From: Sasha Levin Date: Sat, 15 May 2021 02:13:36 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v5.4.120~91 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1cc450cd199d056b7b9c00cc0a22cfa464da540d;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/alsa-bebob-enable-to-deliver-midi-messages-for-multi.patch b/queue-5.10/alsa-bebob-enable-to-deliver-midi-messages-for-multi.patch new file mode 100644 index 00000000000..d2630b144de --- /dev/null +++ b/queue-5.10/alsa-bebob-enable-to-deliver-midi-messages-for-multi.patch @@ -0,0 +1,58 @@ +From f74df78c81a76cff298699803c0b5ade1bcfdf47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 12:28:31 +0900 +Subject: ALSA: bebob: enable to deliver MIDI messages for multiple ports + +From: Takashi Sakamoto + +[ Upstream commit d2b6f15bc18ac8fbce25398290774c21f5b2cd44 ] + +Current implementation of bebob driver doesn't correctly handle the case +that the device has multiple MIDI ports. The cause is the number of MIDI +conformant data channels is passed to AM824 data block processing layer. + +This commit fixes the bug. + +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20210321032831.340278-4-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/bebob/bebob_stream.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/sound/firewire/bebob/bebob_stream.c b/sound/firewire/bebob/bebob_stream.c +index bbae04793c50..c18017e0a3d9 100644 +--- a/sound/firewire/bebob/bebob_stream.c ++++ b/sound/firewire/bebob/bebob_stream.c +@@ -517,20 +517,22 @@ int snd_bebob_stream_init_duplex(struct snd_bebob *bebob) + static int keep_resources(struct snd_bebob *bebob, struct amdtp_stream *stream, + unsigned int rate, unsigned int index) + { +- struct snd_bebob_stream_formation *formation; ++ unsigned int pcm_channels; ++ unsigned int midi_ports; + struct cmp_connection *conn; + int err; + + if (stream == &bebob->tx_stream) { +- formation = bebob->tx_stream_formations + index; ++ pcm_channels = bebob->tx_stream_formations[index].pcm; ++ midi_ports = bebob->midi_input_ports; + conn = &bebob->out_conn; + } else { +- formation = bebob->rx_stream_formations + index; ++ pcm_channels = bebob->rx_stream_formations[index].pcm; ++ midi_ports = bebob->midi_output_ports; + conn = &bebob->in_conn; + } + +- err = amdtp_am824_set_parameters(stream, rate, formation->pcm, +- formation->midi, false); ++ err = amdtp_am824_set_parameters(stream, rate, pcm_channels, midi_ports, false); + if (err < 0) + return err; + +-- +2.30.2 + diff --git a/queue-5.10/alsa-hda-hdmi-fix-race-in-handling-acomp-eld-notific.patch b/queue-5.10/alsa-hda-hdmi-fix-race-in-handling-acomp-eld-notific.patch new file mode 100644 index 00000000000..378007db78e --- /dev/null +++ b/queue-5.10/alsa-hda-hdmi-fix-race-in-handling-acomp-eld-notific.patch @@ -0,0 +1,66 @@ +From 05664bd544c088db3d1c2edafd41614ee23d40d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Apr 2021 16:11:57 +0300 +Subject: ALSA: hda/hdmi: fix race in handling acomp ELD notification at resume + +From: Kai Vehmanen + +[ Upstream commit 0c37e2eb6b83e375e8a654d01598292d5591fc65 ] + +When snd-hda-codec-hdmi is used with ASoC HDA controller like SOF (acomp +used for ELD notifications), display connection change done during suspend, +can be lost due to following sequence of events: + + 1. system in S3 suspend + 2. DP/HDMI receiver connected + 3. system resumed + 4. HDA controller resumed, but card->deferred_resume_work not complete + 5. acomp eld_notify callback + 6. eld_notify ignored as power state is not CTL_POWER_D0 + 7. HDA resume deferred work completed, power state set to CTL_POWER_D0 + +This results in losing the notification, and the jack state reported to +user-space is not correct. + +The check on step 6 was added in commit 8ae743e82f0b ("ALSA: hda - Skip +ELD notification during system suspend"). It would seem with the deferred +resume logic in ASoC core, this check is not safe. + +Fix the issue by modifying the check to use "dev.power.power_state.event" +instead of ALSA specific card power state variable. + +BugLink: https://github.com/thesofproject/linux/issues/2825 +Suggested-by: Takashi Iwai +Signed-off-by: Kai Vehmanen +Link: https://lore.kernel.org/r/20210416131157.1881366-1-kai.vehmanen@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_hdmi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 8c6f10cbced3..6d2a4dfcfe43 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -2653,7 +2653,7 @@ static void generic_acomp_pin_eld_notify(void *audio_ptr, int port, int dev_id) + /* skip notification during system suspend (but not in runtime PM); + * the state will be updated at resume + */ +- if (snd_power_get_state(codec->card) != SNDRV_CTL_POWER_D0) ++ if (codec->core.dev.power.power_state.event == PM_EVENT_SUSPEND) + return; + /* ditto during suspend/resume process itself */ + if (snd_hdac_is_in_pm(&codec->core)) +@@ -2839,7 +2839,7 @@ static void intel_pin_eld_notify(void *audio_ptr, int port, int pipe) + /* skip notification during system suspend (but not in runtime PM); + * the state will be updated at resume + */ +- if (snd_power_get_state(codec->card) != SNDRV_CTL_POWER_D0) ++ if (codec->core.dev.power.power_state.event == PM_EVENT_SUSPEND) + return; + /* ditto during suspend/resume process itself */ + if (snd_hdac_is_in_pm(&codec->core)) +-- +2.30.2 + diff --git a/queue-5.10/alsa-hda-realtek-add-quirk-for-lenovo-ideapad-s740.patch b/queue-5.10/alsa-hda-realtek-add-quirk-for-lenovo-ideapad-s740.patch new file mode 100644 index 00000000000..1caab1a0849 --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-add-quirk-for-lenovo-ideapad-s740.patch @@ -0,0 +1,569 @@ +From a6e91ea7ce6f4b07fe52cc613b08b8fb9ed6b212 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Apr 2021 10:12:11 +0200 +Subject: ALSA: hda/realtek: Add quirk for Lenovo Ideapad S740 + +From: Takashi Iwai + +[ Upstream commit 26928ca1f06aab4361eb5adbe7ef3b5c82f13cf2 ] + +Lenovo Ideapad S740 requires quite a few COEF setups to make its +speakers working. The verb table was provided from Ryan Prescott as +the result of investigation via qemu: + https://github.com/ryanprescott/realtek-verb-tools/wiki/How-to-sniff-verbs-from-a-Windows-sound-driver + +BugLink: https://github.com/thesofproject/linux/issues/2748 +Tested-by: Ryan Prescott +Link: https://lore.kernel.org/r/20210416081211.20059-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/ideapad_s740_helper.c | 492 ++++++++++++++++++++++++++++ + sound/pci/hda/patch_realtek.c | 11 + + 2 files changed, 503 insertions(+) + create mode 100644 sound/pci/hda/ideapad_s740_helper.c + +diff --git a/sound/pci/hda/ideapad_s740_helper.c b/sound/pci/hda/ideapad_s740_helper.c +new file mode 100644 +index 000000000000..564b9086e52d +--- /dev/null ++++ b/sound/pci/hda/ideapad_s740_helper.c +@@ -0,0 +1,492 @@ ++// SPDX-License-Identifier: GPL-2.0 ++/* Fixes for Lenovo Ideapad S740, to be included from codec driver */ ++ ++static const struct hda_verb alc285_ideapad_s740_coefs[] = { ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x10 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0320 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x24 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0041 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x24 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0041 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x007f }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x007f }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x003c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0011 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x003c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0011 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x000c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001a }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x000c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001a }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x000f }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0042 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x000f }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0042 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0010 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0040 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0010 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0040 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0003 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0009 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0003 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0009 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x004c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x004c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001d }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x004e }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001d }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x004e }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001b }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001b }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0019 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0025 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0019 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0025 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0018 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0037 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0018 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0037 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001a }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0040 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001a }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0040 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0016 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0076 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0016 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0076 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0017 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0010 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0017 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0010 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0015 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0015 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0015 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0015 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0007 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0086 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0007 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0086 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0002 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0002 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0002 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0002 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x24 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0042 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x24 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0042 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x007f }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x007f }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x003c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0011 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x003c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0011 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x000c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x002a }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x000c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x002a }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x000f }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0046 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x000f }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0046 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0010 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0044 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0010 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0044 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0003 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0009 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0003 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0009 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x004c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x004c }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001b }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001b }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0019 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0025 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0019 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0025 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0018 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0037 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0018 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0037 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001a }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0040 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x001a }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0040 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0016 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0076 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0016 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0076 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0017 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0010 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0017 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0010 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0015 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0015 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0015 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0015 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0007 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0086 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0007 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0086 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0002 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0002 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0001 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x29 }, ++{ 0x20, AC_VERB_SET_COEF_INDEX, 0x26 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0002 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0x0000 }, ++{ 0x20, AC_VERB_SET_PROC_COEF, 0xb020 }, ++{} ++}; ++ ++static void alc285_fixup_ideapad_s740_coef(struct hda_codec *codec, ++ const struct hda_fixup *fix, ++ int action) ++{ ++ switch (action) { ++ case HDA_FIXUP_ACT_PRE_PROBE: ++ snd_hda_add_verbs(codec, alc285_ideapad_s740_coefs); ++ break; ++ } ++} +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 8ec57bd351df..1fe70f2fe4fe 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6282,6 +6282,9 @@ static void alc_fixup_thinkpad_acpi(struct hda_codec *codec, + /* for alc295_fixup_hp_top_speakers */ + #include "hp_x360_helper.c" + ++/* for alc285_fixup_ideapad_s740_coef() */ ++#include "ideapad_s740_helper.c" ++ + enum { + ALC269_FIXUP_GPIO2, + ALC269_FIXUP_SONY_VAIO, +@@ -6481,6 +6484,7 @@ enum { + ALC282_FIXUP_ACER_DISABLE_LINEOUT, + ALC255_FIXUP_ACER_LIMIT_INT_MIC_BOOST, + ALC256_FIXUP_ACER_HEADSET_MIC, ++ ALC285_FIXUP_IDEAPAD_S740_COEF, + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -7973,6 +7977,12 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC + }, ++ [ALC285_FIXUP_IDEAPAD_S740_COEF] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_ideapad_s740_coef, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_THINKPAD_ACPI, ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -8320,6 +8330,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x3176, "ThinkCentre Station", ALC283_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x17aa, 0x3178, "ThinkCentre Station", ALC283_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x17aa, 0x3818, "Lenovo C940", ALC298_FIXUP_LENOVO_SPK_VOLUME), ++ SND_PCI_QUIRK(0x17aa, 0x3827, "Ideapad S740", ALC285_FIXUP_IDEAPAD_S740_COEF), + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), + SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI), +-- +2.30.2 + diff --git a/queue-5.10/alsa-hdsp-don-t-disable-if-not-enabled.patch b/queue-5.10/alsa-hdsp-don-t-disable-if-not-enabled.patch new file mode 100644 index 00000000000..f4c8c2135b8 --- /dev/null +++ b/queue-5.10/alsa-hdsp-don-t-disable-if-not-enabled.patch @@ -0,0 +1,49 @@ +From 59e1582b32f077d962985cba38fa5cd2a771c49a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 11:38:38 -0400 +Subject: ALSA: hdsp: don't disable if not enabled + +From: Tong Zhang + +[ Upstream commit 507cdb9adba006a7798c358456426e1aea3d9c4f ] + +hdsp wants to disable a not enabled pci device, which makes kernel +throw a warning. Make sure the device is enabled before calling disable. + +[ 1.758292] snd_hdsp 0000:00:03.0: disabling already-disabled device +[ 1.758327] WARNING: CPU: 0 PID: 180 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0 +[ 1.766985] Call Trace: +[ 1.767121] snd_hdsp_card_free+0x94/0xf0 [snd_hdsp] +[ 1.767388] release_card_device+0x4b/0x80 [snd] +[ 1.767639] device_release+0x3b/0xa0 +[ 1.767838] kobject_put+0x94/0x1b0 +[ 1.768027] put_device+0x13/0x20 +[ 1.768207] snd_card_free+0x61/0x90 [snd] +[ 1.768430] snd_hdsp_probe+0x524/0x5e0 [snd_hdsp] + +Suggested-by: Takashi Iwai +Signed-off-by: Tong Zhang +Link: https://lore.kernel.org/r/20210321153840.378226-2-ztong0001@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/rme9652/hdsp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c +index cea53a878c36..4aee30db034d 100644 +--- a/sound/pci/rme9652/hdsp.c ++++ b/sound/pci/rme9652/hdsp.c +@@ -5321,7 +5321,8 @@ static int snd_hdsp_free(struct hdsp *hdsp) + if (hdsp->port) + pci_release_regions(hdsp->pci); + +- pci_disable_device(hdsp->pci); ++ if (pci_is_enabled(hdsp->pci)) ++ pci_disable_device(hdsp->pci); + return 0; + } + +-- +2.30.2 + diff --git a/queue-5.10/alsa-hdspm-don-t-disable-if-not-enabled.patch b/queue-5.10/alsa-hdspm-don-t-disable-if-not-enabled.patch new file mode 100644 index 00000000000..d327928cf5c --- /dev/null +++ b/queue-5.10/alsa-hdspm-don-t-disable-if-not-enabled.patch @@ -0,0 +1,49 @@ +From b88dab9dd55436a136c724cee5442f9da30339de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 11:38:39 -0400 +Subject: ALSA: hdspm: don't disable if not enabled + +From: Tong Zhang + +[ Upstream commit 790f5719b85e12e10c41753b864e74249585ed08 ] + +hdspm wants to disable a not enabled pci device, which makes kernel +throw a warning. Make sure the device is enabled before calling disable. + +[ 1.786391] snd_hdspm 0000:00:03.0: disabling already-disabled device +[ 1.786400] WARNING: CPU: 0 PID: 182 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0 +[ 1.795181] Call Trace: +[ 1.795320] snd_hdspm_card_free+0x58/0xa0 [snd_hdspm] +[ 1.795595] release_card_device+0x4b/0x80 [snd] +[ 1.795860] device_release+0x3b/0xa0 +[ 1.796072] kobject_put+0x94/0x1b0 +[ 1.796260] put_device+0x13/0x20 +[ 1.796438] snd_card_free+0x61/0x90 [snd] +[ 1.796659] snd_hdspm_probe+0x97b/0x1440 [snd_hdspm] + +Suggested-by: Takashi Iwai +Signed-off-by: Tong Zhang +Link: https://lore.kernel.org/r/20210321153840.378226-3-ztong0001@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/rme9652/hdspm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c +index 4a1f576dd9cf..51c3c6a08a1c 100644 +--- a/sound/pci/rme9652/hdspm.c ++++ b/sound/pci/rme9652/hdspm.c +@@ -6891,7 +6891,8 @@ static int snd_hdspm_free(struct hdspm * hdspm) + if (hdspm->port) + pci_release_regions(hdspm->pci); + +- pci_disable_device(hdspm->pci); ++ if (pci_is_enabled(hdspm->pci)) ++ pci_disable_device(hdspm->pci); + return 0; + } + +-- +2.30.2 + diff --git a/queue-5.10/alsa-rme9652-don-t-disable-if-not-enabled.patch b/queue-5.10/alsa-rme9652-don-t-disable-if-not-enabled.patch new file mode 100644 index 00000000000..060d957e31d --- /dev/null +++ b/queue-5.10/alsa-rme9652-don-t-disable-if-not-enabled.patch @@ -0,0 +1,49 @@ +From 8c66ac931751aba294f8052f0f703c759dc0b180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 11:38:40 -0400 +Subject: ALSA: rme9652: don't disable if not enabled + +From: Tong Zhang + +[ Upstream commit f57a741874bb6995089020e97a1dcdf9b165dcbe ] + +rme9652 wants to disable a not enabled pci device, which makes kernel +throw a warning. Make sure the device is enabled before calling disable. + +[ 1.751595] snd_rme9652 0000:00:03.0: disabling already-disabled device +[ 1.751605] WARNING: CPU: 0 PID: 174 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0 +[ 1.759968] Call Trace: +[ 1.760145] snd_rme9652_card_free+0x76/0xa0 [snd_rme9652] +[ 1.760434] release_card_device+0x4b/0x80 [snd] +[ 1.760679] device_release+0x3b/0xa0 +[ 1.760874] kobject_put+0x94/0x1b0 +[ 1.761059] put_device+0x13/0x20 +[ 1.761235] snd_card_free+0x61/0x90 [snd] +[ 1.761454] snd_rme9652_probe+0x3be/0x700 [snd_rme9652] + +Suggested-by: Takashi Iwai +Signed-off-by: Tong Zhang +Link: https://lore.kernel.org/r/20210321153840.378226-4-ztong0001@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/rme9652/rme9652.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/rme9652/rme9652.c b/sound/pci/rme9652/rme9652.c +index 7ab10028d9fa..8def24673f35 100644 +--- a/sound/pci/rme9652/rme9652.c ++++ b/sound/pci/rme9652/rme9652.c +@@ -1740,7 +1740,8 @@ static int snd_rme9652_free(struct snd_rme9652 *rme9652) + if (rme9652->port) + pci_release_regions(rme9652->pci); + +- pci_disable_device(rme9652->pci); ++ if (pci_is_enabled(rme9652->pci)) ++ pci_disable_device(rme9652->pci); + return 0; + } + +-- +2.30.2 + diff --git a/queue-5.10/arm-9064-1-hw_breakpoint-do-not-directly-check-the-e.patch b/queue-5.10/arm-9064-1-hw_breakpoint-do-not-directly-check-the-e.patch new file mode 100644 index 00000000000..6733c1f63bb --- /dev/null +++ b/queue-5.10/arm-9064-1-hw_breakpoint-do-not-directly-check-the-e.patch @@ -0,0 +1,48 @@ +From 022476544f9d9b49b485ca06013f4f852fd2fc8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Feb 2021 03:00:05 +0100 +Subject: ARM: 9064/1: hw_breakpoint: Do not directly check the event's + overflow_handler hook + +From: Zhen Lei + +[ Upstream commit a506bd5756290821a4314f502b4bafc2afcf5260 ] + +The commit 1879445dfa7b ("perf/core: Set event's default +::overflow_handler()") set a default event->overflow_handler in +perf_event_alloc(), and replace the check event->overflow_handler with +is_default_overflow_handler(), but one is missing. + +Currently, the bp->overflow_handler can not be NULL. As a result, +enable_single_step() is always not invoked. + +Comments from Zhen Lei: + + https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/ + +Fixes: 1879445dfa7b ("perf/core: Set event's default ::overflow_handler()") +Signed-off-by: Zhen Lei +Cc: Wang Nan +Acked-by: Will Deacon +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/hw_breakpoint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c +index 08660ae9dcbc..b1423fb130ea 100644 +--- a/arch/arm/kernel/hw_breakpoint.c ++++ b/arch/arm/kernel/hw_breakpoint.c +@@ -886,7 +886,7 @@ static void breakpoint_handler(unsigned long unknown, struct pt_regs *regs) + info->trigger = addr; + pr_debug("breakpoint fired: address = 0x%x\n", addr); + perf_bp_event(bp, regs); +- if (!bp->overflow_handler) ++ if (is_default_overflow_handler(bp)) + enable_single_step(bp, addr); + goto unlock; + } +-- +2.30.2 + diff --git a/queue-5.10/arm64-entry-always-set-gic_prio_psr_i_set-during-ent.patch b/queue-5.10/arm64-entry-always-set-gic_prio_psr_i_set-during-ent.patch new file mode 100644 index 00000000000..b36736f8831 --- /dev/null +++ b/queue-5.10/arm64-entry-always-set-gic_prio_psr_i_set-during-ent.patch @@ -0,0 +1,219 @@ +From a44eeaed2155f0430296b8f8c1e48b92f9caca5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Apr 2021 12:15:55 +0100 +Subject: arm64: entry: always set GIC_PRIO_PSR_I_SET during entry + +From: Mark Rutland + +[ Upstream commit 4d6a38da8e79e94cbd1344aa90876f0f805db705 ] + +Zenghui reports that booting a kernel with "irqchip.gicv3_pseudo_nmi=1" +on the command line hits a warning during kernel entry, due to the way +we manipulate the PMR. + +Early in the entry sequence, we call lockdep_hardirqs_off() to inform +lockdep that interrupts have been masked (as the HW sets DAIF wqhen +entering an exception). Architecturally PMR_EL1 is not affected by +exception entry, and we don't set GIC_PRIO_PSR_I_SET in the PMR early in +the exception entry sequence, so early in exception entry the PMR can +indicate that interrupts are unmasked even though they are masked by +DAIF. + +If DEBUG_LOCKDEP is selected, lockdep_hardirqs_off() will check that +interrupts are masked, before we set GIC_PRIO_PSR_I_SET in any of the +exception entry paths, and hence lockdep_hardirqs_off() will WARN() that +something is amiss. + +We can avoid this by consistently setting GIC_PRIO_PSR_I_SET during +exception entry so that kernel code sees a consistent environment. We +must also update local_daif_inherit() to undo this, as currently only +touches DAIF. For other paths, local_daif_restore() will update both +DAIF and the PMR. With this done, we can remove the existing special +cases which set this later in the entry code. + +We always use (GIC_PRIO_IRQON | GIC_PRIO_PSR_I_SET) for consistency with +local_daif_save(), as this will warn if it ever encounters +(GIC_PRIO_IRQOFF | GIC_PRIO_PSR_I_SET), and never sets this itself. This +matches the gic_prio_kentry_setup that we have to retain for +ret_to_user. + +The original splat from Zenghui's report was: + +| DEBUG_LOCKS_WARN_ON(!irqs_disabled()) +| WARNING: CPU: 3 PID: 125 at kernel/locking/lockdep.c:4258 lockdep_hardirqs_off+0xd4/0xe8 +| Modules linked in: +| CPU: 3 PID: 125 Comm: modprobe Tainted: G W 5.12.0-rc8+ #463 +| Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 +| pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO BTYPE=--) +| pc : lockdep_hardirqs_off+0xd4/0xe8 +| lr : lockdep_hardirqs_off+0xd4/0xe8 +| sp : ffff80002a39bad0 +| pmr_save: 000000e0 +| x29: ffff80002a39bad0 x28: ffff0000de214bc0 +| x27: ffff0000de1c0400 x26: 000000000049b328 +| x25: 0000000000406f30 x24: ffff0000de1c00a0 +| x23: 0000000020400005 x22: ffff8000105f747c +| x21: 0000000096000044 x20: 0000000000498ef9 +| x19: ffff80002a39bc88 x18: ffffffffffffffff +| x17: 0000000000000000 x16: ffff800011c61eb0 +| x15: ffff800011700a88 x14: 0720072007200720 +| x13: 0720072007200720 x12: 0720072007200720 +| x11: 0720072007200720 x10: 0720072007200720 +| x9 : ffff80002a39bad0 x8 : ffff80002a39bad0 +| x7 : ffff8000119f0800 x6 : c0000000ffff7fff +| x5 : ffff8000119f07a8 x4 : 0000000000000001 +| x3 : 9bcdab23f2432800 x2 : ffff800011730538 +| x1 : 9bcdab23f2432800 x0 : 0000000000000000 +| Call trace: +| lockdep_hardirqs_off+0xd4/0xe8 +| enter_from_kernel_mode.isra.5+0x7c/0xa8 +| el1_abort+0x24/0x100 +| el1_sync_handler+0x80/0xd0 +| el1_sync+0x6c/0x100 +| __arch_clear_user+0xc/0x90 +| load_elf_binary+0x9fc/0x1450 +| bprm_execve+0x404/0x880 +| kernel_execve+0x180/0x188 +| call_usermodehelper_exec_async+0xdc/0x158 +| ret_from_fork+0x10/0x18 + +Fixes: 23529049c684 ("arm64: entry: fix non-NMI user<->kernel transitions") +Fixes: 7cd1ea1010ac ("arm64: entry: fix non-NMI kernel<->kernel transitions") +Fixes: f0cd5ac1e4c5 ("arm64: entry: fix NMI {user, kernel}->kernel transitions") +Fixes: 2a9b3e6ac69a ("arm64: entry: fix EL1 debug transitions") +Link: https://lore.kernel.org/r/f4012761-026f-4e51-3a0c-7524e434e8b3@huawei.com +Signed-off-by: Mark Rutland +Reported-by: Zenghui Yu +Cc: Marc Zyngier +Cc: Will Deacon +Acked-by: Marc Zyngier +Link: https://lore.kernel.org/r/20210428111555.50880-1-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/daifflags.h | 3 +++ + arch/arm64/kernel/entry-common.c | 17 ----------------- + arch/arm64/kernel/entry.S | 15 ++------------- + 3 files changed, 5 insertions(+), 30 deletions(-) + +diff --git a/arch/arm64/include/asm/daifflags.h b/arch/arm64/include/asm/daifflags.h +index 1c26d7baa67f..cfdde3a56805 100644 +--- a/arch/arm64/include/asm/daifflags.h ++++ b/arch/arm64/include/asm/daifflags.h +@@ -131,6 +131,9 @@ static inline void local_daif_inherit(struct pt_regs *regs) + if (interrupts_enabled(regs)) + trace_hardirqs_on(); + ++ if (system_uses_irq_prio_masking()) ++ gic_write_pmr(regs->pmr_save); ++ + /* + * We can't use local_daif_restore(regs->pstate) here as + * system_has_prio_mask_debugging() won't restore the I bit if it can +diff --git a/arch/arm64/kernel/entry-common.c b/arch/arm64/kernel/entry-common.c +index 70e0a7591245..ec120ed18faf 100644 +--- a/arch/arm64/kernel/entry-common.c ++++ b/arch/arm64/kernel/entry-common.c +@@ -178,14 +178,6 @@ static void noinstr el1_dbg(struct pt_regs *regs, unsigned long esr) + { + unsigned long far = read_sysreg(far_el1); + +- /* +- * The CPU masked interrupts, and we are leaving them masked during +- * do_debug_exception(). Update PMR as if we had called +- * local_daif_mask(). +- */ +- if (system_uses_irq_prio_masking()) +- gic_write_pmr(GIC_PRIO_IRQON | GIC_PRIO_PSR_I_SET); +- + arm64_enter_el1_dbg(regs); + do_debug_exception(far, esr, regs); + arm64_exit_el1_dbg(regs); +@@ -350,9 +342,6 @@ static void noinstr el0_dbg(struct pt_regs *regs, unsigned long esr) + /* Only watchpoints write FAR_EL1, otherwise its UNKNOWN */ + unsigned long far = read_sysreg(far_el1); + +- if (system_uses_irq_prio_masking()) +- gic_write_pmr(GIC_PRIO_IRQON | GIC_PRIO_PSR_I_SET); +- + enter_from_user_mode(); + do_debug_exception(far, esr, regs); + local_daif_restore(DAIF_PROCCTX_NOIRQ); +@@ -360,9 +349,6 @@ static void noinstr el0_dbg(struct pt_regs *regs, unsigned long esr) + + static void noinstr el0_svc(struct pt_regs *regs) + { +- if (system_uses_irq_prio_masking()) +- gic_write_pmr(GIC_PRIO_IRQON | GIC_PRIO_PSR_I_SET); +- + enter_from_user_mode(); + do_el0_svc(regs); + } +@@ -437,9 +423,6 @@ static void noinstr el0_cp15(struct pt_regs *regs, unsigned long esr) + + static void noinstr el0_svc_compat(struct pt_regs *regs) + { +- if (system_uses_irq_prio_masking()) +- gic_write_pmr(GIC_PRIO_IRQON | GIC_PRIO_PSR_I_SET); +- + enter_from_user_mode(); + do_el0_svc_compat(regs); + } +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index a9644da545c7..60d399123360 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -259,6 +259,8 @@ alternative_else_nop_endif + alternative_if ARM64_HAS_IRQ_PRIO_MASKING + mrs_s x20, SYS_ICC_PMR_EL1 + str x20, [sp, #S_PMR_SAVE] ++ mov x20, #GIC_PRIO_IRQON | GIC_PRIO_PSR_I_SET ++ msr_s SYS_ICC_PMR_EL1, x20 + alternative_else_nop_endif + + /* Re-enable tag checking (TCO set on exception entry) */ +@@ -495,17 +497,7 @@ alternative_endif + #endif + .endm + +- .macro gic_prio_irq_setup, pmr:req, tmp:req +-#ifdef CONFIG_ARM64_PSEUDO_NMI +- alternative_if ARM64_HAS_IRQ_PRIO_MASKING +- orr \tmp, \pmr, #GIC_PRIO_PSR_I_SET +- msr_s SYS_ICC_PMR_EL1, \tmp +- alternative_else_nop_endif +-#endif +- .endm +- + .macro el1_interrupt_handler, handler:req +- gic_prio_irq_setup pmr=x20, tmp=x1 + enable_da_f + + mov x0, sp +@@ -533,7 +525,6 @@ alternative_else_nop_endif + .endm + + .macro el0_interrupt_handler, handler:req +- gic_prio_irq_setup pmr=x20, tmp=x0 + user_exit_irqoff + enable_da_f + +@@ -719,7 +710,6 @@ SYM_CODE_END(el0_irq) + SYM_CODE_START_LOCAL(el1_error) + kernel_entry 1 + mrs x1, esr_el1 +- gic_prio_kentry_setup tmp=x2 + enable_dbg + mov x0, sp + bl do_serror +@@ -730,7 +720,6 @@ SYM_CODE_START_LOCAL(el0_error) + kernel_entry 0 + el0_error_naked: + mrs x25, esr_el1 +- gic_prio_kentry_setup tmp=x2 + user_exit_irqoff + enable_dbg + mov x0, sp +-- +2.30.2 + diff --git a/queue-5.10/arm64-entry-factor-irq-triage-logic-into-macros.patch b/queue-5.10/arm64-entry-factor-irq-triage-logic-into-macros.patch new file mode 100644 index 00000000000..7b10092b467 --- /dev/null +++ b/queue-5.10/arm64-entry-factor-irq-triage-logic-into-macros.patch @@ -0,0 +1,152 @@ +From d328952d82dac0f142d3d65764abf3f3d2ddf78e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Mar 2021 11:56:27 +0000 +Subject: arm64: entry: factor irq triage logic into macros + +From: Marc Zyngier + +[ Upstream commit 9eb563cdabe1d583c262042d5d44cc256f644543 ] + +In subsequent patches we'll allow an FIQ handler to be registered, and +FIQ exceptions will need to be triaged very similarly to IRQ exceptions. +So that we can reuse the existing logic, this patch factors the IRQ +triage logic out into macros that can be reused for FIQ. + +The macros are named to follow the elX_foo_handler scheme used by the C +exception handlers. For consistency with other top-level exception +handlers, the kernel_entry/kernel_exit logic is not moved into the +macros. As FIQ will use a different C handler, this handler name is +provided as an argument to the macros. + +There should be no functional change as a result of this patch. + +Signed-off-by: Marc Zyngier +[Mark: rework macros, commit message, rebase before DAIF rework] +Signed-off-by: Mark Rutland +Tested-by: Hector Martin +Cc: James Morse +Cc: Thomas Gleixner +Cc: Will Deacon +Acked-by: Will Deacon +Link: https://lore.kernel.org/r/20210315115629.57191-5-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/entry.S | 80 +++++++++++++++++++++------------------ + 1 file changed, 43 insertions(+), 37 deletions(-) + +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index 2da82c139e1c..a9644da545c7 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -464,8 +464,8 @@ tsk .req x28 // current thread_info + /* + * Interrupt handling. + */ +- .macro irq_handler +- ldr_l x1, handle_arch_irq ++ .macro irq_handler, handler:req ++ ldr_l x1, \handler + mov x0, sp + irq_stack_entry + blr x1 +@@ -504,6 +504,45 @@ alternative_endif + #endif + .endm + ++ .macro el1_interrupt_handler, handler:req ++ gic_prio_irq_setup pmr=x20, tmp=x1 ++ enable_da_f ++ ++ mov x0, sp ++ bl enter_el1_irq_or_nmi ++ ++ irq_handler \handler ++ ++#ifdef CONFIG_PREEMPTION ++ ldr x24, [tsk, #TSK_TI_PREEMPT] // get preempt count ++alternative_if ARM64_HAS_IRQ_PRIO_MASKING ++ /* ++ * DA_F were cleared at start of handling. If anything is set in DAIF, ++ * we come back from an NMI, so skip preemption ++ */ ++ mrs x0, daif ++ orr x24, x24, x0 ++alternative_else_nop_endif ++ cbnz x24, 1f // preempt count != 0 || NMI return path ++ bl arm64_preempt_schedule_irq // irq en/disable is done inside ++1: ++#endif ++ ++ mov x0, sp ++ bl exit_el1_irq_or_nmi ++ .endm ++ ++ .macro el0_interrupt_handler, handler:req ++ gic_prio_irq_setup pmr=x20, tmp=x0 ++ user_exit_irqoff ++ enable_da_f ++ ++ tbz x22, #55, 1f ++ bl do_el0_irq_bp_hardening ++1: ++ irq_handler \handler ++ .endm ++ + .text + + /* +@@ -633,32 +672,7 @@ SYM_CODE_END(el1_sync) + .align 6 + SYM_CODE_START_LOCAL_NOALIGN(el1_irq) + kernel_entry 1 +- gic_prio_irq_setup pmr=x20, tmp=x1 +- enable_da_f +- +- mov x0, sp +- bl enter_el1_irq_or_nmi +- +- irq_handler +- +-#ifdef CONFIG_PREEMPTION +- ldr x24, [tsk, #TSK_TI_PREEMPT] // get preempt count +-alternative_if ARM64_HAS_IRQ_PRIO_MASKING +- /* +- * DA_F were cleared at start of handling. If anything is set in DAIF, +- * we come back from an NMI, so skip preemption +- */ +- mrs x0, daif +- orr x24, x24, x0 +-alternative_else_nop_endif +- cbnz x24, 1f // preempt count != 0 || NMI return path +- bl arm64_preempt_schedule_irq // irq en/disable is done inside +-1: +-#endif +- +- mov x0, sp +- bl exit_el1_irq_or_nmi +- ++ el1_interrupt_handler handle_arch_irq + kernel_exit 1 + SYM_CODE_END(el1_irq) + +@@ -698,15 +712,7 @@ SYM_CODE_END(el0_error_compat) + SYM_CODE_START_LOCAL_NOALIGN(el0_irq) + kernel_entry 0 + el0_irq_naked: +- gic_prio_irq_setup pmr=x20, tmp=x0 +- user_exit_irqoff +- enable_da_f +- +- tbz x22, #55, 1f +- bl do_el0_irq_bp_hardening +-1: +- irq_handler +- ++ el0_interrupt_handler handle_arch_irq + b ret_to_user + SYM_CODE_END(el0_irq) + +-- +2.30.2 + diff --git a/queue-5.10/asoc-intel-bytcr_rt5640-add-quirk-for-the-chuwi-hi8-.patch b/queue-5.10/asoc-intel-bytcr_rt5640-add-quirk-for-the-chuwi-hi8-.patch new file mode 100644 index 00000000000..dc1de4e8b73 --- /dev/null +++ b/queue-5.10/asoc-intel-bytcr_rt5640-add-quirk-for-the-chuwi-hi8-.patch @@ -0,0 +1,56 @@ +From 2eb7a142c717d745753615d09e4f03dcd78c28a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 23:10:54 +0100 +Subject: ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet + +From: Hans de Goede + +[ Upstream commit 875c40eadf6ac6644c0f71842a4f30dd9968d281 ] + +The Chuwi Hi8 tablet is using an analog mic on IN1 and has its +jack-detect connected to JD2_IN4N, instead of using the default +IN3 for its internal mic and JD1_IN4P for jack-detect. + +It also only has 1 speaker. + +Add a quirk applying the correct settings for this configuration. + +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20210325221054.22714-1-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcr_rt5640.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c +index 2d887406ca85..1ef0464249d1 100644 +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -514,6 +514,23 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = { + BYT_RT5640_SSP0_AIF1 | + BYT_RT5640_MCLK_EN), + }, ++ { ++ /* Chuwi Hi8 (CWI509) */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Hampoo"), ++ DMI_MATCH(DMI_BOARD_NAME, "BYT-PA03C"), ++ DMI_MATCH(DMI_SYS_VENDOR, "ilife"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "S806"), ++ }, ++ .driver_data = (void *)(BYT_RT5640_IN1_MAP | ++ BYT_RT5640_JD_SRC_JD2_IN4N | ++ BYT_RT5640_OVCD_TH_2000UA | ++ BYT_RT5640_OVCD_SF_0P75 | ++ BYT_RT5640_MONO_SPEAKER | ++ BYT_RT5640_DIFF_MIC | ++ BYT_RT5640_SSP0_AIF1 | ++ BYT_RT5640_MCLK_EN), ++ }, + { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Circuitco"), +-- +2.30.2 + diff --git a/queue-5.10/asoc-intel-bytcr_rt5640-enable-jack-detect-support-o.patch b/queue-5.10/asoc-intel-bytcr_rt5640-enable-jack-detect-support-o.patch new file mode 100644 index 00000000000..eae53cf6ff5 --- /dev/null +++ b/queue-5.10/asoc-intel-bytcr_rt5640-enable-jack-detect-support-o.patch @@ -0,0 +1,41 @@ +From c684d418a3d433cbfd1ce76df18313ffd1f0ff94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Mar 2021 12:48:50 +0100 +Subject: ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF + +From: Hans de Goede + +[ Upstream commit b7c7203a1f751348f35fc4bcb157572d303f7573 ] + +The Asus T100TAF uses the same jack-detect settings as the T100TA, +this has been confirmed on actual hardware. + +Add these settings to the T100TAF quirks to enable jack-detect support +on the T100TAF. + +Signed-off-by: Hans de Goede +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210312114850.13832-1-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcr_rt5640.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c +index d5812e73eb63..2d887406ca85 100644 +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -478,6 +478,9 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T100TAF"), + }, + .driver_data = (void *)(BYT_RT5640_IN1_MAP | ++ BYT_RT5640_JD_SRC_JD2_IN4N | ++ BYT_RT5640_OVCD_TH_2000UA | ++ BYT_RT5640_OVCD_SF_0P75 | + BYT_RT5640_MONO_SPEAKER | + BYT_RT5640_DIFF_MIC | + BYT_RT5640_SSP0_AIF2 | +-- +2.30.2 + diff --git a/queue-5.10/asoc-intel-sof_sdw-add-quirk-for-new-adl-p-rvp.patch b/queue-5.10/asoc-intel-sof_sdw-add-quirk-for-new-adl-p-rvp.patch new file mode 100644 index 00000000000..3c2868b2890 --- /dev/null +++ b/queue-5.10/asoc-intel-sof_sdw-add-quirk-for-new-adl-p-rvp.patch @@ -0,0 +1,47 @@ +From fbb96a6e14dcb4af13069de029ad41c841340d61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 12:50:09 -0500 +Subject: ASoC: Intel: sof_sdw: add quirk for new ADL-P Rvp + +From: Vamshi Krishna Gopal + +[ Upstream commit d25bbe80485f8bcbbeb91a2a6cd8798c124b27b7 ] + +Add quirks for jack detection, rt711 DAI and DMIC + +Reviewed-by: Bard Liao +Reviewed-by: Kai Vehmanen +Signed-off-by: Vamshi Krishna Gopal +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210415175013.192862-6-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/sof_sdw.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/sound/soc/intel/boards/sof_sdw.c b/sound/soc/intel/boards/sof_sdw.c +index 1d7677376e74..9dc982c2c776 100644 +--- a/sound/soc/intel/boards/sof_sdw.c ++++ b/sound/soc/intel/boards/sof_sdw.c +@@ -187,6 +187,17 @@ static const struct dmi_system_id sof_sdw_quirk_table[] = { + SOF_RT715_DAI_ID_FIX | + SOF_SDW_FOUR_SPK), + }, ++ /* AlderLake devices */ ++ { ++ .callback = sof_sdw_quirk_cb, ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Intel Corporation"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Alder Lake Client Platform"), ++ }, ++ .driver_data = (void *)(SOF_RT711_JD_SRC_JD1 | ++ SOF_SDW_TGL_HDMI | ++ SOF_SDW_PCH_DMIC), ++ }, + {} + }; + +-- +2.30.2 + diff --git a/queue-5.10/asoc-rsnd-call-rsnd_ssi_master_clk_start-from-rsnd_s.patch b/queue-5.10/asoc-rsnd-call-rsnd_ssi_master_clk_start-from-rsnd_s.patch new file mode 100644 index 00000000000..23ea789861f --- /dev/null +++ b/queue-5.10/asoc-rsnd-call-rsnd_ssi_master_clk_start-from-rsnd_s.patch @@ -0,0 +1,116 @@ +From 3c810f32d34e8d9712941a2614947fd38edf4b99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 13:28:38 +0900 +Subject: ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() + +From: Kuninori Morimoto + +[ Upstream commit a122a116fc6d8fcf2f202dcd185173a54268f239 ] + +Current rsnd needs to call .prepare (P) for clock settings, +.trigger for playback start (S) and stop (E). +It should be called as below from SSI point of view. + + P -> S -> E -> P -> S -> E -> ... + +But, if you used MIXer, below case might happen + + (2) + 1: P -> S ---> E -> ... + 2: P ----> S -> ... + (1) (3) + +P(1) setups clock, but E(2) resets it. and starts playback (3). +In such case, it will reports "SSI parent/child should use same rate". + +rsnd_ssi_master_clk_start() which is the main function at (P) +was called from rsnd_ssi_init() (= S) before, +but was moved by below patch to rsnd_soc_dai_prepare() (= P) to avoid +using clk_get_rate() which shouldn't be used under atomic context. + + commit 4d230d1271064 ("ASoC: rsnd: fixup not to call clk_get/set + under non-atomic") + +Because of above patch, rsnd_ssi_master_clk_start() is now called at (P) +which is for non atomic context. But (P) is assuming that spin lock is +*not* used. +One issue now is rsnd_ssi_master_clk_start() is checking ssi->xxx +which should be protected by spin lock. + +After above patch, adg.c had below patch for other reasons. + + commit 06e8f5c842f2d ("ASoC: rsnd: don't call clk_get_rate() + under atomic context") + +clk_get_rate() is used at probe() timing by this patch. +In other words, rsnd_ssi_master_clk_start() is no longer using +clk_get_rate() any more. + +This means we can call it from rsnd_ssi_init() (= S) again which is +protected by spin lock. +This patch re-move it to under spin lock, and solves +1. checking ssi->xxx without spin lock issue. +2. clk setting / device start / device stop race condition. + +Reported-by: Linh Phung T. Y. +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/875z0x1jt5.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sh/rcar/ssi.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c +index d0ded427a836..a2f8138d40c7 100644 +--- a/sound/soc/sh/rcar/ssi.c ++++ b/sound/soc/sh/rcar/ssi.c +@@ -507,10 +507,15 @@ static int rsnd_ssi_init(struct rsnd_mod *mod, + struct rsnd_priv *priv) + { + struct rsnd_ssi *ssi = rsnd_mod_to_ssi(mod); ++ int ret; + + if (!rsnd_ssi_is_run_mods(mod, io)) + return 0; + ++ ret = rsnd_ssi_master_clk_start(mod, io); ++ if (ret < 0) ++ return ret; ++ + ssi->usrcnt++; + + rsnd_mod_power_on(mod); +@@ -1060,13 +1065,6 @@ static int rsnd_ssi_pio_pointer(struct rsnd_mod *mod, + return 0; + } + +-static int rsnd_ssi_prepare(struct rsnd_mod *mod, +- struct rsnd_dai_stream *io, +- struct rsnd_priv *priv) +-{ +- return rsnd_ssi_master_clk_start(mod, io); +-} +- + static struct rsnd_mod_ops rsnd_ssi_pio_ops = { + .name = SSI_NAME, + .probe = rsnd_ssi_common_probe, +@@ -1079,7 +1077,6 @@ static struct rsnd_mod_ops rsnd_ssi_pio_ops = { + .pointer = rsnd_ssi_pio_pointer, + .pcm_new = rsnd_ssi_pcm_new, + .hw_params = rsnd_ssi_hw_params, +- .prepare = rsnd_ssi_prepare, + .get_status = rsnd_ssi_get_status, + }; + +@@ -1166,7 +1163,6 @@ static struct rsnd_mod_ops rsnd_ssi_dma_ops = { + .pcm_new = rsnd_ssi_pcm_new, + .fallback = rsnd_ssi_fallback, + .hw_params = rsnd_ssi_hw_params, +- .prepare = rsnd_ssi_prepare, + .get_status = rsnd_ssi_get_status, + }; + +-- +2.30.2 + diff --git a/queue-5.10/asoc-rsnd-core-check-convert-rate-in-rsnd_hw_params.patch b/queue-5.10/asoc-rsnd-core-check-convert-rate-in-rsnd_hw_params.patch new file mode 100644 index 00000000000..c32e05aadda --- /dev/null +++ b/queue-5.10/asoc-rsnd-core-check-convert-rate-in-rsnd_hw_params.patch @@ -0,0 +1,113 @@ +From bad30c95b30ad0d4bb6b90f194bff06a96f6995b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Mar 2021 14:47:35 +1000 +Subject: ASoC: rsnd: core: Check convert rate in rsnd_hw_params + +From: Mikhail Durnev + +[ Upstream commit 19c6a63ced5e07e40f3a5255cb1f0fe0d3be7b14 ] + +snd_pcm_hw_params_set_rate_near can return incorrect sample rate in +some cases, e.g. when the backend output rate is set to some value higher +than 48000 Hz and the input rate is 8000 Hz. So passing the value returned +by snd_pcm_hw_params_set_rate_near to snd_pcm_hw_params will result in +"FSO/FSI ratio error" and playing no audio at all while the userland +is not properly notified about the issue. + +If SRC is unable to convert the requested sample rate to the sample rate +the backend is using, then the requested sample rate should be adjusted in +rsnd_hw_params. The userland will be notified about that change in the +returned hw_params structure. + +Signed-off-by: Mikhail Durnev +Link: https://lore.kernel.org/r/1615870055-13954-1-git-send-email-mikhail_durnev@mentor.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sh/rcar/core.c | 69 +++++++++++++++++++++++++++++++++++++++- + 1 file changed, 68 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/sh/rcar/core.c b/sound/soc/sh/rcar/core.c +index 6e670b3e92a0..289928d4c0c9 100644 +--- a/sound/soc/sh/rcar/core.c ++++ b/sound/soc/sh/rcar/core.c +@@ -1428,8 +1428,75 @@ static int rsnd_hw_params(struct snd_soc_component *component, + } + if (io->converted_chan) + dev_dbg(dev, "convert channels = %d\n", io->converted_chan); +- if (io->converted_rate) ++ if (io->converted_rate) { ++ /* ++ * SRC supports convert rates from params_rate(hw_params)/k_down ++ * to params_rate(hw_params)*k_up, where k_up is always 6, and ++ * k_down depends on number of channels and SRC unit. ++ * So all SRC units can upsample audio up to 6 times regardless ++ * its number of channels. And all SRC units can downsample ++ * 2 channel audio up to 6 times too. ++ */ ++ int k_up = 6; ++ int k_down = 6; ++ int channel; ++ struct rsnd_mod *src_mod = rsnd_io_to_mod_src(io); ++ + dev_dbg(dev, "convert rate = %d\n", io->converted_rate); ++ ++ channel = io->converted_chan ? io->converted_chan : ++ params_channels(hw_params); ++ ++ switch (rsnd_mod_id(src_mod)) { ++ /* ++ * SRC0 can downsample 4, 6 and 8 channel audio up to 4 times. ++ * SRC1, SRC3 and SRC4 can downsample 4 channel audio ++ * up to 4 times. ++ * SRC1, SRC3 and SRC4 can downsample 6 and 8 channel audio ++ * no more than twice. ++ */ ++ case 1: ++ case 3: ++ case 4: ++ if (channel > 4) { ++ k_down = 2; ++ break; ++ } ++ fallthrough; ++ case 0: ++ if (channel > 2) ++ k_down = 4; ++ break; ++ ++ /* Other SRC units do not support more than 2 channels */ ++ default: ++ if (channel > 2) ++ return -EINVAL; ++ } ++ ++ if (params_rate(hw_params) > io->converted_rate * k_down) { ++ hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->min = ++ io->converted_rate * k_down; ++ hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->max = ++ io->converted_rate * k_down; ++ hw_params->cmask |= SNDRV_PCM_HW_PARAM_RATE; ++ } else if (params_rate(hw_params) * k_up < io->converted_rate) { ++ hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->min = ++ (io->converted_rate + k_up - 1) / k_up; ++ hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->max = ++ (io->converted_rate + k_up - 1) / k_up; ++ hw_params->cmask |= SNDRV_PCM_HW_PARAM_RATE; ++ } ++ ++ /* ++ * TBD: Max SRC input and output rates also depend on number ++ * of channels and SRC unit: ++ * SRC1, SRC3 and SRC4 do not support more than 128kHz ++ * for 6 channel and 96kHz for 8 channel audio. ++ * Perhaps this function should return EINVAL if the input or ++ * the output rate exceeds the limitation. ++ */ ++ } + } + + return rsnd_dai_call(hw_params, io, substream, hw_params); +-- +2.30.2 + diff --git a/queue-5.10/asoc-rt286-generalize-support-for-alc3263-codec.patch b/queue-5.10/asoc-rt286-generalize-support-for-alc3263-codec.patch new file mode 100644 index 00000000000..29c4c81ec6f --- /dev/null +++ b/queue-5.10/asoc-rt286-generalize-support-for-alc3263-codec.patch @@ -0,0 +1,99 @@ +From bc439c279234613e111fa94a7d52ab3e74c47d6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Apr 2021 09:46:58 -0400 +Subject: ASoC: rt286: Generalize support for ALC3263 codec + +From: David Ward + +[ Upstream commit aa2f9c12821e6a4ba1df4fb34a3dbc6a2a1ee7fe ] + +The ALC3263 codec on the XPS 13 9343 is also found on the Latitude 13 7350 +and Venue 11 Pro 7140. They require the same handling for the combo jack to +work with a headset: GPIO pin 6 must be set. + +The HDA driver always sets this pin on the ALC3263, which it distinguishes +by the codec vendor/device ID 0x10ec0288 and PCI subsystem vendor ID 0x1028 +(Dell). The ASoC driver does not use PCI, so adapt this check to use DMI to +determine if Dell is the system vendor. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=150601 +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205961 +Signed-off-by: David Ward +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210418134658.4333-6-david.ward@gatech.edu +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt286.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c +index 5fb9653d9131..8ae2e2eaad3d 100644 +--- a/sound/soc/codecs/rt286.c ++++ b/sound/soc/codecs/rt286.c +@@ -1117,12 +1117,11 @@ static const struct dmi_system_id force_combo_jack_table[] = { + { } + }; + +-static const struct dmi_system_id dmi_dell_dino[] = { ++static const struct dmi_system_id dmi_dell[] = { + { +- .ident = "Dell Dino", ++ .ident = "Dell", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "XPS 13 9343") + } + }, + { } +@@ -1133,7 +1132,7 @@ static int rt286_i2c_probe(struct i2c_client *i2c, + { + struct rt286_platform_data *pdata = dev_get_platdata(&i2c->dev); + struct rt286_priv *rt286; +- int i, ret, val; ++ int i, ret, vendor_id; + + rt286 = devm_kzalloc(&i2c->dev, sizeof(*rt286), + GFP_KERNEL); +@@ -1149,14 +1148,15 @@ static int rt286_i2c_probe(struct i2c_client *i2c, + } + + ret = regmap_read(rt286->regmap, +- RT286_GET_PARAM(AC_NODE_ROOT, AC_PAR_VENDOR_ID), &val); ++ RT286_GET_PARAM(AC_NODE_ROOT, AC_PAR_VENDOR_ID), &vendor_id); + if (ret != 0) { + dev_err(&i2c->dev, "I2C error %d\n", ret); + return ret; + } +- if (val != RT286_VENDOR_ID && val != RT288_VENDOR_ID) { ++ if (vendor_id != RT286_VENDOR_ID && vendor_id != RT288_VENDOR_ID) { + dev_err(&i2c->dev, +- "Device with ID register %#x is not rt286\n", val); ++ "Device with ID register %#x is not rt286\n", ++ vendor_id); + return -ENODEV; + } + +@@ -1180,8 +1180,8 @@ static int rt286_i2c_probe(struct i2c_client *i2c, + if (pdata) + rt286->pdata = *pdata; + +- if (dmi_check_system(force_combo_jack_table) || +- dmi_check_system(dmi_dell_dino)) ++ if ((vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)) || ++ dmi_check_system(force_combo_jack_table)) + rt286->pdata.cbj_en = true; + + regmap_write(rt286->regmap, RT286_SET_AUDIO_POWER, AC_PWRST_D3); +@@ -1220,7 +1220,7 @@ static int rt286_i2c_probe(struct i2c_client *i2c, + regmap_update_bits(rt286->regmap, RT286_DEPOP_CTRL3, 0xf777, 0x4737); + regmap_update_bits(rt286->regmap, RT286_DEPOP_CTRL4, 0x00ff, 0x003f); + +- if (dmi_check_system(dmi_dell_dino)) { ++ if (vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)) { + regmap_update_bits(rt286->regmap, + RT286_SET_GPIO_MASK, 0x40, 0x40); + regmap_update_bits(rt286->regmap, +-- +2.30.2 + diff --git a/queue-5.10/asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch b/queue-5.10/asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch new file mode 100644 index 00000000000..c592f2a6929 --- /dev/null +++ b/queue-5.10/asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch @@ -0,0 +1,39 @@ +From 7c2743f504fe369976fa25e9c3a2542c2a8821e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Apr 2021 09:46:57 -0400 +Subject: ASoC: rt286: Make RT286_SET_GPIO_* readable and writable + +From: David Ward + +[ Upstream commit cd8499d5c03ba260e3191e90236d0e5f6b147563 ] + +The GPIO configuration cannot be applied if the registers are inaccessible. +This prevented the headset mic from working on the Dell XPS 13 9343. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=114171 +Signed-off-by: David Ward +Link: https://lore.kernel.org/r/20210418134658.4333-5-david.ward@gatech.edu +Reviewed-by: Pierre-Louis Bossart +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt286.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c +index 8ae2e2eaad3d..eec2dd93ecbb 100644 +--- a/sound/soc/codecs/rt286.c ++++ b/sound/soc/codecs/rt286.c +@@ -171,6 +171,9 @@ static bool rt286_readable_register(struct device *dev, unsigned int reg) + case RT286_PROC_COEF: + case RT286_SET_AMP_GAIN_ADC_IN1: + case RT286_SET_AMP_GAIN_ADC_IN2: ++ case RT286_SET_GPIO_MASK: ++ case RT286_SET_GPIO_DIRECTION: ++ case RT286_SET_GPIO_DATA: + case RT286_SET_POWER(RT286_DAC_OUT1): + case RT286_SET_POWER(RT286_DAC_OUT2): + case RT286_SET_POWER(RT286_ADC_IN1): +-- +2.30.2 + diff --git a/queue-5.10/asoc-rt5670-add-a-quirk-for-the-dell-venue-10-pro-50.patch b/queue-5.10/asoc-rt5670-add-a-quirk-for-the-dell-venue-10-pro-50.patch new file mode 100644 index 00000000000..71e6840dd95 --- /dev/null +++ b/queue-5.10/asoc-rt5670-add-a-quirk-for-the-dell-venue-10-pro-50.patch @@ -0,0 +1,47 @@ +From 508f4ef914a7e1b053ac6ea2aa9637584bc93f79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Apr 2021 16:07:45 +0200 +Subject: ASoC: rt5670: Add a quirk for the Dell Venue 10 Pro 5055 + +From: Hans de Goede + +[ Upstream commit 84cb0d5581b6a7bd5d96013f67e9f2eb0c7b4378 ] + +Add a quirk with the jack-detect and dmic settings necessary to make +jack-detect and the builtin mic work on Dell Venue 10 Pro 5055 tablets. + +Signed-off-by: Hans de Goede +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210402140747.174716-5-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5670.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/sound/soc/codecs/rt5670.c b/sound/soc/codecs/rt5670.c +index a0c8f58d729b..47ce074289ca 100644 +--- a/sound/soc/codecs/rt5670.c ++++ b/sound/soc/codecs/rt5670.c +@@ -2908,6 +2908,18 @@ static const struct dmi_system_id dmi_platform_intel_quirks[] = { + RT5670_GPIO1_IS_IRQ | + RT5670_JD_MODE3), + }, ++ { ++ .callback = rt5670_quirk_cb, ++ .ident = "Dell Venue 10 Pro 5055", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Venue 10 Pro 5055"), ++ }, ++ .driver_data = (unsigned long *)(RT5670_DMIC_EN | ++ RT5670_DMIC2_INR | ++ RT5670_GPIO1_IS_IRQ | ++ RT5670_JD_MODE1), ++ }, + { + .callback = rt5670_quirk_cb, + .ident = "Aegex 10 tablet (RU2)", +-- +2.30.2 + diff --git a/queue-5.10/ath11k-fix-thermal-temperature-read.patch b/queue-5.10/ath11k-fix-thermal-temperature-read.patch new file mode 100644 index 00000000000..27d13da3bc9 --- /dev/null +++ b/queue-5.10/ath11k-fix-thermal-temperature-read.patch @@ -0,0 +1,106 @@ +From 1ab585d87bb3e01e4174cd4fe633a9560e5c7b51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Feb 2021 10:27:08 -0800 +Subject: ath11k: fix thermal temperature read + +From: Pradeep Kumar Chitrapu + +[ Upstream commit e3de5bb7ac1a4cb262f8768924fd3ef6182b10bb ] + +Fix dangling pointer in thermal temperature event which causes +incorrect temperature read. + +Tested-on: IPQ8074 AHB WLAN.HK.2.4.0.1-00041-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Pradeep Kumar Chitrapu +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210218182708.8844-1-pradeepc@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/wmi.c | 53 +++++++++++---------------- + 1 file changed, 21 insertions(+), 32 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c +index 173ab6ceed1f..eca86225a341 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -4986,31 +4986,6 @@ int ath11k_wmi_pull_fw_stats(struct ath11k_base *ab, struct sk_buff *skb, + return 0; + } + +-static int +-ath11k_pull_pdev_temp_ev(struct ath11k_base *ab, u8 *evt_buf, +- u32 len, const struct wmi_pdev_temperature_event *ev) +-{ +- const void **tb; +- int ret; +- +- tb = ath11k_wmi_tlv_parse_alloc(ab, evt_buf, len, GFP_ATOMIC); +- if (IS_ERR(tb)) { +- ret = PTR_ERR(tb); +- ath11k_warn(ab, "failed to parse tlv: %d\n", ret); +- return ret; +- } +- +- ev = tb[WMI_TAG_PDEV_TEMPERATURE_EVENT]; +- if (!ev) { +- ath11k_warn(ab, "failed to fetch pdev temp ev"); +- kfree(tb); +- return -EPROTO; +- } +- +- kfree(tb); +- return 0; +-} +- + size_t ath11k_wmi_fw_stats_num_vdevs(struct list_head *head) + { + struct ath11k_fw_stats_vdev *i; +@@ -6390,23 +6365,37 @@ ath11k_wmi_pdev_temperature_event(struct ath11k_base *ab, + struct sk_buff *skb) + { + struct ath11k *ar; +- struct wmi_pdev_temperature_event ev = {0}; ++ const void **tb; ++ const struct wmi_pdev_temperature_event *ev; ++ int ret; ++ ++ tb = ath11k_wmi_tlv_parse_alloc(ab, skb->data, skb->len, GFP_ATOMIC); ++ if (IS_ERR(tb)) { ++ ret = PTR_ERR(tb); ++ ath11k_warn(ab, "failed to parse tlv: %d\n", ret); ++ return; ++ } + +- if (ath11k_pull_pdev_temp_ev(ab, skb->data, skb->len, &ev) != 0) { +- ath11k_warn(ab, "failed to extract pdev temperature event"); ++ ev = tb[WMI_TAG_PDEV_TEMPERATURE_EVENT]; ++ if (!ev) { ++ ath11k_warn(ab, "failed to fetch pdev temp ev"); ++ kfree(tb); + return; + } + + ath11k_dbg(ab, ATH11K_DBG_WMI, +- "pdev temperature ev temp %d pdev_id %d\n", ev.temp, ev.pdev_id); ++ "pdev temperature ev temp %d pdev_id %d\n", ev->temp, ev->pdev_id); + +- ar = ath11k_mac_get_ar_by_pdev_id(ab, ev.pdev_id); ++ ar = ath11k_mac_get_ar_by_pdev_id(ab, ev->pdev_id); + if (!ar) { +- ath11k_warn(ab, "invalid pdev id in pdev temperature ev %d", ev.pdev_id); ++ ath11k_warn(ab, "invalid pdev id in pdev temperature ev %d", ev->pdev_id); ++ kfree(tb); + return; + } + +- ath11k_thermal_event_temperature(ar, ev.temp); ++ ath11k_thermal_event_temperature(ar, ev->temp); ++ ++ kfree(tb); + } + + static void ath11k_wmi_tlv_op_rx(struct ath11k_base *ab, struct sk_buff *skb) +-- +2.30.2 + diff --git a/queue-5.10/block-rnbd-clt-change-queue_depth-type-in-rnbd_clt_s.patch b/queue-5.10/block-rnbd-clt-change-queue_depth-type-in-rnbd_clt_s.patch new file mode 100644 index 00000000000..7008905babe --- /dev/null +++ b/queue-5.10/block-rnbd-clt-change-queue_depth-type-in-rnbd_clt_s.patch @@ -0,0 +1,40 @@ +From 3af7981ee74cd9fffca67aef6658294a3ce8630e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Apr 2021 08:13:56 +0200 +Subject: block/rnbd-clt: Change queue_depth type in rnbd_clt_session to size_t + +From: Md Haris Iqbal + +[ Upstream commit 80d43cbd46155744ee450d2476ee4fcf2917ae9b ] + +The member queue_depth in the structure rnbd_clt_session is read from the +rtrs client side using the function rtrs_clt_query, which in turn is read +from the rtrs_clt structure. It should really be of type size_t. + +Fixes: 90426e89f54db ("block/rnbd: client: private header with client structs and functions") +Signed-off-by: Md Haris Iqbal +Reviewed-by: Guoqing Jiang +Signed-off-by: Gioh Kim +Link: https://lore.kernel.org/r/20210428061359.206794-2-gi-oh.kim@ionos.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/rnbd/rnbd-clt.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/rnbd/rnbd-clt.h b/drivers/block/rnbd/rnbd-clt.h +index b193d5904050..2941e3862b9c 100644 +--- a/drivers/block/rnbd/rnbd-clt.h ++++ b/drivers/block/rnbd/rnbd-clt.h +@@ -79,7 +79,7 @@ struct rnbd_clt_session { + DECLARE_BITMAP(cpu_queues_bm, NR_CPUS); + int __percpu *cpu_rr; /* per-cpu var for CPU round-robin */ + atomic_t busy; +- int queue_depth; ++ size_t queue_depth; + u32 max_io_size; + struct blk_mq_tag_set tag_set; + struct mutex lock; /* protects state and devs_list */ +-- +2.30.2 + diff --git a/queue-5.10/block-rnbd-clt-check-the-return-value-of-the-functio.patch b/queue-5.10/block-rnbd-clt-check-the-return-value-of-the-functio.patch new file mode 100644 index 00000000000..d69c7bf7d95 --- /dev/null +++ b/queue-5.10/block-rnbd-clt-check-the-return-value-of-the-functio.patch @@ -0,0 +1,58 @@ +From b4f4fa10781f72e79c3ce8916854fa6c9a8c3468 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Apr 2021 08:13:58 +0200 +Subject: block/rnbd-clt: Check the return value of the function rtrs_clt_query + +From: Md Haris Iqbal + +[ Upstream commit 1056ad829ec43f9b705b507c2093b05e2088b0b7 ] + +In case none of the paths are in connected state, the function +rtrs_clt_query returns an error. In such a case, error out since the +values in the rtrs_attrs structure would be garbage. + +Fixes: f7a7a5c228d45 ("block/rnbd: client: main functionality") +Signed-off-by: Md Haris Iqbal +Reviewed-by: Guoqing Jiang +Signed-off-by: Jack Wang +Signed-off-by: Gioh Kim +Link: https://lore.kernel.org/r/20210428061359.206794-4-gi-oh.kim@ionos.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/rnbd/rnbd-clt.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/rnbd/rnbd-clt.c b/drivers/block/rnbd/rnbd-clt.c +index ba334fe7626d..71b86fee81c2 100644 +--- a/drivers/block/rnbd/rnbd-clt.c ++++ b/drivers/block/rnbd/rnbd-clt.c +@@ -679,7 +679,11 @@ static void remap_devs(struct rnbd_clt_session *sess) + return; + } + +- rtrs_clt_query(sess->rtrs, &attrs); ++ err = rtrs_clt_query(sess->rtrs, &attrs); ++ if (err) { ++ pr_err("rtrs_clt_query(\"%s\"): %d\n", sess->sessname, err); ++ return; ++ } + mutex_lock(&sess->lock); + sess->max_io_size = attrs.max_io_size; + +@@ -1211,7 +1215,11 @@ find_and_get_or_create_sess(const char *sessname, + err = PTR_ERR(sess->rtrs); + goto wake_up_and_put; + } +- rtrs_clt_query(sess->rtrs, &attrs); ++ ++ err = rtrs_clt_query(sess->rtrs, &attrs); ++ if (err) ++ goto close_rtrs; ++ + sess->max_io_size = attrs.max_io_size; + sess->queue_depth = attrs.queue_depth; + +-- +2.30.2 + diff --git a/queue-5.10/bluetooth-btusb-enable-quirk-boolean-flag-for-mediat.patch b/queue-5.10/bluetooth-btusb-enable-quirk-boolean-flag-for-mediat.patch new file mode 100644 index 00000000000..ae84c6ae635 --- /dev/null +++ b/queue-5.10/bluetooth-btusb-enable-quirk-boolean-flag-for-mediat.patch @@ -0,0 +1,36 @@ +From d7c8fb3b0bdf9eddfe3b4380e9ba41f9c6577ec9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 01:18:33 +0800 +Subject: Bluetooth: btusb: Enable quirk boolean flag for Mediatek Chip. + +From: mark-yw.chen + +[ Upstream commit 27e554a4fcd84e499bf0a82122b8c4c3f1de38b6 ] + +Adding support LE scatternet and WBS for Mediatek Chip + +Signed-off-by: mark-yw.chen +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 2953b96b3ced..175cb1c0d569 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -392,7 +392,9 @@ static const struct usb_device_id blacklist_table[] = { + + /* MediaTek Bluetooth devices */ + { USB_VENDOR_AND_INTERFACE_INFO(0x0e8d, 0xe0, 0x01, 0x01), +- .driver_info = BTUSB_MEDIATEK }, ++ .driver_info = BTUSB_MEDIATEK | ++ BTUSB_WIDEBAND_SPEECH | ++ BTUSB_VALID_LE_STATES }, + + /* Additional Realtek 8723AE Bluetooth devices */ + { USB_DEVICE(0x0930, 0x021d), .driver_info = BTUSB_REALTEK }, +-- +2.30.2 + diff --git a/queue-5.10/bluetooth-check-for-zapped-sk-before-connecting.patch b/queue-5.10/bluetooth-check-for-zapped-sk-before-connecting.patch new file mode 100644 index 00000000000..47caf9f7c20 --- /dev/null +++ b/queue-5.10/bluetooth-check-for-zapped-sk-before-connecting.patch @@ -0,0 +1,69 @@ +From 84511c2daaab31c2898f8d821e8adbc523d1b736 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Mar 2021 16:32:20 +0800 +Subject: Bluetooth: check for zapped sk before connecting + +From: Archie Pusaka + +[ Upstream commit 3af70b39fa2d415dc86c370e5b24ddb9fdacbd6f ] + +There is a possibility of receiving a zapped sock on +l2cap_sock_connect(). This could lead to interesting crashes, one +such case is tearing down an already tore l2cap_sock as is happened +with this call trace: + +__dump_stack lib/dump_stack.c:15 [inline] +dump_stack+0xc4/0x118 lib/dump_stack.c:56 +register_lock_class kernel/locking/lockdep.c:792 [inline] +register_lock_class+0x239/0x6f6 kernel/locking/lockdep.c:742 +__lock_acquire+0x209/0x1e27 kernel/locking/lockdep.c:3105 +lock_acquire+0x29c/0x2fb kernel/locking/lockdep.c:3599 +__raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline] +_raw_spin_lock_bh+0x38/0x47 kernel/locking/spinlock.c:175 +spin_lock_bh include/linux/spinlock.h:307 [inline] +lock_sock_nested+0x44/0xfa net/core/sock.c:2518 +l2cap_sock_teardown_cb+0x88/0x2fb net/bluetooth/l2cap_sock.c:1345 +l2cap_chan_del+0xa3/0x383 net/bluetooth/l2cap_core.c:598 +l2cap_chan_close+0x537/0x5dd net/bluetooth/l2cap_core.c:756 +l2cap_chan_timeout+0x104/0x17e net/bluetooth/l2cap_core.c:429 +process_one_work+0x7e3/0xcb0 kernel/workqueue.c:2064 +worker_thread+0x5a5/0x773 kernel/workqueue.c:2196 +kthread+0x291/0x2a6 kernel/kthread.c:211 +ret_from_fork+0x4e/0x80 arch/x86/entry/entry_64.S:604 + +Signed-off-by: Archie Pusaka +Reported-by: syzbot+abfc0f5e668d4099af73@syzkaller.appspotmail.com +Reviewed-by: Alain Michaud +Reviewed-by: Abhishek Pandit-Subedi +Reviewed-by: Guenter Roeck +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index f1b1edd0b697..c99d65ef13b1 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -179,9 +179,17 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, + struct l2cap_chan *chan = l2cap_pi(sk)->chan; + struct sockaddr_l2 la; + int len, err = 0; ++ bool zapped; + + BT_DBG("sk %p", sk); + ++ lock_sock(sk); ++ zapped = sock_flag(sk, SOCK_ZAPPED); ++ release_sock(sk); ++ ++ if (zapped) ++ return -EINVAL; ++ + if (!addr || alen < offsetofend(struct sockaddr, sa_family) || + addr->sa_family != AF_BLUETOOTH) + return -EINVAL; +-- +2.30.2 + diff --git a/queue-5.10/bluetooth-fix-incorrect-status-handling-in-le-phy-up.patch b/queue-5.10/bluetooth-fix-incorrect-status-handling-in-le-phy-up.patch new file mode 100644 index 00000000000..30829a36f5e --- /dev/null +++ b/queue-5.10/bluetooth-fix-incorrect-status-handling-in-le-phy-up.patch @@ -0,0 +1,35 @@ +From ae8ef444be9eac03f519c353b7c912f1e563d9e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Mar 2021 16:52:14 +0530 +Subject: Bluetooth: Fix incorrect status handling in LE PHY UPDATE event + +From: Ayush Garg + +[ Upstream commit 87df8bcccd2cede62dfb97dc3d4ca1fe66cb4f83 ] + +Skip updation of tx and rx PHYs values, when PHY Update +event's status is not successful. + +Signed-off-by: Ayush Garg +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index e0a542849735..4676e4b0be2b 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -5897,7 +5897,7 @@ static void hci_le_phy_update_evt(struct hci_dev *hdev, struct sk_buff *skb) + + BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); + +- if (!ev->status) ++ if (ev->status) + return; + + hci_dev_lock(hdev); +-- +2.30.2 + diff --git a/queue-5.10/bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch b/queue-5.10/bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch new file mode 100644 index 00000000000..c705ddfdd54 --- /dev/null +++ b/queue-5.10/bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch @@ -0,0 +1,43 @@ +From 2e0415262eba69c8c759a74b9774a3c5157911e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Mar 2021 07:52:07 +0900 +Subject: Bluetooth: initialize skb_queue_head at l2cap_chan_create() + +From: Tetsuo Handa + +[ Upstream commit be8597239379f0f53c9710dd6ab551bbf535bec6 ] + +syzbot is hitting "INFO: trying to register non-static key." message [1], +for "struct l2cap_chan"->tx_q.lock spinlock is not yet initialized when +l2cap_chan_del() is called due to e.g. timeout. + +Since "struct l2cap_chan"->lock mutex is initialized at l2cap_chan_create() +immediately after "struct l2cap_chan" is allocated using kzalloc(), let's +as well initialize "struct l2cap_chan"->{tx_q,srej_q}.lock spinlocks there. + +[1] https://syzkaller.appspot.com/bug?extid=fadfba6a911f6bf71842 + +Reported-and-tested-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 3e18cddfbcc5..cdc386337173 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -451,6 +451,8 @@ struct l2cap_chan *l2cap_chan_create(void) + if (!chan) + return NULL; + ++ skb_queue_head_init(&chan->tx_q); ++ skb_queue_head_init(&chan->srej_q); + mutex_init(&chan->lock); + + /* Set default lock nesting level */ +-- +2.30.2 + diff --git a/queue-5.10/bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch b/queue-5.10/bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch new file mode 100644 index 00000000000..96a4d022631 --- /dev/null +++ b/queue-5.10/bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch @@ -0,0 +1,77 @@ +From 882af35751d3357890cdf09416fd212ebe541274 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Mar 2021 14:02:15 +0800 +Subject: Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default + +From: Archie Pusaka + +[ Upstream commit 3a9d54b1947ecea8eea9a902c0b7eb58a98add8a ] + +Currently l2cap_chan_set_defaults() reset chan->conf_state to zero. +However, there is a flag CONF_NOT_COMPLETE which is set when +creating the l2cap_chan. It is suggested that the flag should be +cleared when l2cap_chan is ready, but when l2cap_chan_set_defaults() +is called, l2cap_chan is not yet ready. Therefore, we must set this +flag as the default. + +Example crash call trace: +__dump_stack lib/dump_stack.c:15 [inline] +dump_stack+0xc4/0x118 lib/dump_stack.c:56 +panic+0x1c6/0x38b kernel/panic.c:117 +__warn+0x170/0x1b9 kernel/panic.c:471 +warn_slowpath_fmt+0xc7/0xf8 kernel/panic.c:494 +debug_print_object+0x175/0x193 lib/debugobjects.c:260 +debug_object_assert_init+0x171/0x1bf lib/debugobjects.c:614 +debug_timer_assert_init kernel/time/timer.c:629 [inline] +debug_assert_init kernel/time/timer.c:677 [inline] +del_timer+0x7c/0x179 kernel/time/timer.c:1034 +try_to_grab_pending+0x81/0x2e5 kernel/workqueue.c:1230 +cancel_delayed_work+0x7c/0x1c4 kernel/workqueue.c:2929 +l2cap_clear_timer+0x1e/0x41 include/net/bluetooth/l2cap.h:834 +l2cap_chan_del+0x2d8/0x37e net/bluetooth/l2cap_core.c:640 +l2cap_chan_close+0x532/0x5d8 net/bluetooth/l2cap_core.c:756 +l2cap_sock_shutdown+0x806/0x969 net/bluetooth/l2cap_sock.c:1174 +l2cap_sock_release+0x64/0x14d net/bluetooth/l2cap_sock.c:1217 +__sock_release+0xda/0x217 net/socket.c:580 +sock_close+0x1b/0x1f net/socket.c:1039 +__fput+0x322/0x55c fs/file_table.c:208 +____fput+0x17/0x19 fs/file_table.c:244 +task_work_run+0x19b/0x1d3 kernel/task_work.c:115 +exit_task_work include/linux/task_work.h:21 [inline] +do_exit+0xe4c/0x204a kernel/exit.c:766 +do_group_exit+0x291/0x291 kernel/exit.c:891 +get_signal+0x749/0x1093 kernel/signal.c:2396 +do_signal+0xa5/0xcdb arch/x86/kernel/signal.c:737 +exit_to_usermode_loop arch/x86/entry/common.c:243 [inline] +prepare_exit_to_usermode+0xed/0x235 arch/x86/entry/common.c:277 +syscall_return_slowpath+0x3a7/0x3b3 arch/x86/entry/common.c:348 +int_ret_from_sys_call+0x25/0xa3 + +Signed-off-by: Archie Pusaka +Reported-by: syzbot+338f014a98367a08a114@syzkaller.appspotmail.com +Reviewed-by: Alain Michaud +Reviewed-by: Abhishek Pandit-Subedi +Reviewed-by: Guenter Roeck +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 1ab27b90ddcb..3e18cddfbcc5 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -516,7 +516,9 @@ void l2cap_chan_set_defaults(struct l2cap_chan *chan) + chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; + chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO; + chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO; ++ + chan->conf_state = 0; ++ set_bit(CONF_NOT_COMPLETE, &chan->conf_state); + + set_bit(FLAG_FORCE_ACTIVE, &chan->flags); + } +-- +2.30.2 + diff --git a/queue-5.10/bnxt_en-add-pci-ids-for-hyper-v-vf-devices.patch b/queue-5.10/bnxt_en-add-pci-ids-for-hyper-v-vf-devices.patch new file mode 100644 index 00000000000..ce64fadb5ec --- /dev/null +++ b/queue-5.10/bnxt_en-add-pci-ids-for-hyper-v-vf-devices.patch @@ -0,0 +1,86 @@ +From 0cbaf6a7ddb5607cc074414b98ef5ece3caaae94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Apr 2021 13:45:25 -0400 +Subject: bnxt_en: Add PCI IDs for Hyper-V VF devices. + +From: Michael Chan + +[ Upstream commit 7fbf359bb2c19c824cbb1954020680824f6ee5a5 ] + +Support VF device IDs used by the Hyper-V hypervisor. + +Reviewed-by: Vasundhara Volam +Reviewed-by: Andy Gospodarek +Signed-off-by: Edwin Peer +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 7ddc2e2e4976..4385b42a2b63 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -122,7 +122,10 @@ enum board_idx { + NETXTREME_E_VF, + NETXTREME_C_VF, + NETXTREME_S_VF, ++ NETXTREME_C_VF_HV, ++ NETXTREME_E_VF_HV, + NETXTREME_E_P5_VF, ++ NETXTREME_E_P5_VF_HV, + }; + + /* indexed by enum above */ +@@ -170,7 +173,10 @@ static const struct { + [NETXTREME_E_VF] = { "Broadcom NetXtreme-E Ethernet Virtual Function" }, + [NETXTREME_C_VF] = { "Broadcom NetXtreme-C Ethernet Virtual Function" }, + [NETXTREME_S_VF] = { "Broadcom NetXtreme-S Ethernet Virtual Function" }, ++ [NETXTREME_C_VF_HV] = { "Broadcom NetXtreme-C Virtual Function for Hyper-V" }, ++ [NETXTREME_E_VF_HV] = { "Broadcom NetXtreme-E Virtual Function for Hyper-V" }, + [NETXTREME_E_P5_VF] = { "Broadcom BCM5750X NetXtreme-E Ethernet Virtual Function" }, ++ [NETXTREME_E_P5_VF_HV] = { "Broadcom BCM5750X NetXtreme-E Virtual Function for Hyper-V" }, + }; + + static const struct pci_device_id bnxt_pci_tbl[] = { +@@ -222,15 +228,25 @@ static const struct pci_device_id bnxt_pci_tbl[] = { + { PCI_VDEVICE(BROADCOM, 0xd804), .driver_data = BCM58804 }, + #ifdef CONFIG_BNXT_SRIOV + { PCI_VDEVICE(BROADCOM, 0x1606), .driver_data = NETXTREME_E_VF }, ++ { PCI_VDEVICE(BROADCOM, 0x1607), .driver_data = NETXTREME_E_VF_HV }, ++ { PCI_VDEVICE(BROADCOM, 0x1608), .driver_data = NETXTREME_E_VF_HV }, + { PCI_VDEVICE(BROADCOM, 0x1609), .driver_data = NETXTREME_E_VF }, ++ { PCI_VDEVICE(BROADCOM, 0x16bd), .driver_data = NETXTREME_E_VF_HV }, + { PCI_VDEVICE(BROADCOM, 0x16c1), .driver_data = NETXTREME_E_VF }, ++ { PCI_VDEVICE(BROADCOM, 0x16c2), .driver_data = NETXTREME_C_VF_HV }, ++ { PCI_VDEVICE(BROADCOM, 0x16c3), .driver_data = NETXTREME_C_VF_HV }, ++ { PCI_VDEVICE(BROADCOM, 0x16c4), .driver_data = NETXTREME_E_VF_HV }, ++ { PCI_VDEVICE(BROADCOM, 0x16c5), .driver_data = NETXTREME_E_VF_HV }, + { PCI_VDEVICE(BROADCOM, 0x16cb), .driver_data = NETXTREME_C_VF }, + { PCI_VDEVICE(BROADCOM, 0x16d3), .driver_data = NETXTREME_E_VF }, + { PCI_VDEVICE(BROADCOM, 0x16dc), .driver_data = NETXTREME_E_VF }, + { PCI_VDEVICE(BROADCOM, 0x16e1), .driver_data = NETXTREME_C_VF }, + { PCI_VDEVICE(BROADCOM, 0x16e5), .driver_data = NETXTREME_C_VF }, ++ { PCI_VDEVICE(BROADCOM, 0x16e6), .driver_data = NETXTREME_C_VF_HV }, + { PCI_VDEVICE(BROADCOM, 0x1806), .driver_data = NETXTREME_E_P5_VF }, + { PCI_VDEVICE(BROADCOM, 0x1807), .driver_data = NETXTREME_E_P5_VF }, ++ { PCI_VDEVICE(BROADCOM, 0x1808), .driver_data = NETXTREME_E_P5_VF_HV }, ++ { PCI_VDEVICE(BROADCOM, 0x1809), .driver_data = NETXTREME_E_P5_VF_HV }, + { PCI_VDEVICE(BROADCOM, 0xd800), .driver_data = NETXTREME_S_VF }, + #endif + { 0 } +@@ -263,7 +279,8 @@ static struct workqueue_struct *bnxt_pf_wq; + static bool bnxt_vf_pciid(enum board_idx idx) + { + return (idx == NETXTREME_C_VF || idx == NETXTREME_E_VF || +- idx == NETXTREME_S_VF || idx == NETXTREME_E_P5_VF); ++ idx == NETXTREME_S_VF || idx == NETXTREME_C_VF_HV || ++ idx == NETXTREME_E_VF_HV || idx == NETXTREME_E_P5_VF); + } + + #define DB_CP_REARM_FLAGS (DB_KEY_CP | DB_IDX_VALID) +-- +2.30.2 + diff --git a/queue-5.10/can-m_can-m_can_tx_work_queue-fix-tx_skb-race-condit.patch b/queue-5.10/can-m_can-m_can_tx_work_queue-fix-tx_skb-race-condit.patch new file mode 100644 index 00000000000..0283e175816 --- /dev/null +++ b/queue-5.10/can-m_can-m_can_tx_work_queue-fix-tx_skb-race-condit.patch @@ -0,0 +1,49 @@ +From 382784ee4ac867828e30f27b1bde61dc6fa232d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 May 2021 13:32:27 +0200 +Subject: can: m_can: m_can_tx_work_queue(): fix tx_skb race condition + +From: Marc Kleine-Budde + +[ Upstream commit e04b2cfe61072c7966e1a5fb73dd1feb30c206ed ] + +The m_can_start_xmit() function checks if the cdev->tx_skb is NULL and +returns with NETDEV_TX_BUSY in case tx_sbk is not NULL. + +There is a race condition in the m_can_tx_work_queue(), where first +the skb is send to the driver and then the case tx_sbk is set to NULL. +A TX complete IRQ might come in between and wake the queue, which +results in tx_skb not being cleared yet. + +Fixes: f524f829b75a ("can: m_can: Create a m_can platform framework") +Tested-by: Torin Cooper-Bennun +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/m_can/m_can.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c +index 6f0bf5db885c..62bcef4bb95f 100644 +--- a/drivers/net/can/m_can/m_can.c ++++ b/drivers/net/can/m_can/m_can.c +@@ -1466,6 +1466,8 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev) + int i; + int putidx; + ++ cdev->tx_skb = NULL; ++ + /* Generate ID field for TX buffer Element */ + /* Common to all supported M_CAN versions */ + if (cf->can_id & CAN_EFF_FLAG) { +@@ -1582,7 +1584,6 @@ static void m_can_tx_work_queue(struct work_struct *ws) + tx_work); + + m_can_tx_handler(cdev); +- cdev->tx_skb = NULL; + } + + static netdev_tx_t m_can_start_xmit(struct sk_buff *skb, +-- +2.30.2 + diff --git a/queue-5.10/can-mcp251x-fix-resume-from-sleep-before-interface-w.patch b/queue-5.10/can-mcp251x-fix-resume-from-sleep-before-interface-w.patch new file mode 100644 index 00000000000..95b5d4b9e28 --- /dev/null +++ b/queue-5.10/can-mcp251x-fix-resume-from-sleep-before-interface-w.patch @@ -0,0 +1,119 @@ +From 7fd3d22c9c874062b244f1c406bb3e5de7a9476a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 May 2021 09:14:15 +0200 +Subject: can: mcp251x: fix resume from sleep before interface was brought up + +From: Frieder Schrempf + +[ Upstream commit 03c427147b2d3e503af258711af4fc792b89b0af ] + +Since 8ce8c0abcba3 the driver queues work via priv->restart_work when +resuming after suspend, even when the interface was not previously +enabled. This causes a null dereference error as the workqueue is only +allocated and initialized in mcp251x_open(). + +To fix this we move the workqueue init to mcp251x_can_probe() as there +is no reason to do it later and repeat it whenever mcp251x_open() is +called. + +Fixes: 8ce8c0abcba3 ("can: mcp251x: only reset hardware as required") +Link: https://lore.kernel.org/r/17d5d714-b468-482f-f37a-482e3d6df84e@kontron.de +Signed-off-by: Frieder Schrempf +Reviewed-by: Andy Shevchenko +[mkl: fix error handling in mcp251x_stop()] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/mcp251x.c | 35 ++++++++++++++++++----------------- + 1 file changed, 18 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c +index 42c3046fa304..89897a2d41fa 100644 +--- a/drivers/net/can/spi/mcp251x.c ++++ b/drivers/net/can/spi/mcp251x.c +@@ -956,8 +956,6 @@ static int mcp251x_stop(struct net_device *net) + + priv->force_quit = 1; + free_irq(spi->irq, priv); +- destroy_workqueue(priv->wq); +- priv->wq = NULL; + + mutex_lock(&priv->mcp_lock); + +@@ -1224,24 +1222,15 @@ static int mcp251x_open(struct net_device *net) + goto out_close; + } + +- priv->wq = alloc_workqueue("mcp251x_wq", WQ_FREEZABLE | WQ_MEM_RECLAIM, +- 0); +- if (!priv->wq) { +- ret = -ENOMEM; +- goto out_clean; +- } +- INIT_WORK(&priv->tx_work, mcp251x_tx_work_handler); +- INIT_WORK(&priv->restart_work, mcp251x_restart_work_handler); +- + ret = mcp251x_hw_wake(spi); + if (ret) +- goto out_free_wq; ++ goto out_free_irq; + ret = mcp251x_setup(net, spi); + if (ret) +- goto out_free_wq; ++ goto out_free_irq; + ret = mcp251x_set_normal_mode(spi); + if (ret) +- goto out_free_wq; ++ goto out_free_irq; + + can_led_event(net, CAN_LED_EVENT_OPEN); + +@@ -1250,9 +1239,7 @@ static int mcp251x_open(struct net_device *net) + + return 0; + +-out_free_wq: +- destroy_workqueue(priv->wq); +-out_clean: ++out_free_irq: + free_irq(spi->irq, priv); + mcp251x_hw_sleep(spi); + out_close: +@@ -1373,6 +1360,15 @@ static int mcp251x_can_probe(struct spi_device *spi) + if (ret) + goto out_clk; + ++ priv->wq = alloc_workqueue("mcp251x_wq", WQ_FREEZABLE | WQ_MEM_RECLAIM, ++ 0); ++ if (!priv->wq) { ++ ret = -ENOMEM; ++ goto out_clk; ++ } ++ INIT_WORK(&priv->tx_work, mcp251x_tx_work_handler); ++ INIT_WORK(&priv->restart_work, mcp251x_restart_work_handler); ++ + priv->spi = spi; + mutex_init(&priv->mcp_lock); + +@@ -1417,6 +1413,8 @@ static int mcp251x_can_probe(struct spi_device *spi) + return 0; + + error_probe: ++ destroy_workqueue(priv->wq); ++ priv->wq = NULL; + mcp251x_power_enable(priv->power, 0); + + out_clk: +@@ -1438,6 +1436,9 @@ static int mcp251x_can_remove(struct spi_device *spi) + + mcp251x_power_enable(priv->power, 0); + ++ destroy_workqueue(priv->wq); ++ priv->wq = NULL; ++ + clk_disable_unprepare(priv->clk); + + free_candev(net); +-- +2.30.2 + diff --git a/queue-5.10/can-mcp251xfd-mcp251xfd_probe-add-missing-can_rx_off.patch b/queue-5.10/can-mcp251xfd-mcp251xfd_probe-add-missing-can_rx_off.patch new file mode 100644 index 00000000000..253db5585fb --- /dev/null +++ b/queue-5.10/can-mcp251xfd-mcp251xfd_probe-add-missing-can_rx_off.patch @@ -0,0 +1,42 @@ +From 2bfb154f246763a239073d2c16d0773ba229898f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 May 2021 11:34:34 +0200 +Subject: can: mcp251xfd: mcp251xfd_probe(): add missing can_rx_offload_del() + in error path + +From: Marc Kleine-Budde + +[ Upstream commit 4376ea42db8bfcac2bc3a30bba93917244a8c2d4 ] + +This patch adds the missing can_rx_offload_del(), that must be called +if mcp251xfd_register() fails. + +Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") +Link: https://lore.kernel.org/r/20210504091838.1109047-1-mkl@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c +index 096d818c167e..68ff931993c2 100644 +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c +@@ -2870,10 +2870,12 @@ static int mcp251xfd_probe(struct spi_device *spi) + + err = mcp251xfd_register(priv); + if (err) +- goto out_free_candev; ++ goto out_can_rx_offload_del; + + return 0; + ++ out_can_rx_offload_del: ++ can_rx_offload_del(&priv->offload); + out_free_candev: + spi->max_speed_hz = priv->spi_max_speed_hz_orig; + +-- +2.30.2 + diff --git a/queue-5.10/ceph-fix-inode-leak-on-getattr-error-in-__fh_to_dent.patch b/queue-5.10/ceph-fix-inode-leak-on-getattr-error-in-__fh_to_dent.patch new file mode 100644 index 00000000000..2ce2ecd865b --- /dev/null +++ b/queue-5.10/ceph-fix-inode-leak-on-getattr-error-in-__fh_to_dent.patch @@ -0,0 +1,37 @@ +From 5422e4bddee1ffb83b418ceb73ac0106b4e43758 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Mar 2021 09:21:53 -0400 +Subject: ceph: fix inode leak on getattr error in __fh_to_dentry + +From: Jeff Layton + +[ Upstream commit 1775c7ddacfcea29051c67409087578f8f4d751b ] + +Fixes: 878dabb64117 ("ceph: don't return -ESTALE if there's still an open file") +Signed-off-by: Jeff Layton +Reviewed-by: Xiubo Li +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/export.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/ceph/export.c b/fs/ceph/export.c +index e088843a7734..baa6368bece5 100644 +--- a/fs/ceph/export.c ++++ b/fs/ceph/export.c +@@ -178,8 +178,10 @@ static struct dentry *__fh_to_dentry(struct super_block *sb, u64 ino) + return ERR_CAST(inode); + /* We need LINK caps to reliably check i_nlink */ + err = ceph_do_getattr(inode, CEPH_CAP_LINK_SHARED, false); +- if (err) ++ if (err) { ++ iput(inode); + return ERR_PTR(err); ++ } + /* -ESTALE if inode as been unlinked and no file is open */ + if ((inode->i_nlink == 0) && (atomic_read(&inode->i_count) == 1)) { + iput(inode); +-- +2.30.2 + diff --git a/queue-5.10/coresight-do-not-scan-for-graph-if-none-is-present.patch b/queue-5.10/coresight-do-not-scan-for-graph-if-none-is-present.patch new file mode 100644 index 00000000000..5b7e998db9b --- /dev/null +++ b/queue-5.10/coresight-do-not-scan-for-graph-if-none-is-present.patch @@ -0,0 +1,50 @@ +From 27e1364e7143587977d1745c2a43deced1e3187b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Apr 2021 17:42:57 +0100 +Subject: coresight: Do not scan for graph if none is present + +From: Suzuki K Poulose + +[ Upstream commit 2b921b671a8d29c2adb255a86409aad1e3267309 ] + +If a graph node is not found for a given node, of_get_next_endpoint() +will emit the following error message : + + OF: graph: no port node found in / + +If the given component doesn't have any explicit connections (e.g, +ETE) we could simply ignore the graph parsing. As for any legacy +component where this is mandatory, the device will not be usable +as before this patch. Updating the DT bindings to Yaml and enabling +the schema checks can detect such issues with the DT. + +Cc: Mike Leach +Cc: Leo Yan +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20210405164307.1720226-11-suzuki.poulose@arm.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-platform.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/hwtracing/coresight/coresight-platform.c b/drivers/hwtracing/coresight/coresight-platform.c +index 3629b7885aca..c594f45319fc 100644 +--- a/drivers/hwtracing/coresight/coresight-platform.c ++++ b/drivers/hwtracing/coresight/coresight-platform.c +@@ -90,6 +90,12 @@ static void of_coresight_get_ports_legacy(const struct device_node *node, + struct of_endpoint endpoint; + int in = 0, out = 0; + ++ /* ++ * Avoid warnings in of_graph_get_next_endpoint() ++ * if the device doesn't have any graph connections ++ */ ++ if (!of_graph_is_present(node)) ++ return; + do { + ep = of_graph_get_next_endpoint(node, ep); + if (!ep) +-- +2.30.2 + diff --git a/queue-5.10/crypto-ccp-free-sev-device-if-sev-init-fails.patch b/queue-5.10/crypto-ccp-free-sev-device-if-sev-init-fails.patch new file mode 100644 index 00000000000..733170af98d --- /dev/null +++ b/queue-5.10/crypto-ccp-free-sev-device-if-sev-init-fails.patch @@ -0,0 +1,49 @@ +From 48e38cd3333cdc5b6a300fd6f9e5b154440e0a98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 15:49:45 -0700 +Subject: crypto: ccp: Free SEV device if SEV init fails + +From: Sean Christopherson + +[ Upstream commit b61a9071dc72a3c709192c0c00ab87c2b3de1d94 ] + +Free the SEV device if later initialization fails. The memory isn't +technically leaked as it's tracked in the top-level device's devres +list, but unless the top-level device is removed, the memory won't be +freed and is effectively leaked. + +Signed-off-by: Sean Christopherson +Message-Id: <20210406224952.4177376-2-seanjc@google.com> +Reviewed-by: Brijesh Singh +Acked-by: Tom Lendacky +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/sev-dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c +index 5b82ba7acc7c..21caed429cc5 100644 +--- a/drivers/crypto/ccp/sev-dev.c ++++ b/drivers/crypto/ccp/sev-dev.c +@@ -989,7 +989,7 @@ int sev_dev_init(struct psp_device *psp) + if (!sev->vdata) { + ret = -ENODEV; + dev_err(dev, "sev: missing driver data\n"); +- goto e_err; ++ goto e_sev; + } + + psp_set_sev_irq_handler(psp, sev_irq_handler, sev); +@@ -1004,6 +1004,8 @@ int sev_dev_init(struct psp_device *psp) + + e_irq: + psp_clear_sev_irq_handler(psp); ++e_sev: ++ devm_kfree(dev, sev); + e_err: + psp->sev_data = NULL; + +-- +2.30.2 + diff --git a/queue-5.10/cuse-prevent-clone.patch b/queue-5.10/cuse-prevent-clone.patch new file mode 100644 index 00000000000..71f7bcd068b --- /dev/null +++ b/queue-5.10/cuse-prevent-clone.patch @@ -0,0 +1,37 @@ +From eb5de1bfa9d0daa21970d02b8700b32adadd2835 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Apr 2021 10:40:58 +0200 +Subject: cuse: prevent clone + +From: Miklos Szeredi + +[ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ] + +For cloned connections cuse_channel_release() will be called more than +once, resulting in use after free. + +Prevent device cloning for CUSE, which does not make sense at this point, +and highly unlikely to be used in real life. + +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +--- + fs/fuse/cuse.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c +index 45082269e698..a37528b51798 100644 +--- a/fs/fuse/cuse.c ++++ b/fs/fuse/cuse.c +@@ -627,6 +627,8 @@ static int __init cuse_init(void) + cuse_channel_fops.owner = THIS_MODULE; + cuse_channel_fops.open = cuse_channel_open; + cuse_channel_fops.release = cuse_channel_release; ++ /* CUSE is not prepared for FUSE_DEV_IOC_CLONE */ ++ cuse_channel_fops.unlocked_ioctl = NULL; + + cuse_class = class_create(THIS_MODULE, "cuse"); + if (IS_ERR(cuse_class)) +-- +2.30.2 + diff --git a/queue-5.10/dmaengine-idxd-fix-cdev-setup-and-free-device-lifeti.patch b/queue-5.10/dmaengine-idxd-fix-cdev-setup-and-free-device-lifeti.patch new file mode 100644 index 00000000000..4cb9d302932 --- /dev/null +++ b/queue-5.10/dmaengine-idxd-fix-cdev-setup-and-free-device-lifeti.patch @@ -0,0 +1,312 @@ +From e0bf27b5979b0c189bc7728d0baa1e3698b2f9c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 16:37:57 -0700 +Subject: dmaengine: idxd: fix cdev setup and free device lifetime issues + +From: Dave Jiang + +[ Upstream commit 04922b7445a1950b86f130a1fe8c52cc27b3e30b ] + +The char device setup and cleanup has device lifetime issues regarding when +parts are initialized and cleaned up. The initialization of struct device is +done incorrectly. device_initialize() needs to be called on the 'struct +device' and then additional changes can be added. The ->release() function +needs to be setup via device_type before dev_set_name() to allow proper +cleanup. The change re-parents the cdev under the wq->conf_dev to get +natural reference inheritance. No known dependency on the old device path exists. + +Reported-by: Jason Gunthorpe +Fixes: 42d279f9137a ("dmaengine: idxd: add char driver to expose submission portal to userland") +Signed-off-by: Dave Jiang +Reviewed-by: Dan Williams +Link: https://lore.kernel.org/r/161852987721.2203940.1478218825576630810.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/cdev.c | 129 ++++++++++++++------------------------- + drivers/dma/idxd/idxd.h | 7 ++- + drivers/dma/idxd/init.c | 2 +- + drivers/dma/idxd/irq.c | 4 +- + drivers/dma/idxd/sysfs.c | 10 ++- + 5 files changed, 63 insertions(+), 89 deletions(-) + +diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c +index c3976156db2f..4da88578ed64 100644 +--- a/drivers/dma/idxd/cdev.c ++++ b/drivers/dma/idxd/cdev.c +@@ -35,15 +35,15 @@ struct idxd_user_context { + unsigned int flags; + }; + +-enum idxd_cdev_cleanup { +- CDEV_NORMAL = 0, +- CDEV_FAILED, +-}; +- + static void idxd_cdev_dev_release(struct device *dev) + { +- dev_dbg(dev, "releasing cdev device\n"); +- kfree(dev); ++ struct idxd_cdev *idxd_cdev = container_of(dev, struct idxd_cdev, dev); ++ struct idxd_cdev_context *cdev_ctx; ++ struct idxd_wq *wq = idxd_cdev->wq; ++ ++ cdev_ctx = &ictx[wq->idxd->type]; ++ ida_simple_remove(&cdev_ctx->minor_ida, idxd_cdev->minor); ++ kfree(idxd_cdev); + } + + static struct device_type idxd_cdev_device_type = { +@@ -58,14 +58,11 @@ static inline struct idxd_cdev *inode_idxd_cdev(struct inode *inode) + return container_of(cdev, struct idxd_cdev, cdev); + } + +-static inline struct idxd_wq *idxd_cdev_wq(struct idxd_cdev *idxd_cdev) +-{ +- return container_of(idxd_cdev, struct idxd_wq, idxd_cdev); +-} +- + static inline struct idxd_wq *inode_wq(struct inode *inode) + { +- return idxd_cdev_wq(inode_idxd_cdev(inode)); ++ struct idxd_cdev *idxd_cdev = inode_idxd_cdev(inode); ++ ++ return idxd_cdev->wq; + } + + static int idxd_cdev_open(struct inode *inode, struct file *filp) +@@ -172,11 +169,10 @@ static __poll_t idxd_cdev_poll(struct file *filp, + struct idxd_user_context *ctx = filp->private_data; + struct idxd_wq *wq = ctx->wq; + struct idxd_device *idxd = wq->idxd; +- struct idxd_cdev *idxd_cdev = &wq->idxd_cdev; + unsigned long flags; + __poll_t out = 0; + +- poll_wait(filp, &idxd_cdev->err_queue, wait); ++ poll_wait(filp, &wq->err_queue, wait); + spin_lock_irqsave(&idxd->dev_lock, flags); + if (idxd->sw_err.valid) + out = EPOLLIN | EPOLLRDNORM; +@@ -198,98 +194,67 @@ int idxd_cdev_get_major(struct idxd_device *idxd) + return MAJOR(ictx[idxd->type].devt); + } + +-static int idxd_wq_cdev_dev_setup(struct idxd_wq *wq) ++int idxd_wq_add_cdev(struct idxd_wq *wq) + { + struct idxd_device *idxd = wq->idxd; +- struct idxd_cdev *idxd_cdev = &wq->idxd_cdev; +- struct idxd_cdev_context *cdev_ctx; ++ struct idxd_cdev *idxd_cdev; ++ struct cdev *cdev; + struct device *dev; +- int minor, rc; ++ struct idxd_cdev_context *cdev_ctx; ++ int rc, minor; + +- idxd_cdev->dev = kzalloc(sizeof(*idxd_cdev->dev), GFP_KERNEL); +- if (!idxd_cdev->dev) ++ idxd_cdev = kzalloc(sizeof(*idxd_cdev), GFP_KERNEL); ++ if (!idxd_cdev) + return -ENOMEM; + +- dev = idxd_cdev->dev; +- dev->parent = &idxd->pdev->dev; +- dev_set_name(dev, "%s/wq%u.%u", idxd_get_dev_name(idxd), +- idxd->id, wq->id); +- dev->bus = idxd_get_bus_type(idxd); +- ++ idxd_cdev->wq = wq; ++ cdev = &idxd_cdev->cdev; ++ dev = &idxd_cdev->dev; + cdev_ctx = &ictx[wq->idxd->type]; + minor = ida_simple_get(&cdev_ctx->minor_ida, 0, MINORMASK, GFP_KERNEL); + if (minor < 0) { +- rc = minor; +- kfree(dev); +- goto ida_err; +- } +- +- dev->devt = MKDEV(MAJOR(cdev_ctx->devt), minor); +- dev->type = &idxd_cdev_device_type; +- rc = device_register(dev); +- if (rc < 0) { +- dev_err(&idxd->pdev->dev, "device register failed\n"); +- goto dev_reg_err; ++ kfree(idxd_cdev); ++ return minor; + } + idxd_cdev->minor = minor; + +- return 0; +- +- dev_reg_err: +- ida_simple_remove(&cdev_ctx->minor_ida, MINOR(dev->devt)); +- put_device(dev); +- ida_err: +- idxd_cdev->dev = NULL; +- return rc; +-} +- +-static void idxd_wq_cdev_cleanup(struct idxd_wq *wq, +- enum idxd_cdev_cleanup cdev_state) +-{ +- struct idxd_cdev *idxd_cdev = &wq->idxd_cdev; +- struct idxd_cdev_context *cdev_ctx; +- +- cdev_ctx = &ictx[wq->idxd->type]; +- if (cdev_state == CDEV_NORMAL) +- cdev_del(&idxd_cdev->cdev); +- device_unregister(idxd_cdev->dev); +- /* +- * The device_type->release() will be called on the device and free +- * the allocated struct device. We can just forget it. +- */ +- ida_simple_remove(&cdev_ctx->minor_ida, idxd_cdev->minor); +- idxd_cdev->dev = NULL; +- idxd_cdev->minor = -1; +-} +- +-int idxd_wq_add_cdev(struct idxd_wq *wq) +-{ +- struct idxd_cdev *idxd_cdev = &wq->idxd_cdev; +- struct cdev *cdev = &idxd_cdev->cdev; +- struct device *dev; +- int rc; ++ device_initialize(dev); ++ dev->parent = &wq->conf_dev; ++ dev->bus = idxd_get_bus_type(idxd); ++ dev->type = &idxd_cdev_device_type; ++ dev->devt = MKDEV(MAJOR(cdev_ctx->devt), minor); + +- rc = idxd_wq_cdev_dev_setup(wq); ++ rc = dev_set_name(dev, "%s/wq%u.%u", idxd_get_dev_name(idxd), ++ idxd->id, wq->id); + if (rc < 0) +- return rc; ++ goto err; + +- dev = idxd_cdev->dev; ++ wq->idxd_cdev = idxd_cdev; + cdev_init(cdev, &idxd_cdev_fops); +- cdev_set_parent(cdev, &dev->kobj); +- rc = cdev_add(cdev, dev->devt, 1); ++ rc = cdev_device_add(cdev, dev); + if (rc) { + dev_dbg(&wq->idxd->pdev->dev, "cdev_add failed: %d\n", rc); +- idxd_wq_cdev_cleanup(wq, CDEV_FAILED); +- return rc; ++ goto err; + } + +- init_waitqueue_head(&idxd_cdev->err_queue); + return 0; ++ ++ err: ++ put_device(dev); ++ wq->idxd_cdev = NULL; ++ return rc; + } + + void idxd_wq_del_cdev(struct idxd_wq *wq) + { +- idxd_wq_cdev_cleanup(wq, CDEV_NORMAL); ++ struct idxd_cdev *idxd_cdev; ++ struct idxd_cdev_context *cdev_ctx; ++ ++ cdev_ctx = &ictx[wq->idxd->type]; ++ idxd_cdev = wq->idxd_cdev; ++ wq->idxd_cdev = NULL; ++ cdev_device_del(&idxd_cdev->cdev, &idxd_cdev->dev); ++ put_device(&idxd_cdev->dev); + } + + int idxd_cdev_register(void) +diff --git a/drivers/dma/idxd/idxd.h b/drivers/dma/idxd/idxd.h +index adf30dc23685..eef6996ecc59 100644 +--- a/drivers/dma/idxd/idxd.h ++++ b/drivers/dma/idxd/idxd.h +@@ -71,10 +71,10 @@ enum idxd_wq_type { + }; + + struct idxd_cdev { ++ struct idxd_wq *wq; + struct cdev cdev; +- struct device *dev; ++ struct device dev; + int minor; +- struct wait_queue_head err_queue; + }; + + #define IDXD_ALLOCATED_BATCH_SIZE 128U +@@ -99,7 +99,8 @@ struct idxd_dma_chan { + struct idxd_wq { + void __iomem *dportal; + struct device conf_dev; +- struct idxd_cdev idxd_cdev; ++ struct idxd_cdev *idxd_cdev; ++ struct wait_queue_head err_queue; + struct idxd_device *idxd; + int id; + enum idxd_wq_type type; +diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c +index fa8c4228f358..f4c7ce8cb399 100644 +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -175,7 +175,7 @@ static int idxd_setup_internals(struct idxd_device *idxd) + wq->id = i; + wq->idxd = idxd; + mutex_init(&wq->wq_lock); +- wq->idxd_cdev.minor = -1; ++ init_waitqueue_head(&wq->err_queue); + wq->max_xfer_bytes = idxd->max_xfer_bytes; + wq->max_batch_size = idxd->max_batch_size; + wq->wqcfg = devm_kzalloc(dev, idxd->wqcfg_size, GFP_KERNEL); +diff --git a/drivers/dma/idxd/irq.c b/drivers/dma/idxd/irq.c +index 6bb1c1773aae..fc9579180705 100644 +--- a/drivers/dma/idxd/irq.c ++++ b/drivers/dma/idxd/irq.c +@@ -75,7 +75,7 @@ static int process_misc_interrupts(struct idxd_device *idxd, u32 cause) + struct idxd_wq *wq = &idxd->wqs[id]; + + if (wq->type == IDXD_WQT_USER) +- wake_up_interruptible(&wq->idxd_cdev.err_queue); ++ wake_up_interruptible(&wq->err_queue); + } else { + int i; + +@@ -83,7 +83,7 @@ static int process_misc_interrupts(struct idxd_device *idxd, u32 cause) + struct idxd_wq *wq = &idxd->wqs[i]; + + if (wq->type == IDXD_WQT_USER) +- wake_up_interruptible(&wq->idxd_cdev.err_queue); ++ wake_up_interruptible(&wq->err_queue); + } + } + +diff --git a/drivers/dma/idxd/sysfs.c b/drivers/dma/idxd/sysfs.c +index 7566b573d546..7b41cdff1a2c 100644 +--- a/drivers/dma/idxd/sysfs.c ++++ b/drivers/dma/idxd/sysfs.c +@@ -1052,8 +1052,16 @@ static ssize_t wq_cdev_minor_show(struct device *dev, + struct device_attribute *attr, char *buf) + { + struct idxd_wq *wq = container_of(dev, struct idxd_wq, conf_dev); ++ int minor = -1; + +- return sprintf(buf, "%d\n", wq->idxd_cdev.minor); ++ mutex_lock(&wq->wq_lock); ++ if (wq->idxd_cdev) ++ minor = wq->idxd_cdev->minor; ++ mutex_unlock(&wq->wq_lock); ++ ++ if (minor == -1) ++ return -ENXIO; ++ return sysfs_emit(buf, "%d\n", minor); + } + + static struct device_attribute dev_attr_wq_cdev_minor = +-- +2.30.2 + diff --git a/queue-5.10/dmaengine-idxd-fix-dma-device-lifetime.patch b/queue-5.10/dmaengine-idxd-fix-dma-device-lifetime.patch new file mode 100644 index 00000000000..2e98d78f8b2 --- /dev/null +++ b/queue-5.10/dmaengine-idxd-fix-dma-device-lifetime.patch @@ -0,0 +1,243 @@ +From c3b8869c24e2bc57787df8dc9f1d2b300abbbcd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 16:37:10 -0700 +Subject: dmaengine: idxd: fix dma device lifetime + +From: Dave Jiang + +[ Upstream commit 397862855619271296e46d10f7dfa7bafe71eb81 ] + +The devm managed lifetime is incompatible with 'struct device' objects that +resides in idxd context. This is one of the series that clean up the idxd +driver 'struct device' lifetime. Remove embedding of dma_device and dma_chan +in idxd since it's not the only interface that idxd will use. The freeing of +the dma_device will be managed by the ->release() function. + +Reported-by: Jason Gunthorpe +Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") +Signed-off-by: Dave Jiang +Reviewed-by: Dan Williams +Link: https://lore.kernel.org/r/161852983001.2203940.14817017492384561719.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/device.c | 2 - + drivers/dma/idxd/dma.c | 77 ++++++++++++++++++++++++++++++++------- + drivers/dma/idxd/idxd.h | 18 +++++++-- + 3 files changed, 79 insertions(+), 18 deletions(-) + +diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c +index f90fdf7aeeef..47aae5fe8273 100644 +--- a/drivers/dma/idxd/device.c ++++ b/drivers/dma/idxd/device.c +@@ -169,8 +169,6 @@ int idxd_wq_alloc_resources(struct idxd_wq *wq) + desc->id = i; + desc->wq = wq; + desc->cpu = -1; +- dma_async_tx_descriptor_init(&desc->txd, &wq->dma_chan); +- desc->txd.tx_submit = idxd_dma_tx_submit; + } + + return 0; +diff --git a/drivers/dma/idxd/dma.c b/drivers/dma/idxd/dma.c +index ec177a535d6d..aa7435555de9 100644 +--- a/drivers/dma/idxd/dma.c ++++ b/drivers/dma/idxd/dma.c +@@ -14,7 +14,10 @@ + + static inline struct idxd_wq *to_idxd_wq(struct dma_chan *c) + { +- return container_of(c, struct idxd_wq, dma_chan); ++ struct idxd_dma_chan *idxd_chan; ++ ++ idxd_chan = container_of(c, struct idxd_dma_chan, chan); ++ return idxd_chan->wq; + } + + void idxd_dma_complete_txd(struct idxd_desc *desc, +@@ -144,7 +147,7 @@ static void idxd_dma_issue_pending(struct dma_chan *dma_chan) + { + } + +-dma_cookie_t idxd_dma_tx_submit(struct dma_async_tx_descriptor *tx) ++static dma_cookie_t idxd_dma_tx_submit(struct dma_async_tx_descriptor *tx) + { + struct dma_chan *c = tx->chan; + struct idxd_wq *wq = to_idxd_wq(c); +@@ -165,14 +168,25 @@ dma_cookie_t idxd_dma_tx_submit(struct dma_async_tx_descriptor *tx) + + static void idxd_dma_release(struct dma_device *device) + { ++ struct idxd_dma_dev *idxd_dma = container_of(device, struct idxd_dma_dev, dma); ++ ++ kfree(idxd_dma); + } + + int idxd_register_dma_device(struct idxd_device *idxd) + { +- struct dma_device *dma = &idxd->dma_dev; ++ struct idxd_dma_dev *idxd_dma; ++ struct dma_device *dma; ++ struct device *dev = &idxd->pdev->dev; ++ int rc; + ++ idxd_dma = kzalloc_node(sizeof(*idxd_dma), GFP_KERNEL, dev_to_node(dev)); ++ if (!idxd_dma) ++ return -ENOMEM; ++ ++ dma = &idxd_dma->dma; + INIT_LIST_HEAD(&dma->channels); +- dma->dev = &idxd->pdev->dev; ++ dma->dev = dev; + + dma_cap_set(DMA_PRIVATE, dma->cap_mask); + dma_cap_set(DMA_COMPLETION_NO_ORDER, dma->cap_mask); +@@ -188,35 +202,72 @@ int idxd_register_dma_device(struct idxd_device *idxd) + dma->device_alloc_chan_resources = idxd_dma_alloc_chan_resources; + dma->device_free_chan_resources = idxd_dma_free_chan_resources; + +- return dma_async_device_register(&idxd->dma_dev); ++ rc = dma_async_device_register(dma); ++ if (rc < 0) { ++ kfree(idxd_dma); ++ return rc; ++ } ++ ++ idxd_dma->idxd = idxd; ++ /* ++ * This pointer is protected by the refs taken by the dma_chan. It will remain valid ++ * as long as there are outstanding channels. ++ */ ++ idxd->idxd_dma = idxd_dma; ++ return 0; + } + + void idxd_unregister_dma_device(struct idxd_device *idxd) + { +- dma_async_device_unregister(&idxd->dma_dev); ++ dma_async_device_unregister(&idxd->idxd_dma->dma); + } + + int idxd_register_dma_channel(struct idxd_wq *wq) + { + struct idxd_device *idxd = wq->idxd; +- struct dma_device *dma = &idxd->dma_dev; +- struct dma_chan *chan = &wq->dma_chan; +- int rc; ++ struct dma_device *dma = &idxd->idxd_dma->dma; ++ struct device *dev = &idxd->pdev->dev; ++ struct idxd_dma_chan *idxd_chan; ++ struct dma_chan *chan; ++ int rc, i; ++ ++ idxd_chan = kzalloc_node(sizeof(*idxd_chan), GFP_KERNEL, dev_to_node(dev)); ++ if (!idxd_chan) ++ return -ENOMEM; + +- memset(&wq->dma_chan, 0, sizeof(struct dma_chan)); ++ chan = &idxd_chan->chan; + chan->device = dma; + list_add_tail(&chan->device_node, &dma->channels); ++ ++ for (i = 0; i < wq->num_descs; i++) { ++ struct idxd_desc *desc = wq->descs[i]; ++ ++ dma_async_tx_descriptor_init(&desc->txd, chan); ++ desc->txd.tx_submit = idxd_dma_tx_submit; ++ } ++ + rc = dma_async_device_channel_register(dma, chan); +- if (rc < 0) ++ if (rc < 0) { ++ kfree(idxd_chan); + return rc; ++ } ++ ++ wq->idxd_chan = idxd_chan; ++ idxd_chan->wq = wq; ++ get_device(&wq->conf_dev); + + return 0; + } + + void idxd_unregister_dma_channel(struct idxd_wq *wq) + { +- struct dma_chan *chan = &wq->dma_chan; ++ struct idxd_dma_chan *idxd_chan = wq->idxd_chan; ++ struct dma_chan *chan = &idxd_chan->chan; ++ struct idxd_dma_dev *idxd_dma = wq->idxd->idxd_dma; + +- dma_async_device_channel_unregister(&wq->idxd->dma_dev, chan); ++ dma_async_device_channel_unregister(&idxd_dma->dma, chan); + list_del(&chan->device_node); ++ kfree(wq->idxd_chan); ++ wq->idxd_chan = NULL; ++ put_device(&wq->conf_dev); + } +diff --git a/drivers/dma/idxd/idxd.h b/drivers/dma/idxd/idxd.h +index 1d7849cb9100..adf30dc23685 100644 +--- a/drivers/dma/idxd/idxd.h ++++ b/drivers/dma/idxd/idxd.h +@@ -14,6 +14,9 @@ + + extern struct kmem_cache *idxd_desc_pool; + ++struct idxd_device; ++struct idxd_wq; ++ + #define IDXD_REG_TIMEOUT 50 + #define IDXD_DRAIN_TIMEOUT 5000 + +@@ -88,6 +91,11 @@ enum idxd_complete_type { + IDXD_COMPLETE_ABORT, + }; + ++struct idxd_dma_chan { ++ struct dma_chan chan; ++ struct idxd_wq *wq; ++}; ++ + struct idxd_wq { + void __iomem *dportal; + struct device conf_dev; +@@ -112,7 +120,7 @@ struct idxd_wq { + int compls_size; + struct idxd_desc **descs; + struct sbitmap_queue sbq; +- struct dma_chan dma_chan; ++ struct idxd_dma_chan *idxd_chan; + char name[WQ_NAME_SIZE + 1]; + u64 max_xfer_bytes; + u32 max_batch_size; +@@ -147,6 +155,11 @@ enum idxd_device_flag { + IDXD_FLAG_CMD_RUNNING, + }; + ++struct idxd_dma_dev { ++ struct idxd_device *idxd; ++ struct dma_device dma; ++}; ++ + struct idxd_device { + enum idxd_type type; + struct device conf_dev; +@@ -191,7 +204,7 @@ struct idxd_device { + int num_wq_irqs; + struct idxd_irq_entry *irq_entries; + +- struct dma_device dma_dev; ++ struct idxd_dma_dev *idxd_dma; + struct workqueue_struct *wq; + struct work_struct work; + }; +@@ -313,7 +326,6 @@ void idxd_unregister_dma_channel(struct idxd_wq *wq); + void idxd_parse_completion_status(u8 status, enum dmaengine_tx_result *res); + void idxd_dma_complete_txd(struct idxd_desc *desc, + enum idxd_complete_type comp_type); +-dma_cookie_t idxd_dma_tx_submit(struct dma_async_tx_descriptor *tx); + + /* cdev */ + int idxd_cdev_register(void); +-- +2.30.2 + diff --git a/queue-5.10/dmaengine-idxd-fix-potential-null-dereference-on-poi.patch b/queue-5.10/dmaengine-idxd-fix-potential-null-dereference-on-poi.patch new file mode 100644 index 00000000000..f2a6b1adb9e --- /dev/null +++ b/queue-5.10/dmaengine-idxd-fix-potential-null-dereference-on-poi.patch @@ -0,0 +1,44 @@ +From 2de38423c6a2a8911de6d68791612a17733ecc06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 12:06:54 +0100 +Subject: dmaengine: idxd: Fix potential null dereference on pointer status + +From: Colin Ian King + +[ Upstream commit 28ac8e03c43dfc6a703aa420d18222540b801120 ] + +There are calls to idxd_cmd_exec that pass a null status pointer however +a recent commit has added an assignment to *status that can end up +with a null pointer dereference. The function expects a null status +pointer sometimes as there is a later assignment to *status where +status is first null checked. Fix the issue by null checking status +before making the assignment. + +Addresses-Coverity: ("Explicit null dereferenced") +Fixes: 89e3becd8f82 ("dmaengine: idxd: check device state before issue command") +Signed-off-by: Colin Ian King +Acked-by: Dave Jiang +Link: https://lore.kernel.org/r/20210415110654.1941580-1-colin.king@canonical.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/device.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c +index 459e9fbc2253..f90fdf7aeeef 100644 +--- a/drivers/dma/idxd/device.c ++++ b/drivers/dma/idxd/device.c +@@ -378,7 +378,8 @@ static void idxd_cmd_exec(struct idxd_device *idxd, int cmd_code, u32 operand, + + if (idxd_device_is_halted(idxd)) { + dev_warn(&idxd->pdev->dev, "Device is HALTED!\n"); +- *status = IDXD_CMDSTS_HW_ERR; ++ if (status) ++ *status = IDXD_CMDSTS_HW_ERR; + return; + } + +-- +2.30.2 + diff --git a/queue-5.10/drm-amd-display-add-handling-for-hdcp2-rx-id-list-va.patch b/queue-5.10/drm-amd-display-add-handling-for-hdcp2-rx-id-list-va.patch new file mode 100644 index 00000000000..2679ce202b5 --- /dev/null +++ b/queue-5.10/drm-amd-display-add-handling-for-hdcp2-rx-id-list-va.patch @@ -0,0 +1,44 @@ +From fe0843c3a976be1f9f12011792690ac335732052 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jan 2021 18:05:50 -0500 +Subject: drm/amd/display: add handling for hdcp2 rx id list validation + +From: Dingchen (David) Zhang + +[ Upstream commit 4ccf9446b2a3615615045346c97f8a1e2a16568a ] + +[why] +the current implementation of hdcp2 rx id list validation does not +have handler/checker for invalid message status, e.g. HMAC, the V +parameter calculated from PSP not matching the V prime from Rx. + +[how] +return a generic FAILURE for any message status not SUCCESS or +REVOKED. + +Signed-off-by: Dingchen (David) Zhang +Reviewed-by: Bhawanpreet Lakha +Acked-by: Aurabindo Pillai +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c +index 3a367a5968ae..972f2600f967 100644 +--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c ++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c +@@ -789,6 +789,8 @@ enum mod_hdcp_status mod_hdcp_hdcp2_validate_rx_id_list(struct mod_hdcp *hdcp) + TA_HDCP2_MSG_AUTHENTICATION_STATUS__RECEIVERID_REVOKED) { + hdcp->connection.is_hdcp2_revoked = 1; + status = MOD_HDCP_STATUS_HDCP2_RX_ID_LIST_REVOKED; ++ } else { ++ status = MOD_HDCP_STATUS_HDCP2_VALIDATE_RX_ID_LIST_FAILURE; + } + } + mutex_unlock(&psp->hdcp_context.mutex); +-- +2.30.2 + diff --git a/queue-5.10/drm-amd-display-fixed-divide-by-zero-kernel-crash-du.patch b/queue-5.10/drm-amd-display-fixed-divide-by-zero-kernel-crash-du.patch new file mode 100644 index 00000000000..6fd96800fd1 --- /dev/null +++ b/queue-5.10/drm-amd-display-fixed-divide-by-zero-kernel-crash-du.patch @@ -0,0 +1,112 @@ +From a451f4fb9c4f3bf4acf58f92373a02459e14aaa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Dec 2020 19:14:48 -0500 +Subject: drm/amd/display: fixed divide by zero kernel crash during dsc + enablement + +From: Robin Singh + +[ Upstream commit 19cc1f3829567e7dca21c1389ea6407b8f5efab4 ] + +[why] +During dsc enable, a divide by zero condition triggered the +kernel crash. + +[how] +An IGT test, which enable the DSC, was crashing at the time of +restore the default dsc status, becaue of h_totals value +becoming 0. So add a check before divide condition. If h_total +is zero, gracefully ignore and set the default value. + +kernel panic log: + + [ 128.758827] divide error: 0000 [#1] PREEMPT SMP NOPTI + [ 128.762714] CPU: 5 PID: 4562 Comm: amd_dp_dsc Tainted: G W 5.4.19-android-x86_64 #1 + [ 128.769728] Hardware name: ADVANCED MICRO DEVICES, INC. Mauna/Mauna, BIOS WMN0B13N Nov 11 2020 + [ 128.777695] RIP: 0010:hubp2_vready_at_or_After_vsync+0x37/0x7a [amdgpu] + [ 128.785707] Code: 80 02 00 00 48 89 f3 48 8b 7f 08 b ...... + [ 128.805696] RSP: 0018:ffffad8f82d43628 EFLAGS: 00010246 + ...... + [ 128.857707] CR2: 00007106d8465000 CR3: 0000000426530000 CR4: 0000000000140ee0 + [ 128.865695] Call Trace: + [ 128.869712] hubp3_setup+0x1f/0x7f [amdgpu] + [ 128.873705] dcn20_update_dchubp_dpp+0xc8/0x54a [amdgpu] + [ 128.877706] dcn20_program_front_end_for_ctx+0x31d/0x463 [amdgpu] + [ 128.885706] dc_commit_state+0x3d2/0x658 [amdgpu] + [ 128.889707] amdgpu_dm_atomic_commit_tail+0x4b3/0x1e7c [amdgpu] + [ 128.897699] ? dm_read_reg_func+0x41/0xb5 [amdgpu] + [ 128.901707] ? dm_read_reg_func+0x41/0xb5 [amdgpu] + [ 128.905706] ? __is_insn_slot_addr+0x43/0x48 + [ 128.909706] ? fill_plane_buffer_attributes+0x29e/0x3dc [amdgpu] + [ 128.917705] ? dm_plane_helper_prepare_fb+0x255/0x284 [amdgpu] + [ 128.921700] ? usleep_range+0x7c/0x7c + [ 128.925705] ? preempt_count_sub+0xf/0x18 + [ 128.929706] ? _raw_spin_unlock_irq+0x13/0x24 + [ 128.933732] ? __wait_for_common+0x11e/0x18f + [ 128.937705] ? _raw_spin_unlock_irq+0x13/0x24 + [ 128.941706] ? __wait_for_common+0x11e/0x18f + [ 128.945705] commit_tail+0x8b/0xd2 [drm_kms_helper] + [ 128.949707] drm_atomic_helper_commit+0xd8/0xf5 [drm_kms_helper] + [ 128.957706] amdgpu_dm_atomic_commit+0x337/0x360 [amdgpu] + [ 128.961705] ? drm_atomic_check_only+0x543/0x68d [drm] + [ 128.969705] ? drm_atomic_set_property+0x760/0x7af [drm] + [ 128.973704] ? drm_mode_atomic_ioctl+0x6f3/0x85a [drm] + [ 128.977705] drm_mode_atomic_ioctl+0x6f3/0x85a [drm] + [ 128.985705] ? drm_atomic_set_property+0x7af/0x7af [drm] + [ 128.989706] drm_ioctl_kernel+0x82/0xda [drm] + [ 128.993706] drm_ioctl+0x225/0x319 [drm] + [ 128.997707] ? drm_atomic_set_property+0x7af/0x7af [drm] + [ 129.001706] ? preempt_count_sub+0xf/0x18 + [ 129.005713] amdgpu_drm_ioctl+0x4b/0x76 [amdgpu] + [ 129.009705] vfs_ioctl+0x1d/0x2a + [ 129.013705] do_vfs_ioctl+0x419/0x43d + [ 129.017707] ksys_ioctl+0x52/0x71 + [ 129.021707] __x64_sys_ioctl+0x16/0x19 + [ 129.025706] do_syscall_64+0x78/0x85 + [ 129.029705] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Signed-off-by: Robin Singh +Reviewed-by: Harry Wentland +Reviewed-by: Robin Singh +Acked-by: Aurabindo Pillai +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c +index 368818d2dfc6..cd9bd71da4b7 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2012-17 Advanced Micro Devices, Inc. ++ * Copyright 2012-2021 Advanced Micro Devices, Inc. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), +@@ -181,11 +181,14 @@ void hubp2_vready_at_or_After_vsync(struct hubp *hubp, + else + Set HUBP_VREADY_AT_OR_AFTER_VSYNC = 0 + */ +- if ((pipe_dest->vstartup_start - (pipe_dest->vready_offset+pipe_dest->vupdate_width +- + pipe_dest->vupdate_offset) / pipe_dest->htotal) <= pipe_dest->vblank_end) { +- value = 1; +- } else +- value = 0; ++ if (pipe_dest->htotal != 0) { ++ if ((pipe_dest->vstartup_start - (pipe_dest->vready_offset+pipe_dest->vupdate_width ++ + pipe_dest->vupdate_offset) / pipe_dest->htotal) <= pipe_dest->vblank_end) { ++ value = 1; ++ } else ++ value = 0; ++ } ++ + REG_UPDATE(DCHUBP_CNTL, HUBP_VREADY_AT_OR_AFTER_VSYNC, value); + } + +-- +2.30.2 + diff --git a/queue-5.10/drm-amd-display-force-vsync-flip-when-reconfiguring-.patch b/queue-5.10/drm-amd-display-force-vsync-flip-when-reconfiguring-.patch new file mode 100644 index 00000000000..37b0c2e04a9 --- /dev/null +++ b/queue-5.10/drm-amd-display-force-vsync-flip-when-reconfiguring-.patch @@ -0,0 +1,45 @@ +From c62d92df25828b5d706f3b4981f3c2794bf57f9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Mar 2021 11:03:35 -0400 +Subject: drm/amd/display: Force vsync flip when reconfiguring MPCC + +From: Anthony Wang + +[ Upstream commit 56d63782af9bbd1271bff1422a6a013123eade4d ] + +[Why] +Underflow observed when disabling PIP overlay in-game when +vsync is disabled, due to OTC master lock not working with +game pipe which is immediate flip. + +[How] +When performing a full update, override flip_immediate value +to false for all planes, so that flip occurs on vsync. + +Signed-off-by: Anthony Wang +Acked-by: Bindu Ramamurthy +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 921c4ca6e902..284ed1c8a35a 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -2504,6 +2504,10 @@ static void commit_planes_for_stream(struct dc *dc, + plane_state->triplebuffer_flips = true; + } + } ++ if (update_type == UPDATE_TYPE_FULL) { ++ /* force vsync flip when reconfiguring pipes to prevent underflow */ ++ plane_state->flip_immediate = false; ++ } + } + } + +-- +2.30.2 + diff --git a/queue-5.10/drm-amdgpu-add-mem-sync-flag-for-ib-allocated-by-sa.patch b/queue-5.10/drm-amdgpu-add-mem-sync-flag-for-ib-allocated-by-sa.patch new file mode 100644 index 00000000000..436a74b5807 --- /dev/null +++ b/queue-5.10/drm-amdgpu-add-mem-sync-flag-for-ib-allocated-by-sa.patch @@ -0,0 +1,40 @@ +From 0bb0a8dcae595880b4e416c48bc274052db5e240 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Apr 2021 16:17:14 +0800 +Subject: drm/amdgpu: Add mem sync flag for IB allocated by SA +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jinzhou Su + +[ Upstream commit 5c88e3b86a88f14efa0a3ddd28641c6ff49fb9c4 ] + +The buffer of SA bo will be used by many cases. So it's better +to invalidate the cache of indirect buffer allocated by SA before +commit the IB. + +Signed-off-by: Jinzhou Su +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c +index 2f53fa0ae9a6..28f20f0b722f 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c +@@ -75,6 +75,8 @@ int amdgpu_ib_get(struct amdgpu_device *adev, struct amdgpu_vm *vm, + } + + ib->ptr = amdgpu_sa_bo_cpu_addr(ib->sa_bo); ++ /* flush the cache before commit the IB */ ++ ib->flags = AMDGPU_IB_FLAG_EMIT_MEM_SYNC; + + if (!vm) + ib->gpu_addr = amdgpu_sa_bo_gpu_addr(ib->sa_bo); +-- +2.30.2 + diff --git a/queue-5.10/drm-radeon-avoid-power-table-parsing-memory-leaks.patch b/queue-5.10/drm-radeon-avoid-power-table-parsing-memory-leaks.patch new file mode 100644 index 00000000000..1da1632845f --- /dev/null +++ b/queue-5.10/drm-radeon-avoid-power-table-parsing-memory-leaks.patch @@ -0,0 +1,64 @@ +From d59ea63b66195a4cbb4c3a4f806cd78824e706ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 May 2021 22:06:08 -0700 +Subject: drm/radeon: Avoid power table parsing memory leaks + +From: Kees Cook + +[ Upstream commit c69f27137a38d24301a6b659454a91ad85dff4aa ] + +Avoid leaving a hanging pre-allocated clock_info if last mode is +invalid, and avoid heap corruption if no valid modes are found. + +Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211537 +Fixes: 6991b8f2a319 ("drm/radeon/kms: fix segfault in pm rework") +Signed-off-by: Kees Cook +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_atombios.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c +index 96e80b0eca04..aca6e5cfae53 100644 +--- a/drivers/gpu/drm/radeon/radeon_atombios.c ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c +@@ -2126,11 +2126,14 @@ static int radeon_atombios_parse_power_table_1_3(struct radeon_device *rdev) + return state_index; + /* last mode is usually default, array is low to high */ + for (i = 0; i < num_modes; i++) { +- rdev->pm.power_state[state_index].clock_info = +- kcalloc(1, sizeof(struct radeon_pm_clock_info), +- GFP_KERNEL); ++ /* avoid memory leaks from invalid modes or unknown frev. */ ++ if (!rdev->pm.power_state[state_index].clock_info) { ++ rdev->pm.power_state[state_index].clock_info = ++ kzalloc(sizeof(struct radeon_pm_clock_info), ++ GFP_KERNEL); ++ } + if (!rdev->pm.power_state[state_index].clock_info) +- return state_index; ++ goto out; + rdev->pm.power_state[state_index].num_clock_modes = 1; + rdev->pm.power_state[state_index].clock_info[0].voltage.type = VOLTAGE_NONE; + switch (frev) { +@@ -2249,8 +2252,15 @@ static int radeon_atombios_parse_power_table_1_3(struct radeon_device *rdev) + break; + } + } ++out: ++ /* free any unused clock_info allocation. */ ++ if (state_index && state_index < num_modes) { ++ kfree(rdev->pm.power_state[state_index].clock_info); ++ rdev->pm.power_state[state_index].clock_info = NULL; ++ } ++ + /* last mode is usually default */ +- if (rdev->pm.default_power_state_index == -1) { ++ if (state_index && rdev->pm.default_power_state_index == -1) { + rdev->pm.power_state[state_index - 1].type = + POWER_STATE_TYPE_DEFAULT; + rdev->pm.default_power_state_index = state_index - 1; +-- +2.30.2 + diff --git a/queue-5.10/drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch b/queue-5.10/drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch new file mode 100644 index 00000000000..2a6dbe3d448 --- /dev/null +++ b/queue-5.10/drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch @@ -0,0 +1,119 @@ +From 41299807cd9a42a6ab7f514d292b05d6f47de7e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 May 2021 22:06:07 -0700 +Subject: drm/radeon: Fix off-by-one power_state index heap overwrite + +From: Kees Cook + +[ Upstream commit 5bbf219328849e83878bddb7c226d8d42e84affc ] + +An out of bounds write happens when setting the default power state. +KASAN sees this as: + +[drm] radeon: 512M of GTT memory ready. +[drm] GART: num cpu pages 131072, num gpu pages 131072 +================================================================== +BUG: KASAN: slab-out-of-bounds in +radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon] +Write of size 4 at addr ffff88810178d858 by task systemd-udevd/157 + +CPU: 0 PID: 157 Comm: systemd-udevd Not tainted 5.12.0-E620 #50 +Hardware name: eMachines eMachines E620 /Nile , BIOS V1.03 09/30/2008 +Call Trace: + dump_stack+0xa5/0xe6 + print_address_description.constprop.0+0x18/0x239 + kasan_report+0x170/0x1a8 + radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon] + radeon_atombios_get_power_modes+0x144/0x1888 [radeon] + radeon_pm_init+0x1019/0x1904 [radeon] + rs690_init+0x76e/0x84a [radeon] + radeon_device_init+0x1c1a/0x21e5 [radeon] + radeon_driver_load_kms+0xf5/0x30b [radeon] + drm_dev_register+0x255/0x4a0 [drm] + radeon_pci_probe+0x246/0x2f6 [radeon] + pci_device_probe+0x1aa/0x294 + really_probe+0x30e/0x850 + driver_probe_device+0xe6/0x135 + device_driver_attach+0xc1/0xf8 + __driver_attach+0x13f/0x146 + bus_for_each_dev+0xfa/0x146 + bus_add_driver+0x2b3/0x447 + driver_register+0x242/0x2c1 + do_one_initcall+0x149/0x2fd + do_init_module+0x1ae/0x573 + load_module+0x4dee/0x5cca + __do_sys_finit_module+0xf1/0x140 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Without KASAN, this will manifest later when the kernel attempts to +allocate memory that was stomped, since it collides with the inline slab +freelist pointer: + +invalid opcode: 0000 [#1] SMP NOPTI +CPU: 0 PID: 781 Comm: openrc-run.sh Tainted: G W 5.10.12-gentoo-E620 #2 +Hardware name: eMachines eMachines E620 /Nile , BIOS V1.03 09/30/2008 +RIP: 0010:kfree+0x115/0x230 +Code: 89 c5 e8 75 ea ff ff 48 8b 00 0f ba e0 09 72 63 e8 1f f4 ff ff 41 89 c4 48 8b 45 00 0f ba e0 10 72 0a 48 8b 45 08 a8 01 75 02 <0f> 0b 44 89 e1 48 c7 c2 00 f0 ff ff be 06 00 00 00 48 d3 e2 48 c7 +RSP: 0018:ffffb42f40267e10 EFLAGS: 00010246 +RAX: ffffd61280ee8d88 RBX: 0000000000000004 RCX: 000000008010000d +RDX: 4000000000000000 RSI: ffffffffba1360b0 RDI: ffffd61280ee8d80 +RBP: ffffd61280ee8d80 R08: ffffffffb91bebdf R09: 0000000000000000 +R10: ffff8fe2c1047ac8 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000100 +FS: 00007fe80eff6b68(0000) GS:ffff8fe339c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fe80eec7bc0 CR3: 0000000038012000 CR4: 00000000000006f0 +Call Trace: + __free_fdtable+0x16/0x1f + put_files_struct+0x81/0x9b + do_exit+0x433/0x94d + do_group_exit+0xa6/0xa6 + __x64_sys_exit_group+0xf/0xf + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7fe80ef64bea +Code: Unable to access opcode bytes at RIP 0x7fe80ef64bc0. +RSP: 002b:00007ffdb1c47528 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe80ef64bea +RDX: 00007fe80ef64f60 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 +R10: 00007fe80ee2c620 R11: 0000000000000246 R12: 00007fe80eff41e0 +R13: 00000000ffffffff R14: 0000000000000024 R15: 00007fe80edf9cd0 +Modules linked in: radeon(+) ath5k(+) snd_hda_codec_realtek ... + +Use a valid power_state index when initializing the "flags" and "misc" +and "misc2" fields. + +Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211537 +Reported-by: Erhard F. +Fixes: a48b9b4edb8b ("drm/radeon/kms/pm: add asic specific callbacks for getting power state (v2)") +Fixes: 79daedc94281 ("drm/radeon/kms: minor pm cleanups") +Signed-off-by: Kees Cook +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_atombios.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c +index 5d2591725189..96e80b0eca04 100644 +--- a/drivers/gpu/drm/radeon/radeon_atombios.c ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c +@@ -2256,10 +2256,10 @@ static int radeon_atombios_parse_power_table_1_3(struct radeon_device *rdev) + rdev->pm.default_power_state_index = state_index - 1; + rdev->pm.power_state[state_index - 1].default_clock_mode = + &rdev->pm.power_state[state_index - 1].clock_info[0]; +- rdev->pm.power_state[state_index].flags &= ++ rdev->pm.power_state[state_index - 1].flags &= + ~RADEON_PM_STATE_SINGLE_DISPLAY_ONLY; +- rdev->pm.power_state[state_index].misc = 0; +- rdev->pm.power_state[state_index].misc2 = 0; ++ rdev->pm.power_state[state_index - 1].misc = 0; ++ rdev->pm.power_state[state_index - 1].misc2 = 0; + } + return state_index; + } +-- +2.30.2 + diff --git a/queue-5.10/ethernet-enic-fix-a-use-after-free-bug-in-enic_hard_.patch b/queue-5.10/ethernet-enic-fix-a-use-after-free-bug-in-enic_hard_.patch new file mode 100644 index 00000000000..cb8912ccf14 --- /dev/null +++ b/queue-5.10/ethernet-enic-fix-a-use-after-free-bug-in-enic_hard_.patch @@ -0,0 +1,69 @@ +From cdb87cbbf063744794de130ce9018981ab0b7ffe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 May 2021 04:58:18 -0700 +Subject: ethernet:enic: Fix a use after free bug in enic_hard_start_xmit + +From: Lv Yunlong + +[ Upstream commit 643001b47adc844ae33510c4bb93c236667008a3 ] + +In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside +enic_queue_wq_skb, if some error happens, the skb will be freed +by dev_kfree_skb(skb). But the freed skb is still used in +skb_tx_timestamp(skb). + +My patch makes enic_queue_wq_skb() return error and goto spin_unlock() +incase of error. The solution is provided by Govind. +See https://lkml.org/lkml/2021/4/30/961. + +Fixes: fb7516d42478e ("enic: add sw timestamp support") +Signed-off-by: Lv Yunlong +Acked-by: Govindarajulu Varadarajan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index fb269d587b74..548d8095c0a7 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -768,7 +768,7 @@ static inline int enic_queue_wq_skb_encap(struct enic *enic, struct vnic_wq *wq, + return err; + } + +-static inline void enic_queue_wq_skb(struct enic *enic, ++static inline int enic_queue_wq_skb(struct enic *enic, + struct vnic_wq *wq, struct sk_buff *skb) + { + unsigned int mss = skb_shinfo(skb)->gso_size; +@@ -814,6 +814,7 @@ static inline void enic_queue_wq_skb(struct enic *enic, + wq->to_use = buf->next; + dev_kfree_skb(skb); + } ++ return err; + } + + /* netif_tx_lock held, process context with BHs disabled, or BH */ +@@ -857,7 +858,8 @@ static netdev_tx_t enic_hard_start_xmit(struct sk_buff *skb, + return NETDEV_TX_BUSY; + } + +- enic_queue_wq_skb(enic, wq, skb); ++ if (enic_queue_wq_skb(enic, wq, skb)) ++ goto error; + + if (vnic_wq_desc_avail(wq) < MAX_SKB_FRAGS + ENIC_DESC_MAX_SPLITS) + netif_tx_stop_queue(txq); +@@ -865,6 +867,7 @@ static netdev_tx_t enic_hard_start_xmit(struct sk_buff *skb, + if (!netdev_xmit_more() || netif_xmit_stopped(txq)) + vnic_wq_doorbell(wq); + ++error: + spin_unlock(&enic->wq_lock[txq_map]); + + return NETDEV_TX_OK; +-- +2.30.2 + diff --git a/queue-5.10/ethtool-fix-missing-nlm_f_multi-flag-when-dumping.patch b/queue-5.10/ethtool-fix-missing-nlm_f_multi-flag-when-dumping.patch new file mode 100644 index 00000000000..29fa2733e42 --- /dev/null +++ b/queue-5.10/ethtool-fix-missing-nlm_f_multi-flag-when-dumping.patch @@ -0,0 +1,39 @@ +From a83e93f356dd8d9f7945b26a36295ecf9da7e0a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 May 2021 00:47:14 +0200 +Subject: ethtool: fix missing NLM_F_MULTI flag when dumping + +From: Fernando Fernandez Mancera + +[ Upstream commit cf754ae331be7cc192b951756a1dd031e9ed978a ] + +When dumping the ethtool information from all the interfaces, the +netlink reply should contain the NLM_F_MULTI flag. This flag allows +userspace tools to identify that multiple messages are expected. + +Link: https://bugzilla.redhat.com/1953847 +Fixes: 365f9ae4ee36 ("ethtool: fix genlmsg_put() failure handling in ethnl_default_dumpit()") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ethtool/netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ethtool/netlink.c b/net/ethtool/netlink.c +index 50d3c8896f91..25a55086d2b6 100644 +--- a/net/ethtool/netlink.c ++++ b/net/ethtool/netlink.c +@@ -384,7 +384,8 @@ static int ethnl_default_dump_one(struct sk_buff *skb, struct net_device *dev, + int ret; + + ehdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq, +- ðtool_genl_family, 0, ctx->ops->reply_cmd); ++ ðtool_genl_family, NLM_F_MULTI, ++ ctx->ops->reply_cmd); + if (!ehdr) + return -EMSGSIZE; + +-- +2.30.2 + diff --git a/queue-5.10/ethtool-ioctl-fix-out-of-bounds-warning-in-store_lin.patch b/queue-5.10/ethtool-ioctl-fix-out-of-bounds-warning-in-store_lin.patch new file mode 100644 index 00000000000..56ffe58eabe --- /dev/null +++ b/queue-5.10/ethtool-ioctl-fix-out-of-bounds-warning-in-store_lin.patch @@ -0,0 +1,50 @@ +From d2a7352d679b38e1e1747034829be5444c210d0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Apr 2021 15:15:40 -0500 +Subject: ethtool: ioctl: Fix out-of-bounds warning in + store_link_ksettings_for_user() + +From: Gustavo A. R. Silva + +[ Upstream commit c1d9e34e11281a8ba1a1c54e4db554232a461488 ] + +Fix the following out-of-bounds warning: + +net/ethtool/ioctl.c:492:2: warning: 'memcpy' offset [49, 84] from the object at 'link_usettings' is out of the bounds of referenced subobject 'base' with type 'struct ethtool_link_settings' at offset 0 [-Warray-bounds] + +The problem is that the original code is trying to copy data into a +some struct members adjacent to each other in a single call to +memcpy(). This causes a legitimate compiler warning because memcpy() +overruns the length of &link_usettings.base. Fix this by directly +using &link_usettings and _from_ as destination and source addresses, +instead. + +This helps with the ongoing efforts to globally enable -Warray-bounds +and get us closer to being able to tighten the FORTIFY_SOURCE routines +on memcpy(). + +Link: https://github.com/KSPP/linux/issues/109 +Reported-by: kernel test robot +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ethtool/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c +index ec2cd7aab5ad..2917af3f5ac1 100644 +--- a/net/ethtool/ioctl.c ++++ b/net/ethtool/ioctl.c +@@ -489,7 +489,7 @@ store_link_ksettings_for_user(void __user *to, + { + struct ethtool_link_usettings link_usettings; + +- memcpy(&link_usettings.base, &from->base, sizeof(link_usettings)); ++ memcpy(&link_usettings, from, sizeof(link_usettings)); + bitmap_to_arr32(link_usettings.link_modes.supported, + from->link_modes.supported, + __ETHTOOL_LINK_MODE_MASK_NBITS); +-- +2.30.2 + diff --git a/queue-5.10/f2fs-avoid-unneeded-data-copy-in-f2fs_ioc_move_range.patch b/queue-5.10/f2fs-avoid-unneeded-data-copy-in-f2fs_ioc_move_range.patch new file mode 100644 index 00000000000..c143574c26d --- /dev/null +++ b/queue-5.10/f2fs-avoid-unneeded-data-copy-in-f2fs_ioc_move_range.patch @@ -0,0 +1,40 @@ +From 770ef1614992538e703bcd99000204be8338aa9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Nov 2020 09:24:36 +0800 +Subject: f2fs: avoid unneeded data copy in f2fs_ioc_move_range() + +From: Chao Yu + +[ Upstream commit 3a1b9eaf727b4ab84ebf059e09c38fc6a53e5614 ] + +Fields in struct f2fs_move_range won't change in f2fs_ioc_move_range(), +let's avoid copying this structure's data to userspace. + +Signed-off-by: Chao Yu +Reviewed-by: Eric Biggers +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/file.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 9f857e5709b6..5c74b2997197 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2913,12 +2913,6 @@ static int __f2fs_ioc_move_range(struct file *filp, + range->pos_out, range->len); + + mnt_drop_write_file(filp); +- if (err) +- goto err_out; +- +- if (copy_to_user((struct f2fs_move_range __user *)arg, +- &range, sizeof(range))) +- err = -EFAULT; + err_out: + fdput(dst); + return err; +-- +2.30.2 + diff --git a/queue-5.10/f2fs-fix-a-hungtask-problem-in-atomic-write.patch b/queue-5.10/f2fs-fix-a-hungtask-problem-in-atomic-write.patch new file mode 100644 index 00000000000..ddfb8764522 --- /dev/null +++ b/queue-5.10/f2fs-fix-a-hungtask-problem-in-atomic-write.patch @@ -0,0 +1,114 @@ +From e47fc1966684d3d16f3d0f50d31bfd17757cbc5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Mar 2021 17:34:14 +0800 +Subject: f2fs: Fix a hungtask problem in atomic write +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yi Zhuang + +[ Upstream commit be1ee45d51384161681ecf21085a42d316ae25f7 ] + +In the cache writing process, if it is an atomic file, increase the page +count of F2FS_WB_CP_DATA, otherwise increase the page count of +F2FS_WB_DATA. + +When you step into the hook branch due to insufficient memory in +f2fs_write_begin, f2fs_drop_inmem_pages_all will be called to traverse +all atomic inodes and clear the FI_ATOMIC_FILE mark of all atomic files. + +In f2fs_drop_inmem_pages,first acquire the inmem_lock , revoke all the +inmem_pages, and then clear the FI_ATOMIC_FILE mark. Before this mark is +cleared, other threads may hold inmem_lock to add inmem_pages to the inode +that has just been emptied inmem_pages, and increase the page count of +F2FS_WB_CP_DATA. + +When the IO returns, it is found that the FI_ATOMIC_FILE flag is cleared +by f2fs_drop_inmem_pages_all, and f2fs_is_atomic_file returns false,which +causes the page count of F2FS_WB_DATA to be decremented. The page count of +F2FS_WB_CP_DATA cannot be cleared. Finally, hungtask is triggered in +f2fs_wait_on_all_pages because get_pages will never return zero. + +process A: process B: +f2fs_drop_inmem_pages_all +->f2fs_drop_inmem_pages of inode#1 + ->mutex_lock(&fi->inmem_lock) + ->__revoke_inmem_pages of inode#1 f2fs_ioc_commit_atomic_write + ->mutex_unlock(&fi->inmem_lock) ->f2fs_commit_inmem_pages of inode#1 + ->mutex_lock(&fi->inmem_lock) + ->__f2fs_commit_inmem_pages + ->f2fs_do_write_data_page + ->f2fs_outplace_write_data + ->do_write_page + ->f2fs_submit_page_write + ->inc_page_count(sbi, F2FS_WB_CP_DATA ) + ->mutex_unlock(&fi->inmem_lock) + ->spin_lock(&sbi->inode_lock[ATOMIC_FILE]); + ->clear_inode_flag(inode, FI_ATOMIC_FILE) + ->spin_unlock(&sbi->inode_lock[ATOMIC_FILE]) + f2fs_write_end_io + ->dec_page_count(sbi, F2FS_WB_DATA ); + +We can fix the problem by putting the action of clearing the FI_ATOMIC_FILE +mark into the inmem_lock lock. This operation can ensure that no one will +submit the inmem pages before the FI_ATOMIC_FILE mark is cleared, so that +there will be no atomic writes waiting for writeback. + +Fixes: 57864ae5ce3a ("f2fs: limit # of inmemory pages") +Signed-off-by: Yi Zhuang +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.c | 30 +++++++++++++++++------------- + 1 file changed, 17 insertions(+), 13 deletions(-) + +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index ddfc3daebe9b..1c264fd5a0dd 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -327,23 +327,27 @@ void f2fs_drop_inmem_pages(struct inode *inode) + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + struct f2fs_inode_info *fi = F2FS_I(inode); + +- while (!list_empty(&fi->inmem_pages)) { ++ do { + mutex_lock(&fi->inmem_lock); ++ if (list_empty(&fi->inmem_pages)) { ++ fi->i_gc_failures[GC_FAILURE_ATOMIC] = 0; ++ ++ spin_lock(&sbi->inode_lock[ATOMIC_FILE]); ++ if (!list_empty(&fi->inmem_ilist)) ++ list_del_init(&fi->inmem_ilist); ++ if (f2fs_is_atomic_file(inode)) { ++ clear_inode_flag(inode, FI_ATOMIC_FILE); ++ sbi->atomic_files--; ++ } ++ spin_unlock(&sbi->inode_lock[ATOMIC_FILE]); ++ ++ mutex_unlock(&fi->inmem_lock); ++ break; ++ } + __revoke_inmem_pages(inode, &fi->inmem_pages, + true, false, true); + mutex_unlock(&fi->inmem_lock); +- } +- +- fi->i_gc_failures[GC_FAILURE_ATOMIC] = 0; +- +- spin_lock(&sbi->inode_lock[ATOMIC_FILE]); +- if (!list_empty(&fi->inmem_ilist)) +- list_del_init(&fi->inmem_ilist); +- if (f2fs_is_atomic_file(inode)) { +- clear_inode_flag(inode, FI_ATOMIC_FILE); +- sbi->atomic_files--; +- } +- spin_unlock(&sbi->inode_lock[ATOMIC_FILE]); ++ } while (1); + } + + void f2fs_drop_inmem_page(struct inode *inode, struct page *page) +-- +2.30.2 + diff --git a/queue-5.10/f2fs-fix-a-redundant-call-to-f2fs_balance_fs-if-an-e.patch b/queue-5.10/f2fs-fix-a-redundant-call-to-f2fs_balance_fs-if-an-e.patch new file mode 100644 index 00000000000..3a454826cf2 --- /dev/null +++ b/queue-5.10/f2fs-fix-a-redundant-call-to-f2fs_balance_fs-if-an-e.patch @@ -0,0 +1,45 @@ +From 2b6354a22b8902121ce3b24d6b3c6fd9af0c02ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Mar 2021 09:21:18 +0000 +Subject: f2fs: fix a redundant call to f2fs_balance_fs if an error occurs + +From: Colin Ian King + +[ Upstream commit 28e18ee636ba28532dbe425540af06245a0bbecb ] + +The uninitialized variable dn.node_changed does not get set when a +call to f2fs_get_node_page fails. This uninitialized value gets used +in the call to f2fs_balance_fs() that may or not may not balances +dirty node and dentry pages depending on the uninitialized state of +the variable. Fix this by only calling f2fs_balance_fs if err is +not set. + +Thanks to Jaegeuk Kim for suggesting an appropriate fix. + +Addresses-Coverity: ("Uninitialized scalar variable") +Fixes: 2a3407607028 ("f2fs: call f2fs_balance_fs only when node was changed") +Signed-off-by: Colin Ian King +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/inline.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c +index b9e37f0b3e09..1d7dafdaffe3 100644 +--- a/fs/f2fs/inline.c ++++ b/fs/f2fs/inline.c +@@ -218,7 +218,8 @@ out: + + f2fs_put_page(page, 1); + +- f2fs_balance_fs(sbi, dn.node_changed); ++ if (!err) ++ f2fs_balance_fs(sbi, dn.node_changed); + + return err; + } +-- +2.30.2 + diff --git a/queue-5.10/f2fs-fix-compat-f2fs_ioc_-move-garbage_collect-_rang.patch b/queue-5.10/f2fs-fix-compat-f2fs_ioc_-move-garbage_collect-_rang.patch new file mode 100644 index 00000000000..27138f3a335 --- /dev/null +++ b/queue-5.10/f2fs-fix-compat-f2fs_ioc_-move-garbage_collect-_rang.patch @@ -0,0 +1,295 @@ +From d27ceebfd8ea029a1bb0ad50faf5ffa62002cb05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Nov 2020 09:24:37 +0800 +Subject: f2fs: fix compat F2FS_IOC_{MOVE,GARBAGE_COLLECT}_RANGE + +From: Chao Yu + +[ Upstream commit 34178b1bc4b5c936eab3adb4835578093095a571 ] + +Eric reported a ioctl bug in below link: + +https://lore.kernel.org/linux-f2fs-devel/20201103032234.GB2875@sol.localdomain/ + +That said, on some 32-bit architectures, u64 has only 32-bit alignment, +notably i386 and x86_32, so that size of struct f2fs_gc_range compiled +in x86_32 is 20 bytes, however the size in x86_64 is 24 bytes, binary +compiled in x86_32 can not call F2FS_IOC_GARBAGE_COLLECT_RANGE successfully +due to mismatched value of ioctl command in between binary and f2fs +module, similarly, F2FS_IOC_MOVE_RANGE will fail too. + +In this patch we introduce two ioctls for compatibility of above special +32-bit binary: +- F2FS_IOC32_GARBAGE_COLLECT_RANGE +- F2FS_IOC32_MOVE_RANGE + +Reported-by: Eric Biggers +Signed-off-by: Chao Yu +Reviewed-by: Eric Biggers +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/file.c | 137 +++++++++++++++++++++++++++++++++++++------------ + 1 file changed, 104 insertions(+), 33 deletions(-) + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 28f0bde38806..6850fb2081c8 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2496,26 +2496,19 @@ out: + return ret; + } + +-static int f2fs_ioc_gc_range(struct file *filp, unsigned long arg) ++static int __f2fs_ioc_gc_range(struct file *filp, struct f2fs_gc_range *range) + { +- struct inode *inode = file_inode(filp); +- struct f2fs_sb_info *sbi = F2FS_I_SB(inode); +- struct f2fs_gc_range range; ++ struct f2fs_sb_info *sbi = F2FS_I_SB(file_inode(filp)); + u64 end; + int ret; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; +- +- if (copy_from_user(&range, (struct f2fs_gc_range __user *)arg, +- sizeof(range))) +- return -EFAULT; +- + if (f2fs_readonly(sbi->sb)) + return -EROFS; + +- end = range.start + range.len; +- if (end < range.start || range.start < MAIN_BLKADDR(sbi) || ++ end = range->start + range->len; ++ if (end < range->start || range->start < MAIN_BLKADDR(sbi) || + end >= MAX_BLKADDR(sbi)) + return -EINVAL; + +@@ -2524,7 +2517,7 @@ static int f2fs_ioc_gc_range(struct file *filp, unsigned long arg) + return ret; + + do_more: +- if (!range.sync) { ++ if (!range->sync) { + if (!down_write_trylock(&sbi->gc_lock)) { + ret = -EBUSY; + goto out; +@@ -2533,20 +2526,30 @@ do_more: + down_write(&sbi->gc_lock); + } + +- ret = f2fs_gc(sbi, range.sync, true, GET_SEGNO(sbi, range.start)); ++ ret = f2fs_gc(sbi, range->sync, true, GET_SEGNO(sbi, range->start)); + if (ret) { + if (ret == -EBUSY) + ret = -EAGAIN; + goto out; + } +- range.start += BLKS_PER_SEC(sbi); +- if (range.start <= end) ++ range->start += BLKS_PER_SEC(sbi); ++ if (range->start <= end) + goto do_more; + out: + mnt_drop_write_file(filp); + return ret; + } + ++static int f2fs_ioc_gc_range(struct file *filp, unsigned long arg) ++{ ++ struct f2fs_gc_range range; ++ ++ if (copy_from_user(&range, (struct f2fs_gc_range __user *)arg, ++ sizeof(range))) ++ return -EFAULT; ++ return __f2fs_ioc_gc_range(filp, &range); ++} ++ + static int f2fs_ioc_write_checkpoint(struct file *filp, unsigned long arg) + { + struct inode *inode = file_inode(filp); +@@ -2883,9 +2886,9 @@ out: + return ret; + } + +-static int f2fs_ioc_move_range(struct file *filp, unsigned long arg) ++static int __f2fs_ioc_move_range(struct file *filp, ++ struct f2fs_move_range *range) + { +- struct f2fs_move_range range; + struct fd dst; + int err; + +@@ -2893,11 +2896,7 @@ static int f2fs_ioc_move_range(struct file *filp, unsigned long arg) + !(filp->f_mode & FMODE_WRITE)) + return -EBADF; + +- if (copy_from_user(&range, (struct f2fs_move_range __user *)arg, +- sizeof(range))) +- return -EFAULT; +- +- dst = fdget(range.dst_fd); ++ dst = fdget(range->dst_fd); + if (!dst.file) + return -EBADF; + +@@ -2910,8 +2909,8 @@ static int f2fs_ioc_move_range(struct file *filp, unsigned long arg) + if (err) + goto err_out; + +- err = f2fs_move_file_range(filp, range.pos_in, dst.file, +- range.pos_out, range.len); ++ err = f2fs_move_file_range(filp, range->pos_in, dst.file, ++ range->pos_out, range->len); + + mnt_drop_write_file(filp); + if (err) +@@ -2925,6 +2924,16 @@ err_out: + return err; + } + ++static int f2fs_ioc_move_range(struct file *filp, unsigned long arg) ++{ ++ struct f2fs_move_range range; ++ ++ if (copy_from_user(&range, (struct f2fs_move_range __user *)arg, ++ sizeof(range))) ++ return -EFAULT; ++ return __f2fs_ioc_move_range(filp, &range); ++} ++ + static int f2fs_ioc_flush_device(struct file *filp, unsigned long arg) + { + struct inode *inode = file_inode(filp); +@@ -3961,13 +3970,8 @@ err: + return ret; + } + +-long f2fs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) ++static long __f2fs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + { +- if (unlikely(f2fs_cp_error(F2FS_I_SB(file_inode(filp))))) +- return -EIO; +- if (!f2fs_is_checkpoint_ready(F2FS_I_SB(file_inode(filp)))) +- return -ENOSPC; +- + switch (cmd) { + case FS_IOC_GETFLAGS: + return f2fs_ioc_getflags(filp, arg); +@@ -4054,6 +4058,16 @@ long f2fs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + } + } + ++long f2fs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) ++{ ++ if (unlikely(f2fs_cp_error(F2FS_I_SB(file_inode(filp))))) ++ return -EIO; ++ if (!f2fs_is_checkpoint_ready(F2FS_I_SB(file_inode(filp)))) ++ return -ENOSPC; ++ ++ return __f2fs_ioctl(filp, cmd, arg); ++} ++ + static ssize_t f2fs_file_read_iter(struct kiocb *iocb, struct iov_iter *iter) + { + struct file *file = iocb->ki_filp; +@@ -4176,8 +4190,63 @@ out: + } + + #ifdef CONFIG_COMPAT ++struct compat_f2fs_gc_range { ++ u32 sync; ++ compat_u64 start; ++ compat_u64 len; ++}; ++#define F2FS_IOC32_GARBAGE_COLLECT_RANGE _IOW(F2FS_IOCTL_MAGIC, 11,\ ++ struct compat_f2fs_gc_range) ++ ++static int f2fs_compat_ioc_gc_range(struct file *file, unsigned long arg) ++{ ++ struct compat_f2fs_gc_range __user *urange; ++ struct f2fs_gc_range range; ++ int err; ++ ++ urange = compat_ptr(arg); ++ err = get_user(range.sync, &urange->sync); ++ err |= get_user(range.start, &urange->start); ++ err |= get_user(range.len, &urange->len); ++ if (err) ++ return -EFAULT; ++ ++ return __f2fs_ioc_gc_range(file, &range); ++} ++ ++struct compat_f2fs_move_range { ++ u32 dst_fd; ++ compat_u64 pos_in; ++ compat_u64 pos_out; ++ compat_u64 len; ++}; ++#define F2FS_IOC32_MOVE_RANGE _IOWR(F2FS_IOCTL_MAGIC, 9, \ ++ struct compat_f2fs_move_range) ++ ++static int f2fs_compat_ioc_move_range(struct file *file, unsigned long arg) ++{ ++ struct compat_f2fs_move_range __user *urange; ++ struct f2fs_move_range range; ++ int err; ++ ++ urange = compat_ptr(arg); ++ err = get_user(range.dst_fd, &urange->dst_fd); ++ err |= get_user(range.pos_in, &urange->pos_in); ++ err |= get_user(range.pos_out, &urange->pos_out); ++ err |= get_user(range.len, &urange->len); ++ if (err) ++ return -EFAULT; ++ ++ return __f2fs_ioc_move_range(file, &range); ++} ++ + long f2fs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + { ++ if (unlikely(f2fs_cp_error(F2FS_I_SB(file_inode(file))))) ++ return -EIO; ++ if (!f2fs_is_checkpoint_ready(F2FS_I_SB(file_inode(file)))) ++ return -ENOSPC; ++ + switch (cmd) { + case FS_IOC32_GETFLAGS: + cmd = FS_IOC_GETFLAGS; +@@ -4188,6 +4257,10 @@ long f2fs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + case FS_IOC32_GETVERSION: + cmd = FS_IOC_GETVERSION; + break; ++ case F2FS_IOC32_GARBAGE_COLLECT_RANGE: ++ return f2fs_compat_ioc_gc_range(file, arg); ++ case F2FS_IOC32_MOVE_RANGE: ++ return f2fs_compat_ioc_move_range(file, arg); + case F2FS_IOC_START_ATOMIC_WRITE: + case F2FS_IOC_COMMIT_ATOMIC_WRITE: + case F2FS_IOC_START_VOLATILE_WRITE: +@@ -4205,10 +4278,8 @@ long f2fs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + case FS_IOC_GET_ENCRYPTION_KEY_STATUS: + case FS_IOC_GET_ENCRYPTION_NONCE: + case F2FS_IOC_GARBAGE_COLLECT: +- case F2FS_IOC_GARBAGE_COLLECT_RANGE: + case F2FS_IOC_WRITE_CHECKPOINT: + case F2FS_IOC_DEFRAGMENT: +- case F2FS_IOC_MOVE_RANGE: + case F2FS_IOC_FLUSH_DEVICE: + case F2FS_IOC_GET_FEATURES: + case FS_IOC_FSGETXATTR: +@@ -4229,7 +4300,7 @@ long f2fs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + default: + return -ENOIOCTLCMD; + } +- return f2fs_ioctl(file, cmd, (unsigned long) compat_ptr(arg)); ++ return __f2fs_ioctl(file, cmd, (unsigned long) compat_ptr(arg)); + } + #endif + +-- +2.30.2 + diff --git a/queue-5.10/f2fs-fix-panic-during-f2fs_resize_fs.patch b/queue-5.10/f2fs-fix-panic-during-f2fs_resize_fs.patch new file mode 100644 index 00000000000..cd13d629ead --- /dev/null +++ b/queue-5.10/f2fs-fix-panic-during-f2fs_resize_fs.patch @@ -0,0 +1,75 @@ +From 9e50c02fa64f0af156bdbaa777bddffaf138b61e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Feb 2021 17:35:41 +0800 +Subject: f2fs: fix panic during f2fs_resize_fs() + +From: Chao Yu + +[ Upstream commit 3ab0598e6d860ef49d029943ba80f627c15c15d6 ] + +f2fs_resize_fs() hangs in below callstack with testcase: +- mkfs 16GB image & mount image +- dd 8GB fileA +- dd 8GB fileB +- sync +- rm fileA +- sync +- resize filesystem to 8GB + +kernel BUG at segment.c:2484! +Call Trace: + allocate_segment_by_default+0x92/0xf0 [f2fs] + f2fs_allocate_data_block+0x44b/0x7e0 [f2fs] + do_write_page+0x5a/0x110 [f2fs] + f2fs_outplace_write_data+0x55/0x100 [f2fs] + f2fs_do_write_data_page+0x392/0x850 [f2fs] + move_data_page+0x233/0x320 [f2fs] + do_garbage_collect+0x14d9/0x1660 [f2fs] + free_segment_range+0x1f7/0x310 [f2fs] + f2fs_resize_fs+0x118/0x330 [f2fs] + __f2fs_ioctl+0x487/0x3680 [f2fs] + __x64_sys_ioctl+0x8e/0xd0 + do_syscall_64+0x33/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The root cause is we forgot to check that whether we have enough space +in resized filesystem to store all valid blocks in before-resizing +filesystem, then allocator will run out-of-space during block migration +in free_segment_range(). + +Fixes: b4b10061ef98 ("f2fs: refactor resize_fs to avoid meta updates in progress") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/gc.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c +index 1e602d0f611f..e4e8c7257454 100644 +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -1979,7 +1979,20 @@ int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count) + + /* stop CP to protect MAIN_SEC in free_segment_range */ + f2fs_lock_op(sbi); ++ ++ spin_lock(&sbi->stat_lock); ++ if (shrunk_blocks + valid_user_blocks(sbi) + ++ sbi->current_reserved_blocks + sbi->unusable_block_count + ++ F2FS_OPTION(sbi).root_reserved_blocks > sbi->user_block_count) ++ err = -ENOSPC; ++ spin_unlock(&sbi->stat_lock); ++ ++ if (err) ++ goto out_unlock; ++ + err = free_segment_range(sbi, secs, true); ++ ++out_unlock: + f2fs_unlock_op(sbi); + up_write(&sbi->gc_lock); + if (err) +-- +2.30.2 + diff --git a/queue-5.10/f2fs-fix-to-align-to-section-for-fallocate-on-pinned.patch b/queue-5.10/f2fs-fix-to-align-to-section-for-fallocate-on-pinned.patch new file mode 100644 index 00000000000..1c0ecea3ce2 --- /dev/null +++ b/queue-5.10/f2fs-fix-to-align-to-section-for-fallocate-on-pinned.patch @@ -0,0 +1,163 @@ +From 9dc1c81451dac328419d05a8b740112e871dec7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Mar 2021 17:56:01 +0800 +Subject: f2fs: fix to align to section for fallocate() on pinned file + +From: Chao Yu + +[ Upstream commit e1175f02291141bbd924fc578299305fcde35855 ] + +Now, fallocate() on a pinned file only allocates blocks which aligns +to segment rather than section, so GC may try to migrate pinned file's +block, and after several times of failure, pinned file's block could +be migrated to other place, however user won't be aware of such +condition, and then old obsolete block address may be readed/written +incorrectly. + +To avoid such condition, let's try to allocate pinned file's blocks +with section alignment. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 2 +- + fs/f2fs/file.c | 19 +++++++++---------- + fs/f2fs/segment.c | 34 ++++++++++++++++++++++++++-------- + 3 files changed, 36 insertions(+), 19 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index f116150e45e3..c2973a1dead6 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3289,7 +3289,7 @@ void f2fs_get_new_segment(struct f2fs_sb_info *sbi, + unsigned int *newseg, bool new_sec, int dir); + void f2fs_allocate_segment_for_resize(struct f2fs_sb_info *sbi, int type, + unsigned int start, unsigned int end); +-void f2fs_allocate_new_segment(struct f2fs_sb_info *sbi, int type); ++void f2fs_allocate_new_section(struct f2fs_sb_info *sbi, int type); + void f2fs_allocate_new_segments(struct f2fs_sb_info *sbi); + int f2fs_trim_fs(struct f2fs_sb_info *sbi, struct fstrim_range *range); + bool f2fs_exist_trim_candidates(struct f2fs_sb_info *sbi, +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index df963686c4dc..e926770f89c5 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -1643,27 +1643,26 @@ static int expand_inode_data(struct inode *inode, loff_t offset, + return 0; + + if (f2fs_is_pinned_file(inode)) { +- block_t len = (map.m_len >> sbi->log_blocks_per_seg) << +- sbi->log_blocks_per_seg; ++ block_t sec_blks = BLKS_PER_SEC(sbi); ++ block_t sec_len = roundup(map.m_len, sec_blks); + block_t done = 0; + +- if (map.m_len % sbi->blocks_per_seg) +- len += sbi->blocks_per_seg; +- +- map.m_len = sbi->blocks_per_seg; ++ map.m_len = sec_blks; + next_alloc: + if (has_not_enough_free_secs(sbi, 0, + GET_SEC_FROM_SEG(sbi, overprovision_segments(sbi)))) { + down_write(&sbi->gc_lock); + err = f2fs_gc(sbi, true, false, false, NULL_SEGNO); +- if (err && err != -ENODATA && err != -EAGAIN) ++ if (err && err != -ENODATA && err != -EAGAIN) { ++ map.m_len = done; + goto out_err; ++ } + } + + down_write(&sbi->pin_sem); + + f2fs_lock_op(sbi); +- f2fs_allocate_new_segment(sbi, CURSEG_COLD_DATA_PINNED); ++ f2fs_allocate_new_section(sbi, CURSEG_COLD_DATA_PINNED); + f2fs_unlock_op(sbi); + + map.m_seg_type = CURSEG_COLD_DATA_PINNED; +@@ -1672,9 +1671,9 @@ next_alloc: + up_write(&sbi->pin_sem); + + done += map.m_len; +- len -= map.m_len; ++ sec_len -= map.m_len; + map.m_lblk += map.m_len; +- if (!err && len) ++ if (!err && sec_len) + goto next_alloc; + + map.m_len = done; +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index f9e7280c39d9..d696d4713333 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -2903,7 +2903,8 @@ unlock: + up_read(&SM_I(sbi)->curseg_lock); + } + +-static void __allocate_new_segment(struct f2fs_sb_info *sbi, int type) ++static void __allocate_new_segment(struct f2fs_sb_info *sbi, int type, ++ bool new_sec) + { + struct curseg_info *curseg = CURSEG_I(sbi, type); + unsigned int old_segno; +@@ -2911,10 +2912,22 @@ static void __allocate_new_segment(struct f2fs_sb_info *sbi, int type) + if (!curseg->inited) + goto alloc; + +- if (!curseg->next_blkoff && +- !get_valid_blocks(sbi, curseg->segno, false) && +- !get_ckpt_valid_blocks(sbi, curseg->segno)) +- return; ++ if (curseg->next_blkoff || ++ get_valid_blocks(sbi, curseg->segno, new_sec)) ++ goto alloc; ++ ++ if (new_sec) { ++ unsigned int segno = START_SEGNO(curseg->segno); ++ int i; ++ ++ for (i = 0; i < sbi->segs_per_sec; i++, segno++) { ++ if (get_ckpt_valid_blocks(sbi, segno)) ++ goto alloc; ++ } ++ } else { ++ if (!get_ckpt_valid_blocks(sbi, curseg->segno)) ++ return; ++ } + + alloc: + old_segno = curseg->segno; +@@ -2922,10 +2935,15 @@ alloc: + locate_dirty_segment(sbi, old_segno); + } + +-void f2fs_allocate_new_segment(struct f2fs_sb_info *sbi, int type) ++static void __allocate_new_section(struct f2fs_sb_info *sbi, int type) ++{ ++ __allocate_new_segment(sbi, type, true); ++} ++ ++void f2fs_allocate_new_section(struct f2fs_sb_info *sbi, int type) + { + down_write(&SIT_I(sbi)->sentry_lock); +- __allocate_new_segment(sbi, type); ++ __allocate_new_section(sbi, type); + up_write(&SIT_I(sbi)->sentry_lock); + } + +@@ -2935,7 +2953,7 @@ void f2fs_allocate_new_segments(struct f2fs_sb_info *sbi) + + down_write(&SIT_I(sbi)->sentry_lock); + for (i = CURSEG_HOT_DATA; i <= CURSEG_COLD_DATA; i++) +- __allocate_new_segment(sbi, i); ++ __allocate_new_segment(sbi, i, false); + up_write(&SIT_I(sbi)->sentry_lock); + } + +-- +2.30.2 + diff --git a/queue-5.10/f2fs-fix-to-allow-migrating-fully-valid-segment.patch b/queue-5.10/f2fs-fix-to-allow-migrating-fully-valid-segment.patch new file mode 100644 index 00000000000..b49507eac82 --- /dev/null +++ b/queue-5.10/f2fs-fix-to-allow-migrating-fully-valid-segment.patch @@ -0,0 +1,193 @@ +From 81dd7f282c6315eb8fde8e96df97b7c80262dce2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Feb 2021 17:35:40 +0800 +Subject: f2fs: fix to allow migrating fully valid segment + +From: Chao Yu + +[ Upstream commit 7dede88659df38f96128ab3922c50dde2d29c574 ] + +F2FS_IOC_FLUSH_DEVICE/F2FS_IOC_RESIZE_FS needs to migrate all blocks of +target segment to other place, no matter the segment has partially or fully +valid blocks. + +However, after commit 803e74be04b3 ("f2fs: stop GC when the victim becomes +fully valid"), we may skip migration due to target segment is fully valid, +result in failing the ioctl interface, fix this. + +Fixes: 803e74be04b3 ("f2fs: stop GC when the victim becomes fully valid") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 2 +- + fs/f2fs/file.c | 9 +++++---- + fs/f2fs/gc.c | 21 ++++++++++++--------- + fs/f2fs/segment.c | 2 +- + fs/f2fs/super.c | 2 +- + 5 files changed, 20 insertions(+), 16 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index af294eb23283..f116150e45e3 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3449,7 +3449,7 @@ void f2fs_destroy_post_read_wq(struct f2fs_sb_info *sbi); + int f2fs_start_gc_thread(struct f2fs_sb_info *sbi); + void f2fs_stop_gc_thread(struct f2fs_sb_info *sbi); + block_t f2fs_start_bidx_of_node(unsigned int node_ofs, struct inode *inode); +-int f2fs_gc(struct f2fs_sb_info *sbi, bool sync, bool background, ++int f2fs_gc(struct f2fs_sb_info *sbi, bool sync, bool background, bool force, + unsigned int segno); + void f2fs_build_gc_manager(struct f2fs_sb_info *sbi); + int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count); +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 6850fb2081c8..df963686c4dc 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -1655,7 +1655,7 @@ next_alloc: + if (has_not_enough_free_secs(sbi, 0, + GET_SEC_FROM_SEG(sbi, overprovision_segments(sbi)))) { + down_write(&sbi->gc_lock); +- err = f2fs_gc(sbi, true, false, NULL_SEGNO); ++ err = f2fs_gc(sbi, true, false, false, NULL_SEGNO); + if (err && err != -ENODATA && err != -EAGAIN) + goto out_err; + } +@@ -2490,7 +2490,7 @@ static int f2fs_ioc_gc(struct file *filp, unsigned long arg) + down_write(&sbi->gc_lock); + } + +- ret = f2fs_gc(sbi, sync, true, NULL_SEGNO); ++ ret = f2fs_gc(sbi, sync, true, false, NULL_SEGNO); + out: + mnt_drop_write_file(filp); + return ret; +@@ -2526,7 +2526,8 @@ do_more: + down_write(&sbi->gc_lock); + } + +- ret = f2fs_gc(sbi, range->sync, true, GET_SEGNO(sbi, range->start)); ++ ret = f2fs_gc(sbi, range->sync, true, false, ++ GET_SEGNO(sbi, range->start)); + if (ret) { + if (ret == -EBUSY) + ret = -EAGAIN; +@@ -2985,7 +2986,7 @@ static int f2fs_ioc_flush_device(struct file *filp, unsigned long arg) + sm->last_victim[GC_CB] = end_segno + 1; + sm->last_victim[GC_GREEDY] = end_segno + 1; + sm->last_victim[ALLOC_NEXT] = end_segno + 1; +- ret = f2fs_gc(sbi, true, true, start_segno); ++ ret = f2fs_gc(sbi, true, true, true, start_segno); + if (ret == -EAGAIN) + ret = 0; + else if (ret < 0) +diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c +index 05641a1e36cc..1e602d0f611f 100644 +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -112,7 +112,7 @@ do_gc: + sync_mode = F2FS_OPTION(sbi).bggc_mode == BGGC_MODE_SYNC; + + /* if return value is not zero, no victim was selected */ +- if (f2fs_gc(sbi, sync_mode, true, NULL_SEGNO)) ++ if (f2fs_gc(sbi, sync_mode, true, false, NULL_SEGNO)) + wait_ms = gc_th->no_gc_sleep_time; + + trace_f2fs_background_gc(sbi->sb, wait_ms, +@@ -1356,7 +1356,8 @@ out: + * the victim data block is ignored. + */ + static int gc_data_segment(struct f2fs_sb_info *sbi, struct f2fs_summary *sum, +- struct gc_inode_list *gc_list, unsigned int segno, int gc_type) ++ struct gc_inode_list *gc_list, unsigned int segno, int gc_type, ++ bool force_migrate) + { + struct super_block *sb = sbi->sb; + struct f2fs_summary *entry; +@@ -1385,8 +1386,8 @@ next_step: + * race condition along with SSR block allocation. + */ + if ((gc_type == BG_GC && has_not_enough_free_secs(sbi, 0, 0)) || +- get_valid_blocks(sbi, segno, true) == +- BLKS_PER_SEC(sbi)) ++ (!force_migrate && get_valid_blocks(sbi, segno, true) == ++ BLKS_PER_SEC(sbi))) + return submitted; + + if (check_valid_map(sbi, segno, off) == 0) +@@ -1521,7 +1522,8 @@ static int __get_victim(struct f2fs_sb_info *sbi, unsigned int *victim, + + static int do_garbage_collect(struct f2fs_sb_info *sbi, + unsigned int start_segno, +- struct gc_inode_list *gc_list, int gc_type) ++ struct gc_inode_list *gc_list, int gc_type, ++ bool force_migrate) + { + struct page *sum_page; + struct f2fs_summary_block *sum; +@@ -1608,7 +1610,8 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi, + gc_type); + else + submitted += gc_data_segment(sbi, sum->entries, gc_list, +- segno, gc_type); ++ segno, gc_type, ++ force_migrate); + + stat_inc_seg_count(sbi, type, gc_type); + migrated++; +@@ -1636,7 +1639,7 @@ skip: + } + + int f2fs_gc(struct f2fs_sb_info *sbi, bool sync, +- bool background, unsigned int segno) ++ bool background, bool force, unsigned int segno) + { + int gc_type = sync ? FG_GC : BG_GC; + int sec_freed = 0, seg_freed = 0, total_freed = 0; +@@ -1698,7 +1701,7 @@ gc_more: + if (ret) + goto stop; + +- seg_freed = do_garbage_collect(sbi, segno, &gc_list, gc_type); ++ seg_freed = do_garbage_collect(sbi, segno, &gc_list, gc_type, force); + if (gc_type == FG_GC && + seg_freed == f2fs_usable_segs_in_sec(sbi, segno)) + sec_freed++; +@@ -1837,7 +1840,7 @@ static int free_segment_range(struct f2fs_sb_info *sbi, + .iroot = RADIX_TREE_INIT(gc_list.iroot, GFP_NOFS), + }; + +- do_garbage_collect(sbi, segno, &gc_list, FG_GC); ++ do_garbage_collect(sbi, segno, &gc_list, FG_GC, true); + put_gc_inode(&gc_list); + + if (!gc_only && get_valid_blocks(sbi, segno, true)) { +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index f2a4265318f5..f9e7280c39d9 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -507,7 +507,7 @@ void f2fs_balance_fs(struct f2fs_sb_info *sbi, bool need) + */ + if (has_not_enough_free_secs(sbi, 0, 0)) { + down_write(&sbi->gc_lock); +- f2fs_gc(sbi, false, false, NULL_SEGNO); ++ f2fs_gc(sbi, false, false, false, NULL_SEGNO); + } + } + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 4fffbef216af..abc469dd9aea 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1723,7 +1723,7 @@ static int f2fs_disable_checkpoint(struct f2fs_sb_info *sbi) + + while (!f2fs_time_over(sbi, DISABLE_TIME)) { + down_write(&sbi->gc_lock); +- err = f2fs_gc(sbi, true, false, NULL_SEGNO); ++ err = f2fs_gc(sbi, true, false, false, NULL_SEGNO); + if (err == -ENODATA) { + err = 0; + break; +-- +2.30.2 + diff --git a/queue-5.10/f2fs-fix-to-avoid-accessing-invalid-fio-in-f2fs_allo.patch b/queue-5.10/f2fs-fix-to-avoid-accessing-invalid-fio-in-f2fs_allo.patch new file mode 100644 index 00000000000..6e4ab970af9 --- /dev/null +++ b/queue-5.10/f2fs-fix-to-avoid-accessing-invalid-fio-in-f2fs_allo.patch @@ -0,0 +1,44 @@ +From 2d9d06def9860c57c5bee1ccf47d2b5e21d4138a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Apr 2021 17:22:23 +0800 +Subject: f2fs: fix to avoid accessing invalid fio in + f2fs_allocate_data_block() + +From: Chao Yu + +[ Upstream commit 25ae837e61dee712b4b1df36602ebfe724b2a0b6 ] + +Callers may pass fio parameter with NULL value to f2fs_allocate_data_block(), +so we should make sure accessing fio's field after fio's validation check. + +Fixes: f608c38c59c6 ("f2fs: clean up parameter of f2fs_allocate_data_block()") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 1c264fd5a0dd..d04b449978aa 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -3407,12 +3407,12 @@ void f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct page *page, + f2fs_inode_chksum_set(sbi, page); + } + +- if (F2FS_IO_ALIGNED(sbi)) +- fio->retry = false; +- + if (fio) { + struct f2fs_bio_info *io; + ++ if (F2FS_IO_ALIGNED(sbi)) ++ fio->retry = false; ++ + INIT_LIST_HEAD(&fio->list); + fio->in_list = true; + io = sbi->write_io[fio->type] + fio->temp; +-- +2.30.2 + diff --git a/queue-5.10/f2fs-fix-to-avoid-touching-checkpointed-data-in-get_.patch b/queue-5.10/f2fs-fix-to-avoid-touching-checkpointed-data-in-get_.patch new file mode 100644 index 00000000000..5d30d46cb40 --- /dev/null +++ b/queue-5.10/f2fs-fix-to-avoid-touching-checkpointed-data-in-get_.patch @@ -0,0 +1,200 @@ +From c1e47060021284f8b0831739fd5f177a11cb289f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 11:18:28 +0800 +Subject: f2fs: fix to avoid touching checkpointed data in get_victim() + +From: Chao Yu + +[ Upstream commit 61461fc921b756ae16e64243f72af2bfc2e620db ] + +In CP disabling mode, there are two issues when using LFS or SSR | AT_SSR +mode to select victim: + +1. LFS is set to find source section during GC, the victim should have +no checkpointed data, since after GC, section could not be set free for +reuse. + +Previously, we only check valid chpt blocks in current segment rather +than section, fix it. + +2. SSR | AT_SSR are set to find target segment for writes which can be +fully filled by checkpointed and newly written blocks, we should never +select such segment, otherwise it can cause panic or data corruption +during allocation, potential case is described as below: + + a) target segment has 'n' (n < 512) ckpt valid blocks + b) GC migrates 'n' valid blocks to other segment (segment is still + in dirty list) + c) GC migrates '512 - n' blocks to target segment (segment has 'n' + cp_vblocks and '512 - n' vblocks) + d) If GC selects target segment via {AT,}SSR allocator, however there + is no free space in targe segment. + +Fixes: 4354994f097d ("f2fs: checkpoint disabling") +Fixes: 093749e296e2 ("f2fs: support age threshold based garbage collection") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 1 + + fs/f2fs/gc.c | 28 ++++++++++++++++++++-------- + fs/f2fs/segment.c | 36 +++++++++++++++++++++--------------- + fs/f2fs/segment.h | 14 +++++++++++++- + 4 files changed, 55 insertions(+), 24 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index c2973a1dead6..036d2a3a2f41 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3282,6 +3282,7 @@ block_t f2fs_get_unusable_blocks(struct f2fs_sb_info *sbi); + int f2fs_disable_cp_again(struct f2fs_sb_info *sbi, block_t unusable); + void f2fs_release_discard_addrs(struct f2fs_sb_info *sbi); + int f2fs_npages_for_summary_flush(struct f2fs_sb_info *sbi, bool for_ra); ++bool f2fs_segment_has_free_slot(struct f2fs_sb_info *sbi, int segno); + void f2fs_init_inmem_curseg(struct f2fs_sb_info *sbi); + void f2fs_save_inmem_curseg(struct f2fs_sb_info *sbi); + void f2fs_restore_inmem_curseg(struct f2fs_sb_info *sbi); +diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c +index e4e8c7257454..9b38cef4d50f 100644 +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -392,10 +392,6 @@ static void add_victim_entry(struct f2fs_sb_info *sbi, + if (p->gc_mode == GC_AT && + get_valid_blocks(sbi, segno, true) == 0) + return; +- +- if (p->alloc_mode == AT_SSR && +- get_seg_entry(sbi, segno)->ckpt_valid_blocks == 0) +- return; + } + + for (i = 0; i < sbi->segs_per_sec; i++) +@@ -728,11 +724,27 @@ retry: + + if (sec_usage_check(sbi, secno)) + goto next; ++ + /* Don't touch checkpointed data */ +- if (unlikely(is_sbi_flag_set(sbi, SBI_CP_DISABLED) && +- get_ckpt_valid_blocks(sbi, segno) && +- p.alloc_mode == LFS)) +- goto next; ++ if (unlikely(is_sbi_flag_set(sbi, SBI_CP_DISABLED))) { ++ if (p.alloc_mode == LFS) { ++ /* ++ * LFS is set to find source section during GC. ++ * The victim should have no checkpointed data. ++ */ ++ if (get_ckpt_valid_blocks(sbi, segno, true)) ++ goto next; ++ } else { ++ /* ++ * SSR | AT_SSR are set to find target segment ++ * for writes which can be full by checkpointed ++ * and newly written blocks. ++ */ ++ if (!f2fs_segment_has_free_slot(sbi, segno)) ++ goto next; ++ } ++ } ++ + if (gc_type == BG_GC && test_bit(secno, dirty_i->victim_secmap)) + goto next; + +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index d696d4713333..661b891aa1ca 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -871,7 +871,7 @@ static void locate_dirty_segment(struct f2fs_sb_info *sbi, unsigned int segno) + mutex_lock(&dirty_i->seglist_lock); + + valid_blocks = get_valid_blocks(sbi, segno, false); +- ckpt_valid_blocks = get_ckpt_valid_blocks(sbi, segno); ++ ckpt_valid_blocks = get_ckpt_valid_blocks(sbi, segno, false); + + if (valid_blocks == 0 && (!is_sbi_flag_set(sbi, SBI_CP_DISABLED) || + ckpt_valid_blocks == usable_blocks)) { +@@ -956,7 +956,7 @@ static unsigned int get_free_segment(struct f2fs_sb_info *sbi) + for_each_set_bit(segno, dirty_i->dirty_segmap[DIRTY], MAIN_SEGS(sbi)) { + if (get_valid_blocks(sbi, segno, false)) + continue; +- if (get_ckpt_valid_blocks(sbi, segno)) ++ if (get_ckpt_valid_blocks(sbi, segno, false)) + continue; + mutex_unlock(&dirty_i->seglist_lock); + return segno; +@@ -2646,6 +2646,23 @@ static void __refresh_next_blkoff(struct f2fs_sb_info *sbi, + seg->next_blkoff++; + } + ++bool f2fs_segment_has_free_slot(struct f2fs_sb_info *sbi, int segno) ++{ ++ struct seg_entry *se = get_seg_entry(sbi, segno); ++ int entries = SIT_VBLOCK_MAP_SIZE / sizeof(unsigned long); ++ unsigned long *target_map = SIT_I(sbi)->tmp_map; ++ unsigned long *ckpt_map = (unsigned long *)se->ckpt_valid_map; ++ unsigned long *cur_map = (unsigned long *)se->cur_valid_map; ++ int i, pos; ++ ++ for (i = 0; i < entries; i++) ++ target_map[i] = ckpt_map[i] | cur_map[i]; ++ ++ pos = __find_rev_next_zero_bit(target_map, sbi->blocks_per_seg, 0); ++ ++ return pos < sbi->blocks_per_seg; ++} ++ + /* + * This function always allocates a used segment(from dirty seglist) by SSR + * manner, so it should recover the existing segment information of valid blocks +@@ -2916,19 +2933,8 @@ static void __allocate_new_segment(struct f2fs_sb_info *sbi, int type, + get_valid_blocks(sbi, curseg->segno, new_sec)) + goto alloc; + +- if (new_sec) { +- unsigned int segno = START_SEGNO(curseg->segno); +- int i; +- +- for (i = 0; i < sbi->segs_per_sec; i++, segno++) { +- if (get_ckpt_valid_blocks(sbi, segno)) +- goto alloc; +- } +- } else { +- if (!get_ckpt_valid_blocks(sbi, curseg->segno)) +- return; +- } +- ++ if (!get_ckpt_valid_blocks(sbi, curseg->segno, new_sec)) ++ return; + alloc: + old_segno = curseg->segno; + SIT_I(sbi)->s_ops->allocate_segment(sbi, type, true); +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index 229814b4f4a6..1bf33fc27b8f 100644 +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -361,8 +361,20 @@ static inline unsigned int get_valid_blocks(struct f2fs_sb_info *sbi, + } + + static inline unsigned int get_ckpt_valid_blocks(struct f2fs_sb_info *sbi, +- unsigned int segno) ++ unsigned int segno, bool use_section) + { ++ if (use_section && __is_large_section(sbi)) { ++ unsigned int start_segno = START_SEGNO(segno); ++ unsigned int blocks = 0; ++ int i; ++ ++ for (i = 0; i < sbi->segs_per_sec; i++, start_segno++) { ++ struct seg_entry *se = get_seg_entry(sbi, start_segno); ++ ++ blocks += se->ckpt_valid_blocks; ++ } ++ return blocks; ++ } + return get_seg_entry(sbi, segno)->ckpt_valid_blocks; + } + +-- +2.30.2 + diff --git a/queue-5.10/f2fs-fix-to-cover-__allocate_new_section-with-curseg.patch b/queue-5.10/f2fs-fix-to-cover-__allocate_new_section-with-curseg.patch new file mode 100644 index 00000000000..822e8a5334a --- /dev/null +++ b/queue-5.10/f2fs-fix-to-cover-__allocate_new_section-with-curseg.patch @@ -0,0 +1,50 @@ +From 504a27753e9fad31753f9d3f1ecda4300c74629d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Mar 2021 09:46:22 +0800 +Subject: f2fs: fix to cover __allocate_new_section() with curseg_lock + +From: Chao Yu + +[ Upstream commit 823d13e12b6cbaef2f6e5d63c648643e7bc094dd ] + +In order to avoid race with f2fs_do_replace_block(). + +Fixes: f5a53edcf01e ("f2fs: support aligned pinned file") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 661b891aa1ca..ddfc3daebe9b 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -2948,19 +2948,23 @@ static void __allocate_new_section(struct f2fs_sb_info *sbi, int type) + + void f2fs_allocate_new_section(struct f2fs_sb_info *sbi, int type) + { ++ down_read(&SM_I(sbi)->curseg_lock); + down_write(&SIT_I(sbi)->sentry_lock); + __allocate_new_section(sbi, type); + up_write(&SIT_I(sbi)->sentry_lock); ++ up_read(&SM_I(sbi)->curseg_lock); + } + + void f2fs_allocate_new_segments(struct f2fs_sb_info *sbi) + { + int i; + ++ down_read(&SM_I(sbi)->curseg_lock); + down_write(&SIT_I(sbi)->sentry_lock); + for (i = CURSEG_HOT_DATA; i <= CURSEG_COLD_DATA; i++) + __allocate_new_segment(sbi, i, false); + up_write(&SIT_I(sbi)->sentry_lock); ++ up_read(&SM_I(sbi)->curseg_lock); + } + + static const struct segment_allocation default_salloc_ops = { +-- +2.30.2 + diff --git a/queue-5.10/f2fs-fix-to-update-last-i_size-if-fallocate-partiall.patch b/queue-5.10/f2fs-fix-to-update-last-i_size-if-fallocate-partiall.patch new file mode 100644 index 00000000000..5711ee2d7e1 --- /dev/null +++ b/queue-5.10/f2fs-fix-to-update-last-i_size-if-fallocate-partiall.patch @@ -0,0 +1,106 @@ +From 2cac79b62fb454944054b5d2ffe0d28c236ce800 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 11:24:33 +0800 +Subject: f2fs: fix to update last i_size if fallocate partially succeeds + +From: Chao Yu + +[ Upstream commit 88f2cfc5fa90326edb569b4a81bb38ed4dcd3108 ] + +In the case of expanding pinned file, map.m_lblk and map.m_len +will update in each round of section allocation, so in error +path, last i_size will be calculated with wrong m_lblk and m_len, +fix it. + +Fixes: f5a53edcf01e ("f2fs: support aligned pinned file") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/file.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index e926770f89c5..9f857e5709b6 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -1616,9 +1616,10 @@ static int expand_inode_data(struct inode *inode, loff_t offset, + struct f2fs_map_blocks map = { .m_next_pgofs = NULL, + .m_next_extent = NULL, .m_seg_type = NO_CHECK_TYPE, + .m_may_create = true }; +- pgoff_t pg_end; ++ pgoff_t pg_start, pg_end; + loff_t new_size = i_size_read(inode); + loff_t off_end; ++ block_t expanded = 0; + int err; + + err = inode_newsize_ok(inode, (len + offset)); +@@ -1631,11 +1632,12 @@ static int expand_inode_data(struct inode *inode, loff_t offset, + + f2fs_balance_fs(sbi, true); + ++ pg_start = ((unsigned long long)offset) >> PAGE_SHIFT; + pg_end = ((unsigned long long)offset + len) >> PAGE_SHIFT; + off_end = (offset + len) & (PAGE_SIZE - 1); + +- map.m_lblk = ((unsigned long long)offset) >> PAGE_SHIFT; +- map.m_len = pg_end - map.m_lblk; ++ map.m_lblk = pg_start; ++ map.m_len = pg_end - pg_start; + if (off_end) + map.m_len++; + +@@ -1645,7 +1647,6 @@ static int expand_inode_data(struct inode *inode, loff_t offset, + if (f2fs_is_pinned_file(inode)) { + block_t sec_blks = BLKS_PER_SEC(sbi); + block_t sec_len = roundup(map.m_len, sec_blks); +- block_t done = 0; + + map.m_len = sec_blks; + next_alloc: +@@ -1653,10 +1654,8 @@ next_alloc: + GET_SEC_FROM_SEG(sbi, overprovision_segments(sbi)))) { + down_write(&sbi->gc_lock); + err = f2fs_gc(sbi, true, false, false, NULL_SEGNO); +- if (err && err != -ENODATA && err != -EAGAIN) { +- map.m_len = done; ++ if (err && err != -ENODATA && err != -EAGAIN) + goto out_err; +- } + } + + down_write(&sbi->pin_sem); +@@ -1670,24 +1669,25 @@ next_alloc: + + up_write(&sbi->pin_sem); + +- done += map.m_len; ++ expanded += map.m_len; + sec_len -= map.m_len; + map.m_lblk += map.m_len; + if (!err && sec_len) + goto next_alloc; + +- map.m_len = done; ++ map.m_len = expanded; + } else { + err = f2fs_map_blocks(inode, &map, 1, F2FS_GET_BLOCK_PRE_AIO); ++ expanded = map.m_len; + } + out_err: + if (err) { + pgoff_t last_off; + +- if (!map.m_len) ++ if (!expanded) + return err; + +- last_off = map.m_lblk + map.m_len - 1; ++ last_off = pg_start + expanded - 1; + + /* update new size to the failed position */ + new_size = (last_off == pg_end) ? offset + len : +-- +2.30.2 + diff --git a/queue-5.10/f2fs-move-ioctl-interface-definitions-to-separated-f.patch b/queue-5.10/f2fs-move-ioctl-interface-definitions-to-separated-f.patch new file mode 100644 index 00000000000..fecb19f223f --- /dev/null +++ b/queue-5.10/f2fs-move-ioctl-interface-definitions-to-separated-f.patch @@ -0,0 +1,249 @@ +From 4ea74c95594c5c4fddcb53a73e22e7042507c51a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 14:21:31 +0800 +Subject: f2fs: move ioctl interface definitions to separated file + +From: Chao Yu + +[ Upstream commit fa4320cefb8537a70cc28c55d311a1f569697cd3 ] + +Like other filesystem does, we introduce a new file f2fs.h in path of +include/uapi/linux/, and move f2fs-specified ioctl interface definitions +to that file, after then, in order to use those definitions, userspace +developer only need to include the new header file rather than +copy & paste definitions from fs/f2fs/f2fs.h. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + MAINTAINERS | 1 + + fs/f2fs/f2fs.h | 79 --------------------------------- + fs/f2fs/file.c | 1 + + include/trace/events/f2fs.h | 1 + + include/uapi/linux/f2fs.h | 87 +++++++++++++++++++++++++++++++++++++ + 5 files changed, 90 insertions(+), 79 deletions(-) + create mode 100644 include/uapi/linux/f2fs.h + +diff --git a/MAINTAINERS b/MAINTAINERS +index 24cdfcf334ea..4fef10dd2975 100644 +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -6694,6 +6694,7 @@ F: Documentation/filesystems/f2fs.rst + F: fs/f2fs/ + F: include/linux/f2fs_fs.h + F: include/trace/events/f2fs.h ++F: include/uapi/linux/f2fs.h + + F71805F HARDWARE MONITORING DRIVER + M: Jean Delvare +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 699815e94bd3..af294eb23283 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -402,85 +402,6 @@ static inline bool __has_cursum_space(struct f2fs_journal *journal, + return size <= MAX_SIT_JENTRIES(journal); + } + +-/* +- * f2fs-specific ioctl commands +- */ +-#define F2FS_IOCTL_MAGIC 0xf5 +-#define F2FS_IOC_START_ATOMIC_WRITE _IO(F2FS_IOCTL_MAGIC, 1) +-#define F2FS_IOC_COMMIT_ATOMIC_WRITE _IO(F2FS_IOCTL_MAGIC, 2) +-#define F2FS_IOC_START_VOLATILE_WRITE _IO(F2FS_IOCTL_MAGIC, 3) +-#define F2FS_IOC_RELEASE_VOLATILE_WRITE _IO(F2FS_IOCTL_MAGIC, 4) +-#define F2FS_IOC_ABORT_VOLATILE_WRITE _IO(F2FS_IOCTL_MAGIC, 5) +-#define F2FS_IOC_GARBAGE_COLLECT _IOW(F2FS_IOCTL_MAGIC, 6, __u32) +-#define F2FS_IOC_WRITE_CHECKPOINT _IO(F2FS_IOCTL_MAGIC, 7) +-#define F2FS_IOC_DEFRAGMENT _IOWR(F2FS_IOCTL_MAGIC, 8, \ +- struct f2fs_defragment) +-#define F2FS_IOC_MOVE_RANGE _IOWR(F2FS_IOCTL_MAGIC, 9, \ +- struct f2fs_move_range) +-#define F2FS_IOC_FLUSH_DEVICE _IOW(F2FS_IOCTL_MAGIC, 10, \ +- struct f2fs_flush_device) +-#define F2FS_IOC_GARBAGE_COLLECT_RANGE _IOW(F2FS_IOCTL_MAGIC, 11, \ +- struct f2fs_gc_range) +-#define F2FS_IOC_GET_FEATURES _IOR(F2FS_IOCTL_MAGIC, 12, __u32) +-#define F2FS_IOC_SET_PIN_FILE _IOW(F2FS_IOCTL_MAGIC, 13, __u32) +-#define F2FS_IOC_GET_PIN_FILE _IOR(F2FS_IOCTL_MAGIC, 14, __u32) +-#define F2FS_IOC_PRECACHE_EXTENTS _IO(F2FS_IOCTL_MAGIC, 15) +-#define F2FS_IOC_RESIZE_FS _IOW(F2FS_IOCTL_MAGIC, 16, __u64) +-#define F2FS_IOC_GET_COMPRESS_BLOCKS _IOR(F2FS_IOCTL_MAGIC, 17, __u64) +-#define F2FS_IOC_RELEASE_COMPRESS_BLOCKS \ +- _IOR(F2FS_IOCTL_MAGIC, 18, __u64) +-#define F2FS_IOC_RESERVE_COMPRESS_BLOCKS \ +- _IOR(F2FS_IOCTL_MAGIC, 19, __u64) +-#define F2FS_IOC_SEC_TRIM_FILE _IOW(F2FS_IOCTL_MAGIC, 20, \ +- struct f2fs_sectrim_range) +- +-/* +- * should be same as XFS_IOC_GOINGDOWN. +- * Flags for going down operation used by FS_IOC_GOINGDOWN +- */ +-#define F2FS_IOC_SHUTDOWN _IOR('X', 125, __u32) /* Shutdown */ +-#define F2FS_GOING_DOWN_FULLSYNC 0x0 /* going down with full sync */ +-#define F2FS_GOING_DOWN_METASYNC 0x1 /* going down with metadata */ +-#define F2FS_GOING_DOWN_NOSYNC 0x2 /* going down */ +-#define F2FS_GOING_DOWN_METAFLUSH 0x3 /* going down with meta flush */ +-#define F2FS_GOING_DOWN_NEED_FSCK 0x4 /* going down to trigger fsck */ +- +-/* +- * Flags used by F2FS_IOC_SEC_TRIM_FILE +- */ +-#define F2FS_TRIM_FILE_DISCARD 0x1 /* send discard command */ +-#define F2FS_TRIM_FILE_ZEROOUT 0x2 /* zero out */ +-#define F2FS_TRIM_FILE_MASK 0x3 +- +-struct f2fs_gc_range { +- u32 sync; +- u64 start; +- u64 len; +-}; +- +-struct f2fs_defragment { +- u64 start; +- u64 len; +-}; +- +-struct f2fs_move_range { +- u32 dst_fd; /* destination fd */ +- u64 pos_in; /* start position in src_fd */ +- u64 pos_out; /* start position in dst_fd */ +- u64 len; /* size to move */ +-}; +- +-struct f2fs_flush_device { +- u32 dev_num; /* device number to flush */ +- u32 segments; /* # of segments to flush */ +-}; +- +-struct f2fs_sectrim_range { +- u64 start; +- u64 len; +- u64 flags; +-}; +- + /* for inline stuff */ + #define DEF_INLINE_RESERVED_SIZE 1 + static inline int get_extra_isize(struct inode *inode); +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 498e3aac7934..28f0bde38806 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -31,6 +31,7 @@ + #include "gc.h" + #include "trace.h" + #include ++#include + + static vm_fault_t f2fs_filemap_fault(struct vm_fault *vmf) + { +diff --git a/include/trace/events/f2fs.h b/include/trace/events/f2fs.h +index f8f1e85ff130..56b113e3cd6a 100644 +--- a/include/trace/events/f2fs.h ++++ b/include/trace/events/f2fs.h +@@ -6,6 +6,7 @@ + #define _TRACE_F2FS_H + + #include ++#include + + #define show_dev(dev) MAJOR(dev), MINOR(dev) + #define show_dev_ino(entry) show_dev(entry->dev), (unsigned long)entry->ino +diff --git a/include/uapi/linux/f2fs.h b/include/uapi/linux/f2fs.h +new file mode 100644 +index 000000000000..28bcfe8d2c27 +--- /dev/null ++++ b/include/uapi/linux/f2fs.h +@@ -0,0 +1,87 @@ ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ ++ ++#ifndef _UAPI_LINUX_F2FS_H ++#define _UAPI_LINUX_F2FS_H ++#include ++#include ++ ++/* ++ * f2fs-specific ioctl commands ++ */ ++#define F2FS_IOCTL_MAGIC 0xf5 ++#define F2FS_IOC_START_ATOMIC_WRITE _IO(F2FS_IOCTL_MAGIC, 1) ++#define F2FS_IOC_COMMIT_ATOMIC_WRITE _IO(F2FS_IOCTL_MAGIC, 2) ++#define F2FS_IOC_START_VOLATILE_WRITE _IO(F2FS_IOCTL_MAGIC, 3) ++#define F2FS_IOC_RELEASE_VOLATILE_WRITE _IO(F2FS_IOCTL_MAGIC, 4) ++#define F2FS_IOC_ABORT_VOLATILE_WRITE _IO(F2FS_IOCTL_MAGIC, 5) ++#define F2FS_IOC_GARBAGE_COLLECT _IOW(F2FS_IOCTL_MAGIC, 6, __u32) ++#define F2FS_IOC_WRITE_CHECKPOINT _IO(F2FS_IOCTL_MAGIC, 7) ++#define F2FS_IOC_DEFRAGMENT _IOWR(F2FS_IOCTL_MAGIC, 8, \ ++ struct f2fs_defragment) ++#define F2FS_IOC_MOVE_RANGE _IOWR(F2FS_IOCTL_MAGIC, 9, \ ++ struct f2fs_move_range) ++#define F2FS_IOC_FLUSH_DEVICE _IOW(F2FS_IOCTL_MAGIC, 10, \ ++ struct f2fs_flush_device) ++#define F2FS_IOC_GARBAGE_COLLECT_RANGE _IOW(F2FS_IOCTL_MAGIC, 11, \ ++ struct f2fs_gc_range) ++#define F2FS_IOC_GET_FEATURES _IOR(F2FS_IOCTL_MAGIC, 12, __u32) ++#define F2FS_IOC_SET_PIN_FILE _IOW(F2FS_IOCTL_MAGIC, 13, __u32) ++#define F2FS_IOC_GET_PIN_FILE _IOR(F2FS_IOCTL_MAGIC, 14, __u32) ++#define F2FS_IOC_PRECACHE_EXTENTS _IO(F2FS_IOCTL_MAGIC, 15) ++#define F2FS_IOC_RESIZE_FS _IOW(F2FS_IOCTL_MAGIC, 16, __u64) ++#define F2FS_IOC_GET_COMPRESS_BLOCKS _IOR(F2FS_IOCTL_MAGIC, 17, __u64) ++#define F2FS_IOC_RELEASE_COMPRESS_BLOCKS \ ++ _IOR(F2FS_IOCTL_MAGIC, 18, __u64) ++#define F2FS_IOC_RESERVE_COMPRESS_BLOCKS \ ++ _IOR(F2FS_IOCTL_MAGIC, 19, __u64) ++#define F2FS_IOC_SEC_TRIM_FILE _IOW(F2FS_IOCTL_MAGIC, 20, \ ++ struct f2fs_sectrim_range) ++ ++/* ++ * should be same as XFS_IOC_GOINGDOWN. ++ * Flags for going down operation used by FS_IOC_GOINGDOWN ++ */ ++#define F2FS_IOC_SHUTDOWN _IOR('X', 125, __u32) /* Shutdown */ ++#define F2FS_GOING_DOWN_FULLSYNC 0x0 /* going down with full sync */ ++#define F2FS_GOING_DOWN_METASYNC 0x1 /* going down with metadata */ ++#define F2FS_GOING_DOWN_NOSYNC 0x2 /* going down */ ++#define F2FS_GOING_DOWN_METAFLUSH 0x3 /* going down with meta flush */ ++#define F2FS_GOING_DOWN_NEED_FSCK 0x4 /* going down to trigger fsck */ ++ ++/* ++ * Flags used by F2FS_IOC_SEC_TRIM_FILE ++ */ ++#define F2FS_TRIM_FILE_DISCARD 0x1 /* send discard command */ ++#define F2FS_TRIM_FILE_ZEROOUT 0x2 /* zero out */ ++#define F2FS_TRIM_FILE_MASK 0x3 ++ ++struct f2fs_gc_range { ++ __u32 sync; ++ __u64 start; ++ __u64 len; ++}; ++ ++struct f2fs_defragment { ++ __u64 start; ++ __u64 len; ++}; ++ ++struct f2fs_move_range { ++ __u32 dst_fd; /* destination fd */ ++ __u64 pos_in; /* start position in src_fd */ ++ __u64 pos_out; /* start position in dst_fd */ ++ __u64 len; /* size to move */ ++}; ++ ++struct f2fs_flush_device { ++ __u32 dev_num; /* device number to flush */ ++ __u32 segments; /* # of segments to flush */ ++}; ++ ++struct f2fs_sectrim_range { ++ __u64 start; ++ __u64 len; ++ __u64 flags; ++}; ++ ++#endif /* _UAPI_LINUX_F2FS_H */ +-- +2.30.2 + diff --git a/queue-5.10/flow_dissector-fix-out-of-bounds-warning-in-__skb_fl.patch b/queue-5.10/flow_dissector-fix-out-of-bounds-warning-in-__skb_fl.patch new file mode 100644 index 00000000000..b83e2c43e2c --- /dev/null +++ b/queue-5.10/flow_dissector-fix-out-of-bounds-warning-in-__skb_fl.patch @@ -0,0 +1,53 @@ +From 6ea3a45bc2ac492bb816bc252f2791244e9ee80f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Apr 2021 14:31:51 -0500 +Subject: flow_dissector: Fix out-of-bounds warning in + __skb_flow_bpf_to_target() + +From: Gustavo A. R. Silva + +[ Upstream commit 1e3d976dbb23b3fce544752b434bdc32ce64aabc ] + +Fix the following out-of-bounds warning: + +net/core/flow_dissector.c:835:3: warning: 'memcpy' offset [33, 48] from the object at 'flow_keys' is out of the bounds of referenced subobject 'ipv6_src' with type '__u32[4]' {aka 'unsigned int[4]'} at offset 16 [-Warray-bounds] + +The problem is that the original code is trying to copy data into a +couple of struct members adjacent to each other in a single call to +memcpy(). So, the compiler legitimately complains about it. As these +are just a couple of members, fix this by copying each one of them in +separate calls to memcpy(). + +This helps with the ongoing efforts to globally enable -Warray-bounds +and get us closer to being able to tighten the FORTIFY_SOURCE routines +on memcpy(). + +Link: https://github.com/KSPP/linux/issues/109 +Reported-by: kernel test robot +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/flow_dissector.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c +index d48b37b15b27..c52e5ea654e9 100644 +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -822,8 +822,10 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys, + key_addrs = skb_flow_dissector_target(flow_dissector, + FLOW_DISSECTOR_KEY_IPV6_ADDRS, + target_container); +- memcpy(&key_addrs->v6addrs, &flow_keys->ipv6_src, +- sizeof(key_addrs->v6addrs)); ++ memcpy(&key_addrs->v6addrs.src, &flow_keys->ipv6_src, ++ sizeof(key_addrs->v6addrs.src)); ++ memcpy(&key_addrs->v6addrs.dst, &flow_keys->ipv6_dst, ++ sizeof(key_addrs->v6addrs.dst)); + key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS; + } + +-- +2.30.2 + diff --git a/queue-5.10/fs-dlm-add-errno-handling-to-check-callback.patch b/queue-5.10/fs-dlm-add-errno-handling-to-check-callback.patch new file mode 100644 index 00000000000..44ea8da04bf --- /dev/null +++ b/queue-5.10/fs-dlm-add-errno-handling-to-check-callback.patch @@ -0,0 +1,74 @@ +From c95b5565efbc286fcf4975c8c7071c2306c025a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 17:05:12 -0500 +Subject: fs: dlm: add errno handling to check callback + +From: Alexander Aring + +[ Upstream commit 8aa9540b49e0833feba75dbf4f45babadd0ed215 ] + +This allows to return individual errno values for the config attribute +check callback instead of returning invalid argument only. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/config.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/fs/dlm/config.c b/fs/dlm/config.c +index 49c5f9407098..73e6643903af 100644 +--- a/fs/dlm/config.c ++++ b/fs/dlm/config.c +@@ -125,7 +125,7 @@ static ssize_t cluster_cluster_name_store(struct config_item *item, + CONFIGFS_ATTR(cluster_, cluster_name); + + static ssize_t cluster_set(struct dlm_cluster *cl, unsigned int *cl_field, +- int *info_field, bool (*check_cb)(unsigned int x), ++ int *info_field, int (*check_cb)(unsigned int x), + const char *buf, size_t len) + { + unsigned int x; +@@ -137,8 +137,11 @@ static ssize_t cluster_set(struct dlm_cluster *cl, unsigned int *cl_field, + if (rc) + return rc; + +- if (check_cb && check_cb(x)) +- return -EINVAL; ++ if (check_cb) { ++ rc = check_cb(x); ++ if (rc) ++ return rc; ++ } + + *cl_field = x; + *info_field = x; +@@ -161,14 +164,20 @@ static ssize_t cluster_##name##_show(struct config_item *item, char *buf) \ + } \ + CONFIGFS_ATTR(cluster_, name); + +-static bool dlm_check_zero(unsigned int x) ++static int dlm_check_zero(unsigned int x) + { +- return !x; ++ if (!x) ++ return -EINVAL; ++ ++ return 0; + } + +-static bool dlm_check_buffer_size(unsigned int x) ++static int dlm_check_buffer_size(unsigned int x) + { +- return (x < DEFAULT_BUFFER_SIZE); ++ if (x < DEFAULT_BUFFER_SIZE) ++ return -EINVAL; ++ ++ return 0; + } + + CLUSTER_ATTR(tcp_port, dlm_check_zero); +-- +2.30.2 + diff --git a/queue-5.10/fs-dlm-check-on-minimum-msglen-size.patch b/queue-5.10/fs-dlm-check-on-minimum-msglen-size.patch new file mode 100644 index 00000000000..e8b9f42b076 --- /dev/null +++ b/queue-5.10/fs-dlm-check-on-minimum-msglen-size.patch @@ -0,0 +1,42 @@ +From f5cf3a8ddce15dbfb5e2b481e5e22b3901d77b9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 17:05:17 -0500 +Subject: fs: dlm: check on minimum msglen size + +From: Alexander Aring + +[ Upstream commit 710176e8363f269c6ecd73d203973b31ace119d3 ] + +This patch adds an additional check for minimum dlm header size which is +an invalid dlm message and signals a broken stream. A msglen field cannot +be less than the dlm header size because the field is inclusive header +lengths. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/midcomms.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c +index fde3a6afe4be..0bedfa8606a2 100644 +--- a/fs/dlm/midcomms.c ++++ b/fs/dlm/midcomms.c +@@ -49,9 +49,10 @@ int dlm_process_incoming_buffer(int nodeid, unsigned char *buf, int len) + * cannot deliver this message to upper layers + */ + msglen = get_unaligned_le16(&hd->h_length); +- if (msglen > DEFAULT_BUFFER_SIZE) { +- log_print("received invalid length header: %u, will abort message parsing", +- msglen); ++ if (msglen > DEFAULT_BUFFER_SIZE || ++ msglen < sizeof(struct dlm_header)) { ++ log_print("received invalid length header: %u from node %d, will abort message parsing", ++ msglen, nodeid); + return -EBADMSG; + } + +-- +2.30.2 + diff --git a/queue-5.10/fs-dlm-fix-debugfs-dump.patch b/queue-5.10/fs-dlm-fix-debugfs-dump.patch new file mode 100644 index 00000000000..2be4ea4f598 --- /dev/null +++ b/queue-5.10/fs-dlm-fix-debugfs-dump.patch @@ -0,0 +1,40 @@ +From 038521028d65925d528661462542017025cb39e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 17:05:08 -0500 +Subject: fs: dlm: fix debugfs dump + +From: Alexander Aring + +[ Upstream commit 92c48950b43f4a767388cf87709d8687151a641f ] + +This patch fixes the following message which randomly pops up during +glocktop call: + +seq_file: buggy .next function table_seq_next did not update position index + +The issue is that seq_read_iter() in fs/seq_file.c also needs an +increment of the index in an non next record case as well which this +patch fixes otherwise seq_read_iter() will print out the above message. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/debug_fs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/dlm/debug_fs.c b/fs/dlm/debug_fs.c +index d6bbccb0ed15..d5bd990bcab8 100644 +--- a/fs/dlm/debug_fs.c ++++ b/fs/dlm/debug_fs.c +@@ -542,6 +542,7 @@ static void *table_seq_next(struct seq_file *seq, void *iter_ptr, loff_t *pos) + + if (bucket >= ls->ls_rsbtbl_size) { + kfree(ri); ++ ++*pos; + return NULL; + } + tree = toss ? &ls->ls_rsbtbl[bucket].toss : &ls->ls_rsbtbl[bucket].keep; +-- +2.30.2 + diff --git a/queue-5.10/fs-dlm-flush-swork-on-shutdown.patch b/queue-5.10/fs-dlm-flush-swork-on-shutdown.patch new file mode 100644 index 00000000000..bef9082d409 --- /dev/null +++ b/queue-5.10/fs-dlm-flush-swork-on-shutdown.patch @@ -0,0 +1,42 @@ +From aa70b1a6551c505450339258edcb3273881918be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 17:05:19 -0500 +Subject: fs: dlm: flush swork on shutdown + +From: Alexander Aring + +[ Upstream commit eec054b5a7cfe6d1f1598a323b05771ee99857b5 ] + +This patch fixes the flushing of send work before shutdown. The function +cancel_work_sync() is not the right workqueue functionality to use here +as it would cancel the work if the work queues itself. In cases of +EAGAIN in send() for dlm message we need to be sure that everything is +send out before. The function flush_work() will ensure that every send +work is be done inclusive in EAGAIN cases. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lowcomms.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c +index 79f56f16bc2c..44e2716ac158 100644 +--- a/fs/dlm/lowcomms.c ++++ b/fs/dlm/lowcomms.c +@@ -612,10 +612,7 @@ static void shutdown_connection(struct connection *con) + { + int ret; + +- if (cancel_work_sync(&con->swork)) { +- log_print("canceled swork for node %d", con->nodeid); +- clear_bit(CF_WRITE_PENDING, &con->flags); +- } ++ flush_work(&con->swork); + + mutex_lock(&con->sock_mutex); + /* nothing to shutdown */ +-- +2.30.2 + diff --git a/queue-5.10/fs-proc-generic.c-fix-incorrect-pde_is_permanent-che.patch b/queue-5.10/fs-proc-generic.c-fix-incorrect-pde_is_permanent-che.patch new file mode 100644 index 00000000000..fd1f4e62517 --- /dev/null +++ b/queue-5.10/fs-proc-generic.c-fix-incorrect-pde_is_permanent-che.patch @@ -0,0 +1,43 @@ +From 2b359c1b296408041f144716ae03cdb2d1d86682 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 18:02:10 -0700 +Subject: fs/proc/generic.c: fix incorrect pde_is_permanent check + +From: Colin Ian King + +[ Upstream commit f4bf74d82915708208bc9d0c9bd3f769f56bfbec ] + +Currently the pde_is_permanent() check is being run on root multiple times +rather than on the next proc directory entry. This looks like a +copy-paste error. Fix this by replacing root with next. + +Addresses-Coverity: ("Copy-paste error") +Link: https://lkml.kernel.org/r/20210318122633.14222-1-colin.king@canonical.com +Fixes: d919b33dafb3 ("proc: faster open/read/close with "permanent" files") +Signed-off-by: Colin Ian King +Acked-by: Christian Brauner +Reviewed-by: Alexey Dobriyan +Cc: Greg Kroah-Hartman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/proc/generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/proc/generic.c b/fs/proc/generic.c +index 6c0a05f55d6b..09e4d8a499a3 100644 +--- a/fs/proc/generic.c ++++ b/fs/proc/generic.c +@@ -754,7 +754,7 @@ int remove_proc_subtree(const char *name, struct proc_dir_entry *parent) + while (1) { + next = pde_subdir_first(de); + if (next) { +- if (unlikely(pde_is_permanent(root))) { ++ if (unlikely(pde_is_permanent(next))) { + write_unlock(&proc_subdir_lock); + WARN(1, "removing permanent /proc entry '%s/%s'", + next->parent->name, next->name); +-- +2.30.2 + diff --git a/queue-5.10/fuse-invalidate-attrs-when-page-writeback-completes.patch b/queue-5.10/fuse-invalidate-attrs-when-page-writeback-completes.patch new file mode 100644 index 00000000000..8b9acee343e --- /dev/null +++ b/queue-5.10/fuse-invalidate-attrs-when-page-writeback-completes.patch @@ -0,0 +1,80 @@ +From 0227a6b7380bdc6164913224d825df196ca152a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 10:07:06 -0400 +Subject: fuse: invalidate attrs when page writeback completes + +From: Vivek Goyal + +[ Upstream commit 3466958beb31a8e9d3a1441a34228ed088b84f3e ] + +In fuse when a direct/write-through write happens we invalidate attrs +because that might have updated mtime/ctime on server and cached +mtime/ctime will be stale. + +What about page writeback path. Looks like we don't invalidate attrs +there. To be consistent, invalidate attrs in writeback path as well. Only +exception is when writeback_cache is enabled. In that case we strust local +mtime/ctime and there is no need to invalidate attrs. + +Recently users started experiencing failure of xfstests generic/080, +geneirc/215 and generic/614 on virtiofs. This happened only newer "stat" +utility and not older one. This patch fixes the issue. + +So what's the root cause of the issue. Here is detailed explanation. + +generic/080 test does mmap write to a file, closes the file and then checks +if mtime has been updated or not. When file is closed, it leads to +flushing of dirty pages (and that should update mtime/ctime on server). +But we did not explicitly invalidate attrs after writeback finished. Still +generic/080 passed so far and reason being that we invalidated atime in +fuse_readpages_end(). This is called in fuse_readahead() path and always +seems to trigger before mmaped write. + +So after mmaped write when lstat() is called, it sees that atleast one of +the fields being asked for is invalid (atime) and that results in +generating GETATTR to server and mtime/ctime also get updated and test +passes. + +But newer /usr/bin/stat seems to have moved to using statx() syscall now +(instead of using lstat()). And statx() allows it to query only ctime or +mtime (and not rest of the basic stat fields). That means when querying +for mtime, fuse_update_get_attr() sees that mtime is not invalid (only +atime is invalid). So it does not generate a new GETATTR and fill stat +with cached mtime/ctime. And that means updated mtime is not seen by +xfstest and tests start failing. + +Invalidating attrs after writeback completion should solve this problem in +a generic manner. + +Signed-off-by: Vivek Goyal +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +--- + fs/fuse/file.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/fuse/file.c b/fs/fuse/file.c +index 7160d30068f3..8de9c24ac4ac 100644 +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -1761,8 +1761,17 @@ static void fuse_writepage_end(struct fuse_mount *fm, struct fuse_args *args, + container_of(args, typeof(*wpa), ia.ap.args); + struct inode *inode = wpa->inode; + struct fuse_inode *fi = get_fuse_inode(inode); ++ struct fuse_conn *fc = get_fuse_conn(inode); + + mapping_set_error(inode->i_mapping, error); ++ /* ++ * A writeback finished and this might have updated mtime/ctime on ++ * server making local mtime/ctime stale. Hence invalidate attrs. ++ * Do this only if writeback_cache is not enabled. If writeback_cache ++ * is enabled, we trust local ctime/mtime. ++ */ ++ if (!fc->writeback_cache) ++ fuse_invalidate_attr(inode); + spin_lock(&fi->lock); + rb_erase(&wpa->writepages_entry, &fi->writepages); + while (wpa->next) { +-- +2.30.2 + diff --git a/queue-5.10/i2c-add-i2c_aq_no_rep_start-adapter-quirk.patch b/queue-5.10/i2c-add-i2c_aq_no_rep_start-adapter-quirk.patch new file mode 100644 index 00000000000..5f8183cbfa8 --- /dev/null +++ b/queue-5.10/i2c-add-i2c_aq_no_rep_start-adapter-quirk.patch @@ -0,0 +1,39 @@ +From c0bc910f3405a26cac67ec8fad835e2785c8f177 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Mar 2021 19:19:20 +0000 +Subject: i2c: Add I2C_AQ_NO_REP_START adapter quirk +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bence Csókás + +[ Upstream commit aca01415e076aa96cca0f801f4420ee5c10c660d ] + +This quirk signifies that the adapter cannot do a repeated +START, it always issues a STOP condition after transfers. + +Suggested-by: Wolfram Sang +Signed-off-by: Bence Csókás +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + include/linux/i2c.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/i2c.h b/include/linux/i2c.h +index 56622658b215..a670ae129f4b 100644 +--- a/include/linux/i2c.h ++++ b/include/linux/i2c.h +@@ -687,6 +687,8 @@ struct i2c_adapter_quirks { + #define I2C_AQ_NO_ZERO_LEN_READ BIT(5) + #define I2C_AQ_NO_ZERO_LEN_WRITE BIT(6) + #define I2C_AQ_NO_ZERO_LEN (I2C_AQ_NO_ZERO_LEN_READ | I2C_AQ_NO_ZERO_LEN_WRITE) ++/* adapter cannot do repeated START */ ++#define I2C_AQ_NO_REP_START BIT(7) + + /* + * i2c_adapter is the structure used to identify a physical i2c bus along +-- +2.30.2 + diff --git a/queue-5.10/i2c-bail-out-early-when-rdwr-parameters-are-wrong.patch b/queue-5.10/i2c-bail-out-early-when-rdwr-parameters-are-wrong.patch new file mode 100644 index 00000000000..36a595ef921 --- /dev/null +++ b/queue-5.10/i2c-bail-out-early-when-rdwr-parameters-are-wrong.patch @@ -0,0 +1,46 @@ +From 495d6c5f8db554e495b0472073361cbecca0a58d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Mar 2021 12:57:34 +0100 +Subject: i2c: bail out early when RDWR parameters are wrong + +From: Wolfram Sang + +[ Upstream commit 71581562ee36032d2d574a9b23ad4af6d6a64cf7 ] + +The buggy parameters currently get caught later, but emit a noisy WARN. +Userspace should not be able to trigger this, so add similar checks much +earlier. Also avoids some unneeded code paths, of course. Apply kernel +coding stlye to a comment while here. + +Reported-by: syzbot+ffb0b3ffa6cfbc7d7b3f@syzkaller.appspotmail.com +Tested-by: syzbot+ffb0b3ffa6cfbc7d7b3f@syzkaller.appspotmail.com +Signed-off-by: Wolfram Sang +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-dev.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c +index 6ceb11cc4be1..6ef38a8ee95c 100644 +--- a/drivers/i2c/i2c-dev.c ++++ b/drivers/i2c/i2c-dev.c +@@ -440,8 +440,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + sizeof(rdwr_arg))) + return -EFAULT; + +- /* Put an arbitrary limit on the number of messages that can +- * be sent at once */ ++ if (!rdwr_arg.msgs || rdwr_arg.nmsgs == 0) ++ return -EINVAL; ++ ++ /* ++ * Put an arbitrary limit on the number of messages that can ++ * be sent at once ++ */ + if (rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS) + return -EINVAL; + +-- +2.30.2 + diff --git a/queue-5.10/i40e-fix-broken-xdp-support.patch b/queue-5.10/i40e-fix-broken-xdp-support.patch new file mode 100644 index 00000000000..0ab7c8bd978 --- /dev/null +++ b/queue-5.10/i40e-fix-broken-xdp-support.patch @@ -0,0 +1,77 @@ +From 3a2e9fbf6262ae88017c5721f9ca7561f928a962 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Apr 2021 13:14:01 +0200 +Subject: i40e: fix broken XDP support + +From: Magnus Karlsson + +[ Upstream commit ae4393dfd472b194c90d75d2123105fb5ed59b04 ] + +Commit 12738ac4754e ("i40e: Fix sparse errors in i40e_txrx.c") broke +XDP support in the i40e driver. That commit was fixing a sparse error +in the code by introducing a new variable xdp_res instead of +overloading this into the skb pointer. The problem is that the code +later uses the skb pointer in if statements and these where not +extended to also test for the new xdp_res variable. Fix this by adding +the correct tests for xdp_res in these places. + +The skb pointer was used to store the result of the XDP program by +overloading the results in the error pointer +ERR_PTR(-result). Therefore, the allocation failure test that used to +only test for !skb now need to be extended to also consider !xdp_res. + +i40e_cleanup_headers() had a check that based on the skb value being +an error pointer, i.e. a result from the XDP program != XDP_PASS, and +if so start to process a new packet immediately, instead of populating +skb fields and sending the skb to the stack. This check is not needed +anymore, since we have added an explicit test for xdp_res being set +and if so just do continue to pick the next packet from the NIC. + +Fixes: 12738ac4754e ("i40e: Fix sparse errors in i40e_txrx.c") +Acked-by: Jesper Dangaard Brouer +Tested-by: Jesper Dangaard Brouer +Reported-by: Jesper Dangaard Brouer +Reviewed-by: Maciej Fijalkowski +Signed-off-by: Magnus Karlsson +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index 62b439232fa5..011f484606a3 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -1810,10 +1810,6 @@ static bool i40e_cleanup_headers(struct i40e_ring *rx_ring, struct sk_buff *skb, + union i40e_rx_desc *rx_desc) + + { +- /* XDP packets use error pointer so abort at this point */ +- if (IS_ERR(skb)) +- return true; +- + /* ERR_MASK will only have valid bits if EOP set, and + * what we are doing here is actually checking + * I40E_RX_DESC_ERROR_RXE_SHIFT, since it is the zeroth bit in +@@ -2426,7 +2422,7 @@ static int i40e_clean_rx_irq(struct i40e_ring *rx_ring, int budget) + } + + /* exit if we failed to retrieve a buffer */ +- if (!skb) { ++ if (!xdp_res && !skb) { + rx_ring->rx_stats.alloc_buff_failed++; + rx_buffer->pagecnt_bias++; + break; +@@ -2438,7 +2434,7 @@ static int i40e_clean_rx_irq(struct i40e_ring *rx_ring, int budget) + if (i40e_is_non_eop(rx_ring, rx_desc, skb)) + continue; + +- if (i40e_cleanup_headers(rx_ring, skb, rx_desc)) { ++ if (xdp_res || i40e_cleanup_headers(rx_ring, skb, rx_desc)) { + skb = NULL; + continue; + } +-- +2.30.2 + diff --git a/queue-5.10/i40e-fix-phy-type-identifiers-for-2.5g-and-5g-adapte.patch b/queue-5.10/i40e-fix-phy-type-identifiers-for-2.5g-and-5g-adapte.patch new file mode 100644 index 00000000000..01ad808a6a2 --- /dev/null +++ b/queue-5.10/i40e-fix-phy-type-identifiers-for-2.5g-and-5g-adapte.patch @@ -0,0 +1,96 @@ +From 5e4a0d00ba7528b858ae9a7552d1d8b2d10a5837 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Apr 2021 14:43:07 +0000 +Subject: i40e: Fix PHY type identifiers for 2.5G and 5G adapters + +From: Mateusz Palczewski + +[ Upstream commit 15395ec4685bd45a43d1b54b8fd9846b87e2c621 ] + +Unlike other supported adapters, 2.5G and 5G use different +PHY type identifiers for reading/writing PHY settings +and for reading link status. This commit introduces +separate PHY identifiers for these two operation types. + +Fixes: 2e45d3f4677a ("i40e: Add support for X710 B/P & SFP+ cards") +Signed-off-by: Dawid Lukwinski +Signed-off-by: Mateusz Palczewski +Reviewed-by: Aleksandr Loktionov +Tested-by: Dave Switzer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h | 6 ++++-- + drivers/net/ethernet/intel/i40e/i40e_common.c | 4 ++-- + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 4 ++-- + drivers/net/ethernet/intel/i40e/i40e_type.h | 7 ++----- + 4 files changed, 10 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h +index 1e960c3c7ef0..e84054fb8213 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h +@@ -1565,8 +1565,10 @@ enum i40e_aq_phy_type { + I40E_PHY_TYPE_25GBASE_LR = 0x22, + I40E_PHY_TYPE_25GBASE_AOC = 0x23, + I40E_PHY_TYPE_25GBASE_ACC = 0x24, +- I40E_PHY_TYPE_2_5GBASE_T = 0x30, +- I40E_PHY_TYPE_5GBASE_T = 0x31, ++ I40E_PHY_TYPE_2_5GBASE_T = 0x26, ++ I40E_PHY_TYPE_5GBASE_T = 0x27, ++ I40E_PHY_TYPE_2_5GBASE_T_LINK_STATUS = 0x30, ++ I40E_PHY_TYPE_5GBASE_T_LINK_STATUS = 0x31, + I40E_PHY_TYPE_MAX, + I40E_PHY_TYPE_NOT_SUPPORTED_HIGH_TEMP = 0xFD, + I40E_PHY_TYPE_EMPTY = 0xFE, +diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c +index adc9e4fa4789..ba109073d605 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_common.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_common.c +@@ -1154,8 +1154,8 @@ static enum i40e_media_type i40e_get_media_type(struct i40e_hw *hw) + break; + case I40E_PHY_TYPE_100BASE_TX: + case I40E_PHY_TYPE_1000BASE_T: +- case I40E_PHY_TYPE_2_5GBASE_T: +- case I40E_PHY_TYPE_5GBASE_T: ++ case I40E_PHY_TYPE_2_5GBASE_T_LINK_STATUS: ++ case I40E_PHY_TYPE_5GBASE_T_LINK_STATUS: + case I40E_PHY_TYPE_10GBASE_T: + media = I40E_MEDIA_TYPE_BASET; + break; +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +index 13554706c180..5d48bc0c3f6c 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -841,8 +841,8 @@ static void i40e_get_settings_link_up(struct i40e_hw *hw, + 10000baseT_Full); + break; + case I40E_PHY_TYPE_10GBASE_T: +- case I40E_PHY_TYPE_5GBASE_T: +- case I40E_PHY_TYPE_2_5GBASE_T: ++ case I40E_PHY_TYPE_5GBASE_T_LINK_STATUS: ++ case I40E_PHY_TYPE_2_5GBASE_T_LINK_STATUS: + case I40E_PHY_TYPE_1000BASE_T: + case I40E_PHY_TYPE_100BASE_TX: + ethtool_link_ksettings_add_link_mode(ks, supported, Autoneg); +diff --git a/drivers/net/ethernet/intel/i40e/i40e_type.h b/drivers/net/ethernet/intel/i40e/i40e_type.h +index c0bdc666f557..add67f7b73e8 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_type.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_type.h +@@ -239,11 +239,8 @@ struct i40e_phy_info { + #define I40E_CAP_PHY_TYPE_25GBASE_ACC BIT_ULL(I40E_PHY_TYPE_25GBASE_ACC + \ + I40E_PHY_TYPE_OFFSET) + /* Offset for 2.5G/5G PHY Types value to bit number conversion */ +-#define I40E_PHY_TYPE_OFFSET2 (-10) +-#define I40E_CAP_PHY_TYPE_2_5GBASE_T BIT_ULL(I40E_PHY_TYPE_2_5GBASE_T + \ +- I40E_PHY_TYPE_OFFSET2) +-#define I40E_CAP_PHY_TYPE_5GBASE_T BIT_ULL(I40E_PHY_TYPE_5GBASE_T + \ +- I40E_PHY_TYPE_OFFSET2) ++#define I40E_CAP_PHY_TYPE_2_5GBASE_T BIT_ULL(I40E_PHY_TYPE_2_5GBASE_T) ++#define I40E_CAP_PHY_TYPE_5GBASE_T BIT_ULL(I40E_PHY_TYPE_5GBASE_T) + #define I40E_HW_CAP_MAX_GPIO 30 + /* Capabilities of a PF or a VF or the whole device */ + struct i40e_hw_capabilities { +-- +2.30.2 + diff --git a/queue-5.10/i40e-fix-the-restart-auto-negotiation-after-fec-modi.patch b/queue-5.10/i40e-fix-the-restart-auto-negotiation-after-fec-modi.patch new file mode 100644 index 00000000000..8b78209cab5 --- /dev/null +++ b/queue-5.10/i40e-fix-the-restart-auto-negotiation-after-fec-modi.patch @@ -0,0 +1,41 @@ +From 2b545444034ad16a81d3f161411a2532997f0339 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Apr 2021 14:19:40 +0000 +Subject: i40e: fix the restart auto-negotiation after FEC modified + +From: Jaroslaw Gawin + +[ Upstream commit 61343e6da7810de81d6b826698946ae4f9070819 ] + +When FEC mode was changed the link didn't know it because +the link was not reset and new parameters were not negotiated. +Set a flag 'I40E_AQ_PHY_ENABLE_ATOMIC_LINK' in 'abilities' +to restart the link and make it run with the new settings. + +Fixes: 1d96340196f1 ("i40e: Add support FEC configuration for Fortville 25G") +Signed-off-by: Jaroslaw Gawin +Signed-off-by: Mateusz Palczewski +Tested-by: Dave Switzer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +index 31d48a85cfaf..13554706c180 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -1409,7 +1409,8 @@ static int i40e_set_fec_cfg(struct net_device *netdev, u8 fec_cfg) + + memset(&config, 0, sizeof(config)); + config.phy_type = abilities.phy_type; +- config.abilities = abilities.abilities; ++ config.abilities = abilities.abilities | ++ I40E_AQ_PHY_ENABLE_ATOMIC_LINK; + config.phy_type_ext = abilities.phy_type_ext; + config.link_speed = abilities.link_speed; + config.eee_capability = abilities.eee_capability; +-- +2.30.2 + diff --git a/queue-5.10/i40e-fix-use-after-free-in-i40e_client_subtask.patch b/queue-5.10/i40e-fix-use-after-free-in-i40e_client_subtask.patch new file mode 100644 index 00000000000..3ea862a69e5 --- /dev/null +++ b/queue-5.10/i40e-fix-use-after-free-in-i40e_client_subtask.patch @@ -0,0 +1,37 @@ +From 9cc4db84ec2a40e03d4922b564479922fc88f23f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Apr 2021 22:41:18 +0800 +Subject: i40e: Fix use-after-free in i40e_client_subtask() + +From: Yunjian Wang + +[ Upstream commit 38318f23a7ef86a8b1862e5e8078c4de121960c3 ] + +Currently the call to i40e_client_del_instance frees the object +pf->cinst, however pf->cinst->lan_info is being accessed after +the free. Fix this by adding the missing return. + +Addresses-Coverity: ("Read from pointer after free") +Fixes: 7b0b1a6d0ac9 ("i40e: Disable iWARP VSI PETCP_ENA flag on netdev down events") +Signed-off-by: Yunjian Wang +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_client.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c +index a2dba32383f6..32f3facbed1a 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_client.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c +@@ -375,6 +375,7 @@ void i40e_client_subtask(struct i40e_pf *pf) + clear_bit(__I40E_CLIENT_INSTANCE_OPENED, + &cdev->state); + i40e_client_del_instance(pf); ++ return; + } + } + } +-- +2.30.2 + diff --git a/queue-5.10/ia64-module-fix-symbolizer-crash-on-fdescr.patch b/queue-5.10/ia64-module-fix-symbolizer-crash-on-fdescr.patch new file mode 100644 index 00000000000..61116c2674f --- /dev/null +++ b/queue-5.10/ia64-module-fix-symbolizer-crash-on-fdescr.patch @@ -0,0 +1,120 @@ +From 838dca9558a8acfb2d960c8dfc90ea9bf6f3cb18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 22:53:48 -0700 +Subject: ia64: module: fix symbolizer crash on fdescr + +From: Sergei Trofimovich + +[ Upstream commit 99e729bd40fb3272fa4b0140839d5e957b58588a ] + +Noticed failure as a crash on ia64 when tried to symbolize all backtraces +collected by page_owner=on: + + $ cat /sys/kernel/debug/page_owner + + + CPU: 1 PID: 2074 Comm: cat Not tainted 5.12.0-rc4 #226 + Hardware name: hp server rx3600, BIOS 04.03 04/08/2008 + ip is at dereference_module_function_descriptor+0x41/0x100 + +Crash happens at dereference_module_function_descriptor() due to +use-after-free when dereferencing ".opd" section header. + +All section headers are already freed after module is laoded successfully. + +To keep symbolizer working the change stores ".opd" address and size after +module is relocated to a new place and before section headers are +discarded. + +To make similar errors less obscure module_finalize() now zeroes out all +variables relevant to module loading only. + +Link: https://lkml.kernel.org/r/20210403074803.3309096-1-slyfox@gentoo.org +Signed-off-by: Sergei Trofimovich +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/ia64/include/asm/module.h | 6 +++++- + arch/ia64/kernel/module.c | 29 +++++++++++++++++++++++++---- + 2 files changed, 30 insertions(+), 5 deletions(-) + +diff --git a/arch/ia64/include/asm/module.h b/arch/ia64/include/asm/module.h +index 5a29652e6def..7271b9c5fc76 100644 +--- a/arch/ia64/include/asm/module.h ++++ b/arch/ia64/include/asm/module.h +@@ -14,16 +14,20 @@ + struct elf64_shdr; /* forward declration */ + + struct mod_arch_specific { ++ /* Used only at module load time. */ + struct elf64_shdr *core_plt; /* core PLT section */ + struct elf64_shdr *init_plt; /* init PLT section */ + struct elf64_shdr *got; /* global offset table */ + struct elf64_shdr *opd; /* official procedure descriptors */ + struct elf64_shdr *unwind; /* unwind-table section */ + unsigned long gp; /* global-pointer for module */ ++ unsigned int next_got_entry; /* index of next available got entry */ + ++ /* Used at module run and cleanup time. */ + void *core_unw_table; /* core unwind-table cookie returned by unwinder */ + void *init_unw_table; /* init unwind-table cookie returned by unwinder */ +- unsigned int next_got_entry; /* index of next available got entry */ ++ void *opd_addr; /* symbolize uses .opd to get to actual function */ ++ unsigned long opd_size; + }; + + #define ARCH_SHF_SMALL SHF_IA_64_SHORT +diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c +index 00a496cb346f..2cba53c1da82 100644 +--- a/arch/ia64/kernel/module.c ++++ b/arch/ia64/kernel/module.c +@@ -905,9 +905,31 @@ register_unwind_table (struct module *mod) + int + module_finalize (const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs, struct module *mod) + { ++ struct mod_arch_specific *mas = &mod->arch; ++ + DEBUGP("%s: init: entry=%p\n", __func__, mod->init); +- if (mod->arch.unwind) ++ if (mas->unwind) + register_unwind_table(mod); ++ ++ /* ++ * ".opd" was already relocated to the final destination. Store ++ * it's address for use in symbolizer. ++ */ ++ mas->opd_addr = (void *)mas->opd->sh_addr; ++ mas->opd_size = mas->opd->sh_size; ++ ++ /* ++ * Module relocation was already done at this point. Section ++ * headers are about to be deleted. Wipe out load-time context. ++ */ ++ mas->core_plt = NULL; ++ mas->init_plt = NULL; ++ mas->got = NULL; ++ mas->opd = NULL; ++ mas->unwind = NULL; ++ mas->gp = 0; ++ mas->next_got_entry = 0; ++ + return 0; + } + +@@ -926,10 +948,9 @@ module_arch_cleanup (struct module *mod) + + void *dereference_module_function_descriptor(struct module *mod, void *ptr) + { +- Elf64_Shdr *opd = mod->arch.opd; ++ struct mod_arch_specific *mas = &mod->arch; + +- if (ptr < (void *)opd->sh_addr || +- ptr >= (void *)(opd->sh_addr + opd->sh_size)) ++ if (ptr < mas->opd_addr || ptr >= mas->opd_addr + mas->opd_size) + return ptr; + + return dereference_function_descriptor(ptr); +-- +2.30.2 + diff --git a/queue-5.10/iavf-remove-duplicate-free-resources-calls.patch b/queue-5.10/iavf-remove-duplicate-free-resources-calls.patch new file mode 100644 index 00000000000..acfcbc15ebc --- /dev/null +++ b/queue-5.10/iavf-remove-duplicate-free-resources-calls.patch @@ -0,0 +1,36 @@ +From 7a0e2792f7102c1bde3d8fd9ad1dd7401d1d7a9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Mar 2021 15:41:42 +0100 +Subject: iavf: remove duplicate free resources calls + +From: Stefan Assmann + +[ Upstream commit 1a0e880b028f97478dc689e2900b312741d0d772 ] + +Both iavf_free_all_tx_resources() and iavf_free_all_rx_resources() have +already been called in the very same function. +Remove the duplicate calls. + +Signed-off-by: Stefan Assmann +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index dc5b3c06d1e0..ebd08543791b 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -3899,8 +3899,6 @@ static void iavf_remove(struct pci_dev *pdev) + + iounmap(hw->hw_addr); + pci_release_regions(pdev); +- iavf_free_all_tx_resources(adapter); +- iavf_free_all_rx_resources(adapter); + iavf_free_queues(adapter); + kfree(adapter->vf_res); + spin_lock_bh(&adapter->mac_vlan_list_lock); +-- +2.30.2 + diff --git a/queue-5.10/ib-hfi1-correct-oversized-ring-allocation.patch b/queue-5.10/ib-hfi1-correct-oversized-ring-allocation.patch new file mode 100644 index 00000000000..91eadd79420 --- /dev/null +++ b/queue-5.10/ib-hfi1-correct-oversized-ring-allocation.patch @@ -0,0 +1,96 @@ +From ea116dd81d667a4964e891f47de7aabf4f33b477 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 09:54:09 -0400 +Subject: IB/hfi1: Correct oversized ring allocation + +From: Mike Marciniszyn + +[ Upstream commit b536d4b2a279733f440c911dc831764690b90050 ] + +The completion ring for tx is using the wrong size to size the ring, +oversizing the ring by two orders of magniture. + +Correct the allocation size and use kcalloc_node() to allocate the ring. +Fix mistaken GFP defines in similar allocations. + +Link: https://lore.kernel.org/r/1617026056-50483-4-git-send-email-dennis.dalessandro@cornelisnetworks.com +Reviewed-by: Kaike Wan +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/ipoib.h | 3 ++- + drivers/infiniband/hw/hfi1/ipoib_tx.c | 14 +++++++------- + 2 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/ipoib.h b/drivers/infiniband/hw/hfi1/ipoib.h +index b8c9d0a003fb..1ee361c6d11a 100644 +--- a/drivers/infiniband/hw/hfi1/ipoib.h ++++ b/drivers/infiniband/hw/hfi1/ipoib.h +@@ -52,8 +52,9 @@ union hfi1_ipoib_flow { + * @producer_lock: producer sync lock + * @consumer_lock: consumer sync lock + */ ++struct ipoib_txreq; + struct hfi1_ipoib_circ_buf { +- void **items; ++ struct ipoib_txreq **items; + unsigned long head; + unsigned long tail; + unsigned long max_items; +diff --git a/drivers/infiniband/hw/hfi1/ipoib_tx.c b/drivers/infiniband/hw/hfi1/ipoib_tx.c +index 9df292b51a05..ab1eefffc14b 100644 +--- a/drivers/infiniband/hw/hfi1/ipoib_tx.c ++++ b/drivers/infiniband/hw/hfi1/ipoib_tx.c +@@ -702,14 +702,14 @@ int hfi1_ipoib_txreq_init(struct hfi1_ipoib_dev_priv *priv) + + priv->tx_napis = kcalloc_node(dev->num_tx_queues, + sizeof(struct napi_struct), +- GFP_ATOMIC, ++ GFP_KERNEL, + priv->dd->node); + if (!priv->tx_napis) + goto free_txreq_cache; + + priv->txqs = kcalloc_node(dev->num_tx_queues, + sizeof(struct hfi1_ipoib_txq), +- GFP_ATOMIC, ++ GFP_KERNEL, + priv->dd->node); + if (!priv->txqs) + goto free_tx_napis; +@@ -741,9 +741,9 @@ int hfi1_ipoib_txreq_init(struct hfi1_ipoib_dev_priv *priv) + priv->dd->node); + + txq->tx_ring.items = +- vzalloc_node(array_size(tx_ring_size, +- sizeof(struct ipoib_txreq)), +- priv->dd->node); ++ kcalloc_node(tx_ring_size, ++ sizeof(struct ipoib_txreq *), ++ GFP_KERNEL, priv->dd->node); + if (!txq->tx_ring.items) + goto free_txqs; + +@@ -764,7 +764,7 @@ free_txqs: + struct hfi1_ipoib_txq *txq = &priv->txqs[i]; + + netif_napi_del(txq->napi); +- vfree(txq->tx_ring.items); ++ kfree(txq->tx_ring.items); + } + + kfree(priv->txqs); +@@ -817,7 +817,7 @@ void hfi1_ipoib_txreq_deinit(struct hfi1_ipoib_dev_priv *priv) + hfi1_ipoib_drain_tx_list(txq); + netif_napi_del(txq->napi); + (void)hfi1_ipoib_drain_tx_ring(txq, txq->tx_ring.max_items); +- vfree(txq->tx_ring.items); ++ kfree(txq->tx_ring.items); + } + + kfree(priv->txqs); +-- +2.30.2 + diff --git a/queue-5.10/ice-handle-increasing-tx-or-rx-ring-sizes.patch b/queue-5.10/ice-handle-increasing-tx-or-rx-ring-sizes.patch new file mode 100644 index 00000000000..c231ac99ca9 --- /dev/null +++ b/queue-5.10/ice-handle-increasing-tx-or-rx-ring-sizes.patch @@ -0,0 +1,215 @@ +From b8f865524c07735e404ec6c9206aa50b9f9fb799 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Mar 2021 10:12:05 -0800 +Subject: ice: handle increasing Tx or Rx ring sizes + +From: Paul M Stillwell Jr + +[ Upstream commit 2ec5638559c13b923250eccf495d2a033fccb3e7 ] + +There is an issue when the Tx or Rx ring size increases using +'ethtool -L ...' where the new rings don't get the correct ITR +values because when we rebuild the VSI we don't know that some +of the rings may be new. + +Fix this by looking at the original number of rings and +determining if the rings in ice_vsi_rebuild_set_coalesce() +were not present in the original rings received in +ice_vsi_rebuild_get_coalesce(). + +Also change the code to return an error if we can't allocate +memory for the coalesce data in ice_vsi_rebuild(). + +Signed-off-by: Paul M Stillwell Jr +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 123 ++++++++++++++++------ + drivers/net/ethernet/intel/ice/ice_txrx.h | 2 + + 2 files changed, 92 insertions(+), 33 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 170367eaa95a..e1384503dd4d 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -2684,38 +2684,46 @@ int ice_vsi_release(struct ice_vsi *vsi) + } + + /** +- * ice_vsi_rebuild_update_coalesce - set coalesce for a q_vector ++ * ice_vsi_rebuild_update_coalesce_intrl - set interrupt rate limit for a q_vector + * @q_vector: pointer to q_vector which is being updated +- * @coalesce: pointer to array of struct with stored coalesce ++ * @stored_intrl_setting: original INTRL setting + * + * Set coalesce param in q_vector and update these parameters in HW. + */ + static void +-ice_vsi_rebuild_update_coalesce(struct ice_q_vector *q_vector, +- struct ice_coalesce_stored *coalesce) ++ice_vsi_rebuild_update_coalesce_intrl(struct ice_q_vector *q_vector, ++ u16 stored_intrl_setting) + { +- struct ice_ring_container *rx_rc = &q_vector->rx; +- struct ice_ring_container *tx_rc = &q_vector->tx; + struct ice_hw *hw = &q_vector->vsi->back->hw; + +- tx_rc->itr_setting = coalesce->itr_tx; +- rx_rc->itr_setting = coalesce->itr_rx; +- +- /* dynamic ITR values will be updated during Tx/Rx */ +- if (!ITR_IS_DYNAMIC(tx_rc->itr_setting)) +- wr32(hw, GLINT_ITR(tx_rc->itr_idx, q_vector->reg_idx), +- ITR_REG_ALIGN(tx_rc->itr_setting) >> +- ICE_ITR_GRAN_S); +- if (!ITR_IS_DYNAMIC(rx_rc->itr_setting)) +- wr32(hw, GLINT_ITR(rx_rc->itr_idx, q_vector->reg_idx), +- ITR_REG_ALIGN(rx_rc->itr_setting) >> +- ICE_ITR_GRAN_S); +- +- q_vector->intrl = coalesce->intrl; ++ q_vector->intrl = stored_intrl_setting; + wr32(hw, GLINT_RATE(q_vector->reg_idx), + ice_intrl_usec_to_reg(q_vector->intrl, hw->intrl_gran)); + } + ++/** ++ * ice_vsi_rebuild_update_coalesce_itr - set coalesce for a q_vector ++ * @q_vector: pointer to q_vector which is being updated ++ * @rc: pointer to ring container ++ * @stored_itr_setting: original ITR setting ++ * ++ * Set coalesce param in q_vector and update these parameters in HW. ++ */ ++static void ++ice_vsi_rebuild_update_coalesce_itr(struct ice_q_vector *q_vector, ++ struct ice_ring_container *rc, ++ u16 stored_itr_setting) ++{ ++ struct ice_hw *hw = &q_vector->vsi->back->hw; ++ ++ rc->itr_setting = stored_itr_setting; ++ ++ /* dynamic ITR values will be updated during Tx/Rx */ ++ if (!ITR_IS_DYNAMIC(rc->itr_setting)) ++ wr32(hw, GLINT_ITR(rc->itr_idx, q_vector->reg_idx), ++ ITR_REG_ALIGN(rc->itr_setting) >> ICE_ITR_GRAN_S); ++} ++ + /** + * ice_vsi_rebuild_get_coalesce - get coalesce from all q_vectors + * @vsi: VSI connected with q_vectors +@@ -2735,6 +2743,11 @@ ice_vsi_rebuild_get_coalesce(struct ice_vsi *vsi, + coalesce[i].itr_tx = q_vector->tx.itr_setting; + coalesce[i].itr_rx = q_vector->rx.itr_setting; + coalesce[i].intrl = q_vector->intrl; ++ ++ if (i < vsi->num_txq) ++ coalesce[i].tx_valid = true; ++ if (i < vsi->num_rxq) ++ coalesce[i].rx_valid = true; + } + + return vsi->num_q_vectors; +@@ -2759,17 +2772,59 @@ ice_vsi_rebuild_set_coalesce(struct ice_vsi *vsi, + if ((size && !coalesce) || !vsi) + return; + +- for (i = 0; i < size && i < vsi->num_q_vectors; i++) +- ice_vsi_rebuild_update_coalesce(vsi->q_vectors[i], +- &coalesce[i]); +- +- /* number of q_vectors increased, so assume coalesce settings were +- * changed globally (i.e. ethtool -C eth0 instead of per-queue) and use +- * the previous settings from q_vector 0 for all of the new q_vectors ++ /* There are a couple of cases that have to be handled here: ++ * 1. The case where the number of queue vectors stays the same, but ++ * the number of Tx or Rx rings changes (the first for loop) ++ * 2. The case where the number of queue vectors increased (the ++ * second for loop) + */ +- for (; i < vsi->num_q_vectors; i++) +- ice_vsi_rebuild_update_coalesce(vsi->q_vectors[i], +- &coalesce[0]); ++ for (i = 0; i < size && i < vsi->num_q_vectors; i++) { ++ /* There are 2 cases to handle here and they are the same for ++ * both Tx and Rx: ++ * if the entry was valid previously (coalesce[i].[tr]x_valid ++ * and the loop variable is less than the number of rings ++ * allocated, then write the previous values ++ * ++ * if the entry was not valid previously, but the number of ++ * rings is less than are allocated (this means the number of ++ * rings increased from previously), then write out the ++ * values in the first element ++ */ ++ if (i < vsi->alloc_rxq && coalesce[i].rx_valid) ++ ice_vsi_rebuild_update_coalesce_itr(vsi->q_vectors[i], ++ &vsi->q_vectors[i]->rx, ++ coalesce[i].itr_rx); ++ else if (i < vsi->alloc_rxq) ++ ice_vsi_rebuild_update_coalesce_itr(vsi->q_vectors[i], ++ &vsi->q_vectors[i]->rx, ++ coalesce[0].itr_rx); ++ ++ if (i < vsi->alloc_txq && coalesce[i].tx_valid) ++ ice_vsi_rebuild_update_coalesce_itr(vsi->q_vectors[i], ++ &vsi->q_vectors[i]->tx, ++ coalesce[i].itr_tx); ++ else if (i < vsi->alloc_txq) ++ ice_vsi_rebuild_update_coalesce_itr(vsi->q_vectors[i], ++ &vsi->q_vectors[i]->tx, ++ coalesce[0].itr_tx); ++ ++ ice_vsi_rebuild_update_coalesce_intrl(vsi->q_vectors[i], ++ coalesce[i].intrl); ++ } ++ ++ /* the number of queue vectors increased so write whatever is in ++ * the first element ++ */ ++ for (; i < vsi->num_q_vectors; i++) { ++ ice_vsi_rebuild_update_coalesce_itr(vsi->q_vectors[i], ++ &vsi->q_vectors[i]->tx, ++ coalesce[0].itr_tx); ++ ice_vsi_rebuild_update_coalesce_itr(vsi->q_vectors[i], ++ &vsi->q_vectors[i]->rx, ++ coalesce[0].itr_rx); ++ ice_vsi_rebuild_update_coalesce_intrl(vsi->q_vectors[i], ++ coalesce[0].intrl); ++ } + } + + /** +@@ -2798,9 +2853,11 @@ int ice_vsi_rebuild(struct ice_vsi *vsi, bool init_vsi) + + coalesce = kcalloc(vsi->num_q_vectors, + sizeof(struct ice_coalesce_stored), GFP_KERNEL); +- if (coalesce) +- prev_num_q_vectors = ice_vsi_rebuild_get_coalesce(vsi, +- coalesce); ++ if (!coalesce) ++ return -ENOMEM; ++ ++ prev_num_q_vectors = ice_vsi_rebuild_get_coalesce(vsi, coalesce); ++ + ice_rm_vsi_lan_cfg(vsi->port_info, vsi->idx); + ice_vsi_free_q_vectors(vsi); + +diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.h b/drivers/net/ethernet/intel/ice/ice_txrx.h +index ff1a1cbd078e..eab7ceae926b 100644 +--- a/drivers/net/ethernet/intel/ice/ice_txrx.h ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.h +@@ -351,6 +351,8 @@ struct ice_coalesce_stored { + u16 itr_tx; + u16 itr_rx; + u8 intrl; ++ u8 tx_valid; ++ u8 rx_valid; + }; + + /* iterator for handling rings in ring container */ +-- +2.30.2 + diff --git a/queue-5.10/iommu-amd-remove-performance-counter-pre-initializat.patch b/queue-5.10/iommu-amd-remove-performance-counter-pre-initializat.patch new file mode 100644 index 00000000000..3dc403d1d0b --- /dev/null +++ b/queue-5.10/iommu-amd-remove-performance-counter-pre-initializat.patch @@ -0,0 +1,98 @@ +From a39dbb2613c86498311ee101c37d95583aabc112 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 03:58:48 -0500 +Subject: iommu/amd: Remove performance counter pre-initialization test + +From: Suravee Suthikulpanit + +[ Upstream commit 994d6608efe4a4c8834bdc5014c86f4bc6aceea6 ] + +In early AMD desktop/mobile platforms (during 2013), when the IOMMU +Performance Counter (PMC) support was first introduced in +commit 30861ddc9cca ("perf/x86/amd: Add IOMMU Performance Counter +resource management"), there was a HW bug where the counters could not +be accessed. The result was reading of the counter always return zero. + +At the time, the suggested workaround was to add a test logic prior +to initializing the PMC feature to check if the counters can be programmed +and read back the same value. This has been working fine until the more +recent desktop/mobile platforms start enabling power gating for the PMC, +which prevents access to the counters. This results in the PMC support +being disabled unnecesarily. + +Unfortunatly, there is no documentation of since which generation +of hardware the original PMC HW bug was fixed. Although, it was fixed +soon after the first introduction of the PMC. Base on this, we assume +that the buggy platforms are less likely to be in used, and it should +be relatively safe to remove this legacy logic. + +Link: https://lore.kernel.org/linux-iommu/alpine.LNX.3.20.13.2006030935570.3181@monopod.intra.ispras.ru/ +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201753 +Cc: Tj (Elloe Linux) +Cc: Shuah Khan +Cc: Alexander Monakov +Cc: David Coe +Cc: Paul Menzel +Signed-off-by: Suravee Suthikulpanit +Tested-by: Shuah Khan +Link: https://lore.kernel.org/r/20210409085848.3908-3-suravee.suthikulpanit@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/init.c | 24 +----------------------- + 1 file changed, 1 insertion(+), 23 deletions(-) + +diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c +index 8b1a037116b0..cc9869cc48e4 100644 +--- a/drivers/iommu/amd/init.c ++++ b/drivers/iommu/amd/init.c +@@ -1717,33 +1717,16 @@ static int __init init_iommu_all(struct acpi_table_header *table) + return 0; + } + +-static int iommu_pc_get_set_reg(struct amd_iommu *iommu, u8 bank, u8 cntr, +- u8 fxn, u64 *value, bool is_write); +- + static void init_iommu_perf_ctr(struct amd_iommu *iommu) + { ++ u64 val; + struct pci_dev *pdev = iommu->dev; +- u64 val = 0xabcd, val2 = 0, save_reg = 0; + + if (!iommu_feature(iommu, FEATURE_PC)) + return; + + amd_iommu_pc_present = true; + +- /* save the value to restore, if writable */ +- if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false)) +- goto pc_false; +- +- /* Check if the performance counters can be written to */ +- if ((iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true)) || +- (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false)) || +- (val != val2)) +- goto pc_false; +- +- /* restore */ +- if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true)) +- goto pc_false; +- + pci_info(pdev, "IOMMU performance counters supported\n"); + + val = readl(iommu->mmio_base + MMIO_CNTR_CONF_OFFSET); +@@ -1751,11 +1734,6 @@ static void init_iommu_perf_ctr(struct amd_iommu *iommu) + iommu->max_counters = (u8) ((val >> 7) & 0xf); + + return; +- +-pc_false: +- pci_err(pdev, "Unable to read/write to IOMMU perf counter.\n"); +- amd_iommu_pc_present = false; +- return; + } + + static ssize_t amd_iommu_show_cap(struct device *dev, +-- +2.30.2 + diff --git a/queue-5.10/ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch b/queue-5.10/ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch new file mode 100644 index 00000000000..8243a594b50 --- /dev/null +++ b/queue-5.10/ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch @@ -0,0 +1,98 @@ +From 6d4cd25d28b8a6de834ea86bd7b1794e7fc09e1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 12:12:54 -0700 +Subject: ip6_vti: proper dev_{hold|put} in ndo_[un]init methods + +From: Eric Dumazet + +[ Upstream commit 40cb881b5aaa0b69a7d93dec8440d5c62dae299f ] + +After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger +a warning [1] + +Issue here is that: + +- all dev_put() should be paired with a corresponding prior dev_hold(). + +- A driver doing a dev_put() in its ndo_uninit() MUST also + do a dev_hold() in its ndo_init(), only when ndo_init() + is returning 0. + +Otherwise, register_netdevice() would call ndo_uninit() +in its error path and release a refcount too soon. + +Therefore, we need to move dev_hold() call from +vti6_tnl_create2() to vti6_dev_init_gen() + +[1] +WARNING: CPU: 0 PID: 15951 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 +Modules linked in: +CPU: 0 PID: 15951 Comm: syz-executor.3 Not tainted 5.12.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 +Code: 1d 6a 5a e8 09 31 ff 89 de e8 8d 1a ab fd 84 db 75 e0 e8 d4 13 ab fd 48 c7 c7 a0 e1 c1 89 c6 05 4a 5a e8 09 01 e8 2e 36 fb 04 <0f> 0b eb c4 e8 b8 13 ab fd 0f b6 1d 39 5a e8 09 31 ff 89 de e8 58 +RSP: 0018:ffffc90001eaef28 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 0000000000040000 RSI: ffffffff815c51f5 RDI: fffff520003d5dd7 +RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 +R10: ffffffff815bdf8e R11: 0000000000000000 R12: ffff88801bb1c568 +R13: ffff88801f69e800 R14: 00000000ffffffff R15: ffff888050889d40 +FS: 00007fc79314e700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f1c1ff47108 CR3: 0000000020fd5000 CR4: 00000000001506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + __refcount_dec include/linux/refcount.h:344 [inline] + refcount_dec include/linux/refcount.h:359 [inline] + dev_put include/linux/netdevice.h:4135 [inline] + vti6_dev_uninit+0x31a/0x360 net/ipv6/ip6_vti.c:297 + register_netdevice+0xadf/0x1500 net/core/dev.c:10308 + vti6_tnl_create2+0x1b5/0x400 net/ipv6/ip6_vti.c:190 + vti6_newlink+0x9d/0xd0 net/ipv6/ip6_vti.c:1020 + __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3443 + rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491 + rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 + netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 + netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:674 + ____sys_sendmsg+0x331/0x810 net/socket.c:2350 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 + __sys_sendmmsg+0x195/0x470 net/socket.c:2490 + __do_sys_sendmmsg net/socket.c:2519 [inline] + __se_sys_sendmmsg net/socket.c:2516 [inline] + __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2516 + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_vti.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c +index ecfeffc06c55..82961ff4da9b 100644 +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -192,7 +192,6 @@ static int vti6_tnl_create2(struct net_device *dev) + + strcpy(t->parms.name, dev->name); + +- dev_hold(dev); + vti6_tnl_link(ip6n, t); + + return 0; +@@ -931,6 +930,7 @@ static inline int vti6_dev_init_gen(struct net_device *dev) + dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats); + if (!dev->tstats) + return -ENOMEM; ++ dev_hold(dev); + return 0; + } + +-- +2.30.2 + diff --git a/queue-5.10/iwlwifi-pcie-make-cfg-vs.-trans_cfg-more-robust.patch b/queue-5.10/iwlwifi-pcie-make-cfg-vs.-trans_cfg-more-robust.patch new file mode 100644 index 00000000000..8055d6ff70f --- /dev/null +++ b/queue-5.10/iwlwifi-pcie-make-cfg-vs.-trans_cfg-more-robust.patch @@ -0,0 +1,114 @@ +From 5e9687becba63bd84e5571bfc97e782d7430e0e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Mar 2021 16:24:58 +0300 +Subject: iwlwifi: pcie: make cfg vs. trans_cfg more robust + +From: Johannes Berg + +[ Upstream commit 48a5494d6a4cb5812f0640d9515f1876ffc7a013 ] + +If we (for example) have a trans_cfg entry in the PCI IDs table, +but then don't find a full cfg entry for it in the info table, +we fall through to the code that treats the PCI ID table entry +as a full cfg entry. This obviously causes crashes later, e.g. +when trying to build the firmware name string. + +Avoid such crashes by using the low bit of the pointer as a tag +for trans_cfg entries (automatically using a macro that checks +the type when assigning) and then checking that before trying to +use the data as a full entry - if it's just a partial entry at +that point, fail. + +Since we're adding some macro magic, also check that the type is +in fact either struct iwl_cfg_trans_params or struct iwl_cfg, +failing compilation ("initializer element is not constant") if +it isn't. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20210330162204.6f69fe6e4128.I921d4ae20ef5276716baeeeda0b001cf25b9b968@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 35 +++++++++++++++---- + 1 file changed, 28 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index 500fdb0b6c42..eeb70560b746 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -73,10 +73,20 @@ + #include "iwl-prph.h" + #include "internal.h" + ++#define TRANS_CFG_MARKER BIT(0) ++#define _IS_A(cfg, _struct) __builtin_types_compatible_p(typeof(cfg), \ ++ struct _struct) ++extern int _invalid_type; ++#define _TRANS_CFG_MARKER(cfg) \ ++ (__builtin_choose_expr(_IS_A(cfg, iwl_cfg_trans_params), \ ++ TRANS_CFG_MARKER, \ ++ __builtin_choose_expr(_IS_A(cfg, iwl_cfg), 0, _invalid_type))) ++#define _ASSIGN_CFG(cfg) (_TRANS_CFG_MARKER(cfg) + (kernel_ulong_t)&(cfg)) ++ + #define IWL_PCI_DEVICE(dev, subdev, cfg) \ + .vendor = PCI_VENDOR_ID_INTEL, .device = (dev), \ + .subvendor = PCI_ANY_ID, .subdevice = (subdev), \ +- .driver_data = (kernel_ulong_t)&(cfg) ++ .driver_data = _ASSIGN_CFG(cfg) + + /* Hardware specific file defines the PCI IDs table for that hardware module */ + static const struct pci_device_id iwl_hw_card_ids[] = { +@@ -1018,20 +1028,23 @@ static const struct iwl_dev_info iwl_dev_info_table[] = { + + static int iwl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + { +- const struct iwl_cfg_trans_params *trans = +- (struct iwl_cfg_trans_params *)(ent->driver_data); ++ const struct iwl_cfg_trans_params *trans; + const struct iwl_cfg *cfg_7265d __maybe_unused = NULL; + struct iwl_trans *iwl_trans; + struct iwl_trans_pcie *trans_pcie; + unsigned long flags; + int i, ret; ++ const struct iwl_cfg *cfg; ++ ++ trans = (void *)(ent->driver_data & ~TRANS_CFG_MARKER); ++ + /* + * This is needed for backwards compatibility with the old + * tables, so we don't need to change all the config structs + * at the same time. The cfg is used to compare with the old + * full cfg structs. + */ +- const struct iwl_cfg *cfg = (struct iwl_cfg *)(ent->driver_data); ++ cfg = (void *)(ent->driver_data & ~TRANS_CFG_MARKER); + + /* make sure trans is the first element in iwl_cfg */ + BUILD_BUG_ON(offsetof(struct iwl_cfg, trans)); +@@ -1133,11 +1146,19 @@ static int iwl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + #endif + /* +- * If we didn't set the cfg yet, assume the trans is actually +- * a full cfg from the old tables. ++ * If we didn't set the cfg yet, the PCI ID table entry should have ++ * been a full config - if yes, use it, otherwise fail. + */ +- if (!iwl_trans->cfg) ++ if (!iwl_trans->cfg) { ++ if (ent->driver_data & TRANS_CFG_MARKER) { ++ pr_err("No config found for PCI dev %04x/%04x, rev=0x%x, rfid=0x%x\n", ++ pdev->device, pdev->subsystem_device, ++ iwl_trans->hw_rev, iwl_trans->hw_rf_id); ++ ret = -EINVAL; ++ goto out_free_trans; ++ } + iwl_trans->cfg = cfg; ++ } + + /* if we don't have a name yet, copy name from the old cfg */ + if (!iwl_trans->name) +-- +2.30.2 + diff --git a/queue-5.10/kbuild-generate-module.symvers-only-when-vmlinux-exi.patch b/queue-5.10/kbuild-generate-module.symvers-only-when-vmlinux-exi.patch new file mode 100644 index 00000000000..de8a9a9577d --- /dev/null +++ b/queue-5.10/kbuild-generate-module.symvers-only-when-vmlinux-exi.patch @@ -0,0 +1,144 @@ +From 82d0656c79b5144b10d91a227e804c32690127cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Mar 2021 03:54:09 +0900 +Subject: kbuild: generate Module.symvers only when vmlinux exists + +From: Masahiro Yamada + +[ Upstream commit 69bc8d386aebbd91a6bb44b6d33f77c8dfa9ed8c ] + +The external module build shows the following warning if Module.symvers +is missing in the kernel tree. + + WARNING: Symbol version dump "Module.symvers" is missing. + Modules may not have dependencies or modversions. + +I think this is an important heads-up because the resulting modules may +not work as expected. This happens when you did not build the entire +kernel tree, for example, you might have prepared the minimal setups +for external modules by 'make defconfig && make modules_preapre'. + +A problem is that 'make modules' creates Module.symvers even without +vmlinux. In this case, that warning is suppressed since Module.symvers +already exists in spite of its incomplete content. + +The incomplete (i.e. invalid) Module.symvers should not be created. + +This commit changes the second pass of modpost to dump symbols into +modules-only.symvers. The final Module.symvers is created by +concatenating vmlinux.symvers and modules-only.symvers if both exist. + +Module.symvers is supposed to collect symbols from both vmlinux and +modules. It might be a bit confusing, and I am not quite sure if it +is an official interface, but presumably it is difficult to rename it +because some tools (e.g. kmod) parse it. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + .gitignore | 1 + + Documentation/dontdiff | 1 + + Makefile | 2 +- + scripts/Makefile.modpost | 15 ++++++++++++++- + scripts/mod/modpost.c | 15 +-------------- + 5 files changed, 18 insertions(+), 16 deletions(-) + +diff --git a/.gitignore b/.gitignore +index d01cda8e1177..67d2f3503128 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -55,6 +55,7 @@ modules.order + /tags + /TAGS + /linux ++/modules-only.symvers + /vmlinux + /vmlinux.32 + /vmlinux.symvers +diff --git a/Documentation/dontdiff b/Documentation/dontdiff +index e361fc95ca29..82e3eee7363b 100644 +--- a/Documentation/dontdiff ++++ b/Documentation/dontdiff +@@ -178,6 +178,7 @@ mktables + mktree + mkutf8data + modpost ++modules-only.symvers + modules.builtin + modules.builtin.modinfo + modules.nsdeps +diff --git a/Makefile b/Makefile +index 39f14ad009ae..1ee3fb1dde59 100644 +--- a/Makefile ++++ b/Makefile +@@ -1483,7 +1483,7 @@ endif # CONFIG_MODULES + # make distclean Remove editor backup files, patch leftover files and the like + + # Directories & files removed with 'make clean' +-CLEAN_FILES += include/ksym vmlinux.symvers \ ++CLEAN_FILES += include/ksym vmlinux.symvers modules-only.symvers \ + modules.builtin modules.builtin.modinfo modules.nsdeps \ + compile_commands.json + +diff --git a/scripts/Makefile.modpost b/scripts/Makefile.modpost +index f54b6ac37ac2..12a87be0fb44 100644 +--- a/scripts/Makefile.modpost ++++ b/scripts/Makefile.modpost +@@ -65,7 +65,20 @@ else + ifeq ($(KBUILD_EXTMOD),) + + input-symdump := vmlinux.symvers +-output-symdump := Module.symvers ++output-symdump := modules-only.symvers ++ ++quiet_cmd_cat = GEN $@ ++ cmd_cat = cat $(real-prereqs) > $@ ++ ++ifneq ($(wildcard vmlinux.symvers),) ++ ++__modpost: Module.symvers ++Module.symvers: vmlinux.symvers modules-only.symvers FORCE ++ $(call if_changed,cat) ++ ++targets += Module.symvers ++ ++endif + + else + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index f882ce0d9327..e08f75aed429 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -2481,19 +2481,6 @@ fail: + fatal("parse error in symbol dump file\n"); + } + +-/* For normal builds always dump all symbols. +- * For external modules only dump symbols +- * that are not read from kernel Module.symvers. +- **/ +-static int dump_sym(struct symbol *sym) +-{ +- if (!external_module) +- return 1; +- if (sym->module->from_dump) +- return 0; +- return 1; +-} +- + static void write_dump(const char *fname) + { + struct buffer buf = { }; +@@ -2504,7 +2491,7 @@ static void write_dump(const char *fname) + for (n = 0; n < SYMBOL_HASH_SIZE ; n++) { + symbol = symbolhash[n]; + while (symbol) { +- if (dump_sym(symbol)) { ++ if (!symbol->module->from_dump) { + namespace = symbol->namespace; + buf_printf(&buf, "0x%08x\t%s\t%s\t%s\t%s\n", + symbol->crc, symbol->name, +-- +2.30.2 + diff --git a/queue-5.10/kconfig-nconf-stop-endless-search-loops.patch b/queue-5.10/kconfig-nconf-stop-endless-search-loops.patch new file mode 100644 index 00000000000..328eec4717f --- /dev/null +++ b/queue-5.10/kconfig-nconf-stop-endless-search-loops.patch @@ -0,0 +1,62 @@ +From debc228659cf1efceaceac84fcba9cdf9f3287ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 09:28:03 +0200 +Subject: kconfig: nconf: stop endless search loops + +From: Mihai Moldovan + +[ Upstream commit 8c94b430b9f6213dec84e309bb480a71778c4213 ] + +If the user selects the very first entry in a page and performs a +search-up operation, or selects the very last entry in a page and +performs a search-down operation that will not succeed (e.g., via +[/]asdfzzz[Up Arrow]), nconf will never terminate searching the page. + +The reason is that in this case, the starting point will be set to -1 +or n, which is then translated into (n - 1) (i.e., the last entry of +the page) or 0 (i.e., the first entry of the page) and finally the +search begins. This continues to work fine until the index reaches 0 or +(n - 1), at which point it will be decremented to -1 or incremented to +n, but not checked against the starting point right away. Instead, it's +wrapped around to the bottom or top again, after which the starting +point check occurs... and naturally fails. + +My original implementation added another check for -1 before wrapping +the running index variable around, but Masahiro Yamada pointed out that +the actual issue is that the comparison point (starting point) exceeds +bounds (i.e., the [0,n-1] interval) in the first place and that, +instead, the starting point should be fixed. + +This has the welcome side-effect of also fixing the case where the +starting point was n while searching down, which also lead to an +infinite loop. + +OTOH, this code is now essentially all his work. + +Amazingly, nobody seems to have been hit by this for 11 years - or at +the very least nobody bothered to debug and fix this. + +Signed-off-by: Mihai Moldovan +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index e0f965529166..af814b39b876 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -504,8 +504,8 @@ static int get_mext_match(const char *match_str, match_f flag) + else if (flag == FIND_NEXT_MATCH_UP) + --match_start; + ++ match_start = (match_start + items_num) % items_num; + index = match_start; +- index = (index + items_num) % items_num; + while (true) { + char *str = k_menu_items[index].str; + if (strcasestr(str, match_str) != NULL) +-- +2.30.2 + diff --git a/queue-5.10/kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch b/queue-5.10/kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch new file mode 100644 index 00000000000..0f310f6c0a8 --- /dev/null +++ b/queue-5.10/kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch @@ -0,0 +1,45 @@ +From 50c2b3207fd5f4381a61140afe63a74739b10970 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 18:04:38 -0700 +Subject: kernel: kexec_file: fix error return code of + kexec_calculate_store_digests() + +From: Jia-Ju Bai + +[ Upstream commit 31d82c2c787d5cf65fedd35ebbc0c1bd95c1a679 ] + +When vzalloc() returns NULL to sha_regions, no error return code of +kexec_calculate_store_digests() is assigned. To fix this bug, ret is +assigned with -ENOMEM in this case. + +Link: https://lkml.kernel.org/r/20210309083904.24321-1-baijiaju1990@gmail.com +Fixes: a43cac0d9dc2 ("kexec: split kexec_file syscall code to kexec_file.c") +Signed-off-by: Jia-Ju Bai +Reported-by: TOTE Robot +Acked-by: Baoquan He +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/kexec_file.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c +index 7825adcc5efc..aea9104265f2 100644 +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -740,8 +740,10 @@ static int kexec_calculate_store_digests(struct kimage *image) + + sha_region_sz = KEXEC_SEGMENT_MAX * sizeof(struct kexec_sha_region); + sha_regions = vzalloc(sha_region_sz); +- if (!sha_regions) ++ if (!sha_regions) { ++ ret = -ENOMEM; + goto out_free_desc; ++ } + + desc->tfm = tfm; + +-- +2.30.2 + diff --git a/queue-5.10/kernel-resource-make-walk_mem_res-find-all-busy-iore.patch b/queue-5.10/kernel-resource-make-walk_mem_res-find-all-busy-iore.patch new file mode 100644 index 00000000000..caa2ec7f237 --- /dev/null +++ b/queue-5.10/kernel-resource-make-walk_mem_res-find-all-busy-iore.patch @@ -0,0 +1,76 @@ +From bd7069008557a9f24bfcaa6159841be9da202074 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 18:05:16 -0700 +Subject: kernel/resource: make walk_mem_res() find all busy IORESOURCE_MEM + resources + +From: David Hildenbrand + +[ Upstream commit 3c9c797534364593b73ba6ab060a014af8934721 ] + +It used to be true that we can have system RAM (IORESOURCE_SYSTEM_RAM | +IORESOURCE_BUSY) only on the first level in the resource tree. However, +this is no longer holds for driver-managed system RAM (i.e., added via +dax/kmem and virtio-mem), which gets added on lower levels, for example, +inside device containers. + +IORESOURCE_SYSTEM_RAM is defined as IORESOURCE_MEM | IORESOURCE_SYSRAM and +just a special type of IORESOURCE_MEM. + +The function walk_mem_res() only considers the first level and is used in +arch/x86/mm/ioremap.c:__ioremap_check_mem() only. We currently fail to +identify System RAM added by dax/kmem and virtio-mem as +"IORES_MAP_SYSTEM_RAM", for example, allowing for remapping of such +"normal RAM" in __ioremap_caller(). + +Let's find all IORESOURCE_MEM | IORESOURCE_BUSY resources, making the +function behave similar to walk_system_ram_res(). + +Link: https://lkml.kernel.org/r/20210325115326.7826-3-david@redhat.com +Fixes: ebf71552bb0e ("virtio-mem: Add parent resource for all added "System RAM"") +Fixes: c221c0b0308f ("device-dax: "Hotplug" persistent memory for use like normal RAM") +Signed-off-by: David Hildenbrand +Reviewed-by: Dan Williams +Cc: Greg Kroah-Hartman +Cc: Dan Williams +Cc: Daniel Vetter +Cc: Andy Shevchenko +Cc: Mauro Carvalho Chehab +Cc: Dave Young +Cc: Baoquan He +Cc: Vivek Goyal +Cc: Dave Hansen +Cc: Keith Busch +Cc: Michal Hocko +Cc: Qian Cai +Cc: Oscar Salvador +Cc: Eric Biederman +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Tom Lendacky +Cc: Brijesh Singh +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/resource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/resource.c b/kernel/resource.c +index 88a0ed866777..817545ff80b9 100644 +--- a/kernel/resource.c ++++ b/kernel/resource.c +@@ -463,7 +463,7 @@ int walk_mem_res(u64 start, u64 end, void *arg, + { + unsigned long flags = IORESOURCE_MEM | IORESOURCE_BUSY; + +- return __walk_iomem_res_desc(start, end, flags, IORES_DESC_NONE, true, ++ return __walk_iomem_res_desc(start, end, flags, IORES_DESC_NONE, false, + arg, func); + } + +-- +2.30.2 + diff --git a/queue-5.10/kernel-resource-make-walk_system_ram_res-find-all-bu.patch b/queue-5.10/kernel-resource-make-walk_system_ram_res-find-all-bu.patch new file mode 100644 index 00000000000..5274543060d --- /dev/null +++ b/queue-5.10/kernel-resource-make-walk_system_ram_res-find-all-bu.patch @@ -0,0 +1,106 @@ +From 1936aa7f400d629707e8bcc287585e78f73757a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 18:05:12 -0700 +Subject: kernel/resource: make walk_system_ram_res() find all busy + IORESOURCE_SYSTEM_RAM resources + +From: David Hildenbrand + +[ Upstream commit 97f61c8f44ec9020708b97a51188170add4f3084 ] + +Patch series "kernel/resource: make walk_system_ram_res() and walk_mem_res() search the whole tree", v2. + +Playing with kdump+virtio-mem I noticed that kexec_file_load() does not +consider System RAM added via dax/kmem and virtio-mem when preparing the +elf header for kdump. Looking into the details, the logic used in +walk_system_ram_res() and walk_mem_res() seems to be outdated. + +walk_system_ram_range() already does the right thing, let's change +walk_system_ram_res() and walk_mem_res(), and clean up. + +Loading a kdump kernel via "kexec -p -s" ... will result in the kdump +kernel to also dump dax/kmem and virtio-mem added System RAM now. + +Note: kexec-tools on x86-64 also have to be updated to consider this +memory in the kexec_load() case when processing /proc/iomem. + +This patch (of 3): + +It used to be true that we can have system RAM (IORESOURCE_SYSTEM_RAM | +IORESOURCE_BUSY) only on the first level in the resource tree. However, +this is no longer holds for driver-managed system RAM (i.e., added via +dax/kmem and virtio-mem), which gets added on lower levels, for example, +inside device containers. + +We have two users of walk_system_ram_res(), which currently only +consideres the first level: + +a) kernel/kexec_file.c:kexec_walk_resources() -- We properly skip + IORESOURCE_SYSRAM_DRIVER_MANAGED resources via + locate_mem_hole_callback(), so even after this change, we won't be + placing kexec images onto dax/kmem and virtio-mem added memory. No + change. + +b) arch/x86/kernel/crash.c:fill_up_crash_elf_data() -- we're currently + not adding relevant ranges to the crash elf header, resulting in them + not getting dumped via kdump. + +This change fixes loading a crashkernel via kexec_file_load() and +including dax/kmem and virtio-mem added System RAM in the crashdump on +x86-64. Note that e.g,, arm64 relies on memblock data and, therefore, +always considers all added System RAM already. + +Let's find all IORESOURCE_SYSTEM_RAM | IORESOURCE_BUSY resources, making +the function behave like walk_system_ram_range(). + +Link: https://lkml.kernel.org/r/20210325115326.7826-1-david@redhat.com +Link: https://lkml.kernel.org/r/20210325115326.7826-2-david@redhat.com +Fixes: ebf71552bb0e ("virtio-mem: Add parent resource for all added "System RAM"") +Fixes: c221c0b0308f ("device-dax: "Hotplug" persistent memory for use like normal RAM") +Signed-off-by: David Hildenbrand +Reviewed-by: Dan Williams +Acked-by: Baoquan He +Cc: Greg Kroah-Hartman +Cc: Dan Williams +Cc: Daniel Vetter +Cc: Andy Shevchenko +Cc: Mauro Carvalho Chehab +Cc: Dave Young +Cc: Baoquan He +Cc: Vivek Goyal +Cc: Dave Hansen +Cc: Keith Busch +Cc: Michal Hocko +Cc: Qian Cai +Cc: Oscar Salvador +Cc: Eric Biederman +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Tom Lendacky +Cc: Brijesh Singh +Cc: "Eric W. Biederman" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/resource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/resource.c b/kernel/resource.c +index 3ae2f56cc79d..88a0ed866777 100644 +--- a/kernel/resource.c ++++ b/kernel/resource.c +@@ -450,7 +450,7 @@ int walk_system_ram_res(u64 start, u64 end, void *arg, + { + unsigned long flags = IORESOURCE_SYSTEM_RAM | IORESOURCE_BUSY; + +- return __walk_iomem_res_desc(start, end, flags, IORES_DESC_NONE, true, ++ return __walk_iomem_res_desc(start, end, flags, IORES_DESC_NONE, false, + arg, func); + } + +-- +2.30.2 + diff --git a/queue-5.10/khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch b/queue-5.10/khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch new file mode 100644 index 00000000000..d90d70bc240 --- /dev/null +++ b/queue-5.10/khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch @@ -0,0 +1,63 @@ +From 7f105c13ea6dc111bd58dff1f350b6a3287cbdac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 18:33:46 -0700 +Subject: khugepaged: fix wrong result value for + trace_mm_collapse_huge_page_isolate() + +From: Miaohe Lin + +[ Upstream commit 74e579bf231a337ab3786d59e64bc94f45ca7b3f ] + +In writable and !referenced case, the result value should be +SCAN_LACK_REFERENCED_PAGE for trace_mm_collapse_huge_page_isolate() +instead of default 0 (SCAN_FAIL) here. + +Link: https://lkml.kernel.org/r/20210306032947.35921-5-linmiaohe@huawei.com +Fixes: 7d2eba0557c1 ("mm: add tracepoint for scanning pages") +Signed-off-by: Miaohe Lin +Acked-by: Kirill A. Shutemov +Cc: Dan Carpenter +Cc: Ebru Akagunduz +Cc: Mike Kravetz +Cc: Rik van Riel +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/khugepaged.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index abab394c4206..a6238118ac4c 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -714,17 +714,17 @@ next: + if (pte_write(pteval)) + writable = true; + } +- if (likely(writable)) { +- if (likely(referenced)) { +- result = SCAN_SUCCEED; +- trace_mm_collapse_huge_page_isolate(page, none_or_zero, +- referenced, writable, result); +- return 1; +- } +- } else { ++ ++ if (unlikely(!writable)) { + result = SCAN_PAGE_RO; ++ } else if (unlikely(!referenced)) { ++ result = SCAN_LACK_REFERENCED_PAGE; ++ } else { ++ result = SCAN_SUCCEED; ++ trace_mm_collapse_huge_page_isolate(page, none_or_zero, ++ referenced, writable, result); ++ return 1; + } +- + out: + release_pte_pages(pte, _pte, compound_pagelist); + trace_mm_collapse_huge_page_isolate(page, none_or_zero, +-- +2.30.2 + diff --git a/queue-5.10/ksm-fix-potential-missing-rmap_item-for-stable_node.patch b/queue-5.10/ksm-fix-potential-missing-rmap_item-for-stable_node.patch new file mode 100644 index 00000000000..abaac8a75b2 --- /dev/null +++ b/queue-5.10/ksm-fix-potential-missing-rmap_item-for-stable_node.patch @@ -0,0 +1,57 @@ +From e40458367d782293708bf42c2524dddebfd74171 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 18:37:45 -0700 +Subject: ksm: fix potential missing rmap_item for stable_node + +From: Miaohe Lin + +[ Upstream commit c89a384e2551c692a9fe60d093fd7080f50afc51 ] + +When removing rmap_item from stable tree, STABLE_FLAG of rmap_item is +cleared with head reserved. So the following scenario might happen: For +ksm page with rmap_item1: + +cmp_and_merge_page + stable_node->head = &migrate_nodes; + remove_rmap_item_from_tree, but head still equal to stable_node; + try_to_merge_with_ksm_page failed; + return; + +For the same ksm page with rmap_item2, stable node migration succeed this +time. The stable_node->head does not equal to migrate_nodes now. For ksm +page with rmap_item1 again: + +cmp_and_merge_page + stable_node->head != &migrate_nodes && rmap_item->head == stable_node + return; + +We would miss the rmap_item for stable_node and might result in failed +rmap_walk_ksm(). Fix this by set rmap_item->head to NULL when rmap_item +is removed from stable tree. + +Link: https://lkml.kernel.org/r/20210330140228.45635-5-linmiaohe@huawei.com +Fixes: 4146d2d673e8 ("ksm: make !merge_across_nodes migration safe") +Signed-off-by: Miaohe Lin +Cc: Hugh Dickins +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/ksm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/mm/ksm.c b/mm/ksm.c +index 0960750bb316..25b8362a4f89 100644 +--- a/mm/ksm.c ++++ b/mm/ksm.c +@@ -794,6 +794,7 @@ static void remove_rmap_item_from_tree(struct rmap_item *rmap_item) + stable_node->rmap_hlist_len--; + + put_anon_vma(rmap_item->anon_vma); ++ rmap_item->head = NULL; + rmap_item->address &= PAGE_MASK; + + } else if (rmap_item->address & UNSTABLE_FLAG) { +-- +2.30.2 + diff --git a/queue-5.10/libbpf-fix-signed-overflow-in-ringbuf_process_ring.patch b/queue-5.10/libbpf-fix-signed-overflow-in-ringbuf_process_ring.patch new file mode 100644 index 00000000000..05a23f0e744 --- /dev/null +++ b/queue-5.10/libbpf-fix-signed-overflow-in-ringbuf_process_ring.patch @@ -0,0 +1,104 @@ +From 667ad9aa5da04dd797f82843f50858374a493ff7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 13:05:10 +0000 +Subject: libbpf: Fix signed overflow in ringbuf_process_ring + +From: Brendan Jackman + +[ Upstream commit 2a30f9440640c418bcfbea9b2b344d268b58e0a2 ] + +One of our benchmarks running in (Google-internal) CI pushes data +through the ringbuf faster htan than userspace is able to consume +it. In this case it seems we're actually able to get >INT_MAX entries +in a single ring_buffer__consume() call. ASAN detected that cnt +overflows in this case. + +Fix by using 64-bit counter internally and then capping the result to +INT_MAX before converting to the int return type. Do the same for +the ring_buffer__poll(). + +Fixes: bf99c936f947 (libbpf: Add BPF ring buffer support) +Signed-off-by: Brendan Jackman +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20210429130510.1621665-1-jackmanb@google.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/ringbuf.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +diff --git a/tools/lib/bpf/ringbuf.c b/tools/lib/bpf/ringbuf.c +index 06cd709a3453..86c31c787fb9 100644 +--- a/tools/lib/bpf/ringbuf.c ++++ b/tools/lib/bpf/ringbuf.c +@@ -202,9 +202,11 @@ static inline int roundup_len(__u32 len) + return (len + 7) / 8 * 8; + } + +-static int ringbuf_process_ring(struct ring* r) ++static int64_t ringbuf_process_ring(struct ring* r) + { +- int *len_ptr, len, err, cnt = 0; ++ int *len_ptr, len, err; ++ /* 64-bit to avoid overflow in case of extreme application behavior */ ++ int64_t cnt = 0; + unsigned long cons_pos, prod_pos; + bool got_new_data; + void *sample; +@@ -244,12 +246,14 @@ done: + } + + /* Consume available ring buffer(s) data without event polling. +- * Returns number of records consumed across all registered ring buffers, or +- * negative number if any of the callbacks return error. ++ * Returns number of records consumed across all registered ring buffers (or ++ * INT_MAX, whichever is less), or negative number if any of the callbacks ++ * return error. + */ + int ring_buffer__consume(struct ring_buffer *rb) + { +- int i, err, res = 0; ++ int64_t err, res = 0; ++ int i; + + for (i = 0; i < rb->ring_cnt; i++) { + struct ring *ring = &rb->rings[i]; +@@ -259,18 +263,24 @@ int ring_buffer__consume(struct ring_buffer *rb) + return err; + res += err; + } ++ if (res > INT_MAX) ++ return INT_MAX; + return res; + } + + /* Poll for available data and consume records, if any are available. +- * Returns number of records consumed, or negative number, if any of the +- * registered callbacks returned error. ++ * Returns number of records consumed (or INT_MAX, whichever is less), or ++ * negative number, if any of the registered callbacks returned error. + */ + int ring_buffer__poll(struct ring_buffer *rb, int timeout_ms) + { +- int i, cnt, err, res = 0; ++ int i, cnt; ++ int64_t err, res = 0; + + cnt = epoll_wait(rb->epoll_fd, rb->events, rb->ring_cnt, timeout_ms); ++ if (cnt < 0) ++ return -errno; ++ + for (i = 0; i < cnt; i++) { + __u32 ring_id = rb->events[i].data.fd; + struct ring *ring = &rb->rings[ring_id]; +@@ -280,5 +290,7 @@ int ring_buffer__poll(struct ring_buffer *rb, int timeout_ms) + return err; + res += err; + } +- return cnt < 0 ? -errno : res; ++ if (res > INT_MAX) ++ return INT_MAX; ++ return res; + } +-- +2.30.2 + diff --git a/queue-5.10/mac80211-clear-the-beacon-s-crc-after-channel-switch.patch b/queue-5.10/mac80211-clear-the-beacon-s-crc-after-channel-switch.patch new file mode 100644 index 00000000000..f9979c5ec98 --- /dev/null +++ b/queue-5.10/mac80211-clear-the-beacon-s-crc-after-channel-switch.patch @@ -0,0 +1,52 @@ +From fa3f28ec11849e6af413c4d42c10d11cbee7ff32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 14:31:25 +0200 +Subject: mac80211: clear the beacon's CRC after channel switch + +From: Emmanuel Grumbach + +[ Upstream commit d6843d1ee283137723b4a8c76244607ce6db1951 ] + +After channel switch, we should consider any beacon with a +CSA IE as a new switch. If the CSA IE is a leftover from +before the switch that the AP forgot to remove, we'll get +a CSA-to-Self. + +This caused issues in iwlwifi where the firmware saw a beacon +with a CSA-to-Self with mode = 1 on the new channel after a +switch. The firmware considered this a new switch and closed +its queues. Since the beacon didn't change between before and +after the switch, we wouldn't handle it (the CRC is the same) +and we wouldn't let the firmware open its queues again or +disconnect if the CSA IE stays for too long. + +Clear the CRC valid state after we switch to make sure that +we handle the beacon and handle the CSA IE as required. + +Signed-off-by: Emmanuel Grumbach +Link: https://lore.kernel.org/r/20210408143124.b9e68aa98304.I465afb55ca2c7d59f7bf610c6046a1fd732b4c28@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mlme.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index ef19c3399b89..6d3220c66931 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1295,6 +1295,11 @@ static void ieee80211_chswitch_post_beacon(struct ieee80211_sub_if_data *sdata) + + sdata->vif.csa_active = false; + ifmgd->csa_waiting_bcn = false; ++ /* ++ * If the CSA IE is still present on the beacon after the switch, ++ * we need to consider it as a new CSA (possibly to self). ++ */ ++ ifmgd->beacon_crc_valid = false; + + ret = drv_post_channel_switch(sdata); + if (ret) { +-- +2.30.2 + diff --git a/queue-5.10/mips-loongson64-use-_cache_uncached-instead-of-_cach.patch b/queue-5.10/mips-loongson64-use-_cache_uncached-instead-of-_cach.patch new file mode 100644 index 00000000000..2345ff37190 --- /dev/null +++ b/queue-5.10/mips-loongson64-use-_cache_uncached-instead-of-_cach.patch @@ -0,0 +1,68 @@ +From a971697ef609eb8c086468975e24d0590024f9e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 17:25:12 +0800 +Subject: MIPS: Loongson64: Use _CACHE_UNCACHED instead of + _CACHE_UNCACHED_ACCELERATED + +From: Tiezhu Yang + +[ Upstream commit 5e65c52ec716af6e8f51dacdaeb4a4d872249af1 ] + +Loongson64 processors have a writecombine issue that maybe failed to +write back framebuffer used with ATI Radeon or AMD GPU at times, after +commit 8a08e50cee66 ("drm: Permit video-buffers writecombine mapping +for MIPS"), there exists some errors such as blurred screen and lockup, +and so on. + +[ 60.958721] radeon 0000:03:00.0: ring 0 stalled for more than 10079msec +[ 60.965315] radeon 0000:03:00.0: GPU lockup (current fence id 0x0000000000000112 last fence id 0x000000000000011d on ring 0) +[ 60.976525] radeon 0000:03:00.0: ring 3 stalled for more than 10086msec +[ 60.983156] radeon 0000:03:00.0: GPU lockup (current fence id 0x0000000000000374 last fence id 0x00000000000003a8 on ring 3) + +As discussed earlier [1], it might be better to disable writecombine +on the CPU detection side because the root cause is unknown now. + +Actually, this patch is a temporary solution to just make it work well, +it is not a proper and final solution, I hope someone will have a better +solution to fix this issue in the future. + +[1] https://lore.kernel.org/patchwork/patch/1285542/ + +Signed-off-by: Tiezhu Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/cpu-probe.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/arch/mips/kernel/cpu-probe.c b/arch/mips/kernel/cpu-probe.c +index 31cb9199197c..e6ae2bcdbeda 100644 +--- a/arch/mips/kernel/cpu-probe.c ++++ b/arch/mips/kernel/cpu-probe.c +@@ -1739,7 +1739,6 @@ static inline void cpu_probe_loongson(struct cpuinfo_mips *c, unsigned int cpu) + set_isa(c, MIPS_CPU_ISA_M64R2); + break; + } +- c->writecombine = _CACHE_UNCACHED_ACCELERATED; + c->ases |= (MIPS_ASE_LOONGSON_MMI | MIPS_ASE_LOONGSON_EXT | + MIPS_ASE_LOONGSON_EXT2); + break; +@@ -1769,7 +1768,6 @@ static inline void cpu_probe_loongson(struct cpuinfo_mips *c, unsigned int cpu) + * register, we correct it here. + */ + c->options |= MIPS_CPU_FTLB | MIPS_CPU_TLBINV | MIPS_CPU_LDPTE; +- c->writecombine = _CACHE_UNCACHED_ACCELERATED; + c->ases |= (MIPS_ASE_LOONGSON_MMI | MIPS_ASE_LOONGSON_CAM | + MIPS_ASE_LOONGSON_EXT | MIPS_ASE_LOONGSON_EXT2); + c->ases &= ~MIPS_ASE_VZ; /* VZ of Loongson-3A2000/3000 is incomplete */ +@@ -1780,7 +1778,6 @@ static inline void cpu_probe_loongson(struct cpuinfo_mips *c, unsigned int cpu) + set_elf_platform(cpu, "loongson3a"); + set_isa(c, MIPS_CPU_ISA_M64R2); + decode_cpucfg(c); +- c->writecombine = _CACHE_UNCACHED_ACCELERATED; + break; + default: + panic("Unknown Loongson Processor ID!"); +-- +2.30.2 + diff --git a/queue-5.10/mm-gup-check-every-subpage-of-a-compound-page-during.patch b/queue-5.10/mm-gup-check-every-subpage-of-a-compound-page-during.patch new file mode 100644 index 00000000000..b94768ddb40 --- /dev/null +++ b/queue-5.10/mm-gup-check-every-subpage-of-a-compound-page-during.patch @@ -0,0 +1,108 @@ +From 9ffa957b5409f1c6afbfcd58f05803139d2a5048 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 18:38:42 -0700 +Subject: mm/gup: check every subpage of a compound page during isolation + +From: Pavel Tatashin + +[ Upstream commit 83c02c23d0747a7bdcd71f99a538aacec94b146c ] + +When pages are isolated in check_and_migrate_movable_pages() we skip +compound number of pages at a time. However, as Jason noted, it is not +necessary correct that pages[i] corresponds to the pages that we +skipped. This is because it is possible that the addresses in this +range had split_huge_pmd()/split_huge_pud(), and these functions do not +update the compound page metadata. + +The problem can be reproduced if something like this occurs: + +1. User faulted huge pages. +2. split_huge_pmd() was called for some reason +3. User has unmapped some sub-pages in the range +4. User tries to longterm pin the addresses. + +The resulting pages[i] might end-up having pages which are not compound +size page aligned. + +Link: https://lkml.kernel.org/r/20210215161349.246722-3-pasha.tatashin@soleen.com +Fixes: aa712399c1e8 ("mm/gup: speed up check_and_migrate_cma_pages() on huge page") +Signed-off-by: Pavel Tatashin +Reported-by: Jason Gunthorpe +Reviewed-by: Jason Gunthorpe +Cc: Dan Williams +Cc: David Hildenbrand +Cc: David Rientjes +Cc: Ingo Molnar +Cc: Ira Weiny +Cc: James Morris +Cc: Jason Gunthorpe +Cc: John Hubbard +Cc: Joonsoo Kim +Cc: Matthew Wilcox +Cc: Mel Gorman +Cc: Michal Hocko +Cc: Michal Hocko +Cc: Mike Kravetz +Cc: Oscar Salvador +Cc: Peter Zijlstra +Cc: Sasha Levin +Cc: Steven Rostedt (VMware) +Cc: Tyler Hicks +Cc: Vlastimil Babka +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/gup.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +diff --git a/mm/gup.c b/mm/gup.c +index 054ff923d3d9..e10807c4c46b 100644 +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -1562,26 +1562,23 @@ static long check_and_migrate_cma_pages(struct mm_struct *mm, + unsigned int gup_flags) + { + unsigned long i; +- unsigned long step; + bool drain_allow = true; + bool migrate_allow = true; + LIST_HEAD(cma_page_list); + long ret = nr_pages; ++ struct page *prev_head, *head; + struct migration_target_control mtc = { + .nid = NUMA_NO_NODE, + .gfp_mask = GFP_USER | __GFP_MOVABLE | __GFP_NOWARN, + }; + + check_again: +- for (i = 0; i < nr_pages;) { +- +- struct page *head = compound_head(pages[i]); +- +- /* +- * gup may start from a tail page. Advance step by the left +- * part. +- */ +- step = compound_nr(head) - (pages[i] - head); ++ prev_head = NULL; ++ for (i = 0; i < nr_pages; i++) { ++ head = compound_head(pages[i]); ++ if (head == prev_head) ++ continue; ++ prev_head = head; + /* + * If we get a page from the CMA zone, since we are going to + * be pinning these entries, we might as well move them out +@@ -1605,8 +1602,6 @@ check_again: + } + } + } +- +- i += step; + } + + if (!list_empty(&cma_page_list)) { +-- +2.30.2 + diff --git a/queue-5.10/mm-gup-check-for-isolation-errors.patch b/queue-5.10/mm-gup-check-for-isolation-errors.patch new file mode 100644 index 00000000000..3404d37d2d1 --- /dev/null +++ b/queue-5.10/mm-gup-check-for-isolation-errors.patch @@ -0,0 +1,155 @@ +From b2c18dde945297389cdf97494f92b0d922345100 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 18:38:49 -0700 +Subject: mm/gup: check for isolation errors + +From: Pavel Tatashin + +[ Upstream commit 6e7f34ebb8d25d71ce7f4580ba3cbfc10b895580 ] + +It is still possible that we pin movable CMA pages if there are +isolation errors and cma_page_list stays empty when we check again. + +Check for isolation errors, and return success only when there are no +isolation errors, and cma_page_list is empty after checking. + +Because isolation errors are transient, we retry indefinitely. + +Link: https://lkml.kernel.org/r/20210215161349.246722-5-pasha.tatashin@soleen.com +Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") +Signed-off-by: Pavel Tatashin +Reviewed-by: Jason Gunthorpe +Cc: Dan Williams +Cc: David Hildenbrand +Cc: David Rientjes +Cc: Ingo Molnar +Cc: Ira Weiny +Cc: James Morris +Cc: Jason Gunthorpe +Cc: John Hubbard +Cc: Joonsoo Kim +Cc: Matthew Wilcox +Cc: Mel Gorman +Cc: Michal Hocko +Cc: Michal Hocko +Cc: Mike Kravetz +Cc: Oscar Salvador +Cc: Peter Zijlstra +Cc: Sasha Levin +Cc: Steven Rostedt (VMware) +Cc: Tyler Hicks +Cc: Vlastimil Babka +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/gup.c | 60 ++++++++++++++++++++++++++++++++------------------------ + 1 file changed, 34 insertions(+), 26 deletions(-) + +diff --git a/mm/gup.c b/mm/gup.c +index 0fa8d88eb7ba..c2826f3afe72 100644 +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -1561,8 +1561,8 @@ static long check_and_migrate_cma_pages(struct mm_struct *mm, + struct vm_area_struct **vmas, + unsigned int gup_flags) + { +- unsigned long i; +- bool drain_allow = true; ++ unsigned long i, isolation_error_count; ++ bool drain_allow; + LIST_HEAD(cma_page_list); + long ret = nr_pages; + struct page *prev_head, *head; +@@ -1573,6 +1573,8 @@ static long check_and_migrate_cma_pages(struct mm_struct *mm, + + check_again: + prev_head = NULL; ++ isolation_error_count = 0; ++ drain_allow = true; + for (i = 0; i < nr_pages; i++) { + head = compound_head(pages[i]); + if (head == prev_head) +@@ -1584,25 +1586,35 @@ check_again: + * of the CMA zone if possible. + */ + if (is_migrate_cma_page(head)) { +- if (PageHuge(head)) +- isolate_huge_page(head, &cma_page_list); +- else { ++ if (PageHuge(head)) { ++ if (!isolate_huge_page(head, &cma_page_list)) ++ isolation_error_count++; ++ } else { + if (!PageLRU(head) && drain_allow) { + lru_add_drain_all(); + drain_allow = false; + } + +- if (!isolate_lru_page(head)) { +- list_add_tail(&head->lru, &cma_page_list); +- mod_node_page_state(page_pgdat(head), +- NR_ISOLATED_ANON + +- page_is_file_lru(head), +- thp_nr_pages(head)); ++ if (isolate_lru_page(head)) { ++ isolation_error_count++; ++ continue; + } ++ list_add_tail(&head->lru, &cma_page_list); ++ mod_node_page_state(page_pgdat(head), ++ NR_ISOLATED_ANON + ++ page_is_file_lru(head), ++ thp_nr_pages(head)); + } + } + } + ++ /* ++ * If list is empty, and no isolation errors, means that all pages are ++ * in the correct zone. ++ */ ++ if (list_empty(&cma_page_list) && !isolation_error_count) ++ return ret; ++ + if (!list_empty(&cma_page_list)) { + /* + * drop the above get_user_pages reference. +@@ -1622,23 +1634,19 @@ check_again: + return ret > 0 ? -ENOMEM : ret; + } + +- /* +- * We did migrate all the pages, Try to get the page references +- * again migrating any new CMA pages which we failed to isolate +- * earlier. +- */ +- ret = __get_user_pages_locked(mm, start, nr_pages, +- pages, vmas, NULL, +- gup_flags); +- +- if (ret > 0) { +- nr_pages = ret; +- drain_allow = true; +- goto check_again; +- } ++ /* We unpinned pages before migration, pin them again */ ++ ret = __get_user_pages_locked(mm, start, nr_pages, pages, vmas, ++ NULL, gup_flags); ++ if (ret <= 0) ++ return ret; ++ nr_pages = ret; + } + +- return ret; ++ /* ++ * check again because pages were unpinned, and we also might have ++ * had isolation errors and need more pages to migrate. ++ */ ++ goto check_again; + } + #else + static long check_and_migrate_cma_pages(struct mm_struct *mm, +-- +2.30.2 + diff --git a/queue-5.10/mm-gup-return-an-error-on-migration-failure.patch b/queue-5.10/mm-gup-return-an-error-on-migration-failure.patch new file mode 100644 index 00000000000..f6b1ac47f35 --- /dev/null +++ b/queue-5.10/mm-gup-return-an-error-on-migration-failure.patch @@ -0,0 +1,96 @@ +From 47467db20a4031d08692c2cb8faf012920a1eca2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 18:38:46 -0700 +Subject: mm/gup: return an error on migration failure + +From: Pavel Tatashin + +[ Upstream commit f0f4463837da17a89d965dcbe4e411629dbcf308 ] + +When migration failure occurs, we still pin pages, which means that we +may pin CMA movable pages which should never be the case. + +Instead return an error without pinning pages when migration failure +happens. + +No need to retry migrating, because migrate_pages() already retries 10 +times. + +Link: https://lkml.kernel.org/r/20210215161349.246722-4-pasha.tatashin@soleen.com +Signed-off-by: Pavel Tatashin +Reviewed-by: Jason Gunthorpe +Cc: Dan Williams +Cc: David Hildenbrand +Cc: David Rientjes +Cc: Ingo Molnar +Cc: Ira Weiny +Cc: James Morris +Cc: Jason Gunthorpe +Cc: John Hubbard +Cc: Joonsoo Kim +Cc: Matthew Wilcox +Cc: Mel Gorman +Cc: Michal Hocko +Cc: Michal Hocko +Cc: Mike Kravetz +Cc: Oscar Salvador +Cc: Peter Zijlstra +Cc: Sasha Levin +Cc: Steven Rostedt (VMware) +Cc: Tyler Hicks +Cc: Vlastimil Babka +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/gup.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +diff --git a/mm/gup.c b/mm/gup.c +index e10807c4c46b..0fa8d88eb7ba 100644 +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -1563,7 +1563,6 @@ static long check_and_migrate_cma_pages(struct mm_struct *mm, + { + unsigned long i; + bool drain_allow = true; +- bool migrate_allow = true; + LIST_HEAD(cma_page_list); + long ret = nr_pages; + struct page *prev_head, *head; +@@ -1614,17 +1613,15 @@ check_again: + for (i = 0; i < nr_pages; i++) + put_page(pages[i]); + +- if (migrate_pages(&cma_page_list, alloc_migration_target, NULL, +- (unsigned long)&mtc, MIGRATE_SYNC, MR_CONTIG_RANGE)) { +- /* +- * some of the pages failed migration. Do get_user_pages +- * without migration. +- */ +- migrate_allow = false; +- ++ ret = migrate_pages(&cma_page_list, alloc_migration_target, ++ NULL, (unsigned long)&mtc, MIGRATE_SYNC, ++ MR_CONTIG_RANGE); ++ if (ret) { + if (!list_empty(&cma_page_list)) + putback_movable_pages(&cma_page_list); ++ return ret > 0 ? -ENOMEM : ret; + } ++ + /* + * We did migrate all the pages, Try to get the page references + * again migrating any new CMA pages which we failed to isolate +@@ -1634,7 +1631,7 @@ check_again: + pages, vmas, NULL, + gup_flags); + +- if ((ret > 0) && migrate_allow) { ++ if (ret > 0) { + nr_pages = ret; + drain_allow = true; + goto check_again; +-- +2.30.2 + diff --git a/queue-5.10/mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch b/queue-5.10/mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch new file mode 100644 index 00000000000..0c6750811ac --- /dev/null +++ b/queue-5.10/mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch @@ -0,0 +1,57 @@ +From 88fb8b7b1e9acefe927b4005426f22fb6e7542a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 18:34:38 -0700 +Subject: mm/hugeltb: handle the error case in hugetlb_fix_reserve_counts() + +From: Miaohe Lin + +[ Upstream commit da56388c4397878a65b74f7fe97760f5aa7d316b ] + +A rare out of memory error would prevent removal of the reserve map region +for a page. hugetlb_fix_reserve_counts() handles this rare case to avoid +dangling with incorrect counts. Unfortunately, hugepage_subpool_get_pages +and hugetlb_acct_memory could possibly fail too. We should correctly +handle these cases. + +Link: https://lkml.kernel.org/r/20210410072348.20437-5-linmiaohe@huawei.com +Fixes: b5cec28d36f5 ("hugetlbfs: truncate_hugepages() takes a range of pages") +Signed-off-by: Miaohe Lin +Cc: Feilong Lin +Cc: Mike Kravetz +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/hugetlb.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 573f1a0183be..900851a4f914 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -745,13 +745,20 @@ void hugetlb_fix_reserve_counts(struct inode *inode) + { + struct hugepage_subpool *spool = subpool_inode(inode); + long rsv_adjust; ++ bool reserved = false; + + rsv_adjust = hugepage_subpool_get_pages(spool, 1); +- if (rsv_adjust) { ++ if (rsv_adjust > 0) { + struct hstate *h = hstate_inode(inode); + +- hugetlb_acct_memory(h, 1); ++ if (!hugetlb_acct_memory(h, 1)) ++ reserved = true; ++ } else if (!rsv_adjust) { ++ reserved = true; + } ++ ++ if (!reserved) ++ pr_warn("hugetlb: Huge Page Reserved count may go negative.\n"); + } + + /* +-- +2.30.2 + diff --git a/queue-5.10/mm-migrate.c-fix-potential-indeterminate-pte-entry-i.patch b/queue-5.10/mm-migrate.c-fix-potential-indeterminate-pte-entry-i.patch new file mode 100644 index 00000000000..e962e423385 --- /dev/null +++ b/queue-5.10/mm-migrate.c-fix-potential-indeterminate-pte-entry-i.patch @@ -0,0 +1,50 @@ +From a82294dea6e0106ab701888c6960b9fc42619274 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 18:37:10 -0700 +Subject: mm/migrate.c: fix potential indeterminate pte entry in + migrate_vma_insert_page() + +From: Miaohe Lin + +[ Upstream commit 34f5e9b9d1990d286199084efa752530ee3d8297 ] + +If the zone device page does not belong to un-addressable device memory, +the variable entry will be uninitialized and lead to indeterminate pte +entry ultimately. Fix this unexpected case and warn about it. + +Link: https://lkml.kernel.org/r/20210325131524.48181-4-linmiaohe@huawei.com +Fixes: df6ad69838fc ("mm/device-public-memory: device memory cache coherent with CPU") +Signed-off-by: Miaohe Lin +Reviewed-by: David Hildenbrand +Cc: Alistair Popple +Cc: Jerome Glisse +Cc: Rafael Aquini +Cc: Yang Shi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/migrate.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/mm/migrate.c b/mm/migrate.c +index 9d7ca1bd7f4b..7982256a5125 100644 +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -2914,6 +2914,13 @@ static void migrate_vma_insert_page(struct migrate_vma *migrate, + + swp_entry = make_device_private_entry(page, vma->vm_flags & VM_WRITE); + entry = swp_entry_to_pte(swp_entry); ++ } else { ++ /* ++ * For now we only support migrating to un-addressable ++ * device memory. ++ */ ++ pr_warn_once("Unsupported ZONE_DEVICE page type.\n"); ++ goto abort; + } + } else { + entry = mk_pte(page, vma->vm_page_prot); +-- +2.30.2 + diff --git a/queue-5.10/mptcp-fix-splat-when-closing-unaccepted-socket.patch b/queue-5.10/mptcp-fix-splat-when-closing-unaccepted-socket.patch new file mode 100644 index 00000000000..c6eff28bfe4 --- /dev/null +++ b/queue-5.10/mptcp-fix-splat-when-closing-unaccepted-socket.patch @@ -0,0 +1,50 @@ +From c0cb7c75f846cf124719eac339b211faa992d267 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 17:16:38 -0700 +Subject: mptcp: fix splat when closing unaccepted socket + +From: Paolo Abeni + +[ Upstream commit 578c18eff1627d6a911f08f4cf351eca41fdcc7d ] + +If userspace exits before calling accept() on a listener that had at least +one new connection ready, we get: + + Attempt to release TCP socket in state 8 + +This happens because the mptcp socket gets cloned when the TCP connection +is ready, but the socket is never exposed to userspace. + +The client additionally sends a DATA_FIN, which brings connection into +CLOSE_WAIT state. This in turn prevents the orphan+state reset fixup +in mptcp_sock_destruct() from doing its job. + +Fixes: 3721b9b64676b ("mptcp: Track received DATA_FIN sequence number and add related helpers") +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/185 +Tested-by: Florian Westphal +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Link: https://lore.kernel.org/r/20210507001638.225468-1-mathew.j.martineau@linux.intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/subflow.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 6317b9bc8681..01a675fa2aa2 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -445,8 +445,7 @@ static void mptcp_sock_destruct(struct sock *sk) + * ESTABLISHED state and will not have the SOCK_DEAD flag. + * Both result in warnings from inet_sock_destruct. + */ +- +- if (sk->sk_state == TCP_ESTABLISHED) { ++ if ((1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_CLOSE_WAIT)) { + sk->sk_state = TCP_CLOSE; + WARN_ON_ONCE(sk->sk_socket); + sock_orphan(sk); +-- +2.30.2 + diff --git a/queue-5.10/mt76-mt7615-fix-entering-driver-own-state-on-mt7663.patch b/queue-5.10/mt76-mt7615-fix-entering-driver-own-state-on-mt7663.patch new file mode 100644 index 00000000000..93dd266f70e --- /dev/null +++ b/queue-5.10/mt76-mt7615-fix-entering-driver-own-state-on-mt7663.patch @@ -0,0 +1,47 @@ +From 5d4cd0d7adb94ef9582b920072a00ecccfff1f7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 21:07:53 +0200 +Subject: mt76: mt7615: fix entering driver-own state on mt7663 + +From: Felix Fietkau + +[ Upstream commit 5c7d374444afdeb9dd534a37c4f6c13af032da0c ] + +Fixes hardware wakeup issues + +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c +index c31036f57aef..62a971660da7 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c +@@ -341,12 +341,20 @@ static int mt7615_mcu_drv_pmctrl(struct mt7615_dev *dev) + u32 addr; + int err; + +- addr = is_mt7663(mdev) ? MT_PCIE_DOORBELL_PUSH : MT_CFG_LPCR_HOST; ++ if (is_mt7663(mdev)) { ++ /* Clear firmware own via N9 eint */ ++ mt76_wr(dev, MT_PCIE_DOORBELL_PUSH, MT_CFG_LPCR_HOST_DRV_OWN); ++ mt76_poll(dev, MT_CONN_ON_MISC, MT_CFG_LPCR_HOST_FW_OWN, 0, 3000); ++ ++ addr = MT_CONN_HIF_ON_LPCTL; ++ } else { ++ addr = MT_CFG_LPCR_HOST; ++ } ++ + mt76_wr(dev, addr, MT_CFG_LPCR_HOST_DRV_OWN); + + mt7622_trigger_hif_int(dev, true); + +- addr = is_mt7663(mdev) ? MT_CONN_HIF_ON_LPCTL : MT_CFG_LPCR_HOST; + err = !mt76_poll_msec(dev, addr, MT_CFG_LPCR_HOST_FW_OWN, 0, 3000); + + mt7622_trigger_hif_int(dev, false); +-- +2.30.2 + diff --git a/queue-5.10/mt76-mt7615-support-loading-eeprom-for-mt7613be.patch b/queue-5.10/mt76-mt7615-support-loading-eeprom-for-mt7613be.patch new file mode 100644 index 00000000000..284af5f1b14 --- /dev/null +++ b/queue-5.10/mt76-mt7615-support-loading-eeprom-for-mt7613be.patch @@ -0,0 +1,38 @@ +From 5c779540ebe8ef250ffbb4d06373bb130967cbce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Feb 2021 09:59:53 +0100 +Subject: mt76: mt7615: support loading EEPROM for MT7613BE + +From: Sander Vanheule + +[ Upstream commit 858ebf446bee7d5077bd99488aae617908c3f4fe ] + +EEPROM blobs for MT7613BE radios start with (little endian) 0x7663, +which is also the PCI device ID for this device. The EEPROM is required +for the radio to work at useful power levels, otherwise only the lowest +power level is available. + +Suggested-by: Georgi Vlaev +Tested-by: Stijn Segers +Signed-off-by: Sander Vanheule +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7615/eeprom.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/eeprom.c b/drivers/net/wireless/mediatek/mt76/mt7615/eeprom.c +index f4756bb946c3..e9cdcdc54d5c 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/eeprom.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/eeprom.c +@@ -86,6 +86,7 @@ static int mt7615_check_eeprom(struct mt76_dev *dev) + switch (val) { + case 0x7615: + case 0x7622: ++ case 0x7663: + return 0; + default: + return -EINVAL; +-- +2.30.2 + diff --git a/queue-5.10/mt76-mt76x0-disable-gtk-offloading.patch b/queue-5.10/mt76-mt76x0-disable-gtk-offloading.patch new file mode 100644 index 00000000000..97708a0d6bd --- /dev/null +++ b/queue-5.10/mt76-mt76x0-disable-gtk-offloading.patch @@ -0,0 +1,46 @@ +From 21c388b28802a37a45f7497119d8af2339dfa137 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Feb 2021 16:09:17 +0100 +Subject: mt76: mt76x0: disable GTK offloading + +From: David Bauer + +[ Upstream commit 4b36cc6b390f18dbc59a45fb4141f90d7dfe2b23 ] + +When operating two VAP on a MT7610 with encryption (PSK2, SAE, OWE), +only the first one to be created will transmit properly encrypteded +frames. + +All subsequently created VAPs will sent out frames with the payload left +unencrypted, breaking multicast traffic (ICMP6 NDP) and potentially +disclosing information to a third party. + +Disable GTK offloading and encrypt these frames in software to +circumvent this issue. THis only seems to be necessary on MT7610 chips, +as MT7612 is not affected from our testing. + +Signed-off-by: David Bauer +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76x02_util.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_util.c b/drivers/net/wireless/mediatek/mt76/mt76x02_util.c +index 11b769af2f8f..0f191bd28417 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76x02_util.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_util.c +@@ -446,6 +446,10 @@ int mt76x02_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + !(key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) + return -EOPNOTSUPP; + ++ /* MT76x0 GTK offloading does not work with more than one VIF */ ++ if (is_mt76x0(dev) && !(key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) ++ return -EOPNOTSUPP; ++ + msta = sta ? (struct mt76x02_sta *)sta->drv_priv : NULL; + wcid = msta ? &msta->wcid : &mvif->group_wcid; + +-- +2.30.2 + diff --git a/queue-5.10/mt76-mt7915-fix-txpower-init-for-tssi-off-chips.patch b/queue-5.10/mt76-mt7915-fix-txpower-init-for-tssi-off-chips.patch new file mode 100644 index 00000000000..4aba9303521 --- /dev/null +++ b/queue-5.10/mt76-mt7915-fix-txpower-init-for-tssi-off-chips.patch @@ -0,0 +1,63 @@ +From cd2338e7cba320fcb5c8bfd028ea3e54d14ffd72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Apr 2021 10:31:29 +0800 +Subject: mt76: mt7915: fix txpower init for TSSI off chips + +From: Shayne Chen + +[ Upstream commit a226ccd04c479ccd23d6927c64bad1b441707f70 ] + +Fix incorrect txpower init value for TSSI off chips which causes +too small txpower. + +Signed-off-by: Shayne Chen +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + .../wireless/mediatek/mt76/mt7915/eeprom.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c b/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c +index 7deba7ebd68a..e4c5f968f706 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c +@@ -104,7 +104,7 @@ int mt7915_eeprom_get_target_power(struct mt7915_dev *dev, + struct ieee80211_channel *chan, + u8 chain_idx) + { +- int index; ++ int index, target_power; + bool tssi_on; + + if (chain_idx > 3) +@@ -113,15 +113,22 @@ int mt7915_eeprom_get_target_power(struct mt7915_dev *dev, + tssi_on = mt7915_tssi_enabled(dev, chan->band); + + if (chan->band == NL80211_BAND_2GHZ) { +- index = MT_EE_TX0_POWER_2G + chain_idx * 3 + !tssi_on; ++ index = MT_EE_TX0_POWER_2G + chain_idx * 3; ++ target_power = mt7915_eeprom_read(dev, index); ++ ++ if (!tssi_on) ++ target_power += mt7915_eeprom_read(dev, index + 1); + } else { +- int group = tssi_on ? +- mt7915_get_channel_group(chan->hw_value) : 8; ++ int group = mt7915_get_channel_group(chan->hw_value); ++ ++ index = MT_EE_TX0_POWER_5G + chain_idx * 12; ++ target_power = mt7915_eeprom_read(dev, index + group); + +- index = MT_EE_TX0_POWER_5G + chain_idx * 12 + group; ++ if (!tssi_on) ++ target_power += mt7915_eeprom_read(dev, index + 8); + } + +- return mt7915_eeprom_read(dev, index); ++ return target_power; + } + + static const u8 sku_cck_delta_map[] = { +-- +2.30.2 + diff --git a/queue-5.10/net-bridge-when-suppression-is-enabled-exclude-rarp-.patch b/queue-5.10/net-bridge-when-suppression-is-enabled-exclude-rarp-.patch new file mode 100644 index 00000000000..4696d67a80c --- /dev/null +++ b/queue-5.10/net-bridge-when-suppression-is-enabled-exclude-rarp-.patch @@ -0,0 +1,44 @@ +From 636e1c08e836c4a40e181e317f10afaf91178ccb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Mar 2021 17:45:27 +0200 +Subject: net: bridge: when suppression is enabled exclude RARP packets + +From: Nikolay Aleksandrov + +[ Upstream commit 0353b4a96b7a9f60fe20d1b3ebd4931a4085f91c ] + +Recently we had an interop issue where RARP packets got suppressed with +bridge neigh suppression enabled, but the check in the code was meant to +suppress GARP. Exclude RARP packets from it which would allow some VMWare +setups to work, to quote the report: +"Those RARP packets usually get generated by vMware to notify physical +switches when vMotion occurs. vMware may use random sip/tip or just use +sip=tip=0. So the RARP packet sometimes get properly flooded by the vtep +and other times get dropped by the logic" + +Reported-by: Amer Abdalamer +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_arp_nd_proxy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/bridge/br_arp_nd_proxy.c b/net/bridge/br_arp_nd_proxy.c +index dfec65eca8a6..3db1def4437b 100644 +--- a/net/bridge/br_arp_nd_proxy.c ++++ b/net/bridge/br_arp_nd_proxy.c +@@ -160,7 +160,9 @@ void br_do_proxy_suppress_arp(struct sk_buff *skb, struct net_bridge *br, + if (br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED)) { + if (p && (p->flags & BR_NEIGH_SUPPRESS)) + return; +- if (ipv4_is_zeronet(sip) || sip == tip) { ++ if (parp->ar_op != htons(ARPOP_RREQUEST) && ++ parp->ar_op != htons(ARPOP_RREPLY) && ++ (ipv4_is_zeronet(sip) || sip == tip)) { + /* prevent flooding to neigh suppress ports */ + BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1; + return; +-- +2.30.2 + diff --git a/queue-5.10/net-ethernet-mtk_eth_soc-fix-rx-vlan-offload.patch b/queue-5.10/net-ethernet-mtk_eth_soc-fix-rx-vlan-offload.patch new file mode 100644 index 00000000000..6e0c7e40056 --- /dev/null +++ b/queue-5.10/net-ethernet-mtk_eth_soc-fix-rx-vlan-offload.patch @@ -0,0 +1,50 @@ +From 32301185df8fda5db88cfdd504774d7f537cde2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Apr 2021 22:20:54 -0700 +Subject: net: ethernet: mtk_eth_soc: fix RX VLAN offload + +From: Felix Fietkau + +[ Upstream commit 3f57d8c40fea9b20543cab4da12f4680d2ef182c ] + +The VLAN ID in the rx descriptor is only valid if the RX_DMA_VTAG bit is +set. Fixes frames wrongly marked with VLAN tags. + +Signed-off-by: Felix Fietkau +[Ilya: fix commit message] +Signed-off-by: Ilya Lipnitskiy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +- + drivers/net/ethernet/mediatek/mtk_eth_soc.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 6d2d60675ffd..d930fcda9c3b 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -1319,7 +1319,7 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget, + skb->protocol = eth_type_trans(skb, netdev); + + if (netdev->features & NETIF_F_HW_VLAN_CTAG_RX && +- RX_DMA_VID(trxd.rxd3)) ++ (trxd.rxd2 & RX_DMA_VTAG)) + __vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q), + RX_DMA_VID(trxd.rxd3)); + skb_record_rx_queue(skb, 0); +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h +index 454cfcd465fd..73ce1f0f307a 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h +@@ -295,6 +295,7 @@ + #define RX_DMA_LSO BIT(30) + #define RX_DMA_PLEN0(_x) (((_x) & 0x3fff) << 16) + #define RX_DMA_GET_PLEN0(_x) (((_x) >> 16) & 0x3fff) ++#define RX_DMA_VTAG BIT(15) + + /* QDMA descriptor rxd3 */ + #define RX_DMA_VID(_x) ((_x) & 0xfff) +-- +2.30.2 + diff --git a/queue-5.10/net-fix-nla_strcmp-to-handle-more-then-one-trailing-.patch b/queue-5.10/net-fix-nla_strcmp-to-handle-more-then-one-trailing-.patch new file mode 100644 index 00000000000..b2e0867621b --- /dev/null +++ b/queue-5.10/net-fix-nla_strcmp-to-handle-more-then-one-trailing-.patch @@ -0,0 +1,52 @@ +From 20a2fa40fc5113db4b342ea803a53bad5ba467b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 May 2021 09:58:31 -0700 +Subject: net: fix nla_strcmp to handle more then one trailing null character +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Å»enczykowski + +[ Upstream commit 2c16db6c92b0ee4aa61e88366df82169e83c3f7e ] + +Android userspace has been using TCA_KIND with a char[IFNAMESIZ] +many-null-terminated buffer containing the string 'bpf'. + +This works on 4.19 and ceases to work on 5.10. + +I'm not entirely sure what fixes tag to use, but I think the issue +was likely introduced in the below mentioned 5.4 commit. + +Reported-by: Nucca Chen +Cc: Cong Wang +Cc: David Ahern +Cc: David S. Miller +Cc: Jakub Kicinski +Cc: Jamal Hadi Salim +Cc: Jiri Pirko +Cc: Jiri Pirko +Fixes: 62794fc4fbf5 ("net_sched: add max len check for TCA_KIND") +Change-Id: I66dc281f165a2858fc29a44869a270a2d698a82b +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + lib/nlattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/nlattr.c b/lib/nlattr.c +index 74019c8ebf6b..fe60f9ae9db1 100644 +--- a/lib/nlattr.c ++++ b/lib/nlattr.c +@@ -816,7 +816,7 @@ int nla_strcmp(const struct nlattr *nla, const char *str) + int attrlen = nla_len(nla); + int d; + +- if (attrlen > 0 && buf[attrlen - 1] == '\0') ++ while (attrlen > 0 && buf[attrlen - 1] == '\0') + attrlen--; + + d = attrlen - len; +-- +2.30.2 + diff --git a/queue-5.10/net-hns3-add-check-for-hns3_nic_state_inited-in-hns3.patch b/queue-5.10/net-hns3-add-check-for-hns3_nic_state_inited-in-hns3.patch new file mode 100644 index 00000000000..4fe7f917544 --- /dev/null +++ b/queue-5.10/net-hns3-add-check-for-hns3_nic_state_inited-in-hns3.patch @@ -0,0 +1,44 @@ +From 2ebdb489a959e6751d529d2714e54c1a2b1d232e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 16:34:52 +0800 +Subject: net: hns3: add check for HNS3_NIC_STATE_INITED in + hns3_reset_notify_up_enet() + +From: Jian Shen + +[ Upstream commit b4047aac4ec1066bab6c71950623746d7bcf7154 ] + +In some cases, the device is not initialized because reset failed. +If another task calls hns3_reset_notify_up_enet() before reset +retry, it will cause an error since uninitialized pointer access. +So add check for HNS3_NIC_STATE_INITED before calling +hns3_nic_net_open() in hns3_reset_notify_up_enet(). + +Fixes: bb6b94a896d4 ("net: hns3: Add reset interface implementation in client") +Signed-off-by: Jian Shen +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index 051598341968..6066cb0a5abb 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -4426,6 +4426,11 @@ static int hns3_reset_notify_up_enet(struct hnae3_handle *handle) + struct hns3_nic_priv *priv = netdev_priv(kinfo->netdev); + int ret = 0; + ++ if (!test_bit(HNS3_NIC_STATE_INITED, &priv->state)) { ++ netdev_err(kinfo->netdev, "device is not initialized yet\n"); ++ return -EFAULT; ++ } ++ + clear_bit(HNS3_NIC_STATE_RESETTING, &priv->state); + + if (netif_running(kinfo->netdev)) { +-- +2.30.2 + diff --git a/queue-5.10/net-hns3-add-handling-for-xmit-skb-with-recursive-fr.patch b/queue-5.10/net-hns3-add-handling-for-xmit-skb-with-recursive-fr.patch new file mode 100644 index 00000000000..5089189c4a2 --- /dev/null +++ b/queue-5.10/net-hns3-add-handling-for-xmit-skb-with-recursive-fr.patch @@ -0,0 +1,297 @@ +From 3e783701588458e99593d501dd22d67a854982bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 11:57:50 +0800 +Subject: net: hns3: add handling for xmit skb with recursive fraglist + +From: Yunsheng Lin + +[ Upstream commit d5d5e0193ee8f88efbbc7f1471087255657bc19a ] + +Currently hns3 driver only handle the xmit skb with one level of +fraglist skb, add handling for multi level by calling hns3_tx_bd_num() +recursively when calculating bd num and calling hns3_fill_skb_to_desc() +recursively when filling tx desc. + +When the skb has a fraglist level of 24, the skb is simply dropped and +stats.max_recursion_level is added to record the error. Move the stat +handling from hns3_nic_net_xmit() to hns3_nic_maybe_stop_tx() in order +to handle different error stat and add the 'max_recursion_level' and +'hw_limitation' stat. + +Note that the max recursive level as 24 is chose according to below: +commit 48a1df65334b ("skbuff: return -EMSGSIZE in skb_to_sgvec to +prevent overflow"). + +And that we are not able to find a testcase to verify the recursive +fraglist case, so Fixes tag is not provided. + +Reported-by: Barry Song +Signed-off-by: Yunsheng Lin +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/hisilicon/hns3/hns3_enet.c | 115 +++++++++++------- + .../net/ethernet/hisilicon/hns3/hns3_enet.h | 2 + + .../ethernet/hisilicon/hns3/hns3_ethtool.c | 2 + + 3 files changed, 78 insertions(+), 41 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index 070bef303d18..051598341968 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -1192,23 +1192,21 @@ static unsigned int hns3_skb_bd_num(struct sk_buff *skb, unsigned int *bd_size, + } + + static unsigned int hns3_tx_bd_num(struct sk_buff *skb, unsigned int *bd_size, +- u8 max_non_tso_bd_num) ++ u8 max_non_tso_bd_num, unsigned int bd_num, ++ unsigned int recursion_level) + { ++#define HNS3_MAX_RECURSION_LEVEL 24 ++ + struct sk_buff *frag_skb; +- unsigned int bd_num = 0; + + /* If the total len is within the max bd limit */ +- if (likely(skb->len <= HNS3_MAX_BD_SIZE && !skb_has_frag_list(skb) && ++ if (likely(skb->len <= HNS3_MAX_BD_SIZE && !recursion_level && ++ !skb_has_frag_list(skb) && + skb_shinfo(skb)->nr_frags < max_non_tso_bd_num)) + return skb_shinfo(skb)->nr_frags + 1U; + +- /* The below case will always be linearized, return +- * HNS3_MAX_BD_NUM_TSO + 1U to make sure it is linearized. +- */ +- if (unlikely(skb->len > HNS3_MAX_TSO_SIZE || +- (!skb_is_gso(skb) && skb->len > +- HNS3_MAX_NON_TSO_SIZE(max_non_tso_bd_num)))) +- return HNS3_MAX_TSO_BD_NUM + 1U; ++ if (unlikely(recursion_level >= HNS3_MAX_RECURSION_LEVEL)) ++ return UINT_MAX; + + bd_num = hns3_skb_bd_num(skb, bd_size, bd_num); + +@@ -1216,7 +1214,8 @@ static unsigned int hns3_tx_bd_num(struct sk_buff *skb, unsigned int *bd_size, + return bd_num; + + skb_walk_frags(skb, frag_skb) { +- bd_num = hns3_skb_bd_num(frag_skb, bd_size, bd_num); ++ bd_num = hns3_tx_bd_num(frag_skb, bd_size, max_non_tso_bd_num, ++ bd_num, recursion_level + 1); + if (bd_num > HNS3_MAX_TSO_BD_NUM) + return bd_num; + } +@@ -1276,6 +1275,43 @@ void hns3_shinfo_pack(struct skb_shared_info *shinfo, __u32 *size) + size[i] = skb_frag_size(&shinfo->frags[i]); + } + ++static int hns3_skb_linearize(struct hns3_enet_ring *ring, ++ struct sk_buff *skb, ++ u8 max_non_tso_bd_num, ++ unsigned int bd_num) ++{ ++ /* 'bd_num == UINT_MAX' means the skb' fraglist has a ++ * recursion level of over HNS3_MAX_RECURSION_LEVEL. ++ */ ++ if (bd_num == UINT_MAX) { ++ u64_stats_update_begin(&ring->syncp); ++ ring->stats.over_max_recursion++; ++ u64_stats_update_end(&ring->syncp); ++ return -ENOMEM; ++ } ++ ++ /* The skb->len has exceeded the hw limitation, linearization ++ * will not help. ++ */ ++ if (skb->len > HNS3_MAX_TSO_SIZE || ++ (!skb_is_gso(skb) && skb->len > ++ HNS3_MAX_NON_TSO_SIZE(max_non_tso_bd_num))) { ++ u64_stats_update_begin(&ring->syncp); ++ ring->stats.hw_limitation++; ++ u64_stats_update_end(&ring->syncp); ++ return -ENOMEM; ++ } ++ ++ if (__skb_linearize(skb)) { ++ u64_stats_update_begin(&ring->syncp); ++ ring->stats.sw_err_cnt++; ++ u64_stats_update_end(&ring->syncp); ++ return -ENOMEM; ++ } ++ ++ return 0; ++} ++ + static int hns3_nic_maybe_stop_tx(struct hns3_enet_ring *ring, + struct net_device *netdev, + struct sk_buff *skb) +@@ -1285,7 +1321,7 @@ static int hns3_nic_maybe_stop_tx(struct hns3_enet_ring *ring, + unsigned int bd_size[HNS3_MAX_TSO_BD_NUM + 1U]; + unsigned int bd_num; + +- bd_num = hns3_tx_bd_num(skb, bd_size, max_non_tso_bd_num); ++ bd_num = hns3_tx_bd_num(skb, bd_size, max_non_tso_bd_num, 0, 0); + if (unlikely(bd_num > max_non_tso_bd_num)) { + if (bd_num <= HNS3_MAX_TSO_BD_NUM && skb_is_gso(skb) && + !hns3_skb_need_linearized(skb, bd_size, bd_num, +@@ -1294,16 +1330,11 @@ static int hns3_nic_maybe_stop_tx(struct hns3_enet_ring *ring, + goto out; + } + +- if (__skb_linearize(skb)) ++ if (hns3_skb_linearize(ring, skb, max_non_tso_bd_num, ++ bd_num)) + return -ENOMEM; + + bd_num = hns3_tx_bd_count(skb->len); +- if ((skb_is_gso(skb) && bd_num > HNS3_MAX_TSO_BD_NUM) || +- (!skb_is_gso(skb) && +- bd_num > max_non_tso_bd_num)) { +- trace_hns3_over_max_bd(skb); +- return -ENOMEM; +- } + + u64_stats_update_begin(&ring->syncp); + ring->stats.tx_copy++; +@@ -1327,6 +1358,10 @@ out: + return bd_num; + } + ++ u64_stats_update_begin(&ring->syncp); ++ ring->stats.tx_busy++; ++ u64_stats_update_end(&ring->syncp); ++ + return -EBUSY; + } + +@@ -1374,6 +1409,7 @@ static int hns3_fill_skb_to_desc(struct hns3_enet_ring *ring, + struct sk_buff *skb, enum hns_desc_type type) + { + unsigned int size = skb_headlen(skb); ++ struct sk_buff *frag_skb; + int i, ret, bd_num = 0; + + if (size) { +@@ -1398,6 +1434,15 @@ static int hns3_fill_skb_to_desc(struct hns3_enet_ring *ring, + bd_num += ret; + } + ++ skb_walk_frags(skb, frag_skb) { ++ ret = hns3_fill_skb_to_desc(ring, frag_skb, ++ DESC_TYPE_FRAGLIST_SKB); ++ if (unlikely(ret < 0)) ++ return ret; ++ ++ bd_num += ret; ++ } ++ + return bd_num; + } + +@@ -1428,8 +1473,6 @@ netdev_tx_t hns3_nic_net_xmit(struct sk_buff *skb, struct net_device *netdev) + struct hns3_enet_ring *ring = &priv->ring[skb->queue_mapping]; + struct netdev_queue *dev_queue; + int pre_ntu, next_to_use_head; +- struct sk_buff *frag_skb; +- int bd_num = 0; + bool doorbell; + int ret; + +@@ -1445,15 +1488,8 @@ netdev_tx_t hns3_nic_net_xmit(struct sk_buff *skb, struct net_device *netdev) + ret = hns3_nic_maybe_stop_tx(ring, netdev, skb); + if (unlikely(ret <= 0)) { + if (ret == -EBUSY) { +- u64_stats_update_begin(&ring->syncp); +- ring->stats.tx_busy++; +- u64_stats_update_end(&ring->syncp); + hns3_tx_doorbell(ring, 0, true); + return NETDEV_TX_BUSY; +- } else if (ret == -ENOMEM) { +- u64_stats_update_begin(&ring->syncp); +- ring->stats.sw_err_cnt++; +- u64_stats_update_end(&ring->syncp); + } + + hns3_rl_err(netdev, "xmit error: %d!\n", ret); +@@ -1466,21 +1502,14 @@ netdev_tx_t hns3_nic_net_xmit(struct sk_buff *skb, struct net_device *netdev) + if (unlikely(ret < 0)) + goto fill_err; + ++ /* 'ret < 0' means filling error, 'ret == 0' means skb->len is ++ * zero, which is unlikely, and 'ret > 0' means how many tx desc ++ * need to be notified to the hw. ++ */ + ret = hns3_fill_skb_to_desc(ring, skb, DESC_TYPE_SKB); +- if (unlikely(ret < 0)) ++ if (unlikely(ret <= 0)) + goto fill_err; + +- bd_num += ret; +- +- skb_walk_frags(skb, frag_skb) { +- ret = hns3_fill_skb_to_desc(ring, frag_skb, +- DESC_TYPE_FRAGLIST_SKB); +- if (unlikely(ret < 0)) +- goto fill_err; +- +- bd_num += ret; +- } +- + pre_ntu = ring->next_to_use ? (ring->next_to_use - 1) : + (ring->desc_num - 1); + ring->desc[pre_ntu].tx.bdtp_fe_sc_vld_ra_ri |= +@@ -1491,7 +1520,7 @@ netdev_tx_t hns3_nic_net_xmit(struct sk_buff *skb, struct net_device *netdev) + dev_queue = netdev_get_tx_queue(netdev, ring->queue_index); + doorbell = __netdev_tx_sent_queue(dev_queue, skb->len, + netdev_xmit_more()); +- hns3_tx_doorbell(ring, bd_num, doorbell); ++ hns3_tx_doorbell(ring, ret, doorbell); + + return NETDEV_TX_OK; + +@@ -1656,11 +1685,15 @@ static void hns3_nic_get_stats64(struct net_device *netdev, + tx_drop += ring->stats.tx_l4_proto_err; + tx_drop += ring->stats.tx_l2l3l4_err; + tx_drop += ring->stats.tx_tso_err; ++ tx_drop += ring->stats.over_max_recursion; ++ tx_drop += ring->stats.hw_limitation; + tx_errors += ring->stats.sw_err_cnt; + tx_errors += ring->stats.tx_vlan_err; + tx_errors += ring->stats.tx_l4_proto_err; + tx_errors += ring->stats.tx_l2l3l4_err; + tx_errors += ring->stats.tx_tso_err; ++ tx_errors += ring->stats.over_max_recursion; ++ tx_errors += ring->stats.hw_limitation; + } while (u64_stats_fetch_retry_irq(&ring->syncp, start)); + + /* fetch the rx stats */ +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h +index 1c81dea0da1e..398686b15a82 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.h +@@ -359,6 +359,8 @@ struct ring_stats { + u64 tx_l4_proto_err; + u64 tx_l2l3l4_err; + u64 tx_tso_err; ++ u64 over_max_recursion; ++ u64 hw_limitation; + }; + struct { + u64 rx_pkts; +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +index 6b07b2771172..c0aa3be0cdfb 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +@@ -39,6 +39,8 @@ static const struct hns3_stats hns3_txq_stats[] = { + HNS3_TQP_STAT("l4_proto_err", tx_l4_proto_err), + HNS3_TQP_STAT("l2l3l4_err", tx_l2l3l4_err), + HNS3_TQP_STAT("tso_err", tx_tso_err), ++ HNS3_TQP_STAT("over_max_recursion", over_max_recursion), ++ HNS3_TQP_STAT("hw_limitation", hw_limitation), + }; + + #define HNS3_TXQ_STATS_COUNT ARRAY_SIZE(hns3_txq_stats) +-- +2.30.2 + diff --git a/queue-5.10/net-hns3-disable-phy-loopback-setting-in-hclge_mac_s.patch b/queue-5.10/net-hns3-disable-phy-loopback-setting-in-hclge_mac_s.patch new file mode 100644 index 00000000000..9772941d737 --- /dev/null +++ b/queue-5.10/net-hns3-disable-phy-loopback-setting-in-hclge_mac_s.patch @@ -0,0 +1,39 @@ +From f6d1d05e2d22b1b8a06b74cd95d195bd0f620cc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Apr 2021 17:06:22 +0800 +Subject: net: hns3: disable phy loopback setting in hclge_mac_start_phy + +From: Yufeng Mo + +[ Upstream commit 472497d0bdae890a896013332a0b673f9acdf2bf ] + +If selftest and reset are performed at the same time, the phy +loopback setting may be still in enable state after the reset, +and device cannot link up. So fix this issue by disabling phy +loopback before phy_start(). + +Fixes: 256727da7395 ("net: hns3: Add MDIO support to HNS3 Ethernet driver for hip08 SoC") +Signed-off-by: Yufeng Mo +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c +index e89820702540..c194bba187d6 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c +@@ -255,6 +255,8 @@ void hclge_mac_start_phy(struct hclge_dev *hdev) + if (!phydev) + return; + ++ phy_loopback(phydev, false); ++ + phy_start(phydev); + } + +-- +2.30.2 + diff --git a/queue-5.10/net-hns3-fix-for-vxlan-gpe-tx-checksum-bug.patch b/queue-5.10/net-hns3-fix-for-vxlan-gpe-tx-checksum-bug.patch new file mode 100644 index 00000000000..0550156288a --- /dev/null +++ b/queue-5.10/net-hns3-fix-for-vxlan-gpe-tx-checksum-bug.patch @@ -0,0 +1,51 @@ +From 67737a5a455c0f23024d136d316632149b141684 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Apr 2021 17:06:19 +0800 +Subject: net: hns3: fix for vxlan gpe tx checksum bug + +From: Hao Chen + +[ Upstream commit 905416f18fe74bdd4de91bf94ef5a790a36e4b99 ] + +When skb->ip_summed is CHECKSUM_PARTIAL, for non-tunnel udp packet, +which has a dest port as the IANA assigned, the hardware is expected +to do the checksum offload, but the hardware whose version is below +V3 will not do the checksum offload when udp dest port is 4790. + +So fixes it by doing the checksum in software for this case. + +Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC") +Signed-off-by: Hao Chen +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index 6066cb0a5abb..3a42b96cb843 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -778,7 +778,7 @@ static int hns3_get_l4_protocol(struct sk_buff *skb, u8 *ol4_proto, + * and it is udp packet, which has a dest port as the IANA assigned. + * the hardware is expected to do the checksum offload, but the + * hardware will not do the checksum offload when udp dest port is +- * 4789 or 6081. ++ * 4789, 4790 or 6081. + */ + static bool hns3_tunnel_csum_bug(struct sk_buff *skb) + { +@@ -788,7 +788,8 @@ static bool hns3_tunnel_csum_bug(struct sk_buff *skb) + + if (!(!skb->encapsulation && + (l4.udp->dest == htons(IANA_VXLAN_UDP_PORT) || +- l4.udp->dest == htons(GENEVE_UDP_PORT)))) ++ l4.udp->dest == htons(GENEVE_UDP_PORT) || ++ l4.udp->dest == htons(4790)))) + return false; + + skb_checksum_help(skb); +-- +2.30.2 + diff --git a/queue-5.10/net-hns3-fix-incorrect-configuration-for-igu_egu_hw_.patch b/queue-5.10/net-hns3-fix-incorrect-configuration-for-igu_egu_hw_.patch new file mode 100644 index 00000000000..c7629604acb --- /dev/null +++ b/queue-5.10/net-hns3-fix-incorrect-configuration-for-igu_egu_hw_.patch @@ -0,0 +1,56 @@ +From 2e069db14a975185a0f7cc28ce496f50f76c8f4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 16:34:50 +0800 +Subject: net: hns3: fix incorrect configuration for igu_egu_hw_err + +From: Yufeng Mo + +[ Upstream commit 2867298dd49ee84214b8721521dc7a5a6382520c ] + +According to the UM, the type and enable status of igu_egu_hw_err +should be configured separately. Currently, the type field is +incorrect when disable this error. So fix it by configuring these +two fields separately. + +Fixes: bf1faf9415dd ("net: hns3: Add enable and process hw errors from IGU, EGU and NCSI") +Signed-off-by: Yufeng Mo +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c | 3 ++- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c +index 9ee55ee0487d..3226ca176155 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c +@@ -753,8 +753,9 @@ static int hclge_config_igu_egu_hw_err_int(struct hclge_dev *hdev, bool en) + + /* configure IGU,EGU error interrupts */ + hclge_cmd_setup_basic_desc(&desc, HCLGE_IGU_COMMON_INT_EN, false); ++ desc.data[0] = cpu_to_le32(HCLGE_IGU_ERR_INT_TYPE); + if (en) +- desc.data[0] = cpu_to_le32(HCLGE_IGU_ERR_INT_EN); ++ desc.data[0] |= cpu_to_le32(HCLGE_IGU_ERR_INT_EN); + + desc.data[1] = cpu_to_le32(HCLGE_IGU_ERR_INT_EN_MASK); + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h +index 608fe26fc3fe..d647f3c84134 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h +@@ -32,7 +32,8 @@ + #define HCLGE_TQP_ECC_ERR_INT_EN_MASK 0x0FFF + #define HCLGE_MSIX_SRAM_ECC_ERR_INT_EN_MASK 0x0F000000 + #define HCLGE_MSIX_SRAM_ECC_ERR_INT_EN 0x0F000000 +-#define HCLGE_IGU_ERR_INT_EN 0x0000066F ++#define HCLGE_IGU_ERR_INT_EN 0x0000000F ++#define HCLGE_IGU_ERR_INT_TYPE 0x00000660 + #define HCLGE_IGU_ERR_INT_EN_MASK 0x000F + #define HCLGE_IGU_TNL_ERR_INT_EN 0x0002AABF + #define HCLGE_IGU_TNL_ERR_INT_EN_MASK 0x003F +-- +2.30.2 + diff --git a/queue-5.10/net-hns3-initialize-the-message-content-in-hclge_get.patch b/queue-5.10/net-hns3-initialize-the-message-content-in-hclge_get.patch new file mode 100644 index 00000000000..6ef11bff4ba --- /dev/null +++ b/queue-5.10/net-hns3-initialize-the-message-content-in-hclge_get.patch @@ -0,0 +1,38 @@ +From 645819e94b4e42d7739227a6d63cd8b6c7c2fe4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 16:34:51 +0800 +Subject: net: hns3: initialize the message content in hclge_get_link_mode() + +From: Yufeng Mo + +[ Upstream commit 568a54bdf70b143f3e0befa298e22ad469ffc732 ] + +The message sent to VF should be initialized, otherwise random +value of some contents may cause improper processing by the target. +So add a initialization to message in hclge_get_link_mode(). + +Fixes: 9194d18b0577 ("net: hns3: fix the problem that the supported port is empty") +Signed-off-by: Yufeng Mo +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c +index 9c8004fc9dc4..e0254672831f 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c +@@ -519,7 +519,7 @@ static void hclge_get_link_mode(struct hclge_vport *vport, + unsigned long advertising; + unsigned long supported; + unsigned long send_data; +- u8 msg_data[10]; ++ u8 msg_data[10] = {}; + u8 dest_vfid; + + advertising = hdev->hw.mac.advertising[0]; +-- +2.30.2 + diff --git a/queue-5.10/net-hns3-remediate-a-potential-overflow-risk-of-bd_n.patch b/queue-5.10/net-hns3-remediate-a-potential-overflow-risk-of-bd_n.patch new file mode 100644 index 00000000000..f9d149567f5 --- /dev/null +++ b/queue-5.10/net-hns3-remediate-a-potential-overflow-risk-of-bd_n.patch @@ -0,0 +1,113 @@ +From e74689e7d231a3725c8d0fb7fe4138f8decefde2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 11:57:47 +0800 +Subject: net: hns3: remediate a potential overflow risk of bd_num_list + +From: Guangbin Huang + +[ Upstream commit a2ee6fd28a190588e142ad8ea9d40069cd3c9f98 ] + +The array size of bd_num_list is a fixed value, it may have potential +overflow risk when array size of hclge_dfx_bd_offset_list is greater +than that fixed value. So modify bd_num_list as a pointer and allocate +memory for it according to array size of hclge_dfx_bd_offset_list. + +Signed-off-by: Guangbin Huang +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../hisilicon/hns3/hns3pf/hclge_main.c | 27 ++++++++++++++----- + 1 file changed, 20 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index b856dbe4db73..98190aa90781 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -10845,7 +10845,6 @@ static int hclge_get_64_bit_regs(struct hclge_dev *hdev, u32 regs_num, + #define REG_LEN_PER_LINE (REG_NUM_PER_LINE * sizeof(u32)) + #define REG_SEPARATOR_LINE 1 + #define REG_NUM_REMAIN_MASK 3 +-#define BD_LIST_MAX_NUM 30 + + int hclge_query_bd_num_cmd_send(struct hclge_dev *hdev, struct hclge_desc *desc) + { +@@ -10939,15 +10938,19 @@ static int hclge_get_dfx_reg_len(struct hclge_dev *hdev, int *len) + { + u32 dfx_reg_type_num = ARRAY_SIZE(hclge_dfx_bd_offset_list); + int data_len_per_desc, bd_num, i; +- int bd_num_list[BD_LIST_MAX_NUM]; ++ int *bd_num_list; + u32 data_len; + int ret; + ++ bd_num_list = kcalloc(dfx_reg_type_num, sizeof(int), GFP_KERNEL); ++ if (!bd_num_list) ++ return -ENOMEM; ++ + ret = hclge_get_dfx_reg_bd_num(hdev, bd_num_list, dfx_reg_type_num); + if (ret) { + dev_err(&hdev->pdev->dev, + "Get dfx reg bd num fail, status is %d.\n", ret); +- return ret; ++ goto out; + } + + data_len_per_desc = sizeof_field(struct hclge_desc, data); +@@ -10958,6 +10961,8 @@ static int hclge_get_dfx_reg_len(struct hclge_dev *hdev, int *len) + *len += (data_len / REG_LEN_PER_LINE + 1) * REG_LEN_PER_LINE; + } + ++out: ++ kfree(bd_num_list); + return ret; + } + +@@ -10965,16 +10970,20 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data) + { + u32 dfx_reg_type_num = ARRAY_SIZE(hclge_dfx_bd_offset_list); + int bd_num, bd_num_max, buf_len, i; +- int bd_num_list[BD_LIST_MAX_NUM]; + struct hclge_desc *desc_src; ++ int *bd_num_list; + u32 *reg = data; + int ret; + ++ bd_num_list = kcalloc(dfx_reg_type_num, sizeof(int), GFP_KERNEL); ++ if (!bd_num_list) ++ return -ENOMEM; ++ + ret = hclge_get_dfx_reg_bd_num(hdev, bd_num_list, dfx_reg_type_num); + if (ret) { + dev_err(&hdev->pdev->dev, + "Get dfx reg bd num fail, status is %d.\n", ret); +- return ret; ++ goto out; + } + + bd_num_max = bd_num_list[0]; +@@ -10983,8 +10992,10 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data) + + buf_len = sizeof(*desc_src) * bd_num_max; + desc_src = kzalloc(buf_len, GFP_KERNEL); +- if (!desc_src) +- return -ENOMEM; ++ if (!desc_src) { ++ ret = -ENOMEM; ++ goto out; ++ } + + for (i = 0; i < dfx_reg_type_num; i++) { + bd_num = bd_num_list[i]; +@@ -11000,6 +11011,8 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data) + } + + kfree(desc_src); ++out: ++ kfree(bd_num_list); + return ret; + } + +-- +2.30.2 + diff --git a/queue-5.10/net-hns3-use-netif_tx_disable-to-stop-the-transmit-q.patch b/queue-5.10/net-hns3-use-netif_tx_disable-to-stop-the-transmit-q.patch new file mode 100644 index 00000000000..81c10460606 --- /dev/null +++ b/queue-5.10/net-hns3-use-netif_tx_disable-to-stop-the-transmit-q.patch @@ -0,0 +1,44 @@ +From 133bb5b348c39b541a0be3b458678388ae243a03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Apr 2021 17:06:20 +0800 +Subject: net: hns3: use netif_tx_disable to stop the transmit queue + +From: Peng Li + +[ Upstream commit b416e872be06fdace3c36cf5210130509d0f0e72 ] + +Currently, netif_tx_stop_all_queues() is used to ensure that +the xmit is not running, but for the concurrent case it will +not take effect, since netif_tx_stop_all_queues() just sets +a flag without locking to indicate that the xmit queue(s) +should not be run. + +So use netif_tx_disable() to replace netif_tx_stop_all_queues(), +it takes the xmit queue lock while marking the queue stopped. + +Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC") +Signed-off-by: Peng Li +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index 3a42b96cb843..ef3148919970 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -526,8 +526,8 @@ static int hns3_nic_net_stop(struct net_device *netdev) + if (h->ae_algo->ops->set_timer_task) + h->ae_algo->ops->set_timer_task(priv->ae_handle, false); + +- netif_tx_stop_all_queues(netdev); + netif_carrier_off(netdev); ++ netif_tx_disable(netdev); + + hns3_nic_net_down(netdev); + +-- +2.30.2 + diff --git a/queue-5.10/net-mlx5e-use-net_prefetchw-instead-of-prefetchw-in-.patch b/queue-5.10/net-mlx5e-use-net_prefetchw-instead-of-prefetchw-in-.patch new file mode 100644 index 00000000000..6210f3f86d0 --- /dev/null +++ b/queue-5.10/net-mlx5e-use-net_prefetchw-instead-of-prefetchw-in-.patch @@ -0,0 +1,46 @@ +From 5c29ce800f8d475b21484ff3138c963915803161 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jan 2021 18:43:31 +0200 +Subject: net/mlx5e: Use net_prefetchw instead of prefetchw in MPWQE TX + datapath + +From: Maxim Mikityanskiy + +[ Upstream commit 991b2654605b455a94dac73e14b23480e7e20991 ] + +Commit e20f0dbf204f ("net/mlx5e: RX, Add a prefetch command for small +L1_CACHE_BYTES") switched to using net_prefetchw at all places in mlx5e. +In the same time frame, commit 5af75c747e2a ("net/mlx5e: Enhanced TX +MPWQE for SKBs") added one more usage of prefetchw. When these two +changes were merged, this new occurrence of prefetchw wasn't replaced +with net_prefetchw. + +This commit fixes this last occurrence of prefetchw in +mlx5e_tx_mpwqe_session_start, making the same change that was done in +mlx5e_xdp_mpwqe_session_start. + +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Saeed Mahameed +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +index 38a23d209b33..373668068071 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +@@ -486,7 +486,7 @@ static void mlx5e_tx_mpwqe_session_start(struct mlx5e_txqsq *sq, + + pi = mlx5e_txqsq_get_next_pi(sq, MLX5E_TX_MPW_MAX_WQEBBS); + wqe = MLX5E_TX_FETCH_WQE(sq, pi); +- prefetchw(wqe->data); ++ net_prefetchw(wqe->data); + + *session = (struct mlx5e_tx_mpwqe) { + .wqe = wqe, +-- +2.30.2 + diff --git a/queue-5.10/net-sched-cls_flower-use-ntohs-for-struct-flow_disse.patch b/queue-5.10/net-sched-cls_flower-use-ntohs-for-struct-flow_disse.patch new file mode 100644 index 00000000000..b3f71c7968f --- /dev/null +++ b/queue-5.10/net-sched-cls_flower-use-ntohs-for-struct-flow_disse.patch @@ -0,0 +1,108 @@ +From eaf2e1acf1e5bf6debbde27dfc85d2607470e0a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Mar 2021 23:05:48 +0200 +Subject: net/sched: cls_flower: use ntohs for struct flow_dissector_key_ports + +From: Vladimir Oltean + +[ Upstream commit 6215afcb9a7e35cef334dc0ae7f998cc72c8465f ] + +A make W=1 build complains that: + +net/sched/cls_flower.c:214:20: warning: cast from restricted __be16 +net/sched/cls_flower.c:214:20: warning: incorrect type in argument 1 (different base types) +net/sched/cls_flower.c:214:20: expected unsigned short [usertype] val +net/sched/cls_flower.c:214:20: got restricted __be16 [usertype] dst + +This is because we use htons on struct flow_dissector_key_ports members +src and dst, which are defined as __be16, so they are already in network +byte order, not host. The byte swap function for the other direction +should have been used. + +Because htons and ntohs do the same thing (either both swap, or none +does), this change has no functional effect except to silence the +warnings. + +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_flower.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index 14316ba9b3b3..a5212a3f86e2 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -209,16 +209,16 @@ static bool fl_range_port_dst_cmp(struct cls_fl_filter *filter, + struct fl_flow_key *key, + struct fl_flow_key *mkey) + { +- __be16 min_mask, max_mask, min_val, max_val; ++ u16 min_mask, max_mask, min_val, max_val; + +- min_mask = htons(filter->mask->key.tp_range.tp_min.dst); +- max_mask = htons(filter->mask->key.tp_range.tp_max.dst); +- min_val = htons(filter->key.tp_range.tp_min.dst); +- max_val = htons(filter->key.tp_range.tp_max.dst); ++ min_mask = ntohs(filter->mask->key.tp_range.tp_min.dst); ++ max_mask = ntohs(filter->mask->key.tp_range.tp_max.dst); ++ min_val = ntohs(filter->key.tp_range.tp_min.dst); ++ max_val = ntohs(filter->key.tp_range.tp_max.dst); + + if (min_mask && max_mask) { +- if (htons(key->tp_range.tp.dst) < min_val || +- htons(key->tp_range.tp.dst) > max_val) ++ if (ntohs(key->tp_range.tp.dst) < min_val || ++ ntohs(key->tp_range.tp.dst) > max_val) + return false; + + /* skb does not have min and max values */ +@@ -232,16 +232,16 @@ static bool fl_range_port_src_cmp(struct cls_fl_filter *filter, + struct fl_flow_key *key, + struct fl_flow_key *mkey) + { +- __be16 min_mask, max_mask, min_val, max_val; ++ u16 min_mask, max_mask, min_val, max_val; + +- min_mask = htons(filter->mask->key.tp_range.tp_min.src); +- max_mask = htons(filter->mask->key.tp_range.tp_max.src); +- min_val = htons(filter->key.tp_range.tp_min.src); +- max_val = htons(filter->key.tp_range.tp_max.src); ++ min_mask = ntohs(filter->mask->key.tp_range.tp_min.src); ++ max_mask = ntohs(filter->mask->key.tp_range.tp_max.src); ++ min_val = ntohs(filter->key.tp_range.tp_min.src); ++ max_val = ntohs(filter->key.tp_range.tp_max.src); + + if (min_mask && max_mask) { +- if (htons(key->tp_range.tp.src) < min_val || +- htons(key->tp_range.tp.src) > max_val) ++ if (ntohs(key->tp_range.tp.src) < min_val || ++ ntohs(key->tp_range.tp.src) > max_val) + return false; + + /* skb does not have min and max values */ +@@ -779,16 +779,16 @@ static int fl_set_key_port_range(struct nlattr **tb, struct fl_flow_key *key, + TCA_FLOWER_UNSPEC, sizeof(key->tp_range.tp_max.src)); + + if (mask->tp_range.tp_min.dst && mask->tp_range.tp_max.dst && +- htons(key->tp_range.tp_max.dst) <= +- htons(key->tp_range.tp_min.dst)) { ++ ntohs(key->tp_range.tp_max.dst) <= ++ ntohs(key->tp_range.tp_min.dst)) { + NL_SET_ERR_MSG_ATTR(extack, + tb[TCA_FLOWER_KEY_PORT_DST_MIN], + "Invalid destination port range (min must be strictly smaller than max)"); + return -EINVAL; + } + if (mask->tp_range.tp_min.src && mask->tp_range.tp_max.src && +- htons(key->tp_range.tp_max.src) <= +- htons(key->tp_range.tp_min.src)) { ++ ntohs(key->tp_range.tp_max.src) <= ++ ntohs(key->tp_range.tp_min.src)) { + NL_SET_ERR_MSG_ATTR(extack, + tb[TCA_FLOWER_KEY_PORT_SRC_MIN], + "Invalid source port range (min must be strictly smaller than max)"); +-- +2.30.2 + diff --git a/queue-5.10/net-sched-tapr-prevent-cycle_time-0-in-parse_taprio_.patch b/queue-5.10/net-sched-tapr-prevent-cycle_time-0-in-parse_taprio_.patch new file mode 100644 index 00000000000..4504d16551e --- /dev/null +++ b/queue-5.10/net-sched-tapr-prevent-cycle_time-0-in-parse_taprio_.patch @@ -0,0 +1,46 @@ +From 06214a9ecf2d58900026093deef231bd9ca8a4ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Apr 2021 07:30:46 +0800 +Subject: net: sched: tapr: prevent cycle_time == 0 in parse_taprio_schedule + +From: Du Cheng + +[ Upstream commit ed8157f1ebf1ae81a8fa2653e3f20d2076fad1c9 ] + +There is a reproducible sequence from the userland that will trigger a WARN_ON() +condition in taprio_get_start_time, which causes kernel to panic if configured +as "panic_on_warn". Catch this condition in parse_taprio_schedule to +prevent this condition. + +Reported as bug on syzkaller: +https://syzkaller.appspot.com/bug?extid=d50710fd0873a9c6b40c + +Reported-by: syzbot+d50710fd0873a9c6b40c@syzkaller.appspotmail.com +Signed-off-by: Du Cheng +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_taprio.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c +index c966c05a0be9..00853065dfa0 100644 +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -900,6 +900,12 @@ static int parse_taprio_schedule(struct taprio_sched *q, struct nlattr **tb, + + list_for_each_entry(entry, &new->entries, list) + cycle = ktime_add_ns(cycle, entry->interval); ++ ++ if (!cycle) { ++ NL_SET_ERR_MSG(extack, "'cycle_time' can never be 0"); ++ return -EINVAL; ++ } ++ + new->cycle_time = cycle; + } + +-- +2.30.2 + diff --git a/queue-5.10/net-stmmac-clear-receive-all-ra-bit-when-promiscuous.patch b/queue-5.10/net-stmmac-clear-receive-all-ra-bit-when-promiscuous.patch new file mode 100644 index 00000000000..8a44ecb2a34 --- /dev/null +++ b/queue-5.10/net-stmmac-clear-receive-all-ra-bit-when-promiscuous.patch @@ -0,0 +1,37 @@ +From 5673463ca435df25ad078897e0ba7233d8acca14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 21:12:41 +0530 +Subject: net: stmmac: Clear receive all(RA) bit when promiscuous mode is off + +From: Ramesh Babu B + +[ Upstream commit 4c7a94286ef7ac7301d633f17519fb1bb89d7550 ] + +In promiscuous mode Receive All bit is set in GMAC packet filter register, +but outside promiscuous mode Receive All bit is not cleared, +which resulted in all network packets are received when toggle (ON/OFF) +the promiscuous mode. + +Fixes: e0f9956a3862 ("net: stmmac: Add option for VLAN filter fail queue enable") +Signed-off-by: Ramesh Babu B +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +index ced6d76a0d85..16c538cfaf59 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +@@ -617,6 +617,7 @@ static void dwmac4_set_filter(struct mac_device_info *hw, + value &= ~GMAC_PACKET_FILTER_PCF; + value &= ~GMAC_PACKET_FILTER_PM; + value &= ~GMAC_PACKET_FILTER_PR; ++ value &= ~GMAC_PACKET_FILTER_RA; + if (dev->flags & IFF_PROMISC) { + /* VLAN Tag Filter Fail Packets Queuing */ + if (hw->vlan_fail_q_en) { +-- +2.30.2 + diff --git a/queue-5.10/net-stmmac-set-fifo-sizes-for-ipq806x.patch b/queue-5.10/net-stmmac-set-fifo-sizes-for-ipq806x.patch new file mode 100644 index 00000000000..6035a74e93e --- /dev/null +++ b/queue-5.10/net-stmmac-set-fifo-sizes-for-ipq806x.patch @@ -0,0 +1,44 @@ +From 0b693bf75242807d28f540714b3c566d91524566 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Mar 2021 13:18:26 +0000 +Subject: net: stmmac: Set FIFO sizes for ipq806x + +From: Jonathan McDowell + +[ Upstream commit e127906b68b49ddb3ecba39ffa36a329c48197d3 ] + +Commit eaf4fac47807 ("net: stmmac: Do not accept invalid MTU values") +started using the TX FIFO size to verify what counts as a valid MTU +request for the stmmac driver. This is unset for the ipq806x variant. +Looking at older patches for this it seems the RX + TXs buffers can be +up to 8k, so set appropriately. + +(I sent this as an RFC patch in June last year, but received no replies. +I've been running with this on my hardware (a MikroTik RB3011) since +then with larger MTUs to support both the internal qca8k switch and +VLANs with no problems. Without the patch it's impossible to set the +larger MTU required to support this.) + +Signed-off-by: Jonathan McDowell +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c +index bf3250e0e59c..749585fe6fc9 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c +@@ -352,6 +352,8 @@ static int ipq806x_gmac_probe(struct platform_device *pdev) + plat_dat->bsp_priv = gmac; + plat_dat->fix_mac_speed = ipq806x_gmac_fix_mac_speed; + plat_dat->multicast_filter_bins = 0; ++ plat_dat->tx_fifo_size = 8192; ++ plat_dat->rx_fifo_size = 8192; + + err = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res); + if (err) +-- +2.30.2 + diff --git a/queue-5.10/netfilter-nfnetlink_osf-fix-a-missing-skb_header_poi.patch b/queue-5.10/netfilter-nfnetlink_osf-fix-a-missing-skb_header_poi.patch new file mode 100644 index 00000000000..93bf49d0741 --- /dev/null +++ b/queue-5.10/netfilter-nfnetlink_osf-fix-a-missing-skb_header_poi.patch @@ -0,0 +1,36 @@ +From f1646d49977c647ee1859b95cebae7f28734d89e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 May 2021 22:25:24 +0200 +Subject: netfilter: nfnetlink_osf: Fix a missing skb_header_pointer() NULL + check + +From: Pablo Neira Ayuso + +[ Upstream commit 5e024c325406470d1165a09c6feaf8ec897936be ] + +Do not assume that the tcph->doff field is correct when parsing for TCP +options, skb_header_pointer() might fail to fetch these bits. + +Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_osf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c +index 916a3c7f9eaf..79fbf37291f3 100644 +--- a/net/netfilter/nfnetlink_osf.c ++++ b/net/netfilter/nfnetlink_osf.c +@@ -186,6 +186,8 @@ static const struct tcphdr *nf_osf_hdr_ctx_init(struct nf_osf_hdr_ctx *ctx, + + ctx->optp = skb_header_pointer(skb, ip_hdrlen(skb) + + sizeof(struct tcphdr), ctx->optsize, opts); ++ if (!ctx->optp) ++ return NULL; + } + + return tcp; +-- +2.30.2 + diff --git a/queue-5.10/netfilter-nftables-avoid-overflows-in-nft_hash_bucke.patch b/queue-5.10/netfilter-nftables-avoid-overflows-in-nft_hash_bucke.patch new file mode 100644 index 00000000000..a5700d329db --- /dev/null +++ b/queue-5.10/netfilter-nftables-avoid-overflows-in-nft_hash_bucke.patch @@ -0,0 +1,76 @@ +From 844839e796ca8bdc5b96ca52ab33006b085ba319 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 05:53:23 -0700 +Subject: netfilter: nftables: avoid overflows in nft_hash_buckets() + +From: Eric Dumazet + +[ Upstream commit a54754ec9891830ba548e2010c889e3c8146e449 ] + +Number of buckets being stored in 32bit variables, we have to +ensure that no overflows occur in nft_hash_buckets() + +syzbot injected a size == 0x40000000 and reported: + +UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 +shift exponent 64 is too large for 64-bit type 'long unsigned int' +CPU: 1 PID: 29539 Comm: syz-executor.4 Not tainted 5.12.0-rc7-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x141/0x1d7 lib/dump_stack.c:120 + ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 + __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327 + __roundup_pow_of_two include/linux/log2.h:57 [inline] + nft_hash_buckets net/netfilter/nft_set_hash.c:411 [inline] + nft_hash_estimate.cold+0x19/0x1e net/netfilter/nft_set_hash.c:652 + nft_select_set_ops net/netfilter/nf_tables_api.c:3586 [inline] + nf_tables_newset+0xe62/0x3110 net/netfilter/nf_tables_api.c:4322 + nfnetlink_rcv_batch+0xa09/0x24b0 net/netfilter/nfnetlink.c:488 + nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:612 [inline] + nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:630 + netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 + netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:674 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + +Fixes: 0ed6389c483d ("netfilter: nf_tables: rename set implementations") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_hash.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c +index 4d3f147e8d8d..d7083bcb20e8 100644 +--- a/net/netfilter/nft_set_hash.c ++++ b/net/netfilter/nft_set_hash.c +@@ -393,9 +393,17 @@ static void nft_rhash_destroy(const struct nft_set *set) + (void *)set); + } + ++/* Number of buckets is stored in u32, so cap our result to 1U<<31 */ ++#define NFT_MAX_BUCKETS (1U << 31) ++ + static u32 nft_hash_buckets(u32 size) + { +- return roundup_pow_of_two(size * 4 / 3); ++ u64 val = div_u64((u64)size * 4, 3); ++ ++ if (val >= NFT_MAX_BUCKETS) ++ return NFT_MAX_BUCKETS; ++ ++ return roundup_pow_of_two(val); + } + + static bool nft_rhash_estimate(const struct nft_set_desc *desc, u32 features, +-- +2.30.2 + diff --git a/queue-5.10/netfilter-nftables-fix-a-memleak-from-userdata-error.patch b/queue-5.10/netfilter-nftables-fix-a-memleak-from-userdata-error.patch new file mode 100644 index 00000000000..281ba5d146d --- /dev/null +++ b/queue-5.10/netfilter-nftables-fix-a-memleak-from-userdata-error.patch @@ -0,0 +1,38 @@ +From d5c7e5715de40c8ef3a718cd87c43382f1595794 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 May 2021 23:06:43 +0200 +Subject: netfilter: nftables: Fix a memleak from userdata error path in new + objects + +From: Pablo Neira Ayuso + +[ Upstream commit 85dfd816fabfc16e71786eda0a33a7046688b5b0 ] + +Release object name if userdata allocation fails. + +Fixes: b131c96496b3 ("netfilter: nf_tables: add userdata support for nft_object") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 2e76935db2c8..7bf7bfa0c7d9 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6015,9 +6015,9 @@ err_obj_ht: + INIT_LIST_HEAD(&obj->list); + return err; + err_trans: +- kfree(obj->key.name); +-err_userdata: + kfree(obj->udata); ++err_userdata: ++ kfree(obj->key.name); + err_strdup: + if (obj->ops->destroy) + obj->ops->destroy(&ctx, obj); +-- +2.30.2 + diff --git a/queue-5.10/netfilter-xt_secmark-add-new-revision-to-fix-structu.patch b/queue-5.10/netfilter-xt_secmark-add-new-revision-to-fix-structu.patch new file mode 100644 index 00000000000..b2f706c2831 --- /dev/null +++ b/queue-5.10/netfilter-xt_secmark-add-new-revision-to-fix-structu.patch @@ -0,0 +1,173 @@ +From 19986f36455269a7cae00bc09190bc01e87985ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Apr 2021 14:00:13 +0200 +Subject: netfilter: xt_SECMARK: add new revision to fix structure layout + +From: Pablo Neira Ayuso + +[ Upstream commit c7d13358b6a2f49f81a34aa323a2d0878a0532a2 ] + +This extension breaks when trying to delete rules, add a new revision to +fix this. + +Fixes: 5e6874cdb8de ("[SECMARK]: Add xtables SECMARK target") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/uapi/linux/netfilter/xt_SECMARK.h | 6 ++ + net/netfilter/xt_SECMARK.c | 88 ++++++++++++++++++----- + 2 files changed, 75 insertions(+), 19 deletions(-) + +diff --git a/include/uapi/linux/netfilter/xt_SECMARK.h b/include/uapi/linux/netfilter/xt_SECMARK.h +index 1f2a708413f5..beb2cadba8a9 100644 +--- a/include/uapi/linux/netfilter/xt_SECMARK.h ++++ b/include/uapi/linux/netfilter/xt_SECMARK.h +@@ -20,4 +20,10 @@ struct xt_secmark_target_info { + char secctx[SECMARK_SECCTX_MAX]; + }; + ++struct xt_secmark_target_info_v1 { ++ __u8 mode; ++ char secctx[SECMARK_SECCTX_MAX]; ++ __u32 secid; ++}; ++ + #endif /*_XT_SECMARK_H_target */ +diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c +index 75625d13e976..498a0bf6f044 100644 +--- a/net/netfilter/xt_SECMARK.c ++++ b/net/netfilter/xt_SECMARK.c +@@ -24,10 +24,9 @@ MODULE_ALIAS("ip6t_SECMARK"); + static u8 mode; + + static unsigned int +-secmark_tg(struct sk_buff *skb, const struct xt_action_param *par) ++secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info) + { + u32 secmark = 0; +- const struct xt_secmark_target_info *info = par->targinfo; + + switch (mode) { + case SECMARK_MODE_SEL: +@@ -41,7 +40,7 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par) + return XT_CONTINUE; + } + +-static int checkentry_lsm(struct xt_secmark_target_info *info) ++static int checkentry_lsm(struct xt_secmark_target_info_v1 *info) + { + int err; + +@@ -73,15 +72,15 @@ static int checkentry_lsm(struct xt_secmark_target_info *info) + return 0; + } + +-static int secmark_tg_check(const struct xt_tgchk_param *par) ++static int ++secmark_tg_check(const char *table, struct xt_secmark_target_info_v1 *info) + { +- struct xt_secmark_target_info *info = par->targinfo; + int err; + +- if (strcmp(par->table, "mangle") != 0 && +- strcmp(par->table, "security") != 0) { ++ if (strcmp(table, "mangle") != 0 && ++ strcmp(table, "security") != 0) { + pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n", +- par->table); ++ table); + return -EINVAL; + } + +@@ -116,25 +115,76 @@ static void secmark_tg_destroy(const struct xt_tgdtor_param *par) + } + } + +-static struct xt_target secmark_tg_reg __read_mostly = { +- .name = "SECMARK", +- .revision = 0, +- .family = NFPROTO_UNSPEC, +- .checkentry = secmark_tg_check, +- .destroy = secmark_tg_destroy, +- .target = secmark_tg, +- .targetsize = sizeof(struct xt_secmark_target_info), +- .me = THIS_MODULE, ++static int secmark_tg_check_v0(const struct xt_tgchk_param *par) ++{ ++ struct xt_secmark_target_info *info = par->targinfo; ++ struct xt_secmark_target_info_v1 newinfo = { ++ .mode = info->mode, ++ }; ++ int ret; ++ ++ memcpy(newinfo.secctx, info->secctx, SECMARK_SECCTX_MAX); ++ ++ ret = secmark_tg_check(par->table, &newinfo); ++ info->secid = newinfo.secid; ++ ++ return ret; ++} ++ ++static unsigned int ++secmark_tg_v0(struct sk_buff *skb, const struct xt_action_param *par) ++{ ++ const struct xt_secmark_target_info *info = par->targinfo; ++ struct xt_secmark_target_info_v1 newinfo = { ++ .secid = info->secid, ++ }; ++ ++ return secmark_tg(skb, &newinfo); ++} ++ ++static int secmark_tg_check_v1(const struct xt_tgchk_param *par) ++{ ++ return secmark_tg_check(par->table, par->targinfo); ++} ++ ++static unsigned int ++secmark_tg_v1(struct sk_buff *skb, const struct xt_action_param *par) ++{ ++ return secmark_tg(skb, par->targinfo); ++} ++ ++static struct xt_target secmark_tg_reg[] __read_mostly = { ++ { ++ .name = "SECMARK", ++ .revision = 0, ++ .family = NFPROTO_UNSPEC, ++ .checkentry = secmark_tg_check_v0, ++ .destroy = secmark_tg_destroy, ++ .target = secmark_tg_v0, ++ .targetsize = sizeof(struct xt_secmark_target_info), ++ .me = THIS_MODULE, ++ }, ++ { ++ .name = "SECMARK", ++ .revision = 1, ++ .family = NFPROTO_UNSPEC, ++ .checkentry = secmark_tg_check_v1, ++ .destroy = secmark_tg_destroy, ++ .target = secmark_tg_v1, ++ .targetsize = sizeof(struct xt_secmark_target_info_v1), ++ .usersize = offsetof(struct xt_secmark_target_info_v1, secid), ++ .me = THIS_MODULE, ++ }, + }; + + static int __init secmark_tg_init(void) + { +- return xt_register_target(&secmark_tg_reg); ++ return xt_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg)); + } + + static void __exit secmark_tg_exit(void) + { +- xt_unregister_target(&secmark_tg_reg); ++ xt_unregister_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg)); + } + + module_init(secmark_tg_init); +-- +2.30.2 + diff --git a/queue-5.10/nfs-deal-correctly-with-attribute-generation-counter.patch b/queue-5.10/nfs-deal-correctly-with-attribute-generation-counter.patch new file mode 100644 index 00000000000..dc9bb2e9d6a --- /dev/null +++ b/queue-5.10/nfs-deal-correctly-with-attribute-generation-counter.patch @@ -0,0 +1,49 @@ +From 30bc19bbc3140304b8ee8c4947059ee68caec03b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 16:46:05 -0400 +Subject: NFS: Deal correctly with attribute generation counter overflow + +From: Trond Myklebust + +[ Upstream commit 9fdbfad1777cb4638f489eeb62d85432010c0031 ] + +We need to use unsigned long subtraction and then convert to signed in +order to deal correcly with C overflow rules. + +Fixes: f5062003465c ("NFS: Set an attribute barrier on all updates") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/inode.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index 43af053f467a..6e2e948f1475 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -1642,10 +1642,10 @@ EXPORT_SYMBOL_GPL(_nfs_display_fhandle); + */ + static int nfs_inode_attrs_need_update(const struct inode *inode, const struct nfs_fattr *fattr) + { +- const struct nfs_inode *nfsi = NFS_I(inode); ++ unsigned long attr_gencount = NFS_I(inode)->attr_gencount; + +- return ((long)fattr->gencount - (long)nfsi->attr_gencount) > 0 || +- ((long)nfsi->attr_gencount - (long)nfs_read_attr_generation_counter() > 0); ++ return (long)(fattr->gencount - attr_gencount) > 0 || ++ (long)(attr_gencount - nfs_read_attr_generation_counter()) > 0; + } + + static int nfs_refresh_inode_locked(struct inode *inode, struct nfs_fattr *fattr) +@@ -2074,7 +2074,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr) + nfsi->attrtimeo_timestamp = now; + } + /* Set the barrier to be more recent than this fattr */ +- if ((long)fattr->gencount - (long)nfsi->attr_gencount > 0) ++ if ((long)(fattr->gencount - nfsi->attr_gencount) > 0) + nfsi->attr_gencount = fattr->gencount; + } + +-- +2.30.2 + diff --git a/queue-5.10/nfs-fix-attribute-bitmask-in-_nfs42_proc_fallocate.patch b/queue-5.10/nfs-fix-attribute-bitmask-in-_nfs42_proc_fallocate.patch new file mode 100644 index 00000000000..0a8615d26b5 --- /dev/null +++ b/queue-5.10/nfs-fix-attribute-bitmask-in-_nfs42_proc_fallocate.patch @@ -0,0 +1,63 @@ +From f1872776cd84b4702ee10052bb200bc9580ee004 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Mar 2021 18:12:03 -0400 +Subject: NFS: Fix attribute bitmask in _nfs42_proc_fallocate() + +From: Trond Myklebust + +[ Upstream commit e99812e1382f0bfb6149393262bc70645c9f537a ] + +We can't use nfs4_fattr_bitmap as a bitmask, because it hasn't been +filtered to represent the attributes supported by the server. Instead, +let's revert to using server->cache_consistency_bitmask after adding in +the missing SPACE_USED attribute. + +Fixes: 913eca1aea87 ("NFS: Fallocate should use the nfs4_fattr_bitmap") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs42proc.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c +index 4fc61e3d098d..52d8cc253a2b 100644 +--- a/fs/nfs/nfs42proc.c ++++ b/fs/nfs/nfs42proc.c +@@ -46,11 +46,12 @@ static int _nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep, + { + struct inode *inode = file_inode(filep); + struct nfs_server *server = NFS_SERVER(inode); ++ u32 bitmask[3]; + struct nfs42_falloc_args args = { + .falloc_fh = NFS_FH(inode), + .falloc_offset = offset, + .falloc_length = len, +- .falloc_bitmask = nfs4_fattr_bitmap, ++ .falloc_bitmask = bitmask, + }; + struct nfs42_falloc_res res = { + .falloc_server = server, +@@ -68,6 +69,10 @@ static int _nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep, + return status; + } + ++ memcpy(bitmask, server->cache_consistency_bitmask, sizeof(bitmask)); ++ if (server->attr_bitmask[1] & FATTR4_WORD1_SPACE_USED) ++ bitmask[1] |= FATTR4_WORD1_SPACE_USED; ++ + res.falloc_fattr = nfs_alloc_fattr(); + if (!res.falloc_fattr) + return -ENOMEM; +@@ -75,7 +80,8 @@ static int _nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep, + status = nfs4_call_sync(server->client, server, msg, + &args.seq_args, &res.seq_res, 0); + if (status == 0) +- status = nfs_post_op_update_inode(inode, res.falloc_fattr); ++ status = nfs_post_op_update_inode_force_wcc(inode, ++ res.falloc_fattr); + + kfree(res.falloc_fattr); + return status; +-- +2.30.2 + diff --git a/queue-5.10/nfs-nfs4_bitmask_adjust-must-not-change-the-server-g.patch b/queue-5.10/nfs-nfs4_bitmask_adjust-must-not-change-the-server-g.patch new file mode 100644 index 00000000000..5bed3aae2c1 --- /dev/null +++ b/queue-5.10/nfs-nfs4_bitmask_adjust-must-not-change-the-server-g.patch @@ -0,0 +1,188 @@ +From b18e17f62ff73d15361dcd2324c50e764f83b2c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 18:15:36 -0400 +Subject: NFS: nfs4_bitmask_adjust() must not change the server global bitmasks + +From: Trond Myklebust + +[ Upstream commit 332d1a0373be32a3a3c152756bca45ff4f4e11b5 ] + +As currently set, the calls to nfs4_bitmask_adjust() will end up +overwriting the contents of the nfs_server cache_consistency_bitmask +field. +The intention here should be to modify a private copy of that mask in +the close/delegreturn/write arguments. + +Fixes: 76bd5c016ef4 ("NFSv4: make cache consistency bitmask dynamic") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 56 +++++++++++++++++++++++++---------------- + include/linux/nfs_xdr.h | 11 +++++--- + 2 files changed, 42 insertions(+), 25 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 15ac6b6893e7..06b70de0cc0d 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -112,9 +112,10 @@ static int nfs41_test_stateid(struct nfs_server *, nfs4_stateid *, + static int nfs41_free_stateid(struct nfs_server *, const nfs4_stateid *, + const struct cred *, bool); + #endif +-static void nfs4_bitmask_adjust(__u32 *bitmask, struct inode *inode, +- struct nfs_server *server, +- struct nfs4_label *label); ++static void nfs4_bitmask_set(__u32 bitmask[NFS4_BITMASK_SZ], ++ const __u32 *src, struct inode *inode, ++ struct nfs_server *server, ++ struct nfs4_label *label); + + #ifdef CONFIG_NFS_V4_SECURITY_LABEL + static inline struct nfs4_label * +@@ -3596,6 +3597,7 @@ static void nfs4_close_prepare(struct rpc_task *task, void *data) + struct nfs4_closedata *calldata = data; + struct nfs4_state *state = calldata->state; + struct inode *inode = calldata->inode; ++ struct nfs_server *server = NFS_SERVER(inode); + struct pnfs_layout_hdr *lo; + bool is_rdonly, is_wronly, is_rdwr; + int call_close = 0; +@@ -3652,8 +3654,10 @@ static void nfs4_close_prepare(struct rpc_task *task, void *data) + if (calldata->arg.fmode == 0 || calldata->arg.fmode == FMODE_READ) { + /* Close-to-open cache consistency revalidation */ + if (!nfs4_have_delegation(inode, FMODE_READ)) { +- calldata->arg.bitmask = NFS_SERVER(inode)->cache_consistency_bitmask; +- nfs4_bitmask_adjust(calldata->arg.bitmask, inode, NFS_SERVER(inode), NULL); ++ nfs4_bitmask_set(calldata->arg.bitmask_store, ++ server->cache_consistency_bitmask, ++ inode, server, NULL); ++ calldata->arg.bitmask = calldata->arg.bitmask_store; + } else + calldata->arg.bitmask = NULL; + } +@@ -5418,19 +5422,17 @@ bool nfs4_write_need_cache_consistency_data(struct nfs_pgio_header *hdr) + return nfs4_have_delegation(hdr->inode, FMODE_READ) == 0; + } + +-static void nfs4_bitmask_adjust(__u32 *bitmask, struct inode *inode, +- struct nfs_server *server, +- struct nfs4_label *label) ++static void nfs4_bitmask_set(__u32 bitmask[NFS4_BITMASK_SZ], const __u32 *src, ++ struct inode *inode, struct nfs_server *server, ++ struct nfs4_label *label) + { +- + unsigned long cache_validity = READ_ONCE(NFS_I(inode)->cache_validity); ++ unsigned int i; + +- if ((cache_validity & NFS_INO_INVALID_DATA) || +- (cache_validity & NFS_INO_REVAL_PAGECACHE) || +- (cache_validity & NFS_INO_REVAL_FORCED) || +- (cache_validity & NFS_INO_INVALID_OTHER)) +- nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, label), inode); ++ memcpy(bitmask, src, sizeof(*bitmask) * NFS4_BITMASK_SZ); + ++ if (cache_validity & (NFS_INO_INVALID_CHANGE | NFS_INO_REVAL_PAGECACHE)) ++ bitmask[0] |= FATTR4_WORD0_CHANGE; + if (cache_validity & NFS_INO_INVALID_ATIME) + bitmask[1] |= FATTR4_WORD1_TIME_ACCESS; + if (cache_validity & NFS_INO_INVALID_OTHER) +@@ -5439,16 +5441,22 @@ static void nfs4_bitmask_adjust(__u32 *bitmask, struct inode *inode, + FATTR4_WORD1_NUMLINKS; + if (label && label->len && cache_validity & NFS_INO_INVALID_LABEL) + bitmask[2] |= FATTR4_WORD2_SECURITY_LABEL; +- if (cache_validity & NFS_INO_INVALID_CHANGE) +- bitmask[0] |= FATTR4_WORD0_CHANGE; + if (cache_validity & NFS_INO_INVALID_CTIME) + bitmask[1] |= FATTR4_WORD1_TIME_METADATA; + if (cache_validity & NFS_INO_INVALID_MTIME) + bitmask[1] |= FATTR4_WORD1_TIME_MODIFY; +- if (cache_validity & NFS_INO_INVALID_SIZE) +- bitmask[0] |= FATTR4_WORD0_SIZE; + if (cache_validity & NFS_INO_INVALID_BLOCKS) + bitmask[1] |= FATTR4_WORD1_SPACE_USED; ++ ++ if (nfs4_have_delegation(inode, FMODE_READ) && ++ !(cache_validity & NFS_INO_REVAL_FORCED)) ++ bitmask[0] &= ~FATTR4_WORD0_SIZE; ++ else if (cache_validity & ++ (NFS_INO_INVALID_SIZE | NFS_INO_REVAL_PAGECACHE)) ++ bitmask[0] |= FATTR4_WORD0_SIZE; ++ ++ for (i = 0; i < NFS4_BITMASK_SZ; i++) ++ bitmask[i] &= server->attr_bitmask[i]; + } + + static void nfs4_proc_write_setup(struct nfs_pgio_header *hdr, +@@ -5461,8 +5469,10 @@ static void nfs4_proc_write_setup(struct nfs_pgio_header *hdr, + hdr->args.bitmask = NULL; + hdr->res.fattr = NULL; + } else { +- hdr->args.bitmask = server->cache_consistency_bitmask; +- nfs4_bitmask_adjust(hdr->args.bitmask, hdr->inode, server, NULL); ++ nfs4_bitmask_set(hdr->args.bitmask_store, ++ server->cache_consistency_bitmask, ++ hdr->inode, server, NULL); ++ hdr->args.bitmask = hdr->args.bitmask_store; + } + + if (!hdr->pgio_done_cb) +@@ -6504,8 +6514,10 @@ static int _nfs4_proc_delegreturn(struct inode *inode, const struct cred *cred, + + data->args.fhandle = &data->fh; + data->args.stateid = &data->stateid; +- data->args.bitmask = server->cache_consistency_bitmask; +- nfs4_bitmask_adjust(data->args.bitmask, inode, server, NULL); ++ nfs4_bitmask_set(data->args.bitmask_store, ++ server->cache_consistency_bitmask, inode, server, ++ NULL); ++ data->args.bitmask = data->args.bitmask_store; + nfs_copy_fh(&data->fh, NFS_FH(inode)); + nfs4_stateid_copy(&data->stateid, stateid); + data->res.fattr = &data->fattr; +diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h +index d63cb862d58e..5491ad5f48a9 100644 +--- a/include/linux/nfs_xdr.h ++++ b/include/linux/nfs_xdr.h +@@ -15,6 +15,8 @@ + #define NFS_DEF_FILE_IO_SIZE (4096U) + #define NFS_MIN_FILE_IO_SIZE (1024U) + ++#define NFS_BITMASK_SZ 3 ++ + struct nfs4_string { + unsigned int len; + char *data; +@@ -525,7 +527,8 @@ struct nfs_closeargs { + struct nfs_seqid * seqid; + fmode_t fmode; + u32 share_access; +- u32 * bitmask; ++ const u32 * bitmask; ++ u32 bitmask_store[NFS_BITMASK_SZ]; + struct nfs4_layoutreturn_args *lr_args; + }; + +@@ -608,7 +611,8 @@ struct nfs4_delegreturnargs { + struct nfs4_sequence_args seq_args; + const struct nfs_fh *fhandle; + const nfs4_stateid *stateid; +- u32 * bitmask; ++ const u32 *bitmask; ++ u32 bitmask_store[NFS_BITMASK_SZ]; + struct nfs4_layoutreturn_args *lr_args; + }; + +@@ -648,7 +652,8 @@ struct nfs_pgio_args { + union { + unsigned int replen; /* used by read */ + struct { +- u32 * bitmask; /* used by write */ ++ const u32 * bitmask; /* used by write */ ++ u32 bitmask_store[NFS_BITMASK_SZ]; /* used by write */ + enum nfs3_stable_how stable; /* used by write */ + }; + }; +-- +2.30.2 + diff --git a/queue-5.10/nfsd-ensure-new-clients-break-delegations.patch b/queue-5.10/nfsd-ensure-new-clients-break-delegations.patch new file mode 100644 index 00000000000..65db56f4bfd --- /dev/null +++ b/queue-5.10/nfsd-ensure-new-clients-break-delegations.patch @@ -0,0 +1,71 @@ +From e94dce6d7ea8778219cd4730d53f56750654eb6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Apr 2021 14:00:14 -0400 +Subject: nfsd: ensure new clients break delegations + +From: J. Bruce Fields + +[ Upstream commit 217fd6f625af591e2866bebb8cda778cf85bea2e ] + +If nfsd already has an open file that it plans to use for IO from +another, it may not need to do another vfs open, but it still may need +to break any delegations in case the existing opens are for another +client. + +Symptoms are that we may incorrectly fail to break a delegation on a +write open from a different client, when the delegation-holding client +already has a write open. + +Fixes: 28df3d1539de ("nfsd: clients don't need to break their own delegations") +Signed-off-by: J. Bruce Fields +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4state.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 55cf60b71cde..ac20f79bbedd 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -4874,6 +4874,11 @@ static __be32 nfs4_get_vfs_file(struct svc_rqst *rqstp, struct nfs4_file *fp, + if (nf) + nfsd_file_put(nf); + ++ status = nfserrno(nfsd_open_break_lease(cur_fh->fh_dentry->d_inode, ++ access)); ++ if (status) ++ goto out_put_access; ++ + status = nfsd4_truncate(rqstp, cur_fh, open); + if (status) + goto out_put_access; +@@ -6856,11 +6861,20 @@ out: + static __be32 nfsd_test_lock(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file_lock *lock) + { + struct nfsd_file *nf; +- __be32 err = nfsd_file_acquire(rqstp, fhp, NFSD_MAY_READ, &nf); +- if (!err) { +- err = nfserrno(vfs_test_lock(nf->nf_file, lock)); +- nfsd_file_put(nf); +- } ++ __be32 err; ++ ++ err = nfsd_file_acquire(rqstp, fhp, NFSD_MAY_READ, &nf); ++ if (err) ++ return err; ++ fh_lock(fhp); /* to block new leases till after test_lock: */ ++ err = nfserrno(nfsd_open_break_lease(fhp->fh_dentry->d_inode, ++ NFSD_MAY_READ)); ++ if (err) ++ goto out; ++ err = nfserrno(vfs_test_lock(nf->nf_file, lock)); ++out: ++ fh_unlock(fhp); ++ nfsd_file_put(nf); + return err; + } + +-- +2.30.2 + diff --git a/queue-5.10/nfsv4.2-always-flush-out-writes-in-nfs42_proc_falloc.patch b/queue-5.10/nfsv4.2-always-flush-out-writes-in-nfs42_proc_falloc.patch new file mode 100644 index 00000000000..82a185b88aa --- /dev/null +++ b/queue-5.10/nfsv4.2-always-flush-out-writes-in-nfs42_proc_falloc.patch @@ -0,0 +1,78 @@ +From 63dc7a14e1958bcdc7b56625d9cfbc533ade5159 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Mar 2021 18:17:14 -0400 +Subject: NFSv4.2: Always flush out writes in nfs42_proc_fallocate() + +From: Trond Myklebust + +[ Upstream commit 99f23783224355e7022ceea9b8d9f62c0fd01bd8 ] + +Whether we're allocating or delallocating space, we should flush out the +pending writes in order to avoid races with attribute updates. + +Fixes: 1e564d3dbd68 ("NFSv4.2: Fix a race in nfs42_proc_deallocate()") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs42proc.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c +index 52d8cc253a2b..948a4c69687c 100644 +--- a/fs/nfs/nfs42proc.c ++++ b/fs/nfs/nfs42proc.c +@@ -90,7 +90,8 @@ static int _nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep, + static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep, + loff_t offset, loff_t len) + { +- struct nfs_server *server = NFS_SERVER(file_inode(filep)); ++ struct inode *inode = file_inode(filep); ++ struct nfs_server *server = NFS_SERVER(inode); + struct nfs4_exception exception = { }; + struct nfs_lock_context *lock; + int err; +@@ -99,9 +100,13 @@ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep, + if (IS_ERR(lock)) + return PTR_ERR(lock); + +- exception.inode = file_inode(filep); ++ exception.inode = inode; + exception.state = lock->open_context->state; + ++ err = nfs_sync_inode(inode); ++ if (err) ++ goto out; ++ + do { + err = _nfs42_proc_fallocate(msg, filep, lock, offset, len); + if (err == -ENOTSUPP) { +@@ -110,7 +115,7 @@ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep, + } + err = nfs4_handle_exception(server, err, &exception); + } while (exception.retry); +- ++out: + nfs_put_lock_context(lock); + return err; + } +@@ -148,16 +153,13 @@ int nfs42_proc_deallocate(struct file *filep, loff_t offset, loff_t len) + return -EOPNOTSUPP; + + inode_lock(inode); +- err = nfs_sync_inode(inode); +- if (err) +- goto out_unlock; + + err = nfs42_proc_fallocate(&msg, filep, offset, len); + if (err == 0) + truncate_pagecache_range(inode, offset, (offset + len) -1); + if (err == -EOPNOTSUPP) + NFS_SERVER(inode)->caps &= ~NFS_CAP_DEALLOCATE; +-out_unlock: ++ + inode_unlock(inode); + return err; + } +-- +2.30.2 + diff --git a/queue-5.10/nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch b/queue-5.10/nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch new file mode 100644 index 00000000000..8f379e805dd --- /dev/null +++ b/queue-5.10/nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch @@ -0,0 +1,43 @@ +From f8cc4469a36de57b41b85f77a18b84b0abc64855 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Mar 2021 15:30:25 -0400 +Subject: NFSv4.2 fix handling of sr_eof in SEEK's reply + +From: Olga Kornievskaia + +[ Upstream commit 73f5c88f521a630ea1628beb9c2d48a2e777a419 ] + +Currently the client ignores the value of the sr_eof of the SEEK +operation. According to the spec, if the server didn't find the +requested extent and reached the end of the file, the server +would return sr_eof=true. In case the request for DATA and no +data was found (ie in the middle of the hole), then the lseek +expects that ENXIO would be returned. + +Fixes: 1c6dcbe5ceff8 ("NFS: Implement SEEK") +Signed-off-by: Olga Kornievskaia +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs42proc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c +index 948a4c69687c..4ebcd9dd1535 100644 +--- a/fs/nfs/nfs42proc.c ++++ b/fs/nfs/nfs42proc.c +@@ -665,7 +665,10 @@ static loff_t _nfs42_proc_llseek(struct file *filep, + if (status) + return status; + +- return vfs_setpos(filep, res.sr_offset, inode->i_sb->s_maxbytes); ++ if (whence == SEEK_DATA && res.sr_eof) ++ return -NFS4ERR_NXIO; ++ else ++ return vfs_setpos(filep, res.sr_offset, inode->i_sb->s_maxbytes); + } + + loff_t nfs42_proc_llseek(struct file *filep, loff_t offset, int whence) +-- +2.30.2 + diff --git a/queue-5.10/nfsv4.x-don-t-return-nfs4err_nomatching_layout-if-we.patch b/queue-5.10/nfsv4.x-don-t-return-nfs4err_nomatching_layout-if-we.patch new file mode 100644 index 00000000000..f3b44887939 --- /dev/null +++ b/queue-5.10/nfsv4.x-don-t-return-nfs4err_nomatching_layout-if-we.patch @@ -0,0 +1,61 @@ +From 6567e68563d55f86c6d45d1a292b92d96af8b5e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 15:09:41 -0400 +Subject: NFSv4.x: Don't return NFS4ERR_NOMATCHING_LAYOUT if we're unmounting + +From: Trond Myklebust + +[ Upstream commit 8926cc8302819be9e67f70409ed001ecb2c924a9 ] + +If the NFS super block is being unmounted, then we currently may end up +telling the server that we've forgotten the layout while it is actually +still in use by the client. +In that case, just assume that the client will soon return the layout +anyway, and so return NFS4ERR_DELAY in response to the layout recall. + +Fixes: 58ac3e59235f ("NFSv4/pnfs: Clean up nfs_layout_find_inode()") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/callback_proc.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/fs/nfs/callback_proc.c b/fs/nfs/callback_proc.c +index e61dbc9b86ae..be546ece383f 100644 +--- a/fs/nfs/callback_proc.c ++++ b/fs/nfs/callback_proc.c +@@ -132,12 +132,12 @@ static struct inode *nfs_layout_find_inode_by_stateid(struct nfs_client *clp, + list_for_each_entry_rcu(lo, &server->layouts, plh_layouts) { + if (!pnfs_layout_is_valid(lo)) + continue; +- if (stateid != NULL && +- !nfs4_stateid_match_other(stateid, &lo->plh_stateid)) ++ if (!nfs4_stateid_match_other(stateid, &lo->plh_stateid)) + continue; +- if (!nfs_sb_active(server->super)) +- continue; +- inode = igrab(lo->plh_inode); ++ if (nfs_sb_active(server->super)) ++ inode = igrab(lo->plh_inode); ++ else ++ inode = ERR_PTR(-EAGAIN); + rcu_read_unlock(); + if (inode) + return inode; +@@ -171,9 +171,10 @@ static struct inode *nfs_layout_find_inode_by_fh(struct nfs_client *clp, + continue; + if (nfsi->layout != lo) + continue; +- if (!nfs_sb_active(server->super)) +- continue; +- inode = igrab(lo->plh_inode); ++ if (nfs_sb_active(server->super)) ++ inode = igrab(lo->plh_inode); ++ else ++ inode = ERR_PTR(-EAGAIN); + rcu_read_unlock(); + if (inode) + return inode; +-- +2.30.2 + diff --git a/queue-5.10/pci-endpoint-add-helper-api-to-get-the-next-unreserv.patch b/queue-5.10/pci-endpoint-add-helper-api-to-get-the-next-unreserv.patch new file mode 100644 index 00000000000..c79a765b642 --- /dev/null +++ b/queue-5.10/pci-endpoint-add-helper-api-to-get-the-next-unreserv.patch @@ -0,0 +1,97 @@ +From cfea008bcd04b3e3f334da5fa7b846054ecc5631 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Feb 2021 01:27:55 +0530 +Subject: PCI: endpoint: Add helper API to get the 'next' unreserved BAR + +From: Kishon Vijay Abraham I + +[ Upstream commit fa8fef0e104a23efe568b835d9e7e188d1d97610 ] + +Add an API to get the next unreserved BAR starting from a given BAR number +that can be used by the endpoint function. + +Link: https://lore.kernel.org/r/20210201195809.7342-4-kishon@ti.com +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/endpoint/pci-epc-core.c | 26 ++++++++++++++++++++++---- + include/linux/pci-epc.h | 2 ++ + 2 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/endpoint/pci-epc-core.c b/drivers/pci/endpoint/pci-epc-core.c +index 25e57672e1a1..1afe5d9afb0d 100644 +--- a/drivers/pci/endpoint/pci-epc-core.c ++++ b/drivers/pci/endpoint/pci-epc-core.c +@@ -87,17 +87,36 @@ EXPORT_SYMBOL_GPL(pci_epc_get); + * pci_epc_get_first_free_bar() - helper to get first unreserved BAR + * @epc_features: pci_epc_features structure that holds the reserved bar bitmap + * +- * Invoke to get the first unreserved BAR that can be used for endpoint ++ * Invoke to get the first unreserved BAR that can be used by the endpoint + * function. For any incorrect value in reserved_bar return '0'. + */ + unsigned int pci_epc_get_first_free_bar(const struct pci_epc_features + *epc_features) ++{ ++ return pci_epc_get_next_free_bar(epc_features, BAR_0); ++} ++EXPORT_SYMBOL_GPL(pci_epc_get_first_free_bar); ++ ++/** ++ * pci_epc_get_next_free_bar() - helper to get unreserved BAR starting from @bar ++ * @epc_features: pci_epc_features structure that holds the reserved bar bitmap ++ * @bar: the starting BAR number from where unreserved BAR should be searched ++ * ++ * Invoke to get the next unreserved BAR starting from @bar that can be used ++ * for endpoint function. For any incorrect value in reserved_bar return '0'. ++ */ ++unsigned int pci_epc_get_next_free_bar(const struct pci_epc_features ++ *epc_features, enum pci_barno bar) + { + unsigned long free_bar; + + if (!epc_features) + return 0; + ++ /* If 'bar - 1' is a 64-bit BAR, move to the next BAR */ ++ if ((epc_features->bar_fixed_64bit << 1) & 1 << bar) ++ bar++; ++ + /* Find if the reserved BAR is also a 64-bit BAR */ + free_bar = epc_features->reserved_bar & epc_features->bar_fixed_64bit; + +@@ -105,14 +124,13 @@ unsigned int pci_epc_get_first_free_bar(const struct pci_epc_features + free_bar <<= 1; + free_bar |= epc_features->reserved_bar; + +- /* Now find the free BAR */ +- free_bar = ffz(free_bar); ++ free_bar = find_next_zero_bit(&free_bar, 6, bar); + if (free_bar > 5) + return 0; + + return free_bar; + } +-EXPORT_SYMBOL_GPL(pci_epc_get_first_free_bar); ++EXPORT_SYMBOL_GPL(pci_epc_get_next_free_bar); + + /** + * pci_epc_get_features() - get the features supported by EPC +diff --git a/include/linux/pci-epc.h b/include/linux/pci-epc.h +index cc66bec8be90..cfe9b427e6b7 100644 +--- a/include/linux/pci-epc.h ++++ b/include/linux/pci-epc.h +@@ -203,6 +203,8 @@ const struct pci_epc_features *pci_epc_get_features(struct pci_epc *epc, + u8 func_no); + unsigned int pci_epc_get_first_free_bar(const struct pci_epc_features + *epc_features); ++unsigned int pci_epc_get_next_free_bar(const struct pci_epc_features ++ *epc_features, enum pci_barno bar); + struct pci_epc *pci_epc_get(const char *epc_name); + void pci_epc_put(struct pci_epc *epc); + +-- +2.30.2 + diff --git a/queue-5.10/pci-endpoint-fix-missing-destroy_workqueue.patch b/queue-5.10/pci-endpoint-fix-missing-destroy_workqueue.patch new file mode 100644 index 00000000000..ba18dc76e33 --- /dev/null +++ b/queue-5.10/pci-endpoint-fix-missing-destroy_workqueue.patch @@ -0,0 +1,47 @@ +From 71032843967ce2f56193de7a4737ea94c2929f39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Mar 2021 16:40:12 +0800 +Subject: PCI: endpoint: Fix missing destroy_workqueue() + +From: Yang Yingliang + +[ Upstream commit acaef7981a218813e3617edb9c01837808de063c ] + +Add the missing destroy_workqueue() before return from +pci_epf_test_init() in the error handling case and add +destroy_workqueue() in pci_epf_test_exit(). + +Link: https://lore.kernel.org/r/20210331084012.2091010-1-yangyingliang@huawei.com +Fixes: 349e7a85b25fa ("PCI: endpoint: functions: Add an EP function to test PCI") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Sasha Levin +--- + drivers/pci/endpoint/functions/pci-epf-test.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c +index 5f6ce120a67a..d41570715dc7 100644 +--- a/drivers/pci/endpoint/functions/pci-epf-test.c ++++ b/drivers/pci/endpoint/functions/pci-epf-test.c +@@ -922,6 +922,7 @@ static int __init pci_epf_test_init(void) + + ret = pci_epf_register_driver(&test_driver); + if (ret) { ++ destroy_workqueue(kpcitest_workqueue); + pr_err("Failed to register pci epf test driver --> %d\n", ret); + return ret; + } +@@ -932,6 +933,8 @@ module_init(pci_epf_test_init); + + static void __exit pci_epf_test_exit(void) + { ++ if (kpcitest_workqueue) ++ destroy_workqueue(kpcitest_workqueue); + pci_epf_unregister_driver(&test_driver); + } + module_exit(pci_epf_test_exit); +-- +2.30.2 + diff --git a/queue-5.10/pci-endpoint-fix-null-pointer-dereference-for-get_fe.patch b/queue-5.10/pci-endpoint-fix-null-pointer-dereference-for-get_fe.patch new file mode 100644 index 00000000000..e480508f0a2 --- /dev/null +++ b/queue-5.10/pci-endpoint-fix-null-pointer-dereference-for-get_fe.patch @@ -0,0 +1,78 @@ +From 0c47f4123690440981330a112835a87a3e9863f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 15:46:09 +0530 +Subject: PCI: endpoint: Fix NULL pointer dereference for ->get_features() + +From: Shradha Todi + +[ Upstream commit 6613bc2301ba291a1c5a90e1dc24cf3edf223c03 ] + +get_features ops of pci_epc_ops may return NULL, causing NULL pointer +dereference in pci_epf_test_alloc_space function. Let us add a check for +pci_epc_feature pointer in pci_epf_test_bind before we access it to avoid +any such NULL pointer dereference and return -ENOTSUPP in case +pci_epc_feature is not found. + +When the patch is not applied and EPC features is not implemented in the +platform driver, we see the following dump due to kernel NULL pointer +dereference. + +Call trace: + pci_epf_test_bind+0xf4/0x388 + pci_epf_bind+0x3c/0x80 + pci_epc_epf_link+0xa8/0xcc + configfs_symlink+0x1a4/0x48c + vfs_symlink+0x104/0x184 + do_symlinkat+0x80/0xd4 + __arm64_sys_symlinkat+0x1c/0x24 + el0_svc_common.constprop.3+0xb8/0x170 + el0_svc_handler+0x70/0x88 + el0_svc+0x8/0x640 +Code: d2800581 b9403ab9 f9404ebb 8b394f60 (f9400400) +---[ end trace a438e3c5a24f9df0 ]--- + +Link: https://lore.kernel.org/r/20210324101609.79278-1-shradha.t@samsung.com +Fixes: 2c04c5b8eef79 ("PCI: pci-epf-test: Use pci_epc_get_features() to get EPC features") +Signed-off-by: Sriram Dash +Signed-off-by: Shradha Todi +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Pankaj Dubey +Reviewed-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +--- + drivers/pci/endpoint/functions/pci-epf-test.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c +index 7a1f3abfde48..5f6ce120a67a 100644 +--- a/drivers/pci/endpoint/functions/pci-epf-test.c ++++ b/drivers/pci/endpoint/functions/pci-epf-test.c +@@ -830,15 +830,18 @@ static int pci_epf_test_bind(struct pci_epf *epf) + return -EINVAL; + + epc_features = pci_epc_get_features(epc, epf->func_no); +- if (epc_features) { +- linkup_notifier = epc_features->linkup_notifier; +- core_init_notifier = epc_features->core_init_notifier; +- test_reg_bar = pci_epc_get_first_free_bar(epc_features); +- if (test_reg_bar < 0) +- return -EINVAL; +- pci_epf_configure_bar(epf, epc_features); ++ if (!epc_features) { ++ dev_err(&epf->dev, "epc_features not implemented\n"); ++ return -EOPNOTSUPP; + } + ++ linkup_notifier = epc_features->linkup_notifier; ++ core_init_notifier = epc_features->core_init_notifier; ++ test_reg_bar = pci_epc_get_first_free_bar(epc_features); ++ if (test_reg_bar < 0) ++ return -EINVAL; ++ pci_epf_configure_bar(epf, epc_features); ++ + epf_test->test_reg_bar = test_reg_bar; + epf_test->epc_features = epc_features; + +-- +2.30.2 + diff --git a/queue-5.10/pci-endpoint-make-_free_bar-to-return-error-codes-on.patch b/queue-5.10/pci-endpoint-make-_free_bar-to-return-error-codes-on.patch new file mode 100644 index 00000000000..c7600ea6d07 --- /dev/null +++ b/queue-5.10/pci-endpoint-make-_free_bar-to-return-error-codes-on.patch @@ -0,0 +1,112 @@ +From d98f701d3157ed17e252e3a2588c95ac0d952f75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Feb 2021 01:27:56 +0530 +Subject: PCI: endpoint: Make *_free_bar() to return error codes on failure + +From: Kishon Vijay Abraham I + +[ Upstream commit 0e27aeccfa3d1bab7c6a29fb8e6fcedbad7b09a8 ] + +Modify pci_epc_get_next_free_bar() and pci_epc_get_first_free_bar() to +return error values if there are no free BARs available. + +Link: https://lore.kernel.org/r/20210201195809.7342-5-kishon@ti.com +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/endpoint/functions/pci-epf-test.c | 2 ++ + drivers/pci/endpoint/pci-epc-core.c | 12 ++++++------ + include/linux/pci-epc.h | 8 ++++---- + include/linux/pci-epf.h | 1 + + 4 files changed, 13 insertions(+), 10 deletions(-) + +diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c +index e4e51d884553..7a1f3abfde48 100644 +--- a/drivers/pci/endpoint/functions/pci-epf-test.c ++++ b/drivers/pci/endpoint/functions/pci-epf-test.c +@@ -834,6 +834,8 @@ static int pci_epf_test_bind(struct pci_epf *epf) + linkup_notifier = epc_features->linkup_notifier; + core_init_notifier = epc_features->core_init_notifier; + test_reg_bar = pci_epc_get_first_free_bar(epc_features); ++ if (test_reg_bar < 0) ++ return -EINVAL; + pci_epf_configure_bar(epf, epc_features); + } + +diff --git a/drivers/pci/endpoint/pci-epc-core.c b/drivers/pci/endpoint/pci-epc-core.c +index 1afe5d9afb0d..ea7e7465ce7a 100644 +--- a/drivers/pci/endpoint/pci-epc-core.c ++++ b/drivers/pci/endpoint/pci-epc-core.c +@@ -90,8 +90,8 @@ EXPORT_SYMBOL_GPL(pci_epc_get); + * Invoke to get the first unreserved BAR that can be used by the endpoint + * function. For any incorrect value in reserved_bar return '0'. + */ +-unsigned int pci_epc_get_first_free_bar(const struct pci_epc_features +- *epc_features) ++enum pci_barno ++pci_epc_get_first_free_bar(const struct pci_epc_features *epc_features) + { + return pci_epc_get_next_free_bar(epc_features, BAR_0); + } +@@ -105,13 +105,13 @@ EXPORT_SYMBOL_GPL(pci_epc_get_first_free_bar); + * Invoke to get the next unreserved BAR starting from @bar that can be used + * for endpoint function. For any incorrect value in reserved_bar return '0'. + */ +-unsigned int pci_epc_get_next_free_bar(const struct pci_epc_features +- *epc_features, enum pci_barno bar) ++enum pci_barno pci_epc_get_next_free_bar(const struct pci_epc_features ++ *epc_features, enum pci_barno bar) + { + unsigned long free_bar; + + if (!epc_features) +- return 0; ++ return BAR_0; + + /* If 'bar - 1' is a 64-bit BAR, move to the next BAR */ + if ((epc_features->bar_fixed_64bit << 1) & 1 << bar) +@@ -126,7 +126,7 @@ unsigned int pci_epc_get_next_free_bar(const struct pci_epc_features + + free_bar = find_next_zero_bit(&free_bar, 6, bar); + if (free_bar > 5) +- return 0; ++ return NO_BAR; + + return free_bar; + } +diff --git a/include/linux/pci-epc.h b/include/linux/pci-epc.h +index cfe9b427e6b7..88d311bad984 100644 +--- a/include/linux/pci-epc.h ++++ b/include/linux/pci-epc.h +@@ -201,10 +201,10 @@ int pci_epc_start(struct pci_epc *epc); + void pci_epc_stop(struct pci_epc *epc); + const struct pci_epc_features *pci_epc_get_features(struct pci_epc *epc, + u8 func_no); +-unsigned int pci_epc_get_first_free_bar(const struct pci_epc_features +- *epc_features); +-unsigned int pci_epc_get_next_free_bar(const struct pci_epc_features +- *epc_features, enum pci_barno bar); ++enum pci_barno ++pci_epc_get_first_free_bar(const struct pci_epc_features *epc_features); ++enum pci_barno pci_epc_get_next_free_bar(const struct pci_epc_features ++ *epc_features, enum pci_barno bar); + struct pci_epc *pci_epc_get(const char *epc_name); + void pci_epc_put(struct pci_epc *epc); + +diff --git a/include/linux/pci-epf.h b/include/linux/pci-epf.h +index 6644ff3b0702..fa3aca43eb19 100644 +--- a/include/linux/pci-epf.h ++++ b/include/linux/pci-epf.h +@@ -21,6 +21,7 @@ enum pci_notify_event { + }; + + enum pci_barno { ++ NO_BAR = -1, + BAR_0, + BAR_1, + BAR_2, +-- +2.30.2 + diff --git a/queue-5.10/pci-endpoint-make-_get_first_free_bar-take-into-acco.patch b/queue-5.10/pci-endpoint-make-_get_first_free_bar-take-into-acco.patch new file mode 100644 index 00000000000..3cc711c59ae --- /dev/null +++ b/queue-5.10/pci-endpoint-make-_get_first_free_bar-take-into-acco.patch @@ -0,0 +1,57 @@ +From 93b37a950050de86658c89e11de64bbd274d78ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Feb 2021 01:27:54 +0530 +Subject: PCI: endpoint: Make *_get_first_free_bar() take into account 64 bit + BAR + +From: Kishon Vijay Abraham I + +[ Upstream commit 959a48d0eac0321948c9f3d1707ba22c100e92d5 ] + +pci_epc_get_first_free_bar() uses only "reserved_bar" member in +epc_features to get the first unreserved BAR. However if the reserved BAR +is also a 64-bit BAR, then the next BAR shouldn't be returned (since 64-bit +BAR uses two BARs). + +Make pci_epc_get_first_free_bar() take into account 64 bit BAR while +returning the first free unreserved BAR. + +Link: https://lore.kernel.org/r/20210201195809.7342-3-kishon@ti.com +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/endpoint/pci-epc-core.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/endpoint/pci-epc-core.c b/drivers/pci/endpoint/pci-epc-core.c +index cadd3db0cbb0..25e57672e1a1 100644 +--- a/drivers/pci/endpoint/pci-epc-core.c ++++ b/drivers/pci/endpoint/pci-epc-core.c +@@ -93,12 +93,20 @@ EXPORT_SYMBOL_GPL(pci_epc_get); + unsigned int pci_epc_get_first_free_bar(const struct pci_epc_features + *epc_features) + { +- int free_bar; ++ unsigned long free_bar; + + if (!epc_features) + return 0; + +- free_bar = ffz(epc_features->reserved_bar); ++ /* Find if the reserved BAR is also a 64-bit BAR */ ++ free_bar = epc_features->reserved_bar & epc_features->bar_fixed_64bit; ++ ++ /* Set the adjacent bit if the reserved BAR is also a 64-bit BAR */ ++ free_bar <<= 1; ++ free_bar |= epc_features->reserved_bar; ++ ++ /* Now find the free BAR */ ++ free_bar = ffz(free_bar); + if (free_bar > 5) + return 0; + +-- +2.30.2 + diff --git a/queue-5.10/pci-iproc-fix-return-value-of-iproc_msi_irq_domain_a.patch b/queue-5.10/pci-iproc-fix-return-value-of-iproc_msi_irq_domain_a.patch new file mode 100644 index 00000000000..b190ec95350 --- /dev/null +++ b/queue-5.10/pci-iproc-fix-return-value-of-iproc_msi_irq_domain_a.patch @@ -0,0 +1,43 @@ +From a759599cf9a5a9333bfd5dd2cc610496037a31a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Mar 2021 15:22:02 +0100 +Subject: PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 1e83130f01b04c16579ed5a5e03d729bcffc4c5d ] + +IRQ domain alloc function should return zero on success. Non-zero value +indicates failure. + +Link: https://lore.kernel.org/r/20210303142202.25780-1-pali@kernel.org +Fixes: fc54bae28818 ("PCI: iproc: Allow allocation of multiple MSIs") +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Krzysztof Wilczyński +Acked-by: Ray Jui +Acked-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-iproc-msi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/pcie-iproc-msi.c b/drivers/pci/controller/pcie-iproc-msi.c +index 908475d27e0e..eede4e8f3f75 100644 +--- a/drivers/pci/controller/pcie-iproc-msi.c ++++ b/drivers/pci/controller/pcie-iproc-msi.c +@@ -271,7 +271,7 @@ static int iproc_msi_irq_domain_alloc(struct irq_domain *domain, + NULL, NULL); + } + +- return hwirq; ++ return 0; + } + + static void iproc_msi_irq_domain_free(struct irq_domain *domain, +-- +2.30.2 + diff --git a/queue-5.10/pci-release-of-node-in-pci_scan_device-s-error-path.patch b/queue-5.10/pci-release-of-node-in-pci_scan_device-s-error-path.patch new file mode 100644 index 00000000000..aa3036b6da0 --- /dev/null +++ b/queue-5.10/pci-release-of-node-in-pci_scan_device-s-error-path.patch @@ -0,0 +1,38 @@ +From 473b86cc7854348518541cdd893a93454d4cdf00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jan 2021 02:28:26 +0300 +Subject: PCI: Release OF node in pci_scan_device()'s error path + +From: Dmitry Baryshkov + +[ Upstream commit c99e755a4a4c165cad6effb39faffd0f3377c02d ] + +In pci_scan_device(), if pci_setup_device() fails for any reason, the code +will not release device's of_node by calling pci_release_of_node(). Fix +that by calling the release function. + +Fixes: 98d9f30c820d ("pci/of: Match PCI devices to OF nodes dynamically") +Link: https://lore.kernel.org/r/20210124232826.1879-1-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Bjorn Helgaas +Reviewed-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/pci/probe.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c +index 4289030b0fff..ece90a23936d 100644 +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -2367,6 +2367,7 @@ static struct pci_dev *pci_scan_device(struct pci_bus *bus, int devfn) + pci_set_of_node(dev); + + if (pci_setup_device(dev)) { ++ pci_release_of_node(dev); + pci_bus_put(dev->bus); + kfree(dev); + return NULL; +-- +2.30.2 + diff --git a/queue-5.10/pinctrl-samsung-use-int-for-register-masks-in-exynos.patch b/queue-5.10/pinctrl-samsung-use-int-for-register-masks-in-exynos.patch new file mode 100644 index 00000000000..dbfc06d3fb7 --- /dev/null +++ b/queue-5.10/pinctrl-samsung-use-int-for-register-masks-in-exynos.patch @@ -0,0 +1,72 @@ +From 04d9095abe3cbf1289d7b28b7bda81307aaecb6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 21:50:29 +0200 +Subject: pinctrl: samsung: use 'int' for register masks in Exynos + +From: Krzysztof Kozlowski + +[ Upstream commit fa0c10a5f3a49130dd11281aa27e7e1c8654abc7 ] + +The Special Function Registers on all Exynos SoC, including ARM64, are +32-bit wide, so entire driver uses matching functions like readl() or +writel(). On 64-bit ARM using unsigned long for register masks: +1. makes little sense as immediately after bitwise operation it will be + cast to 32-bit value when calling writel(), +2. is actually error-prone because it might promote other operands to + 64-bit. + +Addresses-Coverity: Unintentional integer overflow +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Sylwester Nawrocki +Link: https://lore.kernel.org/r/20210408195029.69974-1-krzysztof.kozlowski@canonical.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/samsung/pinctrl-exynos.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/pinctrl/samsung/pinctrl-exynos.c b/drivers/pinctrl/samsung/pinctrl-exynos.c +index b9ea09fabf84..493079a47d05 100644 +--- a/drivers/pinctrl/samsung/pinctrl-exynos.c ++++ b/drivers/pinctrl/samsung/pinctrl-exynos.c +@@ -55,7 +55,7 @@ static void exynos_irq_mask(struct irq_data *irqd) + struct exynos_irq_chip *our_chip = to_exynos_irq_chip(chip); + struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(irqd); + unsigned long reg_mask = our_chip->eint_mask + bank->eint_offset; +- unsigned long mask; ++ unsigned int mask; + unsigned long flags; + + spin_lock_irqsave(&bank->slock, flags); +@@ -83,7 +83,7 @@ static void exynos_irq_unmask(struct irq_data *irqd) + struct exynos_irq_chip *our_chip = to_exynos_irq_chip(chip); + struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(irqd); + unsigned long reg_mask = our_chip->eint_mask + bank->eint_offset; +- unsigned long mask; ++ unsigned int mask; + unsigned long flags; + + /* +@@ -483,7 +483,7 @@ static void exynos_irq_eint0_15(struct irq_desc *desc) + chained_irq_exit(chip, desc); + } + +-static inline void exynos_irq_demux_eint(unsigned long pend, ++static inline void exynos_irq_demux_eint(unsigned int pend, + struct irq_domain *domain) + { + unsigned int irq; +@@ -500,8 +500,8 @@ static void exynos_irq_demux_eint16_31(struct irq_desc *desc) + { + struct irq_chip *chip = irq_desc_get_chip(desc); + struct exynos_muxed_weint_data *eintd = irq_desc_get_handler_data(desc); +- unsigned long pend; +- unsigned long mask; ++ unsigned int pend; ++ unsigned int mask; + int i; + + chained_irq_enter(chip, desc); +-- +2.30.2 + diff --git a/queue-5.10/pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch b/queue-5.10/pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch new file mode 100644 index 00000000000..77949786986 --- /dev/null +++ b/queue-5.10/pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch @@ -0,0 +1,52 @@ +From ec7cf34012064ce738ad68f9851942382d65bca4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 11:56:49 +0300 +Subject: pNFS/flexfiles: fix incorrect size check in decode_nfs_fh() + +From: Nikola Livic + +[ Upstream commit ed34695e15aba74f45247f1ee2cf7e09d449f925 ] + +We (adam zabrocki, alexander matrosov, alexander tereshkin, maksym +bazalii) observed the check: + + if (fh->size > sizeof(struct nfs_fh)) + +should not use the size of the nfs_fh struct which includes an extra two +bytes from the size field. + +struct nfs_fh { + unsigned short size; + unsigned char data[NFS_MAXFHSIZE]; +} + +but should determine the size from data[NFS_MAXFHSIZE] so the memcpy +will not write 2 bytes beyond destination. The proposed fix is to +compare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs +code base. + +Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver") +Signed-off-by: Nikola Livic +Signed-off-by: Dan Carpenter +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/flexfilelayout/flexfilelayout.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c +index fd0eda328943..a8a02081942d 100644 +--- a/fs/nfs/flexfilelayout/flexfilelayout.c ++++ b/fs/nfs/flexfilelayout/flexfilelayout.c +@@ -106,7 +106,7 @@ static int decode_nfs_fh(struct xdr_stream *xdr, struct nfs_fh *fh) + if (unlikely(!p)) + return -ENOBUFS; + fh->size = be32_to_cpup(p++); +- if (fh->size > sizeof(struct nfs_fh)) { ++ if (fh->size > NFS_MAXFHSIZE) { + printk(KERN_ERR "NFS flexfiles: Too big fh received %d\n", + fh->size); + return -EOVERFLOW; +-- +2.30.2 + diff --git a/queue-5.10/powerpc-32-statically-initialise-first-emergency-con.patch b/queue-5.10/powerpc-32-statically-initialise-first-emergency-con.patch new file mode 100644 index 00000000000..347b56ec259 --- /dev/null +++ b/queue-5.10/powerpc-32-statically-initialise-first-emergency-con.patch @@ -0,0 +1,59 @@ +From c19c1b9ed78811b7e75009207c235bf13956c18c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Mar 2021 12:50:25 +0000 +Subject: powerpc/32: Statically initialise first emergency context + +From: Christophe Leroy + +[ Upstream commit a4719f5bb6d7dc220bffdc1b9f5ce5eaa5543581 ] + +The check of the emergency context initialisation in +vmap_stack_overflow is buggy for the SMP case, as it +compares r1 with 0 while in the SMP case r1 is offseted +by the CPU id. + +Instead of fixing it, just perform static initialisation +of the first emergency context. + +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/4a67ba422be75713286dca0c86ee0d3df2eb6dfa.1615552867.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/head_32.h | 6 +----- + arch/powerpc/kernel/setup_32.c | 2 +- + 2 files changed, 2 insertions(+), 6 deletions(-) + +diff --git a/arch/powerpc/kernel/head_32.h b/arch/powerpc/kernel/head_32.h +index fef0b34a77c9..f8e3d15ddf69 100644 +--- a/arch/powerpc/kernel/head_32.h ++++ b/arch/powerpc/kernel/head_32.h +@@ -338,11 +338,7 @@ label: + lis r1, emergency_ctx@ha + #endif + lwz r1, emergency_ctx@l(r1) +- cmpwi cr1, r1, 0 +- bne cr1, 1f +- lis r1, init_thread_union@ha +- addi r1, r1, init_thread_union@l +-1: addi r1, r1, THREAD_SIZE - INT_FRAME_SIZE ++ addi r1, r1, THREAD_SIZE - INT_FRAME_SIZE + EXCEPTION_PROLOG_2 + SAVE_NVGPRS(r11) + addi r3, r1, STACK_FRAME_OVERHEAD +diff --git a/arch/powerpc/kernel/setup_32.c b/arch/powerpc/kernel/setup_32.c +index 057d6b8e9bb0..e7f2eb7837fc 100644 +--- a/arch/powerpc/kernel/setup_32.c ++++ b/arch/powerpc/kernel/setup_32.c +@@ -164,7 +164,7 @@ void __init irqstack_early_init(void) + } + + #ifdef CONFIG_VMAP_STACK +-void *emergency_ctx[NR_CPUS] __ro_after_init; ++void *emergency_ctx[NR_CPUS] __ro_after_init = {[0] = &init_stack}; + + void __init emergency_stack_init(void) + { +-- +2.30.2 + diff --git a/queue-5.10/powerpc-iommu-annotate-nested-lock-for-lockdep.patch b/queue-5.10/powerpc-iommu-annotate-nested-lock-for-lockdep.patch new file mode 100644 index 00000000000..1efc6163460 --- /dev/null +++ b/queue-5.10/powerpc-iommu-annotate-nested-lock-for-lockdep.patch @@ -0,0 +1,70 @@ +From 4ba4adbdd2bc657d24d447d76aa55b4fdf491143 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 17:36:53 +1100 +Subject: powerpc/iommu: Annotate nested lock for lockdep + +From: Alexey Kardashevskiy + +[ Upstream commit cc7130bf119add37f36238343a593b71ef6ecc1e ] + +The IOMMU table is divided into pools for concurrent mappings and each +pool has a separate spinlock. When taking the ownership of an IOMMU group +to pass through a device to a VM, we lock these spinlocks which triggers +a false negative warning in lockdep (below). + +This fixes it by annotating the large pool's spinlock as a nest lock +which makes lockdep not complaining when locking nested locks if +the nest lock is locked already. + +=== +WARNING: possible recursive locking detected +5.11.0-le_syzkaller_a+fstn1 #100 Not tainted +-------------------------------------------- +qemu-system-ppc/4129 is trying to acquire lock: +c0000000119bddb0 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0 + +but task is already holding lock: +c0000000119bdd30 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&(p->lock)/1); + lock(&(p->lock)/1); +=== + +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210301063653.51003-1-aik@ozlabs.ru +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/iommu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c +index 5b69a6a72a0e..6806eefa52ce 100644 +--- a/arch/powerpc/kernel/iommu.c ++++ b/arch/powerpc/kernel/iommu.c +@@ -1050,7 +1050,7 @@ int iommu_take_ownership(struct iommu_table *tbl) + + spin_lock_irqsave(&tbl->large_pool.lock, flags); + for (i = 0; i < tbl->nr_pools; i++) +- spin_lock(&tbl->pools[i].lock); ++ spin_lock_nest_lock(&tbl->pools[i].lock, &tbl->large_pool.lock); + + iommu_table_release_pages(tbl); + +@@ -1078,7 +1078,7 @@ void iommu_release_ownership(struct iommu_table *tbl) + + spin_lock_irqsave(&tbl->large_pool.lock, flags); + for (i = 0; i < tbl->nr_pools; i++) +- spin_lock(&tbl->pools[i].lock); ++ spin_lock_nest_lock(&tbl->pools[i].lock, &tbl->large_pool.lock); + + memset(tbl->it_map, 0, sz); + +-- +2.30.2 + diff --git a/queue-5.10/powerpc-mm-add-cond_resched-while-removing-hpte-mapp.patch b/queue-5.10/powerpc-mm-add-cond_resched-while-removing-hpte-mapp.patch new file mode 100644 index 00000000000..14930785a0c --- /dev/null +++ b/queue-5.10/powerpc-mm-add-cond_resched-while-removing-hpte-mapp.patch @@ -0,0 +1,87 @@ +From 3d425b0d772bc84d51f7483ba9cf224068de2c6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Apr 2021 22:01:48 +0530 +Subject: powerpc/mm: Add cond_resched() while removing hpte mappings + +From: Vaibhav Jain + +[ Upstream commit a5d6a3e73acbd619dd5b7b831762b755f9e2db80 ] + +While removing large number of mappings from hash page tables for +large memory systems as soft-lockup is reported because of the time +spent inside htap_remove_mapping() like one below: + + watchdog: BUG: soft lockup - CPU#8 stuck for 23s! + + NIP plpar_hcall+0x38/0x58 + LR pSeries_lpar_hpte_invalidate+0x68/0xb0 + Call Trace: + 0x1fffffffffff000 (unreliable) + pSeries_lpar_hpte_removebolted+0x9c/0x230 + hash__remove_section_mapping+0xec/0x1c0 + remove_section_mapping+0x28/0x3c + arch_remove_memory+0xfc/0x150 + devm_memremap_pages_release+0x180/0x2f0 + devm_action_release+0x30/0x50 + release_nodes+0x28c/0x300 + device_release_driver_internal+0x16c/0x280 + unbind_store+0x124/0x170 + drv_attr_store+0x44/0x60 + sysfs_kf_write+0x64/0x90 + kernfs_fop_write+0x1b0/0x290 + __vfs_write+0x3c/0x70 + vfs_write+0xd4/0x270 + ksys_write+0xdc/0x130 + system_call+0x5c/0x70 + +Fix this by adding a cond_resched() to the loop in +htap_remove_mapping() that issues hcall to remove hpte mapping. The +call to cond_resched() is issued every HZ jiffies which should prevent +the soft-lockup from being reported. + +Suggested-by: Aneesh Kumar K.V +Signed-off-by: Vaibhav Jain +Reviewed-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210404163148.321346-1-vaibhav@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/book3s64/hash_utils.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/mm/book3s64/hash_utils.c b/arch/powerpc/mm/book3s64/hash_utils.c +index 24702c0a92e0..0141d571476c 100644 +--- a/arch/powerpc/mm/book3s64/hash_utils.c ++++ b/arch/powerpc/mm/book3s64/hash_utils.c +@@ -336,7 +336,7 @@ repeat: + int htab_remove_mapping(unsigned long vstart, unsigned long vend, + int psize, int ssize) + { +- unsigned long vaddr; ++ unsigned long vaddr, time_limit; + unsigned int step, shift; + int rc; + int ret = 0; +@@ -349,8 +349,19 @@ int htab_remove_mapping(unsigned long vstart, unsigned long vend, + + /* Unmap the full range specificied */ + vaddr = ALIGN_DOWN(vstart, step); ++ time_limit = jiffies + HZ; ++ + for (;vaddr < vend; vaddr += step) { + rc = mmu_hash_ops.hpte_removebolted(vaddr, psize, ssize); ++ ++ /* ++ * For large number of mappings introduce a cond_resched() ++ * to prevent softlockup warnings. ++ */ ++ if (time_after(jiffies, time_limit)) { ++ cond_resched(); ++ time_limit = jiffies + HZ; ++ } + if (rc == -ENOENT) { + ret = -ENOENT; + continue; +-- +2.30.2 + diff --git a/queue-5.10/powerpc-pseries-stop-calling-printk-in-rtas_stop_sel.patch b/queue-5.10/powerpc-pseries-stop-calling-printk-in-rtas_stop_sel.patch new file mode 100644 index 00000000000..acc067b921e --- /dev/null +++ b/queue-5.10/powerpc-pseries-stop-calling-printk-in-rtas_stop_sel.patch @@ -0,0 +1,72 @@ +From 324bd482deb5d1614d6967a71a279b9985533507 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Apr 2021 23:54:13 +1000 +Subject: powerpc/pseries: Stop calling printk in rtas_stop_self() + +From: Michael Ellerman + +[ Upstream commit ed8029d7b472369a010a1901358567ca3b6dbb0d ] + +RCU complains about us calling printk() from an offline CPU: + + ============================= + WARNING: suspicious RCU usage + 5.12.0-rc7-02874-g7cf90e481cb8 #1 Not tainted + ----------------------------- + kernel/locking/lockdep.c:3568 RCU-list traversed in non-reader section!! + + other info that might help us debug this: + + RCU used illegally from offline CPU! + rcu_scheduler_active = 2, debug_locks = 1 + no locks held by swapper/0/0. + + stack backtrace: + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7-02874-g7cf90e481cb8 #1 + Call Trace: + dump_stack+0xec/0x144 (unreliable) + lockdep_rcu_suspicious+0x124/0x144 + __lock_acquire+0x1098/0x28b0 + lock_acquire+0x128/0x600 + _raw_spin_lock_irqsave+0x6c/0xc0 + down_trylock+0x2c/0x70 + __down_trylock_console_sem+0x60/0x140 + vprintk_emit+0x1a8/0x4b0 + vprintk_func+0xcc/0x200 + printk+0x40/0x54 + pseries_cpu_offline_self+0xc0/0x120 + arch_cpu_idle_dead+0x54/0x70 + do_idle+0x174/0x4a0 + cpu_startup_entry+0x38/0x40 + rest_init+0x268/0x388 + start_kernel+0x748/0x790 + start_here_common+0x1c/0x614 + +Which happens because by the time we get to rtas_stop_self() we are +already offline. In addition the message can be spammy, and is not that +helpful for users, so remove it. + +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210418135413.1204031-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/hotplug-cpu.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c +index 12cbffd3c2e3..325f3b220f36 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c ++++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c +@@ -47,9 +47,6 @@ static void rtas_stop_self(void) + + BUG_ON(rtas_stop_self_token == RTAS_UNKNOWN_SERVICE); + +- printk("cpu %u (hwid %u) Ready to die...\n", +- smp_processor_id(), hard_smp_processor_id()); +- + rtas_call_unlocked(&args, rtas_stop_self_token, 0, 1, NULL); + + panic("Alas, I survived.\n"); +-- +2.30.2 + diff --git a/queue-5.10/powerpc-smp-set-numa-node-before-updating-mask.patch b/queue-5.10/powerpc-smp-set-numa-node-before-updating-mask.patch new file mode 100644 index 00000000000..091a9f4868f --- /dev/null +++ b/queue-5.10/powerpc-smp-set-numa-node-before-updating-mask.patch @@ -0,0 +1,90 @@ +From 43707e4e2ebb4df96152d781f62288a8cdd9c77f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Apr 2021 21:12:00 +0530 +Subject: powerpc/smp: Set numa node before updating mask + +From: Srikar Dronamraju + +[ Upstream commit 6980d13f0dd189846887bbbfa43793d9a41768d3 ] + +Geethika reported a trace when doing a dlpar CPU add. + +------------[ cut here ]------------ +WARNING: CPU: 152 PID: 1134 at kernel/sched/topology.c:2057 +CPU: 152 PID: 1134 Comm: kworker/152:1 Not tainted 5.12.0-rc5-master #5 +Workqueue: events cpuset_hotplug_workfn +NIP: c0000000001cfc14 LR: c0000000001cfc10 CTR: c0000000007e3420 +REGS: c0000034a08eb260 TRAP: 0700 Not tainted (5.12.0-rc5-master+) +MSR: 8000000000029033 CR: 28828422 XER: 00000020 +CFAR: c0000000001fd888 IRQMASK: 0 #012GPR00: c0000000001cfc10 +c0000034a08eb500 c000000001f35400 0000000000000027 #012GPR04: +c0000035abaa8010 c0000035abb30a00 0000000000000027 c0000035abaa8018 +#012GPR08: 0000000000000023 c0000035abaaef48 00000035aa540000 +c0000035a49dffe8 #012GPR12: 0000000028828424 c0000035bf1a1c80 +0000000000000497 0000000000000004 #012GPR16: c00000000347a258 +0000000000000140 c00000000203d468 c000000001a1a490 #012GPR20: +c000000001f9c160 c0000034adf70920 c0000034aec9fd20 0000000100087bd3 +#012GPR24: 0000000100087bd3 c0000035b3de09f8 0000000000000030 +c0000035b3de09f8 #012GPR28: 0000000000000028 c00000000347a280 +c0000034aefe0b00 c0000000010a2a68 +NIP [c0000000001cfc14] build_sched_domains+0x6a4/0x1500 +LR [c0000000001cfc10] build_sched_domains+0x6a0/0x1500 +Call Trace: +[c0000034a08eb500] [c0000000001cfc10] build_sched_domains+0x6a0/0x1500 (unreliable) +[c0000034a08eb640] [c0000000001d1e6c] partition_sched_domains_locked+0x3ec/0x530 +[c0000034a08eb6e0] [c0000000002936d4] rebuild_sched_domains_locked+0x524/0xbf0 +[c0000034a08eb7e0] [c000000000296bb0] rebuild_sched_domains+0x40/0x70 +[c0000034a08eb810] [c000000000296e74] cpuset_hotplug_workfn+0x294/0xe20 +[c0000034a08ebc30] [c000000000178dd0] process_one_work+0x300/0x670 +[c0000034a08ebd10] [c0000000001791b8] worker_thread+0x78/0x520 +[c0000034a08ebda0] [c000000000185090] kthread+0x1a0/0x1b0 +[c0000034a08ebe10] [c00000000000ccec] ret_from_kernel_thread+0x5c/0x70 +Instruction dump: +7d2903a6 4e800421 e8410018 7f67db78 7fe6fb78 7f45d378 7f84e378 7c681b78 +3c62ff1a 3863c6f8 4802dc35 60000000 <0fe00000> 3920fff4 f9210070 e86100a0 +---[ end trace 532d9066d3d4d7ec ]--- + +Some of the per-CPU masks use cpu_cpu_mask as a filter to limit the search +for related CPUs. On a dlpar add of a CPU, update cpu_cpu_mask before +updating the per-CPU masks. This will ensure the cpu_cpu_mask is updated +correctly before its used in setting the masks. Setting the numa_node will +ensure that when cpu_cpu_mask() gets called, the correct node number is +used. This code movement helped fix the above call trace. + +Reported-by: Geetika Moolchandani +Signed-off-by: Srikar Dronamraju +Reviewed-by: Nathan Lynch +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210401154200.150077-1-srikar@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/smp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c +index dd34ea674496..db7ac77bea3a 100644 +--- a/arch/powerpc/kernel/smp.c ++++ b/arch/powerpc/kernel/smp.c +@@ -1442,6 +1442,9 @@ void start_secondary(void *unused) + + vdso_getcpu_init(); + #endif ++ set_numa_node(numa_cpu_lookup_table[cpu]); ++ set_numa_mem(local_memory_node(numa_cpu_lookup_table[cpu])); ++ + /* Update topology CPU masks */ + add_cpu_to_masks(cpu); + +@@ -1460,9 +1463,6 @@ void start_secondary(void *unused) + shared_caches = true; + } + +- set_numa_node(numa_cpu_lookup_table[cpu]); +- set_numa_mem(local_memory_node(numa_cpu_lookup_table[cpu])); +- + smp_wmb(); + notify_cpu_starting(cpu); + set_cpu_online(cpu, true); +-- +2.30.2 + diff --git a/queue-5.10/pwm-atmel-fix-duty-cycle-calculation-in-.get_state.patch b/queue-5.10/pwm-atmel-fix-duty-cycle-calculation-in-.get_state.patch new file mode 100644 index 00000000000..972a0da5122 --- /dev/null +++ b/queue-5.10/pwm-atmel-fix-duty-cycle-calculation-in-.get_state.patch @@ -0,0 +1,39 @@ +From ae4a27c004ef1fe8a64ff44c711f2bdd70940fa1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Apr 2021 11:51:17 +0200 +Subject: pwm: atmel: Fix duty cycle calculation in .get_state() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 453e8b3d8e36ddcb283b3d1698864a03ea45599a ] + +The CDTY register contains the number of inactive cycles. .apply() does +this correctly, however .get_state() got this wrong. + +Fixes: 651b510a74d4 ("pwm: atmel: Implement .get_state()") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-atmel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pwm/pwm-atmel.c b/drivers/pwm/pwm-atmel.c +index 6161e7e3e9ac..d7cb0dfa25a5 100644 +--- a/drivers/pwm/pwm-atmel.c ++++ b/drivers/pwm/pwm-atmel.c +@@ -319,7 +319,7 @@ static void atmel_pwm_get_state(struct pwm_chip *chip, struct pwm_device *pwm, + + cdty = atmel_pwm_ch_readl(atmel_pwm, pwm->hwpwm, + atmel_pwm->data->regs.duty); +- tmp = (u64)cdty * NSEC_PER_SEC; ++ tmp = (u64)(cprd - cdty) * NSEC_PER_SEC; + tmp <<= pres; + state->duty_cycle = DIV64_U64_ROUND_UP(tmp, rate); + +-- +2.30.2 + diff --git a/queue-5.10/qtnfmac-fix-possible-buffer-overflow-in-qtnf_event_h.patch b/queue-5.10/qtnfmac-fix-possible-buffer-overflow-in-qtnf_event_h.patch new file mode 100644 index 00000000000..455a71c44b0 --- /dev/null +++ b/queue-5.10/qtnfmac-fix-possible-buffer-overflow-in-qtnf_event_h.patch @@ -0,0 +1,43 @@ +From bc40703d1f2587e5fd4c40174ec1a8a9de413218 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Apr 2021 15:58:42 +0100 +Subject: qtnfmac: Fix possible buffer overflow in + qtnf_event_handle_external_auth + +From: Lee Gibson + +[ Upstream commit 130f634da1af649205f4a3dd86cbe5c126b57914 ] + +Function qtnf_event_handle_external_auth calls memcpy without +checking the length. +A user could control that length and trigger a buffer overflow. +Fix by checking the length is within the maximum allowed size. + +Signed-off-by: Lee Gibson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210419145842.345787-1-leegib@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/quantenna/qtnfmac/event.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/quantenna/qtnfmac/event.c b/drivers/net/wireless/quantenna/qtnfmac/event.c +index c775c177933b..8dc80574d08d 100644 +--- a/drivers/net/wireless/quantenna/qtnfmac/event.c ++++ b/drivers/net/wireless/quantenna/qtnfmac/event.c +@@ -570,8 +570,10 @@ qtnf_event_handle_external_auth(struct qtnf_vif *vif, + return 0; + + if (ev->ssid_len) { +- memcpy(auth.ssid.ssid, ev->ssid, ev->ssid_len); +- auth.ssid.ssid_len = ev->ssid_len; ++ int len = clamp_val(ev->ssid_len, 0, IEEE80211_MAX_SSID_LEN); ++ ++ memcpy(auth.ssid.ssid, ev->ssid, len); ++ auth.ssid.ssid_len = len; + } + + auth.key_mgmt_suite = le32_to_cpu(ev->akm_suite); +-- +2.30.2 + diff --git a/queue-5.10/remoteproc-qcom_q6v5_mss-replace-ioremap-with-memrem.patch b/queue-5.10/remoteproc-qcom_q6v5_mss-replace-ioremap-with-memrem.patch new file mode 100644 index 00000000000..8b103fd36e9 --- /dev/null +++ b/queue-5.10/remoteproc-qcom_q6v5_mss-replace-ioremap-with-memrem.patch @@ -0,0 +1,79 @@ +From d8f74e90a011669cfba3ec9802cb9f6d5d802315 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Nov 2020 12:33:41 +0530 +Subject: remoteproc: qcom_q6v5_mss: Replace ioremap with memremap + +From: Sibi Sankar + +[ Upstream commit 04ff5d19cf6e2f9dbdf137c0c6eb44934d46a99c ] + +Fix the sparse warnings reported by the kernel test bot by replacing +ioremap calls with memremap. + +Reviewed-by: Bjorn Andersson +Reported-by: kernel test robot +Signed-off-by: Sibi Sankar +Link: https://lore.kernel.org/r/1604473422-29639-1-git-send-email-sibis@codeaurora.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/qcom_q6v5_mss.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/remoteproc/qcom_q6v5_mss.c b/drivers/remoteproc/qcom_q6v5_mss.c +index ba6f7551242d..126a9706449a 100644 +--- a/drivers/remoteproc/qcom_q6v5_mss.c ++++ b/drivers/remoteproc/qcom_q6v5_mss.c +@@ -1182,7 +1182,7 @@ static int q6v5_mpss_load(struct q6v5 *qproc) + goto release_firmware; + } + +- ptr = ioremap_wc(qproc->mpss_phys + offset, phdr->p_memsz); ++ ptr = memremap(qproc->mpss_phys + offset, phdr->p_memsz, MEMREMAP_WC); + if (!ptr) { + dev_err(qproc->dev, + "unable to map memory region: %pa+%zx-%x\n", +@@ -1197,7 +1197,7 @@ static int q6v5_mpss_load(struct q6v5 *qproc) + "failed to load segment %d from truncated file %s\n", + i, fw_name); + ret = -EINVAL; +- iounmap(ptr); ++ memunmap(ptr); + goto release_firmware; + } + +@@ -1209,7 +1209,7 @@ static int q6v5_mpss_load(struct q6v5 *qproc) + ptr, phdr->p_filesz); + if (ret) { + dev_err(qproc->dev, "failed to load %s\n", fw_name); +- iounmap(ptr); ++ memunmap(ptr); + goto release_firmware; + } + +@@ -1220,7 +1220,7 @@ static int q6v5_mpss_load(struct q6v5 *qproc) + memset(ptr + phdr->p_filesz, 0, + phdr->p_memsz - phdr->p_filesz); + } +- iounmap(ptr); ++ memunmap(ptr); + size += phdr->p_memsz; + + code_length = readl(qproc->rmb_base + RMB_PMI_CODE_LENGTH_REG); +@@ -1287,11 +1287,11 @@ static void qcom_q6v5_dump_segment(struct rproc *rproc, + } + + if (!ret) +- ptr = ioremap_wc(qproc->mpss_phys + offset + cp_offset, size); ++ ptr = memremap(qproc->mpss_phys + offset + cp_offset, size, MEMREMAP_WC); + + if (ptr) { + memcpy(dest, ptr, size); +- iounmap(ptr); ++ memunmap(ptr); + } else { + memset(dest, 0xff, size); + } +-- +2.30.2 + diff --git a/queue-5.10/remoteproc-qcom_q6v5_mss-validate-p_filesz-in-elf-lo.patch b/queue-5.10/remoteproc-qcom_q6v5_mss-validate-p_filesz-in-elf-lo.patch new file mode 100644 index 00000000000..bbc3f444f78 --- /dev/null +++ b/queue-5.10/remoteproc-qcom_q6v5_mss-validate-p_filesz-in-elf-lo.patch @@ -0,0 +1,62 @@ +From 670ea624c0532273cb1f7f21759dd51ea303ec1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Mar 2021 15:20:02 -0800 +Subject: remoteproc: qcom_q6v5_mss: Validate p_filesz in ELF loader + +From: Bjorn Andersson + +[ Upstream commit 3d2ee78906af5f08d499d6aa3aa504406fa38106 ] + +Analog to the issue in the common mdt_loader code the MSS ELF loader +does not validate that p_filesz bytes will fit in the memory region and +that the loaded segments are not truncated. Fix this in the same way +as proposed for the mdt_loader. + +Reviewed-by: Mathieu Poirier +Fixes: 135b9e8d1cd8 ("remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load") +Link: https://lore.kernel.org/r/20210312232002.3466791-1-bjorn.andersson@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/qcom_q6v5_mss.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/remoteproc/qcom_q6v5_mss.c b/drivers/remoteproc/qcom_q6v5_mss.c +index 126a9706449a..ebc3e755bcbc 100644 +--- a/drivers/remoteproc/qcom_q6v5_mss.c ++++ b/drivers/remoteproc/qcom_q6v5_mss.c +@@ -1182,6 +1182,14 @@ static int q6v5_mpss_load(struct q6v5 *qproc) + goto release_firmware; + } + ++ if (phdr->p_filesz > phdr->p_memsz) { ++ dev_err(qproc->dev, ++ "refusing to load segment %d with p_filesz > p_memsz\n", ++ i); ++ ret = -EINVAL; ++ goto release_firmware; ++ } ++ + ptr = memremap(qproc->mpss_phys + offset, phdr->p_memsz, MEMREMAP_WC); + if (!ptr) { + dev_err(qproc->dev, +@@ -1213,6 +1221,16 @@ static int q6v5_mpss_load(struct q6v5 *qproc) + goto release_firmware; + } + ++ if (seg_fw->size != phdr->p_filesz) { ++ dev_err(qproc->dev, ++ "failed to load segment %d from truncated file %s\n", ++ i, fw_name); ++ ret = -EINVAL; ++ release_firmware(seg_fw); ++ memunmap(ptr); ++ goto release_firmware; ++ } ++ + release_firmware(seg_fw); + } + +-- +2.30.2 + diff --git a/queue-5.10/revert-iommu-amd-fix-performance-counter-initializat.patch b/queue-5.10/revert-iommu-amd-fix-performance-counter-initializat.patch new file mode 100644 index 00000000000..46939a2a5f0 --- /dev/null +++ b/queue-5.10/revert-iommu-amd-fix-performance-counter-initializat.patch @@ -0,0 +1,125 @@ +From 5c6b2f9fd73e318160ae9a4a750b028d69cb1817 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 03:58:47 -0500 +Subject: Revert "iommu/amd: Fix performance counter initialization" + +From: Paul Menzel + +[ Upstream commit 715601e4e36903a653cd4294dfd3ed0019101991 ] + +This reverts commit 6778ff5b21bd8e78c8bd547fd66437cf2657fd9b. + +The original commit tries to address an issue, where PMC power-gating +causing the IOMMU PMC pre-init test to fail on certain desktop/mobile +platforms where the power-gating is normally enabled. + +There have been several reports that the workaround still does not +guarantee to work, and can add up to 100 ms (on the worst case) +to the boot process on certain platforms such as the MSI B350M MORTAR +with AMD Ryzen 3 2200G. + +Therefore, revert this commit as a prelude to removing the pre-init +test. + +Link: https://lore.kernel.org/linux-iommu/alpine.LNX.3.20.13.2006030935570.3181@monopod.intra.ispras.ru/ +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201753 +Cc: Tj (Elloe Linux) +Cc: Shuah Khan +Cc: Alexander Monakov +Cc: David Coe +Signed-off-by: Paul Menzel +Signed-off-by: Suravee Suthikulpanit +Link: https://lore.kernel.org/r/20210409085848.3908-2-suravee.suthikulpanit@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/init.c | 45 ++++++++++------------------------------ + 1 file changed, 11 insertions(+), 34 deletions(-) + +diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c +index fa502c0e2e31..8b1a037116b0 100644 +--- a/drivers/iommu/amd/init.c ++++ b/drivers/iommu/amd/init.c +@@ -12,7 +12,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -255,8 +254,6 @@ static enum iommu_init_state init_state = IOMMU_START_STATE; + static int amd_iommu_enable_interrupts(void); + static int __init iommu_go_to_state(enum iommu_init_state state); + static void init_device_table_dma(void); +-static int iommu_pc_get_set_reg(struct amd_iommu *iommu, u8 bank, u8 cntr, +- u8 fxn, u64 *value, bool is_write); + + static bool amd_iommu_pre_enabled = true; + +@@ -1720,11 +1717,13 @@ static int __init init_iommu_all(struct acpi_table_header *table) + return 0; + } + +-static void __init init_iommu_perf_ctr(struct amd_iommu *iommu) ++static int iommu_pc_get_set_reg(struct amd_iommu *iommu, u8 bank, u8 cntr, ++ u8 fxn, u64 *value, bool is_write); ++ ++static void init_iommu_perf_ctr(struct amd_iommu *iommu) + { +- int retry; + struct pci_dev *pdev = iommu->dev; +- u64 val = 0xabcd, val2 = 0, save_reg, save_src; ++ u64 val = 0xabcd, val2 = 0, save_reg = 0; + + if (!iommu_feature(iommu, FEATURE_PC)) + return; +@@ -1732,39 +1731,17 @@ static void __init init_iommu_perf_ctr(struct amd_iommu *iommu) + amd_iommu_pc_present = true; + + /* save the value to restore, if writable */ +- if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false) || +- iommu_pc_get_set_reg(iommu, 0, 0, 8, &save_src, false)) +- goto pc_false; +- +- /* +- * Disable power gating by programing the performance counter +- * source to 20 (i.e. counts the reads and writes from/to IOMMU +- * Reserved Register [MMIO Offset 1FF8h] that are ignored.), +- * which never get incremented during this init phase. +- * (Note: The event is also deprecated.) +- */ +- val = 20; +- if (iommu_pc_get_set_reg(iommu, 0, 0, 8, &val, true)) ++ if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false)) + goto pc_false; + + /* Check if the performance counters can be written to */ +- val = 0xabcd; +- for (retry = 5; retry; retry--) { +- if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true) || +- iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false) || +- val2) +- break; +- +- /* Wait about 20 msec for power gating to disable and retry. */ +- msleep(20); +- } +- +- /* restore */ +- if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true) || +- iommu_pc_get_set_reg(iommu, 0, 0, 8, &save_src, true)) ++ if ((iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true)) || ++ (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false)) || ++ (val != val2)) + goto pc_false; + +- if (val != val2) ++ /* restore */ ++ if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true)) + goto pc_false; + + pci_info(pdev, "IOMMU performance counters supported\n"); +-- +2.30.2 + diff --git a/queue-5.10/risc-v-fix-error-code-returned-by-riscv_hartid_to_cp.patch b/queue-5.10/risc-v-fix-error-code-returned-by-riscv_hartid_to_cp.patch new file mode 100644 index 00000000000..2eaf1bae7e9 --- /dev/null +++ b/queue-5.10/risc-v-fix-error-code-returned-by-riscv_hartid_to_cp.patch @@ -0,0 +1,39 @@ +From 5d9be37335cf086b3ae1a1f006416889b1b69c2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 14:25:22 +0530 +Subject: RISC-V: Fix error code returned by riscv_hartid_to_cpuid() + +From: Anup Patel + +[ Upstream commit 533b4f3a789d49574e7ae0f6ececed153f651f97 ] + +We should return a negative error code upon failure in +riscv_hartid_to_cpuid() instead of NR_CPUS. This is also +aligned with all uses of riscv_hartid_to_cpuid() which +expect negative error code upon failure. + +Fixes: 6825c7a80f18 ("RISC-V: Add logical CPU indexing for RISC-V") +Fixes: f99fb607fb2b ("RISC-V: Use Linux logical CPU number instead of hartid") +Signed-off-by: Anup Patel +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/kernel/smp.c b/arch/riscv/kernel/smp.c +index ea028d9e0d24..d44567490d91 100644 +--- a/arch/riscv/kernel/smp.c ++++ b/arch/riscv/kernel/smp.c +@@ -54,7 +54,7 @@ int riscv_hartid_to_cpuid(int hartid) + return i; + + pr_err("Couldn't find cpu id for hartid [%d]\n", hartid); +- return i; ++ return -ENOENT; + } + + void riscv_cpuid_to_hartid_mask(const struct cpumask *in, struct cpumask *out) +-- +2.30.2 + diff --git a/queue-5.10/rpmsg-qcom_glink_native-fix-error-return-code-of-qco.patch b/queue-5.10/rpmsg-qcom_glink_native-fix-error-return-code-of-qco.patch new file mode 100644 index 00000000000..0ea98c4931f --- /dev/null +++ b/queue-5.10/rpmsg-qcom_glink_native-fix-error-return-code-of-qco.patch @@ -0,0 +1,39 @@ +From 9a031ec9e688bb9f5e3e76c39e9f0c42ac9a78eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Mar 2021 05:36:24 -0800 +Subject: rpmsg: qcom_glink_native: fix error return code of + qcom_glink_rx_data() + +From: Jia-Ju Bai + +[ Upstream commit 26594c6bbb60c6bc87e3762a86ceece57d164c66 ] + +When idr_find() returns NULL to intent, no error return code of +qcom_glink_rx_data() is assigned. +To fix this bug, ret is assigned with -ENOENT in this case. + +Fixes: 64f95f87920d ("rpmsg: glink: Use the local intents when receiving data") +Reported-by: TOTE Robot +Signed-off-by: Jia-Ju Bai +Link: https://lore.kernel.org/r/20210306133624.17237-1-baijiaju1990@gmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_glink_native.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c +index 27a05167c18c..4840886532ff 100644 +--- a/drivers/rpmsg/qcom_glink_native.c ++++ b/drivers/rpmsg/qcom_glink_native.c +@@ -857,6 +857,7 @@ static int qcom_glink_rx_data(struct qcom_glink *glink, size_t avail) + dev_err(glink->dev, + "no intent found for channel %s intent %d", + channel->name, liid); ++ ret = -ENOENT; + goto advance_rx; + } + } +-- +2.30.2 + diff --git a/queue-5.10/rtc-ds1307-fix-wday-settings-for-rx8130.patch b/queue-5.10/rtc-ds1307-fix-wday-settings-for-rx8130.patch new file mode 100644 index 00000000000..0d4a86497cc --- /dev/null +++ b/queue-5.10/rtc-ds1307-fix-wday-settings-for-rx8130.patch @@ -0,0 +1,53 @@ +From 11fcbc06dee9136cb46a9b15bab77c7e62699c9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Apr 2021 11:39:17 +0900 +Subject: rtc: ds1307: Fix wday settings for rx8130 + +From: Nobuhiro Iwamatsu + +[ Upstream commit 204756f016726a380bafe619438ed979088bd04a ] + +rx8130 wday specifies the bit position, not BCD. + +Fixes: ee0981be7704 ("rtc: ds1307: Add support for Epson RX8130CE") +Signed-off-by: Nobuhiro Iwamatsu +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20210420023917.1949066-1-nobuhiro1.iwamatsu@toshiba.co.jp +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-ds1307.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c +index 9f5f54ca039d..07a9cc91671b 100644 +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -295,7 +295,11 @@ static int ds1307_get_time(struct device *dev, struct rtc_time *t) + t->tm_min = bcd2bin(regs[DS1307_REG_MIN] & 0x7f); + tmp = regs[DS1307_REG_HOUR] & 0x3f; + t->tm_hour = bcd2bin(tmp); +- t->tm_wday = bcd2bin(regs[DS1307_REG_WDAY] & 0x07) - 1; ++ /* rx8130 is bit position, not BCD */ ++ if (ds1307->type == rx_8130) ++ t->tm_wday = fls(regs[DS1307_REG_WDAY] & 0x7f); ++ else ++ t->tm_wday = bcd2bin(regs[DS1307_REG_WDAY] & 0x07) - 1; + t->tm_mday = bcd2bin(regs[DS1307_REG_MDAY] & 0x3f); + tmp = regs[DS1307_REG_MONTH] & 0x1f; + t->tm_mon = bcd2bin(tmp) - 1; +@@ -342,7 +346,11 @@ static int ds1307_set_time(struct device *dev, struct rtc_time *t) + regs[DS1307_REG_SECS] = bin2bcd(t->tm_sec); + regs[DS1307_REG_MIN] = bin2bcd(t->tm_min); + regs[DS1307_REG_HOUR] = bin2bcd(t->tm_hour); +- regs[DS1307_REG_WDAY] = bin2bcd(t->tm_wday + 1); ++ /* rx8130 is bit position, not BCD */ ++ if (ds1307->type == rx_8130) ++ regs[DS1307_REG_WDAY] = 1 << t->tm_wday; ++ else ++ regs[DS1307_REG_WDAY] = bin2bcd(t->tm_wday + 1); + regs[DS1307_REG_MDAY] = bin2bcd(t->tm_mday); + regs[DS1307_REG_MONTH] = bin2bcd(t->tm_mon + 1); + +-- +2.30.2 + diff --git a/queue-5.10/rtc-fsl-ftm-alarm-add-module_table.patch b/queue-5.10/rtc-fsl-ftm-alarm-add-module_table.patch new file mode 100644 index 00000000000..8ae21bb3ff0 --- /dev/null +++ b/queue-5.10/rtc-fsl-ftm-alarm-add-module_table.patch @@ -0,0 +1,36 @@ +From b8a7ea49db06f7b34fd3e621ea870dc20f3d120f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Apr 2021 10:40:06 +0200 +Subject: rtc: fsl-ftm-alarm: add MODULE_TABLE() + +From: Michael Walle + +[ Upstream commit 7fcb86185978661c9188397d474f90364745b8d9 ] + +The module doesn't load automatically. Fix it by adding the missing +MODULE_TABLE(). + +Fixes: 7b0b551dbc1e ("rtc: fsl-ftm-alarm: add FTM alarm driver") +Signed-off-by: Michael Walle +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20210414084006.17933-1-michael@walle.cc +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-fsl-ftm-alarm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/rtc/rtc-fsl-ftm-alarm.c b/drivers/rtc/rtc-fsl-ftm-alarm.c +index 48d3b38ea348..e08672e26203 100644 +--- a/drivers/rtc/rtc-fsl-ftm-alarm.c ++++ b/drivers/rtc/rtc-fsl-ftm-alarm.c +@@ -310,6 +310,7 @@ static const struct of_device_id ftm_rtc_match[] = { + { .compatible = "fsl,lx2160a-ftm-alarm", }, + { }, + }; ++MODULE_DEVICE_TABLE(of, ftm_rtc_match); + + static const struct acpi_device_id ftm_imx_acpi_ids[] = { + {"NXP0014",}, +-- +2.30.2 + diff --git a/queue-5.10/rtw88-8822c-add-lc-calibration-for-rtl8822c.patch b/queue-5.10/rtw88-8822c-add-lc-calibration-for-rtl8822c.patch new file mode 100644 index 00000000000..fb8c5a647a8 --- /dev/null +++ b/queue-5.10/rtw88-8822c-add-lc-calibration-for-rtl8822c.patch @@ -0,0 +1,167 @@ +From 865f9f115747cfd089e03d949c9a8048d0462a1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 13:42:16 +0800 +Subject: rtw88: 8822c: add LC calibration for RTL8822C + +From: Po-Hao Huang + +[ Upstream commit 7ae7784ec2a812c07d2ca91a6538ef2470154fb6 ] + +Fix power tracking issue by replacing unnecessary IQ calibration +with LC calibration. +When thermal difference exceeds limitation, let RF circuit adjsut +its characteristic to fit in current environment. + +Signed-off-by: Po-Hao Huang +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210319054218.3319-6-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/main.h | 2 ++ + drivers/net/wireless/realtek/rtw88/phy.c | 14 ++++++++++ + drivers/net/wireless/realtek/rtw88/phy.h | 1 + + drivers/net/wireless/realtek/rtw88/reg.h | 5 ++++ + drivers/net/wireless/realtek/rtw88/rtw8822c.c | 27 +++++++++++++++++-- + 5 files changed, 47 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/main.h b/drivers/net/wireless/realtek/rtw88/main.h +index ffb02e614217..8ba0b0824ae9 100644 +--- a/drivers/net/wireless/realtek/rtw88/main.h ++++ b/drivers/net/wireless/realtek/rtw88/main.h +@@ -1156,6 +1156,7 @@ struct rtw_chip_info { + bool en_dis_dpd; + u16 dpd_ratemask; + u8 iqk_threshold; ++ u8 lck_threshold; + const struct rtw_pwr_track_tbl *pwr_track_tbl; + + u8 bfer_su_max_num; +@@ -1485,6 +1486,7 @@ struct rtw_dm_info { + u8 tx_rate; + u8 thermal_avg[RTW_RF_PATH_MAX]; + u8 thermal_meter_k; ++ u8 thermal_meter_lck; + s8 delta_power_index[RTW_RF_PATH_MAX]; + s8 delta_power_index_last[RTW_RF_PATH_MAX]; + u8 default_ofdm_index; +diff --git a/drivers/net/wireless/realtek/rtw88/phy.c b/drivers/net/wireless/realtek/rtw88/phy.c +index 36e2f0dba00c..af8b703d11d4 100644 +--- a/drivers/net/wireless/realtek/rtw88/phy.c ++++ b/drivers/net/wireless/realtek/rtw88/phy.c +@@ -2154,6 +2154,20 @@ s8 rtw_phy_pwrtrack_get_pwridx(struct rtw_dev *rtwdev, + } + EXPORT_SYMBOL(rtw_phy_pwrtrack_get_pwridx); + ++bool rtw_phy_pwrtrack_need_lck(struct rtw_dev *rtwdev) ++{ ++ struct rtw_dm_info *dm_info = &rtwdev->dm_info; ++ u8 delta_lck; ++ ++ delta_lck = abs(dm_info->thermal_avg[0] - dm_info->thermal_meter_lck); ++ if (delta_lck >= rtwdev->chip->lck_threshold) { ++ dm_info->thermal_meter_lck = dm_info->thermal_avg[0]; ++ return true; ++ } ++ return false; ++} ++EXPORT_SYMBOL(rtw_phy_pwrtrack_need_lck); ++ + bool rtw_phy_pwrtrack_need_iqk(struct rtw_dev *rtwdev) + { + struct rtw_dm_info *dm_info = &rtwdev->dm_info; +diff --git a/drivers/net/wireless/realtek/rtw88/phy.h b/drivers/net/wireless/realtek/rtw88/phy.h +index b924ed07630a..9623248c9466 100644 +--- a/drivers/net/wireless/realtek/rtw88/phy.h ++++ b/drivers/net/wireless/realtek/rtw88/phy.h +@@ -55,6 +55,7 @@ u8 rtw_phy_pwrtrack_get_delta(struct rtw_dev *rtwdev, u8 path); + s8 rtw_phy_pwrtrack_get_pwridx(struct rtw_dev *rtwdev, + struct rtw_swing_table *swing_table, + u8 tbl_path, u8 therm_path, u8 delta); ++bool rtw_phy_pwrtrack_need_lck(struct rtw_dev *rtwdev); + bool rtw_phy_pwrtrack_need_iqk(struct rtw_dev *rtwdev); + void rtw_phy_config_swing_table(struct rtw_dev *rtwdev, + struct rtw_swing_table *swing_table); +diff --git a/drivers/net/wireless/realtek/rtw88/reg.h b/drivers/net/wireless/realtek/rtw88/reg.h +index 86b94c008a27..aca3dbdc2d5a 100644 +--- a/drivers/net/wireless/realtek/rtw88/reg.h ++++ b/drivers/net/wireless/realtek/rtw88/reg.h +@@ -639,8 +639,13 @@ + #define RF_TXATANK 0x64 + #define RF_TRXIQ 0x66 + #define RF_RXIQGEN 0x8d ++#define RF_SYN_PFD 0xb0 + #define RF_XTALX2 0xb8 ++#define RF_SYN_CTRL 0xbb + #define RF_MALSEL 0xbe ++#define RF_SYN_AAC 0xc9 ++#define RF_AAC_CTRL 0xca ++#define RF_FAST_LCK 0xcc + #define RF_RCKD 0xde + #define RF_TXADBG 0xde + #define RF_LUTDBG 0xdf +diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822c.c b/drivers/net/wireless/realtek/rtw88/rtw8822c.c +index e37300e98517..b718f5d810be 100644 +--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c ++++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c +@@ -1124,6 +1124,7 @@ static void rtw8822c_pwrtrack_init(struct rtw_dev *rtwdev) + + dm_info->pwr_trk_triggered = false; + dm_info->thermal_meter_k = rtwdev->efuse.thermal_meter_k; ++ dm_info->thermal_meter_lck = rtwdev->efuse.thermal_meter_k; + } + + static void rtw8822c_phy_set_param(struct rtw_dev *rtwdev) +@@ -2106,6 +2107,26 @@ static void rtw8822c_false_alarm_statistics(struct rtw_dev *rtwdev) + rtw_write32_set(rtwdev, REG_RX_BREAK, BIT_COM_RX_GCK_EN); + } + ++static void rtw8822c_do_lck(struct rtw_dev *rtwdev) ++{ ++ u32 val; ++ ++ rtw_write_rf(rtwdev, RF_PATH_A, RF_SYN_CTRL, RFREG_MASK, 0x80010); ++ rtw_write_rf(rtwdev, RF_PATH_A, RF_SYN_PFD, RFREG_MASK, 0x1F0FA); ++ fsleep(1); ++ rtw_write_rf(rtwdev, RF_PATH_A, RF_AAC_CTRL, RFREG_MASK, 0x80000); ++ rtw_write_rf(rtwdev, RF_PATH_A, RF_SYN_AAC, RFREG_MASK, 0x80001); ++ read_poll_timeout(rtw_read_rf, val, val != 0x1, 1000, 100000, ++ true, rtwdev, RF_PATH_A, RF_AAC_CTRL, 0x1000); ++ rtw_write_rf(rtwdev, RF_PATH_A, RF_SYN_PFD, RFREG_MASK, 0x1F0F8); ++ rtw_write_rf(rtwdev, RF_PATH_B, RF_SYN_CTRL, RFREG_MASK, 0x80010); ++ ++ rtw_write_rf(rtwdev, RF_PATH_A, RF_FAST_LCK, RFREG_MASK, 0x0f000); ++ rtw_write_rf(rtwdev, RF_PATH_A, RF_FAST_LCK, RFREG_MASK, 0x4f000); ++ fsleep(1); ++ rtw_write_rf(rtwdev, RF_PATH_A, RF_FAST_LCK, RFREG_MASK, 0x0f000); ++} ++ + static void rtw8822c_do_iqk(struct rtw_dev *rtwdev) + { + struct rtw_iqk_para para = {0}; +@@ -3519,11 +3540,12 @@ static void __rtw8822c_pwr_track(struct rtw_dev *rtwdev) + + rtw_phy_config_swing_table(rtwdev, &swing_table); + ++ if (rtw_phy_pwrtrack_need_lck(rtwdev)) ++ rtw8822c_do_lck(rtwdev); ++ + for (i = 0; i < rtwdev->hal.rf_path_num; i++) + rtw8822c_pwr_track_path(rtwdev, &swing_table, i); + +- if (rtw_phy_pwrtrack_need_iqk(rtwdev)) +- rtw8822c_do_iqk(rtwdev); + } + + static void rtw8822c_pwr_track(struct rtw_dev *rtwdev) +@@ -4328,6 +4350,7 @@ struct rtw_chip_info rtw8822c_hw_spec = { + .dpd_ratemask = DIS_DPD_RATEALL, + .pwr_track_tbl = &rtw8822c_rtw_pwr_track_tbl, + .iqk_threshold = 8, ++ .lck_threshold = 8, + .bfer_su_max_num = 2, + .bfer_mu_max_num = 1, + .rx_ldpc = true, +-- +2.30.2 + diff --git a/queue-5.10/samples-bpf-fix-broken-tracex1-due-to-kprobe-argumen.patch b/queue-5.10/samples-bpf-fix-broken-tracex1-due-to-kprobe-argumen.patch new file mode 100644 index 00000000000..98c68778852 --- /dev/null +++ b/queue-5.10/samples-bpf-fix-broken-tracex1-due-to-kprobe-argumen.patch @@ -0,0 +1,49 @@ +From f2c4fd848381f8f0bb8e7be2293728563134be38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Apr 2021 23:48:03 +0800 +Subject: samples/bpf: Fix broken tracex1 due to kprobe argument change + +From: Yaqi Chen + +[ Upstream commit 137733d08f4ab14a354dacaa9a8fc35217747605 ] + +>From commit c0bbbdc32feb ("__netif_receive_skb_core: pass skb by +reference"), the first argument passed into __netif_receive_skb_core +has changed to reference of a skb pointer. + +This commit fixes by using bpf_probe_read_kernel. + +Signed-off-by: Yaqi Chen +Signed-off-by: Alexei Starovoitov +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20210416154803.37157-1-chendotjs@gmail.com +Signed-off-by: Sasha Levin +--- + samples/bpf/tracex1_kern.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/samples/bpf/tracex1_kern.c b/samples/bpf/tracex1_kern.c +index 3f4599c9a202..ef30d2b353b0 100644 +--- a/samples/bpf/tracex1_kern.c ++++ b/samples/bpf/tracex1_kern.c +@@ -26,7 +26,7 @@ + SEC("kprobe/__netif_receive_skb_core") + int bpf_prog1(struct pt_regs *ctx) + { +- /* attaches to kprobe netif_receive_skb, ++ /* attaches to kprobe __netif_receive_skb_core, + * looks for packets on loobpack device and prints them + */ + char devname[IFNAMSIZ]; +@@ -35,7 +35,7 @@ int bpf_prog1(struct pt_regs *ctx) + int len; + + /* non-portable! works for the given kernel only */ +- skb = (struct sk_buff *) PT_REGS_PARM1(ctx); ++ bpf_probe_read_kernel(&skb, sizeof(skb), (void *)PT_REGS_PARM1(ctx)); + dev = _(skb->dev); + len = _(skb->len); + +-- +2.30.2 + diff --git a/queue-5.10/sched-fair-fix-unfairness-caused-by-missing-load-dec.patch b/queue-5.10/sched-fair-fix-unfairness-caused-by-missing-load-dec.patch new file mode 100644 index 00000000000..99b291ea1bf --- /dev/null +++ b/queue-5.10/sched-fair-fix-unfairness-caused-by-missing-load-dec.patch @@ -0,0 +1,123 @@ +From 4acba90536cc5ae9448d9a8e9d9f86e7d1ef07fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 16:19:50 +0200 +Subject: sched/fair: Fix unfairness caused by missing load decay + +From: Odin Ugedal + +[ Upstream commit 0258bdfaff5bd13c4d2383150b7097aecd6b6d82 ] + +This fixes an issue where old load on a cfs_rq is not properly decayed, +resulting in strange behavior where fairness can decrease drastically. +Real workloads with equally weighted control groups have ended up +getting a respective 99% and 1%(!!) of cpu time. + +When an idle task is attached to a cfs_rq by attaching a pid to a cgroup, +the old load of the task is attached to the new cfs_rq and sched_entity by +attach_entity_cfs_rq. If the task is then moved to another cpu (and +therefore cfs_rq) before being enqueued/woken up, the load will be moved +to cfs_rq->removed from the sched_entity. Such a move will happen when +enforcing a cpuset on the task (eg. via a cgroup) that force it to move. + +The load will however not be removed from the task_group itself, making +it look like there is a constant load on that cfs_rq. This causes the +vruntime of tasks on other sibling cfs_rq's to increase faster than they +are supposed to; causing severe fairness issues. If no other task is +started on the given cfs_rq, and due to the cpuset it would not happen, +this load would never be properly unloaded. With this patch the load +will be properly removed inside update_blocked_averages. This also +applies to tasks moved to the fair scheduling class and moved to another +cpu, and this path will also fix that. For fork, the entity is queued +right away, so this problem does not affect that. + +This applies to cases where the new process is the first in the cfs_rq, +issue introduced 3d30544f0212 ("sched/fair: Apply more PELT fixes"), and +when there has previously been load on the cgroup but the cgroup was +removed from the leaflist due to having null PELT load, indroduced +in 039ae8bcf7a5 ("sched/fair: Fix O(nr_cgroups) in the load balancing +path"). + +For a simple cgroup hierarchy (as seen below) with two equally weighted +groups, that in theory should get 50/50 of cpu time each, it often leads +to a load of 60/40 or 70/30. + +parent/ + cg-1/ + cpu.weight: 100 + cpuset.cpus: 1 + cg-2/ + cpu.weight: 100 + cpuset.cpus: 1 + +If the hierarchy is deeper (as seen below), while keeping cg-1 and cg-2 +equally weighted, they should still get a 50/50 balance of cpu time. +This however sometimes results in a balance of 10/90 or 1/99(!!) between +the task groups. + +$ ps u -C stress +USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND +root 18568 1.1 0.0 3684 100 pts/12 R+ 13:36 0:00 stress --cpu 1 +root 18580 99.3 0.0 3684 100 pts/12 R+ 13:36 0:09 stress --cpu 1 + +parent/ + cg-1/ + cpu.weight: 100 + sub-group/ + cpu.weight: 1 + cpuset.cpus: 1 + cg-2/ + cpu.weight: 100 + sub-group/ + cpu.weight: 10000 + cpuset.cpus: 1 + +This can be reproduced by attaching an idle process to a cgroup and +moving it to a given cpuset before it wakes up. The issue is evident in +many (if not most) container runtimes, and has been reproduced +with both crun and runc (and therefore docker and all its "derivatives"), +and with both cgroup v1 and v2. + +Fixes: 3d30544f0212 ("sched/fair: Apply more PELT fixes") +Fixes: 039ae8bcf7a5 ("sched/fair: Fix O(nr_cgroups) in the load balancing path") +Signed-off-by: Odin Ugedal +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Vincent Guittot +Link: https://lkml.kernel.org/r/20210501141950.23622-2-odin@uged.al +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index c80d1a039d19..1ad0e52487f6 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -10840,16 +10840,22 @@ static void propagate_entity_cfs_rq(struct sched_entity *se) + { + struct cfs_rq *cfs_rq; + ++ list_add_leaf_cfs_rq(cfs_rq_of(se)); ++ + /* Start to propagate at parent */ + se = se->parent; + + for_each_sched_entity(se) { + cfs_rq = cfs_rq_of(se); + +- if (cfs_rq_throttled(cfs_rq)) +- break; ++ if (!cfs_rq_throttled(cfs_rq)){ ++ update_load_avg(cfs_rq, se, UPDATE_TG); ++ list_add_leaf_cfs_rq(cfs_rq); ++ continue; ++ } + +- update_load_avg(cfs_rq, se, UPDATE_TG); ++ if (list_add_leaf_cfs_rq(cfs_rq)) ++ break; + } + } + #else +-- +2.30.2 + diff --git a/queue-5.10/sched-fix-out-of-bound-access-in-uclamp.patch b/queue-5.10/sched-fix-out-of-bound-access-in-uclamp.patch new file mode 100644 index 00000000000..9831c09a1a0 --- /dev/null +++ b/queue-5.10/sched-fix-out-of-bound-access-in-uclamp.patch @@ -0,0 +1,49 @@ +From 2f45ed0052553dd275b13a837c241eecda6af915 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Apr 2021 15:14:12 +0000 +Subject: sched: Fix out-of-bound access in uclamp + +From: Quentin Perret + +[ Upstream commit 6d2f8909a5fabb73fe2a63918117943986c39b6c ] + +Util-clamp places tasks in different buckets based on their clamp values +for performance reasons. However, the size of buckets is currently +computed using a rounding division, which can lead to an off-by-one +error in some configurations. + +For instance, with 20 buckets, the bucket size will be 1024/20=51. A +task with a clamp of 1024 will be mapped to bucket id 1024/51=20. Sadly, +correct indexes are in range [0,19], hence leading to an out of bound +memory access. + +Clamp the bucket id to fix the issue. + +Fixes: 69842cba9ace ("sched/uclamp: Add CPU's clamp buckets refcounting") +Suggested-by: Qais Yousef +Signed-off-by: Quentin Perret +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Vincent Guittot +Reviewed-by: Dietmar Eggemann +Link: https://lkml.kernel.org/r/20210430151412.160913-1-qperret@google.com +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 3c3554d9ee50..57b236251884 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -936,7 +936,7 @@ DEFINE_STATIC_KEY_FALSE(sched_uclamp_used); + + static inline unsigned int uclamp_bucket_id(unsigned int clamp_value) + { +- return clamp_value / UCLAMP_BUCKET_DELTA; ++ return min_t(unsigned int, clamp_value / UCLAMP_BUCKET_DELTA, UCLAMP_BUCKETS - 1); + } + + static inline unsigned int uclamp_none(enum uclamp_id clamp_id) +-- +2.30.2 + diff --git a/queue-5.10/scsi-qla2xxx-prevent-prli-in-target-mode.patch b/queue-5.10/scsi-qla2xxx-prevent-prli-in-target-mode.patch new file mode 100644 index 00000000000..88644e3a371 --- /dev/null +++ b/queue-5.10/scsi-qla2xxx-prevent-prli-in-target-mode.patch @@ -0,0 +1,48 @@ +From 1940b431558b70fbe57fbdfa83356ad9e7865fd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Apr 2021 18:34:14 +0300 +Subject: scsi: qla2xxx: Prevent PRLI in target mode + +From: Anastasia Kovaleva + +[ Upstream commit fcb16d9a8ecf1e9bfced0fc654ea4e2caa7517f4 ] + +In a case when the initiator in P2P mode by some circumstances does not +send PRLI, the target, in a case when the target port's WWPN is less than +initiator's, changes the discovery state in DSC_GNL. When gnl completes it +sends PRLI to the initiator. + +Usually the initiator in P2P mode always sends PRLI. We caught this issue +on Linux stable v5.4.6 https://www.spinics.net/lists/stable/msg458515.html. + +Fix this particular corner case in the behaviour of the P2P mod target +login state machine. + +Link: https://lore.kernel.org/r/20210422153414.4022-1-a.kovaleva@yadro.com +Fixes: a9ed06d4e640 ("scsi: qla2xxx: Allow PLOGI in target mode") +Reviewed-by: Roman Bolshakov +Reviewed-by: Himanshu Madhani +Signed-off-by: Anastasia Kovaleva +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 52e8b555bd1d..6faf34fa6220 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -1190,6 +1190,9 @@ static int qla24xx_post_prli_work(struct scsi_qla_host *vha, fc_port_t *fcport) + { + struct qla_work_evt *e; + ++ if (vha->host->active_mode == MODE_TARGET) ++ return QLA_FUNCTION_FAILED; ++ + e = qla2x00_alloc_work(vha, QLA_EVT_PRLI); + if (!e) + return QLA_FUNCTION_FAILED; +-- +2.30.2 + diff --git a/queue-5.10/scsi-ufs-core-cancel-rpm_dev_flush_recheck_work-duri.patch b/queue-5.10/scsi-ufs-core-cancel-rpm_dev_flush_recheck_work-duri.patch new file mode 100644 index 00000000000..26ebf821ea7 --- /dev/null +++ b/queue-5.10/scsi-ufs-core-cancel-rpm_dev_flush_recheck_work-duri.patch @@ -0,0 +1,41 @@ +From 5ce676e485dff5a5978f4d3a540ae1cf3052e643 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Apr 2021 20:48:39 -0700 +Subject: scsi: ufs: core: Cancel rpm_dev_flush_recheck_work during system + suspend + +From: Can Guo + +[ Upstream commit 637822e63b79ee8a729f7ba2645a26cf5a524ee4 ] + +During ufs system suspend, leaving rpm_dev_flush_recheck_work running or +pending is risky because concurrency may happen between system +suspend/resume and runtime resume routine. Fix this by cancelling +rpm_dev_flush_recheck_work synchronously during system suspend. + +Link: https://lore.kernel.org/r/1619408921-30426-3-git-send-email-cang@codeaurora.org +Fixes: 51dd905bd2f6 ("scsi: ufs: Fix WriteBooster flush during runtime suspend") +Reviewed-by: Daejun Park +Signed-off-by: Can Guo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index d1900ea31b0d..96f9c81d42b2 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -8819,6 +8819,8 @@ int ufshcd_system_suspend(struct ufs_hba *hba) + if (!hba || !hba->is_powered) + return 0; + ++ cancel_delayed_work_sync(&hba->rpm_dev_flush_recheck_work); ++ + if ((ufs_get_pm_lvl_to_dev_pwr_mode(hba->spm_lvl) == + hba->curr_dev_pwr_mode) && + (ufs_get_pm_lvl_to_link_pwr_state(hba->spm_lvl) == +-- +2.30.2 + diff --git a/queue-5.10/scsi-ufs-core-do-not-put-ufs-power-into-lpm-if-link-.patch b/queue-5.10/scsi-ufs-core-do-not-put-ufs-power-into-lpm-if-link-.patch new file mode 100644 index 00000000000..3776b68f363 --- /dev/null +++ b/queue-5.10/scsi-ufs-core-do-not-put-ufs-power-into-lpm-if-link-.patch @@ -0,0 +1,47 @@ +From 4fe4c5cc216698e5df3c9f7a3313840274a19760 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Apr 2021 20:48:38 -0700 +Subject: scsi: ufs: core: Do not put UFS power into LPM if link is broken + +From: Can Guo + +[ Upstream commit 23043dd87b153d02eaf676e752d32429be5e5126 ] + +During resume, if link is broken due to AH8 failure, make sure +ufshcd_resume() does not put UFS power back into LPM. + +Link: https://lore.kernel.org/r/1619408921-30426-2-git-send-email-cang@codeaurora.org +Fixes: 4db7a2360597 ("scsi: ufs: Fix concurrency of error handler and other error recovery paths") +Reviewed-by: Daejun Park +Signed-off-by: Can Guo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 4215d9a8e5de..d1900ea31b0d 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -8459,7 +8459,7 @@ static void ufshcd_vreg_set_lpm(struct ufs_hba *hba) + } else if (!ufshcd_is_ufs_dev_active(hba)) { + ufshcd_toggle_vreg(hba->dev, hba->vreg_info.vcc, false); + vcc_off = true; +- if (!ufshcd_is_link_active(hba)) { ++ if (ufshcd_is_link_hibern8(hba) || ufshcd_is_link_off(hba)) { + ufshcd_config_vreg_lpm(hba, hba->vreg_info.vccq); + ufshcd_config_vreg_lpm(hba, hba->vreg_info.vccq2); + } +@@ -8481,7 +8481,7 @@ static int ufshcd_vreg_set_hpm(struct ufs_hba *hba) + !hba->dev_info.is_lu_power_on_wp) { + ret = ufshcd_setup_vreg(hba, true); + } else if (!ufshcd_is_ufs_dev_active(hba)) { +- if (!ret && !ufshcd_is_link_active(hba)) { ++ if (!ufshcd_is_link_active(hba)) { + ret = ufshcd_config_vreg_hpm(hba, hba->vreg_info.vccq); + if (ret) + goto vcc_disable; +-- +2.30.2 + diff --git a/queue-5.10/scsi-ufs-core-narrow-down-fast-path-in-system-suspen.patch b/queue-5.10/scsi-ufs-core-narrow-down-fast-path-in-system-suspen.patch new file mode 100644 index 00000000000..decdc8a99a1 --- /dev/null +++ b/queue-5.10/scsi-ufs-core-narrow-down-fast-path-in-system-suspen.patch @@ -0,0 +1,46 @@ +From 343c6d754575adbc90eb02686e4a7e6e524680bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Apr 2021 20:48:40 -0700 +Subject: scsi: ufs: core: Narrow down fast path in system suspend path + +From: Can Guo + +[ Upstream commit ce4f62f9dd8cf43ac044045ed598a0b80ef33890 ] + +If spm_lvl is set to 0 or 1, when system suspend kicks start and HBA is +runtime active, system suspend may just bail without doing anything (the +fast path), leaving other contexts still running, e.g., clock gating and +clock scaling. When system resume kicks start, concurrency can happen +between ufshcd_resume() and these contexts, leading to various stability +issues. + +Add a check against HBA's runtime state and allowing fast path only if HBA +is runtime suspended, otherwise let system suspend go ahead call +ufshcd_suspend(). This will guarantee that these contexts are stopped by +either runtime suspend or system suspend. + +Link: https://lore.kernel.org/r/1619408921-30426-4-git-send-email-cang@codeaurora.org +Fixes: 0b257734344a ("scsi: ufs: optimize system suspend handling") +Reviewed-by: Daejun Park +Signed-off-by: Can Guo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 96f9c81d42b2..08d4d40c510e 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -8825,6 +8825,7 @@ int ufshcd_system_suspend(struct ufs_hba *hba) + hba->curr_dev_pwr_mode) && + (ufs_get_pm_lvl_to_link_pwr_state(hba->spm_lvl) == + hba->uic_link_state) && ++ pm_runtime_suspended(hba->dev) && + !hba->dev_info.b_rpm_dev_flush_capable) + goto out; + +-- +2.30.2 + diff --git a/queue-5.10/sctp-do-asoc-update-earlier-in-sctp_sf_do_dupcook_a.patch b/queue-5.10/sctp-do-asoc-update-earlier-in-sctp_sf_do_dupcook_a.patch new file mode 100644 index 00000000000..d358ec60e66 --- /dev/null +++ b/queue-5.10/sctp-do-asoc-update-earlier-in-sctp_sf_do_dupcook_a.patch @@ -0,0 +1,96 @@ +From 3e3b8de94d6863f798c914af0b88b8feaa749ee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 04:02:58 +0800 +Subject: sctp: do asoc update earlier in sctp_sf_do_dupcook_a + +From: Xin Long + +[ Upstream commit 35b4f24415c854cd718ccdf38dbea6297f010aae ] + +There's a panic that occurs in a few of envs, the call trace is as below: + + [] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI + [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp] + [] sctp_assoc_control_transport+0x1b9/0x210 [sctp] + [] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp] + [] sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp] + [] sctp_do_sm+0xc3/0x2a0 [sctp] + [] sctp_generate_timeout_event+0x81/0xf0 [sctp] + +This is caused by a transport use-after-free issue. When processing a +duplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK +and SHUTDOWN chunks are allocated with the transort from the new asoc. +However, later in the sideeffect machine, the old asoc is used to send +them out and old asoc's shutdown_last_sent_to is set to the transport +that SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually +belongs to the new asoc. After the new_asoc is freed and the old asoc +T2 timeout, the old asoc's shutdown_last_sent_to that is already freed +would be accessed in sctp_sf_t2_timer_expire(). + +Thanks Alexander and Jere for helping dig into this issue. + +To fix it, this patch is to do the asoc update first, then allocate +the COOKIE-ACK and SHUTDOWN chunks with the 'updated' old asoc. This +would make more sense, as a chunk from an asoc shouldn't be sent out +with another asoc. We had fixed quite a few issues caused by this. + +Fixes: 145cb2f7177d ("sctp: Fix bundling of SHUTDOWN with COOKIE-ACK") +Reported-by: Alexander Sverdlin +Reported-by: syzbot+bbe538efd1046586f587@syzkaller.appspotmail.com +Reported-by: Michal Tesar +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index c669f8bd1eab..d4d268b8b8aa 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -1841,20 +1841,35 @@ static enum sctp_disposition sctp_sf_do_dupcook_a( + SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); + sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); + +- repl = sctp_make_cookie_ack(new_asoc, chunk); ++ /* Update the content of current association. */ ++ if (sctp_assoc_update((struct sctp_association *)asoc, new_asoc)) { ++ struct sctp_chunk *abort; ++ ++ abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr)); ++ if (abort) { ++ sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); ++ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); ++ } ++ sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED)); ++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, ++ SCTP_PERR(SCTP_ERROR_RSRC_LOW)); ++ SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); ++ SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); ++ goto nomem; ++ } ++ ++ repl = sctp_make_cookie_ack(asoc, chunk); + if (!repl) + goto nomem; + + /* Report association restart to upper layer. */ + ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, +- new_asoc->c.sinit_num_ostreams, +- new_asoc->c.sinit_max_instreams, ++ asoc->c.sinit_num_ostreams, ++ asoc->c.sinit_max_instreams, + NULL, GFP_ATOMIC); + if (!ev) + goto nomem_ev; + +- /* Update the content of current association. */ +- sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); + sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); + if ((sctp_state(asoc, SHUTDOWN_PENDING) || + sctp_state(asoc, SHUTDOWN_SENT)) && +-- +2.30.2 + diff --git a/queue-5.10/sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch b/queue-5.10/sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch new file mode 100644 index 00000000000..1e8c373bc70 --- /dev/null +++ b/queue-5.10/sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch @@ -0,0 +1,52 @@ +From 0140b7572951bf97243efcf8043fbd5d5033f386 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 May 2021 04:41:20 +0800 +Subject: sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b + +From: Xin Long + +[ Upstream commit f282df0391267fb2b263da1cc3233aa6fb81defc ] + +Normally SCTP_MIB_CURRESTAB is always incremented once asoc enter into +ESTABLISHED from the state < ESTABLISHED and decremented when the asoc +is being deleted. + +However, in sctp_sf_do_dupcook_b(), the asoc's state can be changed to +ESTABLISHED from the state >= ESTABLISHED where it shouldn't increment +SCTP_MIB_CURRESTAB. Otherwise, one asoc may increment MIB_CURRESTAB +multiple times but only decrement once at the end. + +I was able to reproduce it by using scapy to do the 4-way shakehands, +after that I replayed the COOKIE-ECHO chunk with 'peer_vtag' field +changed to different values, and SCTP_MIB_CURRESTAB was incremented +multiple times and never went back to 0 even when the asoc was freed. + +This patch is to fix it by only incrementing SCTP_MIB_CURRESTAB when +the state < ESTABLISHED in sctp_sf_do_dupcook_b(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Marcelo Ricardo Leitner +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index d4d268b8b8aa..b65bdaa84228 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -1933,7 +1933,8 @@ static enum sctp_disposition sctp_sf_do_dupcook_b( + sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); + sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, + SCTP_STATE(SCTP_STATE_ESTABLISHED)); +- SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); ++ if (asoc->state < SCTP_STATE_ESTABLISHED) ++ SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB); + sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL()); + + repl = sctp_make_cookie_ack(new_asoc, chunk); +-- +2.30.2 + diff --git a/queue-5.10/sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch b/queue-5.10/sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch new file mode 100644 index 00000000000..b878cd36838 --- /dev/null +++ b/queue-5.10/sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch @@ -0,0 +1,44 @@ +From 584297ea795b8acad095ff9d4fda950b3cd4d3ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Apr 2021 14:12:36 -0500 +Subject: sctp: Fix out-of-bounds warning in sctp_process_asconf_param() + +From: Gustavo A. R. Silva + +[ Upstream commit e5272ad4aab347dde5610c0aedb786219e3ff793 ] + +Fix the following out-of-bounds warning: + +net/sctp/sm_make_chunk.c:3150:4: warning: 'memcpy' offset [17, 28] from the object at 'addr' is out of the bounds of referenced subobject 'v4' with type 'struct sockaddr_in' at offset 0 [-Warray-bounds] + +This helps with the ongoing efforts to globally enable -Warray-bounds +and get us closer to being able to tighten the FORTIFY_SOURCE routines +on memcpy(). + +Link: https://github.com/KSPP/linux/issues/109 +Reported-by: kernel test robot +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Kees Cook +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/sm_make_chunk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c +index 9a56ae2f3651..b9d6babe2870 100644 +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -3126,7 +3126,7 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, + * primary. + */ + if (af->is_any(&addr)) +- memcpy(&addr.v4, sctp_source(asconf), sizeof(addr)); ++ memcpy(&addr, sctp_source(asconf), sizeof(addr)); + + if (security_sctp_bind_connect(asoc->ep->base.sk, + SCTP_PARAM_SET_PRIMARY, +-- +2.30.2 + diff --git a/queue-5.10/selftests-mlxsw-fix-mausezahn-invocation-in-erspan-s.patch b/queue-5.10/selftests-mlxsw-fix-mausezahn-invocation-in-erspan-s.patch new file mode 100644 index 00000000000..7bd8d935f83 --- /dev/null +++ b/queue-5.10/selftests-mlxsw-fix-mausezahn-invocation-in-erspan-s.patch @@ -0,0 +1,91 @@ +From d53d882be80b1a1fb9e0819cb269d67e25a452cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Apr 2021 14:19:48 +0200 +Subject: selftests: mlxsw: Fix mausezahn invocation in ERSPAN scale test + +From: Petr Machata + +[ Upstream commit 1233898ab758cbcf5f6fea10b8dd16a0b2c24fab ] + +The mirror_gre_scale test creates as many ERSPAN sessions as the underlying +chip supports, and tests that they all work. In order to determine that it +issues a stream of ICMP packets and checks if they are mirrored as +expected. + +However, the mausezahn invocation missed the -6 flag to identify the use of +IPv6 protocol, and was sending ICMP messages over IPv6, as opposed to +ICMP6. It also didn't pass an explicit source IP address, which apparently +worked at some point in the past, but does not anymore. + +To fix these issues, extend the function mirror_test() in mirror_lib by +detecting the IPv6 protocol addresses, and using a different ICMP scheme. +Fix __mirror_gre_test() in the selftest itself to pass a source IP address. + +Signed-off-by: Petr Machata +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../drivers/net/mlxsw/mirror_gre_scale.sh | 3 ++- + .../selftests/net/forwarding/mirror_lib.sh | 19 +++++++++++++++++-- + 2 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/drivers/net/mlxsw/mirror_gre_scale.sh b/tools/testing/selftests/drivers/net/mlxsw/mirror_gre_scale.sh +index 6f3a70df63bc..e00435753008 100644 +--- a/tools/testing/selftests/drivers/net/mlxsw/mirror_gre_scale.sh ++++ b/tools/testing/selftests/drivers/net/mlxsw/mirror_gre_scale.sh +@@ -120,12 +120,13 @@ __mirror_gre_test() + sleep 5 + + for ((i = 0; i < count; ++i)); do ++ local sip=$(mirror_gre_ipv6_addr 1 $i)::1 + local dip=$(mirror_gre_ipv6_addr 1 $i)::2 + local htun=h3-gt6-$i + local message + + icmp6_capture_install $htun +- mirror_test v$h1 "" $dip $htun 100 10 ++ mirror_test v$h1 $sip $dip $htun 100 10 + icmp6_capture_uninstall $htun + done + } +diff --git a/tools/testing/selftests/net/forwarding/mirror_lib.sh b/tools/testing/selftests/net/forwarding/mirror_lib.sh +index 13db1cb50e57..6406cd76a19d 100644 +--- a/tools/testing/selftests/net/forwarding/mirror_lib.sh ++++ b/tools/testing/selftests/net/forwarding/mirror_lib.sh +@@ -20,6 +20,13 @@ mirror_uninstall() + tc filter del dev $swp1 $direction pref 1000 + } + ++is_ipv6() ++{ ++ local addr=$1; shift ++ ++ [[ -z ${addr//[0-9a-fA-F:]/} ]] ++} ++ + mirror_test() + { + local vrf_name=$1; shift +@@ -29,9 +36,17 @@ mirror_test() + local pref=$1; shift + local expect=$1; shift + ++ if is_ipv6 $dip; then ++ local proto=-6 ++ local type="icmp6 type=128" # Echo request. ++ else ++ local proto= ++ local type="icmp echoreq" ++ fi ++ + local t0=$(tc_rule_stats_get $dev $pref) +- $MZ $vrf_name ${sip:+-A $sip} -B $dip -a own -b bc -q \ +- -c 10 -d 100msec -t icmp type=8 ++ $MZ $proto $vrf_name ${sip:+-A $sip} -B $dip -a own -b bc -q \ ++ -c 10 -d 100msec -t $type + sleep 0.5 + local t1=$(tc_rule_stats_get $dev $pref) + local delta=$((t1 - t0)) +-- +2.30.2 + diff --git a/queue-5.10/selftests-mlxsw-increase-the-tolerance-of-backlog-bu.patch b/queue-5.10/selftests-mlxsw-increase-the-tolerance-of-backlog-bu.patch new file mode 100644 index 00000000000..61fee899615 --- /dev/null +++ b/queue-5.10/selftests-mlxsw-increase-the-tolerance-of-backlog-bu.patch @@ -0,0 +1,46 @@ +From 875aa2a8ba3b7c1fd866ec296501e4de382cd296 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Apr 2021 14:19:47 +0200 +Subject: selftests: mlxsw: Increase the tolerance of backlog buildup + +From: Petr Machata + +[ Upstream commit dda7f4fa55839baeb72ae040aeaf9ccf89d3e416 ] + +The intention behind this test is to make sure that qdisc limit is +correctly projected to the HW. However, first, due to rounding in the +qdisc, and then in the driver, the number cannot actually be accurate. And +second, the approach to testing this is to oversubscribe the port with +traffic generated on the same switch. The actual backlog size therefore +fluctuates. + +In practice, this test proved to be noisier than the rest, and spuriously +fails every now and then. Increase the tolerance to 10 % to avoid these +issues. + +Signed-off-by: Petr Machata +Acked-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/mlxsw/sch_red_core.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/drivers/net/mlxsw/sch_red_core.sh b/tools/testing/selftests/drivers/net/mlxsw/sch_red_core.sh +index b0cb1aaffdda..33ddd01689be 100644 +--- a/tools/testing/selftests/drivers/net/mlxsw/sch_red_core.sh ++++ b/tools/testing/selftests/drivers/net/mlxsw/sch_red_core.sh +@@ -507,8 +507,8 @@ do_red_test() + check_err $? "backlog $backlog / $limit Got $pct% marked packets, expected == 0." + local diff=$((limit - backlog)) + pct=$((100 * diff / limit)) +- ((0 <= pct && pct <= 5)) +- check_err $? "backlog $backlog / $limit expected <= 5% distance" ++ ((0 <= pct && pct <= 10)) ++ check_err $? "backlog $backlog / $limit expected <= 10% distance" + log_test "TC $((vlan - 10)): RED backlog > limit" + + stop_traffic +-- +2.30.2 + diff --git a/queue-5.10/selftests-powerpc-fix-l1d-flushing-tests-for-power10.patch b/queue-5.10/selftests-powerpc-fix-l1d-flushing-tests-for-power10.patch new file mode 100644 index 00000000000..8839e33e989 --- /dev/null +++ b/queue-5.10/selftests-powerpc-fix-l1d-flushing-tests-for-power10.patch @@ -0,0 +1,82 @@ +From 09e57838e210a349031eea6d684f92bdc94773e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Feb 2021 17:02:27 +1000 +Subject: selftests/powerpc: Fix L1D flushing tests for Power10 + +From: Russell Currey + +[ Upstream commit 3a72c94ebfb1f171eba0715998010678a09ec796 ] + +The rfi_flush and entry_flush selftests work by using the PM_LD_MISS_L1 +perf event to count L1D misses. The value of this event has changed +over time: + +- Power7 uses 0x400f0 +- Power8 and Power9 use both 0x400f0 and 0x3e054 +- Power10 uses only 0x3e054 + +Rather than relying on raw values, configure perf to count L1D read +misses in the most explicit way available. + +This fixes the selftests to work on systems without 0x400f0 as +PM_LD_MISS_L1, and should change no behaviour for systems that the tests +already worked on. + +The only potential downside is that referring to a specific perf event +requires PMU support implemented in the kernel for that platform. + +Signed-off-by: Russell Currey +Acked-by: Daniel Axtens +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210223070227.2916871-1-ruscur@russell.cc +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/powerpc/security/entry_flush.c | 2 +- + tools/testing/selftests/powerpc/security/flush_utils.h | 4 ++++ + tools/testing/selftests/powerpc/security/rfi_flush.c | 2 +- + 3 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/security/entry_flush.c b/tools/testing/selftests/powerpc/security/entry_flush.c +index 78cf914fa321..68ce377b205e 100644 +--- a/tools/testing/selftests/powerpc/security/entry_flush.c ++++ b/tools/testing/selftests/powerpc/security/entry_flush.c +@@ -53,7 +53,7 @@ int entry_flush_test(void) + + entry_flush = entry_flush_orig; + +- fd = perf_event_open_counter(PERF_TYPE_RAW, /* L1d miss */ 0x400f0, -1); ++ fd = perf_event_open_counter(PERF_TYPE_HW_CACHE, PERF_L1D_READ_MISS_CONFIG, -1); + FAIL_IF(fd < 0); + + p = (char *)memalign(zero_size, CACHELINE_SIZE); +diff --git a/tools/testing/selftests/powerpc/security/flush_utils.h b/tools/testing/selftests/powerpc/security/flush_utils.h +index 07a5eb301466..7a3d60292916 100644 +--- a/tools/testing/selftests/powerpc/security/flush_utils.h ++++ b/tools/testing/selftests/powerpc/security/flush_utils.h +@@ -9,6 +9,10 @@ + + #define CACHELINE_SIZE 128 + ++#define PERF_L1D_READ_MISS_CONFIG ((PERF_COUNT_HW_CACHE_L1D) | \ ++ (PERF_COUNT_HW_CACHE_OP_READ << 8) | \ ++ (PERF_COUNT_HW_CACHE_RESULT_MISS << 16)) ++ + void syscall_loop(char *p, unsigned long iterations, + unsigned long zero_size); + +diff --git a/tools/testing/selftests/powerpc/security/rfi_flush.c b/tools/testing/selftests/powerpc/security/rfi_flush.c +index 7565fd786640..f73484a6470f 100644 +--- a/tools/testing/selftests/powerpc/security/rfi_flush.c ++++ b/tools/testing/selftests/powerpc/security/rfi_flush.c +@@ -54,7 +54,7 @@ int rfi_flush_test(void) + + rfi_flush = rfi_flush_orig; + +- fd = perf_event_open_counter(PERF_TYPE_RAW, /* L1d miss */ 0x400f0, -1); ++ fd = perf_event_open_counter(PERF_TYPE_HW_CACHE, PERF_L1D_READ_MISS_CONFIG, -1); + FAIL_IF(fd < 0); + + p = (char *)memalign(zero_size, CACHELINE_SIZE); +-- +2.30.2 + diff --git a/queue-5.10/selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch b/queue-5.10/selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch new file mode 100644 index 00000000000..4bb69e4db87 --- /dev/null +++ b/queue-5.10/selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch @@ -0,0 +1,42 @@ +From 80255aacf27815152bf9ed862be62c6d36ba1313 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Apr 2021 08:34:13 -0700 +Subject: selftests: Set CC to clang in lib.mk if LLVM is set + +From: Yonghong Song + +[ Upstream commit 26e6dd1072763cd5696b75994c03982dde952ad9 ] + +selftests/bpf/Makefile includes lib.mk. With the following command + make -j60 LLVM=1 LLVM_IAS=1 <=== compile kernel + make -j60 -C tools/testing/selftests/bpf LLVM=1 LLVM_IAS=1 V=1 +some files are still compiled with gcc. This patch +fixed lib.mk issue which sets CC to gcc in all cases. + +Signed-off-by: Yonghong Song +Signed-off-by: Alexei Starovoitov +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20210413153413.3027426-1-yhs@fb.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/lib.mk | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk +index be17462fe146..0af84ad48aa7 100644 +--- a/tools/testing/selftests/lib.mk ++++ b/tools/testing/selftests/lib.mk +@@ -1,6 +1,10 @@ + # This mimics the top-level Makefile. We do it explicitly here so that this + # Makefile can operate with or without the kbuild infrastructure. ++ifneq ($(LLVM),) ++CC := clang ++else + CC := $(CROSS_COMPILE)gcc ++endif + + ifeq (0,$(MAKELEVEL)) + ifeq ($(OUTPUT),) +-- +2.30.2 + diff --git a/queue-5.10/series b/queue-5.10/series index 6948773bf1c..382ce9cbefc 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -8,3 +8,186 @@ acpi-pm-add-acpi-id-of-alder-lake-fan.patch pm-runtime-fix-unpaired-parent-child_count-for-force_resume.patch cpufreq-intel_pstate-use-hwp-if-enabled-by-platform-firmware.patch kvm-cap-halt-polling-at-kvm-max_halt_poll_ns.patch +ath11k-fix-thermal-temperature-read.patch +fs-dlm-fix-debugfs-dump.patch +fs-dlm-add-errno-handling-to-check-callback.patch +fs-dlm-check-on-minimum-msglen-size.patch +fs-dlm-flush-swork-on-shutdown.patch +tipc-convert-dest-node-s-address-to-network-order.patch +asoc-intel-bytcr_rt5640-enable-jack-detect-support-o.patch +net-mlx5e-use-net_prefetchw-instead-of-prefetchw-in-.patch +net-stmmac-set-fifo-sizes-for-ipq806x.patch +asoc-rsnd-core-check-convert-rate-in-rsnd_hw_params.patch +bluetooth-fix-incorrect-status-handling-in-le-phy-up.patch +i2c-bail-out-early-when-rdwr-parameters-are-wrong.patch +alsa-hdsp-don-t-disable-if-not-enabled.patch +alsa-hdspm-don-t-disable-if-not-enabled.patch +alsa-rme9652-don-t-disable-if-not-enabled.patch +alsa-bebob-enable-to-deliver-midi-messages-for-multi.patch +bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch +bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch +net-sched-cls_flower-use-ntohs-for-struct-flow_disse.patch +net-bridge-when-suppression-is-enabled-exclude-rarp-.patch +bluetooth-check-for-zapped-sk-before-connecting.patch +selftests-powerpc-fix-l1d-flushing-tests-for-power10.patch +powerpc-32-statically-initialise-first-emergency-con.patch +net-hns3-remediate-a-potential-overflow-risk-of-bd_n.patch +net-hns3-add-handling-for-xmit-skb-with-recursive-fr.patch +ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch +asoc-intel-bytcr_rt5640-add-quirk-for-the-chuwi-hi8-.patch +ice-handle-increasing-tx-or-rx-ring-sizes.patch +bluetooth-btusb-enable-quirk-boolean-flag-for-mediat.patch +asoc-rt5670-add-a-quirk-for-the-dell-venue-10-pro-50.patch +i2c-add-i2c_aq_no_rep_start-adapter-quirk.patch +mips-loongson64-use-_cache_uncached-instead-of-_cach.patch +coresight-do-not-scan-for-graph-if-none-is-present.patch +ib-hfi1-correct-oversized-ring-allocation.patch +mac80211-clear-the-beacon-s-crc-after-channel-switch.patch +pinctrl-samsung-use-int-for-register-masks-in-exynos.patch +rtw88-8822c-add-lc-calibration-for-rtl8822c.patch +mt76-mt7615-support-loading-eeprom-for-mt7613be.patch +mt76-mt76x0-disable-gtk-offloading.patch +mt76-mt7915-fix-txpower-init-for-tssi-off-chips.patch +fuse-invalidate-attrs-when-page-writeback-completes.patch +virtiofs-fix-userns.patch +cuse-prevent-clone.patch +iwlwifi-pcie-make-cfg-vs.-trans_cfg-more-robust.patch +powerpc-mm-add-cond_resched-while-removing-hpte-mapp.patch +asoc-rsnd-call-rsnd_ssi_master_clk_start-from-rsnd_s.patch +revert-iommu-amd-fix-performance-counter-initializat.patch +iommu-amd-remove-performance-counter-pre-initializat.patch +drm-amd-display-force-vsync-flip-when-reconfiguring-.patch +selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch +kconfig-nconf-stop-endless-search-loops.patch +alsa-hda-realtek-add-quirk-for-lenovo-ideapad-s740.patch +asoc-intel-sof_sdw-add-quirk-for-new-adl-p-rvp.patch +alsa-hda-hdmi-fix-race-in-handling-acomp-eld-notific.patch +sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch +flow_dissector-fix-out-of-bounds-warning-in-__skb_fl.patch +powerpc-smp-set-numa-node-before-updating-mask.patch +asoc-rt286-generalize-support-for-alc3263-codec.patch +ethtool-ioctl-fix-out-of-bounds-warning-in-store_lin.patch +net-sched-tapr-prevent-cycle_time-0-in-parse_taprio_.patch +samples-bpf-fix-broken-tracex1-due-to-kprobe-argumen.patch +powerpc-pseries-stop-calling-printk-in-rtas_stop_sel.patch +drm-amd-display-fixed-divide-by-zero-kernel-crash-du.patch +drm-amd-display-add-handling-for-hdcp2-rx-id-list-va.patch +drm-amdgpu-add-mem-sync-flag-for-ib-allocated-by-sa.patch +mt76-mt7615-fix-entering-driver-own-state-on-mt7663.patch +crypto-ccp-free-sev-device-if-sev-init-fails.patch +wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch +wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch +qtnfmac-fix-possible-buffer-overflow-in-qtnf_event_h.patch +powerpc-iommu-annotate-nested-lock-for-lockdep.patch +iavf-remove-duplicate-free-resources-calls.patch +net-ethernet-mtk_eth_soc-fix-rx-vlan-offload.patch +selftests-mlxsw-increase-the-tolerance-of-backlog-bu.patch +selftests-mlxsw-fix-mausezahn-invocation-in-erspan-s.patch +kbuild-generate-module.symvers-only-when-vmlinux-exi.patch +bnxt_en-add-pci-ids-for-hyper-v-vf-devices.patch +ia64-module-fix-symbolizer-crash-on-fdescr.patch +watchdog-rename-__touch_watchdog-to-a-better-descrip.patch +watchdog-explicitly-update-timestamp-when-reporting-.patch +watchdog-softlockup-remove-logic-that-tried-to-preve.patch +watchdog-fix-barriers-when-printing-backtraces-from-.patch +asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch +thermal-thermal_of-fix-error-return-code-of-thermal_.patch +f2fs-move-ioctl-interface-definitions-to-separated-f.patch +f2fs-fix-compat-f2fs_ioc_-move-garbage_collect-_rang.patch +f2fs-fix-to-allow-migrating-fully-valid-segment.patch +f2fs-fix-panic-during-f2fs_resize_fs.patch +f2fs-fix-a-redundant-call-to-f2fs_balance_fs-if-an-e.patch +remoteproc-qcom_q6v5_mss-replace-ioremap-with-memrem.patch +remoteproc-qcom_q6v5_mss-validate-p_filesz-in-elf-lo.patch +pci-iproc-fix-return-value-of-iproc_msi_irq_domain_a.patch +pci-release-of-node-in-pci_scan_device-s-error-path.patch +arm-9064-1-hw_breakpoint-do-not-directly-check-the-e.patch +f2fs-fix-to-align-to-section-for-fallocate-on-pinned.patch +f2fs-fix-to-update-last-i_size-if-fallocate-partiall.patch +pci-endpoint-make-_get_first_free_bar-take-into-acco.patch +pci-endpoint-add-helper-api-to-get-the-next-unreserv.patch +pci-endpoint-make-_free_bar-to-return-error-codes-on.patch +pci-endpoint-fix-null-pointer-dereference-for-get_fe.patch +f2fs-fix-to-avoid-touching-checkpointed-data-in-get_.patch +f2fs-fix-to-cover-__allocate_new_section-with-curseg.patch +f2fs-fix-a-hungtask-problem-in-atomic-write.patch +f2fs-fix-to-avoid-accessing-invalid-fio-in-f2fs_allo.patch +rpmsg-qcom_glink_native-fix-error-return-code-of-qco.patch +nfs-nfs4_bitmask_adjust-must-not-change-the-server-g.patch +nfs-fix-attribute-bitmask-in-_nfs42_proc_fallocate.patch +nfsv4.2-always-flush-out-writes-in-nfs42_proc_falloc.patch +nfs-deal-correctly-with-attribute-generation-counter.patch +pci-endpoint-fix-missing-destroy_workqueue.patch +pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch +nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch +sunrpc-move-fault-injection-call-sites.patch +sunrpc-remove-trace_xprt_transmit_queued.patch +sunrpc-handle-major-timeout-in-xprt_adjust_timeout.patch +thermal-drivers-tsens-fix-missing-put_device-error.patch +nfsv4.x-don-t-return-nfs4err_nomatching_layout-if-we.patch +nfsd-ensure-new-clients-break-delegations.patch +rtc-fsl-ftm-alarm-add-module_table.patch +dmaengine-idxd-fix-potential-null-dereference-on-poi.patch +dmaengine-idxd-fix-dma-device-lifetime.patch +dmaengine-idxd-fix-cdev-setup-and-free-device-lifeti.patch +sunrpc-fix-ternary-sign-expansion-bug-in-tracing.patch +pwm-atmel-fix-duty-cycle-calculation-in-.get_state.patch +xprtrdma-avoid-receive-queue-wrapping.patch +xprtrdma-fix-cwnd-update-ordering.patch +xprtrdma-rpcrdma_mr_pop-already-does-list_del_init.patch +swiotlb-fix-the-type-of-index.patch +ceph-fix-inode-leak-on-getattr-error-in-__fh_to_dent.patch +scsi-qla2xxx-prevent-prli-in-target-mode.patch +scsi-ufs-core-do-not-put-ufs-power-into-lpm-if-link-.patch +scsi-ufs-core-cancel-rpm_dev_flush_recheck_work-duri.patch +scsi-ufs-core-narrow-down-fast-path-in-system-suspen.patch +rtc-ds1307-fix-wday-settings-for-rx8130.patch +net-hns3-fix-incorrect-configuration-for-igu_egu_hw_.patch +net-hns3-initialize-the-message-content-in-hclge_get.patch +net-hns3-add-check-for-hns3_nic_state_inited-in-hns3.patch +net-hns3-fix-for-vxlan-gpe-tx-checksum-bug.patch +net-hns3-use-netif_tx_disable-to-stop-the-transmit-q.patch +net-hns3-disable-phy-loopback-setting-in-hclge_mac_s.patch +sctp-do-asoc-update-earlier-in-sctp_sf_do_dupcook_a.patch +risc-v-fix-error-code-returned-by-riscv_hartid_to_cp.patch +sunrpc-fix-misplaced-barrier-in-call_decode.patch +libbpf-fix-signed-overflow-in-ringbuf_process_ring.patch +block-rnbd-clt-change-queue_depth-type-in-rnbd_clt_s.patch +block-rnbd-clt-check-the-return-value-of-the-functio.patch +ethernet-enic-fix-a-use-after-free-bug-in-enic_hard_.patch +sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch +netfilter-xt_secmark-add-new-revision-to-fix-structu.patch +xsk-fix-for-xp_aligned_validate_desc-when-len-chunk_.patch +net-stmmac-clear-receive-all-ra-bit-when-promiscuous.patch +drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch +drm-radeon-avoid-power-table-parsing-memory-leaks.patch +arm64-entry-factor-irq-triage-logic-into-macros.patch +arm64-entry-always-set-gic_prio_psr_i_set-during-ent.patch +khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch +mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch +mm-migrate.c-fix-potential-indeterminate-pte-entry-i.patch +ksm-fix-potential-missing-rmap_item-for-stable_node.patch +mm-gup-check-every-subpage-of-a-compound-page-during.patch +mm-gup-return-an-error-on-migration-failure.patch +mm-gup-check-for-isolation-errors.patch +ethtool-fix-missing-nlm_f_multi-flag-when-dumping.patch +net-fix-nla_strcmp-to-handle-more-then-one-trailing-.patch +smc-disallow-tcp_ulp-in-smc_setsockopt.patch +netfilter-nfnetlink_osf-fix-a-missing-skb_header_poi.patch +netfilter-nftables-fix-a-memleak-from-userdata-error.patch +can-mcp251xfd-mcp251xfd_probe-add-missing-can_rx_off.patch +can-mcp251x-fix-resume-from-sleep-before-interface-w.patch +can-m_can-m_can_tx_work_queue-fix-tx_skb-race-condit.patch +sched-fix-out-of-bound-access-in-uclamp.patch +sched-fair-fix-unfairness-caused-by-missing-load-dec.patch +fs-proc-generic.c-fix-incorrect-pde_is_permanent-che.patch +kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch +kernel-resource-make-walk_system_ram_res-find-all-bu.patch +kernel-resource-make-walk_mem_res-find-all-busy-iore.patch +netfilter-nftables-avoid-overflows-in-nft_hash_bucke.patch +i40e-fix-broken-xdp-support.patch +i40e-fix-use-after-free-in-i40e_client_subtask.patch +i40e-fix-the-restart-auto-negotiation-after-fec-modi.patch +i40e-fix-phy-type-identifiers-for-2.5g-and-5g-adapte.patch +mptcp-fix-splat-when-closing-unaccepted-socket.patch +f2fs-avoid-unneeded-data-copy-in-f2fs_ioc_move_range.patch diff --git a/queue-5.10/smc-disallow-tcp_ulp-in-smc_setsockopt.patch b/queue-5.10/smc-disallow-tcp_ulp-in-smc_setsockopt.patch new file mode 100644 index 00000000000..ea895db616d --- /dev/null +++ b/queue-5.10/smc-disallow-tcp_ulp-in-smc_setsockopt.patch @@ -0,0 +1,55 @@ +From 9a644e8397d1aa64fb84431112faab1419fcb2bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 May 2021 12:40:48 -0700 +Subject: smc: disallow TCP_ULP in smc_setsockopt() + +From: Cong Wang + +[ Upstream commit 8621436671f3a4bba5db57482e1ee604708bf1eb ] + +syzbot is able to setup kTLS on an SMC socket which coincidentally +uses sk_user_data too. Later, kTLS treats it as psock so triggers a +refcnt warning. The root cause is that smc_setsockopt() simply calls +TCP setsockopt() which includes TCP_ULP. I do not think it makes +sense to setup kTLS on top of SMC sockets, so we should just disallow +this setup. + +It is hard to find a commit to blame, but we can apply this patch +since the beginning of TCP_ULP. + +Reported-and-tested-by: syzbot+b54a1ce86ba4a623b7f0@syzkaller.appspotmail.com +Fixes: 734942cc4ea6 ("tcp: ULP infrastructure") +Cc: John Fastabend +Signed-off-by: Karsten Graul +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 5dd4faaf7d6e..030d7f30b13f 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -2147,6 +2147,9 @@ static int smc_setsockopt(struct socket *sock, int level, int optname, + struct smc_sock *smc; + int val, rc; + ++ if (level == SOL_TCP && optname == TCP_ULP) ++ return -EOPNOTSUPP; ++ + smc = smc_sk(sk); + + /* generic setsockopts reaching us here always apply to the +@@ -2171,7 +2174,6 @@ static int smc_setsockopt(struct socket *sock, int level, int optname, + if (rc || smc->use_fallback) + goto out; + switch (optname) { +- case TCP_ULP: + case TCP_FASTOPEN: + case TCP_FASTOPEN_CONNECT: + case TCP_FASTOPEN_KEY: +-- +2.30.2 + diff --git a/queue-5.10/sunrpc-fix-misplaced-barrier-in-call_decode.patch b/queue-5.10/sunrpc-fix-misplaced-barrier-in-call_decode.patch new file mode 100644 index 00000000000..5b5d213de94 --- /dev/null +++ b/queue-5.10/sunrpc-fix-misplaced-barrier-in-call_decode.patch @@ -0,0 +1,68 @@ +From e2d2ab3c96a3f0b32de8d8d9cd1caedfcec30948 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 14:10:51 +1000 +Subject: sunrpc: Fix misplaced barrier in call_decode + +From: Baptiste Lepers + +[ Upstream commit f8f7e0fb22b2e75be55f2f0c13e229e75b0eac07 ] + +Fix a misplaced barrier in call_decode. The struct rpc_rqst is modified +as follows by xprt_complete_rqst: + +req->rq_private_buf.len = copied; +/* Ensure all writes are done before we update */ +/* req->rq_reply_bytes_recvd */ +smp_wmb(); +req->rq_reply_bytes_recvd = copied; + +And currently read as follows by call_decode: + +smp_rmb(); // misplaced +if (!req->rq_reply_bytes_recvd) + goto out; +req->rq_rcv_buf.len = req->rq_private_buf.len; + +This patch places the smp_rmb after the if to ensure that +rq_reply_bytes_recvd and rq_private_buf.len are read in order. + +Fixes: 9ba828861c56a ("SUNRPC: Don't try to parse incomplete RPC messages") +Signed-off-by: Baptiste Lepers +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/clnt.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index 69d8843a26e0..4a0e8e458a9a 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -2459,12 +2459,6 @@ call_decode(struct rpc_task *task) + task->tk_flags &= ~RPC_CALL_MAJORSEEN; + } + +- /* +- * Ensure that we see all writes made by xprt_complete_rqst() +- * before it changed req->rq_reply_bytes_recvd. +- */ +- smp_rmb(); +- + /* + * Did we ever call xprt_complete_rqst()? If not, we should assume + * the message is incomplete. +@@ -2473,6 +2467,11 @@ call_decode(struct rpc_task *task) + if (!req->rq_reply_bytes_recvd) + goto out; + ++ /* Ensure that we see all writes made by xprt_complete_rqst() ++ * before it changed req->rq_reply_bytes_recvd. ++ */ ++ smp_rmb(); ++ + req->rq_rcv_buf.len = req->rq_private_buf.len; + trace_rpc_xdr_recvfrom(task, &req->rq_rcv_buf); + +-- +2.30.2 + diff --git a/queue-5.10/sunrpc-fix-ternary-sign-expansion-bug-in-tracing.patch b/queue-5.10/sunrpc-fix-ternary-sign-expansion-bug-in-tracing.patch new file mode 100644 index 00000000000..b75cf8f2aef --- /dev/null +++ b/queue-5.10/sunrpc-fix-ternary-sign-expansion-bug-in-tracing.patch @@ -0,0 +1,42 @@ +From 85e707c42631e42c709af871822ede5802a17081 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Apr 2021 12:14:37 +0300 +Subject: SUNRPC: fix ternary sign expansion bug in tracing + +From: Dan Carpenter + +[ Upstream commit cb579086536f6564f5846f89808ec394ef8b8621 ] + +This code is supposed to pass negative "err" values for tracing but it +passes positive values instead. The problem is that the +trace_svcsock_tcp_send() function takes a long but "err" is an int and +"sent" is a u32. The negative is first type promoted to u32 so it +becomes a high positive then it is promoted to long and it stays +positive. + +Fix this by casting "err" directly to long. + +Fixes: 998024dee197 ("SUNRPC: Add more svcsock tracepoints") +Signed-off-by: Dan Carpenter +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svcsock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c +index fa7b7ae2c2c5..eba1714bf09a 100644 +--- a/net/sunrpc/svcsock.c ++++ b/net/sunrpc/svcsock.c +@@ -1176,7 +1176,7 @@ static int svc_tcp_sendto(struct svc_rqst *rqstp) + goto out_notconn; + err = svc_tcp_sendmsg(svsk->sk_sock, &msg, xdr, marker, &sent); + xdr_free_bvec(xdr); +- trace_svcsock_tcp_send(xprt, err < 0 ? err : sent); ++ trace_svcsock_tcp_send(xprt, err < 0 ? (long)err : sent); + if (err < 0 || sent != (xdr->len + sizeof(marker))) + goto out_close; + mutex_unlock(&xprt->xpt_mutex); +-- +2.30.2 + diff --git a/queue-5.10/sunrpc-handle-major-timeout-in-xprt_adjust_timeout.patch b/queue-5.10/sunrpc-handle-major-timeout-in-xprt_adjust_timeout.patch new file mode 100644 index 00000000000..7cafec190f3 --- /dev/null +++ b/queue-5.10/sunrpc-handle-major-timeout-in-xprt_adjust_timeout.patch @@ -0,0 +1,61 @@ +From 6c2b1e2597023e0922a3d1758cd515beb3c60920 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Apr 2021 21:29:26 -0400 +Subject: SUNRPC: Handle major timeout in xprt_adjust_timeout() + +From: Chris Dion + +[ Upstream commit 09252177d5f924f404551b4b4eded5daa7f04a3a ] + +Currently if a major timeout value is reached, but the minor value has +not been reached, an ETIMEOUT will not be sent back to the caller. +This can occur if the v4 server is not responding to requests and +retrans is configured larger than the default of two. + +For example, A TCP mount with a configured timeout value of 50 and a +retransmission count of 3 to a v4 server which is not responding: + +1. Initial value and increment set to 5s, maxval set to 20s, retries at 3 +2. Major timeout is set to 20s, minor timeout set to 5s initially +3. xport_adjust_timeout() is called after 5s, retry with 10s timeout, + minor timeout is bumped to 10s +4. And again after another 10s, 15s total time with minor timeout set + to 15s +5. After 20s total time xport_adjust_timeout is called as major timeout is + reached, but skipped because the minor timeout is not reached + - After this time the cpu spins continually calling + xport_adjust_timeout() and returning 0 for 10 seconds. + As seen on perf sched: + 39243.913182 [0005] mount.nfs[3794] 4607.938 0.017 9746.863 +6. This continues until the 15s minor timeout condition is reached (in + this case for 10 seconds). After which the ETIMEOUT is processed + back to the caller, the cpu spinning stops, and normal operations + continue + +Fixes: 7de62bc09fe6 ("SUNRPC dont update timeout value on connection reset") +Signed-off-by: Chris Dion +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c +index 586bc9d98de1..a85759d8cde8 100644 +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -670,9 +670,9 @@ int xprt_adjust_timeout(struct rpc_rqst *req) + const struct rpc_timeout *to = req->rq_task->tk_client->cl_timeout; + int status = 0; + +- if (time_before(jiffies, req->rq_minortimeo)) +- return status; + if (time_before(jiffies, req->rq_majortimeo)) { ++ if (time_before(jiffies, req->rq_minortimeo)) ++ return status; + if (to->to_exponential) + req->rq_timeout <<= 1; + else +-- +2.30.2 + diff --git a/queue-5.10/sunrpc-move-fault-injection-call-sites.patch b/queue-5.10/sunrpc-move-fault-injection-call-sites.patch new file mode 100644 index 00000000000..6172d1d5afd --- /dev/null +++ b/queue-5.10/sunrpc-move-fault-injection-call-sites.patch @@ -0,0 +1,85 @@ +From be75bcf96a54020cc0f6cab6f2c7610c6ddd95ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Mar 2021 13:22:14 -0400 +Subject: SUNRPC: Move fault injection call sites + +From: Chuck Lever + +[ Upstream commit 7638e0bfaed1b653d3ca663e560e9ffb44bb1030 ] + +I've hit some crashes that occur in the xprt_rdma_inject_disconnect +path. It appears that, for some provides, rdma_disconnect() can +take so long that the transport can disconnect and release its +hardware resources while rdma_disconnect() is still running, +resulting in a UAF in the provider. + +The transport's fault injection method may depend on the stability +of transport data structures. That means it needs to be invoked +only from contexts that hold the transport write lock. + +Fixes: 4a0682583988 ("SUNRPC: Transport fault injection") +Signed-off-by: Chuck Lever +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/clnt.c | 1 - + net/sunrpc/xprt.c | 6 ++++-- + net/sunrpc/xprtrdma/transport.c | 6 ++++-- + 3 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index 3259120462ed..69d8843a26e0 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -1802,7 +1802,6 @@ call_allocate(struct rpc_task *task) + + status = xprt->ops->buf_alloc(task); + trace_rpc_buf_alloc(task, status); +- xprt_inject_disconnect(xprt); + if (status == 0) + return; + if (status != -ENOMEM) { +diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c +index 57f09ea3ef2a..99d07513237e 100644 +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -1455,7 +1455,10 @@ bool xprt_prepare_transmit(struct rpc_task *task) + + void xprt_end_transmit(struct rpc_task *task) + { +- xprt_release_write(task->tk_rqstp->rq_xprt, task); ++ struct rpc_xprt *xprt = task->tk_rqstp->rq_xprt; ++ ++ xprt_inject_disconnect(xprt); ++ xprt_release_write(xprt, task); + } + + /** +@@ -1857,7 +1860,6 @@ void xprt_release(struct rpc_task *task) + spin_unlock(&xprt->transport_lock); + if (req->rq_buffer) + xprt->ops->buf_free(task); +- xprt_inject_disconnect(xprt); + xdr_free_bvec(&req->rq_rcv_buf); + xdr_free_bvec(&req->rq_snd_buf); + if (req->rq_cred != NULL) +diff --git a/net/sunrpc/xprtrdma/transport.c b/net/sunrpc/xprtrdma/transport.c +index 035060c05fd5..f93ff4282bf4 100644 +--- a/net/sunrpc/xprtrdma/transport.c ++++ b/net/sunrpc/xprtrdma/transport.c +@@ -262,8 +262,10 @@ xprt_rdma_connect_worker(struct work_struct *work) + * xprt_rdma_inject_disconnect - inject a connection fault + * @xprt: transport context + * +- * If @xprt is connected, disconnect it to simulate spurious connection +- * loss. ++ * If @xprt is connected, disconnect it to simulate spurious ++ * connection loss. Caller must hold @xprt's send lock to ++ * ensure that data structures and hardware resources are ++ * stable during the rdma_disconnect() call. + */ + static void + xprt_rdma_inject_disconnect(struct rpc_xprt *xprt) +-- +2.30.2 + diff --git a/queue-5.10/sunrpc-remove-trace_xprt_transmit_queued.patch b/queue-5.10/sunrpc-remove-trace_xprt_transmit_queued.patch new file mode 100644 index 00000000000..82354171216 --- /dev/null +++ b/queue-5.10/sunrpc-remove-trace_xprt_transmit_queued.patch @@ -0,0 +1,63 @@ +From 628c1a0d06c7bdac4de7dcb6b1f29296bbcdf5d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Mar 2021 16:03:08 -0400 +Subject: SUNRPC: Remove trace_xprt_transmit_queued + +From: Chuck Lever + +[ Upstream commit 6cf23783f750634e10daeede48b0f5f5d64ebf3a ] + +This tracepoint can crash when dereferencing snd_task because +when some transports connect, they put a cookie in that field +instead of a pointer to an rpc_task. + +BUG: KASAN: use-after-free in trace_event_raw_event_xprt_writelock_event+0x141/0x18e [sunrpc] +Read of size 2 at addr ffff8881a83bd3a0 by task git/331872 + +CPU: 11 PID: 331872 Comm: git Tainted: G S 5.12.0-rc2-00007-g3ab6e585a7f9 #1453 +Hardware name: Supermicro SYS-6028R-T/X10DRi, BIOS 1.1a 10/16/2015 +Call Trace: + dump_stack+0x9c/0xcf + print_address_description.constprop.0+0x18/0x239 + kasan_report+0x174/0x1b0 + trace_event_raw_event_xprt_writelock_event+0x141/0x18e [sunrpc] + xprt_prepare_transmit+0x8e/0xc1 [sunrpc] + call_transmit+0x4d/0xc6 [sunrpc] + +Fixes: 9ce07ae5eb1d ("SUNRPC: Replace dprintk() call site in xprt_prepare_transmit") +Signed-off-by: Chuck Lever +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + include/trace/events/sunrpc.h | 1 - + net/sunrpc/xprt.c | 2 -- + 2 files changed, 3 deletions(-) + +diff --git a/include/trace/events/sunrpc.h b/include/trace/events/sunrpc.h +index 2a03263b5f9d..23db248a7fdb 100644 +--- a/include/trace/events/sunrpc.h ++++ b/include/trace/events/sunrpc.h +@@ -1141,7 +1141,6 @@ DECLARE_EVENT_CLASS(xprt_writelock_event, + + DEFINE_WRITELOCK_EVENT(reserve_xprt); + DEFINE_WRITELOCK_EVENT(release_xprt); +-DEFINE_WRITELOCK_EVENT(transmit_queued); + + DECLARE_EVENT_CLASS(xprt_cong_event, + TP_PROTO( +diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c +index 99d07513237e..586bc9d98de1 100644 +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -1441,8 +1441,6 @@ bool xprt_prepare_transmit(struct rpc_task *task) + struct rpc_xprt *xprt = req->rq_xprt; + + if (!xprt_lock_write(xprt, task)) { +- trace_xprt_transmit_queued(xprt, task); +- + /* Race breaker: someone may have transmitted us */ + if (!test_bit(RPC_TASK_NEED_XMIT, &task->tk_runstate)) + rpc_wake_up_queued_task_set_status(&xprt->sending, +-- +2.30.2 + diff --git a/queue-5.10/swiotlb-fix-the-type-of-index.patch b/queue-5.10/swiotlb-fix-the-type-of-index.patch new file mode 100644 index 00000000000..0abc1aa34e5 --- /dev/null +++ b/queue-5.10/swiotlb-fix-the-type-of-index.patch @@ -0,0 +1,38 @@ +From f5d0f9c19edb3ab5fcba8fc9a49cc000842e32f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Apr 2021 16:14:53 +0800 +Subject: swiotlb: Fix the type of index + +From: Claire Chang + +[ Upstream commit 95b079d8215b83b37fa59341fda92fcb9392f14a ] + +Fix the type of index from unsigned int to int since find_slots() might +return -1. + +Fixes: 26a7e094783d ("swiotlb: refactor swiotlb_tbl_map_single") +Reviewed-by: Christoph Hellwig +Signed-off-by: Claire Chang +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Sasha Levin +--- + kernel/dma/swiotlb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c +index ba4055a192e4..0f61b14b0099 100644 +--- a/kernel/dma/swiotlb.c ++++ b/kernel/dma/swiotlb.c +@@ -563,7 +563,8 @@ phys_addr_t swiotlb_tbl_map_single(struct device *dev, phys_addr_t orig_addr, + enum dma_data_direction dir, unsigned long attrs) + { + unsigned int offset = swiotlb_align_offset(dev, orig_addr); +- unsigned int index, i; ++ unsigned int i; ++ int index; + phys_addr_t tlb_addr; + + if (no_iotlb_memory) +-- +2.30.2 + diff --git a/queue-5.10/thermal-drivers-tsens-fix-missing-put_device-error.patch b/queue-5.10/thermal-drivers-tsens-fix-missing-put_device-error.patch new file mode 100644 index 00000000000..619bb00095b --- /dev/null +++ b/queue-5.10/thermal-drivers-tsens-fix-missing-put_device-error.patch @@ -0,0 +1,45 @@ +From b3e7756f4bb4f496babd7aea2edb67dcab2bb3b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Apr 2021 20:54:31 +0800 +Subject: thermal/drivers/tsens: Fix missing put_device error + +From: Guangqing Zhu + +[ Upstream commit f4136863e8899fa0554343201b78b9e197c78a78 ] + +Fixes coccicheck error: + +drivers/thermal/qcom/tsens.c:759:4-10: ERROR: missing put_device; call +of_find_device_by_node on line 715, but without a corresponding object +release within this function. + +Fixes: a7ff82976122 ("drivers: thermal: tsens: Merge tsens-common.c into tsens.c") +Signed-off-by: Guangqing Zhu +Reviewed-by: Bjorn Andersson +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20210404125431.12208-1-zhuguangqing83@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/thermal/qcom/tsens.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/thermal/qcom/tsens.c b/drivers/thermal/qcom/tsens.c +index d8ce3a687b80..3c4c0516e58a 100644 +--- a/drivers/thermal/qcom/tsens.c ++++ b/drivers/thermal/qcom/tsens.c +@@ -755,8 +755,10 @@ int __init init_common(struct tsens_priv *priv) + for (i = VER_MAJOR; i <= VER_STEP; i++) { + priv->rf[i] = devm_regmap_field_alloc(dev, priv->srot_map, + priv->fields[i]); +- if (IS_ERR(priv->rf[i])) +- return PTR_ERR(priv->rf[i]); ++ if (IS_ERR(priv->rf[i])) { ++ ret = PTR_ERR(priv->rf[i]); ++ goto err_put_device; ++ } + } + ret = regmap_field_read(priv->rf[VER_MINOR], &ver_minor); + if (ret) +-- +2.30.2 + diff --git a/queue-5.10/thermal-thermal_of-fix-error-return-code-of-thermal_.patch b/queue-5.10/thermal-thermal_of-fix-error-return-code-of-thermal_.patch new file mode 100644 index 00000000000..eda319cb2aa --- /dev/null +++ b/queue-5.10/thermal-thermal_of-fix-error-return-code-of-thermal_.patch @@ -0,0 +1,53 @@ +From 2ba25428aeced15d53cd9372b7a3d1b85c85541e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 04:24:23 -0800 +Subject: thermal: thermal_of: Fix error return code of + thermal_of_populate_bind_params() + +From: Jia-Ju Bai + +[ Upstream commit 45c7eaeb29d67224db4ba935deb575586a1fda09 ] + +When kcalloc() returns NULL to __tcbp or of_count_phandle_with_args() +returns zero or -ENOENT to count, no error return code of +thermal_of_populate_bind_params() is assigned. +To fix these bugs, ret is assigned with -ENOMEM and -ENOENT in these +cases, respectively. + +Fixes: a92bab8919e3 ("of: thermal: Allow multiple devices to share cooling map") +Reported-by: TOTE Robot +Signed-off-by: Jia-Ju Bai +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20210310122423.3266-1-baijiaju1990@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_of.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c +index 69ef12f852b7..5b76f9a1280d 100644 +--- a/drivers/thermal/thermal_of.c ++++ b/drivers/thermal/thermal_of.c +@@ -704,14 +704,17 @@ static int thermal_of_populate_bind_params(struct device_node *np, + + count = of_count_phandle_with_args(np, "cooling-device", + "#cooling-cells"); +- if (!count) { ++ if (count <= 0) { + pr_err("Add a cooling_device property with at least one device\n"); ++ ret = -ENOENT; + goto end; + } + + __tcbp = kcalloc(count, sizeof(*__tcbp), GFP_KERNEL); +- if (!__tcbp) ++ if (!__tcbp) { ++ ret = -ENOMEM; + goto end; ++ } + + for (i = 0; i < count; i++) { + ret = of_parse_phandle_with_args(np, "cooling-device", +-- +2.30.2 + diff --git a/queue-5.10/tipc-convert-dest-node-s-address-to-network-order.patch b/queue-5.10/tipc-convert-dest-node-s-address-to-network-order.patch new file mode 100644 index 00000000000..c8bcb725783 --- /dev/null +++ b/queue-5.10/tipc-convert-dest-node-s-address-to-network-order.patch @@ -0,0 +1,41 @@ +From 60dccd18cb00050015c0557b5798d3856a2b57f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Mar 2021 10:33:22 +0700 +Subject: tipc: convert dest node's address to network order + +From: Hoang Le + +[ Upstream commit 1980d37565061ab44bdc2f9e4da477d3b9752e81 ] + +(struct tipc_link_info)->dest is in network order (__be32), so we must +convert the value to network order before assigning. The problem detected +by sparse: + +net/tipc/netlink_compat.c:699:24: warning: incorrect type in assignment (different base types) +net/tipc/netlink_compat.c:699:24: expected restricted __be32 [usertype] dest +net/tipc/netlink_compat.c:699:24: got int + +Acked-by: Jon Maloy +Signed-off-by: Hoang Le +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/netlink_compat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c +index 1c7aa51cc2a3..49e893313652 100644 +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -693,7 +693,7 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg, + if (err) + return err; + +- link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]); ++ link_info.dest = htonl(nla_get_flag(link[TIPC_NLA_LINK_DEST])); + link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP])); + nla_strlcpy(link_info.str, link[TIPC_NLA_LINK_NAME], + TIPC_MAX_LINK_NAME); +-- +2.30.2 + diff --git a/queue-5.10/virtiofs-fix-userns.patch b/queue-5.10/virtiofs-fix-userns.patch new file mode 100644 index 00000000000..a99a15d643c --- /dev/null +++ b/queue-5.10/virtiofs-fix-userns.patch @@ -0,0 +1,38 @@ +From 9559861ebfe8d76999e766919b7b3b4dc24bbcd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Apr 2021 10:40:58 +0200 +Subject: virtiofs: fix userns + +From: Miklos Szeredi + +[ Upstream commit 0a7419c68a45d2d066b996be5087aa2d07ce80eb ] + +get_user_ns() is done twice (once in virtio_fs_get_tree() and once in +fuse_conn_init()), resulting in a reference leak. + +Also looks better to use fsc->user_ns (which *should* be the +current_user_ns() at this point). + +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +--- + fs/fuse/virtio_fs.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c +index f0a7f1b7b75f..b9cfb1165ff4 100644 +--- a/fs/fuse/virtio_fs.c ++++ b/fs/fuse/virtio_fs.c +@@ -1457,8 +1457,7 @@ static int virtio_fs_get_tree(struct fs_context *fsc) + return -ENOMEM; + } + +- fuse_conn_init(fc, fm, get_user_ns(current_user_ns()), +- &virtio_fs_fiq_ops, fs); ++ fuse_conn_init(fc, fm, fsc->user_ns, &virtio_fs_fiq_ops, fs); + fc->release = fuse_free_conn; + fc->delete_stale = true; + fc->auto_submounts = true; +-- +2.30.2 + diff --git a/queue-5.10/watchdog-explicitly-update-timestamp-when-reporting-.patch b/queue-5.10/watchdog-explicitly-update-timestamp-when-reporting-.patch new file mode 100644 index 00000000000..df4910b48bb --- /dev/null +++ b/queue-5.10/watchdog-explicitly-update-timestamp-when-reporting-.patch @@ -0,0 +1,57 @@ +From 92856393e5f777b5dd53c4b551708e640d833a89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 22:54:23 -0700 +Subject: watchdog: explicitly update timestamp when reporting softlockup + +From: Petr Mladek + +[ Upstream commit c9ad17c991492f4390f42598f6ab0531f87eed07 ] + +The softlockup situation might stay for a long time or even forever. When +it happens, the softlockup debug messages are printed in regular intervals +defined by get_softlockup_thresh(). + +There is a mystery. The repeated message is printed after the full +interval that is defined by get_softlockup_thresh(). But the timer +callback is called more often as defined by sample_period. The code looks +like the soflockup should get reported in every sample_period when it was +once behind the thresh. + +It works only by chance. The watchdog is touched when printing the stall +report, for example, in printk_stack_address(). + +Make the behavior clear and predictable by explicitly updating the +timestamp in watchdog_timer_fn() when the report gets printed. + +Link: https://lkml.kernel.org/r/20210311122130.6788-3-pmladek@suse.com +Signed-off-by: Petr Mladek +Cc: Ingo Molnar +Cc: Laurence Oberman +Cc: Michal Hocko +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Vincent Whitchurch +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/watchdog.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/watchdog.c b/kernel/watchdog.c +index c58244064de8..7776d53a015c 100644 +--- a/kernel/watchdog.c ++++ b/kernel/watchdog.c +@@ -409,6 +409,9 @@ static enum hrtimer_restart watchdog_timer_fn(struct hrtimer *hrtimer) + } + } + ++ /* Start period for the next softlockup warning. */ ++ update_touch_ts(); ++ + pr_emerg("BUG: soft lockup - CPU#%d stuck for %us! [%s:%d]\n", + smp_processor_id(), duration, + current->comm, task_pid_nr(current)); +-- +2.30.2 + diff --git a/queue-5.10/watchdog-fix-barriers-when-printing-backtraces-from-.patch b/queue-5.10/watchdog-fix-barriers-when-printing-backtraces-from-.patch new file mode 100644 index 00000000000..7657b364c7b --- /dev/null +++ b/queue-5.10/watchdog-fix-barriers-when-printing-backtraces-from-.patch @@ -0,0 +1,76 @@ +From b6ffed1bc4e35db3458895719875c7e0658493c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 22:54:33 -0700 +Subject: watchdog: fix barriers when printing backtraces from all CPUs + +From: Petr Mladek + +[ Upstream commit 9f113bf760ca90d709f8f89a733d10abb1f04a83 ] + +Any parallel softlockup reports are skipped when one CPU is already +printing backtraces from all CPUs. + +The exclusive rights are synchronized using one bit in +soft_lockup_nmi_warn. There is also one memory barrier that does not make +much sense. + +Use two barriers on the right location to prevent mixing two reports. + +[pmladek@suse.com: use bit lock operations to prevent multiple soft-lockup reports] + Link: https://lkml.kernel.org/r/YFSVsLGVWMXTvlbk@alley + +Link: https://lkml.kernel.org/r/20210311122130.6788-6-pmladek@suse.com +Signed-off-by: Petr Mladek +Acked-by: Peter Zijlstra (Intel) +Cc: Ingo Molnar +Cc: Laurence Oberman +Cc: Michal Hocko +Cc: Thomas Gleixner +Cc: Vincent Whitchurch +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/watchdog.c | 17 ++++++----------- + 1 file changed, 6 insertions(+), 11 deletions(-) + +diff --git a/kernel/watchdog.c b/kernel/watchdog.c +index 122e272ad7f2..01bf977090dc 100644 +--- a/kernel/watchdog.c ++++ b/kernel/watchdog.c +@@ -393,11 +393,12 @@ static enum hrtimer_restart watchdog_timer_fn(struct hrtimer *hrtimer) + if (kvm_check_and_clear_guest_paused()) + return HRTIMER_RESTART; + ++ /* ++ * Prevent multiple soft-lockup reports if one cpu is already ++ * engaged in dumping all cpu back traces. ++ */ + if (softlockup_all_cpu_backtrace) { +- /* Prevent multiple soft-lockup reports if one cpu is already +- * engaged in dumping cpu back traces +- */ +- if (test_and_set_bit(0, &soft_lockup_nmi_warn)) ++ if (test_and_set_bit_lock(0, &soft_lockup_nmi_warn)) + return HRTIMER_RESTART; + } + +@@ -415,14 +416,8 @@ static enum hrtimer_restart watchdog_timer_fn(struct hrtimer *hrtimer) + dump_stack(); + + if (softlockup_all_cpu_backtrace) { +- /* Avoid generating two back traces for current +- * given that one is already made above +- */ + trigger_allbutself_cpu_backtrace(); +- +- clear_bit(0, &soft_lockup_nmi_warn); +- /* Barrier to sync with other cpus */ +- smp_mb__after_atomic(); ++ clear_bit_unlock(0, &soft_lockup_nmi_warn); + } + + add_taint(TAINT_SOFTLOCKUP, LOCKDEP_STILL_OK); +-- +2.30.2 + diff --git a/queue-5.10/watchdog-rename-__touch_watchdog-to-a-better-descrip.patch b/queue-5.10/watchdog-rename-__touch_watchdog-to-a-better-descrip.patch new file mode 100644 index 00000000000..13a3940827e --- /dev/null +++ b/queue-5.10/watchdog-rename-__touch_watchdog-to-a-better-descrip.patch @@ -0,0 +1,103 @@ +From bceb7c1d167f4a0d80201994384c76f089388745 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 22:54:20 -0700 +Subject: watchdog: rename __touch_watchdog() to a better descriptive name + +From: Petr Mladek + +[ Upstream commit 7c0012f522c802d25be102bafe54f333168e6119 ] + +Patch series "watchdog/softlockup: Report overall time and some cleanup", v2. + +I dug deep into the softlockup watchdog history when time permitted this +year. And reworked the patchset that fixed timestamps and cleaned up the +code[2]. + +I split it into very small steps and did even more code clean up. The +result looks quite strightforward and I am pretty confident with the +changes. + +[1] v2: https://lore.kernel.org/r/20201210160038.31441-1-pmladek@suse.com +[2] v1: https://lore.kernel.org/r/20191024114928.15377-1-pmladek@suse.com + +This patch (of 6): + +There are many touch_*watchdog() functions. They are called in situations +where the watchdog could report false positives or create unnecessary +noise. For example, when CPU is entering idle mode, a virtual machine is +stopped, or a lot of messages are printed in the atomic context. + +These functions set SOFTLOCKUP_RESET instead of a real timestamp. It +allows to call them even in a context where jiffies might be outdated. +For example, in an atomic context. + +The real timestamp is set by __touch_watchdog() that is called from the +watchdog timer callback. + +Rename this callback to update_touch_ts(). It better describes the effect +and clearly distinguish is from the other touch_*watchdog() functions. + +Another motivation is that two timestamps are going to be used. One will +be used for the total softlockup time. The other will be used to measure +time since the last report. The new function name will help to +distinguish which timestamp is being updated. + +Link: https://lkml.kernel.org/r/20210311122130.6788-1-pmladek@suse.com +Link: https://lkml.kernel.org/r/20210311122130.6788-2-pmladek@suse.com +Signed-off-by: Petr Mladek +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Peter Zijlstra +Cc: Laurence Oberman +Cc: Vincent Whitchurch +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/watchdog.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/watchdog.c b/kernel/watchdog.c +index 71109065bd8e..c58244064de8 100644 +--- a/kernel/watchdog.c ++++ b/kernel/watchdog.c +@@ -236,7 +236,7 @@ static void set_sample_period(void) + } + + /* Commands for resetting the watchdog */ +-static void __touch_watchdog(void) ++static void update_touch_ts(void) + { + __this_cpu_write(watchdog_touch_ts, get_timestamp()); + } +@@ -331,7 +331,7 @@ static DEFINE_PER_CPU(struct cpu_stop_work, softlockup_stop_work); + */ + static int softlockup_fn(void *data) + { +- __touch_watchdog(); ++ update_touch_ts(); + complete(this_cpu_ptr(&softlockup_completion)); + + return 0; +@@ -374,7 +374,7 @@ static enum hrtimer_restart watchdog_timer_fn(struct hrtimer *hrtimer) + + /* Clear the guest paused flag on watchdog reset */ + kvm_check_and_clear_guest_paused(); +- __touch_watchdog(); ++ update_touch_ts(); + return HRTIMER_RESTART; + } + +@@ -460,7 +460,7 @@ static void watchdog_enable(unsigned int cpu) + HRTIMER_MODE_REL_PINNED_HARD); + + /* Initialize timestamp */ +- __touch_watchdog(); ++ update_touch_ts(); + /* Enable the perf event */ + if (watchdog_enabled & NMI_WATCHDOG_ENABLED) + watchdog_nmi_enable(cpu); +-- +2.30.2 + diff --git a/queue-5.10/watchdog-softlockup-remove-logic-that-tried-to-preve.patch b/queue-5.10/watchdog-softlockup-remove-logic-that-tried-to-preve.patch new file mode 100644 index 00000000000..195b7b3ab3d --- /dev/null +++ b/queue-5.10/watchdog-softlockup-remove-logic-that-tried-to-preve.patch @@ -0,0 +1,110 @@ +From 94d74f9393a430bfb0329447c222e8609c4bb36f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 22:54:30 -0700 +Subject: watchdog/softlockup: remove logic that tried to prevent repeated + reports + +From: Petr Mladek + +[ Upstream commit 1bc503cb4a2638fb1c57801a7796aca57845ce63 ] + +The softlockup detector does some gymnastic with the variable +soft_watchdog_warn. It was added by the commit 58687acba59266735ad +("lockup_detector: Combine nmi_watchdog and softlockup detector"). + +The purpose is not completely clear. There are the following clues. They +describe the situation how it looked after the above mentioned commit: + + 1. The variable was checked with a comment "only warn once". + + 2. The variable was set when softlockup was reported. It was cleared + only when the CPU was not longer in the softlockup state. + + 3. watchdog_touch_ts was not explicitly updated when the softlockup + was reported. Without this variable, the report would normally + be printed again during every following watchdog_timer_fn() + invocation. + +The logic has got even more tangled up by the commit ed235875e2ca98 +("kernel/watchdog.c: print traces for all cpus on lockup detection"). +After this commit, soft_watchdog_warn is set only when +softlockup_all_cpu_backtrace is enabled. But multiple reports from all +CPUs are prevented by a new variable soft_lockup_nmi_warn. + +Conclusion: + +The variable probably never worked as intended. In each case, it has not +worked last many years because the softlockup was reported repeatedly +after the full period defined by watchdog_thresh. + +The reason is that watchdog gets touched in many known slow paths, for +example, in printk_stack_address(). This code is called also when +printing the softlockup report. It means that the watchdog timestamp gets +updated after each report. + +Solution: + +Simply remove the logic. People want the periodic report anyway. + +Link: https://lkml.kernel.org/r/20210311122130.6788-5-pmladek@suse.com +Signed-off-by: Petr Mladek +Cc: Ingo Molnar +Cc: Laurence Oberman +Cc: Michal Hocko +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Vincent Whitchurch +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/watchdog.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/kernel/watchdog.c b/kernel/watchdog.c +index 7776d53a015c..122e272ad7f2 100644 +--- a/kernel/watchdog.c ++++ b/kernel/watchdog.c +@@ -172,7 +172,6 @@ static u64 __read_mostly sample_period; + static DEFINE_PER_CPU(unsigned long, watchdog_touch_ts); + static DEFINE_PER_CPU(struct hrtimer, watchdog_hrtimer); + static DEFINE_PER_CPU(bool, softlockup_touch_sync); +-static DEFINE_PER_CPU(bool, soft_watchdog_warn); + static DEFINE_PER_CPU(unsigned long, hrtimer_interrupts); + static DEFINE_PER_CPU(unsigned long, hrtimer_interrupts_saved); + static unsigned long soft_lockup_nmi_warn; +@@ -394,19 +393,12 @@ static enum hrtimer_restart watchdog_timer_fn(struct hrtimer *hrtimer) + if (kvm_check_and_clear_guest_paused()) + return HRTIMER_RESTART; + +- /* only warn once */ +- if (__this_cpu_read(soft_watchdog_warn) == true) +- return HRTIMER_RESTART; +- + if (softlockup_all_cpu_backtrace) { + /* Prevent multiple soft-lockup reports if one cpu is already + * engaged in dumping cpu back traces + */ +- if (test_and_set_bit(0, &soft_lockup_nmi_warn)) { +- /* Someone else will report us. Let's give up */ +- __this_cpu_write(soft_watchdog_warn, true); ++ if (test_and_set_bit(0, &soft_lockup_nmi_warn)) + return HRTIMER_RESTART; +- } + } + + /* Start period for the next softlockup warning. */ +@@ -436,9 +428,7 @@ static enum hrtimer_restart watchdog_timer_fn(struct hrtimer *hrtimer) + add_taint(TAINT_SOFTLOCKUP, LOCKDEP_STILL_OK); + if (softlockup_panic) + panic("softlockup: hung tasks"); +- __this_cpu_write(soft_watchdog_warn, true); +- } else +- __this_cpu_write(soft_watchdog_warn, false); ++ } + + return HRTIMER_RESTART; + } +-- +2.30.2 + diff --git a/queue-5.10/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch b/queue-5.10/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch new file mode 100644 index 00000000000..6aed5ec3f94 --- /dev/null +++ b/queue-5.10/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch @@ -0,0 +1,286 @@ +From d9877964e50af9dc63a862be3af936bf413c3f06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Apr 2021 18:45:15 -0500 +Subject: wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join + +From: Gustavo A. R. Silva + +[ Upstream commit bb43e5718d8f1b46e7a77e7b39be3c691f293050 ] + +Fix the following out-of-bounds warnings by adding a new structure +wl3501_req instead of duplicating the same members in structure +wl3501_join_req and wl3501_scan_confirm: + +arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [39, 108] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 36 [-Warray-bounds] +arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [25, 95] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 22 [-Warray-bounds] + +Refactor the code, accordingly: + +$ pahole -C wl3501_req drivers/net/wireless/wl3501_cs.o +struct wl3501_req { + u16 beacon_period; /* 0 2 */ + u16 dtim_period; /* 2 2 */ + u16 cap_info; /* 4 2 */ + u8 bss_type; /* 6 1 */ + u8 bssid[6]; /* 7 6 */ + struct iw_mgmt_essid_pset ssid; /* 13 34 */ + struct iw_mgmt_ds_pset ds_pset; /* 47 3 */ + struct iw_mgmt_cf_pset cf_pset; /* 50 8 */ + struct iw_mgmt_ibss_pset ibss_pset; /* 58 4 */ + struct iw_mgmt_data_rset bss_basic_rset; /* 62 10 */ + + /* size: 72, cachelines: 2, members: 10 */ + /* last cacheline: 8 bytes */ +}; + +$ pahole -C wl3501_join_req drivers/net/wireless/wl3501_cs.o +struct wl3501_join_req { + u16 next_blk; /* 0 2 */ + u8 sig_id; /* 2 1 */ + u8 reserved; /* 3 1 */ + struct iw_mgmt_data_rset operational_rset; /* 4 10 */ + u16 reserved2; /* 14 2 */ + u16 timeout; /* 16 2 */ + u16 probe_delay; /* 18 2 */ + u8 timestamp[8]; /* 20 8 */ + u8 local_time[8]; /* 28 8 */ + struct wl3501_req req; /* 36 72 */ + + /* size: 108, cachelines: 2, members: 10 */ + /* last cacheline: 44 bytes */ +}; + +$ pahole -C wl3501_scan_confirm drivers/net/wireless/wl3501_cs.o +struct wl3501_scan_confirm { + u16 next_blk; /* 0 2 */ + u8 sig_id; /* 2 1 */ + u8 reserved; /* 3 1 */ + u16 status; /* 4 2 */ + char timestamp[8]; /* 6 8 */ + char localtime[8]; /* 14 8 */ + struct wl3501_req req; /* 22 72 */ + /* --- cacheline 1 boundary (64 bytes) was 30 bytes ago --- */ + u8 rssi; /* 94 1 */ + + /* size: 96, cachelines: 2, members: 8 */ + /* padding: 1 */ + /* last cacheline: 32 bytes */ +}; + +The problem is that the original code is trying to copy data into a +bunch of struct members adjacent to each other in a single call to +memcpy(). Now that a new struct wl3501_req enclosing all those adjacent +members is introduced, memcpy() doesn't overrun the length of +&sig.beacon_period and &this->bss_set[i].beacon_period, because the +address of the new struct object _req_ is used as the destination, +instead. + +This helps with the ongoing efforts to globally enable -Warray-bounds +and get us closer to being able to tighten the FORTIFY_SOURCE routines +on memcpy(). + +Link: https://github.com/KSPP/linux/issues/109 +Reported-by: kernel test robot +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Kees Cook +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1fbaf516da763b50edac47d792a9145aa4482e29.1618442265.git.gustavoars@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501.h | 35 +++++++++++-------------- + drivers/net/wireless/wl3501_cs.c | 44 +++++++++++++++++--------------- + 2 files changed, 38 insertions(+), 41 deletions(-) + +diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h +index 31ebef3e7ed4..87195c1dadf2 100644 +--- a/drivers/net/wireless/wl3501.h ++++ b/drivers/net/wireless/wl3501.h +@@ -379,16 +379,7 @@ struct wl3501_get_confirm { + u8 mib_value[100]; + }; + +-struct wl3501_join_req { +- u16 next_blk; +- u8 sig_id; +- u8 reserved; +- struct iw_mgmt_data_rset operational_rset; +- u16 reserved2; +- u16 timeout; +- u16 probe_delay; +- u8 timestamp[8]; +- u8 local_time[8]; ++struct wl3501_req { + u16 beacon_period; + u16 dtim_period; + u16 cap_info; +@@ -401,6 +392,19 @@ struct wl3501_join_req { + struct iw_mgmt_data_rset bss_basic_rset; + }; + ++struct wl3501_join_req { ++ u16 next_blk; ++ u8 sig_id; ++ u8 reserved; ++ struct iw_mgmt_data_rset operational_rset; ++ u16 reserved2; ++ u16 timeout; ++ u16 probe_delay; ++ u8 timestamp[8]; ++ u8 local_time[8]; ++ struct wl3501_req req; ++}; ++ + struct wl3501_join_confirm { + u16 next_blk; + u8 sig_id; +@@ -443,16 +447,7 @@ struct wl3501_scan_confirm { + u16 status; + char timestamp[8]; + char localtime[8]; +- u16 beacon_period; +- u16 dtim_period; +- u16 cap_info; +- u8 bss_type; +- u8 bssid[ETH_ALEN]; +- struct iw_mgmt_essid_pset ssid; +- struct iw_mgmt_ds_pset ds_pset; +- struct iw_mgmt_cf_pset cf_pset; +- struct iw_mgmt_ibss_pset ibss_pset; +- struct iw_mgmt_data_rset bss_basic_rset; ++ struct wl3501_req req; + u8 rssi; + }; + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index c3c859c4b2c7..ff1701adbb17 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -592,7 +592,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas) + struct wl3501_join_req sig = { + .sig_id = WL3501_SIG_JOIN_REQ, + .timeout = 10, +- .ds_pset = { ++ .req.ds_pset = { + .el = { + .id = IW_MGMT_INFO_ELEMENT_DS_PARAMETER_SET, + .len = 1, +@@ -601,7 +601,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas) + }, + }; + +- memcpy(&sig.beacon_period, &this->bss_set[stas].beacon_period, 72); ++ memcpy(&sig.req, &this->bss_set[stas].req, sizeof(sig.req)); + return wl3501_esbq_exec(this, &sig, sizeof(sig)); + } + +@@ -669,35 +669,37 @@ static void wl3501_mgmt_scan_confirm(struct wl3501_card *this, u16 addr) + if (sig.status == WL3501_STATUS_SUCCESS) { + pr_debug("success"); + if ((this->net_type == IW_MODE_INFRA && +- (sig.cap_info & WL3501_MGMT_CAPABILITY_ESS)) || ++ (sig.req.cap_info & WL3501_MGMT_CAPABILITY_ESS)) || + (this->net_type == IW_MODE_ADHOC && +- (sig.cap_info & WL3501_MGMT_CAPABILITY_IBSS)) || ++ (sig.req.cap_info & WL3501_MGMT_CAPABILITY_IBSS)) || + this->net_type == IW_MODE_AUTO) { + if (!this->essid.el.len) + matchflag = 1; + else if (this->essid.el.len == 3 && + !memcmp(this->essid.essid, "ANY", 3)) + matchflag = 1; +- else if (this->essid.el.len != sig.ssid.el.len) ++ else if (this->essid.el.len != sig.req.ssid.el.len) + matchflag = 0; +- else if (memcmp(this->essid.essid, sig.ssid.essid, ++ else if (memcmp(this->essid.essid, sig.req.ssid.essid, + this->essid.el.len)) + matchflag = 0; + else + matchflag = 1; + if (matchflag) { + for (i = 0; i < this->bss_cnt; i++) { +- if (ether_addr_equal_unaligned(this->bss_set[i].bssid, sig.bssid)) { ++ if (ether_addr_equal_unaligned(this->bss_set[i].req.bssid, ++ sig.req.bssid)) { + matchflag = 0; + break; + } + } + } + if (matchflag && (i < 20)) { +- memcpy(&this->bss_set[i].beacon_period, +- &sig.beacon_period, 73); ++ memcpy(&this->bss_set[i].req, ++ &sig.req, sizeof(sig.req)); + this->bss_cnt++; + this->rssi = sig.rssi; ++ this->bss_set[i].rssi = sig.rssi; + } + } + } else if (sig.status == WL3501_STATUS_TIMEOUT) { +@@ -889,19 +891,19 @@ static void wl3501_mgmt_join_confirm(struct net_device *dev, u16 addr) + if (this->join_sta_bss < this->bss_cnt) { + const int i = this->join_sta_bss; + memcpy(this->bssid, +- this->bss_set[i].bssid, ETH_ALEN); +- this->chan = this->bss_set[i].ds_pset.chan; ++ this->bss_set[i].req.bssid, ETH_ALEN); ++ this->chan = this->bss_set[i].req.ds_pset.chan; + iw_copy_mgmt_info_element(&this->keep_essid.el, +- &this->bss_set[i].ssid.el); ++ &this->bss_set[i].req.ssid.el); + wl3501_mgmt_auth(this); + } + } else { + const int i = this->join_sta_bss; + +- memcpy(&this->bssid, &this->bss_set[i].bssid, ETH_ALEN); +- this->chan = this->bss_set[i].ds_pset.chan; ++ memcpy(&this->bssid, &this->bss_set[i].req.bssid, ETH_ALEN); ++ this->chan = this->bss_set[i].req.ds_pset.chan; + iw_copy_mgmt_info_element(&this->keep_essid.el, +- &this->bss_set[i].ssid.el); ++ &this->bss_set[i].req.ssid.el); + wl3501_online(dev); + } + } else { +@@ -1575,30 +1577,30 @@ static int wl3501_get_scan(struct net_device *dev, struct iw_request_info *info, + for (i = 0; i < this->bss_cnt; ++i) { + iwe.cmd = SIOCGIWAP; + iwe.u.ap_addr.sa_family = ARPHRD_ETHER; +- memcpy(iwe.u.ap_addr.sa_data, this->bss_set[i].bssid, ETH_ALEN); ++ memcpy(iwe.u.ap_addr.sa_data, this->bss_set[i].req.bssid, ETH_ALEN); + current_ev = iwe_stream_add_event(info, current_ev, + extra + IW_SCAN_MAX_DATA, + &iwe, IW_EV_ADDR_LEN); + iwe.cmd = SIOCGIWESSID; + iwe.u.data.flags = 1; +- iwe.u.data.length = this->bss_set[i].ssid.el.len; ++ iwe.u.data.length = this->bss_set[i].req.ssid.el.len; + current_ev = iwe_stream_add_point(info, current_ev, + extra + IW_SCAN_MAX_DATA, + &iwe, +- this->bss_set[i].ssid.essid); ++ this->bss_set[i].req.ssid.essid); + iwe.cmd = SIOCGIWMODE; +- iwe.u.mode = this->bss_set[i].bss_type; ++ iwe.u.mode = this->bss_set[i].req.bss_type; + current_ev = iwe_stream_add_event(info, current_ev, + extra + IW_SCAN_MAX_DATA, + &iwe, IW_EV_UINT_LEN); + iwe.cmd = SIOCGIWFREQ; +- iwe.u.freq.m = this->bss_set[i].ds_pset.chan; ++ iwe.u.freq.m = this->bss_set[i].req.ds_pset.chan; + iwe.u.freq.e = 0; + current_ev = iwe_stream_add_event(info, current_ev, + extra + IW_SCAN_MAX_DATA, + &iwe, IW_EV_FREQ_LEN); + iwe.cmd = SIOCGIWENCODE; +- if (this->bss_set[i].cap_info & WL3501_MGMT_CAPABILITY_PRIVACY) ++ if (this->bss_set[i].req.cap_info & WL3501_MGMT_CAPABILITY_PRIVACY) + iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY; + else + iwe.u.data.flags = IW_ENCODE_DISABLED; +-- +2.30.2 + diff --git a/queue-5.10/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch b/queue-5.10/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch new file mode 100644 index 00000000000..61597a45dbe --- /dev/null +++ b/queue-5.10/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch @@ -0,0 +1,147 @@ +From 7253da74cd10d05887fca104bc474f81f9e13e56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Apr 2021 18:43:19 -0500 +Subject: wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt + +From: Gustavo A. R. Silva + +[ Upstream commit 820aa37638a252b57967bdf4038a514b1ab85d45 ] + +Fix the following out-of-bounds warnings by enclosing structure members +daddr and saddr into new struct addr, in structures wl3501_md_req and +wl3501_md_ind: + +arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds] +arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds] + +Refactor the code, accordingly: + +$ pahole -C wl3501_md_req drivers/net/wireless/wl3501_cs.o +struct wl3501_md_req { + u16 next_blk; /* 0 2 */ + u8 sig_id; /* 2 1 */ + u8 routing; /* 3 1 */ + u16 data; /* 4 2 */ + u16 size; /* 6 2 */ + u8 pri; /* 8 1 */ + u8 service_class; /* 9 1 */ + struct { + u8 daddr[6]; /* 10 6 */ + u8 saddr[6]; /* 16 6 */ + } addr; /* 10 12 */ + + /* size: 22, cachelines: 1, members: 8 */ + /* last cacheline: 22 bytes */ +}; + +$ pahole -C wl3501_md_ind drivers/net/wireless/wl3501_cs.o +struct wl3501_md_ind { + u16 next_blk; /* 0 2 */ + u8 sig_id; /* 2 1 */ + u8 routing; /* 3 1 */ + u16 data; /* 4 2 */ + u16 size; /* 6 2 */ + u8 reception; /* 8 1 */ + u8 pri; /* 9 1 */ + u8 service_class; /* 10 1 */ + struct { + u8 daddr[6]; /* 11 6 */ + u8 saddr[6]; /* 17 6 */ + } addr; /* 11 12 */ + + /* size: 24, cachelines: 1, members: 9 */ + /* padding: 1 */ + /* last cacheline: 24 bytes */ +}; + +The problem is that the original code is trying to copy data into a +couple of arrays adjacent to each other in a single call to memcpy(). +Now that a new struct _addr_ enclosing those two adjacent arrays +is introduced, memcpy() doesn't overrun the length of &sig.daddr[0] +and &sig.daddr, because the address of the new struct object _addr_ +is used, instead. + +This helps with the ongoing efforts to globally enable -Warray-bounds +and get us closer to being able to tighten the FORTIFY_SOURCE routines +on memcpy(). + +Link: https://github.com/KSPP/linux/issues/109 +Reported-by: kernel test robot +Reviewed-by: Kees Cook +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/d260fe56aed7112bff2be5b4d152d03ad7b78e78.1618442265.git.gustavoars@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501.h | 12 ++++++++---- + drivers/net/wireless/wl3501_cs.c | 10 ++++++---- + 2 files changed, 14 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h +index b446cb369557..31ebef3e7ed4 100644 +--- a/drivers/net/wireless/wl3501.h ++++ b/drivers/net/wireless/wl3501.h +@@ -471,8 +471,10 @@ struct wl3501_md_req { + u16 size; + u8 pri; + u8 service_class; +- u8 daddr[ETH_ALEN]; +- u8 saddr[ETH_ALEN]; ++ struct { ++ u8 daddr[ETH_ALEN]; ++ u8 saddr[ETH_ALEN]; ++ } addr; + }; + + struct wl3501_md_ind { +@@ -484,8 +486,10 @@ struct wl3501_md_ind { + u8 reception; + u8 pri; + u8 service_class; +- u8 daddr[ETH_ALEN]; +- u8 saddr[ETH_ALEN]; ++ struct { ++ u8 daddr[ETH_ALEN]; ++ u8 saddr[ETH_ALEN]; ++ } addr; + }; + + struct wl3501_md_confirm { +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index 026e88b80bfc..c3c859c4b2c7 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -471,6 +471,7 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len) + struct wl3501_md_req sig = { + .sig_id = WL3501_SIG_MD_REQ, + }; ++ size_t sig_addr_len = sizeof(sig.addr); + u8 *pdata = (char *)data; + int rc = -EIO; + +@@ -486,9 +487,9 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len) + goto out; + } + rc = 0; +- memcpy(&sig.daddr[0], pdata, 12); +- pktlen = len - 12; +- pdata += 12; ++ memcpy(&sig.addr, pdata, sig_addr_len); ++ pktlen = len - sig_addr_len; ++ pdata += sig_addr_len; + sig.data = bf; + if (((*pdata) * 256 + (*(pdata + 1))) > 1500) { + u8 addr4[ETH_ALEN] = { +@@ -982,7 +983,8 @@ static inline void wl3501_md_ind_interrupt(struct net_device *dev, + } else { + skb->dev = dev; + skb_reserve(skb, 2); /* IP headers on 16 bytes boundaries */ +- skb_copy_to_linear_data(skb, (unsigned char *)&sig.daddr, 12); ++ skb_copy_to_linear_data(skb, (unsigned char *)&sig.addr, ++ sizeof(sig.addr)); + wl3501_receive(this, skb->data, pkt_len); + skb_put(skb, pkt_len); + skb->protocol = eth_type_trans(skb, dev); +-- +2.30.2 + diff --git a/queue-5.10/xprtrdma-avoid-receive-queue-wrapping.patch b/queue-5.10/xprtrdma-avoid-receive-queue-wrapping.patch new file mode 100644 index 00000000000..9fc9400bace --- /dev/null +++ b/queue-5.10/xprtrdma-avoid-receive-queue-wrapping.patch @@ -0,0 +1,42 @@ +From 9dcff71dd92ce136d7b82c6427bc92a7f9d32997 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Apr 2021 14:02:03 -0400 +Subject: xprtrdma: Avoid Receive Queue wrapping + +From: Chuck Lever + +[ Upstream commit 32e6b68167f1d446111c973d57e6f52aee11897a ] + +Commit e340c2d6ef2a ("xprtrdma: Reduce the doorbell rate (Receive)") +increased the number of Receive WRs that are posted by the client, +but did not increase the size of the Receive Queue allocated during +transport set-up. + +This is usually not an issue because RPCRDMA_BACKWARD_WRS is defined +as (32) when SUNRPC_BACKCHANNEL is defined. In cases where it isn't, +there is a real risk of Receive Queue wrapping. + +Fixes: e340c2d6ef2a ("xprtrdma: Reduce the doorbell rate (Receive)") +Signed-off-by: Chuck Lever +Reviewed-by: Tom Talpey +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/frwr_ops.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sunrpc/xprtrdma/frwr_ops.c b/net/sunrpc/xprtrdma/frwr_ops.c +index 44888f5badef..8f96bb0a6061 100644 +--- a/net/sunrpc/xprtrdma/frwr_ops.c ++++ b/net/sunrpc/xprtrdma/frwr_ops.c +@@ -242,6 +242,7 @@ int frwr_query_device(struct rpcrdma_ep *ep, const struct ib_device *device) + ep->re_attr.cap.max_send_wr += 1; /* for ib_drain_sq */ + ep->re_attr.cap.max_recv_wr = ep->re_max_requests; + ep->re_attr.cap.max_recv_wr += RPCRDMA_BACKWARD_WRS; ++ ep->re_attr.cap.max_recv_wr += RPCRDMA_MAX_RECV_BATCH; + ep->re_attr.cap.max_recv_wr += 1; /* for ib_drain_rq */ + + ep->re_max_rdma_segs = +-- +2.30.2 + diff --git a/queue-5.10/xprtrdma-fix-cwnd-update-ordering.patch b/queue-5.10/xprtrdma-fix-cwnd-update-ordering.patch new file mode 100644 index 00000000000..8b1717c90d3 --- /dev/null +++ b/queue-5.10/xprtrdma-fix-cwnd-update-ordering.patch @@ -0,0 +1,100 @@ +From 57e45b5515f283a7bb04afde27170529247a3a6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Apr 2021 14:02:41 -0400 +Subject: xprtrdma: Fix cwnd update ordering + +From: Chuck Lever + +[ Upstream commit 35d8b10a25884050bb3b0149b62c3818ec59f77c ] + +After a reconnect, the reply handler is opening the cwnd (and thus +enabling more RPC Calls to be sent) /before/ rpcrdma_post_recvs() +can post enough Receive WRs to receive their replies. This causes an +RNR and the new connection is lost immediately. + +The race is most clearly exposed when KASAN and disconnect injection +are enabled. This slows down rpcrdma_rep_create() enough to allow +the send side to post a bunch of RPC Calls before the Receive +completion handler can invoke ib_post_recv(). + +Fixes: 2ae50ad68cd7 ("xprtrdma: Close window between waking RPC senders and posting Receives") +Signed-off-by: Chuck Lever +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/rpc_rdma.c | 3 ++- + net/sunrpc/xprtrdma/verbs.c | 10 +++++----- + net/sunrpc/xprtrdma/xprt_rdma.h | 2 +- + 3 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/net/sunrpc/xprtrdma/rpc_rdma.c b/net/sunrpc/xprtrdma/rpc_rdma.c +index c48536f2121f..ca267a855a12 100644 +--- a/net/sunrpc/xprtrdma/rpc_rdma.c ++++ b/net/sunrpc/xprtrdma/rpc_rdma.c +@@ -1467,9 +1467,10 @@ void rpcrdma_reply_handler(struct rpcrdma_rep *rep) + credits = 1; /* don't deadlock */ + else if (credits > r_xprt->rx_ep->re_max_requests) + credits = r_xprt->rx_ep->re_max_requests; ++ rpcrdma_post_recvs(r_xprt, credits + (buf->rb_bc_srv_max_requests << 1), ++ false); + if (buf->rb_credits != credits) + rpcrdma_update_cwnd(r_xprt, credits); +- rpcrdma_post_recvs(r_xprt, false); + + req = rpcr_to_rdmar(rqst); + if (req->rl_reply) { +diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c +index ad6e2e4994ce..04325f0267c1 100644 +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -535,7 +535,7 @@ int rpcrdma_xprt_connect(struct rpcrdma_xprt *r_xprt) + * outstanding Receives. + */ + rpcrdma_ep_get(ep); +- rpcrdma_post_recvs(r_xprt, true); ++ rpcrdma_post_recvs(r_xprt, 1, true); + + rc = rdma_connect(ep->re_id, &ep->re_remote_cma); + if (rc) +@@ -1377,21 +1377,21 @@ int rpcrdma_post_sends(struct rpcrdma_xprt *r_xprt, struct rpcrdma_req *req) + /** + * rpcrdma_post_recvs - Refill the Receive Queue + * @r_xprt: controlling transport instance +- * @temp: mark Receive buffers to be deleted after use ++ * @needed: current credit grant ++ * @temp: mark Receive buffers to be deleted after one use + * + */ +-void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, bool temp) ++void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp) + { + struct rpcrdma_buffer *buf = &r_xprt->rx_buf; + struct rpcrdma_ep *ep = r_xprt->rx_ep; + struct ib_recv_wr *wr, *bad_wr; + struct rpcrdma_rep *rep; +- int needed, count, rc; ++ int count, rc; + + rc = 0; + count = 0; + +- needed = buf->rb_credits + (buf->rb_bc_srv_max_requests << 1); + if (likely(ep->re_receive_count > needed)) + goto out; + needed -= ep->re_receive_count; +diff --git a/net/sunrpc/xprtrdma/xprt_rdma.h b/net/sunrpc/xprtrdma/xprt_rdma.h +index 43974ef39a50..3cacc6f4c527 100644 +--- a/net/sunrpc/xprtrdma/xprt_rdma.h ++++ b/net/sunrpc/xprtrdma/xprt_rdma.h +@@ -452,7 +452,7 @@ int rpcrdma_xprt_connect(struct rpcrdma_xprt *r_xprt); + void rpcrdma_xprt_disconnect(struct rpcrdma_xprt *r_xprt); + + int rpcrdma_post_sends(struct rpcrdma_xprt *r_xprt, struct rpcrdma_req *req); +-void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, bool temp); ++void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp); + + /* + * Buffer calls - xprtrdma/verbs.c +-- +2.30.2 + diff --git a/queue-5.10/xprtrdma-rpcrdma_mr_pop-already-does-list_del_init.patch b/queue-5.10/xprtrdma-rpcrdma_mr_pop-already-does-list_del_init.patch new file mode 100644 index 00000000000..86fea621cec --- /dev/null +++ b/queue-5.10/xprtrdma-rpcrdma_mr_pop-already-does-list_del_init.patch @@ -0,0 +1,35 @@ +From 051f5e9007ed97902ae0196547eec8dc05b04e12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Apr 2021 14:02:54 -0400 +Subject: xprtrdma: rpcrdma_mr_pop() already does list_del_init() + +From: Chuck Lever + +[ Upstream commit 1363e6388c363d0433f9aa4e2f33efe047572687 ] + +The rpcrdma_mr_pop() earlier in the function has already cleared +out mr_list, so it must not be done again in the error path. + +Fixes: 847568942f93 ("xprtrdma: Remove fr_state") +Signed-off-by: Chuck Lever +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/frwr_ops.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/sunrpc/xprtrdma/frwr_ops.c b/net/sunrpc/xprtrdma/frwr_ops.c +index 8f96bb0a6061..bf3627dce552 100644 +--- a/net/sunrpc/xprtrdma/frwr_ops.c ++++ b/net/sunrpc/xprtrdma/frwr_ops.c +@@ -555,7 +555,6 @@ void frwr_unmap_sync(struct rpcrdma_xprt *r_xprt, struct rpcrdma_req *req) + mr = container_of(frwr, struct rpcrdma_mr, frwr); + bad_wr = bad_wr->next; + +- list_del_init(&mr->mr_list); + frwr_mr_recycle(mr); + } + } +-- +2.30.2 + diff --git a/queue-5.10/xsk-fix-for-xp_aligned_validate_desc-when-len-chunk_.patch b/queue-5.10/xsk-fix-for-xp_aligned_validate_desc-when-len-chunk_.patch new file mode 100644 index 00000000000..1a5f9834258 --- /dev/null +++ b/queue-5.10/xsk-fix-for-xp_aligned_validate_desc-when-len-chunk_.patch @@ -0,0 +1,54 @@ +From 1849e9ee6734d7f9d3cf5d34fa2edf457776fecd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Apr 2021 17:44:24 +0800 +Subject: xsk: Fix for xp_aligned_validate_desc() when len == chunk_size + +From: Xuan Zhuo + +[ Upstream commit ac31565c21937eee9117e43c9cd34f557f6f1cb8 ] + +When desc->len is equal to chunk_size, it is legal. But when the +xp_aligned_validate_desc() got chunk_end from desc->addr + desc->len +pointing to the next chunk during the check, it caused the check to +fail. + +This problem was first introduced in bbff2f321a86 ("xsk: new descriptor +addressing scheme"). Later in 2b43470add8c ("xsk: Introduce AF_XDP buffer +allocation API") this piece of code was moved into the new function called +xp_aligned_validate_desc(). This function was then moved into xsk_queue.h +via 26062b185eee ("xsk: Explicitly inline functions and move definitions"). + +Fixes: bbff2f321a86 ("xsk: new descriptor addressing scheme") +Signed-off-by: Xuan Zhuo +Signed-off-by: Daniel Borkmann +Acked-by: Magnus Karlsson +Link: https://lore.kernel.org/bpf/20210428094424.54435-1-xuanzhuo@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + net/xdp/xsk_queue.h | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/xdp/xsk_queue.h b/net/xdp/xsk_queue.h +index ef6de0fb4e31..be9fd5a72011 100644 +--- a/net/xdp/xsk_queue.h ++++ b/net/xdp/xsk_queue.h +@@ -126,13 +126,12 @@ static inline bool xskq_cons_read_addr_unchecked(struct xsk_queue *q, u64 *addr) + static inline bool xp_aligned_validate_desc(struct xsk_buff_pool *pool, + struct xdp_desc *desc) + { +- u64 chunk, chunk_end; ++ u64 chunk; + +- chunk = xp_aligned_extract_addr(pool, desc->addr); +- chunk_end = xp_aligned_extract_addr(pool, desc->addr + desc->len); +- if (chunk != chunk_end) ++ if (desc->len > pool->chunk_size) + return false; + ++ chunk = xp_aligned_extract_addr(pool, desc->addr); + if (chunk >= pool->addrs_cnt) + return false; + +-- +2.30.2 +