From f3674b4692c4019e8924461b7ec521b24603f3ed Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 11 May 2023 11:48:37 -0400 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- .../crypto-inside-secure-irq-balance.patch | 102 +++++++++++ ...cleanup-ring-irq-workqueues-on-load-.patch | 159 ++++++++++++++++++ ...ror-handling-for-check_at_most_once-.patch | 49 ++++++ ...edundant-verity_handle_err-on-i-o-er.patch | 62 +++++++ ...ix-read_pos-error-when-multiple-read.patch | 92 ++++++++++ ...tch-to-flexible-array-to-simplify-co.patch | 56 ++++++ ...box-zynqmp-fix-counts-of-child-nodes.patch | 45 +++++ queue-5.4/nohz-add-tick_dep_bit_rcu.patch | 113 +++++++++++++ ...-of-bounds-access-in-relay_file_read.patch | 82 +++++++++ queue-5.4/series | 10 ++ ...u_is_hotpluggable-by-checking-with-n.patch | 106 ++++++++++++ 11 files changed, 876 insertions(+) create mode 100644 queue-5.4/crypto-inside-secure-irq-balance.patch create mode 100644 queue-5.4/crypto-safexcel-cleanup-ring-irq-workqueues-on-load-.patch create mode 100644 queue-5.4/dm-verity-fix-error-handling-for-check_at_most_once-.patch create mode 100644 queue-5.4/dm-verity-skip-redundant-verity_handle_err-on-i-o-er.patch create mode 100644 queue-5.4/kernel-relay.c-fix-read_pos-error-when-multiple-read.patch create mode 100644 queue-5.4/mailbox-zynq-switch-to-flexible-array-to-simplify-co.patch create mode 100644 queue-5.4/mailbox-zynqmp-fix-counts-of-child-nodes.patch create mode 100644 queue-5.4/nohz-add-tick_dep_bit_rcu.patch create mode 100644 queue-5.4/relayfs-fix-out-of-bounds-access-in-relay_file_read.patch create mode 100644 queue-5.4/tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-n.patch diff --git a/queue-5.4/crypto-inside-secure-irq-balance.patch b/queue-5.4/crypto-inside-secure-irq-balance.patch new file mode 100644 index 00000000000..b40a9167ea5 --- /dev/null +++ b/queue-5.4/crypto-inside-secure-irq-balance.patch @@ -0,0 +1,102 @@ +From 4e518de9135e00d5276c46fcca91da8ac5c50b46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 06:37:59 +0200 +Subject: crypto: inside-secure - irq balance + +From: Sven Auhagen + +[ Upstream commit c6720415907f21b9c53efbe679b96c3cc9d06404 ] + +Balance the irqs of the inside secure driver over all +available cpus. +Currently all interrupts are handled by the first CPU. + +From my testing with IPSec AES-GCM 256 +on my MCbin with 4 Cores I get a 50% speed increase: + +Before the patch: 99.73 Kpps +With the patch: 151.25 Kpps + +Signed-off-by: Sven Auhagen +Signed-off-by: Herbert Xu +Stable-dep-of: ca25c00ccbc5 ("crypto: safexcel - Cleanup ring IRQ workqueues on load failure") +Signed-off-by: Sasha Levin +--- + drivers/crypto/inside-secure/safexcel.c | 13 +++++++++++-- + drivers/crypto/inside-secure/safexcel.h | 3 +++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/inside-secure/safexcel.c b/drivers/crypto/inside-secure/safexcel.c +index 9534f52210af0..2d34a3832d8e6 100644 +--- a/drivers/crypto/inside-secure/safexcel.c ++++ b/drivers/crypto/inside-secure/safexcel.c +@@ -1090,11 +1090,12 @@ static irqreturn_t safexcel_irq_ring_thread(int irq, void *data) + + static int safexcel_request_ring_irq(void *pdev, int irqid, + int is_pci_dev, ++ int ring_id, + irq_handler_t handler, + irq_handler_t threaded_handler, + struct safexcel_ring_irq_data *ring_irq_priv) + { +- int ret, irq; ++ int ret, irq, cpu; + struct device *dev; + + if (IS_ENABLED(CONFIG_PCI) && is_pci_dev) { +@@ -1132,6 +1133,10 @@ static int safexcel_request_ring_irq(void *pdev, int irqid, + return ret; + } + ++ /* Set affinity */ ++ cpu = cpumask_local_spread(ring_id, NUMA_NO_NODE); ++ irq_set_affinity_hint(irq, get_cpu_mask(cpu)); ++ + return irq; + } + +@@ -1482,6 +1487,7 @@ static int safexcel_probe_generic(void *pdev, + irq = safexcel_request_ring_irq(pdev, + EIP197_IRQ_NUMBER(i, is_pci_dev), + is_pci_dev, ++ i, + safexcel_irq_ring, + safexcel_irq_ring_thread, + ring_irq); +@@ -1490,6 +1496,7 @@ static int safexcel_probe_generic(void *pdev, + return irq; + } + ++ priv->ring[i].irq = irq; + priv->ring[i].work_data.priv = priv; + priv->ring[i].work_data.ring = i; + INIT_WORK(&priv->ring[i].work_data.work, +@@ -1627,8 +1634,10 @@ static int safexcel_remove(struct platform_device *pdev) + + clk_disable_unprepare(priv->clk); + +- for (i = 0; i < priv->config.rings; i++) ++ for (i = 0; i < priv->config.rings; i++) { ++ irq_set_affinity_hint(priv->ring[i].irq, NULL); + destroy_workqueue(priv->ring[i].workqueue); ++ } + + return 0; + } +diff --git a/drivers/crypto/inside-secure/safexcel.h b/drivers/crypto/inside-secure/safexcel.h +index 930cc48a6f859..6a4d7f09bca96 100644 +--- a/drivers/crypto/inside-secure/safexcel.h ++++ b/drivers/crypto/inside-secure/safexcel.h +@@ -640,6 +640,9 @@ struct safexcel_ring { + */ + struct crypto_async_request *req; + struct crypto_async_request *backlog; ++ ++ /* irq of this ring */ ++ int irq; + }; + + /* EIP integration context flags */ +-- +2.39.2 + diff --git a/queue-5.4/crypto-safexcel-cleanup-ring-irq-workqueues-on-load-.patch b/queue-5.4/crypto-safexcel-cleanup-ring-irq-workqueues-on-load-.patch new file mode 100644 index 00000000000..1e4953abd3a --- /dev/null +++ b/queue-5.4/crypto-safexcel-cleanup-ring-irq-workqueues-on-load-.patch @@ -0,0 +1,159 @@ +From 97e854e54221c28926b0088ae0b0ae6d0da7e7e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Feb 2023 18:28:58 +0000 +Subject: crypto: safexcel - Cleanup ring IRQ workqueues on load failure + +From: Jonathan McDowell + +[ Upstream commit ca25c00ccbc5f942c63897ed23584cfc66e8ec81 ] + +A failure loading the safexcel driver results in the following warning +on boot, because the IRQ affinity has not been correctly cleaned up. +Ensure we clean up the affinity and workqueues on a failure to load the +driver. + +crypto-safexcel: probe of f2800000.crypto failed with error -2 +------------[ cut here ]------------ +WARNING: CPU: 1 PID: 232 at kernel/irq/manage.c:1913 free_irq+0x300/0x340 +Modules linked in: hwmon mdio_i2c crypto_safexcel(+) md5 sha256_generic libsha256 authenc libdes omap_rng rng_core nft_masq nft_nat nft_chain_nat nf_nat nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables libcrc32c nfnetlink fuse autofs4 +CPU: 1 PID: 232 Comm: systemd-udevd Tainted: G W 6.1.6-00002-g9d4898824677 #3 +Hardware name: MikroTik RB5009 (DT) +pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : free_irq+0x300/0x340 +lr : free_irq+0x2e0/0x340 +sp : ffff800008fa3890 +x29: ffff800008fa3890 x28: 0000000000000000 x27: 0000000000000000 +x26: ffff8000008e6dc0 x25: ffff000009034cac x24: ffff000009034d50 +x23: 0000000000000000 x22: 000000000000004a x21: ffff0000093e0d80 +x20: ffff000009034c00 x19: ffff00000615fc00 x18: 0000000000000000 +x17: 0000000000000000 x16: 0000000000000000 x15: 000075f5c1584c5e +x14: 0000000000000017 x13: 0000000000000000 x12: 0000000000000040 +x11: ffff000000579b60 x10: ffff000000579b62 x9 : ffff800008bbe370 +x8 : ffff000000579dd0 x7 : 0000000000000000 x6 : ffff000000579e18 +x5 : ffff000000579da8 x4 : ffff800008ca0000 x3 : ffff800008ca0188 +x2 : 0000000013033204 x1 : ffff000009034c00 x0 : ffff8000087eadf0 +Call trace: + free_irq+0x300/0x340 + devm_irq_release+0x14/0x20 + devres_release_all+0xa0/0x100 + device_unbind_cleanup+0x14/0x60 + really_probe+0x198/0x2d4 + __driver_probe_device+0x74/0xdc + driver_probe_device+0x3c/0x110 + __driver_attach+0x8c/0x190 + bus_for_each_dev+0x6c/0xc0 + driver_attach+0x20/0x30 + bus_add_driver+0x148/0x1fc + driver_register+0x74/0x120 + __platform_driver_register+0x24/0x30 + safexcel_init+0x48/0x1000 [crypto_safexcel] + do_one_initcall+0x4c/0x1b0 + do_init_module+0x44/0x1cc + load_module+0x1724/0x1be4 + __do_sys_finit_module+0xbc/0x110 + __arm64_sys_finit_module+0x1c/0x24 + invoke_syscall+0x44/0x110 + el0_svc_common.constprop.0+0xc0/0xe0 + do_el0_svc+0x20/0x80 + el0_svc+0x14/0x4c + el0t_64_sync_handler+0xb0/0xb4 + el0t_64_sync+0x148/0x14c +---[ end trace 0000000000000000 ]--- + +Fixes: 1b44c5a60c13 ("inside-secure - add SafeXcel EIP197 crypto engine driver") +Signed-off-by: Jonathan McDowell +Cc: stable@vger.kernel.org +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/inside-secure/safexcel.c | 37 ++++++++++++++++++------- + 1 file changed, 27 insertions(+), 10 deletions(-) + +diff --git a/drivers/crypto/inside-secure/safexcel.c b/drivers/crypto/inside-secure/safexcel.c +index 2d34a3832d8e6..04638e1833513 100644 +--- a/drivers/crypto/inside-secure/safexcel.c ++++ b/drivers/crypto/inside-secure/safexcel.c +@@ -1467,19 +1467,23 @@ static int safexcel_probe_generic(void *pdev, + &priv->ring[i].rdr); + if (ret) { + dev_err(dev, "Failed to initialize rings\n"); +- return ret; ++ goto err_cleanup_rings; + } + + priv->ring[i].rdr_req = devm_kcalloc(dev, + EIP197_DEFAULT_RING_SIZE, + sizeof(*priv->ring[i].rdr_req), + GFP_KERNEL); +- if (!priv->ring[i].rdr_req) +- return -ENOMEM; ++ if (!priv->ring[i].rdr_req) { ++ ret = -ENOMEM; ++ goto err_cleanup_rings; ++ } + + ring_irq = devm_kzalloc(dev, sizeof(*ring_irq), GFP_KERNEL); +- if (!ring_irq) +- return -ENOMEM; ++ if (!ring_irq) { ++ ret = -ENOMEM; ++ goto err_cleanup_rings; ++ } + + ring_irq->priv = priv; + ring_irq->ring = i; +@@ -1493,7 +1497,8 @@ static int safexcel_probe_generic(void *pdev, + ring_irq); + if (irq < 0) { + dev_err(dev, "Failed to get IRQ ID for ring %d\n", i); +- return irq; ++ ret = irq; ++ goto err_cleanup_rings; + } + + priv->ring[i].irq = irq; +@@ -1505,8 +1510,10 @@ static int safexcel_probe_generic(void *pdev, + snprintf(wq_name, 9, "wq_ring%d", i); + priv->ring[i].workqueue = + create_singlethread_workqueue(wq_name); +- if (!priv->ring[i].workqueue) +- return -ENOMEM; ++ if (!priv->ring[i].workqueue) { ++ ret = -ENOMEM; ++ goto err_cleanup_rings; ++ } + + priv->ring[i].requests = 0; + priv->ring[i].busy = false; +@@ -1523,16 +1530,26 @@ static int safexcel_probe_generic(void *pdev, + ret = safexcel_hw_init(priv); + if (ret) { + dev_err(dev, "HW init failed (%d)\n", ret); +- return ret; ++ goto err_cleanup_rings; + } + + ret = safexcel_register_algorithms(priv); + if (ret) { + dev_err(dev, "Failed to register algorithms (%d)\n", ret); +- return ret; ++ goto err_cleanup_rings; + } + + return 0; ++ ++err_cleanup_rings: ++ for (i = 0; i < priv->config.rings; i++) { ++ if (priv->ring[i].irq) ++ irq_set_affinity_hint(priv->ring[i].irq, NULL); ++ if (priv->ring[i].workqueue) ++ destroy_workqueue(priv->ring[i].workqueue); ++ } ++ ++ return ret; + } + + static void safexcel_hw_reset_rings(struct safexcel_crypto_priv *priv) +-- +2.39.2 + diff --git a/queue-5.4/dm-verity-fix-error-handling-for-check_at_most_once-.patch b/queue-5.4/dm-verity-fix-error-handling-for-check_at_most_once-.patch new file mode 100644 index 00000000000..b8e538412af --- /dev/null +++ b/queue-5.4/dm-verity-fix-error-handling-for-check_at_most_once-.patch @@ -0,0 +1,49 @@ +From 979171f8a48bdd2007e9640deef1b184a1f9bf63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Mar 2023 15:59:32 +0900 +Subject: dm verity: fix error handling for check_at_most_once on FEC + +From: Yeongjin Gil + +[ Upstream commit e8c5d45f82ce0c238a4817739892fe8897a3dcc3 ] + +In verity_end_io(), if bi_status is not BLK_STS_OK, it can be return +directly. But if FEC configured, it is desired to correct the data page +through verity_verify_io. And the return value will be converted to +blk_status and passed to verity_finish_io(). + +BTW, when a bit is set in v->validated_blocks, verity_verify_io() skips +verification regardless of I/O error for the corresponding bio. In this +case, the I/O error could not be returned properly, and as a result, +there is a problem that abnormal data could be read for the +corresponding block. + +To fix this problem, when an I/O error occurs, do not skip verification +even if the bit related is set in v->validated_blocks. + +Fixes: 843f38d382b1 ("dm verity: add 'check_at_most_once' option to only validate hashes once") +Cc: stable@vger.kernel.org +Reviewed-by: Sungjong Seo +Signed-off-by: Yeongjin Gil +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-verity-target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c +index aad0018cc7b2d..965b5139c8970 100644 +--- a/drivers/md/dm-verity-target.c ++++ b/drivers/md/dm-verity-target.c +@@ -478,7 +478,7 @@ static int verity_verify_io(struct dm_verity_io *io) + sector_t cur_block = io->block + b; + struct ahash_request *req = verity_io_hash_req(v, io); + +- if (v->validated_blocks && ++ if (v->validated_blocks && bio->bi_status == BLK_STS_OK && + likely(test_bit(cur_block, v->validated_blocks))) { + verity_bv_skip_block(v, io, &io->iter); + continue; +-- +2.39.2 + diff --git a/queue-5.4/dm-verity-skip-redundant-verity_handle_err-on-i-o-er.patch b/queue-5.4/dm-verity-skip-redundant-verity_handle_err-on-i-o-er.patch new file mode 100644 index 00000000000..afca4ffe6d5 --- /dev/null +++ b/queue-5.4/dm-verity-skip-redundant-verity_handle_err-on-i-o-er.patch @@ -0,0 +1,62 @@ +From 2c62be506cff39c7694a6cd3b0bb781c04d6e461 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Sep 2021 09:26:42 +0000 +Subject: dm verity: skip redundant verity_handle_err() on I/O errors + +From: Akilesh Kailash + +[ Upstream commit 2c0468e054c0adb660ac055fc396622ec7235df9 ] + +Without FEC, dm-verity won't call verity_handle_err() when I/O fails, +but with FEC enabled, it currently does even if an I/O error has +occurred. + +If there is an I/O error and FEC correction fails, return the error +instead of calling verity_handle_err() again. + +Suggested-by: Sami Tolvanen +Signed-off-by: Akilesh Kailash +Reviewed-by: Sami Tolvanen +Signed-off-by: Mike Snitzer +Stable-dep-of: e8c5d45f82ce ("dm verity: fix error handling for check_at_most_once on FEC") +Signed-off-by: Sasha Levin +--- + drivers/md/dm-verity-target.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c +index 9dcdf34b7e32d..aad0018cc7b2d 100644 +--- a/drivers/md/dm-verity-target.c ++++ b/drivers/md/dm-verity-target.c +@@ -471,6 +471,7 @@ static int verity_verify_io(struct dm_verity_io *io) + struct bvec_iter start; + unsigned b; + struct crypto_wait wait; ++ struct bio *bio = dm_bio_from_per_bio_data(io, v->ti->per_io_data_size); + + for (b = 0; b < io->n_blocks; b++) { + int r; +@@ -525,9 +526,17 @@ static int verity_verify_io(struct dm_verity_io *io) + else if (verity_fec_decode(v, io, DM_VERITY_BLOCK_TYPE_DATA, + cur_block, NULL, &start) == 0) + continue; +- else if (verity_handle_err(v, DM_VERITY_BLOCK_TYPE_DATA, +- cur_block)) +- return -EIO; ++ else { ++ if (bio->bi_status) { ++ /* ++ * Error correction failed; Just return error ++ */ ++ return -EIO; ++ } ++ if (verity_handle_err(v, DM_VERITY_BLOCK_TYPE_DATA, ++ cur_block)) ++ return -EIO; ++ } + } + + return 0; +-- +2.39.2 + diff --git a/queue-5.4/kernel-relay.c-fix-read_pos-error-when-multiple-read.patch b/queue-5.4/kernel-relay.c-fix-read_pos-error-when-multiple-read.patch new file mode 100644 index 00000000000..c14ab443c5a --- /dev/null +++ b/queue-5.4/kernel-relay.c-fix-read_pos-error-when-multiple-read.patch @@ -0,0 +1,92 @@ +From 2bef0d6a31e110d2aff8668b5c5d395b17af6fa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 16:51:30 -0700 +Subject: kernel/relay.c: fix read_pos error when multiple readers + +From: Pengcheng Yang + +[ Upstream commit 341a7213e5c1ce274cc0f02270054905800ea660 ] + +When reading, read_pos should start with bytes_consumed, not file->f_pos. +Because when there is more than one reader, the read_pos corresponding to +file->f_pos may have been consumed, which will cause the data that has +been consumed to be read and the bytes_consumed update error. + +Signed-off-by: Pengcheng Yang +Signed-off-by: Andrew Morton +Reviewed-by: Jens Axboe +Cc: Greg Kroah-Hartman +Cc: Jann Horn +Cc: Al Viro e +Link: http://lkml.kernel.org/r/1579691175-28949-1-git-send-email-yangpc@wangsu.com +Signed-off-by: Linus Torvalds +Stable-dep-of: 43ec16f1450f ("relayfs: fix out-of-bounds access in relay_file_read") +Signed-off-by: Sasha Levin +--- + kernel/relay.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +diff --git a/kernel/relay.c b/kernel/relay.c +index 9b1cfcd8dc6b1..989f78f16ad5c 100644 +--- a/kernel/relay.c ++++ b/kernel/relay.c +@@ -997,14 +997,14 @@ static void relay_file_read_consume(struct rchan_buf *buf, + /* + * relay_file_read_avail - boolean, are there unconsumed bytes available? + */ +-static int relay_file_read_avail(struct rchan_buf *buf, size_t read_pos) ++static int relay_file_read_avail(struct rchan_buf *buf) + { + size_t subbuf_size = buf->chan->subbuf_size; + size_t n_subbufs = buf->chan->n_subbufs; + size_t produced = buf->subbufs_produced; + size_t consumed = buf->subbufs_consumed; + +- relay_file_read_consume(buf, read_pos, 0); ++ relay_file_read_consume(buf, 0, 0); + + consumed = buf->subbufs_consumed; + +@@ -1065,23 +1065,20 @@ static size_t relay_file_read_subbuf_avail(size_t read_pos, + + /** + * relay_file_read_start_pos - find the first available byte to read +- * @read_pos: file read position + * @buf: relay channel buffer + * +- * If the @read_pos is in the middle of padding, return the ++ * If the read_pos is in the middle of padding, return the + * position of the first actually available byte, otherwise + * return the original value. + */ +-static size_t relay_file_read_start_pos(size_t read_pos, +- struct rchan_buf *buf) ++static size_t relay_file_read_start_pos(struct rchan_buf *buf) + { + size_t read_subbuf, padding, padding_start, padding_end; + size_t subbuf_size = buf->chan->subbuf_size; + size_t n_subbufs = buf->chan->n_subbufs; + size_t consumed = buf->subbufs_consumed % n_subbufs; ++ size_t read_pos = consumed * subbuf_size + buf->bytes_consumed; + +- if (!read_pos) +- read_pos = consumed * subbuf_size + buf->bytes_consumed; + read_subbuf = read_pos / subbuf_size; + padding = buf->padding[read_subbuf]; + padding_start = (read_subbuf + 1) * subbuf_size - padding; +@@ -1137,10 +1134,10 @@ static ssize_t relay_file_read(struct file *filp, + do { + void *from; + +- if (!relay_file_read_avail(buf, *ppos)) ++ if (!relay_file_read_avail(buf)) + break; + +- read_start = relay_file_read_start_pos(*ppos, buf); ++ read_start = relay_file_read_start_pos(buf); + avail = relay_file_read_subbuf_avail(read_start, buf); + if (!avail) + break; +-- +2.39.2 + diff --git a/queue-5.4/mailbox-zynq-switch-to-flexible-array-to-simplify-co.patch b/queue-5.4/mailbox-zynq-switch-to-flexible-array-to-simplify-co.patch new file mode 100644 index 00000000000..6655cfca094 --- /dev/null +++ b/queue-5.4/mailbox-zynq-switch-to-flexible-array-to-simplify-co.patch @@ -0,0 +1,56 @@ +From dc165f48b8bf2590f4b3d28434cc6bea251eeb54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Nov 2022 09:25:54 +0100 +Subject: mailbox: zynq: Switch to flexible array to simplify code + +From: Christophe JAILLET + +[ Upstream commit 043f85ce81cb1714e14d31c322c5646513dde3fb ] + +Using flexible array is more straight forward. It + - saves 1 pointer in the 'zynqmp_ipi_pdata' structure + - saves an indirection when using this array + - saves some LoC and avoids some always spurious pointer arithmetic + +Signed-off-by: Christophe JAILLET +Signed-off-by: Jassi Brar +Stable-dep-of: f72f805e7288 ("mailbox: zynqmp: Fix counts of child nodes") +Signed-off-by: Sasha Levin +--- + drivers/mailbox/zynqmp-ipi-mailbox.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/mailbox/zynqmp-ipi-mailbox.c b/drivers/mailbox/zynqmp-ipi-mailbox.c +index 392df6b37bf55..1abeff7656462 100644 +--- a/drivers/mailbox/zynqmp-ipi-mailbox.c ++++ b/drivers/mailbox/zynqmp-ipi-mailbox.c +@@ -110,7 +110,7 @@ struct zynqmp_ipi_pdata { + unsigned int method; + u32 local_id; + int num_mboxes; +- struct zynqmp_ipi_mbox *ipi_mboxes; ++ struct zynqmp_ipi_mbox ipi_mboxes[]; + }; + + static struct device_driver zynqmp_ipi_mbox_driver = { +@@ -635,7 +635,7 @@ static int zynqmp_ipi_probe(struct platform_device *pdev) + int num_mboxes, ret = -EINVAL; + + num_mboxes = of_get_child_count(np); +- pdata = devm_kzalloc(dev, sizeof(*pdata) + (num_mboxes * sizeof(*mbox)), ++ pdata = devm_kzalloc(dev, struct_size(pdata, ipi_mboxes, num_mboxes), + GFP_KERNEL); + if (!pdata) + return -ENOMEM; +@@ -649,8 +649,6 @@ static int zynqmp_ipi_probe(struct platform_device *pdev) + } + + pdata->num_mboxes = num_mboxes; +- pdata->ipi_mboxes = (struct zynqmp_ipi_mbox *) +- ((char *)pdata + sizeof(*pdata)); + + mbox = pdata->ipi_mboxes; + for_each_available_child_of_node(np, nc) { +-- +2.39.2 + diff --git a/queue-5.4/mailbox-zynqmp-fix-counts-of-child-nodes.patch b/queue-5.4/mailbox-zynqmp-fix-counts-of-child-nodes.patch new file mode 100644 index 00000000000..c4f36c680e0 --- /dev/null +++ b/queue-5.4/mailbox-zynqmp-fix-counts-of-child-nodes.patch @@ -0,0 +1,45 @@ +From 8690435e9e6b21b6881025c8d8ab00f739dc68e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Mar 2023 17:24:04 -0800 +Subject: mailbox: zynqmp: Fix counts of child nodes + +From: Tanmay Shah + +[ Upstream commit f72f805e72882c361e2a612c64a6e549f3da7152 ] + +If child mailbox node status is disabled it causes +crash in interrupt handler. Fix this by assigning +only available child node during driver probe. + +Fixes: 4981b82ba2ff ("mailbox: ZynqMP IPI mailbox controller") +Signed-off-by: Tanmay Shah +Acked-by: Michal Simek +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230311012407.1292118-2-tanmay.shah@amd.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/mailbox/zynqmp-ipi-mailbox.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/mailbox/zynqmp-ipi-mailbox.c b/drivers/mailbox/zynqmp-ipi-mailbox.c +index 1abeff7656462..bb7bb17386475 100644 +--- a/drivers/mailbox/zynqmp-ipi-mailbox.c ++++ b/drivers/mailbox/zynqmp-ipi-mailbox.c +@@ -634,7 +634,12 @@ static int zynqmp_ipi_probe(struct platform_device *pdev) + struct zynqmp_ipi_mbox *mbox; + int num_mboxes, ret = -EINVAL; + +- num_mboxes = of_get_child_count(np); ++ num_mboxes = of_get_available_child_count(np); ++ if (num_mboxes == 0) { ++ dev_err(dev, "mailbox nodes not available\n"); ++ return -EINVAL; ++ } ++ + pdata = devm_kzalloc(dev, struct_size(pdata, ipi_mboxes, num_mboxes), + GFP_KERNEL); + if (!pdata) +-- +2.39.2 + diff --git a/queue-5.4/nohz-add-tick_dep_bit_rcu.patch b/queue-5.4/nohz-add-tick_dep_bit_rcu.patch new file mode 100644 index 00000000000..1522e014861 --- /dev/null +++ b/queue-5.4/nohz-add-tick_dep_bit_rcu.patch @@ -0,0 +1,113 @@ +From 620d86a5b9b63b51aa28b67ce64bd56fb90a2fc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jul 2019 15:22:59 +0200 +Subject: nohz: Add TICK_DEP_BIT_RCU + +From: Frederic Weisbecker + +[ Upstream commit 01b4c39901e087ceebae2733857248de81476bd8 ] + +If a nohz_full CPU is looping in the kernel, the scheduling-clock tick +might nevertheless remain disabled. In !PREEMPT kernels, this can +prevent RCU's attempts to enlist the aid of that CPU's executions of +cond_resched(), which can in turn result in an arbitrarily delayed grace +period and thus an OOM. RCU therefore needs a way to enable a holdout +nohz_full CPU's scheduler-clock interrupt. + +This commit therefore provides a new TICK_DEP_BIT_RCU value which RCU can +pass to tick_dep_set_cpu() and friends to force on the scheduler-clock +interrupt for a specified CPU or task. In some cases, rcutorture needs +to turn on the scheduler-clock tick, so this commit also exports the +relevant symbols to GPL-licensed modules. + +Signed-off-by: Frederic Weisbecker +Signed-off-by: Paul E. McKenney +Stable-dep-of: 58d766824264 ("tick/nohz: Fix cpu_is_hotpluggable() by checking with nohz subsystem") +Signed-off-by: Sasha Levin +--- + include/linux/tick.h | 7 ++++++- + include/trace/events/timer.h | 3 ++- + kernel/time/tick-sched.c | 7 +++++++ + 3 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/include/linux/tick.h b/include/linux/tick.h +index f92a10b5e1128..39eb44564058b 100644 +--- a/include/linux/tick.h ++++ b/include/linux/tick.h +@@ -108,7 +108,8 @@ enum tick_dep_bits { + TICK_DEP_BIT_POSIX_TIMER = 0, + TICK_DEP_BIT_PERF_EVENTS = 1, + TICK_DEP_BIT_SCHED = 2, +- TICK_DEP_BIT_CLOCK_UNSTABLE = 3 ++ TICK_DEP_BIT_CLOCK_UNSTABLE = 3, ++ TICK_DEP_BIT_RCU = 4 + }; + + #define TICK_DEP_MASK_NONE 0 +@@ -116,6 +117,7 @@ enum tick_dep_bits { + #define TICK_DEP_MASK_PERF_EVENTS (1 << TICK_DEP_BIT_PERF_EVENTS) + #define TICK_DEP_MASK_SCHED (1 << TICK_DEP_BIT_SCHED) + #define TICK_DEP_MASK_CLOCK_UNSTABLE (1 << TICK_DEP_BIT_CLOCK_UNSTABLE) ++#define TICK_DEP_MASK_RCU (1 << TICK_DEP_BIT_RCU) + + #ifdef CONFIG_NO_HZ_COMMON + extern bool tick_nohz_enabled; +@@ -268,6 +270,9 @@ static inline bool tick_nohz_full_enabled(void) { return false; } + static inline bool tick_nohz_full_cpu(int cpu) { return false; } + static inline void tick_nohz_full_add_cpus_to(struct cpumask *mask) { } + ++static inline void tick_nohz_dep_set_cpu(int cpu, enum tick_dep_bits bit) { } ++static inline void tick_nohz_dep_clear_cpu(int cpu, enum tick_dep_bits bit) { } ++ + static inline void tick_dep_set(enum tick_dep_bits bit) { } + static inline void tick_dep_clear(enum tick_dep_bits bit) { } + static inline void tick_dep_set_cpu(int cpu, enum tick_dep_bits bit) { } +diff --git a/include/trace/events/timer.h b/include/trace/events/timer.h +index b7a904825e7df..295517f109d71 100644 +--- a/include/trace/events/timer.h ++++ b/include/trace/events/timer.h +@@ -367,7 +367,8 @@ TRACE_EVENT(itimer_expire, + tick_dep_name(POSIX_TIMER) \ + tick_dep_name(PERF_EVENTS) \ + tick_dep_name(SCHED) \ +- tick_dep_name_end(CLOCK_UNSTABLE) ++ tick_dep_name(CLOCK_UNSTABLE) \ ++ tick_dep_name_end(RCU) + + #undef tick_dep_name + #undef tick_dep_mask_name +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c +index 1b5037ba4ec40..69bdaad4abe17 100644 +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -225,6 +225,11 @@ static bool check_tick_dependency(atomic_t *dep) + return true; + } + ++ if (val & TICK_DEP_MASK_RCU) { ++ trace_tick_stop(0, TICK_DEP_MASK_RCU); ++ return true; ++ } ++ + return false; + } + +@@ -351,6 +356,7 @@ void tick_nohz_dep_set_cpu(int cpu, enum tick_dep_bits bit) + preempt_enable(); + } + } ++EXPORT_SYMBOL_GPL(tick_nohz_dep_set_cpu); + + void tick_nohz_dep_clear_cpu(int cpu, enum tick_dep_bits bit) + { +@@ -358,6 +364,7 @@ void tick_nohz_dep_clear_cpu(int cpu, enum tick_dep_bits bit) + + atomic_andnot(BIT(bit), &ts->tick_dep_mask); + } ++EXPORT_SYMBOL_GPL(tick_nohz_dep_clear_cpu); + + /* + * Set a per-task tick dependency. Posix CPU timers need this in order to elapse +-- +2.39.2 + diff --git a/queue-5.4/relayfs-fix-out-of-bounds-access-in-relay_file_read.patch b/queue-5.4/relayfs-fix-out-of-bounds-access-in-relay_file_read.patch new file mode 100644 index 00000000000..d9cc4e779d2 --- /dev/null +++ b/queue-5.4/relayfs-fix-out-of-bounds-access-in-relay_file_read.patch @@ -0,0 +1,82 @@ +From 8142395ee9eda6d53dc9244adc6f16643eb8df22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Apr 2023 12:02:03 +0800 +Subject: relayfs: fix out-of-bounds access in relay_file_read + +From: Zhang Zhengming + +[ Upstream commit 43ec16f1450f4936025a9bdf1a273affdb9732c1 ] + +There is a crash in relay_file_read, as the var from +point to the end of last subbuf. + +The oops looks something like: +pc : __arch_copy_to_user+0x180/0x310 +lr : relay_file_read+0x20c/0x2c8 +Call trace: + __arch_copy_to_user+0x180/0x310 + full_proxy_read+0x68/0x98 + vfs_read+0xb0/0x1d0 + ksys_read+0x6c/0xf0 + __arm64_sys_read+0x20/0x28 + el0_svc_common.constprop.3+0x84/0x108 + do_el0_svc+0x74/0x90 + el0_svc+0x1c/0x28 + el0_sync_handler+0x88/0xb0 + el0_sync+0x148/0x180 + +We get the condition by analyzing the vmcore: + +1). The last produced byte and last consumed byte + both at the end of the last subbuf + +2). A softirq calls function(e.g __blk_add_trace) + to write relay buffer occurs when an program is calling + relay_file_read_avail(). + + relay_file_read + relay_file_read_avail + relay_file_read_consume(buf, 0, 0); + //interrupted by softirq who will write subbuf + .... + return 1; + //read_start point to the end of the last subbuf + read_start = relay_file_read_start_pos + //avail is equal to subsize + avail = relay_file_read_subbuf_avail + //from points to an invalid memory address + from = buf->start + read_start + //system is crashed + copy_to_user(buffer, from, avail) + +Link: https://lkml.kernel.org/r/20230419040203.37676-1-zhang.zhengming@h3c.com +Fixes: 8d62fdebdaf9 ("relay file read: start-pos fix") +Signed-off-by: Zhang Zhengming +Reviewed-by: Zhao Lei +Reviewed-by: Zhou Kete +Reviewed-by: Pengcheng Yang +Cc: Jens Axboe +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/relay.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/relay.c b/kernel/relay.c +index 989f78f16ad5c..1e11199c7d7cc 100644 +--- a/kernel/relay.c ++++ b/kernel/relay.c +@@ -1077,7 +1077,8 @@ static size_t relay_file_read_start_pos(struct rchan_buf *buf) + size_t subbuf_size = buf->chan->subbuf_size; + size_t n_subbufs = buf->chan->n_subbufs; + size_t consumed = buf->subbufs_consumed % n_subbufs; +- size_t read_pos = consumed * subbuf_size + buf->bytes_consumed; ++ size_t read_pos = (consumed * subbuf_size + buf->bytes_consumed) ++ % (n_subbufs * subbuf_size); + + read_subbuf = read_pos / subbuf_size; + padding = buf->padding[read_subbuf]; +-- +2.39.2 + diff --git a/queue-5.4/series b/queue-5.4/series index a029d929194..6d6f0105f59 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -209,3 +209,13 @@ perf-auxtrace-fix-address-filter-entire-kernel-size.patch perf-intel-pt-fix-cyc-timestamps-after-standalone-cbr.patch debugobject-ensure-pool-refill-again.patch netfilter-nf_tables-deactivate-anonymous-set-from-preparation-phase.patch +nohz-add-tick_dep_bit_rcu.patch +tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-n.patch +mailbox-zynq-switch-to-flexible-array-to-simplify-co.patch +mailbox-zynqmp-fix-counts-of-child-nodes.patch +dm-verity-skip-redundant-verity_handle_err-on-i-o-er.patch +dm-verity-fix-error-handling-for-check_at_most_once-.patch +crypto-inside-secure-irq-balance.patch +crypto-safexcel-cleanup-ring-irq-workqueues-on-load-.patch +kernel-relay.c-fix-read_pos-error-when-multiple-read.patch +relayfs-fix-out-of-bounds-access-in-relay_file_read.patch diff --git a/queue-5.4/tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-n.patch b/queue-5.4/tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-n.patch new file mode 100644 index 00000000000..5dbca412a6c --- /dev/null +++ b/queue-5.4/tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-n.patch @@ -0,0 +1,106 @@ +From 52526c639b4a319cf76cc80d5c108e983154720f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 17:31:26 +0000 +Subject: tick/nohz: Fix cpu_is_hotpluggable() by checking with nohz subsystem + +From: Joel Fernandes (Google) + +[ Upstream commit 58d7668242647e661a20efe065519abd6454287e ] + +For CONFIG_NO_HZ_FULL systems, the tick_do_timer_cpu cannot be offlined. +However, cpu_is_hotpluggable() still returns true for those CPUs. This causes +torture tests that do offlining to end up trying to offline this CPU causing +test failures. Such failure happens on all architectures. + +Fix the repeated error messages thrown by this (even if the hotplug errors are +harmless) by asking the opinion of the nohz subsystem on whether the CPU can be +hotplugged. + +[ Apply Frederic Weisbecker feedback on refactoring tick_nohz_cpu_down(). ] + +For drivers/base/ portion: +Acked-by: Greg Kroah-Hartman +Acked-by: Frederic Weisbecker +Cc: Frederic Weisbecker +Cc: "Paul E. McKenney" +Cc: Zhouyi Zhou +Cc: Will Deacon +Cc: Marc Zyngier +Cc: rcu +Cc: stable@vger.kernel.org +Fixes: 2987557f52b9 ("driver-core/cpu: Expose hotpluggability to the rest of the kernel") +Signed-off-by: Paul E. McKenney +Signed-off-by: Joel Fernandes (Google) +Signed-off-by: Sasha Levin +--- + drivers/base/cpu.c | 3 ++- + include/linux/tick.h | 2 ++ + kernel/time/tick-sched.c | 11 ++++++++--- + 3 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c +index 7000c836951c5..980e9a76e1723 100644 +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -491,7 +491,8 @@ static const struct attribute_group *cpu_root_attr_groups[] = { + bool cpu_is_hotpluggable(unsigned cpu) + { + struct device *dev = get_cpu_device(cpu); +- return dev && container_of(dev, struct cpu, dev)->hotpluggable; ++ return dev && container_of(dev, struct cpu, dev)->hotpluggable ++ && tick_nohz_cpu_hotpluggable(cpu); + } + EXPORT_SYMBOL_GPL(cpu_is_hotpluggable); + +diff --git a/include/linux/tick.h b/include/linux/tick.h +index 39eb44564058b..cf6c92060929e 100644 +--- a/include/linux/tick.h ++++ b/include/linux/tick.h +@@ -208,6 +208,7 @@ extern void tick_nohz_dep_set_signal(struct signal_struct *signal, + enum tick_dep_bits bit); + extern void tick_nohz_dep_clear_signal(struct signal_struct *signal, + enum tick_dep_bits bit); ++extern bool tick_nohz_cpu_hotpluggable(unsigned int cpu); + + /* + * The below are tick_nohz_[set,clear]_dep() wrappers that optimize off-cases +@@ -272,6 +273,7 @@ static inline void tick_nohz_full_add_cpus_to(struct cpumask *mask) { } + + static inline void tick_nohz_dep_set_cpu(int cpu, enum tick_dep_bits bit) { } + static inline void tick_nohz_dep_clear_cpu(int cpu, enum tick_dep_bits bit) { } ++static inline bool tick_nohz_cpu_hotpluggable(unsigned int cpu) { return true; } + + static inline void tick_dep_set(enum tick_dep_bits bit) { } + static inline void tick_dep_clear(enum tick_dep_bits bit) { } +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c +index 69bdaad4abe17..a70c611df137c 100644 +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -432,7 +432,7 @@ void __init tick_nohz_full_setup(cpumask_var_t cpumask) + tick_nohz_full_running = true; + } + +-static int tick_nohz_cpu_down(unsigned int cpu) ++bool tick_nohz_cpu_hotpluggable(unsigned int cpu) + { + /* + * The tick_do_timer_cpu CPU handles housekeeping duty (unbound +@@ -440,8 +440,13 @@ static int tick_nohz_cpu_down(unsigned int cpu) + * CPUs. It must remain online when nohz full is enabled. + */ + if (tick_nohz_full_running && tick_do_timer_cpu == cpu) +- return -EBUSY; +- return 0; ++ return false; ++ return true; ++} ++ ++static int tick_nohz_cpu_down(unsigned int cpu) ++{ ++ return tick_nohz_cpu_hotpluggable(cpu) ? 0 : -EBUSY; + } + + void __init tick_nohz_init(void) +-- +2.39.2 + -- 2.47.3