From: Sasha Levin Date: Mon, 27 Sep 2021 05:02:46 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v5.4.150~28 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0e664c81f20d7fb68861ab1efa57849246d4be60;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch b/queue-5.10/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch new file mode 100644 index 00000000000..52477abc5ff --- /dev/null +++ b/queue-5.10/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch @@ -0,0 +1,69 @@ +From 1762aff77c5c4e0d3ada24663ece5df61175249d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 22:00:33 -0700 +Subject: alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to + volatile + +From: Guenter Roeck + +[ Upstream commit 35a3f4ef0ab543daa1725b0c963eb8c05e3376f8 ] + +Some drivers pass a pointer to volatile data to virt_to_bus() and +virt_to_phys(), and that works fine. One exception is alpha. This +results in a number of compile errors such as + + drivers/net/wan/lmc/lmc_main.c: In function 'lmc_softreset': + drivers/net/wan/lmc/lmc_main.c:1782:50: error: + passing argument 1 of 'virt_to_bus' discards 'volatile' + qualifier from pointer target type + + drivers/atm/ambassador.c: In function 'do_loader_command': + drivers/atm/ambassador.c:1747:58: error: + passing argument 1 of 'virt_to_bus' discards 'volatile' + qualifier from pointer target type + +Declare the parameter of virt_to_phys and virt_to_bus as pointer to +volatile to fix the problem. + +Signed-off-by: Guenter Roeck +Acked-by: Arnd Bergmann +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/alpha/include/asm/io.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/alpha/include/asm/io.h b/arch/alpha/include/asm/io.h +index 1f6a909d1fa5..7bc2f444a89a 100644 +--- a/arch/alpha/include/asm/io.h ++++ b/arch/alpha/include/asm/io.h +@@ -60,7 +60,7 @@ extern inline void set_hae(unsigned long new_hae) + * Change virtual addresses to physical addresses and vv. + */ + #ifdef USE_48_BIT_KSEG +-static inline unsigned long virt_to_phys(void *address) ++static inline unsigned long virt_to_phys(volatile void *address) + { + return (unsigned long)address - IDENT_ADDR; + } +@@ -70,7 +70,7 @@ static inline void * phys_to_virt(unsigned long address) + return (void *) (address + IDENT_ADDR); + } + #else +-static inline unsigned long virt_to_phys(void *address) ++static inline unsigned long virt_to_phys(volatile void *address) + { + unsigned long phys = (unsigned long)address; + +@@ -106,7 +106,7 @@ static inline void * phys_to_virt(unsigned long address) + extern unsigned long __direct_map_base; + extern unsigned long __direct_map_size; + +-static inline unsigned long __deprecated virt_to_bus(void *address) ++static inline unsigned long __deprecated virt_to_bus(volatile void *address) + { + unsigned long phys = virt_to_phys(address); + unsigned long bus = phys + __direct_map_base; +-- +2.33.0 + diff --git a/queue-5.10/amd-display-downgrade-validation-failure-log-level.patch b/queue-5.10/amd-display-downgrade-validation-failure-log-level.patch new file mode 100644 index 00000000000..3725943fe73 --- /dev/null +++ b/queue-5.10/amd-display-downgrade-validation-failure-log-level.patch @@ -0,0 +1,50 @@ +From 6a27d9f64dcec41694e36c6f89974f77b5352d54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 14:19:34 +0000 +Subject: amd/display: downgrade validation failure log level + +From: Simon Ser + +[ Upstream commit 7bbee36d71502ab9a341505da89a017c7ae2e6b2 ] + +In amdgpu_dm_atomic_check, dc_validate_global_state is called. On +failure this logs a warning to the kernel journal. However warnings +shouldn't be used for atomic test-only commit failures: user-space +might be perfoming a lot of atomic test-only commits to find the +best hardware configuration. + +Downgrade the log to a regular DRM atomic message. While at it, use +the new device-aware logging infrastructure. + +This fixes error messages in the kernel when running gamescope [1]. + +[1]: https://github.com/Plagman/gamescope/issues/245 + +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Simon Ser +Cc: Alex Deucher +Cc: Harry Wentland +Cc: Nicholas Kazlauskas +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index bc9df3f216f5..ce21a21ddb23 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -8962,7 +8962,8 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev, + goto fail; + status = dc_validate_global_state(dc, dm_state->context, false); + if (status != DC_OK) { +- DC_LOG_WARNING("DC global validation failure: %s (%d)", ++ drm_dbg_atomic(dev, ++ "DC global validation failure: %s (%d)", + dc_status_to_str(status), status); + ret = -EINVAL; + goto fail; +-- +2.33.0 + diff --git a/queue-5.10/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch b/queue-5.10/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch new file mode 100644 index 00000000000..13d19c49dba --- /dev/null +++ b/queue-5.10/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch @@ -0,0 +1,42 @@ +From f9566caa50a9eb0a6dd2bef7597b706eb21d1649 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 17:44:02 +0800 +Subject: arm64: Mark __stack_chk_guard as __ro_after_init + +From: Dan Li + +[ Upstream commit 9fcb2e93f41c07a400885325e7dbdfceba6efaec ] + +__stack_chk_guard is setup once while init stage and never changed +after that. + +Although the modification of this variable at runtime will usually +cause the kernel to crash (so does the attacker), it should be marked +as __ro_after_init, and it should not affect performance if it is +placed in the ro_after_init section. + +Signed-off-by: Dan Li +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/1631612642-102881-1-git-send-email-ashimida@linux.alibaba.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/process.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c +index ed919f633ed8..4999caff3281 100644 +--- a/arch/arm64/kernel/process.c ++++ b/arch/arm64/kernel/process.c +@@ -60,7 +60,7 @@ + + #if defined(CONFIG_STACKPROTECTOR) && !defined(CONFIG_STACKPROTECTOR_PER_TASK) + #include +-unsigned long __stack_chk_guard __read_mostly; ++unsigned long __stack_chk_guard __ro_after_init; + EXPORT_SYMBOL(__stack_chk_guard); + #endif + +-- +2.33.0 + diff --git a/queue-5.10/blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch b/queue-5.10/blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch new file mode 100644 index 00000000000..c9d1ef4b705 --- /dev/null +++ b/queue-5.10/blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch @@ -0,0 +1,181 @@ +From fa2c85ed99229f7f863ffeb5777d44259452c476 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 12:26:05 +0800 +Subject: blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd + +From: Li Jinlin + +[ Upstream commit 858560b27645e7e97aca37ee8f232cccd658fbd2 ] + +KASAN reports a use-after-free report when doing fuzz test: + +[693354.104835] ================================================================== +[693354.105094] BUG: KASAN: use-after-free in bfq_io_set_weight_legacy+0xd3/0x160 +[693354.105336] Read of size 4 at addr ffff888be0a35664 by task sh/1453338 + +[693354.105607] CPU: 41 PID: 1453338 Comm: sh Kdump: loaded Not tainted 4.18.0-147 +[693354.105610] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 07/02/2018 +[693354.105612] Call Trace: +[693354.105621] dump_stack+0xf1/0x19b +[693354.105626] ? show_regs_print_info+0x5/0x5 +[693354.105634] ? printk+0x9c/0xc3 +[693354.105638] ? cpumask_weight+0x1f/0x1f +[693354.105648] print_address_description+0x70/0x360 +[693354.105654] kasan_report+0x1b2/0x330 +[693354.105659] ? bfq_io_set_weight_legacy+0xd3/0x160 +[693354.105665] ? bfq_io_set_weight_legacy+0xd3/0x160 +[693354.105670] bfq_io_set_weight_legacy+0xd3/0x160 +[693354.105675] ? bfq_cpd_init+0x20/0x20 +[693354.105683] cgroup_file_write+0x3aa/0x510 +[693354.105693] ? ___slab_alloc+0x507/0x540 +[693354.105698] ? cgroup_file_poll+0x60/0x60 +[693354.105702] ? 0xffffffff89600000 +[693354.105708] ? usercopy_abort+0x90/0x90 +[693354.105716] ? mutex_lock+0xef/0x180 +[693354.105726] kernfs_fop_write+0x1ab/0x280 +[693354.105732] ? cgroup_file_poll+0x60/0x60 +[693354.105738] vfs_write+0xe7/0x230 +[693354.105744] ksys_write+0xb0/0x140 +[693354.105749] ? __ia32_sys_read+0x50/0x50 +[693354.105760] do_syscall_64+0x112/0x370 +[693354.105766] ? syscall_return_slowpath+0x260/0x260 +[693354.105772] ? do_page_fault+0x9b/0x270 +[693354.105779] ? prepare_exit_to_usermode+0xf9/0x1a0 +[693354.105784] ? enter_from_user_mode+0x30/0x30 +[693354.105793] entry_SYSCALL_64_after_hwframe+0x65/0xca + +[693354.105875] Allocated by task 1453337: +[693354.106001] kasan_kmalloc+0xa0/0xd0 +[693354.106006] kmem_cache_alloc_node_trace+0x108/0x220 +[693354.106010] bfq_pd_alloc+0x96/0x120 +[693354.106015] blkcg_activate_policy+0x1b7/0x2b0 +[693354.106020] bfq_create_group_hierarchy+0x1e/0x80 +[693354.106026] bfq_init_queue+0x678/0x8c0 +[693354.106031] blk_mq_init_sched+0x1f8/0x460 +[693354.106037] elevator_switch_mq+0xe1/0x240 +[693354.106041] elevator_switch+0x25/0x40 +[693354.106045] elv_iosched_store+0x1a1/0x230 +[693354.106049] queue_attr_store+0x78/0xb0 +[693354.106053] kernfs_fop_write+0x1ab/0x280 +[693354.106056] vfs_write+0xe7/0x230 +[693354.106060] ksys_write+0xb0/0x140 +[693354.106064] do_syscall_64+0x112/0x370 +[693354.106069] entry_SYSCALL_64_after_hwframe+0x65/0xca + +[693354.106114] Freed by task 1453336: +[693354.106225] __kasan_slab_free+0x130/0x180 +[693354.106229] kfree+0x90/0x1b0 +[693354.106233] blkcg_deactivate_policy+0x12c/0x220 +[693354.106238] bfq_exit_queue+0xf5/0x110 +[693354.106241] blk_mq_exit_sched+0x104/0x130 +[693354.106245] __elevator_exit+0x45/0x60 +[693354.106249] elevator_switch_mq+0xd6/0x240 +[693354.106253] elevator_switch+0x25/0x40 +[693354.106257] elv_iosched_store+0x1a1/0x230 +[693354.106261] queue_attr_store+0x78/0xb0 +[693354.106264] kernfs_fop_write+0x1ab/0x280 +[693354.106268] vfs_write+0xe7/0x230 +[693354.106271] ksys_write+0xb0/0x140 +[693354.106275] do_syscall_64+0x112/0x370 +[693354.106280] entry_SYSCALL_64_after_hwframe+0x65/0xca + +[693354.106329] The buggy address belongs to the object at ffff888be0a35580 + which belongs to the cache kmalloc-1k of size 1024 +[693354.106736] The buggy address is located 228 bytes inside of + 1024-byte region [ffff888be0a35580, ffff888be0a35980) +[693354.107114] The buggy address belongs to the page: +[693354.107273] page:ffffea002f828c00 count:1 mapcount:0 mapping:ffff888107c17080 index:0x0 compound_mapcount: 0 +[693354.107606] flags: 0x17ffffc0008100(slab|head) +[693354.107760] raw: 0017ffffc0008100 ffffea002fcbc808 ffffea0030bd3a08 ffff888107c17080 +[693354.108020] raw: 0000000000000000 00000000001c001c 00000001ffffffff 0000000000000000 +[693354.108278] page dumped because: kasan: bad access detected + +[693354.108511] Memory state around the buggy address: +[693354.108671] ffff888be0a35500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[693354.116396] ffff888be0a35580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[693354.124473] >ffff888be0a35600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[693354.132421] ^ +[693354.140284] ffff888be0a35680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[693354.147912] ffff888be0a35700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[693354.155281] ================================================================== + +blkgs are protected by both queue and blkcg locks and holding +either should stabilize them. However, the path of destroying +blkg policy data is only protected by queue lock in +blkcg_activate_policy()/blkcg_deactivate_policy(). Other tasks +can get the blkg policy data before the blkg policy data is +destroyed, and use it after destroyed, which will result in a +use-after-free. + +CPU0 CPU1 +blkcg_deactivate_policy + spin_lock_irq(&q->queue_lock) + bfq_io_set_weight_legacy + spin_lock_irq(&blkcg->lock) + blkg_to_bfqg(blkg) + pd_to_bfqg(blkg->pd[pol->plid]) + ^^^^^^blkg->pd[pol->plid] != NULL + bfqg != NULL + pol->pd_free_fn(blkg->pd[pol->plid]) + pd_to_bfqg(blkg->pd[pol->plid]) + bfqg_put(bfqg) + kfree(bfqg) + blkg->pd[pol->plid] = NULL + spin_unlock_irq(q->queue_lock); + bfq_group_set_weight(bfqg, val, 0) + bfqg->entity.new_weight + ^^^^^^trigger uaf here + spin_unlock_irq(&blkcg->lock); + +Fix by grabbing the matching blkcg lock before trying to +destroy blkg policy data. + +Suggested-by: Tejun Heo +Signed-off-by: Li Jinlin +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20210914042605.3260596-1-lijinlin3@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-cgroup.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c +index f13688c4b931..5b19665bc486 100644 +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -1387,10 +1387,14 @@ enomem: + /* alloc failed, nothing's initialized yet, free everything */ + spin_lock_irq(&q->queue_lock); + list_for_each_entry(blkg, &q->blkg_list, q_node) { ++ struct blkcg *blkcg = blkg->blkcg; ++ ++ spin_lock(&blkcg->lock); + if (blkg->pd[pol->plid]) { + pol->pd_free_fn(blkg->pd[pol->plid]); + blkg->pd[pol->plid] = NULL; + } ++ spin_unlock(&blkcg->lock); + } + spin_unlock_irq(&q->queue_lock); + ret = -ENOMEM; +@@ -1422,12 +1426,16 @@ void blkcg_deactivate_policy(struct request_queue *q, + __clear_bit(pol->plid, q->blkcg_pols); + + list_for_each_entry(blkg, &q->blkg_list, q_node) { ++ struct blkcg *blkcg = blkg->blkcg; ++ ++ spin_lock(&blkcg->lock); + if (blkg->pd[pol->plid]) { + if (pol->pd_offline_fn) + pol->pd_offline_fn(blkg->pd[pol->plid]); + pol->pd_free_fn(blkg->pd[pol->plid]); + blkg->pd[pol->plid] = NULL; + } ++ spin_unlock(&blkcg->lock); + } + + spin_unlock_irq(&q->queue_lock); +-- +2.33.0 + diff --git a/queue-5.10/blk-mq-avoid-to-iterate-over-stale-request.patch b/queue-5.10/blk-mq-avoid-to-iterate-over-stale-request.patch new file mode 100644 index 00000000000..bfc8bcf757b --- /dev/null +++ b/queue-5.10/blk-mq-avoid-to-iterate-over-stale-request.patch @@ -0,0 +1,54 @@ +From 227bd808d7d712a1b5cf2e04c54d8c6a4fda6e4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 14:50:03 +0800 +Subject: blk-mq: avoid to iterate over stale request + +From: Ming Lei + +[ Upstream commit 67f3b2f822b7e71cfc9b42dbd9f3144fa2933e0b ] + +blk-mq can't run allocating driver tag and updating ->rqs[tag] +atomically, meantime blk-mq doesn't clear ->rqs[tag] after the driver +tag is released. + +So there is chance to iterating over one stale request just after the +tag is allocated and before updating ->rqs[tag]. + +scsi_host_busy_iter() calls scsi_host_check_in_flight() to count scsi +in-flight requests after scsi host is blocked, so no new scsi command can +be marked as SCMD_STATE_INFLIGHT. However, driver tag allocation still can +be run by blk-mq core. One request is marked as SCMD_STATE_INFLIGHT, +but this request may have been kept in another slot of ->rqs[], meantime +the slot can be allocated out but ->rqs[] isn't updated yet. Then this +in-flight request is counted twice as SCMD_STATE_INFLIGHT. This way causes +trouble in handling scsi error. + +Fixes the issue by not iterating over stale request. + +Cc: linux-scsi@vger.kernel.org +Cc: "Martin K. Petersen" +Reported-by: luojiaxing +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20210906065003.439019-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq-tag.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c +index c4f2f6c123ae..16ad9e656610 100644 +--- a/block/blk-mq-tag.c ++++ b/block/blk-mq-tag.c +@@ -207,7 +207,7 @@ static struct request *blk_mq_find_and_get_req(struct blk_mq_tags *tags, + + spin_lock_irqsave(&tags->lock, flags); + rq = tags->rqs[bitnr]; +- if (!rq || !refcount_inc_not_zero(&rq->ref)) ++ if (!rq || rq->tag != bitnr || !refcount_inc_not_zero(&rq->ref)) + rq = NULL; + spin_unlock_irqrestore(&tags->lock, flags); + return rq; +-- +2.33.0 + diff --git a/queue-5.10/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch b/queue-5.10/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch new file mode 100644 index 00000000000..baf7326aa2e --- /dev/null +++ b/queue-5.10/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch @@ -0,0 +1,93 @@ +From ec28ccbdf9a75095d928a05d8bfaf4699be05e23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 21:49:21 +0800 +Subject: blktrace: Fix uaf in blk_trace access after removing by sysfs + +From: Zhihao Cheng + +[ Upstream commit 5afedf670caf30a2b5a52da96eb7eac7dee6a9c9 ] + +There is an use-after-free problem triggered by following process: + + P1(sda) P2(sdb) + echo 0 > /sys/block/sdb/trace/enable + blk_trace_remove_queue + synchronize_rcu + blk_trace_free + relay_close +rcu_read_lock +__blk_add_trace + trace_note_tsk + (Iterate running_trace_list) + relay_close_buf + relay_destroy_buf + kfree(buf) + trace_note(sdb's bt) + relay_reserve + buf->offset <- nullptr deference (use-after-free) !!! +rcu_read_unlock + +[ 502.714379] BUG: kernel NULL pointer dereference, address: +0000000000000010 +[ 502.715260] #PF: supervisor read access in kernel mode +[ 502.715903] #PF: error_code(0x0000) - not-present page +[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0 +[ 502.717252] Oops: 0000 [#1] SMP +[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360 +[ 502.732872] Call Trace: +[ 502.733193] __blk_add_trace.cold+0x137/0x1a3 +[ 502.733734] blk_add_trace_rq+0x7b/0xd0 +[ 502.734207] blk_add_trace_rq_issue+0x54/0xa0 +[ 502.734755] blk_mq_start_request+0xde/0x1b0 +[ 502.735287] scsi_queue_rq+0x528/0x1140 +... +[ 502.742704] sg_new_write.isra.0+0x16e/0x3e0 +[ 502.747501] sg_ioctl+0x466/0x1100 + +Reproduce method: + ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) + ioctl(/dev/sda, BLKTRACESTART) + ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) + ioctl(/dev/sdb, BLKTRACESTART) + + echo 0 > /sys/block/sdb/trace/enable & + // Add delay(mdelay/msleep) before kernel enters blk_trace_free() + + ioctl$SG_IO(/dev/sda, SG_IO, ...) + // Enters trace_note_tsk() after blk_trace_free() returned + // Use mdelay in rcu region rather than msleep(which may schedule out) + +Remove blk_trace from running_list before calling blk_trace_free() by +sysfs if blk_trace is at Blktrace_running state. + +Fixes: c71a896154119f ("blktrace: add ftrace plugin") +Signed-off-by: Zhihao Cheng +Link: https://lore.kernel.org/r/20210923134921.109194-1-chengzhihao1@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + kernel/trace/blktrace.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c +index f1022945e346..b89ff188a618 100644 +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -1670,6 +1670,14 @@ static int blk_trace_remove_queue(struct request_queue *q) + if (bt == NULL) + return -EINVAL; + ++ if (bt->trace_state == Blktrace_running) { ++ bt->trace_state = Blktrace_stopped; ++ spin_lock_irq(&running_trace_lock); ++ list_del_init(&bt->running_list); ++ spin_unlock_irq(&running_trace_lock); ++ relay_flush(bt->rchan); ++ } ++ + put_probe_ref(); + synchronize_rcu(); + blk_trace_free(bt); +-- +2.33.0 + diff --git a/queue-5.10/block-check-if-a-profile-is-actually-registered-in-b.patch b/queue-5.10/block-check-if-a-profile-is-actually-registered-in-b.patch new file mode 100644 index 00000000000..6687e77e453 --- /dev/null +++ b/queue-5.10/block-check-if-a-profile-is-actually-registered-in-b.patch @@ -0,0 +1,45 @@ +From edb88edac4306db98fb38eb936e56bfe64b0442b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 09:06:55 +0200 +Subject: block: check if a profile is actually registered in + blk_integrity_unregister + +From: Christoph Hellwig + +[ Upstream commit 783a40a1b3ac7f3714d2776fa8ac8cce3535e4f6 ] + +While clearing the profile itself is harmless, we really should not clear +the stable writes flag if it wasn't set due to a registered integrity +profile. + +Reported-by: Lihong Kou +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Link: https://lore.kernel.org/r/20210914070657.87677-2-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-integrity.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/block/blk-integrity.c b/block/blk-integrity.c +index 410da060d1f5..e9f943de377a 100644 +--- a/block/blk-integrity.c ++++ b/block/blk-integrity.c +@@ -426,8 +426,12 @@ EXPORT_SYMBOL(blk_integrity_register); + */ + void blk_integrity_unregister(struct gendisk *disk) + { ++ struct blk_integrity *bi = &disk->queue->integrity; ++ ++ if (!bi->profile) ++ return; + blk_queue_flag_clear(QUEUE_FLAG_STABLE_WRITES, disk->queue); +- memset(&disk->queue->integrity, 0, sizeof(struct blk_integrity)); ++ memset(bi, 0, sizeof(*bi)); + } + EXPORT_SYMBOL(blk_integrity_unregister); + +-- +2.33.0 + diff --git a/queue-5.10/block-flush-the-integrity-workqueue-in-blk_integrity.patch b/queue-5.10/block-flush-the-integrity-workqueue-in-blk_integrity.patch new file mode 100644 index 00000000000..1963f6e1ced --- /dev/null +++ b/queue-5.10/block-flush-the-integrity-workqueue-in-blk_integrity.patch @@ -0,0 +1,54 @@ +From f8a1fadc26a0de9a85093ee809455f9999997406 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 09:06:56 +0200 +Subject: block: flush the integrity workqueue in blk_integrity_unregister + +From: Lihong Kou + +[ Upstream commit 3df49967f6f1d2121b0c27c381ca1c8386b1dab9 ] + +When the integrity profile is unregistered there can still be integrity +reads queued up which could see a NULL verify_fn as shown by the race +window below: + +CPU0 CPU1 + process_one_work nvme_validate_ns + bio_integrity_verify_fn nvme_update_ns_info + nvme_update_disk_info + blk_integrity_unregister + ---set queue->integrity as 0 + bio_integrity_process + --access bi->profile->verify_fn(bi is a pointer of queue->integity) + +Before calling blk_integrity_unregister in nvme_update_disk_info, we must +make sure that there is no work item in the kintegrityd_wq. Just call +blk_flush_integrity to flush the work queue so the bug can be resolved. + +Signed-off-by: Lihong Kou +[hch: split up and shortened the changelog] +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Link: https://lore.kernel.org/r/20210914070657.87677-3-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-integrity.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/block/blk-integrity.c b/block/blk-integrity.c +index e9f943de377a..9e83159f5a52 100644 +--- a/block/blk-integrity.c ++++ b/block/blk-integrity.c +@@ -430,6 +430,9 @@ void blk_integrity_unregister(struct gendisk *disk) + + if (!bi->profile) + return; ++ ++ /* ensure all bios are off the integrity workqueue */ ++ blk_flush_integrity(); + blk_queue_flag_clear(QUEUE_FLAG_STABLE_WRITES, disk->queue); + memset(bi, 0, sizeof(*bi)); + } +-- +2.33.0 + diff --git a/queue-5.10/bpf-add-oversize-check-before-call-kvcalloc.patch b/queue-5.10/bpf-add-oversize-check-before-call-kvcalloc.patch new file mode 100644 index 00000000000..294e50c3f47 --- /dev/null +++ b/queue-5.10/bpf-add-oversize-check-before-call-kvcalloc.patch @@ -0,0 +1,60 @@ +From 589e2ba599559d98ef80ac20454a425b51d37539 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Sep 2021 08:55:57 +0800 +Subject: bpf: Add oversize check before call kvcalloc() + +From: Bixuan Cui + +[ Upstream commit 0e6491b559704da720f6da09dd0a52c4df44c514 ] + +Commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls") add the +oversize check. When the allocation is larger than what kmalloc() supports, +the following warning triggered: + +WARNING: CPU: 0 PID: 8408 at mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597 +Modules linked in: +CPU: 0 PID: 8408 Comm: syz-executor221 Not tainted 5.14.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:kvmalloc_node+0x108/0x110 mm/util.c:597 +Call Trace: + kvmalloc include/linux/mm.h:806 [inline] + kvmalloc_array include/linux/mm.h:824 [inline] + kvcalloc include/linux/mm.h:829 [inline] + check_btf_line kernel/bpf/verifier.c:9925 [inline] + check_btf_info kernel/bpf/verifier.c:10049 [inline] + bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759 + bpf_prog_load kernel/bpf/syscall.c:2301 [inline] + __sys_bpf+0x11181/0x126e0 kernel/bpf/syscall.c:4587 + __do_sys_bpf kernel/bpf/syscall.c:4691 [inline] + __se_sys_bpf kernel/bpf/syscall.c:4689 [inline] + __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4689 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com +Signed-off-by: Bixuan Cui +Signed-off-by: Alexei Starovoitov +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20210911005557.45518-1-cuibixuan@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index cba1f86e75cd..0c26757ea7fb 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -8822,6 +8822,8 @@ static int check_btf_line(struct bpf_verifier_env *env, + nr_linfo = attr->line_info_cnt; + if (!nr_linfo) + return 0; ++ if (nr_linfo > INT_MAX / sizeof(struct bpf_line_info)) ++ return -EINVAL; + + rec_size = attr->line_info_rec_size; + if (rec_size < MIN_BPF_LINEINFO_SIZE || +-- +2.33.0 + diff --git a/queue-5.10/cifs-fix-a-sign-extension-bug.patch b/queue-5.10/cifs-fix-a-sign-extension-bug.patch new file mode 100644 index 00000000000..489bd38672a --- /dev/null +++ b/queue-5.10/cifs-fix-a-sign-extension-bug.patch @@ -0,0 +1,46 @@ +From f8fa6eb81209765f53acc34c5bb481c42fc6daf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Sep 2021 23:33:35 +0300 +Subject: cifs: fix a sign extension bug + +From: Dan Carpenter + +[ Upstream commit e946d3c887a9dc33aa82a349c6284f4a084163f4 ] + +The problem is the mismatched types between "ctx->total_len" which is +an unsigned int, "rc" which is an int, and "ctx->rc" which is a +ssize_t. The code does: + + ctx->rc = (rc == 0) ? ctx->total_len : rc; + +We want "ctx->rc" to store the negative "rc" error code. But what +happens is that "rc" is type promoted to a high unsigned int and +'ctx->rc" will store the high positive value instead of a negative +value. + +The fix is to change "rc" from an int to a ssize_t. + +Fixes: c610c4b619e5 ("CIFS: Add asynchronous write support through kernel AIO") +Signed-off-by: Dan Carpenter +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index f46904a4ead3..67139f9d583f 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -3039,7 +3039,7 @@ static void collect_uncached_write_data(struct cifs_aio_ctx *ctx) + struct cifs_tcon *tcon; + struct cifs_sb_info *cifs_sb; + struct dentry *dentry = ctx->cfile->dentry; +- int rc; ++ ssize_t rc; + + tcon = tlink_tcon(ctx->cfile->tlink); + cifs_sb = CIFS_SB(dentry->d_sb); +-- +2.33.0 + diff --git a/queue-5.10/compiler.h-introduce-absolute_pointer-macro.patch b/queue-5.10/compiler.h-introduce-absolute_pointer-macro.patch new file mode 100644 index 00000000000..c19f7f2d65a --- /dev/null +++ b/queue-5.10/compiler.h-introduce-absolute_pointer-macro.patch @@ -0,0 +1,44 @@ +From ed30063cf690d64d74c121d80a79f1ee96ba3688 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 20:52:24 -0700 +Subject: compiler.h: Introduce absolute_pointer macro + +From: Guenter Roeck + +[ Upstream commit f6b5f1a56987de837f8e25cd560847106b8632a8 ] + +absolute_pointer() disassociates a pointer from its originating symbol +type and context. Use it to prevent compiler warnings/errors such as + + drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe': + arch/m68k/include/asm/string.h:72:25: error: + '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread] + +Such warnings may be reported by gcc 11.x for string and memory +operations on fixed addresses. + +Suggested-by: Linus Torvalds +Signed-off-by: Guenter Roeck +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/compiler.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/compiler.h b/include/linux/compiler.h +index b8fe0c23cfff..475d0a3ce059 100644 +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -180,6 +180,8 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val, + (typeof(ptr)) (__ptr + (off)); }) + #endif + ++#define absolute_pointer(val) RELOC_HIDE((void *)(val), 0) ++ + #ifndef OPTIMIZER_HIDE_VAR + /* Make the optimizer believe the variable can be manipulated arbitrarily. */ + #define OPTIMIZER_HIDE_VAR(var) \ +-- +2.33.0 + diff --git a/queue-5.10/cpufreq-intel_pstate-override-parameters-if-hwp-forc.patch b/queue-5.10/cpufreq-intel_pstate-override-parameters-if-hwp-forc.patch new file mode 100644 index 00000000000..05ffab56b90 --- /dev/null +++ b/queue-5.10/cpufreq-intel_pstate-override-parameters-if-hwp-forc.patch @@ -0,0 +1,82 @@ +From 99c835edb5e04ef22a441f514c5b28436e67d352 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Sep 2021 11:50:29 -0700 +Subject: cpufreq: intel_pstate: Override parameters if HWP forced by BIOS + +From: Doug Smythies + +[ Upstream commit d9a7e9df731670acdc69e81748941ad338f47fab ] + +If HWP has been already been enabled by BIOS, it may be +necessary to override some kernel command line parameters. +Once it has been enabled it requires a reset to be disabled. + +Suggested-by: Rafael J. Wysocki +Signed-off-by: Doug Smythies +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/intel_pstate.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index 44a5d15a7572..1686705bee7b 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -3035,11 +3035,15 @@ static int __init intel_pstate_init(void) + if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) + return -ENODEV; + +- if (no_load) +- return -ENODEV; +- + id = x86_match_cpu(hwp_support_ids); + if (id) { ++ bool hwp_forced = intel_pstate_hwp_is_enabled(); ++ ++ if (hwp_forced) ++ pr_info("HWP enabled by BIOS\n"); ++ else if (no_load) ++ return -ENODEV; ++ + copy_cpu_funcs(&core_funcs); + /* + * Avoid enabling HWP for processors without EPP support, +@@ -3049,8 +3053,7 @@ static int __init intel_pstate_init(void) + * If HWP is enabled already, though, there is no choice but to + * deal with it. + */ +- if ((!no_hwp && boot_cpu_has(X86_FEATURE_HWP_EPP)) || +- intel_pstate_hwp_is_enabled()) { ++ if ((!no_hwp && boot_cpu_has(X86_FEATURE_HWP_EPP)) || hwp_forced) { + hwp_active++; + hwp_mode_bdw = id->driver_data; + intel_pstate.attr = hwp_cpufreq_attrs; +@@ -3061,7 +3064,11 @@ static int __init intel_pstate_init(void) + + goto hwp_cpu_matched; + } ++ pr_info("HWP not enabled\n"); + } else { ++ if (no_load) ++ return -ENODEV; ++ + id = x86_match_cpu(intel_pstate_cpu_ids); + if (!id) { + pr_info("CPU model not supported\n"); +@@ -3138,10 +3145,9 @@ static int __init intel_pstate_setup(char *str) + else if (!strcmp(str, "passive")) + default_driver = &intel_cpufreq; + +- if (!strcmp(str, "no_hwp")) { +- pr_info("HWP disabled\n"); ++ if (!strcmp(str, "no_hwp")) + no_hwp = 1; +- } ++ + if (!strcmp(str, "force")) + force_load = 1; + if (!strcmp(str, "hwp_only")) +-- +2.33.0 + diff --git a/queue-5.10/fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch b/queue-5.10/fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch new file mode 100644 index 00000000000..551b41bdd92 --- /dev/null +++ b/queue-5.10/fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch @@ -0,0 +1,42 @@ +From f613534abd8a20b79f668cef72f73a6d51661f13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 14:40:42 +0800 +Subject: fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() + +From: Jiapeng Chong + +[ Upstream commit a1e4470823d99e75b596748086e120dea169ed3c ] + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'ret'. + +Eliminate the follow smatch warning: + +drivers/fpga/machxo2-spi.c:341 machxo2_write_complete() + warn: missing error code 'ret'. + +[mdf@kernel.org: Reworded commit message] +Fixes: 88fb3a002330 ("fpga: lattice machxo2: Add Lattice MachXO2 support") +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Signed-off-by: Moritz Fischer +Signed-off-by: Sasha Levin +--- + drivers/fpga/machxo2-spi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/fpga/machxo2-spi.c b/drivers/fpga/machxo2-spi.c +index 7688ff3b31e4..9eef18349eee 100644 +--- a/drivers/fpga/machxo2-spi.c ++++ b/drivers/fpga/machxo2-spi.c +@@ -338,6 +338,7 @@ static int machxo2_write_complete(struct fpga_manager *mgr, + break; + if (++refreshloop == MACHXO2_MAX_REFRESH_LOOP) { + machxo2_cleanup(mgr); ++ ret = -EINVAL; + goto fail; + } + } while (1); +-- +2.33.0 + diff --git a/queue-5.10/fpga-machxo2-spi-return-an-error-on-failure.patch b/queue-5.10/fpga-machxo2-spi-return-an-error-on-failure.patch new file mode 100644 index 00000000000..76f4c170909 --- /dev/null +++ b/queue-5.10/fpga-machxo2-spi-return-an-error-on-failure.patch @@ -0,0 +1,56 @@ +From f2d195e659a0a9c68d4215b97f1343fcaa6a7c3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 09:40:36 -0700 +Subject: fpga: machxo2-spi: Return an error on failure + +From: Tom Rix + +[ Upstream commit 34331739e19fd6a293d488add28832ad49c9fc54 ] + +Earlier successes leave 'ret' in a non error state, so these errors are +not reported. Set ret to -EINVAL before going to the error handler. + +This addresses two issues reported by smatch: +drivers/fpga/machxo2-spi.c:229 machxo2_write_init() + warn: missing error code 'ret' + +drivers/fpga/machxo2-spi.c:316 machxo2_write_complete() + warn: missing error code 'ret' + +[mdf@kernel.org: Reworded commit message] +Fixes: 88fb3a002330 ("fpga: lattice machxo2: Add Lattice MachXO2 support") +Reported-by: Dan Carpenter +Signed-off-by: Tom Rix +Signed-off-by: Moritz Fischer +Signed-off-by: Sasha Levin +--- + drivers/fpga/machxo2-spi.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/fpga/machxo2-spi.c b/drivers/fpga/machxo2-spi.c +index b316369156fe..7688ff3b31e4 100644 +--- a/drivers/fpga/machxo2-spi.c ++++ b/drivers/fpga/machxo2-spi.c +@@ -225,8 +225,10 @@ static int machxo2_write_init(struct fpga_manager *mgr, + goto fail; + + get_status(spi, &status); +- if (test_bit(FAIL, &status)) ++ if (test_bit(FAIL, &status)) { ++ ret = -EINVAL; + goto fail; ++ } + dump_status_reg(&status); + + spi_message_init(&msg); +@@ -313,6 +315,7 @@ static int machxo2_write_complete(struct fpga_manager *mgr, + dump_status_reg(&status); + if (!test_bit(DONE, &status)) { + machxo2_cleanup(mgr); ++ ret = -EINVAL; + goto fail; + } + +-- +2.33.0 + diff --git a/queue-5.10/io_uring-put-provided-buffer-meta-data-under-memcg-a.patch b/queue-5.10/io_uring-put-provided-buffer-meta-data-under-memcg-a.patch new file mode 100644 index 00000000000..20a50cf6bf5 --- /dev/null +++ b/queue-5.10/io_uring-put-provided-buffer-meta-data-under-memcg-a.patch @@ -0,0 +1,36 @@ +From 03e2022638d2026e5141cbc85a9a78ab0a006b73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 07:39:08 -0600 +Subject: io_uring: put provided buffer meta data under memcg accounting + +From: Jens Axboe + +[ Upstream commit 9990da93d2bf9892c2c14c958bef050d4e461a1a ] + +For each provided buffer, we allocate a struct io_buffer to hold the +data associated with it. As a large number of buffers can be provided, +account that data with memcg. + +Fixes: ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index a8d07273ddc0..26753d0cb431 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -4041,7 +4041,7 @@ static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head) + int i, bid = pbuf->bid; + + for (i = 0; i < pbuf->nbufs; i++) { +- buf = kmalloc(sizeof(*buf), GFP_KERNEL); ++ buf = kmalloc(sizeof(*buf), GFP_KERNEL_ACCOUNT); + if (!buf) + break; + +-- +2.33.0 + diff --git a/queue-5.10/ipv6-delay-fib6_sernum-increase-in-fib6_add.patch b/queue-5.10/ipv6-delay-fib6_sernum-increase-in-fib6_add.patch new file mode 100644 index 00000000000..275f64dbd07 --- /dev/null +++ b/queue-5.10/ipv6-delay-fib6_sernum-increase-in-fib6_add.patch @@ -0,0 +1,44 @@ +From ff46809a43db9ee173b0b8822e8c0b56e76ce504 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Sep 2021 16:39:18 +0800 +Subject: ipv6: delay fib6_sernum increase in fib6_add + +From: zhang kai + +[ Upstream commit e87b5052271e39d62337ade531992b7e5d8c2cfa ] + +only increase fib6_sernum in net namespace after add fib6_info +successfully. + +Signed-off-by: zhang kai +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_fib.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index 1fb79dbde0cb..e43f1fbac28b 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -1376,7 +1376,6 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt, + int err = -ENOMEM; + int allow_create = 1; + int replace_required = 0; +- int sernum = fib6_new_sernum(info->nl_net); + + if (info->nlh) { + if (!(info->nlh->nlmsg_flags & NLM_F_CREATE)) +@@ -1476,7 +1475,7 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt, + if (!err) { + if (rt->nh) + list_add(&rt->nh_list, &rt->nh->f6i_list); +- __fib6_update_sernum_upto_root(rt, sernum); ++ __fib6_update_sernum_upto_root(rt, fib6_new_sernum(info->nl_net)); + fib6_start_gc(info->nl_net, rt); + } + +-- +2.33.0 + diff --git a/queue-5.10/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch b/queue-5.10/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch new file mode 100644 index 00000000000..5f8517f96ed --- /dev/null +++ b/queue-5.10/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch @@ -0,0 +1,41 @@ +From 8028d841639ab74a337b77f34875bc9f980a3a02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 10:20:55 +0800 +Subject: irqchip/gic-v3-its: Fix potential VPE leak on error + +From: Kaige Fu + +[ Upstream commit 280bef512933b2dda01d681d8cbe499b98fc5bdd ] + +In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error, +there is an off-by-one in the number of VPEs to be freed. + +Fix it by simply passing the number of VPEs allocated, which is the +index of the loop iterating over the VPEs. + +Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown") +Signed-off-by: Kaige Fu +[maz: fixed commit message] +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/d9e36dee512e63670287ed9eff884a5d8d6d27f2.1631672311.git.kaige.fu@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index 4069c215328b..95e0b82b6c66 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -4489,7 +4489,7 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq + + if (err) { + if (i > 0) +- its_vpe_irq_domain_free(domain, virq, i - 1); ++ its_vpe_irq_domain_free(domain, virq, i); + + its_lpi_free(bitmap, base, nr_ids); + its_free_prop_table(vprop_page); +-- +2.33.0 + diff --git a/queue-5.10/irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch b/queue-5.10/irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch new file mode 100644 index 00000000000..5ca22369e3e --- /dev/null +++ b/queue-5.10/irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch @@ -0,0 +1,55 @@ +From c5d8fd52d5e3a0e58d9177fe4f84499c8dad3e05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Sep 2021 09:25:19 -0700 +Subject: irqchip/goldfish-pic: Select GENERIC_IRQ_CHIP to fix build + +From: Randy Dunlap + +[ Upstream commit 969ac78db78c723a24e9410666b457cc1b0cb3c3 ] + +irq-goldfish-pic uses GENERIC_IRQ_CHIP interfaces so select that symbol +to fix build errors. + +Fixes these build errors: + +mips-linux-ld: drivers/irqchip/irq-goldfish-pic.o: in function `goldfish_pic_of_init': +irq-goldfish-pic.c:(.init.text+0xc0): undefined reference to `irq_alloc_generic_chip' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0xf4): undefined reference to `irq_gc_unmask_enable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0xf8): undefined reference to `irq_gc_unmask_enable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x100): undefined reference to `irq_gc_mask_disable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x104): undefined reference to `irq_gc_mask_disable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x11c): undefined reference to `irq_setup_generic_chip' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x168): undefined reference to `irq_remove_generic_chip' + +Fixes: 4235ff50cf98 ("irqchip/irq-goldfish-pic: Add Goldfish PIC driver") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Miodrag Dinic +Cc: Geert Uytterhoeven +Cc: Bartosz Golaszewski +Cc: Thomas Gleixner +Cc: Marc Zyngier +Cc: Goran Ferenc +Cc: Aleksandar Markovic +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20210905162519.21507-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/irqchip/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig +index 6156a065681b..dc062e8c2caf 100644 +--- a/drivers/irqchip/Kconfig ++++ b/drivers/irqchip/Kconfig +@@ -425,6 +425,7 @@ config MESON_IRQ_GPIO + config GOLDFISH_PIC + bool "Goldfish programmable interrupt controller" + depends on MIPS && (GOLDFISH || COMPILE_TEST) ++ select GENERIC_IRQ_CHIP + select IRQ_DOMAIN + help + Say yes here to enable Goldfish interrupt controller driver used +-- +2.33.0 + diff --git a/queue-5.10/m68k-double-cast-io-functions-to-unsigned-long.patch b/queue-5.10/m68k-double-cast-io-functions-to-unsigned-long.patch new file mode 100644 index 00000000000..595f1962686 --- /dev/null +++ b/queue-5.10/m68k-double-cast-io-functions-to-unsigned-long.patch @@ -0,0 +1,68 @@ +From 0987727570d23b3b666462523f005fc168673644 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 23:07:29 -0700 +Subject: m68k: Double cast io functions to unsigned long + +From: Guenter Roeck + +[ Upstream commit b1a89856fbf63fffde6a4771d8f1ac21df549e50 ] + +m68k builds fail widely with errors such as + +arch/m68k/include/asm/raw_io.h:20:19: error: + cast to pointer from integer of different size +arch/m68k/include/asm/raw_io.h:30:32: error: + cast to pointer from integer of different size [-Werror=int-to-p + +On m68k, io functions are defined as macros. The problem is seen if the +macro parameter variable size differs from the size of a pointer. Cast +the parameter of all io macros to unsigned long before casting it to +a pointer to fix the problem. + +Signed-off-by: Guenter Roeck +Link: https://lore.kernel.org/r/20210907060729.2391992-1-linux@roeck-us.net +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/include/asm/raw_io.h | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/m68k/include/asm/raw_io.h b/arch/m68k/include/asm/raw_io.h +index 911826ea83ce..80eb2396d01e 100644 +--- a/arch/m68k/include/asm/raw_io.h ++++ b/arch/m68k/include/asm/raw_io.h +@@ -17,21 +17,21 @@ + * two accesses to memory, which may be undesirable for some devices. + */ + #define in_8(addr) \ +- ({ u8 __v = (*(__force volatile u8 *) (addr)); __v; }) ++ ({ u8 __v = (*(__force volatile u8 *) (unsigned long)(addr)); __v; }) + #define in_be16(addr) \ +- ({ u16 __v = (*(__force volatile u16 *) (addr)); __v; }) ++ ({ u16 __v = (*(__force volatile u16 *) (unsigned long)(addr)); __v; }) + #define in_be32(addr) \ +- ({ u32 __v = (*(__force volatile u32 *) (addr)); __v; }) ++ ({ u32 __v = (*(__force volatile u32 *) (unsigned long)(addr)); __v; }) + #define in_le16(addr) \ +- ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (addr)); __v; }) ++ ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (unsigned long)(addr)); __v; }) + #define in_le32(addr) \ +- ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (addr)); __v; }) ++ ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (unsigned long)(addr)); __v; }) + +-#define out_8(addr,b) (void)((*(__force volatile u8 *) (addr)) = (b)) +-#define out_be16(addr,w) (void)((*(__force volatile u16 *) (addr)) = (w)) +-#define out_be32(addr,l) (void)((*(__force volatile u32 *) (addr)) = (l)) +-#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (addr)) = cpu_to_le16(w)) +-#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (addr)) = cpu_to_le32(l)) ++#define out_8(addr,b) (void)((*(__force volatile u8 *) (unsigned long)(addr)) = (b)) ++#define out_be16(addr,w) (void)((*(__force volatile u16 *) (unsigned long)(addr)) = (w)) ++#define out_be32(addr,l) (void)((*(__force volatile u32 *) (unsigned long)(addr)) = (l)) ++#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (unsigned long)(addr)) = cpu_to_le16(w)) ++#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (unsigned long)(addr)) = cpu_to_le32(l)) + + #define raw_inb in_8 + #define raw_inw in_be16 +-- +2.33.0 + diff --git a/queue-5.10/md-fix-a-lock-order-reversal-in-md_alloc.patch b/queue-5.10/md-fix-a-lock-order-reversal-in-md_alloc.patch new file mode 100644 index 00000000000..213647c9632 --- /dev/null +++ b/queue-5.10/md-fix-a-lock-order-reversal-in-md_alloc.patch @@ -0,0 +1,61 @@ +From dbcbe9d9af02788d074714b300765ac9aa777867 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 13:38:29 +0200 +Subject: md: fix a lock order reversal in md_alloc + +From: Christoph Hellwig + +[ Upstream commit 7df835a32a8bedf7ce88efcfa7c9b245b52ff139 ] + +Commit b0140891a8cea3 ("md: Fix race when creating a new md device.") +not only moved assigning mddev->gendisk before calling add_disk, which +fixes the races described in the commit log, but also added a +mddev->open_mutex critical section over add_disk and creation of the +md kobj. Adding a kobject after add_disk is racy vs deleting the gendisk +right after adding it, but md already prevents against that by holding +a mddev->active reference. + +On the other hand taking this lock added a lock order reversal with what +is not disk->open_mutex (used to be bdev->bd_mutex when the commit was +added) for partition devices, which need that lock for the internal open +for the partition scan, and a recent commit also takes it for +non-partitioned devices, leading to further lockdep splatter. + +Fixes: b0140891a8ce ("md: Fix race when creating a new md device.") +Fixes: d62633873590 ("block: support delayed holder registration") +Reported-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com +Signed-off-by: Christoph Hellwig +Tested-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com +Reviewed-by: NeilBrown +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 288d26013de2..f16f190546ef 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -5759,10 +5759,6 @@ static int md_alloc(dev_t dev, char *name) + disk->flags |= GENHD_FL_EXT_DEVT; + disk->events |= DISK_EVENT_MEDIA_CHANGE; + mddev->gendisk = disk; +- /* As soon as we call add_disk(), another thread could get +- * through to md_open, so make sure it doesn't get too far +- */ +- mutex_lock(&mddev->open_mutex); + add_disk(disk); + + error = kobject_add(&mddev->kobj, &disk_to_dev(disk)->kobj, "%s", "md"); +@@ -5777,7 +5773,6 @@ static int md_alloc(dev_t dev, char *name) + if (mddev->kobj.sd && + sysfs_create_group(&mddev->kobj, &md_bitmap_group)) + pr_debug("pointless warning\n"); +- mutex_unlock(&mddev->open_mutex); + abort: + mutex_unlock(&disks_mutex); + if (!error && mddev->kobj.sd) { +-- +2.33.0 + diff --git a/queue-5.10/net-6pack-fix-tx-timeout-and-slot-time.patch b/queue-5.10/net-6pack-fix-tx-timeout-and-slot-time.patch new file mode 100644 index 00000000000..93a84dd5e7a --- /dev/null +++ b/queue-5.10/net-6pack-fix-tx-timeout-and-slot-time.patch @@ -0,0 +1,59 @@ +From 1dbfb026e3eb3ad40552b1f2e4a6bde10d8171b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 20:57:43 -0700 +Subject: net: 6pack: Fix tx timeout and slot time + +From: Guenter Roeck + +[ Upstream commit 3c0d2a46c0141913dc6fd126c57d0615677d946e ] + +tx timeout and slot time are currently specified in units of HZ. On +Alpha, HZ is defined as 1024. When building alpha:allmodconfig, this +results in the following error message. + + drivers/net/hamradio/6pack.c: In function 'sixpack_open': + drivers/net/hamradio/6pack.c:71:41: error: + unsigned conversion from 'int' to 'unsigned char' + changes value from '256' to '0' + +In the 6PACK protocol, tx timeout is specified in units of 10 ms and +transmitted over the wire: + + https://www.linux-ax25.org/wiki/6PACK + +Defining a value dependent on HZ doesn't really make sense, and +presumably comes from the (very historical) situation where HZ was +originally 100. + +Note that the SIXP_SLOTTIME use explicitly is about 10ms granularity: + + mod_timer(&sp->tx_t, jiffies + ((when + 1) * HZ) / 100); + +and the SIXP_TXDELAY walue is sent as a byte over the wire. + +Signed-off-by: Guenter Roeck +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/6pack.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c +index da13683d52d1..bd0beb16d68a 100644 +--- a/drivers/net/hamradio/6pack.c ++++ b/drivers/net/hamradio/6pack.c +@@ -68,9 +68,9 @@ + #define SIXP_DAMA_OFF 0 + + /* default level 2 parameters */ +-#define SIXP_TXDELAY (HZ/4) /* in 1 s */ ++#define SIXP_TXDELAY 25 /* 250 ms */ + #define SIXP_PERSIST 50 /* in 256ths */ +-#define SIXP_SLOTTIME (HZ/10) /* in 1 s */ ++#define SIXP_SLOTTIME 10 /* 100 ms */ + #define SIXP_INIT_RESYNC_TIMEOUT (3*HZ/2) /* in 1 s */ + #define SIXP_RESYNC_TIMEOUT 5*HZ /* in 1 s */ + +-- +2.33.0 + diff --git a/queue-5.10/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch b/queue-5.10/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch new file mode 100644 index 00000000000..01e296745c0 --- /dev/null +++ b/queue-5.10/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch @@ -0,0 +1,43 @@ +From d334cedb5fb826d034c0ab8e5e9ccb65182e8593 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 20:52:25 -0700 +Subject: net: i825xx: Use absolute_pointer for memcpy from fixed memory + location + +From: Guenter Roeck + +[ Upstream commit dff2d13114f0beec448da9b3716204eb34b0cf41 ] + +gcc 11.x reports the following compiler warning/error. + + drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe': + arch/m68k/include/asm/string.h:72:25: error: + '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread] + +Use absolute_pointer() to work around the problem. + +Cc: Geert Uytterhoeven +Signed-off-by: Guenter Roeck +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/i825xx/82596.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/i825xx/82596.c b/drivers/net/ethernet/i825xx/82596.c +index fc8c7cd67471..8b12a5ab3818 100644 +--- a/drivers/net/ethernet/i825xx/82596.c ++++ b/drivers/net/ethernet/i825xx/82596.c +@@ -1155,7 +1155,7 @@ struct net_device * __init i82596_probe(int unit) + err = -ENODEV; + goto out; + } +- memcpy(eth_addr, (void *) 0xfffc1f2c, ETH_ALEN); /* YUCK! Get addr from NOVRAM */ ++ memcpy(eth_addr, absolute_pointer(0xfffc1f2c), ETH_ALEN); /* YUCK! Get addr from NOVRAM */ + dev->base_addr = MVME_I596_BASE; + dev->irq = (unsigned) MVME16x_IRQ_I596; + goto found; +-- +2.33.0 + diff --git a/queue-5.10/net-macb-fix-use-after-free-on-rmmod.patch b/queue-5.10/net-macb-fix-use-after-free-on-rmmod.patch new file mode 100644 index 00000000000..454df0132b3 --- /dev/null +++ b/queue-5.10/net-macb-fix-use-after-free-on-rmmod.patch @@ -0,0 +1,44 @@ +From d1cbc4df4ed2681a40e818377e4cfd7bce80ae1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 12:02:32 -0700 +Subject: net: macb: fix use after free on rmmod + +From: Tong Zhang + +[ Upstream commit d82d5303c4c539db86588ffb5dc5b26c3f1513e8 ] + +plat_dev->dev->platform_data is released by platform_device_unregister(), +use of pclk and hclk is a use-after-free. Since device unregister won't +need a clk device we adjust the function call sequence to fix this issue. + +[ 31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci] +[ 31.275563] Freed by task 306: +[ 30.276782] platform_device_release+0x25/0x80 + +Suggested-by: Nicolas Ferre +Signed-off-by: Tong Zhang +Acked-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c +index 353393dea639..3593b310c325 100644 +--- a/drivers/net/ethernet/cadence/macb_pci.c ++++ b/drivers/net/ethernet/cadence/macb_pci.c +@@ -111,9 +111,9 @@ static void macb_remove(struct pci_dev *pdev) + struct platform_device *plat_dev = pci_get_drvdata(pdev); + struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev); + +- platform_device_unregister(plat_dev); + clk_unregister(plat_data->pclk); + clk_unregister(plat_data->hclk); ++ platform_device_unregister(plat_dev); + } + + static const struct pci_device_id dev_id_table[] = { +-- +2.33.0 + diff --git a/queue-5.10/net-phylink-update-sfp-selected-interface-on-adverti.patch b/queue-5.10/net-phylink-update-sfp-selected-interface-on-adverti.patch new file mode 100644 index 00000000000..1400d2f3ced --- /dev/null +++ b/queue-5.10/net-phylink-update-sfp-selected-interface-on-adverti.patch @@ -0,0 +1,86 @@ +From 99ef1fd843faef967489d0012a2bad3020809ee6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 05:14:49 +0000 +Subject: net: phylink: Update SFP selected interface on advertising changes + +From: Nathan Rossi + +[ Upstream commit ea269a6f720782ed94171fb962b14ce07c372138 ] + +Currently changes to the advertising state via ethtool do not cause any +reselection of the configured interface mode after the SFP is already +inserted and initially configured. + +While it is not typical to change the advertised link modes for an +interface using an SFP in certain use cases it is desirable. In the case +of a SFP port that is capable of handling both SFP and SFP+ modules it +will automatically select between 1G and 10G modes depending on the +supported mode of the SFP. However if the SFP module is capable of +working in multiple modes (e.g. a SFP+ DAC that can operate at 1G or +10G), one end of the cable may be attached to a SFP 1000base-x port thus +the SFP+ end must be manually configured to the 1000base-x mode in order +for the link to be established. + +This change causes the ethtool setting of advertised mode changes to +reselect the interface mode so that the link can be established. +Additionally when a module is inserted the advertising mode is reset to +match the supported modes of the module. + +Signed-off-by: Nathan Rossi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phylink.c | 30 +++++++++++++++++++++++++++++- + 1 file changed, 29 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c +index 6072e87ed6c3..025c3246f339 100644 +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -1493,6 +1493,32 @@ int phylink_ethtool_ksettings_set(struct phylink *pl, + if (config.an_enabled && phylink_is_empty_linkmode(config.advertising)) + return -EINVAL; + ++ /* If this link is with an SFP, ensure that changes to advertised modes ++ * also cause the associated interface to be selected such that the ++ * link can be configured correctly. ++ */ ++ if (pl->sfp_port && pl->sfp_bus) { ++ config.interface = sfp_select_interface(pl->sfp_bus, ++ config.advertising); ++ if (config.interface == PHY_INTERFACE_MODE_NA) { ++ phylink_err(pl, ++ "selection of interface failed, advertisement %*pb\n", ++ __ETHTOOL_LINK_MODE_MASK_NBITS, ++ config.advertising); ++ return -EINVAL; ++ } ++ ++ /* Revalidate with the selected interface */ ++ linkmode_copy(support, pl->supported); ++ if (phylink_validate(pl, support, &config)) { ++ phylink_err(pl, "validation of %s/%s with support %*pb failed\n", ++ phylink_an_mode_str(pl->cur_link_an_mode), ++ phy_modes(config.interface), ++ __ETHTOOL_LINK_MODE_MASK_NBITS, support); ++ return -EINVAL; ++ } ++ } ++ + mutex_lock(&pl->state_mutex); + pl->link_config.speed = config.speed; + pl->link_config.duplex = config.duplex; +@@ -2072,7 +2098,9 @@ static int phylink_sfp_config(struct phylink *pl, u8 mode, + if (phy_interface_mode_is_8023z(iface) && pl->phydev) + return -EINVAL; + +- changed = !linkmode_equal(pl->supported, support); ++ changed = !linkmode_equal(pl->supported, support) || ++ !linkmode_equal(pl->link_config.advertising, ++ config.advertising); + if (changed) { + linkmode_copy(pl->supported, support); + linkmode_copy(pl->link_config.advertising, config.advertising); +-- +2.33.0 + diff --git a/queue-5.10/net-stmmac-allow-csr-clock-of-300mhz.patch b/queue-5.10/net-stmmac-allow-csr-clock-of-300mhz.patch new file mode 100644 index 00000000000..e1cad4c2c3d --- /dev/null +++ b/queue-5.10/net-stmmac-allow-csr-clock-of-300mhz.patch @@ -0,0 +1,59 @@ +From 721dba1a83652cf1055d9d8715dd4f84c477e7eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Sep 2021 21:55:34 +0200 +Subject: net: stmmac: allow CSR clock of 300MHz + +From: Jesper Nilsson + +[ Upstream commit 08dad2f4d541fcfe5e7bfda72cc6314bbfd2802f ] + +The Synopsys Ethernet IP uses the CSR clock as a base clock for MDC. +The divisor used is set in the MAC_MDIO_Address register field CR +(Clock Rate) + +The divisor is there to change the CSR clock into a clock that falls +below the IEEE 802.3 specified max frequency of 2.5MHz. + +If the CSR clock is 300MHz, the code falls back to using the reset +value in the MAC_MDIO_Address register, as described in the comment +above this code. + +However, 300MHz is actually an allowed value and the proper divider +can be estimated quite easily (it's just 1Hz difference!) + +A CSR frequency of 300MHz with the maximum clock rate value of 0x5 +(STMMAC_CSR_250_300M, a divisor of 124) gives somewhere around +~2.42MHz which is below the IEEE 802.3 specified maximum. + +For the ARTPEC-8 SoC, the CSR clock is this problematic 300MHz, +and unfortunately, the reset-value of the MAC_MDIO_Address CR field +is 0x0. + +This leads to a clock rate of zero and a divisor of 42, and gives an +MDC frequency of ~7.14MHz. + +Allow CSR clock of 300MHz by making the comparison inclusive. + +Signed-off-by: Jesper Nilsson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 3134f7e669f8..6133b2fe8a78 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -226,7 +226,7 @@ static void stmmac_clk_csr_set(struct stmmac_priv *priv) + priv->clk_csr = STMMAC_CSR_100_150M; + else if ((clk_rate >= CSR_F_150M) && (clk_rate < CSR_F_250M)) + priv->clk_csr = STMMAC_CSR_150_250M; +- else if ((clk_rate >= CSR_F_250M) && (clk_rate < CSR_F_300M)) ++ else if ((clk_rate >= CSR_F_250M) && (clk_rate <= CSR_F_300M)) + priv->clk_csr = STMMAC_CSR_250_300M; + } + +-- +2.33.0 + diff --git a/queue-5.10/nvme-keep-ctrl-namespaces-ordered.patch b/queue-5.10/nvme-keep-ctrl-namespaces-ordered.patch new file mode 100644 index 00000000000..c45c105c6d2 --- /dev/null +++ b/queue-5.10/nvme-keep-ctrl-namespaces-ordered.patch @@ -0,0 +1,101 @@ +From 1d537265b13b09ac91938dd543b111cde9c5e0b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 08:38:20 +0200 +Subject: nvme: keep ctrl->namespaces ordered + +From: Christoph Hellwig + +[ Upstream commit 298ba0e3d4af539cc37f982d4c011a0f07fca48c ] + +Various places in the nvme code that rely on ctrl->namespace to be +ordered. Ensure that the namespae is inserted into the list at the +right position from the start instead of sorting it after the fact. + +Fixes: 540c801c65eb ("NVMe: Implement namespace list scanning") +Reported-by: Anton Eidelman +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 33 +++++++++++++++++---------------- + 1 file changed, 17 insertions(+), 16 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 9c97628519e0..bbc3efef5027 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -13,7 +13,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -3801,15 +3800,6 @@ out_unlock: + return ret; + } + +-static int ns_cmp(void *priv, const struct list_head *a, +- const struct list_head *b) +-{ +- struct nvme_ns *nsa = container_of(a, struct nvme_ns, list); +- struct nvme_ns *nsb = container_of(b, struct nvme_ns, list); +- +- return nsa->head->ns_id - nsb->head->ns_id; +-} +- + struct nvme_ns *nvme_find_get_ns(struct nvme_ctrl *ctrl, unsigned nsid) + { + struct nvme_ns *ns, *ret = NULL; +@@ -3830,6 +3820,22 @@ struct nvme_ns *nvme_find_get_ns(struct nvme_ctrl *ctrl, unsigned nsid) + } + EXPORT_SYMBOL_NS_GPL(nvme_find_get_ns, NVME_TARGET_PASSTHRU); + ++/* ++ * Add the namespace to the controller list while keeping the list ordered. ++ */ ++static void nvme_ns_add_to_ctrl_list(struct nvme_ns *ns) ++{ ++ struct nvme_ns *tmp; ++ ++ list_for_each_entry_reverse(tmp, &ns->ctrl->namespaces, list) { ++ if (tmp->head->ns_id < ns->head->ns_id) { ++ list_add(&ns->list, &tmp->list); ++ return; ++ } ++ } ++ list_add(&ns->list, &ns->ctrl->namespaces); ++} ++ + static void nvme_alloc_ns(struct nvme_ctrl *ctrl, unsigned nsid, + struct nvme_ns_ids *ids) + { +@@ -3889,9 +3895,8 @@ static void nvme_alloc_ns(struct nvme_ctrl *ctrl, unsigned nsid, + } + + down_write(&ctrl->namespaces_rwsem); +- list_add_tail(&ns->list, &ctrl->namespaces); ++ nvme_ns_add_to_ctrl_list(ns); + up_write(&ctrl->namespaces_rwsem); +- + nvme_get_ctrl(ctrl); + + device_add_disk(ctrl->device, ns->disk, nvme_ns_id_attr_groups); +@@ -4160,10 +4165,6 @@ static void nvme_scan_work(struct work_struct *work) + if (nvme_scan_ns_list(ctrl) != 0) + nvme_scan_ns_sequential(ctrl); + mutex_unlock(&ctrl->scan_lock); +- +- down_write(&ctrl->namespaces_rwsem); +- list_sort(NULL, &ctrl->namespaces, ns_cmp); +- up_write(&ctrl->namespaces_rwsem); + } + + /* +-- +2.33.0 + diff --git a/queue-5.10/nvme-multipath-fix-ana-state-updates-when-a-namespac.patch b/queue-5.10/nvme-multipath-fix-ana-state-updates-when-a-namespac.patch new file mode 100644 index 00000000000..57ac91a9707 --- /dev/null +++ b/queue-5.10/nvme-multipath-fix-ana-state-updates-when-a-namespac.patch @@ -0,0 +1,61 @@ +From 265b0ff7072ff4a4600aba19901cf8bf0c9e8099 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Sep 2021 12:54:57 -0600 +Subject: nvme-multipath: fix ANA state updates when a namespace is not present + +From: Anton Eidelman + +[ Upstream commit 79f528afa93918519574773ea49a444c104bc1bd ] + +nvme_update_ana_state() has a deficiency that results in a failure to +properly update the ana state for a namespace in the following case: + + NSIDs in ctrl->namespaces: 1, 3, 4 + NSIDs in desc->nsids: 1, 2, 3, 4 + +Loop iteration 0: + ns index = 0, n = 0, ns->head->ns_id = 1, nsid = 1, MATCH. +Loop iteration 1: + ns index = 1, n = 1, ns->head->ns_id = 3, nsid = 2, NO MATCH. +Loop iteration 2: + ns index = 2, n = 2, ns->head->ns_id = 4, nsid = 4, MATCH. + +Where the update to the ANA state of NSID 3 is missed. To fix this +increment n and retry the update with the same ns when ns->head->ns_id is +higher than nsid, + +Signed-off-by: Anton Eidelman +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 2747efc03825..46a1e24ba6f4 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -509,14 +509,17 @@ static int nvme_update_ana_state(struct nvme_ctrl *ctrl, + + down_read(&ctrl->namespaces_rwsem); + list_for_each_entry(ns, &ctrl->namespaces, list) { +- unsigned nsid = le32_to_cpu(desc->nsids[n]); +- ++ unsigned nsid; ++again: ++ nsid = le32_to_cpu(desc->nsids[n]); + if (ns->head->ns_id < nsid) + continue; + if (ns->head->ns_id == nsid) + nvme_update_ns_ana_state(desc, ns); + if (++n == nr_nsids) + break; ++ if (ns->head->ns_id > nsid) ++ goto again; + } + up_read(&ctrl->namespaces_rwsem); + return 0; +-- +2.33.0 + diff --git a/queue-5.10/nvme-rdma-destroy-cm-id-before-destroy-qp-to-avoid-u.patch b/queue-5.10/nvme-rdma-destroy-cm-id-before-destroy-qp-to-avoid-u.patch new file mode 100644 index 00000000000..15c1b1552c0 --- /dev/null +++ b/queue-5.10/nvme-rdma-destroy-cm-id-before-destroy-qp-to-avoid-u.patch @@ -0,0 +1,81 @@ +From 2bb1ec7cb59a7fd5b6e19c3a7a1d35aca2f0cbe9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 11:51:34 +0800 +Subject: nvme-rdma: destroy cm id before destroy qp to avoid use after free + +From: Ruozhu Li + +[ Upstream commit 9817d763dbe15327b9b3ff4404fa6f27f927e744 ] + +We should always destroy cm_id before destroy qp to avoid to get cma +event after qp was destroyed, which may lead to use after free. +In RDMA connection establishment error flow, don't destroy qp in cm +event handler.Just report cm_error to upper level, qp will be destroy +in nvme_rdma_alloc_queue() after destroy cm id. + +Signed-off-by: Ruozhu Li +Reviewed-by: Max Gurtovoy +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/rdma.c | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index 9c356be7f016..51f4647ea214 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -655,8 +655,8 @@ static void nvme_rdma_free_queue(struct nvme_rdma_queue *queue) + if (!test_and_clear_bit(NVME_RDMA_Q_ALLOCATED, &queue->flags)) + return; + +- nvme_rdma_destroy_queue_ib(queue); + rdma_destroy_id(queue->cm_id); ++ nvme_rdma_destroy_queue_ib(queue); + mutex_destroy(&queue->queue_lock); + } + +@@ -1823,14 +1823,10 @@ static int nvme_rdma_conn_established(struct nvme_rdma_queue *queue) + for (i = 0; i < queue->queue_size; i++) { + ret = nvme_rdma_post_recv(queue, &queue->rsp_ring[i]); + if (ret) +- goto out_destroy_queue_ib; ++ return ret; + } + + return 0; +- +-out_destroy_queue_ib: +- nvme_rdma_destroy_queue_ib(queue); +- return ret; + } + + static int nvme_rdma_conn_rejected(struct nvme_rdma_queue *queue, +@@ -1924,14 +1920,10 @@ static int nvme_rdma_route_resolved(struct nvme_rdma_queue *queue) + if (ret) { + dev_err(ctrl->ctrl.device, + "rdma_connect_locked failed (%d).\n", ret); +- goto out_destroy_queue_ib; ++ return ret; + } + + return 0; +- +-out_destroy_queue_ib: +- nvme_rdma_destroy_queue_ib(queue); +- return ret; + } + + static int nvme_rdma_cm_handler(struct rdma_cm_id *cm_id, +@@ -1962,8 +1954,6 @@ static int nvme_rdma_cm_handler(struct rdma_cm_id *cm_id, + case RDMA_CM_EVENT_ROUTE_ERROR: + case RDMA_CM_EVENT_CONNECT_ERROR: + case RDMA_CM_EVENT_UNREACHABLE: +- nvme_rdma_destroy_queue_ib(queue); +- fallthrough; + case RDMA_CM_EVENT_ADDR_ERROR: + dev_dbg(queue->ctrl->ctrl.device, + "CM error event %d\n", ev->event); +-- +2.33.0 + diff --git a/queue-5.10/nvme-tcp-fix-incorrect-h2cdata-pdu-offset-accounting.patch b/queue-5.10/nvme-tcp-fix-incorrect-h2cdata-pdu-offset-accounting.patch new file mode 100644 index 00000000000..cc856d77ab6 --- /dev/null +++ b/queue-5.10/nvme-tcp-fix-incorrect-h2cdata-pdu-offset-accounting.patch @@ -0,0 +1,75 @@ +From a8d9e71abf1064d4b62f1cf22f35e27845220c67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 18:38:55 +0300 +Subject: nvme-tcp: fix incorrect h2cdata pdu offset accounting + +From: Sagi Grimberg + +[ Upstream commit e371af033c560b9dd1e861f8f0b503142bf0a06c ] + +When the controller sends us multiple r2t PDUs in a single +request we need to account for it correctly as our send/recv +context run concurrently (i.e. we get a new r2t with r2t_offset +before we updated our iterator and req->data_sent marker). This +can cause wrong offsets to be sent to the controller. + +To fix that, we will first know that this may happen only in +the send sequence of the last page, hence we will take +the r2t_offset to the h2c PDU data_offset, and in +nvme_tcp_try_send_data loop, we make sure to increment +the request markers also when we completed a PDU but +we are expecting more r2t PDUs as we still did not send +the entire data of the request. + +Fixes: 825619b09ad3 ("nvme-tcp: fix possible use-after-completion") +Reported-by: Nowak, Lukasz +Tested-by: Nowak, Lukasz +Signed-off-by: Sagi Grimberg +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/tcp.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index a6b3b0762763..05ad6bee085c 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -611,7 +611,7 @@ static int nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req, + cpu_to_le32(data->hdr.hlen + hdgst + req->pdu_len + ddgst); + data->ttag = pdu->ttag; + data->command_id = nvme_cid(rq); +- data->data_offset = cpu_to_le32(req->data_sent); ++ data->data_offset = pdu->r2t_offset; + data->data_length = cpu_to_le32(req->pdu_len); + return 0; + } +@@ -937,7 +937,15 @@ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req) + nvme_tcp_ddgst_update(queue->snd_hash, page, + offset, ret); + +- /* fully successful last write*/ ++ /* ++ * update the request iterator except for the last payload send ++ * in the request where we don't want to modify it as we may ++ * compete with the RX path completing the request. ++ */ ++ if (req->data_sent + ret < req->data_len) ++ nvme_tcp_advance_req(req, ret); ++ ++ /* fully successful last send in current PDU */ + if (last && ret == len) { + if (queue->data_digest) { + nvme_tcp_ddgst_final(queue->snd_hash, +@@ -949,7 +957,6 @@ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req) + } + return 1; + } +- nvme_tcp_advance_req(req, ret); + } + return -EAGAIN; + } +-- +2.33.0 + diff --git a/queue-5.10/parisc-use-absolute_pointer-to-define-page0.patch b/queue-5.10/parisc-use-absolute_pointer-to-define-page0.patch new file mode 100644 index 00000000000..d635ccaf92e --- /dev/null +++ b/queue-5.10/parisc-use-absolute_pointer-to-define-page0.patch @@ -0,0 +1,38 @@ +From f86da70963f42d38a942c38103427d728e7ca83b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 08:35:42 +0200 +Subject: parisc: Use absolute_pointer() to define PAGE0 + +From: Helge Deller + +[ Upstream commit 90cc7bed1ed19f869ae7221a6b41887fe762a6a3 ] + +Use absolute_pointer() wrapper for PAGE0 to avoid this compiler warning: + + arch/parisc/kernel/setup.c: In function 'start_parisc': + error: '__builtin_memcmp_eq' specified bound 8 exceeds source size 0 + +Signed-off-by: Helge Deller +Co-Developed-by: Guenter Roeck +Suggested-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/parisc/include/asm/page.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/parisc/include/asm/page.h b/arch/parisc/include/asm/page.h +index 6b3f6740a6a6..8802ce651a3a 100644 +--- a/arch/parisc/include/asm/page.h ++++ b/arch/parisc/include/asm/page.h +@@ -184,7 +184,7 @@ extern int npmem_ranges; + #include + #include + +-#define PAGE0 ((struct zeropage *)__PAGE_OFFSET) ++#define PAGE0 ((struct zeropage *)absolute_pointer(__PAGE_OFFSET)) + + /* DEFINITION OF THE ZERO-PAGE (PAG0) */ + /* based on work by Jason Eckhardt (jason@equator.com) */ +-- +2.33.0 + diff --git a/queue-5.10/qnx4-avoid-stringop-overread-errors.patch b/queue-5.10/qnx4-avoid-stringop-overread-errors.patch new file mode 100644 index 00000000000..eb3d115ab2b --- /dev/null +++ b/queue-5.10/qnx4-avoid-stringop-overread-errors.patch @@ -0,0 +1,134 @@ +From 22921850cc276078cd17ce9148a99de4107fca38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 13:56:37 -0700 +Subject: qnx4: avoid stringop-overread errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit b7213ffa0e585feb1aee3e7173e965e66ee0abaa ] + +The qnx4 directory entries are 64-byte blocks that have different +contents depending on the a status byte that is in the last byte of the +block. + +In particular, a directory entry can be either a "link info" entry with +a 48-byte name and pointers to the real inode information, or an "inode +entry" with a smaller 16-byte name and the full inode information. + +But the code was written to always just treat the directory name as if +it was part of that "inode entry", and just extend the name to the +longer case if the status byte said it was a link entry. + +That work just fine and gives the right results, but now that gcc is +tracking data structure accesses much more, the code can trigger a +compiler error about using up to 48 bytes (the long name) in a structure +that only has that shorter name in it: + + fs/qnx4/dir.c: In function ‘qnx4_readdir’: + fs/qnx4/dir.c:51:32: error: ‘strnlen’ specified bound 48 exceeds source size 16 [-Werror=stringop-overread] + 51 | size = strnlen(de->di_fname, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + In file included from fs/qnx4/qnx4.h:3, + from fs/qnx4/dir.c:16: + include/uapi/linux/qnx4_fs.h:45:25: note: source object declared here + 45 | char di_fname[QNX4_SHORT_NAME_MAX]; + | ^~~~~~~~ + +which is because the source code doesn't really make this whole "one of +two different types" explicit. + +Fix this by introducing a very explicit union of the two types, and +basically explaining to the compiler what is really going on. + +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/qnx4/dir.c | 51 ++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 34 insertions(+), 17 deletions(-) + +diff --git a/fs/qnx4/dir.c b/fs/qnx4/dir.c +index a6ee23aadd28..2a66844b7ff8 100644 +--- a/fs/qnx4/dir.c ++++ b/fs/qnx4/dir.c +@@ -15,13 +15,27 @@ + #include + #include "qnx4.h" + ++/* ++ * A qnx4 directory entry is an inode entry or link info ++ * depending on the status field in the last byte. The ++ * first byte is where the name start either way, and a ++ * zero means it's empty. ++ */ ++union qnx4_directory_entry { ++ struct { ++ char de_name; ++ char de_pad[62]; ++ char de_status; ++ }; ++ struct qnx4_inode_entry inode; ++ struct qnx4_link_info link; ++}; ++ + static int qnx4_readdir(struct file *file, struct dir_context *ctx) + { + struct inode *inode = file_inode(file); + unsigned int offset; + struct buffer_head *bh; +- struct qnx4_inode_entry *de; +- struct qnx4_link_info *le; + unsigned long blknum; + int ix, ino; + int size; +@@ -38,27 +52,30 @@ static int qnx4_readdir(struct file *file, struct dir_context *ctx) + } + ix = (ctx->pos >> QNX4_DIR_ENTRY_SIZE_BITS) % QNX4_INODES_PER_BLOCK; + for (; ix < QNX4_INODES_PER_BLOCK; ix++, ctx->pos += QNX4_DIR_ENTRY_SIZE) { ++ union qnx4_directory_entry *de; ++ const char *name; ++ + offset = ix * QNX4_DIR_ENTRY_SIZE; +- de = (struct qnx4_inode_entry *) (bh->b_data + offset); +- if (!de->di_fname[0]) ++ de = (union qnx4_directory_entry *) (bh->b_data + offset); ++ ++ if (!de->de_name) + continue; +- if (!(de->di_status & (QNX4_FILE_USED|QNX4_FILE_LINK))) ++ if (!(de->de_status & (QNX4_FILE_USED|QNX4_FILE_LINK))) + continue; +- if (!(de->di_status & QNX4_FILE_LINK)) +- size = QNX4_SHORT_NAME_MAX; +- else +- size = QNX4_NAME_MAX; +- size = strnlen(de->di_fname, size); +- QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, de->di_fname)); +- if (!(de->di_status & QNX4_FILE_LINK)) ++ if (!(de->de_status & QNX4_FILE_LINK)) { ++ size = sizeof(de->inode.di_fname); ++ name = de->inode.di_fname; + ino = blknum * QNX4_INODES_PER_BLOCK + ix - 1; +- else { +- le = (struct qnx4_link_info*)de; +- ino = ( le32_to_cpu(le->dl_inode_blk) - 1 ) * ++ } else { ++ size = sizeof(de->link.dl_fname); ++ name = de->link.dl_fname; ++ ino = ( le32_to_cpu(de->link.dl_inode_blk) - 1 ) * + QNX4_INODES_PER_BLOCK + +- le->dl_inode_ndx; ++ de->link.dl_inode_ndx; + } +- if (!dir_emit(ctx, de->di_fname, size, ino, DT_UNKNOWN)) { ++ size = strnlen(name, size); ++ QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, name)); ++ if (!dir_emit(ctx, name, size, ino, DT_UNKNOWN)) { + brelse(bh); + return 0; + } +-- +2.33.0 + diff --git a/queue-5.10/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch b/queue-5.10/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch new file mode 100644 index 00000000000..25f7dc9f09c --- /dev/null +++ b/queue-5.10/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch @@ -0,0 +1,53 @@ +From 824991c57241d77f2519c37835eb03fbafc20ef0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 16:53:36 +0800 +Subject: scsi: iscsi: Adjust iface sysfs attr detection + +From: Baokun Li + +[ Upstream commit 4e28550829258f7dab97383acaa477bd724c0ff4 ] + +ISCSI_NET_PARAM_IFACE_ENABLE belongs to enum iscsi_net_param instead of +iscsi_iface_param so move it to ISCSI_NET_PARAM. Otherwise, when we call +into the driver, we might not match and return that we don't want attr +visible in sysfs. Found in code review. + +Link: https://lore.kernel.org/r/20210901085336.2264295-1-libaokun1@huawei.com +Fixes: e746f3451ec7 ("scsi: iscsi: Fix iface sysfs attr detection") +Reviewed-by: Lee Duncan +Signed-off-by: Baokun Li +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index ac07a9ef3578..41772b88610a 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -442,9 +442,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + struct iscsi_transport *t = iface->transport; + int param = -1; + +- if (attr == &dev_attr_iface_enabled.attr) +- param = ISCSI_NET_PARAM_IFACE_ENABLE; +- else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr) ++ if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr) + param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO; + else if (attr == &dev_attr_iface_header_digest.attr) + param = ISCSI_IFACE_PARAM_HDRDGST_EN; +@@ -484,7 +482,9 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + if (param != -1) + return t->attr_is_visible(ISCSI_IFACE_PARAM, param); + +- if (attr == &dev_attr_iface_vlan_id.attr) ++ if (attr == &dev_attr_iface_enabled.attr) ++ param = ISCSI_NET_PARAM_IFACE_ENABLE; ++ else if (attr == &dev_attr_iface_vlan_id.attr) + param = ISCSI_NET_PARAM_VLAN_ID; + else if (attr == &dev_attr_iface_vlan_priority.attr) + param = ISCSI_NET_PARAM_VLAN_PRIORITY; +-- +2.33.0 + diff --git a/queue-5.10/scsi-lpfc-use-correct-scnprintf-limit.patch b/queue-5.10/scsi-lpfc-use-correct-scnprintf-limit.patch new file mode 100644 index 00000000000..5825857b117 --- /dev/null +++ b/queue-5.10/scsi-lpfc-use-correct-scnprintf-limit.patch @@ -0,0 +1,39 @@ +From e5bfc9df5722bc3bcf3d8224da3f7e39ee7acd97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 16:23:31 +0300 +Subject: scsi: lpfc: Use correct scnprintf() limit + +From: Dan Carpenter + +[ Upstream commit 6dacc371b77f473770ec646e220303a84fe96c11 ] + +The limit should be "PAGE_SIZE - len" instead of "PAGE_SIZE". We're not +going to hit the limit so this fix will not affect runtime. + +Link: https://lore.kernel.org/r/20210916132331.GE25094@kili +Fixes: 5b9e70b22cc5 ("scsi: lpfc: raise sg count for nvme to use available sg resources") +Reviewed-by: James Smart +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_attr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c +index bdea2867516c..2c59a5bf3539 100644 +--- a/drivers/scsi/lpfc/lpfc_attr.c ++++ b/drivers/scsi/lpfc/lpfc_attr.c +@@ -6005,7 +6005,8 @@ lpfc_sg_seg_cnt_show(struct device *dev, struct device_attribute *attr, + len = scnprintf(buf, PAGE_SIZE, "SGL sz: %d total SGEs: %d\n", + phba->cfg_sg_dma_buf_size, phba->cfg_total_seg_cnt); + +- len += scnprintf(buf + len, PAGE_SIZE, "Cfg: %d SCSI: %d NVME: %d\n", ++ len += scnprintf(buf + len, PAGE_SIZE - len, ++ "Cfg: %d SCSI: %d NVME: %d\n", + phba->cfg_sg_seg_cnt, phba->cfg_scsi_seg_cnt, + phba->cfg_nvme_seg_cnt); + return len; +-- +2.33.0 + diff --git a/queue-5.10/scsi-qla2xxx-restore-initiator-in-dual-mode.patch b/queue-5.10/scsi-qla2xxx-restore-initiator-in-dual-mode.patch new file mode 100644 index 00000000000..0ac98361304 --- /dev/null +++ b/queue-5.10/scsi-qla2xxx-restore-initiator-in-dual-mode.patch @@ -0,0 +1,41 @@ +From a78c5abdbc964d4c429b1be107b2391da486a99f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 18:32:39 +0300 +Subject: scsi: qla2xxx: Restore initiator in dual mode + +From: Dmitry Bogdanov + +[ Upstream commit 5f8579038842d77e6ce05e1df6bf9dd493b0e3ef ] + +In dual mode in case of disabling the target, the whole port goes offline +and initiator is turned off too. + +Fix restoring initiator mode after disabling target in dual mode. + +Link: https://lore.kernel.org/r/20210915153239.8035-1-d.bogdanov@yadro.com +Fixes: 0645cb8350cd ("scsi: qla2xxx: Add mode control for each physical port") +Reviewed-by: Himanshu Madhani +Signed-off-by: Dmitry Bogdanov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 6faf34fa6220..b7aac3116f2d 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -6934,7 +6934,8 @@ qla2x00_abort_isp(scsi_qla_host_t *vha) + return 0; + break; + case QLA2XXX_INI_MODE_DUAL: +- if (!qla_dual_mode_enabled(vha)) ++ if (!qla_dual_mode_enabled(vha) && ++ !qla_ini_mode_enabled(vha)) + return 0; + break; + case QLA2XXX_INI_MODE_ENABLED: +-- +2.33.0 + diff --git a/queue-5.10/scsi-target-fix-the-pgr-alua_support_store-functions.patch b/queue-5.10/scsi-target-fix-the-pgr-alua_support_store-functions.patch new file mode 100644 index 00000000000..3b2c5f6e6c1 --- /dev/null +++ b/queue-5.10/scsi-target-fix-the-pgr-alua_support_store-functions.patch @@ -0,0 +1,111 @@ +From e9c4a21afa025c4b1d6b6bcf6fe4731455e78c3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 17:18:09 +0200 +Subject: scsi: target: Fix the pgr/alua_support_store functions + +From: Maurizio Lombardi + +[ Upstream commit ef7ae7f746e95c6fa4ec2bcfacb949c36263da78 ] + +Commit 356ba2a8bc8d ("scsi: target: tcmu: Make pgr_support and alua_support +attributes writable") introduced support for changeable alua_support and +pgr_support target attributes. These can only be changed if the backstore +is user-backed, otherwise the kernel returns -EINVAL. + +This triggers a warning in the targetcli/rtslib code when performing a +target restore that includes non-userbacked backstores: + + # targetctl restore + Storage Object block/storage1: Cannot set attribute alua_support: + [Errno 22] Invalid argument, skipped + Storage Object block/storage1: Cannot set attribute pgr_support: + [Errno 22] Invalid argument, skipped + +Fix this warning by returning an error code only if we are really going to +flip the PGR/ALUA bit in the transport_flags field, otherwise we will do +nothing and return success. + +Return ENOSYS instead of EINVAL if the pgr/alua attributes can not be +changed, this way it will be possible for userspace to understand if the +operation failed because an invalid value has been passed to strtobool() or +because the attributes are fixed. + +Fixes: 356ba2a8bc8d ("scsi: target: tcmu: Make pgr_support and alua_support attributes writable") +Link: https://lore.kernel.org/r/20210906151809.52811-1-mlombard@redhat.com +Reviewed-by: Bodo Stroesser +Signed-off-by: Maurizio Lombardi +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_configfs.c | 32 +++++++++++++++++---------- + 1 file changed, 20 insertions(+), 12 deletions(-) + +diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c +index f04352285155..56ae882fb7b3 100644 +--- a/drivers/target/target_core_configfs.c ++++ b/drivers/target/target_core_configfs.c +@@ -1110,20 +1110,24 @@ static ssize_t alua_support_store(struct config_item *item, + { + struct se_dev_attrib *da = to_attrib(item); + struct se_device *dev = da->da_dev; +- bool flag; ++ bool flag, oldflag; + int ret; + ++ ret = strtobool(page, &flag); ++ if (ret < 0) ++ return ret; ++ ++ oldflag = !(dev->transport_flags & TRANSPORT_FLAG_PASSTHROUGH_ALUA); ++ if (flag == oldflag) ++ return count; ++ + if (!(dev->transport->transport_flags_changeable & + TRANSPORT_FLAG_PASSTHROUGH_ALUA)) { + pr_err("dev[%p]: Unable to change SE Device alua_support:" + " alua_support has fixed value\n", dev); +- return -EINVAL; ++ return -ENOSYS; + } + +- ret = strtobool(page, &flag); +- if (ret < 0) +- return ret; +- + if (flag) + dev->transport_flags &= ~TRANSPORT_FLAG_PASSTHROUGH_ALUA; + else +@@ -1145,20 +1149,24 @@ static ssize_t pgr_support_store(struct config_item *item, + { + struct se_dev_attrib *da = to_attrib(item); + struct se_device *dev = da->da_dev; +- bool flag; ++ bool flag, oldflag; + int ret; + ++ ret = strtobool(page, &flag); ++ if (ret < 0) ++ return ret; ++ ++ oldflag = !(dev->transport_flags & TRANSPORT_FLAG_PASSTHROUGH_PGR); ++ if (flag == oldflag) ++ return count; ++ + if (!(dev->transport->transport_flags_changeable & + TRANSPORT_FLAG_PASSTHROUGH_PGR)) { + pr_err("dev[%p]: Unable to change SE Device pgr_support:" + " pgr_support has fixed value\n", dev); +- return -EINVAL; ++ return -ENOSYS; + } + +- ret = strtobool(page, &flag); +- if (ret < 0) +- return ret; +- + if (flag) + dev->transport_flags &= ~TRANSPORT_FLAG_PASSTHROUGH_PGR; + else +-- +2.33.0 + diff --git a/queue-5.10/series b/queue-5.10/series index dedeebb1a8d..a3f57b35be1 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -37,7 +37,6 @@ enetc-fix-illegal-access-when-reading-affinity_hint.patch enetc-fix-uninitialized-struct-dim_sample-field-usag.patch bnxt_en-fix-tx-timeout-when-tx-ring-size-is-set-to-t.patch net-hns3-fix-change-rss-hfunc-ineffective-issue.patch -net-hns3-fix-misuse-vf-id-and-vport-id-in-some-logs.patch net-hns3-check-queue-id-range-before-using.patch net-smc-add-missing-error-check-in-smc_clc_prfx_set.patch net-smc-fix-workqueue-leaked-lock-in-smc_conn_abort_.patch @@ -51,3 +50,48 @@ gpio-uniphier-fix-void-functions-to-remove-return-va.patch qed-rdma-don-t-wait-for-resources-under-hw-error-rec.patch net-mlx4_en-don-t-allow-arfs-for-encapsulated-packet.patch atlantic-fix-issue-in-the-pm-resume-flow.patch +scsi-iscsi-adjust-iface-sysfs-attr-detection.patch +scsi-target-fix-the-pgr-alua_support_store-functions.patch +tty-synclink_gt-drop-unneeded-forward-declarations.patch +tty-synclink_gt-rename-a-conflicting-function-name.patch +fpga-machxo2-spi-return-an-error-on-failure.patch +fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch +nvme-tcp-fix-incorrect-h2cdata-pdu-offset-accounting.patch +treewide-change-list_sort-to-use-const-pointers.patch +nvme-keep-ctrl-namespaces-ordered.patch +thermal-core-potential-buffer-overflow-in-thermal_bu.patch +cifs-fix-a-sign-extension-bug.patch +scsi-qla2xxx-restore-initiator-in-dual-mode.patch +scsi-lpfc-use-correct-scnprintf-limit.patch +irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch +irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch +md-fix-a-lock-order-reversal-in-md_alloc.patch +x86-asm-add-a-missing-__iomem-annotation-in-enqcmds.patch +x86-asm-fix-setz-size-enqcmds-build-failure.patch +io_uring-put-provided-buffer-meta-data-under-memcg-a.patch +blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch +net-phylink-update-sfp-selected-interface-on-adverti.patch +net-macb-fix-use-after-free-on-rmmod.patch +net-stmmac-allow-csr-clock-of-300mhz.patch +blk-mq-avoid-to-iterate-over-stale-request.patch +m68k-double-cast-io-functions-to-unsigned-long.patch +ipv6-delay-fib6_sernum-increase-in-fib6_add.patch +cpufreq-intel_pstate-override-parameters-if-hwp-forc.patch +bpf-add-oversize-check-before-call-kvcalloc.patch +xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch +nvme-multipath-fix-ana-state-updates-when-a-namespac.patch +nvme-rdma-destroy-cm-id-before-destroy-qp-to-avoid-u.patch +sparc32-page-align-size-in-arch_dma_alloc.patch +amd-display-downgrade-validation-failure-log-level.patch +block-check-if-a-profile-is-actually-registered-in-b.patch +block-flush-the-integrity-workqueue-in-blk_integrity.patch +blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch +compiler.h-introduce-absolute_pointer-macro.patch +net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch +sparc-avoid-stringop-overread-errors.patch +qnx4-avoid-stringop-overread-errors.patch +parisc-use-absolute_pointer-to-define-page0.patch +arm64-mark-__stack_chk_guard-as-__ro_after_init.patch +alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch +net-6pack-fix-tx-timeout-and-slot-time.patch +spi-fix-tegra20-build-with-config_pm-n.patch diff --git a/queue-5.10/sparc-avoid-stringop-overread-errors.patch b/queue-5.10/sparc-avoid-stringop-overread-errors.patch new file mode 100644 index 00000000000..49844d65b6b --- /dev/null +++ b/queue-5.10/sparc-avoid-stringop-overread-errors.patch @@ -0,0 +1,65 @@ +From 3bfd6207e0e337aa1047b9e9e9d919ceb470db82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 16:06:04 -0700 +Subject: sparc: avoid stringop-overread errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit fc7c028dcdbfe981bca75d2a7b95f363eb691ef3 ] + +The sparc mdesc code does pointer games with 'struct mdesc_hdr', but +didn't describe to the compiler how that header is then followed by the +data that the header describes. + +As a result, gcc is now unhappy since it does stricter pointer range +tracking, and doesn't understand about how these things work. This +results in various errors like: + + arch/sparc/kernel/mdesc.c: In function ‘mdesc_node_by_name’: + arch/sparc/kernel/mdesc.c:647:22: error: ‘strcmp’ reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread] + 647 | if (!strcmp(names + ep[ret].name_offset, name)) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +which are easily avoided by just describing 'struct mdesc_hdr' better, +and making the node_block() helper function look into that unsized +data[] that follows the header. + +This makes the sparc64 build happy again at least for my cross-compiler +version (gcc version 11.2.1). + +Link: https://lore.kernel.org/lkml/CAHk-=wi4NW3NC0xWykkw=6LnjQD6D_rtRtxY9g8gQAJXtQMi8A@mail.gmail.com/ +Cc: Guenter Roeck +Cc: David S. Miller +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/mdesc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/sparc/kernel/mdesc.c b/arch/sparc/kernel/mdesc.c +index 8e645ddac58e..30f171b7b00c 100644 +--- a/arch/sparc/kernel/mdesc.c ++++ b/arch/sparc/kernel/mdesc.c +@@ -39,6 +39,7 @@ struct mdesc_hdr { + u32 node_sz; /* node block size */ + u32 name_sz; /* name block size */ + u32 data_sz; /* data block size */ ++ char data[]; + } __attribute__((aligned(16))); + + struct mdesc_elem { +@@ -612,7 +613,7 @@ EXPORT_SYMBOL(mdesc_get_node_info); + + static struct mdesc_elem *node_block(struct mdesc_hdr *mdesc) + { +- return (struct mdesc_elem *) (mdesc + 1); ++ return (struct mdesc_elem *) mdesc->data; + } + + static void *name_block(struct mdesc_hdr *mdesc) +-- +2.33.0 + diff --git a/queue-5.10/sparc32-page-align-size-in-arch_dma_alloc.patch b/queue-5.10/sparc32-page-align-size-in-arch_dma_alloc.patch new file mode 100644 index 00000000000..7ea362588ce --- /dev/null +++ b/queue-5.10/sparc32-page-align-size-in-arch_dma_alloc.patch @@ -0,0 +1,40 @@ +From c24e93d275c1a6ca8700dda76b856211b638f47c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 09:48:22 +0200 +Subject: sparc32: page align size in arch_dma_alloc + +From: Andreas Larsson + +[ Upstream commit 59583f747664046aaae5588d56d5954fab66cce8 ] + +Commit 53b7670e5735 ("sparc: factor the dma coherent mapping into +helper") lost the page align for the calls to dma_make_coherent and +srmmu_unmapiorange. The latter cannot handle a non page aligned len +argument. + +Signed-off-by: Andreas Larsson +Reviewed-by: Sam Ravnborg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/ioport.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/sparc/kernel/ioport.c b/arch/sparc/kernel/ioport.c +index 8e1d72a16759..7ceae24b0ca9 100644 +--- a/arch/sparc/kernel/ioport.c ++++ b/arch/sparc/kernel/ioport.c +@@ -356,7 +356,9 @@ err_nomem: + void arch_dma_free(struct device *dev, size_t size, void *cpu_addr, + dma_addr_t dma_addr, unsigned long attrs) + { +- if (!sparc_dma_free_resource(cpu_addr, PAGE_ALIGN(size))) ++ size = PAGE_ALIGN(size); ++ ++ if (!sparc_dma_free_resource(cpu_addr, size)) + return; + + dma_make_coherent(dma_addr, size); +-- +2.33.0 + diff --git a/queue-5.10/spi-fix-tegra20-build-with-config_pm-n.patch b/queue-5.10/spi-fix-tegra20-build-with-config_pm-n.patch new file mode 100644 index 00000000000..5176924903d --- /dev/null +++ b/queue-5.10/spi-fix-tegra20-build-with-config_pm-n.patch @@ -0,0 +1,59 @@ +From 13a2d9f0df9c74c2968271b5d0889c0f47aa64ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Sep 2021 10:05:06 -0700 +Subject: spi: Fix tegra20 build with CONFIG_PM=n +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit efafec27c5658ed987e720130772f8933c685e87 ] + +Without CONFIG_PM enabled, the SET_RUNTIME_PM_OPS() macro ends up being +empty, and the only use of tegra_slink_runtime_{resume,suspend} goes +away, resulting in + + drivers/spi/spi-tegra20-slink.c:1200:12: error: ‘tegra_slink_runtime_resume’ defined but not used [-Werror=unused-function] + 1200 | static int tegra_slink_runtime_resume(struct device *dev) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~ + drivers/spi/spi-tegra20-slink.c:1188:12: error: ‘tegra_slink_runtime_suspend’ defined but not used [-Werror=unused-function] + 1188 | static int tegra_slink_runtime_suspend(struct device *dev) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + +mark the functions __maybe_unused to make the build happy. + +This hits the alpha allmodconfig build (and others). + +Reported-by: Guenter Roeck +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra20-slink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-tegra20-slink.c b/drivers/spi/spi-tegra20-slink.c +index f7c832fd4003..669fc4286231 100644 +--- a/drivers/spi/spi-tegra20-slink.c ++++ b/drivers/spi/spi-tegra20-slink.c +@@ -1201,7 +1201,7 @@ static int tegra_slink_resume(struct device *dev) + } + #endif + +-static int tegra_slink_runtime_suspend(struct device *dev) ++static int __maybe_unused tegra_slink_runtime_suspend(struct device *dev) + { + struct spi_master *master = dev_get_drvdata(dev); + struct tegra_slink_data *tspi = spi_master_get_devdata(master); +@@ -1213,7 +1213,7 @@ static int tegra_slink_runtime_suspend(struct device *dev) + return 0; + } + +-static int tegra_slink_runtime_resume(struct device *dev) ++static int __maybe_unused tegra_slink_runtime_resume(struct device *dev) + { + struct spi_master *master = dev_get_drvdata(dev); + struct tegra_slink_data *tspi = spi_master_get_devdata(master); +-- +2.33.0 + diff --git a/queue-5.10/thermal-core-potential-buffer-overflow-in-thermal_bu.patch b/queue-5.10/thermal-core-potential-buffer-overflow-in-thermal_bu.patch new file mode 100644 index 00000000000..b0886bf6655 --- /dev/null +++ b/queue-5.10/thermal-core-potential-buffer-overflow-in-thermal_bu.patch @@ -0,0 +1,52 @@ +From c41b534594d14642ac426b5a039f75c223e42fae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 16:13:42 +0300 +Subject: thermal/core: Potential buffer overflow in + thermal_build_list_of_policies() + +From: Dan Carpenter + +[ Upstream commit 1bb30b20b49773369c299d4d6c65227201328663 ] + +After printing the list of thermal governors, then this function prints +a newline character. The problem is that "size" has not been updated +after printing the last governor. This means that it can write one +character (the NUL terminator) beyond the end of the buffer. + +Get rid of the "size" variable and just use "PAGE_SIZE - count" directly. + +Fixes: 1b4f48494eb2 ("thermal: core: group functions related to governor handling") +Signed-off-by: Dan Carpenter +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20210916131342.GB25094@kili +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_core.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index e669f83faa3c..17de8a9b991e 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -224,15 +224,14 @@ int thermal_build_list_of_policies(char *buf) + { + struct thermal_governor *pos; + ssize_t count = 0; +- ssize_t size = PAGE_SIZE; + + mutex_lock(&thermal_governor_lock); + + list_for_each_entry(pos, &thermal_governor_list, governor_list) { +- size = PAGE_SIZE - count; +- count += scnprintf(buf + count, size, "%s ", pos->name); ++ count += scnprintf(buf + count, PAGE_SIZE - count, "%s ", ++ pos->name); + } +- count += scnprintf(buf + count, size, "\n"); ++ count += scnprintf(buf + count, PAGE_SIZE - count, "\n"); + + mutex_unlock(&thermal_governor_lock); + +-- +2.33.0 + diff --git a/queue-5.10/treewide-change-list_sort-to-use-const-pointers.patch b/queue-5.10/treewide-change-list_sort-to-use-const-pointers.patch new file mode 100644 index 00000000000..62ac894e4eb --- /dev/null +++ b/queue-5.10/treewide-change-list_sort-to-use-const-pointers.patch @@ -0,0 +1,738 @@ +From 6254fec54677c2c894bbb1f7671432d85dad080b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 11:28:34 -0700 +Subject: treewide: Change list_sort to use const pointers + +From: Sami Tolvanen + +[ Upstream commit 4f0f586bf0c898233d8f316f471a21db2abd522d ] + +list_sort() internally casts the comparison function passed to it +to a different type with constant struct list_head pointers, and +uses this pointer to call the functions, which trips indirect call +Control-Flow Integrity (CFI) checking. + +Instead of removing the consts, this change defines the +list_cmp_func_t type and changes the comparison function types of +all list_sort() callers to use const pointers, thus avoiding type +mismatches. + +Suggested-by: Nick Desaulniers +Signed-off-by: Sami Tolvanen +Reviewed-by: Nick Desaulniers +Reviewed-by: Christoph Hellwig +Reviewed-by: Kees Cook +Tested-by: Nick Desaulniers +Tested-by: Nathan Chancellor +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20210408182843.1754385-10-samitolvanen@google.com +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/vgic/vgic-its.c | 8 ++++---- + arch/arm64/kvm/vgic/vgic.c | 3 ++- + block/blk-mq-sched.c | 3 ++- + block/blk-mq.c | 3 ++- + drivers/acpi/nfit/core.c | 3 ++- + drivers/acpi/numa/hmat.c | 3 ++- + drivers/clk/keystone/sci-clk.c | 4 ++-- + drivers/gpu/drm/drm_modes.c | 3 ++- + drivers/gpu/drm/i915/gt/intel_engine_user.c | 3 ++- + drivers/gpu/drm/i915/gvt/debugfs.c | 2 +- + drivers/gpu/drm/i915/selftests/i915_gem_gtt.c | 3 ++- + drivers/gpu/drm/radeon/radeon_cs.c | 4 ++-- + .../hw/usnic/usnic_uiom_interval_tree.c | 3 ++- + drivers/interconnect/qcom/bcm-voter.c | 2 +- + drivers/md/raid5.c | 3 ++- + drivers/misc/sram.c | 4 ++-- + drivers/nvme/host/core.c | 3 ++- + .../pci/controller/cadence/pcie-cadence-host.c | 3 ++- + drivers/spi/spi-loopback-test.c | 3 ++- + fs/btrfs/raid56.c | 3 ++- + fs/btrfs/tree-log.c | 3 ++- + fs/btrfs/volumes.c | 3 ++- + fs/ext4/fsmap.c | 4 ++-- + fs/gfs2/glock.c | 3 ++- + fs/gfs2/log.c | 2 +- + fs/gfs2/lops.c | 3 ++- + fs/iomap/buffered-io.c | 3 ++- + fs/ubifs/gc.c | 7 ++++--- + fs/ubifs/replay.c | 4 ++-- + fs/xfs/scrub/bitmap.c | 4 ++-- + fs/xfs/xfs_bmap_item.c | 4 ++-- + fs/xfs/xfs_buf.c | 6 +++--- + fs/xfs/xfs_extent_busy.c | 4 ++-- + fs/xfs/xfs_extent_busy.h | 3 ++- + fs/xfs/xfs_extfree_item.c | 4 ++-- + fs/xfs/xfs_refcount_item.c | 4 ++-- + fs/xfs/xfs_rmap_item.c | 4 ++-- + include/linux/list_sort.h | 7 ++++--- + lib/list_sort.c | 17 ++++++----------- + lib/test_list_sort.c | 3 ++- + net/tipc/name_table.c | 4 ++-- + 41 files changed, 90 insertions(+), 72 deletions(-) + +diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c +index 40cbaca81333..b9518f94bd43 100644 +--- a/arch/arm64/kvm/vgic/vgic-its.c ++++ b/arch/arm64/kvm/vgic/vgic-its.c +@@ -2190,8 +2190,8 @@ static int vgic_its_restore_ite(struct vgic_its *its, u32 event_id, + return offset; + } + +-static int vgic_its_ite_cmp(void *priv, struct list_head *a, +- struct list_head *b) ++static int vgic_its_ite_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct its_ite *itea = container_of(a, struct its_ite, ite_list); + struct its_ite *iteb = container_of(b, struct its_ite, ite_list); +@@ -2329,8 +2329,8 @@ static int vgic_its_restore_dte(struct vgic_its *its, u32 id, + return offset; + } + +-static int vgic_its_device_cmp(void *priv, struct list_head *a, +- struct list_head *b) ++static int vgic_its_device_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct its_device *deva = container_of(a, struct its_device, dev_list); + struct its_device *devb = container_of(b, struct its_device, dev_list); +diff --git a/arch/arm64/kvm/vgic/vgic.c b/arch/arm64/kvm/vgic/vgic.c +index c3643b7f101b..4abf7a867b65 100644 +--- a/arch/arm64/kvm/vgic/vgic.c ++++ b/arch/arm64/kvm/vgic/vgic.c +@@ -255,7 +255,8 @@ static struct kvm_vcpu *vgic_target_oracle(struct vgic_irq *irq) + * Return negative if "a" sorts before "b", 0 to preserve order, and positive + * to sort "b" before "a". + */ +-static int vgic_irq_cmp(void *priv, struct list_head *a, struct list_head *b) ++static int vgic_irq_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct vgic_irq *irqa = container_of(a, struct vgic_irq, ap_list); + struct vgic_irq *irqb = container_of(b, struct vgic_irq, ap_list); +diff --git a/block/blk-mq-sched.c b/block/blk-mq-sched.c +index 581be65a53c1..24c08963890e 100644 +--- a/block/blk-mq-sched.c ++++ b/block/blk-mq-sched.c +@@ -75,7 +75,8 @@ void blk_mq_sched_restart(struct blk_mq_hw_ctx *hctx) + blk_mq_run_hw_queue(hctx, true); + } + +-static int sched_rq_cmp(void *priv, struct list_head *a, struct list_head *b) ++static int sched_rq_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct request *rqa = container_of(a, struct request, queuelist); + struct request *rqb = container_of(b, struct request, queuelist); +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 6dcb86c1c985..eed9a4c1519d 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -1866,7 +1866,8 @@ void blk_mq_insert_requests(struct blk_mq_hw_ctx *hctx, struct blk_mq_ctx *ctx, + spin_unlock(&ctx->lock); + } + +-static int plug_rq_cmp(void *priv, struct list_head *a, struct list_head *b) ++static int plug_rq_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct request *rqa = container_of(a, struct request, queuelist); + struct request *rqb = container_of(b, struct request, queuelist); +diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c +index cb18cb5c51b1..d061bff5cc96 100644 +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -1194,7 +1194,8 @@ static int __nfit_mem_init(struct acpi_nfit_desc *acpi_desc, + return 0; + } + +-static int nfit_mem_cmp(void *priv, struct list_head *_a, struct list_head *_b) ++static int nfit_mem_cmp(void *priv, const struct list_head *_a, ++ const struct list_head *_b) + { + struct nfit_mem *a = container_of(_a, typeof(*a), list); + struct nfit_mem *b = container_of(_b, typeof(*b), list); +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index cb73a5d6ea76..137a5dd880c2 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -558,7 +558,8 @@ static bool hmat_update_best(u8 type, u32 value, u32 *best) + return updated; + } + +-static int initiator_cmp(void *priv, struct list_head *a, struct list_head *b) ++static int initiator_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct memory_initiator *ia; + struct memory_initiator *ib; +diff --git a/drivers/clk/keystone/sci-clk.c b/drivers/clk/keystone/sci-clk.c +index aaf31abe1c8f..7e1b136e71ae 100644 +--- a/drivers/clk/keystone/sci-clk.c ++++ b/drivers/clk/keystone/sci-clk.c +@@ -503,8 +503,8 @@ static int ti_sci_scan_clocks_from_fw(struct sci_clk_provider *provider) + + #else + +-static int _cmp_sci_clk_list(void *priv, struct list_head *a, +- struct list_head *b) ++static int _cmp_sci_clk_list(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct sci_clk *ca = container_of(a, struct sci_clk, node); + struct sci_clk *cb = container_of(b, struct sci_clk, node); +diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c +index 511cde5c7fa6..0f99e5453f15 100644 +--- a/drivers/gpu/drm/drm_modes.c ++++ b/drivers/gpu/drm/drm_modes.c +@@ -1290,7 +1290,8 @@ EXPORT_SYMBOL(drm_mode_prune_invalid); + * Negative if @lh_a is better than @lh_b, zero if they're equivalent, or + * positive if @lh_b is better than @lh_a. + */ +-static int drm_mode_compare(void *priv, struct list_head *lh_a, struct list_head *lh_b) ++static int drm_mode_compare(void *priv, const struct list_head *lh_a, ++ const struct list_head *lh_b) + { + struct drm_display_mode *a = list_entry(lh_a, struct drm_display_mode, head); + struct drm_display_mode *b = list_entry(lh_b, struct drm_display_mode, head); +diff --git a/drivers/gpu/drm/i915/gt/intel_engine_user.c b/drivers/gpu/drm/i915/gt/intel_engine_user.c +index 34e6096f196e..da21d2a10cc9 100644 +--- a/drivers/gpu/drm/i915/gt/intel_engine_user.c ++++ b/drivers/gpu/drm/i915/gt/intel_engine_user.c +@@ -49,7 +49,8 @@ static const u8 uabi_classes[] = { + [VIDEO_ENHANCEMENT_CLASS] = I915_ENGINE_CLASS_VIDEO_ENHANCE, + }; + +-static int engine_cmp(void *priv, struct list_head *A, struct list_head *B) ++static int engine_cmp(void *priv, const struct list_head *A, ++ const struct list_head *B) + { + const struct intel_engine_cs *a = + container_of((struct rb_node *)A, typeof(*a), uabi_node); +diff --git a/drivers/gpu/drm/i915/gvt/debugfs.c b/drivers/gpu/drm/i915/gvt/debugfs.c +index 62e6a14ad58e..9f1c209d9251 100644 +--- a/drivers/gpu/drm/i915/gvt/debugfs.c ++++ b/drivers/gpu/drm/i915/gvt/debugfs.c +@@ -41,7 +41,7 @@ struct diff_mmio { + + /* Compare two diff_mmio items. */ + static int mmio_offset_compare(void *priv, +- struct list_head *a, struct list_head *b) ++ const struct list_head *a, const struct list_head *b) + { + struct diff_mmio *ma; + struct diff_mmio *mb; +diff --git a/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c b/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c +index 713770fb2b92..65e28c4cd4ce 100644 +--- a/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c ++++ b/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c +@@ -1075,7 +1075,8 @@ static int igt_ppgtt_shrink_boom(void *arg) + return exercise_ppgtt(arg, shrink_boom); + } + +-static int sort_holes(void *priv, struct list_head *A, struct list_head *B) ++static int sort_holes(void *priv, const struct list_head *A, ++ const struct list_head *B) + { + struct drm_mm_node *a = list_entry(A, typeof(*a), hole_stack); + struct drm_mm_node *b = list_entry(B, typeof(*b), hole_stack); +diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c +index 21ce2f9502c0..a78b60b62caf 100644 +--- a/drivers/gpu/drm/radeon/radeon_cs.c ++++ b/drivers/gpu/drm/radeon/radeon_cs.c +@@ -394,8 +394,8 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data) + return 0; + } + +-static int cmp_size_smaller_first(void *priv, struct list_head *a, +- struct list_head *b) ++static int cmp_size_smaller_first(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct radeon_bo_list *la = list_entry(a, struct radeon_bo_list, tv.head); + struct radeon_bo_list *lb = list_entry(b, struct radeon_bo_list, tv.head); +diff --git a/drivers/infiniband/hw/usnic/usnic_uiom_interval_tree.c b/drivers/infiniband/hw/usnic/usnic_uiom_interval_tree.c +index d399523206c7..29d71267af78 100644 +--- a/drivers/infiniband/hw/usnic/usnic_uiom_interval_tree.c ++++ b/drivers/infiniband/hw/usnic/usnic_uiom_interval_tree.c +@@ -83,7 +83,8 @@ usnic_uiom_interval_node_alloc(long int start, long int last, int ref_cnt, + return interval; + } + +-static int interval_cmp(void *priv, struct list_head *a, struct list_head *b) ++static int interval_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct usnic_uiom_interval_node *node_a, *node_b; + +diff --git a/drivers/interconnect/qcom/bcm-voter.c b/drivers/interconnect/qcom/bcm-voter.c +index dd0e3bd50b94..3c0809095a31 100644 +--- a/drivers/interconnect/qcom/bcm-voter.c ++++ b/drivers/interconnect/qcom/bcm-voter.c +@@ -39,7 +39,7 @@ struct bcm_voter { + u32 tcs_wait; + }; + +-static int cmp_vcd(void *priv, struct list_head *a, struct list_head *b) ++static int cmp_vcd(void *priv, const struct list_head *a, const struct list_head *b) + { + const struct qcom_icc_bcm *bcm_a = + list_entry(a, struct qcom_icc_bcm, list); +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 39343479ac2a..c82953a3299e 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -953,7 +953,8 @@ static void dispatch_bio_list(struct bio_list *tmp) + submit_bio_noacct(bio); + } + +-static int cmp_stripe(void *priv, struct list_head *a, struct list_head *b) ++static int cmp_stripe(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + const struct r5pending_data *da = list_entry(a, + struct r5pending_data, sibling); +diff --git a/drivers/misc/sram.c b/drivers/misc/sram.c +index 6c1a23cb3e8c..202bf951e909 100644 +--- a/drivers/misc/sram.c ++++ b/drivers/misc/sram.c +@@ -144,8 +144,8 @@ static void sram_free_partitions(struct sram_dev *sram) + } + } + +-static int sram_reserve_cmp(void *priv, struct list_head *a, +- struct list_head *b) ++static int sram_reserve_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct sram_reserve *ra = list_entry(a, struct sram_reserve, list); + struct sram_reserve *rb = list_entry(b, struct sram_reserve, list); +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 5a9b2f1b1418..9c97628519e0 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3801,7 +3801,8 @@ out_unlock: + return ret; + } + +-static int ns_cmp(void *priv, struct list_head *a, struct list_head *b) ++static int ns_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct nvme_ns *nsa = container_of(a, struct nvme_ns, list); + struct nvme_ns *nsb = container_of(b, struct nvme_ns, list); +diff --git a/drivers/pci/controller/cadence/pcie-cadence-host.c b/drivers/pci/controller/cadence/pcie-cadence-host.c +index a40ed9e12b4b..fb96d37a135c 100644 +--- a/drivers/pci/controller/cadence/pcie-cadence-host.c ++++ b/drivers/pci/controller/cadence/pcie-cadence-host.c +@@ -345,7 +345,8 @@ static int cdns_pcie_host_bar_config(struct cdns_pcie_rc *rc, + return 0; + } + +-static int cdns_pcie_host_dma_ranges_cmp(void *priv, struct list_head *a, struct list_head *b) ++static int cdns_pcie_host_dma_ranges_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct resource_entry *entry1, *entry2; + +diff --git a/drivers/spi/spi-loopback-test.c b/drivers/spi/spi-loopback-test.c +index 89b91cdfb2a5..4d4f77a186a9 100644 +--- a/drivers/spi/spi-loopback-test.c ++++ b/drivers/spi/spi-loopback-test.c +@@ -454,7 +454,8 @@ struct rx_ranges { + u8 *end; + }; + +-static int rx_ranges_cmp(void *priv, struct list_head *a, struct list_head *b) ++static int rx_ranges_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct rx_ranges *rx_a = list_entry(a, struct rx_ranges, list); + struct rx_ranges *rx_b = list_entry(b, struct rx_ranges, list); +diff --git a/fs/btrfs/raid56.c b/fs/btrfs/raid56.c +index 9d33bf0154ab..e65d0fabb83e 100644 +--- a/fs/btrfs/raid56.c ++++ b/fs/btrfs/raid56.c +@@ -1646,7 +1646,8 @@ struct btrfs_plug_cb { + /* + * rbios on the plug list are sorted for easier merging. + */ +-static int plug_cmp(void *priv, struct list_head *a, struct list_head *b) ++static int plug_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct btrfs_raid_bio *ra = container_of(a, struct btrfs_raid_bio, + plug_list); +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index ec25e5eab349..7bf3936aceda 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -4070,7 +4070,8 @@ static noinline int copy_items(struct btrfs_trans_handle *trans, + return ret; + } + +-static int extent_cmp(void *priv, struct list_head *a, struct list_head *b) ++static int extent_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct extent_map *em1, *em2; + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 509811aabb3f..d8b8764f5bd1 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1226,7 +1226,8 @@ static int open_fs_devices(struct btrfs_fs_devices *fs_devices, + return 0; + } + +-static int devid_cmp(void *priv, struct list_head *a, struct list_head *b) ++static int devid_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct btrfs_device *dev1, *dev2; + +diff --git a/fs/ext4/fsmap.c b/fs/ext4/fsmap.c +index 4c2a9fe30067..4493ef0c715e 100644 +--- a/fs/ext4/fsmap.c ++++ b/fs/ext4/fsmap.c +@@ -354,8 +354,8 @@ static unsigned int ext4_getfsmap_find_sb(struct super_block *sb, + + /* Compare two fsmap items. */ + static int ext4_getfsmap_compare(void *priv, +- struct list_head *a, +- struct list_head *b) ++ const struct list_head *a, ++ const struct list_head *b) + { + struct ext4_fsmap *fa; + struct ext4_fsmap *fb; +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index cd43c481df4b..03c3407c8e26 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -1744,7 +1744,8 @@ void gfs2_glock_complete(struct gfs2_glock *gl, int ret) + spin_unlock(&gl->gl_lockref.lock); + } + +-static int glock_cmp(void *priv, struct list_head *a, struct list_head *b) ++static int glock_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct gfs2_glock *gla, *glb; + +diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c +index 1955dea999f7..7473b894e3c6 100644 +--- a/fs/gfs2/log.c ++++ b/fs/gfs2/log.c +@@ -605,7 +605,7 @@ void log_flush_wait(struct gfs2_sbd *sdp) + } + } + +-static int ip_cmp(void *priv, struct list_head *a, struct list_head *b) ++static int ip_cmp(void *priv, const struct list_head *a, const struct list_head *b) + { + struct gfs2_inode *ipa, *ipb; + +diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c +index 3922b26264f5..383ac2190ded 100644 +--- a/fs/gfs2/lops.c ++++ b/fs/gfs2/lops.c +@@ -627,7 +627,8 @@ static void gfs2_check_magic(struct buffer_head *bh) + kunmap_atomic(kaddr); + } + +-static int blocknr_cmp(void *priv, struct list_head *a, struct list_head *b) ++static int blocknr_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct gfs2_bufdata *bda, *bdb; + +diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c +index caed9d98c64a..cd9f7baa5bb7 100644 +--- a/fs/iomap/buffered-io.c ++++ b/fs/iomap/buffered-io.c +@@ -1155,7 +1155,8 @@ iomap_ioend_try_merge(struct iomap_ioend *ioend, struct list_head *more_ioends, + EXPORT_SYMBOL_GPL(iomap_ioend_try_merge); + + static int +-iomap_ioend_compare(void *priv, struct list_head *a, struct list_head *b) ++iomap_ioend_compare(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct iomap_ioend *ia = container_of(a, struct iomap_ioend, io_list); + struct iomap_ioend *ib = container_of(b, struct iomap_ioend, io_list); +diff --git a/fs/ubifs/gc.c b/fs/ubifs/gc.c +index a4aaeea63893..dc3e26e9ed7b 100644 +--- a/fs/ubifs/gc.c ++++ b/fs/ubifs/gc.c +@@ -102,7 +102,8 @@ static int switch_gc_head(struct ubifs_info *c) + * This function compares data nodes @a and @b. Returns %1 if @a has greater + * inode or block number, and %-1 otherwise. + */ +-static int data_nodes_cmp(void *priv, struct list_head *a, struct list_head *b) ++static int data_nodes_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + ino_t inuma, inumb; + struct ubifs_info *c = priv; +@@ -145,8 +146,8 @@ static int data_nodes_cmp(void *priv, struct list_head *a, struct list_head *b) + * first and sorted by length in descending order. Directory entry nodes go + * after inode nodes and are sorted in ascending hash valuer order. + */ +-static int nondata_nodes_cmp(void *priv, struct list_head *a, +- struct list_head *b) ++static int nondata_nodes_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + ino_t inuma, inumb; + struct ubifs_info *c = priv; +diff --git a/fs/ubifs/replay.c b/fs/ubifs/replay.c +index 1c6fc99fca30..b2f5563d1489 100644 +--- a/fs/ubifs/replay.c ++++ b/fs/ubifs/replay.c +@@ -299,8 +299,8 @@ static int apply_replay_entry(struct ubifs_info *c, struct replay_entry *r) + * entries @a and @b by comparing their sequence numer. Returns %1 if @a has + * greater sequence number and %-1 otherwise. + */ +-static int replay_entries_cmp(void *priv, struct list_head *a, +- struct list_head *b) ++static int replay_entries_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct ubifs_info *c = priv; + struct replay_entry *ra, *rb; +diff --git a/fs/xfs/scrub/bitmap.c b/fs/xfs/scrub/bitmap.c +index f88694f22d05..813b5f219113 100644 +--- a/fs/xfs/scrub/bitmap.c ++++ b/fs/xfs/scrub/bitmap.c +@@ -63,8 +63,8 @@ xbitmap_init( + static int + xbitmap_range_cmp( + void *priv, +- struct list_head *a, +- struct list_head *b) ++ const struct list_head *a, ++ const struct list_head *b) + { + struct xbitmap_range *ap; + struct xbitmap_range *bp; +diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c +index 9e16a4d0f97c..984bb480f177 100644 +--- a/fs/xfs/xfs_bmap_item.c ++++ b/fs/xfs/xfs_bmap_item.c +@@ -265,8 +265,8 @@ xfs_trans_log_finish_bmap_update( + static int + xfs_bmap_update_diff_items( + void *priv, +- struct list_head *a, +- struct list_head *b) ++ const struct list_head *a, ++ const struct list_head *b) + { + struct xfs_bmap_intent *ba; + struct xfs_bmap_intent *bb; +diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c +index 4e4cf91f4f9f..118819030dbb 100644 +--- a/fs/xfs/xfs_buf.c ++++ b/fs/xfs/xfs_buf.c +@@ -2114,9 +2114,9 @@ xfs_buf_delwri_queue( + */ + static int + xfs_buf_cmp( +- void *priv, +- struct list_head *a, +- struct list_head *b) ++ void *priv, ++ const struct list_head *a, ++ const struct list_head *b) + { + struct xfs_buf *ap = container_of(a, struct xfs_buf, b_list); + struct xfs_buf *bp = container_of(b, struct xfs_buf, b_list); +diff --git a/fs/xfs/xfs_extent_busy.c b/fs/xfs/xfs_extent_busy.c +index 3991e59cfd18..5c2695a42de1 100644 +--- a/fs/xfs/xfs_extent_busy.c ++++ b/fs/xfs/xfs_extent_busy.c +@@ -643,8 +643,8 @@ xfs_extent_busy_wait_all( + int + xfs_extent_busy_ag_cmp( + void *priv, +- struct list_head *l1, +- struct list_head *l2) ++ const struct list_head *l1, ++ const struct list_head *l2) + { + struct xfs_extent_busy *b1 = + container_of(l1, struct xfs_extent_busy, list); +diff --git a/fs/xfs/xfs_extent_busy.h b/fs/xfs/xfs_extent_busy.h +index 990ab3891971..8aea07100092 100644 +--- a/fs/xfs/xfs_extent_busy.h ++++ b/fs/xfs/xfs_extent_busy.h +@@ -58,7 +58,8 @@ void + xfs_extent_busy_wait_all(struct xfs_mount *mp); + + int +-xfs_extent_busy_ag_cmp(void *priv, struct list_head *a, struct list_head *b); ++xfs_extent_busy_ag_cmp(void *priv, const struct list_head *a, ++ const struct list_head *b); + + static inline void xfs_extent_busy_sort(struct list_head *list) + { +diff --git a/fs/xfs/xfs_extfree_item.c b/fs/xfs/xfs_extfree_item.c +index 6c11bfc3d452..5c0395256bd1 100644 +--- a/fs/xfs/xfs_extfree_item.c ++++ b/fs/xfs/xfs_extfree_item.c +@@ -397,8 +397,8 @@ xfs_trans_free_extent( + static int + xfs_extent_free_diff_items( + void *priv, +- struct list_head *a, +- struct list_head *b) ++ const struct list_head *a, ++ const struct list_head *b) + { + struct xfs_mount *mp = priv; + struct xfs_extent_free_item *ra; +diff --git a/fs/xfs/xfs_refcount_item.c b/fs/xfs/xfs_refcount_item.c +index 7529eb63ce94..0dee316283a9 100644 +--- a/fs/xfs/xfs_refcount_item.c ++++ b/fs/xfs/xfs_refcount_item.c +@@ -269,8 +269,8 @@ xfs_trans_log_finish_refcount_update( + static int + xfs_refcount_update_diff_items( + void *priv, +- struct list_head *a, +- struct list_head *b) ++ const struct list_head *a, ++ const struct list_head *b) + { + struct xfs_mount *mp = priv; + struct xfs_refcount_intent *ra; +diff --git a/fs/xfs/xfs_rmap_item.c b/fs/xfs/xfs_rmap_item.c +index 7adc996ca6e3..20905953fe76 100644 +--- a/fs/xfs/xfs_rmap_item.c ++++ b/fs/xfs/xfs_rmap_item.c +@@ -337,8 +337,8 @@ xfs_trans_log_finish_rmap_update( + static int + xfs_rmap_update_diff_items( + void *priv, +- struct list_head *a, +- struct list_head *b) ++ const struct list_head *a, ++ const struct list_head *b) + { + struct xfs_mount *mp = priv; + struct xfs_rmap_intent *ra; +diff --git a/include/linux/list_sort.h b/include/linux/list_sort.h +index 20f178c24e9d..453105f74e05 100644 +--- a/include/linux/list_sort.h ++++ b/include/linux/list_sort.h +@@ -6,8 +6,9 @@ + + struct list_head; + ++typedef int __attribute__((nonnull(2,3))) (*list_cmp_func_t)(void *, ++ const struct list_head *, const struct list_head *); ++ + __attribute__((nonnull(2,3))) +-void list_sort(void *priv, struct list_head *head, +- int (*cmp)(void *priv, struct list_head *a, +- struct list_head *b)); ++void list_sort(void *priv, struct list_head *head, list_cmp_func_t cmp); + #endif +diff --git a/lib/list_sort.c b/lib/list_sort.c +index 52f0c258c895..a926d96ffd44 100644 +--- a/lib/list_sort.c ++++ b/lib/list_sort.c +@@ -7,16 +7,13 @@ + #include + #include + +-typedef int __attribute__((nonnull(2,3))) (*cmp_func)(void *, +- struct list_head const *, struct list_head const *); +- + /* + * Returns a list organized in an intermediate format suited + * to chaining of merge() calls: null-terminated, no reserved or + * sentinel head node, "prev" links not maintained. + */ + __attribute__((nonnull(2,3,4))) +-static struct list_head *merge(void *priv, cmp_func cmp, ++static struct list_head *merge(void *priv, list_cmp_func_t cmp, + struct list_head *a, struct list_head *b) + { + struct list_head *head, **tail = &head; +@@ -52,7 +49,7 @@ static struct list_head *merge(void *priv, cmp_func cmp, + * throughout. + */ + __attribute__((nonnull(2,3,4,5))) +-static void merge_final(void *priv, cmp_func cmp, struct list_head *head, ++static void merge_final(void *priv, list_cmp_func_t cmp, struct list_head *head, + struct list_head *a, struct list_head *b) + { + struct list_head *tail = head; +@@ -185,9 +182,7 @@ static void merge_final(void *priv, cmp_func cmp, struct list_head *head, + * 2^(k+1) - 1 (second merge of case 5 when x == 2^(k-1) - 1). + */ + __attribute__((nonnull(2,3))) +-void list_sort(void *priv, struct list_head *head, +- int (*cmp)(void *priv, struct list_head *a, +- struct list_head *b)) ++void list_sort(void *priv, struct list_head *head, list_cmp_func_t cmp) + { + struct list_head *list = head->next, *pending = NULL; + size_t count = 0; /* Count of pending */ +@@ -227,7 +222,7 @@ void list_sort(void *priv, struct list_head *head, + if (likely(bits)) { + struct list_head *a = *tail, *b = a->prev; + +- a = merge(priv, (cmp_func)cmp, b, a); ++ a = merge(priv, cmp, b, a); + /* Install the merged result in place of the inputs */ + a->prev = b->prev; + *tail = a; +@@ -249,10 +244,10 @@ void list_sort(void *priv, struct list_head *head, + + if (!next) + break; +- list = merge(priv, (cmp_func)cmp, pending, list); ++ list = merge(priv, cmp, pending, list); + pending = next; + } + /* The final merge, rebuilding prev links */ +- merge_final(priv, (cmp_func)cmp, head, pending, list); ++ merge_final(priv, cmp, head, pending, list); + } + EXPORT_SYMBOL(list_sort); +diff --git a/lib/test_list_sort.c b/lib/test_list_sort.c +index 1f017d3b610e..00daaf23316f 100644 +--- a/lib/test_list_sort.c ++++ b/lib/test_list_sort.c +@@ -56,7 +56,8 @@ static int __init check(struct debug_el *ela, struct debug_el *elb) + return 0; + } + +-static int __init cmp(void *priv, struct list_head *a, struct list_head *b) ++static int __init cmp(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct debug_el *ela, *elb; + +diff --git a/net/tipc/name_table.c b/net/tipc/name_table.c +index 2ac33d32edc2..f6a6acef4223 100644 +--- a/net/tipc/name_table.c ++++ b/net/tipc/name_table.c +@@ -381,8 +381,8 @@ static struct publication *tipc_service_remove_publ(struct service_range *sr, + * Code reused: time_after32() for the same purpose + */ + #define publication_after(pa, pb) time_after32((pa)->id, (pb)->id) +-static int tipc_publ_sort(void *priv, struct list_head *a, +- struct list_head *b) ++static int tipc_publ_sort(void *priv, const struct list_head *a, ++ const struct list_head *b) + { + struct publication *pa, *pb; + +-- +2.33.0 + diff --git a/queue-5.10/tty-synclink_gt-drop-unneeded-forward-declarations.patch b/queue-5.10/tty-synclink_gt-drop-unneeded-forward-declarations.patch new file mode 100644 index 00000000000..bc379edde9f --- /dev/null +++ b/queue-5.10/tty-synclink_gt-drop-unneeded-forward-declarations.patch @@ -0,0 +1,154 @@ +From e268467fc1ce409f6172bec67fc9b47fc35da2b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Mar 2021 07:22:09 +0100 +Subject: tty: synclink_gt, drop unneeded forward declarations + +From: Jiri Slaby + +[ Upstream commit b9b90fe655c0bd816847ac1bcbf179cfa2981ecb ] + +Forward declarations make the code larger and rewrites harder. Harder as +they are often omitted from global changes. Remove forward declarations +which are not really needed, i.e. the definition of the function is +before its first use. + +Signed-off-by: Jiri Slaby +Link: https://lore.kernel.org/r/20210302062214.29627-39-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/synclink_gt.c | 57 +-------------------------------------- + 1 file changed, 1 insertion(+), 56 deletions(-) + +diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c +index afa4cc52e48d..d728876b43c4 100644 +--- a/drivers/tty/synclink_gt.c ++++ b/drivers/tty/synclink_gt.c +@@ -137,37 +137,14 @@ MODULE_PARM_DESC(maxframe, "Maximum frame size used by device (4096 to 65535)"); + */ + static struct tty_driver *serial_driver; + +-static int open(struct tty_struct *tty, struct file * filp); +-static void close(struct tty_struct *tty, struct file * filp); +-static void hangup(struct tty_struct *tty); +-static void set_termios(struct tty_struct *tty, struct ktermios *old_termios); +- +-static int write(struct tty_struct *tty, const unsigned char *buf, int count); +-static int put_char(struct tty_struct *tty, unsigned char ch); +-static void send_xchar(struct tty_struct *tty, char ch); + static void wait_until_sent(struct tty_struct *tty, int timeout); +-static int write_room(struct tty_struct *tty); +-static void flush_chars(struct tty_struct *tty); + static void flush_buffer(struct tty_struct *tty); +-static void tx_hold(struct tty_struct *tty); + static void tx_release(struct tty_struct *tty); + +-static int ioctl(struct tty_struct *tty, unsigned int cmd, unsigned long arg); +-static int chars_in_buffer(struct tty_struct *tty); +-static void throttle(struct tty_struct * tty); +-static void unthrottle(struct tty_struct * tty); +-static int set_break(struct tty_struct *tty, int break_state); +- + /* +- * generic HDLC support and callbacks ++ * generic HDLC support + */ +-#if SYNCLINK_GENERIC_HDLC + #define dev_to_port(D) (dev_to_hdlc(D)->priv) +-static void hdlcdev_tx_done(struct slgt_info *info); +-static void hdlcdev_rx(struct slgt_info *info, char *buf, int size); +-static int hdlcdev_init(struct slgt_info *info); +-static void hdlcdev_exit(struct slgt_info *info); +-#endif + + + /* +@@ -186,9 +163,6 @@ struct cond_wait { + wait_queue_entry_t wait; + unsigned int data; + }; +-static void init_cond_wait(struct cond_wait *w, unsigned int data); +-static void add_cond_wait(struct cond_wait **head, struct cond_wait *w); +-static void remove_cond_wait(struct cond_wait **head, struct cond_wait *w); + static void flush_cond_wait(struct cond_wait **head); + + /* +@@ -443,12 +417,8 @@ static void shutdown(struct slgt_info *info); + static void program_hw(struct slgt_info *info); + static void change_params(struct slgt_info *info); + +-static int register_test(struct slgt_info *info); +-static int irq_test(struct slgt_info *info); +-static int loopback_test(struct slgt_info *info); + static int adapter_test(struct slgt_info *info); + +-static void reset_adapter(struct slgt_info *info); + static void reset_port(struct slgt_info *info); + static void async_mode(struct slgt_info *info); + static void sync_mode(struct slgt_info *info); +@@ -457,14 +427,12 @@ static void rx_stop(struct slgt_info *info); + static void rx_start(struct slgt_info *info); + static void reset_rbufs(struct slgt_info *info); + static void free_rbufs(struct slgt_info *info, unsigned int first, unsigned int last); +-static void rdma_reset(struct slgt_info *info); + static bool rx_get_frame(struct slgt_info *info); + static bool rx_get_buf(struct slgt_info *info); + + static void tx_start(struct slgt_info *info); + static void tx_stop(struct slgt_info *info); + static void tx_set_idle(struct slgt_info *info); +-static unsigned int free_tbuf_count(struct slgt_info *info); + static unsigned int tbuf_bytes(struct slgt_info *info); + static void reset_tbufs(struct slgt_info *info); + static void tdma_reset(struct slgt_info *info); +@@ -472,26 +440,10 @@ static bool tx_load(struct slgt_info *info, const char *buf, unsigned int count) + + static void get_signals(struct slgt_info *info); + static void set_signals(struct slgt_info *info); +-static void enable_loopback(struct slgt_info *info); + static void set_rate(struct slgt_info *info, u32 data_rate); + +-static int bh_action(struct slgt_info *info); +-static void bh_handler(struct work_struct *work); + static void bh_transmit(struct slgt_info *info); +-static void isr_serial(struct slgt_info *info); +-static void isr_rdma(struct slgt_info *info); + static void isr_txeom(struct slgt_info *info, unsigned short status); +-static void isr_tdma(struct slgt_info *info); +- +-static int alloc_dma_bufs(struct slgt_info *info); +-static void free_dma_bufs(struct slgt_info *info); +-static int alloc_desc(struct slgt_info *info); +-static void free_desc(struct slgt_info *info); +-static int alloc_bufs(struct slgt_info *info, struct slgt_desc *bufs, int count); +-static void free_bufs(struct slgt_info *info, struct slgt_desc *bufs, int count); +- +-static int alloc_tmp_rbuf(struct slgt_info *info); +-static void free_tmp_rbuf(struct slgt_info *info); + + static void tx_timeout(struct timer_list *t); + static void rx_timeout(struct timer_list *t); +@@ -509,10 +461,6 @@ static int tx_abort(struct slgt_info *info); + static int rx_enable(struct slgt_info *info, int enable); + static int modem_input_wait(struct slgt_info *info,int arg); + static int wait_mgsl_event(struct slgt_info *info, int __user *mask_ptr); +-static int tiocmget(struct tty_struct *tty); +-static int tiocmset(struct tty_struct *tty, +- unsigned int set, unsigned int clear); +-static int set_break(struct tty_struct *tty, int break_state); + static int get_interface(struct slgt_info *info, int __user *if_mode); + static int set_interface(struct slgt_info *info, int if_mode); + static int set_gpio(struct slgt_info *info, struct gpio_desc __user *gpio); +@@ -526,9 +474,6 @@ static int set_xctrl(struct slgt_info *info, int if_mode); + /* + * driver functions + */ +-static void add_device(struct slgt_info *info); +-static void device_init(int adapter_num, struct pci_dev *pdev); +-static int claim_resources(struct slgt_info *info); + static void release_resources(struct slgt_info *info); + + /* +-- +2.33.0 + diff --git a/queue-5.10/tty-synclink_gt-rename-a-conflicting-function-name.patch b/queue-5.10/tty-synclink_gt-rename-a-conflicting-function-name.patch new file mode 100644 index 00000000000..0a1ec116094 --- /dev/null +++ b/queue-5.10/tty-synclink_gt-rename-a-conflicting-function-name.patch @@ -0,0 +1,235 @@ +From 424705cc06e6fbd80050bfb1976028846a299f1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 17:38:06 -0700 +Subject: tty: synclink_gt: rename a conflicting function name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit 06e49073dfba24df4b1073a068631b13a0039c34 ] + +'set_signals()' in synclink_gt.c conflicts with an exported symbol +in arch/um/, so change set_signals() to set_gtsignals(). Keep +the function names similar by also changing get_signals() to +get_gtsignals(). + +../drivers/tty/synclink_gt.c:442:13: error: conflicting types for ‘set_signals’ + static void set_signals(struct slgt_info *info); + ^~~~~~~~~~~ +In file included from ../include/linux/irqflags.h:16:0, + from ../include/linux/spinlock.h:58, + from ../include/linux/mm_types.h:9, + from ../include/linux/buildid.h:5, + from ../include/linux/module.h:14, + from ../drivers/tty/synclink_gt.c:46: +../arch/um/include/asm/irqflags.h:6:5: note: previous declaration of ‘set_signals’ was here + int set_signals(int enable); + ^~~~~~~~~~~ + +Fixes: 705b6c7b34f2 ("[PATCH] new driver synclink_gt") +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: Paul Fulghum +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20210902003806.17054-1-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/synclink_gt.c | 44 +++++++++++++++++++-------------------- + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c +index d728876b43c4..1a0c7beec101 100644 +--- a/drivers/tty/synclink_gt.c ++++ b/drivers/tty/synclink_gt.c +@@ -438,8 +438,8 @@ static void reset_tbufs(struct slgt_info *info); + static void tdma_reset(struct slgt_info *info); + static bool tx_load(struct slgt_info *info, const char *buf, unsigned int count); + +-static void get_signals(struct slgt_info *info); +-static void set_signals(struct slgt_info *info); ++static void get_gtsignals(struct slgt_info *info); ++static void set_gtsignals(struct slgt_info *info); + static void set_rate(struct slgt_info *info, u32 data_rate); + + static void bh_transmit(struct slgt_info *info); +@@ -721,7 +721,7 @@ static void set_termios(struct tty_struct *tty, struct ktermios *old_termios) + if ((old_termios->c_cflag & CBAUD) && !C_BAUD(tty)) { + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +@@ -731,7 +731,7 @@ static void set_termios(struct tty_struct *tty, struct ktermios *old_termios) + if (!C_CRTSCTS(tty) || !tty_throttled(tty)) + info->signals |= SerialSignal_RTS; + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +@@ -1182,7 +1182,7 @@ static inline void line_info(struct seq_file *m, struct slgt_info *info) + + /* output current serial signal states */ + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + + stat_buf[0] = 0; +@@ -1282,7 +1282,7 @@ static void throttle(struct tty_struct * tty) + if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->signals &= ~SerialSignal_RTS; +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -1307,7 +1307,7 @@ static void unthrottle(struct tty_struct * tty) + if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->signals |= SerialSignal_RTS; +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -1478,7 +1478,7 @@ static int hdlcdev_open(struct net_device *dev) + + /* inform generic HDLC layer of current DCD status */ + spin_lock_irqsave(&info->lock, flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock, flags); + if (info->signals & SerialSignal_DCD) + netif_carrier_on(dev); +@@ -2232,7 +2232,7 @@ static void isr_txeom(struct slgt_info *info, unsigned short status) + if (info->params.mode != MGSL_MODE_ASYNC && info->drop_rts_on_tx_done) { + info->signals &= ~SerialSignal_RTS; + info->drop_rts_on_tx_done = false; +- set_signals(info); ++ set_gtsignals(info); + } + + #if SYNCLINK_GENERIC_HDLC +@@ -2397,7 +2397,7 @@ static void shutdown(struct slgt_info *info) + + if (!info->port.tty || info->port.tty->termios.c_cflag & HUPCL) { + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_gtsignals(info); + } + + flush_cond_wait(&info->gpio_wait_q); +@@ -2425,7 +2425,7 @@ static void program_hw(struct slgt_info *info) + else + async_mode(info); + +- set_signals(info); ++ set_gtsignals(info); + + info->dcd_chkcount = 0; + info->cts_chkcount = 0; +@@ -2433,7 +2433,7 @@ static void program_hw(struct slgt_info *info) + info->dsr_chkcount = 0; + + slgt_irq_on(info, IRQ_DCD | IRQ_CTS | IRQ_DSR | IRQ_RI); +- get_signals(info); ++ get_gtsignals(info); + + if (info->netcount || + (info->port.tty && info->port.tty->termios.c_cflag & CREAD)) +@@ -2677,7 +2677,7 @@ static int wait_mgsl_event(struct slgt_info *info, int __user *mask_ptr) + spin_lock_irqsave(&info->lock,flags); + + /* return immediately if state matches requested events */ +- get_signals(info); ++ get_gtsignals(info); + s = info->signals; + + events = mask & +@@ -3095,7 +3095,7 @@ static int tiocmget(struct tty_struct *tty) + unsigned long flags; + + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + + result = ((info->signals & SerialSignal_RTS) ? TIOCM_RTS:0) + +@@ -3134,7 +3134,7 @@ static int tiocmset(struct tty_struct *tty, + info->signals &= ~SerialSignal_DTR; + + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + return 0; + } +@@ -3145,7 +3145,7 @@ static int carrier_raised(struct tty_port *port) + struct slgt_info *info = container_of(port, struct slgt_info, port); + + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + return (info->signals & SerialSignal_DCD) ? 1 : 0; + } +@@ -3160,7 +3160,7 @@ static void dtr_rts(struct tty_port *port, int on) + info->signals |= SerialSignal_RTS | SerialSignal_DTR; + else + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +@@ -3963,10 +3963,10 @@ static void tx_start(struct slgt_info *info) + + if (info->params.mode != MGSL_MODE_ASYNC) { + if (info->params.flags & HDLC_FLAG_AUTO_RTS) { +- get_signals(info); ++ get_gtsignals(info); + if (!(info->signals & SerialSignal_RTS)) { + info->signals |= SerialSignal_RTS; +- set_signals(info); ++ set_gtsignals(info); + info->drop_rts_on_tx_done = true; + } + } +@@ -4020,7 +4020,7 @@ static void reset_port(struct slgt_info *info) + rx_stop(info); + + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_gtsignals(info); + + slgt_irq_off(info, IRQ_ALL | IRQ_MASTER); + } +@@ -4442,7 +4442,7 @@ static void tx_set_idle(struct slgt_info *info) + /* + * get state of V24 status (input) signals + */ +-static void get_signals(struct slgt_info *info) ++static void get_gtsignals(struct slgt_info *info) + { + unsigned short status = rd_reg16(info, SSR); + +@@ -4504,7 +4504,7 @@ static void msc_set_vcr(struct slgt_info *info) + /* + * set state of V24 control (output) signals + */ +-static void set_signals(struct slgt_info *info) ++static void set_gtsignals(struct slgt_info *info) + { + unsigned char val = rd_reg8(info, VCR); + if (info->signals & SerialSignal_DTR) +-- +2.33.0 + diff --git a/queue-5.10/x86-asm-add-a-missing-__iomem-annotation-in-enqcmds.patch b/queue-5.10/x86-asm-add-a-missing-__iomem-annotation-in-enqcmds.patch new file mode 100644 index 00000000000..7ee885755bf --- /dev/null +++ b/queue-5.10/x86-asm-add-a-missing-__iomem-annotation-in-enqcmds.patch @@ -0,0 +1,58 @@ +From 04532bb66afa297df6e0eff0403a66d84842abb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jan 2021 09:45:21 -0700 +Subject: x86/asm: Add a missing __iomem annotation in enqcmds() + +From: Dave Jiang + +[ Upstream commit 5c99720b28381bb400d4f546734c34ddaf608761 ] + +Add a missing __iomem annotation to address a sparse warning. The caller +is expected to pass an __iomem annotated pointer to this function. The +current usages send a 64-bytes command descriptor to an MMIO location +(portal) on a device for consumption. + +Also, from the comment in movdir64b(), which also applies to enqcmds(), +@__dst must be supplied as an lvalue because this tells the compiler +what the object is (its size) the instruction accesses. I.e., not the +pointers but what they point to, thus the deref'ing '*'." + +The actual sparse warning is: + + drivers/dma/idxd/submit.c: note: in included file (through arch/x86/include/asm/processor.h, \ + arch/x86/include/asm/timex.h, include/linux/timex.h, include/linux/time32.h, \ + include/linux/time.h, include/linux/stat.h, ...): + ./arch/x86/include/asm/special_insns.h:289:41: warning: incorrect type in initializer (different address spaces) + ./arch/x86/include/asm/special_insns.h:289:41: expected struct *__dst + ./arch/x86/include/asm/special_insns.h:289:41: got void [noderef] __iomem *dst + + [ bp: Massage commit message. ] + +Fixes: 7f5933f81bd8 ("x86/asm: Add an enqcmds() wrapper for the ENQCMDS instruction") +Reported-by: kernel test robot +Signed-off-by: Dave Jiang +Signed-off-by: Borislav Petkov +Reviewed-by: Ben Widawsky +Reviewed-by: Dan Williams +Link: https://lkml.kernel.org/r/161003789741.4062451.14362269365703761223.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/special_insns.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/special_insns.h b/arch/x86/include/asm/special_insns.h +index cc177b4431ae..0cf19684dd20 100644 +--- a/arch/x86/include/asm/special_insns.h ++++ b/arch/x86/include/asm/special_insns.h +@@ -286,7 +286,7 @@ static inline void movdir64b(void *dst, const void *src) + static inline int enqcmds(void __iomem *dst, const void *src) + { + const struct { char _[64]; } *__src = src; +- struct { char _[64]; } *__dst = dst; ++ struct { char _[64]; } __iomem *__dst = dst; + int zf; + + /* +-- +2.33.0 + diff --git a/queue-5.10/x86-asm-fix-setz-size-enqcmds-build-failure.patch b/queue-5.10/x86-asm-fix-setz-size-enqcmds-build-failure.patch new file mode 100644 index 00000000000..f362eddcd62 --- /dev/null +++ b/queue-5.10/x86-asm-fix-setz-size-enqcmds-build-failure.patch @@ -0,0 +1,43 @@ +From d523d3959b31ca5bf0b9f985a47c398f613a28e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Sep 2021 15:33:32 -0700 +Subject: x86/asm: Fix SETZ size enqcmds() build failure + +From: Kees Cook + +[ Upstream commit d81ff5fe14a950f53e2833cfa196e7bb3fd5d4e3 ] + +When building under GCC 4.9 and 5.5: + + arch/x86/include/asm/special_insns.h: Assembler messages: + arch/x86/include/asm/special_insns.h:286: Error: operand size mismatch for `setz' + +Change the type to "bool" for condition code arguments, as documented. + +Fixes: 7f5933f81bd8 ("x86/asm: Add an enqcmds() wrapper for the ENQCMDS instruction") +Co-developed-by: Arnd Bergmann +Signed-off-by: Arnd Bergmann +Signed-off-by: Kees Cook +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20210910223332.3224851-1-keescook@chromium.org +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/special_insns.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/special_insns.h b/arch/x86/include/asm/special_insns.h +index 0cf19684dd20..415693f5d909 100644 +--- a/arch/x86/include/asm/special_insns.h ++++ b/arch/x86/include/asm/special_insns.h +@@ -287,7 +287,7 @@ static inline int enqcmds(void __iomem *dst, const void *src) + { + const struct { char _[64]; } *__src = src; + struct { char _[64]; } __iomem *__dst = dst; +- int zf; ++ bool zf; + + /* + * ENQCMDS %(rdx), rax +-- +2.33.0 + diff --git a/queue-5.10/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch b/queue-5.10/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch new file mode 100644 index 00000000000..b09e4f25c1f --- /dev/null +++ b/queue-5.10/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch @@ -0,0 +1,195 @@ +From 2cc58dbb2e312a3ac4f56d79ca458c0cef842077 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Aug 2021 14:32:06 +0200 +Subject: xen/balloon: use a kernel thread instead a workqueue + +From: Juergen Gross + +[ Upstream commit 8480ed9c2bbd56fc86524998e5f2e3e22f5038f6 ] + +Today the Xen ballooning is done via delayed work in a workqueue. This +might result in workqueue hangups being reported in case of large +amounts of memory are being ballooned in one go (here 16GB): + +BUG: workqueue lockup - pool cpus=6 node=0 flags=0x0 nice=0 stuck for 64s! +Showing busy workqueues and worker pools: +workqueue events: flags=0x0 + pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=2/256 refcnt=3 + in-flight: 229:balloon_process + pending: cache_reap +workqueue events_freezable_power_: flags=0x84 + pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2 + pending: disk_events_workfn +workqueue mm_percpu_wq: flags=0x8 + pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2 + pending: vmstat_update +pool 12: cpus=6 node=0 flags=0x0 nice=0 hung=64s workers=3 idle: 2222 43 + +This can easily be avoided by using a dedicated kernel thread for doing +the ballooning work. + +Reported-by: Jan Beulich +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Link: https://lore.kernel.org/r/20210827123206.15429-1-jgross@suse.com +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/balloon.c | 62 +++++++++++++++++++++++++++++++------------ + 1 file changed, 45 insertions(+), 17 deletions(-) + +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index b57b2067ecbf..65fcbc1e076e 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -43,6 +43,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -115,7 +117,7 @@ static struct ctl_table xen_root[] = { + #define EXTENT_ORDER (fls(XEN_PFN_PER_PAGE) - 1) + + /* +- * balloon_process() state: ++ * balloon_thread() state: + * + * BP_DONE: done or nothing to do, + * BP_WAIT: wait to be rescheduled, +@@ -130,6 +132,8 @@ enum bp_state { + BP_ECANCELED + }; + ++/* Main waiting point for xen-balloon thread. */ ++static DECLARE_WAIT_QUEUE_HEAD(balloon_thread_wq); + + static DEFINE_MUTEX(balloon_mutex); + +@@ -144,10 +148,6 @@ static xen_pfn_t frame_list[PAGE_SIZE / sizeof(xen_pfn_t)]; + static LIST_HEAD(ballooned_pages); + static DECLARE_WAIT_QUEUE_HEAD(balloon_wq); + +-/* Main work function, always executed in process context. */ +-static void balloon_process(struct work_struct *work); +-static DECLARE_DELAYED_WORK(balloon_worker, balloon_process); +- + /* When ballooning out (allocating memory to return to Xen) we don't really + want the kernel to try too hard since that can trigger the oom killer. */ + #define GFP_BALLOON \ +@@ -366,7 +366,7 @@ static void xen_online_page(struct page *page, unsigned int order) + static int xen_memory_notifier(struct notifier_block *nb, unsigned long val, void *v) + { + if (val == MEM_ONLINE) +- schedule_delayed_work(&balloon_worker, 0); ++ wake_up(&balloon_thread_wq); + + return NOTIFY_OK; + } +@@ -491,18 +491,43 @@ static enum bp_state decrease_reservation(unsigned long nr_pages, gfp_t gfp) + } + + /* +- * As this is a work item it is guaranteed to run as a single instance only. ++ * Stop waiting if either state is not BP_EAGAIN and ballooning action is ++ * needed, or if the credit has changed while state is BP_EAGAIN. ++ */ ++static bool balloon_thread_cond(enum bp_state state, long credit) ++{ ++ if (state != BP_EAGAIN) ++ credit = 0; ++ ++ return current_credit() != credit || kthread_should_stop(); ++} ++ ++/* ++ * As this is a kthread it is guaranteed to run as a single instance only. + * We may of course race updates of the target counts (which are protected + * by the balloon lock), or with changes to the Xen hard limit, but we will + * recover from these in time. + */ +-static void balloon_process(struct work_struct *work) ++static int balloon_thread(void *unused) + { + enum bp_state state = BP_DONE; + long credit; ++ unsigned long timeout; ++ ++ set_freezable(); ++ for (;;) { ++ if (state == BP_EAGAIN) ++ timeout = balloon_stats.schedule_delay * HZ; ++ else ++ timeout = 3600 * HZ; ++ credit = current_credit(); + ++ wait_event_interruptible_timeout(balloon_thread_wq, ++ balloon_thread_cond(state, credit), timeout); ++ ++ if (kthread_should_stop()) ++ return 0; + +- do { + mutex_lock(&balloon_mutex); + + credit = current_credit(); +@@ -529,12 +554,7 @@ static void balloon_process(struct work_struct *work) + mutex_unlock(&balloon_mutex); + + cond_resched(); +- +- } while (credit && state == BP_DONE); +- +- /* Schedule more work if there is some still to be done. */ +- if (state == BP_EAGAIN) +- schedule_delayed_work(&balloon_worker, balloon_stats.schedule_delay * HZ); ++ } + } + + /* Resets the Xen limit, sets new target, and kicks off processing. */ +@@ -542,7 +562,7 @@ void balloon_set_new_target(unsigned long target) + { + /* No need for lock. Not read-modify-write updates. */ + balloon_stats.target_pages = target; +- schedule_delayed_work(&balloon_worker, 0); ++ wake_up(&balloon_thread_wq); + } + EXPORT_SYMBOL_GPL(balloon_set_new_target); + +@@ -647,7 +667,7 @@ void free_xenballooned_pages(int nr_pages, struct page **pages) + + /* The balloon may be too large now. Shrink it if needed. */ + if (current_credit()) +- schedule_delayed_work(&balloon_worker, 0); ++ wake_up(&balloon_thread_wq); + + mutex_unlock(&balloon_mutex); + } +@@ -679,6 +699,8 @@ static void __init balloon_add_region(unsigned long start_pfn, + + static int __init balloon_init(void) + { ++ struct task_struct *task; ++ + if (!xen_domain()) + return -ENODEV; + +@@ -722,6 +744,12 @@ static int __init balloon_init(void) + } + #endif + ++ task = kthread_run(balloon_thread, NULL, "xen-balloon"); ++ if (IS_ERR(task)) { ++ pr_err("xen-balloon thread could not be started, ballooning will not work!\n"); ++ return PTR_ERR(task); ++ } ++ + /* Init the xen-balloon driver. */ + xen_balloon_init(); + +-- +2.33.0 +