From: Greg Kroah-Hartman Date: Sun, 16 Oct 2022 10:54:04 +0000 (+0200) Subject: 6.0-stable patches X-Git-Tag: v5.4.219~145 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=822ef90793312812ff826f90b528829cee2be1e5;p=thirdparty%2Fkernel%2Fstable-queue.git 6.0-stable patches added patches: arm64-errata-add-cortex-a55-to-the-repeat-tlbi-list.patch arm64-mte-avoid-setting-pg_mte_tagged-if-no-tags-cleared-or-restored.patch arm64-mte-move-register-initialization-to-c.patch clocksource-drivers-arm_arch_timer-fix-cntpct_lo-and-cntvct_lo-value.patch dm-verity-loadpin-only-trust-verity-targets-with-enforcement.patch dmaengine-mxs-use-platform_driver_register.patch dmaengine-qcom-adm-fix-wrong-calling-convention-for-prep_slave_sg.patch dmaengine-qcom-adm-fix-wrong-sizeof-config-in-slave_config.patch drm-udl-restore-display-mode-on-resume.patch drm-virtio-check-whether-transferred-2d-bo-is-shmem.patch drm-virtio-unlock-reservations-on-dma_resv_reserve_fences-error.patch drm-virtio-unlock-reservations-on-virtio_gpu_object_shmem_init-error.patch drm-virtio-use-appropriate-atomic-state-in-virtio_gpu_plane_cleanup_fb.patch nvme-multipath-fix-possible-hang-in-live-ns-resize-with-ana-access.patch nvmem-core-fix-memleak-in-nvmem_register.patch revert-drm-amdgpu-use-dirty-framebuffer-helper.patch um-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch --- diff --git a/queue-6.0/arm64-errata-add-cortex-a55-to-the-repeat-tlbi-list.patch b/queue-6.0/arm64-errata-add-cortex-a55-to-the-repeat-tlbi-list.patch new file mode 100644 index 00000000000..7a04557264a --- /dev/null +++ b/queue-6.0/arm64-errata-add-cortex-a55-to-the-repeat-tlbi-list.patch @@ -0,0 +1,79 @@ +From 171df58028bf4649460fb146a56a58dcb0c8f75a Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Fri, 30 Sep 2022 14:19:59 +0100 +Subject: arm64: errata: Add Cortex-A55 to the repeat tlbi list + +From: James Morse + +commit 171df58028bf4649460fb146a56a58dcb0c8f75a upstream. + +Cortex-A55 is affected by an erratum where in rare circumstances the +CPUs may not handle a race between a break-before-make sequence on one +CPU, and another CPU accessing the same page. This could allow a store +to a page that has been unmapped. + +Work around this by adding the affected CPUs to the list that needs +TLB sequences to be done twice. + +Signed-off-by: James Morse +Cc: +Link: https://lore.kernel.org/r/20220930131959.3082594-1-james.morse@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/arm64/silicon-errata.rst | 2 ++ + arch/arm64/Kconfig | 17 +++++++++++++++++ + arch/arm64/kernel/cpu_errata.c | 5 +++++ + 3 files changed, 24 insertions(+) + +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -76,6 +76,8 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A55 | #1530923 | ARM64_ERRATUM_1530923 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A55 | #2441007 | ARM64_ERRATUM_2441007 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A57 | #832075 | ARM64_ERRATUM_832075 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A57 | #852523 | N/A | +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -632,6 +632,23 @@ config ARM64_ERRATUM_1530923 + config ARM64_WORKAROUND_REPEAT_TLBI + bool + ++config ARM64_ERRATUM_2441007 ++ bool "Cortex-A55: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" ++ default y ++ select ARM64_WORKAROUND_REPEAT_TLBI ++ help ++ This option adds a workaround for ARM Cortex-A55 erratum #2441007. ++ ++ Under very rare circumstances, affected Cortex-A55 CPUs ++ may not handle a race between a break-before-make sequence on one ++ CPU, and another CPU accessing the same page. This could allow a ++ store to a page that has been unmapped. ++ ++ Work around this by adding the affected CPUs to the list that needs ++ TLB sequences to be done twice. ++ ++ If unsure, say Y. ++ + config ARM64_ERRATUM_1286807 + bool "Cortex-A76: Modification of the translation table for a virtual address might lead to read-after-read ordering violation" + default y +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -214,6 +214,11 @@ static const struct arm64_cpu_capabiliti + ERRATA_MIDR_RANGE(MIDR_QCOM_KRYO_4XX_GOLD, 0xc, 0xe, 0xf, 0xe), + }, + #endif ++#ifdef CONFIG_ARM64_ERRATUM_2441007 ++ { ++ ERRATA_MIDR_ALL_VERSIONS(MIDR_CORTEX_A55), ++ }, ++#endif + #ifdef CONFIG_ARM64_ERRATUM_2441009 + { + /* Cortex-A510 r0p0 -> r1p1. Fixed in r1p2 */ diff --git a/queue-6.0/arm64-mte-avoid-setting-pg_mte_tagged-if-no-tags-cleared-or-restored.patch b/queue-6.0/arm64-mte-avoid-setting-pg_mte_tagged-if-no-tags-cleared-or-restored.patch new file mode 100644 index 00000000000..1f1e462a0c9 --- /dev/null +++ b/queue-6.0/arm64-mte-avoid-setting-pg_mte_tagged-if-no-tags-cleared-or-restored.patch @@ -0,0 +1,95 @@ +From a8e5e5146ad08d794c58252bab00b261045ef16d Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Thu, 6 Oct 2022 17:33:54 +0100 +Subject: arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored + +From: Catalin Marinas + +commit a8e5e5146ad08d794c58252bab00b261045ef16d upstream. + +Prior to commit 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE +is untagged"), mte_sync_tags() was only called for pte_tagged() entries +(those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use +test_and_set_bit(PG_mte_tagged, &page->flags) without inadvertently +setting PG_mte_tagged on an untagged page. + +The above commit was required as guests may enable MTE without any +control at the stage 2 mapping, nor a PROT_MTE mapping in the VMM. +However, the side-effect was that any page with a PTE that looked like +swap (or migration) was getting PG_mte_tagged set automatically. A +subsequent page copy (e.g. migration) copied the tags to the destination +page even if the tags were owned by KASAN. + +This issue was masked by the page_kasan_tag_reset() call introduced in +commit e5b8d9218951 ("arm64: mte: reset the page tag in page->flags"). +When this commit was reverted (20794545c146), KASAN started reporting +access faults because the overriding tags in a page did not match the +original page->flags (with CONFIG_KASAN_HW_TAGS=y): + + BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26 + Read at addr f5ff000017f2e000 by task syz-executor.1/2218 + Pointer tag: [f5], memory tag: [f2] + +Move the PG_mte_tagged bit setting from mte_sync_tags() to the actual +place where tags are cleared (mte_sync_page_tags()) or restored +(mte_restore_tags()). + +Signed-off-by: Catalin Marinas +Reported-by: syzbot+c2c79c6d6eddc5262b77@syzkaller.appspotmail.com +Fixes: 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE is untagged") +Cc: # 5.14.x +Cc: Steven Price +Cc: Andrey Konovalov +Cc: Vincenzo Frascino +Cc: Will Deacon +Link: https://lore.kernel.org/r/0000000000004387dc05e5888ae5@google.com/ +Reviewed-by: Steven Price +Link: https://lore.kernel.org/r/20221006163354.3194102-1-catalin.marinas@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/mte.c | 9 +++++++-- + arch/arm64/mm/mteswap.c | 7 ++++++- + 2 files changed, 13 insertions(+), 3 deletions(-) + +--- a/arch/arm64/kernel/mte.c ++++ b/arch/arm64/kernel/mte.c +@@ -48,7 +48,12 @@ static void mte_sync_page_tags(struct pa + if (!pte_is_tagged) + return; + +- mte_clear_page_tags(page_address(page)); ++ /* ++ * Test PG_mte_tagged again in case it was racing with another ++ * set_pte_at(). ++ */ ++ if (!test_and_set_bit(PG_mte_tagged, &page->flags)) ++ mte_clear_page_tags(page_address(page)); + } + + void mte_sync_tags(pte_t old_pte, pte_t pte) +@@ -64,7 +69,7 @@ void mte_sync_tags(pte_t old_pte, pte_t + + /* if PG_mte_tagged is set, tags have already been initialised */ + for (i = 0; i < nr_pages; i++, page++) { +- if (!test_and_set_bit(PG_mte_tagged, &page->flags)) ++ if (!test_bit(PG_mte_tagged, &page->flags)) + mte_sync_page_tags(page, old_pte, check_swap, + pte_is_tagged); + } +--- a/arch/arm64/mm/mteswap.c ++++ b/arch/arm64/mm/mteswap.c +@@ -53,7 +53,12 @@ bool mte_restore_tags(swp_entry_t entry, + if (!tags) + return false; + +- mte_restore_page_tags(page_address(page), tags); ++ /* ++ * Test PG_mte_tagged again in case it was racing with another ++ * set_pte_at(). ++ */ ++ if (!test_and_set_bit(PG_mte_tagged, &page->flags)) ++ mte_restore_page_tags(page_address(page), tags); + + return true; + } diff --git a/queue-6.0/arm64-mte-move-register-initialization-to-c.patch b/queue-6.0/arm64-mte-move-register-initialization-to-c.patch new file mode 100644 index 00000000000..18d137d2d9e --- /dev/null +++ b/queue-6.0/arm64-mte-move-register-initialization-to-c.patch @@ -0,0 +1,227 @@ +From 973b9e37330656dec719ede508e4dc40e5c2d80c Mon Sep 17 00:00:00 2001 +From: Peter Collingbourne +Date: Thu, 15 Sep 2022 15:20:53 -0700 +Subject: arm64: mte: move register initialization to C + +From: Peter Collingbourne + +commit 973b9e37330656dec719ede508e4dc40e5c2d80c upstream. + +If FEAT_MTE2 is disabled via the arm64.nomte command line argument on a +CPU that claims to support FEAT_MTE2, the kernel will use Tagged Normal +in the MAIR. If we interpret arm64.nomte to mean that the CPU does not +in fact implement FEAT_MTE2, setting the system register like this may +lead to UNSPECIFIED behavior. Fix it by arranging for MAIR to be set +in the C function cpu_enable_mte which is called based on the sanitized +version of the system register. + +There is no need for the rest of the MTE-related system register +initialization to happen from assembly, with the exception of TCR_EL1, +which must be set to include at least TBI1 because the secondary CPUs +access KASan-allocated data structures early. Therefore, make the TCR_EL1 +initialization unconditional and move the rest of the initialization to +cpu_enable_mte so that we no longer have a dependency on the unsanitized +ID register value. + +Co-developed-by: Evgenii Stepanov +Signed-off-by: Peter Collingbourne +Signed-off-by: Evgenii Stepanov +Suggested-by: Catalin Marinas +Reported-by: kernel test robot +Fixes: 3b714d24ef17 ("arm64: mte: CPU feature detection and initial sysreg configuration") +Cc: # 5.10.x +Link: https://lore.kernel.org/r/20220915222053.3484231-1-eugenis@google.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/mte.h | 5 ++++ + arch/arm64/kernel/cpufeature.c | 3 +- + arch/arm64/kernel/mte.c | 51 +++++++++++++++++++++++++++++++++++++++++ + arch/arm64/kernel/suspend.c | 2 + + arch/arm64/mm/proc.S | 46 ++++-------------------------------- + 5 files changed, 65 insertions(+), 42 deletions(-) + +--- a/arch/arm64/include/asm/mte.h ++++ b/arch/arm64/include/asm/mte.h +@@ -42,7 +42,9 @@ void mte_sync_tags(pte_t old_pte, pte_t + void mte_copy_page_tags(void *kto, const void *kfrom); + void mte_thread_init_user(void); + void mte_thread_switch(struct task_struct *next); ++void mte_cpu_setup(void); + void mte_suspend_enter(void); ++void mte_suspend_exit(void); + long set_mte_ctrl(struct task_struct *task, unsigned long arg); + long get_mte_ctrl(struct task_struct *task); + int mte_ptrace_copy_tags(struct task_struct *child, long request, +@@ -72,6 +74,9 @@ static inline void mte_thread_switch(str + static inline void mte_suspend_enter(void) + { + } ++static inline void mte_suspend_exit(void) ++{ ++} + static inline long set_mte_ctrl(struct task_struct *task, unsigned long arg) + { + return 0; +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -2034,7 +2034,8 @@ static void bti_enable(const struct arm6 + static void cpu_enable_mte(struct arm64_cpu_capabilities const *cap) + { + sysreg_clear_set(sctlr_el1, 0, SCTLR_ELx_ATA | SCTLR_EL1_ATA0); +- isb(); ++ ++ mte_cpu_setup(); + + /* + * Clear the tags in the zero page. This needs to be done via the +--- a/arch/arm64/kernel/mte.c ++++ b/arch/arm64/kernel/mte.c +@@ -285,6 +285,49 @@ void mte_thread_switch(struct task_struc + mte_check_tfsr_el1(); + } + ++void mte_cpu_setup(void) ++{ ++ u64 rgsr; ++ ++ /* ++ * CnP must be enabled only after the MAIR_EL1 register has been set ++ * up. Inconsistent MAIR_EL1 between CPUs sharing the same TLB may ++ * lead to the wrong memory type being used for a brief window during ++ * CPU power-up. ++ * ++ * CnP is not a boot feature so MTE gets enabled before CnP, but let's ++ * make sure that is the case. ++ */ ++ BUG_ON(read_sysreg(ttbr0_el1) & TTBR_CNP_BIT); ++ BUG_ON(read_sysreg(ttbr1_el1) & TTBR_CNP_BIT); ++ ++ /* Normal Tagged memory type at the corresponding MAIR index */ ++ sysreg_clear_set(mair_el1, ++ MAIR_ATTRIDX(MAIR_ATTR_MASK, MT_NORMAL_TAGGED), ++ MAIR_ATTRIDX(MAIR_ATTR_NORMAL_TAGGED, ++ MT_NORMAL_TAGGED)); ++ ++ write_sysreg_s(KERNEL_GCR_EL1, SYS_GCR_EL1); ++ ++ /* ++ * If GCR_EL1.RRND=1 is implemented the same way as RRND=0, then ++ * RGSR_EL1.SEED must be non-zero for IRG to produce ++ * pseudorandom numbers. As RGSR_EL1 is UNKNOWN out of reset, we ++ * must initialize it. ++ */ ++ rgsr = (read_sysreg(CNTVCT_EL0) & SYS_RGSR_EL1_SEED_MASK) << ++ SYS_RGSR_EL1_SEED_SHIFT; ++ if (rgsr == 0) ++ rgsr = 1 << SYS_RGSR_EL1_SEED_SHIFT; ++ write_sysreg_s(rgsr, SYS_RGSR_EL1); ++ ++ /* clear any pending tag check faults in TFSR*_EL1 */ ++ write_sysreg_s(0, SYS_TFSR_EL1); ++ write_sysreg_s(0, SYS_TFSRE0_EL1); ++ ++ local_flush_tlb_all(); ++} ++ + void mte_suspend_enter(void) + { + if (!system_supports_mte()) +@@ -301,6 +344,14 @@ void mte_suspend_enter(void) + mte_check_tfsr_el1(); + } + ++void mte_suspend_exit(void) ++{ ++ if (!system_supports_mte()) ++ return; ++ ++ mte_cpu_setup(); ++} ++ + long set_mte_ctrl(struct task_struct *task, unsigned long arg) + { + u64 mte_ctrl = (~((arg & PR_MTE_TAG_MASK) >> PR_MTE_TAG_SHIFT) & +--- a/arch/arm64/kernel/suspend.c ++++ b/arch/arm64/kernel/suspend.c +@@ -43,6 +43,8 @@ void notrace __cpu_suspend_exit(void) + { + unsigned int cpu = smp_processor_id(); + ++ mte_suspend_exit(); ++ + /* + * We are resuming from reset with the idmap active in TTBR0_EL1. + * We must uninstall the idmap and restore the expected MMU +--- a/arch/arm64/mm/proc.S ++++ b/arch/arm64/mm/proc.S +@@ -48,17 +48,19 @@ + + #ifdef CONFIG_KASAN_HW_TAGS + #define TCR_MTE_FLAGS TCR_TCMA1 | TCR_TBI1 | TCR_TBID1 +-#else ++#elif defined(CONFIG_ARM64_MTE) + /* + * The mte_zero_clear_page_tags() implementation uses DC GZVA, which relies on + * TBI being enabled at EL1. + */ + #define TCR_MTE_FLAGS TCR_TBI1 | TCR_TBID1 ++#else ++#define TCR_MTE_FLAGS 0 + #endif + + /* + * Default MAIR_EL1. MT_NORMAL_TAGGED is initially mapped as Normal memory and +- * changed during __cpu_setup to Normal Tagged if the system supports MTE. ++ * changed during mte_cpu_setup to Normal Tagged if the system supports MTE. + */ + #define MAIR_EL1_SET \ + (MAIR_ATTRIDX(MAIR_ATTR_DEVICE_nGnRnE, MT_DEVICE_nGnRnE) | \ +@@ -426,46 +428,8 @@ SYM_FUNC_START(__cpu_setup) + mov_q mair, MAIR_EL1_SET + mov_q tcr, TCR_TxSZ(VA_BITS) | TCR_CACHE_FLAGS | TCR_SMP_FLAGS | \ + TCR_TG_FLAGS | TCR_KASLR_FLAGS | TCR_ASID16 | \ +- TCR_TBI0 | TCR_A1 | TCR_KASAN_SW_FLAGS +- +-#ifdef CONFIG_ARM64_MTE +- /* +- * Update MAIR_EL1, GCR_EL1 and TFSR*_EL1 if MTE is supported +- * (ID_AA64PFR1_EL1[11:8] > 1). +- */ +- mrs x10, ID_AA64PFR1_EL1 +- ubfx x10, x10, #ID_AA64PFR1_MTE_SHIFT, #4 +- cmp x10, #ID_AA64PFR1_MTE +- b.lt 1f +- +- /* Normal Tagged memory type at the corresponding MAIR index */ +- mov x10, #MAIR_ATTR_NORMAL_TAGGED +- bfi mair, x10, #(8 * MT_NORMAL_TAGGED), #8 ++ TCR_TBI0 | TCR_A1 | TCR_KASAN_SW_FLAGS | TCR_MTE_FLAGS + +- mov x10, #KERNEL_GCR_EL1 +- msr_s SYS_GCR_EL1, x10 +- +- /* +- * If GCR_EL1.RRND=1 is implemented the same way as RRND=0, then +- * RGSR_EL1.SEED must be non-zero for IRG to produce +- * pseudorandom numbers. As RGSR_EL1 is UNKNOWN out of reset, we +- * must initialize it. +- */ +- mrs x10, CNTVCT_EL0 +- ands x10, x10, #SYS_RGSR_EL1_SEED_MASK +- csinc x10, x10, xzr, ne +- lsl x10, x10, #SYS_RGSR_EL1_SEED_SHIFT +- msr_s SYS_RGSR_EL1, x10 +- +- /* clear any pending tag check faults in TFSR*_EL1 */ +- msr_s SYS_TFSR_EL1, xzr +- msr_s SYS_TFSRE0_EL1, xzr +- +- /* set the TCR_EL1 bits */ +- mov_q x10, TCR_MTE_FLAGS +- orr tcr, tcr, x10 +-1: +-#endif + tcr_clear_errata_bits tcr, x9, x5 + + #ifdef CONFIG_ARM64_VA_BITS_52 diff --git a/queue-6.0/clocksource-drivers-arm_arch_timer-fix-cntpct_lo-and-cntvct_lo-value.patch b/queue-6.0/clocksource-drivers-arm_arch_timer-fix-cntpct_lo-and-cntvct_lo-value.patch new file mode 100644 index 00000000000..c1999ae0831 --- /dev/null +++ b/queue-6.0/clocksource-drivers-arm_arch_timer-fix-cntpct_lo-and-cntvct_lo-value.patch @@ -0,0 +1,48 @@ +From af246cc6d0ed11318223606128bb0b09866c4c08 Mon Sep 17 00:00:00 2001 +From: Yang Guo +Date: Tue, 27 Sep 2022 11:32:21 +0800 +Subject: clocksource/drivers/arm_arch_timer: Fix CNTPCT_LO and CNTVCT_LO value + +From: Yang Guo + +commit af246cc6d0ed11318223606128bb0b09866c4c08 upstream. + +CNTPCT_LO and CNTVCT_LO are defined by mistake in commit '8b82c4f883a7', +so fix them according to the Arm ARM DDI 0487I.a, Table I2-4 +"CNTBaseN memory map" as follows: + +Offset Register Type Description +0x000 CNTPCT[31:0] RO Physical Count register. +0x004 CNTPCT[63:32] RO +0x008 CNTVCT[31:0] RO Virtual Count register. +0x00C CNTVCT[63:32] RO + +Fixes: 8b82c4f883a7 ("clocksource/drivers/arm_arch_timer: Move MMIO timer programming over to CVAL") +Cc: stable@vger.kernel.org +Cc: Daniel Lezcano +Cc: Thomas Gleixner +Cc: Marc Zyngier +Cc: Mark Rutland +Acked-by: Marc Zyngier +Signed-off-by: Yang Guo +Signed-off-by: Shaokun Zhang +Link: https://lore.kernel.org/r/20220927033221.49589-1-zhangshaokun@hisilicon.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clocksource/arm_arch_timer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/clocksource/arm_arch_timer.c ++++ b/drivers/clocksource/arm_arch_timer.c +@@ -44,8 +44,8 @@ + #define CNTACR_RWVT BIT(4) + #define CNTACR_RWPT BIT(5) + +-#define CNTVCT_LO 0x00 +-#define CNTPCT_LO 0x08 ++#define CNTPCT_LO 0x00 ++#define CNTVCT_LO 0x08 + #define CNTFRQ 0x10 + #define CNTP_CVAL_LO 0x20 + #define CNTP_CTL 0x2c diff --git a/queue-6.0/dm-verity-loadpin-only-trust-verity-targets-with-enforcement.patch b/queue-6.0/dm-verity-loadpin-only-trust-verity-targets-with-enforcement.patch new file mode 100644 index 00000000000..accd3f20741 --- /dev/null +++ b/queue-6.0/dm-verity-loadpin-only-trust-verity-targets-with-enforcement.patch @@ -0,0 +1,97 @@ +From 916ef6232cc4b84db7082b4c3d3cf1753d9462ba Mon Sep 17 00:00:00 2001 +From: Matthias Kaehlcke +Date: Wed, 7 Sep 2022 13:30:58 -0700 +Subject: dm: verity-loadpin: Only trust verity targets with enforcement + +From: Matthias Kaehlcke + +commit 916ef6232cc4b84db7082b4c3d3cf1753d9462ba upstream. + +Verity targets can be configured to ignore corrupted data blocks. +LoadPin must only trust verity targets that are configured to +perform some kind of enforcement when data corruption is detected, +like returning an error, restarting the system or triggering a +panic. + +Fixes: b6c1c5745ccc ("dm: Add verity helpers for LoadPin") +Reported-by: Sarthak Kukreti +Signed-off-by: Matthias Kaehlcke +Reviewed-by: Sarthak Kukreti +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20220907133055.1.Ic8a1dafe960dc0f8302e189642bc88ebb785d274@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-verity-loadpin.c | 8 ++++++++ + drivers/md/dm-verity-target.c | 16 ++++++++++++++++ + drivers/md/dm-verity.h | 1 + + 3 files changed, 25 insertions(+) + +diff --git a/drivers/md/dm-verity-loadpin.c b/drivers/md/dm-verity-loadpin.c +index 387ec43aef72..4f78cc55c251 100644 +--- a/drivers/md/dm-verity-loadpin.c ++++ b/drivers/md/dm-verity-loadpin.c +@@ -14,6 +14,7 @@ LIST_HEAD(dm_verity_loadpin_trusted_root_digests); + + static bool is_trusted_verity_target(struct dm_target *ti) + { ++ int verity_mode; + u8 *root_digest; + unsigned int digest_size; + struct dm_verity_loadpin_trusted_root_digest *trd; +@@ -22,6 +23,13 @@ static bool is_trusted_verity_target(struct dm_target *ti) + if (!dm_is_verity_target(ti)) + return false; + ++ verity_mode = dm_verity_get_mode(ti); ++ ++ if ((verity_mode != DM_VERITY_MODE_EIO) && ++ (verity_mode != DM_VERITY_MODE_RESTART) && ++ (verity_mode != DM_VERITY_MODE_PANIC)) ++ return false; ++ + if (dm_verity_get_root_digest(ti, &root_digest, &digest_size)) + return false; + +diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c +index 94b6cb599db4..8a00cc42e498 100644 +--- a/drivers/md/dm-verity-target.c ++++ b/drivers/md/dm-verity-target.c +@@ -1446,6 +1446,22 @@ bool dm_is_verity_target(struct dm_target *ti) + return ti->type->module == THIS_MODULE; + } + ++/* ++ * Get the verity mode (error behavior) of a verity target. ++ * ++ * Returns the verity mode of the target, or -EINVAL if 'ti' is not a verity ++ * target. ++ */ ++int dm_verity_get_mode(struct dm_target *ti) ++{ ++ struct dm_verity *v = ti->private; ++ ++ if (!dm_is_verity_target(ti)) ++ return -EINVAL; ++ ++ return v->mode; ++} ++ + /* + * Get the root digest of a verity target. + * +diff --git a/drivers/md/dm-verity.h b/drivers/md/dm-verity.h +index 45455de1b4bc..98f306ec6a33 100644 +--- a/drivers/md/dm-verity.h ++++ b/drivers/md/dm-verity.h +@@ -134,6 +134,7 @@ extern int verity_hash_for_block(struct dm_verity *v, struct dm_verity_io *io, + sector_t block, u8 *digest, bool *is_zero); + + extern bool dm_is_verity_target(struct dm_target *ti); ++extern int dm_verity_get_mode(struct dm_target *ti); + extern int dm_verity_get_root_digest(struct dm_target *ti, u8 **root_digest, + unsigned int *digest_size); + +-- +2.38.0 + diff --git a/queue-6.0/dmaengine-mxs-use-platform_driver_register.patch b/queue-6.0/dmaengine-mxs-use-platform_driver_register.patch new file mode 100644 index 00000000000..4d1486c7a7b --- /dev/null +++ b/queue-6.0/dmaengine-mxs-use-platform_driver_register.patch @@ -0,0 +1,70 @@ +From 26696d4657167112a1079f86cba1739765c1360e Mon Sep 17 00:00:00 2001 +From: Dario Binacchi +Date: Wed, 21 Sep 2022 19:05:56 +0200 +Subject: dmaengine: mxs: use platform_driver_register + +From: Dario Binacchi + +commit 26696d4657167112a1079f86cba1739765c1360e upstream. + +Driver registration fails on SOC imx8mn as its supplier, the clock +control module, is probed later than subsys initcall level. This driver +uses platform_driver_probe which is not compatible with deferred probing +and won't be probed again later if probe function fails due to clock not +being available at that time. + +This patch replaces the use of platform_driver_probe with +platform_driver_register which will allow probing the driver later again +when the clock control module will be available. + +The __init annotation has been dropped because it is not compatible with +deferred probing. The code is not executed once and its memory cannot be +freed. + +Fixes: a580b8c5429a ("dmaengine: mxs-dma: add dma support for i.MX23/28") +Co-developed-by: Michael Trimarchi +Signed-off-by: Michael Trimarchi +Signed-off-by: Dario Binacchi +Acked-by: Sascha Hauer +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +Link: https://lore.kernel.org/r/20220921170556.1055962-1-dario.binacchi@amarulasolutions.com +Signed-off-by: Vinod Koul +--- + drivers/dma/mxs-dma.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +--- a/drivers/dma/mxs-dma.c ++++ b/drivers/dma/mxs-dma.c +@@ -670,7 +670,7 @@ static enum dma_status mxs_dma_tx_status + return mxs_chan->status; + } + +-static int __init mxs_dma_init(struct mxs_dma_engine *mxs_dma) ++static int mxs_dma_init(struct mxs_dma_engine *mxs_dma) + { + int ret; + +@@ -741,7 +741,7 @@ static struct dma_chan *mxs_dma_xlate(st + ofdma->of_node); + } + +-static int __init mxs_dma_probe(struct platform_device *pdev) ++static int mxs_dma_probe(struct platform_device *pdev) + { + struct device_node *np = pdev->dev.of_node; + const struct mxs_dma_type *dma_type; +@@ -839,10 +839,7 @@ static struct platform_driver mxs_dma_dr + .name = "mxs-dma", + .of_match_table = mxs_dma_dt_ids, + }, ++ .probe = mxs_dma_probe, + }; + +-static int __init mxs_dma_module_init(void) +-{ +- return platform_driver_probe(&mxs_dma_driver, mxs_dma_probe); +-} +-subsys_initcall(mxs_dma_module_init); ++builtin_platform_driver(mxs_dma_driver); diff --git a/queue-6.0/dmaengine-qcom-adm-fix-wrong-calling-convention-for-prep_slave_sg.patch b/queue-6.0/dmaengine-qcom-adm-fix-wrong-calling-convention-for-prep_slave_sg.patch new file mode 100644 index 00000000000..def5ac1cffe --- /dev/null +++ b/queue-6.0/dmaengine-qcom-adm-fix-wrong-calling-convention-for-prep_slave_sg.patch @@ -0,0 +1,99 @@ +From b9d2140c3badf4107973ad77c5a0ec3075705c85 Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Fri, 16 Sep 2022 06:12:56 +0200 +Subject: dmaengine: qcom-adm: fix wrong calling convention for prep_slave_sg + +From: Christian Marangi + +commit b9d2140c3badf4107973ad77c5a0ec3075705c85 upstream. + +The calling convention for pre_slave_sg is to return NULL on error and +provide an error log to the system. Qcom-adm instead provide error +pointer when an error occur. This indirectly cause kernel panic for +example for the nandc driver that checks only if the pointer returned by +device_prep_slave_sg is not NULL. Returning an error pointer makes nandc +think the device_prep_slave_sg function correctly completed and makes +the kernel panics later in the code. + +While nandc is the one that makes the kernel crash, it was pointed out +that the real problem is qcom-adm not following calling convention for +that function. + +To fix this, drop returning error pointer and return NULL with an error +log. + +Fixes: 03de6b273805 ("dmaengine: qcom-adm: stop abusing slave_id config") +Fixes: 5c9f8c2dbdbe ("dmaengine: qcom: Add ADM driver") +Signed-off-by: Christian Marangi +Cc: stable@vger.kernel.org # v5.11+ +Link: https://lore.kernel.org/r/20220916041256.7104-1-ansuelsmth@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/qcom/qcom_adm.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +--- a/drivers/dma/qcom/qcom_adm.c ++++ b/drivers/dma/qcom/qcom_adm.c +@@ -379,13 +379,13 @@ static struct dma_async_tx_descriptor *a + if (blk_size < 0) { + dev_err(adev->dev, "invalid burst value: %d\n", + burst); +- return ERR_PTR(-EINVAL); ++ return NULL; + } + + crci = achan->crci & 0xf; + if (!crci || achan->crci > 0x1f) { + dev_err(adev->dev, "invalid crci value\n"); +- return ERR_PTR(-EINVAL); ++ return NULL; + } + } + +@@ -403,8 +403,10 @@ static struct dma_async_tx_descriptor *a + } + + async_desc = kzalloc(sizeof(*async_desc), GFP_NOWAIT); +- if (!async_desc) +- return ERR_PTR(-ENOMEM); ++ if (!async_desc) { ++ dev_err(adev->dev, "not enough memory for async_desc struct\n"); ++ return NULL; ++ } + + async_desc->mux = achan->mux ? ADM_CRCI_CTL_MUX_SEL : 0; + async_desc->crci = crci; +@@ -414,8 +416,10 @@ static struct dma_async_tx_descriptor *a + sizeof(*cple) + 2 * ADM_DESC_ALIGN; + + async_desc->cpl = kzalloc(async_desc->dma_len, GFP_NOWAIT); +- if (!async_desc->cpl) ++ if (!async_desc->cpl) { ++ dev_err(adev->dev, "not enough memory for cpl struct\n"); + goto free; ++ } + + async_desc->adev = adev; + +@@ -437,8 +441,10 @@ static struct dma_async_tx_descriptor *a + async_desc->dma_addr = dma_map_single(adev->dev, async_desc->cpl, + async_desc->dma_len, + DMA_TO_DEVICE); +- if (dma_mapping_error(adev->dev, async_desc->dma_addr)) ++ if (dma_mapping_error(adev->dev, async_desc->dma_addr)) { ++ dev_err(adev->dev, "dma mapping error for cpl\n"); + goto free; ++ } + + cple_addr = async_desc->dma_addr + ((void *)cple - async_desc->cpl); + +@@ -454,7 +460,7 @@ static struct dma_async_tx_descriptor *a + + free: + kfree(async_desc); +- return ERR_PTR(-ENOMEM); ++ return NULL; + } + + /** diff --git a/queue-6.0/dmaengine-qcom-adm-fix-wrong-sizeof-config-in-slave_config.patch b/queue-6.0/dmaengine-qcom-adm-fix-wrong-sizeof-config-in-slave_config.patch new file mode 100644 index 00000000000..a5291ab3731 --- /dev/null +++ b/queue-6.0/dmaengine-qcom-adm-fix-wrong-sizeof-config-in-slave_config.patch @@ -0,0 +1,40 @@ +From 7c8765308371be30f50c1b5b97618b731514b207 Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Thu, 15 Sep 2022 22:48:44 +0200 +Subject: dmaengine: qcom-adm: fix wrong sizeof config in slave_config + +From: Christian Marangi + +commit 7c8765308371be30f50c1b5b97618b731514b207 upstream. + +Fix broken slave_config function that uncorrectly compare the +peripheral_size with the size of the config pointer instead of the size +of the config struct. This cause the crci value to be ignored and cause +a kernel panic on any slave that use adm driver. + +To fix this, compare to the size of the struct and NOT the size of the +pointer. + +Fixes: 03de6b273805 ("dmaengine: qcom-adm: stop abusing slave_id config") +Signed-off-by: Christian Marangi +Cc: stable@vger.kernel.org # v5.17+ +Reviewed-by: Arnd Bergmann +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20220915204844.3838-1-ansuelsmth@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/qcom/qcom_adm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma/qcom/qcom_adm.c ++++ b/drivers/dma/qcom/qcom_adm.c +@@ -494,7 +494,7 @@ static int adm_slave_config(struct dma_c + + spin_lock_irqsave(&achan->vc.lock, flag); + memcpy(&achan->slave, cfg, sizeof(struct dma_slave_config)); +- if (cfg->peripheral_size == sizeof(config)) ++ if (cfg->peripheral_size == sizeof(*config)) + achan->crci = config->crci; + spin_unlock_irqrestore(&achan->vc.lock, flag); + diff --git a/queue-6.0/drm-udl-restore-display-mode-on-resume.patch b/queue-6.0/drm-udl-restore-display-mode-on-resume.patch new file mode 100644 index 00000000000..28741e060b6 --- /dev/null +++ b/queue-6.0/drm-udl-restore-display-mode-on-resume.patch @@ -0,0 +1,50 @@ +From 6d6e732835db92e66c28dbcf258a7e3d3c71420d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 8 Sep 2022 11:51:04 +0200 +Subject: drm/udl: Restore display mode on resume + +From: Takashi Iwai + +commit 6d6e732835db92e66c28dbcf258a7e3d3c71420d upstream. + +Restore the display mode whne resuming from suspend. Currently, the +display remains dark. + +On resume, the CRTC's mode does not change, but the 'active' flag +changes to 'true'. Taking this into account when considering a mode +switch restores the display mode. + +The bug is reproducable by using Gnome with udl and observing the +adapter's suspend/resume behavior. + +Actually, the whole check added in udl_simple_display_pipe_enable() +about the crtc_state->mode_changed was bogus. We should drop the +whole check and always apply the mode change in this function. + +[ tiwai -- Drop the mode_changed check entirely instead, per Daniel's + suggestion ] + +Fixes: 997d33c35618 ("drm/udl: Inline DPMS code into CRTC enable and disable functions") +Cc: +Suggested-by: Daniel Vetter +Reviewed-by: Daniel Vetter +Signed-off-by: Takashi Iwai +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20220908095115.23396-2-tiwai@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/udl/udl_modeset.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/gpu/drm/udl/udl_modeset.c ++++ b/drivers/gpu/drm/udl/udl_modeset.c +@@ -382,9 +382,6 @@ udl_simple_display_pipe_enable(struct dr + + udl_handle_damage(fb, &shadow_plane_state->data[0], 0, 0, fb->width, fb->height); + +- if (!crtc_state->mode_changed) +- return; +- + /* enable display */ + udl_crtc_write_mode_to_hw(crtc); + } diff --git a/queue-6.0/drm-virtio-check-whether-transferred-2d-bo-is-shmem.patch b/queue-6.0/drm-virtio-check-whether-transferred-2d-bo-is-shmem.patch new file mode 100644 index 00000000000..665598b1b1c --- /dev/null +++ b/queue-6.0/drm-virtio-check-whether-transferred-2d-bo-is-shmem.patch @@ -0,0 +1,33 @@ +From e473216b42aa1fd9fc6b94b608b42c210c655908 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Thu, 30 Jun 2022 23:07:19 +0300 +Subject: drm/virtio: Check whether transferred 2D BO is shmem + +From: Dmitry Osipenko + +commit e473216b42aa1fd9fc6b94b608b42c210c655908 upstream. + +Transferred 2D BO always must be a shmem BO. Add check for that to prevent +NULL dereference if userspace passes a VRAM BO. + +Cc: stable@vger.kernel.org +Reviewed-by: Emil Velikov +Signed-off-by: Dmitry Osipenko +Link: http://patchwork.freedesktop.org/patch/msgid/20220630200726.1884320-3-dmitry.osipenko@collabora.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/virtio/virtgpu_vq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/virtio/virtgpu_vq.c ++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c +@@ -597,7 +597,7 @@ void virtio_gpu_cmd_transfer_to_host_2d( + bool use_dma_api = !virtio_has_dma_quirk(vgdev->vdev); + struct virtio_gpu_object_shmem *shmem = to_virtio_gpu_shmem(bo); + +- if (use_dma_api) ++ if (virtio_gpu_is_shmem(bo) && use_dma_api) + dma_sync_sgtable_for_device(vgdev->vdev->dev.parent, + shmem->pages, DMA_TO_DEVICE); + diff --git a/queue-6.0/drm-virtio-unlock-reservations-on-dma_resv_reserve_fences-error.patch b/queue-6.0/drm-virtio-unlock-reservations-on-dma_resv_reserve_fences-error.patch new file mode 100644 index 00000000000..94c444167a2 --- /dev/null +++ b/queue-6.0/drm-virtio-unlock-reservations-on-dma_resv_reserve_fences-error.patch @@ -0,0 +1,40 @@ +From 0f877398d30e1df657a31a62f7c7de1869b072b5 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Thu, 30 Jun 2022 23:07:21 +0300 +Subject: drm/virtio: Unlock reservations on dma_resv_reserve_fences() error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Osipenko + +commit 0f877398d30e1df657a31a62f7c7de1869b072b5 upstream. + +Unlock reservations on dma_resv_reserve_fences() error to fix recursive +locking of the reservations when this error happens. + +Cc: stable@vger.kernel.org +Fixes: c8d4c18bfbc4 ("dma-buf/drivers: make reserving a shared slot mandatory v4") +Reviewed-by: Thomas Hellström +Signed-off-by: Dmitry Osipenko +Link: http://patchwork.freedesktop.org/patch/msgid/20220630200726.1884320-5-dmitry.osipenko@collabora.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/virtio/virtgpu_gem.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/virtio/virtgpu_gem.c ++++ b/drivers/gpu/drm/virtio/virtgpu_gem.c +@@ -228,8 +228,10 @@ int virtio_gpu_array_lock_resv(struct vi + + for (i = 0; i < objs->nents; ++i) { + ret = dma_resv_reserve_fences(objs->objs[i]->resv, 1); +- if (ret) ++ if (ret) { ++ virtio_gpu_array_unlock_resv(objs); + return ret; ++ } + } + return ret; + } diff --git a/queue-6.0/drm-virtio-unlock-reservations-on-virtio_gpu_object_shmem_init-error.patch b/queue-6.0/drm-virtio-unlock-reservations-on-virtio_gpu_object_shmem_init-error.patch new file mode 100644 index 00000000000..3ecc005d6a4 --- /dev/null +++ b/queue-6.0/drm-virtio-unlock-reservations-on-virtio_gpu_object_shmem_init-error.patch @@ -0,0 +1,35 @@ +From fdf0ff4d12cbcd76b53f27c96ce51ddca400884a Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Thu, 30 Jun 2022 23:07:20 +0300 +Subject: drm/virtio: Unlock reservations on virtio_gpu_object_shmem_init() error + +From: Dmitry Osipenko + +commit fdf0ff4d12cbcd76b53f27c96ce51ddca400884a upstream. + +Unlock reservations in the error code path of virtio_gpu_object_create() +to silence debug warning splat produced by ww_mutex_destroy(&obj->lock) +when GEM is released with the held lock. + +Cc: stable@vger.kernel.org +Fixes: 30172efbfb84 ("drm/virtio: blob prep: refactor getting pages and attaching backing") +Reviewed-by: Emil Velikov +Signed-off-by: Dmitry Osipenko +Link: http://patchwork.freedesktop.org/patch/msgid/20220630200726.1884320-4-dmitry.osipenko@collabora.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/virtio/virtgpu_object.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/virtio/virtgpu_object.c ++++ b/drivers/gpu/drm/virtio/virtgpu_object.c +@@ -248,6 +248,8 @@ int virtio_gpu_object_create(struct virt + + ret = virtio_gpu_object_shmem_init(vgdev, bo, &ents, &nents); + if (ret != 0) { ++ if (fence) ++ virtio_gpu_array_unlock_resv(objs); + virtio_gpu_array_put_free(objs); + virtio_gpu_free_object(&shmem_obj->base); + return ret; diff --git a/queue-6.0/drm-virtio-use-appropriate-atomic-state-in-virtio_gpu_plane_cleanup_fb.patch b/queue-6.0/drm-virtio-use-appropriate-atomic-state-in-virtio_gpu_plane_cleanup_fb.patch new file mode 100644 index 00000000000..a4ed531c437 --- /dev/null +++ b/queue-6.0/drm-virtio-use-appropriate-atomic-state-in-virtio_gpu_plane_cleanup_fb.patch @@ -0,0 +1,43 @@ +From 4656b3a26a9e9fe5f04bfd2ab55b066266ba7f4d Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Thu, 30 Jun 2022 23:07:22 +0300 +Subject: drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb() + +From: Dmitry Osipenko + +commit 4656b3a26a9e9fe5f04bfd2ab55b066266ba7f4d upstream. + +Make virtio_gpu_plane_cleanup_fb() to clean the state which DRM core +wants to clean up and not the current plane's state. Normally the older +atomic state is cleaned up, but the newer state could also be cleaned up +in case of aborted commits. + +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Osipenko +Link: http://patchwork.freedesktop.org/patch/msgid/20220630200726.1884320-6-dmitry.osipenko@collabora.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/virtio/virtgpu_plane.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/virtio/virtgpu_plane.c ++++ b/drivers/gpu/drm/virtio/virtgpu_plane.c +@@ -266,14 +266,14 @@ static int virtio_gpu_plane_prepare_fb(s + } + + static void virtio_gpu_plane_cleanup_fb(struct drm_plane *plane, +- struct drm_plane_state *old_state) ++ struct drm_plane_state *state) + { + struct virtio_gpu_framebuffer *vgfb; + +- if (!plane->state->fb) ++ if (!state->fb) + return; + +- vgfb = to_virtio_gpu_framebuffer(plane->state->fb); ++ vgfb = to_virtio_gpu_framebuffer(state->fb); + if (vgfb->fence) { + dma_fence_put(&vgfb->fence->f); + vgfb->fence = NULL; diff --git a/queue-6.0/nvme-multipath-fix-possible-hang-in-live-ns-resize-with-ana-access.patch b/queue-6.0/nvme-multipath-fix-possible-hang-in-live-ns-resize-with-ana-access.patch new file mode 100644 index 00000000000..1066912a738 --- /dev/null +++ b/queue-6.0/nvme-multipath-fix-possible-hang-in-live-ns-resize-with-ana-access.patch @@ -0,0 +1,66 @@ +From 72e3b8883a36e80ebfa41015c7b6926ce31ace05 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Thu, 29 Sep 2022 10:36:47 +0300 +Subject: nvme-multipath: fix possible hang in live ns resize with ANA access + +From: Sagi Grimberg + +commit 72e3b8883a36e80ebfa41015c7b6926ce31ace05 upstream. + +When we revalidate paths as part of ns size change (as of commit +e7d65803e2bb), it is possible that during the path revalidation, the +only paths that is IO capable (i.e. optimized/non-optimized) are the +ones that ns resize was not yet informed to the host, which will cause +inflight requests to be requeued (as we have available paths but none +are IO capable). These requests on the requeue list are waiting for +someone to resubmit them at some point. + +The IO capable paths will eventually notify the ns resize change to the +host, but there is nothing that will kick the requeue list to resubmit +the queued requests. + +Fix this by always kicking the requeue list, and if no IO capable path +exists, these requests will be queued again. + +A typical log that indicates that IOs are requeued: +-- +nvme nvme1: creating 4 I/O queues. +nvme nvme1: new ctrl: "testnqn1" +nvme nvme2: creating 4 I/O queues. +nvme nvme2: mapped 4/0/0 default/read/poll queues. +nvme nvme2: new ctrl: NQN "testnqn1", addr 127.0.0.1:8009 +nvme nvme1: rescanning namespaces. +nvme1n1: detected capacity change from 2097152 to 4194304 +block nvme1n1: no usable path - requeuing I/O +block nvme1n1: no usable path - requeuing I/O +block nvme1n1: no usable path - requeuing I/O +block nvme1n1: no usable path - requeuing I/O +block nvme1n1: no usable path - requeuing I/O +block nvme1n1: no usable path - requeuing I/O +block nvme1n1: no usable path - requeuing I/O +block nvme1n1: no usable path - requeuing I/O +block nvme1n1: no usable path - requeuing I/O +block nvme1n1: no usable path - requeuing I/O +nvme nvme2: rescanning namespaces. +-- + +Reported-by: Yogev Cohen +Fixes: e7d65803e2bb ("nvme-multipath: revalidate paths during rescan") +Signed-off-by: Sagi Grimberg +Cc: # v5.15+ +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/multipath.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -182,6 +182,7 @@ void nvme_mpath_revalidate_paths(struct + + for_each_node(node) + rcu_assign_pointer(head->current_path[node], NULL); ++ kblockd_schedule_work(&head->requeue_work); + } + + static bool nvme_path_is_disabled(struct nvme_ns *ns) diff --git a/queue-6.0/nvmem-core-fix-memleak-in-nvmem_register.patch b/queue-6.0/nvmem-core-fix-memleak-in-nvmem_register.patch new file mode 100644 index 00000000000..10e71e786f7 --- /dev/null +++ b/queue-6.0/nvmem-core-fix-memleak-in-nvmem_register.patch @@ -0,0 +1,57 @@ +From bd1244561fa2a4531ded40dbf09c9599084f8b29 Mon Sep 17 00:00:00 2001 +From: Gaosheng Cui +Date: Fri, 16 Sep 2022 13:04:02 +0100 +Subject: nvmem: core: Fix memleak in nvmem_register() + +From: Gaosheng Cui + +commit bd1244561fa2a4531ded40dbf09c9599084f8b29 upstream. + +dev_set_name will alloc memory for nvmem->dev.kobj.name in +nvmem_register, when nvmem_validate_keepouts failed, nvmem's +memory will be freed and return, but nobody will free memory +for nvmem->dev.kobj.name, there will be memleak, so moving +nvmem_validate_keepouts() after device_register() and let +the device core deal with cleaning name in error cases. + +Fixes: de0534df9347 ("nvmem: core: fix error handling while validating keepout regions") +Cc: stable@vger.kernel.org +Signed-off-by: Gaosheng Cui +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20220916120402.38753-1-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvmem/core.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +--- a/drivers/nvmem/core.c ++++ b/drivers/nvmem/core.c +@@ -829,21 +829,18 @@ struct nvmem_device *nvmem_register(cons + nvmem->dev.groups = nvmem_dev_groups; + #endif + +- if (nvmem->nkeepout) { +- rval = nvmem_validate_keepouts(nvmem); +- if (rval) { +- ida_free(&nvmem_ida, nvmem->id); +- kfree(nvmem); +- return ERR_PTR(rval); +- } +- } +- + dev_dbg(&nvmem->dev, "Registering nvmem device %s\n", config->name); + + rval = device_register(&nvmem->dev); + if (rval) + goto err_put_device; + ++ if (nvmem->nkeepout) { ++ rval = nvmem_validate_keepouts(nvmem); ++ if (rval) ++ goto err_device_del; ++ } ++ + if (config->compat) { + rval = nvmem_sysfs_setup_compat(nvmem, config); + if (rval) diff --git a/queue-6.0/revert-drm-amdgpu-use-dirty-framebuffer-helper.patch b/queue-6.0/revert-drm-amdgpu-use-dirty-framebuffer-helper.patch new file mode 100644 index 00000000000..e9f97f1acfc --- /dev/null +++ b/queue-6.0/revert-drm-amdgpu-use-dirty-framebuffer-helper.patch @@ -0,0 +1,64 @@ +From 17d819e2828cacca2e4c909044eb9798ed379cd2 Mon Sep 17 00:00:00 2001 +From: Hamza Mahfooz +Date: Wed, 5 Oct 2022 11:30:38 -0400 +Subject: Revert "drm/amdgpu: use dirty framebuffer helper" + +From: Hamza Mahfooz + +commit 17d819e2828cacca2e4c909044eb9798ed379cd2 upstream. + +This reverts commit 66f99628eb24409cb8feb5061f78283c8b65f820. + +Unfortunately, that commit causes performance regressions on non-PSR +setups. So, just revert it until FB_DAMAGE_CLIPS support can be added. + +Cc: stable@vger.kernel.org +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2189 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216554 +Fixes: 66f99628eb2440 ("drm/amdgpu: use dirty framebuffer helper") +Fixes: abbc7a3dafb91b ("drm/amdgpu: don't register a dirty callback for non-atomic") +Signed-off-by: Hamza Mahfooz +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +@@ -38,8 +38,6 @@ + #include + #include + #include +-#include +-#include + #include + #include + #include +@@ -500,12 +498,6 @@ static const struct drm_framebuffer_func + .create_handle = drm_gem_fb_create_handle, + }; + +-static const struct drm_framebuffer_funcs amdgpu_fb_funcs_atomic = { +- .destroy = drm_gem_fb_destroy, +- .create_handle = drm_gem_fb_create_handle, +- .dirty = drm_atomic_helper_dirtyfb, +-}; +- + uint32_t amdgpu_display_supported_domains(struct amdgpu_device *adev, + uint64_t bo_flags) + { +@@ -1108,10 +1100,8 @@ static int amdgpu_display_gem_fb_verify_ + if (ret) + goto err; + +- if (drm_drv_uses_atomic_modeset(dev)) +- ret = drm_framebuffer_init(dev, &rfb->base, &amdgpu_fb_funcs_atomic); +- else +- ret = drm_framebuffer_init(dev, &rfb->base, &amdgpu_fb_funcs); ++ ret = drm_framebuffer_init(dev, &rfb->base, &amdgpu_fb_funcs); ++ + if (ret) + goto err; + diff --git a/queue-6.0/series b/queue-6.0/series index 86310bae632..92ce8312f68 100644 --- a/queue-6.0/series +++ b/queue-6.0/series @@ -63,3 +63,20 @@ riscv-allow-prot_write-only-mmap.patch riscv-make-vm_write-imply-vm_read.patch riscv-always-honor-the-config_cmdline_force-when-parsing-dtb.patch riscv-pass-mno-relax-only-on-lld-15.0.0.patch +um-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch +nvmem-core-fix-memleak-in-nvmem_register.patch +nvme-multipath-fix-possible-hang-in-live-ns-resize-with-ana-access.patch +revert-drm-amdgpu-use-dirty-framebuffer-helper.patch +dm-verity-loadpin-only-trust-verity-targets-with-enforcement.patch +dmaengine-mxs-use-platform_driver_register.patch +dmaengine-qcom-adm-fix-wrong-sizeof-config-in-slave_config.patch +dmaengine-qcom-adm-fix-wrong-calling-convention-for-prep_slave_sg.patch +drm-virtio-check-whether-transferred-2d-bo-is-shmem.patch +drm-virtio-unlock-reservations-on-virtio_gpu_object_shmem_init-error.patch +drm-virtio-unlock-reservations-on-dma_resv_reserve_fences-error.patch +drm-virtio-use-appropriate-atomic-state-in-virtio_gpu_plane_cleanup_fb.patch +drm-udl-restore-display-mode-on-resume.patch +arm64-mte-move-register-initialization-to-c.patch +arm64-mte-avoid-setting-pg_mte_tagged-if-no-tags-cleared-or-restored.patch +arm64-errata-add-cortex-a55-to-the-repeat-tlbi-list.patch +clocksource-drivers-arm_arch_timer-fix-cntpct_lo-and-cntvct_lo-value.patch diff --git a/queue-6.0/um-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch b/queue-6.0/um-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch new file mode 100644 index 00000000000..1870887079a --- /dev/null +++ b/queue-6.0/um-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch @@ -0,0 +1,62 @@ +From 16c546e148fa6d14a019431436a6f7b4087dbccd Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Tue, 12 Jul 2022 15:52:55 +0800 +Subject: UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK + +From: Huacai Chen + +commit 16c546e148fa6d14a019431436a6f7b4087dbccd upstream. + +When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS is selected, +cpu_max_bits_warn() generates a runtime warning similar as below while +we show /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit) +instead of NR_CPUS to iterate CPUs. + +[ 3.052463] ------------[ cut here ]------------ +[ 3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0 +[ 3.070072] Modules linked in: efivarfs autofs4 +[ 3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052 +[ 3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000 +[ 3.109127] 9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430 +[ 3.118774] 90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff +[ 3.128412] 0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890 +[ 3.138056] 0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa +[ 3.147711] ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000 +[ 3.157364] 900000000101c998 0000000000000004 9000000000ef7430 0000000000000000 +[ 3.167012] 0000000000000009 000000000000006c 0000000000000000 0000000000000000 +[ 3.176641] 9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286 +[ 3.186260] 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c +[ 3.195868] ... +[ 3.199917] Call Trace: +[ 3.203941] [<90000000002086d8>] show_stack+0x38/0x14c +[ 3.210666] [<9000000000cf846c>] dump_stack_lvl+0x60/0x88 +[ 3.217625] [<900000000023d268>] __warn+0xd0/0x100 +[ 3.223958] [<9000000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc +[ 3.231150] [<9000000000210220>] show_cpuinfo+0x5e8/0x5f0 +[ 3.238080] [<90000000004f578c>] seq_read_iter+0x354/0x4b4 +[ 3.245098] [<90000000004c2e90>] new_sync_read+0x17c/0x1c4 +[ 3.252114] [<90000000004c5174>] vfs_read+0x138/0x1d0 +[ 3.258694] [<90000000004c55f8>] ksys_read+0x70/0x100 +[ 3.265265] [<9000000000cfde9c>] do_syscall+0x7c/0x94 +[ 3.271820] [<9000000000202fe4>] handle_syscall+0xc4/0x160 +[ 3.281824] ---[ end trace 8b484262b4b8c24c ]--- + +Cc: stable@vger.kernel.org +Signed-off-by: Huacai Chen +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + arch/um/kernel/um_arch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/um/kernel/um_arch.c ++++ b/arch/um/kernel/um_arch.c +@@ -96,7 +96,7 @@ static int show_cpuinfo(struct seq_file + + static void *c_start(struct seq_file *m, loff_t *pos) + { +- return *pos < NR_CPUS ? cpu_data + *pos : NULL; ++ return *pos < nr_cpu_ids ? cpu_data + *pos : NULL; + } + + static void *c_next(struct seq_file *m, void *v, loff_t *pos)