From df83f36fcce50770c40e58256139849e64bc4530 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 16 May 2021 23:14:56 -0400 Subject: [PATCH] Fixes for 5.10 Signed-off-by: Sasha Levin --- ...memory-leak-in-an-error-handling-pat.patch | 36 ++++ ...k-mq-plug-request-for-shared-sbitmap.patch | 53 ++++++ ...-swap-two-calls-in-blk_mq_exit_queue.patch | 51 +++++ ...-mode-parameter-to-put_unlocked_entr.patch | 84 +++++++++ ...n-enum-for-specifying-dax-wakup-mode.patch | 106 +++++++++++ ...waiters-after-invalidating-dax-entry.patch | 81 ++++++++ ...tialize-audio_comp-when-audio-starts.patch | 98 ++++++++++ ...x-race-condition-of-overwrite-vs-tru.patch | 148 +++++++++++++++ ...x-to-assign-cc.cluster_idx-correctly.patch | 145 +++++++++++++++ ...-fix-to-free-compress-page-correctly.patch | 37 ++++ .../hwmon-occ-fix-poll-rate-limiting.patch | 64 +++++++ ...select-iio_triggered_buffer-under-hi.patch | 174 ++++++++++++++++++ ...02-fix-rumtime-pm-imbalance-on-error.patch | 51 +++++ ...lsedlight-fix-rumtime-pm-imbalance-o.patch | 37 ++++ ...tely-guarantee-busy-wait-for-timer-t.patch | 45 +++++ ...-pvclock_gtod_work-on-module-removal.patch | 49 +++++ ...prevent-deadlock-against-tk_core.seq.patch | 88 +++++++++ ...-out-of-bounds-access-when-preempted.patch | 162 ++++++++++++++++ ...-fix-null-pointer-in-flush_workqueue.patch | 86 +++++++++ ...t-add-lba-to-sect-conversion-helpers.patch | 79 ++++++++ ...met-fix-inline-bio-check-for-bdev-ns.patch | 82 +++++++++ ...ull-deref-when-send-is-completed-wit.patch | 82 +++++++++ .../perf-tools-fix-dynamic-libbpf-link.patch | 74 ++++++++ queue-5.10/series | 29 ++- ...free-gadget-structure-only-after-fre.patch | 64 +++++++ ...usb-fotg210-hcd-fix-an-error-message.patch | 53 ++++++ .../usb-musb-fix-an-error-message.patch | 38 ++++ ...alloc-consolidate-pgmap-manipulation.patch | 69 +++++++ ...alloc-fix-error-return-code-in-fill_.patch | 42 +++++ 29 files changed, 2206 insertions(+), 1 deletion(-) create mode 100644 queue-5.10/acpi-scan-fix-a-memory-leak-in-an-error-handling-pat.patch create mode 100644 queue-5.10/blk-mq-plug-request-for-shared-sbitmap.patch create mode 100644 queue-5.10/blk-mq-swap-two-calls-in-blk_mq_exit_queue.patch create mode 100644 queue-5.10/dax-add-a-wakeup-mode-parameter-to-put_unlocked_entr.patch create mode 100644 queue-5.10/dax-add-an-enum-for-specifying-dax-wakup-mode.patch create mode 100644 queue-5.10/dax-wake-up-all-waiters-after-invalidating-dax-entry.patch create mode 100644 queue-5.10/drm-msm-dp-initialize-audio_comp-when-audio-starts.patch create mode 100644 queue-5.10/f2fs-compress-fix-race-condition-of-overwrite-vs-tru.patch create mode 100644 queue-5.10/f2fs-compress-fix-to-assign-cc.cluster_idx-correctly.patch create mode 100644 queue-5.10/f2fs-compress-fix-to-free-compress-page-correctly.patch create mode 100644 queue-5.10/hwmon-occ-fix-poll-rate-limiting.patch create mode 100644 queue-5.10/iio-hid-sensors-select-iio_triggered_buffer-under-hi.patch create mode 100644 queue-5.10/iio-light-gp2ap002-fix-rumtime-pm-imbalance-on-error.patch create mode 100644 queue-5.10/iio-proximity-pulsedlight-fix-rumtime-pm-imbalance-o.patch create mode 100644 queue-5.10/kvm-lapic-accurately-guarantee-busy-wait-for-timer-t.patch create mode 100644 queue-5.10/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch create mode 100644 queue-5.10/kvm-x86-prevent-deadlock-against-tk_core.seq.patch create mode 100644 queue-5.10/kyber-fix-out-of-bounds-access-when-preempted.patch create mode 100644 queue-5.10/nbd-fix-null-pointer-in-flush_workqueue.patch create mode 100644 queue-5.10/nvmet-add-lba-to-sect-conversion-helpers.patch create mode 100644 queue-5.10/nvmet-fix-inline-bio-check-for-bdev-ns.patch create mode 100644 queue-5.10/nvmet-rdma-fix-null-deref-when-send-is-completed-wit.patch create mode 100644 queue-5.10/perf-tools-fix-dynamic-libbpf-link.patch create mode 100644 queue-5.10/usb-dwc3-gadget-free-gadget-structure-only-after-fre.patch create mode 100644 queue-5.10/usb-fotg210-hcd-fix-an-error-message.patch create mode 100644 queue-5.10/usb-musb-fix-an-error-message.patch create mode 100644 queue-5.10/xen-unpopulated-alloc-consolidate-pgmap-manipulation.patch create mode 100644 queue-5.10/xen-unpopulated-alloc-fix-error-return-code-in-fill_.patch diff --git a/queue-5.10/acpi-scan-fix-a-memory-leak-in-an-error-handling-pat.patch b/queue-5.10/acpi-scan-fix-a-memory-leak-in-an-error-handling-pat.patch new file mode 100644 index 00000000000..27501b75279 --- /dev/null +++ b/queue-5.10/acpi-scan-fix-a-memory-leak-in-an-error-handling-pat.patch @@ -0,0 +1,36 @@ +From 2b4c3f62e1956d380730b1e7a139a60850de98a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 09:23:09 +0200 +Subject: ACPI: scan: Fix a memory leak in an error handling path + +From: Christophe JAILLET + +[ Upstream commit 0c8bd174f0fc131bc9dfab35cd8784f59045da87 ] + +If 'acpi_device_set_name()' fails, we must free +'acpi_device_bus_id->bus_id' or there is a (potential) memory leak. + +Fixes: eb50aaf960e3 ("ACPI: scan: Use unique number for instance_no") +Signed-off-by: Christophe JAILLET +Reviewed-by: Andy Shevchenko +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/scan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c +index b47f14ac75ae..de0533bd4e08 100644 +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -705,6 +705,7 @@ int acpi_device_add(struct acpi_device *device, + + result = acpi_device_set_name(device, acpi_device_bus_id); + if (result) { ++ kfree_const(acpi_device_bus_id->bus_id); + kfree(acpi_device_bus_id); + goto err_unlock; + } +-- +2.30.2 + diff --git a/queue-5.10/blk-mq-plug-request-for-shared-sbitmap.patch b/queue-5.10/blk-mq-plug-request-for-shared-sbitmap.patch new file mode 100644 index 00000000000..eaf4fe62b6a --- /dev/null +++ b/queue-5.10/blk-mq-plug-request-for-shared-sbitmap.patch @@ -0,0 +1,53 @@ +From 194e7128fd2490a1fc56ef61d66a794962ecf3e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 May 2021 10:20:52 +0800 +Subject: blk-mq: plug request for shared sbitmap + +From: Ming Lei + +[ Upstream commit 03f26d8f11403295de445b6e4e0e57ac57755791 ] + +In case of shared sbitmap, request won't be held in plug list any more +sine commit 32bc15afed04 ("blk-mq: Facilitate a shared sbitmap per +tagset"), this way makes request merge from flush plug list & batching +submission not possible, so cause performance regression. + +Yanhui reports performance regression when running sequential IO +test(libaio, 16 jobs, 8 depth for each job) in VM, and the VM disk +is emulated with image stored on xfs/megaraid_sas. + +Fix the issue by recovering original behavior to allow to hold request +in plug list. + +Cc: Yanhui Ma +Cc: John Garry +Cc: Bart Van Assche +Cc: kashyap.desai@broadcom.com +Fixes: 32bc15afed04 ("blk-mq: Facilitate a shared sbitmap per tagset") +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20210514022052.1047665-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 2a1eff60c797..4cd623a7383c 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -2203,8 +2203,9 @@ blk_qc_t blk_mq_submit_bio(struct bio *bio) + /* Bypass scheduler for flush requests */ + blk_insert_flush(rq); + blk_mq_run_hw_queue(data.hctx, true); +- } else if (plug && (q->nr_hw_queues == 1 || q->mq_ops->commit_rqs || +- !blk_queue_nonrot(q))) { ++ } else if (plug && (q->nr_hw_queues == 1 || ++ blk_mq_is_sbitmap_shared(rq->mq_hctx->flags) || ++ q->mq_ops->commit_rqs || !blk_queue_nonrot(q))) { + /* + * Use plugging if we have a ->commit_rqs() hook as well, as + * we know the driver uses bd->last in a smart fashion. +-- +2.30.2 + diff --git a/queue-5.10/blk-mq-swap-two-calls-in-blk_mq_exit_queue.patch b/queue-5.10/blk-mq-swap-two-calls-in-blk_mq_exit_queue.patch new file mode 100644 index 00000000000..9b7c1a78689 --- /dev/null +++ b/queue-5.10/blk-mq-swap-two-calls-in-blk_mq_exit_queue.patch @@ -0,0 +1,51 @@ +From f258bc119d0fdf78963807b88763bd2cd74454b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 May 2021 10:15:29 -0700 +Subject: blk-mq: Swap two calls in blk_mq_exit_queue() + +From: Bart Van Assche + +[ Upstream commit 630ef623ed26c18a457cdc070cf24014e50129c2 ] + +If a tag set is shared across request queues (e.g. SCSI LUNs) then the +block layer core keeps track of the number of active request queues in +tags->active_queues. blk_mq_tag_busy() and blk_mq_tag_idle() update that +atomic counter if the hctx flag BLK_MQ_F_TAG_QUEUE_SHARED is set. Make +sure that blk_mq_exit_queue() calls blk_mq_tag_idle() before that flag is +cleared by blk_mq_del_queue_tag_set(). + +Cc: Christoph Hellwig +Cc: Ming Lei +Cc: Hannes Reinecke +Fixes: 0d2602ca30e4 ("blk-mq: improve support for shared tags maps") +Signed-off-by: Bart Van Assche +Reviewed-by: Ming Lei +Link: https://lore.kernel.org/r/20210513171529.7977-1-bvanassche@acm.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 4cd623a7383c..4bf9449b4586 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -3256,10 +3256,12 @@ EXPORT_SYMBOL(blk_mq_init_allocated_queue); + /* tags can _not_ be used after returning from blk_mq_exit_queue */ + void blk_mq_exit_queue(struct request_queue *q) + { +- struct blk_mq_tag_set *set = q->tag_set; ++ struct blk_mq_tag_set *set = q->tag_set; + +- blk_mq_del_queue_tag_set(q); ++ /* Checks hctx->flags & BLK_MQ_F_TAG_QUEUE_SHARED. */ + blk_mq_exit_hw_queues(q, set, set->nr_hw_queues); ++ /* May clear BLK_MQ_F_TAG_QUEUE_SHARED in hctx->flags. */ ++ blk_mq_del_queue_tag_set(q); + } + + static int __blk_mq_alloc_rq_maps(struct blk_mq_tag_set *set) +-- +2.30.2 + diff --git a/queue-5.10/dax-add-a-wakeup-mode-parameter-to-put_unlocked_entr.patch b/queue-5.10/dax-add-a-wakeup-mode-parameter-to-put_unlocked_entr.patch new file mode 100644 index 00000000000..7ffa8807444 --- /dev/null +++ b/queue-5.10/dax-add-a-wakeup-mode-parameter-to-put_unlocked_entr.patch @@ -0,0 +1,84 @@ +From b66bcfe101ddab8522876d4339e6426f1ca2086d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Apr 2021 15:03:13 -0400 +Subject: dax: Add a wakeup mode parameter to put_unlocked_entry() + +From: Vivek Goyal + +[ Upstream commit 4c3d043d271d4d629aa2328796cdfc96b37d3b3c ] + +As of now put_unlocked_entry() always wakes up next waiter. In next +patches we want to wake up all waiters at one callsite. Hence, add a +parameter to the function. + +This patch does not introduce any change of behavior. + +Reviewed-by: Greg Kurz +Reviewed-by: Jan Kara +Suggested-by: Dan Williams +Signed-off-by: Vivek Goyal +Link: https://lore.kernel.org/r/20210428190314.1865312-3-vgoyal@redhat.com +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + fs/dax.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/fs/dax.c b/fs/dax.c +index 5ecee51c44ee..56eb1c759ca5 100644 +--- a/fs/dax.c ++++ b/fs/dax.c +@@ -275,11 +275,11 @@ static void wait_entry_unlocked(struct xa_state *xas, void *entry) + finish_wait(wq, &ewait.wait); + } + +-static void put_unlocked_entry(struct xa_state *xas, void *entry) ++static void put_unlocked_entry(struct xa_state *xas, void *entry, ++ enum dax_wake_mode mode) + { +- /* If we were the only waiter woken, wake the next one */ + if (entry && !dax_is_conflict(entry)) +- dax_wake_entry(xas, entry, WAKE_NEXT); ++ dax_wake_entry(xas, entry, mode); + } + + /* +@@ -633,7 +633,7 @@ struct page *dax_layout_busy_page_range(struct address_space *mapping, + entry = get_unlocked_entry(&xas, 0); + if (entry) + page = dax_busy_page(entry); +- put_unlocked_entry(&xas, entry); ++ put_unlocked_entry(&xas, entry, WAKE_NEXT); + if (page) + break; + if (++scanned % XA_CHECK_SCHED) +@@ -675,7 +675,7 @@ static int __dax_invalidate_entry(struct address_space *mapping, + mapping->nrexceptional--; + ret = 1; + out: +- put_unlocked_entry(&xas, entry); ++ put_unlocked_entry(&xas, entry, WAKE_NEXT); + xas_unlock_irq(&xas); + return ret; + } +@@ -954,7 +954,7 @@ static int dax_writeback_one(struct xa_state *xas, struct dax_device *dax_dev, + return ret; + + put_unlocked: +- put_unlocked_entry(xas, entry); ++ put_unlocked_entry(xas, entry, WAKE_NEXT); + return ret; + } + +@@ -1695,7 +1695,7 @@ dax_insert_pfn_mkwrite(struct vm_fault *vmf, pfn_t pfn, unsigned int order) + /* Did we race with someone splitting entry or so? */ + if (!entry || dax_is_conflict(entry) || + (order == 0 && !dax_is_pte_entry(entry))) { +- put_unlocked_entry(&xas, entry); ++ put_unlocked_entry(&xas, entry, WAKE_NEXT); + xas_unlock_irq(&xas); + trace_dax_insert_pfn_mkwrite_no_entry(mapping->host, vmf, + VM_FAULT_NOPAGE); +-- +2.30.2 + diff --git a/queue-5.10/dax-add-an-enum-for-specifying-dax-wakup-mode.patch b/queue-5.10/dax-add-an-enum-for-specifying-dax-wakup-mode.patch new file mode 100644 index 00000000000..0137a715a57 --- /dev/null +++ b/queue-5.10/dax-add-an-enum-for-specifying-dax-wakup-mode.patch @@ -0,0 +1,106 @@ +From 928ec8aaed5570e45a3d00f2fb55d1bc4eadd3c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Apr 2021 15:03:12 -0400 +Subject: dax: Add an enum for specifying dax wakup mode + +From: Vivek Goyal + +[ Upstream commit 698ab77aebffe08b312fbcdddeb0e8bd08b78717 ] + +Dan mentioned that he is not very fond of passing around a boolean true/false +to specify if only next waiter should be woken up or all waiters should be +woken up. He instead prefers that we introduce an enum and make it very +explicity at the callsite itself. Easier to read code. + +This patch should not introduce any change of behavior. + +Reviewed-by: Greg Kurz +Reviewed-by: Jan Kara +Suggested-by: Dan Williams +Signed-off-by: Vivek Goyal +Link: https://lore.kernel.org/r/20210428190314.1865312-2-vgoyal@redhat.com +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + fs/dax.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/fs/dax.c b/fs/dax.c +index b3d27fdc6775..5ecee51c44ee 100644 +--- a/fs/dax.c ++++ b/fs/dax.c +@@ -144,6 +144,16 @@ struct wait_exceptional_entry_queue { + struct exceptional_entry_key key; + }; + ++/** ++ * enum dax_wake_mode: waitqueue wakeup behaviour ++ * @WAKE_ALL: wake all waiters in the waitqueue ++ * @WAKE_NEXT: wake only the first waiter in the waitqueue ++ */ ++enum dax_wake_mode { ++ WAKE_ALL, ++ WAKE_NEXT, ++}; ++ + static wait_queue_head_t *dax_entry_waitqueue(struct xa_state *xas, + void *entry, struct exceptional_entry_key *key) + { +@@ -182,7 +192,8 @@ static int wake_exceptional_entry_func(wait_queue_entry_t *wait, + * The important information it's conveying is whether the entry at + * this index used to be a PMD entry. + */ +-static void dax_wake_entry(struct xa_state *xas, void *entry, bool wake_all) ++static void dax_wake_entry(struct xa_state *xas, void *entry, ++ enum dax_wake_mode mode) + { + struct exceptional_entry_key key; + wait_queue_head_t *wq; +@@ -196,7 +207,7 @@ static void dax_wake_entry(struct xa_state *xas, void *entry, bool wake_all) + * must be in the waitqueue and the following check will see them. + */ + if (waitqueue_active(wq)) +- __wake_up(wq, TASK_NORMAL, wake_all ? 0 : 1, &key); ++ __wake_up(wq, TASK_NORMAL, mode == WAKE_ALL ? 0 : 1, &key); + } + + /* +@@ -268,7 +279,7 @@ static void put_unlocked_entry(struct xa_state *xas, void *entry) + { + /* If we were the only waiter woken, wake the next one */ + if (entry && !dax_is_conflict(entry)) +- dax_wake_entry(xas, entry, false); ++ dax_wake_entry(xas, entry, WAKE_NEXT); + } + + /* +@@ -286,7 +297,7 @@ static void dax_unlock_entry(struct xa_state *xas, void *entry) + old = xas_store(xas, entry); + xas_unlock_irq(xas); + BUG_ON(!dax_is_locked(old)); +- dax_wake_entry(xas, entry, false); ++ dax_wake_entry(xas, entry, WAKE_NEXT); + } + + /* +@@ -524,7 +535,7 @@ static void *grab_mapping_entry(struct xa_state *xas, + + dax_disassociate_entry(entry, mapping, false); + xas_store(xas, NULL); /* undo the PMD join */ +- dax_wake_entry(xas, entry, true); ++ dax_wake_entry(xas, entry, WAKE_ALL); + mapping->nrexceptional--; + entry = NULL; + xas_set(xas, index); +@@ -937,7 +948,7 @@ static int dax_writeback_one(struct xa_state *xas, struct dax_device *dax_dev, + xas_lock_irq(xas); + xas_store(xas, entry); + xas_clear_mark(xas, PAGECACHE_TAG_DIRTY); +- dax_wake_entry(xas, entry, false); ++ dax_wake_entry(xas, entry, WAKE_NEXT); + + trace_dax_writeback_one(mapping->host, index, count); + return ret; +-- +2.30.2 + diff --git a/queue-5.10/dax-wake-up-all-waiters-after-invalidating-dax-entry.patch b/queue-5.10/dax-wake-up-all-waiters-after-invalidating-dax-entry.patch new file mode 100644 index 00000000000..185def9d47d --- /dev/null +++ b/queue-5.10/dax-wake-up-all-waiters-after-invalidating-dax-entry.patch @@ -0,0 +1,81 @@ +From 79048d516414dd8403f0ac3e62c627d5595d841a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Apr 2021 15:03:14 -0400 +Subject: dax: Wake up all waiters after invalidating dax entry + +From: Vivek Goyal + +[ Upstream commit 237388320deffde7c2d65ed8fc9eef670dc979b3 ] + +I am seeing missed wakeups which ultimately lead to a deadlock when I am +using virtiofs with DAX enabled and running "make -j". I had to mount +virtiofs as rootfs and also reduce to dax window size to 256M to reproduce +the problem consistently. + +So here is the problem. put_unlocked_entry() wakes up waiters only +if entry is not null as well as !dax_is_conflict(entry). But if I +call multiple instances of invalidate_inode_pages2() in parallel, +then I can run into a situation where there are waiters on +this index but nobody will wake these waiters. + +invalidate_inode_pages2() + invalidate_inode_pages2_range() + invalidate_exceptional_entry2() + dax_invalidate_mapping_entry_sync() + __dax_invalidate_entry() { + xas_lock_irq(&xas); + entry = get_unlocked_entry(&xas, 0); + ... + ... + dax_disassociate_entry(entry, mapping, trunc); + xas_store(&xas, NULL); + ... + ... + put_unlocked_entry(&xas, entry); + xas_unlock_irq(&xas); + } + +Say a fault in in progress and it has locked entry at offset say "0x1c". +Now say three instances of invalidate_inode_pages2() are in progress +(A, B, C) and they all try to invalidate entry at offset "0x1c". Given +dax entry is locked, all tree instances A, B, C will wait in wait queue. + +When dax fault finishes, say A is woken up. It will store NULL entry +at index "0x1c" and wake up B. When B comes along it will find "entry=0" +at page offset 0x1c and it will call put_unlocked_entry(&xas, 0). And +this means put_unlocked_entry() will not wake up next waiter, given +the current code. And that means C continues to wait and is not woken +up. + +This patch fixes the issue by waking up all waiters when a dax entry +has been invalidated. This seems to fix the deadlock I am facing +and I can make forward progress. + +Reported-by: Sergio Lopez +Fixes: ac401cc78242 ("dax: New fault locking") +Reviewed-by: Jan Kara +Suggested-by: Dan Williams +Signed-off-by: Vivek Goyal +Link: https://lore.kernel.org/r/20210428190314.1865312-4-vgoyal@redhat.com +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + fs/dax.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/dax.c b/fs/dax.c +index 56eb1c759ca5..df5485b4bddf 100644 +--- a/fs/dax.c ++++ b/fs/dax.c +@@ -675,7 +675,7 @@ static int __dax_invalidate_entry(struct address_space *mapping, + mapping->nrexceptional--; + ret = 1; + out: +- put_unlocked_entry(&xas, entry, WAKE_NEXT); ++ put_unlocked_entry(&xas, entry, WAKE_ALL); + xas_unlock_irq(&xas); + return ret; + } +-- +2.30.2 + diff --git a/queue-5.10/drm-msm-dp-initialize-audio_comp-when-audio-starts.patch b/queue-5.10/drm-msm-dp-initialize-audio_comp-when-audio-starts.patch new file mode 100644 index 00000000000..a58f2a299ea --- /dev/null +++ b/queue-5.10/drm-msm-dp-initialize-audio_comp-when-audio-starts.patch @@ -0,0 +1,98 @@ +From 9d024d4df7ec494dc4870634146b059b59366260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Apr 2021 16:37:36 -0700 +Subject: drm/msm/dp: initialize audio_comp when audio starts + +From: Kuogee Hsieh + +[ Upstream commit f2f46b878777e0d3f885c7ddad48f477b4dea247 ] + +Initialize audio_comp when audio starts and wait for audio_comp at +dp_display_disable(). This will take care of both dongle unplugged +and display off (suspend) cases. + +Changes in v2: +-- add dp_display_signal_audio_start() + +Changes in v3: +-- restore dp_display_handle_plugged_change() at dp_hpd_unplug_handle(). + +Changes in v4: +-- none + +Signed-off-by: Kuogee Hsieh +Reviewed-by: Stephen Boyd +Tested-by: Stephen Boyd +Fixes: c703d5789590 ("drm/msm/dp: trigger unplug event in msm_dp_display_disable") +Link: https://lore.kernel.org/r/1619048258-8717-3-git-send-email-khsieh@codeaurora.org +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_audio.c | 1 + + drivers/gpu/drm/msm/dp/dp_display.c | 11 +++++++++-- + drivers/gpu/drm/msm/dp/dp_display.h | 1 + + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_audio.c b/drivers/gpu/drm/msm/dp/dp_audio.c +index 82a8673ab8da..d7e4a39a904e 100644 +--- a/drivers/gpu/drm/msm/dp/dp_audio.c ++++ b/drivers/gpu/drm/msm/dp/dp_audio.c +@@ -527,6 +527,7 @@ int dp_audio_hw_params(struct device *dev, + dp_audio_setup_acr(audio); + dp_audio_safe_to_exit_level(audio); + dp_audio_enable(audio, true); ++ dp_display_signal_audio_start(dp_display); + dp_display->audio_enabled = true; + + end: +diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c +index a2db14f852f1..66f2ea3d42fc 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -176,6 +176,15 @@ static int dp_del_event(struct dp_display_private *dp_priv, u32 event) + return 0; + } + ++void dp_display_signal_audio_start(struct msm_dp *dp_display) ++{ ++ struct dp_display_private *dp; ++ ++ dp = container_of(dp_display, struct dp_display_private, dp_display); ++ ++ reinit_completion(&dp->audio_comp); ++} ++ + void dp_display_signal_audio_complete(struct msm_dp *dp_display) + { + struct dp_display_private *dp; +@@ -620,7 +629,6 @@ static int dp_hpd_unplug_handle(struct dp_display_private *dp, u32 data) + dp_add_event(dp, EV_DISCONNECT_PENDING_TIMEOUT, 0, DP_TIMEOUT_5_SECOND); + + /* signal the disconnect event early to ensure proper teardown */ +- reinit_completion(&dp->audio_comp); + dp_display_handle_plugged_change(g_dp_display, false); + + dp_catalog_hpd_config_intr(dp->catalog, DP_DP_HPD_PLUG_INT_MASK | +@@ -841,7 +849,6 @@ static int dp_display_disable(struct dp_display_private *dp, u32 data) + /* wait only if audio was enabled */ + if (dp_display->audio_enabled) { + /* signal the disconnect event */ +- reinit_completion(&dp->audio_comp); + dp_display_handle_plugged_change(dp_display, false); + if (!wait_for_completion_timeout(&dp->audio_comp, + HZ * 5)) +diff --git a/drivers/gpu/drm/msm/dp/dp_display.h b/drivers/gpu/drm/msm/dp/dp_display.h +index 6092ba1ed85e..5173c89eedf7 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.h ++++ b/drivers/gpu/drm/msm/dp/dp_display.h +@@ -34,6 +34,7 @@ int dp_display_get_modes(struct msm_dp *dp_display, + int dp_display_request_irq(struct msm_dp *dp_display); + bool dp_display_check_video_test(struct msm_dp *dp_display); + int dp_display_get_test_bpp(struct msm_dp *dp_display); ++void dp_display_signal_audio_start(struct msm_dp *dp_display); + void dp_display_signal_audio_complete(struct msm_dp *dp_display); + + #endif /* _DP_DISPLAY_H_ */ +-- +2.30.2 + diff --git a/queue-5.10/f2fs-compress-fix-race-condition-of-overwrite-vs-tru.patch b/queue-5.10/f2fs-compress-fix-race-condition-of-overwrite-vs-tru.patch new file mode 100644 index 00000000000..7546f7cd0b9 --- /dev/null +++ b/queue-5.10/f2fs-compress-fix-race-condition-of-overwrite-vs-tru.patch @@ -0,0 +1,148 @@ +From bcbbb07b7ac7bd3abcca7d8d11e9f05a919e88bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 17:30:31 +0800 +Subject: f2fs: compress: fix race condition of overwrite vs truncate + +From: Chao Yu + +[ Upstream commit a949dc5f2c5cfe0c910b664650f45371254c0744 ] + +pos_fsstress testcase complains a panic as belew: + +------------[ cut here ]------------ +kernel BUG at fs/f2fs/compress.c:1082! +invalid opcode: 0000 [#1] SMP PTI +CPU: 4 PID: 2753477 Comm: kworker/u16:2 Tainted: G OE 5.12.0-rc1-custom #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 +Workqueue: writeback wb_workfn (flush-252:16) +RIP: 0010:prepare_compress_overwrite+0x4c0/0x760 [f2fs] +Call Trace: + f2fs_prepare_compress_overwrite+0x5f/0x80 [f2fs] + f2fs_write_cache_pages+0x468/0x8a0 [f2fs] + f2fs_write_data_pages+0x2a4/0x2f0 [f2fs] + do_writepages+0x38/0xc0 + __writeback_single_inode+0x44/0x2a0 + writeback_sb_inodes+0x223/0x4d0 + __writeback_inodes_wb+0x56/0xf0 + wb_writeback+0x1dd/0x290 + wb_workfn+0x309/0x500 + process_one_work+0x220/0x3c0 + worker_thread+0x53/0x420 + kthread+0x12f/0x150 + ret_from_fork+0x22/0x30 + +The root cause is truncate() may race with overwrite as below, +so that one reference count left in page can not guarantee the +page attaching in mapping tree all the time, after truncation, +later find_lock_page() may return NULL pointer. + +- prepare_compress_overwrite + - f2fs_pagecache_get_page + - unlock_page + - f2fs_setattr + - truncate_setsize + - truncate_inode_page + - delete_from_page_cache + - find_lock_page + +Fix this by avoiding referencing updated page. + +Fixes: 4c8ff7095bef ("f2fs: support data compression") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/compress.c | 35 ++++++++++++----------------------- + 1 file changed, 12 insertions(+), 23 deletions(-) + +diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c +index b6b7b1552769..58eb5eefe268 100644 +--- a/fs/f2fs/compress.c ++++ b/fs/f2fs/compress.c +@@ -123,19 +123,6 @@ static void f2fs_unlock_rpages(struct compress_ctx *cc, int len) + f2fs_drop_rpages(cc, len, true); + } + +-static void f2fs_put_rpages_mapping(struct address_space *mapping, +- pgoff_t start, int len) +-{ +- int i; +- +- for (i = 0; i < len; i++) { +- struct page *page = find_get_page(mapping, start + i); +- +- put_page(page); +- put_page(page); +- } +-} +- + static void f2fs_put_rpages_wbc(struct compress_ctx *cc, + struct writeback_control *wbc, bool redirty, int unlock) + { +@@ -986,7 +973,7 @@ static int prepare_compress_overwrite(struct compress_ctx *cc, + } + + if (PageUptodate(page)) +- unlock_page(page); ++ f2fs_put_page(page, 1); + else + f2fs_compress_ctx_add_page(cc, page); + } +@@ -996,32 +983,34 @@ static int prepare_compress_overwrite(struct compress_ctx *cc, + + ret = f2fs_read_multi_pages(cc, &bio, cc->cluster_size, + &last_block_in_bio, false, true); ++ f2fs_put_rpages(cc); + f2fs_destroy_compress_ctx(cc); + if (ret) +- goto release_pages; ++ goto out; + if (bio) + f2fs_submit_bio(sbi, bio, DATA); + + ret = f2fs_init_compress_ctx(cc); + if (ret) +- goto release_pages; ++ goto out; + } + + for (i = 0; i < cc->cluster_size; i++) { + f2fs_bug_on(sbi, cc->rpages[i]); + + page = find_lock_page(mapping, start_idx + i); +- f2fs_bug_on(sbi, !page); ++ if (!page) { ++ /* page can be truncated */ ++ goto release_and_retry; ++ } + + f2fs_wait_on_page_writeback(page, DATA, true, true); +- + f2fs_compress_ctx_add_page(cc, page); +- f2fs_put_page(page, 0); + + if (!PageUptodate(page)) { ++release_and_retry: ++ f2fs_put_rpages(cc); + f2fs_unlock_rpages(cc, i + 1); +- f2fs_put_rpages_mapping(mapping, start_idx, +- cc->cluster_size); + f2fs_destroy_compress_ctx(cc); + goto retry; + } +@@ -1053,10 +1042,10 @@ static int prepare_compress_overwrite(struct compress_ctx *cc, + } + + unlock_pages: ++ f2fs_put_rpages(cc); + f2fs_unlock_rpages(cc, i); +-release_pages: +- f2fs_put_rpages_mapping(mapping, start_idx, i); + f2fs_destroy_compress_ctx(cc); ++out: + return ret; + } + +-- +2.30.2 + diff --git a/queue-5.10/f2fs-compress-fix-to-assign-cc.cluster_idx-correctly.patch b/queue-5.10/f2fs-compress-fix-to-assign-cc.cluster_idx-correctly.patch new file mode 100644 index 00000000000..c1cde546994 --- /dev/null +++ b/queue-5.10/f2fs-compress-fix-to-assign-cc.cluster_idx-correctly.patch @@ -0,0 +1,145 @@ +From 085aa9f46f24a83208a039bb164f124d6a398bbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 17:30:32 +0800 +Subject: f2fs: compress: fix to assign cc.cluster_idx correctly + +From: Chao Yu + +[ Upstream commit 8bfbfb0ddd706b1ce2e89259ecc45f192c0ec2bf ] + +In f2fs_destroy_compress_ctx(), after f2fs_destroy_compress_ctx(), +cc.cluster_idx will be cleared w/ NULL_CLUSTER, f2fs_cluster_blocks() +may check wrong cluster metadata, fix it. + +Fixes: 4c8ff7095bef ("f2fs: support data compression") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/compress.c | 17 +++++++++-------- + fs/f2fs/data.c | 6 +++--- + fs/f2fs/f2fs.h | 2 +- + 3 files changed, 13 insertions(+), 12 deletions(-) + +diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c +index 58eb5eefe268..f94b13075ea4 100644 +--- a/fs/f2fs/compress.c ++++ b/fs/f2fs/compress.c +@@ -151,13 +151,14 @@ int f2fs_init_compress_ctx(struct compress_ctx *cc) + return cc->rpages ? 0 : -ENOMEM; + } + +-void f2fs_destroy_compress_ctx(struct compress_ctx *cc) ++void f2fs_destroy_compress_ctx(struct compress_ctx *cc, bool reuse) + { + page_array_free(cc->inode, cc->rpages, cc->cluster_size); + cc->rpages = NULL; + cc->nr_rpages = 0; + cc->nr_cpages = 0; +- cc->cluster_idx = NULL_CLUSTER; ++ if (!reuse) ++ cc->cluster_idx = NULL_CLUSTER; + } + + void f2fs_compress_ctx_add_page(struct compress_ctx *cc, struct page *page) +@@ -984,7 +985,7 @@ static int prepare_compress_overwrite(struct compress_ctx *cc, + ret = f2fs_read_multi_pages(cc, &bio, cc->cluster_size, + &last_block_in_bio, false, true); + f2fs_put_rpages(cc); +- f2fs_destroy_compress_ctx(cc); ++ f2fs_destroy_compress_ctx(cc, true); + if (ret) + goto out; + if (bio) +@@ -1011,7 +1012,7 @@ static int prepare_compress_overwrite(struct compress_ctx *cc, + release_and_retry: + f2fs_put_rpages(cc); + f2fs_unlock_rpages(cc, i + 1); +- f2fs_destroy_compress_ctx(cc); ++ f2fs_destroy_compress_ctx(cc, true); + goto retry; + } + } +@@ -1044,7 +1045,7 @@ static int prepare_compress_overwrite(struct compress_ctx *cc, + unlock_pages: + f2fs_put_rpages(cc); + f2fs_unlock_rpages(cc, i); +- f2fs_destroy_compress_ctx(cc); ++ f2fs_destroy_compress_ctx(cc, true); + out: + return ret; + } +@@ -1080,7 +1081,7 @@ bool f2fs_compress_write_end(struct inode *inode, void *fsdata, + set_cluster_dirty(&cc); + + f2fs_put_rpages_wbc(&cc, NULL, false, 1); +- f2fs_destroy_compress_ctx(&cc); ++ f2fs_destroy_compress_ctx(&cc, false); + + return first_index; + } +@@ -1299,7 +1300,7 @@ static int f2fs_write_compressed_pages(struct compress_ctx *cc, + f2fs_put_rpages(cc); + page_array_free(cc->inode, cc->cpages, cc->nr_cpages); + cc->cpages = NULL; +- f2fs_destroy_compress_ctx(cc); ++ f2fs_destroy_compress_ctx(cc, false); + return 0; + + out_destroy_crypt: +@@ -1461,7 +1462,7 @@ int f2fs_write_multi_pages(struct compress_ctx *cc, + err = f2fs_write_raw_pages(cc, submitted, wbc, io_type); + f2fs_put_rpages_wbc(cc, wbc, false, 0); + destroy_out: +- f2fs_destroy_compress_ctx(cc); ++ f2fs_destroy_compress_ctx(cc, false); + return err; + } + +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index 901bd1d963ee..bdc0f3b2d7ab 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -2419,7 +2419,7 @@ static int f2fs_mpage_readpages(struct inode *inode, + max_nr_pages, + &last_block_in_bio, + rac != NULL, false); +- f2fs_destroy_compress_ctx(&cc); ++ f2fs_destroy_compress_ctx(&cc, false); + if (ret) + goto set_error_page; + } +@@ -2464,7 +2464,7 @@ static int f2fs_mpage_readpages(struct inode *inode, + max_nr_pages, + &last_block_in_bio, + rac != NULL, false); +- f2fs_destroy_compress_ctx(&cc); ++ f2fs_destroy_compress_ctx(&cc, false); + } + } + #endif +@@ -3168,7 +3168,7 @@ static int f2fs_write_cache_pages(struct address_space *mapping, + } + } + if (f2fs_compressed_file(inode)) +- f2fs_destroy_compress_ctx(&cc); ++ f2fs_destroy_compress_ctx(&cc, false); + #endif + if (retry) { + index = 0; +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 036d2a3a2f41..69a390c6064c 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3856,7 +3856,7 @@ void f2fs_free_dic(struct decompress_io_ctx *dic); + void f2fs_decompress_end_io(struct page **rpages, + unsigned int cluster_size, bool err, bool verity); + int f2fs_init_compress_ctx(struct compress_ctx *cc); +-void f2fs_destroy_compress_ctx(struct compress_ctx *cc); ++void f2fs_destroy_compress_ctx(struct compress_ctx *cc, bool reuse); + void f2fs_init_compress_info(struct f2fs_sb_info *sbi); + int f2fs_init_page_array_cache(struct f2fs_sb_info *sbi); + void f2fs_destroy_page_array_cache(struct f2fs_sb_info *sbi); +-- +2.30.2 + diff --git a/queue-5.10/f2fs-compress-fix-to-free-compress-page-correctly.patch b/queue-5.10/f2fs-compress-fix-to-free-compress-page-correctly.patch new file mode 100644 index 00000000000..86f5a212365 --- /dev/null +++ b/queue-5.10/f2fs-compress-fix-to-free-compress-page-correctly.patch @@ -0,0 +1,37 @@ +From b11cec13c79eea9cea88c0e9ce936391387cf040 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 17:00:43 +0800 +Subject: f2fs: compress: fix to free compress page correctly + +From: Chao Yu + +[ Upstream commit a12cc5b423d4f36dc1a1ea3911e49cf9dff43898 ] + +In error path of f2fs_write_compressed_pages(), it needs to call +f2fs_compress_free_page() to release temporary page. + +Fixes: 5e6bbde95982 ("f2fs: introduce mempool for {,de}compress intermediate page allocation") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/compress.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c +index d3f407ba64c9..b6b7b1552769 100644 +--- a/fs/f2fs/compress.c ++++ b/fs/f2fs/compress.c +@@ -1321,7 +1321,8 @@ static int f2fs_write_compressed_pages(struct compress_ctx *cc, + for (i = 0; i < cc->nr_cpages; i++) { + if (!cc->cpages[i]) + continue; +- f2fs_put_page(cc->cpages[i], 1); ++ f2fs_compress_free_page(cc->cpages[i]); ++ cc->cpages[i] = NULL; + } + out_put_cic: + kmem_cache_free(cic_entry_slab, cic); +-- +2.30.2 + diff --git a/queue-5.10/hwmon-occ-fix-poll-rate-limiting.patch b/queue-5.10/hwmon-occ-fix-poll-rate-limiting.patch new file mode 100644 index 00000000000..8bc4d587abe --- /dev/null +++ b/queue-5.10/hwmon-occ-fix-poll-rate-limiting.patch @@ -0,0 +1,64 @@ +From 59c2f22c926021b04224676760561ed154839178 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 10:13:36 -0500 +Subject: hwmon: (occ) Fix poll rate limiting + +From: Eddie James + +[ Upstream commit 5216dff22dc2bbbbe6f00335f9fd2879670e753b ] + +The poll rate limiter time was initialized at zero. This breaks the +comparison in time_after if jiffies is large. Switch to storing the +next update time rather than the previous time, and initialize the +time when the device is probed. + +Fixes: c10e753d43eb ("hwmon (occ): Add sensor types and versions") +Signed-off-by: Eddie James +Link: https://lore.kernel.org/r/20210429151336.18980-1-eajames@linux.ibm.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/occ/common.c | 5 +++-- + drivers/hwmon/occ/common.h | 2 +- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/hwmon/occ/common.c b/drivers/hwmon/occ/common.c +index a71777990d49..d052502dc2c0 100644 +--- a/drivers/hwmon/occ/common.c ++++ b/drivers/hwmon/occ/common.c +@@ -209,9 +209,9 @@ int occ_update_response(struct occ *occ) + return rc; + + /* limit the maximum rate of polling the OCC */ +- if (time_after(jiffies, occ->last_update + OCC_UPDATE_FREQUENCY)) { ++ if (time_after(jiffies, occ->next_update)) { + rc = occ_poll(occ); +- occ->last_update = jiffies; ++ occ->next_update = jiffies + OCC_UPDATE_FREQUENCY; + } else { + rc = occ->last_error; + } +@@ -1089,6 +1089,7 @@ int occ_setup(struct occ *occ, const char *name) + return rc; + } + ++ occ->next_update = jiffies + OCC_UPDATE_FREQUENCY; + occ_parse_poll_response(occ); + + rc = occ_setup_sensor_attrs(occ); +diff --git a/drivers/hwmon/occ/common.h b/drivers/hwmon/occ/common.h +index 67e6968b8978..e6df719770e8 100644 +--- a/drivers/hwmon/occ/common.h ++++ b/drivers/hwmon/occ/common.h +@@ -99,7 +99,7 @@ struct occ { + u8 poll_cmd_data; /* to perform OCC poll command */ + int (*send_cmd)(struct occ *occ, u8 *cmd); + +- unsigned long last_update; ++ unsigned long next_update; + struct mutex lock; /* lock OCC access */ + + struct device *hwmon; +-- +2.30.2 + diff --git a/queue-5.10/iio-hid-sensors-select-iio_triggered_buffer-under-hi.patch b/queue-5.10/iio-hid-sensors-select-iio_triggered_buffer-under-hi.patch new file mode 100644 index 00000000000..12c3f2640ee --- /dev/null +++ b/queue-5.10/iio-hid-sensors-select-iio_triggered_buffer-under-hi.patch @@ -0,0 +1,174 @@ +From 338726ea85d7fd8847af76d17d87e0f76695d29b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Apr 2021 11:49:55 +0300 +Subject: iio: hid-sensors: select IIO_TRIGGERED_BUFFER under + HID_SENSOR_IIO_TRIGGER + +From: Alexandru Ardelean + +[ Upstream commit 7061803522ee7876df1ca18cdd1e1551f761352d ] + +During commit 067fda1c065ff ("iio: hid-sensors: move triggered buffer +setup into hid_sensor_setup_trigger"), the +iio_triggered_buffer_{setup,cleanup}() functions got moved under the +hid-sensor-trigger module. + +The above change works fine, if any of the sensors get built. However, when +only the common hid-sensor-trigger module gets built (and none of the +drivers), then the IIO_TRIGGERED_BUFFER symbol isn't selected/enforced. + +Previously, each driver would enforce/select the IIO_TRIGGERED_BUFFER +symbol. With this change the HID_SENSOR_IIO_TRIGGER (for the +hid-sensor-trigger module) will enforce that IIO_TRIGGERED_BUFFER gets +selected. + +All HID sensor drivers select the HID_SENSOR_IIO_TRIGGER symbol. So, this +change removes the IIO_TRIGGERED_BUFFER enforcement from each driver. + +Fixes: 067fda1c065ff ("iio: hid-sensors: move triggered buffer setup into hid_sensor_setup_trigger") +Reported-by: Thomas Deutschmann +Cc: Srinivas Pandruvada +Signed-off-by: Alexandru Ardelean +Acked-by: Srinivas Pandruvada +Link: https://lore.kernel.org/r/20210414084955.260117-1-aardelean@deviqon.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/Kconfig | 1 - + drivers/iio/common/hid-sensors/Kconfig | 1 + + drivers/iio/gyro/Kconfig | 1 - + drivers/iio/humidity/Kconfig | 1 - + drivers/iio/light/Kconfig | 2 -- + drivers/iio/magnetometer/Kconfig | 1 - + drivers/iio/orientation/Kconfig | 2 -- + drivers/iio/pressure/Kconfig | 1 - + drivers/iio/temperature/Kconfig | 1 - + 9 files changed, 1 insertion(+), 10 deletions(-) + +diff --git a/drivers/iio/accel/Kconfig b/drivers/iio/accel/Kconfig +index 2e0c62c39155..8acf277b8b25 100644 +--- a/drivers/iio/accel/Kconfig ++++ b/drivers/iio/accel/Kconfig +@@ -211,7 +211,6 @@ config DMARD10 + config HID_SENSOR_ACCEL_3D + depends on HID_SENSOR_HUB + select IIO_BUFFER +- select IIO_TRIGGERED_BUFFER + select HID_SENSOR_IIO_COMMON + select HID_SENSOR_IIO_TRIGGER + tristate "HID Accelerometers 3D" +diff --git a/drivers/iio/common/hid-sensors/Kconfig b/drivers/iio/common/hid-sensors/Kconfig +index 24d492567336..2a3dd3b907be 100644 +--- a/drivers/iio/common/hid-sensors/Kconfig ++++ b/drivers/iio/common/hid-sensors/Kconfig +@@ -19,6 +19,7 @@ config HID_SENSOR_IIO_TRIGGER + tristate "Common module (trigger) for all HID Sensor IIO drivers" + depends on HID_SENSOR_HUB && HID_SENSOR_IIO_COMMON && IIO_BUFFER + select IIO_TRIGGER ++ select IIO_TRIGGERED_BUFFER + help + Say yes here to build trigger support for HID sensors. + Triggers will be send if all requested attributes were read. +diff --git a/drivers/iio/gyro/Kconfig b/drivers/iio/gyro/Kconfig +index 5824f2edf975..20b5ac7ab66a 100644 +--- a/drivers/iio/gyro/Kconfig ++++ b/drivers/iio/gyro/Kconfig +@@ -111,7 +111,6 @@ config FXAS21002C_SPI + config HID_SENSOR_GYRO_3D + depends on HID_SENSOR_HUB + select IIO_BUFFER +- select IIO_TRIGGERED_BUFFER + select HID_SENSOR_IIO_COMMON + select HID_SENSOR_IIO_TRIGGER + tristate "HID Gyroscope 3D" +diff --git a/drivers/iio/humidity/Kconfig b/drivers/iio/humidity/Kconfig +index 6549fcf6db69..2de5494e7c22 100644 +--- a/drivers/iio/humidity/Kconfig ++++ b/drivers/iio/humidity/Kconfig +@@ -52,7 +52,6 @@ config HID_SENSOR_HUMIDITY + tristate "HID Environmental humidity sensor" + depends on HID_SENSOR_HUB + select IIO_BUFFER +- select IIO_TRIGGERED_BUFFER + select HID_SENSOR_IIO_COMMON + select HID_SENSOR_IIO_TRIGGER + help +diff --git a/drivers/iio/light/Kconfig b/drivers/iio/light/Kconfig +index 33ad4dd0b5c7..917f9becf9c7 100644 +--- a/drivers/iio/light/Kconfig ++++ b/drivers/iio/light/Kconfig +@@ -256,7 +256,6 @@ config ISL29125 + config HID_SENSOR_ALS + depends on HID_SENSOR_HUB + select IIO_BUFFER +- select IIO_TRIGGERED_BUFFER + select HID_SENSOR_IIO_COMMON + select HID_SENSOR_IIO_TRIGGER + tristate "HID ALS" +@@ -270,7 +269,6 @@ config HID_SENSOR_ALS + config HID_SENSOR_PROX + depends on HID_SENSOR_HUB + select IIO_BUFFER +- select IIO_TRIGGERED_BUFFER + select HID_SENSOR_IIO_COMMON + select HID_SENSOR_IIO_TRIGGER + tristate "HID PROX" +diff --git a/drivers/iio/magnetometer/Kconfig b/drivers/iio/magnetometer/Kconfig +index 1697a8c03506..7e9489a35571 100644 +--- a/drivers/iio/magnetometer/Kconfig ++++ b/drivers/iio/magnetometer/Kconfig +@@ -95,7 +95,6 @@ config MAG3110 + config HID_SENSOR_MAGNETOMETER_3D + depends on HID_SENSOR_HUB + select IIO_BUFFER +- select IIO_TRIGGERED_BUFFER + select HID_SENSOR_IIO_COMMON + select HID_SENSOR_IIO_TRIGGER + tristate "HID Magenetometer 3D" +diff --git a/drivers/iio/orientation/Kconfig b/drivers/iio/orientation/Kconfig +index a505583cc2fd..396cbbb867f4 100644 +--- a/drivers/iio/orientation/Kconfig ++++ b/drivers/iio/orientation/Kconfig +@@ -9,7 +9,6 @@ menu "Inclinometer sensors" + config HID_SENSOR_INCLINOMETER_3D + depends on HID_SENSOR_HUB + select IIO_BUFFER +- select IIO_TRIGGERED_BUFFER + select HID_SENSOR_IIO_COMMON + select HID_SENSOR_IIO_TRIGGER + tristate "HID Inclinometer 3D" +@@ -20,7 +19,6 @@ config HID_SENSOR_INCLINOMETER_3D + config HID_SENSOR_DEVICE_ROTATION + depends on HID_SENSOR_HUB + select IIO_BUFFER +- select IIO_TRIGGERED_BUFFER + select HID_SENSOR_IIO_COMMON + select HID_SENSOR_IIO_TRIGGER + tristate "HID Device Rotation" +diff --git a/drivers/iio/pressure/Kconfig b/drivers/iio/pressure/Kconfig +index 689b978db4f9..fc0d3cfca418 100644 +--- a/drivers/iio/pressure/Kconfig ++++ b/drivers/iio/pressure/Kconfig +@@ -79,7 +79,6 @@ config DPS310 + config HID_SENSOR_PRESS + depends on HID_SENSOR_HUB + select IIO_BUFFER +- select IIO_TRIGGERED_BUFFER + select HID_SENSOR_IIO_COMMON + select HID_SENSOR_IIO_TRIGGER + tristate "HID PRESS" +diff --git a/drivers/iio/temperature/Kconfig b/drivers/iio/temperature/Kconfig +index f1f2a1499c9e..4df60082c1fa 100644 +--- a/drivers/iio/temperature/Kconfig ++++ b/drivers/iio/temperature/Kconfig +@@ -45,7 +45,6 @@ config HID_SENSOR_TEMP + tristate "HID Environmental temperature sensor" + depends on HID_SENSOR_HUB + select IIO_BUFFER +- select IIO_TRIGGERED_BUFFER + select HID_SENSOR_IIO_COMMON + select HID_SENSOR_IIO_TRIGGER + help +-- +2.30.2 + diff --git a/queue-5.10/iio-light-gp2ap002-fix-rumtime-pm-imbalance-on-error.patch b/queue-5.10/iio-light-gp2ap002-fix-rumtime-pm-imbalance-on-error.patch new file mode 100644 index 00000000000..54b01faa459 --- /dev/null +++ b/queue-5.10/iio-light-gp2ap002-fix-rumtime-pm-imbalance-on-error.patch @@ -0,0 +1,51 @@ +From 32e50df64f9cf555d10e7246c1cfca1755b58956 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 11:49:27 +0800 +Subject: iio: light: gp2ap002: Fix rumtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit 8edb79af88efc6e49e735f9baf61d9f0748b881f ] + +When devm_request_threaded_irq() fails, we should decrease the +runtime PM counter to keep the counter balanced. But when +iio_device_register() fails, we need not to decrease it because +we have already decreased it before. + +Signed-off-by: Dinghao Liu +Reviewed-by: Linus Walleij +Fixes: 97d642e23037 ("iio: light: Add a driver for Sharp GP2AP002x00F") +Link: https://lore.kernel.org/r/20210407034927.16882-1-dinghao.liu@zju.edu.cn +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/light/gp2ap002.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/light/gp2ap002.c b/drivers/iio/light/gp2ap002.c +index 7ba7aa59437c..040d8429a6e0 100644 +--- a/drivers/iio/light/gp2ap002.c ++++ b/drivers/iio/light/gp2ap002.c +@@ -583,7 +583,7 @@ static int gp2ap002_probe(struct i2c_client *client, + "gp2ap002", indio_dev); + if (ret) { + dev_err(dev, "unable to request IRQ\n"); +- goto out_disable_vio; ++ goto out_put_pm; + } + gp2ap002->irq = client->irq; + +@@ -613,8 +613,9 @@ static int gp2ap002_probe(struct i2c_client *client, + + return 0; + +-out_disable_pm: ++out_put_pm: + pm_runtime_put_noidle(dev); ++out_disable_pm: + pm_runtime_disable(dev); + out_disable_vio: + regulator_disable(gp2ap002->vio); +-- +2.30.2 + diff --git a/queue-5.10/iio-proximity-pulsedlight-fix-rumtime-pm-imbalance-o.patch b/queue-5.10/iio-proximity-pulsedlight-fix-rumtime-pm-imbalance-o.patch new file mode 100644 index 00000000000..694bb1b4d18 --- /dev/null +++ b/queue-5.10/iio-proximity-pulsedlight-fix-rumtime-pm-imbalance-o.patch @@ -0,0 +1,37 @@ +From ec2578a5f054a223d1c93f3b9847ef19766b4a2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Apr 2021 13:32:02 +0800 +Subject: iio: proximity: pulsedlight: Fix rumtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit a2fa9242e89f27696515699fe0f0296bf1ac1815 ] + +When lidar_write_control() fails, a pairing PM usage counter +decrement is needed to keep the counter balanced. + +Fixes: 4ac4e086fd8c5 ("iio: pulsedlight-lidar-lite: add runtime PM") +Signed-off-by: Dinghao Liu +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210412053204.4889-1-dinghao.liu@zju.edu.cn +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/proximity/pulsedlight-lidar-lite-v2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c b/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c +index c685f10b5ae4..cc206bfa09c7 100644 +--- a/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c ++++ b/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c +@@ -160,6 +160,7 @@ static int lidar_get_measurement(struct lidar_data *data, u16 *reg) + ret = lidar_write_control(data, LIDAR_REG_CONTROL_ACQUIRE); + if (ret < 0) { + dev_err(&client->dev, "cannot send start measurement command"); ++ pm_runtime_put_noidle(&client->dev); + return ret; + } + +-- +2.30.2 + diff --git a/queue-5.10/kvm-lapic-accurately-guarantee-busy-wait-for-timer-t.patch b/queue-5.10/kvm-lapic-accurately-guarantee-busy-wait-for-timer-t.patch new file mode 100644 index 00000000000..f25f4432e39 --- /dev/null +++ b/queue-5.10/kvm-lapic-accurately-guarantee-busy-wait-for-timer-t.patch @@ -0,0 +1,45 @@ +From aec4a5af96454e65b3cfec4aa589d452512bae27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Apr 2021 19:08:02 +0800 +Subject: KVM: LAPIC: Accurately guarantee busy wait for timer to expire when + using hv_timer + +From: Wanpeng Li + +[ Upstream commit d981dd15498b188636ec5a7d8ad485e650f63d8d ] + +Commit ee66e453db13d (KVM: lapic: Busy wait for timer to expire when +using hv_timer) tries to set ktime->expired_tscdeadline by checking +ktime->hv_timer_in_use since lapic timer oneshot/periodic modes which +are emulated by vmx preemption timer also get advanced, they leverage +the same vmx preemption timer logic with tsc-deadline mode. However, +ktime->hv_timer_in_use is cleared before apic_timer_expired() handling, +let's delay this clearing in preemption-disabled region. + +Fixes: ee66e453db13d ("KVM: lapic: Busy wait for timer to expire when using hv_timer") +Reviewed-by: Sean Christopherson +Signed-off-by: Wanpeng Li +Message-Id: <1619608082-4187-1-git-send-email-wanpengli@tencent.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/lapic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 4ca81ae9bc8a..5759eb075d2f 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1908,8 +1908,8 @@ void kvm_lapic_expired_hv_timer(struct kvm_vcpu *vcpu) + if (!apic->lapic_timer.hv_timer_in_use) + goto out; + WARN_ON(rcuwait_active(&vcpu->wait)); +- cancel_hv_timer(apic); + apic_timer_expired(apic, false); ++ cancel_hv_timer(apic); + + if (apic_lvtt_period(apic) && apic->lapic_timer.period) { + advance_periodic_target_expiration(apic); +-- +2.30.2 + diff --git a/queue-5.10/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch b/queue-5.10/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch new file mode 100644 index 00000000000..33ad6c3e2b7 --- /dev/null +++ b/queue-5.10/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch @@ -0,0 +1,49 @@ +From 8a33afeec761c43e940728c1a6d175f37ee889f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 May 2021 23:48:17 +0200 +Subject: KVM: x86: Cancel pvclock_gtod_work on module removal + +From: Thomas Gleixner + +[ Upstream commit 594b27e677b35f9734b1969d175ebc6146741109 ] + +Nothing prevents the following: + + pvclock_gtod_notify() + queue_work(system_long_wq, &pvclock_gtod_work); + ... + remove_module(kvm); + ... + work_queue_run() + pvclock_gtod_work() <- UAF + +Ditto for any other operation on that workqueue list head which touches +pvclock_gtod_work after module removal. + +Cancel the work in kvm_arch_exit() to prevent that. + +Fixes: 16e8d74d2da9 ("KVM: x86: notifier for clocksource changes") +Signed-off-by: Thomas Gleixner +Message-Id: <87czu4onry.ffs@nanos.tec.linutronix.de> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 25660cac6ad4..4bd99f046b0c 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -7981,6 +7981,7 @@ void kvm_arch_exit(void) + cpuhp_remove_state_nocalls(CPUHP_AP_X86_KVM_CLK_ONLINE); + #ifdef CONFIG_X86_64 + pvclock_gtod_unregister_notifier(&pvclock_gtod_notifier); ++ cancel_work_sync(&pvclock_gtod_work); + #endif + kvm_x86_ops.hardware_enable = NULL; + kvm_mmu_module_exit(); +-- +2.30.2 + diff --git a/queue-5.10/kvm-x86-prevent-deadlock-against-tk_core.seq.patch b/queue-5.10/kvm-x86-prevent-deadlock-against-tk_core.seq.patch new file mode 100644 index 00000000000..212eec4f0b1 --- /dev/null +++ b/queue-5.10/kvm-x86-prevent-deadlock-against-tk_core.seq.patch @@ -0,0 +1,88 @@ +From 9cf7c4497845bebc52d092ec33bbdebbb02dfad3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 15:21:37 +0200 +Subject: KVM: x86: Prevent deadlock against tk_core.seq + +From: Thomas Gleixner + +[ Upstream commit 3f804f6d201ca93adf4c3df04d1bfd152c1129d6 ] + +syzbot reported a possible deadlock in pvclock_gtod_notify(): + +CPU 0 CPU 1 +write_seqcount_begin(&tk_core.seq); + pvclock_gtod_notify() spin_lock(&pool->lock); + queue_work(..., &pvclock_gtod_work) ktime_get() + spin_lock(&pool->lock); do { + seq = read_seqcount_begin(tk_core.seq) + ... + } while (read_seqcount_retry(&tk_core.seq, seq); + +While this is unlikely to happen, it's possible. + +Delegate queue_work() to irq_work() which postpones it until the +tk_core.seq write held region is left and interrupts are reenabled. + +Fixes: 16e8d74d2da9 ("KVM: x86: notifier for clocksource changes") +Reported-by: syzbot+6beae4000559d41d80f8@syzkaller.appspotmail.com +Signed-off-by: Thomas Gleixner +Message-Id: <87h7jgm1zy.ffs@nanos.tec.linutronix.de> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 4bd99f046b0c..39ab3d78bf57 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -7848,6 +7848,18 @@ static void pvclock_gtod_update_fn(struct work_struct *work) + + static DECLARE_WORK(pvclock_gtod_work, pvclock_gtod_update_fn); + ++/* ++ * Indirection to move queue_work() out of the tk_core.seq write held ++ * region to prevent possible deadlocks against time accessors which ++ * are invoked with work related locks held. ++ */ ++static void pvclock_irq_work_fn(struct irq_work *w) ++{ ++ queue_work(system_long_wq, &pvclock_gtod_work); ++} ++ ++static DEFINE_IRQ_WORK(pvclock_irq_work, pvclock_irq_work_fn); ++ + /* + * Notification about pvclock gtod data update. + */ +@@ -7859,13 +7871,14 @@ static int pvclock_gtod_notify(struct notifier_block *nb, unsigned long unused, + + update_pvclock_gtod(tk); + +- /* disable master clock if host does not trust, or does not +- * use, TSC based clocksource. ++ /* ++ * Disable master clock if host does not trust, or does not use, ++ * TSC based clocksource. Delegate queue_work() to irq_work as ++ * this is invoked with tk_core.seq write held. + */ + if (!gtod_is_based_on_tsc(gtod->clock.vclock_mode) && + atomic_read(&kvm_guest_has_master_clock) != 0) +- queue_work(system_long_wq, &pvclock_gtod_work); +- ++ irq_work_queue(&pvclock_irq_work); + return 0; + } + +@@ -7981,6 +7994,7 @@ void kvm_arch_exit(void) + cpuhp_remove_state_nocalls(CPUHP_AP_X86_KVM_CLK_ONLINE); + #ifdef CONFIG_X86_64 + pvclock_gtod_unregister_notifier(&pvclock_gtod_notifier); ++ irq_work_sync(&pvclock_irq_work); + cancel_work_sync(&pvclock_gtod_work); + #endif + kvm_x86_ops.hardware_enable = NULL; +-- +2.30.2 + diff --git a/queue-5.10/kyber-fix-out-of-bounds-access-when-preempted.patch b/queue-5.10/kyber-fix-out-of-bounds-access-when-preempted.patch new file mode 100644 index 00000000000..47c13d6d4d5 --- /dev/null +++ b/queue-5.10/kyber-fix-out-of-bounds-access-when-preempted.patch @@ -0,0 +1,162 @@ +From 8c36b71cace4670427bf513b996343c545876f7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 17:05:35 -0700 +Subject: kyber: fix out of bounds access when preempted + +From: Omar Sandoval + +[ Upstream commit efed9a3337e341bd0989161b97453b52567bc59d ] + +__blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and +passes the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx +for the current CPU again and uses that to get the corresponding Kyber +context in the passed hctx. However, the thread may be preempted between +the two calls to blk_mq_get_ctx(), and the ctx returned the second time +may no longer correspond to the passed hctx. This "works" accidentally +most of the time, but it can cause us to read garbage if the second ctx +came from an hctx with more ctx's than the first one (i.e., if +ctx->index_hw[hctx->type] > hctx->nr_ctx). + +This manifested as this UBSAN array index out of bounds error reported +by Jakub: + +UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9 +index 13106 is out of range for type 'long unsigned int [128]' +Call Trace: + dump_stack+0xa4/0xe5 + ubsan_epilogue+0x5/0x40 + __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34 + queued_spin_lock_slowpath+0x476/0x480 + do_raw_spin_lock+0x1c2/0x1d0 + kyber_bio_merge+0x112/0x180 + blk_mq_submit_bio+0x1f5/0x1100 + submit_bio_noacct+0x7b0/0x870 + submit_bio+0xc2/0x3a0 + btrfs_map_bio+0x4f0/0x9d0 + btrfs_submit_data_bio+0x24e/0x310 + submit_one_bio+0x7f/0xb0 + submit_extent_page+0xc4/0x440 + __extent_writepage_io+0x2b8/0x5e0 + __extent_writepage+0x28d/0x6e0 + extent_write_cache_pages+0x4d7/0x7a0 + extent_writepages+0xa2/0x110 + do_writepages+0x8f/0x180 + __writeback_single_inode+0x99/0x7f0 + writeback_sb_inodes+0x34e/0x790 + __writeback_inodes_wb+0x9e/0x120 + wb_writeback+0x4d2/0x660 + wb_workfn+0x64d/0xa10 + process_one_work+0x53a/0xa80 + worker_thread+0x69/0x5b0 + kthread+0x20b/0x240 + ret_from_fork+0x1f/0x30 + +Only Kyber uses the hctx, so fix it by passing the request_queue to +->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can +map the queues itself to avoid the mismatch. + +Fixes: a6088845c2bf ("block: kyber: make kyber more friendly with merging") +Reported-by: Jakub Kicinski +Signed-off-by: Omar Sandoval +Link: https://lore.kernel.org/r/c7598605401a48d5cfeadebb678abd10af22b83f.1620691329.git.osandov@fb.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 3 +-- + block/blk-mq-sched.c | 8 +++++--- + block/kyber-iosched.c | 5 +++-- + block/mq-deadline.c | 3 +-- + include/linux/elevator.h | 2 +- + 5 files changed, 11 insertions(+), 10 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 5720978e4d09..c91dca641eb4 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -2210,10 +2210,9 @@ static void bfq_remove_request(struct request_queue *q, + + } + +-static bool bfq_bio_merge(struct blk_mq_hw_ctx *hctx, struct bio *bio, ++static bool bfq_bio_merge(struct request_queue *q, struct bio *bio, + unsigned int nr_segs) + { +- struct request_queue *q = hctx->queue; + struct bfq_data *bfqd = q->elevator->elevator_data; + struct request *free = NULL; + /* +diff --git a/block/blk-mq-sched.c b/block/blk-mq-sched.c +index d1eafe2c045c..581be65a53c1 100644 +--- a/block/blk-mq-sched.c ++++ b/block/blk-mq-sched.c +@@ -348,14 +348,16 @@ bool __blk_mq_sched_bio_merge(struct request_queue *q, struct bio *bio, + unsigned int nr_segs) + { + struct elevator_queue *e = q->elevator; +- struct blk_mq_ctx *ctx = blk_mq_get_ctx(q); +- struct blk_mq_hw_ctx *hctx = blk_mq_map_queue(q, bio->bi_opf, ctx); ++ struct blk_mq_ctx *ctx; ++ struct blk_mq_hw_ctx *hctx; + bool ret = false; + enum hctx_type type; + + if (e && e->type->ops.bio_merge) +- return e->type->ops.bio_merge(hctx, bio, nr_segs); ++ return e->type->ops.bio_merge(q, bio, nr_segs); + ++ ctx = blk_mq_get_ctx(q); ++ hctx = blk_mq_map_queue(q, bio->bi_opf, ctx); + type = hctx->type; + if (!(hctx->flags & BLK_MQ_F_SHOULD_MERGE) || + list_empty_careful(&ctx->rq_lists[type])) +diff --git a/block/kyber-iosched.c b/block/kyber-iosched.c +index dc89199bc8c6..7f9ef773bf44 100644 +--- a/block/kyber-iosched.c ++++ b/block/kyber-iosched.c +@@ -562,11 +562,12 @@ static void kyber_limit_depth(unsigned int op, struct blk_mq_alloc_data *data) + } + } + +-static bool kyber_bio_merge(struct blk_mq_hw_ctx *hctx, struct bio *bio, ++static bool kyber_bio_merge(struct request_queue *q, struct bio *bio, + unsigned int nr_segs) + { ++ struct blk_mq_ctx *ctx = blk_mq_get_ctx(q); ++ struct blk_mq_hw_ctx *hctx = blk_mq_map_queue(q, bio->bi_opf, ctx); + struct kyber_hctx_data *khd = hctx->sched_data; +- struct blk_mq_ctx *ctx = blk_mq_get_ctx(hctx->queue); + struct kyber_ctx_queue *kcq = &khd->kcqs[ctx->index_hw[hctx->type]]; + unsigned int sched_domain = kyber_sched_domain(bio->bi_opf); + struct list_head *rq_list = &kcq->rq_list[sched_domain]; +diff --git a/block/mq-deadline.c b/block/mq-deadline.c +index 800ac902809b..2b9635d0dcba 100644 +--- a/block/mq-deadline.c ++++ b/block/mq-deadline.c +@@ -461,10 +461,9 @@ static int dd_request_merge(struct request_queue *q, struct request **rq, + return ELEVATOR_NO_MERGE; + } + +-static bool dd_bio_merge(struct blk_mq_hw_ctx *hctx, struct bio *bio, ++static bool dd_bio_merge(struct request_queue *q, struct bio *bio, + unsigned int nr_segs) + { +- struct request_queue *q = hctx->queue; + struct deadline_data *dd = q->elevator->elevator_data; + struct request *free = NULL; + bool ret; +diff --git a/include/linux/elevator.h b/include/linux/elevator.h +index bacc40a0bdf3..bc26b4e11f62 100644 +--- a/include/linux/elevator.h ++++ b/include/linux/elevator.h +@@ -34,7 +34,7 @@ struct elevator_mq_ops { + void (*depth_updated)(struct blk_mq_hw_ctx *); + + bool (*allow_merge)(struct request_queue *, struct request *, struct bio *); +- bool (*bio_merge)(struct blk_mq_hw_ctx *, struct bio *, unsigned int); ++ bool (*bio_merge)(struct request_queue *, struct bio *, unsigned int); + int (*request_merge)(struct request_queue *q, struct request **, struct bio *); + void (*request_merged)(struct request_queue *, struct request *, enum elv_merge); + void (*requests_merged)(struct request_queue *, struct request *, struct request *); +-- +2.30.2 + diff --git a/queue-5.10/nbd-fix-null-pointer-in-flush_workqueue.patch b/queue-5.10/nbd-fix-null-pointer-in-flush_workqueue.patch new file mode 100644 index 00000000000..5057490873a --- /dev/null +++ b/queue-5.10/nbd-fix-null-pointer-in-flush_workqueue.patch @@ -0,0 +1,86 @@ +From b930143d330476b83be7fbfdcd907429197a63a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 19:43:30 +0800 +Subject: nbd: Fix NULL pointer in flush_workqueue + +From: Sun Ke + +[ Upstream commit 79ebe9110fa458d58f1fceb078e2068d7ad37390 ] + +Open /dev/nbdX first, the config_refs will be 1 and +the pointers in nbd_device are still null. Disconnect +/dev/nbdX, then reference a null recv_workq. The +protection by config_refs in nbd_genl_disconnect is useless. + +[ 656.366194] BUG: kernel NULL pointer dereference, address: 0000000000000020 +[ 656.368943] #PF: supervisor write access in kernel mode +[ 656.369844] #PF: error_code(0x0002) - not-present page +[ 656.370717] PGD 10cc87067 P4D 10cc87067 PUD 1074b4067 PMD 0 +[ 656.371693] Oops: 0002 [#1] SMP +[ 656.372242] CPU: 5 PID: 7977 Comm: nbd-client Not tainted 5.11.0-rc5-00040-g76c057c84d28 #1 +[ 656.373661] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 +[ 656.375904] RIP: 0010:mutex_lock+0x29/0x60 +[ 656.376627] Code: 00 0f 1f 44 00 00 55 48 89 fd 48 83 05 6f d7 fe 08 01 e8 7a c3 ff ff 48 83 05 6a d7 fe 08 01 31 c0 65 48 8b 14 25 00 6d 01 00 48 0f b1 55 d +[ 656.378934] RSP: 0018:ffffc900005eb9b0 EFLAGS: 00010246 +[ 656.379350] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +[ 656.379915] RDX: ffff888104cf2600 RSI: ffffffffaae8f452 RDI: 0000000000000020 +[ 656.380473] RBP: 0000000000000020 R08: 0000000000000000 R09: ffff88813bd6b318 +[ 656.381039] R10: 00000000000000c7 R11: fefefefefefefeff R12: ffff888102710b40 +[ 656.381599] R13: ffffc900005eb9e0 R14: ffffffffb2930680 R15: ffff88810770ef00 +[ 656.382166] FS: 00007fdf117ebb40(0000) GS:ffff88813bd40000(0000) knlGS:0000000000000000 +[ 656.382806] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 656.383261] CR2: 0000000000000020 CR3: 0000000100c84000 CR4: 00000000000006e0 +[ 656.383819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 656.384370] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 656.384927] Call Trace: +[ 656.385111] flush_workqueue+0x92/0x6c0 +[ 656.385395] nbd_disconnect_and_put+0x81/0xd0 +[ 656.385716] nbd_genl_disconnect+0x125/0x2a0 +[ 656.386034] genl_family_rcv_msg_doit.isra.0+0x102/0x1b0 +[ 656.386422] genl_rcv_msg+0xfc/0x2b0 +[ 656.386685] ? nbd_ioctl+0x490/0x490 +[ 656.386954] ? genl_family_rcv_msg_doit.isra.0+0x1b0/0x1b0 +[ 656.387354] netlink_rcv_skb+0x62/0x180 +[ 656.387638] genl_rcv+0x34/0x60 +[ 656.387874] netlink_unicast+0x26d/0x590 +[ 656.388162] netlink_sendmsg+0x398/0x6c0 +[ 656.388451] ? netlink_rcv_skb+0x180/0x180 +[ 656.388750] ____sys_sendmsg+0x1da/0x320 +[ 656.389038] ? ____sys_recvmsg+0x130/0x220 +[ 656.389334] ___sys_sendmsg+0x8e/0xf0 +[ 656.389605] ? ___sys_recvmsg+0xa2/0xf0 +[ 656.389889] ? handle_mm_fault+0x1671/0x21d0 +[ 656.390201] __sys_sendmsg+0x6d/0xe0 +[ 656.390464] __x64_sys_sendmsg+0x23/0x30 +[ 656.390751] do_syscall_64+0x45/0x70 +[ 656.391017] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +To fix it, just add if (nbd->recv_workq) to nbd_disconnect_and_put(). + +Fixes: e9e006f5fcf2 ("nbd: fix max number of supported devs") +Signed-off-by: Sun Ke +Reviewed-by: Josef Bacik +Link: https://lore.kernel.org/r/20210512114331.1233964-2-sunke32@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 5e45eddbe2ab..9a70eab7edbf 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -2031,7 +2031,8 @@ static void nbd_disconnect_and_put(struct nbd_device *nbd) + * config ref and try to destroy the workqueue from inside the work + * queue. + */ +- flush_workqueue(nbd->recv_workq); ++ if (nbd->recv_workq) ++ flush_workqueue(nbd->recv_workq); + if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, + &nbd->config->runtime_flags)) + nbd_config_put(nbd); +-- +2.30.2 + diff --git a/queue-5.10/nvmet-add-lba-to-sect-conversion-helpers.patch b/queue-5.10/nvmet-add-lba-to-sect-conversion-helpers.patch new file mode 100644 index 00000000000..4b8a0d7dcec --- /dev/null +++ b/queue-5.10/nvmet-add-lba-to-sect-conversion-helpers.patch @@ -0,0 +1,79 @@ +From 2bd9870adcfa9c51ffa14477653980f7e3bf1491 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jan 2021 20:26:16 -0800 +Subject: nvmet: add lba to sect conversion helpers + +From: Chaitanya Kulkarni + +[ Upstream commit 193fcf371f9e3705c14a0bf1d4bfc44af0f7c124 ] + +In this preparation patch, we add helpers to convert lbas to sectors & +sectors to lba. This is needed to eliminate code duplication in the ZBD +backend. + +Use these helpers in the block device backend. + +Signed-off-by: Chaitanya Kulkarni +Reviewed-by: Damien Le Moal +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/io-cmd-bdev.c | 8 +++----- + drivers/nvme/target/nvmet.h | 10 ++++++++++ + 2 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c +index 125dde3f410e..23095bdfce06 100644 +--- a/drivers/nvme/target/io-cmd-bdev.c ++++ b/drivers/nvme/target/io-cmd-bdev.c +@@ -256,8 +256,7 @@ static void nvmet_bdev_execute_rw(struct nvmet_req *req) + if (is_pci_p2pdma_page(sg_page(req->sg))) + op |= REQ_NOMERGE; + +- sector = le64_to_cpu(req->cmd->rw.slba); +- sector <<= (req->ns->blksize_shift - 9); ++ sector = nvmet_lba_to_sect(req->ns, req->cmd->rw.slba); + + if (req->transfer_len <= NVMET_MAX_INLINE_DATA_LEN) { + bio = &req->b.inline_bio; +@@ -345,7 +344,7 @@ static u16 nvmet_bdev_discard_range(struct nvmet_req *req, + int ret; + + ret = __blkdev_issue_discard(ns->bdev, +- le64_to_cpu(range->slba) << (ns->blksize_shift - 9), ++ nvmet_lba_to_sect(ns, range->slba), + le32_to_cpu(range->nlb) << (ns->blksize_shift - 9), + GFP_KERNEL, 0, bio); + if (ret && ret != -EOPNOTSUPP) { +@@ -414,8 +413,7 @@ static void nvmet_bdev_execute_write_zeroes(struct nvmet_req *req) + if (!nvmet_check_transfer_len(req, 0)) + return; + +- sector = le64_to_cpu(write_zeroes->slba) << +- (req->ns->blksize_shift - 9); ++ sector = nvmet_lba_to_sect(req->ns, write_zeroes->slba); + nr_sector = (((sector_t)le16_to_cpu(write_zeroes->length) + 1) << + (req->ns->blksize_shift - 9)); + +diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h +index 559a15ccc322..c585f4152535 100644 +--- a/drivers/nvme/target/nvmet.h ++++ b/drivers/nvme/target/nvmet.h +@@ -601,4 +601,14 @@ static inline bool nvmet_ns_has_pi(struct nvmet_ns *ns) + return ns->pi_type && ns->metadata_size == sizeof(struct t10_pi_tuple); + } + ++static inline __le64 nvmet_sect_to_lba(struct nvmet_ns *ns, sector_t sect) ++{ ++ return cpu_to_le64(sect >> (ns->blksize_shift - SECTOR_SHIFT)); ++} ++ ++static inline sector_t nvmet_lba_to_sect(struct nvmet_ns *ns, __le64 lba) ++{ ++ return le64_to_cpu(lba) << (ns->blksize_shift - SECTOR_SHIFT); ++} ++ + #endif /* _NVMET_H */ +-- +2.30.2 + diff --git a/queue-5.10/nvmet-fix-inline-bio-check-for-bdev-ns.patch b/queue-5.10/nvmet-fix-inline-bio-check-for-bdev-ns.patch new file mode 100644 index 00000000000..be5e220393d --- /dev/null +++ b/queue-5.10/nvmet-fix-inline-bio-check-for-bdev-ns.patch @@ -0,0 +1,82 @@ +From 7d39f2b9a5ead49150f00175a5f4a69df7f668bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 18:51:35 -0700 +Subject: nvmet: fix inline bio check for bdev-ns + +From: Chaitanya Kulkarni + +[ Upstream commit 608a969046e6e0567d05a166be66c77d2dd8220b ] + +When handling rw commands, for inline bio case we only consider +transfer size. This works well when req->sg_cnt fits into the +req->inline_bvec, but it will result in the warning in +__bio_add_page() when req->sg_cnt > NVMET_MAX_INLINE_BVEC. + +Consider an I/O size 32768 and first page is not aligned to the page +boundary, then I/O is split in following manner :- + +[ 2206.256140] nvmet: sg->length 3440 sg->offset 656 +[ 2206.256144] nvmet: sg->length 4096 sg->offset 0 +[ 2206.256148] nvmet: sg->length 4096 sg->offset 0 +[ 2206.256152] nvmet: sg->length 4096 sg->offset 0 +[ 2206.256155] nvmet: sg->length 4096 sg->offset 0 +[ 2206.256159] nvmet: sg->length 4096 sg->offset 0 +[ 2206.256163] nvmet: sg->length 4096 sg->offset 0 +[ 2206.256166] nvmet: sg->length 4096 sg->offset 0 +[ 2206.256170] nvmet: sg->length 656 sg->offset 0 + +Now the req->transfer_size == NVMET_MAX_INLINE_DATA_LEN i.e. 32768, but +the req->sg_cnt is (9) > NVMET_MAX_INLINE_BIOVEC which is (8). +This will result in the following warning message :- + +nvmet_bdev_execute_rw() + bio_add_page() + __bio_add_page() + WARN_ON_ONCE(bio_full(bio, len)); + +This scenario is very hard to reproduce on the nvme-loop transport only +with rw commands issued with the passthru IOCTL interface from the host +application and the data buffer is allocated with the malloc() and not +the posix_memalign(). + +Fixes: 73383adfad24 ("nvmet: don't split large I/Os unconditionally") +Signed-off-by: Chaitanya Kulkarni +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/io-cmd-bdev.c | 2 +- + drivers/nvme/target/nvmet.h | 6 ++++++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c +index 23095bdfce06..6a9626ff0713 100644 +--- a/drivers/nvme/target/io-cmd-bdev.c ++++ b/drivers/nvme/target/io-cmd-bdev.c +@@ -258,7 +258,7 @@ static void nvmet_bdev_execute_rw(struct nvmet_req *req) + + sector = nvmet_lba_to_sect(req->ns, req->cmd->rw.slba); + +- if (req->transfer_len <= NVMET_MAX_INLINE_DATA_LEN) { ++ if (nvmet_use_inline_bvec(req)) { + bio = &req->b.inline_bio; + bio_init(bio, req->inline_bvec, ARRAY_SIZE(req->inline_bvec)); + } else { +diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h +index c585f4152535..bc91336080e0 100644 +--- a/drivers/nvme/target/nvmet.h ++++ b/drivers/nvme/target/nvmet.h +@@ -611,4 +611,10 @@ static inline sector_t nvmet_lba_to_sect(struct nvmet_ns *ns, __le64 lba) + return le64_to_cpu(lba) << (ns->blksize_shift - SECTOR_SHIFT); + } + ++static inline bool nvmet_use_inline_bvec(struct nvmet_req *req) ++{ ++ return req->transfer_len <= NVMET_MAX_INLINE_DATA_LEN && ++ req->sg_cnt <= NVMET_MAX_INLINE_BIOVEC; ++} ++ + #endif /* _NVMET_H */ +-- +2.30.2 + diff --git a/queue-5.10/nvmet-rdma-fix-null-deref-when-send-is-completed-wit.patch b/queue-5.10/nvmet-rdma-fix-null-deref-when-send-is-completed-wit.patch new file mode 100644 index 00000000000..5f4ba49d758 --- /dev/null +++ b/queue-5.10/nvmet-rdma-fix-null-deref-when-send-is-completed-wit.patch @@ -0,0 +1,82 @@ +From a20916b203f1253dcd7e35de76519bceff8a742a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 10:08:19 +0300 +Subject: nvmet-rdma: Fix NULL deref when SEND is completed with error + +From: Michal Kalderon + +[ Upstream commit 8cc365f9559b86802afc0208389f5c8d46b4ad61 ] + +When running some traffic and taking down the link on peer, a +retry counter exceeded error is received. This leads to +nvmet_rdma_error_comp which tried accessing the cq_context to +obtain the queue. The cq_context is no longer valid after the +fix to use shared CQ mechanism and should be obtained similar +to how it is obtained in other functions from the wc->qp. + +[ 905.786331] nvmet_rdma: SEND for CQE 0x00000000e3337f90 failed with status transport retry counter exceeded (12). +[ 905.832048] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048 +[ 905.839919] PGD 0 P4D 0 +[ 905.842464] Oops: 0000 1 SMP NOPTI +[ 905.846144] CPU: 13 PID: 1557 Comm: kworker/13:1H Kdump: loaded Tainted: G OE --------- - - 4.18.0-304.el8.x86_64 #1 +[ 905.872135] RIP: 0010:nvmet_rdma_error_comp+0x5/0x1b [nvmet_rdma] +[ 905.878259] Code: 19 4f c0 e8 89 b3 a5 f6 e9 5b e0 ff ff 0f b7 75 14 4c 89 ea 48 c7 c7 08 1a 4f c0 e8 71 b3 a5 f6 e9 4b e0 ff ff 0f 1f 44 00 00 <48> 8b 47 48 48 85 c0 74 08 48 89 c7 e9 98 bf 49 00 e9 c3 e3 ff ff +[ 905.897135] RSP: 0018:ffffab601c45fe28 EFLAGS: 00010246 +[ 905.902387] RAX: 0000000000000065 RBX: ffff9e729ea2f800 RCX: 0000000000000000 +[ 905.909558] RDX: 0000000000000000 RSI: ffff9e72df9567c8 RDI: 0000000000000000 +[ 905.916731] RBP: ffff9e729ea2b400 R08: 000000000000074d R09: 0000000000000074 +[ 905.923903] R10: 0000000000000000 R11: ffffab601c45fcc0 R12: 0000000000000010 +[ 905.931074] R13: 0000000000000000 R14: 0000000000000010 R15: ffff9e729ea2f400 +[ 905.938247] FS: 0000000000000000(0000) GS:ffff9e72df940000(0000) knlGS:0000000000000000 +[ 905.938249] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 905.950067] nvmet_rdma: SEND for CQE 0x00000000c7356cca failed with status transport retry counter exceeded (12). +[ 905.961855] CR2: 0000000000000048 CR3: 000000678d010004 CR4: 00000000007706e0 +[ 905.961855] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 905.961856] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 905.961857] PKRU: 55555554 +[ 906.010315] Call Trace: +[ 906.012778] __ib_process_cq+0x89/0x170 [ib_core] +[ 906.017509] ib_cq_poll_work+0x26/0x80 [ib_core] +[ 906.022152] process_one_work+0x1a7/0x360 +[ 906.026182] ? create_worker+0x1a0/0x1a0 +[ 906.030123] worker_thread+0x30/0x390 +[ 906.033802] ? create_worker+0x1a0/0x1a0 +[ 906.037744] kthread+0x116/0x130 +[ 906.040988] ? kthread_flush_work_fn+0x10/0x10 +[ 906.045456] ret_from_fork+0x1f/0x40 + +Fixes: ca0f1a8055be2 ("nvmet-rdma: use new shared CQ mechanism") +Signed-off-by: Shai Malin +Signed-off-by: Michal Kalderon +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/rdma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c +index 6c1f3ab7649c..7d607f435e36 100644 +--- a/drivers/nvme/target/rdma.c ++++ b/drivers/nvme/target/rdma.c +@@ -700,7 +700,7 @@ static void nvmet_rdma_send_done(struct ib_cq *cq, struct ib_wc *wc) + { + struct nvmet_rdma_rsp *rsp = + container_of(wc->wr_cqe, struct nvmet_rdma_rsp, send_cqe); +- struct nvmet_rdma_queue *queue = cq->cq_context; ++ struct nvmet_rdma_queue *queue = wc->qp->qp_context; + + nvmet_rdma_release_rsp(rsp); + +@@ -786,7 +786,7 @@ static void nvmet_rdma_write_data_done(struct ib_cq *cq, struct ib_wc *wc) + { + struct nvmet_rdma_rsp *rsp = + container_of(wc->wr_cqe, struct nvmet_rdma_rsp, write_cqe); +- struct nvmet_rdma_queue *queue = cq->cq_context; ++ struct nvmet_rdma_queue *queue = wc->qp->qp_context; + struct rdma_cm_id *cm_id = rsp->queue->cm_id; + u16 status; + +-- +2.30.2 + diff --git a/queue-5.10/perf-tools-fix-dynamic-libbpf-link.patch b/queue-5.10/perf-tools-fix-dynamic-libbpf-link.patch new file mode 100644 index 00000000000..f46e40a9eb3 --- /dev/null +++ b/queue-5.10/perf-tools-fix-dynamic-libbpf-link.patch @@ -0,0 +1,74 @@ +From da612e8c1ed3c191547a25d645001b5de03aa868 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 22:50:20 +0200 +Subject: perf tools: Fix dynamic libbpf link + +From: Jiri Olsa + +[ Upstream commit ad1237c30d975535a669746496cbed136aa5a045 ] + +Justin reported broken build with LIBBPF_DYNAMIC=1. + +When linking libbpf dynamically we need to use perf's +hashmap object, because it's not exported in libbpf.so +(only in libbpf.a). + +Following build is now passing: + + $ make LIBBPF_DYNAMIC=1 + BUILD: Doing 'make -j8' parallel build + ... + $ ldd perf | grep libbpf + libbpf.so.0 => /lib64/libbpf.so.0 (0x00007fa7630db000) + +Fixes: eee19501926d ("perf tools: Grab a copy of libbpf's hashmap") +Reported-by: Justin M. Forbes +Signed-off-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Mark Rutland +Cc: Michael Petlan +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/20210508205020.617984-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.config | 1 + + tools/perf/util/Build | 7 +++++++ + 2 files changed, 8 insertions(+) + +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index ce8516e4de34..2abbd75fbf2e 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -530,6 +530,7 @@ ifndef NO_LIBELF + ifdef LIBBPF_DYNAMIC + ifeq ($(feature-libbpf), 1) + EXTLIBS += -lbpf ++ $(call detected,CONFIG_LIBBPF_DYNAMIC) + else + dummy := $(error Error: No libbpf devel library found, please install libbpf-devel); + endif +diff --git a/tools/perf/util/Build b/tools/perf/util/Build +index e2563d0154eb..0cf27354aa45 100644 +--- a/tools/perf/util/Build ++++ b/tools/perf/util/Build +@@ -140,7 +140,14 @@ perf-$(CONFIG_LIBELF) += symbol-elf.o + perf-$(CONFIG_LIBELF) += probe-file.o + perf-$(CONFIG_LIBELF) += probe-event.o + ++ifdef CONFIG_LIBBPF_DYNAMIC ++ hashmap := 1 ++endif + ifndef CONFIG_LIBBPF ++ hashmap := 1 ++endif ++ ++ifdef hashmap + perf-y += hashmap.o + endif + +-- +2.30.2 + diff --git a/queue-5.10/series b/queue-5.10/series index 987626376e8..1a16310f681 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -204,9 +204,36 @@ mm-hugetlb-fix-f_seal_future_write.patch blk-iocost-fix-weight-updates-of-inner-active-iocgs.patch arm64-mte-initialize-rgsr_el1.seed-in-__cpu_setup.patch arm64-fix-race-condition-on-pg_dcache_clean-in-__sync_icache_dcache.patch -btrfs-fix-deadlock-when-cloning-inline-extents-and-using-qgroups.patch btrfs-fix-race-leading-to-unpersisted-data-and-metadata-on-fsync.patch drm-radeon-dpm-disable-sclk-switching-on-oland-when-two-4k-60hz-monitors-are-connected.patch drm-amd-display-initialize-attribute-for-hdcp_srm-sysfs-file.patch drm-i915-avoid-div-by-zero-on-gen2.patch kvm-exit-halt-polling-on-need_resched-as-well.patch +kvm-lapic-accurately-guarantee-busy-wait-for-timer-t.patch +drm-msm-dp-initialize-audio_comp-when-audio-starts.patch +kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch +kvm-x86-prevent-deadlock-against-tk_core.seq.patch +dax-add-an-enum-for-specifying-dax-wakup-mode.patch +dax-add-a-wakeup-mode-parameter-to-put_unlocked_entr.patch +dax-wake-up-all-waiters-after-invalidating-dax-entry.patch +xen-unpopulated-alloc-consolidate-pgmap-manipulation.patch +xen-unpopulated-alloc-fix-error-return-code-in-fill_.patch +perf-tools-fix-dynamic-libbpf-link.patch +usb-dwc3-gadget-free-gadget-structure-only-after-fre.patch +iio-light-gp2ap002-fix-rumtime-pm-imbalance-on-error.patch +iio-proximity-pulsedlight-fix-rumtime-pm-imbalance-o.patch +iio-hid-sensors-select-iio_triggered_buffer-under-hi.patch +usb-fotg210-hcd-fix-an-error-message.patch +hwmon-occ-fix-poll-rate-limiting.patch +usb-musb-fix-an-error-message.patch +acpi-scan-fix-a-memory-leak-in-an-error-handling-pat.patch +kyber-fix-out-of-bounds-access-when-preempted.patch +nvmet-add-lba-to-sect-conversion-helpers.patch +nvmet-fix-inline-bio-check-for-bdev-ns.patch +nvmet-rdma-fix-null-deref-when-send-is-completed-wit.patch +f2fs-compress-fix-to-free-compress-page-correctly.patch +f2fs-compress-fix-race-condition-of-overwrite-vs-tru.patch +f2fs-compress-fix-to-assign-cc.cluster_idx-correctly.patch +nbd-fix-null-pointer-in-flush_workqueue.patch +blk-mq-plug-request-for-shared-sbitmap.patch +blk-mq-swap-two-calls-in-blk_mq_exit_queue.patch diff --git a/queue-5.10/usb-dwc3-gadget-free-gadget-structure-only-after-fre.patch b/queue-5.10/usb-dwc3-gadget-free-gadget-structure-only-after-fre.patch new file mode 100644 index 00000000000..26f8e53c9d0 --- /dev/null +++ b/queue-5.10/usb-dwc3-gadget-free-gadget-structure-only-after-fre.patch @@ -0,0 +1,64 @@ +From 83b28d9be70e85ec9e7f8ab4b47d68413078b2d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 02:35:58 -0700 +Subject: usb: dwc3: gadget: Free gadget structure only after freeing endpoints + +From: Jack Pham + +[ Upstream commit bb9c74a5bd1462499fe5ccb1e3c5ac40dcfa9139 ] + +As part of commit e81a7018d93a ("usb: dwc3: allocate gadget structure +dynamically") the dwc3_gadget_release() was added which will free +the dwc->gadget structure upon the device's removal when +usb_del_gadget_udc() is called in dwc3_gadget_exit(). + +However, simply freeing the gadget results a dangling pointer +situation: the endpoints created in dwc3_gadget_init_endpoints() +have their dep->endpoint.ep_list members chained off the list_head +anchored at dwc->gadget->ep_list. Thus when dwc->gadget is freed, +the first dwc3_ep in the list now has a dangling prev pointer and +likewise for the next pointer of the dwc3_ep at the tail of the list. +The dwc3_gadget_free_endpoints() that follows will result in a +use-after-free when it calls list_del(). + +This was caught by enabling KASAN and performing a driver unbind. +The recent commit 568262bf5492 ("usb: dwc3: core: Add shutdown +callback for dwc3") also exposes this as a panic during shutdown. + +There are a few possibilities to fix this. One could be to perform +a list_del() of the gadget->ep_list itself which removes it from +the rest of the dwc3_ep chain. + +Another approach is what this patch does, by splitting up the +usb_del_gadget_udc() call into its separate "del" and "put" +components. This allows dwc3_gadget_free_endpoints() to be +called before the gadget is finally freed with usb_put_gadget(). + +Fixes: e81a7018d93a ("usb: dwc3: allocate gadget structure dynamically") +Reviewed-by: Peter Chen +Signed-off-by: Jack Pham +Link: https://lore.kernel.org/r/20210501093558.7375-1-jackp@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 84d1487e9f06..dab9b5fd15a9 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -3948,8 +3948,9 @@ int dwc3_gadget_init(struct dwc3 *dwc) + + void dwc3_gadget_exit(struct dwc3 *dwc) + { +- usb_del_gadget_udc(dwc->gadget); ++ usb_del_gadget(dwc->gadget); + dwc3_gadget_free_endpoints(dwc); ++ usb_put_gadget(dwc->gadget); + dma_free_coherent(dwc->sysdev, DWC3_BOUNCE_SIZE, dwc->bounce, + dwc->bounce_addr); + kfree(dwc->setup_buf); +-- +2.30.2 + diff --git a/queue-5.10/usb-fotg210-hcd-fix-an-error-message.patch b/queue-5.10/usb-fotg210-hcd-fix-an-error-message.patch new file mode 100644 index 00000000000..4af3475b4cb --- /dev/null +++ b/queue-5.10/usb-fotg210-hcd-fix-an-error-message.patch @@ -0,0 +1,53 @@ +From 3c0d0f9d6bce9a1915b9c1634d892716cd1b6c5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 22:39:10 +0200 +Subject: usb: fotg210-hcd: Fix an error message + +From: Christophe JAILLET + +[ Upstream commit a60a34366e0d09ca002c966dd7c43a68c28b1f82 ] + +'retval' is known to be -ENODEV here. +This is a hard-coded default error code which is not useful in the error +message. Moreover, another error message is printed at the end of the +error handling path. The corresponding error code (-ENOMEM) is more +informative. + +So remove simplify the first error message. + +While at it, also remove the useless initialization of 'retval'. + +Fixes: 7d50195f6c50 ("usb: host: Faraday fotg210-hcd driver") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/94531bcff98e46d4f9c20183a90b7f47f699126c.1620333419.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/fotg210-hcd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c +index 1d94fcfac2c2..bd958f059fe6 100644 +--- a/drivers/usb/host/fotg210-hcd.c ++++ b/drivers/usb/host/fotg210-hcd.c +@@ -5568,7 +5568,7 @@ static int fotg210_hcd_probe(struct platform_device *pdev) + struct usb_hcd *hcd; + struct resource *res; + int irq; +- int retval = -ENODEV; ++ int retval; + struct fotg210_hcd *fotg210; + + if (usb_disabled()) +@@ -5588,7 +5588,7 @@ static int fotg210_hcd_probe(struct platform_device *pdev) + hcd = usb_create_hcd(&fotg210_fotg210_hc_driver, dev, + dev_name(dev)); + if (!hcd) { +- dev_err(dev, "failed to create hcd with err %d\n", retval); ++ dev_err(dev, "failed to create hcd\n"); + retval = -ENOMEM; + goto fail_create_hcd; + } +-- +2.30.2 + diff --git a/queue-5.10/usb-musb-fix-an-error-message.patch b/queue-5.10/usb-musb-fix-an-error-message.patch new file mode 100644 index 00000000000..77f76b7b3f5 --- /dev/null +++ b/queue-5.10/usb-musb-fix-an-error-message.patch @@ -0,0 +1,38 @@ +From 4daca96590ef3dfb3cda7ea529e98521f2f0ccac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 22:26:29 +0200 +Subject: usb: musb: Fix an error message + +From: Christophe JAILLET + +[ Upstream commit d9ff1096a840dddea3d5cfa2149ff7da9f499fb2 ] + +'ret' is known to be 0 here. +Initialize 'ret' with the expected error code before using it. + +Fixes: 0990366bab3c ("usb: musb: Add support for MediaTek musb controller") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/69f514dc7134e3c917cad208e73cc650cb9e2bd6.1620159879.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/musb/mediatek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/musb/mediatek.c b/drivers/usb/musb/mediatek.c +index eebeadd26946..6b92d037d8fc 100644 +--- a/drivers/usb/musb/mediatek.c ++++ b/drivers/usb/musb/mediatek.c +@@ -518,8 +518,8 @@ static int mtk_musb_probe(struct platform_device *pdev) + + glue->xceiv = devm_usb_get_phy(dev, USB_PHY_TYPE_USB2); + if (IS_ERR(glue->xceiv)) { +- dev_err(dev, "fail to getting usb-phy %d\n", ret); + ret = PTR_ERR(glue->xceiv); ++ dev_err(dev, "fail to getting usb-phy %d\n", ret); + goto err_unregister_usb_phy; + } + +-- +2.30.2 + diff --git a/queue-5.10/xen-unpopulated-alloc-consolidate-pgmap-manipulation.patch b/queue-5.10/xen-unpopulated-alloc-consolidate-pgmap-manipulation.patch new file mode 100644 index 00000000000..68576dc8567 --- /dev/null +++ b/queue-5.10/xen-unpopulated-alloc-consolidate-pgmap-manipulation.patch @@ -0,0 +1,69 @@ +From 865c5bee56cd4f2debbc8ccd2f63d8371a423719 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Dec 2020 19:07:21 -0800 +Subject: xen/unpopulated-alloc: consolidate pgmap manipulation + +From: Dan Williams + +[ Upstream commit 3a250629d7325f27b278dad1aaf44eab00090e76 ] + +Cleanup fill_list() to keep all the pgmap manipulations in a single +location of the function. Update the exit unwind path accordingly. + +Link: http://lore.kernel.org/r/6186fa28-d123-12db-6171-a75cb6e615a5@oracle.com +Link: https://lkml.kernel.org/r/160272253442.3136502.16683842453317773487.stgit@dwillia2-desk3.amr.corp.intel.com +Signed-off-by: Dan Williams +Reported-by: Boris Ostrovsky +Cc: Juergen Gross +Cc: Stefano Stabellini +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/xen/unpopulated-alloc.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/xen/unpopulated-alloc.c b/drivers/xen/unpopulated-alloc.c +index 7762c1bb23cb..e64e6befc63b 100644 +--- a/drivers/xen/unpopulated-alloc.c ++++ b/drivers/xen/unpopulated-alloc.c +@@ -27,11 +27,6 @@ static int fill_list(unsigned int nr_pages) + if (!res) + return -ENOMEM; + +- pgmap = kzalloc(sizeof(*pgmap), GFP_KERNEL); +- if (!pgmap) +- goto err_pgmap; +- +- pgmap->type = MEMORY_DEVICE_GENERIC; + res->name = "Xen scratch"; + res->flags = IORESOURCE_MEM | IORESOURCE_BUSY; + +@@ -43,6 +38,11 @@ static int fill_list(unsigned int nr_pages) + goto err_resource; + } + ++ pgmap = kzalloc(sizeof(*pgmap), GFP_KERNEL); ++ if (!pgmap) ++ goto err_pgmap; ++ ++ pgmap->type = MEMORY_DEVICE_GENERIC; + pgmap->range = (struct range) { + .start = res->start, + .end = res->end, +@@ -92,10 +92,10 @@ static int fill_list(unsigned int nr_pages) + return 0; + + err_memremap: +- release_resource(res); +-err_resource: + kfree(pgmap); + err_pgmap: ++ release_resource(res); ++err_resource: + kfree(res); + return ret; + } +-- +2.30.2 + diff --git a/queue-5.10/xen-unpopulated-alloc-fix-error-return-code-in-fill_.patch b/queue-5.10/xen-unpopulated-alloc-fix-error-return-code-in-fill_.patch new file mode 100644 index 00000000000..60f11d7feb2 --- /dev/null +++ b/queue-5.10/xen-unpopulated-alloc-fix-error-return-code-in-fill_.patch @@ -0,0 +1,42 @@ +From c94f26f019360149308e6eab7e7d97f3594e1f7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 10:19:13 +0800 +Subject: xen/unpopulated-alloc: fix error return code in fill_list() + +From: Zhen Lei + +[ Upstream commit dbc03e81586fc33e4945263fd6e09e22eb4b980f ] + +Fix to return a negative error code from the error handling case instead +of 0, as done elsewhere in this function. + +Fixes: a4574f63edc6 ("mm/memremap_pages: convert to 'struct range'") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Reviewed-by: Juergen Gross +Link: https://lore.kernel.org/r/20210508021913.1727-1-thunder.leizhen@huawei.com +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/unpopulated-alloc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/xen/unpopulated-alloc.c b/drivers/xen/unpopulated-alloc.c +index e64e6befc63b..87e6b7db892f 100644 +--- a/drivers/xen/unpopulated-alloc.c ++++ b/drivers/xen/unpopulated-alloc.c +@@ -39,8 +39,10 @@ static int fill_list(unsigned int nr_pages) + } + + pgmap = kzalloc(sizeof(*pgmap), GFP_KERNEL); +- if (!pgmap) ++ if (!pgmap) { ++ ret = -ENOMEM; + goto err_pgmap; ++ } + + pgmap->type = MEMORY_DEVICE_GENERIC; + pgmap->range = (struct range) { +-- +2.30.2 + -- 2.47.3