From: Greg Kroah-Hartman Date: Sun, 17 Oct 2021 10:49:21 +0000 (+0200) Subject: 5.14-stable patches X-Git-Tag: v4.14.252~39 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=58d20ee6ec593c5713569785627c340ad95f0348;p=thirdparty%2Fkernel%2Fstable-queue.git 5.14-stable patches added patches: acpi-pm-include-alternate-amdi0005-id-in-special-behaviour.patch arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch btrfs-unlock-newly-allocated-extent-buffer-after-error.patch btrfs-update-refs-for-any-root-except-tree-log-roots.patch clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch csky-fixup-regs.sr-broken-in-ptrace.patch dm-fix-mempool-null-pointer-race-when-completing-io.patch dm-rq-don-t-queue-request-to-blk-mq-during-dm-suspend.patch drm-fbdev-clamp-fbdev-surface-size-if-too-large.patch drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch drm-msm-do-not-run-snapshot-on-non-dpu-devices.patch drm-nouveau-fifo-reinstate-the-correct-engine-bit-programming.patch mtd-rawnand-qcom-update-code-word-value-for-raw-read.patch nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch s390-fix-strrchr-implementation.patch spi-atmel-fix-pdc-transfer-setup-bug.patch --- diff --git a/queue-5.14/acpi-pm-include-alternate-amdi0005-id-in-special-behaviour.patch b/queue-5.14/acpi-pm-include-alternate-amdi0005-id-in-special-behaviour.patch new file mode 100644 index 00000000000..93b1b5fe70c --- /dev/null +++ b/queue-5.14/acpi-pm-include-alternate-amdi0005-id-in-special-behaviour.patch 
@@ -0,0 +1,43 @@ +From 1ea1dbf1f54c3345072c963b3acf8830e2468c1b Mon Sep 17 00:00:00 2001 +From: Sachi King +Date: Sat, 2 Oct 2021 14:18:40 +1000 +Subject: ACPI: PM: Include alternate AMDI0005 id in special behaviour + +From: Sachi King + +commit 1ea1dbf1f54c3345072c963b3acf8830e2468c1b upstream. + +The Surface Laptop 4 AMD has used the AMD0005 to identify this +controller instead of using the appropriate ACPI ID AMDI0005. The +AMD0005 needs the same special casing as AMDI0005. + +Link: https://github.com/linux-surface/acpidumps/tree/master/surface_laptop_4_amd +Link: https://gist.github.com/nakato/2a1a7df1a45fe680d7a08c583e1bf863 +Signed-off-by: Sachi King +Reviewed-by: Mario Limonciello +Cc: 5.14+ # 5.14+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/x86/s2idle.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/x86/s2idle.c ++++ b/drivers/acpi/x86/s2idle.c +@@ -371,7 +371,7 @@ static int lps0_device_attach(struct acp + return 0; + + if (acpi_s2idle_vendor_amd()) { +- /* AMD0004, AMDI0005: ++ /* AMD0004, AMD0005, AMDI0005: + * - Should use rev_id 0x0 + * - function mask > 0x3: Should use AMD method, but has off by one bug + * - function mask = 0x3: Should use Microsoft method +@@ -390,6 +390,7 @@ static int lps0_device_attach(struct acp + ACPI_LPS0_DSM_UUID_MICROSOFT, 0, + &lps0_dsm_guid_microsoft); + if (lps0_dsm_func_mask > 0x3 && (!strcmp(hid, "AMD0004") || ++ !strcmp(hid, "AMD0005") || + !strcmp(hid, "AMDI0005"))) { + lps0_dsm_func_mask = (lps0_dsm_func_mask << 1) | 0x1; + acpi_handle_debug(adev->handle, "_DSM UUID %s: Adjusted function mask: 0x%x\n", diff --git a/queue-5.14/arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch b/queue-5.14/arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch new file mode 100644 index 00000000000..f5225c69963 --- /dev/null +++ b/queue-5.14/arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch 
@@ -0,0 +1,42 @@ +From 2e5809a4ddb15969503e43b06662a9a725f613ea Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Tue, 5 Oct 2021 13:25:29 -0700 +Subject: arm64/hugetlb: fix CMA gigantic page order for non-4K PAGE_SIZE + +From: Mike Kravetz + +commit 2e5809a4ddb15969503e43b06662a9a725f613ea upstream. + +For non-4K PAGE_SIZE configs, the largest gigantic huge page size is +CONT_PMD_SHIFT order. On arm64 with 64K PAGE_SIZE, the gigantic page is +16G. Therefore, one should be able to specify 'hugetlb_cma=16G' on the +kernel command line so that one gigantic page can be allocated from CMA. +However, when adding such an option the following message is produced: + +hugetlb_cma: cma area should be at least 8796093022208 MiB + +This is because the calculation for non-4K gigantic page order is +incorrect in the arm64 specific routine arm64_hugetlb_cma_reserve(). + +Fixes: abb7962adc80 ("arm64/hugetlb: Reserve CMA areas for gigantic pages on 16K and 64K configs") +Cc: # 5.9.x +Signed-off-by: Mike Kravetz +Reviewed-by: Anshuman Khandual +Link: https://lore.kernel.org/r/20211005202529.213812-1-mike.kravetz@oracle.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/mm/hugetlbpage.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/mm/hugetlbpage.c ++++ b/arch/arm64/mm/hugetlbpage.c +@@ -43,7 +43,7 @@ void __init arm64_hugetlb_cma_reserve(vo + #ifdef CONFIG_ARM64_4K_PAGES + order = PUD_SHIFT - PAGE_SHIFT; + #else +- order = CONT_PMD_SHIFT + PMD_SHIFT - PAGE_SHIFT; ++ order = CONT_PMD_SHIFT - PAGE_SHIFT; + #endif + /* + * HugeTLB CMA reservation is required for gigantic diff --git a/queue-5.14/btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch b/queue-5.14/btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch new file mode 100644 index 00000000000..d918d0765bb --- /dev/null +++ b/queue-5.14/btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch 
@@ -0,0 +1,53 @@ +From cfd312695b71df04c3a2597859ff12c470d1e2e4 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 1 Oct 2021 13:48:18 +0100 +Subject: btrfs: check for error when looking up inode during dir entry replay + +From: Filipe Manana + +commit cfd312695b71df04c3a2597859ff12c470d1e2e4 upstream. + +At replay_one_name(), we are treating any error from btrfs_lookup_inode() +as if the inode does not exists. Fix this by checking for an error and +returning it to the caller. + +CC: stable@vger.kernel.org # 4.14+ +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1941,8 +1941,8 @@ static noinline int replay_one_name(stru + struct btrfs_key log_key; + struct inode *dir; + u8 log_type; +- int exists; +- int ret = 0; ++ bool exists; ++ int ret; + bool update_size = (key->type == BTRFS_DIR_INDEX_KEY); + bool name_added = false; + +@@ -1962,12 +1962,12 @@ static noinline int replay_one_name(stru + name_len); + + btrfs_dir_item_key_to_cpu(eb, di, &log_key); +- exists = btrfs_lookup_inode(trans, root, path, &log_key, 0); +- if (exists == 0) +- exists = 1; +- else +- exists = 0; ++ ret = btrfs_lookup_inode(trans, root, path, &log_key, 0); + btrfs_release_path(path); ++ if (ret < 0) ++ goto out; ++ exists = (ret == 0); ++ ret = 0; + + if (key->type == BTRFS_DIR_ITEM_KEY) { + dst_di = btrfs_lookup_dir_item(trans, root, path, key->objectid, diff --git a/queue-5.14/btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch b/queue-5.14/btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch new file mode 100644 index 00000000000..e07a81e85be --- /dev/null +++ b/queue-5.14/btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch 
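Review bot: The replacement block in replay_one_name() depends on btrfs_lookup_inode() returning a positive value for "not found", but nothing at the call site says so. A one-line comment above `exists = (ret == 0);`, such as `/* ret > 0 means the inode item was not found */`, would make the three-way result explicit. The first hunk also drops the `= 0` initialiser on `ret`, so every `goto out` reached before this assignment has to set `ret` itself. The function body lies outside the hunk, so that cannot be confirmed from here.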
@@ -0,0 +1,51 @@ +From 52db77791fe24538c8aa2a183248399715f6b380 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 1 Oct 2021 13:52:32 +0100 +Subject: btrfs: deal with errors when adding inode reference during log replay + +From: Filipe Manana + +commit 52db77791fe24538c8aa2a183248399715f6b380 upstream. + +At __inode_add_ref(), we treating any error returned from +btrfs_lookup_dir_item() or from btrfs_lookup_dir_index_item() as meaning +that there is no existing directory entry in the fs/subvolume tree. +This is not correct since we can get errors such as, for example, -EIO +when reading extent buffers while searching the fs/subvolume's btree. + +So fix that and return the error to the caller when it is not -ENOENT. + +CC: stable@vger.kernel.org # 4.14+ +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1182,7 +1182,10 @@ next: + /* look for a conflicting sequence number */ + di = btrfs_lookup_dir_index_item(trans, root, path, btrfs_ino(dir), + ref_index, name, namelen, 0); +- if (di && !IS_ERR(di)) { ++ if (IS_ERR(di)) { ++ if (PTR_ERR(di) != -ENOENT) ++ return PTR_ERR(di); ++ } else if (di) { + ret = drop_one_dir_item(trans, root, path, dir, di); + if (ret) + return ret; +@@ -1192,7 +1195,9 @@ next: + /* look for a conflicting name */ + di = btrfs_lookup_dir_item(trans, root, path, btrfs_ino(dir), + name, namelen, 0); +- if (di && !IS_ERR(di)) { ++ if (IS_ERR(di)) { ++ return PTR_ERR(di); ++ } else if (di) { + ret = drop_one_dir_item(trans, root, path, dir, di); + if (ret) + return ret; diff --git a/queue-5.14/btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch b/queue-5.14/btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch new file mode 100644 index 00000000000..234add8af64 --- /dev/null 
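Review bot: The two lookups in this hunk treat -ENOENT differently, and the code gives no reason for it: the btrfs_lookup_dir_index_item() branch ignores -ENOENT, while the btrfs_lookup_dir_item() branch returns every IS_ERR value. Presumably the second helper reports a missing entry as NULL rather than ERR_PTR(-ENOENT), but that is not visible here. A comment on the second branch, for example `/* not-found comes back as NULL here, so any error pointer is a real failure */`, would keep a later cleanup from making the two checks look alike. The enclosing function starts and ends outside the hunk.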
+++ b/queue-5.14/btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch @@ -0,0 +1,44 @@ +From e15ac6413745e3def00e663de00aea5a717311c1 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 1 Oct 2021 13:52:31 +0100 +Subject: btrfs: deal with errors when replaying dir entry during log replay + +From: Filipe Manana + +commit e15ac6413745e3def00e663de00aea5a717311c1 upstream. + +At replay_one_one(), we are treating any error returned from +btrfs_lookup_dir_item() or from btrfs_lookup_dir_index_item() as meaning +that there is no existing directory entry in the fs/subvolume tree. +This is not correct since we can get errors such as, for example, -EIO +when reading extent buffers while searching the fs/subvolume's btree. + +So fix that and return the error to the caller when it is not -ENOENT. + +CC: stable@vger.kernel.org # 4.14+ +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1977,7 +1977,14 @@ static noinline int replay_one_name(stru + ret = -EINVAL; + goto out; + } +- if (IS_ERR_OR_NULL(dst_di)) { ++ ++ if (dst_di == ERR_PTR(-ENOENT)) ++ dst_di = NULL; ++ ++ if (IS_ERR(dst_di)) { ++ ret = PTR_ERR(dst_di); ++ goto out; ++ } else if (!dst_di) { + /* we need a sequence number to insert, so we only + * do inserts for the BTRFS_DIR_INDEX_KEY types + */ diff --git a/queue-5.14/btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch b/queue-5.14/btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch new file mode 100644 index 00000000000..432c1328080 --- /dev/null +++ b/queue-5.14/btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch 
@@ -0,0 +1,56 @@
+From 4afb912f439c4bc4e6a4f3e7547f2e69e354108f Mon Sep 17 00:00:00 2001
+From: Josef Bacik
+Date: Tue, 5 Oct 2021 16:35:27 -0400
+Subject: btrfs: fix abort logic in btrfs_replace_file_extents
+
+From: Josef Bacik
+
+commit 4afb912f439c4bc4e6a4f3e7547f2e69e354108f upstream.
+
+Error injection testing uncovered a case where we'd end up with a
+corrupt file system with a missing extent in the middle of a file. This
+occurs because the if statement to decide if we should abort is wrong.
+
+The only way we would abort in this case is if we got a ret !=
+-EOPNOTSUPP and we called from the file clone code. However the
+prealloc code uses this path too. Instead we need to abort if there is
+an error, and the only error we _don't_ abort on is -EOPNOTSUPP and only
+if we came from the clone file code.
+
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Nikolay Borisov
+Reviewed-by: Filipe Manana
+Signed-off-by: Josef Bacik
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/file.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -2691,14 +2691,16 @@ int btrfs_replace_file_extents(struct bt
+ drop_args.bytes_found);
+ if (ret != -ENOSPC) {
+ /*
+- * When cloning we want to avoid transaction aborts when
+- * nothing was done and we are attempting to clone parts
+- * of inline extents, in such cases -EOPNOTSUPP is
+- * returned by __btrfs_drop_extents() without having
+- * changed anything in the file.
++ * The only time we don't want to abort is if we are
++ * attempting to clone a partial inline extent, in which
++ * case we'll get EOPNOTSUPP. However if we aren't
++ * clone we need to abort no matter what, because if we
++ * got EOPNOTSUPP via prealloc then we messed up and
++ * need to abort.
+ */
+- if (extent_info && !extent_info->is_new_extent &&
+- ret && ret != -EOPNOTSUPP)
++ if (ret &&
++ (ret != -EOPNOTSUPP ||
++ (extent_info && extent_info->is_new_extent)))
+ btrfs_abort_transaction(trans, ret);
+ break;
+ }
diff --git a/queue-5.14/btrfs-unlock-newly-allocated-extent-buffer-after-error.patch b/queue-5.14/btrfs-unlock-newly-allocated-extent-buffer-after-error.patch
new file mode 100644
index 00000000000..9f8a72c0333
--- /dev/null
+++ b/queue-5.14/btrfs-unlock-newly-allocated-extent-buffer-after-error.patch
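Review bot: The new comment says a non-clone caller must abort "no matter what", but the condition `(ret != -EOPNOTSUPP || (extent_info && extent_info->is_new_extent))` does not abort on -EOPNOTSUPP when `extent_info` is NULL. If a NULL `extent_info` also denotes a non-clone caller, either the inner test should read `(!extent_info || extent_info->is_new_extent)` or the comment should say why that case is exempt. Which of the two is right depends on callers outside the hunk. btrfs_replace_file_extents() starts and ends outside the hunk.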
@@ -0,0 +1,96 @@ +From 19ea40dddf1833db868533958ca066f368862211 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Tue, 14 Sep 2021 14:57:59 +0800 +Subject: btrfs: unlock newly allocated extent buffer after error + +From: Qu Wenruo + +commit 19ea40dddf1833db868533958ca066f368862211 upstream. + +[BUG] +There is a bug report that injected ENOMEM error could leave a tree +block locked while we return to user-space: + + BTRFS info (device loop0): enabling ssd optimizations + FAULT_INJECTION: forcing a failure. + name failslab, interval 1, probability 0, space 0, times 0 + CPU: 0 PID: 7579 Comm: syz-executor Not tainted 5.15.0-rc1 #16 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS + rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 + Call Trace: + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106 + fail_dump lib/fault-inject.c:52 [inline] + should_fail+0x13c/0x160 lib/fault-inject.c:146 + should_failslab+0x5/0x10 mm/slab_common.c:1328 + slab_pre_alloc_hook.constprop.99+0x4e/0xc0 mm/slab.h:494 + slab_alloc_node mm/slub.c:3120 [inline] + slab_alloc mm/slub.c:3214 [inline] + kmem_cache_alloc+0x44/0x280 mm/slub.c:3219 + btrfs_alloc_delayed_extent_op fs/btrfs/delayed-ref.h:299 [inline] + btrfs_alloc_tree_block+0x38c/0x670 fs/btrfs/extent-tree.c:4833 + __btrfs_cow_block+0x16f/0x7d0 fs/btrfs/ctree.c:415 + btrfs_cow_block+0x12a/0x300 fs/btrfs/ctree.c:570 + btrfs_search_slot+0x6b0/0xee0 fs/btrfs/ctree.c:1768 + btrfs_insert_empty_items+0x80/0xf0 fs/btrfs/ctree.c:3905 + btrfs_new_inode+0x311/0xa60 fs/btrfs/inode.c:6530 + btrfs_create+0x12b/0x270 fs/btrfs/inode.c:6783 + lookup_open+0x660/0x780 fs/namei.c:3282 + open_last_lookups fs/namei.c:3352 [inline] + path_openat+0x465/0xe20 fs/namei.c:3557 + do_filp_open+0xe3/0x170 fs/namei.c:3588 + do_sys_openat2+0x357/0x4a0 fs/open.c:1200 + do_sys_open+0x87/0xd0 fs/open.c:1216 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80 + 
entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x46ae99 + Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 + 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d + 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 + RSP: 002b:00007f46711b9c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 + RAX: ffffffffffffffda RBX: 000000000078c0a0 RCX: 000000000046ae99 + RDX: 0000000000000000 RSI: 00000000000000a1 RDI: 0000000020005800 + RBP: 00007f46711b9c80 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000017 + R13: 0000000000000000 R14: 000000000078c0a0 R15: 00007ffc129da6e0 + + ================================================ + WARNING: lock held when returning to user space! + 5.15.0-rc1 #16 Not tainted + ------------------------------------------------ + syz-executor/7579 is leaving the kernel with locks still held! + 1 lock held by syz-executor/7579: + #0: ffff888104b73da8 (btrfs-tree-01/1){+.+.}-{3:3}, at: + __btrfs_tree_lock+0x2e/0x1a0 fs/btrfs/locking.c:112 + +[CAUSE] +In btrfs_alloc_tree_block(), after btrfs_init_new_buffer(), the new +extent buffer @buf is locked, but if later operations like adding +delayed tree ref fail, we just free @buf without unlocking it, +resulting above warning. + +[FIX] +Unlock @buf in out_free_buf: label. 
+ +Reported-by: Hao Sun +Link: https://lore.kernel.org/linux-btrfs/CACkBjsZ9O6Zr0KK1yGn=1rQi6Crh1yeCRdTSBxx9R99L4xdn-Q@mail.gmail.com/ +CC: stable@vger.kernel.org # 5.4+ +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent-tree.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -4859,6 +4859,7 @@ struct extent_buffer *btrfs_alloc_tree_b + out_free_delayed: + btrfs_free_delayed_extent_op(extent_op); + out_free_buf: ++ btrfs_tree_unlock(buf); + free_extent_buffer(buf); + out_free_reserved: + btrfs_free_reserved_extent(fs_info, ins.objectid, ins.offset, 0); diff --git a/queue-5.14/btrfs-update-refs-for-any-root-except-tree-log-roots.patch b/queue-5.14/btrfs-update-refs-for-any-root-except-tree-log-roots.patch new file mode 100644 index 00000000000..56a6f656544 --- /dev/null +++ b/queue-5.14/btrfs-update-refs-for-any-root-except-tree-log-roots.patch 
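Review bot: `btrfs_tree_unlock(buf)` at `out_free_buf:` is correct only if `buf` is locked on every path that reaches it, including the fall-through from `out_free_delayed:`, and the label carries no comment saying so. I would add `/* buf is still locked from btrfs_init_new_buffer() */` above the unlock, so that an error path added before the lock is taken does not reuse this label. The gotos themselves are outside the hunk, so the invariant cannot be checked from here.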
@@ -0,0 +1,62 @@ +From d175209be04d7d263fa1a54cde7608c706c9d0d7 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Fri, 1 Oct 2021 13:57:18 -0400 +Subject: btrfs: update refs for any root except tree log roots + +From: Josef Bacik + +commit d175209be04d7d263fa1a54cde7608c706c9d0d7 upstream. + +I hit a stuck relocation on btrfs/061 during my overnight testing. This +turned out to be because we had left over extent entries in our extent +root for a data reloc inode that no longer existed. This happened +because in btrfs_drop_extents() we only update refs if we have SHAREABLE +set or we are the tree_root. This regression was introduced by +aeb935a45581 ("btrfs: don't set SHAREABLE flag for data reloc tree") +where we stopped setting SHAREABLE for the data reloc tree. + +The problem here is we actually do want to update extent references for +data extents in the data reloc tree, in fact we only don't want to +update extent references if the file extents are in the log tree. +Update this check to only skip updating references in the case of the +log tree. + +This is relatively rare, because you have to be running scrub at the +same time, which is what btrfs/061 does. The data reloc inode has its +extents pre-allocated, and then we copy the extent into the +pre-allocated chunks. We theoretically should never be calling +btrfs_drop_extents() on a data reloc inode. The exception of course is +with scrub, if our pre-allocated extent falls inside of the block group +we are scrubbing, then the block group will be marked read only and we +will be forced to cow that extent. This means we will call +btrfs_drop_extents() on that range when we COW that file extent. 
+ +This isn't really problematic if we do this, the data reloc inode +requires that our extent lengths match exactly with the extent we are +copying, thankfully we validate the extent is correct with +get_new_location(), so if we happen to COW only part of the extent we +won't link it in when we do the relocation, so we are safe from any +other shenanigans that arise because of this interaction with scrub. + +Fixes: aeb935a45581 ("btrfs: don't set SHAREABLE flag for data reloc tree") +CC: stable@vger.kernel.org # 5.8+ +Reviewed-by: Qu Wenruo +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/file.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -733,8 +733,7 @@ int btrfs_drop_extents(struct btrfs_tran + if (args->start >= inode->disk_i_size && !args->replace_extent) + modify_tree = 0; + +- update_refs = (test_bit(BTRFS_ROOT_SHAREABLE, &root->state) || +- root == fs_info->tree_root); ++ update_refs = (root->root_key.objectid != BTRFS_TREE_LOG_OBJECTID); + while (1) { + recow = 0; + ret = btrfs_lookup_file_extent(trans, root, path, ino, diff --git a/queue-5.14/clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch b/queue-5.14/clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch new file mode 100644 index 00000000000..07274611169 --- /dev/null +++ b/queue-5.14/clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch 
@@ -0,0 +1,46 @@ +From 09540fa337196be20e9f0241652364f09275d374 Mon Sep 17 00:00:00 2001 +From: Dinh Nguyen +Date: Thu, 16 Sep 2021 17:51:26 -0500 +Subject: clk: socfpga: agilex: fix duplicate s2f_user0_clk + +From: Dinh Nguyen + +commit 09540fa337196be20e9f0241652364f09275d374 upstream. + +Remove the duplicate s2f_user0_clk and the unused s2f_usr0_mux define. + +Fixes: f817c132db67 ("clk: socfpga: agilex: fix up s2f_user0_clk representation") +Cc: stable@vger.kernel.org +Signed-off-by: Dinh Nguyen +Link: https://lore.kernel.org/r/20210916225126.1427700-1-dinguyen@kernel.org +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/socfpga/clk-agilex.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/drivers/clk/socfpga/clk-agilex.c ++++ b/drivers/clk/socfpga/clk-agilex.c +@@ -165,13 +165,6 @@ static const struct clk_parent_data mpu_ + .name = "boot_clk", }, + }; + +-static const struct clk_parent_data s2f_usr0_mux[] = { +- { .fw_name = "f2s-free-clk", +- .name = "f2s-free-clk", }, +- { .fw_name = "boot_clk", +- .name = "boot_clk", }, +-}; +- + static const struct clk_parent_data emac_mux[] = { + { .fw_name = "emaca_free_clk", + .name = "emaca_free_clk", }, +@@ -312,8 +305,6 @@ static const struct stratix10_gate_clock + 4, 0x44, 28, 1, 0, 0, 0}, + { AGILEX_CS_TIMER_CLK, "cs_timer_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0, 0x24, + 5, 0, 0, 0, 0x30, 1, 0}, +- { AGILEX_S2F_USER0_CLK, "s2f_user0_clk", NULL, s2f_usr0_mux, ARRAY_SIZE(s2f_usr0_mux), 0, 0x24, +- 6, 0, 0, 0, 0, 0, 0}, + { AGILEX_EMAC0_CLK, "emac0_clk", NULL, emac_mux, ARRAY_SIZE(emac_mux), 0, 0x7C, + 0, 0, 0, 0, 0x94, 26, 0}, + { AGILEX_EMAC1_CLK, "emac1_clk", NULL, emac_mux, ARRAY_SIZE(emac_mux), 0, 0x7C, diff --git a/queue-5.14/csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch b/queue-5.14/csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch new file mode 100644 index 00000000000..6893dbc8347 --- /dev/null 
+++ b/queue-5.14/csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch
@@ -0,0 +1,43 @@
+From fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Fri, 24 Sep 2021 00:35:42 +0000
+Subject: csky: don't let sigreturn play with priveleged bits of status register
+
+From: Al Viro
+
+commit fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f upstream.
+
+csky restore_sigcontext() blindly overwrites regs->sr with the value
+it finds in sigcontext. Attacker can store whatever they want in there,
+which includes things like S-bit. Userland shouldn't be able to set
+that, or anything other than C flag (bit 0).
+
+Do the same thing other architectures with protected bits in flags
+register do - preserve everything that shouldn't be settable in
+user mode, picking the rest from the value saved is sigcontext.
+
+Signed-off-by: Al Viro
+Signed-off-by: Guo Ren
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/csky/kernel/signal.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/csky/kernel/signal.c
++++ b/arch/csky/kernel/signal.c
+@@ -52,10 +52,14 @@ static long restore_sigcontext(struct pt
+ struct sigcontext __user *sc)
+ {
+ int err = 0;
++ unsigned long sr = regs->sr;
+
+ /* sc_pt_regs is structured the same as the start of pt_regs */
+ err |= __copy_from_user(regs, &sc->sc_pt_regs, sizeof(struct pt_regs));
+
++ /* BIT(0) of regs->sr is Condition Code/Carry bit */
++ regs->sr = (sr & ~1) | (regs->sr & 1);
++
+ /* Restore the floating-point state. */
+ err |= restore_fpu_state(sc);
+
diff --git a/queue-5.14/csky-fixup-regs.sr-broken-in-ptrace.patch b/queue-5.14/csky-fixup-regs.sr-broken-in-ptrace.patch
new file mode 100644
index 00000000000..e69e7075f6b
--- /dev/null
+++ b/queue-5.14/csky-fixup-regs.sr-broken-in-ptrace.patch
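Review bot: The mask in restore_sigcontext() is written with a bare `1`, while the matching gpr_set() change in arch/csky/kernel/ptrace.c spells the same bit `BIT(0)`. Both places enforce one rule (user space may change only the carry bit of sr) and should share one spelling, e.g. `regs->sr = (sr & ~BIT(0)) | (regs->sr & BIT(0));`, or better a named mask used by both files. The filter runs whether or not `__copy_from_user()` reported an error, which is the order to keep, since `regs` may already be partly overwritten at that point. The copy still takes every other pt_regs field from the user-supplied sigcontext; whether any of those needs the same treatment is not visible in this hunk.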
@@ -0,0 +1,35 @@
+From af89ebaa64de726ca0a39bbb0bf0c81a1f43ad50 Mon Sep 17 00:00:00 2001
+From: Guo Ren
+Date: Fri, 24 Sep 2021 15:33:38 +0800
+Subject: csky: Fixup regs.sr broken in ptrace
+
+From: Guo Ren
+
+commit af89ebaa64de726ca0a39bbb0bf0c81a1f43ad50 upstream.
+
+gpr_get() return the entire pt_regs (include sr) to userspace, if we
+don't restore the C bit in gpr_set, it may break the ALU result in
+that context. So the C flag bit is part of gpr context, that's why
+riscv totally remove the C bit in the ISA. That makes sr reg clear
+from userspace to supervisor privilege.
+
+Signed-off-by: Guo Ren
+Cc: Al Viro
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/csky/kernel/ptrace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/csky/kernel/ptrace.c
++++ b/arch/csky/kernel/ptrace.c
+@@ -99,7 +99,8 @@ static int gpr_set(struct task_struct *t
+ if (ret)
+ return ret;
+
+- regs.sr = task_pt_regs(target)->sr;
++ /* BIT(0) of regs.sr is Condition Code/Carry bit */
++ regs.sr = (regs.sr & BIT(0)) | (task_pt_regs(target)->sr & ~BIT(0));
+ #ifdef CONFIG_CPU_HAS_HILO
+ regs.dcsr = task_pt_regs(target)->dcsr;
+ #endif
diff --git a/queue-5.14/dm-fix-mempool-null-pointer-race-when-completing-io.patch b/queue-5.14/dm-fix-mempool-null-pointer-race-when-completing-io.patch
new file mode 100644
index 00000000000..b0e310fc74b
--- /dev/null
+++ b/queue-5.14/dm-fix-mempool-null-pointer-race-when-completing-io.patch
@@ -0,0 +1,139 @@ +From d208b89401e073de986dc891037c5a668f5d5d95 Mon Sep 17 00:00:00 2001 +From: Jiazi Li +Date: Wed, 29 Sep 2021 19:59:28 +0800 +Subject: dm: fix mempool NULL pointer race when completing IO + +From: Jiazi Li + +commit d208b89401e073de986dc891037c5a668f5d5d95 upstream. + +dm_io_dec_pending() calls end_io_acct() first and will then dec md +in-flight pending count. But if a task is swapping DM table at same +time this can result in a crash due to mempool->elements being NULL: + +task1 task2 +do_resume + ->do_suspend + ->dm_wait_for_completion + bio_endio + ->clone_endio + ->dm_io_dec_pending + ->end_io_acct + ->wakeup task1 + ->dm_swap_table + ->__bind + ->__bind_mempools + ->bioset_exit + ->mempool_exit + ->free_io + +[ 67.330330] Unable to handle kernel NULL pointer dereference at +virtual address 0000000000000000 +...... +[ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO) +[ 67.330510] pc : mempool_free+0x70/0xa0 +[ 67.330515] lr : mempool_free+0x4c/0xa0 +[ 67.330520] sp : ffffff8008013b20 +[ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004 +[ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8 +[ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800 +[ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800 +[ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80 +[ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c +[ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd +[ 67.330563] x15: 000000000093b41e x14: 0000000000000010 +[ 67.330569] x13: 0000000000007f7a x12: 0000000034155555 +[ 67.330574] x11: 0000000000000001 x10: 0000000000000001 +[ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000 +[ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a +[ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001 +[ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8 +[ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970 +[ 67.330609] Call trace: +[ 67.330616] mempool_free+0x70/0xa0 +[ 67.330627] bio_put+0xf8/0x110 +[ 
67.330638] dec_pending+0x13c/0x230 +[ 67.330644] clone_endio+0x90/0x180 +[ 67.330649] bio_endio+0x198/0x1b8 +[ 67.330655] dec_pending+0x190/0x230 +[ 67.330660] clone_endio+0x90/0x180 +[ 67.330665] bio_endio+0x198/0x1b8 +[ 67.330673] blk_update_request+0x214/0x428 +[ 67.330683] scsi_end_request+0x2c/0x300 +[ 67.330688] scsi_io_completion+0xa0/0x710 +[ 67.330695] scsi_finish_command+0xd8/0x110 +[ 67.330700] scsi_softirq_done+0x114/0x148 +[ 67.330708] blk_done_softirq+0x74/0xd0 +[ 67.330716] __do_softirq+0x18c/0x374 +[ 67.330724] irq_exit+0xb4/0xb8 +[ 67.330732] __handle_domain_irq+0x84/0xc0 +[ 67.330737] gic_handle_irq+0x148/0x1b0 +[ 67.330744] el1_irq+0xe8/0x190 +[ 67.330753] lpm_cpuidle_enter+0x4f8/0x538 +[ 67.330759] cpuidle_enter_state+0x1fc/0x398 +[ 67.330764] cpuidle_enter+0x18/0x20 +[ 67.330772] do_idle+0x1b4/0x290 +[ 67.330778] cpu_startup_entry+0x20/0x28 +[ 67.330786] secondary_start_kernel+0x160/0x170 + +Fix this by: +1) Establishing pointers to 'struct dm_io' members in +dm_io_dec_pending() so that they may be passed into end_io_acct() +_after_ free_io() is called. +2) Moving end_io_acct() after free_io(). 
+ +Cc: stable@vger.kernel.org +Signed-off-by: Jiazi Li +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -492,18 +492,17 @@ static void start_io_acct(struct dm_io * + false, 0, &io->stats_aux); + } + +-static void end_io_acct(struct dm_io *io) ++static void end_io_acct(struct mapped_device *md, struct bio *bio, ++ unsigned long start_time, struct dm_stats_aux *stats_aux) + { +- struct mapped_device *md = io->md; +- struct bio *bio = io->orig_bio; +- unsigned long duration = jiffies - io->start_time; ++ unsigned long duration = jiffies - start_time; + +- bio_end_io_acct(bio, io->start_time); ++ bio_end_io_acct(bio, start_time); + + if (unlikely(dm_stats_used(&md->stats))) + dm_stats_account_io(&md->stats, bio_data_dir(bio), + bio->bi_iter.bi_sector, bio_sectors(bio), +- true, duration, &io->stats_aux); ++ true, duration, stats_aux); + + /* nudge anyone waiting on suspend queue */ + if (unlikely(wq_has_sleeper(&md->wait))) +@@ -786,6 +785,8 @@ void dm_io_dec_pending(struct dm_io *io, + blk_status_t io_error; + struct bio *bio; + struct mapped_device *md = io->md; ++ unsigned long start_time = 0; ++ struct dm_stats_aux stats_aux; + + /* Push-back supersedes any I/O errors */ + if (unlikely(error)) { +@@ -817,8 +818,10 @@ void dm_io_dec_pending(struct dm_io *io, + } + + io_error = io->status; +- end_io_acct(io); ++ start_time = io->start_time; ++ stats_aux = io->stats_aux; + free_io(md, io); ++ end_io_acct(md, bio, start_time, &stats_aux); + + if (io_error == BLK_STS_DM_REQUEUE) + return; diff --git a/queue-5.14/dm-rq-don-t-queue-request-to-blk-mq-during-dm-suspend.patch b/queue-5.14/dm-rq-don-t-queue-request-to-blk-mq-during-dm-suspend.patch new file mode 100644 index 00000000000..cbd34ebda07 --- /dev/null +++ b/queue-5.14/dm-rq-don-t-queue-request-to-blk-mq-during-dm-suspend.patch 
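Review bot: In dm_io_dec_pending() the order `free_io(md, io);` then `end_io_acct(md, bio, start_time, &stats_aux);` is what closes the race described in the commit message, yet the code has no comment saying so. The natural reading (account first, then free) invites a later cleanup to swap the calls back. I would add above them `/* end_io_acct() may wake a suspend waiter that tears down md's mempools; free io first and account from local copies */`. `stats_aux` is declared without an initialiser and is assigned only in this branch, which is fine as written but matters if end_io_acct() is ever called from another path in this function. The function continues outside the hunk.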
@@ -0,0 +1,43 @@
+From b4459b11e84092658fa195a2587aff3b9637f0e7 Mon Sep 17 00:00:00 2001
+From: Ming Lei
+Date: Thu, 23 Sep 2021 17:11:31 +0800
+Subject: dm rq: don't queue request to blk-mq during DM suspend
+
+From: Ming Lei
+
+commit b4459b11e84092658fa195a2587aff3b9637f0e7 upstream.
+
+DM uses blk-mq's quiesce/unquiesce to stop/start device mapper queue.
+
+But blk-mq's unquiesce may come from outside events, such as elevator
+switch, updating nr_requests or others, and request may come during
+suspend, so simply ask for blk-mq to requeue it.
+
+Fixes one kernel panic issue when running updating nr_requests and
+dm-mpath suspend/resume stress test.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Lei
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-rq.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/md/dm-rq.c
++++ b/drivers/md/dm-rq.c
+@@ -490,6 +490,14 @@ static blk_status_t dm_mq_queue_rq(struc
+ struct mapped_device *md = tio->md;
+ struct dm_target *ti = md->immutable_target;
+
++ /*
++ * blk-mq's unquiesce may come from outside events, such as
++ * elevator switch, updating nr_requests or others, and request may
++ * come during suspend, so simply ask for blk-mq to requeue it.
++ */
++ if (unlikely(test_bit(DMF_BLOCK_IO_FOR_SUSPEND, &md->flags)))
++ return BLK_STS_RESOURCE;
++
+ if (unlikely(!ti)) {
+ int srcu_idx;
+ struct dm_table *map = dm_get_live_table(md, &srcu_idx);
diff --git a/queue-5.14/drm-fbdev-clamp-fbdev-surface-size-if-too-large.patch b/queue-5.14/drm-fbdev-clamp-fbdev-surface-size-if-too-large.patch
new file mode 100644
index 00000000000..359993ab034
--- /dev/null
+++ b/queue-5.14/drm-fbdev-clamp-fbdev-surface-size-if-too-large.patch
@@ -0,0 +1,65 @@ +From b693e42921e0220c0d564c55c6cdc680b0f85390 Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Tue, 5 Oct 2021 09:03:55 +0200 +Subject: drm/fbdev: Clamp fbdev surface size if too large +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Zimmermann + +commit b693e42921e0220c0d564c55c6cdc680b0f85390 upstream. + +Clamp the fbdev surface size of the available maximumi height to avoid +failing to init console emulation. An example error is shown below. + + bad framebuffer height 2304, should be >= 768 && <= 768 + [drm] Initialized simpledrm 1.0.0 20200625 for simple-framebuffer.0 on minor 0 + simple-framebuffer simple-framebuffer.0: [drm] *ERROR* fbdev: Failed to setup generic emulation (ret=-22) + +This is especially a problem with drivers that have very small screen +sizes and cannot over-allocate at all. + +v2: + * reduce warning level (Ville) + +Signed-off-by: Thomas Zimmermann +Fixes: 11e8f5fd223b ("drm: Add simpledrm driver") +Reviewed-by: Ville Syrjälä +Reviewed-by: Alex Deucher +Reported-by: Amanoel Dawod +Reported-by: Zoltán Kővágó +Reported-by: Michael Stapelberg +Cc: Daniel Vetter +Cc: Maxime Ripard +Cc: dri-devel@lists.freedesktop.org +Cc: # v5.14+ +Link: https://patchwork.freedesktop.org/patch/msgid/20211005070355.7680-1-tzimmermann@suse.de +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_fb_helper.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/gpu/drm/drm_fb_helper.c ++++ b/drivers/gpu/drm/drm_fb_helper.c +@@ -1506,6 +1506,7 @@ static int drm_fb_helper_single_fb_probe + { + struct drm_client_dev *client = &fb_helper->client; + struct drm_device *dev = fb_helper->dev; ++ struct drm_mode_config *config = &dev->mode_config; + int ret = 0; + int crtc_count = 0; + struct drm_connector_list_iter conn_iter; +@@ -1663,6 +1664,11 @@ static int drm_fb_helper_single_fb_probe + /* Handle our overallocation */ + 
sizes.surface_height *= drm_fbdev_overalloc; + sizes.surface_height /= 100; ++ if (sizes.surface_height > config->max_height) { ++ drm_dbg_kms(dev, "Fbdev over-allocation too large; clamping height to %d\n", ++ config->max_height); ++ sizes.surface_height = config->max_height; ++ } + + /* push down into drivers */ + ret = (*fb_helper->funcs->fb_probe)(fb_helper, &sizes); diff --git a/queue-5.14/drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch b/queue-5.14/drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch new file mode 100644 index 00000000000..84c615fa243 --- /dev/null +++ b/queue-5.14/drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch 
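Review bot: The `drm_dbg_kms()` message added in the second drm_fb_helper.c hunk reports only the clamp target, so a log reader cannot tell how far the over-allocated height exceeded the limit. Printing both values would make the message self-contained, e.g. `"Fbdev over-allocation too large; clamping height from %u to %d\n", sizes.surface_height, config->max_height`. Those format specifiers assume surface_height is unsigned and max_height is an int; the struct definitions are outside the hunk, so confirm them. drm_fb_helper_single_fb_probe() starts and ends outside both hunks.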
@@ -0,0 +1,64 @@ +From 171316a68d9a8e0d9e28b7cf4c15afc4c6244a4e Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Fri, 17 Sep 2021 02:59:13 +0200 +Subject: drm/msm: Avoid potential overflow in timeout_to_jiffies() + +From: Marek Vasut + +commit 171316a68d9a8e0d9e28b7cf4c15afc4c6244a4e upstream. + +The return type of ktime_divns() is s64. The timeout_to_jiffies() currently +assigns the result of this ktime_divns() to unsigned long, which on 32 bit +systems may overflow. Furthermore, the result of this function is sometimes +also passed to functions which expect signed long, dma_fence_wait_timeout() +is one such example. + +Fix this by adjusting the type of remaining_jiffies to s64, so we do not +suffer overflow there, and return a value limited to range of 0..INT_MAX, +which is safe for all usecases of this timeout. + +The above overflow can be triggered if userspace passes in too large timeout +value, larger than INT_MAX / HZ seconds. The kernel detects it and complains +about "schedule_timeout: wrong timeout value %lx" and generates a warning +backtrace. 
+ +Note that this fixes commit 6cedb8b377bb ("drm/msm: avoid using 'timespec'"), +because the previously used timespec_to_jiffies() function returned unsigned +long instead of s64: +static inline unsigned long timespec_to_jiffies(const struct timespec *value) + +Fixes: 6cedb8b377bb ("drm/msm: avoid using 'timespec'") +Signed-off-by: Marek Vasut +Cc: Arnd Bergmann +Cc: Jordan Crouse +Cc: Rob Clark +Cc: stable@vger.kernel.org # 5.6+ +Acked-by: Arnd Bergmann +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20210917005913.157379-1-marex@denx.de +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/msm_drv.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/msm/msm_drv.h ++++ b/drivers/gpu/drm/msm/msm_drv.h +@@ -535,7 +535,7 @@ static inline int align_pitch(int width, + static inline unsigned long timeout_to_jiffies(const ktime_t *timeout) + { + ktime_t now = ktime_get(); +- unsigned long remaining_jiffies; ++ s64 remaining_jiffies; + + if (ktime_compare(*timeout, now) < 0) { + remaining_jiffies = 0; +@@ -544,7 +544,7 @@ static inline unsigned long timeout_to_j + remaining_jiffies = ktime_divns(rem, NSEC_PER_SEC / HZ); + } + +- return remaining_jiffies; ++ return clamp(remaining_jiffies, 0LL, (s64)INT_MAX); + } + + #endif /* __MSM_DRV_H__ */ diff --git a/queue-5.14/drm-msm-do-not-run-snapshot-on-non-dpu-devices.patch b/queue-5.14/drm-msm-do-not-run-snapshot-on-non-dpu-devices.patch new file mode 100644 index 00000000000..35bc7be1bb7 --- /dev/null +++ b/queue-5.14/drm-msm-do-not-run-snapshot-on-non-dpu-devices.patch 
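Review bot: The new `return clamp(remaining_jiffies, 0LL, (s64)INT_MAX);` in timeout_to_jiffies() has no comment explaining why the bound is INT_MAX when the function still returns `unsigned long`. The reason is only in the commit message: the timeout comes from userspace, and the result is passed to consumers that take a signed long, such as dma_fence_wait_timeout(). I would add above the return: `/* Result is passed to APIs taking signed long; keep it within 0..INT_MAX. */`. The lines that compute `rem` sit between the two hunks and are not shown, so the lower bound of 0 is presumably defensive.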
@@ -0,0 +1,58 @@ +From 6a7e0b0e9fb839caa7c7f25bcf91a95b1c2cbef1 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Tue, 14 Sep 2021 14:48:31 -0300 +Subject: drm/msm: Do not run snapshot on non-DPU devices + +From: Fabio Estevam + +commit 6a7e0b0e9fb839caa7c7f25bcf91a95b1c2cbef1 upstream. + +Since commit 98659487b845 ("drm/msm: add support to take dpu snapshot") +the following NULL pointer dereference is seen on i.MX53: + +[ 3.275493] msm msm: bound 30000000.gpu (ops a3xx_ops) +[ 3.287174] [drm] Initialized msm 1.8.0 20130625 for msm on minor 0 +[ 3.293915] 8<--- cut here --- +[ 3.297012] Unable to handle kernel NULL pointer dereference at virtual address 00000028 +[ 3.305244] pgd = (ptrval) +[ 3.307989] [00000028] *pgd=00000000 +[ 3.311624] Internal error: Oops: 805 [#1] SMP ARM +[ 3.316430] Modules linked in: +[ 3.319503] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.14.0+g682d702b426b #1 +[ 3.326652] Hardware name: Freescale i.MX53 (Device Tree Support) +[ 3.332754] PC is at __mutex_init+0x14/0x54 +[ 3.336969] LR is at msm_disp_snapshot_init+0x24/0xa0 + +i.MX53 does not use the DPU controller. + +Fix the problem by only calling msm_disp_snapshot_init() on platforms that +use the DPU controller. 
+ +Cc: stable@vger.kernel.org +Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot") +Signed-off-by: Fabio Estevam +Link: https://lore.kernel.org/r/20210914174831.2044420-1-festevam@gmail.com +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/msm_drv.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -566,10 +566,11 @@ static int msm_drm_init(struct device *d + if (ret) + goto err_msm_uninit; + +- ret = msm_disp_snapshot_init(ddev); +- if (ret) +- DRM_DEV_ERROR(dev, "msm_disp_snapshot_init failed ret = %d\n", ret); +- ++ if (kms) { ++ ret = msm_disp_snapshot_init(ddev); ++ if (ret) ++ DRM_DEV_ERROR(dev, "msm_disp_snapshot_init failed ret = %d\n", ret); ++ } + drm_mode_config_reset(ddev); + + #ifdef CONFIG_DRM_FBDEV_EMULATION diff --git a/queue-5.14/drm-nouveau-fifo-reinstate-the-correct-engine-bit-programming.patch b/queue-5.14/drm-nouveau-fifo-reinstate-the-correct-engine-bit-programming.patch new file mode 100644 index 00000000000..d8cde4f70c9 --- /dev/null +++ b/queue-5.14/drm-nouveau-fifo-reinstate-the-correct-engine-bit-programming.patch 
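Review bot: The new `if (kms)` guard in msm_drm_init() does not say how it relates to the DPU. The commit message describes the fix as applying only to platforms that use the DPU controller, while the code tests whether a kms object exists at all. A one-line comment such as `/* no KMS (GPU-only device, e.g. i.MX53): nothing to snapshot */` would record the intent; where `kms` is assigned is outside the hunk, so that reading needs confirming. The guard is at the call site only, and the oops in the description is raised inside msm_disp_snapshot_init(), so a NULL check at the top of that function would also protect any future caller. The hunk also drops the blank line that separated this block from `drm_mode_config_reset(ddev);`.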
@@ -0,0 +1,55 @@ +From d1d94b0129dccd226784633c60b7df90e8a051b5 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Thu, 7 Oct 2021 23:41:17 +0200 +Subject: drm/nouveau/fifo: Reinstate the correct engine bit programming + +From: Marek Vasut + +commit d1d94b0129dccd226784633c60b7df90e8a051b5 upstream. + +Commit 64f7c698bea9 ("drm/nouveau/fifo: add engine_id hook") replaced +fifo/chang84.c g84_fifo_chan_engine() call with an indirect call of +fifo/g84.c g84_fifo_engine_id(). The G84_FIFO_ENGN_* values returned +from the later g84_fifo_engine_id() are incremented by 1 compared to +the previous g84_fifo_chan_engine() return values. + +This is fine either way for most of the code, except this one line +where an engine bit programmed into the hardware is derived from the +return value. Decrement the return value accordingly, otherwise the +wrong engine bit is programmed into the hardware and that leads to +the following failure: +nouveau 0000:01:00.0: gr: 00000030 [ILLEGAL_MTHD ILLEGAL_CLASS] ch 1 [003fbce000 DRM] subc 3 class 0000 mthd 085c data 00000420 + +On the following hardware: +lspci -s 01:00.0 +01:00.0 VGA compatible controller: NVIDIA Corporation GT216GLM [Quadro FX 880M] (rev a2) +lspci -ns 01:00.0 +01:00.0 0300: 10de:0a3c (rev a2) + +Fixes: 64f7c698bea9 ("drm/nouveau/fifo: add engine_id hook") +Signed-off-by: Marek Vasut +Cc: # 5.12+ +Cc: Ben Skeggs +Cc: Karol Herbst +Cc: Lyude Paul +Reviewed-by: Karol Herbst +Reviewed-by: Ben Skeggs +Signed-off-by: Karol Herbst +Link: https://patchwork.freedesktop.org/patch/msgid/20211007214117.231472-1-marex@denx.de +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/engine/fifo/chang84.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/chang84.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/chang84.c +@@ -82,7 +82,7 @@ g84_fifo_chan_engine_fini(struct nvkm_fi + if (offset < 0) + return 0; + +- engn = 
fifo->base.func->engine_id(&fifo->base, engine); ++ engn = fifo->base.func->engine_id(&fifo->base, engine) - 1; + save = nvkm_mask(device, 0x002520, 0x0000003f, 1 << engn); + nvkm_wr32(device, 0x0032fc, chan->base.inst->addr >> 12); + done = nvkm_msec(device, 2000, diff --git a/queue-5.14/mtd-rawnand-qcom-update-code-word-value-for-raw-read.patch b/queue-5.14/mtd-rawnand-qcom-update-code-word-value-for-raw-read.patch new file mode 100644 index 00000000000..67a0b4d652c --- /dev/null +++ b/queue-5.14/mtd-rawnand-qcom-update-code-word-value-for-raw-read.patch 
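Review bot: The `- 1` appended to the `engine_id()` call in g84_fifo_chan_engine_fini() is unexplained in the code, and its result is used directly as a shift count in `1 << engn` on the next line. If engine_id() can return 0 or a negative value for an engine that gets past the `offset < 0` check above, `engn` becomes negative and the shift is undefined. Whether that can happen depends on g84_fifo_engine_id(), which is not in the hunk. I would add `/* engine_id() returns G84_FIFO_ENGN_* values, which are one above the hardware engine bit */` above the assignment and consider rejecting a negative `engn` before the shift. The function continues past the end of the hunk.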
@@ -0,0 +1,61 @@ +From f60f5741002b9fde748cff65fd09bd6222c5db0c Mon Sep 17 00:00:00 2001 +From: Md Sadre Alam +Date: Tue, 7 Sep 2021 12:35:57 +0530 +Subject: mtd: rawnand: qcom: Update code word value for raw read + +From: Md Sadre Alam + +commit f60f5741002b9fde748cff65fd09bd6222c5db0c upstream. + +From QPIC V2 onwards there is a separate register to read +last code word "QPIC_NAND_READ_LOCATION_LAST_CW_n". + +qcom_nandc_read_cw_raw() is used to read only one code word +at a time. If we will configure number of code words to 1 in +in QPIC_NAND_DEV0_CFG0 register then QPIC controller thinks +its reading the last code word, since from QPIC V2 onwards +we are having separate register to read the last code word, +we have to configure "QPIC_NAND_READ_LOCATION_LAST_CW_n" +register to fetch data from controller buffer to system +memory. + +Fixes: 503ee5aad430 ("mtd: rawnand: qcom: update last code word register") +Cc: stable@kernel.org +Signed-off-by: Md Sadre Alam +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/1630998357-1359-1-git-send-email-mdalam@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/qcom_nandc.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/raw/qcom_nandc.c ++++ b/drivers/mtd/nand/raw/qcom_nandc.c +@@ -1676,13 +1676,17 @@ qcom_nandc_read_cw_raw(struct mtd_info * + struct nand_ecc_ctrl *ecc = &chip->ecc; + int data_size1, data_size2, oob_size1, oob_size2; + int ret, reg_off = FLASH_BUF_ACC, read_loc = 0; ++ int raw_cw = cw; + + nand_read_page_op(chip, page, 0, NULL, 0); + host->use_ecc = false; + ++ if (nandc->props->qpic_v2) ++ raw_cw = ecc->steps - 1; ++ + clear_bam_transaction(nandc); + set_address(host, host->cw_size * cw, page); +- update_rw_regs(host, 1, true, cw); ++ update_rw_regs(host, 1, true, raw_cw); + config_nand_page_read(chip); + + data_size1 = mtd->writesize - host->cw_size * (ecc->steps - 1); +@@ -1711,7 +1715,7 @@ qcom_nandc_read_cw_raw(struct 
mtd_info * + nandc_set_read_loc(chip, cw, 3, read_loc, oob_size2, 1); + } + +- config_nand_cw_read(chip, false, cw); ++ config_nand_cw_read(chip, false, raw_cw); + + read_data_dma(nandc, reg_off, data_buf, data_size1, 0); + reg_off += data_size1; diff --git a/queue-5.14/nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch b/queue-5.14/nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch new file mode 100644 index 00000000000..f8f5237d1f1 --- /dev/null +++ b/queue-5.14/nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch 
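Review bot: After this change qcom_nandc_read_cw_raw() passes `raw_cw` to update_rw_regs() and config_nand_cw_read(), but still passes `cw` to set_address() and to the nandc_set_read_loc() call visible as context in the second hunk. set_address() needs the real code word for the offset. It is not evident from the hunk whether nandc_set_read_loc() chooses between the normal and LAST_CW read-location registers from its code-word argument; if it does, those calls may need `raw_cw` on QPIC V2 as well, so please confirm. Either way a comment at the assignment would help, e.g. `/* QPIC v2 treats a single-CW read as the last CW, so program the LAST_CW registers */`. The function body extends beyond both hunks.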
@@ -0,0 +1,85 @@ +From be358af1191b1b2fedebd8f3421cafdc8edacc7d Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Thu, 14 Oct 2021 14:35:07 -0400 +Subject: nds32/ftrace: Fix Error: invalid operands (*UND* and *UND* sections) for `^' + +From: Steven Rostedt + +commit be358af1191b1b2fedebd8f3421cafdc8edacc7d upstream. + +I received a build failure for a new patch I'm working on the nds32 +architecture, and when I went to test it, I couldn't get to my build error, +because it failed to build with a bunch of: + + Error: invalid operands (*UND* and *UND* sections) for `^' + +issues with various files. Those files were temporary asm files that looked +like: kernel/.tmp_mc_fork.s + +I decided to look deeper, and found that the "mc" portion of that name +stood for "mcount", and was created by the recordmcount.pl script. One that +I wrote over a decade ago. Once I knew the source of the problem, I was +able to investigate it further. + +The way the recordmcount.pl script works (BTW, there's a C version that +simply modifies the ELF object) is by doing an "objdump" on the object +file. Looks for all the calls to "mcount", and creates an offset of those +locations from some global variable it can use (usually a global function +name, found with <.*>:). Creates a asm file that is a table of references +to these locations, using the found variable/function. Compiles it and +links it back into the original object file. This asm file is called +".tmp_mc_.s". + +The problem here is that the objdump produced by the nds32 object file, +contains things that look like: + + 0000159a <.L3^B1>: + 159a: c6 00 beqz38 $r6, 159a <.L3^B1> + 159a: R_NDS32_9_PCREL_RELA .text+0x159e + 159c: 84 d2 movi55 $r6, #-14 + 159e: 80 06 mov55 $r0, $r6 + 15a0: ec 3c addi10.sp #0x3c + +Where ".L3^B1 is somehow selected as the "global" variable to index off of. 
+ +Then the assembly file that holds the mcount locations looks like this: + + .section __mcount_loc,"a",@progbits + .align 2 + .long .L3^B1 + -5522 + .long .L3^B1 + -5384 + .long .L3^B1 + -5270 + .long .L3^B1 + -5098 + .long .L3^B1 + -4970 + .long .L3^B1 + -4758 + .long .L3^B1 + -4122 + [...] + +And when it is compiled back to an object to link to the original object, +the compile fails on the "^" symbol. + +Simple solution for now, is to have the perl script ignore using function +symbols that have an "^" in the name. + +Link: https://lkml.kernel.org/r/20211014143507.4ad2c0f7@gandalf.local.home + +Cc: stable@vger.kernel.org +Acked-by: Greentime Hu +Fixes: fbf58a52ac088 ("nds32/ftrace: Add RECORD_MCOUNT support") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman +--- + scripts/recordmcount.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/recordmcount.pl ++++ b/scripts/recordmcount.pl +@@ -189,7 +189,7 @@ if ($arch =~ /(x86(_64)?)|(i386)/) { + $local_regex = "^[0-9a-fA-F]+\\s+t\\s+(\\S+)"; + $weak_regex = "^[0-9a-fA-F]+\\s+([wW])\\s+(\\S+)"; + $section_regex = "Disassembly of section\\s+(\\S+):"; +-$function_regex = "^([0-9a-fA-F]+)\\s+<(.*?)>:"; ++$function_regex = "^([0-9a-fA-F]+)\\s+<([^^]*?)>:"; + $mcount_regex = "^\\s*([0-9a-fA-F]+):.*\\s(mcount|__fentry__)\$"; + $section_type = '@progbits'; + $mcount_adjust = 0; diff --git a/queue-5.14/s390-fix-strrchr-implementation.patch b/queue-5.14/s390-fix-strrchr-implementation.patch new file mode 100644 index 00000000000..cb4d6021958 --- /dev/null +++ b/queue-5.14/s390-fix-strrchr-implementation.patch 
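Review bot: The new character class in `$function_regex`, `<([^^]*?)>`, is easy to misread, and the reason for it is recorded only in the commit message. A comment above the assignment would keep it from being simplified back to `.*?`, e.g. `# Skip symbols containing '^' (nds32 emits labels like .L3^B1); the assembler rejects them in expressions`. The assignment appears to be one of the defaults set before the per-architecture overrides, so the narrower match presumably applies to every architecture that does not set its own `$function_regex`. That part of the script is outside the hunk.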
@@ -0,0 +1,49 @@ +From 8e0ab8e26b72a80e991c66a8abc16e6c856abe3d Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Tue, 5 Oct 2021 14:08:36 +0200 +Subject: s390: fix strrchr() implementation + +From: Roberto Sassu + +commit 8e0ab8e26b72a80e991c66a8abc16e6c856abe3d upstream. + +Fix two problems found in the strrchr() implementation for s390 +architectures: evaluate empty strings (return the string address instead of +NULL, if '\0' is passed as second argument); evaluate the first character +of non-empty strings (the current implementation stops at the second). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Reported-by: Heiko Carstens (incorrect behavior with empty strings) +Signed-off-by: Roberto Sassu +Link: https://lore.kernel.org/r/20211005120836.60630-1-roberto.sassu@huawei.com +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/lib/string.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/arch/s390/lib/string.c ++++ b/arch/s390/lib/string.c +@@ -259,14 +259,13 @@ EXPORT_SYMBOL(strcmp); + #ifdef __HAVE_ARCH_STRRCHR + char *strrchr(const char *s, int c) + { +- size_t len = __strend(s) - s; ++ ssize_t len = __strend(s) - s; + +- if (len) +- do { +- if (s[len] == (char) c) +- return (char *) s + len; +- } while (--len > 0); +- return NULL; ++ do { ++ if (s[len] == (char)c) ++ return (char *)s + len; ++ } while (--len >= 0); ++ return NULL; + } + EXPORT_SYMBOL(strrchr); + #endif diff --git a/queue-5.14/series b/queue-5.14/series index 33c9fbd81e8..6dc8f93f300 100644 --- a/queue-5.14/series +++ b/queue-5.14/series 
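Review bot: The rewritten loop in strrchr() deliberately starts at index `len`, on the terminating NUL, and runs down to index 0, but nothing in the code says so. Starting on the terminator is what makes `strrchr(s, '\0')` return the terminator's address, and the switch to `ssize_t` with `--len >= 0` is what lets index 0 be examined. These are the two bugs named in the commit message. I would add before the loop: `/* start at the terminator so c == '\0' matches; len is signed so index 0 is checked */`.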
@@ -12,3 +12,24 @@ alsa-hda-realtek-fix-for-quirk-to-enable-speaker-output-on-the-lenovo-13s-gen2.p alsa-hda-realtek-fix-the-mic-type-detection-issue-for-asus-g551jw.patch platform-x86-gigabyte-wmi-add-support-for-b550-aorus-elite-ax-v2.patch platform-x86-amd-pmc-add-alternative-acpi-id-for-pmc-controller.patch +spi-atmel-fix-pdc-transfer-setup-bug.patch +mtd-rawnand-qcom-update-code-word-value-for-raw-read.patch +nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch +dm-fix-mempool-null-pointer-race-when-completing-io.patch +acpi-pm-include-alternate-amdi0005-id-in-special-behaviour.patch +dm-rq-don-t-queue-request-to-blk-mq-during-dm-suspend.patch +s390-fix-strrchr-implementation.patch +clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch +csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch +csky-fixup-regs.sr-broken-in-ptrace.patch +drm-fbdev-clamp-fbdev-surface-size-if-too-large.patch +arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch +drm-nouveau-fifo-reinstate-the-correct-engine-bit-programming.patch +drm-msm-do-not-run-snapshot-on-non-dpu-devices.patch +drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch +btrfs-unlock-newly-allocated-extent-buffer-after-error.patch +btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch +btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch +btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch +btrfs-update-refs-for-any-root-except-tree-log-roots.patch +btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch diff --git a/queue-5.14/spi-atmel-fix-pdc-transfer-setup-bug.patch b/queue-5.14/spi-atmel-fix-pdc-transfer-setup-bug.patch new file mode 100644 index 00000000000..916e1cc53f7 --- /dev/null +++ b/queue-5.14/spi-atmel-fix-pdc-transfer-setup-bug.patch 
@@ -0,0 +1,45 @@ +From 75e33c55ae8fb4a177fe07c284665e1d61b02560 Mon Sep 17 00:00:00 2001 +From: Ville Baillie +Date: Tue, 21 Sep 2021 07:21:32 +0000 +Subject: spi: atmel: Fix PDC transfer setup bug + +From: Ville Baillie + +commit 75e33c55ae8fb4a177fe07c284665e1d61b02560 upstream. + +atmel_spi_dma_map_xfer to never be called in PDC mode. This causes the +driver to silently fail. + +This patch changes the conditional to match the behaviour of the +previous commit before the refactor. + +Fixes: 5fa5e6dec762 ("spi: atmel: Switch to transfer_one transfer method") +Signed-off-by: Ville Baillie +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210921072132.21831-1-villeb@bytesnap.co.uk +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-atmel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-atmel.c ++++ b/drivers/spi/spi-atmel.c +@@ -1301,7 +1301,7 @@ static int atmel_spi_one_transfer(struct + * DMA map early, for performance (empties dcache ASAP) and + * better fault reporting. + */ +- if ((!master->cur_msg_mapped) ++ if ((!master->cur_msg->is_dma_mapped) + && as->use_pdc) { + if (atmel_spi_dma_map_xfer(as, xfer) < 0) + return -ENOMEM; +@@ -1381,7 +1381,7 @@ static int atmel_spi_one_transfer(struct + } + } + +- if (!master->cur_msg_mapped ++ if (!master->cur_msg->is_dma_mapped + && as->use_pdc) + atmel_spi_dma_unmap_xfer(master, xfer); +
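Review bot: Both hunks in atmel_spi_one_transfer() now test `!master->cur_msg->is_dma_mapped && as->use_pdc` as two independent copies, once before atmel_spi_dma_map_xfer() and once before atmel_spi_dma_unmap_xfer(). Evaluating it once into a local, e.g. `bool pdc_map = !master->cur_msg->is_dma_mapped && as->use_pdc;`, and testing `pdc_map` at both sites would guarantee the unmap runs exactly when the map did. The new expression also dereferences `master->cur_msg` without a check. It is presumably always set while a transfer is in progress, but the caller is outside the hunks. The function starts and ends outside both hunks.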