From: Greg Kroah-Hartman Date: Thu, 23 Nov 2023 12:22:35 +0000 (+0000) Subject: 5.10-stable patches X-Git-Tag: v4.14.331~86 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=53850b58d7653bb4765b286ef9adff64d93ebfb7;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: dmaengine-stm32-mdma-correct-desc-prep-when-channel-running.patch i2c-core-run-atomic-i2c-xfer-when-preemptible.patch i3c-master-cdns-fix-reading-status-register.patch jbd2-fix-potential-data-lost-in-recovering-journal-raced-with-synchronizing-fs-bdev.patch kernel-reboot-emergency_restart-set-correct-system_state.patch mcb-fix-error-handling-for-different-scenarios-when-parsing.patch mm-cma-use-nth_page-in-place-of-direct-struct-page-manipulation.patch mm-memory_hotplug-use-pfn-math-in-place-of-direct-struct-page-manipulation.patch mtd-cfi_cmdset_0001-byte-swap-otp-info.patch quota-explicitly-forbid-quota-files-from-being-encrypted.patch s390-cmma-fix-handling-of-swapper_pg_dir-and-invalid_pg_dir.patch s390-cmma-fix-initial-kernel-address-space-page-table-walk.patch --- diff --git a/queue-5.10/dmaengine-stm32-mdma-correct-desc-prep-when-channel-running.patch b/queue-5.10/dmaengine-stm32-mdma-correct-desc-prep-when-channel-running.patch new file mode 100644 index 00000000000..23ba4530e45 --- /dev/null +++ b/queue-5.10/dmaengine-stm32-mdma-correct-desc-prep-when-channel-running.patch 
@@ -0,0 +1,48 @@ +From 03f25d53b145bc2f7ccc82fc04e4482ed734f524 Mon Sep 17 00:00:00 2001 +From: Alain Volmat +Date: Mon, 9 Oct 2023 10:24:50 +0200 +Subject: dmaengine: stm32-mdma: correct desc prep when channel running + +From: Alain Volmat + +commit 03f25d53b145bc2f7ccc82fc04e4482ed734f524 upstream. + +In case of the prep descriptor while the channel is already running, the +CCR register value stored into the channel could already have its EN bit +set. This would lead to a bad transfer since, at start transfer time, +enabling the channel while other registers aren't yet properly set. +To avoid this, ensure to mask the CCR_EN bit when storing the ccr value +into the mdma channel structure. + +Fixes: a4ffb13c8946 ("dmaengine: Add STM32 MDMA driver") +Signed-off-by: Alain Volmat +Signed-off-by: Amelie Delaunay +Cc: stable@vger.kernel.org +Tested-by: Alain Volmat +Link: https://lore.kernel.org/r/20231009082450.452877-1-amelie.delaunay@foss.st.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/stm32-mdma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/dma/stm32-mdma.c ++++ b/drivers/dma/stm32-mdma.c +@@ -509,7 +509,7 @@ static int stm32_mdma_set_xfer_param(str + src_maxburst = chan->dma_config.src_maxburst; + dst_maxburst = chan->dma_config.dst_maxburst; + +- ccr = stm32_mdma_read(dmadev, STM32_MDMA_CCR(chan->id)); ++ ccr = stm32_mdma_read(dmadev, STM32_MDMA_CCR(chan->id)) & ~STM32_MDMA_CCR_EN; + ctcr = stm32_mdma_read(dmadev, STM32_MDMA_CTCR(chan->id)); + ctbr = stm32_mdma_read(dmadev, STM32_MDMA_CTBR(chan->id)); + +@@ -937,7 +937,7 @@ stm32_mdma_prep_dma_memcpy(struct dma_ch + if (!desc) + return NULL; + +- ccr = stm32_mdma_read(dmadev, STM32_MDMA_CCR(chan->id)); ++ ccr = stm32_mdma_read(dmadev, STM32_MDMA_CCR(chan->id)) & ~STM32_MDMA_CCR_EN; + ctcr = stm32_mdma_read(dmadev, STM32_MDMA_CTCR(chan->id)); + ctbr = stm32_mdma_read(dmadev, STM32_MDMA_CTBR(chan->id)); + cbndtr = stm32_mdma_read(dmadev, 
STM32_MDMA_CBNDTR(chan->id)); diff --git a/queue-5.10/i2c-core-run-atomic-i2c-xfer-when-preemptible.patch b/queue-5.10/i2c-core-run-atomic-i2c-xfer-when-preemptible.patch new file mode 100644 index 00000000000..d15481f2061 --- /dev/null +++ b/queue-5.10/i2c-core-run-atomic-i2c-xfer-when-preemptible.patch 
@@ -0,0 +1,54 @@
+From aa49c90894d06e18a1ee7c095edbd2f37c232d02 Mon Sep 17 00:00:00 2001
+From: Benjamin Bara
+Date: Sat, 15 Jul 2023 09:53:24 +0200
+Subject: i2c: core: Run atomic i2c xfer when !preemptible
+
+From: Benjamin Bara
+
+commit aa49c90894d06e18a1ee7c095edbd2f37c232d02 upstream.
+
+Since bae1d3a05a8b, i2c transfers are non-atomic if preemption is
+disabled. However, non-atomic i2c transfers require preemption (e.g. in
+wait_for_completion() while waiting for the DMA).
+
+panic() calls preempt_disable_notrace() before calling
+emergency_restart(). Therefore, if an i2c device is used for the
+restart, the xfer should be atomic. This avoids warnings like:
+
+[ 12.667612] WARNING: CPU: 1 PID: 1 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x33c/0x6b0
+[ 12.676926] Voluntary context switch within RCU read-side critical section!
+...
+[ 12.742376] schedule_timeout from wait_for_completion_timeout+0x90/0x114
+[ 12.749179] wait_for_completion_timeout from tegra_i2c_wait_completion+0x40/0x70
+...
+[ 12.994527] atomic_notifier_call_chain from machine_restart+0x34/0x58
+[ 13.001050] machine_restart from panic+0x2a8/0x32c
+
+Use !preemptible() instead, which is basically the same check as
+pre-v5.2.
+
+Fixes: bae1d3a05a8b ("i2c: core: remove use of in_atomic()")
+Cc: stable@vger.kernel.org # v5.2+
+Suggested-by: Dmitry Osipenko
+Acked-by: Wolfram Sang
+Reviewed-by: Dmitry Osipenko
+Tested-by: Nishanth Menon
+Signed-off-by: Benjamin Bara
+Link: https://lore.kernel.org/r/20230327-tegra-pmic-reboot-v7-2-18699d5dcd76@skidata.com
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/i2c-core.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/i2c-core.h
++++ b/drivers/i2c/i2c-core.h
+@@ -29,7 +29,7 @@ int i2c_dev_irq_from_resources(const str
+ */
+ static inline bool i2c_in_atomic_xfer_mode(void)
+ {
+- return system_state > SYSTEM_RUNNING && irqs_disabled();
++ return system_state > SYSTEM_RUNNING && !preemptible();
+ }
+
+ static inline int __i2c_lock_bus_helper(struct i2c_adapter *adap)
diff --git a/queue-5.10/i3c-master-cdns-fix-reading-status-register.patch b/queue-5.10/i3c-master-cdns-fix-reading-status-register.patch
new file mode 100644
index 00000000000..2cabe14c2d5
--- /dev/null
+++ b/queue-5.10/i3c-master-cdns-fix-reading-status-register.patch
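Review bot: The new test in `i2c_in_atomic_xfer_mode()` relies on `preemptible()`, which is only meaningful when the kernel tracks the preempt count; on builds without CONFIG_PREEMPT_COUNT it is defined as constant 0, so `!preemptible()` is always true there. On such builds every transfer issued once `system_state > SYSTEM_RUNNING` holds, an ordinary reboot or shutdown included, would take the atomic path. If that is not intended, keep the old test for those builds, e.g. `return system_state > SYSTEM_RUNNING && (IS_ENABLED(CONFIG_PREEMPT_COUNT) ? !preemptible() : irqs_disabled());`. The comment block above the function starts outside the shown context, so whether it already documents this is not visible here.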
@@ -0,0 +1,49 @@ +From 4bd8405257da717cd556f99e5fb68693d12c9766 Mon Sep 17 00:00:00 2001 +From: Joshua Yeong +Date: Wed, 13 Sep 2023 11:17:45 +0800 +Subject: i3c: master: cdns: Fix reading status register + +From: Joshua Yeong + +commit 4bd8405257da717cd556f99e5fb68693d12c9766 upstream. + +IBIR_DEPTH and CMDR_DEPTH should read from status0 instead of status1. + +Cc: stable@vger.kernel.org +Fixes: 603f2bee2c54 ("i3c: master: Add driver for Cadence IP") +Signed-off-by: Joshua Yeong +Reviewed-by: Miquel Raynal +Link: https://lore.kernel.org/r/20230913031743.11439-2-joshua.yeong@starfivetech.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i3c/master/i3c-master-cdns.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/i3c/master/i3c-master-cdns.c ++++ b/drivers/i3c/master/i3c-master-cdns.c +@@ -192,7 +192,7 @@ + #define SLV_STATUS1_HJ_DIS BIT(18) + #define SLV_STATUS1_MR_DIS BIT(17) + #define SLV_STATUS1_PROT_ERR BIT(16) +-#define SLV_STATUS1_DA(x) (((s) & GENMASK(15, 9)) >> 9) ++#define SLV_STATUS1_DA(s) (((s) & GENMASK(15, 9)) >> 9) + #define SLV_STATUS1_HAS_DA BIT(8) + #define SLV_STATUS1_DDR_RX_FULL BIT(7) + #define SLV_STATUS1_DDR_TX_FULL BIT(6) +@@ -1622,13 +1622,13 @@ static int cdns_i3c_master_probe(struct + /* Device ID0 is reserved to describe this master. 
*/ + master->maxdevs = CONF_STATUS0_DEVS_NUM(val); + master->free_rr_slots = GENMASK(master->maxdevs, 1); ++ master->caps.ibirfifodepth = CONF_STATUS0_IBIR_DEPTH(val); ++ master->caps.cmdrfifodepth = CONF_STATUS0_CMDR_DEPTH(val); + + val = readl(master->regs + CONF_STATUS1); + master->caps.cmdfifodepth = CONF_STATUS1_CMD_DEPTH(val); + master->caps.rxfifodepth = CONF_STATUS1_RX_DEPTH(val); + master->caps.txfifodepth = CONF_STATUS1_TX_DEPTH(val); +- master->caps.ibirfifodepth = CONF_STATUS0_IBIR_DEPTH(val); +- master->caps.cmdrfifodepth = CONF_STATUS0_CMDR_DEPTH(val); + + spin_lock_init(&master->ibi.lock); + master->ibi.num_slots = CONF_STATUS1_IBI_HW_RES(val); diff --git a/queue-5.10/jbd2-fix-potential-data-lost-in-recovering-journal-raced-with-synchronizing-fs-bdev.patch b/queue-5.10/jbd2-fix-potential-data-lost-in-recovering-journal-raced-with-synchronizing-fs-bdev.patch new file mode 100644 index 00000000000..e654a888776 --- /dev/null +++ b/queue-5.10/jbd2-fix-potential-data-lost-in-recovering-journal-raced-with-synchronizing-fs-bdev.patch 
@@ -0,0 +1,94 @@ +From 61187fce8600e8ef90e601be84f9d0f3222c1206 Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Tue, 19 Sep 2023 09:25:25 +0800 +Subject: jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev + +From: Zhihao Cheng + +commit 61187fce8600e8ef90e601be84f9d0f3222c1206 upstream. + +JBD2 makes sure journal data is fallen on fs device by sync_blockdev(), +however, other process could intercept the EIO information from bdev's +mapping, which leads journal recovering successful even EIO occurs during +data written back to fs device. + +We found this problem in our product, iscsi + multipath is chosen for block +device of ext4. Unstable network may trigger kpartx to rescan partitions in +device mapper layer. Detailed process is shown as following: + + mount kpartx irq +jbd2_journal_recover + do_one_pass + memcpy(nbh->b_data, obh->b_data) // copy data to fs dev from journal + mark_buffer_dirty // mark bh dirty + vfs_read + generic_file_read_iter // dio + filemap_write_and_wait_range + __filemap_fdatawrite_range + do_writepages + block_write_full_folio + submit_bh_wbc + >> EIO occurs in disk << + end_buffer_async_write + mark_buffer_write_io_error + mapping_set_error + set_bit(AS_EIO, &mapping->flags) // set! + filemap_check_errors + test_and_clear_bit(AS_EIO, &mapping->flags) // clear! + err2 = sync_blockdev + filemap_write_and_wait + filemap_check_errors + test_and_clear_bit(AS_EIO, &mapping->flags) // false + err2 = 0 + +Filesystem is mounted successfully even data from journal is failed written +into disk, and ext4/ocfs2 could become corrupted. + +Fix it by comparing the wb_err state in fs block device before recovering +and after recovering. + +A reproducer can be found in the kernel bugzilla referenced below. 
+ +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217888 +Cc: stable@vger.kernel.org +Signed-off-by: Zhihao Cheng +Signed-off-by: Zhang Yi +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230919012525.1783108-1-chengzhihao1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/recovery.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/jbd2/recovery.c ++++ b/fs/jbd2/recovery.c +@@ -287,6 +287,8 @@ int jbd2_journal_recover(journal_t *jour + journal_superblock_t * sb; + + struct recovery_info info; ++ errseq_t wb_err; ++ struct address_space *mapping; + + memset(&info, 0, sizeof(info)); + sb = journal->j_superblock; +@@ -304,6 +306,9 @@ int jbd2_journal_recover(journal_t *jour + return 0; + } + ++ wb_err = 0; ++ mapping = journal->j_fs_dev->bd_inode->i_mapping; ++ errseq_check_and_advance(&mapping->wb_err, &wb_err); + err = do_one_pass(journal, &info, PASS_SCAN); + if (!err) + err = do_one_pass(journal, &info, PASS_REVOKE); +@@ -324,6 +329,9 @@ int jbd2_journal_recover(journal_t *jour + err2 = sync_blockdev(journal->j_fs_dev); + if (!err) + err = err2; ++ err2 = errseq_check_and_advance(&mapping->wb_err, &wb_err); ++ if (!err) ++ err = err2; + /* Make sure all replayed data is on permanent storage */ + if (journal->j_flags & JBD2_BARRIER) { + err2 = blkdev_issue_flush(journal->j_fs_dev, GFP_KERNEL); diff --git a/queue-5.10/kernel-reboot-emergency_restart-set-correct-system_state.patch b/queue-5.10/kernel-reboot-emergency_restart-set-correct-system_state.patch new file mode 100644 index 00000000000..58a2c91128d --- /dev/null +++ b/queue-5.10/kernel-reboot-emergency_restart-set-correct-system_state.patch 
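Review bot: The first `errseq_check_and_advance(&mapping->wb_err, &wb_err)` call in `jbd2_journal_recover()` discards its return value on purpose, but nothing in the code says so and it reads like a missed error check. A comment above it would help, for example `/* Sample the fs device's writeback error cursor; errors recorded before replay are deliberately ignored */`, with a matching one at the second call, `/* Report any writeback error raised on the fs device since the sample above */`. The second check matters because, as the commit message describes, another reader of the mapping can clear the error flag before `sync_blockdev()` sees it. Only part of the function is shown in the patch.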
@@ -0,0 +1,49 @@
+From 60466c067927abbcaff299845abd4b7069963139 Mon Sep 17 00:00:00 2001
+From: Benjamin Bara
+Date: Sat, 15 Jul 2023 09:53:23 +0200
+Subject: kernel/reboot: emergency_restart: Set correct system_state
+
+From: Benjamin Bara
+
+commit 60466c067927abbcaff299845abd4b7069963139 upstream.
+
+As the emergency restart does not call kernel_restart_prepare(), the
+system_state stays in SYSTEM_RUNNING.
+
+Since bae1d3a05a8b, this hinders i2c_in_atomic_xfer_mode() from becoming
+active, and therefore might lead to avoidable warnings in the restart
+handlers, e.g.:
+
+[ 12.667612] WARNING: CPU: 1 PID: 1 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x33c/0x6b0
+[ 12.676926] Voluntary context switch within RCU read-side critical section!
+...
+[ 12.742376] schedule_timeout from wait_for_completion_timeout+0x90/0x114
+[ 12.749179] wait_for_completion_timeout from tegra_i2c_wait_completion+0x40/0x70
+...
+[ 12.994527] atomic_notifier_call_chain from machine_restart+0x34/0x58
+[ 13.001050] machine_restart from panic+0x2a8/0x32c
+
+Avoid these by setting the correct system_state.
+
+Fixes: bae1d3a05a8b ("i2c: core: remove use of in_atomic()")
+Cc: stable@vger.kernel.org # v5.2+
+Reviewed-by: Dmitry Osipenko
+Tested-by: Nishanth Menon
+Signed-off-by: Benjamin Bara
+Link: https://lore.kernel.org/r/20230327-tegra-pmic-reboot-v7-1-18699d5dcd76@skidata.com
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/reboot.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/reboot.c
++++ b/kernel/reboot.c
+@@ -64,6 +64,7 @@ EXPORT_SYMBOL_GPL(pm_power_off_prepare);
+ void emergency_restart(void)
+ {
+ kmsg_dump(KMSG_DUMP_EMERG);
++ system_state = SYSTEM_RESTART;
+ machine_emergency_restart();
+ }
+ EXPORT_SYMBOL_GPL(emergency_restart);
diff --git a/queue-5.10/mcb-fix-error-handling-for-different-scenarios-when-parsing.patch b/queue-5.10/mcb-fix-error-handling-for-different-scenarios-when-parsing.patch
new file mode 100644
index 00000000000..cc98315df32
--- /dev/null
+++ b/queue-5.10/mcb-fix-error-handling-for-different-scenarios-when-parsing.patch
@@ -0,0 +1,49 @@
+From 63ba2d07b4be72b94216d20561f43e1150b25d98 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sanju=C3=A1n=20Garc=C3=ADa=2C=20Jorge?=
+
+Date: Thu, 19 Oct 2023 14:15:34 +0000
+Subject: mcb: fix error handling for different scenarios when parsing
+
+From: Sanjuán García, Jorge
+
+commit 63ba2d07b4be72b94216d20561f43e1150b25d98 upstream.
+
+chameleon_parse_gdd() may fail for different reasons and end up
+in the err tag. Make sure we at least always free the mcb_device
+allocated with mcb_alloc_dev().
+
+If mcb_device_register() fails, make sure to give up the reference
+in the same place the device was added.
+
+Fixes: 728ac3389296 ("mcb: mcb-parse: fix error handing in chameleon_parse_gdd()")
+Cc: stable
+Reviewed-by: Jose Javier Rodriguez Barbarin
+Signed-off-by: Jorge Sanjuan Garcia
+Link: https://lore.kernel.org/r/20231019141434.57971-2-jorge.sanjuangarcia@duagon.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mcb/mcb-core.c | 1 +
+ drivers/mcb/mcb-parse.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mcb/mcb-core.c
++++ b/drivers/mcb/mcb-core.c
+@@ -248,6 +248,7 @@ int mcb_device_register(struct mcb_bus *
+ return 0;
+
+ out:
++ put_device(&dev->dev);
+
+ return ret;
+ }
+--- a/drivers/mcb/mcb-parse.c
++++ b/drivers/mcb/mcb-parse.c
+@@ -106,7 +106,7 @@ static int chameleon_parse_gdd(struct mc
+ return 0;
+
+ err:
+- put_device(&mdev->dev);
++ mcb_free_dev(mdev);
+
+ return ret;
+ }
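Review bot: Taken together, the two changes can release the same `mcb_device` twice: `mcb_device_register()` now calls `put_device(&dev->dev)` at its `out:` label, and `chameleon_parse_gdd()` now calls `mcb_free_dev(mdev)` at `err:`. If the `mcb_device_register()` failure in `chameleon_parse_gdd()` still jumps to `err:` (that call is outside the shown context), the device's release callback has presumably already freed `mdev` by then and `mcb_free_dev()` frees it again. The registration failure should return directly, e.g. `if (ret < 0) return ret;`, leaving `err:` for failures that occur before the device is handed to the driver core. Both function bodies start outside the shown context.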
diff --git a/queue-5.10/mm-cma-use-nth_page-in-place-of-direct-struct-page-manipulation.patch b/queue-5.10/mm-cma-use-nth_page-in-place-of-direct-struct-page-manipulation.patch new file mode 100644 index 00000000000..6decb507c59 --- /dev/null +++ b/queue-5.10/mm-cma-use-nth_page-in-place-of-direct-struct-page-manipulation.patch 
@@ -0,0 +1,59 @@ +From 2e7cfe5cd5b6b0b98abf57a3074885979e187c1c Mon Sep 17 00:00:00 2001 +From: Zi Yan +Date: Wed, 13 Sep 2023 16:12:44 -0400 +Subject: mm/cma: use nth_page() in place of direct struct page manipulation + +From: Zi Yan + +commit 2e7cfe5cd5b6b0b98abf57a3074885979e187c1c upstream. + +Patch series "Use nth_page() in place of direct struct page manipulation", +v3. + +On SPARSEMEM without VMEMMAP, struct page is not guaranteed to be +contiguous, since each memory section's memmap might be allocated +independently. hugetlb pages can go beyond a memory section size, thus +direct struct page manipulation on hugetlb pages/subpages might give wrong +struct page. Kernel provides nth_page() to do the manipulation properly. +Use that whenever code can see hugetlb pages. + + +This patch (of 5): + +When dealing with hugetlb pages, manipulating struct page pointers +directly can get to wrong struct page, since struct page is not guaranteed +to be contiguous on SPARSEMEM without VMEMMAP. Use nth_page() to handle +it properly. + +Without the fix, page_kasan_tag_reset() could reset wrong page tags, +causing a wrong kasan result. No related bug is reported. The fix +comes from code inspection. 
+ +Link: https://lkml.kernel.org/r/20230913201248.452081-1-zi.yan@sent.com +Link: https://lkml.kernel.org/r/20230913201248.452081-2-zi.yan@sent.com +Fixes: 2813b9c02962 ("kasan, mm, arm64: tag non slab memory allocated via pagealloc") +Signed-off-by: Zi Yan +Reviewed-by: Muchun Song +Cc: David Hildenbrand +Cc: Matthew Wilcox (Oracle) +Cc: Mike Kravetz +Cc: Mike Rapoport (IBM) +Cc: Thomas Bogendoerfer +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/cma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/cma.c ++++ b/mm/cma.c +@@ -482,7 +482,7 @@ struct page *cma_alloc(struct cma *cma, + */ + if (page) { + for (i = 0; i < count; i++) +- page_kasan_tag_reset(page + i); ++ page_kasan_tag_reset(nth_page(page, i)); + } + + if (ret && !no_warn) { diff --git a/queue-5.10/mm-memory_hotplug-use-pfn-math-in-place-of-direct-struct-page-manipulation.patch b/queue-5.10/mm-memory_hotplug-use-pfn-math-in-place-of-direct-struct-page-manipulation.patch new file mode 100644 index 00000000000..dada1896577 --- /dev/null +++ b/queue-5.10/mm-memory_hotplug-use-pfn-math-in-place-of-direct-struct-page-manipulation.patch 
@@ -0,0 +1,46 @@ +From 1640a0ef80f6d572725f5b0330038c18e98ea168 Mon Sep 17 00:00:00 2001 +From: Zi Yan +Date: Wed, 13 Sep 2023 16:12:46 -0400 +Subject: mm/memory_hotplug: use pfn math in place of direct struct page manipulation + +From: Zi Yan + +commit 1640a0ef80f6d572725f5b0330038c18e98ea168 upstream. + +When dealing with hugetlb pages, manipulating struct page pointers +directly can get to wrong struct page, since struct page is not guaranteed +to be contiguous on SPARSEMEM without VMEMMAP. Use pfn calculation to +handle it properly. + +Without the fix, a wrong number of page might be skipped. Since skip cannot be +negative, scan_movable_page() will end early and might miss a movable page with +-ENOENT. This might fail offline_pages(). No bug is reported. The fix comes +from code inspection. + +Link: https://lkml.kernel.org/r/20230913201248.452081-4-zi.yan@sent.com +Fixes: eeb0efd071d8 ("mm,memory_hotplug: fix scan_movable_pages() for gigantic hugepages") +Signed-off-by: Zi Yan +Reviewed-by: Muchun Song +Acked-by: David Hildenbrand +Cc: Matthew Wilcox (Oracle) +Cc: Mike Kravetz +Cc: Mike Rapoport (IBM) +Cc: Thomas Bogendoerfer +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory_hotplug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1263,7 +1263,7 @@ static int scan_movable_pages(unsigned l + head = compound_head(page); + if (page_huge_active(head)) + goto found; +- skip = compound_nr(head) - (page - head); ++ skip = compound_nr(head) - (pfn - page_to_pfn(head)); + pfn += skip - 1; + } + return -ENOENT; diff --git a/queue-5.10/mtd-cfi_cmdset_0001-byte-swap-otp-info.patch b/queue-5.10/mtd-cfi_cmdset_0001-byte-swap-otp-info.patch new file mode 100644 index 00000000000..d85bacf409f --- /dev/null +++ b/queue-5.10/mtd-cfi_cmdset_0001-byte-swap-otp-info.patch 
@@ -0,0 +1,75 @@
+From 565fe150624ee77dc63a735cc1b3bff5101f38a3 Mon Sep 17 00:00:00 2001
+From: Linus Walleij
+Date: Fri, 20 Oct 2023 22:30:29 +0200
+Subject: mtd: cfi_cmdset_0001: Byte swap OTP info
+
+From: Linus Walleij
+
+commit 565fe150624ee77dc63a735cc1b3bff5101f38a3 upstream.
+
+Currently the offset into the device when looking for OTP
+bits can go outside of the address of the MTD NOR devices,
+and if that memory isn't readable, bad things happen
+on the IXP4xx (added prints that illustrate the problem before
+the crash):
+
+cfi_intelext_otp_walk walk OTP on chip 0 start at reg_prot_offset 0x00000100
+ixp4xx_copy_from copy from 0x00000100 to 0xc880dd78
+cfi_intelext_otp_walk walk OTP on chip 0 start at reg_prot_offset 0x12000000
+ixp4xx_copy_from copy from 0x12000000 to 0xc880dd78
+8<--- cut here ---
+Unable to handle kernel paging request at virtual address db000000
+[db000000] *pgd=00000000
+(...)
+
+This happens in this case because the IXP4xx is big endian and
+the 32- and 16-bit fields in the struct cfi_intelext_otpinfo are not
+properly byteswapped. Compare to how the code in read_pri_intelext()
+byteswaps the fields in struct cfi_pri_intelext.
+
+Adding a small byte swapping loop for the OTP in read_pri_intelext()
+and the crash goes away.
+
+The problem went unnoticed for many years until I enabled
+CONFIG_MTD_OTP on the IXP4xx as well, triggering the bug.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Nicolas Pitre
+Signed-off-by: Linus Walleij
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20231020-mtd-otp-byteswap-v4-1-0d132c06aa9d@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/chips/cfi_cmdset_0001.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0001.c
++++ b/drivers/mtd/chips/cfi_cmdset_0001.c
+@@ -420,9 +420,25 @@ read_pri_intelext(struct map_info *map,
+ extra_size = 0;
+
+ /* Protection Register info */
+- if (extp->NumProtectionFields)
++ if (extp->NumProtectionFields) {
++ struct cfi_intelext_otpinfo *otp =
++ (struct cfi_intelext_otpinfo *)&extp->extra[0];
++
+ extra_size += (extp->NumProtectionFields - 1) *
+- sizeof(struct cfi_intelext_otpinfo);
++ sizeof(struct cfi_intelext_otpinfo);
++
++ if (extp_size >= sizeof(*extp) + extra_size) {
++ int i;
++
++ /* Do some byteswapping if necessary */
++ for (i = 0; i < extp->NumProtectionFields - 1; i++) {
++ otp->ProtRegAddr = le32_to_cpu(otp->ProtRegAddr);
++ otp->FactGroups = le16_to_cpu(otp->FactGroups);
++ otp->UserGroups = le16_to_cpu(otp->UserGroups);
++ otp++;
++ }
++ }
++ }
+ }
+
+ if (extp->MinorVersion >= '1') {
diff --git a/queue-5.10/quota-explicitly-forbid-quota-files-from-being-encrypted.patch b/queue-5.10/quota-explicitly-forbid-quota-files-from-being-encrypted.patch
new file mode 100644
index 00000000000..37b91ff3cea
--- /dev/null
+++ b/queue-5.10/quota-explicitly-forbid-quota-files-from-being-encrypted.patch
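Review bot: The byte swap added to `read_pri_intelext()` makes `ProtRegAddr`, `FactGroups` and `UserGroups` host-endian, but the values still come straight from the chip's query table and nothing in the added block bounds them. The commit message shows a wrong `ProtRegAddr` leading to a read outside the mapped device, so a corrupt or unexpected table could plausibly reach the same fault; a range check against the chip size where the OTP regions are walked (not visible in this patch) would make that path robust. The loop also converts in place, so a short comment such as `/* query table fields are little-endian; convert in place, once per read of the table */` would help the next reader. The function continues past the shown context.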
@@ -0,0 +1,64 @@ +From d3cc1b0be258191d6360c82ea158c2972f8d3991 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 4 Sep 2023 17:32:27 -0700 +Subject: quota: explicitly forbid quota files from being encrypted + +From: Eric Biggers + +commit d3cc1b0be258191d6360c82ea158c2972f8d3991 upstream. + +Since commit d7e7b9af104c ("fscrypt: stop using keyrings subsystem for +fscrypt_master_key"), xfstest generic/270 causes a WARNING when run on +f2fs with test_dummy_encryption in the mount options: + +$ kvm-xfstests -c f2fs/encrypt generic/270 +[...] +WARNING: CPU: 1 PID: 2453 at fs/crypto/keyring.c:240 fscrypt_destroy_keyring+0x1f5/0x260 + +The cause of the WARNING is that not all encrypted inodes have been +evicted before fscrypt_destroy_keyring() is called, which violates an +assumption. This happens because the test uses an external quota file, +which gets automatically encrypted due to test_dummy_encryption. + +Encryption of quota files has never really been supported. On ext4, +ext4_quota_read() does not decrypt the data, so encrypted quota files +are always considered invalid on ext4. On f2fs, f2fs_quota_read() uses +the pagecache, so trying to use an encrypted quota file gets farther, +resulting in the issue described above being possible. But this was +never intended to be possible, and there is no use case for it. + +Therefore, make the quota support layer explicitly reject using +IS_ENCRYPTED inodes when quotaon is attempted. + +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Jan Kara +Message-Id: <20230905003227.326998-1-ebiggers@kernel.org> +Signed-off-by: Greg Kroah-Hartman +--- + fs/quota/dquot.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -2398,6 +2398,20 @@ static int vfs_setup_quota_inode(struct + if (sb_has_quota_loaded(sb, type)) + return -EBUSY; + ++ /* ++ * Quota files should never be encrypted. 
They should be thought of as ++ * filesystem metadata, not user data. New-style internal quota files ++ * cannot be encrypted by users anyway, but old-style external quota ++ * files could potentially be incorrectly created in an encrypted ++ * directory, hence this explicit check. Some reasons why encrypted ++ * quota files don't work include: (1) some filesystems that support ++ * encryption don't handle it in their quota_read and quota_write, and ++ * (2) cleaning up encrypted quota files at unmount would need special ++ * consideration, as quota files are cleaned up later than user files. ++ */ ++ if (IS_ENCRYPTED(inode)) ++ return -EINVAL; ++ + dqopt->files[type] = igrab(inode); + if (!dqopt->files[type]) + return -EIO; diff --git a/queue-5.10/s390-cmma-fix-handling-of-swapper_pg_dir-and-invalid_pg_dir.patch b/queue-5.10/s390-cmma-fix-handling-of-swapper_pg_dir-and-invalid_pg_dir.patch new file mode 100644 index 00000000000..bb35d3989f4 --- /dev/null +++ b/queue-5.10/s390-cmma-fix-handling-of-swapper_pg_dir-and-invalid_pg_dir.patch 
@@ -0,0 +1,45 @@
+From 84bb41d5df48868055d159d9247b80927f1f70f9 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens
+Date: Tue, 24 Oct 2023 10:15:20 +0200
+Subject: s390/cmma: fix handling of swapper_pg_dir and invalid_pg_dir
+
+From: Heiko Carstens
+
+commit 84bb41d5df48868055d159d9247b80927f1f70f9 upstream.
+
+If the cmma no-dat feature is available the kernel page tables are walked
+to identify and mark all pages which are used for address translation (all
+region, segment, and page tables). In a subsequent loop all other pages are
+marked as "no-dat" pages with the ESSA instruction.
+
+This information is visible to the hypervisor, so that the hypervisor can
+optimize purging of guest TLB entries. All pages used for swapper_pg_dir
+and invalid_pg_dir are incorrectly marked as no-dat, which in turn can
+result in incorrect guest TLB flushes.
+
+Fix this by marking those pages correctly as being used for DAT.
+
+Cc:
+Reviewed-by: Claudio Imbrenda
+Signed-off-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/mm/page-states.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/s390/mm/page-states.c
++++ b/arch/s390/mm/page-states.c
+@@ -198,6 +198,12 @@ void __init cmma_init_nodat(void)
+ return;
+ /* Mark pages used in kernel page tables */
+ mark_kernel_pgd();
++ page = virt_to_page(&swapper_pg_dir);
++ for (i = 0; i < 4; i++)
++ set_bit(PG_arch_1, &page[i].flags);
++ page = virt_to_page(&invalid_pg_dir);
++ for (i = 0; i < 4; i++)
++ set_bit(PG_arch_1, &page[i].flags);
+
+ /* Set all kernel pages not used for page tables to stable/no-dat */
+ for_each_mem_pfn_range(i, MAX_NUMNODES, &start, &end, NULL) {
diff --git a/queue-5.10/s390-cmma-fix-initial-kernel-address-space-page-table-walk.patch b/queue-5.10/s390-cmma-fix-initial-kernel-address-space-page-table-walk.patch
new file mode 100644
index 00000000000..0b07e751946
--- /dev/null
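Review bot: The literal `4` in the two loops added to `cmma_init_nodat()` is unexplained; it is presumably the number of pages a top-level translation table occupies. A named constant or a one-line comment, e.g. `/* a region/segment table spans 4 pages */`, would tie these loops to the table size, and a small helper taking the table address would remove the duplicated loop. Getting the count wrong here leaves translation-table pages marked no-dat, which the commit message says can lead to incorrect guest TLB flushes, so the assumption deserves to be written down. `page` and `i` are declared outside the shown context.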
+++ b/queue-5.10/s390-cmma-fix-initial-kernel-address-space-page-table-walk.patch 
@@ -0,0 +1,69 @@
+From 16ba44826a04834d3eeeda4b731c2ea3481062b7 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens
+Date: Tue, 17 Oct 2023 21:07:03 +0200
+Subject: s390/cmma: fix initial kernel address space page table walk
+
+From: Heiko Carstens
+
+commit 16ba44826a04834d3eeeda4b731c2ea3481062b7 upstream.
+
+If the cmma no-dat feature is available the kernel page tables are walked
+to identify and mark all pages which are used for address translation (all
+region, segment, and page tables). In a subsequent loop all other pages are
+marked as "no-dat" pages with the ESSA instruction.
+
+This information is visible to the hypervisor, so that the hypervisor can
+optimize purging of guest TLB entries. The initial loop however does not
+cover the complete kernel address space. This can result in pages being
+marked as not being used for dynamic address translation, even though they
+are. In turn guest TLB entries incorrectly may not be purged.
+
+Fix this by adjusting the end address of the kernel address range being
+walked.
+
+Cc:
+Reviewed-by: Claudio Imbrenda
+Reviewed-by: Alexander Gordeev
+Signed-off-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/mm/page-states.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/mm/page-states.c
++++ b/arch/s390/mm/page-states.c
+@@ -161,15 +161,22 @@ static void mark_kernel_p4d(pgd_t *pgd,
+
+ static void mark_kernel_pgd(void)
+ {
+- unsigned long addr, next;
++ unsigned long addr, next, max_addr;
+ struct page *page;
+ pgd_t *pgd;
+ int i;
+
+ addr = 0;
++ /*
++ * Figure out maximum virtual address accessible with the
++ * kernel ASCE. This is required to keep the page table walker
++ * from accessing non-existent entries.
++ */
++ max_addr = (S390_lowcore.kernel_asce.val & _ASCE_TYPE_MASK) >> 2;
++ max_addr = 1UL << (max_addr * 11 + 31);
+ pgd = pgd_offset_k(addr);
+ do {
+- next = pgd_addr_end(addr, MODULES_END);
++ next = pgd_addr_end(addr, max_addr);
+ if (pgd_none(*pgd))
+ continue;
+ if (!pgd_folded(*pgd)) {
+@@ -178,7 +185,7 @@ static void mark_kernel_pgd(void)
+ set_bit(PG_arch_1, &page[i].flags);
+ }
+ mark_kernel_p4d(pgd, addr, next);
+- } while (pgd++, addr = next, addr != MODULES_END);
++ } while (pgd++, addr = next, addr != max_addr);
+ }
+
+ void __init cmma_init_nodat(void)
diff --git a/queue-5.10/series b/queue-5.10/series
index 2c2d40371e2..a6a77c0a9e7 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -126,3 +126,15 @@ mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch
 genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch
 pci-keystone-don-t-discard-.remove-callback.patch
 pci-keystone-don-t-discard-.probe-callback.patch
+jbd2-fix-potential-data-lost-in-recovering-journal-raced-with-synchronizing-fs-bdev.patch
+quota-explicitly-forbid-quota-files-from-being-encrypted.patch
+kernel-reboot-emergency_restart-set-correct-system_state.patch
+i2c-core-run-atomic-i2c-xfer-when-preemptible.patch
+mcb-fix-error-handling-for-different-scenarios-when-parsing.patch
+dmaengine-stm32-mdma-correct-desc-prep-when-channel-running.patch
+s390-cmma-fix-initial-kernel-address-space-page-table-walk.patch
+s390-cmma-fix-handling-of-swapper_pg_dir-and-invalid_pg_dir.patch
+mm-cma-use-nth_page-in-place-of-direct-struct-page-manipulation.patch
+mm-memory_hotplug-use-pfn-math-in-place-of-direct-struct-page-manipulation.patch
+mtd-cfi_cmdset_0001-byte-swap-otp-info.patch
+i3c-master-cdns-fix-reading-status-register.patch
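Review bot: In `mark_kernel_pgd()` (s390-cmma-fix-initial-kernel-address-space-page-table-walk.patch), `max_addr = 1UL << (max_addr * 11 + 31)` shifts by 64 when the ASCE type field decodes to 3, which is undefined for a 64-bit `unsigned long`. If the kernel ASCE can never have that type, the comment above the computation should say so, e.g. `/* the kernel ASCE is never a region-first table, so the shift stays below 64 */`; otherwise that case needs an explicit branch. Because this is a 5.10 backport, it is also worth confirming that `S390_lowcore.kernel_asce` is a structure with a `.val` member in this tree rather than a plain integer, since the hunk cannot show that. The function's loop body is only partly visible in the two hunks.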