From b973828f1057ca77cabc174fd9982bf3b9f1685b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 31 Jul 2021 08:56:51 +0200 Subject: [PATCH] 5.13-stable patches added patches: acpi-dptf-fix-reading-of-attributes.patch alpha-register-early-reserved-memory-in-memblock.patch blk-iocost-fix-operation-ordering-in-iocg_wake_fn.patch btrfs-fix-lost-inode-on-log-replay-after-mix-of-fsync-rename-and-inode-eviction.patch btrfs-fix-rw-device-counting-in-__btrfs_free_extra_devids.patch btrfs-mark-compressed-range-uptodate-only-if-all-bio-succeed.patch can-ems_usb-fix-memory-leak.patch can-esd_usb2-fix-memory-leak.patch can-j1939-j1939_xtp_rx_dat_one-fix-rxtimer-value-between-consecutive-tp.dt-to-750ms.patch can-mcba_usb_start-add-missing-urb-transfer_dma-initialization.patch can-peak_usb-pcan_usb_handle_bus_evt-fix-reading-rxerr-txerr-values.patch can-raw-raw_setsockopt-fix-raw_rcv-panic-for-sock-uaf.patch can-usb_8dev-fix-memory-leak.patch drm-amd-display-ensure-dentist-display-clock-update-finished-in-dcn20.patch drm-amdgpu-avoid-printing-of-stack-contents-on-firmware-load-error.patch drm-amdgpu-check-pmops-for-desired-suspend-state.patch drm-amdgpu-fix-resource-leak-on-probe-error-path.patch fs-ext2-avoid-page_address-on-pages-returned-by-ext2_get_page.patch hid-wacom-re-enable-touch-by-default-for-cintiq-24hdt-27qhdt.patch io_uring-don-t-block-level-reissue-off-completion-path.patch io_uring-fix-io_prep_async_link-locking.patch io_uring-fix-poll-requests-leaking-second-poll-entries.patch kvm-add-missing-compat-kvm_clear_dirty_log.patch mm-memcg-fix-null-pointer-dereference-in-memcg_slab_free_hook.patch mm-memcontrol-fix-blocking-rstat-function-called-from-atomic-cgroup1-thresholding-code.patch net-stmmac-add-est_irq_status-callback-function-for-gmac-4.10-and-5.10.patch nfc-nfcsim-fix-use-after-free-during-module-unload.patch niu-fix-incorrect-error-return-missed-in-previous-revert.patch ocfs2-fix-zero-out-valid-data.patch ocfs2-issue-zeroout-to-eof-blocks.patch pipe-make-pipe-writes-always-wake-up-readers.patch revert-acpi-resources-add-checks-for-acpi-irq-override.patch x86-kvm-fix-vcpu-id-indexed-array-sizes.patch --- .../acpi-dptf-fix-reading-of-attributes.patch | 97 +++++++++ ...er-early-reserved-memory-in-memblock.patch | 82 ++++++++ ...x-operation-ordering-in-iocg_wake_fn.patch | 82 ++++++++ ...x-of-fsync-rename-and-inode-eviction.patch | 100 ++++++++++ ...ounting-in-__btrfs_free_extra_devids.patch | 113 +++++++++++ ...nge-uptodate-only-if-all-bio-succeed.patch | 40 ++++ queue-5.13/can-ems_usb-fix-memory-leak.patch | 93 +++++++++ queue-5.13/can-esd_usb2-fix-memory-leak.patch | 97 +++++++++ ...e-between-consecutive-tp.dt-to-750ms.patch | 34 ++++ ...sing-urb-transfer_dma-initialization.patch | 52 +++++ ...s_evt-fix-reading-rxerr-txerr-values.patch | 52 +++++ ...ckopt-fix-raw_rcv-panic-for-sock-uaf.patch | 163 +++++++++++++++ queue-5.13/can-usb_8dev-fix-memory-leak.patch | 94 +++++++++ ...splay-clock-update-finished-in-dcn20.patch | 42 ++++ ...tack-contents-on-firmware-load-error.patch | 69 +++++++ ...heck-pmops-for-desired-suspend-state.patch | 48 +++++ ...ix-resource-leak-on-probe-error-path.patch | 64 ++++++ ...s-on-pages-returned-by-ext2_get_page.patch | 115 +++++++++++ ...h-by-default-for-cintiq-24hdt-27qhdt.patch | 43 ++++ ...ck-level-reissue-off-completion-path.patch | 46 +++++ ...uring-fix-io_prep_async_link-locking.patch | 44 +++++ ...requests-leaking-second-poll-entries.patch | 60 ++++++ ...d-missing-compat-kvm_clear_dirty_log.patch | 69 +++++++ ...-dereference-in-memcg_slab_free_hook.patch | 72 +++++++ ...rom-atomic-cgroup1-thresholding-code.patch | 79 ++++++++ ...back-function-for-gmac-4.10-and-5.10.patch | 41 ++++ ...-use-after-free-during-module-unload.patch | 93 +++++++++ ...ror-return-missed-in-previous-revert.patch | 42 ++++ .../ocfs2-fix-zero-out-valid-data.patch | 60 ++++++ .../ocfs2-issue-zeroout-to-eof-blocks.patch | 186 ++++++++++++++++++ ...e-pipe-writes-always-wake-up-readers.patch | 100 ++++++++++ ...ces-add-checks-for-acpi-irq-override.patch | 52 +++++ queue-5.13/series | 33 ++++ ...-kvm-fix-vcpu-id-indexed-array-sizes.patch | 59 ++++++ 34 files changed, 2516 insertions(+) create mode 100644 queue-5.13/acpi-dptf-fix-reading-of-attributes.patch create mode 100644 queue-5.13/alpha-register-early-reserved-memory-in-memblock.patch create mode 100644 queue-5.13/blk-iocost-fix-operation-ordering-in-iocg_wake_fn.patch create mode 100644 queue-5.13/btrfs-fix-lost-inode-on-log-replay-after-mix-of-fsync-rename-and-inode-eviction.patch create mode 100644 queue-5.13/btrfs-fix-rw-device-counting-in-__btrfs_free_extra_devids.patch create mode 100644 queue-5.13/btrfs-mark-compressed-range-uptodate-only-if-all-bio-succeed.patch create mode 100644 queue-5.13/can-ems_usb-fix-memory-leak.patch create mode 100644 queue-5.13/can-esd_usb2-fix-memory-leak.patch create mode 100644 queue-5.13/can-j1939-j1939_xtp_rx_dat_one-fix-rxtimer-value-between-consecutive-tp.dt-to-750ms.patch create mode 100644 queue-5.13/can-mcba_usb_start-add-missing-urb-transfer_dma-initialization.patch create mode 100644 queue-5.13/can-peak_usb-pcan_usb_handle_bus_evt-fix-reading-rxerr-txerr-values.patch create mode 100644 queue-5.13/can-raw-raw_setsockopt-fix-raw_rcv-panic-for-sock-uaf.patch create mode 100644 queue-5.13/can-usb_8dev-fix-memory-leak.patch create mode 100644 queue-5.13/drm-amd-display-ensure-dentist-display-clock-update-finished-in-dcn20.patch create mode 100644 queue-5.13/drm-amdgpu-avoid-printing-of-stack-contents-on-firmware-load-error.patch create mode 100644 queue-5.13/drm-amdgpu-check-pmops-for-desired-suspend-state.patch create mode 100644 queue-5.13/drm-amdgpu-fix-resource-leak-on-probe-error-path.patch create mode 100644 queue-5.13/fs-ext2-avoid-page_address-on-pages-returned-by-ext2_get_page.patch create mode 100644 queue-5.13/hid-wacom-re-enable-touch-by-default-for-cintiq-24hdt-27qhdt.patch create mode 100644 queue-5.13/io_uring-don-t-block-level-reissue-off-completion-path.patch create mode 100644 queue-5.13/io_uring-fix-io_prep_async_link-locking.patch create mode 100644 queue-5.13/io_uring-fix-poll-requests-leaking-second-poll-entries.patch create mode 100644 queue-5.13/kvm-add-missing-compat-kvm_clear_dirty_log.patch create mode 100644 queue-5.13/mm-memcg-fix-null-pointer-dereference-in-memcg_slab_free_hook.patch create mode 100644 queue-5.13/mm-memcontrol-fix-blocking-rstat-function-called-from-atomic-cgroup1-thresholding-code.patch create mode 100644 queue-5.13/net-stmmac-add-est_irq_status-callback-function-for-gmac-4.10-and-5.10.patch create mode 100644 queue-5.13/nfc-nfcsim-fix-use-after-free-during-module-unload.patch create mode 100644 queue-5.13/niu-fix-incorrect-error-return-missed-in-previous-revert.patch create mode 100644 queue-5.13/ocfs2-fix-zero-out-valid-data.patch create mode 100644 queue-5.13/ocfs2-issue-zeroout-to-eof-blocks.patch create mode 100644 queue-5.13/pipe-make-pipe-writes-always-wake-up-readers.patch create mode 100644 queue-5.13/revert-acpi-resources-add-checks-for-acpi-irq-override.patch create mode 100644 queue-5.13/series create mode 100644 queue-5.13/x86-kvm-fix-vcpu-id-indexed-array-sizes.patch diff --git a/queue-5.13/acpi-dptf-fix-reading-of-attributes.patch b/queue-5.13/acpi-dptf-fix-reading-of-attributes.patch new file mode 100644 index 00000000000..63e047cccb9 --- /dev/null +++ b/queue-5.13/acpi-dptf-fix-reading-of-attributes.patch @@ -0,0 +1,97 @@ +From 41a8457f3f6f829be1f8f8fa7577a46b9b7223ef Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada +Date: Tue, 27 Jul 2021 09:18:24 -0700 +Subject: ACPI: DPTF: Fix reading of attributes + +From: Srinivas Pandruvada + +commit 41a8457f3f6f829be1f8f8fa7577a46b9b7223ef upstream. + +The current assumption that methods to read PCH FIVR attributes will +return integer, is not correct. There is no good way to return integer +as negative numbers are also valid. + +These read methods return a package of integers. The first integer returns +status, which is 0 on success and any other value for failure. When the +returned status is zero, then the second integer returns the actual value. + +This change fixes this issue by replacing acpi_evaluate_integer() with +acpi_evaluate_object() and use acpi_extract_package() to extract results. + +Fixes: 2ce6324eadb01 ("ACPI: DPTF: Add PCH FIVR participant driver") +Signed-off-by: Srinivas Pandruvada +Cc: 5.10+ # 5.10+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/dptf/dptf_pch_fivr.c | 51 ++++++++++++++++++++++++++++++++------ + 1 file changed, 43 insertions(+), 8 deletions(-) + +--- a/drivers/acpi/dptf/dptf_pch_fivr.c ++++ b/drivers/acpi/dptf/dptf_pch_fivr.c +@@ -9,6 +9,42 @@ + #include + #include + ++struct pch_fivr_resp { ++ u64 status; ++ u64 result; ++}; ++ ++static int pch_fivr_read(acpi_handle handle, char *method, struct pch_fivr_resp *fivr_resp) ++{ ++ struct acpi_buffer resp = { sizeof(struct pch_fivr_resp), fivr_resp}; ++ struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; ++ struct acpi_buffer format = { sizeof("NN"), "NN" }; ++ union acpi_object *obj; ++ acpi_status status; ++ int ret = -EFAULT; ++ ++ status = acpi_evaluate_object(handle, method, NULL, &buffer); ++ if (ACPI_FAILURE(status)) ++ return ret; ++ ++ obj = buffer.pointer; ++ if (!obj || obj->type != ACPI_TYPE_PACKAGE) ++ goto release_buffer; ++ ++ status = acpi_extract_package(obj, &format, &resp); ++ if (ACPI_FAILURE(status)) ++ goto release_buffer; ++ ++ if (fivr_resp->status) ++ goto release_buffer; ++ ++ ret = 0; ++ ++release_buffer: ++ kfree(buffer.pointer); ++ return ret; ++} ++ + /* + * Presentation of attributes which are defined for INT1045 + * They are: +@@ -23,15 +59,14 @@ static ssize_t name##_show(struct device + char *buf)\ + {\ + struct acpi_device *acpi_dev = dev_get_drvdata(dev);\ +- unsigned long long val;\ +- acpi_status status;\ ++ struct pch_fivr_resp fivr_resp;\ ++ int status;\ ++\ ++ status = pch_fivr_read(acpi_dev->handle, #method, &fivr_resp);\ ++ if (status)\ ++ return status;\ + \ +- status = acpi_evaluate_integer(acpi_dev->handle, #method,\ +- NULL, &val);\ +- if (ACPI_SUCCESS(status))\ +- return sprintf(buf, "%d\n", (int)val);\ +- else\ +- return -EINVAL;\ ++ return sprintf(buf, "%llu\n", fivr_resp.result);\ + } + + #define PCH_FIVR_STORE(name, method) \ diff --git a/queue-5.13/alpha-register-early-reserved-memory-in-memblock.patch b/queue-5.13/alpha-register-early-reserved-memory-in-memblock.patch new file mode 100644 index 00000000000..1d91732e780 --- /dev/null +++ b/queue-5.13/alpha-register-early-reserved-memory-in-memblock.patch @@ -0,0 +1,82 @@ +From 640b7ea5f888b521dcf28e2564ce75d08a783fd7 Mon Sep 17 00:00:00 2001 +From: Mike Rapoport +Date: Tue, 27 Jul 2021 23:38:24 +0300 +Subject: alpha: register early reserved memory in memblock + +From: Mike Rapoport + +commit 640b7ea5f888b521dcf28e2564ce75d08a783fd7 upstream. + +The memory reserved by console/PALcode or non-volatile memory is not added +to memblock.memory. + +Since commit fa3354e4ea39 (mm: free_area_init: use maximal zone PFNs rather +than zone sizes) the initialization of the memory map relies on the +accuracy of memblock.memory to properly calculate zone sizes. The holes in +memblock.memory caused by absent regions reserved by the firmware cause +incorrect initialization of struct pages which leads to BUG() during the +initial page freeing: + +BUG: Bad page state in process swapper pfn:2ffc53 +page:fffffc000ecf14c0 refcount:0 mapcount:1 mapping:0000000000000000 index:0x0 +flags: 0x0() +raw: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +raw: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +page dumped because: nonzero mapcount +Modules linked in: +CPU: 0 PID: 0 Comm: swapper Not tainted 5.7.0-03841-gfa3354e4ea39-dirty #26 + fffffc0001b5bd68 fffffc0001b5be80 fffffc00011cd148 fffffc000ecf14c0 + fffffc00019803df fffffc0001b5be80 fffffc00011ce340 fffffc000ecf14c0 + 0000000000000000 fffffc0001b5be80 fffffc0001b482c0 fffffc00027d6618 + fffffc00027da7d0 00000000002ff97a 0000000000000000 fffffc0001b5be80 + fffffc00011d1abc fffffc000ecf14c0 fffffc0002d00000 fffffc0001b5be80 + fffffc0001b2350c 0000000000300000 fffffc0001b48298 fffffc0001b482c0 +Trace: +[] bad_page+0x168/0x1b0 +[] free_pcp_prepare+0x1e0/0x290 +[] free_unref_page+0x2c/0xa0 +[] cmp_ex_sort+0x0/0x30 +[] cmp_ex_sort+0x0/0x30 +[] _stext+0x1c/0x20 + +Fix this by registering the reserved ranges in memblock.memory. + +Link: https://lore.kernel.org/lkml/20210726192311.uffqnanxw3ac5wwi@ivybridge +Fixes: fa3354e4ea39 ("mm: free_area_init: use maximal zone PFNs rather than zone sizes") +Reported-by: Matt Turner +Cc: +Signed-off-by: Mike Rapoport +Signed-off-by: Matt Turner +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/kernel/setup.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/arch/alpha/kernel/setup.c ++++ b/arch/alpha/kernel/setup.c +@@ -325,18 +325,19 @@ setup_memory(void *kernel_end) + i, cluster->usage, cluster->start_pfn, + cluster->start_pfn + cluster->numpages); + +- /* Bit 0 is console/PALcode reserved. Bit 1 is +- non-volatile memory -- we might want to mark +- this for later. */ +- if (cluster->usage & 3) +- continue; +- + end = cluster->start_pfn + cluster->numpages; + if (end > max_low_pfn) + max_low_pfn = end; + + memblock_add(PFN_PHYS(cluster->start_pfn), + cluster->numpages << PAGE_SHIFT); ++ ++ /* Bit 0 is console/PALcode reserved. Bit 1 is ++ non-volatile memory -- we might want to mark ++ this for later. */ ++ if (cluster->usage & 3) ++ memblock_reserve(PFN_PHYS(cluster->start_pfn), ++ cluster->numpages << PAGE_SHIFT); + } + + /* diff --git a/queue-5.13/blk-iocost-fix-operation-ordering-in-iocg_wake_fn.patch b/queue-5.13/blk-iocost-fix-operation-ordering-in-iocg_wake_fn.patch new file mode 100644 index 00000000000..4df9444e1e8 --- /dev/null +++ b/queue-5.13/blk-iocost-fix-operation-ordering-in-iocg_wake_fn.patch @@ -0,0 +1,82 @@ +From 5ab189cf3abbc9994bae3be524c5b88589ed56e2 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Tue, 27 Jul 2021 14:38:09 -1000 +Subject: blk-iocost: fix operation ordering in iocg_wake_fn() + +From: Tejun Heo + +commit 5ab189cf3abbc9994bae3be524c5b88589ed56e2 upstream. + +iocg_wake_fn() open-codes wait_queue_entry removal and wakeup because it +wants the wq_entry to be always removed whether it ended up waking the +task or not. finish_wait() tests whether wq_entry needs removal without +grabbing the wait_queue lock and expects the waker to use +list_del_init_careful() after all waking operations are complete, which +iocg_wake_fn() didn't do. The operation order was wrong and the regular +list_del_init() was used. + +The result is that if a waiter wakes up racing the waker, it can free pop +the wq_entry off stack before the waker is still looking at it, which can +lead to a backtrace like the following. + + [7312084.588951] general protection fault, probably for non-canonical address 0x586bf4005b2b88: 0000 [#1] SMP + ... + [7312084.647079] RIP: 0010:queued_spin_lock_slowpath+0x171/0x1b0 + ... + [7312084.858314] Call Trace: + [7312084.863548] _raw_spin_lock_irqsave+0x22/0x30 + [7312084.872605] try_to_wake_up+0x4c/0x4f0 + [7312084.880444] iocg_wake_fn+0x71/0x80 + [7312084.887763] __wake_up_common+0x71/0x140 + [7312084.895951] iocg_kick_waitq+0xe8/0x2b0 + [7312084.903964] ioc_rqos_throttle+0x275/0x650 + [7312084.922423] __rq_qos_throttle+0x20/0x30 + [7312084.930608] blk_mq_make_request+0x120/0x650 + [7312084.939490] generic_make_request+0xca/0x310 + [7312084.957600] submit_bio+0x173/0x200 + [7312084.981806] swap_readpage+0x15c/0x240 + [7312084.989646] read_swap_cache_async+0x58/0x60 + [7312084.998527] swap_cluster_readahead+0x201/0x320 + [7312085.023432] swapin_readahead+0x2df/0x450 + [7312085.040672] do_swap_page+0x52f/0x820 + [7312085.058259] handle_mm_fault+0xa16/0x1420 + [7312085.066620] do_page_fault+0x2c6/0x5c0 + [7312085.074459] page_fault+0x2f/0x40 + +Fix it by switching to list_del_init_careful() and putting it at the end. + +Signed-off-by: Tejun Heo +Reported-by: Rik van Riel +Fixes: 7caa47151ab2 ("blkcg: implement blk-iocost") +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-iocost.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/block/blk-iocost.c ++++ b/block/blk-iocost.c +@@ -1440,16 +1440,17 @@ static int iocg_wake_fn(struct wait_queu + return -1; + + iocg_commit_bio(ctx->iocg, wait->bio, wait->abs_cost, cost); ++ wait->committed = true; + + /* + * autoremove_wake_function() removes the wait entry only when it +- * actually changed the task state. We want the wait always +- * removed. Remove explicitly and use default_wake_function(). ++ * actually changed the task state. We want the wait always removed. ++ * Remove explicitly and use default_wake_function(). Note that the ++ * order of operations is important as finish_wait() tests whether ++ * @wq_entry is removed without grabbing the lock. + */ +- list_del_init(&wq_entry->entry); +- wait->committed = true; +- + default_wake_function(wq_entry, mode, flags, key); ++ list_del_init_careful(&wq_entry->entry); + return 0; + } + diff --git a/queue-5.13/btrfs-fix-lost-inode-on-log-replay-after-mix-of-fsync-rename-and-inode-eviction.patch b/queue-5.13/btrfs-fix-lost-inode-on-log-replay-after-mix-of-fsync-rename-and-inode-eviction.patch new file mode 100644 index 00000000000..44567a94b6c --- /dev/null +++ b/queue-5.13/btrfs-fix-lost-inode-on-log-replay-after-mix-of-fsync-rename-and-inode-eviction.patch @@ -0,0 +1,100 @@ +From ecc64fab7d49c678e70bd4c35fe64d2ab3e3d212 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Tue, 27 Jul 2021 11:24:43 +0100 +Subject: btrfs: fix lost inode on log replay after mix of fsync, rename and inode eviction + +From: Filipe Manana + +commit ecc64fab7d49c678e70bd4c35fe64d2ab3e3d212 upstream. + +When checking if we need to log the new name of a renamed inode, we are +checking if the inode and its parent inode have been logged before, and if +not we don't log the new name. The check however is buggy, as it directly +compares the logged_trans field of the inodes versus the ID of the current +transaction. The problem is that logged_trans is a transient field, only +stored in memory and never persisted in the inode item, so if an inode +was logged before, evicted and reloaded, its logged_trans field is set to +a value of 0, meaning the check will return false and the new name of the +renamed inode is not logged. If the old parent directory was previously +fsynced and we deleted the logged directory entries corresponding to the +old name, we end up with a log that when replayed will delete the renamed +inode. + +The following example triggers the problem: + + $ mkfs.btrfs -f /dev/sdc + $ mount /dev/sdc /mnt + + $ mkdir /mnt/A + $ mkdir /mnt/B + $ echo -n "hello world" > /mnt/A/foo + + $ sync + + # Add some new file to A and fsync directory A. + $ touch /mnt/A/bar + $ xfs_io -c "fsync" /mnt/A + + # Now trigger inode eviction. We are only interested in triggering + # eviction for the inode of directory A. + $ echo 2 > /proc/sys/vm/drop_caches + + # Move foo from directory A to directory B. + # This deletes the directory entries for foo in A from the log, and + # does not add the new name for foo in directory B to the log, because + # logged_trans of A is 0, which is less than the current transaction ID. + $ mv /mnt/A/foo /mnt/B/foo + + # Now make an fsync to anything except A, B or any file inside them, + # like for example create a file at the root directory and fsync this + # new file. This syncs the log that contains all the changes done by + # previous rename operation. + $ touch /mnt/baz + $ xfs_io -c "fsync" /mnt/baz + + + + # Mount the filesystem and replay the log. + $ mount /dev/sdc /mnt + + # Check the filesystem content. + $ ls -1R /mnt + /mnt/: + A + B + baz + + /mnt/A: + bar + + /mnt/B: + $ + + # File foo is gone, it's neither in A/ nor in B/. + +Fix this by using the inode_logged() helper at btrfs_log_new_name(), which +safely checks if an inode was logged before in the current transaction. + +A test case for fstests will follow soon. + +CC: stable@vger.kernel.org # 4.14+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -6492,8 +6492,8 @@ void btrfs_log_new_name(struct btrfs_tra + * if this inode hasn't been logged and directory we're renaming it + * from hasn't been logged, we don't need to log it + */ +- if (inode->logged_trans < trans->transid && +- (!old_dir || old_dir->logged_trans < trans->transid)) ++ if (!inode_logged(trans, inode) && ++ (!old_dir || !inode_logged(trans, old_dir))) + return; + + /* diff --git a/queue-5.13/btrfs-fix-rw-device-counting-in-__btrfs_free_extra_devids.patch b/queue-5.13/btrfs-fix-rw-device-counting-in-__btrfs_free_extra_devids.patch new file mode 100644 index 00000000000..91bfd3806a0 --- /dev/null +++ b/queue-5.13/btrfs-fix-rw-device-counting-in-__btrfs_free_extra_devids.patch @@ -0,0 +1,113 @@ +From b2a616676839e2a6b02c8e40be7f886f882ed194 Mon Sep 17 00:00:00 2001 +From: Desmond Cheong Zhi Xi +Date: Tue, 27 Jul 2021 15:13:03 +0800 +Subject: btrfs: fix rw device counting in __btrfs_free_extra_devids + +From: Desmond Cheong Zhi Xi + +commit b2a616676839e2a6b02c8e40be7f886f882ed194 upstream. + +When removing a writeable device in __btrfs_free_extra_devids, the rw +device count should be decremented. + +This error was caught by Syzbot which reported a warning in +close_fs_devices: + + WARNING: CPU: 1 PID: 9355 at fs/btrfs/volumes.c:1168 close_fs_devices+0x763/0x880 fs/btrfs/volumes.c:1168 + Modules linked in: + CPU: 0 PID: 9355 Comm: syz-executor552 Not tainted 5.13.0-rc1-syzkaller #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + RIP: 0010:close_fs_devices+0x763/0x880 fs/btrfs/volumes.c:1168 + RSP: 0018:ffffc9000333f2f0 EFLAGS: 00010293 + RAX: ffffffff8365f5c3 RBX: 0000000000000001 RCX: ffff888029afd4c0 + RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 + RBP: ffff88802846f508 R08: ffffffff8365f525 R09: ffffed100337d128 + R10: ffffed100337d128 R11: 0000000000000000 R12: dffffc0000000000 + R13: ffff888019be8868 R14: 1ffff1100337d10d R15: 1ffff1100337d10a + FS: 00007f6f53828700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000000000047c410 CR3: 00000000302a6000 CR4: 00000000001506f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + btrfs_close_devices+0xc9/0x450 fs/btrfs/volumes.c:1180 + open_ctree+0x8e1/0x3968 fs/btrfs/disk-io.c:3693 + btrfs_fill_super fs/btrfs/super.c:1382 [inline] + btrfs_mount_root+0xac5/0xc60 fs/btrfs/super.c:1749 + legacy_get_tree+0xea/0x180 fs/fs_context.c:592 + vfs_get_tree+0x86/0x270 fs/super.c:1498 + fc_mount fs/namespace.c:993 [inline] + vfs_kern_mount+0xc9/0x160 fs/namespace.c:1023 + btrfs_mount+0x3d3/0xb50 fs/btrfs/super.c:1809 + legacy_get_tree+0xea/0x180 fs/fs_context.c:592 + vfs_get_tree+0x86/0x270 fs/super.c:1498 + do_new_mount fs/namespace.c:2905 [inline] + path_mount+0x196f/0x2be0 fs/namespace.c:3235 + do_mount fs/namespace.c:3248 [inline] + __do_sys_mount fs/namespace.c:3456 [inline] + __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3433 + do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Because fs_devices->rw_devices was not 0 after +closing all devices. Here is the call trace that was observed: + + btrfs_mount_root(): + btrfs_scan_one_device(): + device_list_add(); <---------------- device added + btrfs_open_devices(): + open_fs_devices(): + btrfs_open_one_device(); <-------- writable device opened, + rw device count ++ + btrfs_fill_super(): + open_ctree(): + btrfs_free_extra_devids(): + __btrfs_free_extra_devids(); <--- writable device removed, + rw device count not decremented + fail_tree_roots: + btrfs_close_devices(): + close_fs_devices(); <------- rw device count off by 1 + +As a note, prior to commit cf89af146b7e ("btrfs: dev-replace: fail +mount if we don't have replace item with target device"), rw_devices +was decremented on removing a writable device in +__btrfs_free_extra_devids only if the BTRFS_DEV_STATE_REPLACE_TGT bit +was not set for the device. However, this check does not need to be +reinstated as it is now redundant and incorrect. + +In __btrfs_free_extra_devids, we skip removing the device if it is the +target for replacement. This is done by checking whether device->devid +== BTRFS_DEV_REPLACE_DEVID. Since BTRFS_DEV_STATE_REPLACE_TGT is set +only on the device with devid BTRFS_DEV_REPLACE_DEVID, no devices +should have the BTRFS_DEV_STATE_REPLACE_TGT bit set after the check, +and so it's redundant to test for that bit. + +Additionally, following commit 82372bc816d7 ("Btrfs: make +the logic of source device removing more clear"), rw_devices is +incremented whenever a writeable device is added to the alloc +list (including the target device in btrfs_dev_replace_finishing), so +all removals of writable devices from the alloc list should also be +accompanied by a decrement to rw_devices. + +Reported-by: syzbot+a70e2ad0879f160b9217@syzkaller.appspotmail.com +Fixes: cf89af146b7e ("btrfs: dev-replace: fail mount if we don't have replace item with target device") +CC: stable@vger.kernel.org # 5.10+ +Tested-by: syzbot+a70e2ad0879f160b9217@syzkaller.appspotmail.com +Reviewed-by: Anand Jain +Signed-off-by: Desmond Cheong Zhi Xi +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1078,6 +1078,7 @@ static void __btrfs_free_extra_devids(st + if (test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state)) { + list_del_init(&device->dev_alloc_list); + clear_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state); ++ fs_devices->rw_devices--; + } + list_del_init(&device->dev_list); + fs_devices->num_devices--; diff --git a/queue-5.13/btrfs-mark-compressed-range-uptodate-only-if-all-bio-succeed.patch b/queue-5.13/btrfs-mark-compressed-range-uptodate-only-if-all-bio-succeed.patch new file mode 100644 index 00000000000..ca948a00cae --- /dev/null +++ b/queue-5.13/btrfs-mark-compressed-range-uptodate-only-if-all-bio-succeed.patch @@ -0,0 +1,40 @@ +From 240246f6b913b0c23733cfd2def1d283f8cc9bbe Mon Sep 17 00:00:00 2001 +From: Goldwyn Rodrigues +Date: Fri, 9 Jul 2021 11:29:22 -0500 +Subject: btrfs: mark compressed range uptodate only if all bio succeed + +From: Goldwyn Rodrigues + +commit 240246f6b913b0c23733cfd2def1d283f8cc9bbe upstream. + +In compression write endio sequence, the range which the compressed_bio +writes is marked as uptodate if the last bio of the compressed (sub)bios +is completed successfully. There could be previous bio which may +have failed which is recorded in cb->errors. + +Set the writeback range as uptodate only if cb->errors is zero, as opposed +to checking only the last bio's status. + +Backporting notes: in all versions up to 4.4 the last argument is always +replaced by "!cb->errors". + +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Goldwyn Rodrigues +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/compression.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/compression.c ++++ b/fs/btrfs/compression.c +@@ -353,7 +353,7 @@ static void end_compressed_bio_write(str + btrfs_record_physical_zoned(inode, cb->start, bio); + btrfs_writepage_endio_finish_ordered(cb->compressed_pages[0], + cb->start, cb->start + cb->len - 1, +- bio->bi_status == BLK_STS_OK); ++ !cb->errors); + cb->compressed_pages[0]->mapping = NULL; + + end_compressed_writeback(inode, cb); diff --git a/queue-5.13/can-ems_usb-fix-memory-leak.patch b/queue-5.13/can-ems_usb-fix-memory-leak.patch new file mode 100644 index 00000000000..852bf27ac59 --- /dev/null +++ b/queue-5.13/can-ems_usb-fix-memory-leak.patch @@ -0,0 +1,93 @@ +From 9969e3c5f40c166e3396acc36c34f9de502929f6 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Tue, 27 Jul 2021 20:00:33 +0300 +Subject: can: ems_usb: fix memory leak + +From: Pavel Skripkin + +commit 9969e3c5f40c166e3396acc36c34f9de502929f6 upstream. + +In ems_usb_start() MAX_RX_URBS coherent buffers are allocated and +there is nothing, that frees them: + +1) In callback function the urb is resubmitted and that's all +2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER + is not set (see ems_usb_start) and this flag cannot be used with + coherent buffers. + +So, all allocated buffers should be freed with usb_free_coherent() +explicitly. + +Side note: This code looks like a copy-paste of other can drivers. The +same patch was applied to mcba_usb driver and it works nice with real +hardware. There is no change in functionality, only clean-up code for +coherent buffers. + +Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface") +Link: https://lore.kernel.org/r/59aa9fbc9a8cbf9af2bbd2f61a659c480b415800.1627404470.git.paskripkin@gmail.com +Cc: linux-stable +Signed-off-by: Pavel Skripkin +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/ems_usb.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/ems_usb.c ++++ b/drivers/net/can/usb/ems_usb.c +@@ -255,6 +255,8 @@ struct ems_usb { + unsigned int free_slots; /* remember number of available slots */ + + struct ems_cpc_msg active_params; /* active controller parameters */ ++ void *rxbuf[MAX_RX_URBS]; ++ dma_addr_t rxbuf_dma[MAX_RX_URBS]; + }; + + static void ems_usb_read_interrupt_callback(struct urb *urb) +@@ -587,6 +589,7 @@ static int ems_usb_start(struct ems_usb + for (i = 0; i < MAX_RX_URBS; i++) { + struct urb *urb = NULL; + u8 *buf = NULL; ++ dma_addr_t buf_dma; + + /* create a URB, and a buffer for it */ + urb = usb_alloc_urb(0, GFP_KERNEL); +@@ -596,7 +599,7 @@ static int ems_usb_start(struct ems_usb + } + + buf = usb_alloc_coherent(dev->udev, RX_BUFFER_SIZE, GFP_KERNEL, +- &urb->transfer_dma); ++ &buf_dma); + if (!buf) { + netdev_err(netdev, "No memory left for USB buffer\n"); + usb_free_urb(urb); +@@ -604,6 +607,8 @@ static int ems_usb_start(struct ems_usb + break; + } + ++ urb->transfer_dma = buf_dma; ++ + usb_fill_bulk_urb(urb, dev->udev, usb_rcvbulkpipe(dev->udev, 2), + buf, RX_BUFFER_SIZE, + ems_usb_read_bulk_callback, dev); +@@ -619,6 +624,9 @@ static int ems_usb_start(struct ems_usb + break; + } + ++ dev->rxbuf[i] = buf; ++ dev->rxbuf_dma[i] = buf_dma; ++ + /* Drop reference, USB core will take care of freeing it */ + usb_free_urb(urb); + } +@@ -684,6 +692,10 @@ static void unlink_all_urbs(struct ems_u + + usb_kill_anchored_urbs(&dev->rx_submitted); + ++ for (i = 0; i < MAX_RX_URBS; ++i) ++ usb_free_coherent(dev->udev, RX_BUFFER_SIZE, ++ dev->rxbuf[i], dev->rxbuf_dma[i]); ++ + usb_kill_anchored_urbs(&dev->tx_submitted); + atomic_set(&dev->active_tx_urbs, 0); + diff --git a/queue-5.13/can-esd_usb2-fix-memory-leak.patch b/queue-5.13/can-esd_usb2-fix-memory-leak.patch new file mode 100644 index 00000000000..70a9c58f443 --- /dev/null +++ b/queue-5.13/can-esd_usb2-fix-memory-leak.patch @@ -0,0 +1,97 @@ +From 928150fad41ba16df7fcc9f7f945747d0f56cbb6 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Tue, 27 Jul 2021 20:00:46 +0300 +Subject: can: esd_usb2: fix memory leak + +From: Pavel Skripkin + +commit 928150fad41ba16df7fcc9f7f945747d0f56cbb6 upstream. + +In esd_usb2_setup_rx_urbs() MAX_RX_URBS coherent buffers are allocated +and there is nothing, that frees them: + +1) In callback function the urb is resubmitted and that's all +2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER + is not set (see esd_usb2_setup_rx_urbs) and this flag cannot be used + with coherent buffers. + +So, all allocated buffers should be freed with usb_free_coherent() +explicitly. + +Side note: This code looks like a copy-paste of other can drivers. The +same patch was applied to mcba_usb driver and it works nice with real +hardware. There is no change in functionality, only clean-up code for +coherent buffers. + +Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device") +Link: https://lore.kernel.org/r/b31b096926dcb35998ad0271aac4b51770ca7cc8.1627404470.git.paskripkin@gmail.com +Cc: linux-stable +Signed-off-by: Pavel Skripkin +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/esd_usb2.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/esd_usb2.c ++++ b/drivers/net/can/usb/esd_usb2.c +@@ -195,6 +195,8 @@ struct esd_usb2 { + int net_count; + u32 version; + int rxinitdone; ++ void *rxbuf[MAX_RX_URBS]; ++ dma_addr_t rxbuf_dma[MAX_RX_URBS]; + }; + + struct esd_usb2_net_priv { +@@ -545,6 +547,7 @@ static int esd_usb2_setup_rx_urbs(struct + for (i = 0; i < MAX_RX_URBS; i++) { + struct urb *urb = NULL; + u8 *buf = NULL; ++ dma_addr_t buf_dma; + + /* create a URB, and a buffer for it */ + urb = usb_alloc_urb(0, GFP_KERNEL); +@@ -554,7 +557,7 @@ static int esd_usb2_setup_rx_urbs(struct + } + + buf = usb_alloc_coherent(dev->udev, RX_BUFFER_SIZE, GFP_KERNEL, +- &urb->transfer_dma); ++ &buf_dma); + if (!buf) { + dev_warn(dev->udev->dev.parent, + "No memory left for USB buffer\n"); +@@ -562,6 +565,8 @@ static int esd_usb2_setup_rx_urbs(struct + goto freeurb; + } + ++ urb->transfer_dma = buf_dma; ++ + usb_fill_bulk_urb(urb, dev->udev, + usb_rcvbulkpipe(dev->udev, 1), + buf, RX_BUFFER_SIZE, +@@ -574,8 +579,12 @@ static int esd_usb2_setup_rx_urbs(struct + usb_unanchor_urb(urb); + usb_free_coherent(dev->udev, RX_BUFFER_SIZE, buf, + urb->transfer_dma); ++ goto freeurb; + } + ++ dev->rxbuf[i] = buf; ++ dev->rxbuf_dma[i] = buf_dma; ++ + freeurb: + /* Drop reference, USB core will take care of freeing it */ + usb_free_urb(urb); +@@ -663,6 +672,11 @@ static void unlink_all_urbs(struct esd_u + int i, j; + + usb_kill_anchored_urbs(&dev->rx_submitted); ++ ++ for (i = 0; i < MAX_RX_URBS; ++i) ++ usb_free_coherent(dev->udev, RX_BUFFER_SIZE, ++ dev->rxbuf[i], dev->rxbuf_dma[i]); ++ + for (i = 0; i < dev->net_count; i++) { + priv = dev->nets[i]; + if (priv) { diff --git a/queue-5.13/can-j1939-j1939_xtp_rx_dat_one-fix-rxtimer-value-between-consecutive-tp.dt-to-750ms.patch b/queue-5.13/can-j1939-j1939_xtp_rx_dat_one-fix-rxtimer-value-between-consecutive-tp.dt-to-750ms.patch new file mode 100644 index 00000000000..64d7fde8d30 --- /dev/null +++ b/queue-5.13/can-j1939-j1939_xtp_rx_dat_one-fix-rxtimer-value-between-consecutive-tp.dt-to-750ms.patch @@ -0,0 +1,34 @@ +From c6eea1c8bda56737752465a298dc6ce07d6b8ce3 Mon Sep 17 00:00:00 2001 +From: Zhang Changzhong +Date: Tue, 6 Jul 2021 19:00:08 +0800 +Subject: can: j1939: j1939_xtp_rx_dat_one(): fix rxtimer value between consecutive TP.DT to 750ms + +From: Zhang Changzhong + +commit c6eea1c8bda56737752465a298dc6ce07d6b8ce3 upstream. + +For receive side, the max time interval between two consecutive TP.DT +should be 750ms. + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Link: https://lore.kernel.org/r/1625569210-47506-1-git-send-email-zhangchangzhong@huawei.com +Cc: linux-stable +Signed-off-by: Zhang Changzhong +Acked-by: Oleksij Rempel +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1869,7 +1869,7 @@ static void j1939_xtp_rx_dat_one(struct + if (!session->transmission) + j1939_tp_schedule_txtimer(session, 0); + } else { +- j1939_tp_set_rxtimeout(session, 250); ++ j1939_tp_set_rxtimeout(session, 750); + } + session->last_cmd = 0xff; + consume_skb(se_skb); diff --git a/queue-5.13/can-mcba_usb_start-add-missing-urb-transfer_dma-initialization.patch b/queue-5.13/can-mcba_usb_start-add-missing-urb-transfer_dma-initialization.patch new file mode 100644 index 00000000000..9c39fc09eab --- /dev/null +++ b/queue-5.13/can-mcba_usb_start-add-missing-urb-transfer_dma-initialization.patch @@ -0,0 +1,52 @@ +From fc43fb69a7af92839551f99c1a96a37b77b3ae7a Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Sun, 25 Jul 2021 13:36:30 +0300 +Subject: can: mcba_usb_start(): add missing urb->transfer_dma initialization + +From: Pavel Skripkin + +commit fc43fb69a7af92839551f99c1a96a37b77b3ae7a upstream. + +Yasushi reported, that his Microchip CAN Analyzer stopped working +since commit 91c02557174b ("can: mcba_usb: fix memory leak in +mcba_usb"). The problem was in missing urb->transfer_dma +initialization. + +In my previous patch to this driver I refactored mcba_usb_start() code +to avoid leaking usb coherent buffers. To archive it, I passed local +stack variable to usb_alloc_coherent() and then saved it to private +array to correctly free all coherent buffers on ->close() call. But I +forgot to initialize urb->transfer_dma with variable passed to +usb_alloc_coherent(). + +All of this was causing device to not work, since dma addr 0 is not +valid and following log can be found on bug report page, which points +exactly to problem described above. + +| DMAR: [DMA Write] Request device [00:14.0] PASID ffffffff fault addr 0 [fault reason 05] PTE Write access is not set + +Fixes: 91c02557174b ("can: mcba_usb: fix memory leak in mcba_usb") +Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990850 +Link: https://lore.kernel.org/r/20210725103630.23864-1-paskripkin@gmail.com +Cc: linux-stable +Reported-by: Yasushi SHOJI +Signed-off-by: Pavel Skripkin +Tested-by: Yasushi SHOJI +[mkl: fixed typos in commit message - thanks Yasushi SHOJI] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/mcba_usb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/can/usb/mcba_usb.c ++++ b/drivers/net/can/usb/mcba_usb.c +@@ -653,6 +653,8 @@ static int mcba_usb_start(struct mcba_pr + break; + } + ++ urb->transfer_dma = buf_dma; ++ + usb_fill_bulk_urb(urb, priv->udev, + usb_rcvbulkpipe(priv->udev, MCBA_USB_EP_IN), + buf, MCBA_USB_RX_BUFF_SIZE, diff --git a/queue-5.13/can-peak_usb-pcan_usb_handle_bus_evt-fix-reading-rxerr-txerr-values.patch b/queue-5.13/can-peak_usb-pcan_usb_handle_bus_evt-fix-reading-rxerr-txerr-values.patch new file mode 100644 index 00000000000..cb0961f3e01 --- /dev/null +++ b/queue-5.13/can-peak_usb-pcan_usb_handle_bus_evt-fix-reading-rxerr-txerr-values.patch @@ -0,0 +1,52 @@ +From 590eb2b7d8cfafb27e8108d52d4bf4850626d31d Mon Sep 17 00:00:00 2001 +From: Stephane Grosjean +Date: Fri, 25 Jun 2021 15:09:29 +0200 +Subject: can: peak_usb: pcan_usb_handle_bus_evt(): fix reading rxerr/txerr values + +From: Stephane Grosjean + +commit 590eb2b7d8cfafb27e8108d52d4bf4850626d31d upstream. + +This patch fixes an incorrect way of reading error counters in messages +received for this purpose from the PCAN-USB interface. These messages +inform about the increase or decrease of the error counters, whose values +are placed in bytes 1 and 2 of the message data (not 0 and 1). + +Fixes: ea8b33bde76c ("can: pcan_usb: add support of rxerr/txerr counters") +Link: https://lore.kernel.org/r/20210625130931.27438-4-s.grosjean@peak-system.com +Cc: linux-stable +Signed-off-by: Stephane Grosjean +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/peak_usb/pcan_usb.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb.c +@@ -117,7 +117,8 @@ + #define PCAN_USB_BERR_MASK (PCAN_USB_ERR_RXERR | PCAN_USB_ERR_TXERR) + + /* identify bus event packets with rx/tx error counters */ +-#define PCAN_USB_ERR_CNT 0x80 ++#define PCAN_USB_ERR_CNT_DEC 0x00 /* counters are decreasing */ ++#define PCAN_USB_ERR_CNT_INC 0x80 /* counters are increasing */ + + /* private to PCAN-USB adapter */ + struct pcan_usb { +@@ -608,11 +609,12 @@ static int pcan_usb_handle_bus_evt(struc + + /* acccording to the content of the packet */ + switch (ir) { +- case PCAN_USB_ERR_CNT: ++ case PCAN_USB_ERR_CNT_DEC: ++ case PCAN_USB_ERR_CNT_INC: + + /* save rx/tx error counters from in the device context */ +- pdev->bec.rxerr = mc->ptr[0]; +- pdev->bec.txerr = mc->ptr[1]; ++ pdev->bec.rxerr = mc->ptr[1]; ++ pdev->bec.txerr = mc->ptr[2]; + break; + + default: diff --git a/queue-5.13/can-raw-raw_setsockopt-fix-raw_rcv-panic-for-sock-uaf.patch b/queue-5.13/can-raw-raw_setsockopt-fix-raw_rcv-panic-for-sock-uaf.patch new file mode 100644 index 00000000000..67bbc59a8e3 --- /dev/null +++ b/queue-5.13/can-raw-raw_setsockopt-fix-raw_rcv-panic-for-sock-uaf.patch @@ -0,0 +1,163 @@ +From 54f93336d000229f72c26d8a3f69dd256b744528 Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Thu, 22 Jul 2021 15:08:19 +0800 +Subject: can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF + +From: Ziyang Xuan + +commit 54f93336d000229f72c26d8a3f69dd256b744528 upstream. + +We get a bug during ltp can_filter test as following. + +=========================================== +[60919.264984] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 +[60919.265223] PGD 8000003dda726067 P4D 8000003dda726067 PUD 3dda727067 PMD 0 +[60919.265443] Oops: 0000 [#1] SMP PTI +[60919.265550] CPU: 30 PID: 3638365 Comm: can_filter Kdump: loaded Tainted: G W 4.19.90+ #1 +[60919.266068] RIP: 0010:selinux_socket_sock_rcv_skb+0x3e/0x200 +[60919.293289] RSP: 0018:ffff8d53bfc03cf8 EFLAGS: 00010246 +[60919.307140] RAX: 0000000000000000 RBX: 000000000000001d RCX: 0000000000000007 +[60919.320756] RDX: 0000000000000001 RSI: ffff8d5104a8ed00 RDI: ffff8d53bfc03d30 +[60919.334319] RBP: ffff8d9338056800 R08: ffff8d53bfc29d80 R09: 0000000000000001 +[60919.347969] R10: ffff8d53bfc03ec0 R11: ffffb8526ef47c98 R12: ffff8d53bfc03d30 +[60919.350320] perf: interrupt took too long (3063 > 2500), lowering kernel.perf_event_max_sample_rate to 65000 +[60919.361148] R13: 0000000000000001 R14: ffff8d53bcf90000 R15: 0000000000000000 +[60919.361151] FS: 00007fb78b6b3600(0000) GS:ffff8d53bfc00000(0000) knlGS:0000000000000000 +[60919.400812] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[60919.413730] CR2: 0000000000000010 CR3: 0000003e3f784006 CR4: 00000000007606e0 +[60919.426479] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[60919.439339] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[60919.451608] PKRU: 55555554 +[60919.463622] Call Trace: +[60919.475617] +[60919.487122] ? update_load_avg+0x89/0x5d0 +[60919.498478] ? update_load_avg+0x89/0x5d0 +[60919.509822] ? account_entity_enqueue+0xc5/0xf0 +[60919.520709] security_sock_rcv_skb+0x2a/0x40 +[60919.531413] sk_filter_trim_cap+0x47/0x1b0 +[60919.542178] ? kmem_cache_alloc+0x38/0x1b0 +[60919.552444] sock_queue_rcv_skb+0x17/0x30 +[60919.562477] raw_rcv+0x110/0x190 [can_raw] +[60919.572539] can_rcv_filter+0xbc/0x1b0 [can] +[60919.582173] can_receive+0x6b/0xb0 [can] +[60919.591595] can_rcv+0x31/0x70 [can] +[60919.600783] __netif_receive_skb_one_core+0x5a/0x80 +[60919.609864] process_backlog+0x9b/0x150 +[60919.618691] net_rx_action+0x156/0x400 +[60919.627310] ? sched_clock_cpu+0xc/0xa0 +[60919.635714] __do_softirq+0xe8/0x2e9 +[60919.644161] do_softirq_own_stack+0x2a/0x40 +[60919.652154] +[60919.659899] do_softirq.part.17+0x4f/0x60 +[60919.667475] __local_bh_enable_ip+0x60/0x70 +[60919.675089] __dev_queue_xmit+0x539/0x920 +[60919.682267] ? finish_wait+0x80/0x80 +[60919.689218] ? finish_wait+0x80/0x80 +[60919.695886] ? sock_alloc_send_pskb+0x211/0x230 +[60919.702395] ? can_send+0xe5/0x1f0 [can] +[60919.708882] can_send+0xe5/0x1f0 [can] +[60919.715037] raw_sendmsg+0x16d/0x268 [can_raw] + +It's because raw_setsockopt() concurrently with +unregister_netdevice_many(). Concurrent scenario as following. + + cpu0 cpu1 +raw_bind +raw_setsockopt unregister_netdevice_many + unlist_netdevice +dev_get_by_index raw_notifier +raw_enable_filters ...... +can_rx_register +can_rcv_list_find(..., net->can.rx_alldev_list) + +...... + +sock_close +raw_release(sock_a) + +...... + +can_receive +can_rcv_filter(net->can.rx_alldev_list, ...) +raw_rcv(skb, sock_a) +BUG + +After unlist_netdevice(), dev_get_by_index() return NULL in +raw_setsockopt(). Function raw_enable_filters() will add sock +and can_filter to net->can.rx_alldev_list. Then the sock is closed. +Followed by, we sock_sendmsg() to a new vcan device use the same +can_filter. Protocol stack match the old receiver whose sock has +been released on net->can.rx_alldev_list in can_rcv_filter(). +Function raw_rcv() uses the freed sock. UAF BUG is triggered. + +We can find that the key issue is that net_device has not been +protected in raw_setsockopt(). Use rtnl_lock to protect net_device +in raw_setsockopt(). + +Fixes: c18ce101f2e4 ("[CAN]: Add raw protocol") +Link: https://lore.kernel.org/r/20210722070819.1048263-1-william.xuanziyang@huawei.com +Cc: linux-stable +Signed-off-by: Ziyang Xuan +Acked-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/raw.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +--- a/net/can/raw.c ++++ b/net/can/raw.c +@@ -546,10 +546,18 @@ static int raw_setsockopt(struct socket + return -EFAULT; + } + ++ rtnl_lock(); + lock_sock(sk); + +- if (ro->bound && ro->ifindex) ++ if (ro->bound && ro->ifindex) { + dev = dev_get_by_index(sock_net(sk), ro->ifindex); ++ if (!dev) { ++ if (count > 1) ++ kfree(filter); ++ err = -ENODEV; ++ goto out_fil; ++ } ++ } + + if (ro->bound) { + /* (try to) register the new filters */ +@@ -588,6 +596,7 @@ static int raw_setsockopt(struct socket + dev_put(dev); + + release_sock(sk); ++ rtnl_unlock(); + + break; + +@@ -600,10 +609,16 @@ static int raw_setsockopt(struct socket + + err_mask &= CAN_ERR_MASK; + ++ rtnl_lock(); + lock_sock(sk); + +- if (ro->bound && ro->ifindex) ++ if (ro->bound && ro->ifindex) { + dev = dev_get_by_index(sock_net(sk), ro->ifindex); ++ if (!dev) { ++ err = -ENODEV; ++ goto out_err; ++ } ++ } + + /* remove current error mask */ + if (ro->bound) { +@@ -627,6 +642,7 @@ static int raw_setsockopt(struct socket + dev_put(dev); + + release_sock(sk); ++ rtnl_unlock(); + + break; + diff --git a/queue-5.13/can-usb_8dev-fix-memory-leak.patch b/queue-5.13/can-usb_8dev-fix-memory-leak.patch new file mode 100644 index 00000000000..8bbe2f46160 --- /dev/null +++ b/queue-5.13/can-usb_8dev-fix-memory-leak.patch @@ -0,0 +1,94 @@ +From 0e865f0c31928d6a313269ef624907eec55287c4 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Tue, 27 Jul 2021 19:59:57 +0300 +Subject: can: usb_8dev: fix memory leak + +From: Pavel Skripkin + +commit 0e865f0c31928d6a313269ef624907eec55287c4 upstream. + +In usb_8dev_start() MAX_RX_URBS coherent buffers are allocated and +there is nothing, that frees them: + +1) In callback function the urb is resubmitted and that's all +2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER + is not set (see usb_8dev_start) and this flag cannot be used with + coherent buffers. + +So, all allocated buffers should be freed with usb_free_coherent() +explicitly. + +Side note: This code looks like a copy-paste of other can drivers. The +same patch was applied to mcba_usb driver and it works nice with real +hardware. There is no change in functionality, only clean-up code for +coherent buffers. + +Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices") +Link: https://lore.kernel.org/r/d39b458cd425a1cf7f512f340224e6e9563b07bd.1627404470.git.paskripkin@gmail.com +Cc: linux-stable +Signed-off-by: Pavel Skripkin +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/usb_8dev.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/usb/usb_8dev.c ++++ b/drivers/net/can/usb/usb_8dev.c +@@ -137,7 +137,8 @@ struct usb_8dev_priv { + u8 *cmd_msg_buffer; + + struct mutex usb_8dev_cmd_lock; +- ++ void *rxbuf[MAX_RX_URBS]; ++ dma_addr_t rxbuf_dma[MAX_RX_URBS]; + }; + + /* tx frame */ +@@ -733,6 +734,7 @@ static int usb_8dev_start(struct usb_8de + for (i = 0; i < MAX_RX_URBS; i++) { + struct urb *urb = NULL; + u8 *buf; ++ dma_addr_t buf_dma; + + /* create a URB, and a buffer for it */ + urb = usb_alloc_urb(0, GFP_KERNEL); +@@ -742,7 +744,7 @@ static int usb_8dev_start(struct usb_8de + } + + buf = usb_alloc_coherent(priv->udev, RX_BUFFER_SIZE, GFP_KERNEL, +- &urb->transfer_dma); ++ &buf_dma); + if (!buf) { + netdev_err(netdev, "No memory left for USB buffer\n"); + usb_free_urb(urb); +@@ -750,6 +752,8 @@ static int usb_8dev_start(struct usb_8de + break; + } + ++ urb->transfer_dma = buf_dma; ++ + usb_fill_bulk_urb(urb, priv->udev, + usb_rcvbulkpipe(priv->udev, + USB_8DEV_ENDP_DATA_RX), +@@ -767,6 +771,9 @@ static int usb_8dev_start(struct usb_8de + break; + } + ++ priv->rxbuf[i] = buf; ++ priv->rxbuf_dma[i] = buf_dma; ++ + /* Drop reference, USB core will take care of freeing it */ + usb_free_urb(urb); + } +@@ -836,6 +843,10 @@ static void unlink_all_urbs(struct usb_8 + + usb_kill_anchored_urbs(&priv->rx_submitted); + ++ for (i = 0; i < MAX_RX_URBS; ++i) ++ usb_free_coherent(priv->udev, RX_BUFFER_SIZE, ++ priv->rxbuf[i], priv->rxbuf_dma[i]); ++ + usb_kill_anchored_urbs(&priv->tx_submitted); + atomic_set(&priv->active_tx_urbs, 0); + diff --git a/queue-5.13/drm-amd-display-ensure-dentist-display-clock-update-finished-in-dcn20.patch b/queue-5.13/drm-amd-display-ensure-dentist-display-clock-update-finished-in-dcn20.patch new file mode 100644 index 00000000000..c9446780c16 --- /dev/null +++ b/queue-5.13/drm-amd-display-ensure-dentist-display-clock-update-finished-in-dcn20.patch @@ -0,0 +1,42 @@ +From b53e041d8e4308f7324999398aec092dbcb130f5 Mon Sep 17 00:00:00 2001 +From: Dale Zhao +Date: Fri, 16 Jul 2021 09:38:17 +0800 +Subject: drm/amd/display: ensure dentist display clock update finished in DCN20 + +From: Dale Zhao + +commit b53e041d8e4308f7324999398aec092dbcb130f5 upstream. + +[Why] +We don't check DENTIST_DISPCLK_CHG_DONE to ensure dentist +display clockis updated to target value. In some scenarios with large +display clock margin, it will deliver unfinished display clock and cause +issues like display black screen. + +[How] +Checking DENTIST_DISPCLK_CHG_DONE to ensure display clock +has been update to target value before driver do other clock related +actions. + +Reviewed-by: Cyr Aric +Acked-by: Solomon Chiu +Signed-off-by: Dale Zhao +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dcn20/dcn20_clk_mgr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn20/dcn20_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn20/dcn20_clk_mgr.c +@@ -135,7 +135,7 @@ void dcn20_update_clocks_update_dentist( + + REG_UPDATE(DENTIST_DISPCLK_CNTL, + DENTIST_DISPCLK_WDIVIDER, dispclk_wdivider); +-// REG_WAIT(DENTIST_DISPCLK_CNTL, DENTIST_DISPCLK_CHG_DONE, 1, 5, 100); ++ REG_WAIT(DENTIST_DISPCLK_CNTL, DENTIST_DISPCLK_CHG_DONE, 1, 50, 1000); + REG_UPDATE(DENTIST_DISPCLK_CNTL, + DENTIST_DPPCLK_WDIVIDER, dppclk_wdivider); + REG_WAIT(DENTIST_DISPCLK_CNTL, DENTIST_DPPCLK_CHG_DONE, 1, 5, 100); diff --git a/queue-5.13/drm-amdgpu-avoid-printing-of-stack-contents-on-firmware-load-error.patch b/queue-5.13/drm-amdgpu-avoid-printing-of-stack-contents-on-firmware-load-error.patch new file mode 100644 index 00000000000..5ab3a63a081 --- /dev/null +++ b/queue-5.13/drm-amdgpu-avoid-printing-of-stack-contents-on-firmware-load-error.patch @@ -0,0 +1,69 @@ +From 6aade587d329ebe88319dfdb8e8c7b6aede80417 Mon Sep 17 00:00:00 2001 +From: Jiri Kosina +Date: Thu, 24 Jun 2021 13:11:36 +0200 +Subject: drm/amdgpu: Avoid printing of stack contents on firmware load error + +From: Jiri Kosina + +commit 6aade587d329ebe88319dfdb8e8c7b6aede80417 upstream. + +In case when psp_init_asd_microcode() fails to load ASD microcode file, +psp_v12_0_init_microcode() tries to print the firmware filename that +failed to load before bailing out. + +This is wrong because: + +- the firmware filename it would want it print is an incorrect one as + psp_init_asd_microcode() and psp_v12_0_init_microcode() are loading + different filenames +- it tries to print fw_name, but that's not yet been initialized by that + time, so it prints random stack contents, e.g. + + amdgpu 0000:04:00.0: Direct firmware load for amdgpu/renoir_asd.bin failed with error -2 + amdgpu 0000:04:00.0: amdgpu: fail to initialize asd microcode + amdgpu 0000:04:00.0: amdgpu: psp v12.0: Failed to load firmware "\xfeTO\x8e\xff\xff" + +Fix that by bailing out immediately, instead of priting the bogus error +message. + +Reported-by: Vojtech Pavlik +Signed-off-by: Jiri Kosina +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/psp_v12_0.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/psp_v12_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/psp_v12_0.c +@@ -67,7 +67,7 @@ static int psp_v12_0_init_microcode(stru + + err = psp_init_asd_microcode(psp, chip_name); + if (err) +- goto out; ++ return err; + + snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_ta.bin", chip_name); + err = request_firmware(&adev->psp.ta_fw, fw_name, adev->dev); +@@ -80,7 +80,7 @@ static int psp_v12_0_init_microcode(stru + } else { + err = amdgpu_ucode_validate(adev->psp.ta_fw); + if (err) +- goto out2; ++ goto out; + + ta_hdr = (const struct ta_firmware_header_v1_0 *) + adev->psp.ta_fw->data; +@@ -105,10 +105,9 @@ static int psp_v12_0_init_microcode(stru + + return 0; + +-out2: ++out: + release_firmware(adev->psp.ta_fw); + adev->psp.ta_fw = NULL; +-out: + if (err) { + dev_err(adev->dev, + "psp v12.0: Failed to load firmware \"%s\"\n", diff --git a/queue-5.13/drm-amdgpu-check-pmops-for-desired-suspend-state.patch b/queue-5.13/drm-amdgpu-check-pmops-for-desired-suspend-state.patch new file mode 100644 index 00000000000..1d35c1c857e --- /dev/null +++ b/queue-5.13/drm-amdgpu-check-pmops-for-desired-suspend-state.patch @@ -0,0 +1,48 @@ +From 91e273712ab8dd8c31924ac7714b21e011137e98 Mon Sep 17 00:00:00 2001 +From: Pratik Vishwakarma +Date: Fri, 23 Jul 2021 18:08:40 +0530 +Subject: drm/amdgpu: Check pmops for desired suspend state + +From: Pratik Vishwakarma + +commit 91e273712ab8dd8c31924ac7714b21e011137e98 upstream. + +[Why] +User might change the suspend behaviour from OS. + +[How] +Check with pm for target suspend state and set s0ix +flag only for s2idle state. + +v2: User might change default suspend state, use target state +v3: squash in build fix + +Suggested-by: Lijo Lazar +Signed-off-by: Pratik Vishwakarma +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -906,7 +907,7 @@ bool amdgpu_acpi_is_s0ix_supported(struc + #if defined(CONFIG_AMD_PMC) || defined(CONFIG_AMD_PMC_MODULE) + if (acpi_gbl_FADT.flags & ACPI_FADT_LOW_POWER_S0) { + if (adev->flags & AMD_IS_APU) +- return true; ++ return pm_suspend_target_state == PM_SUSPEND_TO_IDLE; + } + #endif + return false; diff --git a/queue-5.13/drm-amdgpu-fix-resource-leak-on-probe-error-path.patch b/queue-5.13/drm-amdgpu-fix-resource-leak-on-probe-error-path.patch new file mode 100644 index 00000000000..fd6bc063689 --- /dev/null +++ b/queue-5.13/drm-amdgpu-fix-resource-leak-on-probe-error-path.patch @@ -0,0 +1,64 @@ +From d47255d3f87338164762ac56df1f28d751e27246 Mon Sep 17 00:00:00 2001 +From: Jiri Kosina +Date: Thu, 24 Jun 2021 13:20:21 +0200 +Subject: drm/amdgpu: Fix resource leak on probe error path + +From: Jiri Kosina + +commit d47255d3f87338164762ac56df1f28d751e27246 upstream. + +This reverts commit 4192f7b5768912ceda82be2f83c87ea7181f9980. + +It is not true (as stated in the reverted commit changelog) that we never +unmap the BAR on failure; it actually does happen properly on +amdgpu_driver_load_kms() -> amdgpu_driver_unload_kms() -> +amdgpu_device_fini() error path. + +What's worse, this commit actually completely breaks resource freeing on +probe failure (like e.g. failure to load microcode), as +amdgpu_driver_unload_kms() notices adev->rmmio being NULL and bails too +early, leaving all the resources that'd normally be freed in +amdgpu_acpi_fini() and amdgpu_device_fini() still hanging around, leading +to all sorts of oopses when someone tries to, for example, access the +sysfs and procfs resources which are still around while the driver is +gone. + +Fixes: 4192f7b57689 ("drm/amdgpu: unmap register bar on device init failure") +Reported-by: Vojtech Pavlik +Signed-off-by: Jiri Kosina +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3412,13 +3412,13 @@ int amdgpu_device_init(struct amdgpu_dev + r = amdgpu_device_get_job_timeout_settings(adev); + if (r) { + dev_err(adev->dev, "invalid lockup_timeout parameter syntax\n"); +- goto failed_unmap; ++ return r; + } + + /* early init functions */ + r = amdgpu_device_ip_early_init(adev); + if (r) +- goto failed_unmap; ++ return r; + + /* doorbell bar mapping and doorbell index init*/ + amdgpu_device_doorbell_init(adev); +@@ -3644,10 +3644,6 @@ release_ras_con: + failed: + amdgpu_vf_error_trans_all(adev); + +-failed_unmap: +- iounmap(adev->rmmio); +- adev->rmmio = NULL; +- + return r; + } + diff --git a/queue-5.13/fs-ext2-avoid-page_address-on-pages-returned-by-ext2_get_page.patch b/queue-5.13/fs-ext2-avoid-page_address-on-pages-returned-by-ext2_get_page.patch new file mode 100644 index 00000000000..3ec4df42256 --- /dev/null +++ b/queue-5.13/fs-ext2-avoid-page_address-on-pages-returned-by-ext2_get_page.patch @@ -0,0 +1,115 @@ +From 728d392f8a799f037812d0f2b254fb3b5e115fcf Mon Sep 17 00:00:00 2001 +From: Javier Pello +Date: Wed, 14 Jul 2021 18:54:48 +0200 +Subject: fs/ext2: Avoid page_address on pages returned by ext2_get_page + +From: Javier Pello + +commit 728d392f8a799f037812d0f2b254fb3b5e115fcf upstream. + +Commit 782b76d7abdf02b12c46ed6f1e9bf715569027f7 ("fs/ext2: Replace +kmap() with kmap_local_page()") replaced the kmap/kunmap calls in +ext2_get_page/ext2_put_page with kmap_local_page/kunmap_local for +efficiency reasons. As a necessary side change, the commit also +made ext2_get_page (and ext2_find_entry and ext2_dotdot) return +the mapping address along with the page itself, as it is required +for kunmap_local, and converted uses of page_address on such pages +to use the newly returned address instead. However, uses of +page_address on such pages were missed in ext2_check_page and +ext2_delete_entry, which triggers oopses if kmap_local_page happens +to return an address from high memory. Fix this now by converting +the remaining uses of page_address to use the right address, as +returned by kmap_local_page. + +Link: https://lore.kernel.org/r/20210714185448.8707ac239e9f12b3a7f5b9f9@urjc.es +Reviewed-by: Ira Weiny +Signed-off-by: Javier Pello +Fixes: 782b76d7abdf ("fs/ext2: Replace kmap() with kmap_local_page()") +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext2/dir.c | 12 ++++++------ + fs/ext2/ext2.h | 3 ++- + fs/ext2/namei.c | 4 ++-- + 3 files changed, 10 insertions(+), 9 deletions(-) + +--- a/fs/ext2/dir.c ++++ b/fs/ext2/dir.c +@@ -106,12 +106,11 @@ static int ext2_commit_chunk(struct page + return err; + } + +-static bool ext2_check_page(struct page *page, int quiet) ++static bool ext2_check_page(struct page *page, int quiet, char *kaddr) + { + struct inode *dir = page->mapping->host; + struct super_block *sb = dir->i_sb; + unsigned chunk_size = ext2_chunk_size(dir); +- char *kaddr = page_address(page); + u32 max_inumber = le32_to_cpu(EXT2_SB(sb)->s_es->s_inodes_count); + unsigned offs, rec_len; + unsigned limit = PAGE_SIZE; +@@ -205,7 +204,8 @@ static struct page * ext2_get_page(struc + if (!IS_ERR(page)) { + *page_addr = kmap_local_page(page); + if (unlikely(!PageChecked(page))) { +- if (PageError(page) || !ext2_check_page(page, quiet)) ++ if (PageError(page) || !ext2_check_page(page, quiet, ++ *page_addr)) + goto fail; + } + } +@@ -584,10 +584,10 @@ out_unlock: + * ext2_delete_entry deletes a directory entry by merging it with the + * previous entry. Page is up-to-date. + */ +-int ext2_delete_entry (struct ext2_dir_entry_2 * dir, struct page * page ) ++int ext2_delete_entry (struct ext2_dir_entry_2 *dir, struct page *page, ++ char *kaddr) + { + struct inode *inode = page->mapping->host; +- char *kaddr = page_address(page); + unsigned from = ((char*)dir - kaddr) & ~(ext2_chunk_size(inode)-1); + unsigned to = ((char *)dir - kaddr) + + ext2_rec_len_from_disk(dir->rec_len); +@@ -607,7 +607,7 @@ int ext2_delete_entry (struct ext2_dir_e + de = ext2_next_entry(de); + } + if (pde) +- from = (char*)pde - (char*)page_address(page); ++ from = (char *)pde - kaddr; + pos = page_offset(page) + from; + lock_page(page); + err = ext2_prepare_chunk(page, pos, to - from); +--- a/fs/ext2/ext2.h ++++ b/fs/ext2/ext2.h +@@ -740,7 +740,8 @@ extern int ext2_inode_by_name(struct ino + extern int ext2_make_empty(struct inode *, struct inode *); + extern struct ext2_dir_entry_2 *ext2_find_entry(struct inode *, const struct qstr *, + struct page **, void **res_page_addr); +-extern int ext2_delete_entry (struct ext2_dir_entry_2 *, struct page *); ++extern int ext2_delete_entry(struct ext2_dir_entry_2 *dir, struct page *page, ++ char *kaddr); + extern int ext2_empty_dir (struct inode *); + extern struct ext2_dir_entry_2 *ext2_dotdot(struct inode *dir, struct page **p, void **pa); + extern void ext2_set_link(struct inode *, struct ext2_dir_entry_2 *, struct page *, void *, +--- a/fs/ext2/namei.c ++++ b/fs/ext2/namei.c +@@ -293,7 +293,7 @@ static int ext2_unlink(struct inode * di + goto out; + } + +- err = ext2_delete_entry (de, page); ++ err = ext2_delete_entry (de, page, page_addr); + ext2_put_page(page, page_addr); + if (err) + goto out; +@@ -397,7 +397,7 @@ static int ext2_rename (struct user_name + old_inode->i_ctime = current_time(old_inode); + mark_inode_dirty(old_inode); + +- ext2_delete_entry(old_de, old_page); ++ ext2_delete_entry(old_de, old_page, old_page_addr); + + if (dir_de) { + if (old_dir != new_dir) diff --git a/queue-5.13/hid-wacom-re-enable-touch-by-default-for-cintiq-24hdt-27qhdt.patch b/queue-5.13/hid-wacom-re-enable-touch-by-default-for-cintiq-24hdt-27qhdt.patch new file mode 100644 index 00000000000..b2d9a48fd72 --- /dev/null +++ b/queue-5.13/hid-wacom-re-enable-touch-by-default-for-cintiq-24hdt-27qhdt.patch @@ -0,0 +1,43 @@ +From 6ca2350e11f09d5d3e53777d1eff8ff6d300ed93 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Mon, 19 Jul 2021 13:55:28 -0700 +Subject: HID: wacom: Re-enable touch by default for Cintiq 24HDT / 27QHDT + +From: Jason Gerecke + +commit 6ca2350e11f09d5d3e53777d1eff8ff6d300ed93 upstream. + +Commit 670e90924bfe ("HID: wacom: support named keys on older devices") +added support for sending named events from the soft buttons on the +24HDT and 27QHDT. In the process, however, it inadvertantly disabled the +touchscreen of the 24HDT and 27QHDT by default. The +`wacom_set_shared_values` function would normally enable touch by default +but because it checks the state of the non-shared `has_mute_touch_switch` +flag and `wacom_setup_touch_input_capabilities` sets the state of the +/shared/ version, touch ends up being disabled by default. + +This patch sets the non-shared flag, letting `wacom_set_shared_values` +take care of copying the value over to the shared version and setting +the default touch state to "on". + +Fixes: 670e90924bfe ("HID: wacom: support named keys on older devices") +CC: stable@vger.kernel.org # 5.4+ +Signed-off-by: Jason Gerecke +Reviewed-by: Ping Cheng +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_wac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -3831,7 +3831,7 @@ int wacom_setup_touch_input_capabilities + wacom_wac->shared->touch->product == 0xF6) { + input_dev->evbit[0] |= BIT_MASK(EV_SW); + __set_bit(SW_MUTE_DEVICE, input_dev->swbit); +- wacom_wac->shared->has_mute_touch_switch = true; ++ wacom_wac->has_mute_touch_switch = true; + } + fallthrough; + diff --git a/queue-5.13/io_uring-don-t-block-level-reissue-off-completion-path.patch b/queue-5.13/io_uring-don-t-block-level-reissue-off-completion-path.patch new file mode 100644 index 00000000000..73a7a4e231f --- /dev/null +++ b/queue-5.13/io_uring-don-t-block-level-reissue-off-completion-path.patch @@ -0,0 +1,46 @@ +From ef04688871f3386b6d40ade8f5c664290420f819 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Tue, 27 Jul 2021 10:50:31 -0600 +Subject: io_uring: don't block level reissue off completion path + +From: Jens Axboe + +commit ef04688871f3386b6d40ade8f5c664290420f819 upstream. + +Some setups, like SCSI, can throw spurious -EAGAIN off the softirq +completion path. Normally we expect this to happen inline as part +of submission, but apparently SCSI has a weird corner case where it +can happen as part of normal completions. + +This should be solved by having the -EAGAIN bubble back up the stack +as part of submission, but previous attempts at this failed and we're +not just quite there yet. Instead we currently use REQ_F_REISSUE to +handle this case. + +For now, catch it in io_rw_should_reissue() and prevent a reissue +from a bogus path. + +Cc: stable@vger.kernel.org +Reported-by: Fabian Ebner +Tested-by: Fabian Ebner +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -2457,6 +2457,12 @@ static bool io_rw_should_reissue(struct + */ + if (percpu_ref_is_dying(&ctx->refs)) + return false; ++ /* ++ * Play it safe and assume not safe to re-import and reissue if we're ++ * not in the original thread group (or in task context). ++ */ ++ if (!same_thread_group(req->task, current) || !in_task()) ++ return false; + return true; + } + #else diff --git a/queue-5.13/io_uring-fix-io_prep_async_link-locking.patch b/queue-5.13/io_uring-fix-io_prep_async_link-locking.patch new file mode 100644 index 00000000000..ea902dae971 --- /dev/null +++ b/queue-5.13/io_uring-fix-io_prep_async_link-locking.patch @@ -0,0 +1,44 @@ +From 44eff40a32e8f5228ae041006352e32638ad2368 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Mon, 26 Jul 2021 14:14:31 +0100 +Subject: io_uring: fix io_prep_async_link locking + +From: Pavel Begunkov + +commit 44eff40a32e8f5228ae041006352e32638ad2368 upstream. + +io_prep_async_link() may be called after arming a linked timeout, +automatically making it unsafe to traverse the linked list. Guard +with completion_lock if there was a linked timeout. + +Cc: stable@vger.kernel.org # 5.9+ +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/93f7c617e2b4f012a2a175b3dab6bc2f27cebc48.1627304436.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -1258,8 +1258,17 @@ static void io_prep_async_link(struct io + { + struct io_kiocb *cur; + +- io_for_each_link(cur, req) +- io_prep_async_work(cur); ++ if (req->flags & REQ_F_LINK_TIMEOUT) { ++ struct io_ring_ctx *ctx = req->ctx; ++ ++ spin_lock_irq(&ctx->completion_lock); ++ io_for_each_link(cur, req) ++ io_prep_async_work(cur); ++ spin_unlock_irq(&ctx->completion_lock); ++ } else { ++ io_for_each_link(cur, req) ++ io_prep_async_work(cur); ++ } + } + + static void io_queue_async_work(struct io_kiocb *req) diff --git a/queue-5.13/io_uring-fix-poll-requests-leaking-second-poll-entries.patch b/queue-5.13/io_uring-fix-poll-requests-leaking-second-poll-entries.patch new file mode 100644 index 00000000000..cdcaf186527 --- /dev/null +++ b/queue-5.13/io_uring-fix-poll-requests-leaking-second-poll-entries.patch @@ -0,0 +1,60 @@ +From a890d01e4ee016978776e45340e521b3bbbdf41f Mon Sep 17 00:00:00 2001 +From: Hao Xu +Date: Wed, 28 Jul 2021 11:03:22 +0800 +Subject: io_uring: fix poll requests leaking second poll entries + +From: Hao Xu + +commit a890d01e4ee016978776e45340e521b3bbbdf41f upstream. + +For pure poll requests, it doesn't remove the second poll wait entry +when it's done, neither after vfs_poll() or in the poll completion +handler. We should remove the second poll wait entry. +And we use io_poll_remove_double() rather than io_poll_remove_waitqs() +since the latter has some redundant logic. + +Fixes: 88e41cf928a6 ("io_uring: add multishot mode for IORING_OP_POLL_ADD") +Cc: stable@vger.kernel.org # 5.13+ +Signed-off-by: Hao Xu +Link: https://lore.kernel.org/r/20210728030322.12307-1-haoxu@linux.alibaba.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -4924,7 +4924,6 @@ static bool io_poll_complete(struct io_k + if (req->poll.events & EPOLLONESHOT) + flags = 0; + if (!io_cqring_fill_event(ctx, req->user_data, error, flags)) { +- io_poll_remove_waitqs(req); + req->poll.done = true; + flags = 0; + } +@@ -4948,6 +4947,7 @@ static void io_poll_task_func(struct cal + + done = io_poll_complete(req, req->result); + if (done) { ++ io_poll_remove_double(req); + hash_del(&req->hash_node); + } else { + req->result = 0; +@@ -5136,7 +5136,7 @@ static __poll_t __io_arm_poll_handler(st + ipt->error = -EINVAL; + + spin_lock_irq(&ctx->completion_lock); +- if (ipt->error) ++ if (ipt->error || (mask && (poll->events & EPOLLONESHOT))) + io_poll_remove_double(req); + if (likely(poll->head)) { + spin_lock(&poll->head->lock); +@@ -5207,7 +5207,6 @@ static bool io_arm_poll_handler(struct i + ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask, + io_async_wake); + if (ret || ipt.error) { +- io_poll_remove_double(req); + spin_unlock_irq(&ctx->completion_lock); + return false; + } diff --git a/queue-5.13/kvm-add-missing-compat-kvm_clear_dirty_log.patch b/queue-5.13/kvm-add-missing-compat-kvm_clear_dirty_log.patch new file mode 100644 index 00000000000..b685edbd78c --- /dev/null +++ b/queue-5.13/kvm-add-missing-compat-kvm_clear_dirty_log.patch @@ -0,0 +1,69 @@ +From 8750f9bbda115f3f79bfe43be85551ee5e12b6ff Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 27 Jul 2021 08:43:10 -0400 +Subject: KVM: add missing compat KVM_CLEAR_DIRTY_LOG + +From: Paolo Bonzini + +commit 8750f9bbda115f3f79bfe43be85551ee5e12b6ff upstream. + +The arguments to the KVM_CLEAR_DIRTY_LOG ioctl include a pointer, +therefore it needs a compat ioctl implementation. Otherwise, +32-bit userspace fails to invoke it on 64-bit kernels; for x86 +it might work fine by chance if the padding is zero, but not +on big-endian architectures. + +Reported-by: Thomas Sattler +Cc: stable@vger.kernel.org +Fixes: 2a31b9db1535 ("kvm: introduce manual dirty log reprotect") +Reviewed-by: Peter Xu +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/kvm_main.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -4183,6 +4183,16 @@ struct compat_kvm_dirty_log { + }; + }; + ++struct compat_kvm_clear_dirty_log { ++ __u32 slot; ++ __u32 num_pages; ++ __u64 first_page; ++ union { ++ compat_uptr_t dirty_bitmap; /* one bit per page */ ++ __u64 padding2; ++ }; ++}; ++ + static long kvm_vm_compat_ioctl(struct file *filp, + unsigned int ioctl, unsigned long arg) + { +@@ -4192,6 +4202,24 @@ static long kvm_vm_compat_ioctl(struct f + if (kvm->mm != current->mm) + return -EIO; + switch (ioctl) { ++#ifdef CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT ++ case KVM_CLEAR_DIRTY_LOG: { ++ struct compat_kvm_clear_dirty_log compat_log; ++ struct kvm_clear_dirty_log log; ++ ++ if (copy_from_user(&compat_log, (void __user *)arg, ++ sizeof(compat_log))) ++ return -EFAULT; ++ log.slot = compat_log.slot; ++ log.num_pages = compat_log.num_pages; ++ log.first_page = compat_log.first_page; ++ log.padding2 = compat_log.padding2; ++ log.dirty_bitmap = compat_ptr(compat_log.dirty_bitmap); ++ ++ r = kvm_vm_ioctl_clear_dirty_log(kvm, &log); ++ break; ++ } ++#endif + case KVM_GET_DIRTY_LOG: { + struct compat_kvm_dirty_log compat_log; + struct kvm_dirty_log log; diff --git a/queue-5.13/mm-memcg-fix-null-pointer-dereference-in-memcg_slab_free_hook.patch b/queue-5.13/mm-memcg-fix-null-pointer-dereference-in-memcg_slab_free_hook.patch new file mode 100644 index 00000000000..a70940f2535 --- /dev/null +++ b/queue-5.13/mm-memcg-fix-null-pointer-dereference-in-memcg_slab_free_hook.patch @@ -0,0 +1,72 @@ +From 121dffe20b141c9b27f39d49b15882469cbebae7 Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Thu, 29 Jul 2021 14:53:54 -0700 +Subject: mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook() + +From: Wang Hai + +commit 121dffe20b141c9b27f39d49b15882469cbebae7 upstream. + +When I use kfree_rcu() to free a large memory allocated by kmalloc_node(), +the following dump occurs. + + BUG: kernel NULL pointer dereference, address: 0000000000000020 + [...] + Oops: 0000 [#1] SMP + [...] + Workqueue: events kfree_rcu_work + RIP: 0010:__obj_to_index include/linux/slub_def.h:182 [inline] + RIP: 0010:obj_to_index include/linux/slub_def.h:191 [inline] + RIP: 0010:memcg_slab_free_hook+0x120/0x260 mm/slab.h:363 + [...] + Call Trace: + kmem_cache_free_bulk+0x58/0x630 mm/slub.c:3293 + kfree_bulk include/linux/slab.h:413 [inline] + kfree_rcu_work+0x1ab/0x200 kernel/rcu/tree.c:3300 + process_one_work+0x207/0x530 kernel/workqueue.c:2276 + worker_thread+0x320/0x610 kernel/workqueue.c:2422 + kthread+0x13d/0x160 kernel/kthread.c:313 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 + +When kmalloc_node() a large memory, page is allocated, not slab, so when +freeing memory via kfree_rcu(), this large memory should not be used by +memcg_slab_free_hook(), because memcg_slab_free_hook() is is used for +slab. + +Using page_objcgs_check() instead of page_objcgs() in +memcg_slab_free_hook() to fix this bug. + +Link: https://lkml.kernel.org/r/20210728145655.274476-1-wanghai38@huawei.com +Fixes: 270c6a71460e ("mm: memcontrol/slab: Use helpers to access slab page's memcg_data") +Signed-off-by: Wang Hai +Reviewed-by: Shakeel Butt +Acked-by: Michal Hocko +Acked-by: Roman Gushchin +Reviewed-by: Kefeng Wang +Reviewed-by: Muchun Song +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Vlastimil Babka +Cc: Johannes Weiner +Cc: Alexei Starovoitov +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/slab.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/slab.h ++++ b/mm/slab.h +@@ -350,7 +350,7 @@ static inline void memcg_slab_free_hook( + continue; + + page = virt_to_head_page(p[i]); +- objcgs = page_objcgs(page); ++ objcgs = page_objcgs_check(page); + if (!objcgs) + continue; + diff --git a/queue-5.13/mm-memcontrol-fix-blocking-rstat-function-called-from-atomic-cgroup1-thresholding-code.patch b/queue-5.13/mm-memcontrol-fix-blocking-rstat-function-called-from-atomic-cgroup1-thresholding-code.patch new file mode 100644 index 00000000000..f63e1832a80 --- /dev/null +++ b/queue-5.13/mm-memcontrol-fix-blocking-rstat-function-called-from-atomic-cgroup1-thresholding-code.patch @@ -0,0 +1,79 @@ +From 30def93565e5ba08676aa2b9083f253fc586dbed Mon Sep 17 00:00:00 2001 +From: Johannes Weiner +Date: Thu, 29 Jul 2021 14:53:44 -0700 +Subject: mm: memcontrol: fix blocking rstat function called from atomic cgroup1 thresholding code + +From: Johannes Weiner + +commit 30def93565e5ba08676aa2b9083f253fc586dbed upstream. + +Dan Carpenter reports: + + The patch 2d146aa3aa84: "mm: memcontrol: switch to rstat" from Apr + 29, 2021, leads to the following static checker warning: + + kernel/cgroup/rstat.c:200 cgroup_rstat_flush() + warn: sleeping in atomic context + + mm/memcontrol.c + 3572 static unsigned long mem_cgroup_usage(struct mem_cgroup *memcg, bool swap) + 3573 { + 3574 unsigned long val; + 3575 + 3576 if (mem_cgroup_is_root(memcg)) { + 3577 cgroup_rstat_flush(memcg->css.cgroup); + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + This is from static analysis and potentially a false positive. The + problem is that mem_cgroup_usage() is called from __mem_cgroup_threshold() + which holds an rcu_read_lock(). And the cgroup_rstat_flush() function + can sleep. + + 3578 val = memcg_page_state(memcg, NR_FILE_PAGES) + + 3579 memcg_page_state(memcg, NR_ANON_MAPPED); + 3580 if (swap) + 3581 val += memcg_page_state(memcg, MEMCG_SWAP); + 3582 } else { + 3583 if (!swap) + 3584 val = page_counter_read(&memcg->memory); + 3585 else + 3586 val = page_counter_read(&memcg->memsw); + 3587 } + 3588 return val; + 3589 } + +__mem_cgroup_threshold() indeed holds the rcu lock. In addition, the +thresholding code is invoked during stat changes, and those contexts +have irqs disabled as well. If the lock breaking occurs inside the +flush function, it will result in a sleep from an atomic context. + +Use the irqsafe flushing variant in mem_cgroup_usage() to fix this. + +Link: https://lkml.kernel.org/r/20210726150019.251820-1-hannes@cmpxchg.org +Fixes: 2d146aa3aa84 ("mm: memcontrol: switch to rstat") +Signed-off-by: Johannes Weiner +Reported-by: Dan Carpenter +Acked-by: Chris Down +Reviewed-by: Rik van Riel +Acked-by: Michal Hocko +Reviewed-by: Shakeel Butt +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/memcontrol.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -3394,7 +3394,8 @@ static unsigned long mem_cgroup_usage(st + unsigned long val; + + if (mem_cgroup_is_root(memcg)) { +- cgroup_rstat_flush(memcg->css.cgroup); ++ /* mem_cgroup_threshold() calls here from irqsafe context */ ++ cgroup_rstat_flush_irqsafe(memcg->css.cgroup); + val = memcg_page_state(memcg, NR_FILE_PAGES) + + memcg_page_state(memcg, NR_ANON_MAPPED); + if (swap) diff --git a/queue-5.13/net-stmmac-add-est_irq_status-callback-function-for-gmac-4.10-and-5.10.patch b/queue-5.13/net-stmmac-add-est_irq_status-callback-function-for-gmac-4.10-and-5.10.patch new file mode 100644 index 00000000000..15383d67486 --- /dev/null +++ b/queue-5.13/net-stmmac-add-est_irq_status-callback-function-for-gmac-4.10-and-5.10.patch @@ -0,0 +1,41 @@ +From 94cbe7db7d757c2d481c3617ab5579a28cfc2175 Mon Sep 17 00:00:00 2001 +From: Mohammad Athari Bin Ismail +Date: Mon, 26 Jul 2021 10:20:20 +0800 +Subject: net: stmmac: add est_irq_status callback function for GMAC 4.10 and 5.10 + +From: Mohammad Athari Bin Ismail + +commit 94cbe7db7d757c2d481c3617ab5579a28cfc2175 upstream. + +Assign dwmac5_est_irq_status to est_irq_status callback function for +GMAC 4.10 and 5.10. With this, EST related interrupts could be handled +properly. + +Fixes: e49aa315cb01 ("net: stmmac: EST interrupts handling and error reporting") +Cc: # 5.13.x +Signed-off-by: Mohammad Athari Bin Ismail +Acked-by: Wong Vee Khee +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +@@ -1249,6 +1249,7 @@ const struct stmmac_ops dwmac410_ops = { + .config_l3_filter = dwmac4_config_l3_filter, + .config_l4_filter = dwmac4_config_l4_filter, + .est_configure = dwmac5_est_configure, ++ .est_irq_status = dwmac5_est_irq_status, + .fpe_configure = dwmac5_fpe_configure, + .fpe_send_mpacket = dwmac5_fpe_send_mpacket, + .fpe_irq_status = dwmac5_fpe_irq_status, +@@ -1300,6 +1301,7 @@ const struct stmmac_ops dwmac510_ops = { + .config_l3_filter = dwmac4_config_l3_filter, + .config_l4_filter = dwmac4_config_l4_filter, + .est_configure = dwmac5_est_configure, ++ .est_irq_status = dwmac5_est_irq_status, + .fpe_configure = dwmac5_fpe_configure, + .fpe_send_mpacket = dwmac5_fpe_send_mpacket, + .fpe_irq_status = dwmac5_fpe_irq_status, diff --git a/queue-5.13/nfc-nfcsim-fix-use-after-free-during-module-unload.patch b/queue-5.13/nfc-nfcsim-fix-use-after-free-during-module-unload.patch new file mode 100644 index 00000000000..8f5de834b71 --- /dev/null +++ b/queue-5.13/nfc-nfcsim-fix-use-after-free-during-module-unload.patch @@ -0,0 +1,93 @@ +From 5e7b30d24a5b8cb691c173b45b50e3ca0191be19 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 28 Jul 2021 08:49:09 +0200 +Subject: nfc: nfcsim: fix use after free during module unload +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Kozlowski + +commit 5e7b30d24a5b8cb691c173b45b50e3ca0191be19 upstream. + +There is a use after free memory corruption during module exit: + - nfcsim_exit() + - nfcsim_device_free(dev0) + - nfc_digital_unregister_device() + This iterates over command queue and frees all commands, + - dev->up = false + - nfcsim_link_shutdown() + - nfcsim_link_recv_wake() + This wakes the sleeping thread nfcsim_link_recv_skb(). + + - nfcsim_link_recv_skb() + Wake from wait_event_interruptible_timeout(), + call directly the deb->cb callback even though (dev->up == false), + - digital_send_cmd_complete() + Dereference of "struct digital_cmd" cmd which was freed earlier by + nfc_digital_unregister_device(). + +This causes memory corruption shortly after (with unrelated stack +trace): + + nfc nfc0: NFC: nfcsim_recv_wq: Device is down + llcp: nfc_llcp_recv: err -19 + nfc nfc1: NFC: nfcsim_recv_wq: Device is down + BUG: unable to handle page fault for address: ffffffffffffffed + Call Trace: + fsnotify+0x54b/0x5c0 + __fsnotify_parent+0x1fe/0x300 + ? vfs_write+0x27c/0x390 + vfs_write+0x27c/0x390 + ksys_write+0x63/0xe0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +KASAN report: + + BUG: KASAN: use-after-free in digital_send_cmd_complete+0x16/0x50 + Write of size 8 at addr ffff88800a05f720 by task kworker/0:2/71 + Workqueue: events nfcsim_recv_wq [nfcsim] + Call Trace: +  dump_stack_lvl+0x45/0x59 +  print_address_description.constprop.0+0x21/0x140 +  ? digital_send_cmd_complete+0x16/0x50 +  ? digital_send_cmd_complete+0x16/0x50 +  kasan_report.cold+0x7f/0x11b +  ? digital_send_cmd_complete+0x16/0x50 +  ? digital_dep_link_down+0x60/0x60 +  digital_send_cmd_complete+0x16/0x50 +  nfcsim_recv_wq+0x38f/0x3d5 [nfcsim] +  ? nfcsim_in_send_cmd+0x4a/0x4a [nfcsim] +  ? lock_is_held_type+0x98/0x110 +  ? finish_wait+0x110/0x110 +  ? rcu_read_lock_sched_held+0x9c/0xd0 +  ? rcu_read_lock_bh_held+0xb0/0xb0 +  ? lockdep_hardirqs_on_prepare+0x12e/0x1f0 + +This flow of calling digital_send_cmd_complete() callback on driver exit +is specific to nfcsim which implements reading and sending work queues. +Since the NFC digital device was unregistered, the callback should not +be called. + +Fixes: 204bddcb508f ("NFC: nfcsim: Make use of the Digital layer") +Cc: +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/nfcsim.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/nfc/nfcsim.c ++++ b/drivers/nfc/nfcsim.c +@@ -192,8 +192,7 @@ static void nfcsim_recv_wq(struct work_s + + if (!IS_ERR(skb)) + dev_kfree_skb(skb); +- +- skb = ERR_PTR(-ENODEV); ++ return; + } + + dev->cb(dev->nfc_digital_dev, dev->arg, skb); diff --git a/queue-5.13/niu-fix-incorrect-error-return-missed-in-previous-revert.patch b/queue-5.13/niu-fix-incorrect-error-return-missed-in-previous-revert.patch new file mode 100644 index 00000000000..ec546fd021e --- /dev/null +++ b/queue-5.13/niu-fix-incorrect-error-return-missed-in-previous-revert.patch @@ -0,0 +1,42 @@ +From 15bbf8bb4d4ab87108ecf5f4155ec8ffa3c141d6 Mon Sep 17 00:00:00 2001 +From: Paul Jakma +Date: Fri, 23 Jul 2021 16:13:04 +0100 +Subject: NIU: fix incorrect error return, missed in previous revert + +From: Paul Jakma + +commit 15bbf8bb4d4ab87108ecf5f4155ec8ffa3c141d6 upstream. + +Commit 7930742d6, reverting 26fd962, missed out on reverting an incorrect +change to a return value. The niu_pci_vpd_scan_props(..) == 1 case appears +to be a normal path - treating it as an error and return -EINVAL was +breaking VPD_SCAN and causing the driver to fail to load. + +Fix, so my Neptune card works again. + +Cc: Kangjie Lu +Cc: Shannon Nelson +Cc: David S. Miller +Cc: Greg Kroah-Hartman +Cc: stable +Fixes: 7930742d ('Revert "niu: fix missing checks of niu_pci_eeprom_read"') +Signed-off-by: Paul Jakma +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/sun/niu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/sun/niu.c ++++ b/drivers/net/ethernet/sun/niu.c +@@ -8191,8 +8191,9 @@ static int niu_pci_vpd_fetch(struct niu + err = niu_pci_vpd_scan_props(np, here, end); + if (err < 0) + return err; ++ /* ret == 1 is not an error */ + if (err == 1) +- return -EINVAL; ++ return 0; + } + return 0; + } diff --git a/queue-5.13/ocfs2-fix-zero-out-valid-data.patch b/queue-5.13/ocfs2-fix-zero-out-valid-data.patch new file mode 100644 index 00000000000..d3ba8a2a0b8 --- /dev/null +++ b/queue-5.13/ocfs2-fix-zero-out-valid-data.patch @@ -0,0 +1,60 @@ +From f267aeb6dea5e468793e5b8eb6a9c72c0020d418 Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Thu, 29 Jul 2021 14:53:38 -0700 +Subject: ocfs2: fix zero out valid data + +From: Junxiao Bi + +commit f267aeb6dea5e468793e5b8eb6a9c72c0020d418 upstream. + +If append-dio feature is enabled, direct-io write and fallocate could +run in parallel to extend file size, fallocate used "orig_isize" to +record i_size before taking "ip_alloc_sem", when +ocfs2_zeroout_partial_cluster() zeroout EOF blocks, i_size maybe already +extended by ocfs2_dio_end_io_write(), that will cause valid data zeroed +out. + +Link: https://lkml.kernel.org/r/20210722054923.24389-1-junxiao.bi@oracle.com +Fixes: 6bba4471f0cc ("ocfs2: fix data corruption by fallocate") +Signed-off-by: Junxiao Bi +Reviewed-by: Joseph Qi +Cc: Changwei Ge +Cc: Gang He +Cc: Joel Becker +Cc: Jun Piao +Cc: Mark Fasheh +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/file.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ocfs2/file.c ++++ b/fs/ocfs2/file.c +@@ -1935,7 +1935,6 @@ static int __ocfs2_change_file_space(str + goto out_inode_unlock; + } + +- orig_isize = i_size_read(inode); + switch (sr->l_whence) { + case 0: /*SEEK_SET*/ + break; +@@ -1943,7 +1942,7 @@ static int __ocfs2_change_file_space(str + sr->l_start += f_pos; + break; + case 2: /*SEEK_END*/ +- sr->l_start += orig_isize; ++ sr->l_start += i_size_read(inode); + break; + default: + ret = -EINVAL; +@@ -1998,6 +1997,7 @@ static int __ocfs2_change_file_space(str + ret = -EINVAL; + } + ++ orig_isize = i_size_read(inode); + /* zeroout eof blocks in the cluster. */ + if (!ret && change_size && orig_isize < size) { + ret = ocfs2_zeroout_partial_cluster(inode, orig_isize, diff --git a/queue-5.13/ocfs2-issue-zeroout-to-eof-blocks.patch b/queue-5.13/ocfs2-issue-zeroout-to-eof-blocks.patch new file mode 100644 index 00000000000..1ca3d01fd11 --- /dev/null +++ b/queue-5.13/ocfs2-issue-zeroout-to-eof-blocks.patch @@ -0,0 +1,186 @@ +From 9449ad33be8480f538b11a593e2dda2fb33ca06d Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Thu, 29 Jul 2021 14:53:41 -0700 +Subject: ocfs2: issue zeroout to EOF blocks + +From: Junxiao Bi + +commit 9449ad33be8480f538b11a593e2dda2fb33ca06d upstream. + +For punch holes in EOF blocks, fallocate used buffer write to zero the +EOF blocks in last cluster. But since ->writepage will ignore EOF +pages, those zeros will not be flushed. + +This "looks" ok as commit 6bba4471f0cc ("ocfs2: fix data corruption by +fallocate") will zero the EOF blocks when extend the file size, but it +isn't. The problem happened on those EOF pages, before writeback, those +pages had DIRTY flag set and all buffer_head in them also had DIRTY flag +set, when writeback run by write_cache_pages(), DIRTY flag on the page +was cleared, but DIRTY flag on the buffer_head not. + +When next write happened to those EOF pages, since buffer_head already +had DIRTY flag set, it would not mark page DIRTY again. That made +writeback ignore them forever. That will cause data corruption. Even +directio write can't work because it will fail when trying to drop pages +caches before direct io, as it found the buffer_head for those pages +still had DIRTY flag set, then it will fall back to buffer io mode. + +To make a summary of the issue, as writeback ingores EOF pages, once any +EOF page is generated, any write to it will only go to the page cache, +it will never be flushed to disk even file size extends and that page is +not EOF page any more. The fix is to avoid zero EOF blocks with buffer +write. + +The following code snippet from qemu-img could trigger the corruption. + + 656 open("6b3711ae-3306-4bdd-823c-cf1c0060a095.conv.2", O_RDWR|O_DIRECT|O_CLOEXEC) = 11 + ... + 660 fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2275868672, 327680 + 660 fallocate(11, 0, 2275868672, 327680) = 0 + 658 pwrite64(11, " + +Link: https://lkml.kernel.org/r/20210722054923.24389-2-junxiao.bi@oracle.com +Signed-off-by: Junxiao Bi +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/file.c | 99 +++++++++++++++++++++++++++++++++----------------------- + 1 file changed, 60 insertions(+), 39 deletions(-) + +--- a/fs/ocfs2/file.c ++++ b/fs/ocfs2/file.c +@@ -1529,6 +1529,45 @@ static void ocfs2_truncate_cluster_pages + } + } + ++/* ++ * zero out partial blocks of one cluster. ++ * ++ * start: file offset where zero starts, will be made upper block aligned. ++ * len: it will be trimmed to the end of current cluster if "start + len" ++ * is bigger than it. ++ */ ++static int ocfs2_zeroout_partial_cluster(struct inode *inode, ++ u64 start, u64 len) ++{ ++ int ret; ++ u64 start_block, end_block, nr_blocks; ++ u64 p_block, offset; ++ u32 cluster, p_cluster, nr_clusters; ++ struct super_block *sb = inode->i_sb; ++ u64 end = ocfs2_align_bytes_to_clusters(sb, start); ++ ++ if (start + len < end) ++ end = start + len; ++ ++ start_block = ocfs2_blocks_for_bytes(sb, start); ++ end_block = ocfs2_blocks_for_bytes(sb, end); ++ nr_blocks = end_block - start_block; ++ if (!nr_blocks) ++ return 0; ++ ++ cluster = ocfs2_bytes_to_clusters(sb, start); ++ ret = ocfs2_get_clusters(inode, cluster, &p_cluster, ++ &nr_clusters, NULL); ++ if (ret) ++ return ret; ++ if (!p_cluster) ++ return 0; ++ ++ offset = start_block - ocfs2_clusters_to_blocks(sb, cluster); ++ p_block = ocfs2_clusters_to_blocks(sb, p_cluster) + offset; ++ return sb_issue_zeroout(sb, p_block, nr_blocks, GFP_NOFS); ++} ++ + static int ocfs2_zero_partial_clusters(struct inode *inode, + u64 start, u64 len) + { +@@ -1538,6 +1577,7 @@ static int ocfs2_zero_partial_clusters(s + struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); + unsigned int csize = osb->s_clustersize; + handle_t *handle; ++ loff_t isize = i_size_read(inode); + + /* + * The "start" and "end" values are NOT necessarily part of +@@ -1558,6 +1598,26 @@ static int ocfs2_zero_partial_clusters(s + if ((start & (csize - 1)) == 0 && (end & (csize - 1)) == 0) + goto out; + ++ /* No page cache for EOF blocks, issue zero out to disk. */ ++ if (end > isize) { ++ /* ++ * zeroout eof blocks in last cluster starting from ++ * "isize" even "start" > "isize" because it is ++ * complicated to zeroout just at "start" as "start" ++ * may be not aligned with block size, buffer write ++ * would be required to do that, but out of eof buffer ++ * write is not supported. ++ */ ++ ret = ocfs2_zeroout_partial_cluster(inode, isize, ++ end - isize); ++ if (ret) { ++ mlog_errno(ret); ++ goto out; ++ } ++ if (start >= isize) ++ goto out; ++ end = isize; ++ } + handle = ocfs2_start_trans(osb, OCFS2_INODE_UPDATE_CREDITS); + if (IS_ERR(handle)) { + ret = PTR_ERR(handle); +@@ -1856,45 +1916,6 @@ out: + } + + /* +- * zero out partial blocks of one cluster. +- * +- * start: file offset where zero starts, will be made upper block aligned. +- * len: it will be trimmed to the end of current cluster if "start + len" +- * is bigger than it. +- */ +-static int ocfs2_zeroout_partial_cluster(struct inode *inode, +- u64 start, u64 len) +-{ +- int ret; +- u64 start_block, end_block, nr_blocks; +- u64 p_block, offset; +- u32 cluster, p_cluster, nr_clusters; +- struct super_block *sb = inode->i_sb; +- u64 end = ocfs2_align_bytes_to_clusters(sb, start); +- +- if (start + len < end) +- end = start + len; +- +- start_block = ocfs2_blocks_for_bytes(sb, start); +- end_block = ocfs2_blocks_for_bytes(sb, end); +- nr_blocks = end_block - start_block; +- if (!nr_blocks) +- return 0; +- +- cluster = ocfs2_bytes_to_clusters(sb, start); +- ret = ocfs2_get_clusters(inode, cluster, &p_cluster, +- &nr_clusters, NULL); +- if (ret) +- return ret; +- if (!p_cluster) +- return 0; +- +- offset = start_block - ocfs2_clusters_to_blocks(sb, cluster); +- p_block = ocfs2_clusters_to_blocks(sb, p_cluster) + offset; +- return sb_issue_zeroout(sb, p_block, nr_blocks, GFP_NOFS); +-} +- +-/* + * Parts of this function taken from xfs_change_file_space() + */ + static int __ocfs2_change_file_space(struct file *file, struct inode *inode, diff --git a/queue-5.13/pipe-make-pipe-writes-always-wake-up-readers.patch b/queue-5.13/pipe-make-pipe-writes-always-wake-up-readers.patch new file mode 100644 index 00000000000..2055b291294 --- /dev/null +++ b/queue-5.13/pipe-make-pipe-writes-always-wake-up-readers.patch @@ -0,0 +1,100 @@ +From 3a34b13a88caeb2800ab44a4918f230041b37dd9 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Fri, 30 Jul 2021 15:42:34 -0700 +Subject: pipe: make pipe writes always wake up readers + +From: Linus Torvalds + +commit 3a34b13a88caeb2800ab44a4918f230041b37dd9 upstream. + +Since commit 1b6b26ae7053 ("pipe: fix and clarify pipe write wakeup +logic") we have sanitized the pipe write logic, and would only try to +wake up readers if they needed it. + +In particular, if the pipe already had data in it before the write, +there was no point in trying to wake up a reader, since any existing +readers must have been aware of the pre-existing data already. Doing +extraneous wakeups will only cause potential thundering herd problems. + +However, it turns out that some Android libraries have misused the EPOLL +interface, and expected "edge triggered" be to "any new write will +trigger it". Even if there was no edge in sight. + +Quoting Sandeep Patil: + "The commit 1b6b26ae7053 ('pipe: fix and clarify pipe write wakeup + logic') changed pipe write logic to wakeup readers only if the pipe + was empty at the time of write. However, there are libraries that + relied upon the older behavior for notification scheme similar to + what's described in [1] + + One such library 'realm-core'[2] is used by numerous Android + applications. The library uses a similar notification mechanism as GNU + Make but it never drains the pipe until it is full. When Android moved + to v5.10 kernel, all applications using this library stopped working. + + The library has since been fixed[3] but it will be a while before all + applications incorporate the updated library" + +Our regression rule for the kernel is that if applications break from +new behavior, it's a regression, even if it was because the application +did something patently wrong. Also note the original report [4] by +Michal Kerrisk about a test for this epoll behavior - but at that point +we didn't know of any actual broken use case. + +So add the extraneous wakeup, to approximate the old behavior. + +[ I say "approximate", because the exact old behavior was to do a wakeup + not for each write(), but for each pipe buffer chunk that was filled + in. The behavior introduced by this change is not that - this is just + "every write will cause a wakeup, whether necessary or not", which + seems to be sufficient for the broken library use. ] + +It's worth noting that this adds the extraneous wakeup only for the +write side, while the read side still considers the "edge" to be purely +about reading enough from the pipe to allow further writes. + +See commit f467a6a66419 ("pipe: fix and clarify pipe read wakeup logic") +for the pipe read case, which remains that "only wake up if the pipe was +full, and we read something from it". + +Link: https://lore.kernel.org/lkml/CAHk-=wjeG0q1vgzu4iJhW5juPkTsjTYmiqiMUYAebWW+0bam6w@mail.gmail.com/ [1] +Link: https://github.com/realm/realm-core [2] +Link: https://github.com/realm/realm-core/issues/4666 [3] +Link: https://lore.kernel.org/lkml/CAKgNAkjMBGeAwF=2MKK758BhxvW58wYTgYKB2V-gY1PwXxrH+Q@mail.gmail.com/ [4] +Link: https://lore.kernel.org/lkml/20210729222635.2937453-1-sspatil@android.com/ +Reported-by: Sandeep Patil +Cc: Michael Kerrisk +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/pipe.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -429,20 +429,20 @@ pipe_write(struct kiocb *iocb, struct io + #endif + + /* +- * Only wake up if the pipe started out empty, since +- * otherwise there should be no readers waiting. ++ * Epoll nonsensically wants a wakeup whether the pipe ++ * was already empty or not. + * + * If it wasn't empty we try to merge new data into + * the last buffer. + * + * That naturally merges small writes, but it also +- * page-aligs the rest of the writes for large writes ++ * page-aligns the rest of the writes for large writes + * spanning multiple pages. + */ + head = pipe->head; +- was_empty = pipe_empty(head, pipe->tail); ++ was_empty = true; + chars = total_len & (PAGE_SIZE-1); +- if (chars && !was_empty) { ++ if (chars && !pipe_empty(head, pipe->tail)) { + unsigned int mask = pipe->ring_size - 1; + struct pipe_buffer *buf = &pipe->bufs[(head - 1) & mask]; + int offset = buf->offset + buf->len; diff --git a/queue-5.13/revert-acpi-resources-add-checks-for-acpi-irq-override.patch b/queue-5.13/revert-acpi-resources-add-checks-for-acpi-irq-override.patch new file mode 100644 index 00000000000..0d6a8526fc0 --- /dev/null +++ b/queue-5.13/revert-acpi-resources-add-checks-for-acpi-irq-override.patch @@ -0,0 +1,52 @@ +From e0eef3690dc66b3ecc6e0f1267f332403eb22bea Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Wed, 28 Jul 2021 23:19:58 +0800 +Subject: Revert "ACPI: resources: Add checks for ACPI IRQ override" + +From: Hui Wang + +commit e0eef3690dc66b3ecc6e0f1267f332403eb22bea upstream. + +The commit 0ec4e55e9f57 ("ACPI: resources: Add checks for ACPI IRQ +override") introduces regression on some platforms, at least it makes +the UART can't get correct irq setting on two different platforms, +and it makes the kernel can't bootup on these two platforms. + +This reverts commit 0ec4e55e9f571f08970ed115ec0addc691eda613. + +Regression-discuss: https://bugzilla.kernel.org/show_bug.cgi?id=213031 +Reported-by: PGNd +Cc: 5.4+ # 5.4+ +Signed-off-by: Hui Wang +Acked-by: Greg Kroah-Hartman +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/resource.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -423,13 +423,6 @@ static void acpi_dev_get_irqresource(str + } + } + +-static bool irq_is_legacy(struct acpi_resource_irq *irq) +-{ +- return irq->triggering == ACPI_EDGE_SENSITIVE && +- irq->polarity == ACPI_ACTIVE_HIGH && +- irq->shareable == ACPI_EXCLUSIVE; +-} +- + /** + * acpi_dev_resource_interrupt - Extract ACPI interrupt resource information. + * @ares: Input ACPI resource object. +@@ -468,7 +461,7 @@ bool acpi_dev_resource_interrupt(struct + } + acpi_dev_get_irqresource(res, irq->interrupts[index], + irq->triggering, irq->polarity, +- irq->shareable, irq_is_legacy(irq)); ++ irq->shareable, true); + break; + case ACPI_RESOURCE_TYPE_EXTENDED_IRQ: + ext_irq = &ares->data.extended_irq; diff --git a/queue-5.13/series b/queue-5.13/series new file mode 100644 index 00000000000..c97e5245f8a --- /dev/null +++ b/queue-5.13/series @@ -0,0 +1,33 @@ +pipe-make-pipe-writes-always-wake-up-readers.patch +fs-ext2-avoid-page_address-on-pages-returned-by-ext2_get_page.patch +btrfs-fix-lost-inode-on-log-replay-after-mix-of-fsync-rename-and-inode-eviction.patch +btrfs-fix-rw-device-counting-in-__btrfs_free_extra_devids.patch +btrfs-mark-compressed-range-uptodate-only-if-all-bio-succeed.patch +revert-acpi-resources-add-checks-for-acpi-irq-override.patch +acpi-dptf-fix-reading-of-attributes.patch +x86-kvm-fix-vcpu-id-indexed-array-sizes.patch +kvm-add-missing-compat-kvm_clear_dirty_log.patch +ocfs2-fix-zero-out-valid-data.patch +ocfs2-issue-zeroout-to-eof-blocks.patch +mm-memcontrol-fix-blocking-rstat-function-called-from-atomic-cgroup1-thresholding-code.patch +mm-memcg-fix-null-pointer-dereference-in-memcg_slab_free_hook.patch +can-j1939-j1939_xtp_rx_dat_one-fix-rxtimer-value-between-consecutive-tp.dt-to-750ms.patch +can-raw-raw_setsockopt-fix-raw_rcv-panic-for-sock-uaf.patch +can-peak_usb-pcan_usb_handle_bus_evt-fix-reading-rxerr-txerr-values.patch +can-mcba_usb_start-add-missing-urb-transfer_dma-initialization.patch +can-usb_8dev-fix-memory-leak.patch +can-ems_usb-fix-memory-leak.patch +can-esd_usb2-fix-memory-leak.patch +alpha-register-early-reserved-memory-in-memblock.patch +hid-wacom-re-enable-touch-by-default-for-cintiq-24hdt-27qhdt.patch +net-stmmac-add-est_irq_status-callback-function-for-gmac-4.10-and-5.10.patch +niu-fix-incorrect-error-return-missed-in-previous-revert.patch +drm-amd-display-ensure-dentist-display-clock-update-finished-in-dcn20.patch +drm-amdgpu-check-pmops-for-desired-suspend-state.patch +drm-amdgpu-avoid-printing-of-stack-contents-on-firmware-load-error.patch +drm-amdgpu-fix-resource-leak-on-probe-error-path.patch +blk-iocost-fix-operation-ordering-in-iocg_wake_fn.patch +nfc-nfcsim-fix-use-after-free-during-module-unload.patch +io_uring-fix-io_prep_async_link-locking.patch +io_uring-don-t-block-level-reissue-off-completion-path.patch +io_uring-fix-poll-requests-leaking-second-poll-entries.patch diff --git a/queue-5.13/x86-kvm-fix-vcpu-id-indexed-array-sizes.patch b/queue-5.13/x86-kvm-fix-vcpu-id-indexed-array-sizes.patch new file mode 100644 index 00000000000..e3847db36a0 --- /dev/null +++ b/queue-5.13/x86-kvm-fix-vcpu-id-indexed-array-sizes.patch @@ -0,0 +1,59 @@ +From 76b4f357d0e7d8f6f0013c733e6cba1773c266d3 Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Thu, 1 Jul 2021 17:41:00 +0200 +Subject: x86/kvm: fix vcpu-id indexed array sizes + +From: Juergen Gross + +commit 76b4f357d0e7d8f6f0013c733e6cba1773c266d3 upstream. + +KVM_MAX_VCPU_ID is the maximum vcpu-id of a guest, and not the number +of vcpu-ids. Fix array indexed by vcpu-id to have KVM_MAX_VCPU_ID+1 +elements. + +Note that this is currently no real problem, as KVM_MAX_VCPU_ID is +an odd number, resulting in always enough padding being available at +the end of those arrays. + +Nevertheless this should be fixed in order to avoid rare problems in +case someone is using an even number for KVM_MAX_VCPU_ID. + +Signed-off-by: Juergen Gross +Message-Id: <20210701154105.23215-2-jgross@suse.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/ioapic.c | 2 +- + arch/x86/kvm/ioapic.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -96,7 +96,7 @@ static unsigned long ioapic_read_indirec + static void rtc_irq_eoi_tracking_reset(struct kvm_ioapic *ioapic) + { + ioapic->rtc_status.pending_eoi = 0; +- bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPU_ID); ++ bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPU_ID + 1); + } + + static void kvm_rtc_eoi_tracking_restore_all(struct kvm_ioapic *ioapic); +--- a/arch/x86/kvm/ioapic.h ++++ b/arch/x86/kvm/ioapic.h +@@ -43,13 +43,13 @@ struct kvm_vcpu; + + struct dest_map { + /* vcpu bitmap where IRQ has been sent */ +- DECLARE_BITMAP(map, KVM_MAX_VCPU_ID); ++ DECLARE_BITMAP(map, KVM_MAX_VCPU_ID + 1); + + /* + * Vector sent to a given vcpu, only valid when + * the vcpu's bit in map is set + */ +- u8 vectors[KVM_MAX_VCPU_ID]; ++ u8 vectors[KVM_MAX_VCPU_ID + 1]; + }; + + -- 2.47.3