From: Greg Kroah-Hartman Date: Sat, 31 Oct 2020 10:24:53 +0000 (+0100) Subject: 5.9-stable patches X-Git-Tag: v5.4.74~10 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0b8cb0d9e8f8e1ffbb4c9ef56758f64ae2b0dc22;p=thirdparty%2Fkernel%2Fstable-queue.git 5.9-stable patches added patches: arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch ata-ahci-mvebu-make-sata-phy-optional-for-armada-3720.patch ata-sata_rcar-fix-dma-boundary-mask.patch bpf-fix-comment-for-helper-bpf_current_task_under_cgroup.patch cxl-rework-error-message-for-incompatible-slots.patch drm-i915-gem-serialise-debugfs-i915_gem_objects-with-ctx-mutex.patch evm-check-size-of-security.evm-before-using-it.patch fuse-fix-page-dereference-after-free.patch mm-mark-async-iocb-read-as-nowait-once-some-data-has-been-copied.patch mtd-lpddr-fix-bad-logic-in-print_drs_error.patch p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch pci-aardvark-fix-initialization-with-old-marvell-s-arm-trusted-firmware.patch pm-runtime-fix-timer_expires-data-type-on-32-bit-arches.patch rdma-addr-fix-race-with-netevent_callback-rdma_addr_cancel.patch serial-pl011-fix-lockdep-splat-when-handling-magic-sysrq-interrupt.patch serial-qcom_geni_serial-to-correct-qup-version-detection-logic.patch x86-traps-fix-de-oops-message-regression.patch x86-xen-disable-firmware-first-mode-for-correctable-memory-errors.patch xen-gntdev.c-mark-pages-as-dirty.patch --- diff --git a/queue-5.9/arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch b/queue-5.9/arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch new file mode 100644 index 00000000000..557c0fb1d33 --- /dev/null +++ b/queue-5.9/arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch @@ -0,0 +1,76 @@ +From 221bfce5ebbdf72ff08b3bf2510ae81058ee568b Mon Sep 17 00:00:00 2001 +From: Kim Phillips +Date: Tue, 8 Sep 2020 16:47:36 -0500 +Subject: arch/x86/amd/ibs: Fix re-arming IBS Fetch + +From: Kim Phillips + +commit 221bfce5ebbdf72ff08b3bf2510ae81058ee568b upstream. + +Stephane Eranian found a bug in that IBS' current Fetch counter was not +being reset when the driver would write the new value to clear it along +with the enable bit set, and found that adding an MSR write that would +first disable IBS Fetch would make IBS Fetch reset its current count. + +Indeed, the PPR for AMD Family 17h Model 31h B0 55803 Rev 0.54 - Sep 12, +2019 states "The periodic fetch counter is set to IbsFetchCnt [...] when +IbsFetchEn is changed from 0 to 1." + +Explicitly set IbsFetchEn to 0 and then to 1 when re-enabling IBS Fetch, +so the driver properly resets the internal counter to 0 and IBS +Fetch starts counting again. + +A family 15h machine tested does not have this problem, and the extra +wrmsr is also not needed on Family 19h, so only do the extra wrmsr on +families 16h through 18h. + +Reported-by: Stephane Eranian +Signed-off-by: Kim Phillips +[peterz: optimized] +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537 +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/amd/ibs.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/arch/x86/events/amd/ibs.c ++++ b/arch/x86/events/amd/ibs.c +@@ -89,6 +89,7 @@ struct perf_ibs { + u64 max_period; + unsigned long offset_mask[1]; + int offset_max; ++ unsigned int fetch_count_reset_broken : 1; + struct cpu_perf_ibs __percpu *pcpu; + + struct attribute **format_attrs; +@@ -363,7 +364,12 @@ perf_ibs_event_update(struct perf_ibs *p + static inline void perf_ibs_enable_event(struct perf_ibs *perf_ibs, + struct hw_perf_event *hwc, u64 config) + { +- wrmsrl(hwc->config_base, hwc->config | config | perf_ibs->enable_mask); ++ u64 tmp = hwc->config | config; ++ ++ if (perf_ibs->fetch_count_reset_broken) ++ wrmsrl(hwc->config_base, tmp & ~perf_ibs->enable_mask); ++ ++ wrmsrl(hwc->config_base, tmp | perf_ibs->enable_mask); + } + + /* +@@ -733,6 +739,13 @@ static __init void perf_event_ibs_init(v + { + struct attribute **attr = ibs_op_format_attrs; + ++ /* ++ * Some chips fail to reset the fetch count when it is written; instead ++ * they need a 0-1 transition of IbsFetchEn. ++ */ ++ if (boot_cpu_data.x86 >= 0x16 && boot_cpu_data.x86 <= 0x18) ++ perf_ibs_fetch.fetch_count_reset_broken = 1; ++ + perf_ibs_pmu_init(&perf_ibs_fetch, "ibs_fetch"); + + if (ibs_caps & IBS_CAPS_OPCNT) { diff --git a/queue-5.9/ata-ahci-mvebu-make-sata-phy-optional-for-armada-3720.patch b/queue-5.9/ata-ahci-mvebu-make-sata-phy-optional-for-armada-3720.patch new file mode 100644 index 00000000000..53a9a6bcff3 --- /dev/null +++ b/queue-5.9/ata-ahci-mvebu-make-sata-phy-optional-for-armada-3720.patch @@ -0,0 +1,74 @@ +From 45aefe3d2251e4e229d7662052739f96ad1d08d9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Fri, 9 Oct 2020 10:42:44 +0200 +Subject: ata: ahci: mvebu: Make SATA PHY optional for Armada 3720 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +commit 45aefe3d2251e4e229d7662052739f96ad1d08d9 upstream. + +Older ATF does not provide SMC call for SATA phy power on functionality and +therefore initialization of ahci_mvebu is failing when older version of ATF +is using. In this case phy_power_on() function returns -EOPNOTSUPP. + +This patch adds a new hflag AHCI_HFLAG_IGN_NOTSUPP_POWER_ON which cause +that ahci_platform_enable_phys() would ignore -EOPNOTSUPP errors from +phy_power_on() call. + +It fixes initialization of ahci_mvebu on Espressobin boards where is older +Marvell's Arm Trusted Firmware without SMC call for SATA phy power. + +This is regression introduced in commit 8e18c8e58da64 ("arm64: dts: marvell: +armada-3720-espressobin: declare SATA PHY property") where SATA phy was +defined and therefore ahci_platform_enable_phys() on Espressobin started +failing. + +Fixes: 8e18c8e58da64 ("arm64: dts: marvell: armada-3720-espressobin: declare SATA PHY property") +Signed-off-by: Pali Rohár +Tested-by: Tomasz Maciej Nowak +Cc: # 5.1+: ea17a0f153af: phy: marvell: comphy: Convert internal SMCC firmware return codes to errno +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ahci.h | 2 ++ + drivers/ata/ahci_mvebu.c | 2 +- + drivers/ata/libahci_platform.c | 2 +- + 3 files changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/ata/ahci.h ++++ b/drivers/ata/ahci.h +@@ -240,6 +240,8 @@ enum { + as default lpm_policy */ + AHCI_HFLAG_SUSPEND_PHYS = (1 << 26), /* handle PHYs during + suspend/resume */ ++ AHCI_HFLAG_IGN_NOTSUPP_POWER_ON = (1 << 27), /* ignore -EOPNOTSUPP ++ from phy_power_on() */ + + /* ap->flags bits */ + +--- a/drivers/ata/ahci_mvebu.c ++++ b/drivers/ata/ahci_mvebu.c +@@ -227,7 +227,7 @@ static const struct ahci_mvebu_plat_data + + static const struct ahci_mvebu_plat_data ahci_mvebu_armada_3700_plat_data = { + .plat_config = ahci_mvebu_armada_3700_config, +- .flags = AHCI_HFLAG_SUSPEND_PHYS, ++ .flags = AHCI_HFLAG_SUSPEND_PHYS | AHCI_HFLAG_IGN_NOTSUPP_POWER_ON, + }; + + static const struct of_device_id ahci_mvebu_of_match[] = { +--- a/drivers/ata/libahci_platform.c ++++ b/drivers/ata/libahci_platform.c +@@ -59,7 +59,7 @@ int ahci_platform_enable_phys(struct ahc + } + + rc = phy_power_on(hpriv->phys[i]); +- if (rc) { ++ if (rc && !(rc == -EOPNOTSUPP && (hpriv->flags & AHCI_HFLAG_IGN_NOTSUPP_POWER_ON))) { + phy_exit(hpriv->phys[i]); + goto disable_phys; + } diff --git a/queue-5.9/ata-sata_rcar-fix-dma-boundary-mask.patch b/queue-5.9/ata-sata_rcar-fix-dma-boundary-mask.patch new file mode 100644 index 00000000000..4b7c9fbb56b --- /dev/null +++ b/queue-5.9/ata-sata_rcar-fix-dma-boundary-mask.patch @@ -0,0 +1,70 @@ +From df9c590986fdb6db9d5636d6cd93bc919c01b451 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Thu, 17 Sep 2020 15:09:20 +0200 +Subject: ata: sata_rcar: Fix DMA boundary mask + +From: Geert Uytterhoeven + +commit df9c590986fdb6db9d5636d6cd93bc919c01b451 upstream. + +Before commit 9495b7e92f716ab2 ("driver core: platform: Initialize +dma_parms for platform devices"), the R-Car SATA device didn't have DMA +parameters. Hence the DMA boundary mask supplied by its driver was +silently ignored, as __scsi_init_queue() doesn't check the return value +of dma_set_seg_boundary(), and the default value of 0xffffffff was used. + +Now the device has gained DMA parameters, the driver-supplied value is +used, and the following warning is printed on Salvator-XS: + + DMA-API: sata_rcar ee300000.sata: mapping sg segment across boundary [start=0x00000000ffffe000] [end=0x00000000ffffefff] [boundary=0x000000001ffffffe] + WARNING: CPU: 5 PID: 38 at kernel/dma/debug.c:1233 debug_dma_map_sg+0x298/0x300 + +(the range of start/end values depend on whether IOMMU support is + enabled or not) + +The issue here is that SATA_RCAR_DMA_BOUNDARY doesn't have bit 0 set, so +any typical end value, which is odd, will trigger the check. + +Fix this by increasing the DMA boundary value by 1. + +This also fixes the following WRITE DMA EXT timeout issue: + + # dd if=/dev/urandom of=/mnt/de1/file1-1024M bs=1M count=1024 + ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen + ata1.00: failed command: WRITE DMA EXT + ata1.00: cmd 35/00:00:00:e6:0c/00:0a:00:00:00/e0 tag 0 dma 1310720 out + res 40/00:01:00:00:00/00:00:00:00:00/00 Emask 0x4 (timeout) + ata1.00: status: { DRDY } + +as seen by Shimoda-san since commit 429120f3df2dba2b ("block: fix +splitting segments on boundary masks"). + +Fixes: 8bfbeed58665dbbf ("sata_rcar: correct 'sata_rcar_sht'") +Fixes: 9495b7e92f716ab2 ("driver core: platform: Initialize dma_parms for platform devices") +Fixes: 429120f3df2dba2b ("block: fix splitting segments on boundary masks") +Signed-off-by: Geert Uytterhoeven +Tested-by: Lad Prabhakar +Tested-by: Yoshihiro Shimoda +Reviewed-by: Christoph Hellwig +Reviewed-by: Greg Kroah-Hartman +Reviewed-by: Sergei Shtylyov +Reviewed-by: Ulf Hansson +Cc: stable +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/sata_rcar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/sata_rcar.c ++++ b/drivers/ata/sata_rcar.c +@@ -120,7 +120,7 @@ + /* Descriptor table word 0 bit (when DTA32M = 1) */ + #define SATA_RCAR_DTEND BIT(0) + +-#define SATA_RCAR_DMA_BOUNDARY 0x1FFFFFFEUL ++#define SATA_RCAR_DMA_BOUNDARY 0x1FFFFFFFUL + + /* Gen2 Physical Layer Control Registers */ + #define RCAR_GEN2_PHY_CTL1_REG 0x1704 diff --git a/queue-5.9/bpf-fix-comment-for-helper-bpf_current_task_under_cgroup.patch b/queue-5.9/bpf-fix-comment-for-helper-bpf_current_task_under_cgroup.patch new file mode 100644 index 00000000000..029ea30b731 --- /dev/null +++ b/queue-5.9/bpf-fix-comment-for-helper-bpf_current_task_under_cgroup.patch @@ -0,0 +1,49 @@ +From 1aef5b4391f0c75c0a1523706a7b0311846ee12f Mon Sep 17 00:00:00 2001 +From: Song Liu +Date: Thu, 10 Sep 2020 13:33:14 -0700 +Subject: bpf: Fix comment for helper bpf_current_task_under_cgroup() + +From: Song Liu + +commit 1aef5b4391f0c75c0a1523706a7b0311846ee12f upstream. + +This should be "current" not "skb". + +Fixes: c6b5fb8690fa ("bpf: add documentation for eBPF helpers (42-50)") +Signed-off-by: Song Liu +Signed-off-by: Alexei Starovoitov +Cc: +Link: https://lore.kernel.org/bpf/20200910203314.70018-1-songliubraving@fb.com +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/linux/bpf.h | 4 ++-- + tools/include/uapi/linux/bpf.h | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/include/uapi/linux/bpf.h ++++ b/include/uapi/linux/bpf.h +@@ -1438,8 +1438,8 @@ union bpf_attr { + * Return + * The return value depends on the result of the test, and can be: + * +- * * 0, if the *skb* task belongs to the cgroup2. +- * * 1, if the *skb* task does not belong to the cgroup2. ++ * * 0, if current task belongs to the cgroup2. ++ * * 1, if current task does not belong to the cgroup2. + * * A negative error code, if an error occurred. + * + * long bpf_skb_change_tail(struct sk_buff *skb, u32 len, u64 flags) +--- a/tools/include/uapi/linux/bpf.h ++++ b/tools/include/uapi/linux/bpf.h +@@ -1438,8 +1438,8 @@ union bpf_attr { + * Return + * The return value depends on the result of the test, and can be: + * +- * * 0, if the *skb* task belongs to the cgroup2. +- * * 1, if the *skb* task does not belong to the cgroup2. ++ * * 0, if current task belongs to the cgroup2. ++ * * 1, if current task does not belong to the cgroup2. + * * A negative error code, if an error occurred. + * + * long bpf_skb_change_tail(struct sk_buff *skb, u32 len, u64 flags) diff --git a/queue-5.9/cxl-rework-error-message-for-incompatible-slots.patch b/queue-5.9/cxl-rework-error-message-for-incompatible-slots.patch new file mode 100644 index 00000000000..83250b3a0ca --- /dev/null +++ b/queue-5.9/cxl-rework-error-message-for-incompatible-slots.patch @@ -0,0 +1,37 @@ +From 40ac790d99c6dd16b367d5c2339e446a5f1b0593 Mon Sep 17 00:00:00 2001 +From: Frederic Barrat +Date: Tue, 7 Apr 2020 13:56:01 +0200 +Subject: cxl: Rework error message for incompatible slots + +From: Frederic Barrat + +commit 40ac790d99c6dd16b367d5c2339e446a5f1b0593 upstream. + +Improve the error message shown if a capi adapter is plugged on a +capi-incompatible slot directly under the PHB (no intermediate switch). + +Fixes: 5632874311db ("cxl: Add support for POWER9 DD2") +Cc: stable@vger.kernel.org # 4.14+ +Signed-off-by: Frederic Barrat +Reviewed-by: Andrew Donnellan +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200407115601.25453-1-fbarrat@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/cxl/pci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/misc/cxl/pci.c ++++ b/drivers/misc/cxl/pci.c +@@ -393,8 +393,8 @@ int cxl_calc_capp_routing(struct pci_dev + *capp_unit_id = get_capp_unit_id(np, *phb_index); + of_node_put(np); + if (!*capp_unit_id) { +- pr_err("cxl: invalid capp unit id (phb_index: %d)\n", +- *phb_index); ++ pr_err("cxl: No capp unit found for PHB[%lld,%d]. Make sure the adapter is on a capi-compatible slot\n", ++ *chipid, *phb_index); + return -ENODEV; + } + diff --git a/queue-5.9/drm-i915-gem-serialise-debugfs-i915_gem_objects-with-ctx-mutex.patch b/queue-5.9/drm-i915-gem-serialise-debugfs-i915_gem_objects-with-ctx-mutex.patch new file mode 100644 index 00000000000..a72630358fb --- /dev/null +++ b/queue-5.9/drm-i915-gem-serialise-debugfs-i915_gem_objects-with-ctx-mutex.patch @@ -0,0 +1,48 @@ +From 4fe9af8e881d946bf60790eeb37a7c4f96e28382 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Thu, 23 Jul 2020 18:21:19 +0100 +Subject: drm/i915/gem: Serialise debugfs i915_gem_objects with ctx->mutex + +From: Chris Wilson + +commit 4fe9af8e881d946bf60790eeb37a7c4f96e28382 upstream. + +Since the debugfs may peek into the GEM contexts as the corresponding +client/fd is being closed, we may try and follow a dangling pointer. +However, the context closure itself is serialised with the ctx->mutex, +so if we hold that mutex as we inspect the state coupled in the context, +we know the pointers within the context are stable and will remain valid +as we inspect their tables. + +Signed-off-by: Chris Wilson +Cc: CQ Tang +Cc: Daniel Vetter +Cc: stable@vger.kernel.org +Reviewed-by: Tvrtko Ursulin +Link: https://patchwork.freedesktop.org/patch/msgid/20200723172119.17649-3-chris@chris-wilson.co.uk +(cherry picked from commit 102f5aa491f262c818e607fc4fee08a724a76c69) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_debugfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/i915/i915_debugfs.c ++++ b/drivers/gpu/drm/i915/i915_debugfs.c +@@ -326,6 +326,7 @@ static void print_context_stats(struct s + } + i915_gem_context_unlock_engines(ctx); + ++ mutex_lock(&ctx->mutex); + if (!IS_ERR_OR_NULL(ctx->file_priv)) { + struct file_stats stats = { + .vm = rcu_access_pointer(ctx->vm), +@@ -346,6 +347,7 @@ static void print_context_stats(struct s + + print_file_stats(m, name, stats); + } ++ mutex_unlock(&ctx->mutex); + + spin_lock(&i915->gem.contexts.lock); + list_safe_reset_next(ctx, cn, link); diff --git a/queue-5.9/evm-check-size-of-security.evm-before-using-it.patch b/queue-5.9/evm-check-size-of-security.evm-before-using-it.patch new file mode 100644 index 00000000000..972bb40f2ce --- /dev/null +++ b/queue-5.9/evm-check-size-of-security.evm-before-using-it.patch @@ -0,0 +1,38 @@ +From 455b6c9112eff8d249e32ba165742085678a80a4 Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Fri, 4 Sep 2020 11:23:30 +0200 +Subject: evm: Check size of security.evm before using it + +From: Roberto Sassu + +commit 455b6c9112eff8d249e32ba165742085678a80a4 upstream. + +This patch checks the size for the EVM_IMA_XATTR_DIGSIG and +EVM_XATTR_PORTABLE_DIGSIG types to ensure that the algorithm is read from +the buffer returned by vfs_getxattr_alloc(). + +Cc: stable@vger.kernel.org # 4.19.x +Fixes: 5feeb61183dde ("evm: Allow non-SHA1 digital signatures") +Signed-off-by: Roberto Sassu +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/evm/evm_main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/security/integrity/evm/evm_main.c ++++ b/security/integrity/evm/evm_main.c +@@ -181,6 +181,12 @@ static enum integrity_status evm_verify_ + break; + case EVM_IMA_XATTR_DIGSIG: + case EVM_XATTR_PORTABLE_DIGSIG: ++ /* accept xattr with non-empty signature field */ ++ if (xattr_len <= sizeof(struct signature_v2_hdr)) { ++ evm_status = INTEGRITY_FAIL; ++ goto out; ++ } ++ + hdr = (struct signature_v2_hdr *)xattr_data; + digest.hdr.algo = hdr->hash_algo; + rc = evm_calc_hash(dentry, xattr_name, xattr_value, diff --git a/queue-5.9/fuse-fix-page-dereference-after-free.patch b/queue-5.9/fuse-fix-page-dereference-after-free.patch new file mode 100644 index 00000000000..7a3a6111cb0 --- /dev/null +++ b/queue-5.9/fuse-fix-page-dereference-after-free.patch @@ -0,0 +1,111 @@ +From d78092e4937de9ce55edcb4ee4c5e3c707be0190 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Fri, 18 Sep 2020 10:36:50 +0200 +Subject: fuse: fix page dereference after free + +From: Miklos Szeredi + +commit d78092e4937de9ce55edcb4ee4c5e3c707be0190 upstream. + +After unlock_request() pages from the ap->pages[] array may be put (e.g. by +aborting the connection) and the pages can be freed. + +Prevent use after free by grabbing a reference to the page before calling +unlock_request(). + +The original patch was created by Pradeep P V K. + +Reported-by: Pradeep P V K +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/dev.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -785,15 +785,16 @@ static int fuse_try_move_page(struct fus + struct page *newpage; + struct pipe_buffer *buf = cs->pipebufs; + ++ get_page(oldpage); + err = unlock_request(cs->req); + if (err) +- return err; ++ goto out_put_old; + + fuse_copy_finish(cs); + + err = pipe_buf_confirm(cs->pipe, buf); + if (err) +- return err; ++ goto out_put_old; + + BUG_ON(!cs->nr_segs); + cs->currbuf = buf; +@@ -833,7 +834,7 @@ static int fuse_try_move_page(struct fus + err = replace_page_cache_page(oldpage, newpage, GFP_KERNEL); + if (err) { + unlock_page(newpage); +- return err; ++ goto out_put_old; + } + + get_page(newpage); +@@ -852,14 +853,19 @@ static int fuse_try_move_page(struct fus + if (err) { + unlock_page(newpage); + put_page(newpage); +- return err; ++ goto out_put_old; + } + + unlock_page(oldpage); ++ /* Drop ref for ap->pages[] array */ + put_page(oldpage); + cs->len = 0; + +- return 0; ++ err = 0; ++out_put_old: ++ /* Drop ref obtained in this function */ ++ put_page(oldpage); ++ return err; + + out_fallback_unlock: + unlock_page(newpage); +@@ -868,10 +874,10 @@ out_fallback: + cs->offset = buf->offset; + + err = lock_request(cs->req); +- if (err) +- return err; ++ if (!err) ++ err = 1; + +- return 1; ++ goto out_put_old; + } + + static int fuse_ref_page(struct fuse_copy_state *cs, struct page *page, +@@ -883,14 +889,16 @@ static int fuse_ref_page(struct fuse_cop + if (cs->nr_segs >= cs->pipe->max_usage) + return -EIO; + ++ get_page(page); + err = unlock_request(cs->req); +- if (err) ++ if (err) { ++ put_page(page); + return err; ++ } + + fuse_copy_finish(cs); + + buf = cs->pipebufs; +- get_page(page); + buf->page = page; + buf->offset = offset; + buf->len = count; diff --git a/queue-5.9/mm-mark-async-iocb-read-as-nowait-once-some-data-has-been-copied.patch b/queue-5.9/mm-mark-async-iocb-read-as-nowait-once-some-data-has-been-copied.patch new file mode 100644 index 00000000000..5ec1eefa488 --- /dev/null +++ b/queue-5.9/mm-mark-async-iocb-read-as-nowait-once-some-data-has-been-copied.patch @@ -0,0 +1,45 @@ +From 13bd691421bc191a402d2e0d3da5f248d170a632 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Sat, 17 Oct 2020 08:31:29 -0600 +Subject: mm: mark async iocb read as NOWAIT once some data has been copied + +From: Jens Axboe + +commit 13bd691421bc191a402d2e0d3da5f248d170a632 upstream. + +Once we've copied some data for an iocb that is marked with IOCB_WAITQ, +we should no longer attempt to async lock a new page. Instead make sure +we return the copied amount, and let the caller retry, instead of +returning -EIOCBQUEUED for a new page. + +This should only be possible with read-ahead disabled on the below +device, and multiple threads racing on the same file. Haven't been able +to reproduce on anything else. + +Cc: stable@vger.kernel.org # v5.9 +Fixes: 1a0a7853b901 ("mm: support async buffered reads in generic_file_buffered_read()") +Reported-by: Kent Overstreet +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + mm/filemap.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2179,6 +2179,14 @@ ssize_t generic_file_buffered_read(struc + last_index = (*ppos + iter->count + PAGE_SIZE-1) >> PAGE_SHIFT; + offset = *ppos & ~PAGE_MASK; + ++ /* ++ * If we've already successfully copied some data, then we ++ * can no longer safely return -EIOCBQUEUED. Hence mark ++ * an async read NOWAIT at that point. ++ */ ++ if (written && (iocb->ki_flags & IOCB_WAITQ)) ++ iocb->ki_flags |= IOCB_NOWAIT; ++ + for (;;) { + struct page *page; + pgoff_t end_index; diff --git a/queue-5.9/mtd-lpddr-fix-bad-logic-in-print_drs_error.patch b/queue-5.9/mtd-lpddr-fix-bad-logic-in-print_drs_error.patch new file mode 100644 index 00000000000..9714dc4200d --- /dev/null +++ b/queue-5.9/mtd-lpddr-fix-bad-logic-in-print_drs_error.patch @@ -0,0 +1,51 @@ +From 1c9c02bb22684f6949d2e7ddc0a3ff364fd5a6fc Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 27 Apr 2020 14:50:37 -0500 +Subject: mtd: lpddr: Fix bad logic in print_drs_error + +From: Gustavo A. R. Silva + +commit 1c9c02bb22684f6949d2e7ddc0a3ff364fd5a6fc upstream. + +Update logic for broken test. Use a more common logging style. + +It appears the logic in this function is broken for the +consecutive tests of + + if (prog_status & 0x3) + ... + else if (prog_status & 0x2) + ... + else (prog_status & 0x1) + ... + +Likely the first test should be + + if ((prog_status & 0x3) == 0x3) + +Found by inspection of include files using printk. + +Fixes: eb3db27507f7 ("[MTD] LPDDR PFOW definition") +Cc: stable@vger.kernel.org +Reported-by: Joe Perches +Signed-off-by: Gustavo A. R. Silva +Acked-by: Miquel Raynal +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/3fb0e29f5b601db8be2938a01d974b00c8788501.1588016644.git.gustavo@embeddedor.com +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/mtd/pfow.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/mtd/pfow.h ++++ b/include/linux/mtd/pfow.h +@@ -128,7 +128,7 @@ static inline void print_drs_error(unsig + + if (!(dsr & DSR_AVAILABLE)) + printk(KERN_NOTICE"DSR.15: (0) Device not Available\n"); +- if (prog_status & 0x03) ++ if ((prog_status & 0x03) == 0x03) + printk(KERN_NOTICE"DSR.9,8: (11) Attempt to program invalid " + "half with 41h command\n"); + else if (prog_status & 0x02) diff --git a/queue-5.9/p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch b/queue-5.9/p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch new file mode 100644 index 00000000000..7776eba6f8e --- /dev/null +++ b/queue-5.9/p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch @@ -0,0 +1,56 @@ +From 478762855b5ae9f68fa6ead1edf7abada70fcd5f Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Sun, 2 Aug 2020 21:29:49 +0800 +Subject: p54: avoid accessing the data mapped to streaming DMA + +From: Jia-Ju Bai + +commit 478762855b5ae9f68fa6ead1edf7abada70fcd5f upstream. + +In p54p_tx(), skb->data is mapped to streaming DMA on line 337: + mapping = pci_map_single(..., skb->data, ...); + +Then skb->data is accessed on line 349: + desc->device_addr = ((struct p54_hdr *)skb->data)->req_id; + +This access may cause data inconsistency between CPU cache and hardware. + +To fix this problem, ((struct p54_hdr *)skb->data)->req_id is stored in +a local variable before DMA mapping, and then the driver accesses this +local variable instead of skb->data. + +Cc: +Signed-off-by: Jia-Ju Bai +Acked-by: Christian Lamparter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200802132949.26788-1-baijiaju@tsinghua.edu.cn +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intersil/p54/p54pci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/intersil/p54/p54pci.c ++++ b/drivers/net/wireless/intersil/p54/p54pci.c +@@ -333,10 +333,12 @@ static void p54p_tx(struct ieee80211_hw + struct p54p_desc *desc; + dma_addr_t mapping; + u32 idx, i; ++ __le32 device_addr; + + spin_lock_irqsave(&priv->lock, flags); + idx = le32_to_cpu(ring_control->host_idx[1]); + i = idx % ARRAY_SIZE(ring_control->tx_data); ++ device_addr = ((struct p54_hdr *)skb->data)->req_id; + + mapping = dma_map_single(&priv->pdev->dev, skb->data, skb->len, + DMA_TO_DEVICE); +@@ -350,7 +352,7 @@ static void p54p_tx(struct ieee80211_hw + + desc = &ring_control->tx_data[i]; + desc->host_addr = cpu_to_le32(mapping); +- desc->device_addr = ((struct p54_hdr *)skb->data)->req_id; ++ desc->device_addr = device_addr; + desc->len = cpu_to_le16(skb->len); + desc->flags = 0; + diff --git a/queue-5.9/pci-aardvark-fix-initialization-with-old-marvell-s-arm-trusted-firmware.patch b/queue-5.9/pci-aardvark-fix-initialization-with-old-marvell-s-arm-trusted-firmware.patch new file mode 100644 index 00000000000..911da885316 --- /dev/null +++ b/queue-5.9/pci-aardvark-fix-initialization-with-old-marvell-s-arm-trusted-firmware.patch @@ -0,0 +1,49 @@ +From b0c6ae0f8948a2be6bf4e8b4bbab9ca1343289b6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Wed, 2 Sep 2020 16:43:44 +0200 +Subject: PCI: aardvark: Fix initialization with old Marvell's Arm Trusted Firmware +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +commit b0c6ae0f8948a2be6bf4e8b4bbab9ca1343289b6 upstream. + +Old ATF automatically power on pcie phy and does not provide SMC call for +phy power on functionality which leads to aardvark initialization failure: + +[ 0.330134] mvebu-a3700-comphy d0018300.phy: unsupported SMC call, try updating your firmware +[ 0.338846] phy phy-d0018300.phy.1: phy poweron failed --> -95 +[ 0.344753] advk-pcie d0070000.pcie: Failed to initialize PHY (-95) +[ 0.351160] advk-pcie: probe of d0070000.pcie failed with error -95 + +This patch fixes above failure by ignoring 'not supported' error in +aardvark driver. In this case it is expected that phy is already power on. + +Tested-by: Tomasz Maciej Nowak +Link: https://lore.kernel.org/r/20200902144344.16684-3-pali@kernel.org +Fixes: 366697018c9a ("PCI: aardvark: Add PHY support") +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Rob Herring +Cc: # 5.8+: ea17a0f153af: phy: marvell: comphy: Convert internal SMCC firmware return codes to errno +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/controller/pci-aardvark.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/pci/controller/pci-aardvark.c ++++ b/drivers/pci/controller/pci-aardvark.c +@@ -1076,7 +1076,9 @@ static int advk_pcie_enable_phy(struct a + } + + ret = phy_power_on(pcie->phy); +- if (ret) { ++ if (ret == -EOPNOTSUPP) { ++ dev_warn(&pcie->pdev->dev, "PHY unsupported by firmware\n"); ++ } else if (ret) { + phy_exit(pcie->phy); + return ret; + } diff --git a/queue-5.9/pm-runtime-fix-timer_expires-data-type-on-32-bit-arches.patch b/queue-5.9/pm-runtime-fix-timer_expires-data-type-on-32-bit-arches.patch new file mode 100644 index 00000000000..7d758a3cdd9 --- /dev/null +++ b/queue-5.9/pm-runtime-fix-timer_expires-data-type-on-32-bit-arches.patch @@ -0,0 +1,46 @@ +From 6b61d49a55796dbbc479eeb4465e59fd656c719c Mon Sep 17 00:00:00 2001 +From: Grygorii Strashko +Date: Fri, 18 Sep 2020 19:55:18 +0300 +Subject: PM: runtime: Fix timer_expires data type on 32-bit arches + +From: Grygorii Strashko + +commit 6b61d49a55796dbbc479eeb4465e59fd656c719c upstream. + +Commit 8234f6734c5d ("PM-runtime: Switch autosuspend over to using +hrtimers") switched PM runtime autosuspend to use hrtimers and all +related time accounting in ns, but missed to update the timer_expires +data type in struct dev_pm_info to u64. + +This causes the timer_expires value to be truncated on 32-bit +architectures when assignment is done from u64 values: + +rpm_suspend() +|- dev->power.timer_expires = expires; + +Fix it by changing the timer_expires type to u64. + +Fixes: 8234f6734c5d ("PM-runtime: Switch autosuspend over to using hrtimers") +Signed-off-by: Grygorii Strashko +Acked-by: Pavel Machek +Acked-by: Vincent Guittot +Cc: 5.0+ # 5.0+ +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/pm.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/pm.h ++++ b/include/linux/pm.h +@@ -590,7 +590,7 @@ struct dev_pm_info { + #endif + #ifdef CONFIG_PM + struct hrtimer suspend_timer; +- unsigned long timer_expires; ++ u64 timer_expires; + struct work_struct work; + wait_queue_head_t wait_queue; + struct wake_irq *wakeirq; diff --git a/queue-5.9/rdma-addr-fix-race-with-netevent_callback-rdma_addr_cancel.patch b/queue-5.9/rdma-addr-fix-race-with-netevent_callback-rdma_addr_cancel.patch new file mode 100644 index 00000000000..7cfc6a482a2 --- /dev/null +++ b/queue-5.9/rdma-addr-fix-race-with-netevent_callback-rdma_addr_cancel.patch @@ -0,0 +1,71 @@ +From 2ee9bf346fbfd1dad0933b9eb3a4c2c0979b633e Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Wed, 30 Sep 2020 10:20:07 +0300 +Subject: RDMA/addr: Fix race with netevent_callback()/rdma_addr_cancel() + +From: Jason Gunthorpe + +commit 2ee9bf346fbfd1dad0933b9eb3a4c2c0979b633e upstream. + +This three thread race can result in the work being run once the callback +becomes NULL: + + CPU1 CPU2 CPU3 + netevent_callback() + process_one_req() rdma_addr_cancel() + [..] + spin_lock_bh() + set_timeout() + spin_unlock_bh() + + spin_lock_bh() + list_del_init(&req->list); + spin_unlock_bh() + + req->callback = NULL + spin_lock_bh() + if (!list_empty(&req->list)) + // Skipped! + // cancel_delayed_work(&req->work); + spin_unlock_bh() + + process_one_req() // again + req->callback() // BOOM + cancel_delayed_work_sync() + +The solution is to always cancel the work once it is completed so any +in between set_timeout() does not result in it running again. + +Cc: stable@vger.kernel.org +Fixes: 44e75052bc2a ("RDMA/rdma_cm: Make rdma_addr_cancel into a fence") +Link: https://lore.kernel.org/r/20200930072007.1009692-1-leon@kernel.org +Reported-by: Dan Aloni +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/addr.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/core/addr.c ++++ b/drivers/infiniband/core/addr.c +@@ -647,13 +647,12 @@ static void process_one_req(struct work_ + req->callback = NULL; + + spin_lock_bh(&lock); ++ /* ++ * Although the work will normally have been canceled by the workqueue, ++ * it can still be requeued as long as it is on the req_list. ++ */ ++ cancel_delayed_work(&req->work); + if (!list_empty(&req->list)) { +- /* +- * Although the work will normally have been canceled by the +- * workqueue, it can still be requeued as long as it is on the +- * req_list. +- */ +- cancel_delayed_work(&req->work); + list_del_init(&req->list); + kfree(req); + } diff --git a/queue-5.9/serial-pl011-fix-lockdep-splat-when-handling-magic-sysrq-interrupt.patch b/queue-5.9/serial-pl011-fix-lockdep-splat-when-handling-magic-sysrq-interrupt.patch new file mode 100644 index 00000000000..e70829b21bc --- /dev/null +++ b/queue-5.9/serial-pl011-fix-lockdep-splat-when-handling-magic-sysrq-interrupt.patch @@ -0,0 +1,92 @@ +From 534cf755d9df99e214ddbe26b91cd4d81d2603e2 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 30 Sep 2020 13:04:32 +0100 +Subject: serial: pl011: Fix lockdep splat when handling magic-sysrq interrupt + +From: Peter Zijlstra + +commit 534cf755d9df99e214ddbe26b91cd4d81d2603e2 upstream. + +Issuing a magic-sysrq via the PL011 causes the following lockdep splat, +which is easily reproducible under QEMU: + + | sysrq: Changing Loglevel + | sysrq: Loglevel set to 9 + | + | ====================================================== + | WARNING: possible circular locking dependency detected + | 5.9.0-rc7 #1 Not tainted + | ------------------------------------------------------ + | systemd-journal/138 is trying to acquire lock: + | ffffab133ad950c0 (console_owner){-.-.}-{0:0}, at: console_lock_spinning_enable+0x34/0x70 + | + | but task is already holding lock: + | ffff0001fd47b098 (&port_lock_key){-.-.}-{2:2}, at: pl011_int+0x40/0x488 + | + | which lock already depends on the new lock. + + [...] + + | Possible unsafe locking scenario: + | + | CPU0 CPU1 + | ---- ---- + | lock(&port_lock_key); + | lock(console_owner); + | lock(&port_lock_key); + | lock(console_owner); + | + | *** DEADLOCK *** + +The issue being that CPU0 takes 'port_lock' on the irq path in pl011_int() +before taking 'console_owner' on the printk() path, whereas CPU1 takes +the two locks in the opposite order on the printk() path due to setting +the "console_owner" prior to calling into into the actual console driver. + +Fix this in the same way as the msm-serial driver by dropping 'port_lock' +before handling the sysrq. + +Cc: # 4.19+ +Cc: Russell King +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Link: https://lore.kernel.org/r/20200811101313.GA6970@willie-the-truck +Signed-off-by: Peter Zijlstra +Tested-by: Will Deacon +Signed-off-by: Will Deacon +Link: https://lore.kernel.org/r/20200930120432.16551-1-will@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/amba-pl011.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -308,8 +308,9 @@ static void pl011_write(unsigned int val + */ + static int pl011_fifo_to_tty(struct uart_amba_port *uap) + { +- u16 status; + unsigned int ch, flag, fifotaken; ++ int sysrq; ++ u16 status; + + for (fifotaken = 0; fifotaken != 256; fifotaken++) { + status = pl011_read(uap, REG_FR); +@@ -344,10 +345,12 @@ static int pl011_fifo_to_tty(struct uart + flag = TTY_FRAME; + } + +- if (uart_handle_sysrq_char(&uap->port, ch & 255)) +- continue; ++ spin_unlock(&uap->port.lock); ++ sysrq = uart_handle_sysrq_char(&uap->port, ch & 255); ++ spin_lock(&uap->port.lock); + +- uart_insert_char(&uap->port, ch, UART011_DR_OE, ch, flag); ++ if (!sysrq) ++ uart_insert_char(&uap->port, ch, UART011_DR_OE, ch, flag); + } + + return fifotaken; diff --git a/queue-5.9/serial-qcom_geni_serial-to-correct-qup-version-detection-logic.patch b/queue-5.9/serial-qcom_geni_serial-to-correct-qup-version-detection-logic.patch new file mode 100644 index 00000000000..b0f4e4e805e --- /dev/null +++ b/queue-5.9/serial-qcom_geni_serial-to-correct-qup-version-detection-logic.patch @@ -0,0 +1,57 @@ +From c9ca43d42ed8d5fd635d327a664ed1d8579eb2af Mon Sep 17 00:00:00 2001 +From: Paras Sharma +Date: Wed, 30 Sep 2020 11:35:26 +0530 +Subject: serial: qcom_geni_serial: To correct QUP Version detection logic + +From: Paras Sharma + +commit c9ca43d42ed8d5fd635d327a664ed1d8579eb2af upstream. + +For QUP IP versions 2.5 and above the oversampling rate is +halved from 32 to 16. + +Commit ce734600545f ("tty: serial: qcom_geni_serial: Update +the oversampling rate") is pushed to handle this scenario. +But the existing logic is failing to classify QUP Version 3.0 +into the correct group ( 2.5 and above). + +As result Serial Engine clocks are not configured properly for +baud rate and garbage data is sampled to FIFOs from the line. + +So, fix the logic to detect QUP with versions 2.5 and above. + +Fixes: ce734600545f ("tty: serial: qcom_geni_serial: Update the oversampling rate") +Cc: stable +Signed-off-by: Paras Sharma +Reviewed-by: Akash Asthana +Link: https://lore.kernel.org/r/1601445926-23673-1-git-send-email-parashar@codeaurora.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/qcom_geni_serial.c | 2 +- + include/linux/qcom-geni-se.h | 3 +++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/qcom_geni_serial.c ++++ b/drivers/tty/serial/qcom_geni_serial.c +@@ -1000,7 +1000,7 @@ static void qcom_geni_serial_set_termios + sampling_rate = UART_OVERSAMPLING; + /* Sampling rate is halved for IP versions >= 2.5 */ + ver = geni_se_get_qup_hw_version(&port->se); +- if (GENI_SE_VERSION_MAJOR(ver) >= 2 && GENI_SE_VERSION_MINOR(ver) >= 5) ++ if (ver >= QUP_SE_VERSION_2_5) + sampling_rate /= 2; + + clk_rate = get_clk_div_rate(baud, sampling_rate, &clk_div); +--- a/include/linux/qcom-geni-se.h ++++ b/include/linux/qcom-geni-se.h +@@ -248,6 +248,9 @@ struct geni_se { + #define GENI_SE_VERSION_MINOR(ver) ((ver & HW_VER_MINOR_MASK) >> HW_VER_MINOR_SHFT) + #define GENI_SE_VERSION_STEP(ver) (ver & HW_VER_STEP_MASK) + ++/* QUP SE VERSION value for major number 2 and minor number 5 */ ++#define QUP_SE_VERSION_2_5 0x20050000 ++ + /* + * Define bandwidth thresholds that cause the underlying Core 2X interconnect + * clock to run at the named frequency. These baseline values are recommended diff --git a/queue-5.9/series b/queue-5.9/series index ac72908105f..15ab230a4d4 100644 --- a/queue-5.9/series +++ b/queue-5.9/series @@ -50,3 +50,22 @@ net-smc-fix-invalid-return-code-in-smcd_new_buf_create.patch net-smc-fix-suppressed-return-code.patch net-protect-tcf_block_unbind-with-block-lock.patch erofs-avoid-duplicated-permission-check-for-trusted.-xattrs.patch +arch-x86-amd-ibs-fix-re-arming-ibs-fetch.patch +x86-traps-fix-de-oops-message-regression.patch +x86-xen-disable-firmware-first-mode-for-correctable-memory-errors.patch +pci-aardvark-fix-initialization-with-old-marvell-s-arm-trusted-firmware.patch +ata-ahci-mvebu-make-sata-phy-optional-for-armada-3720.patch +fuse-fix-page-dereference-after-free.patch +bpf-fix-comment-for-helper-bpf_current_task_under_cgroup.patch +evm-check-size-of-security.evm-before-using-it.patch +p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch +cxl-rework-error-message-for-incompatible-slots.patch +rdma-addr-fix-race-with-netevent_callback-rdma_addr_cancel.patch +mtd-lpddr-fix-bad-logic-in-print_drs_error.patch +drm-i915-gem-serialise-debugfs-i915_gem_objects-with-ctx-mutex.patch +serial-qcom_geni_serial-to-correct-qup-version-detection-logic.patch +serial-pl011-fix-lockdep-splat-when-handling-magic-sysrq-interrupt.patch +pm-runtime-fix-timer_expires-data-type-on-32-bit-arches.patch +ata-sata_rcar-fix-dma-boundary-mask.patch +mm-mark-async-iocb-read-as-nowait-once-some-data-has-been-copied.patch +xen-gntdev.c-mark-pages-as-dirty.patch diff --git a/queue-5.9/x86-traps-fix-de-oops-message-regression.patch b/queue-5.9/x86-traps-fix-de-oops-message-regression.patch new file mode 100644 index 00000000000..61b4235ad7f --- /dev/null +++ b/queue-5.9/x86-traps-fix-de-oops-message-regression.patch @@ -0,0 +1,36 @@ +From 5f1ec1fd32252af5130dac23b5542e8e66fe0bcb Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Mon, 12 Oct 2020 15:11:47 +0200 +Subject: x86/traps: Fix #DE Oops message regression + +From: Thomas Gleixner + +commit 5f1ec1fd32252af5130dac23b5542e8e66fe0bcb upstream. + +The conversion of #DE to the idtentry mechanism introduced a change in the +Ooops message which confuses tools which parse crash information in dmesg. + +Remove the underscore from 'divide_error' to restore previous behaviour. + +Fixes: 9d06c4027f21 ("x86/entry: Convert Divide Error to IDTENTRY") +Reported-by: Dmitry Vyukov +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/CACT4Y+bTZFkuZd7+bPArowOv-7Die+WZpfOWnEO_Wgs3U59+oA@mail.gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/traps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -195,7 +195,7 @@ static __always_inline void __user *erro + + DEFINE_IDTENTRY(exc_divide_error) + { +- do_error_trap(regs, 0, "divide_error", X86_TRAP_DE, SIGFPE, ++ do_error_trap(regs, 0, "divide error", X86_TRAP_DE, SIGFPE, + FPE_INTDIV, error_get_trap_addr(regs)); + } + diff --git a/queue-5.9/x86-xen-disable-firmware-first-mode-for-correctable-memory-errors.patch b/queue-5.9/x86-xen-disable-firmware-first-mode-for-correctable-memory-errors.patch new file mode 100644 index 00000000000..cbd98150a0c --- /dev/null +++ b/queue-5.9/x86-xen-disable-firmware-first-mode-for-correctable-memory-errors.patch @@ -0,0 +1,56 @@ +From d759af38572f97321112a0852353613d18126038 Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Fri, 25 Sep 2020 16:07:51 +0200 +Subject: x86/xen: disable Firmware First mode for correctable memory errors + +From: Juergen Gross + +commit d759af38572f97321112a0852353613d18126038 upstream. + +When running as Xen dom0 the kernel isn't responsible for selecting the +error handling mode, this should be handled by the hypervisor. + +So disable setting FF mode when running as Xen pv guest. Not doing so +might result in boot splats like: + +[ 7.509696] HEST: Enabling Firmware First mode for corrected errors. +[ 7.510382] mce: [Firmware Bug]: Ignoring request to disable invalid MCA bank 2. +[ 7.510383] mce: [Firmware Bug]: Ignoring request to disable invalid MCA bank 3. +[ 7.510384] mce: [Firmware Bug]: Ignoring request to disable invalid MCA bank 4. +[ 7.510384] mce: [Firmware Bug]: Ignoring request to disable invalid MCA bank 5. +[ 7.510385] mce: [Firmware Bug]: Ignoring request to disable invalid MCA bank 6. +[ 7.510386] mce: [Firmware Bug]: Ignoring request to disable invalid MCA bank 7. +[ 7.510386] mce: [Firmware Bug]: Ignoring request to disable invalid MCA bank 8. + +Reason is that the HEST ACPI table contains the real number of MCA +banks, while the hypervisor is emulating only 2 banks for guests. + +Cc: stable@vger.kernel.org +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Link: https://lore.kernel.org/r/20200925140751.31381-1-jgross@suse.com +Signed-off-by: Boris Ostrovsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/xen/enlighten_pv.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/arch/x86/xen/enlighten_pv.c ++++ b/arch/x86/xen/enlighten_pv.c +@@ -1376,6 +1376,15 @@ asmlinkage __visible void __init xen_sta + x86_init.mpparse.get_smp_config = x86_init_uint_noop; + + xen_boot_params_init_edd(); ++ ++#ifdef CONFIG_ACPI ++ /* ++ * Disable selecting "Firmware First mode" for correctable ++ * memory errors, as this is the duty of the hypervisor to ++ * decide. ++ */ ++ acpi_disable_cmcff = 1; ++#endif + } + + if (!boot_params.screen_info.orig_video_isVGA) diff --git a/queue-5.9/xen-gntdev.c-mark-pages-as-dirty.patch b/queue-5.9/xen-gntdev.c-mark-pages-as-dirty.patch new file mode 100644 index 00000000000..77f0d05b8aa --- /dev/null +++ b/queue-5.9/xen-gntdev.c-mark-pages-as-dirty.patch @@ -0,0 +1,95 @@ +From 779055842da5b2e508f3ccf9a8153cb1f704f566 Mon Sep 17 00:00:00 2001 +From: Souptick Joarder +Date: Sun, 6 Sep 2020 12:21:53 +0530 +Subject: xen/gntdev.c: Mark pages as dirty + +From: Souptick Joarder + +commit 779055842da5b2e508f3ccf9a8153cb1f704f566 upstream. + +There seems to be a bug in the original code when gntdev_get_page() +is called with writeable=true then the page needs to be marked dirty +before being put. + +To address this, a bool writeable is added in gnt_dev_copy_batch, set +it in gntdev_grant_copy_seg() (and drop `writeable` argument to +gntdev_get_page()) and then, based on batch->writeable, use +set_page_dirty_lock(). + +Fixes: a4cdb556cae0 (xen/gntdev: add ioctl for grant copy) +Suggested-by: Boris Ostrovsky +Signed-off-by: Souptick Joarder +Cc: John Hubbard +Cc: Boris Ostrovsky +Cc: Juergen Gross +Cc: David Vrabel +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/1599375114-32360-1-git-send-email-jrdr.linux@gmail.com +Reviewed-by: Boris Ostrovsky +Signed-off-by: Boris Ostrovsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/gntdev.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/xen/gntdev.c ++++ b/drivers/xen/gntdev.c +@@ -720,17 +720,18 @@ struct gntdev_copy_batch { + s16 __user *status[GNTDEV_COPY_BATCH]; + unsigned int nr_ops; + unsigned int nr_pages; ++ bool writeable; + }; + + static int gntdev_get_page(struct gntdev_copy_batch *batch, void __user *virt, +- bool writeable, unsigned long *gfn) ++ unsigned long *gfn) + { + unsigned long addr = (unsigned long)virt; + struct page *page; + unsigned long xen_pfn; + int ret; + +- ret = get_user_pages_fast(addr, 1, writeable ? FOLL_WRITE : 0, &page); ++ ret = get_user_pages_fast(addr, 1, batch->writeable ? FOLL_WRITE : 0, &page); + if (ret < 0) + return ret; + +@@ -746,9 +747,13 @@ static void gntdev_put_pages(struct gntd + { + unsigned int i; + +- for (i = 0; i < batch->nr_pages; i++) ++ for (i = 0; i < batch->nr_pages; i++) { ++ if (batch->writeable && !PageDirty(batch->pages[i])) ++ set_page_dirty_lock(batch->pages[i]); + put_page(batch->pages[i]); ++ } + batch->nr_pages = 0; ++ batch->writeable = false; + } + + static int gntdev_copy(struct gntdev_copy_batch *batch) +@@ -837,8 +842,9 @@ static int gntdev_grant_copy_seg(struct + virt = seg->source.virt + copied; + off = (unsigned long)virt & ~XEN_PAGE_MASK; + len = min(len, (size_t)XEN_PAGE_SIZE - off); ++ batch->writeable = false; + +- ret = gntdev_get_page(batch, virt, false, &gfn); ++ ret = gntdev_get_page(batch, virt, &gfn); + if (ret < 0) + return ret; + +@@ -856,8 +862,9 @@ static int gntdev_grant_copy_seg(struct + virt = seg->dest.virt + copied; + off = (unsigned long)virt & ~XEN_PAGE_MASK; + len = min(len, (size_t)XEN_PAGE_SIZE - off); ++ batch->writeable = true; + +- ret = gntdev_get_page(batch, virt, true, &gfn); ++ ret = gntdev_get_page(batch, virt, &gfn); + if (ret < 0) + return ret; +