From 1fe6ebd4b6c4a0c06329b66cf5b79dc0493addcd Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 5 Feb 2022 15:51:17 +0100 Subject: [PATCH] 5.15-stable patches added patches: alsa-hda-fix-uaf-of-leds-class-devs-at-unbinding.patch alsa-hda-realtek-add-missing-fixup-model-entry-for-gigabyte-x570-alc1220-quirks.patch alsa-hda-realtek-add-quirk-for-asus-gu603.patch alsa-hda-realtek-fix-race-at-concurrent-coef-updates.patch alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-xtreme-after-reboot-from-windows.patch alsa-hda-realtek-fix-silent-output-on-gigabyte-x570s-aorus-master-newer-chipset.patch alsa-usb-audio-correct-quirk-for-vf0770.patch asoc-hdmi-codec-fix-oob-memory-accesses.patch asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch block-bio-integrity-advance-seed-correctly-for-larger-interval-sizes.patch btrfs-don-t-start-transaction-for-scrub-if-the-fs-is-mounted-read-only.patch btrfs-fix-deadlock-between-quota-disable-and-qgroup-rescan-worker.patch btrfs-fix-use-after-free-after-failure-to-create-a-snapshot.patch dma-buf-heaps-fix-potential-spectre-v1-gadget.patch drm-amd-display-force-link_rate-as-link_rate_rbr2-for-2018-15-apple-retina-panels.patch drm-amd-display-watermark-latencies-is-not-enough-on-dcn31.patch drm-amd-pm-correct-the-mgpufanboost-support-for-beige-goby.patch drm-i915-adlp-fix-typec-phy-ready-status-readout.patch drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch fbcon-add-option-to-enable-legacy-hardware-acceleration.patch ib-hfi1-fix-aip-early-init-panic.patch ipc-sem-do-not-sleep-with-a-spin-lock-held.patch mm-debug_vm_pgtable-remove-pte-entry-from-the-page-table.patch mm-kmemleak-avoid-scanning-potential-huge-holes.patch mm-pgtable-define-pte_index-so-that-preprocessor-could-recognize-it.patch mptcp-fix-msk-traversal-in-mptcp_nl_cmd_set_flags.patch nvme-fabrics-fix-state-check-in-nvmf_ctlr_matches_baseopts.patch revert-fbcon-disable-accelerated-scrolling.patch revert-fs-9p-search-open-fids-first.patch spi-stm32-qspi-update-spi-registering.patch --- ...-uaf-of-leds-class-devs-at-unbinding.patch | 86 ++++ ...try-for-gigabyte-x570-alc1220-quirks.patch | 32 ++ ...hda-realtek-add-quirk-for-asus-gu603.patch | 36 ++ ...-fix-race-at-concurrent-coef-updates.patch | 148 +++++++ ...rus-xtreme-after-reboot-from-windows.patch | 34 ++ ...yte-x570s-aorus-master-newer-chipset.patch | 51 +++ ...a-usb-audio-correct-quirk-for-vf0770.patch | 44 +++ ...c-hdmi-codec-fix-oob-memory-accesses.patch | 49 +++ ...f-bounds-values-in-snd_soc_put_volsw.patch | 54 +++ ...ounds-values-in-snd_soc_put_volsw_sx.patch | 41 ++ ...f-bounds-values-in-snd_soc_put_xr_sx.patch | 33 ++ ...eue-handling-when-audit-1-on-cmdline.patch | 207 ++++++++++ ...-correctly-for-larger-interval-sizes.patch | 43 ++ ...scrub-if-the-fs-is-mounted-read-only.patch | 84 ++++ ...ota-disable-and-qgroup-rescan-worker.patch | 305 ++++++++++++++ ...e-after-failure-to-create-a-snapshot.patch | 125 ++++++ ...eaps-fix-potential-spectre-v1-gadget.patch | 44 +++ ...rbr2-for-2018-15-apple-retina-panels.patch | 64 +++ ...ark-latencies-is-not-enough-on-dcn31.patch | 87 ++++ ...-mgpufanboost-support-for-beige-goby.patch | 42 ++ ...p-fix-typec-phy-ready-status-readout.patch | 48 +++ ...off-by-one-in-bios-boundary-checking.patch | 42 ++ ...-enable-legacy-hardware-acceleration.patch | 373 ++++++++++++++++++ .../ib-hfi1-fix-aip-early-init-panic.patch | 123 ++++++ ...m-do-not-sleep-with-a-spin-lock-held.patch | 52 +++ ...remove-pte-entry-from-the-page-table.patch | 75 ++++ ...-avoid-scanning-potential-huge-holes.patch | 121 ++++++ ...that-preprocessor-could-recognize-it.patch | 39 ++ ...-traversal-in-mptcp_nl_cmd_set_flags.patch | 84 ++++ ...-check-in-nvmf_ctlr_matches_baseopts.patch | 46 +++ ...-fbcon-disable-accelerated-scrolling.patch | 195 +++++++++ .../revert-fs-9p-search-open-fids-first.patch | 67 ++++ queue-5.15/series | 33 ++ ...pi-stm32-qspi-update-spi-registering.patch | 144 +++++++ 34 files changed, 3051 insertions(+) create mode 100644 queue-5.15/alsa-hda-fix-uaf-of-leds-class-devs-at-unbinding.patch create mode 100644 queue-5.15/alsa-hda-realtek-add-missing-fixup-model-entry-for-gigabyte-x570-alc1220-quirks.patch create mode 100644 queue-5.15/alsa-hda-realtek-add-quirk-for-asus-gu603.patch create mode 100644 queue-5.15/alsa-hda-realtek-fix-race-at-concurrent-coef-updates.patch create mode 100644 queue-5.15/alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-xtreme-after-reboot-from-windows.patch create mode 100644 queue-5.15/alsa-hda-realtek-fix-silent-output-on-gigabyte-x570s-aorus-master-newer-chipset.patch create mode 100644 queue-5.15/alsa-usb-audio-correct-quirk-for-vf0770.patch create mode 100644 queue-5.15/asoc-hdmi-codec-fix-oob-memory-accesses.patch create mode 100644 queue-5.15/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch create mode 100644 queue-5.15/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch create mode 100644 queue-5.15/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch create mode 100644 queue-5.15/audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch create mode 100644 queue-5.15/block-bio-integrity-advance-seed-correctly-for-larger-interval-sizes.patch create mode 100644 queue-5.15/btrfs-don-t-start-transaction-for-scrub-if-the-fs-is-mounted-read-only.patch create mode 100644 queue-5.15/btrfs-fix-deadlock-between-quota-disable-and-qgroup-rescan-worker.patch create mode 100644 queue-5.15/btrfs-fix-use-after-free-after-failure-to-create-a-snapshot.patch create mode 100644 queue-5.15/dma-buf-heaps-fix-potential-spectre-v1-gadget.patch create mode 100644 queue-5.15/drm-amd-display-force-link_rate-as-link_rate_rbr2-for-2018-15-apple-retina-panels.patch create mode 100644 queue-5.15/drm-amd-display-watermark-latencies-is-not-enough-on-dcn31.patch create mode 100644 queue-5.15/drm-amd-pm-correct-the-mgpufanboost-support-for-beige-goby.patch create mode 100644 queue-5.15/drm-i915-adlp-fix-typec-phy-ready-status-readout.patch create mode 100644 queue-5.15/drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch create mode 100644 queue-5.15/fbcon-add-option-to-enable-legacy-hardware-acceleration.patch create mode 100644 queue-5.15/ib-hfi1-fix-aip-early-init-panic.patch create mode 100644 queue-5.15/ipc-sem-do-not-sleep-with-a-spin-lock-held.patch create mode 100644 queue-5.15/mm-debug_vm_pgtable-remove-pte-entry-from-the-page-table.patch create mode 100644 queue-5.15/mm-kmemleak-avoid-scanning-potential-huge-holes.patch create mode 100644 queue-5.15/mm-pgtable-define-pte_index-so-that-preprocessor-could-recognize-it.patch create mode 100644 queue-5.15/mptcp-fix-msk-traversal-in-mptcp_nl_cmd_set_flags.patch create mode 100644 queue-5.15/nvme-fabrics-fix-state-check-in-nvmf_ctlr_matches_baseopts.patch create mode 100644 queue-5.15/revert-fbcon-disable-accelerated-scrolling.patch create mode 100644 queue-5.15/revert-fs-9p-search-open-fids-first.patch create mode 100644 queue-5.15/spi-stm32-qspi-update-spi-registering.patch diff --git a/queue-5.15/alsa-hda-fix-uaf-of-leds-class-devs-at-unbinding.patch b/queue-5.15/alsa-hda-fix-uaf-of-leds-class-devs-at-unbinding.patch new file mode 100644 index 00000000000..fb398957a69 --- /dev/null +++ b/queue-5.15/alsa-hda-fix-uaf-of-leds-class-devs-at-unbinding.patch @@ -0,0 +1,86 @@ +From 549f8ffc7b2f7561bea7f90930b6c5104318e87b Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 26 Jan 2022 15:50:11 +0100 +Subject: ALSA: hda: Fix UAF of leds class devs at unbinding + +From: Takashi Iwai + +commit 549f8ffc7b2f7561bea7f90930b6c5104318e87b upstream. + +The LED class devices that are created by HD-audio codec drivers are +registered via devm_led_classdev_register() and associated with the +HD-audio codec device. Unfortunately, it turned out that the devres +release doesn't work for this case; namely, since the codec resource +release happens before the devm call chain, it triggers a NULL +dereference or a UAF for a stale set_brightness_delay callback. + +For fixing the bug, this patch changes the LED class device register +and unregister in a manual manner without devres, keeping the +instances in hda_gen_spec. + +Reported-by: Alexander Sergeyev +Cc: +Link: https://lore.kernel.org/r/20220111195229.a77wrpjclqwrx4bx@localhost.localdomain +Link: https://lore.kernel.org/r/20220126145011.16728-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/hda_generic.c | 17 +++++++++++++++-- + sound/pci/hda/hda_generic.h | 3 +++ + 2 files changed, 18 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -91,6 +91,12 @@ static void snd_hda_gen_spec_free(struct + free_kctls(spec); + snd_array_free(&spec->paths); + snd_array_free(&spec->loopback_list); ++#ifdef CONFIG_SND_HDA_GENERIC_LEDS ++ if (spec->led_cdevs[LED_AUDIO_MUTE]) ++ led_classdev_unregister(spec->led_cdevs[LED_AUDIO_MUTE]); ++ if (spec->led_cdevs[LED_AUDIO_MICMUTE]) ++ led_classdev_unregister(spec->led_cdevs[LED_AUDIO_MICMUTE]); ++#endif + } + + /* +@@ -3922,7 +3928,10 @@ static int create_mute_led_cdev(struct h + enum led_brightness), + bool micmute) + { ++ struct hda_gen_spec *spec = codec->spec; + struct led_classdev *cdev; ++ int idx = micmute ? LED_AUDIO_MICMUTE : LED_AUDIO_MUTE; ++ int err; + + cdev = devm_kzalloc(&codec->core.dev, sizeof(*cdev), GFP_KERNEL); + if (!cdev) +@@ -3932,10 +3941,14 @@ static int create_mute_led_cdev(struct h + cdev->max_brightness = 1; + cdev->default_trigger = micmute ? "audio-micmute" : "audio-mute"; + cdev->brightness_set_blocking = callback; +- cdev->brightness = ledtrig_audio_get(micmute ? LED_AUDIO_MICMUTE : LED_AUDIO_MUTE); ++ cdev->brightness = ledtrig_audio_get(idx); + cdev->flags = LED_CORE_SUSPENDRESUME; + +- return devm_led_classdev_register(&codec->core.dev, cdev); ++ err = led_classdev_register(&codec->core.dev, cdev); ++ if (err < 0) ++ return err; ++ spec->led_cdevs[idx] = cdev; ++ return 0; + } + + /** +--- a/sound/pci/hda/hda_generic.h ++++ b/sound/pci/hda/hda_generic.h +@@ -294,6 +294,9 @@ struct hda_gen_spec { + struct hda_jack_callback *cb); + void (*mic_autoswitch_hook)(struct hda_codec *codec, + struct hda_jack_callback *cb); ++ ++ /* leds */ ++ struct led_classdev *led_cdevs[NUM_AUDIO_LEDS]; + }; + + /* values for add_stereo_mix_input flag */ diff --git a/queue-5.15/alsa-hda-realtek-add-missing-fixup-model-entry-for-gigabyte-x570-alc1220-quirks.patch b/queue-5.15/alsa-hda-realtek-add-missing-fixup-model-entry-for-gigabyte-x570-alc1220-quirks.patch new file mode 100644 index 00000000000..1e34bc31e99 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-missing-fixup-model-entry-for-gigabyte-x570-alc1220-quirks.patch @@ -0,0 +1,32 @@ +From 63394a16086fc2152869d7902621e2525e14bc40 Mon Sep 17 00:00:00 2001 +From: Christian Lachner +Date: Sat, 29 Jan 2022 12:32:41 +0100 +Subject: ALSA: hda/realtek: Add missing fixup-model entry for Gigabyte X570 ALC1220 quirks + +From: Christian Lachner + +commit 63394a16086fc2152869d7902621e2525e14bc40 upstream. + +The initial commit of the new Gigabyte X570 ALC1220 quirks lacked the +fixup-model entry in alc882_fixup_models[]. It seemed not to cause any ill +effects but for completeness sake this commit makes up for that. + +Signed-off-by: Christian Lachner +Cc: +Link: https://lore.kernel.org/r/20220129113243.93068-2-gladiac@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2660,6 +2660,7 @@ static const struct hda_model_fixup alc8 + {.id = ALC882_FIXUP_NO_PRIMARY_HP, .name = "no-primary-hp"}, + {.id = ALC887_FIXUP_ASUS_BASS, .name = "asus-bass"}, + {.id = ALC1220_FIXUP_GB_DUAL_CODECS, .name = "dual-codecs"}, ++ {.id = ALC1220_FIXUP_GB_X570, .name = "gb-x570"}, + {.id = ALC1220_FIXUP_CLEVO_P950, .name = "clevo-p950"}, + {} + }; diff --git a/queue-5.15/alsa-hda-realtek-add-quirk-for-asus-gu603.patch b/queue-5.15/alsa-hda-realtek-add-quirk-for-asus-gu603.patch new file mode 100644 index 00000000000..71b1c2a8830 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-quirk-for-asus-gu603.patch @@ -0,0 +1,36 @@ +From 94db9cc8f8fa2d5426ce79ec4ca16028f7084224 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Albert=20Geant=C4=83?= +Date: Mon, 31 Jan 2022 03:05:23 +0200 +Subject: ALSA: hda/realtek: Add quirk for ASUS GU603 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Albert Geantă + +commit 94db9cc8f8fa2d5426ce79ec4ca16028f7084224 upstream. + +The ASUS GU603 (Zephyrus M16 - SSID 1043:16b2) requires a quirk similar to +other ASUS devices for correctly routing the 4 integrated speakers. This +fixes it by adding a corresponding quirk entry, which connects the bass +speakers to the proper DAC. + +Signed-off-by: Albert Geantă +Cc: +Link: https://lore.kernel.org/r/20220131010523.546386-1-albertgeanta@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8854,6 +8854,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1043, 0x1e51, "ASUS Zephyrus M15", ALC294_FIXUP_ASUS_GU502_PINS), + SND_PCI_QUIRK(0x1043, 0x1e8e, "ASUS Zephyrus G15", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x1f11, "ASUS Zephyrus G14", ALC289_FIXUP_ASUS_GA401), ++ SND_PCI_QUIRK(0x1043, 0x16b2, "ASUS GU603", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x3030, "ASUS ZN270IE", ALC256_FIXUP_ASUS_AIO_GPIO2), + SND_PCI_QUIRK(0x1043, 0x831a, "ASUS P901", ALC269_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x1043, 0x834a, "ASUS S101", ALC269_FIXUP_STEREO_DMIC), diff --git a/queue-5.15/alsa-hda-realtek-fix-race-at-concurrent-coef-updates.patch b/queue-5.15/alsa-hda-realtek-fix-race-at-concurrent-coef-updates.patch new file mode 100644 index 00000000000..f3db0a36456 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-fix-race-at-concurrent-coef-updates.patch @@ -0,0 +1,148 @@ +From b837a9f5ab3bdfab9233c9f98a6bef717673a3e5 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 31 Jan 2022 08:57:38 +0100 +Subject: ALSA: hda: realtek: Fix race at concurrent COEF updates + +From: Takashi Iwai + +commit b837a9f5ab3bdfab9233c9f98a6bef717673a3e5 upstream. + +The COEF access is done with two steps: setting the index then read or +write the data. When multiple COEF accesses are performed +concurrently, the index and data might be paired unexpectedly. +In most cases, this isn't a big problem as the COEF setup is done at +the initialization, but some dynamic changes like the mute LED may hit +such a race. + +For avoiding the racy COEF accesses, this patch introduces a new +mutex coef_mutex to alc_spec, and wrap the COEF accessing functions +with it. + +Reported-by: Alexander Sergeyev +Cc: +Link: https://lore.kernel.org/r/20220111195229.a77wrpjclqwrx4bx@localhost.localdomain +Link: https://lore.kernel.org/r/20220131075738.24323-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 61 ++++++++++++++++++++++++++++++++++-------- + 1 file changed, 50 insertions(+), 11 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -97,6 +97,7 @@ struct alc_spec { + unsigned int gpio_mic_led_mask; + struct alc_coef_led mute_led_coef; + struct alc_coef_led mic_led_coef; ++ struct mutex coef_mutex; + + hda_nid_t headset_mic_pin; + hda_nid_t headphone_mic_pin; +@@ -132,8 +133,8 @@ struct alc_spec { + * COEF access helper functions + */ + +-static int alc_read_coefex_idx(struct hda_codec *codec, hda_nid_t nid, +- unsigned int coef_idx) ++static int __alc_read_coefex_idx(struct hda_codec *codec, hda_nid_t nid, ++ unsigned int coef_idx) + { + unsigned int val; + +@@ -142,28 +143,61 @@ static int alc_read_coefex_idx(struct hd + return val; + } + ++static int alc_read_coefex_idx(struct hda_codec *codec, hda_nid_t nid, ++ unsigned int coef_idx) ++{ ++ struct alc_spec *spec = codec->spec; ++ unsigned int val; ++ ++ mutex_lock(&spec->coef_mutex); ++ val = __alc_read_coefex_idx(codec, nid, coef_idx); ++ mutex_unlock(&spec->coef_mutex); ++ return val; ++} ++ + #define alc_read_coef_idx(codec, coef_idx) \ + alc_read_coefex_idx(codec, 0x20, coef_idx) + +-static void alc_write_coefex_idx(struct hda_codec *codec, hda_nid_t nid, +- unsigned int coef_idx, unsigned int coef_val) ++static void __alc_write_coefex_idx(struct hda_codec *codec, hda_nid_t nid, ++ unsigned int coef_idx, unsigned int coef_val) + { + snd_hda_codec_write(codec, nid, 0, AC_VERB_SET_COEF_INDEX, coef_idx); + snd_hda_codec_write(codec, nid, 0, AC_VERB_SET_PROC_COEF, coef_val); + } + ++static void alc_write_coefex_idx(struct hda_codec *codec, hda_nid_t nid, ++ unsigned int coef_idx, unsigned int coef_val) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ mutex_lock(&spec->coef_mutex); ++ __alc_write_coefex_idx(codec, nid, coef_idx, coef_val); ++ mutex_unlock(&spec->coef_mutex); ++} ++ + #define alc_write_coef_idx(codec, coef_idx, coef_val) \ + alc_write_coefex_idx(codec, 0x20, coef_idx, coef_val) + ++static void __alc_update_coefex_idx(struct hda_codec *codec, hda_nid_t nid, ++ unsigned int coef_idx, unsigned int mask, ++ unsigned int bits_set) ++{ ++ unsigned int val = __alc_read_coefex_idx(codec, nid, coef_idx); ++ ++ if (val != -1) ++ __alc_write_coefex_idx(codec, nid, coef_idx, ++ (val & ~mask) | bits_set); ++} ++ + static void alc_update_coefex_idx(struct hda_codec *codec, hda_nid_t nid, + unsigned int coef_idx, unsigned int mask, + unsigned int bits_set) + { +- unsigned int val = alc_read_coefex_idx(codec, nid, coef_idx); ++ struct alc_spec *spec = codec->spec; + +- if (val != -1) +- alc_write_coefex_idx(codec, nid, coef_idx, +- (val & ~mask) | bits_set); ++ mutex_lock(&spec->coef_mutex); ++ __alc_update_coefex_idx(codec, nid, coef_idx, mask, bits_set); ++ mutex_unlock(&spec->coef_mutex); + } + + #define alc_update_coef_idx(codec, coef_idx, mask, bits_set) \ +@@ -196,13 +230,17 @@ struct coef_fw { + static void alc_process_coef_fw(struct hda_codec *codec, + const struct coef_fw *fw) + { ++ struct alc_spec *spec = codec->spec; ++ ++ mutex_lock(&spec->coef_mutex); + for (; fw->nid; fw++) { + if (fw->mask == (unsigned short)-1) +- alc_write_coefex_idx(codec, fw->nid, fw->idx, fw->val); ++ __alc_write_coefex_idx(codec, fw->nid, fw->idx, fw->val); + else +- alc_update_coefex_idx(codec, fw->nid, fw->idx, +- fw->mask, fw->val); ++ __alc_update_coefex_idx(codec, fw->nid, fw->idx, ++ fw->mask, fw->val); + } ++ mutex_unlock(&spec->coef_mutex); + } + + /* +@@ -1148,6 +1186,7 @@ static int alc_alloc_spec(struct hda_cod + codec->spdif_status_reset = 1; + codec->forced_resume = 1; + codec->patch_ops = alc_patch_ops; ++ mutex_init(&spec->coef_mutex); + + err = alc_codec_rename_from_preset(codec); + if (err < 0) { diff --git a/queue-5.15/alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-xtreme-after-reboot-from-windows.patch b/queue-5.15/alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-xtreme-after-reboot-from-windows.patch new file mode 100644 index 00000000000..e8695e91c2e --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-xtreme-after-reboot-from-windows.patch @@ -0,0 +1,34 @@ +From ea3541961376f733373839cc90493aafa8a7f733 Mon Sep 17 00:00:00 2001 +From: Christian Lachner +Date: Sat, 29 Jan 2022 12:32:43 +0100 +Subject: ALSA: hda/realtek: Fix silent output on Gigabyte X570 Aorus Xtreme after reboot from Windows + +From: Christian Lachner + +commit ea3541961376f733373839cc90493aafa8a7f733 upstream. + +This commit switches the Gigabyte X570 Aorus Xtreme from using the +ALC1220_FIXUP_CLEVO_P950 to the ALC1220_FIXUP_GB_X570 quirk. This fixes +the no-audio after reboot from windows problem. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205275 +Signed-off-by: Christian Lachner +Cc: +Link: https://lore.kernel.org/r/20220129113243.93068-4-gladiac@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2586,7 +2586,7 @@ static const struct snd_pci_quirk alc882 + SND_PCI_QUIRK(0x1458, 0xa002, "Gigabyte EP45-DS3/Z87X-UD3H", ALC889_FIXUP_FRONT_HP_NO_PRESENCE), + SND_PCI_QUIRK(0x1458, 0xa0b8, "Gigabyte AZ370-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS), + SND_PCI_QUIRK(0x1458, 0xa0cd, "Gigabyte X570 Aorus Master", ALC1220_FIXUP_GB_X570), +- SND_PCI_QUIRK(0x1458, 0xa0ce, "Gigabyte X570 Aorus Xtreme", ALC1220_FIXUP_CLEVO_P950), ++ SND_PCI_QUIRK(0x1458, 0xa0ce, "Gigabyte X570 Aorus Xtreme", ALC1220_FIXUP_GB_X570), + SND_PCI_QUIRK(0x1458, 0xa0d5, "Gigabyte X570S Aorus Master", ALC1220_FIXUP_GB_X570), + SND_PCI_QUIRK(0x1462, 0x11f7, "MSI-GE63", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x1228, "MSI-GP63", ALC1220_FIXUP_CLEVO_P950), diff --git a/queue-5.15/alsa-hda-realtek-fix-silent-output-on-gigabyte-x570s-aorus-master-newer-chipset.patch b/queue-5.15/alsa-hda-realtek-fix-silent-output-on-gigabyte-x570s-aorus-master-newer-chipset.patch new file mode 100644 index 00000000000..4f401aab046 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-fix-silent-output-on-gigabyte-x570s-aorus-master-newer-chipset.patch @@ -0,0 +1,51 @@ +From 41a8601302ecbe704ac970552c33dc942300fc37 Mon Sep 17 00:00:00 2001 +From: Christian Lachner +Date: Sat, 29 Jan 2022 12:32:42 +0100 +Subject: ALSA: hda/realtek: Fix silent output on Gigabyte X570S Aorus Master (newer chipset) + +From: Christian Lachner + +commit 41a8601302ecbe704ac970552c33dc942300fc37 upstream. + +Newer versions of the X570 Master come with a newer revision of the +mainboard chipset - the X570S. These boards have the same ALC1220 codec +but seem to initialize the codec with a different parameter in Coef 0x7 +which causes the output audio to be very low. We therefore write a +known-good value to Coef 0x7 to fix that. As the value is the exact same +as on the other X570(non-S) boards the same quirk-function can be shared +between both generations. + +This commit adds the Gigabyte X570S Aorus Master to the list of boards +using the ALC1220_FIXUP_GB_X570 quirk. This fixes both, the silent output +and the no-audio after reboot from windows problems. + +This work has been tested by the folks over at the level1techs forum here: +https://forum.level1techs.com/t/has-anybody-gotten-audio-working-in-linux-on-aorus-x570-master/154072 + +Signed-off-by: Christian Lachner +Cc: +Link: https://lore.kernel.org/r/20220129113243.93068-3-gladiac@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2159,6 +2159,7 @@ static void alc1220_fixup_gb_x570(struct + { + static const hda_nid_t conn1[] = { 0x0c }; + static const struct coef_fw gb_x570_coefs[] = { ++ WRITE_COEF(0x07, 0x03c0), + WRITE_COEF(0x1a, 0x01c1), + WRITE_COEF(0x1b, 0x0202), + WRITE_COEF(0x43, 0x3005), +@@ -2586,6 +2587,7 @@ static const struct snd_pci_quirk alc882 + SND_PCI_QUIRK(0x1458, 0xa0b8, "Gigabyte AZ370-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS), + SND_PCI_QUIRK(0x1458, 0xa0cd, "Gigabyte X570 Aorus Master", ALC1220_FIXUP_GB_X570), + SND_PCI_QUIRK(0x1458, 0xa0ce, "Gigabyte X570 Aorus Xtreme", ALC1220_FIXUP_CLEVO_P950), ++ SND_PCI_QUIRK(0x1458, 0xa0d5, "Gigabyte X570S Aorus Master", ALC1220_FIXUP_GB_X570), + SND_PCI_QUIRK(0x1462, 0x11f7, "MSI-GE63", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x1228, "MSI-GP63", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x1229, "MSI-GP73", ALC1220_FIXUP_CLEVO_P950), diff --git a/queue-5.15/alsa-usb-audio-correct-quirk-for-vf0770.patch b/queue-5.15/alsa-usb-audio-correct-quirk-for-vf0770.patch new file mode 100644 index 00000000000..024c52e9316 --- /dev/null +++ b/queue-5.15/alsa-usb-audio-correct-quirk-for-vf0770.patch @@ -0,0 +1,44 @@ +From 4ee02e20893d2f9e951c7888f2284fa608ddaa35 Mon Sep 17 00:00:00 2001 +From: Jonas Hahnfeld +Date: Mon, 31 Jan 2022 19:35:16 +0100 +Subject: ALSA: usb-audio: Correct quirk for VF0770 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonas Hahnfeld + +commit 4ee02e20893d2f9e951c7888f2284fa608ddaa35 upstream. + +This device provides both audio and video. The original quirk added in +commit 48827e1d6af5 ("ALSA: usb-audio: Add quirk for VF0770") used +USB_DEVICE to match the vendor and product ID. Depending on module order, +if snd-usb-audio was asked first, it would match the entire device and +uvcvideo wouldn't get to see it. Change the matching to USB_AUDIO_DEVICE +to restore uvcvideo matching in all cases. + +Fixes: 48827e1d6af5 ("ALSA: usb-audio: Add quirk for VF0770") +Reported-by: Jukka Heikintalo +Tested-by: Jukka Heikintalo +Reported-by: Paweł Susicki +Tested-by: Paweł Susicki +Cc: # 5.4, 5.10, 5.14, 5.15 +Signed-off-by: Jonas Hahnfeld +Link: https://lore.kernel.org/r/20220131183516.61191-1-hahnjo@hahnjo.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks-table.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -84,7 +84,7 @@ + * combination. + */ + { +- USB_DEVICE(0x041e, 0x4095), ++ USB_AUDIO_DEVICE(0x041e, 0x4095), + .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { + .ifnum = QUIRK_ANY_INTERFACE, + .type = QUIRK_COMPOSITE, diff --git a/queue-5.15/asoc-hdmi-codec-fix-oob-memory-accesses.patch b/queue-5.15/asoc-hdmi-codec-fix-oob-memory-accesses.patch new file mode 100644 index 00000000000..610dfbac26c --- /dev/null +++ b/queue-5.15/asoc-hdmi-codec-fix-oob-memory-accesses.patch @@ -0,0 +1,49 @@ +From 06feec6005c9d9500cd286ec440aabf8b2ddd94d Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Wed, 12 Jan 2022 22:50:39 +0300 +Subject: ASoC: hdmi-codec: Fix OOB memory accesses + +From: Dmitry Osipenko + +commit 06feec6005c9d9500cd286ec440aabf8b2ddd94d upstream. + +Correct size of iec_status array by changing it to the size of status +array of the struct snd_aes_iec958. This fixes out-of-bounds slab +read accesses made by memcpy() of the hdmi-codec driver. This problem +is reported by KASAN. + +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Osipenko +Link: https://lore.kernel.org/r/20220112195039.1329-1-digetx@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/sound/asound.h | 4 +++- + sound/soc/codecs/hdmi-codec.c | 2 +- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/include/uapi/sound/asound.h ++++ b/include/uapi/sound/asound.h +@@ -56,8 +56,10 @@ + * * + ****************************************************************************/ + ++#define AES_IEC958_STATUS_SIZE 24 ++ + struct snd_aes_iec958 { +- unsigned char status[24]; /* AES/IEC958 channel status bits */ ++ unsigned char status[AES_IEC958_STATUS_SIZE]; /* AES/IEC958 channel status bits */ + unsigned char subcode[147]; /* AES/IEC958 subcode bits */ + unsigned char pad; /* nothing */ + unsigned char dig_subframe[4]; /* AES/IEC958 subframe bits */ +--- a/sound/soc/codecs/hdmi-codec.c ++++ b/sound/soc/codecs/hdmi-codec.c +@@ -277,7 +277,7 @@ struct hdmi_codec_priv { + bool busy; + struct snd_soc_jack *jack; + unsigned int jack_status; +- u8 iec_status[5]; ++ u8 iec_status[AES_IEC958_STATUS_SIZE]; + }; + + static const struct snd_soc_dapm_widget hdmi_widgets[] = { diff --git a/queue-5.15/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch b/queue-5.15/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch new file mode 100644 index 00000000000..0afbe9a94c1 --- /dev/null +++ b/queue-5.15/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch @@ -0,0 +1,54 @@ +From 817f7c9335ec01e0f5e8caffc4f1dcd5e458a4c0 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Mon, 24 Jan 2022 15:32:51 +0000 +Subject: ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() + +From: Mark Brown + +commit 817f7c9335ec01e0f5e8caffc4f1dcd5e458a4c0 upstream. + +We don't currently validate that the values being set are within the range +we advertised to userspace as being valid, do so and reject any values +that are out of range. + +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220124153253.3548853-2-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-ops.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -316,13 +316,27 @@ int snd_soc_put_volsw(struct snd_kcontro + if (sign_bit) + mask = BIT(sign_bit + 1) - 1; + +- val = ((ucontrol->value.integer.value[0] + min) & mask); ++ val = ucontrol->value.integer.value[0]; ++ if (mc->platform_max && val > mc->platform_max) ++ return -EINVAL; ++ if (val > max - min) ++ return -EINVAL; ++ if (val < 0) ++ return -EINVAL; ++ val = (val + min) & mask; + if (invert) + val = max - val; + val_mask = mask << shift; + val = val << shift; + if (snd_soc_volsw_is_stereo(mc)) { +- val2 = ((ucontrol->value.integer.value[1] + min) & mask); ++ val2 = ucontrol->value.integer.value[1]; ++ if (mc->platform_max && val2 > mc->platform_max) ++ return -EINVAL; ++ if (val2 > max - min) ++ return -EINVAL; ++ if (val2 < 0) ++ return -EINVAL; ++ val2 = (val2 + min) & mask; + if (invert) + val2 = max - val2; + if (reg == reg2) { diff --git a/queue-5.15/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch b/queue-5.15/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch new file mode 100644 index 00000000000..b9598a5ad5b --- /dev/null +++ b/queue-5.15/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch @@ -0,0 +1,41 @@ +From 4f1e50d6a9cf9c1b8c859d449b5031cacfa8404e Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Mon, 24 Jan 2022 15:32:52 +0000 +Subject: ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx() + +From: Mark Brown + +commit 4f1e50d6a9cf9c1b8c859d449b5031cacfa8404e upstream. + +We don't currently validate that the values being set are within the range +we advertised to userspace as being valid, do so and reject any values +that are out of range. + +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220124153253.3548853-3-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-ops.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -423,8 +423,15 @@ int snd_soc_put_volsw_sx(struct snd_kcon + int err = 0; + unsigned int val, val_mask; + ++ val = ucontrol->value.integer.value[0]; ++ if (mc->platform_max && val > mc->platform_max) ++ return -EINVAL; ++ if (val > max - min) ++ return -EINVAL; ++ if (val < 0) ++ return -EINVAL; + val_mask = mask << shift; +- val = (ucontrol->value.integer.value[0] + min) & mask; ++ val = (val + min) & mask; + val = val << shift; + + err = snd_soc_component_update_bits(component, reg, val_mask, val); diff --git a/queue-5.15/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch b/queue-5.15/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch new file mode 100644 index 00000000000..d38a3c42eb1 --- /dev/null +++ b/queue-5.15/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch @@ -0,0 +1,33 @@ +From 4cf28e9ae6e2e11a044be1bcbcfa1b0d8675fe4d Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Mon, 24 Jan 2022 15:32:53 +0000 +Subject: ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx() + +From: Mark Brown + +commit 4cf28e9ae6e2e11a044be1bcbcfa1b0d8675fe4d upstream. + +We don't currently validate that the values being set are within the range +we advertised to userspace as being valid, do so and reject any values +that are out of range. + +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220124153253.3548853-4-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-ops.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -879,6 +879,8 @@ int snd_soc_put_xr_sx(struct snd_kcontro + long val = ucontrol->value.integer.value[0]; + unsigned int i; + ++ if (val < mc->min || val > mc->max) ++ return -EINVAL; + if (invert) + val = max - val; + val &= mask; diff --git a/queue-5.15/audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch b/queue-5.15/audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch new file mode 100644 index 00000000000..d8c69777213 --- /dev/null +++ b/queue-5.15/audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch @@ -0,0 +1,207 @@ +From f26d04331360d42dbd6b58448bd98e4edbfbe1c5 Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Thu, 13 Jan 2022 18:54:38 -0500 +Subject: audit: improve audit queue handling when "audit=1" on cmdline + +From: Paul Moore + +commit f26d04331360d42dbd6b58448bd98e4edbfbe1c5 upstream. + +When an admin enables audit at early boot via the "audit=1" kernel +command line the audit queue behavior is slightly different; the +audit subsystem goes to greater lengths to avoid dropping records, +which unfortunately can result in problems when the audit daemon is +forcibly stopped for an extended period of time. + +This patch makes a number of changes designed to improve the audit +queuing behavior so that leaving the audit daemon in a stopped state +for an extended period does not cause a significant impact to the +system. + +- kauditd_send_queue() is now limited to looping through the + passed queue only once per call. This not only prevents the + function from looping indefinitely when records are returned + to the current queue, it also allows any recovery handling in + kauditd_thread() to take place when kauditd_send_queue() + returns. + +- Transient netlink send errors seen as -EAGAIN now cause the + record to be returned to the retry queue instead of going to + the hold queue. The intention of the hold queue is to store, + perhaps for an extended period of time, the events which led + up to the audit daemon going offline. The retry queue remains + a temporary queue intended to protect against transient issues + between the kernel and the audit daemon. + +- The retry queue is now limited by the audit_backlog_limit + setting, the same as the other queues. This allows admins + to bound the size of all of the audit queues on the system. + +- kauditd_rehold_skb() now returns records to the end of the + hold queue to ensure ordering is preserved in the face of + recent changes to kauditd_send_queue(). + +Cc: stable@vger.kernel.org +Fixes: 5b52330bbfe63 ("audit: fix auditd/kernel connection state tracking") +Fixes: f4b3ee3c85551 ("audit: improve robustness of the audit queue handling") +Reported-by: Gaosheng Cui +Tested-by: Gaosheng Cui +Reviewed-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + kernel/audit.c | 62 +++++++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 43 insertions(+), 19 deletions(-) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -541,20 +541,22 @@ static void kauditd_printk_skb(struct sk + /** + * kauditd_rehold_skb - Handle a audit record send failure in the hold queue + * @skb: audit record ++ * @error: error code (unused) + * + * Description: + * This should only be used by the kauditd_thread when it fails to flush the + * hold queue. + */ +-static void kauditd_rehold_skb(struct sk_buff *skb) ++static void kauditd_rehold_skb(struct sk_buff *skb, __always_unused int error) + { +- /* put the record back in the queue at the same place */ +- skb_queue_head(&audit_hold_queue, skb); ++ /* put the record back in the queue */ ++ skb_queue_tail(&audit_hold_queue, skb); + } + + /** + * kauditd_hold_skb - Queue an audit record, waiting for auditd + * @skb: audit record ++ * @error: error code + * + * Description: + * Queue the audit record, waiting for an instance of auditd. When this +@@ -564,19 +566,31 @@ static void kauditd_rehold_skb(struct sk + * and queue it, if we have room. If we want to hold on to the record, but we + * don't have room, record a record lost message. + */ +-static void kauditd_hold_skb(struct sk_buff *skb) ++static void kauditd_hold_skb(struct sk_buff *skb, int error) + { + /* at this point it is uncertain if we will ever send this to auditd so + * try to send the message via printk before we go any further */ + kauditd_printk_skb(skb); + + /* can we just silently drop the message? */ +- if (!audit_default) { +- kfree_skb(skb); +- return; ++ if (!audit_default) ++ goto drop; ++ ++ /* the hold queue is only for when the daemon goes away completely, ++ * not -EAGAIN failures; if we are in a -EAGAIN state requeue the ++ * record on the retry queue unless it's full, in which case drop it ++ */ ++ if (error == -EAGAIN) { ++ if (!audit_backlog_limit || ++ skb_queue_len(&audit_retry_queue) < audit_backlog_limit) { ++ skb_queue_tail(&audit_retry_queue, skb); ++ return; ++ } ++ audit_log_lost("kauditd retry queue overflow"); ++ goto drop; + } + +- /* if we have room, queue the message */ ++ /* if we have room in the hold queue, queue the message */ + if (!audit_backlog_limit || + skb_queue_len(&audit_hold_queue) < audit_backlog_limit) { + skb_queue_tail(&audit_hold_queue, skb); +@@ -585,24 +599,32 @@ static void kauditd_hold_skb(struct sk_b + + /* we have no other options - drop the message */ + audit_log_lost("kauditd hold queue overflow"); ++drop: + kfree_skb(skb); + } + + /** + * kauditd_retry_skb - Queue an audit record, attempt to send again to auditd + * @skb: audit record ++ * @error: error code (unused) + * + * Description: + * Not as serious as kauditd_hold_skb() as we still have a connected auditd, + * but for some reason we are having problems sending it audit records so + * queue the given record and attempt to resend. + */ +-static void kauditd_retry_skb(struct sk_buff *skb) ++static void kauditd_retry_skb(struct sk_buff *skb, __always_unused int error) + { +- /* NOTE: because records should only live in the retry queue for a +- * short period of time, before either being sent or moved to the hold +- * queue, we don't currently enforce a limit on this queue */ +- skb_queue_tail(&audit_retry_queue, skb); ++ if (!audit_backlog_limit || ++ skb_queue_len(&audit_retry_queue) < audit_backlog_limit) { ++ skb_queue_tail(&audit_retry_queue, skb); ++ return; ++ } ++ ++ /* we have to drop the record, send it via printk as a last effort */ ++ kauditd_printk_skb(skb); ++ audit_log_lost("kauditd retry queue overflow"); ++ kfree_skb(skb); + } + + /** +@@ -640,7 +662,7 @@ static void auditd_reset(const struct au + /* flush the retry queue to the hold queue, but don't touch the main + * queue since we need to process that normally for multicast */ + while ((skb = skb_dequeue(&audit_retry_queue))) +- kauditd_hold_skb(skb); ++ kauditd_hold_skb(skb, -ECONNREFUSED); + } + + /** +@@ -714,16 +736,18 @@ static int kauditd_send_queue(struct soc + struct sk_buff_head *queue, + unsigned int retry_limit, + void (*skb_hook)(struct sk_buff *skb), +- void (*err_hook)(struct sk_buff *skb)) ++ void (*err_hook)(struct sk_buff *skb, int error)) + { + int rc = 0; +- struct sk_buff *skb; ++ struct sk_buff *skb = NULL; ++ struct sk_buff *skb_tail; + unsigned int failed = 0; + + /* NOTE: kauditd_thread takes care of all our locking, we just use + * the netlink info passed to us (e.g. sk and portid) */ + +- while ((skb = skb_dequeue(queue))) { ++ skb_tail = skb_peek_tail(queue); ++ while ((skb != skb_tail) && (skb = skb_dequeue(queue))) { + /* call the skb_hook for each skb we touch */ + if (skb_hook) + (*skb_hook)(skb); +@@ -731,7 +755,7 @@ static int kauditd_send_queue(struct soc + /* can we send to anyone via unicast? */ + if (!sk) { + if (err_hook) +- (*err_hook)(skb); ++ (*err_hook)(skb, -ECONNREFUSED); + continue; + } + +@@ -745,7 +769,7 @@ retry: + rc == -ECONNREFUSED || rc == -EPERM) { + sk = NULL; + if (err_hook) +- (*err_hook)(skb); ++ (*err_hook)(skb, rc); + if (rc == -EAGAIN) + rc = 0; + /* continue to drain the queue */ diff --git a/queue-5.15/block-bio-integrity-advance-seed-correctly-for-larger-interval-sizes.patch b/queue-5.15/block-bio-integrity-advance-seed-correctly-for-larger-interval-sizes.patch new file mode 100644 index 00000000000..27b13e7086e --- /dev/null +++ b/queue-5.15/block-bio-integrity-advance-seed-correctly-for-larger-interval-sizes.patch @@ -0,0 +1,43 @@ +From b13e0c71856817fca67159b11abac350e41289f5 Mon Sep 17 00:00:00 2001 +From: "Martin K. Petersen" +Date: Thu, 3 Feb 2022 22:42:09 -0500 +Subject: block: bio-integrity: Advance seed correctly for larger interval sizes + +From: Martin K. Petersen + +commit b13e0c71856817fca67159b11abac350e41289f5 upstream. + +Commit 309a62fa3a9e ("bio-integrity: bio_integrity_advance must update +integrity seed") added code to update the integrity seed value when +advancing a bio. However, it failed to take into account that the +integrity interval might be larger than the 512-byte block layer +sector size. This broke bio splitting on PI devices with 4KB logical +blocks. + +The seed value should be advanced by bio_integrity_intervals() and not +the number of sectors. + +Cc: Dmitry Monakhov +Cc: stable@vger.kernel.org +Fixes: 309a62fa3a9e ("bio-integrity: bio_integrity_advance must update integrity seed") +Tested-by: Dmitry Ivanov +Reported-by: Alexey Lyashkov +Signed-off-by: Martin K. Petersen +Link: https://lore.kernel.org/r/20220204034209.4193-1-martin.petersen@oracle.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/bio-integrity.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/bio-integrity.c ++++ b/block/bio-integrity.c +@@ -373,7 +373,7 @@ void bio_integrity_advance(struct bio *b + struct blk_integrity *bi = blk_get_integrity(bio->bi_bdev->bd_disk); + unsigned bytes = bio_integrity_bytes(bi, bytes_done >> 9); + +- bip->bip_iter.bi_sector += bytes_done >> 9; ++ bip->bip_iter.bi_sector += bio_integrity_intervals(bi, bytes_done >> 9); + bvec_iter_advance(bip->bip_vec, &bip->bip_iter, bytes); + } + diff --git a/queue-5.15/btrfs-don-t-start-transaction-for-scrub-if-the-fs-is-mounted-read-only.patch b/queue-5.15/btrfs-don-t-start-transaction-for-scrub-if-the-fs-is-mounted-read-only.patch new file mode 100644 index 00000000000..e75e5af0b7e --- /dev/null +++ b/queue-5.15/btrfs-don-t-start-transaction-for-scrub-if-the-fs-is-mounted-read-only.patch @@ -0,0 +1,84 @@ +From 2d192fc4c1abeb0d04d1c8cd54405ff4a0b0255b Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Thu, 16 Dec 2021 19:47:35 +0800 +Subject: btrfs: don't start transaction for scrub if the fs is mounted read-only + +From: Qu Wenruo + +commit 2d192fc4c1abeb0d04d1c8cd54405ff4a0b0255b upstream. + +[BUG] +The following super simple script would crash btrfs at unmount time, if +CONFIG_BTRFS_ASSERT() is set. + + mkfs.btrfs -f $dev + mount $dev $mnt + xfs_io -f -c "pwrite 0 4k" $mnt/file + umount $mnt + mount -r ro $dev $mnt + btrfs scrub start -Br $mnt + umount $mnt + +This will trigger the following ASSERT() introduced by commit +0a31daa4b602 ("btrfs: add assertion for empty list of transactions at +late stage of umount"). + +That patch is definitely not the cause, it just makes enough noise for +developers. + +[CAUSE] +We will start transaction for the following call chain during scrub: + + scrub_enumerate_chunks() + |- btrfs_inc_block_group_ro() + |- btrfs_join_transaction() + +However for RO mount, there is no running transaction at all, thus +btrfs_join_transaction() will start a new transaction. + +Furthermore, since it's read-only mount, btrfs_sync_fs() will not call +btrfs_commit_super() to commit the new but empty transaction. + +And leads to the ASSERT(). + +The bug has been there for a long time. Only the new ASSERT() makes it +noisy enough to be noticed. + +[FIX] +For read-only scrub on read-only mount, there is no need to start a +transaction nor to allocate new chunks in btrfs_inc_block_group_ro(). + +Just do extra read-only mount check in btrfs_inc_block_group_ro(), and +if it's read-only, skip all chunk allocation and go inc_block_group_ro() +directly. + +CC: stable@vger.kernel.org # 5.4+ +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/block-group.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -2511,6 +2511,19 @@ int btrfs_inc_block_group_ro(struct btrf + int ret; + bool dirty_bg_running; + ++ /* ++ * This can only happen when we are doing read-only scrub on read-only ++ * mount. ++ * In that case we should not start a new transaction on read-only fs. ++ * Thus here we skip all chunk allocations. ++ */ ++ if (sb_rdonly(fs_info->sb)) { ++ mutex_lock(&fs_info->ro_block_group_mutex); ++ ret = inc_block_group_ro(cache, 0); ++ mutex_unlock(&fs_info->ro_block_group_mutex); ++ return ret; ++ } ++ + do { + trans = btrfs_join_transaction(fs_info->extent_root); + if (IS_ERR(trans)) diff --git a/queue-5.15/btrfs-fix-deadlock-between-quota-disable-and-qgroup-rescan-worker.patch b/queue-5.15/btrfs-fix-deadlock-between-quota-disable-and-qgroup-rescan-worker.patch new file mode 100644 index 00000000000..00f47717699 --- /dev/null +++ b/queue-5.15/btrfs-fix-deadlock-between-quota-disable-and-qgroup-rescan-worker.patch @@ -0,0 +1,305 @@ +From e804861bd4e69cc5fe1053eedcb024982dde8e48 Mon Sep 17 00:00:00 2001 +From: Shin'ichiro Kawasaki +Date: Thu, 20 Jan 2022 20:09:16 +0900 +Subject: btrfs: fix deadlock between quota disable and qgroup rescan worker + +From: Shin'ichiro Kawasaki + +commit e804861bd4e69cc5fe1053eedcb024982dde8e48 upstream. + +Quota disable ioctl starts a transaction before waiting for the qgroup +rescan worker completes. However, this wait can be infinite and results +in deadlock because of circular dependency among the quota disable +ioctl, the qgroup rescan worker and the other task with transaction such +as block group relocation task. + +The deadlock happens with the steps following: + +1) Task A calls ioctl to disable quota. It starts a transaction and + waits for qgroup rescan worker completes. +2) Task B such as block group relocation task starts a transaction and + joins to the transaction that task A started. Then task B commits to + the transaction. In this commit, task B waits for a commit by task A. +3) Task C as the qgroup rescan worker starts its job and starts a + transaction. In this transaction start, task C waits for completion + of the transaction that task A started and task B committed. + +This deadlock was found with fstests test case btrfs/115 and a zoned +null_blk device. The test case enables and disables quota, and the +block group reclaim was triggered during the quota disable by chance. +The deadlock was also observed by running quota enable and disable in +parallel with 'btrfs balance' command on regular null_blk devices. + +An example report of the deadlock: + + [372.469894] INFO: task kworker/u16:6:103 blocked for more than 122 seconds. + [372.479944] Not tainted 5.16.0-rc8 #7 + [372.485067] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + [372.493898] task:kworker/u16:6 state:D stack: 0 pid: 103 ppid: 2 flags:0x00004000 + [372.503285] Workqueue: btrfs-qgroup-rescan btrfs_work_helper [btrfs] + [372.510782] Call Trace: + [372.514092] + [372.521684] __schedule+0xb56/0x4850 + [372.530104] ? io_schedule_timeout+0x190/0x190 + [372.538842] ? lockdep_hardirqs_on+0x7e/0x100 + [372.547092] ? _raw_spin_unlock_irqrestore+0x3e/0x60 + [372.555591] schedule+0xe0/0x270 + [372.561894] btrfs_commit_transaction+0x18bb/0x2610 [btrfs] + [372.570506] ? btrfs_apply_pending_changes+0x50/0x50 [btrfs] + [372.578875] ? free_unref_page+0x3f2/0x650 + [372.585484] ? finish_wait+0x270/0x270 + [372.591594] ? release_extent_buffer+0x224/0x420 [btrfs] + [372.599264] btrfs_qgroup_rescan_worker+0xc13/0x10c0 [btrfs] + [372.607157] ? lock_release+0x3a9/0x6d0 + [372.613054] ? btrfs_qgroup_account_extent+0xda0/0xda0 [btrfs] + [372.620960] ? do_raw_spin_lock+0x11e/0x250 + [372.627137] ? rwlock_bug.part.0+0x90/0x90 + [372.633215] ? lock_is_held_type+0xe4/0x140 + [372.639404] btrfs_work_helper+0x1ae/0xa90 [btrfs] + [372.646268] process_one_work+0x7e9/0x1320 + [372.652321] ? lock_release+0x6d0/0x6d0 + [372.658081] ? pwq_dec_nr_in_flight+0x230/0x230 + [372.664513] ? rwlock_bug.part.0+0x90/0x90 + [372.670529] worker_thread+0x59e/0xf90 + [372.676172] ? process_one_work+0x1320/0x1320 + [372.682440] kthread+0x3b9/0x490 + [372.687550] ? _raw_spin_unlock_irq+0x24/0x50 + [372.693811] ? set_kthread_struct+0x100/0x100 + [372.700052] ret_from_fork+0x22/0x30 + [372.705517] + [372.709747] INFO: task btrfs-transacti:2347 blocked for more than 123 seconds. + [372.729827] Not tainted 5.16.0-rc8 #7 + [372.745907] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + [372.767106] task:btrfs-transacti state:D stack: 0 pid: 2347 ppid: 2 flags:0x00004000 + [372.787776] Call Trace: + [372.801652] + [372.812961] __schedule+0xb56/0x4850 + [372.830011] ? io_schedule_timeout+0x190/0x190 + [372.852547] ? lockdep_hardirqs_on+0x7e/0x100 + [372.871761] ? _raw_spin_unlock_irqrestore+0x3e/0x60 + [372.886792] schedule+0xe0/0x270 + [372.901685] wait_current_trans+0x22c/0x310 [btrfs] + [372.919743] ? btrfs_put_transaction+0x3d0/0x3d0 [btrfs] + [372.938923] ? finish_wait+0x270/0x270 + [372.959085] ? join_transaction+0xc75/0xe30 [btrfs] + [372.977706] start_transaction+0x938/0x10a0 [btrfs] + [372.997168] transaction_kthread+0x19d/0x3c0 [btrfs] + [373.013021] ? btrfs_cleanup_transaction.isra.0+0xfc0/0xfc0 [btrfs] + [373.031678] kthread+0x3b9/0x490 + [373.047420] ? _raw_spin_unlock_irq+0x24/0x50 + [373.064645] ? set_kthread_struct+0x100/0x100 + [373.078571] ret_from_fork+0x22/0x30 + [373.091197] + [373.105611] INFO: task btrfs:3145 blocked for more than 123 seconds. + [373.114147] Not tainted 5.16.0-rc8 #7 + [373.120401] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + [373.130393] task:btrfs state:D stack: 0 pid: 3145 ppid: 3141 flags:0x00004000 + [373.140998] Call Trace: + [373.145501] + [373.149654] __schedule+0xb56/0x4850 + [373.155306] ? io_schedule_timeout+0x190/0x190 + [373.161965] ? lockdep_hardirqs_on+0x7e/0x100 + [373.168469] ? _raw_spin_unlock_irqrestore+0x3e/0x60 + [373.175468] schedule+0xe0/0x270 + [373.180814] wait_for_commit+0x104/0x150 [btrfs] + [373.187643] ? test_and_set_bit+0x20/0x20 [btrfs] + [373.194772] ? kmem_cache_free+0x124/0x550 + [373.201191] ? btrfs_put_transaction+0x69/0x3d0 [btrfs] + [373.208738] ? finish_wait+0x270/0x270 + [373.214704] ? __btrfs_end_transaction+0x347/0x7b0 [btrfs] + [373.222342] btrfs_commit_transaction+0x44d/0x2610 [btrfs] + [373.230233] ? join_transaction+0x255/0xe30 [btrfs] + [373.237334] ? btrfs_record_root_in_trans+0x4d/0x170 [btrfs] + [373.245251] ? btrfs_apply_pending_changes+0x50/0x50 [btrfs] + [373.253296] relocate_block_group+0x105/0xc20 [btrfs] + [373.260533] ? mutex_lock_io_nested+0x1270/0x1270 + [373.267516] ? btrfs_wait_nocow_writers+0x85/0x180 [btrfs] + [373.275155] ? merge_reloc_roots+0x710/0x710 [btrfs] + [373.283602] ? btrfs_wait_ordered_extents+0xd30/0xd30 [btrfs] + [373.291934] ? kmem_cache_free+0x124/0x550 + [373.298180] btrfs_relocate_block_group+0x35c/0x930 [btrfs] + [373.306047] btrfs_relocate_chunk+0x85/0x210 [btrfs] + [373.313229] btrfs_balance+0x12f4/0x2d20 [btrfs] + [373.320227] ? lock_release+0x3a9/0x6d0 + [373.326206] ? btrfs_relocate_chunk+0x210/0x210 [btrfs] + [373.333591] ? lock_is_held_type+0xe4/0x140 + [373.340031] ? rcu_read_lock_sched_held+0x3f/0x70 + [373.346910] btrfs_ioctl_balance+0x548/0x700 [btrfs] + [373.354207] btrfs_ioctl+0x7f2/0x71b0 [btrfs] + [373.360774] ? lockdep_hardirqs_on_prepare+0x410/0x410 + [373.367957] ? lockdep_hardirqs_on_prepare+0x410/0x410 + [373.375327] ? btrfs_ioctl_get_supported_features+0x20/0x20 [btrfs] + [373.383841] ? find_held_lock+0x2c/0x110 + [373.389993] ? lock_release+0x3a9/0x6d0 + [373.395828] ? mntput_no_expire+0xf7/0xad0 + [373.402083] ? lock_is_held_type+0xe4/0x140 + [373.408249] ? vfs_fileattr_set+0x9f0/0x9f0 + [373.414486] ? selinux_file_ioctl+0x349/0x4e0 + [373.420938] ? trace_raw_output_lock+0xb4/0xe0 + [373.427442] ? selinux_inode_getsecctx+0x80/0x80 + [373.434224] ? lockdep_hardirqs_on+0x7e/0x100 + [373.440660] ? force_qs_rnp+0x2a0/0x6b0 + [373.446534] ? lock_is_held_type+0x9b/0x140 + [373.452763] ? __blkcg_punt_bio_submit+0x1b0/0x1b0 + [373.459732] ? security_file_ioctl+0x50/0x90 + [373.466089] __x64_sys_ioctl+0x127/0x190 + [373.472022] do_syscall_64+0x3b/0x90 + [373.477513] entry_SYSCALL_64_after_hwframe+0x44/0xae + [373.484823] RIP: 0033:0x7f8f4af7e2bb + [373.490493] RSP: 002b:00007ffcbf936178 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + [373.500197] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8f4af7e2bb + [373.509451] RDX: 00007ffcbf936220 RSI: 00000000c4009420 RDI: 0000000000000003 + [373.518659] RBP: 00007ffcbf93774a R08: 0000000000000013 R09: 00007f8f4b02d4e0 + [373.527872] R10: 00007f8f4ae87740 R11: 0000000000000246 R12: 0000000000000001 + [373.537222] R13: 00007ffcbf936220 R14: 0000000000000000 R15: 0000000000000002 + [373.546506] + [373.550878] INFO: task btrfs:3146 blocked for more than 123 seconds. + [373.559383] Not tainted 5.16.0-rc8 #7 + [373.565748] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + [373.575748] task:btrfs state:D stack: 0 pid: 3146 ppid: 2168 flags:0x00000000 + [373.586314] Call Trace: + [373.590846] + [373.595121] __schedule+0xb56/0x4850 + [373.600901] ? __lock_acquire+0x23db/0x5030 + [373.607176] ? io_schedule_timeout+0x190/0x190 + [373.613954] schedule+0xe0/0x270 + [373.619157] schedule_timeout+0x168/0x220 + [373.625170] ? usleep_range_state+0x150/0x150 + [373.631653] ? mark_held_locks+0x9e/0xe0 + [373.637767] ? do_raw_spin_lock+0x11e/0x250 + [373.643993] ? lockdep_hardirqs_on_prepare+0x17b/0x410 + [373.651267] ? _raw_spin_unlock_irq+0x24/0x50 + [373.657677] ? lockdep_hardirqs_on+0x7e/0x100 + [373.664103] wait_for_completion+0x163/0x250 + [373.670437] ? bit_wait_timeout+0x160/0x160 + [373.676585] btrfs_quota_disable+0x176/0x9a0 [btrfs] + [373.683979] ? btrfs_quota_enable+0x12f0/0x12f0 [btrfs] + [373.691340] ? down_write+0xd0/0x130 + [373.696880] ? down_write_killable+0x150/0x150 + [373.703352] btrfs_ioctl+0x3945/0x71b0 [btrfs] + [373.710061] ? find_held_lock+0x2c/0x110 + [373.716192] ? lock_release+0x3a9/0x6d0 + [373.722047] ? __handle_mm_fault+0x23cd/0x3050 + [373.728486] ? btrfs_ioctl_get_supported_features+0x20/0x20 [btrfs] + [373.737032] ? set_pte+0x6a/0x90 + [373.742271] ? do_raw_spin_unlock+0x55/0x1f0 + [373.748506] ? lock_is_held_type+0xe4/0x140 + [373.754792] ? vfs_fileattr_set+0x9f0/0x9f0 + [373.761083] ? selinux_file_ioctl+0x349/0x4e0 + [373.767521] ? selinux_inode_getsecctx+0x80/0x80 + [373.774247] ? __up_read+0x182/0x6e0 + [373.780026] ? count_memcg_events.constprop.0+0x46/0x60 + [373.787281] ? up_write+0x460/0x460 + [373.792932] ? security_file_ioctl+0x50/0x90 + [373.799232] __x64_sys_ioctl+0x127/0x190 + [373.805237] do_syscall_64+0x3b/0x90 + [373.810947] entry_SYSCALL_64_after_hwframe+0x44/0xae + [373.818102] RIP: 0033:0x7f1383ea02bb + [373.823847] RSP: 002b:00007fffeb4d71f8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 + [373.833641] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1383ea02bb + [373.842961] RDX: 00007fffeb4d7210 RSI: 00000000c0109428 RDI: 0000000000000003 + [373.852179] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000078 + [373.861408] R10: 00007f1383daec78 R11: 0000000000000202 R12: 00007fffeb4d874a + [373.870647] R13: 0000000000493099 R14: 0000000000000001 R15: 0000000000000000 + [373.879838] + [373.884018] + Showing all locks held in the system: + [373.894250] 3 locks held by kworker/4:1/58: + [373.900356] 1 lock held by khungtaskd/63: + [373.906333] #0: ffffffff8945ff60 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 + [373.917307] 3 locks held by kworker/u16:6/103: + [373.923938] #0: ffff888127b4f138 ((wq_completion)btrfs-qgroup-rescan){+.+.}-{0:0}, at: process_one_work+0x712/0x1320 + [373.936555] #1: ffff88810b817dd8 ((work_completion)(&work->normal_work)){+.+.}-{0:0}, at: process_one_work+0x73f/0x1320 + [373.951109] #2: ffff888102dd4650 (sb_internal#2){.+.+}-{0:0}, at: btrfs_qgroup_rescan_worker+0x1f6/0x10c0 [btrfs] + [373.964027] 2 locks held by less/1803: + [373.969982] #0: ffff88813ed56098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 + [373.981295] #1: ffffc90000b3b2e8 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x9e2/0x1060 + [373.992969] 1 lock held by btrfs-transacti/2347: + [373.999893] #0: ffff88813d4887a8 (&fs_info->transaction_kthread_mutex){+.+.}-{3:3}, at: transaction_kthread+0xe3/0x3c0 [btrfs] + [374.015872] 3 locks held by btrfs/3145: + [374.022298] #0: ffff888102dd4460 (sb_writers#18){.+.+}-{0:0}, at: btrfs_ioctl_balance+0xc3/0x700 [btrfs] + [374.034456] #1: ffff88813d48a0a0 (&fs_info->reclaim_bgs_lock){+.+.}-{3:3}, at: btrfs_balance+0xfe5/0x2d20 [btrfs] + [374.047646] #2: ffff88813d488838 (&fs_info->cleaner_mutex){+.+.}-{3:3}, at: btrfs_relocate_block_group+0x354/0x930 [btrfs] + [374.063295] 4 locks held by btrfs/3146: + [374.069647] #0: ffff888102dd4460 (sb_writers#18){.+.+}-{0:0}, at: btrfs_ioctl+0x38b1/0x71b0 [btrfs] + [374.081601] #1: ffff88813d488bb8 (&fs_info->subvol_sem){+.+.}-{3:3}, at: btrfs_ioctl+0x38fd/0x71b0 [btrfs] + [374.094283] #2: ffff888102dd4650 (sb_internal#2){.+.+}-{0:0}, at: btrfs_quota_disable+0xc8/0x9a0 [btrfs] + [374.106885] #3: ffff88813d489800 (&fs_info->qgroup_ioctl_lock){+.+.}-{3:3}, at: btrfs_quota_disable+0xd5/0x9a0 [btrfs] + + [374.126780] ============================================= + +To avoid the deadlock, wait for the qgroup rescan worker to complete +before starting the transaction for the quota disable ioctl. Clear +BTRFS_FS_QUOTA_ENABLE flag before the wait and the transaction to +request the worker to complete. On transaction start failure, set the +BTRFS_FS_QUOTA_ENABLE flag again. These BTRFS_FS_QUOTA_ENABLE flag +changes can be done safely since the function btrfs_quota_disable is not +called concurrently because of fs_info->subvol_sem. + +Also check the BTRFS_FS_QUOTA_ENABLE flag in qgroup_rescan_init to avoid +another qgroup rescan worker to start after the previous qgroup worker +completed. + +CC: stable@vger.kernel.org # 5.4+ +Suggested-by: Nikolay Borisov +Reviewed-by: Filipe Manana +Signed-off-by: Shin'ichiro Kawasaki +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -1185,9 +1185,24 @@ int btrfs_quota_disable(struct btrfs_fs_ + struct btrfs_trans_handle *trans = NULL; + int ret = 0; + ++ /* ++ * We need to have subvol_sem write locked, to prevent races between ++ * concurrent tasks trying to disable quotas, because we will unlock ++ * and relock qgroup_ioctl_lock across BTRFS_FS_QUOTA_ENABLED changes. ++ */ ++ lockdep_assert_held_write(&fs_info->subvol_sem); ++ + mutex_lock(&fs_info->qgroup_ioctl_lock); + if (!fs_info->quota_root) + goto out; ++ ++ /* ++ * Request qgroup rescan worker to complete and wait for it. This wait ++ * must be done before transaction start for quota disable since it may ++ * deadlock with transaction by the qgroup rescan worker. ++ */ ++ clear_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags); ++ btrfs_qgroup_wait_for_completion(fs_info, false); + mutex_unlock(&fs_info->qgroup_ioctl_lock); + + /* +@@ -1205,14 +1220,13 @@ int btrfs_quota_disable(struct btrfs_fs_ + if (IS_ERR(trans)) { + ret = PTR_ERR(trans); + trans = NULL; ++ set_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags); + goto out; + } + + if (!fs_info->quota_root) + goto out; + +- clear_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags); +- btrfs_qgroup_wait_for_completion(fs_info, false); + spin_lock(&fs_info->qgroup_lock); + quota_root = fs_info->quota_root; + fs_info->quota_root = NULL; +@@ -3379,6 +3393,9 @@ qgroup_rescan_init(struct btrfs_fs_info + btrfs_warn(fs_info, + "qgroup rescan init failed, qgroup is not enabled"); + ret = -EINVAL; ++ } else if (!test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags)) { ++ /* Quota disable is in progress */ ++ ret = -EBUSY; + } + + if (ret) { diff --git a/queue-5.15/btrfs-fix-use-after-free-after-failure-to-create-a-snapshot.patch b/queue-5.15/btrfs-fix-use-after-free-after-failure-to-create-a-snapshot.patch new file mode 100644 index 00000000000..3757d90fa50 --- /dev/null +++ b/queue-5.15/btrfs-fix-use-after-free-after-failure-to-create-a-snapshot.patch @@ -0,0 +1,125 @@ +From 28b21c558a3753171097193b6f6602a94169093a Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 21 Jan 2022 15:44:39 +0000 +Subject: btrfs: fix use-after-free after failure to create a snapshot + +From: Filipe Manana + +commit 28b21c558a3753171097193b6f6602a94169093a upstream. + +At ioctl.c:create_snapshot(), we allocate a pending snapshot structure and +then attach it to the transaction's list of pending snapshots. After that +we call btrfs_commit_transaction(), and if that returns an error we jump +to 'fail' label, where we kfree() the pending snapshot structure. This can +result in a later use-after-free of the pending snapshot: + +1) We allocated the pending snapshot and added it to the transaction's + list of pending snapshots; + +2) We call btrfs_commit_transaction(), and it fails either at the first + call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups(). + In both cases, we don't abort the transaction and we release our + transaction handle. We jump to the 'fail' label and free the pending + snapshot structure. We return with the pending snapshot still in the + transaction's list; + +3) Another task commits the transaction. This time there's no error at + all, and then during the transaction commit it accesses a pointer + to the pending snapshot structure that the snapshot creation task + has already freed, resulting in a user-after-free. + +This issue could actually be detected by smatch, which produced the +following warning: + + fs/btrfs/ioctl.c:843 create_snapshot() warn: '&pending_snapshot->list' not removed from list + +So fix this by not having the snapshot creation ioctl directly add the +pending snapshot to the transaction's list. Instead add the pending +snapshot to the transaction handle, and then at btrfs_commit_transaction() +we add the snapshot to the list only when we can guarantee that any error +returned after that point will result in a transaction abort, in which +case the ioctl code can safely free the pending snapshot and no one can +access it anymore. + +CC: stable@vger.kernel.org # 5.10+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ioctl.c | 5 +---- + fs/btrfs/transaction.c | 24 ++++++++++++++++++++++++ + fs/btrfs/transaction.h | 2 ++ + 3 files changed, 27 insertions(+), 4 deletions(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -775,10 +775,7 @@ static int create_snapshot(struct btrfs_ + goto fail; + } + +- spin_lock(&fs_info->trans_lock); +- list_add(&pending_snapshot->list, +- &trans->transaction->pending_snapshots); +- spin_unlock(&fs_info->trans_lock); ++ trans->pending_snapshot = pending_snapshot; + + ret = btrfs_commit_transaction(trans); + if (ret) +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -2033,6 +2033,27 @@ static inline void btrfs_wait_delalloc_f + btrfs_wait_ordered_roots(fs_info, U64_MAX, 0, (u64)-1); + } + ++/* ++ * Add a pending snapshot associated with the given transaction handle to the ++ * respective handle. This must be called after the transaction commit started ++ * and while holding fs_info->trans_lock. ++ * This serves to guarantee a caller of btrfs_commit_transaction() that it can ++ * safely free the pending snapshot pointer in case btrfs_commit_transaction() ++ * returns an error. ++ */ ++static void add_pending_snapshot(struct btrfs_trans_handle *trans) ++{ ++ struct btrfs_transaction *cur_trans = trans->transaction; ++ ++ if (!trans->pending_snapshot) ++ return; ++ ++ lockdep_assert_held(&trans->fs_info->trans_lock); ++ ASSERT(cur_trans->state >= TRANS_STATE_COMMIT_START); ++ ++ list_add(&trans->pending_snapshot->list, &cur_trans->pending_snapshots); ++} ++ + int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + { + struct btrfs_fs_info *fs_info = trans->fs_info; +@@ -2106,6 +2127,8 @@ int btrfs_commit_transaction(struct btrf + if (cur_trans->state >= TRANS_STATE_COMMIT_START) { + enum btrfs_trans_state want_state = TRANS_STATE_COMPLETED; + ++ add_pending_snapshot(trans); ++ + spin_unlock(&fs_info->trans_lock); + refcount_inc(&cur_trans->use_count); + +@@ -2196,6 +2219,7 @@ int btrfs_commit_transaction(struct btrf + * COMMIT_DOING so make sure to wait for num_writers to == 1 again. + */ + spin_lock(&fs_info->trans_lock); ++ add_pending_snapshot(trans); + cur_trans->state = TRANS_STATE_COMMIT_DOING; + spin_unlock(&fs_info->trans_lock); + wait_event(cur_trans->writer_wait, +--- a/fs/btrfs/transaction.h ++++ b/fs/btrfs/transaction.h +@@ -123,6 +123,8 @@ struct btrfs_trans_handle { + struct btrfs_transaction *transaction; + struct btrfs_block_rsv *block_rsv; + struct btrfs_block_rsv *orig_rsv; ++ /* Set by a task that wants to create a snapshot. */ ++ struct btrfs_pending_snapshot *pending_snapshot; + refcount_t use_count; + unsigned int type; + /* diff --git a/queue-5.15/dma-buf-heaps-fix-potential-spectre-v1-gadget.patch b/queue-5.15/dma-buf-heaps-fix-potential-spectre-v1-gadget.patch new file mode 100644 index 00000000000..5f37e530040 --- /dev/null +++ b/queue-5.15/dma-buf-heaps-fix-potential-spectre-v1-gadget.patch @@ -0,0 +1,44 @@ +From 92c4cfaee6872038563c5b6f2e8e613f9d84d47d Mon Sep 17 00:00:00 2001 +From: Jordy Zomer +Date: Sat, 29 Jan 2022 16:06:04 +0100 +Subject: dma-buf: heaps: Fix potential spectre v1 gadget + +From: Jordy Zomer + +commit 92c4cfaee6872038563c5b6f2e8e613f9d84d47d upstream. + +It appears like nr could be a Spectre v1 gadget as it's supplied by a +user and used as an array index. Prevent the contents +of kernel memory from being leaked to userspace via speculative +execution by using array_index_nospec. + +Signed-off-by: Jordy Zomer +Fixes: c02a81fba74f ("dma-buf: Add dma-buf heaps framework") +Cc: # v5.6+ +Acked-by: John Stultz +Signed-off-by: Sumit Semwal + [sumits: added fixes and cc: stable tags] +Link: https://patchwork.freedesktop.org/patch/msgid/20220129150604.3461652-1-jordy@pwning.systems +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma-buf/dma-heap.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/dma-buf/dma-heap.c ++++ b/drivers/dma-buf/dma-heap.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -135,6 +136,7 @@ static long dma_heap_ioctl(struct file * + if (nr >= ARRAY_SIZE(dma_heap_ioctl_cmds)) + return -EINVAL; + ++ nr = array_index_nospec(nr, ARRAY_SIZE(dma_heap_ioctl_cmds)); + /* Get the kernel ioctl cmd that matches */ + kcmd = dma_heap_ioctl_cmds[nr]; + diff --git a/queue-5.15/drm-amd-display-force-link_rate-as-link_rate_rbr2-for-2018-15-apple-retina-panels.patch b/queue-5.15/drm-amd-display-force-link_rate-as-link_rate_rbr2-for-2018-15-apple-retina-panels.patch new file mode 100644 index 00000000000..35dc4467beb --- /dev/null +++ b/queue-5.15/drm-amd-display-force-link_rate-as-link_rate_rbr2-for-2018-15-apple-retina-panels.patch @@ -0,0 +1,64 @@ +From 30fbce374745a9c6af93c775a5ac49a97f822fda Mon Sep 17 00:00:00 2001 +From: Aun-Ali Zaidi +Date: Sat, 29 Jan 2022 05:49:55 +0000 +Subject: drm/amd/display: Force link_rate as LINK_RATE_RBR2 for 2018 15" Apple Retina panels + +From: Aun-Ali Zaidi + +commit 30fbce374745a9c6af93c775a5ac49a97f822fda upstream. + +The eDP link rate reported by the DP_MAX_LINK_RATE dpcd register (0xa) is +contradictory to the highest rate supported reported by +EDID (0xc = LINK_RATE_RBR2). The effects of this compounded with commit +'4a8ca46bae8a ("drm/amd/display: Default max bpc to 16 for eDP")' results +in no display modes being found and a dark panel. + +For now, simply force the maximum supported link rate for the eDP attached +2018 15" Apple Retina panels. + +Additionally, we must also check the firmware revision since the device ID +reported by the DPCD is identical to that of the more capable 16,1, +incorrectly quirking it. We also use said firmware check to quirk the +refreshed 15,1 models with Vega graphics as they use a slightly newer +firmware version. + +Tested-by: Aun-Ali Zaidi +Reviewed-by: Harry Wentland +Signed-off-by: Aun-Ali Zaidi +Signed-off-by: Aditya Garg +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c +@@ -3913,6 +3913,26 @@ static bool retrieve_link_cap(struct dc_ + dp_hw_fw_revision.ieee_fw_rev, + sizeof(dp_hw_fw_revision.ieee_fw_rev)); + ++ /* Quirk for Apple MBP 2018 15" Retina panels: wrong DP_MAX_LINK_RATE */ ++ { ++ uint8_t str_mbp_2018[] = { 101, 68, 21, 103, 98, 97 }; ++ uint8_t fwrev_mbp_2018[] = { 7, 4 }; ++ uint8_t fwrev_mbp_2018_vega[] = { 8, 4 }; ++ ++ /* We also check for the firmware revision as 16,1 models have an ++ * identical device id and are incorrectly quirked otherwise. ++ */ ++ if ((link->dpcd_caps.sink_dev_id == 0x0010fa) && ++ !memcmp(link->dpcd_caps.sink_dev_id_str, str_mbp_2018, ++ sizeof(str_mbp_2018)) && ++ (!memcmp(link->dpcd_caps.sink_fw_revision, fwrev_mbp_2018, ++ sizeof(fwrev_mbp_2018)) || ++ !memcmp(link->dpcd_caps.sink_fw_revision, fwrev_mbp_2018_vega, ++ sizeof(fwrev_mbp_2018_vega)))) { ++ link->reported_link_cap.link_rate = LINK_RATE_RBR2; ++ } ++ } ++ + memset(&link->dpcd_caps.dsc_caps, '\0', + sizeof(link->dpcd_caps.dsc_caps)); + memset(&link->dpcd_caps.fec_cap, '\0', sizeof(link->dpcd_caps.fec_cap)); diff --git a/queue-5.15/drm-amd-display-watermark-latencies-is-not-enough-on-dcn31.patch b/queue-5.15/drm-amd-display-watermark-latencies-is-not-enough-on-dcn31.patch new file mode 100644 index 00000000000..b39692a2aae --- /dev/null +++ b/queue-5.15/drm-amd-display-watermark-latencies-is-not-enough-on-dcn31.patch @@ -0,0 +1,87 @@ +From f5fa54f45ab41cbb1f99b1208f49554132ffb207 Mon Sep 17 00:00:00 2001 +From: Paul Hsieh +Date: Fri, 28 Jan 2022 22:03:57 +0800 +Subject: drm/amd/display: watermark latencies is not enough on DCN31 + +From: Paul Hsieh + +commit f5fa54f45ab41cbb1f99b1208f49554132ffb207 upstream. + +[Why] +The original latencies were causing underflow in some modes. +Resolution: 2880x1620@60p when HDR enable + +[How] +1. Replace with the up-to-date watermark values based on new measurments +2. Correct the ddr_wm_table name to DDR5 on DCN31 + +Tested-by: Daniel Wheeler +Reviewed-by: Aric Cyr +Acked-by: Stylon Wang +Signed-off-by: Paul Hsieh +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c | 20 +++++------ + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c +@@ -324,38 +324,38 @@ static struct clk_bw_params dcn31_bw_par + + }; + +-static struct wm_table ddr4_wm_table = { ++static struct wm_table ddr5_wm_table = { + .entries = { + { + .wm_inst = WM_A, + .wm_type = WM_TYPE_PSTATE_CHG, + .pstate_latency_us = 11.72, +- .sr_exit_time_us = 6.09, +- .sr_enter_plus_exit_time_us = 7.14, ++ .sr_exit_time_us = 9, ++ .sr_enter_plus_exit_time_us = 11, + .valid = true, + }, + { + .wm_inst = WM_B, + .wm_type = WM_TYPE_PSTATE_CHG, + .pstate_latency_us = 11.72, +- .sr_exit_time_us = 10.12, +- .sr_enter_plus_exit_time_us = 11.48, ++ .sr_exit_time_us = 9, ++ .sr_enter_plus_exit_time_us = 11, + .valid = true, + }, + { + .wm_inst = WM_C, + .wm_type = WM_TYPE_PSTATE_CHG, + .pstate_latency_us = 11.72, +- .sr_exit_time_us = 10.12, +- .sr_enter_plus_exit_time_us = 11.48, ++ .sr_exit_time_us = 9, ++ .sr_enter_plus_exit_time_us = 11, + .valid = true, + }, + { + .wm_inst = WM_D, + .wm_type = WM_TYPE_PSTATE_CHG, + .pstate_latency_us = 11.72, +- .sr_exit_time_us = 10.12, +- .sr_enter_plus_exit_time_us = 11.48, ++ .sr_exit_time_us = 9, ++ .sr_enter_plus_exit_time_us = 11, + .valid = true, + }, + } +@@ -683,7 +683,7 @@ void dcn31_clk_mgr_construct( + if (ctx->dc_bios->integrated_info->memory_type == LpDdr5MemType) { + dcn31_bw_params.wm_table = lpddr5_wm_table; + } else { +- dcn31_bw_params.wm_table = ddr4_wm_table; ++ dcn31_bw_params.wm_table = ddr5_wm_table; + } + /* Saved clocks configured at boot for debug purposes */ + dcn31_dump_clk_registers(&clk_mgr->base.base.boot_snapshot, &clk_mgr->base.base, &log_info); diff --git a/queue-5.15/drm-amd-pm-correct-the-mgpufanboost-support-for-beige-goby.patch b/queue-5.15/drm-amd-pm-correct-the-mgpufanboost-support-for-beige-goby.patch new file mode 100644 index 00000000000..97381d5f4d5 --- /dev/null +++ b/queue-5.15/drm-amd-pm-correct-the-mgpufanboost-support-for-beige-goby.patch @@ -0,0 +1,42 @@ +From 3ec5586b4699cfb75cdfa09425e11d121db40773 Mon Sep 17 00:00:00 2001 +From: Evan Quan +Date: Mon, 24 Jan 2022 13:40:35 +0800 +Subject: drm/amd/pm: correct the MGpuFanBoost support for Beige Goby + +From: Evan Quan + +commit 3ec5586b4699cfb75cdfa09425e11d121db40773 upstream. + +The existing way cannot handle Beige Goby well as a different +PPTable data structure(PPTable_beige_goby_t instead of PPTable_t) +is used there. + +Signed-off-by: Evan Quan +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c +@@ -3728,14 +3728,14 @@ static ssize_t sienna_cichlid_get_gpu_me + + static int sienna_cichlid_enable_mgpu_fan_boost(struct smu_context *smu) + { +- struct smu_table_context *table_context = &smu->smu_table; +- PPTable_t *smc_pptable = table_context->driver_pptable; ++ uint16_t *mgpu_fan_boost_limit_rpm; + ++ GET_PPTABLE_MEMBER(MGpuFanBoostLimitRpm, &mgpu_fan_boost_limit_rpm); + /* + * Skip the MGpuFanBoost setting for those ASICs + * which do not support it + */ +- if (!smc_pptable->MGpuFanBoostLimitRpm) ++ if (*mgpu_fan_boost_limit_rpm == 0) + return 0; + + return smu_cmn_send_smc_msg_with_param(smu, diff --git a/queue-5.15/drm-i915-adlp-fix-typec-phy-ready-status-readout.patch b/queue-5.15/drm-i915-adlp-fix-typec-phy-ready-status-readout.patch new file mode 100644 index 00000000000..39b97777aac --- /dev/null +++ b/queue-5.15/drm-i915-adlp-fix-typec-phy-ready-status-readout.patch @@ -0,0 +1,48 @@ +From 3c6f13ad723e7206f03bb2752b01d18202b7fc9d Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Wed, 26 Jan 2022 12:43:56 +0200 +Subject: drm/i915/adlp: Fix TypeC PHY-ready status readout +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Imre Deak + +commit 3c6f13ad723e7206f03bb2752b01d18202b7fc9d upstream. + +The TCSS_DDI_STATUS register is indexed by tc_port not by the FIA port +index, fix this up. This only caused an issue on TC#3/4 ports in legacy +mode, as in all other cases the two indices either match (on TC#1/2) or +the TCSS_DDI_STATUS_READY flag is set regardless of something being +connected or not (on TC#1/2/3/4 in dp-alt and tbt-alt modes). + +Reported-and-tested-by: Chia-Lin Kao (AceLan) +Fixes: 55ce306c2aa1 ("drm/i915/adl_p: Implement TC sequences") +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/4698 +Cc: José Roberto de Souza +Cc: # v5.14+ +Signed-off-by: Imre Deak +Reviewed-by: José Roberto de Souza +Link: https://patchwork.freedesktop.org/patch/msgid/20220126104356.2022975-1-imre.deak@intel.com +(cherry picked from commit 516b33460c5bee78b2055637b0547bdb0e6af754) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_tc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/display/intel_tc.c ++++ b/drivers/gpu/drm/i915/display/intel_tc.c +@@ -291,10 +291,11 @@ static bool icl_tc_phy_status_complete(s + static bool adl_tc_phy_status_complete(struct intel_digital_port *dig_port) + { + struct drm_i915_private *i915 = to_i915(dig_port->base.base.dev); ++ enum tc_port tc_port = intel_port_to_tc(i915, dig_port->base.port); + struct intel_uncore *uncore = &i915->uncore; + u32 val; + +- val = intel_uncore_read(uncore, TCSS_DDI_STATUS(dig_port->tc_phy_fia_idx)); ++ val = intel_uncore_read(uncore, TCSS_DDI_STATUS(tc_port)); + if (val == 0xffffffff) { + drm_dbg_kms(&i915->drm, + "Port %s: PHY in TCCOLD, assuming not complete\n", diff --git a/queue-5.15/drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch b/queue-5.15/drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch new file mode 100644 index 00000000000..7c0f03776fc --- /dev/null +++ b/queue-5.15/drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch @@ -0,0 +1,42 @@ +From 1b777d4d9e383d2744fc9b3a09af6ec1893c8b1a Mon Sep 17 00:00:00 2001 +From: Nick Lopez +Date: Sat, 22 Jan 2022 01:19:06 -0700 +Subject: drm/nouveau: fix off by one in BIOS boundary checking + +From: Nick Lopez + +commit 1b777d4d9e383d2744fc9b3a09af6ec1893c8b1a upstream. + +Bounds checking when parsing init scripts embedded in the BIOS reject +access to the last byte. This causes driver initialization to fail on +Apple eMac's with GeForce 2 MX GPUs, leaving the system with no working +console. + +This is probably only seen on OpenFirmware machines like PowerPC Macs +because the BIOS image provided by OF is only the used parts of the ROM, +not a power-of-two blocks read from PCI directly so PCs always have +empty bytes at the end that are never accessed. + +Signed-off-by: Nick Lopez +Fixes: 4d4e9907ff572 ("drm/nouveau/bios: guard against out-of-bounds accesses to image") +Cc: # v4.10+ +Reviewed-by: Ilia Mirkin +Reviewed-by: Karol Herbst +Signed-off-by: Karol Herbst +Link: https://patchwork.freedesktop.org/patch/msgid/20220122081906.2633061-1-github@glowingmonkey.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c +@@ -38,7 +38,7 @@ nvbios_addr(struct nvkm_bios *bios, u32 + *addr += bios->imaged_addr; + } + +- if (unlikely(*addr + size >= bios->size)) { ++ if (unlikely(*addr + size > bios->size)) { + nvkm_error(&bios->subdev, "OOB %d %08x %08x\n", size, p, *addr); + return false; + } diff --git a/queue-5.15/fbcon-add-option-to-enable-legacy-hardware-acceleration.patch b/queue-5.15/fbcon-add-option-to-enable-legacy-hardware-acceleration.patch new file mode 100644 index 00000000000..8a1a2bc0982 --- /dev/null +++ b/queue-5.15/fbcon-add-option-to-enable-legacy-hardware-acceleration.patch @@ -0,0 +1,373 @@ +From a3f781a9d6114c1d1e01defb7aa234dec45d2a5f Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Wed, 2 Feb 2022 14:55:31 +0100 +Subject: fbcon: Add option to enable legacy hardware acceleration + +From: Helge Deller + +commit a3f781a9d6114c1d1e01defb7aa234dec45d2a5f upstream. + +Add a config option CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION to +enable bitblt and fillrect hardware acceleration in the framebuffer +console. If disabled, such acceleration will not be used, even if it is +supported by the graphics hardware driver. + +If you plan to use DRM as your main graphics output system, you should +disable this option since it will prevent compiling in code which isn't +used later on when DRM takes over. + +For all other configurations, e.g. if none of your graphic cards support +DRM (yet), DRM isn't available for your architecture, or you can't be +sure that the graphic card in the target system will support DRM, you +most likely want to enable this option. + +In the non-accelerated case (e.g. when DRM is used), the inlined +fb_scrollmode() function is hardcoded to return SCROLL_REDRAW and as such the +compiler is able to optimize much unneccesary code away. + +In this v3 patch version I additionally changed the GETVYRES() and GETVXRES() +macros to take a pointer to the fbcon_display struct. This fixes the build when +console rotation is enabled and helps the compiler again to optimize out code. + +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.10+ +Signed-off-by: Helge Deller +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20220202135531.92183-4-deller@gmx.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/console/Kconfig | 20 ++++++++++++++++ + drivers/video/fbdev/core/fbcon.c | 39 ++++++++++++++++++++++---------- + drivers/video/fbdev/core/fbcon.h | 15 +++++++++++- + drivers/video/fbdev/core/fbcon_ccw.c | 10 ++++---- + drivers/video/fbdev/core/fbcon_cw.c | 10 ++++---- + drivers/video/fbdev/core/fbcon_rotate.h | 4 +-- + drivers/video/fbdev/core/fbcon_ud.c | 20 ++++++++-------- + 7 files changed, 84 insertions(+), 34 deletions(-) + +--- a/drivers/video/console/Kconfig ++++ b/drivers/video/console/Kconfig +@@ -78,6 +78,26 @@ config FRAMEBUFFER_CONSOLE + help + Low-level framebuffer-based console driver. + ++config FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION ++ bool "Enable legacy fbcon hardware acceleration code" ++ depends on FRAMEBUFFER_CONSOLE ++ default y if PARISC ++ default n ++ help ++ This option enables the fbcon (framebuffer text-based) hardware ++ acceleration for graphics drivers which were written for the fbdev ++ graphics interface. ++ ++ On modern machines, on mainstream machines (like x86-64) or when ++ using a modern Linux distribution those fbdev drivers usually aren't used. ++ So enabling this option wouldn't have any effect, which is why you want ++ to disable this option on such newer machines. ++ ++ If you compile this kernel for older machines which still require the ++ fbdev drivers, you may want to say Y. ++ ++ If unsure, select n. ++ + config FRAMEBUFFER_CONSOLE_DETECT_PRIMARY + bool "Map the console to the primary display device" + depends on FRAMEBUFFER_CONSOLE +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -1136,11 +1136,13 @@ static void fbcon_init(struct vc_data *v + + ops->graphics = 0; + ++#ifdef CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION + if ((cap & FBINFO_HWACCEL_COPYAREA) && + !(cap & FBINFO_HWACCEL_DISABLED)) + p->scrollmode = SCROLL_MOVE; + else /* default to something safe */ + p->scrollmode = SCROLL_REDRAW; ++#endif + + /* + * ++guenther: console.c:vc_allocate() relies on initializing +@@ -1705,7 +1707,7 @@ static bool fbcon_scroll(struct vc_data + count = vc->vc_rows; + if (logo_shown >= 0) + goto redraw_up; +- switch (p->scrollmode) { ++ switch (fb_scrollmode(p)) { + case SCROLL_MOVE: + fbcon_redraw_blit(vc, info, p, t, b - t - count, + count); +@@ -1795,7 +1797,7 @@ static bool fbcon_scroll(struct vc_data + count = vc->vc_rows; + if (logo_shown >= 0) + goto redraw_down; +- switch (p->scrollmode) { ++ switch (fb_scrollmode(p)) { + case SCROLL_MOVE: + fbcon_redraw_blit(vc, info, p, b - 1, b - t - count, + -count); +@@ -1946,12 +1948,12 @@ static void fbcon_bmove_rec(struct vc_da + height, width); + } + +-static void updatescrollmode(struct fbcon_display *p, ++static void updatescrollmode_accel(struct fbcon_display *p, + struct fb_info *info, + struct vc_data *vc) + { ++#ifdef CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION + struct fbcon_ops *ops = info->fbcon_par; +- int fh = vc->vc_font.height; + int cap = info->flags; + u16 t = 0; + int ypan = FBCON_SWAP(ops->rotate, info->fix.ypanstep, +@@ -1972,12 +1974,6 @@ static void updatescrollmode(struct fbco + int fast_imageblit = (cap & FBINFO_HWACCEL_IMAGEBLIT) && + !(cap & FBINFO_HWACCEL_DISABLED); + +- p->vrows = vyres/fh; +- if (yres > (fh * (vc->vc_rows + 1))) +- p->vrows -= (yres - (fh * vc->vc_rows)) / fh; +- if ((yres % fh) && (vyres % fh < yres % fh)) +- p->vrows--; +- + if (good_wrap || good_pan) { + if (reading_fast || fast_copyarea) + p->scrollmode = good_wrap ? +@@ -1991,6 +1987,27 @@ static void updatescrollmode(struct fbco + else + p->scrollmode = SCROLL_REDRAW; + } ++#endif ++} ++ ++static void updatescrollmode(struct fbcon_display *p, ++ struct fb_info *info, ++ struct vc_data *vc) ++{ ++ struct fbcon_ops *ops = info->fbcon_par; ++ int fh = vc->vc_font.height; ++ int yres = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres); ++ int vyres = FBCON_SWAP(ops->rotate, info->var.yres_virtual, ++ info->var.xres_virtual); ++ ++ p->vrows = vyres/fh; ++ if (yres > (fh * (vc->vc_rows + 1))) ++ p->vrows -= (yres - (fh * vc->vc_rows)) / fh; ++ if ((yres % fh) && (vyres % fh < yres % fh)) ++ p->vrows--; ++ ++ /* update scrollmode in case hardware acceleration is used */ ++ updatescrollmode_accel(p, info, vc); + } + + #define PITCH(w) (((w) + 7) >> 3) +@@ -2148,7 +2165,7 @@ static int fbcon_switch(struct vc_data * + + updatescrollmode(p, info, vc); + +- switch (p->scrollmode) { ++ switch (fb_scrollmode(p)) { + case SCROLL_WRAP_MOVE: + scrollback_phys_max = p->vrows - vc->vc_rows; + break; +--- a/drivers/video/fbdev/core/fbcon.h ++++ b/drivers/video/fbdev/core/fbcon.h +@@ -29,7 +29,9 @@ struct fbcon_display { + /* Filled in by the low-level console driver */ + const u_char *fontdata; + int userfont; /* != 0 if fontdata kmalloc()ed */ +- u_short scrollmode; /* Scroll Method */ ++#ifdef CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION ++ u_short scrollmode; /* Scroll Method, use fb_scrollmode() */ ++#endif + u_short inverse; /* != 0 text black on white as default */ + short yscroll; /* Hardware scrolling */ + int vrows; /* number of virtual rows */ +@@ -208,6 +210,17 @@ static inline int attr_col_ec(int shift, + #define SCROLL_REDRAW 0x004 + #define SCROLL_PAN_REDRAW 0x005 + ++static inline u_short fb_scrollmode(struct fbcon_display *fb) ++{ ++#ifdef CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION ++ return fb->scrollmode; ++#else ++ /* hardcoded to SCROLL_REDRAW if acceleration was disabled. */ ++ return SCROLL_REDRAW; ++#endif ++} ++ ++ + #ifdef CONFIG_FB_TILEBLITTING + extern void fbcon_set_tileops(struct vc_data *vc, struct fb_info *info); + #endif +--- a/drivers/video/fbdev/core/fbcon_ccw.c ++++ b/drivers/video/fbdev/core/fbcon_ccw.c +@@ -65,7 +65,7 @@ static void ccw_bmove(struct vc_data *vc + { + struct fbcon_ops *ops = info->fbcon_par; + struct fb_copyarea area; +- u32 vyres = GETVYRES(ops->p->scrollmode, info); ++ u32 vyres = GETVYRES(ops->p, info); + + area.sx = sy * vc->vc_font.height; + area.sy = vyres - ((sx + width) * vc->vc_font.width); +@@ -83,7 +83,7 @@ static void ccw_clear(struct vc_data *vc + struct fbcon_ops *ops = info->fbcon_par; + struct fb_fillrect region; + int bgshift = (vc->vc_hi_font_mask) ? 13 : 12; +- u32 vyres = GETVYRES(ops->p->scrollmode, info); ++ u32 vyres = GETVYRES(ops->p, info); + + region.color = attr_bgcol_ec(bgshift,vc,info); + region.dx = sy * vc->vc_font.height; +@@ -140,7 +140,7 @@ static void ccw_putcs(struct vc_data *vc + u32 cnt, pitch, size; + u32 attribute = get_attribute(info, scr_readw(s)); + u8 *dst, *buf = NULL; +- u32 vyres = GETVYRES(ops->p->scrollmode, info); ++ u32 vyres = GETVYRES(ops->p, info); + + if (!ops->fontbuffer) + return; +@@ -229,7 +229,7 @@ static void ccw_cursor(struct vc_data *v + int attribute, use_sw = vc->vc_cursor_type & CUR_SW; + int err = 1, dx, dy; + char *src; +- u32 vyres = GETVYRES(ops->p->scrollmode, info); ++ u32 vyres = GETVYRES(ops->p, info); + + if (!ops->fontbuffer) + return; +@@ -387,7 +387,7 @@ static int ccw_update_start(struct fb_in + { + struct fbcon_ops *ops = info->fbcon_par; + u32 yoffset; +- u32 vyres = GETVYRES(ops->p->scrollmode, info); ++ u32 vyres = GETVYRES(ops->p, info); + int err; + + yoffset = (vyres - info->var.yres) - ops->var.xoffset; +--- a/drivers/video/fbdev/core/fbcon_cw.c ++++ b/drivers/video/fbdev/core/fbcon_cw.c +@@ -50,7 +50,7 @@ static void cw_bmove(struct vc_data *vc, + { + struct fbcon_ops *ops = info->fbcon_par; + struct fb_copyarea area; +- u32 vxres = GETVXRES(ops->p->scrollmode, info); ++ u32 vxres = GETVXRES(ops->p, info); + + area.sx = vxres - ((sy + height) * vc->vc_font.height); + area.sy = sx * vc->vc_font.width; +@@ -68,7 +68,7 @@ static void cw_clear(struct vc_data *vc, + struct fbcon_ops *ops = info->fbcon_par; + struct fb_fillrect region; + int bgshift = (vc->vc_hi_font_mask) ? 13 : 12; +- u32 vxres = GETVXRES(ops->p->scrollmode, info); ++ u32 vxres = GETVXRES(ops->p, info); + + region.color = attr_bgcol_ec(bgshift,vc,info); + region.dx = vxres - ((sy + height) * vc->vc_font.height); +@@ -125,7 +125,7 @@ static void cw_putcs(struct vc_data *vc, + u32 cnt, pitch, size; + u32 attribute = get_attribute(info, scr_readw(s)); + u8 *dst, *buf = NULL; +- u32 vxres = GETVXRES(ops->p->scrollmode, info); ++ u32 vxres = GETVXRES(ops->p, info); + + if (!ops->fontbuffer) + return; +@@ -212,7 +212,7 @@ static void cw_cursor(struct vc_data *vc + int attribute, use_sw = vc->vc_cursor_type & CUR_SW; + int err = 1, dx, dy; + char *src; +- u32 vxres = GETVXRES(ops->p->scrollmode, info); ++ u32 vxres = GETVXRES(ops->p, info); + + if (!ops->fontbuffer) + return; +@@ -369,7 +369,7 @@ static void cw_cursor(struct vc_data *vc + static int cw_update_start(struct fb_info *info) + { + struct fbcon_ops *ops = info->fbcon_par; +- u32 vxres = GETVXRES(ops->p->scrollmode, info); ++ u32 vxres = GETVXRES(ops->p, info); + u32 xoffset; + int err; + +--- a/drivers/video/fbdev/core/fbcon_rotate.h ++++ b/drivers/video/fbdev/core/fbcon_rotate.h +@@ -12,11 +12,11 @@ + #define _FBCON_ROTATE_H + + #define GETVYRES(s,i) ({ \ +- (s == SCROLL_REDRAW || s == SCROLL_MOVE) ? \ ++ (fb_scrollmode(s) == SCROLL_REDRAW || fb_scrollmode(s) == SCROLL_MOVE) ? \ + (i)->var.yres : (i)->var.yres_virtual; }) + + #define GETVXRES(s,i) ({ \ +- (s == SCROLL_REDRAW || s == SCROLL_MOVE || !(i)->fix.xpanstep) ? \ ++ (fb_scrollmode(s) == SCROLL_REDRAW || fb_scrollmode(s) == SCROLL_MOVE || !(i)->fix.xpanstep) ? \ + (i)->var.xres : (i)->var.xres_virtual; }) + + +--- a/drivers/video/fbdev/core/fbcon_ud.c ++++ b/drivers/video/fbdev/core/fbcon_ud.c +@@ -50,8 +50,8 @@ static void ud_bmove(struct vc_data *vc, + { + struct fbcon_ops *ops = info->fbcon_par; + struct fb_copyarea area; +- u32 vyres = GETVYRES(ops->p->scrollmode, info); +- u32 vxres = GETVXRES(ops->p->scrollmode, info); ++ u32 vyres = GETVYRES(ops->p, info); ++ u32 vxres = GETVXRES(ops->p, info); + + area.sy = vyres - ((sy + height) * vc->vc_font.height); + area.sx = vxres - ((sx + width) * vc->vc_font.width); +@@ -69,8 +69,8 @@ static void ud_clear(struct vc_data *vc, + struct fbcon_ops *ops = info->fbcon_par; + struct fb_fillrect region; + int bgshift = (vc->vc_hi_font_mask) ? 13 : 12; +- u32 vyres = GETVYRES(ops->p->scrollmode, info); +- u32 vxres = GETVXRES(ops->p->scrollmode, info); ++ u32 vyres = GETVYRES(ops->p, info); ++ u32 vxres = GETVXRES(ops->p, info); + + region.color = attr_bgcol_ec(bgshift,vc,info); + region.dy = vyres - ((sy + height) * vc->vc_font.height); +@@ -162,8 +162,8 @@ static void ud_putcs(struct vc_data *vc, + u32 mod = vc->vc_font.width % 8, cnt, pitch, size; + u32 attribute = get_attribute(info, scr_readw(s)); + u8 *dst, *buf = NULL; +- u32 vyres = GETVYRES(ops->p->scrollmode, info); +- u32 vxres = GETVXRES(ops->p->scrollmode, info); ++ u32 vyres = GETVYRES(ops->p, info); ++ u32 vxres = GETVXRES(ops->p, info); + + if (!ops->fontbuffer) + return; +@@ -259,8 +259,8 @@ static void ud_cursor(struct vc_data *vc + int attribute, use_sw = vc->vc_cursor_type & CUR_SW; + int err = 1, dx, dy; + char *src; +- u32 vyres = GETVYRES(ops->p->scrollmode, info); +- u32 vxres = GETVXRES(ops->p->scrollmode, info); ++ u32 vyres = GETVYRES(ops->p, info); ++ u32 vxres = GETVXRES(ops->p, info); + + if (!ops->fontbuffer) + return; +@@ -410,8 +410,8 @@ static int ud_update_start(struct fb_inf + { + struct fbcon_ops *ops = info->fbcon_par; + int xoffset, yoffset; +- u32 vyres = GETVYRES(ops->p->scrollmode, info); +- u32 vxres = GETVXRES(ops->p->scrollmode, info); ++ u32 vyres = GETVYRES(ops->p, info); ++ u32 vxres = GETVXRES(ops->p, info); + int err; + + xoffset = vxres - info->var.xres - ops->var.xoffset; diff --git a/queue-5.15/ib-hfi1-fix-aip-early-init-panic.patch b/queue-5.15/ib-hfi1-fix-aip-early-init-panic.patch new file mode 100644 index 00000000000..a15ecbe1cf8 --- /dev/null +++ b/queue-5.15/ib-hfi1-fix-aip-early-init-panic.patch @@ -0,0 +1,123 @@ +From 5f8f55b92edd621f056bdf09e572092849fabd83 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Sat, 15 Jan 2022 18:02:35 -0500 +Subject: IB/hfi1: Fix AIP early init panic + +From: Mike Marciniszyn + +commit 5f8f55b92edd621f056bdf09e572092849fabd83 upstream. + +An early failure in hfi1_ipoib_setup_rn() can lead to the following panic: + + BUG: unable to handle kernel NULL pointer dereference at 00000000000001b0 + PGD 0 P4D 0 + Oops: 0002 [#1] SMP NOPTI + Workqueue: events work_for_cpu_fn + RIP: 0010:try_to_grab_pending+0x2b/0x140 + Code: 1f 44 00 00 41 55 41 54 55 48 89 d5 53 48 89 fb 9c 58 0f 1f 44 00 00 48 89 c2 fa 66 0f 1f 44 00 00 48 89 55 00 40 84 f6 75 77 48 0f ba 2b 00 72 09 31 c0 5b 5d 41 5c 41 5d c3 48 89 df e8 6c + RSP: 0018:ffffb6b3cf7cfa48 EFLAGS: 00010046 + RAX: 0000000000000246 RBX: 00000000000001b0 RCX: 0000000000000000 + RDX: 0000000000000246 RSI: 0000000000000000 RDI: 00000000000001b0 + RBP: ffffb6b3cf7cfa70 R08: 0000000000000f09 R09: 0000000000000001 + R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 + R13: ffffb6b3cf7cfa90 R14: ffffffff9b2fbfc0 R15: ffff8a4fdf244690 + FS: 0000000000000000(0000) GS:ffff8a527f400000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00000000000001b0 CR3: 00000017e2410003 CR4: 00000000007706f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + __cancel_work_timer+0x42/0x190 + ? dev_printk_emit+0x4e/0x70 + iowait_cancel_work+0x15/0x30 [hfi1] + hfi1_ipoib_txreq_deinit+0x5a/0x220 [hfi1] + ? dev_err+0x6c/0x90 + hfi1_ipoib_netdev_dtor+0x15/0x30 [hfi1] + hfi1_ipoib_setup_rn+0x10e/0x150 [hfi1] + rdma_init_netdev+0x5a/0x80 [ib_core] + ? hfi1_ipoib_free_rdma_netdev+0x20/0x20 [hfi1] + ipoib_intf_init+0x6c/0x350 [ib_ipoib] + ipoib_intf_alloc+0x5c/0xc0 [ib_ipoib] + ipoib_add_one+0xbe/0x300 [ib_ipoib] + add_client_context+0x12c/0x1a0 [ib_core] + enable_device_and_get+0xdc/0x1d0 [ib_core] + ib_register_device+0x572/0x6b0 [ib_core] + rvt_register_device+0x11b/0x220 [rdmavt] + hfi1_register_ib_device+0x6b4/0x770 [hfi1] + do_init_one.isra.20+0x3e3/0x680 [hfi1] + local_pci_probe+0x41/0x90 + work_for_cpu_fn+0x16/0x20 + process_one_work+0x1a7/0x360 + ? create_worker+0x1a0/0x1a0 + worker_thread+0x1cf/0x390 + ? create_worker+0x1a0/0x1a0 + kthread+0x116/0x130 + ? kthread_flush_work_fn+0x10/0x10 + ret_from_fork+0x1f/0x40 + +The panic happens in hfi1_ipoib_txreq_deinit() because there is a NULL +deref when hfi1_ipoib_netdev_dtor() is called in this error case. + +hfi1_ipoib_txreq_init() and hfi1_ipoib_rxq_init() are self unwinding so +fix by adjusting the error paths accordingly. + +Other changes: +- hfi1_ipoib_free_rdma_netdev() is deleted including the free_netdev() + since the netdev core code deletes calls free_netdev() +- The switch to the accelerated entrances is moved to the success path. + +Cc: stable@vger.kernel.org +Fixes: d99dc602e2a5 ("IB/hfi1: Add functions to transmit datagram ipoib packets") +Link: https://lore.kernel.org/r/1642287756-182313-4-git-send-email-mike.marciniszyn@cornelisnetworks.com +Reviewed-by: Dennis Dalessandro +Signed-off-by: Mike Marciniszyn +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/ipoib_main.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/ipoib_main.c ++++ b/drivers/infiniband/hw/hfi1/ipoib_main.c +@@ -168,12 +168,6 @@ static void hfi1_ipoib_netdev_dtor(struc + free_percpu(dev->tstats); + } + +-static void hfi1_ipoib_free_rdma_netdev(struct net_device *dev) +-{ +- hfi1_ipoib_netdev_dtor(dev); +- free_netdev(dev); +-} +- + static void hfi1_ipoib_set_id(struct net_device *dev, int id) + { + struct hfi1_ipoib_dev_priv *priv = hfi1_ipoib_priv(dev); +@@ -211,24 +205,23 @@ static int hfi1_ipoib_setup_rn(struct ib + priv->port_num = port_num; + priv->netdev_ops = netdev->netdev_ops; + +- netdev->netdev_ops = &hfi1_ipoib_netdev_ops; +- + ib_query_pkey(device, port_num, priv->pkey_index, &priv->pkey); + + rc = hfi1_ipoib_txreq_init(priv); + if (rc) { + dd_dev_err(dd, "IPoIB netdev TX init - failed(%d)\n", rc); +- hfi1_ipoib_free_rdma_netdev(netdev); + return rc; + } + + rc = hfi1_ipoib_rxq_init(netdev); + if (rc) { + dd_dev_err(dd, "IPoIB netdev RX init - failed(%d)\n", rc); +- hfi1_ipoib_free_rdma_netdev(netdev); ++ hfi1_ipoib_txreq_deinit(priv); + return rc; + } + ++ netdev->netdev_ops = &hfi1_ipoib_netdev_ops; ++ + netdev->priv_destructor = hfi1_ipoib_netdev_dtor; + netdev->needs_free_netdev = true; + diff --git a/queue-5.15/ipc-sem-do-not-sleep-with-a-spin-lock-held.patch b/queue-5.15/ipc-sem-do-not-sleep-with-a-spin-lock-held.patch new file mode 100644 index 00000000000..ba1ad358bdd --- /dev/null +++ b/queue-5.15/ipc-sem-do-not-sleep-with-a-spin-lock-held.patch @@ -0,0 +1,52 @@ +From 520ba724061cef59763e2b6f5b26e8387c2e5822 Mon Sep 17 00:00:00 2001 +From: Minghao Chi +Date: Thu, 3 Feb 2022 20:49:33 -0800 +Subject: ipc/sem: do not sleep with a spin lock held + +From: Minghao Chi + +commit 520ba724061cef59763e2b6f5b26e8387c2e5822 upstream. + +We can't call kvfree() with a spin lock held, so defer it. + +Link: https://lkml.kernel.org/r/20211223031207.556189-1-chi.minghao@zte.com.cn +Fixes: fc37a3b8b438 ("[PATCH] ipc sem: use kvmalloc for sem_undo allocation") +Reported-by: Zeal Robot +Signed-off-by: Minghao Chi +Reviewed-by: Shakeel Butt +Reviewed-by: Manfred Spraul +Cc: Arnd Bergmann +Cc: Yang Guang +Cc: Davidlohr Bueso +Cc: Randy Dunlap +Cc: Bhaskar Chowdhury +Cc: Vasily Averin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + ipc/sem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/ipc/sem.c ++++ b/ipc/sem.c +@@ -1964,6 +1964,7 @@ static struct sem_undo *find_alloc_undo( + */ + un = lookup_undo(ulp, semid); + if (un) { ++ spin_unlock(&ulp->lock); + kvfree(new); + goto success; + } +@@ -1976,9 +1977,8 @@ static struct sem_undo *find_alloc_undo( + ipc_assert_locked_object(&sma->sem_perm); + list_add(&new->list_id, &sma->list_id); + un = new; +- +-success: + spin_unlock(&ulp->lock); ++success: + sem_unlock(sma, -1); + out: + return un; diff --git a/queue-5.15/mm-debug_vm_pgtable-remove-pte-entry-from-the-page-table.patch b/queue-5.15/mm-debug_vm_pgtable-remove-pte-entry-from-the-page-table.patch new file mode 100644 index 00000000000..b78db4029b7 --- /dev/null +++ b/queue-5.15/mm-debug_vm_pgtable-remove-pte-entry-from-the-page-table.patch @@ -0,0 +1,75 @@ +From fb5222aae64fe25e5f3ebefde8214dcf3ba33ca5 Mon Sep 17 00:00:00 2001 +From: Pasha Tatashin +Date: Thu, 3 Feb 2022 20:49:10 -0800 +Subject: mm/debug_vm_pgtable: remove pte entry from the page table + +From: Pasha Tatashin + +commit fb5222aae64fe25e5f3ebefde8214dcf3ba33ca5 upstream. + +Patch series "page table check fixes and cleanups", v5. + +This patch (of 4): + +The pte entry that is used in pte_advanced_tests() is never removed from +the page table at the end of the test. + +The issue is detected by page_table_check, to repro compile kernel with +the following configs: + +CONFIG_DEBUG_VM_PGTABLE=y +CONFIG_PAGE_TABLE_CHECK=y +CONFIG_PAGE_TABLE_CHECK_ENFORCED=y + +During the boot the following BUG is printed: + + debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers + ------------[ cut here ]------------ + kernel BUG at mm/page_table_check.c:162! + invalid opcode: 0000 [#1] PREEMPT SMP PTI + CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.16.0-11413-g2c271fe77d52 #3 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 + ... + +The entry should be properly removed from the page table before the page +is released to the free list. + +Link: https://lkml.kernel.org/r/20220131203249.2832273-1-pasha.tatashin@soleen.com +Link: https://lkml.kernel.org/r/20220131203249.2832273-2-pasha.tatashin@soleen.com +Fixes: a5c3b9ffb0f4 ("mm/debug_vm_pgtable: add tests validating advanced arch page table helpers") +Signed-off-by: Pasha Tatashin +Reviewed-by: Zi Yan +Tested-by: Zi Yan +Acked-by: David Rientjes +Reviewed-by: Anshuman Khandual +Cc: Paul Turner +Cc: Wei Xu +Cc: Greg Thelen +Cc: Ingo Molnar +Cc: Will Deacon +Cc: Mike Rapoport +Cc: Dave Hansen +Cc: H. Peter Anvin +Cc: Aneesh Kumar K.V +Cc: Jiri Slaby +Cc: Muchun Song +Cc: Hugh Dickins +Cc: [5.9+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/debug_vm_pgtable.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/debug_vm_pgtable.c ++++ b/mm/debug_vm_pgtable.c +@@ -171,6 +171,8 @@ static void __init pte_advanced_tests(st + ptep_test_and_clear_young(args->vma, args->vaddr, args->ptep); + pte = ptep_get(args->ptep); + WARN_ON(pte_young(pte)); ++ ++ ptep_get_and_clear_full(args->mm, args->vaddr, args->ptep, 1); + } + + static void __init pte_savedwrite_tests(struct pgtable_debug_args *args) diff --git a/queue-5.15/mm-kmemleak-avoid-scanning-potential-huge-holes.patch b/queue-5.15/mm-kmemleak-avoid-scanning-potential-huge-holes.patch new file mode 100644 index 00000000000..06a5f3dfe05 --- /dev/null +++ b/queue-5.15/mm-kmemleak-avoid-scanning-potential-huge-holes.patch @@ -0,0 +1,121 @@ +From c10a0f877fe007021d70f9cada240f42adc2b5db Mon Sep 17 00:00:00 2001 +From: Lang Yu +Date: Thu, 3 Feb 2022 20:49:37 -0800 +Subject: mm/kmemleak: avoid scanning potential huge holes + +From: Lang Yu + +commit c10a0f877fe007021d70f9cada240f42adc2b5db upstream. + +When using devm_request_free_mem_region() and devm_memremap_pages() to +add ZONE_DEVICE memory, if requested free mem region's end pfn were +huge(e.g., 0x400000000), the node_end_pfn() will be also huge (see +move_pfn_range_to_zone()). Thus it creates a huge hole between +node_start_pfn() and node_end_pfn(). + +We found on some AMD APUs, amdkfd requested such a free mem region and +created a huge hole. In such a case, following code snippet was just +doing busy test_bit() looping on the huge hole. + + for (pfn = start_pfn; pfn < end_pfn; pfn++) { + struct page *page = pfn_to_online_page(pfn); + if (!page) + continue; + ... + } + +So we got a soft lockup: + + watchdog: BUG: soft lockup - CPU#6 stuck for 26s! [bash:1221] + CPU: 6 PID: 1221 Comm: bash Not tainted 5.15.0-custom #1 + RIP: 0010:pfn_to_online_page+0x5/0xd0 + Call Trace: + ? kmemleak_scan+0x16a/0x440 + kmemleak_write+0x306/0x3a0 + ? common_file_perm+0x72/0x170 + full_proxy_write+0x5c/0x90 + vfs_write+0xb9/0x260 + ksys_write+0x67/0xe0 + __x64_sys_write+0x1a/0x20 + do_syscall_64+0x3b/0xc0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +I did some tests with the patch. + +(1) amdgpu module unloaded + +before the patch: + + real 0m0.976s + user 0m0.000s + sys 0m0.968s + +after the patch: + + real 0m0.981s + user 0m0.000s + sys 0m0.973s + +(2) amdgpu module loaded + +before the patch: + + real 0m35.365s + user 0m0.000s + sys 0m35.354s + +after the patch: + + real 0m1.049s + user 0m0.000s + sys 0m1.042s + +Link: https://lkml.kernel.org/r/20211108140029.721144-1-lang.yu@amd.com +Signed-off-by: Lang Yu +Acked-by: David Hildenbrand +Acked-by: Catalin Marinas +Cc: Oscar Salvador +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmemleak.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -1403,7 +1403,8 @@ static void kmemleak_scan(void) + { + unsigned long flags; + struct kmemleak_object *object; +- int i; ++ struct zone *zone; ++ int __maybe_unused i; + int new_leaks = 0; + + jiffies_last_scan = jiffies; +@@ -1443,9 +1444,9 @@ static void kmemleak_scan(void) + * Struct page scanning for each node. + */ + get_online_mems(); +- for_each_online_node(i) { +- unsigned long start_pfn = node_start_pfn(i); +- unsigned long end_pfn = node_end_pfn(i); ++ for_each_populated_zone(zone) { ++ unsigned long start_pfn = zone->zone_start_pfn; ++ unsigned long end_pfn = zone_end_pfn(zone); + unsigned long pfn; + + for (pfn = start_pfn; pfn < end_pfn; pfn++) { +@@ -1454,8 +1455,8 @@ static void kmemleak_scan(void) + if (!page) + continue; + +- /* only scan pages belonging to this node */ +- if (page_to_nid(page) != i) ++ /* only scan pages belonging to this zone */ ++ if (page_zone(page) != zone) + continue; + /* only scan if page is in use */ + if (page_count(page) == 0) diff --git a/queue-5.15/mm-pgtable-define-pte_index-so-that-preprocessor-could-recognize-it.patch b/queue-5.15/mm-pgtable-define-pte_index-so-that-preprocessor-could-recognize-it.patch new file mode 100644 index 00000000000..7bf4c34d0f3 --- /dev/null +++ b/queue-5.15/mm-pgtable-define-pte_index-so-that-preprocessor-could-recognize-it.patch @@ -0,0 +1,39 @@ +From 314c459a6fe0957b5885fbc65c53d51444092880 Mon Sep 17 00:00:00 2001 +From: Mike Rapoport +Date: Thu, 3 Feb 2022 20:49:29 -0800 +Subject: mm/pgtable: define pte_index so that preprocessor could recognize it + +From: Mike Rapoport + +commit 314c459a6fe0957b5885fbc65c53d51444092880 upstream. + +Since commit 974b9b2c68f3 ("mm: consolidate pte_index() and +pte_offset_*() definitions") pte_index is a static inline and there is +no define for it that can be recognized by the preprocessor. As a +result, vm_insert_pages() uses slower loop over vm_insert_page() instead +of insert_pages() that amortizes the cost of spinlock operations when +inserting multiple pages. + +Link: https://lkml.kernel.org/r/20220111145457.20748-1-rppt@kernel.org +Fixes: 974b9b2c68f3 ("mm: consolidate pte_index() and pte_offset_*() definitions") +Signed-off-by: Mike Rapoport +Reported-by: Christian Dietrich +Reviewed-by: Khalid Aziz +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/pgtable.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/linux/pgtable.h ++++ b/include/linux/pgtable.h +@@ -62,6 +62,7 @@ static inline unsigned long pte_index(un + { + return (address >> PAGE_SHIFT) & (PTRS_PER_PTE - 1); + } ++#define pte_index pte_index + + #ifndef pmd_index + static inline unsigned long pmd_index(unsigned long address) diff --git a/queue-5.15/mptcp-fix-msk-traversal-in-mptcp_nl_cmd_set_flags.patch b/queue-5.15/mptcp-fix-msk-traversal-in-mptcp_nl_cmd_set_flags.patch new file mode 100644 index 00000000000..1e1a4c5167e --- /dev/null +++ b/queue-5.15/mptcp-fix-msk-traversal-in-mptcp_nl_cmd_set_flags.patch @@ -0,0 +1,84 @@ +From 8e9eacad7ec7a9cbf262649ebf1fa6e6f6cc7d82 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Thu, 20 Jan 2022 16:35:27 -0800 +Subject: mptcp: fix msk traversal in mptcp_nl_cmd_set_flags() + +From: Paolo Abeni + +commit 8e9eacad7ec7a9cbf262649ebf1fa6e6f6cc7d82 upstream. + +The MPTCP endpoint list is under RCU protection, guarded by the +pernet spinlock. mptcp_nl_cmd_set_flags() traverses the list +without acquiring the spin-lock nor under the RCU critical section. + +This change addresses the issue performing the lookup and the endpoint +update under the pernet spinlock. + +[The upstream commit had to handle a lookup_by_id variable that is only + present in 5.17. This version of the patch removes that variable, so + the __lookup_addr() function only handles the lookup as it is + implemented in 5.15 and 5.16. It also removes one 'const' keyword to + prevent a warning due to differing const-ness in the 5.17 version of + addresses_equal().] + +Fixes: 0f9f696a502e ("mptcp: add set_flags command in PM netlink") +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 34 +++++++++++++++++++++++++--------- + 1 file changed, 25 insertions(+), 9 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -459,6 +459,18 @@ static unsigned int fill_remote_addresse + return i; + } + ++static struct mptcp_pm_addr_entry * ++__lookup_addr(struct pm_nl_pernet *pernet, struct mptcp_addr_info *info) ++{ ++ struct mptcp_pm_addr_entry *entry; ++ ++ list_for_each_entry(entry, &pernet->local_addr_list, list) { ++ if (addresses_equal(&entry->addr, info, true)) ++ return entry; ++ } ++ return NULL; ++} ++ + static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) + { + struct sock *sk = (struct sock *)msk; +@@ -1725,17 +1737,21 @@ static int mptcp_nl_cmd_set_flags(struct + if (addr.flags & MPTCP_PM_ADDR_FLAG_BACKUP) + bkup = 1; + +- list_for_each_entry(entry, &pernet->local_addr_list, list) { +- if (addresses_equal(&entry->addr, &addr.addr, true)) { +- mptcp_nl_addr_backup(net, &entry->addr, bkup); +- +- if (bkup) +- entry->flags |= MPTCP_PM_ADDR_FLAG_BACKUP; +- else +- entry->flags &= ~MPTCP_PM_ADDR_FLAG_BACKUP; +- } ++ spin_lock_bh(&pernet->lock); ++ entry = __lookup_addr(pernet, &addr.addr); ++ if (!entry) { ++ spin_unlock_bh(&pernet->lock); ++ return -EINVAL; + } + ++ if (bkup) ++ entry->flags |= MPTCP_PM_ADDR_FLAG_BACKUP; ++ else ++ entry->flags &= ~MPTCP_PM_ADDR_FLAG_BACKUP; ++ addr = *entry; ++ spin_unlock_bh(&pernet->lock); ++ ++ mptcp_nl_addr_backup(net, &addr.addr, bkup); + return 0; + } + diff --git a/queue-5.15/nvme-fabrics-fix-state-check-in-nvmf_ctlr_matches_baseopts.patch b/queue-5.15/nvme-fabrics-fix-state-check-in-nvmf_ctlr_matches_baseopts.patch new file mode 100644 index 00000000000..97a25db224f --- /dev/null +++ b/queue-5.15/nvme-fabrics-fix-state-check-in-nvmf_ctlr_matches_baseopts.patch @@ -0,0 +1,46 @@ +From 6a51abdeb259a56d95f13cc67e3a0838bcda0377 Mon Sep 17 00:00:00 2001 +From: Uday Shankar +Date: Thu, 20 Jan 2022 12:17:37 -0800 +Subject: nvme-fabrics: fix state check in nvmf_ctlr_matches_baseopts() + +From: Uday Shankar + +commit 6a51abdeb259a56d95f13cc67e3a0838bcda0377 upstream. + +Controller deletion/reset, immediately followed by or concurrent with +a reconnect, is hard failing the connect attempt resulting in a +complete loss of connectivity to the controller. + +In the connect request, fabrics looks for an existing controller with +the same address components and aborts the connect if a controller +already exists and the duplicate connect option isn't set. The match +routine filters out controllers that are dead or dying, so they don't +interfere with the new connect request. + +When NVME_CTRL_DELETING_NOIO was added, it missed updating the state +filters in the nvmf_ctlr_matches_baseopts() routine. Thus, when in this +new state, it's seen as a live controller and fails the connect request. + +Correct by adding the DELETING_NIO state to the match checks. + +Fixes: ecca390e8056 ("nvme: fix deadlock in disconnect during scan_work and/or ana_work") +Cc: # v5.7+ +Signed-off-by: Uday Shankar +Reviewed-by: James Smart +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/fabrics.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/nvme/host/fabrics.h ++++ b/drivers/nvme/host/fabrics.h +@@ -169,6 +169,7 @@ nvmf_ctlr_matches_baseopts(struct nvme_c + struct nvmf_ctrl_options *opts) + { + if (ctrl->state == NVME_CTRL_DELETING || ++ ctrl->state == NVME_CTRL_DELETING_NOIO || + ctrl->state == NVME_CTRL_DEAD || + strcmp(opts->subsysnqn, ctrl->opts->subsysnqn) || + strcmp(opts->host->nqn, ctrl->opts->host->nqn) || diff --git a/queue-5.15/revert-fbcon-disable-accelerated-scrolling.patch b/queue-5.15/revert-fbcon-disable-accelerated-scrolling.patch new file mode 100644 index 00000000000..cc38e1d18e1 --- /dev/null +++ b/queue-5.15/revert-fbcon-disable-accelerated-scrolling.patch @@ -0,0 +1,195 @@ +From 87ab9f6b7417349aa197a6c7098d4fdd4beebb74 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Wed, 2 Feb 2022 14:55:30 +0100 +Subject: Revert "fbcon: Disable accelerated scrolling" + +From: Helge Deller + +commit 87ab9f6b7417349aa197a6c7098d4fdd4beebb74 upstream. + +This reverts commit 39aead8373b3c20bb5965c024dfb51a94e526151. + +Revert the first (of 2) commits which disabled scrolling acceleration in +fbcon/fbdev. It introduced a regression for fbdev-supported graphic cards +because of the performance penalty by doing screen scrolling by software +instead of using the existing graphic card 2D hardware acceleration. + +Console scrolling acceleration was disabled by dropping code which +checked at runtime the driver hardware capabilities for the +BINFO_HWACCEL_COPYAREA or FBINFO_HWACCEL_FILLRECT flags and if set, it +enabled scrollmode SCROLL_MOVE which uses hardware acceleration to move +screen contents. After dropping those checks scrollmode was hard-wired +to SCROLL_REDRAW instead, which forces all graphic cards to redraw every +character at the new screen position when scrolling. + +This change effectively disabled all hardware-based scrolling acceleration for +ALL drivers, because now all kind of 2D hardware acceleration (bitblt, +fillrect) in the drivers isn't used any longer. + +The original commit message mentions that only 3 DRM drivers (nouveau, omapdrm +and gma500) used hardware acceleration in the past and thus code for checking +and using scrolling acceleration is obsolete. + +This statement is NOT TRUE, because beside the DRM drivers there are around 35 +other fbdev drivers which depend on fbdev/fbcon and still provide hardware +acceleration for fbdev/fbcon. + +The original commit message also states that syzbot found lots of bugs in fbcon +and thus it's "often the solution to just delete code and remove features". +This is true, and the bugs - which actually affected all users of fbcon, +including DRM - were fixed, or code was dropped like e.g. the support for +software scrollback in vgacon (commit 973c096f6a85). + +So to further analyze which bugs were found by syzbot, I've looked through all +patches in drivers/video which were tagged with syzbot or syzkaller back to +year 2005. The vast majority fixed the reported issues on a higher level, e.g. +when screen is to be resized, or when font size is to be changed. The few ones +which touched driver code fixed a real driver bug, e.g. by adding a check. + +But NONE of those patches touched code of either the SCROLL_MOVE or the +SCROLL_REDRAW case. + +That means, there was no real reason why SCROLL_MOVE had to be ripped-out and +just SCROLL_REDRAW had to be used instead. The only reason I can imagine so far +was that SCROLL_MOVE wasn't used by DRM and as such it was assumed that it +could go away. That argument completely missed the fact that SCROLL_MOVE is +still heavily used by fbdev (non-DRM) drivers. + +Some people mention that using memcpy() instead of the hardware acceleration is +pretty much the same speed. But that's not true, at least not for older graphic +cards and machines where we see speed decreases by factor 10 and more and thus +this change leads to console responsiveness way worse than before. + +That's why the original commit is to be reverted. By reverting we +reintroduce hardware-based scrolling acceleration and fix the +performance regression for fbdev drivers. + +There isn't any impact on DRM when reverting those patches. + +Signed-off-by: Helge Deller +Acked-by: Geert Uytterhoeven +Acked-by: Sven Schnelle +Cc: stable@vger.kernel.org # v5.10+ +Signed-off-by: Helge Deller +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20220202135531.92183-3-deller@gmx.de +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/gpu/todo.rst | 21 ------------------ + drivers/video/fbdev/core/fbcon.c | 45 ++++++++++++++++++++++++++++++++------- + 2 files changed, 37 insertions(+), 29 deletions(-) + +--- a/Documentation/gpu/todo.rst ++++ b/Documentation/gpu/todo.rst +@@ -311,27 +311,6 @@ Contact: Daniel Vetter, Noralf Tronnes + + Level: Advanced + +-Garbage collect fbdev scrolling acceleration +--------------------------------------------- +- +-Scroll acceleration is disabled in fbcon by hard-wiring p->scrollmode = +-SCROLL_REDRAW. There's a ton of code this will allow us to remove: +- +-- lots of code in fbcon.c +- +-- a bunch of the hooks in fbcon_ops, maybe the remaining hooks could be called +- directly instead of the function table (with a switch on p->rotate) +- +-- fb_copyarea is unused after this, and can be deleted from all drivers +- +-Note that not all acceleration code can be deleted, since clearing and cursor +-support is still accelerated, which might be good candidates for further +-deletion projects. +- +-Contact: Daniel Vetter +- +-Level: Intermediate +- + idr_init_base() + --------------- + +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -1025,7 +1025,7 @@ static void fbcon_init(struct vc_data *v + struct vc_data *svc = *default_mode; + struct fbcon_display *t, *p = &fb_display[vc->vc_num]; + int logo = 1, new_rows, new_cols, rows, cols; +- int ret; ++ int cap, ret; + + if (WARN_ON(info_idx == -1)) + return; +@@ -1034,6 +1034,7 @@ static void fbcon_init(struct vc_data *v + con2fb_map[vc->vc_num] = info_idx; + + info = registered_fb[con2fb_map[vc->vc_num]]; ++ cap = info->flags; + + if (logo_shown < 0 && console_loglevel <= CONSOLE_LOGLEVEL_QUIET) + logo_shown = FBCON_LOGO_DONTSHOW; +@@ -1135,13 +1136,11 @@ static void fbcon_init(struct vc_data *v + + ops->graphics = 0; + +- /* +- * No more hw acceleration for fbcon. +- * +- * FIXME: Garbage collect all the now dead code after sufficient time +- * has passed. +- */ +- p->scrollmode = SCROLL_REDRAW; ++ if ((cap & FBINFO_HWACCEL_COPYAREA) && ++ !(cap & FBINFO_HWACCEL_DISABLED)) ++ p->scrollmode = SCROLL_MOVE; ++ else /* default to something safe */ ++ p->scrollmode = SCROLL_REDRAW; + + /* + * ++guenther: console.c:vc_allocate() relies on initializing +@@ -1953,15 +1952,45 @@ static void updatescrollmode(struct fbco + { + struct fbcon_ops *ops = info->fbcon_par; + int fh = vc->vc_font.height; ++ int cap = info->flags; ++ u16 t = 0; ++ int ypan = FBCON_SWAP(ops->rotate, info->fix.ypanstep, ++ info->fix.xpanstep); ++ int ywrap = FBCON_SWAP(ops->rotate, info->fix.ywrapstep, t); + int yres = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres); + int vyres = FBCON_SWAP(ops->rotate, info->var.yres_virtual, + info->var.xres_virtual); ++ int good_pan = (cap & FBINFO_HWACCEL_YPAN) && ++ divides(ypan, vc->vc_font.height) && vyres > yres; ++ int good_wrap = (cap & FBINFO_HWACCEL_YWRAP) && ++ divides(ywrap, vc->vc_font.height) && ++ divides(vc->vc_font.height, vyres) && ++ divides(vc->vc_font.height, yres); ++ int reading_fast = cap & FBINFO_READS_FAST; ++ int fast_copyarea = (cap & FBINFO_HWACCEL_COPYAREA) && ++ !(cap & FBINFO_HWACCEL_DISABLED); ++ int fast_imageblit = (cap & FBINFO_HWACCEL_IMAGEBLIT) && ++ !(cap & FBINFO_HWACCEL_DISABLED); + + p->vrows = vyres/fh; + if (yres > (fh * (vc->vc_rows + 1))) + p->vrows -= (yres - (fh * vc->vc_rows)) / fh; + if ((yres % fh) && (vyres % fh < yres % fh)) + p->vrows--; ++ ++ if (good_wrap || good_pan) { ++ if (reading_fast || fast_copyarea) ++ p->scrollmode = good_wrap ? ++ SCROLL_WRAP_MOVE : SCROLL_PAN_MOVE; ++ else ++ p->scrollmode = good_wrap ? SCROLL_REDRAW : ++ SCROLL_PAN_REDRAW; ++ } else { ++ if (reading_fast || (fast_copyarea && !fast_imageblit)) ++ p->scrollmode = SCROLL_MOVE; ++ else ++ p->scrollmode = SCROLL_REDRAW; ++ } + } + + #define PITCH(w) (((w) + 7) >> 3) diff --git a/queue-5.15/revert-fs-9p-search-open-fids-first.patch b/queue-5.15/revert-fs-9p-search-open-fids-first.patch new file mode 100644 index 00000000000..bf2ab03668c --- /dev/null +++ b/queue-5.15/revert-fs-9p-search-open-fids-first.patch @@ -0,0 +1,67 @@ +From 22e424feb6658c5d6789e45121830357809c59cb Mon Sep 17 00:00:00 2001 +From: Dominique Martinet +Date: Sat, 29 Jan 2022 18:42:59 +0900 +Subject: Revert "fs/9p: search open fids first" + +From: Dominique Martinet + +commit 22e424feb6658c5d6789e45121830357809c59cb upstream. + +This reverts commit 478ba09edc1f2f2ee27180a06150cb2d1a686f9c. + +That commit was meant as a fix for setattrs with by fd (e.g. ftruncate) +to use an open fid instead of the first fid it found on lookup. +The proper fix for that is to use the fid associated with the open file +struct, available in iattr->ia_file for such operations, and was +actually done just before in 66246641609b ("9p: retrieve fid from file +when file instance exist.") +As such, this commit is no longer required. + +Furthermore, changing lookup to return open fids first had unwanted side +effects, as it turns out the protocol forbids the use of open fids for +further walks (e.g. clone_fid) and we broke mounts for some servers +enforcing this rule. + +Note this only reverts to the old working behaviour, but it's still +possible for lookup to return open fids if dentry->d_fsdata is not set, +so more work is needed to make sure we respect this rule in the future, +for example by adding a flag to the lookup functions to only match +certain fid open modes depending on caller requirements. + +Link: https://lkml.kernel.org/r/20220130130651.712293-1-asmadeus@codewreck.org +Fixes: 478ba09edc1f ("fs/9p: search open fids first") +Cc: stable@vger.kernel.org # v5.11+ +Reported-by: ron minnich +Reported-by: ng@0x80.stream +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman +--- + fs/9p/fid.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/fs/9p/fid.c ++++ b/fs/9p/fid.c +@@ -96,12 +96,8 @@ static struct p9_fid *v9fs_fid_find(stru + dentry, dentry, from_kuid(&init_user_ns, uid), + any); + ret = NULL; +- +- if (d_inode(dentry)) +- ret = v9fs_fid_find_inode(d_inode(dentry), uid); +- + /* we'll recheck under lock if there's anything to look in */ +- if (!ret && dentry->d_fsdata) { ++ if (dentry->d_fsdata) { + struct hlist_head *h = (struct hlist_head *)&dentry->d_fsdata; + spin_lock(&dentry->d_lock); + hlist_for_each_entry(fid, h, dlist) { +@@ -112,6 +108,9 @@ static struct p9_fid *v9fs_fid_find(stru + } + } + spin_unlock(&dentry->d_lock); ++ } else { ++ if (dentry->d_inode) ++ ret = v9fs_fid_find_inode(dentry->d_inode, uid); + } + + return ret; diff --git a/queue-5.15/series b/queue-5.15/series index 8fdfe0c57c6..5317dd11a7a 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -1,2 +1,35 @@ drm-i915-disable-dsb-usage-for-now.patch selinux-fix-double-free-of-cond_list-on-error-paths.patch +audit-improve-audit-queue-handling-when-audit-1-on-cmdline.patch +ipc-sem-do-not-sleep-with-a-spin-lock-held.patch +spi-stm32-qspi-update-spi-registering.patch +asoc-hdmi-codec-fix-oob-memory-accesses.patch +asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch +asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch +asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch +alsa-usb-audio-correct-quirk-for-vf0770.patch +alsa-hda-fix-uaf-of-leds-class-devs-at-unbinding.patch +alsa-hda-realtek-fix-race-at-concurrent-coef-updates.patch +alsa-hda-realtek-add-quirk-for-asus-gu603.patch +alsa-hda-realtek-add-missing-fixup-model-entry-for-gigabyte-x570-alc1220-quirks.patch +alsa-hda-realtek-fix-silent-output-on-gigabyte-x570s-aorus-master-newer-chipset.patch +alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-xtreme-after-reboot-from-windows.patch +btrfs-don-t-start-transaction-for-scrub-if-the-fs-is-mounted-read-only.patch +btrfs-fix-deadlock-between-quota-disable-and-qgroup-rescan-worker.patch +btrfs-fix-use-after-free-after-failure-to-create-a-snapshot.patch +revert-fs-9p-search-open-fids-first.patch +drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch +drm-i915-adlp-fix-typec-phy-ready-status-readout.patch +drm-amd-pm-correct-the-mgpufanboost-support-for-beige-goby.patch +drm-amd-display-watermark-latencies-is-not-enough-on-dcn31.patch +drm-amd-display-force-link_rate-as-link_rate_rbr2-for-2018-15-apple-retina-panels.patch +nvme-fabrics-fix-state-check-in-nvmf_ctlr_matches_baseopts.patch +mm-debug_vm_pgtable-remove-pte-entry-from-the-page-table.patch +mm-pgtable-define-pte_index-so-that-preprocessor-could-recognize-it.patch +mm-kmemleak-avoid-scanning-potential-huge-holes.patch +block-bio-integrity-advance-seed-correctly-for-larger-interval-sizes.patch +dma-buf-heaps-fix-potential-spectre-v1-gadget.patch +ib-hfi1-fix-aip-early-init-panic.patch +revert-fbcon-disable-accelerated-scrolling.patch +fbcon-add-option-to-enable-legacy-hardware-acceleration.patch +mptcp-fix-msk-traversal-in-mptcp_nl_cmd_set_flags.patch diff --git a/queue-5.15/spi-stm32-qspi-update-spi-registering.patch b/queue-5.15/spi-stm32-qspi-update-spi-registering.patch new file mode 100644 index 00000000000..b6883ae5ace --- /dev/null +++ b/queue-5.15/spi-stm32-qspi-update-spi-registering.patch @@ -0,0 +1,144 @@ +From e4d63473d3110afd170e6e0e48494d3789d26136 Mon Sep 17 00:00:00 2001 +From: Patrice Chotard +Date: Mon, 17 Jan 2022 13:17:44 +0100 +Subject: spi: stm32-qspi: Update spi registering + +From: Patrice Chotard + +commit e4d63473d3110afd170e6e0e48494d3789d26136 upstream. + +Some device driver need to communicate to qspi device during the remove +process, qspi controller must be functional when spi_unregister_master() +is called. + +To ensure this, replace devm_spi_register_master() by spi_register_master() +and spi_unregister_master() is called directly in .remove callback before +stopping the qspi controller. + +This issue was put in evidence using kernel v5.11 and later +with a spi-nor which supports the software reset feature introduced +by commit d73ee7534cc5 ("mtd: spi-nor: core: perform a Soft Reset on +shutdown") + +Fixes: c530cd1d9d5e ("spi: spi-mem: add stm32 qspi controller") + +Signed-off-by: Patrice Chotard +Cc: # 5.8.x +Reviewed-by: Lukas Wunner +Link: https://lore.kernel.org/r/20220117121744.29729-1-patrice.chotard@foss.st.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-stm32-qspi.c | 47 +++++++++++++++---------------------------- + 1 file changed, 17 insertions(+), 30 deletions(-) + +--- a/drivers/spi/spi-stm32-qspi.c ++++ b/drivers/spi/spi-stm32-qspi.c +@@ -688,7 +688,7 @@ static int stm32_qspi_probe(struct platf + struct resource *res; + int ret, irq; + +- ctrl = spi_alloc_master(dev, sizeof(*qspi)); ++ ctrl = devm_spi_alloc_master(dev, sizeof(*qspi)); + if (!ctrl) + return -ENOMEM; + +@@ -697,58 +697,46 @@ static int stm32_qspi_probe(struct platf + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "qspi"); + qspi->io_base = devm_ioremap_resource(dev, res); +- if (IS_ERR(qspi->io_base)) { +- ret = PTR_ERR(qspi->io_base); +- goto err_master_put; +- } ++ if (IS_ERR(qspi->io_base)) ++ return PTR_ERR(qspi->io_base); + + qspi->phys_base = res->start; + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "qspi_mm"); + qspi->mm_base = devm_ioremap_resource(dev, res); +- if (IS_ERR(qspi->mm_base)) { +- ret = PTR_ERR(qspi->mm_base); +- goto err_master_put; +- } ++ if (IS_ERR(qspi->mm_base)) ++ return PTR_ERR(qspi->mm_base); + + qspi->mm_size = resource_size(res); +- if (qspi->mm_size > STM32_QSPI_MAX_MMAP_SZ) { +- ret = -EINVAL; +- goto err_master_put; +- } ++ if (qspi->mm_size > STM32_QSPI_MAX_MMAP_SZ) ++ return -EINVAL; + + irq = platform_get_irq(pdev, 0); +- if (irq < 0) { +- ret = irq; +- goto err_master_put; +- } ++ if (irq < 0) ++ return irq; + + ret = devm_request_irq(dev, irq, stm32_qspi_irq, 0, + dev_name(dev), qspi); + if (ret) { + dev_err(dev, "failed to request irq\n"); +- goto err_master_put; ++ return ret; + } + + init_completion(&qspi->data_completion); + init_completion(&qspi->match_completion); + + qspi->clk = devm_clk_get(dev, NULL); +- if (IS_ERR(qspi->clk)) { +- ret = PTR_ERR(qspi->clk); +- goto err_master_put; +- } ++ if (IS_ERR(qspi->clk)) ++ return PTR_ERR(qspi->clk); + + qspi->clk_rate = clk_get_rate(qspi->clk); +- if (!qspi->clk_rate) { +- ret = -EINVAL; +- goto err_master_put; +- } ++ if (!qspi->clk_rate) ++ return -EINVAL; + + ret = clk_prepare_enable(qspi->clk); + if (ret) { + dev_err(dev, "can not enable the clock\n"); +- goto err_master_put; ++ return ret; + } + + rstc = devm_reset_control_get_exclusive(dev, NULL); +@@ -784,7 +772,7 @@ static int stm32_qspi_probe(struct platf + pm_runtime_enable(dev); + pm_runtime_get_noresume(dev); + +- ret = devm_spi_register_master(dev, ctrl); ++ ret = spi_register_master(ctrl); + if (ret) + goto err_pm_runtime_free; + +@@ -806,8 +794,6 @@ err_dma_free: + stm32_qspi_dma_free(qspi); + err_clk_disable: + clk_disable_unprepare(qspi->clk); +-err_master_put: +- spi_master_put(qspi->ctrl); + + return ret; + } +@@ -817,6 +803,7 @@ static int stm32_qspi_remove(struct plat + struct stm32_qspi *qspi = platform_get_drvdata(pdev); + + pm_runtime_get_sync(qspi->dev); ++ spi_unregister_master(qspi->ctrl); + /* disable qspi */ + writel_relaxed(0, qspi->io_base + QSPI_CR); + stm32_qspi_dma_free(qspi); -- 2.47.3