From: Sasha Levin Date: Wed, 19 May 2021 22:43:10 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.4.269~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=669a20de508b5ee7a18eb0279e045101ea7287a8;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/acpi-hotplug-pci-fix-reference-count-leak-in-enable_.patch b/queue-4.14/acpi-hotplug-pci-fix-reference-count-leak-in-enable_.patch new file mode 100644 index 00000000000..813eff15114 --- /dev/null +++ b/queue-4.14/acpi-hotplug-pci-fix-reference-count-leak-in-enable_.patch @@ -0,0 +1,43 @@ +From 5c77e74140ea28635259d368fe5cc6900edc4691 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 15:26:00 +0800 +Subject: ACPI / hotplug / PCI: Fix reference count leak in enable_slot() + +From: Feilong Lin + +[ Upstream commit 3bbfd319034ddce59e023837a4aa11439460509b ] + +In enable_slot(), if pci_get_slot() returns NULL, we clear the SLOT_ENABLED +flag. When pci_get_slot() finds a device, it increments the device's +reference count. In this case, we did not call pci_dev_put() to decrement +the reference count, so the memory of the device (struct pci_dev type) will +eventually leak. + +Call pci_dev_put() to decrement its reference count when pci_get_slot() +returns a PCI device. + +Link: https://lore.kernel.org/r/b411af88-5049-a1c6-83ac-d104a1f429be@huawei.com +Signed-off-by: Feilong Lin +Signed-off-by: Zhiqiang Liu +Signed-off-by: Bjorn Helgaas +Reviewed-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/acpiphp_glue.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/hotplug/acpiphp_glue.c b/drivers/pci/hotplug/acpiphp_glue.c +index f2c1008e0f76..40e936e3a480 100644 +--- a/drivers/pci/hotplug/acpiphp_glue.c ++++ b/drivers/pci/hotplug/acpiphp_glue.c +@@ -509,6 +509,7 @@ static void enable_slot(struct acpiphp_slot *slot) + slot->flags &= (~SLOT_ENABLED); + continue; + } ++ pci_dev_put(dev); + } + } + +-- +2.30.2 + diff --git a/queue-4.14/alsa-hda-generic-change-the-dac-ctl-name-for-lo-spk-.patch b/queue-4.14/alsa-hda-generic-change-the-dac-ctl-name-for-lo-spk-.patch new file mode 100644 index 00000000000..65759bc8878 --- /dev/null +++ b/queue-4.14/alsa-hda-generic-change-the-dac-ctl-name-for-lo-spk-.patch @@ -0,0 +1,64 @@ +From 273e3d40153862b6e4730757815e6dcfc9eaec46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 15:39:17 +0800 +Subject: ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP + +From: Hui Wang + +[ Upstream commit f48652bbe3ae62ba2835a396b7e01f063e51c4cd ] + +Without this change, the DAC ctl's name could be changed only when +the machine has both Speaker and Headphone, but we met some machines +which only has Lineout and Headhpone, and the Lineout and Headphone +share the Audio Mixer0 and DAC0, the ctl's name is set to "Front". + +On most of machines, the "Front" is used for Speaker only or Lineout +only, but on this machine it is shared by Lineout and Headphone, +This introduces an issue in the pipewire and pulseaudio, suppose users +want the Headphone to be on and the Speaker/Lineout to be off, they +could turn off the "Front", this works on most of the machines, but on +this machine, the "Front" couldn't be turned off otherwise the +headphone will be off too. Here we do some change to let the ctl's +name change to "Headphone+LO" on this machine, and pipewire and +pulseaudio already could handle "Headphone+LO" and "Speaker+LO". +(https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/747) + +BugLink: http://bugs.launchpad.net/bugs/804178 +Signed-off-by: Hui Wang +Link: https://lore.kernel.org/r/20210504073917.22406-1-hui.wang@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_generic.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c +index 14881fe80a21..1833deefe1af 100644 +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -1212,11 +1212,17 @@ static const char *get_line_out_pfx(struct hda_codec *codec, int ch, + *index = ch; + return "Headphone"; + case AUTO_PIN_LINE_OUT: +- /* This deals with the case where we have two DACs and +- * one LO, one HP and one Speaker */ +- if (!ch && cfg->speaker_outs && cfg->hp_outs) { +- bool hp_lo_shared = !path_has_mixer(codec, spec->hp_paths[0], ctl_type); +- bool spk_lo_shared = !path_has_mixer(codec, spec->speaker_paths[0], ctl_type); ++ /* This deals with the case where one HP or one Speaker or ++ * one HP + one Speaker need to share the DAC with LO ++ */ ++ if (!ch) { ++ bool hp_lo_shared = false, spk_lo_shared = false; ++ ++ if (cfg->speaker_outs) ++ spk_lo_shared = !path_has_mixer(codec, ++ spec->speaker_paths[0], ctl_type); ++ if (cfg->hp_outs) ++ hp_lo_shared = !path_has_mixer(codec, spec->hp_paths[0], ctl_type); + if (hp_lo_shared && spk_lo_shared) + return spec->vmaster_mute.hook ? "PCM" : "Master"; + if (hp_lo_shared) +-- +2.30.2 + diff --git a/queue-4.14/arm-9058-1-cache-v7-refactor-v7_invalidate_l1-to-avo.patch b/queue-4.14/arm-9058-1-cache-v7-refactor-v7_invalidate_l1-to-avo.patch new file mode 100644 index 00000000000..7c0230354b2 --- /dev/null +++ b/queue-4.14/arm-9058-1-cache-v7-refactor-v7_invalidate_l1-to-avo.patch @@ -0,0 +1,105 @@ +From 0670bba9c44b03d61b7928da36c24d323b6dc367 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Feb 2021 09:23:09 +0100 +Subject: ARM: 9058/1: cache-v7: refactor v7_invalidate_l1 to avoid clobbering + r5/r6 + +From: Ard Biesheuvel + +[ Upstream commit f9e7a99fb6b86aa6a00e53b34ee6973840e005aa ] + +The cache invalidation code in v7_invalidate_l1 can be tweaked to +re-read the associativity from CCSIDR, and keep the way identifier +component in a single register that is assigned in the outer loop. This +way, we need 2 registers less. + +Given that the number of sets is typically much larger than the +associativity, rearrange the code so that the outer loop has the fewer +number of iterations, ensuring that the re-read of CCSIDR only occurs a +handful of times in practice. + +Fix the whitespace while at it, and update the comment to indicate that +this code is no longer a clone of anything else. + +Acked-by: Nicolas Pitre +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/cache-v7.S | 51 +++++++++++++++++++++--------------------- + 1 file changed, 25 insertions(+), 26 deletions(-) + +diff --git a/arch/arm/mm/cache-v7.S b/arch/arm/mm/cache-v7.S +index 50a70edbc863..08986397e5c7 100644 +--- a/arch/arm/mm/cache-v7.S ++++ b/arch/arm/mm/cache-v7.S +@@ -27,41 +27,40 @@ + * processor. We fix this by performing an invalidate, rather than a + * clean + invalidate, before jumping into the kernel. + * +- * This function is cloned from arch/arm/mach-tegra/headsmp.S, and needs +- * to be called for both secondary cores startup and primary core resume +- * procedures. ++ * This function needs to be called for both secondary cores startup and ++ * primary core resume procedures. + */ + ENTRY(v7_invalidate_l1) + mov r0, #0 + mcr p15, 2, r0, c0, c0, 0 + mrc p15, 1, r0, c0, c0, 0 + +- movw r1, #0x7fff +- and r2, r1, r0, lsr #13 ++ movw r3, #0x3ff ++ and r3, r3, r0, lsr #3 @ 'Associativity' in CCSIDR[12:3] ++ clz r1, r3 @ WayShift ++ mov r2, #1 ++ mov r3, r3, lsl r1 @ NumWays-1 shifted into bits [31:...] ++ movs r1, r2, lsl r1 @ #1 shifted left by same amount ++ moveq r1, #1 @ r1 needs value > 0 even if only 1 way + +- movw r1, #0x3ff ++ and r2, r0, #0x7 ++ add r2, r2, #4 @ SetShift + +- and r3, r1, r0, lsr #3 @ NumWays - 1 +- add r2, r2, #1 @ NumSets ++1: movw r4, #0x7fff ++ and r0, r4, r0, lsr #13 @ 'NumSets' in CCSIDR[27:13] + +- and r0, r0, #0x7 +- add r0, r0, #4 @ SetShift +- +- clz r1, r3 @ WayShift +- add r4, r3, #1 @ NumWays +-1: sub r2, r2, #1 @ NumSets-- +- mov r3, r4 @ Temp = NumWays +-2: subs r3, r3, #1 @ Temp-- +- mov r5, r3, lsl r1 +- mov r6, r2, lsl r0 +- orr r5, r5, r6 @ Reg = (Temp< +Date: Wed, 24 Feb 2021 13:25:53 +0100 +Subject: ARM: 9066/1: ftrace: pause/unpause function graph tracer in + cpu_suspend() + +From: louis.wang + +[ Upstream commit 8252ca87c7a2111502ee13994956f8c309faad7f ] + +Enabling function_graph tracer on ARM causes kernel panic, because the +function graph tracer updates the "return address" of a function in order +to insert a trace callback on function exit, it saves the function's +original return address in a return trace stack, but cpu_suspend() may not +return through the normal return path. + +cpu_suspend() will resume directly via the cpu_resume path, but the return +trace stack has been set-up by the subfunctions of cpu_suspend(), which +makes the "return address" inconsistent with cpu_suspend(). + +This patch refers to Commit de818bd4522c40ea02a81b387d2fa86f989c9623 +("arm64: kernel: pause/unpause function graph tracer in cpu_suspend()"), + +fixes the issue by pausing/resuming the function graph tracer on the thread +executing cpu_suspend(), so that the function graph tracer state is kept +consistent across functions that enter power down states and never return +by effectively disabling graph tracer while they are executing. + +Signed-off-by: louis.wang +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/suspend.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/kernel/suspend.c b/arch/arm/kernel/suspend.c +index d08099269e35..e126386fb78a 100644 +--- a/arch/arm/kernel/suspend.c ++++ b/arch/arm/kernel/suspend.c +@@ -1,4 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0 ++#include + #include + #include + #include +@@ -26,6 +27,13 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long)) + if (!idmap_pgd) + return -EINVAL; + ++ /* ++ * Function graph tracer state gets incosistent when the kernel ++ * calls functions that never return (aka suspend finishers) hence ++ * disable graph tracing during their execution. ++ */ ++ pause_graph_tracing(); ++ + /* + * Provide a temporary page table with an identity mapping for + * the MMU-enable code, required for resuming. On successful +@@ -33,6 +41,9 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long)) + * back to the correct page tables. + */ + ret = __cpu_suspend(arg, fn, __mpidr); ++ ++ unpause_graph_tracing(); ++ + if (ret == 0) { + cpu_switch_mm(mm->pgd, mm); + local_flush_bp_all(); +@@ -46,7 +57,13 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long)) + int cpu_suspend(unsigned long arg, int (*fn)(unsigned long)) + { + u32 __mpidr = cpu_logical_map(smp_processor_id()); +- return __cpu_suspend(arg, fn, __mpidr); ++ int ret; ++ ++ pause_graph_tracing(); ++ ret = __cpu_suspend(arg, fn, __mpidr); ++ unpause_graph_tracing(); ++ ++ return ret; + } + #define idmap_pgd NULL + #endif +-- +2.30.2 + diff --git a/queue-4.14/block-reexpand-iov_iter-after-read-write.patch b/queue-4.14/block-reexpand-iov_iter-after-read-write.patch new file mode 100644 index 00000000000..c194307ce36 --- /dev/null +++ b/queue-4.14/block-reexpand-iov_iter-after-read-write.patch @@ -0,0 +1,171 @@ +From bec34ef81b3f83a45fbb7f6a9a80813b04c3f756 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Apr 2021 15:18:07 +0800 +Subject: block: reexpand iov_iter after read/write + +From: yangerkun + +[ Upstream commit cf7b39a0cbf6bf57aa07a008d46cf695add05b4c ] + +We get a bug: + +BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x11c/0x404 +lib/iov_iter.c:1139 +Read of size 8 at addr ffff0000d3fb11f8 by task + +CPU: 0 PID: 12582 Comm: syz-executor.2 Not tainted +5.10.0-00843-g352c8610ccd2 #2 +Hardware name: linux,dummy-virt (DT) +Call trace: + dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132 + show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196 + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x110/0x164 lib/dump_stack.c:118 + print_address_description+0x78/0x5c8 mm/kasan/report.c:385 + __kasan_report mm/kasan/report.c:545 [inline] + kasan_report+0x148/0x1e4 mm/kasan/report.c:562 + check_memory_region_inline mm/kasan/generic.c:183 [inline] + __asan_load8+0xb4/0xbc mm/kasan/generic.c:252 + iov_iter_revert+0x11c/0x404 lib/iov_iter.c:1139 + io_read fs/io_uring.c:3421 [inline] + io_issue_sqe+0x2344/0x2d64 fs/io_uring.c:5943 + __io_queue_sqe+0x19c/0x520 fs/io_uring.c:6260 + io_queue_sqe+0x2a4/0x590 fs/io_uring.c:6326 + io_submit_sqe fs/io_uring.c:6395 [inline] + io_submit_sqes+0x4c0/0xa04 fs/io_uring.c:6624 + __do_sys_io_uring_enter fs/io_uring.c:9013 [inline] + __se_sys_io_uring_enter fs/io_uring.c:8960 [inline] + __arm64_sys_io_uring_enter+0x190/0x708 fs/io_uring.c:8960 + __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] + invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] + el0_svc_common arch/arm64/kernel/syscall.c:158 [inline] + do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:227 + el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 + el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 + el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670 + +Allocated by task 12570: + stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 + kasan_save_stack mm/kasan/common.c:48 [inline] + kasan_set_track mm/kasan/common.c:56 [inline] + __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461 + kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475 + __kmalloc+0x23c/0x334 mm/slub.c:3970 + kmalloc include/linux/slab.h:557 [inline] + __io_alloc_async_data+0x68/0x9c fs/io_uring.c:3210 + io_setup_async_rw fs/io_uring.c:3229 [inline] + io_read fs/io_uring.c:3436 [inline] + io_issue_sqe+0x2954/0x2d64 fs/io_uring.c:5943 + __io_queue_sqe+0x19c/0x520 fs/io_uring.c:6260 + io_queue_sqe+0x2a4/0x590 fs/io_uring.c:6326 + io_submit_sqe fs/io_uring.c:6395 [inline] + io_submit_sqes+0x4c0/0xa04 fs/io_uring.c:6624 + __do_sys_io_uring_enter fs/io_uring.c:9013 [inline] + __se_sys_io_uring_enter fs/io_uring.c:8960 [inline] + __arm64_sys_io_uring_enter+0x190/0x708 fs/io_uring.c:8960 + __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] + invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] + el0_svc_common arch/arm64/kernel/syscall.c:158 [inline] + do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:227 + el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 + el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 + el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670 + +Freed by task 12570: + stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 + kasan_save_stack mm/kasan/common.c:48 [inline] + kasan_set_track+0x38/0x6c mm/kasan/common.c:56 + kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355 + __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422 + kasan_slab_free+0x10/0x1c mm/kasan/common.c:431 + slab_free_hook mm/slub.c:1544 [inline] + slab_free_freelist_hook mm/slub.c:1577 [inline] + slab_free mm/slub.c:3142 [inline] + kfree+0x104/0x38c mm/slub.c:4124 + io_dismantle_req fs/io_uring.c:1855 [inline] + __io_free_req+0x70/0x254 fs/io_uring.c:1867 + io_put_req_find_next fs/io_uring.c:2173 [inline] + __io_queue_sqe+0x1fc/0x520 fs/io_uring.c:6279 + __io_req_task_submit+0x154/0x21c fs/io_uring.c:2051 + io_req_task_submit+0x2c/0x44 fs/io_uring.c:2063 + task_work_run+0xdc/0x128 kernel/task_work.c:151 + get_signal+0x6f8/0x980 kernel/signal.c:2562 + do_signal+0x108/0x3a4 arch/arm64/kernel/signal.c:658 + do_notify_resume+0xbc/0x25c arch/arm64/kernel/signal.c:722 + work_pending+0xc/0x180 + +blkdev_read_iter can truncate iov_iter's count since the count + pos may +exceed the size of the blkdev. This will confuse io_read that we have +consume the iovec. And once we do the iov_iter_revert in io_read, we +will trigger the slab-out-of-bounds. Fix it by reexpand the count with +size has been truncated. + +blkdev_write_iter can trigger the problem too. + +Signed-off-by: yangerkun +Acked-by: Pavel Begunkov +Link: https://lore.kernel.org/r/20210401071807.3328235-1-yangerkun@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/block_dev.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/fs/block_dev.c b/fs/block_dev.c +index 23fb999b49e1..a56974d04010 100644 +--- a/fs/block_dev.c ++++ b/fs/block_dev.c +@@ -1906,6 +1906,7 @@ ssize_t blkdev_write_iter(struct kiocb *iocb, struct iov_iter *from) + struct inode *bd_inode = bdev_file_inode(file); + loff_t size = i_size_read(bd_inode); + struct blk_plug plug; ++ size_t shorted = 0; + ssize_t ret; + + if (bdev_read_only(I_BDEV(bd_inode))) +@@ -1920,12 +1921,17 @@ ssize_t blkdev_write_iter(struct kiocb *iocb, struct iov_iter *from) + if ((iocb->ki_flags & (IOCB_NOWAIT | IOCB_DIRECT)) == IOCB_NOWAIT) + return -EOPNOTSUPP; + +- iov_iter_truncate(from, size - iocb->ki_pos); ++ size -= iocb->ki_pos; ++ if (iov_iter_count(from) > size) { ++ shorted = iov_iter_count(from) - size; ++ iov_iter_truncate(from, size); ++ } + + blk_start_plug(&plug); + ret = __generic_file_write_iter(iocb, from); + if (ret > 0) + ret = generic_write_sync(iocb, ret); ++ iov_iter_reexpand(from, iov_iter_count(from) + shorted); + blk_finish_plug(&plug); + return ret; + } +@@ -1937,13 +1943,21 @@ ssize_t blkdev_read_iter(struct kiocb *iocb, struct iov_iter *to) + struct inode *bd_inode = bdev_file_inode(file); + loff_t size = i_size_read(bd_inode); + loff_t pos = iocb->ki_pos; ++ size_t shorted = 0; ++ ssize_t ret; + + if (pos >= size) + return 0; + + size -= pos; +- iov_iter_truncate(to, size); +- return generic_file_read_iter(iocb, to); ++ if (iov_iter_count(to) > size) { ++ shorted = iov_iter_count(to) - size; ++ iov_iter_truncate(to, size); ++ } ++ ++ ret = generic_file_read_iter(iocb, to); ++ iov_iter_reexpand(to, iov_iter_count(to) + shorted); ++ return ret; + } + EXPORT_SYMBOL_GPL(blkdev_read_iter); + +-- +2.30.2 + diff --git a/queue-4.14/ceph-fix-fscache-invalidation.patch b/queue-4.14/ceph-fix-fscache-invalidation.patch new file mode 100644 index 00000000000..e7b7a38af1b --- /dev/null +++ b/queue-4.14/ceph-fix-fscache-invalidation.patch @@ -0,0 +1,47 @@ +From 0ec1736b3e27ecc1089c67f1294d4bacaf65ce5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jan 2021 18:05:37 -0500 +Subject: ceph: fix fscache invalidation + +From: Jeff Layton + +[ Upstream commit 10a7052c7868bc7bc72d947f5aac6f768928db87 ] + +Ensure that we invalidate the fscache whenever we invalidate the +pagecache. + +Signed-off-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/caps.c | 1 + + fs/ceph/inode.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index 382cf85fd574..b077b9a6bf95 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -1662,6 +1662,7 @@ static int try_nonblocking_invalidate(struct inode *inode) + u32 invalidating_gen = ci->i_rdcache_gen; + + spin_unlock(&ci->i_ceph_lock); ++ ceph_fscache_invalidate(inode); + invalidate_mapping_pages(&inode->i_data, 0, -1); + spin_lock(&ci->i_ceph_lock); + +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c +index 5999d806de78..90db2cd07840 100644 +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -1757,6 +1757,7 @@ static void ceph_invalidate_work(struct work_struct *work) + orig_gen = ci->i_rdcache_gen; + spin_unlock(&ci->i_ceph_lock); + ++ ceph_fscache_invalidate(inode); + if (invalidate_inode_pages2(inode->i_mapping) < 0) { + pr_err("invalidate_pages %p fails\n", inode); + } +-- +2.30.2 + diff --git a/queue-4.14/gpiolib-acpi-add-quirk-to-ignore-ec-wakeups-on-dell-.patch b/queue-4.14/gpiolib-acpi-add-quirk-to-ignore-ec-wakeups-on-dell-.patch new file mode 100644 index 00000000000..5d07879da38 --- /dev/null +++ b/queue-4.14/gpiolib-acpi-add-quirk-to-ignore-ec-wakeups-on-dell-.patch @@ -0,0 +1,57 @@ +From d047ead68a9fa7f03b8b2734db742c4c38ae1b20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Apr 2021 18:27:40 +0200 +Subject: gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro + 5055 + +From: Hans de Goede + +[ Upstream commit da91ece226729c76f60708efc275ebd4716ad089 ] + +Like some other Bay and Cherry Trail SoC based devices the Dell Venue +10 Pro 5055 has an embedded-controller which uses ACPI GPIO events to +report events instead of using the standard ACPI EC interface for this. + +The EC interrupt is only used to report battery-level changes and +it keeps doing this while the system is suspended, causing the system +to not stay suspended. + +Add an ignore-wake quirk for the GPIO pin used by the EC to fix the +spurious wakeups from suspend. + +Signed-off-by: Hans de Goede +Acked-by: Andy Shevchenko +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-acpi.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c +index ab5de5196080..c380ce957d8d 100644 +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -1404,6 +1404,20 @@ static const struct dmi_system_id gpiolib_acpi_quirks[] = { + .no_edge_events_on_boot = true, + }, + }, ++ { ++ /* ++ * The Dell Venue 10 Pro 5055, with Bay Trail SoC + TI PMIC uses an ++ * external embedded-controller connected via I2C + an ACPI GPIO ++ * event handler on INT33FFC:02 pin 12, causing spurious wakeups. ++ */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Venue 10 Pro 5055"), ++ }, ++ .driver_data = &(struct acpi_gpiolib_dmi_quirk) { ++ .ignore_wake = "INT33FC:02@12", ++ }, ++ }, + { + /* + * HP X2 10 models with Cherry Trail SoC + TI PMIC use an +-- +2.30.2 + diff --git a/queue-4.14/input-elants_i2c-do-not-bind-to-i2c-hid-compatible-a.patch b/queue-4.14/input-elants_i2c-do-not-bind-to-i2c-hid-compatible-a.patch new file mode 100644 index 00000000000..799ce8a0c7e --- /dev/null +++ b/queue-4.14/input-elants_i2c-do-not-bind-to-i2c-hid-compatible-a.patch @@ -0,0 +1,132 @@ +From 7d3c9d0822deb6ce5f505781132462289fd4e457 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 22:29:07 -0700 +Subject: Input: elants_i2c - do not bind to i2c-hid compatible ACPI + instantiated devices + +From: Hans de Goede + +[ Upstream commit 65299e8bfb24774e6340e93ae49f6626598917c8 ] + +Several users have been reporting that elants_i2c gives several errors +during probe and that their touchscreen does not work on their Lenovo AMD +based laptops with a touchscreen with a ELAN0001 ACPI hardware-id: + +[ 0.550596] elants_i2c i2c-ELAN0001:00: i2c-ELAN0001:00 supply vcc33 not found, using dummy regulator +[ 0.551836] elants_i2c i2c-ELAN0001:00: i2c-ELAN0001:00 supply vccio not found, using dummy regulator +[ 0.560932] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (77 77 77 77): -121 +[ 0.562427] elants_i2c i2c-ELAN0001:00: software reset failed: -121 +[ 0.595925] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (77 77 77 77): -121 +[ 0.597974] elants_i2c i2c-ELAN0001:00: software reset failed: -121 +[ 0.621893] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (77 77 77 77): -121 +[ 0.622504] elants_i2c i2c-ELAN0001:00: software reset failed: -121 +[ 0.632650] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (4d 61 69 6e): -121 +[ 0.634256] elants_i2c i2c-ELAN0001:00: boot failed: -121 +[ 0.699212] elants_i2c i2c-ELAN0001:00: invalid 'hello' packet: 00 00 ff ff +[ 1.630506] elants_i2c i2c-ELAN0001:00: Failed to read fw id: -121 +[ 1.645508] elants_i2c i2c-ELAN0001:00: unknown packet 00 00 ff ff + +Despite these errors, the elants_i2c driver stays bound to the device +(it returns 0 from its probe method despite the errors), blocking the +i2c-hid driver from binding. + +Manually unbinding the elants_i2c driver and binding the i2c-hid driver +makes the touchscreen work. + +Check if the ACPI-fwnode for the touchscreen contains one of the i2c-hid +compatiblity-id strings and if it has the I2C-HID spec's DSM to get the +HID descriptor address, If it has both then make elants_i2c not bind, +so that the i2c-hid driver can bind. + +This assumes that non of the (older) elan touchscreens which actually +need the elants_i2c driver falsely advertise an i2c-hid compatiblity-id ++ DSM in their ACPI-fwnodes. If some of them actually do have this +false advertising, then this change may lead to regressions. + +While at it also drop the unnecessary DEVICE_NAME prefixing of the +"I2C check functionality error", dev_err already outputs the driver-name. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207759 +Acked-by: Benjamin Tissoires +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20210405202756.16830-1-hdegoede@redhat.com + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/elants_i2c.c | 44 ++++++++++++++++++++++++-- + 1 file changed, 42 insertions(+), 2 deletions(-) + +diff --git a/drivers/input/touchscreen/elants_i2c.c b/drivers/input/touchscreen/elants_i2c.c +index 0f4cda7282a2..fd48fb6ef210 100644 +--- a/drivers/input/touchscreen/elants_i2c.c ++++ b/drivers/input/touchscreen/elants_i2c.c +@@ -40,6 +40,7 @@ + #include + #include + #include ++#include + #include + + /* Device, Driver information */ +@@ -1138,6 +1139,40 @@ static void elants_i2c_power_off(void *_data) + } + } + ++#ifdef CONFIG_ACPI ++static const struct acpi_device_id i2c_hid_ids[] = { ++ {"ACPI0C50", 0 }, ++ {"PNP0C50", 0 }, ++ { }, ++}; ++ ++static const guid_t i2c_hid_guid = ++ GUID_INIT(0x3CDFF6F7, 0x4267, 0x4555, ++ 0xAD, 0x05, 0xB3, 0x0A, 0x3D, 0x89, 0x38, 0xDE); ++ ++static bool elants_acpi_is_hid_device(struct device *dev) ++{ ++ acpi_handle handle = ACPI_HANDLE(dev); ++ union acpi_object *obj; ++ ++ if (acpi_match_device_ids(ACPI_COMPANION(dev), i2c_hid_ids)) ++ return false; ++ ++ obj = acpi_evaluate_dsm_typed(handle, &i2c_hid_guid, 1, 1, NULL, ACPI_TYPE_INTEGER); ++ if (obj) { ++ ACPI_FREE(obj); ++ return true; ++ } ++ ++ return false; ++} ++#else ++static bool elants_acpi_is_hid_device(struct device *dev) ++{ ++ return false; ++} ++#endif ++ + static int elants_i2c_probe(struct i2c_client *client, + const struct i2c_device_id *id) + { +@@ -1146,9 +1181,14 @@ static int elants_i2c_probe(struct i2c_client *client, + unsigned long irqflags; + int error; + ++ /* Don't bind to i2c-hid compatible devices, these are handled by the i2c-hid drv. */ ++ if (elants_acpi_is_hid_device(&client->dev)) { ++ dev_warn(&client->dev, "This device appears to be an I2C-HID device, not binding\n"); ++ return -ENODEV; ++ } ++ + if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) { +- dev_err(&client->dev, +- "%s: i2c check functionality error\n", DEVICE_NAME); ++ dev_err(&client->dev, "I2C check functionality error\n"); + return -ENXIO; + } + +-- +2.30.2 + diff --git a/queue-4.14/input-silead-add-workaround-for-x86-bios-es-which-br.patch b/queue-4.14/input-silead-add-workaround-for-x86-bios-es-which-br.patch new file mode 100644 index 00000000000..7b159cec2b6 --- /dev/null +++ b/queue-4.14/input-silead-add-workaround-for-x86-bios-es-which-br.patch @@ -0,0 +1,128 @@ +From 25358577c9f1c683b43a756eb111c7181a3af66e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 22:29:49 -0700 +Subject: Input: silead - add workaround for x86 BIOS-es which bring the chip + up in a stuck state + +From: Hans de Goede + +[ Upstream commit e479187748a8f151a85116a7091c599b121fdea5 ] + +Some buggy BIOS-es bring up the touchscreen-controller in a stuck +state where it blocks the I2C bus. Specifically this happens on +the Jumper EZpad 7 tablet model. + +After much poking at this problem I have found that the following steps +are necessary to unstuck the chip / bus: + +1. Turn off the Silead chip. +2. Try to do an I2C transfer with the chip, this will fail in response to + which the I2C-bus-driver will call: i2c_recover_bus() which will unstuck + the I2C-bus. Note the unstuck-ing of the I2C bus only works if we first + drop the chip of the bus by turning it off. +3. Turn the chip back on. + +On the x86/ACPI systems were this problem is seen, step 1. and 3. require +making ACPI calls and dealing with ACPI Power Resources. This commit adds +a workaround which runtime-suspends the chip to turn it off, leaving it up +to the ACPI subsystem to deal with all the ACPI specific details. + +There is no good way to detect this bug, so the workaround gets activated +by a new "silead,stuck-controller-bug" boolean device-property. Since this +is only used on x86/ACPI, this will be set by model specific device-props +set by drivers/platform/x86/touchscreen_dmi.c. Therefor this new +device-property is not documented in the DT-bindings. + +Dmesg will contain the following messages on systems where the workaround +is activated: + +[ 54.309029] silead_ts i2c-MSSL1680:00: [Firmware Bug]: Stuck I2C bus: please ignore the next 'controller timed out' error +[ 55.373593] i2c_designware 808622C1:04: controller timed out +[ 55.582186] silead_ts i2c-MSSL1680:00: Silead chip ID: 0x80360000 + +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20210405202745.16777-1-hdegoede@redhat.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/silead.c | 44 +++++++++++++++++++++++++++--- + 1 file changed, 40 insertions(+), 4 deletions(-) + +diff --git a/drivers/input/touchscreen/silead.c b/drivers/input/touchscreen/silead.c +index 7c0eeef29b3c..18c866129845 100644 +--- a/drivers/input/touchscreen/silead.c ++++ b/drivers/input/touchscreen/silead.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -319,10 +320,8 @@ static int silead_ts_get_id(struct i2c_client *client) + + error = i2c_smbus_read_i2c_block_data(client, SILEAD_REG_ID, + sizeof(chip_id), (u8 *)&chip_id); +- if (error < 0) { +- dev_err(&client->dev, "Chip ID read error %d\n", error); ++ if (error < 0) + return error; +- } + + data->chip_id = le32_to_cpu(chip_id); + dev_info(&client->dev, "Silead chip ID: 0x%8X", data->chip_id); +@@ -335,12 +334,49 @@ static int silead_ts_setup(struct i2c_client *client) + int error; + u32 status; + ++ /* ++ * Some buggy BIOS-es bring up the chip in a stuck state where it ++ * blocks the I2C bus. The following steps are necessary to ++ * unstuck the chip / bus: ++ * 1. Turn off the Silead chip. ++ * 2. Try to do an I2C transfer with the chip, this will fail in ++ * response to which the I2C-bus-driver will call: ++ * i2c_recover_bus() which will unstuck the I2C-bus. Note the ++ * unstuck-ing of the I2C bus only works if we first drop the ++ * chip off the bus by turning it off. ++ * 3. Turn the chip back on. ++ * ++ * On the x86/ACPI systems were this problem is seen, step 1. and ++ * 3. require making ACPI calls and dealing with ACPI Power ++ * Resources. The workaround below runtime-suspends the chip to ++ * turn it off, leaving it up to the ACPI subsystem to deal with ++ * this. ++ */ ++ ++ if (device_property_read_bool(&client->dev, ++ "silead,stuck-controller-bug")) { ++ pm_runtime_set_active(&client->dev); ++ pm_runtime_enable(&client->dev); ++ pm_runtime_allow(&client->dev); ++ ++ pm_runtime_suspend(&client->dev); ++ ++ dev_warn(&client->dev, FW_BUG "Stuck I2C bus: please ignore the next 'controller timed out' error\n"); ++ silead_ts_get_id(client); ++ ++ /* The forbid will also resume the device */ ++ pm_runtime_forbid(&client->dev); ++ pm_runtime_disable(&client->dev); ++ } ++ + silead_ts_set_power(client, SILEAD_POWER_OFF); + silead_ts_set_power(client, SILEAD_POWER_ON); + + error = silead_ts_get_id(client); +- if (error) ++ if (error) { ++ dev_err(&client->dev, "Chip ID read error %d\n", error); + return error; ++ } + + error = silead_ts_init(client); + if (error) +-- +2.30.2 + diff --git a/queue-4.14/lib-stackdepot-turn-depot_lock-spinlock-to-raw_spinl.patch b/queue-4.14/lib-stackdepot-turn-depot_lock-spinlock-to-raw_spinl.patch new file mode 100644 index 00000000000..6b6482ab500 --- /dev/null +++ b/queue-4.14/lib-stackdepot-turn-depot_lock-spinlock-to-raw_spinl.patch @@ -0,0 +1,80 @@ +From 008ffbeb9ee1f7904a8856648616b7b098d8d2b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 18:03:40 -0700 +Subject: lib: stackdepot: turn depot_lock spinlock to raw_spinlock + +From: Zqiang + +[ Upstream commit 78564b9434878d686c5f88c4488b20cccbcc42bc ] + +In RT system, the spin_lock will be replaced by sleepable rt_mutex lock, +in __call_rcu(), disable interrupts before calling +kasan_record_aux_stack(), will trigger this calltrace: + + BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:951 + in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 19, name: pgdatinit0 + Call Trace: + ___might_sleep.cold+0x1b2/0x1f1 + rt_spin_lock+0x3b/0xb0 + stack_depot_save+0x1b9/0x440 + kasan_save_stack+0x32/0x40 + kasan_record_aux_stack+0xa5/0xb0 + __call_rcu+0x117/0x880 + __exit_signal+0xafb/0x1180 + release_task+0x1d6/0x480 + exit_notify+0x303/0x750 + do_exit+0x678/0xcf0 + kthread+0x364/0x4f0 + ret_from_fork+0x22/0x30 + +Replace spinlock with raw_spinlock. + +Link: https://lkml.kernel.org/r/20210329084009.27013-1-qiang.zhang@windriver.com +Signed-off-by: Zqiang +Reported-by: Andrew Halaney +Cc: Alexander Potapenko +Cc: Gustavo A. R. Silva +Cc: Vijayanand Jitta +Cc: Vinayak Menon +Cc: Yogesh Lal +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/stackdepot.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/stackdepot.c b/lib/stackdepot.c +index 759ff419fe61..c519aa07d2e9 100644 +--- a/lib/stackdepot.c ++++ b/lib/stackdepot.c +@@ -78,7 +78,7 @@ static void *stack_slabs[STACK_ALLOC_MAX_SLABS]; + static int depot_index; + static int next_slab_inited; + static size_t depot_offset; +-static DEFINE_SPINLOCK(depot_lock); ++static DEFINE_RAW_SPINLOCK(depot_lock); + + static bool init_stack_slab(void **prealloc) + { +@@ -253,7 +253,7 @@ depot_stack_handle_t depot_save_stack(struct stack_trace *trace, + prealloc = page_address(page); + } + +- spin_lock_irqsave(&depot_lock, flags); ++ raw_spin_lock_irqsave(&depot_lock, flags); + + found = find_stack(*bucket, trace->entries, trace->nr_entries, hash); + if (!found) { +@@ -277,7 +277,7 @@ depot_stack_handle_t depot_save_stack(struct stack_trace *trace, + WARN_ON(!init_stack_slab(&prealloc)); + } + +- spin_unlock_irqrestore(&depot_lock, flags); ++ raw_spin_unlock_irqrestore(&depot_lock, flags); + exit: + if (prealloc) { + /* Nobody used this memory, ok to free it. */ +-- +2.30.2 + diff --git a/queue-4.14/pci-thunder-fix-compile-testing.patch b/queue-4.14/pci-thunder-fix-compile-testing.patch new file mode 100644 index 00000000000..dce58ae7003 --- /dev/null +++ b/queue-4.14/pci-thunder-fix-compile-testing.patch @@ -0,0 +1,101 @@ +From 7bdf431b73a82c80897d2547bd1657cbd28f2481 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Mar 2021 16:24:47 +0100 +Subject: PCI: thunder: Fix compile testing + +From: Arnd Bergmann + +[ Upstream commit 16f7ae5906dfbeff54f74ec75d0563bb3a87ab0b ] + +Compile-testing these drivers is currently broken. Enabling it causes a +couple of build failures though: + + drivers/pci/controller/pci-thunder-ecam.c:119:30: error: shift count >= width of type [-Werror,-Wshift-count-overflow] + drivers/pci/controller/pci-thunder-pem.c:54:2: error: implicit declaration of function 'writeq' [-Werror,-Wimplicit-function-declaration] + drivers/pci/controller/pci-thunder-pem.c:392:8: error: implicit declaration of function 'acpi_get_rc_resources' [-Werror,-Wimplicit-function-declaration] + +Fix them with the obvious one-line changes. + +Link: https://lore.kernel.org/r/20210308152501.2135937-2-arnd@kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Bjorn Helgaas +Reviewed-by: Kuppuswamy Sathyanarayanan +Reviewed-by: Robert Richter +Signed-off-by: Sasha Levin +--- + drivers/pci/host/pci-thunder-ecam.c | 2 +- + drivers/pci/host/pci-thunder-pem.c | 13 +++++++------ + drivers/pci/pci.h | 6 ++++++ + 3 files changed, 14 insertions(+), 7 deletions(-) + +diff --git a/drivers/pci/host/pci-thunder-ecam.c b/drivers/pci/host/pci-thunder-ecam.c +index fc0ca03f280e..ea4d12c76cfe 100644 +--- a/drivers/pci/host/pci-thunder-ecam.c ++++ b/drivers/pci/host/pci-thunder-ecam.c +@@ -119,7 +119,7 @@ static int thunder_ecam_p2_config_read(struct pci_bus *bus, unsigned int devfn, + * the config space access window. Since we are working with + * the high-order 32 bits, shift everything down by 32 bits. + */ +- node_bits = (cfg->res.start >> 32) & (1 << 12); ++ node_bits = upper_32_bits(cfg->res.start) & (1 << 12); + + v |= node_bits; + set_val(v, where, size, val); +diff --git a/drivers/pci/host/pci-thunder-pem.c b/drivers/pci/host/pci-thunder-pem.c +index 6e066f8b74df..1b133bf644bd 100644 +--- a/drivers/pci/host/pci-thunder-pem.c ++++ b/drivers/pci/host/pci-thunder-pem.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include "../pci.h" + + #if defined(CONFIG_PCI_HOST_THUNDER_PEM) || (defined(CONFIG_ACPI) && defined(CONFIG_PCI_QUIRKS)) +@@ -325,9 +326,9 @@ static int thunder_pem_init(struct device *dev, struct pci_config_window *cfg, + * structure here for the BAR. + */ + bar4_start = res_pem->start + 0xf00000; +- pem_pci->ea_entry[0] = (u32)bar4_start | 2; +- pem_pci->ea_entry[1] = (u32)(res_pem->end - bar4_start) & ~3u; +- pem_pci->ea_entry[2] = (u32)(bar4_start >> 32); ++ pem_pci->ea_entry[0] = lower_32_bits(bar4_start) | 2; ++ pem_pci->ea_entry[1] = lower_32_bits(res_pem->end - bar4_start) & ~3u; ++ pem_pci->ea_entry[2] = upper_32_bits(bar4_start); + + cfg->priv = pem_pci; + return 0; +@@ -335,9 +336,9 @@ static int thunder_pem_init(struct device *dev, struct pci_config_window *cfg, + + #if defined(CONFIG_ACPI) && defined(CONFIG_PCI_QUIRKS) + +-#define PEM_RES_BASE 0x87e0c0000000UL +-#define PEM_NODE_MASK GENMASK(45, 44) +-#define PEM_INDX_MASK GENMASK(26, 24) ++#define PEM_RES_BASE 0x87e0c0000000ULL ++#define PEM_NODE_MASK GENMASK_ULL(45, 44) ++#define PEM_INDX_MASK GENMASK_ULL(26, 24) + #define PEM_MIN_DOM_IN_NODE 4 + #define PEM_MAX_DOM_IN_NODE 10 + +diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h +index fdb02c1f94bb..9f5215e25df4 100644 +--- a/drivers/pci/pci.h ++++ b/drivers/pci/pci.h +@@ -365,6 +365,12 @@ static inline int pci_dev_specific_reset(struct pci_dev *dev, int probe) + #if defined(CONFIG_PCI_QUIRKS) && defined(CONFIG_ARM64) + int acpi_get_rc_resources(struct device *dev, const char *hid, u16 segment, + struct resource *res); ++#else ++static inline int acpi_get_rc_resources(struct device *dev, const char *hid, ++ u16 segment, struct resource *res) ++{ ++ return -ENODEV; ++} + #endif + + #endif /* DRIVERS_PCI_H */ +-- +2.30.2 + diff --git a/queue-4.14/serial-8250-fix-potential-deadlock-in-rs485-mode.patch b/queue-4.14/serial-8250-fix-potential-deadlock-in-rs485-mode.patch new file mode 100644 index 00000000000..84cd4c5be97 --- /dev/null +++ b/queue-4.14/serial-8250-fix-potential-deadlock-in-rs485-mode.patch @@ -0,0 +1,62 @@ +From 0c2d60da50179b7cf9fd2482e1e4083aa6de969a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Oct 2017 15:16:30 +0300 +Subject: serial: 8250: fix potential deadlock in rs485-mode + +From: Tomas Melin + +[ Upstream commit b86f86e8e7c5264bb8f5835d60f9ec840d9f5a7a ] + +Canceling hrtimer when holding uart spinlock can deadlock. + +CPU0: syscall write + -> get uart port spinlock + -> write uart + -> start_tx_rs485 + -> hrtimer_cancel + -> wait for hrtimer callback to finish + +CPU1: hrtimer IRQ + -> run hrtimer + -> em485_handle_stop_tx + -> get uart port spinlock + +CPU0 is waiting for the hrtimer callback to finish, but the hrtimer +callback running on CPU1 is waiting to get the uart port spinlock. + +This deadlock can be avoided by not canceling the hrtimers in these paths. +Setting active_timer=NULL can be done without accessing hrtimer, +and that will effectively cancel operations that would otherwise have been +performed by the hrtimer callback. + +Signed-off-by: Tomas Melin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_port.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index 9880a50d664f..25e8ccd6865a 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1527,7 +1527,6 @@ static inline void __stop_tx(struct uart_8250_port *p) + return; + + em485->active_timer = NULL; +- hrtimer_cancel(&em485->start_tx_timer); + + __stop_tx_rs485(p); + } +@@ -1591,8 +1590,6 @@ static inline void start_tx_rs485(struct uart_port *port) + serial8250_stop_rx(&up->port); + + em485->active_timer = NULL; +- if (hrtimer_is_queued(&em485->stop_tx_timer)) +- hrtimer_cancel(&em485->stop_tx_timer); + + mcr = serial8250_in_MCR(up); + if (!!(up->port.rs485.flags & SER_RS485_RTS_ON_SEND) != +-- +2.30.2 + diff --git a/queue-4.14/series b/queue-4.14/series index 30960239011..d65b2b5adad 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -304,3 +304,16 @@ kgdb-fix-gcc-11-warning-on-indentation.patch usb-sl811-hcd-improve-misleading-indentation.patch cxgb4-fix-the-wmisleading-indentation-warning.patch isdn-capi-fix-mismatched-prototypes.patch +arm-9058-1-cache-v7-refactor-v7_invalidate_l1-to-avo.patch +pci-thunder-fix-compile-testing.patch +arm-9066-1-ftrace-pause-unpause-function-graph-trace.patch +acpi-hotplug-pci-fix-reference-count-leak-in-enable_.patch +input-elants_i2c-do-not-bind-to-i2c-hid-compatible-a.patch +input-silead-add-workaround-for-x86-bios-es-which-br.patch +um-mark-all-kernel-symbols-as-local.patch +ceph-fix-fscache-invalidation.patch +gpiolib-acpi-add-quirk-to-ignore-ec-wakeups-on-dell-.patch +alsa-hda-generic-change-the-dac-ctl-name-for-lo-spk-.patch +block-reexpand-iov_iter-after-read-write.patch +lib-stackdepot-turn-depot_lock-spinlock-to-raw_spinl.patch +serial-8250-fix-potential-deadlock-in-rs485-mode.patch diff --git a/queue-4.14/um-mark-all-kernel-symbols-as-local.patch b/queue-4.14/um-mark-all-kernel-symbols-as-local.patch new file mode 100644 index 00000000000..e22ac3d607f --- /dev/null +++ b/queue-4.14/um-mark-all-kernel-symbols-as-local.patch @@ -0,0 +1,111 @@ +From ddda7ae96af5bbe1383d70fac2ac646e869e0250 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Mar 2021 21:43:15 +0100 +Subject: um: Mark all kernel symbols as local + +From: Johannes Berg + +[ Upstream commit d5027ca63e0e778b641cf23e3f5c6d6212cf412b ] + +Ritesh reported a bug [1] against UML, noting that it crashed on +startup. The backtrace shows the following (heavily redacted): + +(gdb) bt +... + #26 0x0000000060015b5d in sem_init () at ipc/sem.c:268 + #27 0x00007f89906d92f7 in ?? () from /lib/x86_64-linux-gnu/libcom_err.so.2 + #28 0x00007f8990ab8fb2 in call_init (...) at dl-init.c:72 +... + #40 0x00007f89909bf3a6 in nss_load_library (...) at nsswitch.c:359 +... + #44 0x00007f8990895e35 in _nss_compat_getgrnam_r (...) at nss_compat/compat-grp.c:486 + #45 0x00007f8990968b85 in __getgrnam_r [...] + #46 0x00007f89909d6b77 in grantpt [...] + #47 0x00007f8990a9394e in __GI_openpty [...] + #48 0x00000000604a1f65 in openpty_cb (...) at arch/um/os-Linux/sigio.c:407 + #49 0x00000000604a58d0 in start_idle_thread (...) at arch/um/os-Linux/skas/process.c:598 + #50 0x0000000060004a3d in start_uml () at arch/um/kernel/skas/process.c:45 + #51 0x00000000600047b2 in linux_main (...) at arch/um/kernel/um_arch.c:334 + #52 0x000000006000574f in main (...) at arch/um/os-Linux/main.c:144 + +indicating that the UML function openpty_cb() calls openpty(), +which internally calls __getgrnam_r(), which causes the nsswitch +machinery to get started. + +This loads, through lots of indirection that I snipped, the +libcom_err.so.2 library, which (in an unknown function, "??") +calls sem_init(). + +Now, of course it wants to get libpthread's sem_init(), since +it's linked against libpthread. However, the dynamic linker +looks up that symbol against the binary first, and gets the +kernel's sem_init(). + +Hajime Tazaki noted that "objcopy -L" can localize a symbol, +so the dynamic linker wouldn't do the lookup this way. I tried, +but for some reason that didn't seem to work. + +Doing the same thing in the linker script instead does seem to +work, though I cannot entirely explain - it *also* works if I +just add "VERSION { { global: *; }; }" instead, indicating that +something else is happening that I don't really understand. It +may be that explicitly doing that marks them with some kind of +empty version, and that's different from the default. + +Explicitly marking them with a version breaks kallsyms, so that +doesn't seem to be possible. + +Marking all the symbols as local seems correct, and does seem +to address the issue, so do that. Also do it for static link, +nsswitch libraries could still be loaded there. + +[1] https://bugs.debian.org/983379 + +Reported-by: Ritesh Raj Sarraf +Signed-off-by: Johannes Berg +Acked-By: Anton Ivanov +Tested-By: Ritesh Raj Sarraf +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/kernel/dyn.lds.S | 6 ++++++ + arch/um/kernel/uml.lds.S | 6 ++++++ + 2 files changed, 12 insertions(+) + +diff --git a/arch/um/kernel/dyn.lds.S b/arch/um/kernel/dyn.lds.S +index d417e3899700..06309bdbfbbf 100644 +--- a/arch/um/kernel/dyn.lds.S ++++ b/arch/um/kernel/dyn.lds.S +@@ -7,6 +7,12 @@ OUTPUT_ARCH(ELF_ARCH) + ENTRY(_start) + jiffies = jiffies_64; + ++VERSION { ++ { ++ local: *; ++ }; ++} ++ + SECTIONS + { + PROVIDE (__executable_start = START); +diff --git a/arch/um/kernel/uml.lds.S b/arch/um/kernel/uml.lds.S +index 3d6ed6ba5b78..c3e32fa3941f 100644 +--- a/arch/um/kernel/uml.lds.S ++++ b/arch/um/kernel/uml.lds.S +@@ -7,6 +7,12 @@ OUTPUT_ARCH(ELF_ARCH) + ENTRY(_start) + jiffies = jiffies_64; + ++VERSION { ++ { ++ local: *; ++ }; ++} ++ + SECTIONS + { + /* This must contain the right address - not quite the default ELF one.*/ +-- +2.30.2 +