From: Greg Kroah-Hartman Date: Sat, 6 May 2023 02:18:09 +0000 (+0900) Subject: 5.10-stable patches X-Git-Tag: v5.15.111~139 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eec35a2ce7e0a8644a8136331410ddb1e9e2b506;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: blk-crypto-make-blk_crypto_evict_key-more-robust.patch blk-crypto-make-blk_crypto_evict_key-return-void.patch blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch ext4-use-ext4_journal_start-stop-for-fast-commit-transactions.patch hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch ima-allow-fix-uml-builds.patch ipmi-fix-ssif-not-responding-under-certain-cond.patch ipmi-ssif-add-send_retries-increment.patch kheaders-use-array-declaration-instead-of-char.patch mips-fw-allow-firmware-to-pass-a-empty-env.patch pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch perf-sched-cast-pthread_stack_min-to-int-as-it-may-turn-into-sysconf-__sc_thread_stack_min_value.patch posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch staging-iio-resolver-ads1210-fix-config-mode.patch tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch xhci-fix-debugfs-register-accesses-while-suspended.patch --- diff --git a/queue-5.10/blk-crypto-make-blk_crypto_evict_key-more-robust.patch b/queue-5.10/blk-crypto-make-blk_crypto_evict_key-more-robust.patch new file mode 100644 index 00000000000..51c7c6520d6 --- /dev/null +++ b/queue-5.10/blk-crypto-make-blk_crypto_evict_key-more-robust.patch @@ -0,0 +1,157 @@ +From stable-owner@vger.kernel.org Thu May 4 13:10:15 2023 +From: Eric Biggers +Date: Wed, 3 May 2023 21:09:41 -0700 +Subject: blk-crypto: make blk_crypto_evict_key() more robust +To: stable@vger.kernel.org +Cc: linux-block@vger.kernel.org, Christoph Hellwig , Jens Axboe +Message-ID: <20230504040941.152614-4-ebiggers@kernel.org> + +From: Eric Biggers + +commit 5c7cb94452901a93e90c2230632e2c12a681bc92 upstream. + +If blk_crypto_evict_key() sees that the key is still in-use (due to a +bug) or that ->keyslot_evict failed, it currently just returns while +leaving the key linked into the keyslot management structures. + +However, blk_crypto_evict_key() is only called in contexts such as inode +eviction where failure is not an option. So actually the caller +proceeds with freeing the blk_crypto_key regardless of the return value +of blk_crypto_evict_key(). + +These two assumptions don't match, and the result is that there can be a +use-after-free in blk_crypto_reprogram_all_keys() after one of these +errors occurs. (Note, these errors *shouldn't* happen; we're just +talking about what happens if they do anyway.) + +Fix this by making blk_crypto_evict_key() unlink the key from the +keyslot management structures even on failure. + +Also improve some comments. + +Fixes: 1b2628397058 ("block: Keyslot Manager for Inline Encryption") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-crypto.c | 29 +++++++++++++++++++++-------- + block/keyslot-manager.c | 43 +++++++++++++++++++++---------------------- + 2 files changed, 42 insertions(+), 30 deletions(-) + +--- a/block/blk-crypto.c ++++ b/block/blk-crypto.c +@@ -385,15 +385,20 @@ int blk_crypto_start_using_key(const str + } + + /** +- * blk_crypto_evict_key() - Evict a key from any inline encryption hardware +- * it may have been programmed into +- * @q: The request queue who's associated inline encryption hardware this key +- * might have been programmed into +- * @key: The key to evict ++ * blk_crypto_evict_key() - Evict a blk_crypto_key from a request_queue ++ * @q: a request_queue on which I/O using the key may have been done ++ * @key: the key to evict + * +- * Upper layers (filesystems) must call this function to ensure that a key is +- * evicted from any hardware that it might have been programmed into. The key +- * must not be in use by any in-flight IO when this function is called. ++ * For a given request_queue, this function removes the given blk_crypto_key ++ * from the keyslot management structures and evicts it from any underlying ++ * hardware keyslot(s) or blk-crypto-fallback keyslot it may have been ++ * programmed into. ++ * ++ * Upper layers must call this before freeing the blk_crypto_key. It must be ++ * called for every request_queue the key may have been used on. The key must ++ * no longer be in use by any I/O when this function is called. ++ * ++ * Context: May sleep. + */ + void blk_crypto_evict_key(struct request_queue *q, + const struct blk_crypto_key *key) +@@ -404,6 +409,14 @@ void blk_crypto_evict_key(struct request + err = blk_ksm_evict_key(q->ksm, key); + else + err = blk_crypto_fallback_evict_key(key); ++ /* ++ * An error can only occur here if the key failed to be evicted from a ++ * keyslot (due to a hardware or driver issue) or is allegedly still in ++ * use by I/O (due to a kernel bug). Even in these cases, the key is ++ * still unlinked from the keyslot management structures, and the caller ++ * is allowed and expected to free it right away. There's nothing ++ * callers can do to handle errors, so just log them and return void. ++ */ + if (err) + pr_warn_ratelimited("error %d evicting key\n", err); + } +--- a/block/keyslot-manager.c ++++ b/block/keyslot-manager.c +@@ -305,44 +305,43 @@ bool blk_ksm_crypto_cfg_supported(struct + return true; + } + +-/** +- * blk_ksm_evict_key() - Evict a key from the lower layer device. +- * @ksm: The keyslot manager to evict from +- * @key: The key to evict +- * +- * Find the keyslot that the specified key was programmed into, and evict that +- * slot from the lower layer device. The slot must not be in use by any +- * in-flight IO when this function is called. +- * +- * Context: Process context. Takes and releases ksm->lock. +- * Return: 0 on success or if there's no keyslot with the specified key, -EBUSY +- * if the keyslot is still in use, or another -errno value on other +- * error. ++/* ++ * This is an internal function that evicts a key from an inline encryption ++ * device that can be either a real device or the blk-crypto-fallback "device". ++ * It is used only by blk_crypto_evict_key(); see that function for details. + */ + int blk_ksm_evict_key(struct blk_keyslot_manager *ksm, + const struct blk_crypto_key *key) + { + struct blk_ksm_keyslot *slot; +- int err = 0; ++ int err; + + blk_ksm_hw_enter(ksm); + slot = blk_ksm_find_keyslot(ksm, key); +- if (!slot) +- goto out_unlock; ++ if (!slot) { ++ /* ++ * Not an error, since a key not in use by I/O is not guaranteed ++ * to be in a keyslot. There can be more keys than keyslots. ++ */ ++ err = 0; ++ goto out; ++ } + + if (WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)) { ++ /* BUG: key is still in use by I/O */ + err = -EBUSY; +- goto out_unlock; ++ goto out_remove; + } + err = ksm->ksm_ll_ops.keyslot_evict(ksm, key, + blk_ksm_get_slot_idx(slot)); +- if (err) +- goto out_unlock; +- ++out_remove: ++ /* ++ * Callers free the key even on error, so unlink the key from the hash ++ * table and clear slot->key even on error. ++ */ + hlist_del(&slot->hash_node); + slot->key = NULL; +- err = 0; +-out_unlock: ++out: + blk_ksm_hw_exit(ksm); + return err; + } diff --git a/queue-5.10/blk-crypto-make-blk_crypto_evict_key-return-void.patch b/queue-5.10/blk-crypto-make-blk_crypto_evict_key-return-void.patch new file mode 100644 index 00000000000..81274c81968 --- /dev/null +++ b/queue-5.10/blk-crypto-make-blk_crypto_evict_key-return-void.patch @@ -0,0 +1,82 @@ +From stable-owner@vger.kernel.org Thu May 4 13:10:12 2023 +From: Eric Biggers +Date: Wed, 3 May 2023 21:09:40 -0700 +Subject: blk-crypto: make blk_crypto_evict_key() return void +To: stable@vger.kernel.org +Cc: linux-block@vger.kernel.org, Christoph Hellwig , Jens Axboe +Message-ID: <20230504040941.152614-3-ebiggers@kernel.org> + +From: Eric Biggers + +commit 70493a63ba04f754f7a7dd53a4fcc82700181490 upstream. + +blk_crypto_evict_key() is only called in contexts such as inode eviction +where failure is not an option. So there is nothing the caller can do +with errors except log them. (dm-table.c does "use" the error code, but +only to pass on to upper layers, so it doesn't really count.) + +Just make blk_crypto_evict_key() return void and log errors itself. + +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-crypto.c | 22 ++++++++++------------ + include/linux/blk-crypto.h | 4 ++-- + 2 files changed, 12 insertions(+), 14 deletions(-) + +--- a/block/blk-crypto.c ++++ b/block/blk-crypto.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + + #include "blk-crypto-internal.h" +@@ -393,19 +394,16 @@ int blk_crypto_start_using_key(const str + * Upper layers (filesystems) must call this function to ensure that a key is + * evicted from any hardware that it might have been programmed into. The key + * must not be in use by any in-flight IO when this function is called. +- * +- * Return: 0 on success or if key is not present in the q's ksm, -err on error. + */ +-int blk_crypto_evict_key(struct request_queue *q, +- const struct blk_crypto_key *key) ++void blk_crypto_evict_key(struct request_queue *q, ++ const struct blk_crypto_key *key) + { +- if (blk_ksm_crypto_cfg_supported(q->ksm, &key->crypto_cfg)) +- return blk_ksm_evict_key(q->ksm, key); ++ int err; + +- /* +- * If the request queue's associated inline encryption hardware didn't +- * have support for the key, then the key might have been programmed +- * into the fallback keyslot manager, so try to evict from there. +- */ +- return blk_crypto_fallback_evict_key(key); ++ if (blk_ksm_crypto_cfg_supported(q->ksm, &key->crypto_cfg)) ++ err = blk_ksm_evict_key(q->ksm, key); ++ else ++ err = blk_crypto_fallback_evict_key(key); ++ if (err) ++ pr_warn_ratelimited("error %d evicting key\n", err); + } +--- a/include/linux/blk-crypto.h ++++ b/include/linux/blk-crypto.h +@@ -97,8 +97,8 @@ int blk_crypto_init_key(struct blk_crypt + int blk_crypto_start_using_key(const struct blk_crypto_key *key, + struct request_queue *q); + +-int blk_crypto_evict_key(struct request_queue *q, +- const struct blk_crypto_key *key); ++void blk_crypto_evict_key(struct request_queue *q, ++ const struct blk_crypto_key *key); + + bool blk_crypto_config_supported(struct request_queue *q, + const struct blk_crypto_config *cfg); diff --git a/queue-5.10/blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch b/queue-5.10/blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch new file mode 100644 index 00000000000..aa29a4aa7f4 --- /dev/null +++ b/queue-5.10/blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch @@ -0,0 +1,186 @@ +From stable-owner@vger.kernel.org Thu May 4 13:10:13 2023 +From: Eric Biggers +Date: Wed, 3 May 2023 21:09:39 -0700 +Subject: blk-mq: release crypto keyslot before reporting I/O complete +To: stable@vger.kernel.org +Cc: linux-block@vger.kernel.org, Nathan Huckleberry , Christoph Hellwig , Jens Axboe +Message-ID: <20230504040941.152614-2-ebiggers@kernel.org> + +From: Eric Biggers + +commit 9cd1e566676bbcb8a126acd921e4e194e6339603 upstream. + +Once all I/O using a blk_crypto_key has completed, filesystems can call +blk_crypto_evict_key(). However, the block layer currently doesn't call +blk_crypto_put_keyslot() until the request is being freed, which happens +after upper layers have been told (via bio_endio()) the I/O has +completed. This causes a race condition where blk_crypto_evict_key() +can see 'slot_refs != 0' without there being an actual bug. + +This makes __blk_crypto_evict_key() hit the +'WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)' and return without +doing anything, eventually causing a use-after-free in +blk_crypto_reprogram_all_keys(). (This is a very rare bug and has only +been seen when per-file keys are being used with fscrypt.) + +There are two options to fix this: either release the keyslot before +bio_endio() is called on the request's last bio, or make +__blk_crypto_evict_key() ignore slot_refs. Let's go with the first +solution, since it preserves the ability to report bugs (via +WARN_ON_ONCE) where a key is evicted while still in-use. + +Fixes: a892c8d52c02 ("block: Inline encryption support for blk-mq") +Cc: stable@vger.kernel.org +Reviewed-by: Nathan Huckleberry +Reviewed-by: Christoph Hellwig +Signed-off-by: Eric Biggers +Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-core.c | 7 +++++++ + block/blk-crypto-internal.h | 25 +++++++++++++++++++++---- + block/blk-crypto.c | 24 ++++++++++++------------ + block/blk-merge.c | 2 ++ + block/blk-mq.c | 2 +- + 5 files changed, 43 insertions(+), 17 deletions(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -1444,6 +1444,13 @@ bool blk_update_request(struct request * + req->q->integrity.profile->complete_fn(req, nr_bytes); + #endif + ++ /* ++ * Upper layers may call blk_crypto_evict_key() anytime after the last ++ * bio_endio(). Therefore, the keyslot must be released before that. ++ */ ++ if (blk_crypto_rq_has_keyslot(req) && nr_bytes >= blk_rq_bytes(req)) ++ __blk_crypto_rq_put_keyslot(req); ++ + if (unlikely(error && !blk_rq_is_passthrough(req) && + !(req->rq_flags & RQF_QUIET))) + print_req_error(req, error, __func__); +--- a/block/blk-crypto-internal.h ++++ b/block/blk-crypto-internal.h +@@ -60,6 +60,11 @@ static inline bool blk_crypto_rq_is_encr + return rq->crypt_ctx; + } + ++static inline bool blk_crypto_rq_has_keyslot(struct request *rq) ++{ ++ return rq->crypt_keyslot; ++} ++ + #else /* CONFIG_BLK_INLINE_ENCRYPTION */ + + static inline bool bio_crypt_rq_ctx_compatible(struct request *rq, +@@ -93,6 +98,11 @@ static inline bool blk_crypto_rq_is_encr + return false; + } + ++static inline bool blk_crypto_rq_has_keyslot(struct request *rq) ++{ ++ return false; ++} ++ + #endif /* CONFIG_BLK_INLINE_ENCRYPTION */ + + void __bio_crypt_advance(struct bio *bio, unsigned int bytes); +@@ -127,14 +137,21 @@ static inline bool blk_crypto_bio_prep(s + return true; + } + +-blk_status_t __blk_crypto_init_request(struct request *rq); +-static inline blk_status_t blk_crypto_init_request(struct request *rq) ++blk_status_t __blk_crypto_rq_get_keyslot(struct request *rq); ++static inline blk_status_t blk_crypto_rq_get_keyslot(struct request *rq) + { + if (blk_crypto_rq_is_encrypted(rq)) +- return __blk_crypto_init_request(rq); ++ return __blk_crypto_rq_get_keyslot(rq); + return BLK_STS_OK; + } + ++void __blk_crypto_rq_put_keyslot(struct request *rq); ++static inline void blk_crypto_rq_put_keyslot(struct request *rq) ++{ ++ if (blk_crypto_rq_has_keyslot(rq)) ++ __blk_crypto_rq_put_keyslot(rq); ++} ++ + void __blk_crypto_free_request(struct request *rq); + static inline void blk_crypto_free_request(struct request *rq) + { +@@ -173,7 +190,7 @@ static inline blk_status_t blk_crypto_in + { + + if (blk_crypto_rq_is_encrypted(rq)) +- return blk_crypto_init_request(rq); ++ return blk_crypto_rq_get_keyslot(rq); + return BLK_STS_OK; + } + +--- a/block/blk-crypto.c ++++ b/block/blk-crypto.c +@@ -216,26 +216,26 @@ static bool bio_crypt_check_alignment(st + return true; + } + +-blk_status_t __blk_crypto_init_request(struct request *rq) ++blk_status_t __blk_crypto_rq_get_keyslot(struct request *rq) + { + return blk_ksm_get_slot_for_key(rq->q->ksm, rq->crypt_ctx->bc_key, + &rq->crypt_keyslot); + } + +-/** +- * __blk_crypto_free_request - Uninitialize the crypto fields of a request. +- * +- * @rq: The request whose crypto fields to uninitialize. +- * +- * Completely uninitializes the crypto fields of a request. If a keyslot has +- * been programmed into some inline encryption hardware, that keyslot is +- * released. The rq->crypt_ctx is also freed. +- */ +-void __blk_crypto_free_request(struct request *rq) ++void __blk_crypto_rq_put_keyslot(struct request *rq) + { + blk_ksm_put_slot(rq->crypt_keyslot); ++ rq->crypt_keyslot = NULL; ++} ++ ++void __blk_crypto_free_request(struct request *rq) ++{ ++ /* The keyslot, if one was needed, should have been released earlier. */ ++ if (WARN_ON_ONCE(rq->crypt_keyslot)) ++ __blk_crypto_rq_put_keyslot(rq); ++ + mempool_free(rq->crypt_ctx, bio_crypt_ctx_pool); +- blk_crypto_rq_set_defaults(rq); ++ rq->crypt_ctx = NULL; + } + + /** +--- a/block/blk-merge.c ++++ b/block/blk-merge.c +@@ -801,6 +801,8 @@ static struct request *attempt_merge(str + if (!blk_discard_mergable(req)) + elv_merge_requests(q, req, next); + ++ blk_crypto_rq_put_keyslot(next); ++ + /* + * 'next' is going away, so update stats accordingly + */ +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -2193,7 +2193,7 @@ blk_qc_t blk_mq_submit_bio(struct bio *b + + blk_mq_bio_to_request(rq, bio, nr_segs); + +- ret = blk_crypto_init_request(rq); ++ ret = blk_crypto_rq_get_keyslot(rq); + if (ret != BLK_STS_OK) { + bio->bi_status = ret; + bio_endio(bio); diff --git a/queue-5.10/ext4-use-ext4_journal_start-stop-for-fast-commit-transactions.patch b/queue-5.10/ext4-use-ext4_journal_start-stop-for-fast-commit-transactions.patch new file mode 100644 index 00000000000..0006adf6699 --- /dev/null +++ b/queue-5.10/ext4-use-ext4_journal_start-stop-for-fast-commit-transactions.patch @@ -0,0 +1,178 @@ +From 2729cfdcfa1cc49bef5a90d046fa4a187fdfcc69 Mon Sep 17 00:00:00 2001 +From: Harshad Shirwadkar +Date: Thu, 23 Dec 2021 12:21:37 -0800 +Subject: ext4: use ext4_journal_start/stop for fast commit transactions + +From: Harshad Shirwadkar + +commit 2729cfdcfa1cc49bef5a90d046fa4a187fdfcc69 upstream. + +This patch drops all calls to ext4_fc_start_update() and +ext4_fc_stop_update(). To ensure that there are no ongoing journal +updates during fast commit, we also make jbd2_fc_begin_commit() lock +journal for updates. This way we don't have to maintain two different +transaction start stop APIs for fast commit and full commit. This +patch doesn't remove the functions altogether since in future we want +to have inode level locking for fast commits. + +Signed-off-by: Harshad Shirwadkar +Link: https://lore.kernel.org/r/20211223202140.2061101-2-harshads@google.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/acl.c | 2 -- + fs/ext4/extents.c | 2 -- + fs/ext4/file.c | 4 ---- + fs/ext4/inode.c | 7 +------ + fs/ext4/ioctl.c | 8 +------- + fs/jbd2/journal.c | 2 ++ + 6 files changed, 4 insertions(+), 21 deletions(-) + +--- a/fs/ext4/acl.c ++++ b/fs/ext4/acl.c +@@ -242,7 +242,6 @@ retry: + handle = ext4_journal_start(inode, EXT4_HT_XATTR, credits); + if (IS_ERR(handle)) + return PTR_ERR(handle); +- ext4_fc_start_update(inode); + + if ((type == ACL_TYPE_ACCESS) && acl) { + error = posix_acl_update_mode(inode, &mode, &acl); +@@ -260,7 +259,6 @@ retry: + } + out_stop: + ext4_journal_stop(handle); +- ext4_fc_stop_update(inode); + if (error == -ENOSPC && ext4_should_retry_alloc(inode->i_sb, &retries)) + goto retry; + return error; +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -4694,7 +4694,6 @@ long ext4_fallocate(struct file *file, i + FALLOC_FL_INSERT_RANGE)) + return -EOPNOTSUPP; + +- ext4_fc_start_update(inode); + inode_lock(inode); + ret = ext4_convert_inline_data(inode); + inode_unlock(inode); +@@ -4764,7 +4763,6 @@ out: + inode_unlock(inode); + trace_ext4_fallocate_exit(inode, offset, max_blocks, ret); + exit: +- ext4_fc_stop_update(inode); + return ret; + } + +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -260,7 +260,6 @@ static ssize_t ext4_buffered_write_iter( + if (iocb->ki_flags & IOCB_NOWAIT) + return -EOPNOTSUPP; + +- ext4_fc_start_update(inode); + inode_lock(inode); + ret = ext4_write_checks(iocb, from); + if (ret <= 0) +@@ -272,7 +271,6 @@ static ssize_t ext4_buffered_write_iter( + + out: + inode_unlock(inode); +- ext4_fc_stop_update(inode); + if (likely(ret > 0)) { + iocb->ki_pos += ret; + ret = generic_write_sync(iocb, ret); +@@ -559,9 +557,7 @@ static ssize_t ext4_dio_write_iter(struc + goto out; + } + +- ext4_fc_start_update(inode); + ret = ext4_orphan_add(handle, inode); +- ext4_fc_stop_update(inode); + if (ret) { + ext4_journal_stop(handle); + goto out; +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5437,7 +5437,7 @@ int ext4_setattr(struct dentry *dentry, + if (error) + return error; + } +- ext4_fc_start_update(inode); ++ + if ((ia_valid & ATTR_UID && !uid_eq(attr->ia_uid, inode->i_uid)) || + (ia_valid & ATTR_GID && !gid_eq(attr->ia_gid, inode->i_gid))) { + handle_t *handle; +@@ -5461,7 +5461,6 @@ int ext4_setattr(struct dentry *dentry, + + if (error) { + ext4_journal_stop(handle); +- ext4_fc_stop_update(inode); + return error; + } + /* Update corresponding info in inode so that everything is in +@@ -5473,7 +5472,6 @@ int ext4_setattr(struct dentry *dentry, + error = ext4_mark_inode_dirty(handle, inode); + ext4_journal_stop(handle); + if (unlikely(error)) { +- ext4_fc_stop_update(inode); + return error; + } + } +@@ -5488,12 +5486,10 @@ int ext4_setattr(struct dentry *dentry, + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + + if (attr->ia_size > sbi->s_bitmap_maxbytes) { +- ext4_fc_stop_update(inode); + return -EFBIG; + } + } + if (!S_ISREG(inode->i_mode)) { +- ext4_fc_stop_update(inode); + return -EINVAL; + } + +@@ -5619,7 +5615,6 @@ err_out: + ext4_std_error(inode->i_sb, error); + if (!error) + error = rc; +- ext4_fc_stop_update(inode); + return error; + } + +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -1322,13 +1322,7 @@ out: + + long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + { +- long ret; +- +- ext4_fc_start_update(file_inode(filp)); +- ret = __ext4_ioctl(filp, cmd, arg); +- ext4_fc_stop_update(file_inode(filp)); +- +- return ret; ++ return __ext4_ioctl(filp, cmd, arg); + } + + #ifdef CONFIG_COMPAT +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -757,6 +757,7 @@ int jbd2_fc_begin_commit(journal_t *jour + } + journal->j_flags |= JBD2_FAST_COMMIT_ONGOING; + write_unlock(&journal->j_state_lock); ++ jbd2_journal_lock_updates(journal); + + return 0; + } +@@ -768,6 +769,7 @@ EXPORT_SYMBOL(jbd2_fc_begin_commit); + */ + static int __jbd2_fc_end_commit(journal_t *journal, tid_t tid, bool fallback) + { ++ jbd2_journal_unlock_updates(journal); + if (journal->j_fc_cleanup_callback) + journal->j_fc_cleanup_callback(journal, 0); + write_lock(&journal->j_state_lock); diff --git a/queue-5.10/hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch b/queue-5.10/hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch new file mode 100644 index 00000000000..ae92076a0f9 --- /dev/null +++ b/queue-5.10/hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch @@ -0,0 +1,44 @@ +From 2a8e41ad337508fc5d598c0f9288890214f8e318 Mon Sep 17 00:00:00 2001 +From: Chris Packham +Date: Wed, 19 Apr 2023 11:36:55 +1200 +Subject: hwmon: (adt7475) Use device_property APIs when configuring polarity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chris Packham + +commit 2a8e41ad337508fc5d598c0f9288890214f8e318 upstream. + +On DT unaware platforms of_property_read_u32_array() returns -ENOSYS +which wasn't handled by the code treating adi,pwm-active-state as +optional. Update the code to use device_property_read_u32_array() which +deals gracefully with DT unaware platforms. + +Fixes: 86da28eed4fb ("hwmon: (adt7475) Add support for inverting pwm output") +Reported-by: Mariusz Białończyk +Link: https://lore.kernel.org/linux-hwmon/52e26a67-9131-2dc0-40cb-db5c07370027@alliedtelesis.co.nz/T/#mdd0505801e0a4e72340de009a47c0fca4f771ed3 +Signed-off-by: Chris Packham +Link: https://lore.kernel.org/r/20230418233656.869055-2-chris.packham@alliedtelesis.co.nz +Cc: stable@vger.kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/adt7475.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/hwmon/adt7475.c ++++ b/drivers/hwmon/adt7475.c +@@ -1515,9 +1515,9 @@ static int adt7475_set_pwm_polarity(stru + int ret, i; + u8 val; + +- ret = of_property_read_u32_array(client->dev.of_node, +- "adi,pwm-active-state", states, +- ARRAY_SIZE(states)); ++ ret = device_property_read_u32_array(&client->dev, ++ "adi,pwm-active-state", states, ++ ARRAY_SIZE(states)); + if (ret) + return ret; + diff --git a/queue-5.10/hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch b/queue-5.10/hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch new file mode 100644 index 00000000000..df094902da9 --- /dev/null +++ b/queue-5.10/hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch @@ -0,0 +1,76 @@ +From 0c072385348e3ac5229145644055d3e2afb5b3db Mon Sep 17 00:00:00 2001 +From: Babu Moger +Date: Thu, 13 Apr 2023 16:39:58 -0500 +Subject: hwmon: (k10temp) Check range scale when CUR_TEMP register is read-write +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Babu Moger + +commit 0c072385348e3ac5229145644055d3e2afb5b3db upstream. + +Spec says, when CUR_TEMP_TJ_SEL == 3 and CUR_TEMP_RANGE_SEL == 0, +it should use RangeUnadjusted is 0, which is (CurTmp*0.125 -49) C. The +CUR_TEMP register is read-write when CUR_TEMP_TJ_SEL == 3 (bit 17-16). + +Add the check to detect it. + +Sensors command's output before the patch. +$sensors + k10temp-pci-00c3 + Adapter: PCI adapter + Tctl: +76.6°C <- Wrong value + Tccd1: +26.5°C + Tccd2: +27.5°C + Tccd3: +27.2°C + Tccd4: +27.5°C + Tccd5: +26.0°C + Tccd6: +26.2°C + Tccd7: +25.0°C + Tccd8: +26.5°C + +Sensors command's output after the patch. +$sensors + k10temp-pci-00c3 + Adapter: PCI adapter + Tctl: +28.8°C <- corrected value + Tccd1: +27.5°C + Tccd2: +28.5°C + Tccd3: +28.5°C + Tccd4: +28.5°C + Tccd5: +27.0°C + Tccd6: +27.5°C + Tccd7: +27.0°C + Tccd8: +27.5°C + +Signed-off-by: Babu Moger +Fixes: 1b59788979ac ("hwmon: (k10temp) Add temperature offset for Ryzen 2700X") +Link: https://lore.kernel.org/r/20230413213958.847634-1-babu.moger@amd.com +Cc: stable@vger.kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/k10temp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hwmon/k10temp.c ++++ b/drivers/hwmon/k10temp.c +@@ -74,6 +74,7 @@ static DEFINE_MUTEX(nb_smu_ind_mutex); + + #define ZEN_CUR_TEMP_SHIFT 21 + #define ZEN_CUR_TEMP_RANGE_SEL_MASK BIT(19) ++#define ZEN_CUR_TEMP_TJ_SEL_MASK GENMASK(17, 16) + + #define ZEN_SVI_BASE 0x0005A000 + +@@ -173,7 +174,8 @@ static long get_raw_temp(struct k10temp_ + + data->read_tempreg(data->pdev, ®val); + temp = (regval >> ZEN_CUR_TEMP_SHIFT) * 125; +- if (regval & data->temp_adjust_mask) ++ if ((regval & data->temp_adjust_mask) || ++ (regval & ZEN_CUR_TEMP_TJ_SEL_MASK) == ZEN_CUR_TEMP_TJ_SEL_MASK) + temp -= 49000; + return temp; + } diff --git a/queue-5.10/ima-allow-fix-uml-builds.patch b/queue-5.10/ima-allow-fix-uml-builds.patch new file mode 100644 index 00000000000..b2c8eaffec5 --- /dev/null +++ b/queue-5.10/ima-allow-fix-uml-builds.patch @@ -0,0 +1,51 @@ +From 644f17412f5acf01a19af9d04a921937a2bc86c6 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Thu, 23 Feb 2023 19:27:03 -0800 +Subject: IMA: allow/fix UML builds + +From: Randy Dunlap + +commit 644f17412f5acf01a19af9d04a921937a2bc86c6 upstream. + +UML supports HAS_IOMEM since 0bbadafdc49d (um: allow disabling +NO_IOMEM). + +Current IMA build on UML fails on allmodconfig (with TCG_TPM=m): + +ld: security/integrity/ima/ima_queue.o: in function `ima_add_template_entry': +ima_queue.c:(.text+0x2d9): undefined reference to `tpm_pcr_extend' +ld: security/integrity/ima/ima_init.o: in function `ima_init': +ima_init.c:(.init.text+0x43f): undefined reference to `tpm_default_chip' +ld: security/integrity/ima/ima_crypto.o: in function `ima_calc_boot_aggregate_tfm': +ima_crypto.c:(.text+0x1044): undefined reference to `tpm_pcr_read' +ld: ima_crypto.c:(.text+0x10d8): undefined reference to `tpm_pcr_read' + +Modify the IMA Kconfig entry so that it selects TCG_TPM if HAS_IOMEM +is set, regardless of the UML Kconfig setting. +This updates TCG_TPM from =m to =y and fixes the linker errors. + +Fixes: f4a0391dfa91 ("ima: fix Kconfig dependencies") +Cc: Stable # v5.14+ +Signed-off-by: Randy Dunlap +Cc: Fabio Estevam +Cc: Richard Weinberger +Cc: Anton Ivanov +Cc: Johannes Berg +Cc: linux-um@lists.infradead.org +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/integrity/ima/Kconfig ++++ b/security/integrity/ima/Kconfig +@@ -8,7 +8,7 @@ config IMA + select CRYPTO_HMAC + select CRYPTO_SHA1 + select CRYPTO_HASH_INFO +- select TCG_TPM if HAS_IOMEM && !UML ++ select TCG_TPM if HAS_IOMEM + select TCG_TIS if TCG_TPM && X86 + select TCG_CRB if TCG_TPM && ACPI + select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES diff --git a/queue-5.10/ipmi-fix-ssif-not-responding-under-certain-cond.patch b/queue-5.10/ipmi-fix-ssif-not-responding-under-certain-cond.patch new file mode 100644 index 00000000000..bde60cf8468 --- /dev/null +++ b/queue-5.10/ipmi-fix-ssif-not-responding-under-certain-cond.patch @@ -0,0 +1,73 @@ +From 6d2555cde2918409b0331560e66f84a0ad4849c6 Mon Sep 17 00:00:00 2001 +From: Zhang Yuchen +Date: Wed, 12 Apr 2023 15:49:07 +0800 +Subject: ipmi: fix SSIF not responding under certain cond. + +From: Zhang Yuchen + +commit 6d2555cde2918409b0331560e66f84a0ad4849c6 upstream. + +The ipmi communication is not restored after a specific version of BMC is +upgraded on our server. +The ipmi driver does not respond after printing the following log: + + ipmi_ssif: Invalid response getting flags: 1c 1 + +I found that after entering this branch, ssif_info->ssif_state always +holds SSIF_GETTING_FLAGS and never return to IDLE. + +As a result, the driver cannot be loaded, because the driver status is +checked during the unload process and must be IDLE in shutdown_ssif(): + + while (ssif_info->ssif_state != SSIF_IDLE) + schedule_timeout(1); + +The process trigger this problem is: + +1. One msg timeout and next msg start send, and call +ssif_set_need_watch(). + +2. ssif_set_need_watch()->watch_timeout()->start_flag_fetch() change +ssif_state to SSIF_GETTING_FLAGS. + +3. In msg_done_handler() ssif_state == SSIF_GETTING_FLAGS, if an error +message is received, the second branch does not modify the ssif_state. + +4. All retry action need IS_SSIF_IDLE() == True. Include retry action in +watch_timeout(), msg_done_handler(). Sending msg does not work either. +SSIF_IDLE is also checked in start_next_msg(). + +5. The only thing that can be triggered in the SSIF driver is +watch_timeout(), after destory_user(), this timer will stop too. + +So, if enter this branch, the ssif_state will remain SSIF_GETTING_FLAGS +and can't send msg, no timer started, can't unload. + +We did a comparative test before and after adding this patch, and the +result is effective. + +Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)") + +Cc: stable@vger.kernel.org +Signed-off-by: Zhang Yuchen +Message-Id: <20230412074907.80046-1-zhangyuchen.lcr@bytedance.com> +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_ssif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -794,9 +794,9 @@ static void msg_done_handler(struct ssif + } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2 + || data[1] != IPMI_GET_MSG_FLAGS_CMD) { + /* +- * Don't abort here, maybe it was a queued +- * response to a previous command. ++ * Recv error response, give up. + */ ++ ssif_info->ssif_state = SSIF_IDLE; + ipmi_ssif_unlock_cond(ssif_info, flags); + dev_warn(&ssif_info->client->dev, + "Invalid response getting flags: %x %x\n", diff --git a/queue-5.10/ipmi-ssif-add-send_retries-increment.patch b/queue-5.10/ipmi-ssif-add-send_retries-increment.patch new file mode 100644 index 00000000000..333f71d8d1d --- /dev/null +++ b/queue-5.10/ipmi-ssif-add-send_retries-increment.patch @@ -0,0 +1,34 @@ +From 6ce7995a43febe693d4894033c6e29314970646a Mon Sep 17 00:00:00 2001 +From: Corey Minyard +Date: Tue, 4 Apr 2023 12:09:14 +0000 +Subject: ipmi:ssif: Add send_retries increment + +From: Corey Minyard + +commit 6ce7995a43febe693d4894033c6e29314970646a upstream. + +A recent change removed an increment of send_retries, re-add it. + +Fixes: 95767ed78a18 ipmi:ssif: resend_msg() cannot fail +Reported-by: Pavel Machek +Cc: stable@vger.kernel.org +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_ssif.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -564,8 +564,10 @@ static void retry_timeout(struct timer_l + + if (waiting) + start_get(ssif_info); +- if (resend) ++ if (resend) { + start_resend(ssif_info); ++ ssif_inc_stat(ssif_info, send_retries); ++ } + } + + static void watch_timeout(struct timer_list *t) diff --git a/queue-5.10/kheaders-use-array-declaration-instead-of-char.patch b/queue-5.10/kheaders-use-array-declaration-instead-of-char.patch new file mode 100644 index 00000000000..0db69d95c2a --- /dev/null +++ b/queue-5.10/kheaders-use-array-declaration-instead-of-char.patch @@ -0,0 +1,75 @@ +From b69edab47f1da8edd8e7bfdf8c70f51a2a5d89fb Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 2 Mar 2023 14:49:50 -0800 +Subject: kheaders: Use array declaration instead of char + +From: Kees Cook + +commit b69edab47f1da8edd8e7bfdf8c70f51a2a5d89fb upstream. + +Under CONFIG_FORTIFY_SOURCE, memcpy() will check the size of destination +and source buffers. Defining kernel_headers_data as "char" would trip +this check. Since these addresses are treated as byte arrays, define +them as arrays (as done everywhere else). + +This was seen with: + + $ cat /sys/kernel/kheaders.tar.xz >> /dev/null + + detected buffer overflow in memcpy + kernel BUG at lib/string_helpers.c:1027! + ... + RIP: 0010:fortify_panic+0xf/0x20 + [...] + Call Trace: + + ikheaders_read+0x45/0x50 [kheaders] + kernfs_fop_read_iter+0x1a4/0x2f0 + ... + +Reported-by: Jakub Kicinski +Link: https://lore.kernel.org/bpf/20230302112130.6e402a98@kernel.org/ +Acked-by: Joel Fernandes (Google) +Reviewed-by: Alexander Lobakin +Tested-by: Jakub Kicinski +Fixes: 43d8ce9d65a5 ("Provide in-kernel headers to make extending kernel easier") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20230302224946.never.243-kees@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kheaders.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/kernel/kheaders.c ++++ b/kernel/kheaders.c +@@ -26,15 +26,15 @@ asm ( + " .popsection \n" + ); + +-extern char kernel_headers_data; +-extern char kernel_headers_data_end; ++extern char kernel_headers_data[]; ++extern char kernel_headers_data_end[]; + + static ssize_t + ikheaders_read(struct file *file, struct kobject *kobj, + struct bin_attribute *bin_attr, + char *buf, loff_t off, size_t len) + { +- memcpy(buf, &kernel_headers_data + off, len); ++ memcpy(buf, &kernel_headers_data[off], len); + return len; + } + +@@ -48,8 +48,8 @@ static struct bin_attribute kheaders_att + + static int __init ikheaders_init(void) + { +- kheaders_attr.size = (&kernel_headers_data_end - +- &kernel_headers_data); ++ kheaders_attr.size = (kernel_headers_data_end - ++ kernel_headers_data); + return sysfs_create_bin_file(kernel_kobj, &kheaders_attr); + } + diff --git a/queue-5.10/mips-fw-allow-firmware-to-pass-a-empty-env.patch b/queue-5.10/mips-fw-allow-firmware-to-pass-a-empty-env.patch new file mode 100644 index 00000000000..051ff595482 --- /dev/null +++ b/queue-5.10/mips-fw-allow-firmware-to-pass-a-empty-env.patch @@ -0,0 +1,35 @@ +From ee1809ed7bc456a72dc8410b475b73021a3a68d5 Mon Sep 17 00:00:00 2001 +From: Jiaxun Yang +Date: Tue, 11 Apr 2023 12:14:26 +0100 +Subject: MIPS: fw: Allow firmware to pass a empty env + +From: Jiaxun Yang + +commit ee1809ed7bc456a72dc8410b475b73021a3a68d5 upstream. + +fw_getenv will use env entry to determine style of env, +however it is legal for firmware to just pass a empty list. + +Check if first entry exist before running strchr to avoid +null pointer dereference. + +Cc: stable@vger.kernel.org +Link: https://github.com/clbr/n64bootloader/issues/5 +Signed-off-by: Jiaxun Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/fw/lib/cmdline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/fw/lib/cmdline.c ++++ b/arch/mips/fw/lib/cmdline.c +@@ -53,7 +53,7 @@ char *fw_getenv(char *envname) + { + char *result = NULL; + +- if (_fw_envp != NULL) { ++ if (_fw_envp != NULL && fw_envp(0) != NULL) { + /* + * Return a pointer to the given environment variable. + * YAMON uses "name", "value" pairs, while U-Boot uses diff --git a/queue-5.10/pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch b/queue-5.10/pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch new file mode 100644 index 00000000000..38ef98435ef --- /dev/null +++ b/queue-5.10/pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch @@ -0,0 +1,178 @@ +From f5eff5591b8f9c5effd25c92c758a127765f74c1 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Tue, 11 Apr 2023 08:21:02 +0200 +Subject: PCI: pciehp: Fix AB-BA deadlock between reset_lock and device_lock + +From: Lukas Wunner + +commit f5eff5591b8f9c5effd25c92c758a127765f74c1 upstream. + +In 2013, commits + + 2e35afaefe64 ("PCI: pciehp: Add reset_slot() method") + 608c388122c7 ("PCI: Add slot reset option to pci_dev_reset()") + +amended PCIe hotplug to mask Presence Detect Changed events during a +Secondary Bus Reset. The reset thus no longer causes gratuitous slot +bringdown and bringup. + +However the commits neglected to serialize reset with code paths reading +slot registers. For instance, a slot bringup due to an earlier hotplug +event may see the Presence Detect State bit cleared during a concurrent +Secondary Bus Reset. + +In 2018, commit + + 5b3f7b7d062b ("PCI: pciehp: Avoid slot access during reset") + +retrofitted the missing locking. It introduced a reset_lock which +serializes a Secondary Bus Reset with other parts of pciehp. + +Unfortunately the locking turns out to be overzealous: reset_lock is +held for the entire enumeration and de-enumeration of hotplugged devices, +including driver binding and unbinding. + +Driver binding and unbinding acquires device_lock while the reset_lock +of the ancestral hotplug port is held. A concurrent Secondary Bus Reset +acquires the ancestral reset_lock while already holding the device_lock. +The asymmetric locking order in the two code paths can lead to AB-BA +deadlocks. + +Michael Haeuptle reports such deadlocks on simultaneous hot-removal and +vfio release (the latter implies a Secondary Bus Reset): + + pciehp_ist() # down_read(reset_lock) + pciehp_handle_presence_or_link_change() + pciehp_disable_slot() + __pciehp_disable_slot() + remove_board() + pciehp_unconfigure_device() + pci_stop_and_remove_bus_device() + pci_stop_bus_device() + pci_stop_dev() + device_release_driver() + device_release_driver_internal() + __device_driver_lock() # device_lock() + + SYS_munmap() + vfio_device_fops_release() + vfio_device_group_close() + vfio_device_close() + vfio_device_last_close() + vfio_pci_core_close_device() + vfio_pci_core_disable() # device_lock() + __pci_reset_function_locked() + pci_reset_bus_function() + pci_dev_reset_slot_function() + pci_reset_hotplug_slot() + pciehp_reset_slot() # down_write(reset_lock) + +Ian May reports the same deadlock on simultaneous hot-removal and an +AER-induced Secondary Bus Reset: + + aer_recover_work_func() + pcie_do_recovery() + aer_root_reset() + pci_bus_error_reset() + pci_slot_reset() + pci_slot_lock() # device_lock() + pci_reset_hotplug_slot() + pciehp_reset_slot() # down_write(reset_lock) + +Fix by releasing the reset_lock during driver binding and unbinding, +thereby splitting and shrinking the critical section. + +Driver binding and unbinding is protected by the device_lock() and thus +serialized with a Secondary Bus Reset. There's no need to additionally +protect it with the reset_lock. However, pciehp does not bind and +unbind devices directly, but rather invokes PCI core functions which +also perform certain enumeration and de-enumeration steps. + +The reset_lock's purpose is to protect slot registers, not enumeration +and de-enumeration of hotplugged devices. That would arguably be the +job of the PCI core, not the PCIe hotplug driver. After all, an +AER-induced Secondary Bus Reset may as well happen during boot-time +enumeration of the PCI hierarchy and there's no locking to prevent that +either. + +Exempting *de-enumeration* from the reset_lock is relatively harmless: +A concurrent Secondary Bus Reset may foil config space accesses such as +PME interrupt disablement. But if the device is physically gone, those +accesses are pointless anyway. If the device is physically present and +only logically removed through an Attention Button press or the sysfs +"power" attribute, PME interrupts as well as DMA cannot come through +because pciehp_unconfigure_device() disables INTx and Bus Master bits. +That's still protected by the reset_lock in the present commit. + +Exempting *enumeration* from the reset_lock also has limited impact: +The exempted call to pci_bus_add_device() may perform device accesses +through pcibios_bus_add_device() and pci_fixup_device() which are now +no longer protected from a concurrent Secondary Bus Reset. Otherwise +there should be no impact. + +In essence, the present commit seeks to fix the AB-BA deadlocks while +still retaining a best-effort reset protection for enumeration and +de-enumeration of hotplugged devices -- until a general solution is +implemented in the PCI core. + +Link: https://lore.kernel.org/linux-pci/CS1PR8401MB0728FC6FDAB8A35C22BD90EC95F10@CS1PR8401MB0728.NAMPRD84.PROD.OUTLOOK.COM +Link: https://lore.kernel.org/linux-pci/20200615143250.438252-1-ian.may@canonical.com +Link: https://lore.kernel.org/linux-pci/ce878dab-c0c4-5bd0-a725-9805a075682d@amd.com +Link: https://lore.kernel.org/linux-pci/ed831249-384a-6d35-0831-70af191e9bce@huawei.com +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215590 +Fixes: 5b3f7b7d062b ("PCI: pciehp: Avoid slot access during reset") +Link: https://lore.kernel.org/r/fef2b2e9edf245c049a8c5b94743c0f74ff5008a.1681191902.git.lukas@wunner.de +Reported-by: Michael Haeuptle +Reported-by: Ian May +Reported-by: Andrey Grodzovsky +Reported-by: Rahul Kumar +Reported-by: Jialin Zhang +Tested-by: Anatoli Antonovitch +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v4.19+ +Cc: Dan Stein +Cc: Ashok Raj +Cc: Alex Michon +Cc: Xiongfeng Wang +Cc: Alex Williamson +Cc: Mika Westerberg +Cc: Sathyanarayanan Kuppuswamy +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/hotplug/pciehp_pci.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/pci/hotplug/pciehp_pci.c ++++ b/drivers/pci/hotplug/pciehp_pci.c +@@ -63,7 +63,14 @@ int pciehp_configure_device(struct contr + + pci_assign_unassigned_bridge_resources(bridge); + pcie_bus_configure_settings(parent); ++ ++ /* ++ * Release reset_lock during driver binding ++ * to avoid AB-BA deadlock with device_lock. ++ */ ++ up_read(&ctrl->reset_lock); + pci_bus_add_devices(parent); ++ down_read_nested(&ctrl->reset_lock, ctrl->depth); + + out: + pci_unlock_rescan_remove(); +@@ -104,7 +111,15 @@ void pciehp_unconfigure_device(struct co + list_for_each_entry_safe_reverse(dev, temp, &parent->devices, + bus_list) { + pci_dev_get(dev); ++ ++ /* ++ * Release reset_lock during driver unbinding ++ * to avoid AB-BA deadlock with device_lock. ++ */ ++ up_read(&ctrl->reset_lock); + pci_stop_and_remove_bus_device(dev); ++ down_read_nested(&ctrl->reset_lock, ctrl->depth); ++ + /* + * Ensure that no new Requests will be generated from + * the device. diff --git a/queue-5.10/pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch b/queue-5.10/pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch new file mode 100644 index 00000000000..7fe0a45e87d --- /dev/null +++ b/queue-5.10/pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch @@ -0,0 +1,44 @@ +From 2542e16c392508800f1d9037feee881a9c444951 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Thu, 16 Mar 2023 13:40:59 +0530 +Subject: PCI: qcom: Fix the incorrect register usage in v2.7.0 config + +From: Manivannan Sadhasivam + +commit 2542e16c392508800f1d9037feee881a9c444951 upstream. + +Qcom PCIe IP version v2.7.0 and its derivatives don't contain the +PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT register. Instead, they have the new +PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT_V2 register. So fix the incorrect +register usage which is modifying a different register. + +Also in this IP version, this register change doesn't depend on MSI +being enabled. So remove that check also. + +Link: https://lore.kernel.org/r/20230316081117.14288-2-manivannan.sadhasivam@linaro.org +Fixes: ed8cc3b1fc84 ("PCI: qcom: Add support for SDM845 PCIe controller") +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Lorenzo Pieralisi +Cc: # 5.6+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-qcom.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/pci/controller/dwc/pcie-qcom.c ++++ b/drivers/pci/controller/dwc/pcie-qcom.c +@@ -1210,11 +1210,9 @@ static int qcom_pcie_init_2_7_0(struct q + val |= BIT(4); + writel(val, pcie->parf + PCIE20_PARF_MHI_CLOCK_RESET_CTRL); + +- if (IS_ENABLED(CONFIG_PCI_MSI)) { +- val = readl(pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT); +- val |= BIT(31); +- writel(val, pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT); +- } ++ val = readl(pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT_V2); ++ val |= BIT(31); ++ writel(val, pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT_V2); + + return 0; + err_disable_clocks: diff --git a/queue-5.10/perf-sched-cast-pthread_stack_min-to-int-as-it-may-turn-into-sysconf-__sc_thread_stack_min_value.patch b/queue-5.10/perf-sched-cast-pthread_stack_min-to-int-as-it-may-turn-into-sysconf-__sc_thread_stack_min_value.patch new file mode 100644 index 00000000000..c1c5abf472f --- /dev/null +++ b/queue-5.10/perf-sched-cast-pthread_stack_min-to-int-as-it-may-turn-into-sysconf-__sc_thread_stack_min_value.patch @@ -0,0 +1,49 @@ +From d08c84e01afa7a7eee6badab25d5420fa847f783 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Wed, 14 Jul 2021 13:06:38 -0300 +Subject: perf sched: Cast PTHREAD_STACK_MIN to int as it may turn into sysconf(__SC_THREAD_STACK_MIN_VALUE) + +From: Arnaldo Carvalho de Melo + +commit d08c84e01afa7a7eee6badab25d5420fa847f783 upstream. + +In fedora rawhide the PTHREAD_STACK_MIN define may end up expanded to a +sysconf() call, and that will return 'long int', breaking the build: + + 45 fedora:rawhide : FAIL gcc version 11.1.1 20210623 (Red Hat 11.1.1-6) (GCC) + builtin-sched.c: In function 'create_tasks': + /git/perf-5.14.0-rc1/tools/include/linux/kernel.h:43:24: error: comparison of distinct pointer types lacks a cast [-Werror] + 43 | (void) (&_max1 == &_max2); \ + | ^~ + builtin-sched.c:673:34: note: in expansion of macro 'max' + 673 | (size_t) max(16 * 1024, PTHREAD_STACK_MIN)); + | ^~~ + cc1: all warnings being treated as errors + + $ grep __sysconf /usr/include/*/*.h + /usr/include/bits/pthread_stack_min-dynamic.h:extern long int __sysconf (int __name) __THROW; + /usr/include/bits/pthread_stack_min-dynamic.h:# define PTHREAD_STACK_MIN __sysconf (__SC_THREAD_STACK_MIN_VALUE) + /usr/include/bits/time.h:extern long int __sysconf (int); + /usr/include/bits/time.h:# define CLK_TCK ((__clock_t) __sysconf (2)) /* 2 is _SC_CLK_TCK */ + $ + +So cast it to int to cope with that. + +Signed-off-by: Arnaldo Carvalho de Melo +Cc: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-sched.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/builtin-sched.c ++++ b/tools/perf/builtin-sched.c +@@ -670,7 +670,7 @@ static void create_tasks(struct perf_sch + err = pthread_attr_init(&attr); + BUG_ON(err); + err = pthread_attr_setstacksize(&attr, +- (size_t) max(16 * 1024, PTHREAD_STACK_MIN)); ++ (size_t) max(16 * 1024, (int)PTHREAD_STACK_MIN)); + BUG_ON(err); + err = pthread_mutex_lock(&sched->start_work_mutex); + BUG_ON(err); diff --git a/queue-5.10/posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch b/queue-5.10/posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch new file mode 100644 index 00000000000..76ad5c83f94 --- /dev/null +++ b/queue-5.10/posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch @@ -0,0 +1,268 @@ +From f7abf14f0001a5a47539d9f60bbdca649e43536b Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Mon, 17 Apr 2023 15:37:55 +0200 +Subject: posix-cpu-timers: Implement the missing timer_wait_running callback + +From: Thomas Gleixner + +commit f7abf14f0001a5a47539d9f60bbdca649e43536b upstream. + +For some unknown reason the introduction of the timer_wait_running callback +missed to fixup posix CPU timers, which went unnoticed for almost four years. +Marco reported recently that the WARN_ON() in timer_wait_running() +triggers with a posix CPU timer test case. + +Posix CPU timers have two execution models for expiring timers depending on +CONFIG_POSIX_CPU_TIMERS_TASK_WORK: + +1) If not enabled, the expiry happens in hard interrupt context so + spin waiting on the remote CPU is reasonably time bound. + + Implement an empty stub function for that case. + +2) If enabled, the expiry happens in task work before returning to user + space or guest mode. The expired timers are marked as firing and moved + from the timer queue to a local list head with sighand lock held. Once + the timers are moved, sighand lock is dropped and the expiry happens in + fully preemptible context. That means the expiring task can be scheduled + out, migrated, interrupted etc. So spin waiting on it is more than + suboptimal. + + The timer wheel has a timer_wait_running() mechanism for RT, which uses + a per CPU timer-base expiry lock which is held by the expiry code and the + task waiting for the timer function to complete blocks on that lock. + + This does not work in the same way for posix CPU timers as there is no + timer base and expiry for process wide timers can run on any task + belonging to that process, but the concept of waiting on an expiry lock + can be used too in a slightly different way: + + - Add a mutex to struct posix_cputimers_work. This struct is per task + and used to schedule the expiry task work from the timer interrupt. + + - Add a task_struct pointer to struct cpu_timer which is used to store + a the task which runs the expiry. That's filled in when the task + moves the expired timers to the local expiry list. That's not + affecting the size of the k_itimer union as there are bigger union + members already + + - Let the task take the expiry mutex around the expiry function + + - Let the waiter acquire a task reference with rcu_read_lock() held and + block on the expiry mutex + + This avoids spin-waiting on a task which might not even be on a CPU and + works nicely for RT too. + +Fixes: ec8f954a40da ("posix-timers: Use a callback for cancel synchronization on PREEMPT_RT") +Reported-by: Marco Elver +Signed-off-by: Thomas Gleixner +Tested-by: Marco Elver +Tested-by: Sebastian Andrzej Siewior +Reviewed-by: Frederic Weisbecker +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/87zg764ojw.ffs@tglx +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/posix-timers.h | 17 +++++--- + kernel/time/posix-cpu-timers.c | 81 +++++++++++++++++++++++++++++++++-------- + kernel/time/posix-timers.c | 4 ++ + 3 files changed, 82 insertions(+), 20 deletions(-) + +--- a/include/linux/posix-timers.h ++++ b/include/linux/posix-timers.h +@@ -4,6 +4,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -63,16 +64,18 @@ static inline int clockid_to_fd(const cl + * cpu_timer - Posix CPU timer representation for k_itimer + * @node: timerqueue node to queue in the task/sig + * @head: timerqueue head on which this timer is queued +- * @task: Pointer to target task ++ * @pid: Pointer to target task PID + * @elist: List head for the expiry list + * @firing: Timer is currently firing ++ * @handling: Pointer to the task which handles expiry + */ + struct cpu_timer { +- struct timerqueue_node node; +- struct timerqueue_head *head; +- struct pid *pid; +- struct list_head elist; +- int firing; ++ struct timerqueue_node node; ++ struct timerqueue_head *head; ++ struct pid *pid; ++ struct list_head elist; ++ int firing; ++ struct task_struct __rcu *handling; + }; + + static inline bool cpu_timer_enqueue(struct timerqueue_head *head, +@@ -129,10 +132,12 @@ struct posix_cputimers { + /** + * posix_cputimers_work - Container for task work based posix CPU timer expiry + * @work: The task work to be scheduled ++ * @mutex: Mutex held around expiry in context of this task work + * @scheduled: @work has been scheduled already, no further processing + */ + struct posix_cputimers_work { + struct callback_head work; ++ struct mutex mutex; + unsigned int scheduled; + }; + +--- a/kernel/time/posix-cpu-timers.c ++++ b/kernel/time/posix-cpu-timers.c +@@ -782,6 +782,8 @@ static u64 collect_timerqueue(struct tim + return expires; + + ctmr->firing = 1; ++ /* See posix_cpu_timer_wait_running() */ ++ rcu_assign_pointer(ctmr->handling, current); + cpu_timer_dequeue(ctmr); + list_add_tail(&ctmr->elist, firing); + } +@@ -1097,7 +1099,49 @@ static void handle_posix_cpu_timers(stru + #ifdef CONFIG_POSIX_CPU_TIMERS_TASK_WORK + static void posix_cpu_timers_work(struct callback_head *work) + { ++ struct posix_cputimers_work *cw = container_of(work, typeof(*cw), work); ++ ++ mutex_lock(&cw->mutex); + handle_posix_cpu_timers(current); ++ mutex_unlock(&cw->mutex); ++} ++ ++/* ++ * Invoked from the posix-timer core when a cancel operation failed because ++ * the timer is marked firing. The caller holds rcu_read_lock(), which ++ * protects the timer and the task which is expiring it from being freed. ++ */ ++static void posix_cpu_timer_wait_running(struct k_itimer *timr) ++{ ++ struct task_struct *tsk = rcu_dereference(timr->it.cpu.handling); ++ ++ /* Has the handling task completed expiry already? */ ++ if (!tsk) ++ return; ++ ++ /* Ensure that the task cannot go away */ ++ get_task_struct(tsk); ++ /* Now drop the RCU protection so the mutex can be locked */ ++ rcu_read_unlock(); ++ /* Wait on the expiry mutex */ ++ mutex_lock(&tsk->posix_cputimers_work.mutex); ++ /* Release it immediately again. */ ++ mutex_unlock(&tsk->posix_cputimers_work.mutex); ++ /* Drop the task reference. */ ++ put_task_struct(tsk); ++ /* Relock RCU so the callsite is balanced */ ++ rcu_read_lock(); ++} ++ ++static void posix_cpu_timer_wait_running_nsleep(struct k_itimer *timr) ++{ ++ /* Ensure that timr->it.cpu.handling task cannot go away */ ++ rcu_read_lock(); ++ spin_unlock_irq(&timr->it_lock); ++ posix_cpu_timer_wait_running(timr); ++ rcu_read_unlock(); ++ /* @timr is on stack and is valid */ ++ spin_lock_irq(&timr->it_lock); + } + + /* +@@ -1113,6 +1157,7 @@ void clear_posix_cputimers_work(struct t + sizeof(p->posix_cputimers_work.work)); + init_task_work(&p->posix_cputimers_work.work, + posix_cpu_timers_work); ++ mutex_init(&p->posix_cputimers_work.mutex); + p->posix_cputimers_work.scheduled = false; + } + +@@ -1191,6 +1236,18 @@ static inline void __run_posix_cpu_timer + lockdep_posixtimer_exit(); + } + ++static void posix_cpu_timer_wait_running(struct k_itimer *timr) ++{ ++ cpu_relax(); ++} ++ ++static void posix_cpu_timer_wait_running_nsleep(struct k_itimer *timr) ++{ ++ spin_unlock_irq(&timr->it_lock); ++ cpu_relax(); ++ spin_lock_irq(&timr->it_lock); ++} ++ + static inline bool posix_cpu_timers_work_scheduled(struct task_struct *tsk) + { + return false; +@@ -1299,6 +1356,8 @@ static void handle_posix_cpu_timers(stru + */ + if (likely(cpu_firing >= 0)) + cpu_timer_fire(timer); ++ /* See posix_cpu_timer_wait_running() */ ++ rcu_assign_pointer(timer->it.cpu.handling, NULL); + spin_unlock(&timer->it_lock); + } + } +@@ -1434,23 +1493,16 @@ static int do_cpu_nanosleep(const clocki + expires = cpu_timer_getexpires(&timer.it.cpu); + error = posix_cpu_timer_set(&timer, 0, &zero_it, &it); + if (!error) { +- /* +- * Timer is now unarmed, deletion can not fail. +- */ ++ /* Timer is now unarmed, deletion can not fail. */ + posix_cpu_timer_del(&timer); ++ } else { ++ while (error == TIMER_RETRY) { ++ posix_cpu_timer_wait_running_nsleep(&timer); ++ error = posix_cpu_timer_del(&timer); ++ } + } +- spin_unlock_irq(&timer.it_lock); + +- while (error == TIMER_RETRY) { +- /* +- * We need to handle case when timer was or is in the +- * middle of firing. In other cases we already freed +- * resources. +- */ +- spin_lock_irq(&timer.it_lock); +- error = posix_cpu_timer_del(&timer); +- spin_unlock_irq(&timer.it_lock); +- } ++ spin_unlock_irq(&timer.it_lock); + + if ((it.it_value.tv_sec | it.it_value.tv_nsec) == 0) { + /* +@@ -1560,6 +1612,7 @@ const struct k_clock clock_posix_cpu = { + .timer_del = posix_cpu_timer_del, + .timer_get = posix_cpu_timer_get, + .timer_rearm = posix_cpu_timer_rearm, ++ .timer_wait_running = posix_cpu_timer_wait_running, + }; + + const struct k_clock clock_process = { +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -846,6 +846,10 @@ static struct k_itimer *timer_wait_runni + rcu_read_lock(); + unlock_timer(timer, *flags); + ++ /* ++ * kc->timer_wait_running() might drop RCU lock. So @timer ++ * cannot be touched anymore after the function returns! ++ */ + if (!WARN_ON_ONCE(!kc->timer_wait_running)) + kc->timer_wait_running(timer); + diff --git a/queue-5.10/series b/queue-5.10/series index 4ad8f7ae860..dd2c337785c 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -12,3 +12,23 @@ iio-adc-palmas_gpadc-fix-null-dereference-on-rmmod.patch asoc-intel-bytcr_rt5640-add-quirk-for-the-acer-iconi.patch asm-generic-io.h-suppress-endianness-warnings-for-re.patch wireguard-timers-cast-enum-limits-members-to-int-in-prints.patch +pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch +pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch +ima-allow-fix-uml-builds.patch +usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch +usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch +hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch +hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch +posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch +perf-sched-cast-pthread_stack_min-to-int-as-it-may-turn-into-sysconf-__sc_thread_stack_min_value.patch +blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch +blk-crypto-make-blk_crypto_evict_key-return-void.patch +blk-crypto-make-blk_crypto_evict_key-more-robust.patch +ext4-use-ext4_journal_start-stop-for-fast-commit-transactions.patch +staging-iio-resolver-ads1210-fix-config-mode.patch +xhci-fix-debugfs-register-accesses-while-suspended.patch +tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch +mips-fw-allow-firmware-to-pass-a-empty-env.patch +ipmi-ssif-add-send_retries-increment.patch +ipmi-fix-ssif-not-responding-under-certain-cond.patch +kheaders-use-array-declaration-instead-of-char.patch diff --git a/queue-5.10/staging-iio-resolver-ads1210-fix-config-mode.patch b/queue-5.10/staging-iio-resolver-ads1210-fix-config-mode.patch new file mode 100644 index 00000000000..6f853d0c46c --- /dev/null +++ b/queue-5.10/staging-iio-resolver-ads1210-fix-config-mode.patch @@ -0,0 +1,37 @@ +From 16313403d873ff17a587818b61f84c8cb4971cef Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nuno=20S=C3=A1?= +Date: Mon, 27 Mar 2023 16:54:14 +0200 +Subject: staging: iio: resolver: ads1210: fix config mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +commit 16313403d873ff17a587818b61f84c8cb4971cef upstream. + +As stated in the device datasheet [1], bits a0 and a1 have to be set to +1 for the configuration mode. + +[1]: https://www.analog.com/media/en/technical-documentation/data-sheets/ad2s1210.pdf + +Fixes: b19e9ad5e2cb9 ("staging:iio:resolver:ad2s1210 general driver cleanup") +Cc: stable +Signed-off-by: Nuno Sá +Link: https://lore.kernel.org/r/20230327145414.1505537-1-nuno.sa@analog.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/iio/resolver/ad2s1210.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/iio/resolver/ad2s1210.c ++++ b/drivers/staging/iio/resolver/ad2s1210.c +@@ -101,7 +101,7 @@ struct ad2s1210_state { + static const int ad2s1210_mode_vals[4][2] = { + [MOD_POS] = { 0, 0 }, + [MOD_VEL] = { 0, 1 }, +- [MOD_CONFIG] = { 1, 0 }, ++ [MOD_CONFIG] = { 1, 1 }, + }; + + static inline void ad2s1210_set_mode(enum ad2s1210_mode mode, diff --git a/queue-5.10/tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch b/queue-5.10/tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch new file mode 100644 index 00000000000..f204e80afa4 --- /dev/null +++ b/queue-5.10/tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch @@ -0,0 +1,97 @@ +From 58d7668242647e661a20efe065519abd6454287e Mon Sep 17 00:00:00 2001 +From: "Joel Fernandes (Google)" +Date: Tue, 24 Jan 2023 17:31:26 +0000 +Subject: tick/nohz: Fix cpu_is_hotpluggable() by checking with nohz subsystem + +From: Joel Fernandes (Google) + +commit 58d7668242647e661a20efe065519abd6454287e upstream. + +For CONFIG_NO_HZ_FULL systems, the tick_do_timer_cpu cannot be offlined. +However, cpu_is_hotpluggable() still returns true for those CPUs. This causes +torture tests that do offlining to end up trying to offline this CPU causing +test failures. Such failure happens on all architectures. + +Fix the repeated error messages thrown by this (even if the hotplug errors are +harmless) by asking the opinion of the nohz subsystem on whether the CPU can be +hotplugged. + +[ Apply Frederic Weisbecker feedback on refactoring tick_nohz_cpu_down(). ] + +For drivers/base/ portion: +Acked-by: Greg Kroah-Hartman +Acked-by: Frederic Weisbecker +Cc: Frederic Weisbecker +Cc: "Paul E. McKenney" +Cc: Zhouyi Zhou +Cc: Will Deacon +Cc: Marc Zyngier +Cc: rcu +Cc: stable@vger.kernel.org +Fixes: 2987557f52b9 ("driver-core/cpu: Expose hotpluggability to the rest of the kernel") +Signed-off-by: Paul E. McKenney +Signed-off-by: Joel Fernandes (Google) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/cpu.c | 3 ++- + include/linux/tick.h | 2 ++ + kernel/time/tick-sched.c | 11 ++++++++--- + 3 files changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -489,7 +489,8 @@ static const struct attribute_group *cpu + bool cpu_is_hotpluggable(unsigned cpu) + { + struct device *dev = get_cpu_device(cpu); +- return dev && container_of(dev, struct cpu, dev)->hotpluggable; ++ return dev && container_of(dev, struct cpu, dev)->hotpluggable ++ && tick_nohz_cpu_hotpluggable(cpu); + } + EXPORT_SYMBOL_GPL(cpu_is_hotpluggable); + +--- a/include/linux/tick.h ++++ b/include/linux/tick.h +@@ -211,6 +211,7 @@ extern void tick_nohz_dep_set_signal(str + enum tick_dep_bits bit); + extern void tick_nohz_dep_clear_signal(struct signal_struct *signal, + enum tick_dep_bits bit); ++extern bool tick_nohz_cpu_hotpluggable(unsigned int cpu); + + /* + * The below are tick_nohz_[set,clear]_dep() wrappers that optimize off-cases +@@ -275,6 +276,7 @@ static inline void tick_nohz_full_add_cp + + static inline void tick_nohz_dep_set_cpu(int cpu, enum tick_dep_bits bit) { } + static inline void tick_nohz_dep_clear_cpu(int cpu, enum tick_dep_bits bit) { } ++static inline bool tick_nohz_cpu_hotpluggable(unsigned int cpu) { return true; } + + static inline void tick_dep_set(enum tick_dep_bits bit) { } + static inline void tick_dep_clear(enum tick_dep_bits bit) { } +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -426,7 +426,7 @@ void __init tick_nohz_full_setup(cpumask + tick_nohz_full_running = true; + } + +-static int tick_nohz_cpu_down(unsigned int cpu) ++bool tick_nohz_cpu_hotpluggable(unsigned int cpu) + { + /* + * The tick_do_timer_cpu CPU handles housekeeping duty (unbound +@@ -434,8 +434,13 @@ static int tick_nohz_cpu_down(unsigned i + * CPUs. It must remain online when nohz full is enabled. + */ + if (tick_nohz_full_running && tick_do_timer_cpu == cpu) +- return -EBUSY; +- return 0; ++ return false; ++ return true; ++} ++ ++static int tick_nohz_cpu_down(unsigned int cpu) ++{ ++ return tick_nohz_cpu_hotpluggable(cpu) ? 0 : -EBUSY; + } + + void __init tick_nohz_init(void) diff --git a/queue-5.10/usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch b/queue-5.10/usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch new file mode 100644 index 00000000000..bda350f43dc --- /dev/null +++ b/queue-5.10/usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch @@ -0,0 +1,57 @@ +From 9a8ad10c9f2e0925ff26308ec6756b93fc2f4977 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 4 Apr 2023 09:25:14 +0200 +Subject: USB: dwc3: fix runtime pm imbalance on probe errors + +From: Johan Hovold + +commit 9a8ad10c9f2e0925ff26308ec6756b93fc2f4977 upstream. + +Make sure not to suspend the device when probe fails to avoid disabling +clocks and phys multiple times. + +Fixes: 328082376aea ("usb: dwc3: fix runtime PM in error path") +Cc: stable@vger.kernel.org # 4.8 +Cc: Roger Quadros +Acked-by: Thinh Nguyen +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230404072524.19014-2-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1567,13 +1567,11 @@ static int dwc3_probe(struct platform_de + spin_lock_init(&dwc->lock); + mutex_init(&dwc->mutex); + ++ pm_runtime_get_noresume(dev); + pm_runtime_set_active(dev); + pm_runtime_use_autosuspend(dev); + pm_runtime_set_autosuspend_delay(dev, DWC3_DEFAULT_AUTOSUSPEND_DELAY); + pm_runtime_enable(dev); +- ret = pm_runtime_get_sync(dev); +- if (ret < 0) +- goto err1; + + pm_runtime_forbid(dev); + +@@ -1633,12 +1631,10 @@ err3: + dwc3_free_event_buffers(dwc); + + err2: +- pm_runtime_allow(&pdev->dev); +- +-err1: +- pm_runtime_put_sync(&pdev->dev); +- pm_runtime_disable(&pdev->dev); +- ++ pm_runtime_allow(dev); ++ pm_runtime_disable(dev); ++ pm_runtime_set_suspended(dev); ++ pm_runtime_put_noidle(dev); + disable_clks: + clk_bulk_disable_unprepare(dwc->num_clks, dwc->clks); + assert_reset: diff --git a/queue-5.10/usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch b/queue-5.10/usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch new file mode 100644 index 00000000000..191215e068a --- /dev/null +++ b/queue-5.10/usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch @@ -0,0 +1,34 @@ +From 44d257e9012ee8040e41d224d0e5bfb5ef5427ea Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 4 Apr 2023 09:25:15 +0200 +Subject: USB: dwc3: fix runtime pm imbalance on unbind + +From: Johan Hovold + +commit 44d257e9012ee8040e41d224d0e5bfb5ef5427ea upstream. + +Make sure to balance the runtime PM usage count on driver unbind by +adding back the pm_runtime_allow() call that had been erroneously +removed. + +Fixes: 266d0493900a ("usb: dwc3: core: don't trigger runtime pm when remove driver") +Cc: stable@vger.kernel.org # 5.9 +Cc: Li Jun +Acked-by: Thinh Nguyen +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230404072524.19014-3-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1655,6 +1655,7 @@ static int dwc3_remove(struct platform_d + dwc3_core_exit(dwc); + dwc3_ulpi_exit(dwc); + ++ pm_runtime_allow(&pdev->dev); + pm_runtime_disable(&pdev->dev); + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_set_suspended(&pdev->dev); diff --git a/queue-5.10/xhci-fix-debugfs-register-accesses-while-suspended.patch b/queue-5.10/xhci-fix-debugfs-register-accesses-while-suspended.patch new file mode 100644 index 00000000000..6f7010a1564 --- /dev/null +++ b/queue-5.10/xhci-fix-debugfs-register-accesses-while-suspended.patch @@ -0,0 +1,33 @@ +From 735baf1b23458f71a8b15cb924af22c9ff9cd125 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Apr 2023 11:03:42 +0200 +Subject: xhci: fix debugfs register accesses while suspended + +From: Johan Hovold + +commit 735baf1b23458f71a8b15cb924af22c9ff9cd125 upstream. + +Wire up the debugfs regset device pointer so that the controller is +resumed before accessing registers to avoid crashing or locking up if it +happens to be runtime suspended. + +Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver") +Cc: stable@vger.kernel.org # 4.15: 30332eeefec8: debugfs: regset32: Add Runtime PM support +Cc: stable@vger.kernel.org # 4.15 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230405090342.7363-1-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-debugfs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/host/xhci-debugfs.c ++++ b/drivers/usb/host/xhci-debugfs.c +@@ -133,6 +133,7 @@ static void xhci_debugfs_regset(struct x + regset->regs = regs; + regset->nregs = nregs; + regset->base = hcd->regs + base; ++ regset->dev = hcd->self.controller; + + debugfs_create_regset32((const char *)rgs->name, 0444, parent, regset); + }