From: Greg Kroah-Hartman Date: Sat, 21 Oct 2023 09:18:20 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v4.14.328~62 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=46d87a0ec5cd29b612ac8f7ed6211a0c214111c6;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: acpi-irq-fix-incorrect-return-value-in-acpi_register_gsi.patch dt-bindings-mmc-sdhci-msm-correct-minimum-number-of-clocks.patch kvm-x86-mmu-stop-zapping-invalidated-tdp-mmu-roots-asynchronously.patch mmc-core-capture-correct-oemid-bits-for-emmc-cards.patch mmc-core-sdio-hold-retuning-if-sdio-in-1-bit-mode.patch mmc-mtk-sd-use-readl_poll_timeout_atomic-in-msdc_reset_hw.patch mmc-sdhci-pci-gli-fix-lpm-negotiation-so-x86-s0ix-socs-can-suspend.patch mtd-physmap-core-restore-map_rom-fallback.patch mtd-rawnand-arasan-ensure-program-page-operations-are-successful.patch mtd-rawnand-marvell-ensure-program-page-operations-are-successful.patch mtd-rawnand-pl353-ensure-program-page-operations-are-successful.patch mtd-rawnand-qcom-unmap-the-right-resource-upon-probe-failure.patch mtd-spinand-micron-correct-bitmask-for-ecc-status.patch nfs42-client-needs-to-strip-file-mode-s-suid-sgid-bit-after-allocate-op.patch nfsv4.1-fixup-use-exchgid4_flag_use_pnfs_ds-for-ds-server.patch nvme-pci-add-bogus_nid-for-intel-0a54-device.patch nvme-rdma-do-not-try-to-stop-unallocated-queues.patch nvme-sanitize-metadata-bounce-buffer-for-reads.patch nvmet-auth-complete-a-request-only-after-freeing-the-dhchap-pointers.patch pnfs-fix-a-hang-in-nfs4_evict_inode.patch pnfs-flexfiles-check-the-layout-validity-in-ff_layout_mirror_prepare_stats.patch revert-pinctrl-avoid-unsafe-code-pattern-in-find_pinctrl.patch --- diff --git a/queue-6.1/acpi-irq-fix-incorrect-return-value-in-acpi_register_gsi.patch b/queue-6.1/acpi-irq-fix-incorrect-return-value-in-acpi_register_gsi.patch new file mode 100644 index 00000000000..ab01dcc3e15 --- /dev/null +++ b/queue-6.1/acpi-irq-fix-incorrect-return-value-in-acpi_register_gsi.patch @@ -0,0 +1,48 @@ +From 0c21a18d5d6c6a73d098fb9b4701572370942df9 Mon Sep 17 00:00:00 2001 +From: Sunil V L +Date: Mon, 16 Oct 2023 22:39:39 +0530 +Subject: ACPI: irq: Fix incorrect return value in acpi_register_gsi() + +From: Sunil V L + +commit 0c21a18d5d6c6a73d098fb9b4701572370942df9 upstream. + +acpi_register_gsi() should return a negative value in case of failure. + +Currently, it returns the return value from irq_create_fwspec_mapping(). +However, irq_create_fwspec_mapping() returns 0 for failure. Fix the +issue by returning -EINVAL if irq_create_fwspec_mapping() returns zero. + +Fixes: d44fa3d46079 ("ACPI: Add support for ResourceSource/IRQ domain mapping") +Cc: 4.11+ # 4.11+ +Signed-off-by: Sunil V L +[ rjw: Rename a new local variable ] +Signed-off-by: Rafael J. 
Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/irq.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/irq.c
++++ b/drivers/acpi/irq.c
+@@ -57,6 +57,7 @@ int acpi_register_gsi(struct device *dev
+ int polarity)
+ {
+ struct irq_fwspec fwspec;
++ unsigned int irq;
+
+ fwspec.fwnode = acpi_get_gsi_domain_id(gsi);
+ if (WARN_ON(!fwspec.fwnode)) {
+@@ -68,7 +69,11 @@ int acpi_register_gsi(struct device *dev
+ fwspec.param[1] = acpi_dev_get_irq_type(trigger, polarity);
+ fwspec.param_count = 2;
+
+- return irq_create_fwspec_mapping(&fwspec);
++ irq = irq_create_fwspec_mapping(&fwspec);
++ if (!irq)
++ return -EINVAL;
++
++ return irq;
+ }
+ EXPORT_SYMBOL_GPL(acpi_register_gsi);
+
diff --git a/queue-6.1/dt-bindings-mmc-sdhci-msm-correct-minimum-number-of-clocks.patch b/queue-6.1/dt-bindings-mmc-sdhci-msm-correct-minimum-number-of-clocks.patch
new file mode 100644
index 00000000000..0159f576c10
--- /dev/null
+++ b/queue-6.1/dt-bindings-mmc-sdhci-msm-correct-minimum-number-of-clocks.patch
@@ -0,0 +1,37 @@
+From 1bbac8d6af085408885675c1e29b2581250be124 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Fri, 25 Aug 2023 15:55:02 +0200
+Subject: dt-bindings: mmc: sdhci-msm: correct minimum number of clocks
+
+From: Krzysztof Kozlowski
+
+commit 1bbac8d6af085408885675c1e29b2581250be124 upstream.
+
+In the TXT binding before conversion, the "xo" clock was listed as
+optional. Conversion kept it optional in "clock-names", but not in
+"clocks". This fixes dtbs_check warnings like:
+
+ qcom-sdx65-mtp.dtb: mmc@8804000: clocks: [[13, 59], [13, 58]] is too short
+
+Cc: 
+Fixes: a45537723f4b ("dt-bindings: mmc: sdhci-msm: Convert bindings to yaml")
+Signed-off-by: Krzysztof Kozlowski
+Acked-by: Conor Dooley
+Link: https://lore.kernel.org/r/20230825135503.282135-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/mmc/sdhci-msm.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/mmc/sdhci-msm.yaml
++++ b/Documentation/devicetree/bindings/mmc/sdhci-msm.yaml
+@@ -59,7 +59,7 @@ properties:
+ maxItems: 4
+
+ clocks:
+- minItems: 3
++ minItems: 2
+ items:
+ - description: Main peripheral bus clock, PCLK/HCLK - AHB Bus clock
+ - description: SDC MMC clock, MCLK
diff --git a/queue-6.1/kvm-x86-mmu-stop-zapping-invalidated-tdp-mmu-roots-asynchronously.patch b/queue-6.1/kvm-x86-mmu-stop-zapping-invalidated-tdp-mmu-roots-asynchronously.patch
new file mode 100644
index 00000000000..a12391d1434
--- /dev/null
+++ b/queue-6.1/kvm-x86-mmu-stop-zapping-invalidated-tdp-mmu-roots-asynchronously.patch
@@ -0,0 +1,427 @@
+From 0df9dab891ff0d9b646d82e4fe038229e4c02451 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Fri, 15 Sep 2023 17:39:15 -0700
+Subject: KVM: x86/mmu: Stop zapping invalidated TDP MMU roots asynchronously
+
+From: Sean Christopherson
+
+commit 0df9dab891ff0d9b646d82e4fe038229e4c02451 upstream.
+
+Stop zapping invalidated TDP MMU roots via work queue now that KVM
+preserves TDP MMU roots until they are explicitly invalidated. Zapping
+roots asynchronously was effectively a workaround to avoid stalling a vCPU
+for an extended duration if a vCPU unloaded a root, which at the time
+happened whenever the guest toggled CR0.WP (a frequent operation for some
+guest kernels).
+
+While a clever hack, zapping roots via an unbound worker had subtle,
+unintended consequences on host scheduling, especially when zapping
+multiple roots, e.g. as part of a memslot deletion. Because the work of zapping a
+root is no longer bound to the task that initiated the zap, things like
+the CPU affinity and priority of the original task get lost. Losing the
+affinity and priority can be especially problematic if unbound workqueues
+aren't affined to a small number of CPUs, as zapping multiple roots can
+cause KVM to heavily utilize the majority of CPUs in the system, *beyond*
+the CPUs KVM is already using to run vCPUs.
+
+When deleting a memslot via KVM_SET_USER_MEMORY_REGION, the async root
+zap can result in KVM occupying all logical CPUs for ~8ms, and result in
+high priority tasks not being scheduled in in a timely manner. In v5.15,
+which doesn't preserve unloaded roots, the issues were even more noticeable
+as KVM would zap roots more frequently and could occupy all CPUs for 50ms+.
+
+Consuming all CPUs for an extended duration can lead to significant jitter
+throughout the system, e.g. on ChromeOS with virtio-gpu, deleting memslots
+is a semi-frequent operation as memslots are deleted and recreated with
+different host virtual addresses to react to host GPU drivers allocating
+and freeing GPU blobs. On ChromeOS, the jitter manifests as audio blips
+during games due to the audio server's tasks not getting scheduled in
+promptly, despite the tasks having a high realtime priority.
+
+Deleting memslots isn't exactly a fast path and should be avoided when
+possible, and ChromeOS is working towards utilizing MAP_FIXED to avoid the
+memslot shenanigans, but KVM is squarely in the wrong. Not to mention
+that removing the async zapping eliminates a non-trivial amount of
+complexity.
+
+Note, one of the subtle behaviors hidden behind the async zapping is that
+KVM would zap invalidated roots only once (ignoring partial zaps from
+things like mmu_notifier events). Preserve this behavior by adding a flag
+to identify roots that are scheduled to be zapped versus roots that have
+already been zapped but not yet freed.
+
+Add a comment calling out why kvm_tdp_mmu_invalidate_all_roots() can
+encounter invalid roots, as it's not at all obvious why zapping
+invalidated roots shouldn't simply zap all invalid roots.
+
+Reported-by: Pattara Teerapong
+Cc: David Stevens
+Cc: Yiwei Zhang
+Cc: Paul Hsia
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-Id: <20230916003916.2545000-4-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sean Christopherson
+Reviewed-by: David Matlack
+Tested-by: David Matlack
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/kvm_host.h | 3
+ arch/x86/kvm/mmu/mmu.c | 9 --
+ arch/x86/kvm/mmu/mmu_internal.h | 15 ++--
+ arch/x86/kvm/mmu/tdp_mmu.c | 135 ++++++++++++++++------------------
+ arch/x86/kvm/mmu/tdp_mmu.h | 4 -
+ arch/x86/kvm/x86.c | 5 -
+ 6 files changed, 69 insertions(+), 102 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1324,7 +1324,6 @@ struct kvm_arch {
+ * the thread holds the MMU lock in write mode.
+ */ + spinlock_t tdp_mmu_pages_lock; +- struct workqueue_struct *tdp_mmu_zap_wq; + #endif /* CONFIG_X86_64 */ + + /* +@@ -1727,7 +1726,7 @@ void kvm_mmu_vendor_module_exit(void); + + void kvm_mmu_destroy(struct kvm_vcpu *vcpu); + int kvm_mmu_create(struct kvm_vcpu *vcpu); +-int kvm_mmu_init_vm(struct kvm *kvm); ++void kvm_mmu_init_vm(struct kvm *kvm); + void kvm_mmu_uninit_vm(struct kvm *kvm); + + void kvm_mmu_after_set_cpuid(struct kvm_vcpu *vcpu); +--- a/arch/x86/kvm/mmu/mmu.c ++++ b/arch/x86/kvm/mmu/mmu.c +@@ -5994,19 +5994,16 @@ static void kvm_mmu_invalidate_zap_pages + kvm_mmu_zap_all_fast(kvm); + } + +-int kvm_mmu_init_vm(struct kvm *kvm) ++void kvm_mmu_init_vm(struct kvm *kvm) + { + struct kvm_page_track_notifier_node *node = &kvm->arch.mmu_sp_tracker; +- int r; + + INIT_LIST_HEAD(&kvm->arch.active_mmu_pages); + INIT_LIST_HEAD(&kvm->arch.zapped_obsolete_pages); + INIT_LIST_HEAD(&kvm->arch.lpage_disallowed_mmu_pages); + spin_lock_init(&kvm->arch.mmu_unsync_pages_lock); + +- r = kvm_mmu_init_tdp_mmu(kvm); +- if (r < 0) +- return r; ++ kvm_mmu_init_tdp_mmu(kvm); + + node->track_write = kvm_mmu_pte_write; + node->track_flush_slot = kvm_mmu_invalidate_zap_pages_in_memslot; +@@ -6019,8 +6016,6 @@ int kvm_mmu_init_vm(struct kvm *kvm) + + kvm->arch.split_desc_cache.kmem_cache = pte_list_desc_cache; + kvm->arch.split_desc_cache.gfp_zero = __GFP_ZERO; +- +- return 0; + } + + static void mmu_free_vm_memory_caches(struct kvm *kvm) +--- a/arch/x86/kvm/mmu/mmu_internal.h ++++ b/arch/x86/kvm/mmu/mmu_internal.h +@@ -56,7 +56,12 @@ struct kvm_mmu_page { + + bool tdp_mmu_page; + bool unsync; +- u8 mmu_valid_gen; ++ union { ++ u8 mmu_valid_gen; ++ ++ /* Only accessed under slots_lock. */ ++ bool tdp_mmu_scheduled_root_to_zap; ++ }; + bool lpage_disallowed; /* Can't be replaced by an equiv large page */ + + /* +@@ -92,13 +97,7 @@ struct kvm_mmu_page { + struct kvm_rmap_head parent_ptes; /* rmap pointers to parent sptes */ + tdp_ptep_t ptep; + }; +- union { +- DECLARE_BITMAP(unsync_child_bitmap, 512); +- struct { +- struct work_struct tdp_mmu_async_work; +- void *tdp_mmu_async_data; +- }; +- }; ++ DECLARE_BITMAP(unsync_child_bitmap, 512); + + struct list_head lpage_disallowed_link; + #ifdef CONFIG_X86_32 +--- a/arch/x86/kvm/mmu/tdp_mmu.c ++++ b/arch/x86/kvm/mmu/tdp_mmu.c +@@ -14,24 +14,16 @@ static bool __read_mostly tdp_mmu_enable + module_param_named(tdp_mmu, tdp_mmu_enabled, bool, 0644); + + /* Initializes the TDP MMU for the VM, if enabled. */ +-int kvm_mmu_init_tdp_mmu(struct kvm *kvm) ++void kvm_mmu_init_tdp_mmu(struct kvm *kvm) + { +- struct workqueue_struct *wq; +- + if (!tdp_enabled || !READ_ONCE(tdp_mmu_enabled)) +- return 0; +- +- wq = alloc_workqueue("kvm", WQ_UNBOUND|WQ_MEM_RECLAIM|WQ_CPU_INTENSIVE, 0); +- if (!wq) +- return -ENOMEM; ++ return; + + /* This should not be changed for the lifetime of the VM. */ + kvm->arch.tdp_mmu_enabled = true; + INIT_LIST_HEAD(&kvm->arch.tdp_mmu_roots); + spin_lock_init(&kvm->arch.tdp_mmu_pages_lock); + INIT_LIST_HEAD(&kvm->arch.tdp_mmu_pages); +- kvm->arch.tdp_mmu_zap_wq = wq; +- return 1; + } + + /* Arbitrarily returns true so that this may be used in if statements. */ +@@ -57,20 +49,15 @@ void kvm_mmu_uninit_tdp_mmu(struct kvm * + * ultimately frees all roots. + */ + kvm_tdp_mmu_invalidate_all_roots(kvm); +- +- /* +- * Destroying a workqueue also first flushes the workqueue, i.e. no +- * need to invoke kvm_tdp_mmu_zap_invalidated_roots(). 
+- */ +- destroy_workqueue(kvm->arch.tdp_mmu_zap_wq); ++ kvm_tdp_mmu_zap_invalidated_roots(kvm); + + WARN_ON(!list_empty(&kvm->arch.tdp_mmu_pages)); + WARN_ON(!list_empty(&kvm->arch.tdp_mmu_roots)); + + /* + * Ensure that all the outstanding RCU callbacks to free shadow pages +- * can run before the VM is torn down. Work items on tdp_mmu_zap_wq +- * can call kvm_tdp_mmu_put_root and create new callbacks. ++ * can run before the VM is torn down. Putting the last reference to ++ * zapped roots will create new callbacks. + */ + rcu_barrier(); + } +@@ -97,46 +84,6 @@ static void tdp_mmu_free_sp_rcu_callback + tdp_mmu_free_sp(sp); + } + +-static void tdp_mmu_zap_root(struct kvm *kvm, struct kvm_mmu_page *root, +- bool shared); +- +-static void tdp_mmu_zap_root_work(struct work_struct *work) +-{ +- struct kvm_mmu_page *root = container_of(work, struct kvm_mmu_page, +- tdp_mmu_async_work); +- struct kvm *kvm = root->tdp_mmu_async_data; +- +- read_lock(&kvm->mmu_lock); +- +- /* +- * A TLB flush is not necessary as KVM performs a local TLB flush when +- * allocating a new root (see kvm_mmu_load()), and when migrating vCPU +- * to a different pCPU. Note, the local TLB flush on reuse also +- * invalidates any paging-structure-cache entries, i.e. TLB entries for +- * intermediate paging structures, that may be zapped, as such entries +- * are associated with the ASID on both VMX and SVM. +- */ +- tdp_mmu_zap_root(kvm, root, true); +- +- /* +- * Drop the refcount using kvm_tdp_mmu_put_root() to test its logic for +- * avoiding an infinite loop. By design, the root is reachable while +- * it's being asynchronously zapped, thus a different task can put its +- * last reference, i.e. flowing through kvm_tdp_mmu_put_root() for an +- * asynchronously zapped root is unavoidable. +- */ +- kvm_tdp_mmu_put_root(kvm, root, true); +- +- read_unlock(&kvm->mmu_lock); +-} +- +-static void tdp_mmu_schedule_zap_root(struct kvm *kvm, struct kvm_mmu_page *root) +-{ +- root->tdp_mmu_async_data = kvm; +- INIT_WORK(&root->tdp_mmu_async_work, tdp_mmu_zap_root_work); +- queue_work(kvm->arch.tdp_mmu_zap_wq, &root->tdp_mmu_async_work); +-} +- + void kvm_tdp_mmu_put_root(struct kvm *kvm, struct kvm_mmu_page *root, + bool shared) + { +@@ -222,11 +169,11 @@ static struct kvm_mmu_page *tdp_mmu_next + #define for_each_valid_tdp_mmu_root_yield_safe(_kvm, _root, _as_id, _shared) \ + __for_each_tdp_mmu_root_yield_safe(_kvm, _root, _as_id, _shared, true) + +-#define for_each_tdp_mmu_root_yield_safe(_kvm, _root) \ +- for (_root = tdp_mmu_next_root(_kvm, NULL, false, false); \ ++#define for_each_tdp_mmu_root_yield_safe(_kvm, _root, _shared) \ ++ for (_root = tdp_mmu_next_root(_kvm, NULL, _shared, false); \ + _root; \ +- _root = tdp_mmu_next_root(_kvm, _root, false, false)) \ +- if (!kvm_lockdep_assert_mmu_lock_held(_kvm, false)) { \ ++ _root = tdp_mmu_next_root(_kvm, _root, _shared, false)) \ ++ if (!kvm_lockdep_assert_mmu_lock_held(_kvm, _shared)) { \ + } else + + /* +@@ -305,7 +252,7 @@ hpa_t kvm_tdp_mmu_get_vcpu_root_hpa(stru + * by a memslot update or by the destruction of the VM. Initialize the + * refcount to two; one reference for the vCPU, and one reference for + * the TDP MMU itself, which is held until the root is invalidated and +- * is ultimately put by tdp_mmu_zap_root_work(). ++ * is ultimately put by kvm_tdp_mmu_zap_invalidated_roots(). 
+ */ + refcount_set(&root->tdp_mmu_root_count, 2); + +@@ -963,7 +910,7 @@ bool kvm_tdp_mmu_zap_leafs(struct kvm *k + { + struct kvm_mmu_page *root; + +- for_each_tdp_mmu_root_yield_safe(kvm, root) ++ for_each_tdp_mmu_root_yield_safe(kvm, root, false) + flush = tdp_mmu_zap_leafs(kvm, root, start, end, true, flush); + + return flush; +@@ -985,7 +932,7 @@ void kvm_tdp_mmu_zap_all(struct kvm *kvm + * is being destroyed or the userspace VMM has exited. In both cases, + * KVM_RUN is unreachable, i.e. no vCPUs will ever service the request. + */ +- for_each_tdp_mmu_root_yield_safe(kvm, root) ++ for_each_tdp_mmu_root_yield_safe(kvm, root, false) + tdp_mmu_zap_root(kvm, root, false); + } + +@@ -995,18 +942,47 @@ void kvm_tdp_mmu_zap_all(struct kvm *kvm + */ + void kvm_tdp_mmu_zap_invalidated_roots(struct kvm *kvm) + { +- flush_workqueue(kvm->arch.tdp_mmu_zap_wq); ++ struct kvm_mmu_page *root; ++ ++ read_lock(&kvm->mmu_lock); ++ ++ for_each_tdp_mmu_root_yield_safe(kvm, root, true) { ++ if (!root->tdp_mmu_scheduled_root_to_zap) ++ continue; ++ ++ root->tdp_mmu_scheduled_root_to_zap = false; ++ KVM_BUG_ON(!root->role.invalid, kvm); ++ ++ /* ++ * A TLB flush is not necessary as KVM performs a local TLB ++ * flush when allocating a new root (see kvm_mmu_load()), and ++ * when migrating a vCPU to a different pCPU. Note, the local ++ * TLB flush on reuse also invalidates paging-structure-cache ++ * entries, i.e. TLB entries for intermediate paging structures, ++ * that may be zapped, as such entries are associated with the ++ * ASID on both VMX and SVM. ++ */ ++ tdp_mmu_zap_root(kvm, root, true); ++ ++ /* ++ * The referenced needs to be put *after* zapping the root, as ++ * the root must be reachable by mmu_notifiers while it's being ++ * zapped ++ */ ++ kvm_tdp_mmu_put_root(kvm, root, true); ++ } ++ ++ read_unlock(&kvm->mmu_lock); + } + + /* + * Mark each TDP MMU root as invalid to prevent vCPUs from reusing a root that + * is about to be zapped, e.g. in response to a memslots update. The actual +- * zapping is performed asynchronously. Using a separate workqueue makes it +- * easy to ensure that the destruction is performed before the "fast zap" +- * completes, without keeping a separate list of invalidated roots; the list is +- * effectively the list of work items in the workqueue. ++ * zapping is done separately so that it happens with mmu_lock with read, ++ * whereas invalidating roots must be done with mmu_lock held for write (unless ++ * the VM is being destroyed). + * +- * Note, the asynchronous worker is gifted the TDP MMU's reference. ++ * Note, kvm_tdp_mmu_zap_invalidated_roots() is gifted the TDP MMU's reference. + * See kvm_tdp_mmu_get_vcpu_root_hpa(). + */ + void kvm_tdp_mmu_invalidate_all_roots(struct kvm *kvm) +@@ -1031,19 +1007,20 @@ void kvm_tdp_mmu_invalidate_all_roots(st + /* + * As above, mmu_lock isn't held when destroying the VM! There can't + * be other references to @kvm, i.e. nothing else can invalidate roots +- * or be consuming roots, but walking the list of roots does need to be +- * guarded against roots being deleted by the asynchronous zap worker. ++ * or get/put references to roots. + */ +- rcu_read_lock(); +- +- list_for_each_entry_rcu(root, &kvm->arch.tdp_mmu_roots, link) { ++ list_for_each_entry(root, &kvm->arch.tdp_mmu_roots, link) { ++ /* ++ * Note, invalid roots can outlive a memslot update! Invalid ++ * roots must be *zapped* before the memslot update completes, ++ * but a different task can acquire a reference and keep the ++ * root alive after its been zapped. 
++ */
+ if (!root->role.invalid) {
++ root->tdp_mmu_scheduled_root_to_zap = true;
+ root->role.invalid = true;
+- tdp_mmu_schedule_zap_root(kvm, root);
+ }
+ }
+-
+- rcu_read_unlock();
+ }
+
+ /*
+--- a/arch/x86/kvm/mmu/tdp_mmu.h
++++ b/arch/x86/kvm/mmu/tdp_mmu.h
+@@ -65,7 +65,7 @@ u64 *kvm_tdp_mmu_fast_pf_get_last_sptep(
+ u64 *spte);
+
+ #ifdef CONFIG_X86_64
+-int kvm_mmu_init_tdp_mmu(struct kvm *kvm);
++void kvm_mmu_init_tdp_mmu(struct kvm *kvm);
+ void kvm_mmu_uninit_tdp_mmu(struct kvm *kvm);
+ static inline bool is_tdp_mmu_page(struct kvm_mmu_page *sp) { return sp->tdp_mmu_page; }
+
+@@ -86,7 +86,7 @@ static inline bool is_tdp_mmu(struct kvm
+ return sp && is_tdp_mmu_page(sp) && sp->root_count;
+ }
+ #else
+-static inline int kvm_mmu_init_tdp_mmu(struct kvm *kvm) { return 0; }
++static inline void kvm_mmu_init_tdp_mmu(struct kvm *kvm) {}
+ static inline void kvm_mmu_uninit_tdp_mmu(struct kvm *kvm) {}
+ static inline bool is_tdp_mmu_page(struct kvm_mmu_page *sp) { return false; }
+ static inline bool is_tdp_mmu(struct kvm_mmu *mmu) { return false; }
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -12453,9 +12453,7 @@ int kvm_arch_init_vm(struct kvm *kvm, un
+ if (ret)
+ goto out;
+
+- ret = kvm_mmu_init_vm(kvm);
+- if (ret)
+- goto out_page_track;
++ kvm_mmu_init_vm(kvm);
+
+ ret = static_call(kvm_x86_vm_init)(kvm);
+ if (ret)
+@@ -12500,7 +12498,6 @@ int kvm_arch_init_vm(struct kvm *kvm, un
+
+ out_uninit_mmu:
+ kvm_mmu_uninit_vm(kvm);
+-out_page_track:
+ kvm_page_track_cleanup(kvm);
+ out:
+ return ret;
diff --git a/queue-6.1/mmc-core-capture-correct-oemid-bits-for-emmc-cards.patch b/queue-6.1/mmc-core-capture-correct-oemid-bits-for-emmc-cards.patch
new file mode 100644
index 00000000000..dae503260ad
--- /dev/null
+++ b/queue-6.1/mmc-core-capture-correct-oemid-bits-for-emmc-cards.patch
@@ -0,0 +1,39 @@
+From 84ee19bffc9306128cd0f1c650e89767079efeff Mon Sep 17 00:00:00 2001
+From: Avri Altman
+Date: Wed, 27 Sep 2023 10:15:00 +0300
+Subject: mmc: core: Capture correct oemid-bits for eMMC cards
+
+From: Avri Altman
+
+commit 84ee19bffc9306128cd0f1c650e89767079efeff upstream.
+
+The OEMID is an 8-bit binary number rather than 16-bit as the current code
+parses for. The OEMID occupies bits [111:104] in the CID register, see the
+eMMC spec JESD84-B51 paragraph 7.2.3. It seems that the 16-bit comes from
+the legacy MMC specs (v3.31 and before).
+
+Let's fix the parsing by simply moving to use 8-bit instead of 16-bit. This
+means we ignore the impact on some of those old MMC cards that may be out
+there, but on the other hand this shouldn't be a problem as the OEMID seems
+not to be an important feature for these cards.
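+
+[Editor's illustration, not part of the upstream patch: the 8- vs 16-bit
+difference can be reproduced with a standalone copy of the bit-extraction
+logic behind the core's UNSTUFF_BITS() macro; the CID words below are
+made up.]
+
+  #include <stdint.h>
+  #include <stdio.h>
+
+  /* resp[0] holds CID bits [127:96] ... resp[3] holds bits [31:0]. */
+  static uint32_t unstuff_bits(const uint32_t *resp, int start, int size)
+  {
+          const int off = 3 - (start / 32);  /* word holding bit 'start' */
+          const int shift = start & 31;      /* offset inside that word */
+          uint32_t res = resp[off] >> shift;
+
+          if (size + shift > 32)             /* field straddles two words */
+                  res |= resp[off - 1] << ((32 - shift) & 31);
+          return res & ((1u << (size - 1)) * 2 - 1);
+  }
+
+  int main(void)
+  {
+          /* Made-up CID: manfid 0x13, OEMID byte (bits [111:104]) 0x4e. */
+          const uint32_t resp[4] = { 0x13014e20, 0x47343447, 0x31d00bca, 0x7f6a7d66 };
+
+          printf("oemid, 8-bit read = 0x%02x\n", unstuff_bits(resp, 104, 8));   /* 0x4e */
+          printf("oemid, 16-bit read = 0x%04x\n", unstuff_bits(resp, 104, 16)); /* 0x014e */
+          return 0;
+  }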
+
+Signed-off-by: Avri Altman
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230927071500.1791882-1-avri.altman@wdc.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/mmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -104,7 +104,7 @@ static int mmc_decode_cid(struct mmc_car
+ case 3: /* MMC v3.1 - v3.3 */
+ case 4: /* MMC v4 */
+ card->cid.manfid = UNSTUFF_BITS(resp, 120, 8);
+- card->cid.oemid = UNSTUFF_BITS(resp, 104, 16);
++ card->cid.oemid = UNSTUFF_BITS(resp, 104, 8);
+ card->cid.prod_name[0] = UNSTUFF_BITS(resp, 96, 8);
+ card->cid.prod_name[1] = UNSTUFF_BITS(resp, 88, 8);
+ card->cid.prod_name[2] = UNSTUFF_BITS(resp, 80, 8);
diff --git a/queue-6.1/mmc-core-sdio-hold-retuning-if-sdio-in-1-bit-mode.patch b/queue-6.1/mmc-core-sdio-hold-retuning-if-sdio-in-1-bit-mode.patch
new file mode 100644
index 00000000000..3c88a7b3448
--- /dev/null
+++ b/queue-6.1/mmc-core-sdio-hold-retuning-if-sdio-in-1-bit-mode.patch
@@ -0,0 +1,45 @@
+From 32a9cdb8869dc111a0c96cf8e1762be9684af15b Mon Sep 17 00:00:00 2001
+From: Haibo Chen
+Date: Wed, 30 Aug 2023 17:39:22 +0800
+Subject: mmc: core: sdio: hold retuning if sdio in 1-bit mode
+
+From: Haibo Chen
+
+commit 32a9cdb8869dc111a0c96cf8e1762be9684af15b upstream.
+
+Tuning is only supported in 4-bit or 8-bit mode, so in 1-bit mode we
+need to hold retuning.
+
+We found this issue when using the manual tuning method on imx93. When
+the system resumed, the SDIO WiFi tried to switch back to 4-bit mode;
+this first triggered retuning, and all tuning commands failed.
+
+Signed-off-by: Haibo Chen
+Acked-by: Adrian Hunter
+Fixes: dfa13ebbe334 ("mmc: host: Add facility to support re-tuning")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230830093922.3095850-1-haibo.chen@nxp.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/sdio.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/sdio.c
++++ b/drivers/mmc/core/sdio.c
+@@ -1089,8 +1089,14 @@ static int mmc_sdio_resume(struct mmc_ho
+ }
+ err = mmc_sdio_reinit_card(host);
+ } else if (mmc_card_wake_sdio_irq(host)) {
+- /* We may have switched to 1-bit mode during suspend */
++ /*
++ * We may have switched to 1-bit mode during suspend,
++ * need to hold retuning, because tuning only supprt
++ * 4-bit mode or 8 bit mode.
++ */
++ mmc_retune_hold_now(host);
+ err = sdio_enable_4bit_bus(host->card);
++ mmc_retune_release(host);
+ }
+
+ if (err)
diff --git a/queue-6.1/mmc-mtk-sd-use-readl_poll_timeout_atomic-in-msdc_reset_hw.patch b/queue-6.1/mmc-mtk-sd-use-readl_poll_timeout_atomic-in-msdc_reset_hw.patch
new file mode 100644
index 00000000000..b526526d4fd
--- /dev/null
+++ b/queue-6.1/mmc-mtk-sd-use-readl_poll_timeout_atomic-in-msdc_reset_hw.patch
@@ -0,0 +1,83 @@
+From c7bb120c1c66672b657e95d0942c989b8275aeb3 Mon Sep 17 00:00:00 2001
+From: Pablo Sun
+Date: Fri, 22 Sep 2023 17:53:48 +0800
+Subject: mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw
+
+From: Pablo Sun
+
+commit c7bb120c1c66672b657e95d0942c989b8275aeb3 upstream.
+ +Use atomic readl_poll_timeout_atomic, because msdc_reset_hw +may be invoked in IRQ handler in the following context: + + msdc_irq() -> msdc_cmd_done() -> msdc_reset_hw() + +The following kernel BUG stack trace can be observed on +Genio 1200 EVK after initializing MSDC1 hardware during kernel boot: + +[ 1.187441] BUG: scheduling while atomic: swapper/0/0/0x00010002 +[ 1.189157] Modules linked in: +[ 1.204633] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.15.42-mtk+modified #1 +[ 1.205713] Hardware name: MediaTek Genio 1200 EVK-P1V2-EMMC (DT) +[ 1.206484] Call trace: +[ 1.206796] dump_backtrace+0x0/0x1ac +[ 1.207266] show_stack+0x24/0x30 +[ 1.207692] dump_stack_lvl+0x68/0x84 +[ 1.208162] dump_stack+0x1c/0x38 +[ 1.208587] __schedule_bug+0x68/0x80 +[ 1.209056] __schedule+0x6ec/0x7c0 +[ 1.209502] schedule+0x7c/0x110 +[ 1.209915] schedule_hrtimeout_range_clock+0xc4/0x1f0 +[ 1.210569] schedule_hrtimeout_range+0x20/0x30 +[ 1.211148] usleep_range_state+0x84/0xc0 +[ 1.211661] msdc_reset_hw+0xc8/0x1b0 +[ 1.212134] msdc_cmd_done.isra.0+0x4ac/0x5f0 +[ 1.212693] msdc_irq+0x104/0x2d4 +[ 1.213121] __handle_irq_event_percpu+0x68/0x280 +[ 1.213725] handle_irq_event+0x70/0x15c +[ 1.214230] handle_fasteoi_irq+0xb0/0x1a4 +[ 1.214755] handle_domain_irq+0x6c/0x9c +[ 1.215260] gic_handle_irq+0xc4/0x180 +[ 1.215741] call_on_irq_stack+0x2c/0x54 +[ 1.216245] do_interrupt_handler+0x5c/0x70 +[ 1.216782] el1_interrupt+0x30/0x80 +[ 1.217242] el1h_64_irq_handler+0x1c/0x2c +[ 1.217769] el1h_64_irq+0x78/0x7c +[ 1.218206] cpuidle_enter_state+0xc8/0x600 +[ 1.218744] cpuidle_enter+0x44/0x5c +[ 1.219205] do_idle+0x224/0x2d0 +[ 1.219624] cpu_startup_entry+0x30/0x80 +[ 1.220129] rest_init+0x108/0x134 +[ 1.220568] arch_call_rest_init+0x1c/0x28 +[ 1.221094] start_kernel+0x6c0/0x700 +[ 1.221564] __primary_switched+0xc0/0xc8 + +Fixes: ffaea6ebfe9c ("mmc: mtk-sd: Use readl_poll_timeout instead of open-coded polling") +Signed-off-by: Pablo Sun +Reviewed-by: Chen-Yu Tsai +Reviewed-by: AngeloGioacchino Del Regno +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230922095348.22182-1-pablo.sun@mediatek.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/mtk-sd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/host/mtk-sd.c ++++ b/drivers/mmc/host/mtk-sd.c +@@ -655,11 +655,11 @@ static void msdc_reset_hw(struct msdc_ho + u32 val; + + sdr_set_bits(host->base + MSDC_CFG, MSDC_CFG_RST); +- readl_poll_timeout(host->base + MSDC_CFG, val, !(val & MSDC_CFG_RST), 0, 0); ++ readl_poll_timeout_atomic(host->base + MSDC_CFG, val, !(val & MSDC_CFG_RST), 0, 0); + + sdr_set_bits(host->base + MSDC_FIFOCS, MSDC_FIFOCS_CLR); +- readl_poll_timeout(host->base + MSDC_FIFOCS, val, +- !(val & MSDC_FIFOCS_CLR), 0, 0); ++ readl_poll_timeout_atomic(host->base + MSDC_FIFOCS, val, ++ !(val & MSDC_FIFOCS_CLR), 0, 0); + + val = readl(host->base + MSDC_INT); + writel(val, host->base + MSDC_INT); diff --git a/queue-6.1/mmc-sdhci-pci-gli-fix-lpm-negotiation-so-x86-s0ix-socs-can-suspend.patch b/queue-6.1/mmc-sdhci-pci-gli-fix-lpm-negotiation-so-x86-s0ix-socs-can-suspend.patch new file mode 100644 index 00000000000..ce6d5ed0864 --- /dev/null +++ b/queue-6.1/mmc-sdhci-pci-gli-fix-lpm-negotiation-so-x86-s0ix-socs-can-suspend.patch @@ -0,0 +1,167 @@ +From 1202d617e3d04c8d27a14ef30784a698c48170b3 Mon Sep 17 00:00:00 2001 +From: Sven van Ashbrook +Date: Thu, 31 Aug 2023 16:00:56 +0000 +Subject: mmc: sdhci-pci-gli: fix LPM negotiation so x86/S0ix SoCs can suspend + +From: Sven van Ashbrook + 
+commit 1202d617e3d04c8d27a14ef30784a698c48170b3 upstream. + +To improve the r/w performance of GL9763E, the current driver inhibits LPM +negotiation while the device is active. + +This prevents a large number of SoCs from suspending, notably x86 systems +which commonly use S0ix as the suspend mechanism - for example, Intel +Alder Lake and Raptor Lake processors. + +Failure description: +1. Userspace initiates s2idle suspend (e.g. via writing to + /sys/power/state) +2. This switches the runtime_pm device state to active, which disables + LPM negotiation, then calls the "regular" suspend callback +3. With LPM negotiation disabled, the bus cannot enter low-power state +4. On a large number of SoCs, if the bus not in a low-power state, S0ix + cannot be entered, which in turn prevents the SoC from entering + suspend. + +Fix by re-enabling LPM negotiation in the device's suspend callback. + +Suggested-by: Stanislaw Kardach +Fixes: f9e5b33934ce ("mmc: host: Improve I/O read/write performance for GL9763E") +Cc: stable@vger.kernel.org +Signed-off-by: Sven van Ashbrook +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20230831160055.v3.1.I7ed1ca09797be2dd76ca914c57d88b32d24dac88@changeid +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-pci-gli.c | 104 ++++++++++++++++++++++++--------------- + 1 file changed, 66 insertions(+), 38 deletions(-) + +--- a/drivers/mmc/host/sdhci-pci-gli.c ++++ b/drivers/mmc/host/sdhci-pci-gli.c +@@ -756,42 +756,6 @@ static u32 sdhci_gl9750_readl(struct sdh + return value; + } + +-#ifdef CONFIG_PM_SLEEP +-static int sdhci_pci_gli_resume(struct sdhci_pci_chip *chip) +-{ +- struct sdhci_pci_slot *slot = chip->slots[0]; +- +- pci_free_irq_vectors(slot->chip->pdev); +- gli_pcie_enable_msi(slot); +- +- return sdhci_pci_resume_host(chip); +-} +- +-static int sdhci_cqhci_gli_resume(struct sdhci_pci_chip *chip) +-{ +- struct sdhci_pci_slot *slot = chip->slots[0]; +- int ret; +- +- ret = sdhci_pci_gli_resume(chip); +- if (ret) +- return ret; +- +- return cqhci_resume(slot->host->mmc); +-} +- +-static int sdhci_cqhci_gli_suspend(struct sdhci_pci_chip *chip) +-{ +- struct sdhci_pci_slot *slot = chip->slots[0]; +- int ret; +- +- ret = cqhci_suspend(slot->host->mmc); +- if (ret) +- return ret; +- +- return sdhci_suspend_host(slot->host); +-} +-#endif +- + static void gl9763e_hs400_enhanced_strobe(struct mmc_host *mmc, + struct mmc_ios *ios) + { +@@ -1040,6 +1004,70 @@ static int gl9763e_runtime_resume(struct + } + #endif + ++#ifdef CONFIG_PM_SLEEP ++static int sdhci_pci_gli_resume(struct sdhci_pci_chip *chip) ++{ ++ struct sdhci_pci_slot *slot = chip->slots[0]; ++ ++ pci_free_irq_vectors(slot->chip->pdev); ++ gli_pcie_enable_msi(slot); ++ ++ return sdhci_pci_resume_host(chip); ++} ++ ++static int gl9763e_resume(struct sdhci_pci_chip *chip) ++{ ++ struct sdhci_pci_slot *slot = chip->slots[0]; ++ int ret; ++ ++ ret = sdhci_pci_gli_resume(chip); ++ if (ret) ++ return ret; ++ ++ ret = cqhci_resume(slot->host->mmc); ++ if (ret) ++ return ret; ++ ++ /* ++ * Disable LPM negotiation to bring device back in sync ++ * with its runtime_pm state. ++ */ ++ gl9763e_set_low_power_negotiation(slot, false); ++ ++ return 0; ++} ++ ++static int gl9763e_suspend(struct sdhci_pci_chip *chip) ++{ ++ struct sdhci_pci_slot *slot = chip->slots[0]; ++ int ret; ++ ++ /* ++ * Certain SoCs can suspend only with the bus in low- ++ * power state, notably x86 SoCs when using S0ix. 
++ * Re-enable LPM negotiation to allow entering L1 state ++ * and entering system suspend. ++ */ ++ gl9763e_set_low_power_negotiation(slot, true); ++ ++ ret = cqhci_suspend(slot->host->mmc); ++ if (ret) ++ goto err_suspend; ++ ++ ret = sdhci_suspend_host(slot->host); ++ if (ret) ++ goto err_suspend_host; ++ ++ return 0; ++ ++err_suspend_host: ++ cqhci_resume(slot->host->mmc); ++err_suspend: ++ gl9763e_set_low_power_negotiation(slot, false); ++ return ret; ++} ++#endif ++ + static int gli_probe_slot_gl9763e(struct sdhci_pci_slot *slot) + { + struct pci_dev *pdev = slot->chip->pdev; +@@ -1147,8 +1175,8 @@ const struct sdhci_pci_fixes sdhci_gl976 + .probe_slot = gli_probe_slot_gl9763e, + .ops = &sdhci_gl9763e_ops, + #ifdef CONFIG_PM_SLEEP +- .resume = sdhci_cqhci_gli_resume, +- .suspend = sdhci_cqhci_gli_suspend, ++ .resume = gl9763e_resume, ++ .suspend = gl9763e_suspend, + #endif + #ifdef CONFIG_PM + .runtime_suspend = gl9763e_runtime_suspend, diff --git a/queue-6.1/mtd-physmap-core-restore-map_rom-fallback.patch b/queue-6.1/mtd-physmap-core-restore-map_rom-fallback.patch new file mode 100644 index 00000000000..21b46206eb8 --- /dev/null +++ b/queue-6.1/mtd-physmap-core-restore-map_rom-fallback.patch @@ -0,0 +1,43 @@ +From 6792b7fce610bcd1cf3e07af3607fe7e2c38c1d8 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Wed, 30 Aug 2023 17:00:34 +0200 +Subject: mtd: physmap-core: Restore map_rom fallback + +From: Geert Uytterhoeven + +commit 6792b7fce610bcd1cf3e07af3607fe7e2c38c1d8 upstream. + +When the exact mapping type driver was not available, the old +physmap_of_core driver fell back to mapping the region as ROM. +Unfortunately this feature was lost when the DT and pdata cases were +merged. Revive this useful feature. + +Fixes: 642b1e8dbed7bbbf ("mtd: maps: Merge physmap_of.c into physmap-core.c") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/550e8c8c1da4c4baeb3d71ff79b14a18d4194f9e.1693407371.git.geert+renesas@glider.be +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/maps/physmap-core.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/mtd/maps/physmap-core.c ++++ b/drivers/mtd/maps/physmap-core.c +@@ -552,6 +552,17 @@ static int physmap_flash_probe(struct pl + if (info->probe_type) { + info->mtds[i] = do_map_probe(info->probe_type, + &info->maps[i]); ++ ++ /* Fall back to mapping region as ROM */ ++ if (!info->mtds[i] && IS_ENABLED(CONFIG_MTD_ROM) && ++ strcmp(info->probe_type, "map_rom")) { ++ dev_warn(&dev->dev, ++ "map_probe() failed for type %s\n", ++ info->probe_type); ++ ++ info->mtds[i] = do_map_probe("map_rom", ++ &info->maps[i]); ++ } + } else { + int j; + diff --git a/queue-6.1/mtd-rawnand-arasan-ensure-program-page-operations-are-successful.patch b/queue-6.1/mtd-rawnand-arasan-ensure-program-page-operations-are-successful.patch new file mode 100644 index 00000000000..e73d0b409fd --- /dev/null +++ b/queue-6.1/mtd-rawnand-arasan-ensure-program-page-operations-are-successful.patch @@ -0,0 +1,74 @@ +From 3a4a893dbb19e229db3b753f0462520b561dee98 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Mon, 17 Jul 2023 21:42:20 +0200 +Subject: mtd: rawnand: arasan: Ensure program page operations are successful + +From: Miquel Raynal + +commit 3a4a893dbb19e229db3b753f0462520b561dee98 upstream. 
+ +The NAND core complies with the ONFI specification, which itself +mentions that after any program or erase operation, a status check +should be performed to see whether the operation was finished *and* +successful. + +The NAND core offers helpers to finish a page write (sending the +"PAGE PROG" command, waiting for the NAND chip to be ready again, and +checking the operation status). But in some cases, advanced controller +drivers might want to optimize this and craft their own page write +helper to leverage additional hardware capabilities, thus not always +using the core facilities. + +Some drivers, like this one, do not use the core helper to finish a page +write because the final cycles are automatically managed by the +hardware. In this case, the additional care must be taken to manually +perform the final status check. + +Let's read the NAND chip status at the end of the page write helper and +return -EIO upon error. + +Cc: Michal Simek +Cc: stable@vger.kernel.org +Fixes: 88ffef1b65cf ("mtd: rawnand: arasan: Support the hardware BCH ECC engine") +Signed-off-by: Miquel Raynal +Acked-by: Michal Simek +Link: https://lore.kernel.org/linux-mtd/20230717194221.229778-2-miquel.raynal@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/arasan-nand-controller.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/raw/arasan-nand-controller.c ++++ b/drivers/mtd/nand/raw/arasan-nand-controller.c +@@ -515,6 +515,7 @@ static int anfc_write_page_hw_ecc(struct + struct mtd_info *mtd = nand_to_mtd(chip); + unsigned int len = mtd->writesize + (oob_required ? mtd->oobsize : 0); + dma_addr_t dma_addr; ++ u8 status; + int ret; + struct anfc_op nfc_op = { + .pkt_reg = +@@ -561,10 +562,21 @@ static int anfc_write_page_hw_ecc(struct + } + + /* Spare data is not protected */ +- if (oob_required) ++ if (oob_required) { + ret = nand_write_oob_std(chip, page); ++ if (ret) ++ return ret; ++ } ++ ++ /* Check write status on the chip side */ ++ ret = nand_status_op(chip, &status); ++ if (ret) ++ return ret; ++ ++ if (status & NAND_STATUS_FAIL) ++ return -EIO; + +- return ret; ++ return 0; + } + + static int anfc_sel_write_page_hw_ecc(struct nand_chip *chip, const u8 *buf, diff --git a/queue-6.1/mtd-rawnand-marvell-ensure-program-page-operations-are-successful.patch b/queue-6.1/mtd-rawnand-marvell-ensure-program-page-operations-are-successful.patch new file mode 100644 index 00000000000..dd476b60a89 --- /dev/null +++ b/queue-6.1/mtd-rawnand-marvell-ensure-program-page-operations-are-successful.patch @@ -0,0 +1,93 @@ +From 3e01d5254698ea3d18e09d96b974c762328352cd Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Mon, 17 Jul 2023 21:42:19 +0200 +Subject: mtd: rawnand: marvell: Ensure program page operations are successful + +From: Miquel Raynal + +commit 3e01d5254698ea3d18e09d96b974c762328352cd upstream. + +The NAND core complies with the ONFI specification, which itself +mentions that after any program or erase operation, a status check +should be performed to see whether the operation was finished *and* +successful. + +The NAND core offers helpers to finish a page write (sending the +"PAGE PROG" command, waiting for the NAND chip to be ready again, and +checking the operation status). But in some cases, advanced controller +drivers might want to optimize this and craft their own page write +helper to leverage additional hardware capabilities, thus not always +using the core facilities. 
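+
+[Editor's sketch, not part of the upstream patch: the status check that
+this series adds to each driver boils down to the pattern below, using
+the raw NAND core's real nand_status_op() helper; the function name and
+surrounding driver context are hypothetical.]
+
+  /* Tail of a driver's page-program path, after the controller has
+   * already issued the final PAGE PROG cycles in hardware. */
+  static int example_check_program_status(struct nand_chip *chip)
+  {
+          u8 status;
+          int ret;
+
+          /* ONFI: read the chip status after any program/erase. */
+          ret = nand_status_op(chip, &status);
+          if (ret)
+                  return ret;
+
+          /* FAIL bit set means the page did not program correctly. */
+          if (status & NAND_STATUS_FAIL)
+                  return -EIO;
+
+          return 0;
+  }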
+ +Some drivers, like this one, do not use the core helper to finish a page +write because the final cycles are automatically managed by the +hardware. In this case, the additional care must be taken to manually +perform the final status check. + +Let's read the NAND chip status at the end of the page write helper and +return -EIO upon error. + +Cc: stable@vger.kernel.org +Fixes: 02f26ecf8c77 ("mtd: nand: add reworked Marvell NAND controller driver") +Reported-by: Aviram Dali +Signed-off-by: Miquel Raynal +Tested-by: Ravi Chandra Minnikanti +Link: https://lore.kernel.org/linux-mtd/20230717194221.229778-1-miquel.raynal@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/marvell_nand.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/marvell_nand.c ++++ b/drivers/mtd/nand/raw/marvell_nand.c +@@ -1154,6 +1154,7 @@ static int marvell_nfc_hw_ecc_hmg_do_wri + .ndcb[2] = NDCB2_ADDR5_PAGE(page), + }; + unsigned int oob_bytes = lt->spare_bytes + (raw ? lt->ecc_bytes : 0); ++ u8 status; + int ret; + + /* NFCv2 needs more information about the operation being executed */ +@@ -1187,7 +1188,18 @@ static int marvell_nfc_hw_ecc_hmg_do_wri + + ret = marvell_nfc_wait_op(chip, + PSEC_TO_MSEC(sdr->tPROG_max)); +- return ret; ++ if (ret) ++ return ret; ++ ++ /* Check write status on the chip side */ ++ ret = nand_status_op(chip, &status); ++ if (ret) ++ return ret; ++ ++ if (status & NAND_STATUS_FAIL) ++ return -EIO; ++ ++ return 0; + } + + static int marvell_nfc_hw_ecc_hmg_write_page_raw(struct nand_chip *chip, +@@ -1616,6 +1628,7 @@ static int marvell_nfc_hw_ecc_bch_write_ + int data_len = lt->data_bytes; + int spare_len = lt->spare_bytes; + int chunk, ret; ++ u8 status; + + marvell_nfc_select_target(chip, chip->cur_cs); + +@@ -1652,6 +1665,14 @@ static int marvell_nfc_hw_ecc_bch_write_ + if (ret) + return ret; + ++ /* Check write status on the chip side */ ++ ret = nand_status_op(chip, &status); ++ if (ret) ++ return ret; ++ ++ if (status & NAND_STATUS_FAIL) ++ return -EIO; ++ + return 0; + } + diff --git a/queue-6.1/mtd-rawnand-pl353-ensure-program-page-operations-are-successful.patch b/queue-6.1/mtd-rawnand-pl353-ensure-program-page-operations-are-successful.patch new file mode 100644 index 00000000000..5931bf74c21 --- /dev/null +++ b/queue-6.1/mtd-rawnand-pl353-ensure-program-page-operations-are-successful.patch @@ -0,0 +1,65 @@ +From 9777cc13fd2c3212618904636354be60835e10bb Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Mon, 17 Jul 2023 21:42:21 +0200 +Subject: mtd: rawnand: pl353: Ensure program page operations are successful + +From: Miquel Raynal + +commit 9777cc13fd2c3212618904636354be60835e10bb upstream. + +The NAND core complies with the ONFI specification, which itself +mentions that after any program or erase operation, a status check +should be performed to see whether the operation was finished *and* +successful. + +The NAND core offers helpers to finish a page write (sending the +"PAGE PROG" command, waiting for the NAND chip to be ready again, and +checking the operation status). But in some cases, advanced controller +drivers might want to optimize this and craft their own page write +helper to leverage additional hardware capabilities, thus not always +using the core facilities. + +Some drivers, like this one, do not use the core helper to finish a page +write because the final cycles are automatically managed by the +hardware. 
In this case, the additional care must be taken to manually +perform the final status check. + +Let's read the NAND chip status at the end of the page write helper and +return -EIO upon error. + +Cc: Michal Simek +Cc: stable@vger.kernel.org +Fixes: 08d8c62164a3 ("mtd: rawnand: pl353: Add support for the ARM PL353 SMC NAND controller") +Signed-off-by: Miquel Raynal +Tested-by: Michal Simek +Link: https://lore.kernel.org/linux-mtd/20230717194221.229778-3-miquel.raynal@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/pl35x-nand-controller.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/mtd/nand/raw/pl35x-nand-controller.c ++++ b/drivers/mtd/nand/raw/pl35x-nand-controller.c +@@ -513,6 +513,7 @@ static int pl35x_nand_write_page_hwecc(s + u32 addr1 = 0, addr2 = 0, row; + u32 cmd_addr; + int i, ret; ++ u8 status; + + ret = pl35x_smc_set_ecc_mode(nfc, chip, PL35X_SMC_ECC_CFG_MODE_APB); + if (ret) +@@ -565,6 +566,14 @@ static int pl35x_nand_write_page_hwecc(s + if (ret) + goto disable_ecc_engine; + ++ /* Check write status on the chip side */ ++ ret = nand_status_op(chip, &status); ++ if (ret) ++ goto disable_ecc_engine; ++ ++ if (status & NAND_STATUS_FAIL) ++ ret = -EIO; ++ + disable_ecc_engine: + pl35x_smc_set_ecc_mode(nfc, chip, PL35X_SMC_ECC_CFG_MODE_BYPASS); + diff --git a/queue-6.1/mtd-rawnand-qcom-unmap-the-right-resource-upon-probe-failure.patch b/queue-6.1/mtd-rawnand-qcom-unmap-the-right-resource-upon-probe-failure.patch new file mode 100644 index 00000000000..4cfac09f4fb --- /dev/null +++ b/queue-6.1/mtd-rawnand-qcom-unmap-the-right-resource-upon-probe-failure.patch @@ -0,0 +1,34 @@ +From 5279f4a9eed3ee7d222b76511ea7a22c89e7eefd Mon Sep 17 00:00:00 2001 +From: Bibek Kumar Patro +Date: Wed, 13 Sep 2023 12:37:02 +0530 +Subject: mtd: rawnand: qcom: Unmap the right resource upon probe failure + +From: Bibek Kumar Patro + +commit 5279f4a9eed3ee7d222b76511ea7a22c89e7eefd upstream. + +We currently provide the physical address of the DMA region +rather than the output of dma_map_resource() which is obviously wrong. + +Fixes: 7330fc505af4 ("mtd: rawnand: qcom: stop using phys_to_dma()") +Cc: stable@vger.kernel.org +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Bibek Kumar Patro +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20230913070702.12707-1-quic_bibekkum@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/qcom_nandc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/qcom_nandc.c ++++ b/drivers/mtd/nand/raw/qcom_nandc.c +@@ -3310,7 +3310,7 @@ err_nandc_alloc: + err_aon_clk: + clk_disable_unprepare(nandc->core_clk); + err_core_clk: +- dma_unmap_resource(dev, res->start, resource_size(res), ++ dma_unmap_resource(dev, nandc->base_dma, resource_size(res), + DMA_BIDIRECTIONAL, 0); + return ret; + } diff --git a/queue-6.1/mtd-spinand-micron-correct-bitmask-for-ecc-status.patch b/queue-6.1/mtd-spinand-micron-correct-bitmask-for-ecc-status.patch new file mode 100644 index 00000000000..a8db5a1e10b --- /dev/null +++ b/queue-6.1/mtd-spinand-micron-correct-bitmask-for-ecc-status.patch @@ -0,0 +1,32 @@ +From 9836a987860e33943945d4b257729a4f94eae576 Mon Sep 17 00:00:00 2001 +From: Martin Kurbanov +Date: Tue, 5 Sep 2023 17:56:37 +0300 +Subject: mtd: spinand: micron: correct bitmask for ecc status + +From: Martin Kurbanov + +commit 9836a987860e33943945d4b257729a4f94eae576 upstream. + +Valid bitmask is 0x70 in the status register. 
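+
+[Editor's illustration, not part of the upstream patch: a userspace copy
+of the kernel's GENMASK() shows why the mask must stop at bit 6; the
+status value below is made up.]
+
+  #include <stdio.h>
+
+  #define GENMASK(h, l) \
+          (((~0UL) << (l)) & (~0UL >> (8 * sizeof(unsigned long) - 1 - (h))))
+
+  int main(void)
+  {
+          unsigned long status = 0xb0;  /* made-up value with bit 7 set */
+
+          printf("GENMASK(7, 4) = 0x%02lx (old mask, wrongly takes bit 7)\n",
+                 GENMASK(7, 4));        /* 0xf0 */
+          printf("GENMASK(6, 4) = 0x%02lx (ECC status field)\n",
+                 GENMASK(6, 4));        /* 0x70 */
+          printf("status & old = 0x%02lx, status & new = 0x%02lx\n",
+                 status & GENMASK(7, 4), status & GENMASK(6, 4));
+          return 0;
+  }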
+
+Fixes: a508e8875e13 ("mtd: spinand: Add initial support for Micron MT29F2G01ABAGD")
+Signed-off-by: Martin Kurbanov
+Reviewed-by: Frieder Schrempf
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20230905145637.139068-1-mmkurbanov@sberdevices.ru
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/spi/micron.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/spi/micron.c
++++ b/drivers/mtd/nand/spi/micron.c
+@@ -12,7 +12,7 @@
+
+ #define SPINAND_MFR_MICRON 0x2c
+
+-#define MICRON_STATUS_ECC_MASK GENMASK(7, 4)
++#define MICRON_STATUS_ECC_MASK GENMASK(6, 4)
+ #define MICRON_STATUS_ECC_NO_BITFLIPS (0 << 4)
+ #define MICRON_STATUS_ECC_1TO3_BITFLIPS (1 << 4)
+ #define MICRON_STATUS_ECC_4TO6_BITFLIPS (3 << 4)
diff --git a/queue-6.1/nfs42-client-needs-to-strip-file-mode-s-suid-sgid-bit-after-allocate-op.patch b/queue-6.1/nfs42-client-needs-to-strip-file-mode-s-suid-sgid-bit-after-allocate-op.patch
new file mode 100644
index 00000000000..ec7972974c5
--- /dev/null
+++ b/queue-6.1/nfs42-client-needs-to-strip-file-mode-s-suid-sgid-bit-after-allocate-op.patch
@@ -0,0 +1,38 @@
+From f588d72bd95f748849685412b1f0c7959ca228cf Mon Sep 17 00:00:00 2001
+From: Dai Ngo
+Date: Mon, 18 Sep 2023 23:30:20 -0700
+Subject: nfs42: client needs to strip file mode's suid/sgid bit after ALLOCATE op
+
+From: Dai Ngo
+
+commit f588d72bd95f748849685412b1f0c7959ca228cf upstream.
+
+The Linux NFS server strips the SUID and SGID from the file mode
+on ALLOCATE op.
+
+Modify _nfs42_proc_fallocate to add NFS_INO_REVAL_FORCED to
+nfs_set_cache_invalid's argument to force update of the file
+mode suid/sgid bit.
+
+Suggested-by: Trond Myklebust
+Signed-off-by: Dai Ngo
+Reviewed-by: Jeff Layton
+Tested-by: Jeff Layton
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/nfs42proc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs42proc.c
++++ b/fs/nfs/nfs42proc.c
+@@ -81,7 +81,8 @@ static int _nfs42_proc_fallocate(struct
+ if (status == 0) {
+ if (nfs_should_remove_suid(inode)) {
+ spin_lock(&inode->i_lock);
+- nfs_set_cache_invalid(inode, NFS_INO_INVALID_MODE);
++ nfs_set_cache_invalid(inode,
++ NFS_INO_REVAL_FORCED | NFS_INO_INVALID_MODE);
+ spin_unlock(&inode->i_lock);
+ }
+ status = nfs_post_op_update_inode_force_wcc(inode,
diff --git a/queue-6.1/nfsv4.1-fixup-use-exchgid4_flag_use_pnfs_ds-for-ds-server.patch b/queue-6.1/nfsv4.1-fixup-use-exchgid4_flag_use_pnfs_ds-for-ds-server.patch
new file mode 100644
index 00000000000..c114f18e041
--- /dev/null
+++ b/queue-6.1/nfsv4.1-fixup-use-exchgid4_flag_use_pnfs_ds-for-ds-server.patch
@@ -0,0 +1,40 @@
+From 379e4adfddd6a2f95a4f2029b8ddcbacf92b21f9 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia
+Date: Mon, 9 Oct 2023 10:59:01 -0400
+Subject: NFSv4.1: fixup use EXCHGID4_FLAG_USE_PNFS_DS for DS server
+
+From: Olga Kornievskaia
+
+commit 379e4adfddd6a2f95a4f2029b8ddcbacf92b21f9 upstream.
+
+This patch fixes commit 51d674a5e488 "NFSv4.1: use
+EXCHGID4_FLAG_USE_PNFS_DS for DS server"; the purpose of that
+commit was to mark the EXCHANGE_ID to the DS with the appropriate
+flag.
+
+However, the connection to the MDS can return both
+EXCHGID4_FLAG_USE_PNFS_DS and EXCHGID4_FLAG_USE_PNFS_MDS set, but the
+previous patch would only remember USE_PNFS_DS and send that to the
+MDS on the 2nd EXCHANGE_ID.
+
+Instead, just mark the pnfs path exclusively.
+ +Fixes: 51d674a5e488 ("NFSv4.1: use EXCHGID4_FLAG_USE_PNFS_DS for DS server") +Signed-off-by: Olga Kornievskaia +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -8875,8 +8875,6 @@ static int _nfs4_proc_exchange_id(struct + /* Save the EXCHANGE_ID verifier session trunk tests */ + memcpy(clp->cl_confirm.data, argp->verifier.data, + sizeof(clp->cl_confirm.data)); +- if (resp->flags & EXCHGID4_FLAG_USE_PNFS_DS) +- set_bit(NFS_CS_DS, &clp->cl_flags); + out: + trace_nfs4_exchange_id(clp, status); + rpc_put_task(task); diff --git a/queue-6.1/nvme-pci-add-bogus_nid-for-intel-0a54-device.patch b/queue-6.1/nvme-pci-add-bogus_nid-for-intel-0a54-device.patch new file mode 100644 index 00000000000..48185799b6a --- /dev/null +++ b/queue-6.1/nvme-pci-add-bogus_nid-for-intel-0a54-device.patch @@ -0,0 +1,32 @@ +From 5c3f4066462a5f6cac04d3dd81c9f551fabbc6c7 Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Thu, 12 Oct 2023 11:13:51 -0700 +Subject: nvme-pci: add BOGUS_NID for Intel 0a54 device + +From: Keith Busch + +commit 5c3f4066462a5f6cac04d3dd81c9f551fabbc6c7 upstream. + +These ones claim cmic and nmic capable, so need special consideration to ignore +their duplicate identifiers. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217981 +Reported-by: welsh@cassens.com +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3439,7 +3439,8 @@ static const struct pci_device_id nvme_i + { PCI_VDEVICE(INTEL, 0x0a54), /* Intel P4500/P4600 */ + .driver_data = NVME_QUIRK_STRIPE_SIZE | + NVME_QUIRK_DEALLOCATE_ZEROES | +- NVME_QUIRK_IGNORE_DEV_SUBNQN, }, ++ NVME_QUIRK_IGNORE_DEV_SUBNQN | ++ NVME_QUIRK_BOGUS_NID, }, + { PCI_VDEVICE(INTEL, 0x0a55), /* Dell Express Flash P4600 */ + .driver_data = NVME_QUIRK_STRIPE_SIZE | + NVME_QUIRK_DEALLOCATE_ZEROES, }, diff --git a/queue-6.1/nvme-rdma-do-not-try-to-stop-unallocated-queues.patch b/queue-6.1/nvme-rdma-do-not-try-to-stop-unallocated-queues.patch new file mode 100644 index 00000000000..f5495fa3b22 --- /dev/null +++ b/queue-6.1/nvme-rdma-do-not-try-to-stop-unallocated-queues.patch @@ -0,0 +1,43 @@ +From 3820c4fdc247b6f0a4162733bdb8ddf8f2e8a1e4 Mon Sep 17 00:00:00 2001 +From: Maurizio Lombardi +Date: Mon, 31 Jul 2023 12:37:58 +0200 +Subject: nvme-rdma: do not try to stop unallocated queues + +From: Maurizio Lombardi + +commit 3820c4fdc247b6f0a4162733bdb8ddf8f2e8a1e4 upstream. + +Trying to stop a queue which hasn't been allocated will result +in a warning due to calling mutex_lock() against an uninitialized mutex. 
+ + DEBUG_LOCKS_WARN_ON(lock->magic != lock) + WARNING: CPU: 4 PID: 104150 at kernel/locking/mutex.c:579 + + Call trace: + RIP: 0010:__mutex_lock+0x1173/0x14a0 + nvme_rdma_stop_queue+0x1b/0xa0 [nvme_rdma] + nvme_rdma_teardown_io_queues.part.0+0xb0/0x1d0 [nvme_rdma] + nvme_rdma_delete_ctrl+0x50/0x100 [nvme_rdma] + nvme_do_delete_ctrl+0x149/0x158 [nvme_core] + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Sagi Grimberg +Tested-by: Yi Zhang +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/rdma.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -643,6 +643,9 @@ static void __nvme_rdma_stop_queue(struc + + static void nvme_rdma_stop_queue(struct nvme_rdma_queue *queue) + { ++ if (!test_bit(NVME_RDMA_Q_ALLOCATED, &queue->flags)) ++ return; ++ + mutex_lock(&queue->queue_lock); + if (test_and_clear_bit(NVME_RDMA_Q_LIVE, &queue->flags)) + __nvme_rdma_stop_queue(queue); diff --git a/queue-6.1/nvme-sanitize-metadata-bounce-buffer-for-reads.patch b/queue-6.1/nvme-sanitize-metadata-bounce-buffer-for-reads.patch new file mode 100644 index 00000000000..f079055ebae --- /dev/null +++ b/queue-6.1/nvme-sanitize-metadata-bounce-buffer-for-reads.patch @@ -0,0 +1,43 @@ +From 2b32c76e2b0154b98b9322ae7546b8156cd703e6 Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Mon, 16 Oct 2023 13:12:47 -0700 +Subject: nvme: sanitize metadata bounce buffer for reads + +From: Keith Busch + +commit 2b32c76e2b0154b98b9322ae7546b8156cd703e6 upstream. + +User can request more metadata bytes than the device will write. Ensure +kernel buffer is initialized so we're not leaking unsanitized memory on +the copy-out. + +Fixes: 0b7f1f26f95a51a ("nvme: use the block layer for userspace passthrough metadata") +Reviewed-by: Jens Axboe +Reviewed-by: Christoph Hellwig +Reviewed-by: Kanchan Joshi +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/ioctl.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/nvme/host/ioctl.c ++++ b/drivers/nvme/host/ioctl.c +@@ -32,9 +32,13 @@ static void *nvme_add_user_metadata(stru + if (!buf) + goto out; + +- ret = -EFAULT; +- if ((req_op(req) == REQ_OP_DRV_OUT) && copy_from_user(buf, ubuf, len)) +- goto out_free_meta; ++ if (req_op(req) == REQ_OP_DRV_OUT) { ++ ret = -EFAULT; ++ if (copy_from_user(buf, ubuf, len)) ++ goto out_free_meta; ++ } else { ++ memset(buf, 0, len); ++ } + + bip = bio_integrity_alloc(bio, GFP_KERNEL, 1); + if (IS_ERR(bip)) { diff --git a/queue-6.1/nvmet-auth-complete-a-request-only-after-freeing-the-dhchap-pointers.patch b/queue-6.1/nvmet-auth-complete-a-request-only-after-freeing-the-dhchap-pointers.patch new file mode 100644 index 00000000000..aaff1145c6a --- /dev/null +++ b/queue-6.1/nvmet-auth-complete-a-request-only-after-freeing-the-dhchap-pointers.patch @@ -0,0 +1,100 @@ +From f965b281fd872b2e18bd82dd97730db9834d0750 Mon Sep 17 00:00:00 2001 +From: Maurizio Lombardi +Date: Tue, 17 Oct 2023 10:28:45 +0200 +Subject: nvmet-auth: complete a request only after freeing the dhchap pointers + +From: Maurizio Lombardi + +commit f965b281fd872b2e18bd82dd97730db9834d0750 upstream. + +It may happen that the work to destroy a queue +(for example nvmet_tcp_release_queue_work()) is started while +an auth-send or auth-receive command is still completing. 
+ +nvmet_sq_destroy() will block, waiting for all the references +to the sq to be dropped, the last reference is then +dropped when nvmet_req_complete() is called. + +When this happens, both nvmet_sq_destroy() and +nvmet_execute_auth_send()/_receive() will free the dhchap pointers by +calling nvmet_auth_sq_free(). +Since there isn't any lock, the two threads may race against each other, +causing double frees and memory corruptions, as reported by KASAN. + +Reproduced by stress blktests nvme/041 nvme/042 nvme/043 + + nvme nvme2: qid 0: authenticated with hash hmac(sha512) dhgroup ffdhe4096 + ================================================================== + BUG: KASAN: double-free in kfree+0xec/0x4b0 + + Call Trace: + + kfree+0xec/0x4b0 + nvmet_auth_sq_free+0xe1/0x160 [nvmet] + nvmet_execute_auth_send+0x482/0x16d0 [nvmet] + process_one_work+0x8e5/0x1510 + + Allocated by task 191846: + __kasan_kmalloc+0x81/0xa0 + nvmet_auth_ctrl_sesskey+0xf6/0x380 [nvmet] + nvmet_auth_reply+0x119/0x990 [nvmet] + + Freed by task 143270: + kfree+0xec/0x4b0 + nvmet_auth_sq_free+0xe1/0x160 [nvmet] + process_one_work+0x8e5/0x1510 + +Fix this bug by calling nvmet_req_complete() only after freeing the +pointers, so we will prevent the race by holding the sq reference. + +V2: remove redundant code + +Fixes: db1312dd9548 ("nvmet: implement basic In-Band Authentication") +Signed-off-by: Maurizio Lombardi +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/fabrics-cmd-auth.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/nvme/target/fabrics-cmd-auth.c ++++ b/drivers/nvme/target/fabrics-cmd-auth.c +@@ -337,19 +337,21 @@ done: + __func__, ctrl->cntlid, req->sq->qid, + status, req->error_loc); + req->cqe->result.u64 = 0; +- nvmet_req_complete(req, status); + if (req->sq->dhchap_step != NVME_AUTH_DHCHAP_MESSAGE_SUCCESS2 && + req->sq->dhchap_step != NVME_AUTH_DHCHAP_MESSAGE_FAILURE2) { + unsigned long auth_expire_secs = ctrl->kato ? ctrl->kato : 120; + + mod_delayed_work(system_wq, &req->sq->auth_expired_work, + auth_expire_secs * HZ); +- return; ++ goto complete; + } + /* Final states, clear up variables */ + nvmet_auth_sq_free(req->sq); + if (req->sq->dhchap_step == NVME_AUTH_DHCHAP_MESSAGE_FAILURE2) + nvmet_ctrl_fatal_error(ctrl); ++ ++complete: ++ nvmet_req_complete(req, status); + } + + static int nvmet_auth_challenge(struct nvmet_req *req, void *d, int al) +@@ -527,11 +529,12 @@ void nvmet_execute_auth_receive(struct n + kfree(d); + done: + req->cqe->result.u64 = 0; +- nvmet_req_complete(req, status); ++ + if (req->sq->dhchap_step == NVME_AUTH_DHCHAP_MESSAGE_SUCCESS2) + nvmet_auth_sq_free(req->sq); + else if (req->sq->dhchap_step == NVME_AUTH_DHCHAP_MESSAGE_FAILURE1) { + nvmet_auth_sq_free(req->sq); + nvmet_ctrl_fatal_error(ctrl); + } ++ nvmet_req_complete(req, status); + } diff --git a/queue-6.1/pnfs-fix-a-hang-in-nfs4_evict_inode.patch b/queue-6.1/pnfs-fix-a-hang-in-nfs4_evict_inode.patch new file mode 100644 index 00000000000..da010031806 --- /dev/null +++ b/queue-6.1/pnfs-fix-a-hang-in-nfs4_evict_inode.patch @@ -0,0 +1,84 @@ +From f63955721a8020e979b99cc417dcb6da3106aa24 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sun, 8 Oct 2023 14:20:19 -0400 +Subject: pNFS: Fix a hang in nfs4_evict_inode() + +From: Trond Myklebust + +commit f63955721a8020e979b99cc417dcb6da3106aa24 upstream. 
+
+We are not allowed to call pnfs_mark_matching_lsegs_return() without
+also holding a reference to the layout header, since doing so could lead
+to the reference count going to zero when we call
+pnfs_layout_remove_lseg(). This in turn can lead to a hang when we get to
+nfs4_evict_inode() and are unable to clear the layout pointer.
+
+pnfs_layout_return_unused_byserver() is guilty of this behaviour, and
+has been seen to trigger the refcount warning prior to a hang.
+
+Fixes: b6d49ecd1081 ("NFSv4: Fix a pNFS layout related use-after-free race when freeing the inode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Trond Myklebust
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/pnfs.c | 33 +++++++++++++++++++++++----------
+ 1 file changed, 23 insertions(+), 10 deletions(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -2634,31 +2634,44 @@ pnfs_should_return_unused_layout(struct
+ 	return mode == 0;
+ }
+
+-static int
+-pnfs_layout_return_unused_byserver(struct nfs_server *server, void *data)
++static int pnfs_layout_return_unused_byserver(struct nfs_server *server,
++					      void *data)
+ {
+ 	const struct pnfs_layout_range *range = data;
++	const struct cred *cred;
+ 	struct pnfs_layout_hdr *lo;
+ 	struct inode *inode;
++	nfs4_stateid stateid;
++	enum pnfs_iomode iomode;
++
+ restart:
+ 	rcu_read_lock();
+ 	list_for_each_entry_rcu(lo, &server->layouts, plh_layouts) {
+-		if (!pnfs_layout_can_be_returned(lo) ||
++		inode = lo->plh_inode;
++		if (!inode || !pnfs_layout_can_be_returned(lo) ||
+ 		    test_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags))
+ 			continue;
+-		inode = lo->plh_inode;
+ 		spin_lock(&inode->i_lock);
+-		if (!pnfs_should_return_unused_layout(lo, range)) {
++		if (!lo->plh_inode ||
++		    !pnfs_should_return_unused_layout(lo, range)) {
+ 			spin_unlock(&inode->i_lock);
+ 			continue;
+ 		}
++		pnfs_get_layout_hdr(lo);
++		pnfs_set_plh_return_info(lo, range->iomode, 0);
++		if (pnfs_mark_matching_lsegs_return(lo, &lo->plh_return_segs,
++						    range, 0) != 0 ||
++		    !pnfs_prepare_layoutreturn(lo, &stateid, &cred, &iomode)) {
++			spin_unlock(&inode->i_lock);
++			rcu_read_unlock();
++			pnfs_put_layout_hdr(lo);
++			cond_resched();
++			goto restart;
++		}
+ 		spin_unlock(&inode->i_lock);
+-		inode = pnfs_grab_inode_layout_hdr(lo);
+-		if (!inode)
+-			continue;
+ 		rcu_read_unlock();
+-		pnfs_mark_layout_for_return(inode, range);
+-		iput(inode);
++		pnfs_send_layoutreturn(lo, &stateid, &cred, iomode, false);
++		pnfs_put_layout_hdr(lo);
+ 		cond_resched();
+ 		goto restart;
+ 	}
diff --git a/queue-6.1/pnfs-flexfiles-check-the-layout-validity-in-ff_layout_mirror_prepare_stats.patch b/queue-6.1/pnfs-flexfiles-check-the-layout-validity-in-ff_layout_mirror_prepare_stats.patch
new file mode 100644
index 00000000000..b79966876c4
--- /dev/null
+++ b/queue-6.1/pnfs-flexfiles-check-the-layout-validity-in-ff_layout_mirror_prepare_stats.patch
@@ -0,0 +1,54 @@
+From e1c6cfbb3bd1377e2ddcbe06cf8fb1ec323ea7d3 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Sun, 8 Oct 2023 14:28:46 -0400
+Subject: pNFS/flexfiles: Check the layout validity in ff_layout_mirror_prepare_stats
+
+From: Trond Myklebust
+
+commit e1c6cfbb3bd1377e2ddcbe06cf8fb1ec323ea7d3 upstream.
+
+Ensure that we check the layout pointer and validity before dereferencing
+it in ff_layout_mirror_prepare_stats.
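(To illustrate the guard this patch adds: a schematic, runnable C sketch with
hypothetical types; struct layout and struct file_state are invented, not the
NFS structures. The pointer and the validity flag are checked before any
dereference, and a missing or invalid layout simply reports zero devices.)

  #include <stdio.h>

  struct layout {
  	int valid;              /* cleared once the layout is invalidated */
  	int nmirrors;
  };

  struct file_state {
  	struct layout *layout;  /* may be NULL after the layout is freed */
  };

  static int prepare_layoutstats(const struct file_state *fs)
  {
  	const struct layout *lo = fs->layout;

  	/* Check the pointer and its validity first, dereference second. */
  	if (lo && lo->valid)
  		return lo->nmirrors;
  	return 0;
  }

  int main(void)
  {
  	struct layout lo = { .valid = 1, .nmirrors = 4 };
  	struct file_state live = { .layout = &lo };
  	struct file_state evicted = { .layout = NULL };

  	printf("live: %d devices\n", prepare_layoutstats(&live));
  	printf("evicted: %d devices\n", prepare_layoutstats(&evicted));
  	return 0;
  }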
+
+Fixes: 08e2e5bc6c9a ("pNFS/flexfiles: Clean up layoutstats")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -2520,9 +2520,9 @@ ff_layout_mirror_prepare_stats(struct pn
+ 	return i;
+ }
+
+-static int
+-ff_layout_prepare_layoutstats(struct nfs42_layoutstat_args *args)
++static int ff_layout_prepare_layoutstats(struct nfs42_layoutstat_args *args)
+ {
++	struct pnfs_layout_hdr *lo;
+ 	struct nfs4_flexfile_layout *ff_layout;
+ 	const int dev_count = PNFS_LAYOUTSTATS_MAXDEV;
+
+@@ -2533,11 +2533,14 @@ ff_layout_prepare_layoutstats(struct nfs
+ 		return -ENOMEM;
+
+ 	spin_lock(&args->inode->i_lock);
+-	ff_layout = FF_LAYOUT_FROM_HDR(NFS_I(args->inode)->layout);
+-	args->num_dev = ff_layout_mirror_prepare_stats(&ff_layout->generic_hdr,
+-						       &args->devinfo[0],
+-						       dev_count,
+-						       NFS4_FF_OP_LAYOUTSTATS);
++	lo = NFS_I(args->inode)->layout;
++	if (lo && pnfs_layout_is_valid(lo)) {
++		ff_layout = FF_LAYOUT_FROM_HDR(lo);
++		args->num_dev = ff_layout_mirror_prepare_stats(
++			&ff_layout->generic_hdr, &args->devinfo[0], dev_count,
++			NFS4_FF_OP_LAYOUTSTATS);
++	} else
++		args->num_dev = 0;
+ 	spin_unlock(&args->inode->i_lock);
+ 	if (!args->num_dev) {
+ 		kfree(args->devinfo);
diff --git a/queue-6.1/revert-pinctrl-avoid-unsafe-code-pattern-in-find_pinctrl.patch b/queue-6.1/revert-pinctrl-avoid-unsafe-code-pattern-in-find_pinctrl.patch
new file mode 100644
index 00000000000..78430218e8a
--- /dev/null
+++ b/queue-6.1/revert-pinctrl-avoid-unsafe-code-pattern-in-find_pinctrl.patch
@@ -0,0 +1,77 @@
+From 62140a1e4dec4594d5d1e1d353747bf2ef434e8b Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Tue, 17 Oct 2023 17:18:06 +0300
+Subject: Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()"
+
+From: Andy Shevchenko
+
+commit 62140a1e4dec4594d5d1e1d353747bf2ef434e8b upstream.
+
+The commit breaks MMC enumeration on the Intel Merrifield
+platform.
+
+Before:
+[ 36.439057] mmc0: SDHCI controller on PCI [0000:00:01.0] using ADMA
+[ 36.450924] mmc2: SDHCI controller on PCI [0000:00:01.3] using ADMA
+[ 36.459355] mmc1: SDHCI controller on PCI [0000:00:01.2] using ADMA
+[ 36.706399] mmc0: new DDR MMC card at address 0001
+[ 37.058972] mmc2: new ultra high speed DDR50 SDIO card at address 0001
+[ 37.278977] mmcblk0: mmc0:0001 H4G1d 3.64 GiB
+[ 37.297300] mmcblk0: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10
+
+After:
+[ 36.436704] mmc2: SDHCI controller on PCI [0000:00:01.3] using ADMA
+[ 36.436720] mmc1: SDHCI controller on PCI [0000:00:01.0] using ADMA
+[ 36.463685] mmc0: SDHCI controller on PCI [0000:00:01.2] using ADMA
+[ 36.720627] mmc1: new DDR MMC card at address 0001
+[ 37.068181] mmc2: new ultra high speed DDR50 SDIO card at address 0001
+[ 37.279998] mmcblk1: mmc1:0001 H4G1d 3.64 GiB
+[ 37.302670] mmcblk1: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10
+
+This reverts commit c153a4edff6ab01370fcac8e46f9c89cca1060c2.
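(For context, a hypothetical userspace sketch, with invented names rather
than the pinctrl code, of the shape this revert restores: the list walk is
serialized by a mutex, while the reference count is bumped by the caller
after the lookup returns. The window between dropping the lock and taking
the reference is the "unsafe code pattern" the reverted commit had tried to
close; the revert accepts that window again in exchange for the old MMC
enumeration behaviour shown in the logs above.)

  #include <pthread.h>
  #include <stdatomic.h>
  #include <stdio.h>

  struct obj {
  	int id;
  	atomic_int users;
  	struct obj *next;
  };

  static pthread_mutex_t list_lock = PTHREAD_MUTEX_INITIALIZER;
  static struct obj *obj_list;

  /* The walk is locked, but taking the reference is left to the caller. */
  static struct obj *find_obj(int id)
  {
  	struct obj *o;

  	pthread_mutex_lock(&list_lock);
  	for (o = obj_list; o; o = o->next)
  		if (o->id == id)
  			break;
  	pthread_mutex_unlock(&list_lock);
  	return o;
  }

  static struct obj *get_obj(int id)
  {
  	struct obj *o = find_obj(id);

  	if (o)
  		atomic_fetch_add(&o->users, 1); /* ref taken after lookup */
  	return o;
  }

  int main(void)
  {
  	struct obj a = { .id = 1 };

  	obj_list = &a;
  	if (get_obj(1))
  		printf("obj 1 users: %d\n", atomic_load(&a.users));
  	return 0;
  }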
+ +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20231017141806.535191-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/core.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +--- a/drivers/pinctrl/core.c ++++ b/drivers/pinctrl/core.c +@@ -1007,20 +1007,17 @@ static int add_setting(struct pinctrl *p + + static struct pinctrl *find_pinctrl(struct device *dev) + { +- struct pinctrl *entry, *p = NULL; ++ struct pinctrl *p; + + mutex_lock(&pinctrl_list_mutex); +- +- list_for_each_entry(entry, &pinctrl_list, node) { +- if (entry->dev == dev) { +- p = entry; +- kref_get(&p->users); +- break; ++ list_for_each_entry(p, &pinctrl_list, node) ++ if (p->dev == dev) { ++ mutex_unlock(&pinctrl_list_mutex); ++ return p; + } +- } + + mutex_unlock(&pinctrl_list_mutex); +- return p; ++ return NULL; + } + + static void pinctrl_free(struct pinctrl *p, bool inlist); +@@ -1129,6 +1126,7 @@ struct pinctrl *pinctrl_get(struct devic + p = find_pinctrl(dev); + if (p) { + dev_dbg(dev, "obtain a copy of previously claimed pinctrl\n"); ++ kref_get(&p->users); + return p; + } + diff --git a/queue-6.1/series b/queue-6.1/series index 8fe31df2744..1df8cfec54c 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -157,3 +157,25 @@ net-devlink-track-netdev-with-devlink_port-assigned.patch net-store-netdevs-in-an-xarray.patch net-move-altnames-together-with-the-netdevice.patch net-smc-fix-smc-clc-failed-issue-when-netdevice-not-.patch +mtd-rawnand-qcom-unmap-the-right-resource-upon-probe-failure.patch +mtd-rawnand-pl353-ensure-program-page-operations-are-successful.patch +mtd-rawnand-marvell-ensure-program-page-operations-are-successful.patch +mtd-rawnand-arasan-ensure-program-page-operations-are-successful.patch +mtd-spinand-micron-correct-bitmask-for-ecc-status.patch +mtd-physmap-core-restore-map_rom-fallback.patch +dt-bindings-mmc-sdhci-msm-correct-minimum-number-of-clocks.patch +mmc-sdhci-pci-gli-fix-lpm-negotiation-so-x86-s0ix-socs-can-suspend.patch +mmc-mtk-sd-use-readl_poll_timeout_atomic-in-msdc_reset_hw.patch +mmc-core-sdio-hold-retuning-if-sdio-in-1-bit-mode.patch +mmc-core-capture-correct-oemid-bits-for-emmc-cards.patch +revert-pinctrl-avoid-unsafe-code-pattern-in-find_pinctrl.patch +pnfs-fix-a-hang-in-nfs4_evict_inode.patch +pnfs-flexfiles-check-the-layout-validity-in-ff_layout_mirror_prepare_stats.patch +nfsv4.1-fixup-use-exchgid4_flag_use_pnfs_ds-for-ds-server.patch +acpi-irq-fix-incorrect-return-value-in-acpi_register_gsi.patch +nfs42-client-needs-to-strip-file-mode-s-suid-sgid-bit-after-allocate-op.patch +nvme-sanitize-metadata-bounce-buffer-for-reads.patch +nvme-pci-add-bogus_nid-for-intel-0a54-device.patch +nvmet-auth-complete-a-request-only-after-freeing-the-dhchap-pointers.patch +nvme-rdma-do-not-try-to-stop-unallocated-queues.patch +kvm-x86-mmu-stop-zapping-invalidated-tdp-mmu-roots-asynchronously.patch