From: Greg Kroah-Hartman Date: Mon, 21 Feb 2022 06:30:11 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.9.303~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c065bf4dfea1fa753030f8900947da4cd72514c7;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: asoc-qcom-actually-clear-dma-interrupt-register-for-hdmi.patch asoc-tas2770-insert-post-reset-delay.patch block-fix-surprise-removal-for-drivers-calling-blk_set_queue_dying.patch block-wbt-fix-negative-inflight-counter-when-remove-scsi-device.patch mtd-parsers-qcom-fix-kernel-panic-on-skipped-partition.patch mtd-parsers-qcom-fix-missing-free-for-pparts-in-cleanup.patch mtd-phram-prevent-divide-by-zero-bug-in-phram_setup.patch mtd-rawnand-brcmnand-fixed-incorrect-sub-page-ecc-status.patch mtd-rawnand-qcom-fix-clock-sequencing-in-qcom_nandc_probe.patch nfs-do-not-report-writeback-errors-in-nfs_getattr.patch nfs-lookup_directory-is-also-ok-with-symlinks.patch nfs-remove-an-incorrect-revalidation-in-nfs4_update_changeattr_locked.patch tty-n_tty-do-not-look-ahead-for-eol-character-past-the-end-of-the-buffer.patch --- diff --git a/queue-5.15/asoc-qcom-actually-clear-dma-interrupt-register-for-hdmi.patch b/queue-5.15/asoc-qcom-actually-clear-dma-interrupt-register-for-hdmi.patch new file mode 100644 index 00000000000..050ca1d2778 --- /dev/null +++ b/queue-5.15/asoc-qcom-actually-clear-dma-interrupt-register-for-hdmi.patch @@ -0,0 +1,81 @@ +From c8d251f51ee61df06ee0e419348d8c9160bbfb86 Mon Sep 17 00:00:00 2001 +From: Stephen Boyd +Date: Wed, 9 Feb 2022 15:25:20 -0800 +Subject: ASoC: qcom: Actually clear DMA interrupt register for HDMI + +From: Stephen Boyd + +commit c8d251f51ee61df06ee0e419348d8c9160bbfb86 upstream. + +In commit da0363f7bfd3 ("ASoC: qcom: Fix for DMA interrupt clear reg +overwriting") we changed regmap_write() to regmap_update_bits() so that +we can avoid overwriting bits that we didn't intend to modify. +Unfortunately this change breaks the case where a register is writable +but not readable, which is exactly how the HDMI irq clear register is +designed (grep around LPASS_HDMITX_APP_IRQCLEAR_REG to see how it's +write only). That's because regmap_update_bits() tries to read the +register from the hardware and if it isn't readable it looks in the +regmap cache to see what was written there last time to compare against +what we want to write there. Eventually, we're unable to modify this +register at all because the bits that we're trying to set are already +set in the cache. + +This is doubly bad for the irq clear register because you have to write +the bit to clear an interrupt. Given the irq is level triggered, we see +an interrupt storm upon plugging in an HDMI cable and starting audio +playback. The irq storm is so great that performance degrades +significantly, leading to CPU soft lockups. + +Fix it by using regmap_write_bits() so that we really do write the bits +in the clear register that we want to. This brings the number of irqs +handled by lpass_dma_interrupt_handler() down from ~150k/sec to ~10/sec. + +Fixes: da0363f7bfd3 ("ASoC: qcom: Fix for DMA interrupt clear reg overwriting") +Cc: Srinivasa Rao Mandadapu +Cc: Srinivas Kandagatla +Signed-off-by: Stephen Boyd +Link: https://lore.kernel.org/r/20220209232520.4017634-1-swboyd@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/lpass-platform.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/sound/soc/qcom/lpass-platform.c ++++ b/sound/soc/qcom/lpass-platform.c +@@ -524,7 +524,7 @@ static int lpass_platform_pcmops_trigger + return -EINVAL; + } + +- ret = regmap_update_bits(map, reg_irqclr, val_irqclr, val_irqclr); ++ ret = regmap_write_bits(map, reg_irqclr, val_irqclr, val_irqclr); + if (ret) { + dev_err(soc_runtime->dev, "error writing to irqclear reg: %d\n", ret); + return ret; +@@ -665,7 +665,7 @@ static irqreturn_t lpass_dma_interrupt_h + return -EINVAL; + } + if (interrupts & LPAIF_IRQ_PER(chan)) { +- rv = regmap_update_bits(map, reg, mask, (LPAIF_IRQ_PER(chan) | val)); ++ rv = regmap_write_bits(map, reg, mask, (LPAIF_IRQ_PER(chan) | val)); + if (rv) { + dev_err(soc_runtime->dev, + "error writing to irqclear reg: %d\n", rv); +@@ -676,7 +676,7 @@ static irqreturn_t lpass_dma_interrupt_h + } + + if (interrupts & LPAIF_IRQ_XRUN(chan)) { +- rv = regmap_update_bits(map, reg, mask, (LPAIF_IRQ_XRUN(chan) | val)); ++ rv = regmap_write_bits(map, reg, mask, (LPAIF_IRQ_XRUN(chan) | val)); + if (rv) { + dev_err(soc_runtime->dev, + "error writing to irqclear reg: %d\n", rv); +@@ -688,7 +688,7 @@ static irqreturn_t lpass_dma_interrupt_h + } + + if (interrupts & LPAIF_IRQ_ERR(chan)) { +- rv = regmap_update_bits(map, reg, mask, (LPAIF_IRQ_ERR(chan) | val)); ++ rv = regmap_write_bits(map, reg, mask, (LPAIF_IRQ_ERR(chan) | val)); + if (rv) { + dev_err(soc_runtime->dev, + "error writing to irqclear reg: %d\n", rv); diff --git a/queue-5.15/asoc-tas2770-insert-post-reset-delay.patch b/queue-5.15/asoc-tas2770-insert-post-reset-delay.patch new file mode 100644 index 00000000000..56823ec1d3d --- /dev/null +++ b/queue-5.15/asoc-tas2770-insert-post-reset-delay.patch @@ -0,0 +1,59 @@ +From 307f31452078792aab94a729fce33200c6e42dc4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Martin=20Povi=C5=A1er?= +Date: Fri, 4 Feb 2022 10:53:01 +0100 +Subject: ASoC: tas2770: Insert post reset delay +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin Povišer + +commit 307f31452078792aab94a729fce33200c6e42dc4 upstream. + +Per TAS2770 datasheet there must be a 1 ms delay from reset to first +command. So insert delays into the driver where appropriate. + +Fixes: 1a476abc723e ("tas2770: add tas2770 smart PA kernel driver") +Signed-off-by: Martin Povišer +Link: https://lore.kernel.org/r/20220204095301.5554-1-povik+lin@cutebit.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/tas2770.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/sound/soc/codecs/tas2770.c ++++ b/sound/soc/codecs/tas2770.c +@@ -38,10 +38,12 @@ static void tas2770_reset(struct tas2770 + gpiod_set_value_cansleep(tas2770->reset_gpio, 0); + msleep(20); + gpiod_set_value_cansleep(tas2770->reset_gpio, 1); ++ usleep_range(1000, 2000); + } + + snd_soc_component_write(tas2770->component, TAS2770_SW_RST, + TAS2770_RST); ++ usleep_range(1000, 2000); + } + + static int tas2770_set_bias_level(struct snd_soc_component *component, +@@ -110,6 +112,7 @@ static int tas2770_codec_resume(struct s + + if (tas2770->sdz_gpio) { + gpiod_set_value_cansleep(tas2770->sdz_gpio, 1); ++ usleep_range(1000, 2000); + } else { + ret = snd_soc_component_update_bits(component, TAS2770_PWR_CTRL, + TAS2770_PWR_CTRL_MASK, +@@ -510,8 +513,10 @@ static int tas2770_codec_probe(struct sn + + tas2770->component = component; + +- if (tas2770->sdz_gpio) ++ if (tas2770->sdz_gpio) { + gpiod_set_value_cansleep(tas2770->sdz_gpio, 1); ++ usleep_range(1000, 2000); ++ } + + tas2770_reset(tas2770); + diff --git a/queue-5.15/block-fix-surprise-removal-for-drivers-calling-blk_set_queue_dying.patch b/queue-5.15/block-fix-surprise-removal-for-drivers-calling-blk_set_queue_dying.patch new file mode 100644 index 00000000000..5ffde2035e1 --- /dev/null +++ b/queue-5.15/block-fix-surprise-removal-for-drivers-calling-blk_set_queue_dying.patch @@ -0,0 +1,166 @@ +From 7a5428dcb7902700b830e912feee4e845df7c019 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Thu, 17 Feb 2022 08:52:31 +0100 +Subject: block: fix surprise removal for drivers calling blk_set_queue_dying +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christoph Hellwig + +commit 7a5428dcb7902700b830e912feee4e845df7c019 upstream. + +Various block drivers call blk_set_queue_dying to mark a disk as dead due +to surprise removal events, but since commit 8e141f9eb803 that doesn't +work given that the GD_DEAD flag needs to be set to stop I/O. + +Replace the driver calls to blk_set_queue_dying with a new (and properly +documented) blk_mark_disk_dead API, and fold blk_set_queue_dying into the +only remaining caller. + +Fixes: 8e141f9eb803 ("block: drain file system I/O on del_gendisk") +Reported-by: Markus Blöchl +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Link: https://lore.kernel.org/r/20220217075231.1140-1-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-core.c | 10 ++-------- + block/genhd.c | 14 ++++++++++++++ + drivers/block/mtip32xx/mtip32xx.c | 2 +- + drivers/block/rbd.c | 2 +- + drivers/block/xen-blkfront.c | 2 +- + drivers/md/dm.c | 2 +- + drivers/nvme/host/core.c | 2 +- + drivers/nvme/host/multipath.c | 2 +- + include/linux/blkdev.h | 3 ++- + 9 files changed, 24 insertions(+), 15 deletions(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -350,13 +350,6 @@ void blk_queue_start_drain(struct reques + wake_up_all(&q->mq_freeze_wq); + } + +-void blk_set_queue_dying(struct request_queue *q) +-{ +- blk_queue_flag_set(QUEUE_FLAG_DYING, q); +- blk_queue_start_drain(q); +-} +-EXPORT_SYMBOL_GPL(blk_set_queue_dying); +- + /** + * blk_cleanup_queue - shutdown a request queue + * @q: request queue to shutdown +@@ -374,7 +367,8 @@ void blk_cleanup_queue(struct request_qu + WARN_ON_ONCE(blk_queue_registered(q)); + + /* mark @q DYING, no new request or merges will be allowed afterwards */ +- blk_set_queue_dying(q); ++ blk_queue_flag_set(QUEUE_FLAG_DYING, q); ++ blk_queue_start_drain(q); + + blk_queue_flag_set(QUEUE_FLAG_NOMERGES, q); + blk_queue_flag_set(QUEUE_FLAG_NOXMERGES, q); +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -545,6 +545,20 @@ out_free_ext_minor: + EXPORT_SYMBOL(device_add_disk); + + /** ++ * blk_mark_disk_dead - mark a disk as dead ++ * @disk: disk to mark as dead ++ * ++ * Mark as disk as dead (e.g. surprise removed) and don't accept any new I/O ++ * to this disk. ++ */ ++void blk_mark_disk_dead(struct gendisk *disk) ++{ ++ set_bit(GD_DEAD, &disk->state); ++ blk_queue_start_drain(disk->queue); ++} ++EXPORT_SYMBOL_GPL(blk_mark_disk_dead); ++ ++/** + * del_gendisk - remove the gendisk + * @disk: the struct gendisk to remove + * +--- a/drivers/block/mtip32xx/mtip32xx.c ++++ b/drivers/block/mtip32xx/mtip32xx.c +@@ -4112,7 +4112,7 @@ static void mtip_pci_remove(struct pci_d + "Completion workers still active!\n"); + } + +- blk_set_queue_dying(dd->queue); ++ blk_mark_disk_dead(dd->disk); + set_bit(MTIP_DDF_REMOVE_PENDING_BIT, &dd->dd_flag); + + /* Clean up the block layer. */ +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -7182,7 +7182,7 @@ static ssize_t do_rbd_remove(struct bus_ + * IO to complete/fail. + */ + blk_mq_freeze_queue(rbd_dev->disk->queue); +- blk_set_queue_dying(rbd_dev->disk->queue); ++ blk_mark_disk_dead(rbd_dev->disk); + } + + del_gendisk(rbd_dev->disk); +--- a/drivers/block/xen-blkfront.c ++++ b/drivers/block/xen-blkfront.c +@@ -2128,7 +2128,7 @@ static void blkfront_closing(struct blkf + + /* No more blkif_request(). */ + blk_mq_stop_hw_queues(info->rq); +- blk_set_queue_dying(info->rq); ++ blk_mark_disk_dead(info->gd); + set_capacity(info->gd, 0); + + for_each_rinfo(info, rinfo, i) { +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2156,7 +2156,7 @@ static void __dm_destroy(struct mapped_d + set_bit(DMF_FREEING, &md->flags); + spin_unlock(&_minor_lock); + +- blk_set_queue_dying(md->queue); ++ blk_mark_disk_dead(md->disk); + + /* + * Take suspend_lock so that presuspend and postsuspend methods +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -131,7 +131,7 @@ static void nvme_set_queue_dying(struct + if (test_and_set_bit(NVME_NS_DEAD, &ns->flags)) + return; + +- blk_set_queue_dying(ns->queue); ++ blk_mark_disk_dead(ns->disk); + blk_mq_unquiesce_queue(ns->queue); + + set_capacity_and_notify(ns->disk, 0); +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -792,7 +792,7 @@ void nvme_mpath_remove_disk(struct nvme_ + { + if (!head->disk) + return; +- blk_set_queue_dying(head->disk->queue); ++ blk_mark_disk_dead(head->disk); + /* make sure all pending bios are cleaned up */ + kblockd_schedule_work(&head->requeue_work); + flush_work(&head->requeue_work); +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -1184,7 +1184,8 @@ extern void blk_dump_rq_flags(struct req + + bool __must_check blk_get_queue(struct request_queue *); + extern void blk_put_queue(struct request_queue *); +-extern void blk_set_queue_dying(struct request_queue *); ++ ++void blk_mark_disk_dead(struct gendisk *disk); + + #ifdef CONFIG_BLOCK + /* diff --git a/queue-5.15/block-wbt-fix-negative-inflight-counter-when-remove-scsi-device.patch b/queue-5.15/block-wbt-fix-negative-inflight-counter-when-remove-scsi-device.patch new file mode 100644 index 00000000000..6c4fa9b3d95 --- /dev/null +++ b/queue-5.15/block-wbt-fix-negative-inflight-counter-when-remove-scsi-device.patch @@ -0,0 +1,78 @@ +From e92bc4cd34de2ce454bdea8cd198b8067ee4e123 Mon Sep 17 00:00:00 2001 +From: Laibin Qiu +Date: Sat, 22 Jan 2022 19:10:45 +0800 +Subject: block/wbt: fix negative inflight counter when remove scsi device + +From: Laibin Qiu + +commit e92bc4cd34de2ce454bdea8cd198b8067ee4e123 upstream. + +Now that we disable wbt by set WBT_STATE_OFF_DEFAULT in +wbt_disable_default() when switch elevator to bfq. And when +we remove scsi device, wbt will be enabled by wbt_enable_default. +If it become false positive between wbt_wait() and wbt_track() +when submit write request. + +The following is the scenario that triggered the problem. + +T1 T2 T3 + elevator_switch_mq + bfq_init_queue + wbt_disable_default <= Set + rwb->enable_state (OFF) +Submit_bio +blk_mq_make_request +rq_qos_throttle +<= rwb->enable_state (OFF) + scsi_remove_device + sd_remove + del_gendisk + blk_unregister_queue + elv_unregister_queue + wbt_enable_default + <= Set rwb->enable_state (ON) +q_qos_track +<= rwb->enable_state (ON) +^^^^^^ this request will mark WBT_TRACKED without inflight add and will +lead to drop rqw->inflight to -1 in wbt_done() which will trigger IO hung. + +Fix this by move wbt_enable_default() from elv_unregister to +bfq_exit_queue(). Only re-enable wbt when bfq exit. + +Fixes: 76a8040817b4b ("blk-wbt: make sure throttle is enabled properly") + +Remove oneline stale comment, and kill one oneshot local variable. + +Signed-off-by: Ming Lei +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/linux-block/20211214133103.551813-1-qiulaibin@huawei.com/ +Signed-off-by: Laibin Qiu +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/bfq-iosched.c | 2 ++ + block/elevator.c | 2 -- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -6878,6 +6878,8 @@ static void bfq_exit_queue(struct elevat + spin_unlock_irq(&bfqd->lock); + #endif + ++ wbt_enable_default(bfqd->queue); ++ + kfree(bfqd); + } + +--- a/block/elevator.c ++++ b/block/elevator.c +@@ -523,8 +523,6 @@ void elv_unregister_queue(struct request + kobject_del(&e->kobj); + + e->registered = 0; +- /* Re-enable throttling in case elevator disabled it */ +- wbt_enable_default(q); + } + } + diff --git a/queue-5.15/mtd-parsers-qcom-fix-kernel-panic-on-skipped-partition.patch b/queue-5.15/mtd-parsers-qcom-fix-kernel-panic-on-skipped-partition.patch new file mode 100644 index 00000000000..a0a74835f61 --- /dev/null +++ b/queue-5.15/mtd-parsers-qcom-fix-kernel-panic-on-skipped-partition.patch @@ -0,0 +1,106 @@ +From 65d003cca335cabc0160d3cd7daa689eaa9dd3cd Mon Sep 17 00:00:00 2001 +From: Ansuel Smith +Date: Sun, 16 Jan 2022 04:22:10 +0100 +Subject: mtd: parsers: qcom: Fix kernel panic on skipped partition + +From: Ansuel Smith + +commit 65d003cca335cabc0160d3cd7daa689eaa9dd3cd upstream. + +In the event of a skipped partition (case when the entry name is empty) +the kernel panics in the cleanup function as the name entry is NULL. +Rework the parser logic by first checking the real partition number and +then allocate the space and set the data for the valid partitions. + +The logic was also fundamentally wrong as with a skipped partition, the +parts number returned was incorrect by not decreasing it for the skipped +partitions. + +Fixes: 803eb124e1a6 ("mtd: parsers: Add Qcom SMEM parser") +Signed-off-by: Ansuel Smith +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220116032211.9728-1-ansuelsmth@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/parsers/qcomsmempart.c | 31 +++++++++++++++++++------------ + 1 file changed, 19 insertions(+), 12 deletions(-) + +--- a/drivers/mtd/parsers/qcomsmempart.c ++++ b/drivers/mtd/parsers/qcomsmempart.c +@@ -58,11 +58,11 @@ static int parse_qcomsmem_part(struct mt + const struct mtd_partition **pparts, + struct mtd_part_parser_data *data) + { ++ size_t len = SMEM_FLASH_PTABLE_HDR_LEN; ++ int ret, i, j, tmpparts, numparts = 0; + struct smem_flash_pentry *pentry; + struct smem_flash_ptable *ptable; +- size_t len = SMEM_FLASH_PTABLE_HDR_LEN; + struct mtd_partition *parts; +- int ret, i, numparts; + char *name, *c; + + if (IS_ENABLED(CONFIG_MTD_SPI_NOR_USE_4K_SECTORS) +@@ -87,8 +87,8 @@ static int parse_qcomsmem_part(struct mt + } + + /* Ensure that # of partitions is less than the max we have allocated */ +- numparts = le32_to_cpu(ptable->numparts); +- if (numparts > SMEM_FLASH_PTABLE_MAX_PARTS_V4) { ++ tmpparts = le32_to_cpu(ptable->numparts); ++ if (tmpparts > SMEM_FLASH_PTABLE_MAX_PARTS_V4) { + pr_err("Partition numbers exceed the max limit\n"); + return -EINVAL; + } +@@ -116,11 +116,17 @@ static int parse_qcomsmem_part(struct mt + return PTR_ERR(ptable); + } + ++ for (i = 0; i < tmpparts; i++) { ++ pentry = &ptable->pentry[i]; ++ if (pentry->name[0] != '\0') ++ numparts++; ++ } ++ + parts = kcalloc(numparts, sizeof(*parts), GFP_KERNEL); + if (!parts) + return -ENOMEM; + +- for (i = 0; i < numparts; i++) { ++ for (i = 0, j = 0; i < tmpparts; i++) { + pentry = &ptable->pentry[i]; + if (pentry->name[0] == '\0') + continue; +@@ -135,24 +141,25 @@ static int parse_qcomsmem_part(struct mt + for (c = name; *c != '\0'; c++) + *c = tolower(*c); + +- parts[i].name = name; +- parts[i].offset = le32_to_cpu(pentry->offset) * mtd->erasesize; +- parts[i].mask_flags = pentry->attr; +- parts[i].size = le32_to_cpu(pentry->length) * mtd->erasesize; ++ parts[j].name = name; ++ parts[j].offset = le32_to_cpu(pentry->offset) * mtd->erasesize; ++ parts[j].mask_flags = pentry->attr; ++ parts[j].size = le32_to_cpu(pentry->length) * mtd->erasesize; + pr_debug("%d: %s offs=0x%08x size=0x%08x attr:0x%08x\n", + i, pentry->name, le32_to_cpu(pentry->offset), + le32_to_cpu(pentry->length), pentry->attr); ++ j++; + } + + pr_debug("SMEM partition table found: ver: %d len: %d\n", +- le32_to_cpu(ptable->version), numparts); ++ le32_to_cpu(ptable->version), tmpparts); + *pparts = parts; + + return numparts; + + out_free_parts: +- while (--i >= 0) +- kfree(parts[i].name); ++ while (--j >= 0) ++ kfree(parts[j].name); + kfree(parts); + *pparts = NULL; + diff --git a/queue-5.15/mtd-parsers-qcom-fix-missing-free-for-pparts-in-cleanup.patch b/queue-5.15/mtd-parsers-qcom-fix-missing-free-for-pparts-in-cleanup.patch new file mode 100644 index 00000000000..544569db5f1 --- /dev/null +++ b/queue-5.15/mtd-parsers-qcom-fix-missing-free-for-pparts-in-cleanup.patch @@ -0,0 +1,33 @@ +From 3dd8ba961b9356c4113b96541c752c73d98fef70 Mon Sep 17 00:00:00 2001 +From: Ansuel Smith +Date: Sun, 16 Jan 2022 04:22:11 +0100 +Subject: mtd: parsers: qcom: Fix missing free for pparts in cleanup + +From: Ansuel Smith + +commit 3dd8ba961b9356c4113b96541c752c73d98fef70 upstream. + +Mtdpart doesn't free pparts when a cleanup function is declared. +Add missing free for pparts in cleanup function for smem to fix the +leak. + +Fixes: 10f3b4d79958 ("mtd: parsers: qcom: Fix leaking of partition name") +Signed-off-by: Ansuel Smith +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220116032211.9728-2-ansuelsmth@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/parsers/qcomsmempart.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/parsers/qcomsmempart.c ++++ b/drivers/mtd/parsers/qcomsmempart.c +@@ -173,6 +173,8 @@ static void parse_qcomsmem_cleanup(const + + for (i = 0; i < nr_parts; i++) + kfree(pparts[i].name); ++ ++ kfree(pparts); + } + + static const struct of_device_id qcomsmem_of_match_table[] = { diff --git a/queue-5.15/mtd-phram-prevent-divide-by-zero-bug-in-phram_setup.patch b/queue-5.15/mtd-phram-prevent-divide-by-zero-bug-in-phram_setup.patch new file mode 100644 index 00000000000..b1c3b09b19f --- /dev/null +++ b/queue-5.15/mtd-phram-prevent-divide-by-zero-bug-in-phram_setup.patch @@ -0,0 +1,52 @@ +From 3e3765875b1b8864898603768fd5c93eeb552211 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 21 Jan 2022 14:55:05 +0300 +Subject: mtd: phram: Prevent divide by zero bug in phram_setup() + +From: Dan Carpenter + +commit 3e3765875b1b8864898603768fd5c93eeb552211 upstream. + +The problem is that "erasesize" is a uint64_t type so it might be +non-zero but the lower 32 bits are zero so when it's truncated, +"(uint32_t)erasesize", then that value is zero. This leads to a +divide by zero bug. + +Avoid the bug by delaying the divide until after we have validated +that "erasesize" is non-zero and within the uint32_t range. + +Fixes: dc2b3e5cbc80 ("mtd: phram: use div_u64_rem to stop overwrite len in phram_setup") +Signed-off-by: Dan Carpenter +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220121115505.GI1978@kadam +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/devices/phram.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/devices/phram.c ++++ b/drivers/mtd/devices/phram.c +@@ -264,15 +264,19 @@ static int phram_setup(const char *val) + } + } + +- if (erasesize) +- div_u64_rem(len, (uint32_t)erasesize, &rem); +- + if (len == 0 || erasesize == 0 || erasesize > len +- || erasesize > UINT_MAX || rem) { ++ || erasesize > UINT_MAX) { + parse_err("illegal erasesize or len\n"); + ret = -EINVAL; + goto error; + } ++ ++ div_u64_rem(len, (uint32_t)erasesize, &rem); ++ if (rem) { ++ parse_err("len is not multiple of erasesize\n"); ++ ret = -EINVAL; ++ goto error; ++ } + + ret = register_device(name, start, len, (uint32_t)erasesize); + if (ret) diff --git a/queue-5.15/mtd-rawnand-brcmnand-fixed-incorrect-sub-page-ecc-status.patch b/queue-5.15/mtd-rawnand-brcmnand-fixed-incorrect-sub-page-ecc-status.patch new file mode 100644 index 00000000000..dd4d56517c9 --- /dev/null +++ b/queue-5.15/mtd-rawnand-brcmnand-fixed-incorrect-sub-page-ecc-status.patch @@ -0,0 +1,43 @@ +From 36415a7964711822e63695ea67fede63979054d9 Mon Sep 17 00:00:00 2001 +From: david regan +Date: Wed, 26 Jan 2022 23:43:44 +0100 +Subject: mtd: rawnand: brcmnand: Fixed incorrect sub-page ECC status + +From: david regan + +commit 36415a7964711822e63695ea67fede63979054d9 upstream. + +The brcmnand driver contains a bug in which if a page (example 2k byte) +is read from the parallel/ONFI NAND and within that page a subpage (512 +byte) has correctable errors which is followed by a subpage with +uncorrectable errors, the page read will return the wrong status of +correctable (as opposed to the actual status of uncorrectable.) + +The bug is in function brcmnand_read_by_pio where there is a check for +uncorrectable bits which will be preempted if a previous status for +correctable bits is detected. + +The fix is to stop checking for bad bits only if we already have a bad +bits status. + +Fixes: 27c5b17cd1b1 ("mtd: nand: add NAND driver "library" for Broadcom STB NAND controller") +Signed-off-by: david regan +Reviewed-by: Florian Fainelli +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/trinity-478e0c09-9134-40e8-8f8c-31c371225eda-1643237024774@3c-app-mailcom-lxa02 +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c ++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +@@ -2106,7 +2106,7 @@ static int brcmnand_read_by_pio(struct m + mtd->oobsize / trans, + host->hwcfg.sector_size_1k); + +- if (!ret) { ++ if (ret != -EBADMSG) { + *err_addr = brcmnand_get_uncorrecc_addr(ctrl); + + if (*err_addr) diff --git a/queue-5.15/mtd-rawnand-qcom-fix-clock-sequencing-in-qcom_nandc_probe.patch b/queue-5.15/mtd-rawnand-qcom-fix-clock-sequencing-in-qcom_nandc_probe.patch new file mode 100644 index 00000000000..6fbfbcdb93f --- /dev/null +++ b/queue-5.15/mtd-rawnand-qcom-fix-clock-sequencing-in-qcom_nandc_probe.patch @@ -0,0 +1,91 @@ +From 5c23b3f965bc9ee696bf2ed4bdc54d339dd9a455 Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Mon, 3 Jan 2022 03:03:15 +0000 +Subject: mtd: rawnand: qcom: Fix clock sequencing in qcom_nandc_probe() + +From: Bryan O'Donoghue + +commit 5c23b3f965bc9ee696bf2ed4bdc54d339dd9a455 upstream. + +Interacting with a NAND chip on an IPQ6018 I found that the qcomsmem NAND +partition parser was returning -EPROBE_DEFER waiting for the main smem +driver to load. + +This caused the board to reset. Playing about with the probe() function +shows that the problem lies in the core clock being switched off before the +nandc_unalloc() routine has completed. + +If we look at how qcom_nandc_remove() tears down allocated resources we see +the expected order is + +qcom_nandc_unalloc(nandc); + +clk_disable_unprepare(nandc->aon_clk); +clk_disable_unprepare(nandc->core_clk); + +dma_unmap_resource(&pdev->dev, nandc->base_dma, resource_size(res), + DMA_BIDIRECTIONAL, 0); + +Tweaking probe() to both bring up and tear-down in that order removes the +reset if we end up deferring elsewhere. + +Fixes: c76b78d8ec05 ("mtd: nand: Qualcomm NAND controller driver") +Signed-off-by: Bryan O'Donoghue +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220103030316.58301-2-bryan.odonoghue@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/qcom_nandc.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +--- a/drivers/mtd/nand/raw/qcom_nandc.c ++++ b/drivers/mtd/nand/raw/qcom_nandc.c +@@ -2,7 +2,6 @@ + /* + * Copyright (c) 2016, The Linux Foundation. All rights reserved. + */ +- + #include + #include + #include +@@ -3063,10 +3062,6 @@ static int qcom_nandc_probe(struct platf + if (dma_mapping_error(dev, nandc->base_dma)) + return -ENXIO; + +- ret = qcom_nandc_alloc(nandc); +- if (ret) +- goto err_nandc_alloc; +- + ret = clk_prepare_enable(nandc->core_clk); + if (ret) + goto err_core_clk; +@@ -3075,6 +3070,10 @@ static int qcom_nandc_probe(struct platf + if (ret) + goto err_aon_clk; + ++ ret = qcom_nandc_alloc(nandc); ++ if (ret) ++ goto err_nandc_alloc; ++ + ret = qcom_nandc_setup(nandc); + if (ret) + goto err_setup; +@@ -3086,15 +3085,14 @@ static int qcom_nandc_probe(struct platf + return 0; + + err_setup: ++ qcom_nandc_unalloc(nandc); ++err_nandc_alloc: + clk_disable_unprepare(nandc->aon_clk); + err_aon_clk: + clk_disable_unprepare(nandc->core_clk); + err_core_clk: +- qcom_nandc_unalloc(nandc); +-err_nandc_alloc: + dma_unmap_resource(dev, res->start, resource_size(res), + DMA_BIDIRECTIONAL, 0); +- + return ret; + } + diff --git a/queue-5.15/nfs-do-not-report-writeback-errors-in-nfs_getattr.patch b/queue-5.15/nfs-do-not-report-writeback-errors-in-nfs_getattr.patch new file mode 100644 index 00000000000..eb269e045e8 --- /dev/null +++ b/queue-5.15/nfs-do-not-report-writeback-errors-in-nfs_getattr.patch @@ -0,0 +1,39 @@ +From d19e0183a88306acda07f4a01fedeeffe2a2a06b Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 15 Feb 2022 18:05:18 -0500 +Subject: NFS: Do not report writeback errors in nfs_getattr() + +From: Trond Myklebust + +commit d19e0183a88306acda07f4a01fedeeffe2a2a06b upstream. + +The result of the writeback, whether it is an ENOSPC or an EIO, or +anything else, does not inhibit the NFS client from reporting the +correct file timestamps. + +Fixes: 79566ef018f5 ("NFS: Getattr doesn't require data sync semantics") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/inode.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -840,12 +840,9 @@ int nfs_getattr(struct user_namespace *m + } + + /* Flush out writes to the server in order to update c/mtime. */ +- if ((request_mask & (STATX_CTIME|STATX_MTIME)) && +- S_ISREG(inode->i_mode)) { +- err = filemap_write_and_wait(inode->i_mapping); +- if (err) +- goto out; +- } ++ if ((request_mask & (STATX_CTIME | STATX_MTIME)) && ++ S_ISREG(inode->i_mode)) ++ filemap_write_and_wait(inode->i_mapping); + + /* + * We may force a getattr if the user cares about atime. diff --git a/queue-5.15/nfs-lookup_directory-is-also-ok-with-symlinks.patch b/queue-5.15/nfs-lookup_directory-is-also-ok-with-symlinks.patch new file mode 100644 index 00000000000..86931699c91 --- /dev/null +++ b/queue-5.15/nfs-lookup_directory-is-also-ok-with-symlinks.patch @@ -0,0 +1,43 @@ +From e0caaf75d443e02e55e146fd75fe2efc8aed5540 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 8 Feb 2022 13:38:23 -0500 +Subject: NFS: LOOKUP_DIRECTORY is also ok with symlinks + +From: Trond Myklebust + +commit e0caaf75d443e02e55e146fd75fe2efc8aed5540 upstream. + +Commit ac795161c936 (NFSv4: Handle case where the lookup of a directory +fails) [1], part of Linux since 5.17-rc2, introduced a regression, where +a symbolic link on an NFS mount to a directory on another NFS does not +resolve(?) the first time it is accessed: + +Reported-by: Paul Menzel +Fixes: ac795161c936 ("NFSv4: Handle case where the lookup of a directory fails") +Signed-off-by: Trond Myklebust +Tested-by: Donald Buczek +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/dir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1987,14 +1987,14 @@ no_open: + if (!res) { + inode = d_inode(dentry); + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && +- !S_ISDIR(inode->i_mode)) ++ !(S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode))) + res = ERR_PTR(-ENOTDIR); + else if (inode && S_ISREG(inode->i_mode)) + res = ERR_PTR(-EOPENSTALE); + } else if (!IS_ERR(res)) { + inode = d_inode(res); + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && +- !S_ISDIR(inode->i_mode)) { ++ !(S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode))) { + dput(res); + res = ERR_PTR(-ENOTDIR); + } else if (inode && S_ISREG(inode->i_mode)) { diff --git a/queue-5.15/nfs-remove-an-incorrect-revalidation-in-nfs4_update_changeattr_locked.patch b/queue-5.15/nfs-remove-an-incorrect-revalidation-in-nfs4_update_changeattr_locked.patch new file mode 100644 index 00000000000..d9a595ba9c6 --- /dev/null +++ b/queue-5.15/nfs-remove-an-incorrect-revalidation-in-nfs4_update_changeattr_locked.patch @@ -0,0 +1,38 @@ +From 9d047bf68fe8cdb4086deaf4edd119731a9481ed Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 8 Feb 2022 12:14:44 -0500 +Subject: NFS: Remove an incorrect revalidation in nfs4_update_changeattr_locked() + +From: Trond Myklebust + +commit 9d047bf68fe8cdb4086deaf4edd119731a9481ed upstream. + +In nfs4_update_changeattr_locked(), we don't need to set the +NFS_INO_REVAL_PAGECACHE flag, because we already know the value of the +change attribute, and we're already flagging the size. In fact, this +forces us to revalidate the change attribute a second time for no good +reason. +This extra flag appears to have been introduced as part of the xattr +feature, when update_changeattr_locked() was converted for use by the +xattr code. + +Fixes: 1b523ca972ed ("nfs: modify update_changeattr to deal with regular files") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1232,8 +1232,7 @@ nfs4_update_changeattr_locked(struct ino + NFS_INO_INVALID_ACCESS | NFS_INO_INVALID_ACL | + NFS_INO_INVALID_SIZE | NFS_INO_INVALID_OTHER | + NFS_INO_INVALID_BLOCKS | NFS_INO_INVALID_NLINK | +- NFS_INO_INVALID_MODE | NFS_INO_INVALID_XATTR | +- NFS_INO_REVAL_PAGECACHE; ++ NFS_INO_INVALID_MODE | NFS_INO_INVALID_XATTR; + nfsi->attrtimeo = NFS_MINATTRTIMEO(inode); + } + nfsi->attrtimeo_timestamp = jiffies; diff --git a/queue-5.15/series b/queue-5.15/series index f8b0ea4ac36..489a0acd4ca 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -125,3 +125,16 @@ smb3-fix-snapshot-mount-option.patch tipc-fix-wrong-notification-node-addresses.patch scsi-ufs-remove-dead-code.patch scsi-ufs-fix-a-deadlock-in-the-error-handler.patch +asoc-tas2770-insert-post-reset-delay.patch +asoc-qcom-actually-clear-dma-interrupt-register-for-hdmi.patch +block-wbt-fix-negative-inflight-counter-when-remove-scsi-device.patch +nfs-remove-an-incorrect-revalidation-in-nfs4_update_changeattr_locked.patch +nfs-lookup_directory-is-also-ok-with-symlinks.patch +nfs-do-not-report-writeback-errors-in-nfs_getattr.patch +tty-n_tty-do-not-look-ahead-for-eol-character-past-the-end-of-the-buffer.patch +block-fix-surprise-removal-for-drivers-calling-blk_set_queue_dying.patch +mtd-rawnand-qcom-fix-clock-sequencing-in-qcom_nandc_probe.patch +mtd-parsers-qcom-fix-kernel-panic-on-skipped-partition.patch +mtd-parsers-qcom-fix-missing-free-for-pparts-in-cleanup.patch +mtd-phram-prevent-divide-by-zero-bug-in-phram_setup.patch +mtd-rawnand-brcmnand-fixed-incorrect-sub-page-ecc-status.patch diff --git a/queue-5.15/tty-n_tty-do-not-look-ahead-for-eol-character-past-the-end-of-the-buffer.patch b/queue-5.15/tty-n_tty-do-not-look-ahead-for-eol-character-past-the-end-of-the-buffer.patch new file mode 100644 index 00000000000..ee281ead16d --- /dev/null +++ b/queue-5.15/tty-n_tty-do-not-look-ahead-for-eol-character-past-the-end-of-the-buffer.patch @@ -0,0 +1,106 @@ +From 3593030761630e09200072a4bd06468892c27be3 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Tue, 15 Feb 2022 15:28:00 -0800 +Subject: tty: n_tty: do not look ahead for EOL character past the end of the buffer + +From: Linus Torvalds + +commit 3593030761630e09200072a4bd06468892c27be3 upstream. + +Daniel Gibson reports that the n_tty code gets line termination wrong in +very specific cases: + + "If you feed a line with exactly 64 chars + terminating newline, and + directly afterwards (without reading) another line into a pseudo + terminal, the the first read() on the other side will return the 64 + char line *without* terminating newline, and the next read() will + return the missing terminating newline AND the complete next line (if + it fits in the buffer)" + +and bisected the behavior to commit 3b830a9c34d5 ("tty: convert +tty_ldisc_ops 'read()' function to take a kernel pointer"). + +Now, digging deeper, it turns out that the behavior isn't exactly new: +what changed in commit 3b830a9c34d5 was that the tty line discipline +.read() function is now passed an intermediate kernel buffer rather than +the final user space buffer. + +And that intermediate kernel buffer is 64 bytes in size - thus that +special case with exactly 64 bytes plus terminating newline. + +The same problem did exist before, but historically the boundary was not +the 64-byte chunk, but the user-supplied buffer size, which is obviously +generally bigger (and potentially bigger than N_TTY_BUF_SIZE, which +would hide the issue entirely). + +The reason is that the n_tty canon_copy_from_read_buf() code would look +ahead for the EOL character one byte further than it would actually +copy. It would then decide that it had found the terminator, and unmark +it as an EOL character - which in turn explains why the next read +wouldn't then be terminated by it. + +Now, the reason it did all this in the first place is related to some +historical and pretty obscure EOF behavior, see commit ac8f3bf8832a +("n_tty: Fix poll() after buffer-limited eof push read") and commit +40d5e0905a03 ("n_tty: Fix EOF push handling"). + +And the reason for the EOL confusion is that we treat EOF as a special +EOL condition, with the EOL character being NUL (aka "__DISABLED_CHAR" +in the kernel sources). + +So that EOF look-ahead also affects the normal EOL handling. + +This patch just removes the look-ahead that causes problems, because EOL +is much more critical than the historical "EOF in the middle of a line +that coincides with the end of the buffer" handling ever was. + +Now, it is possible that we should indeed re-introduce the "look at next +character to see if it's a EOF" behavior, but if so, that should be done +not at the kernel buffer chunk boundary in canon_copy_from_read_buf(), +but at a higher level, when we run out of the user buffer. + +In particular, the place to do that would be at the top of +'n_tty_read()', where we check if it's a continuation of a previously +started read, and there is no more buffer space left, we could decide to +just eat the __DISABLED_CHAR at that point. + +But that would be a separate patch, because I suspect nobody actually +cares, and I'd like to get a report about it before bothering. + +Fixes: 3b830a9c34d5 ("tty: convert tty_ldisc_ops 'read()' function to take a kernel pointer") +Fixes: ac8f3bf8832a ("n_tty: Fix poll() after buffer-limited eof push read") +Fixes: 40d5e0905a03 ("n_tty: Fix EOF push handling") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215611 +Reported-and-tested-by: Daniel Gibson +Cc: Peter Hurley +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_tty.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -1963,7 +1963,7 @@ static bool canon_copy_from_read_buf(str + return false; + + canon_head = smp_load_acquire(&ldata->canon_head); +- n = min(*nr + 1, canon_head - ldata->read_tail); ++ n = min(*nr, canon_head - ldata->read_tail); + + tail = ldata->read_tail & (N_TTY_BUF_SIZE - 1); + size = min_t(size_t, tail + n, N_TTY_BUF_SIZE); +@@ -1985,10 +1985,8 @@ static bool canon_copy_from_read_buf(str + n += N_TTY_BUF_SIZE; + c = n + found; + +- if (!found || read_buf(ldata, eol) != __DISABLED_CHAR) { +- c = min(*nr, c); ++ if (!found || read_buf(ldata, eol) != __DISABLED_CHAR) + n = c; +- } + + n_tty_trace("%s: eol:%zu found:%d n:%zu c:%zu tail:%zu more:%zu\n", + __func__, eol, found, n, c, tail, more);