup_disabled() || !resv || !rg || !nr_pages) + return; +@@ -400,7 +401,12 @@ void hugetlb_cgroup_uncharge_file_region + !resv->reservation_counter) { + page_counter_uncharge(rg->reservation_counter, + nr_pages * resv->pages_per_hpage); +- css_put(rg->css); ++ /* ++ * Only do css_put(rg->css) when we delete the entire region ++ * because one file_region must hold exactly one css reference. ++ */ ++ if (region_del) ++ css_put(rg->css); + } + } + diff --git a/queue-5.10/integrity-double-check-iint_cache-was-initialized.patch b/queue-5.10/integrity-double-check-iint_cache-was-initialized.patch new file mode 100644 index 00000000000..339912feb4d --- /dev/null +++ b/queue-5.10/integrity-double-check-iint_cache-was-initialized.patch @@ -0,0 +1,98 @@ +From 92063f3ca73aab794bd5408d3361fd5b5ea33079 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Fri, 19 Mar 2021 11:17:23 -0400 +Subject: integrity: double check iint_cache was initialized + +From: Mimi Zohar + +commit 92063f3ca73aab794bd5408d3361fd5b5ea33079 upstream. + +The kernel may be built with multiple LSMs, but only a subset may be +enabled on the boot command line by specifying "lsm=". Not including +"integrity" on the ordered LSM list may result in a NULL deref. + +As reported by Dmitry Vyukov: +in qemu: +qemu-system-x86_64 -enable-kvm -machine q35,nvdimm -cpu +max,migratable=off -smp 4 -m 4G,slots=4,maxmem=16G -hda +wheezy.img -kernel arch/x86/boot/bzImage -nographic -vga std + -soundhw all -usb -usbdevice tablet -bt hci -bt device:keyboard + -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net +nic,model=virtio-net-pci -object +memory-backend-file,id=pmem1,share=off,mem-path=/dev/zero,size=64M + -device nvdimm,id=nvdimm1,memdev=pmem1 -append "console=ttyS0 +root=/dev/sda earlyprintk=serial rodata=n oops=panic panic_on_warn=1 +panic=86400 lsm=smack numa=fake=2 nopcid dummy_hcd.num=8" -pidfile +vm_pid -m 2G -cpu host + +But it crashes on NULL deref in integrity_inode_get during boot: + +Run /sbin/init as init process +BUG: kernel NULL pointer dereference, address: 000000000000001c +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP KASAN +CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc2+ #97 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS +rel-1.13.0-44-g88ab0c15525c-prebuilt.qemu.org 04/01/2014 +RIP: 0010:kmem_cache_alloc+0x2b/0x370 mm/slub.c:2920 +Code: 57 41 56 41 55 41 54 41 89 f4 55 48 89 fd 53 48 83 ec 10 44 8b +3d d9 1f 90 0b 65 48 8b 04 25 28 00 00 00 48 89 44 24 08 31 c0 <8b> 5f +1c 4cf +RSP: 0000:ffffc9000032f9d8 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffff888017fc4f00 RCX: 0000000000000000 +RDX: ffff888040220000 RSI: 0000000000000c40 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000000000 R09: ffff888019263627 +R10: ffffffff83937cd1 R11: 0000000000000000 R12: 0000000000000c40 +R13: ffff888019263538 R14: 0000000000000000 R15: 0000000000ffffff +FS: 0000000000000000(0000) GS:ffff88802d180000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000000000001c CR3: 000000000b48e000 CR4: 0000000000750ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + integrity_inode_get+0x47/0x260 security/integrity/iint.c:105 + process_measurement+0x33d/0x17e0 security/integrity/ima/ima_main.c:237 + ima_bprm_check+0xde/0x210 security/integrity/ima/ima_main.c:474 + security_bprm_check+0x7d/0xa0 security/security.c:845 + search_binary_handler fs/exec.c:1708 [inline] + exec_binprm fs/exec.c:1761 [inline] + bprm_execve fs/exec.c:1830 [inline] + bprm_execve+0x764/0x19a0 fs/exec.c:1792 + kernel_execve+0x370/0x460 fs/exec.c:1973 + try_to_run_init_process+0x14/0x4e init/main.c:1366 + kernel_init+0x11d/0x1b8 init/main.c:1477 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 +Modules linked in: +CR2: 000000000000001c +---[ end trace 22d601a500de7d79 ]--- + +Since LSMs and IMA may be configured at build time, but not enabled at +run time, panic the system if "integrity" was not initialized before use. + +Reported-by: Dmitry Vyukov +Fixes: 79f7865d844c ("LSM: Introduce "lsm=" for boottime LSM selection") +Cc: stable@vger.kernel.org +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/iint.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/security/integrity/iint.c ++++ b/security/integrity/iint.c +@@ -98,6 +98,14 @@ struct integrity_iint_cache *integrity_i + struct rb_node *node, *parent = NULL; + struct integrity_iint_cache *iint, *test_iint; + ++ /* ++ * The integrity's "iint_cache" is initialized at security_init(), ++ * unless it is not included in the ordered list of LSMs enabled ++ * on the boot command line. ++ */ ++ if (!iint_cache) ++ panic("%s: lsm=integrity required.\n", __func__); ++ + iint = integrity_iint_find(inode); + if (iint) + return iint; diff --git a/queue-5.10/kasan-fix-per-page-tags-for-non-page_alloc-pages.patch b/queue-5.10/kasan-fix-per-page-tags-for-non-page_alloc-pages.patch new file mode 100644 index 00000000000..245194c20a9 --- /dev/null +++ b/queue-5.10/kasan-fix-per-page-tags-for-non-page_alloc-pages.patch @@ -0,0 +1,87 @@ +From cf10bd4c4aff8dd64d1aa7f2a529d0c672bc16af Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov +Date: Wed, 24 Mar 2021 21:37:20 -0700 +Subject: kasan: fix per-page tags for non-page_alloc pages + +From: Andrey Konovalov + +commit cf10bd4c4aff8dd64d1aa7f2a529d0c672bc16af upstream. + +To allow performing tag checks on page_alloc addresses obtained via +page_address(), tag-based KASAN modes store tags for page_alloc +allocations in page->flags. + +Currently, the default tag value stored in page->flags is 0x00. +Therefore, page_address() returns a 0x00ffff... address for pages that +were not allocated via page_alloc. + +This might cause problems. A particular case we encountered is a +conflict with KFENCE. If a KFENCE-allocated slab object is being freed +via kfree(page_address(page) + offset), the address passed to kfree() +will get tagged with 0x00 (as slab pages keep the default per-page +tags). This leads to is_kfence_address() check failing, and a KFENCE +object ending up in normal slab freelist, which causes memory +corruptions. + +This patch changes the way KASAN stores tag in page-flags: they are now +stored xor'ed with 0xff. This way, KASAN doesn't need to initialize +per-page flags for every created page, which might be slow. + +With this change, page_address() returns natively-tagged (with 0xff) +pointers for pages that didn't have tags set explicitly. + +This patch fixes the encountered conflict with KFENCE and prevents more +similar issues that can occur in the future. + +Link: https://lkml.kernel.org/r/1a41abb11c51b264511d9e71c303bb16d5cb367b.1615475452.git.andreyknvl@google.com +Fixes: 2813b9c02962 ("kasan, mm, arm64: tag non slab memory allocated via pagealloc") +Signed-off-by: Andrey Konovalov +Reviewed-by: Marco Elver +Cc: Catalin Marinas +Cc: Will Deacon +Cc: Vincenzo Frascino +Cc: Dmitry Vyukov +Cc: Andrey Ryabinin +Cc: Alexander Potapenko +Cc: Peter Collingbourne +Cc: Evgenii Stepanov +Cc: Branislav Rankov +Cc: Kevin Brodsky +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/mm.h | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1414,13 +1414,26 @@ static inline bool cpupid_match_pid(stru + #endif /* CONFIG_NUMA_BALANCING */ + + #ifdef CONFIG_KASAN_SW_TAGS ++ ++/* ++ * KASAN per-page tags are stored xor'ed with 0xff. This allows to avoid ++ * setting tags for all pages to native kernel tag value 0xff, as the default ++ * value 0x00 maps to 0xff. ++ */ ++ + static inline u8 page_kasan_tag(const struct page *page) + { +- return (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK; ++ u8 tag; ++ ++ tag = (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK; ++ tag ^= 0xff; ++ ++ return tag; + } + + static inline void page_kasan_tag_set(struct page *page, u8 tag) + { ++ tag ^= 0xff; + page->flags &= ~(KASAN_TAG_MASK << KASAN_TAG_PGSHIFT); + page->flags |= (tag & KASAN_TAG_MASK) << KASAN_TAG_PGSHIFT; + } diff --git a/queue-5.10/netsec-restore-phy-power-state-after-controller-reset.patch b/queue-5.10/netsec-restore-phy-power-state-after-controller-reset.patch new file mode 100644 index 00000000000..af5f9bddc04 --- /dev/null +++ b/queue-5.10/netsec-restore-phy-power-state-after-controller-reset.patch @@ -0,0 +1,50 @@ +From 804741ac7b9f2fdebe3740cb0579cb8d94d49e60 Mon Sep 17 00:00:00 2001 +From: Mian Yousaf Kaukab +Date: Thu, 18 Mar 2021 09:50:26 +0100 +Subject: netsec: restore phy power state after controller reset + +From: Mian Yousaf Kaukab + +commit 804741ac7b9f2fdebe3740cb0579cb8d94d49e60 upstream. + +Since commit 8e850f25b581 ("net: socionext: Stop PHY before resetting +netsec") netsec_netdev_init() power downs phy before resetting the +controller. However, the state is not restored once the reset is +complete. As a result it is not possible to bring up network on a +platform with Broadcom BCM5482 phy. + +Fix the issue by restoring phy power state after controller reset is +complete. + +Fixes: 8e850f25b581 ("net: socionext: Stop PHY before resetting netsec") +Cc: stable@vger.kernel.org +Signed-off-by: Mian Yousaf Kaukab +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/socionext/netsec.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/socionext/netsec.c ++++ b/drivers/net/ethernet/socionext/netsec.c +@@ -1708,14 +1708,17 @@ static int netsec_netdev_init(struct net + goto err1; + + /* set phy power down */ +- data = netsec_phy_read(priv->mii_bus, priv->phy_addr, MII_BMCR) | +- BMCR_PDOWN; +- netsec_phy_write(priv->mii_bus, priv->phy_addr, MII_BMCR, data); ++ data = netsec_phy_read(priv->mii_bus, priv->phy_addr, MII_BMCR); ++ netsec_phy_write(priv->mii_bus, priv->phy_addr, MII_BMCR, ++ data | BMCR_PDOWN); + + ret = netsec_reset_hardware(priv, true); + if (ret) + goto err2; + ++ /* Restore phy power state */ ++ netsec_phy_write(priv->mii_bus, priv->phy_addr, MII_BMCR, data); ++ + spin_lock_init(&priv->desc_ring[NETSEC_RING_TX].lock); + spin_lock_init(&priv->desc_ring[NETSEC_RING_RX].lock); + diff --git a/queue-5.10/platform-x86-intel-vbtn-stop-reporting-sw_dock-events.patch b/queue-5.10/platform-x86-intel-vbtn-stop-reporting-sw_dock-events.patch new file mode 100644 index 00000000000..a109c2dfaee --- /dev/null +++ b/queue-5.10/platform-x86-intel-vbtn-stop-reporting-sw_dock-events.patch @@ -0,0 +1,61 @@ +From 538d2dd0b9920334e6596977a664e9e7bac73703 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 21 Mar 2021 17:35:13 +0100 +Subject: platform/x86: intel-vbtn: Stop reporting SW_DOCK events + +From: Hans de Goede + +commit 538d2dd0b9920334e6596977a664e9e7bac73703 upstream. + +Stop reporting SW_DOCK events because this breaks suspend-on-lid-close. + +SW_DOCK should only be reported for docking stations, but all the DSDTs in +my DSDT collection which use the intel-vbtn code, always seem to use this +for 2-in-1s / convertibles and set SW_DOCK=1 when in laptop-mode (in tandem +with setting SW_TABLET_MODE=0). + +This causes userspace to think the laptop is docked to a port-replicator +and to disable suspend-on-lid-close, which is undesirable. + +Map the dock events to KEY_IGNORE to avoid this broken SW_DOCK reporting. + +Note this may theoretically cause us to stop reporting SW_DOCK on some +device where the 0xCA and 0xCB intel-vbtn events are actually used for +reporting docking to a classic docking-station / port-replicator but +I'm not aware of any such devices. + +Also the most important thing is that we only report SW_DOCK when it +reliably reports being docked to a classic docking-station without any +false positives, which clearly is not the case here. If there is a +chance of reporting false positives then it is better to not report +SW_DOCK at all. + +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20210321163513.72328-1-hdegoede@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/intel-vbtn.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/platform/x86/intel-vbtn.c ++++ b/drivers/platform/x86/intel-vbtn.c +@@ -47,8 +47,16 @@ static const struct key_entry intel_vbtn + }; + + static const struct key_entry intel_vbtn_switchmap[] = { +- { KE_SW, 0xCA, { .sw = { SW_DOCK, 1 } } }, /* Docked */ +- { KE_SW, 0xCB, { .sw = { SW_DOCK, 0 } } }, /* Undocked */ ++ /* ++ * SW_DOCK should only be reported for docking stations, but DSDTs using the ++ * intel-vbtn code, always seem to use this for 2-in-1s / convertibles and set ++ * SW_DOCK=1 when in laptop-mode (in tandem with setting SW_TABLET_MODE=0). ++ * This causes userspace to think the laptop is docked to a port-replicator ++ * and to disable suspend-on-lid-close, which is undesirable. ++ * Map the dock events to KEY_IGNORE to avoid this broken SW_DOCK reporting. ++ */ ++ { KE_IGNORE, 0xCA, { .sw = { SW_DOCK, 1 } } }, /* Docked */ ++ { KE_IGNORE, 0xCB, { .sw = { SW_DOCK, 0 } } }, /* Undocked */ + { KE_SW, 0xCC, { .sw = { SW_TABLET_MODE, 1 } } }, /* Tablet */ + { KE_SW, 0xCD, { .sw = { SW_TABLET_MODE, 0 } } }, /* Laptop */ + }; diff --git a/queue-5.10/psample-fix-user-api-breakage.patch b/queue-5.10/psample-fix-user-api-breakage.patch new file mode 100644 index 00000000000..385b17c3dc9 --- /dev/null +++ b/queue-5.10/psample-fix-user-api-breakage.patch @@ -0,0 +1,61 @@ +From e43accba9b071dcd106b5e7643b1b106a158cbb1 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Wed, 24 Mar 2021 21:43:32 +0200 +Subject: psample: Fix user API breakage + +From: Ido Schimmel + +commit e43accba9b071dcd106b5e7643b1b106a158cbb1 upstream. + +Cited commit added a new attribute before the existing group reference +count attribute, thereby changing its value and breaking existing +applications on new kernels. + +Before: + + # psample -l + libpsample ERROR psample_group_foreach: failed to recv message: Operation not supported + +After: + + # psample -l + Group Num Refcount Group Seq + 1 1 0 + +Fix by restoring the value of the old attribute and remove the +misleading comments from the enumerator to avoid future bugs. + +Cc: stable@vger.kernel.org +Fixes: d8bed686ab96 ("net: psample: Add tunnel support") +Signed-off-by: Ido Schimmel +Reported-by: Adiel Bidani +Reviewed-by: Jiri Pirko +Reviewed-by: Petr Machata +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/psample.h | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/include/uapi/linux/psample.h ++++ b/include/uapi/linux/psample.h +@@ -3,7 +3,6 @@ + #define __UAPI_PSAMPLE_H + + enum { +- /* sampled packet metadata */ + PSAMPLE_ATTR_IIFINDEX, + PSAMPLE_ATTR_OIFINDEX, + PSAMPLE_ATTR_ORIGSIZE, +@@ -11,10 +10,8 @@ enum { + PSAMPLE_ATTR_GROUP_SEQ, + PSAMPLE_ATTR_SAMPLE_RATE, + PSAMPLE_ATTR_DATA, +- PSAMPLE_ATTR_TUNNEL, +- +- /* commands attributes */ + PSAMPLE_ATTR_GROUP_REFCOUNT, ++ PSAMPLE_ATTR_TUNNEL, + + __PSAMPLE_ATTR_MAX + }; diff --git a/queue-5.10/selinux-don-t-log-mac_policy_load-record-on-failed-policy-load.patch b/queue-5.10/selinux-don-t-log-mac_policy_load-record-on-failed-policy-load.patch new file mode 100644 index 00000000000..b0b1c1f780c --- /dev/null +++ b/queue-5.10/selinux-don-t-log-mac_policy_load-record-on-failed-policy-load.patch @@ -0,0 +1,41 @@ +From 519dad3bcd809dc1523bf80ab0310ddb3bf00ade Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Thu, 18 Mar 2021 22:53:01 +0100 +Subject: selinux: don't log MAC_POLICY_LOAD record on failed policy load + +From: Ondrej Mosnacek + +commit 519dad3bcd809dc1523bf80ab0310ddb3bf00ade upstream. + +If sel_make_policy_nodes() fails, we should jump to 'out', not 'out1', +as the latter would incorrectly log an MAC_POLICY_LOAD audit record, +even though the policy hasn't actually been reloaded. The 'out1' jump +label now becomes unused and can be removed. + +Fixes: 02a52c5c8c3b ("selinux: move policy commit after updating selinuxfs") +Cc: stable@vger.kernel.org +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/selinuxfs.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/security/selinux/selinuxfs.c ++++ b/security/selinux/selinuxfs.c +@@ -651,14 +651,13 @@ static ssize_t sel_write_load(struct fil + length = sel_make_policy_nodes(fsi, newpolicy); + if (length) { + selinux_policy_cancel(fsi->state, newpolicy); +- goto out1; ++ goto out; + } + + selinux_policy_commit(fsi->state, newpolicy); + + length = count; + +-out1: + audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, + "auid=%u ses=%u lsm=selinux res=1", + from_kuid(&init_user_ns, audit_get_loginuid(current)), diff --git a/queue-5.10/selinux-fix-variable-scope-issue-in-live-sidtab-conversion.patch b/queue-5.10/selinux-fix-variable-scope-issue-in-live-sidtab-conversion.patch new file mode 100644 index 00000000000..e015f77763d --- /dev/null +++ b/queue-5.10/selinux-fix-variable-scope-issue-in-live-sidtab-conversion.patch @@ -0,0 +1,279 @@ +From 6406887a12ee5dcdaffff1a8508d91113d545559 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Thu, 18 Mar 2021 22:53:02 +0100 +Subject: selinux: fix variable scope issue in live sidtab conversion + +From: Ondrej Mosnacek + +commit 6406887a12ee5dcdaffff1a8508d91113d545559 upstream. + +Commit 02a52c5c8c3b ("selinux: move policy commit after updating +selinuxfs") moved the selinux_policy_commit() call out of +security_load_policy() into sel_write_load(), which caused a subtle yet +rather serious bug. + +The problem is that security_load_policy() passes a reference to the +convert_params local variable to sidtab_convert(), which stores it in +the sidtab, where it may be accessed until the policy is swapped over +and RCU synchronized. Before 02a52c5c8c3b, selinux_policy_commit() was +called directly from security_load_policy(), so the convert_params +pointer remained valid all the way until the old sidtab was destroyed, +but now that's no longer the case and calls to sidtab_context_to_sid() +on the old sidtab after security_load_policy() returns may cause invalid +memory accesses. + +This can be easily triggered using the stress test from commit +ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve +performance"): +``` +function rand_cat() { + echo $(( $RANDOM % 1024 )) +} + +function do_work() { + while true; do + echo -n "system_u:system_r:kernel_t:s0:c$(rand_cat),c$(rand_cat)" \ + >/sys/fs/selinux/context 2>/dev/null || true + done +} + +do_work >/dev/null & +do_work >/dev/null & +do_work >/dev/null & + +while load_policy; do echo -n .; sleep 0.1; done + +kill %1 +kill %2 +kill %3 +``` + +Fix this by allocating the temporary sidtab convert structures +dynamically and passing them among the +selinux_policy_{load,cancel,commit} functions. + +Fixes: 02a52c5c8c3b ("selinux: move policy commit after updating selinuxfs") +Cc: stable@vger.kernel.org +Tested-by: Tyler Hicks +Reviewed-by: Tyler Hicks +Signed-off-by: Ondrej Mosnacek +[PM: merge fuzz in security.h and services.c] +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/include/security.h | 15 ++++++-- + security/selinux/selinuxfs.c | 10 ++--- + security/selinux/ss/services.c | 65 ++++++++++++++++++++++-------------- + 3 files changed, 56 insertions(+), 34 deletions(-) + +--- a/security/selinux/include/security.h ++++ b/security/selinux/include/security.h +@@ -219,14 +219,21 @@ static inline bool selinux_policycap_gen + return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS]); + } + ++struct selinux_policy_convert_data; ++ ++struct selinux_load_state { ++ struct selinux_policy *policy; ++ struct selinux_policy_convert_data *convert_data; ++}; ++ + int security_mls_enabled(struct selinux_state *state); + int security_load_policy(struct selinux_state *state, +- void *data, size_t len, +- struct selinux_policy **newpolicyp); ++ void *data, size_t len, ++ struct selinux_load_state *load_state); + void selinux_policy_commit(struct selinux_state *state, +- struct selinux_policy *newpolicy); ++ struct selinux_load_state *load_state); + void selinux_policy_cancel(struct selinux_state *state, +- struct selinux_policy *policy); ++ struct selinux_load_state *load_state); + int security_read_policy(struct selinux_state *state, + void **data, size_t *len); + +--- a/security/selinux/selinuxfs.c ++++ b/security/selinux/selinuxfs.c +@@ -616,7 +616,7 @@ static ssize_t sel_write_load(struct fil + + { + struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info; +- struct selinux_policy *newpolicy; ++ struct selinux_load_state load_state; + ssize_t length; + void *data = NULL; + +@@ -642,19 +642,19 @@ static ssize_t sel_write_load(struct fil + if (copy_from_user(data, buf, count) != 0) + goto out; + +- length = security_load_policy(fsi->state, data, count, &newpolicy); ++ length = security_load_policy(fsi->state, data, count, &load_state); + if (length) { + pr_warn_ratelimited("SELinux: failed to load policy\n"); + goto out; + } + +- length = sel_make_policy_nodes(fsi, newpolicy); ++ length = sel_make_policy_nodes(fsi, load_state.policy); + if (length) { +- selinux_policy_cancel(fsi->state, newpolicy); ++ selinux_policy_cancel(fsi->state, &load_state); + goto out; + } + +- selinux_policy_commit(fsi->state, newpolicy); ++ selinux_policy_commit(fsi->state, &load_state); + + length = count; + +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -66,6 +66,17 @@ + #include "audit.h" + #include "policycap_names.h" + ++struct convert_context_args { ++ struct selinux_state *state; ++ struct policydb *oldp; ++ struct policydb *newp; ++}; ++ ++struct selinux_policy_convert_data { ++ struct convert_context_args args; ++ struct sidtab_convert_params sidtab_params; ++}; ++ + /* Forward declaration. */ + static int context_struct_to_string(struct policydb *policydb, + struct context *context, +@@ -1975,12 +1986,6 @@ static inline int convert_context_handle + return 0; + } + +-struct convert_context_args { +- struct selinux_state *state; +- struct policydb *oldp; +- struct policydb *newp; +-}; +- + /* + * Convert the values in the security context + * structure `oldc' from the values specified +@@ -2160,7 +2165,7 @@ static void selinux_policy_cond_free(str + } + + void selinux_policy_cancel(struct selinux_state *state, +- struct selinux_policy *policy) ++ struct selinux_load_state *load_state) + { + struct selinux_policy *oldpolicy; + +@@ -2168,7 +2173,8 @@ void selinux_policy_cancel(struct selinu + lockdep_is_held(&state->policy_mutex)); + + sidtab_cancel_convert(oldpolicy->sidtab); +- selinux_policy_free(policy); ++ selinux_policy_free(load_state->policy); ++ kfree(load_state->convert_data); + } + + static void selinux_notify_policy_change(struct selinux_state *state, +@@ -2183,9 +2189,9 @@ static void selinux_notify_policy_change + } + + void selinux_policy_commit(struct selinux_state *state, +- struct selinux_policy *newpolicy) ++ struct selinux_load_state *load_state) + { +- struct selinux_policy *oldpolicy; ++ struct selinux_policy *oldpolicy, *newpolicy = load_state->policy; + u32 seqno; + + oldpolicy = rcu_dereference_protected(state->policy, +@@ -2225,6 +2231,7 @@ void selinux_policy_commit(struct selinu + /* Free the old policy */ + synchronize_rcu(); + selinux_policy_free(oldpolicy); ++ kfree(load_state->convert_data); + + /* Notify others of the policy change */ + selinux_notify_policy_change(state, seqno); +@@ -2241,11 +2248,10 @@ void selinux_policy_commit(struct selinu + * loading the new policy. + */ + int security_load_policy(struct selinux_state *state, void *data, size_t len, +- struct selinux_policy **newpolicyp) ++ struct selinux_load_state *load_state) + { + struct selinux_policy *newpolicy, *oldpolicy; +- struct sidtab_convert_params convert_params; +- struct convert_context_args args; ++ struct selinux_policy_convert_data *convert_data; + int rc = 0; + struct policy_file file = { data, len }, *fp = &file; + +@@ -2275,10 +2281,10 @@ int security_load_policy(struct selinux_ + goto err_mapping; + } + +- + if (!selinux_initialized(state)) { + /* First policy load, so no need to preserve state from old policy */ +- *newpolicyp = newpolicy; ++ load_state->policy = newpolicy; ++ load_state->convert_data = NULL; + return 0; + } + +@@ -2292,29 +2298,38 @@ int security_load_policy(struct selinux_ + goto err_free_isids; + } + ++ convert_data = kmalloc(sizeof(*convert_data), GFP_KERNEL); ++ if (!convert_data) { ++ rc = -ENOMEM; ++ goto err_free_isids; ++ } ++ + /* + * Convert the internal representations of contexts + * in the new SID table. + */ +- args.state = state; +- args.oldp = &oldpolicy->policydb; +- args.newp = &newpolicy->policydb; +- +- convert_params.func = convert_context; +- convert_params.args = &args; +- convert_params.target = newpolicy->sidtab; ++ convert_data->args.state = state; ++ convert_data->args.oldp = &oldpolicy->policydb; ++ convert_data->args.newp = &newpolicy->policydb; ++ ++ convert_data->sidtab_params.func = convert_context; ++ convert_data->sidtab_params.args = &convert_data->args; ++ convert_data->sidtab_params.target = newpolicy->sidtab; + +- rc = sidtab_convert(oldpolicy->sidtab, &convert_params); ++ rc = sidtab_convert(oldpolicy->sidtab, &convert_data->sidtab_params); + if (rc) { + pr_err("SELinux: unable to convert the internal" + " representation of contexts in the new SID" + " table\n"); +- goto err_free_isids; ++ goto err_free_convert_data; + } + +- *newpolicyp = newpolicy; ++ load_state->policy = newpolicy; ++ load_state->convert_data = convert_data; + return 0; + ++err_free_convert_data: ++ kfree(convert_data); + err_free_isids: + sidtab_destroy(newpolicy->sidtab); + err_mapping: diff --git a/queue-5.10/series b/queue-5.10/series index 587f25e8d25..9a15a80c7d2 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -59,3 +59,32 @@ static_call-allow-module-use-without-exposing-static.patch static_call-fix-the-module-key-fixup.patch static_call-fix-static_call_set_init.patch kvm-x86-protect-userspace-msr-filter-with-srcu-and-s.patch +btrfs-fix-sleep-while-in-non-sleep-context-during-qgroup-removal.patch +selinux-don-t-log-mac_policy_load-record-on-failed-policy-load.patch +selinux-fix-variable-scope-issue-in-live-sidtab-conversion.patch +netsec-restore-phy-power-state-after-controller-reset.patch +platform-x86-intel-vbtn-stop-reporting-sw_dock-events.patch +psample-fix-user-api-breakage.patch +z3fold-prevent-reclaim-free-race-for-headless-pages.patch +squashfs-fix-inode-lookup-sanity-checks.patch +squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch +hugetlb_cgroup-fix-imbalanced-css_get-and-css_put-pair-for-shared-mappings.patch +kasan-fix-per-page-tags-for-non-page_alloc-pages.patch +gcov-fix-clang-11-support.patch +acpi-video-add-missing-callback-back-for-sony-vpceh3u1e.patch +acpica-always-create-namespace-nodes-using-acpi_ns_create_node.patch +arm64-stacktrace-don-t-trace-arch_stack_walk.patch +arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch +arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch +arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch +arm-dts-at91-sam9x60-fix-mux-mask-for-pa7-so-it-can-be-set-to-a-b-and-c.patch +arm-dts-at91-sam9x60-fix-mux-mask-to-match-product-s-datasheet.patch +arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch +integrity-double-check-iint_cache-was-initialized.patch +drm-etnaviv-use-foll_force-for-userptr.patch +drm-amd-pm-workaround-for-audio-noise-issue.patch +drm-amdgpu-display-restore-aux_dphy_tx_control-for-dcn2.x.patch +drm-amdgpu-add-additional-sienna-cichlid-pci-id.patch +drm-i915-fix-the-gt-fence-revocation-runtime-pm-logic.patch +dm-verity-fix-dm_verity_opts_max-value.patch +dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch diff --git a/queue-5.10/squashfs-fix-inode-lookup-sanity-checks.patch b/queue-5.10/squashfs-fix-inode-lookup-sanity-checks.patch new file mode 100644 index 00000000000..bcaa1500683 --- /dev/null +++ b/queue-5.10/squashfs-fix-inode-lookup-sanity-checks.patch @@ -0,0 +1,61 @@ +From c1b2028315c6b15e8d6725e0d5884b15887d3daa Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer +Date: Wed, 24 Mar 2021 21:37:32 -0700 +Subject: squashfs: fix inode lookup sanity checks + +From: Sean Nyekjaer + +commit c1b2028315c6b15e8d6725e0d5884b15887d3daa upstream. + +When mouting a squashfs image created without inode compression it fails +with: "unable to read inode lookup table" + +It turns out that the BLOCK_OFFSET is missing when checking the +SQUASHFS_METADATA_SIZE agaist the actual size. + +Link: https://lkml.kernel.org/r/20210226092903.1473545-1-sean@geanix.com +Fixes: eabac19e40c0 ("squashfs: add more sanity checks in inode lookup") +Signed-off-by: Sean Nyekjaer +Acked-by: Phillip Lougher +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/squashfs/export.c | 8 ++++++-- + fs/squashfs/squashfs_fs.h | 1 + + 2 files changed, 7 insertions(+), 2 deletions(-) + +--- a/fs/squashfs/export.c ++++ b/fs/squashfs/export.c +@@ -152,14 +152,18 @@ __le64 *squashfs_read_inode_lookup_table + start = le64_to_cpu(table[n]); + end = le64_to_cpu(table[n + 1]); + +- if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) { ++ if (start >= end ++ || (end - start) > ++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { + kfree(table); + return ERR_PTR(-EINVAL); + } + } + + start = le64_to_cpu(table[indexes - 1]); +- if (start >= lookup_table_start || (lookup_table_start - start) > SQUASHFS_METADATA_SIZE) { ++ if (start >= lookup_table_start || ++ (lookup_table_start - start) > ++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { + kfree(table); + return ERR_PTR(-EINVAL); + } +--- a/fs/squashfs/squashfs_fs.h ++++ b/fs/squashfs/squashfs_fs.h +@@ -17,6 +17,7 @@ + + /* size of metadata (inode and directory) blocks */ + #define SQUASHFS_METADATA_SIZE 8192 ++#define SQUASHFS_BLOCK_OFFSET 2 + + /* default size of block device I/O */ + #ifdef CONFIG_SQUASHFS_4K_DEVBLK_SIZE diff --git a/queue-5.10/squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch b/queue-5.10/squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch new file mode 100644 index 00000000000..85ce8b9e63a --- /dev/null +++ b/queue-5.10/squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch @@ -0,0 +1,67 @@ +From 8b44ca2b634527151af07447a8090a5f3a043321 Mon Sep 17 00:00:00 2001 +From: Phillip Lougher +Date: Wed, 24 Mar 2021 21:37:35 -0700 +Subject: squashfs: fix xattr id and id lookup sanity checks + +From: Phillip Lougher + +commit 8b44ca2b634527151af07447a8090a5f3a043321 upstream. + +The checks for maximum metadata block size is missing +SQUASHFS_BLOCK_OFFSET (the two byte length count). + +Link: https://lkml.kernel.org/r/2069685113.2081245.1614583677427@webmail.123-reg.co.uk +Fixes: f37aa4c7366e23f ("squashfs: add more sanity checks in id lookup") +Signed-off-by: Phillip Lougher +Cc: Sean Nyekjaer +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/squashfs/id.c | 6 ++++-- + fs/squashfs/xattr_id.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +--- a/fs/squashfs/id.c ++++ b/fs/squashfs/id.c +@@ -97,14 +97,16 @@ __le64 *squashfs_read_id_index_table(str + start = le64_to_cpu(table[n]); + end = le64_to_cpu(table[n + 1]); + +- if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) { ++ if (start >= end || (end - start) > ++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { + kfree(table); + return ERR_PTR(-EINVAL); + } + } + + start = le64_to_cpu(table[indexes - 1]); +- if (start >= id_table_start || (id_table_start - start) > SQUASHFS_METADATA_SIZE) { ++ if (start >= id_table_start || (id_table_start - start) > ++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { + kfree(table); + return ERR_PTR(-EINVAL); + } +--- a/fs/squashfs/xattr_id.c ++++ b/fs/squashfs/xattr_id.c +@@ -109,14 +109,16 @@ __le64 *squashfs_read_xattr_id_table(str + start = le64_to_cpu(table[n]); + end = le64_to_cpu(table[n + 1]); + +- if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) { ++ if (start >= end || (end - start) > ++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { + kfree(table); + return ERR_PTR(-EINVAL); + } + } + + start = le64_to_cpu(table[indexes - 1]); +- if (start >= table_start || (table_start - start) > SQUASHFS_METADATA_SIZE) { ++ if (start >= table_start || (table_start - start) > ++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { + kfree(table); + return ERR_PTR(-EINVAL); + } diff --git a/queue-5.10/z3fold-prevent-reclaim-free-race-for-headless-pages.patch b/queue-5.10/z3fold-prevent-reclaim-free-race-for-headless-pages.patch new file mode 100644 index 00000000000..a3e012d4066 --- /dev/null +++ b/queue-5.10/z3fold-prevent-reclaim-free-race-for-headless-pages.patch @@ -0,0 +1,98 @@ +From 6d679578fe9c762c8fbc3d796a067cbba84a7884 Mon Sep 17 00:00:00 2001 +From: Thomas Hebb +Date: Wed, 24 Mar 2021 21:37:29 -0700 +Subject: z3fold: prevent reclaim/free race for headless pages + +From: Thomas Hebb + +commit 6d679578fe9c762c8fbc3d796a067cbba84a7884 upstream. + +Commit ca0246bb97c2 ("z3fold: fix possible reclaim races") introduced +the PAGE_CLAIMED flag "to avoid racing on a z3fold 'headless' page +release." By atomically testing and setting the bit in each of +z3fold_free() and z3fold_reclaim_page(), a double-free was avoided. + +However, commit dcf5aedb24f8 ("z3fold: stricter locking and more careful +reclaim") appears to have unintentionally broken this behavior by moving +the PAGE_CLAIMED check in z3fold_reclaim_page() to after the page lock +gets taken, which only happens for non-headless pages. For headless +pages, the check is now skipped entirely and races can occur again. + +I have observed such a race on my system: + + page:00000000ffbd76b7 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x165316 + flags: 0x2ffff0000000000() + raw: 02ffff0000000000 ffffea0004535f48 ffff8881d553a170 0000000000000000 + raw: 0000000000000000 0000000000000011 00000000ffffffff 0000000000000000 + page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0) + ------------[ cut here ]------------ + kernel BUG at include/linux/mm.h:707! + invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI + CPU: 2 PID: 291928 Comm: kworker/2:0 Tainted: G B 5.10.7-arch1-1-kasan #1 + Hardware name: Gigabyte Technology Co., Ltd. H97N-WIFI/H97N-WIFI, BIOS F9b 03/03/2016 + Workqueue: zswap-shrink shrink_worker + RIP: 0010:__free_pages+0x10a/0x130 + Code: c1 e7 06 48 01 ef 45 85 e4 74 d1 44 89 e6 31 d2 41 83 ec 01 e8 e7 b0 ff ff eb da 48 c7 c6 e0 32 91 88 48 89 ef e8 a6 89 f8 ff <0f> 0b 4c 89 e7 e8 fc 79 07 00 e9 33 ff ff ff 48 89 ef e8 ff 79 07 + RSP: 0000:ffff88819a2ffb98 EFLAGS: 00010296 + RAX: 0000000000000000 RBX: ffffea000594c5a8 RCX: 0000000000000000 + RDX: 1ffffd4000b298b7 RSI: 0000000000000000 RDI: ffffea000594c5b8 + RBP: ffffea000594c580 R08: 000000000000003e R09: ffff8881d5520bbb + R10: ffffed103aaa4177 R11: 0000000000000001 R12: ffffea000594c5b4 + R13: 0000000000000000 R14: ffff888165316000 R15: ffffea000594c588 + FS: 0000000000000000(0000) GS:ffff8881d5500000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f7c8c3654d8 CR3: 0000000103f42004 CR4: 00000000001706e0 + Call Trace: + z3fold_zpool_shrink+0x9b6/0x1240 + shrink_worker+0x35/0x90 + process_one_work+0x70c/0x1210 + worker_thread+0x539/0x1200 + kthread+0x330/0x400 + ret_from_fork+0x22/0x30 + Modules linked in: rfcomm ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ccm algif_aead des_generic libdes ecb algif_skcipher cmac bnep md4 algif_hash af_alg vfat fat intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel iwlmvm hid_logitech_hidpp kvm at24 mac80211 snd_hda_codec_realtek iTCO_wdt snd_hda_codec_generic intel_pmc_bxt snd_hda_codec_hdmi ledtrig_audio iTCO_vendor_support mei_wdt mei_hdcp snd_hda_intel snd_intel_dspcfg libarc4 soundwire_intel irqbypass iwlwifi soundwire_generic_allocation rapl soundwire_cadence intel_cstate snd_hda_codec intel_uncore btusb joydev mousedev snd_usb_audio pcspkr btrtl uvcvideo nouveau btbcm i2c_i801 btintel snd_hda_core videobuf2_vmalloc i2c_smbus snd_usbmidi_lib videobuf2_memops bluetooth snd_hwdep soundwire_bus snd_soc_rt5640 videobuf2_v4l2 cfg80211 snd_soc_rl6231 videobuf2_common snd_rawmidi lpc_ich alx videodev mdio snd_seq_device snd_soc_core mc ecdh_generic mxm_wmi mei_me + hid_logitech_dj wmi snd_compress e1000e ac97_bus mei ttm rfkill snd_pcm_dmaengine ecc snd_pcm snd_timer snd soundcore mac_hid acpi_pad pkcs8_key_parser it87 hwmon_vid crypto_user fuse ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 dm_crypt cbc encrypted_keys trusted tpm rng_core usbhid dm_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper xhci_pci xhci_pci_renesas i915 video intel_gtt i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec drm agpgart + ---[ end trace 126d646fc3dc0ad8 ]--- + +To fix the issue, re-add the earlier test and set in the case where we +have a headless page. + +Link: https://lkml.kernel.org/r/c8106dbe6d8390b290cd1d7f873a2942e805349e.1615452048.git.tommyhebb@gmail.com +Fixes: dcf5aedb24f8 ("z3fold: stricter locking and more careful reclaim") +Signed-off-by: Thomas Hebb +Reviewed-by: Vitaly Wool +Cc: Jongseok Kim +Cc: Snild Dolkow +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/z3fold.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/mm/z3fold.c ++++ b/mm/z3fold.c +@@ -1350,8 +1350,22 @@ static int z3fold_reclaim_page(struct z3 + page = list_entry(pos, struct page, lru); + + zhdr = page_address(page); +- if (test_bit(PAGE_HEADLESS, &page->private)) ++ if (test_bit(PAGE_HEADLESS, &page->private)) { ++ /* ++ * For non-headless pages, we wait to do this ++ * until we have the page lock to avoid racing ++ * with __z3fold_alloc(). Headless pages don't ++ * have a lock (and __z3fold_alloc() will never ++ * see them), but we still need to test and set ++ * PAGE_CLAIMED to avoid racing with ++ * z3fold_free(), so just do it now before ++ * leaving the loop. ++ */ ++ if (test_and_set_bit(PAGE_CLAIMED, &page->private)) ++ continue; ++ + break; ++ } + + if (kref_get_unless_zero(&zhdr->refcount) == 0) { + zhdr = NULL;