From: Greg Kroah-Hartman Date: Fri, 7 May 2021 14:17:01 +0000 (+0200) Subject: 5.12-stable patches X-Git-Tag: v5.4.118~99 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=982076b7b733646ea6d00320f177d51edcd147dd;p=thirdparty%2Fkernel%2Fstable-queue.git 5.12-stable patches added patches: acpi-custom_method-fix-a-possible-memory-leak.patch acpi-custom_method-fix-potential-use-after-free-issue.patch arm-9056-1-decompressor-fix-bss-size-calculation-for-llvm-ld.lld.patch arm64-dts-marvell-armada-37xx-add-syscon-compatible-to-nb-clk-node.patch arm64-dts-mt8173-fix-property-typo-of-phys-in-dsi-node.patch dyndbg-fix-parsing-file-query-without-a-line-range-suffix.patch ecryptfs-fix-kernel-panic-with-null-dev_name.patch erofs-add-unsupported-inode-i_format-check.patch fs-epoll-restore-waking-from-ep_done_scan.patch ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch libceph-allow-addrvecs-with-a-single-none-blank-address.patch libceph-bump-cephxauthenticate-encoding-version.patch libceph-don-t-set-global_id-until-we-get-an-auth-ticket.patch mmc-block-issue-a-cache-flush-only-when-it-s-enabled.patch mmc-block-update-ext_csd.cache_ctrl-if-it-was-written.patch mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch mmc-core-fix-hanging-on-i-o-during-system-suspend-for-removable-cards.patch mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch mmc-sdhci-check-for-reset-prior-to-dma-address-unmap.patch mmc-sdhci-pci-fix-initialization-of-some-sd-cards-for-intel-byt-based-controllers.patch mmc-sdhci-tegra-add-required-callbacks-to-set-clear-cqe_en-bit.patch mmc-uniphier-sd-fix-a-resource-leak-in-the-remove-function.patch mmc-uniphier-sd-fix-an-error-handling-path-in-uniphier_sd_probe.patch mtd-physmap-physmap-bt1-rom-fix-unintentional-stack-access.patch mtd-rawnand-atmel-update-ecc_stats.corrected-counter.patch mtd-spi-nor-core-fix-an-issue-of-releasing-resources-during-read-write.patch mtd-spinand-core-add-missing-module_device_table.patch nitro_enclaves-fix-stale-file-descriptors-on-failed-usercopy.patch reset-add-missing-empty-function-reset_control_rearm.patch revert-mtd-spi-nor-macronix-add-support-for-mx25l51245g.patch s390-cio-remove-invalid-condition-on-io_sch_unreg.patch s390-disassembler-increase-ebpf-disasm-buffer-size.patch s390-vfio-ap-fix-circular-lockdep-when-setting-clearing-crypto-masks.patch s390-zcrypt-fix-zcard-and-zqueue-hot-unplug-memleak.patch scsi-lpfc-fix-rmmod-crash-due-to-bad-ring-pointers-to-abort_iotag.patch scsi-mpt3sas-block-pci-config-access-from-userspace-during-reset.patch scsi-mpt3sas-only-one-vses-is-present-even-when-ioc-has-multi-vses.patch scsi-qla2xxx-fix-crash-in-qla2xxx_mqueuecommand.patch scsi-qla2xxx-reserve-extra-irq-vectors.patch spi-spi-ti-qspi-free-dma-resources.patch spi-stm32-qspi-fix-pm_runtime-usage_count-counter.patch tpm-acpi-check-eventlog-signature-before-using-it.patch vhost-vdpa-fix-vm_flags-for-virtqueue-doorbell-mapping.patch --- diff --git a/queue-5.12/acpi-custom_method-fix-a-possible-memory-leak.patch b/queue-5.12/acpi-custom_method-fix-a-possible-memory-leak.patch new file mode 100644 index 00000000000..a4ad2c7f2e0 --- /dev/null +++ b/queue-5.12/acpi-custom_method-fix-a-possible-memory-leak.patch @@ -0,0 +1,36 @@ +From 1cfd8956437f842836e8a066b40d1ec2fc01f13e Mon Sep 17 00:00:00 2001 +From: Mark Langsdorf +Date: Tue, 27 Apr 2021 13:54:33 -0500 +Subject: ACPI: custom_method: fix a possible memory leak + +From: Mark Langsdorf + +commit 1cfd8956437f842836e8a066b40d1ec2fc01f13e upstream. + +In cm_write(), if the 'buf' is allocated memory but not fully consumed, +it is possible to reallocate the buffer without freeing it by passing +'*ppos' as 0 on a subsequent call. + +Add an explicit kfree() before kzalloc() to prevent the possible memory +leak. + +Fixes: 526b4af47f44 ("ACPI: Split out custom_method functionality into an own driver") +Signed-off-by: Mark Langsdorf +Cc: 5.4+ # 5.4+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/custom_method.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/acpi/custom_method.c ++++ b/drivers/acpi/custom_method.c +@@ -42,6 +42,8 @@ static ssize_t cm_write(struct file *fil + sizeof(struct acpi_table_header))) + return -EFAULT; + uncopied_bytes = max_size = table.length; ++ /* make sure the buf is not allocated */ ++ kfree(buf); + buf = kzalloc(max_size, GFP_KERNEL); + if (!buf) + return -ENOMEM; diff --git a/queue-5.12/acpi-custom_method-fix-potential-use-after-free-issue.patch b/queue-5.12/acpi-custom_method-fix-potential-use-after-free-issue.patch new file mode 100644 index 00000000000..bc7905f7dc9 --- /dev/null +++ b/queue-5.12/acpi-custom_method-fix-potential-use-after-free-issue.patch @@ -0,0 +1,45 @@ +From e483bb9a991bdae29a0caa4b3a6d002c968f94aa Mon Sep 17 00:00:00 2001 +From: Mark Langsdorf +Date: Fri, 23 Apr 2021 10:28:17 -0500 +Subject: ACPI: custom_method: fix potential use-after-free issue + +From: Mark Langsdorf + +commit e483bb9a991bdae29a0caa4b3a6d002c968f94aa upstream. + +In cm_write(), buf is always freed when reaching the end of the +function. If the requested count is less than table.length, the +allocated buffer will be freed but subsequent calls to cm_write() will +still try to access it. + +Remove the unconditional kfree(buf) at the end of the function and +set the buf to NULL in the -EINVAL error path to match the rest of +function. + +Fixes: 03d1571d9513 ("ACPI: custom_method: fix memory leaks") +Signed-off-by: Mark Langsdorf +Cc: 5.4+ # 5.4+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/custom_method.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/custom_method.c ++++ b/drivers/acpi/custom_method.c +@@ -55,6 +55,7 @@ static ssize_t cm_write(struct file *fil + (*ppos + count < count) || + (count > uncopied_bytes)) { + kfree(buf); ++ buf = NULL; + return -EINVAL; + } + +@@ -76,7 +77,6 @@ static ssize_t cm_write(struct file *fil + add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE); + } + +- kfree(buf); + return count; + } + diff --git a/queue-5.12/arm-9056-1-decompressor-fix-bss-size-calculation-for-llvm-ld.lld.patch b/queue-5.12/arm-9056-1-decompressor-fix-bss-size-calculation-for-llvm-ld.lld.patch new file mode 100644 index 00000000000..2bdc078d286 --- /dev/null +++ b/queue-5.12/arm-9056-1-decompressor-fix-bss-size-calculation-for-llvm-ld.lld.patch @@ -0,0 +1,60 @@ +From c4e792d1acce31c2eb7b9193ab06ab94de05bf42 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Fri, 5 Feb 2021 19:23:00 +0100 +Subject: ARM: 9056/1: decompressor: fix BSS size calculation for LLVM ld.lld + +From: Ard Biesheuvel + +commit c4e792d1acce31c2eb7b9193ab06ab94de05bf42 upstream. + +The LLVM ld.lld linker uses a different symbol type for __bss_start, +resulting in the calculation of KBSS_SZ to be thrown off. Up until now, +this has gone unnoticed as it only affects the appended DTB case, but +pending changes for ARM in the way the decompressed kernel is cleaned +from the caches has uncovered this problem. + +On a ld.lld build: + + $ nm vmlinux |grep bss_ + c1c22034 D __bss_start + c1c86e98 B __bss_stop + +resulting in + + $ readelf -s arch/arm/boot/compressed/vmlinux | grep bss_size + 433: c1c86e98 0 NOTYPE GLOBAL DEFAULT ABS _kernel_bss_size + +which is obviously incorrect, and may cause the cache clean to access +unmapped memory, or cause the size calculation to wrap, resulting in no +cache clean to be performed at all. + +Fix this by updating the sed regex to take D type symbols into account. + +Link: https://lore.kernel.org/linux-arm-kernel/6c65bcef-d4e7-25fa-43cf-2c435bb61bb9@collabora.com/ +Link: https://lore.kernel.org/linux-arm-kernel/20210205085220.31232-1-ardb@kernel.org/ + +Cc: # v4.19+ +Reviewed-by: Nick Desaulniers +Tested-by: Nick Desaulniers +Reported-by: Guillaume Tucker +Reported-by: "kernelci.org bot" +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/compressed/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/compressed/Makefile ++++ b/arch/arm/boot/compressed/Makefile +@@ -118,8 +118,8 @@ asflags-y := -DZIMAGE + + # Supply kernel BSS size to the decompressor via a linker symbol. + KBSS_SZ = $(shell echo $$(($$($(NM) $(obj)/../../../../vmlinux | \ +- sed -n -e 's/^\([^ ]*\) [AB] __bss_start$$/-0x\1/p' \ +- -e 's/^\([^ ]*\) [AB] __bss_stop$$/+0x\1/p') )) ) ++ sed -n -e 's/^\([^ ]*\) [ABD] __bss_start$$/-0x\1/p' \ ++ -e 's/^\([^ ]*\) [ABD] __bss_stop$$/+0x\1/p') )) ) + LDFLAGS_vmlinux = --defsym _kernel_bss_size=$(KBSS_SZ) + # Supply ZRELADDR to the decompressor via a linker symbol. + ifneq ($(CONFIG_AUTO_ZRELADDR),y) diff --git a/queue-5.12/arm64-dts-marvell-armada-37xx-add-syscon-compatible-to-nb-clk-node.patch b/queue-5.12/arm64-dts-marvell-armada-37xx-add-syscon-compatible-to-nb-clk-node.patch new file mode 100644 index 00000000000..ea039d63c1c --- /dev/null +++ b/queue-5.12/arm64-dts-marvell-armada-37xx-add-syscon-compatible-to-nb-clk-node.patch @@ -0,0 +1,40 @@ +From 1d88358a89dbac9c7d4559548b9a44840456e6fb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Beh=C3=BAn?= +Date: Thu, 14 Jan 2021 13:40:23 +0100 +Subject: arm64: dts: marvell: armada-37xx: add syscon compatible to NB clk node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +commit 1d88358a89dbac9c7d4559548b9a44840456e6fb upstream. + +Add "syscon" compatible to the North Bridge clocks node to allow the +cpufreq driver to access these registers via syscon API. + +This is needed for a fix of cpufreq driver. + +Signed-off-by: Marek Behún +Fixes: e8d66e7927b2 ("arm64: dts: marvell: armada-37xx: add nodes...") +Cc: stable@vger.kernel.org +Cc: Gregory CLEMENT +Cc: Miquel Raynal +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/marvell/armada-37xx.dtsi | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi ++++ b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi +@@ -156,7 +156,8 @@ + }; + + nb_periph_clk: nb-periph-clk@13000 { +- compatible = "marvell,armada-3700-periph-clock-nb"; ++ compatible = "marvell,armada-3700-periph-clock-nb", ++ "syscon"; + reg = <0x13000 0x100>; + clocks = <&tbg 0>, <&tbg 1>, <&tbg 2>, + <&tbg 3>, <&xtalclk>; diff --git a/queue-5.12/arm64-dts-mt8173-fix-property-typo-of-phys-in-dsi-node.patch b/queue-5.12/arm64-dts-mt8173-fix-property-typo-of-phys-in-dsi-node.patch new file mode 100644 index 00000000000..d1e863a3a5f --- /dev/null +++ b/queue-5.12/arm64-dts-mt8173-fix-property-typo-of-phys-in-dsi-node.patch @@ -0,0 +1,33 @@ +From e4e5d030bd779fb8321d3b8bd65406fbe0827037 Mon Sep 17 00:00:00 2001 +From: Chunfeng Yun +Date: Tue, 16 Mar 2021 17:22:24 +0800 +Subject: arm64: dts: mt8173: fix property typo of 'phys' in dsi node + +From: Chunfeng Yun + +commit e4e5d030bd779fb8321d3b8bd65406fbe0827037 upstream. + +Use 'phys' instead of 'phy'. + +Fixes: 81ad4dbaf7af ("arm64: dts: mt8173: Add display subsystem related nodes") +Signed-off-by: Chunfeng Yun +Reviewed-by: Chun-Kuang Hu +Cc: stable +Link: https://lore.kernel.org/r/20210316092232.9806-5-chunfeng.yun@mediatek.com +Signed-off-by: Matthias Brugger +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/mediatek/mt8173.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/mediatek/mt8173.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8173.dtsi +@@ -1235,7 +1235,7 @@ + <&mmsys CLK_MM_DSI1_DIGITAL>, + <&mipi_tx1>; + clock-names = "engine", "digital", "hs"; +- phy = <&mipi_tx1>; ++ phys = <&mipi_tx1>; + phy-names = "dphy"; + status = "disabled"; + }; diff --git a/queue-5.12/dyndbg-fix-parsing-file-query-without-a-line-range-suffix.patch b/queue-5.12/dyndbg-fix-parsing-file-query-without-a-line-range-suffix.patch new file mode 100644 index 00000000000..cd94c9ad580 --- /dev/null +++ b/queue-5.12/dyndbg-fix-parsing-file-query-without-a-line-range-suffix.patch @@ -0,0 +1,38 @@ +From 7b1ae248279bea33af9e797a93c35f49601cb8a0 Mon Sep 17 00:00:00 2001 +From: Shuo Chen +Date: Wed, 14 Apr 2021 14:24:00 -0700 +Subject: dyndbg: fix parsing file query without a line-range suffix + +From: Shuo Chen + +commit 7b1ae248279bea33af9e797a93c35f49601cb8a0 upstream. + +Query like 'file tcp_input.c line 1234 +p' was broken by +commit aaebe329bff0 ("dyndbg: accept 'file foo.c:func1' and 'file +foo.c:10-100'") because a file name without a ':' now makes the loop in +ddebug_parse_query() exits early before parsing the 'line 1234' part. +As a result, all pr_debug() in tcp_input.c will be enabled, instead of only +the one on line 1234. Changing 'break' to 'continue' fixes this. + +Fixes: aaebe329bff0 ("dyndbg: accept 'file foo.c:func1' and 'file foo.c:10-100'") +Cc: stable +Reviewed-by: Eric Dumazet +Signed-off-by: Shuo Chen +Acked-by: Jason Baron +Link: https://lore.kernel.org/r/20210414212400.2927281-1-giantchen@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + lib/dynamic_debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/dynamic_debug.c ++++ b/lib/dynamic_debug.c +@@ -396,7 +396,7 @@ static int ddebug_parse_query(char *word + /* tail :$info is function or line-range */ + fline = strchr(query->filename, ':'); + if (!fline) +- break; ++ continue; + *fline++ = '\0'; + if (isalpha(*fline) || *fline == '*' || *fline == '?') { + /* take as function name */ diff --git a/queue-5.12/ecryptfs-fix-kernel-panic-with-null-dev_name.patch b/queue-5.12/ecryptfs-fix-kernel-panic-with-null-dev_name.patch new file mode 100644 index 00000000000..d024a0c0791 --- /dev/null +++ b/queue-5.12/ecryptfs-fix-kernel-panic-with-null-dev_name.patch @@ -0,0 +1,40 @@ +From 9046625511ad8dfbc8c6c2de16b3532c43d68d48 Mon Sep 17 00:00:00 2001 +From: Jeffrey Mitchell +Date: Fri, 26 Feb 2021 15:00:23 -0600 +Subject: ecryptfs: fix kernel panic with null dev_name + +From: Jeffrey Mitchell + +commit 9046625511ad8dfbc8c6c2de16b3532c43d68d48 upstream. + +When mounting eCryptfs, a null "dev_name" argument to ecryptfs_mount() +causes a kernel panic if the parsed options are valid. The easiest way to +reproduce this is to call mount() from userspace with an existing +eCryptfs mount's options and a "source" argument of 0. + +Error out if "dev_name" is null in ecryptfs_mount() + +Fixes: 237fead61998 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig") +Cc: stable@vger.kernel.org +Signed-off-by: Jeffrey Mitchell +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman +--- + fs/ecryptfs/main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/ecryptfs/main.c ++++ b/fs/ecryptfs/main.c +@@ -492,6 +492,12 @@ static struct dentry *ecryptfs_mount(str + goto out; + } + ++ if (!dev_name) { ++ rc = -EINVAL; ++ err = "Device name cannot be null"; ++ goto out; ++ } ++ + rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid); + if (rc) { + err = "Error parsing options"; diff --git a/queue-5.12/erofs-add-unsupported-inode-i_format-check.patch b/queue-5.12/erofs-add-unsupported-inode-i_format-check.patch new file mode 100644 index 00000000000..9f3531d732f --- /dev/null +++ b/queue-5.12/erofs-add-unsupported-inode-i_format-check.patch @@ -0,0 +1,52 @@ +From 24a806d849c0b0c1d0cd6a6b93ba4ae4c0ec9f08 Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Mon, 29 Mar 2021 08:36:14 +0800 +Subject: erofs: add unsupported inode i_format check + +From: Gao Xiang + +commit 24a806d849c0b0c1d0cd6a6b93ba4ae4c0ec9f08 upstream. + +If any unknown i_format fields are set (may be of some new incompat +inode features), mark such inode as unsupported. + +Just in case of any new incompat i_format fields added in the future. + +Link: https://lore.kernel.org/r/20210329003614.6583-1-hsiangkao@aol.com +Fixes: 431339ba9042 ("staging: erofs: add inode operations") +Cc: # 4.19+ +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/erofs_fs.h | 3 +++ + fs/erofs/inode.c | 7 +++++++ + 2 files changed, 10 insertions(+) + +--- a/fs/erofs/erofs_fs.h ++++ b/fs/erofs/erofs_fs.h +@@ -75,6 +75,9 @@ static inline bool erofs_inode_is_data_c + #define EROFS_I_VERSION_BIT 0 + #define EROFS_I_DATALAYOUT_BIT 1 + ++#define EROFS_I_ALL \ ++ ((1 << (EROFS_I_DATALAYOUT_BIT + EROFS_I_DATALAYOUT_BITS)) - 1) ++ + /* 32-byte reduced form of an ondisk inode */ + struct erofs_inode_compact { + __le16 i_format; /* inode format hints */ +--- a/fs/erofs/inode.c ++++ b/fs/erofs/inode.c +@@ -44,6 +44,13 @@ static struct page *erofs_read_inode(str + dic = page_address(page) + *ofs; + ifmt = le16_to_cpu(dic->i_format); + ++ if (ifmt & ~EROFS_I_ALL) { ++ erofs_err(inode->i_sb, "unsupported i_format %u of nid %llu", ++ ifmt, vi->nid); ++ err = -EOPNOTSUPP; ++ goto err_out; ++ } ++ + vi->datalayout = erofs_inode_datalayout(ifmt); + if (vi->datalayout >= EROFS_INODE_DATALAYOUT_MAX) { + erofs_err(inode->i_sb, "unsupported datalayout %u of nid %llu", diff --git a/queue-5.12/fs-epoll-restore-waking-from-ep_done_scan.patch b/queue-5.12/fs-epoll-restore-waking-from-ep_done_scan.patch new file mode 100644 index 00000000000..730a536fd28 --- /dev/null +++ b/queue-5.12/fs-epoll-restore-waking-from-ep_done_scan.patch @@ -0,0 +1,52 @@ +From 7fab29e356309ff93a4b30ecc466129682ec190b Mon Sep 17 00:00:00 2001 +From: Davidlohr Bueso +Date: Thu, 6 May 2021 18:04:07 -0700 +Subject: fs/epoll: restore waking from ep_done_scan() + +From: Davidlohr Bueso + +commit 7fab29e356309ff93a4b30ecc466129682ec190b upstream. + +Commit 339ddb53d373 ("fs/epoll: remove unnecessary wakeups of nested +epoll") changed the userspace visible behavior of exclusive waiters +blocked on a common epoll descriptor upon a single event becoming ready. + +Previously, all tasks doing epoll_wait would awake, and now only one is +awoken, potentially causing missed wakeups on applications that rely on +this behavior, such as Apache Qpid. + +While the aforementioned commit aims at having only a wakeup single path +in ep_poll_callback (with the exceptions of epoll_ctl cases), we need to +restore the wakeup in what was the old ep_scan_ready_list() such that +the next thread can be awoken, in a cascading style, after the waker's +corresponding ep_send_events(). + +Link: https://lkml.kernel.org/r/20210405231025.33829-3-dave@stgolabs.net +Fixes: 339ddb53d373 ("fs/epoll: remove unnecessary wakeups of nested epoll") +Signed-off-by: Davidlohr Bueso +Cc: Al Viro +Cc: Jason Baron +Cc: Roman Penyaev +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/eventpoll.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -657,6 +657,12 @@ static void ep_done_scan(struct eventpol + */ + list_splice(txlist, &ep->rdllist); + __pm_relax(ep->ws); ++ ++ if (!list_empty(&ep->rdllist)) { ++ if (waitqueue_active(&ep->wq)) ++ wake_up(&ep->wq); ++ } ++ + write_unlock_irq(&ep->lock); + } + diff --git a/queue-5.12/ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch b/queue-5.12/ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch new file mode 100644 index 00000000000..ee079a9091d --- /dev/null +++ b/queue-5.12/ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch @@ -0,0 +1,53 @@ +From 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Wed, 5 May 2021 10:38:24 -0400 +Subject: ftrace: Handle commands when closing set_ftrace_filter file + +From: Steven Rostedt (VMware) + +commit 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 upstream. + + # echo switch_mm:traceoff > /sys/kernel/tracing/set_ftrace_filter + +will cause switch_mm to stop tracing by the traceoff command. + + # echo -n switch_mm:traceoff > /sys/kernel/tracing/set_ftrace_filter + +does nothing. + +The reason is that the parsing in the write function only processes +commands if it finished parsing (there is white space written after the +command). That's to handle: + + write(fd, "switch_mm:", 10); + write(fd, "traceoff", 8); + +cases, where the command is broken over multiple writes. + +The problem is if the file descriptor is closed, then the write call is +not processed, and the command needs to be processed in the release code. +The release code can handle matching of functions, but does not handle +commands. + +Cc: stable@vger.kernel.org +Fixes: eda1e32855656 ("tracing: handle broken names in ftrace filter") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -5631,7 +5631,10 @@ int ftrace_regex_release(struct inode *i + + parser = &iter->parser; + if (trace_parser_loaded(parser)) { +- ftrace_match_records(iter->hash, parser->buffer, parser->idx); ++ int enable = !(iter->flags & FTRACE_ITER_NOTRACE); ++ ++ ftrace_process_regex(iter, parser->buffer, ++ parser->idx, enable); + } + + trace_parser_put(parser); diff --git a/queue-5.12/libceph-allow-addrvecs-with-a-single-none-blank-address.patch b/queue-5.12/libceph-allow-addrvecs-with-a-single-none-blank-address.patch new file mode 100644 index 00000000000..e7146eaee06 --- /dev/null +++ b/queue-5.12/libceph-allow-addrvecs-with-a-single-none-blank-address.patch @@ -0,0 +1,74 @@ +From 3f1c6f2122fc780560f09735b6d1dbf39b44eb0f Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Mon, 3 May 2021 17:09:01 +0200 +Subject: libceph: allow addrvecs with a single NONE/blank address + +From: Ilya Dryomov + +commit 3f1c6f2122fc780560f09735b6d1dbf39b44eb0f upstream. + +Normally, an unused OSD id/slot is represented by an empty addrvec. +However, it also appears to be possible to generate an osdmap where +an unused OSD id/slot has an addrvec with a single blank address of +type NONE. Allow such addrvecs and make the end result be exactly +the same as for the empty addrvec case -- leave addr intact. + +Cc: stable@vger.kernel.org # 5.11+ +Signed-off-by: Ilya Dryomov +Reviewed-by: Jeff Layton +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/decode.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/net/ceph/decode.c ++++ b/net/ceph/decode.c +@@ -4,6 +4,7 @@ + #include + + #include ++#include /* for ceph_pr_addr() */ + + static int + ceph_decode_entity_addr_versioned(void **p, void *end, +@@ -110,6 +111,7 @@ int ceph_decode_entity_addrvec(void **p, + } + + ceph_decode_32_safe(p, end, addr_cnt, e_inval); ++ dout("%s addr_cnt %d\n", __func__, addr_cnt); + + found = false; + for (i = 0; i < addr_cnt; i++) { +@@ -117,6 +119,7 @@ int ceph_decode_entity_addrvec(void **p, + if (ret) + return ret; + ++ dout("%s i %d addr %s\n", __func__, i, ceph_pr_addr(&tmp_addr)); + if (tmp_addr.type == my_type) { + if (found) { + pr_err("another match of type %d in addrvec\n", +@@ -128,13 +131,18 @@ int ceph_decode_entity_addrvec(void **p, + found = true; + } + } +- if (!found && addr_cnt != 0) { +- pr_err("no match of type %d in addrvec\n", +- le32_to_cpu(my_type)); +- return -ENOENT; +- } + +- return 0; ++ if (found) ++ return 0; ++ ++ if (!addr_cnt) ++ return 0; /* normal -- e.g. unused OSD id/slot */ ++ ++ if (addr_cnt == 1 && !memchr_inv(&tmp_addr, 0, sizeof(tmp_addr))) ++ return 0; /* weird but effectively the same as !addr_cnt */ ++ ++ pr_err("no match of type %d in addrvec\n", le32_to_cpu(my_type)); ++ return -ENOENT; + + e_inval: + return -EINVAL; diff --git a/queue-5.12/libceph-bump-cephxauthenticate-encoding-version.patch b/queue-5.12/libceph-bump-cephxauthenticate-encoding-version.patch new file mode 100644 index 00000000000..3bcc71bcdb5 --- /dev/null +++ b/queue-5.12/libceph-bump-cephxauthenticate-encoding-version.patch @@ -0,0 +1,44 @@ +From 7807dafda21a549403d922da98dde0ddfeb70d08 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Wed, 14 Apr 2021 10:38:40 +0200 +Subject: libceph: bump CephXAuthenticate encoding version + +From: Ilya Dryomov + +commit 7807dafda21a549403d922da98dde0ddfeb70d08 upstream. + +A dummy v3 encoding (exactly the same as v2) was introduced so that +the monitors can distinguish broken clients that may not include their +auth ticket in CEPHX_GET_AUTH_SESSION_KEY request on reconnects, thus +failing to prove previous possession of their global_id (one part of +CVE-2021-20288). + +The kernel client has always included its auth ticket, so it is +compatible with enforcing mode as is. However we want to bump the +encoding version to avoid having to authenticate twice on the initial +connect -- all legacy (CephXAuthenticate < v3) are now forced do so in +order to expose insecure global_id reclaim. + +Marking for stable since at least for 5.11 and 5.12 it is trivial +(v2 -> v3). + +Cc: stable@vger.kernel.org # 5.11+ +URL: https://tracker.ceph.com/issues/50452 +Signed-off-by: Ilya Dryomov +Reviewed-by: Sage Weil +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/auth_x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ceph/auth_x.c ++++ b/net/ceph/auth_x.c +@@ -526,7 +526,7 @@ static int ceph_x_build_request(struct c + if (ret < 0) + return ret; + +- auth->struct_v = 2; /* nautilus+ */ ++ auth->struct_v = 3; /* nautilus+ */ + auth->key = 0; + for (u = (u64 *)enc_buf; u + 1 <= (u64 *)(enc_buf + ret); u++) + auth->key ^= *(__le64 *)u; diff --git a/queue-5.12/libceph-don-t-set-global_id-until-we-get-an-auth-ticket.patch b/queue-5.12/libceph-don-t-set-global_id-until-we-get-an-auth-ticket.patch new file mode 100644 index 00000000000..7176525d9fa --- /dev/null +++ b/queue-5.12/libceph-don-t-set-global_id-until-we-get-an-auth-ticket.patch @@ -0,0 +1,101 @@ +From 61ca49a9105faefa003b37542cebad8722f8ae22 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Mon, 26 Apr 2021 19:11:37 +0200 +Subject: libceph: don't set global_id until we get an auth ticket + +From: Ilya Dryomov + +commit 61ca49a9105faefa003b37542cebad8722f8ae22 upstream. + +With the introduction of enforcing mode, setting global_id as soon +as we get it in the first MAuth reply will result in EACCES if the +connection is reset before we get the second MAuth reply containing +an auth ticket -- because on retry we would attempt to reclaim that +global_id with no auth ticket at hand. + +Neither ceph_auth_client nor ceph_mon_client depend on global_id +being set ealy, so just delay the setting until we get and process +the second MAuth reply. While at it, complain if the monitor sends +a zero global_id or changes our global_id as the session is likely +to fail after that. + +Cc: stable@vger.kernel.org # needs backporting for < 5.11 +Signed-off-by: Ilya Dryomov +Reviewed-by: Sage Weil +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/auth.c | 36 +++++++++++++++++++++++------------- + 1 file changed, 23 insertions(+), 13 deletions(-) + +--- a/net/ceph/auth.c ++++ b/net/ceph/auth.c +@@ -36,6 +36,20 @@ static int init_protocol(struct ceph_aut + } + } + ++static void set_global_id(struct ceph_auth_client *ac, u64 global_id) ++{ ++ dout("%s global_id %llu\n", __func__, global_id); ++ ++ if (!global_id) ++ pr_err("got zero global_id\n"); ++ ++ if (ac->global_id && global_id != ac->global_id) ++ pr_err("global_id changed from %llu to %llu\n", ac->global_id, ++ global_id); ++ ++ ac->global_id = global_id; ++} ++ + /* + * setup, teardown. + */ +@@ -222,11 +236,6 @@ int ceph_handle_auth_reply(struct ceph_a + + payload_end = payload + payload_len; + +- if (global_id && ac->global_id != global_id) { +- dout(" set global_id %lld -> %lld\n", ac->global_id, global_id); +- ac->global_id = global_id; +- } +- + if (ac->negotiating) { + /* server does not support our protocols? */ + if (!protocol && result < 0) { +@@ -253,11 +262,16 @@ int ceph_handle_auth_reply(struct ceph_a + + ret = ac->ops->handle_reply(ac, result, payload, payload_end, + NULL, NULL, NULL, NULL); +- if (ret == -EAGAIN) ++ if (ret == -EAGAIN) { + ret = build_request(ac, true, reply_buf, reply_len); +- else if (ret) ++ goto out; ++ } else if (ret) { + pr_err("auth protocol '%s' mauth authentication failed: %d\n", + ceph_auth_proto_name(ac->protocol), result); ++ goto out; ++ } ++ ++ set_global_id(ac, global_id); + + out: + mutex_unlock(&ac->mutex); +@@ -484,15 +498,11 @@ int ceph_auth_handle_reply_done(struct c + int ret; + + mutex_lock(&ac->mutex); +- if (global_id && ac->global_id != global_id) { +- dout("%s global_id %llu -> %llu\n", __func__, ac->global_id, +- global_id); +- ac->global_id = global_id; +- } +- + ret = ac->ops->handle_reply(ac, 0, reply, reply + reply_len, + session_key, session_key_len, + con_secret, con_secret_len); ++ if (!ret) ++ set_global_id(ac, global_id); + mutex_unlock(&ac->mutex); + return ret; + } diff --git a/queue-5.12/mmc-block-issue-a-cache-flush-only-when-it-s-enabled.patch b/queue-5.12/mmc-block-issue-a-cache-flush-only-when-it-s-enabled.patch new file mode 100644 index 00000000000..223d1d6a875 --- /dev/null +++ b/queue-5.12/mmc-block-issue-a-cache-flush-only-when-it-s-enabled.patch @@ -0,0 +1,109 @@ +From 97fce126e279690105ee15be652b465fd96f9997 Mon Sep 17 00:00:00 2001 +From: Avri Altman +Date: Sun, 25 Apr 2021 09:02:06 +0300 +Subject: mmc: block: Issue a cache flush only when it's enabled + +From: Avri Altman + +commit 97fce126e279690105ee15be652b465fd96f9997 upstream. + +In command queueing mode, the cache isn't flushed via the mmc_flush_cache() +function, but instead by issuing a CMDQ_TASK_MGMT (CMD48) with a +FLUSH_CACHE opcode. In this path, we need to check if cache has been +enabled, before deciding to flush the cache, along the lines of what's +being done in mmc_flush_cache(). + +To fix this problem, let's add a new bus ops callback ->cache_enabled() and +implement it for the mmc bus type. In this way, the mmc block device driver +can call it to know whether cache flushing should be done. + +Fixes: 1e8e55b67030 (mmc: block: Add CQE support) +Cc: stable@vger.kernel.org +Reported-by: Brendan Peter +Signed-off-by: Avri Altman +Tested-by: Brendan Peter +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20210425060207.2591-2-avri.altman@wdc.com +Link: https://lore.kernel.org/r/20210425060207.2591-3-avri.altman@wdc.com +[Ulf: Squashed the two patches and made some minor updates] +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/block.c | 4 ++++ + drivers/mmc/core/core.h | 9 +++++++++ + drivers/mmc/core/mmc.c | 7 +++++++ + drivers/mmc/core/mmc_ops.c | 4 +--- + 4 files changed, 21 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -2236,6 +2236,10 @@ enum mmc_issued mmc_blk_mq_issue_rq(stru + case MMC_ISSUE_ASYNC: + switch (req_op(req)) { + case REQ_OP_FLUSH: ++ if (!mmc_cache_enabled(host)) { ++ blk_mq_end_request(req, BLK_STS_OK); ++ return MMC_REQ_FINISHED; ++ } + ret = mmc_blk_cqe_issue_flush(mq, req); + break; + case REQ_OP_READ: +--- a/drivers/mmc/core/core.h ++++ b/drivers/mmc/core/core.h +@@ -29,6 +29,7 @@ struct mmc_bus_ops { + int (*shutdown)(struct mmc_host *); + int (*hw_reset)(struct mmc_host *); + int (*sw_reset)(struct mmc_host *); ++ bool (*cache_enabled)(struct mmc_host *); + }; + + void mmc_attach_bus(struct mmc_host *host, const struct mmc_bus_ops *ops); +@@ -171,4 +172,12 @@ static inline void mmc_post_req(struct m + host->ops->post_req(host, mrq, err); + } + ++static inline bool mmc_cache_enabled(struct mmc_host *host) ++{ ++ if (host->bus_ops->cache_enabled) ++ return host->bus_ops->cache_enabled(host); ++ ++ return false; ++} ++ + #endif +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -2029,6 +2029,12 @@ static void mmc_detect(struct mmc_host * + } + } + ++static bool _mmc_cache_enabled(struct mmc_host *host) ++{ ++ return host->card->ext_csd.cache_size > 0 && ++ host->card->ext_csd.cache_ctrl & 1; ++} ++ + static int _mmc_suspend(struct mmc_host *host, bool is_suspend) + { + int err = 0; +@@ -2208,6 +2214,7 @@ static const struct mmc_bus_ops mmc_ops + .alive = mmc_alive, + .shutdown = mmc_shutdown, + .hw_reset = _mmc_hw_reset, ++ .cache_enabled = _mmc_cache_enabled, + }; + + /* +--- a/drivers/mmc/core/mmc_ops.c ++++ b/drivers/mmc/core/mmc_ops.c +@@ -988,9 +988,7 @@ int mmc_flush_cache(struct mmc_card *car + { + int err = 0; + +- if (mmc_card_mmc(card) && +- (card->ext_csd.cache_size > 0) && +- (card->ext_csd.cache_ctrl & 1)) { ++ if (mmc_cache_enabled(card->host)) { + err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL, + EXT_CSD_FLUSH_CACHE, 1, + MMC_CACHE_FLUSH_TIMEOUT_MS); diff --git a/queue-5.12/mmc-block-update-ext_csd.cache_ctrl-if-it-was-written.patch b/queue-5.12/mmc-block-update-ext_csd.cache_ctrl-if-it-was-written.patch new file mode 100644 index 00000000000..b5eac2e98b6 --- /dev/null +++ b/queue-5.12/mmc-block-update-ext_csd.cache_ctrl-if-it-was-written.patch @@ -0,0 +1,46 @@ +From aea0440ad023ab0662299326f941214b0d7480bd Mon Sep 17 00:00:00 2001 +From: Avri Altman +Date: Tue, 20 Apr 2021 16:46:41 +0300 +Subject: mmc: block: Update ext_csd.cache_ctrl if it was written + +From: Avri Altman + +commit aea0440ad023ab0662299326f941214b0d7480bd upstream. + +The cache function can be turned ON and OFF by writing to the CACHE_CTRL +byte (EXT_CSD byte [33]). However, card->ext_csd.cache_ctrl is only +set on init if cache size > 0. + +Fix that by explicitly setting ext_csd.cache_ctrl on ext-csd write. + +Signed-off-by: Avri Altman +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210420134641.57343-3-avri.altman@wdc.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/block.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -573,6 +573,18 @@ static int __mmc_blk_ioctl_cmd(struct mm + } + + /* ++ * Make sure to update CACHE_CTRL in case it was changed. The cache ++ * will get turned back on if the card is re-initialized, e.g. ++ * suspend/resume or hw reset in recovery. ++ */ ++ if ((MMC_EXTRACT_INDEX_FROM_ARG(cmd.arg) == EXT_CSD_CACHE_CTRL) && ++ (cmd.opcode == MMC_SWITCH)) { ++ u8 value = MMC_EXTRACT_VALUE_FROM_ARG(cmd.arg) & 1; ++ ++ card->ext_csd.cache_ctrl = value; ++ } ++ ++ /* + * According to the SD specs, some commands require a delay after + * issuing the command. + */ diff --git a/queue-5.12/mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch b/queue-5.12/mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch new file mode 100644 index 00000000000..bdd56b6ec54 --- /dev/null +++ b/queue-5.12/mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch @@ -0,0 +1,39 @@ +From 147186f531ae49c18b7a9091a2c40e83b3d95649 Mon Sep 17 00:00:00 2001 +From: DooHyun Hwang +Date: Wed, 10 Feb 2021 13:59:36 +0900 +Subject: mmc: core: Do a power cycle when the CMD11 fails + +From: DooHyun Hwang + +commit 147186f531ae49c18b7a9091a2c40e83b3d95649 upstream. + +A CMD11 is sent to the SD/SDIO card to start the voltage switch procedure +into 1.8V I/O. According to the SD spec a power cycle is needed of the +card, if it turns out that the CMD11 fails. Let's fix this, to allow a +retry of the initialization without the voltage switch, to succeed. + +Note that, whether it makes sense to also retry with the voltage switch +after the power cycle is a bit more difficult to know. At this point, we +treat it like the CMD11 isn't supported and therefore we skip it when +retrying. + +Signed-off-by: DooHyun Hwang +Link: https://lore.kernel.org/r/20210210045936.7809-1-dh0421.hwang@samsung.com +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/core/core.c ++++ b/drivers/mmc/core/core.c +@@ -1207,7 +1207,7 @@ int mmc_set_uhs_voltage(struct mmc_host + + err = mmc_wait_for_cmd(host, &cmd, 0); + if (err) +- return err; ++ goto power_cycle; + + if (!mmc_host_is_spi(host) && (cmd.resp[0] & R1_ERROR)) + return -EIO; diff --git a/queue-5.12/mmc-core-fix-hanging-on-i-o-during-system-suspend-for-removable-cards.patch b/queue-5.12/mmc-core-fix-hanging-on-i-o-during-system-suspend-for-removable-cards.patch new file mode 100644 index 00000000000..8f428ac2779 --- /dev/null +++ b/queue-5.12/mmc-core-fix-hanging-on-i-o-during-system-suspend-for-removable-cards.patch @@ -0,0 +1,287 @@ +From 17a17bf50612e6048a9975450cf1bd30f93815b5 Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Wed, 10 Mar 2021 16:29:00 +0100 +Subject: mmc: core: Fix hanging on I/O during system suspend for removable cards + +From: Ulf Hansson + +commit 17a17bf50612e6048a9975450cf1bd30f93815b5 upstream. + +The mmc core uses a PM notifier to temporarily during system suspend, turn +off the card detection mechanism for removal/insertion of (e)MMC/SD/SDIO +cards. Additionally, the notifier may be used to remove an SDIO card +entirely, if a corresponding SDIO functional driver don't have the system +suspend/resume callbacks assigned. This behaviour has been around for a +very long time. + +However, a recent bug report tells us there are problems with this +approach. More precisely, when receiving the PM_SUSPEND_PREPARE +notification, we may end up hanging on I/O to be completed, thus also +preventing the system from getting suspended. + +In the end what happens, is that the cancel_delayed_work_sync() in +mmc_pm_notify() ends up waiting for mmc_rescan() to complete - and since +mmc_rescan() wants to claim the host, it needs to wait for the I/O to be +completed first. + +Typically, this problem is triggered in Android, if there is ongoing I/O +while the user decides to suspend, resume and then suspend the system +again. This due to that after the resume, an mmc_rescan() work gets punted +to the workqueue, which job is to verify that the card remains inserted +after the system has resumed. + +To fix this problem, userspace needs to become frozen to suspend the I/O, +prior to turning off the card detection mechanism. Therefore, let's drop +the PM notifiers for mmc subsystem altogether and rely on the card +detection to be turned off/on as a part of the system_freezable_wq, that we +are already using. + +Moreover, to allow and SDIO card to be removed during system suspend, let's +manage this from a ->prepare() callback, assigned at the mmc_host_class +level. In this way, we can use the parent device (the mmc_host_class +device), to remove the card device that is the child, in the +device_prepare() phase. + +Reported-by: Kiwoong Kim +Cc: stable@vger.kernel.org # v4.5+ +Signed-off-by: Ulf Hansson +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20210310152900.149380-1-ulf.hansson@linaro.org +Reviewed-by: Kiwoong Kim +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/core.c | 74 ----------------------------------------------- + drivers/mmc/core/core.h | 8 ----- + drivers/mmc/core/host.c | 40 +++++++++++++++++++++++-- + drivers/mmc/core/sdio.c | 28 +++++++++++++---- + include/linux/mmc/host.h | 3 - + 5 files changed, 59 insertions(+), 94 deletions(-) + +--- a/drivers/mmc/core/core.c ++++ b/drivers/mmc/core/core.c +@@ -2369,80 +2369,6 @@ void mmc_stop_host(struct mmc_host *host + mmc_release_host(host); + } + +-#ifdef CONFIG_PM_SLEEP +-/* Do the card removal on suspend if card is assumed removeable +- * Do that in pm notifier while userspace isn't yet frozen, so we will be able +- to sync the card. +-*/ +-static int mmc_pm_notify(struct notifier_block *notify_block, +- unsigned long mode, void *unused) +-{ +- struct mmc_host *host = container_of( +- notify_block, struct mmc_host, pm_notify); +- unsigned long flags; +- int err = 0; +- +- switch (mode) { +- case PM_HIBERNATION_PREPARE: +- case PM_SUSPEND_PREPARE: +- case PM_RESTORE_PREPARE: +- spin_lock_irqsave(&host->lock, flags); +- host->rescan_disable = 1; +- spin_unlock_irqrestore(&host->lock, flags); +- cancel_delayed_work_sync(&host->detect); +- +- if (!host->bus_ops) +- break; +- +- /* Validate prerequisites for suspend */ +- if (host->bus_ops->pre_suspend) +- err = host->bus_ops->pre_suspend(host); +- if (!err) +- break; +- +- if (!mmc_card_is_removable(host)) { +- dev_warn(mmc_dev(host), +- "pre_suspend failed for non-removable host: " +- "%d\n", err); +- /* Avoid removing non-removable hosts */ +- break; +- } +- +- /* Calling bus_ops->remove() with a claimed host can deadlock */ +- host->bus_ops->remove(host); +- mmc_claim_host(host); +- mmc_detach_bus(host); +- mmc_power_off(host); +- mmc_release_host(host); +- host->pm_flags = 0; +- break; +- +- case PM_POST_SUSPEND: +- case PM_POST_HIBERNATION: +- case PM_POST_RESTORE: +- +- spin_lock_irqsave(&host->lock, flags); +- host->rescan_disable = 0; +- spin_unlock_irqrestore(&host->lock, flags); +- _mmc_detect_change(host, 0, false); +- +- } +- +- return 0; +-} +- +-void mmc_register_pm_notifier(struct mmc_host *host) +-{ +- host->pm_notify.notifier_call = mmc_pm_notify; +- register_pm_notifier(&host->pm_notify); +-} +- +-void mmc_unregister_pm_notifier(struct mmc_host *host) +-{ +- unregister_pm_notifier(&host->pm_notify); +-} +-#endif +- + static int __init mmc_init(void) + { + int ret; +--- a/drivers/mmc/core/core.h ++++ b/drivers/mmc/core/core.h +@@ -94,14 +94,6 @@ int mmc_execute_tuning(struct mmc_card * + int mmc_hs200_to_hs400(struct mmc_card *card); + int mmc_hs400_to_hs200(struct mmc_card *card); + +-#ifdef CONFIG_PM_SLEEP +-void mmc_register_pm_notifier(struct mmc_host *host); +-void mmc_unregister_pm_notifier(struct mmc_host *host); +-#else +-static inline void mmc_register_pm_notifier(struct mmc_host *host) { } +-static inline void mmc_unregister_pm_notifier(struct mmc_host *host) { } +-#endif +- + void mmc_wait_for_req_done(struct mmc_host *host, struct mmc_request *mrq); + bool mmc_is_req_done(struct mmc_host *host, struct mmc_request *mrq); + +--- a/drivers/mmc/core/host.c ++++ b/drivers/mmc/core/host.c +@@ -35,6 +35,42 @@ + + static DEFINE_IDA(mmc_host_ida); + ++#ifdef CONFIG_PM_SLEEP ++static int mmc_host_class_prepare(struct device *dev) ++{ ++ struct mmc_host *host = cls_dev_to_mmc_host(dev); ++ ++ /* ++ * It's safe to access the bus_ops pointer, as both userspace and the ++ * workqueue for detecting cards are frozen at this point. ++ */ ++ if (!host->bus_ops) ++ return 0; ++ ++ /* Validate conditions for system suspend. */ ++ if (host->bus_ops->pre_suspend) ++ return host->bus_ops->pre_suspend(host); ++ ++ return 0; ++} ++ ++static void mmc_host_class_complete(struct device *dev) ++{ ++ struct mmc_host *host = cls_dev_to_mmc_host(dev); ++ ++ _mmc_detect_change(host, 0, false); ++} ++ ++static const struct dev_pm_ops mmc_host_class_dev_pm_ops = { ++ .prepare = mmc_host_class_prepare, ++ .complete = mmc_host_class_complete, ++}; ++ ++#define MMC_HOST_CLASS_DEV_PM_OPS (&mmc_host_class_dev_pm_ops) ++#else ++#define MMC_HOST_CLASS_DEV_PM_OPS NULL ++#endif ++ + static void mmc_host_classdev_release(struct device *dev) + { + struct mmc_host *host = cls_dev_to_mmc_host(dev); +@@ -46,6 +82,7 @@ static void mmc_host_classdev_release(st + static struct class mmc_host_class = { + .name = "mmc_host", + .dev_release = mmc_host_classdev_release, ++ .pm = MMC_HOST_CLASS_DEV_PM_OPS, + }; + + int mmc_register_host_class(void) +@@ -538,8 +575,6 @@ int mmc_add_host(struct mmc_host *host) + #endif + + mmc_start_host(host); +- mmc_register_pm_notifier(host); +- + return 0; + } + +@@ -555,7 +590,6 @@ EXPORT_SYMBOL(mmc_add_host); + */ + void mmc_remove_host(struct mmc_host *host) + { +- mmc_unregister_pm_notifier(host); + mmc_stop_host(host); + + #ifdef CONFIG_DEBUG_FS +--- a/drivers/mmc/core/sdio.c ++++ b/drivers/mmc/core/sdio.c +@@ -985,21 +985,37 @@ out: + */ + static int mmc_sdio_pre_suspend(struct mmc_host *host) + { +- int i, err = 0; ++ int i; + + for (i = 0; i < host->card->sdio_funcs; i++) { + struct sdio_func *func = host->card->sdio_func[i]; + if (func && sdio_func_present(func) && func->dev.driver) { + const struct dev_pm_ops *pmops = func->dev.driver->pm; +- if (!pmops || !pmops->suspend || !pmops->resume) { ++ if (!pmops || !pmops->suspend || !pmops->resume) + /* force removal of entire card in that case */ +- err = -ENOSYS; +- break; +- } ++ goto remove; + } + } + +- return err; ++ return 0; ++ ++remove: ++ if (!mmc_card_is_removable(host)) { ++ dev_warn(mmc_dev(host), ++ "missing suspend/resume ops for non-removable SDIO card\n"); ++ /* Don't remove a non-removable card - we can't re-detect it. */ ++ return 0; ++ } ++ ++ /* Remove the SDIO card and let it be re-detected later on. */ ++ mmc_sdio_remove(host); ++ mmc_claim_host(host); ++ mmc_detach_bus(host); ++ mmc_power_off(host); ++ mmc_release_host(host); ++ host->pm_flags = 0; ++ ++ return 0; + } + + /* +--- a/include/linux/mmc/host.h ++++ b/include/linux/mmc/host.h +@@ -302,9 +302,6 @@ struct mmc_host { + u32 ocr_avail_sdio; /* SDIO-specific OCR */ + u32 ocr_avail_sd; /* SD-specific OCR */ + u32 ocr_avail_mmc; /* MMC-specific OCR */ +-#ifdef CONFIG_PM_SLEEP +- struct notifier_block pm_notify; +-#endif + struct wakeup_source *ws; /* Enable consume of uevents */ + u32 max_current_330; + u32 max_current_300; diff --git a/queue-5.12/mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch b/queue-5.12/mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch new file mode 100644 index 00000000000..3689e4433bc --- /dev/null +++ b/queue-5.12/mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch @@ -0,0 +1,45 @@ +From 917a5336f2c27928be270226ab374ed0cbf3805d Mon Sep 17 00:00:00 2001 +From: Seunghui Lee +Date: Mon, 22 Feb 2021 17:31:56 +0900 +Subject: mmc: core: Set read only for SD cards with permanent write protect bit + +From: Seunghui Lee + +commit 917a5336f2c27928be270226ab374ed0cbf3805d upstream. + +Some of SD cards sets permanent write protection bit in their CSD register, +due to lifespan or internal problem. To avoid unnecessary I/O write +operations, let's parse the bits in the CSD during initialization and mark +the card as read only for this case. + +Signed-off-by: Seunghui Lee +Link: https://lore.kernel.org/r/20210222083156.19158-1-sh043.lee@samsung.com +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/sd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/mmc/core/sd.c ++++ b/drivers/mmc/core/sd.c +@@ -135,6 +135,9 @@ static int mmc_decode_csd(struct mmc_car + csd->erase_size = UNSTUFF_BITS(resp, 39, 7) + 1; + csd->erase_size <<= csd->write_blkbits - 9; + } ++ ++ if (UNSTUFF_BITS(resp, 13, 1)) ++ mmc_card_set_readonly(card); + break; + case 1: + /* +@@ -169,6 +172,9 @@ static int mmc_decode_csd(struct mmc_car + csd->write_blkbits = 9; + csd->write_partial = 0; + csd->erase_size = 1; ++ ++ if (UNSTUFF_BITS(resp, 13, 1)) ++ mmc_card_set_readonly(card); + break; + default: + pr_err("%s: unrecognised CSD structure version %d\n", diff --git a/queue-5.12/mmc-sdhci-check-for-reset-prior-to-dma-address-unmap.patch b/queue-5.12/mmc-sdhci-check-for-reset-prior-to-dma-address-unmap.patch new file mode 100644 index 00000000000..c7f50ad2e39 --- /dev/null +++ b/queue-5.12/mmc-sdhci-check-for-reset-prior-to-dma-address-unmap.patch @@ -0,0 +1,109 @@ +From 21e35e898aa9ef7781632959db8613a5380f2eae Mon Sep 17 00:00:00 2001 +From: Pradeep P V K +Date: Wed, 3 Mar 2021 14:02:11 +0530 +Subject: mmc: sdhci: Check for reset prior to DMA address unmap + +From: Pradeep P V K + +commit 21e35e898aa9ef7781632959db8613a5380f2eae upstream. + +For data read commands, SDHC may initiate data transfers even before it +completely process the command response. In case command itself fails, +driver un-maps the memory associated with data transfer but this memory +can still be accessed by SDHC for the already initiated data transfer. +This scenario can lead to un-mapped memory access error. + +To avoid this scenario, reset SDHC (when command fails) prior to +un-mapping memory. Resetting SDHC ensures that all in-flight data +transfers are either aborted or completed. So we don't run into this +scenario. + +Swap the reset, un-map steps sequence in sdhci_request_done(). + +Suggested-by: Veerabhadrarao Badiganti +Signed-off-by: Pradeep P V K +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/1614760331-43499-1-git-send-email-pragalla@qti.qualcomm.com +Cc: stable@vger.kernel.org # v4.9+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci.c | 60 ++++++++++++++++++++++++----------------------- + 1 file changed, 31 insertions(+), 29 deletions(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -2997,6 +2997,37 @@ static bool sdhci_request_done(struct sd + } + + /* ++ * The controller needs a reset of internal state machines ++ * upon error conditions. ++ */ ++ if (sdhci_needs_reset(host, mrq)) { ++ /* ++ * Do not finish until command and data lines are available for ++ * reset. Note there can only be one other mrq, so it cannot ++ * also be in mrqs_done, otherwise host->cmd and host->data_cmd ++ * would both be null. ++ */ ++ if (host->cmd || host->data_cmd) { ++ spin_unlock_irqrestore(&host->lock, flags); ++ return true; ++ } ++ ++ /* Some controllers need this kick or reset won't work here */ ++ if (host->quirks & SDHCI_QUIRK_CLOCK_BEFORE_RESET) ++ /* This is to force an update */ ++ host->ops->set_clock(host, host->clock); ++ ++ /* ++ * Spec says we should do both at the same time, but Ricoh ++ * controllers do not like that. ++ */ ++ sdhci_do_reset(host, SDHCI_RESET_CMD); ++ sdhci_do_reset(host, SDHCI_RESET_DATA); ++ ++ host->pending_reset = false; ++ } ++ ++ /* + * Always unmap the data buffers if they were mapped by + * sdhci_prepare_data() whenever we finish with a request. + * This avoids leaking DMA mappings on error. +@@ -3059,35 +3090,6 @@ static bool sdhci_request_done(struct sd + } + } + +- /* +- * The controller needs a reset of internal state machines +- * upon error conditions. +- */ +- if (sdhci_needs_reset(host, mrq)) { +- /* +- * Do not finish until command and data lines are available for +- * reset. Note there can only be one other mrq, so it cannot +- * also be in mrqs_done, otherwise host->cmd and host->data_cmd +- * would both be null. +- */ +- if (host->cmd || host->data_cmd) { +- spin_unlock_irqrestore(&host->lock, flags); +- return true; +- } +- +- /* Some controllers need this kick or reset won't work here */ +- if (host->quirks & SDHCI_QUIRK_CLOCK_BEFORE_RESET) +- /* This is to force an update */ +- host->ops->set_clock(host, host->clock); +- +- /* Spec says we should do both at the same time, but Ricoh +- controllers do not like that. */ +- sdhci_do_reset(host, SDHCI_RESET_CMD); +- sdhci_do_reset(host, SDHCI_RESET_DATA); +- +- host->pending_reset = false; +- } +- + host->mrqs_done[i] = NULL; + + spin_unlock_irqrestore(&host->lock, flags); diff --git a/queue-5.12/mmc-sdhci-pci-fix-initialization-of-some-sd-cards-for-intel-byt-based-controllers.patch b/queue-5.12/mmc-sdhci-pci-fix-initialization-of-some-sd-cards-for-intel-byt-based-controllers.patch new file mode 100644 index 00000000000..5088d2a70c5 --- /dev/null +++ b/queue-5.12/mmc-sdhci-pci-fix-initialization-of-some-sd-cards-for-intel-byt-based-controllers.patch @@ -0,0 +1,83 @@ +From 2970134b927834e9249659a70aac48e62dff804a Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Wed, 31 Mar 2021 11:17:52 +0300 +Subject: mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers + +From: Adrian Hunter + +commit 2970134b927834e9249659a70aac48e62dff804a upstream. + +Bus power may control card power, but the full reset done by SDHCI at +initialization still may not reset the power, whereas a direct write to +SDHCI_POWER_CONTROL can. That might be needed to initialize correctly, if +the card was left powered on previously. + +Signed-off-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210331081752.23621-1-adrian.hunter@intel.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-pci-core.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -516,6 +516,7 @@ struct intel_host { + int drv_strength; + bool d3_retune; + bool rpm_retune_ok; ++ bool needs_pwr_off; + u32 glk_rx_ctrl1; + u32 glk_tun_val; + u32 active_ltr; +@@ -643,9 +644,25 @@ out: + static void sdhci_intel_set_power(struct sdhci_host *host, unsigned char mode, + unsigned short vdd) + { ++ struct sdhci_pci_slot *slot = sdhci_priv(host); ++ struct intel_host *intel_host = sdhci_pci_priv(slot); + int cntr; + u8 reg; + ++ /* ++ * Bus power may control card power, but a full reset still may not ++ * reset the power, whereas a direct write to SDHCI_POWER_CONTROL can. ++ * That might be needed to initialize correctly, if the card was left ++ * powered on previously. ++ */ ++ if (intel_host->needs_pwr_off) { ++ intel_host->needs_pwr_off = false; ++ if (mode != MMC_POWER_OFF) { ++ sdhci_writeb(host, 0, SDHCI_POWER_CONTROL); ++ usleep_range(10000, 12500); ++ } ++ } ++ + sdhci_set_power(host, mode, vdd); + + if (mode == MMC_POWER_OFF) +@@ -1135,6 +1152,14 @@ static int byt_sdio_probe_slot(struct sd + return 0; + } + ++static void byt_needs_pwr_off(struct sdhci_pci_slot *slot) ++{ ++ struct intel_host *intel_host = sdhci_pci_priv(slot); ++ u8 reg = sdhci_readb(slot->host, SDHCI_POWER_CONTROL); ++ ++ intel_host->needs_pwr_off = reg & SDHCI_POWER_ON; ++} ++ + static int byt_sd_probe_slot(struct sdhci_pci_slot *slot) + { + byt_probe_slot(slot); +@@ -1152,6 +1177,8 @@ static int byt_sd_probe_slot(struct sdhc + slot->chip->pdev->subsystem_device == PCI_SUBDEVICE_ID_NI_78E3) + slot->host->mmc->caps2 |= MMC_CAP2_AVOID_3_3V; + ++ byt_needs_pwr_off(slot); ++ + return 0; + } + diff --git a/queue-5.12/mmc-sdhci-tegra-add-required-callbacks-to-set-clear-cqe_en-bit.patch b/queue-5.12/mmc-sdhci-tegra-add-required-callbacks-to-set-clear-cqe_en-bit.patch new file mode 100644 index 00000000000..77603f218e3 --- /dev/null +++ b/queue-5.12/mmc-sdhci-tegra-add-required-callbacks-to-set-clear-cqe_en-bit.patch @@ -0,0 +1,110 @@ +From 5ec6fa5a6dc5e42a4aa782f3a81d5f08b0fac1e6 Mon Sep 17 00:00:00 2001 +From: Aniruddha Tvs Rao +Date: Wed, 7 Apr 2021 10:46:17 +0100 +Subject: mmc: sdhci-tegra: Add required callbacks to set/clear CQE_EN bit + +From: Aniruddha Tvs Rao + +commit 5ec6fa5a6dc5e42a4aa782f3a81d5f08b0fac1e6 upstream. + +CMD8 is not supported with Command Queue Enabled. Add required callback +to clear CQE_EN and CQE_INTR fields in the host controller register +before sending CMD8. Add corresponding callback in the CQHCI resume path +to re-enable CQE_EN and CQE_INTR fields. + +Reported-by: Kamal Mostafa +Tested-by: Kamal Mostafa +Signed-off-by: Aniruddha Tvs Rao +Signed-off-by: Jon Hunter +Acked-by: Adrian Hunter +Acked-by: Thierry Reding +Link: https://lore.kernel.org/r/20210407094617.770495-1-jonathanh@nvidia.com +Cc: stable@vger.kernel.org # v5.10+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-tegra.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +--- a/drivers/mmc/host/sdhci-tegra.c ++++ b/drivers/mmc/host/sdhci-tegra.c +@@ -119,6 +119,10 @@ + /* SDMMC CQE Base Address for Tegra Host Ver 4.1 and Higher */ + #define SDHCI_TEGRA_CQE_BASE_ADDR 0xF000 + ++#define SDHCI_TEGRA_CQE_TRNS_MODE (SDHCI_TRNS_MULTI | \ ++ SDHCI_TRNS_BLK_CNT_EN | \ ++ SDHCI_TRNS_DMA) ++ + struct sdhci_tegra_soc_data { + const struct sdhci_pltfm_data *pdata; + u64 dma_mask; +@@ -1156,6 +1160,7 @@ static void tegra_sdhci_voltage_switch(s + static void tegra_cqhci_writel(struct cqhci_host *cq_host, u32 val, int reg) + { + struct mmc_host *mmc = cq_host->mmc; ++ struct sdhci_host *host = mmc_priv(mmc); + u8 ctrl; + ktime_t timeout; + bool timed_out; +@@ -1170,6 +1175,7 @@ static void tegra_cqhci_writel(struct cq + */ + if (reg == CQHCI_CTL && !(val & CQHCI_HALT) && + cqhci_readl(cq_host, CQHCI_CTL) & CQHCI_HALT) { ++ sdhci_writew(host, SDHCI_TEGRA_CQE_TRNS_MODE, SDHCI_TRANSFER_MODE); + sdhci_cqe_enable(mmc); + writel(val, cq_host->mmio + reg); + timeout = ktime_add_us(ktime_get(), 50); +@@ -1205,6 +1211,7 @@ static void sdhci_tegra_update_dcmd_desc + static void sdhci_tegra_cqe_enable(struct mmc_host *mmc) + { + struct cqhci_host *cq_host = mmc->cqe_private; ++ struct sdhci_host *host = mmc_priv(mmc); + u32 val; + + /* +@@ -1218,6 +1225,7 @@ static void sdhci_tegra_cqe_enable(struc + if (val & CQHCI_ENABLE) + cqhci_writel(cq_host, (val & ~CQHCI_ENABLE), + CQHCI_CFG); ++ sdhci_writew(host, SDHCI_TEGRA_CQE_TRNS_MODE, SDHCI_TRANSFER_MODE); + sdhci_cqe_enable(mmc); + if (val & CQHCI_ENABLE) + cqhci_writel(cq_host, val, CQHCI_CFG); +@@ -1281,12 +1289,36 @@ static void tegra_sdhci_set_timeout(stru + __sdhci_set_timeout(host, cmd); + } + ++static void sdhci_tegra_cqe_pre_enable(struct mmc_host *mmc) ++{ ++ struct cqhci_host *cq_host = mmc->cqe_private; ++ u32 reg; ++ ++ reg = cqhci_readl(cq_host, CQHCI_CFG); ++ reg |= CQHCI_ENABLE; ++ cqhci_writel(cq_host, reg, CQHCI_CFG); ++} ++ ++static void sdhci_tegra_cqe_post_disable(struct mmc_host *mmc) ++{ ++ struct cqhci_host *cq_host = mmc->cqe_private; ++ struct sdhci_host *host = mmc_priv(mmc); ++ u32 reg; ++ ++ reg = cqhci_readl(cq_host, CQHCI_CFG); ++ reg &= ~CQHCI_ENABLE; ++ cqhci_writel(cq_host, reg, CQHCI_CFG); ++ sdhci_writew(host, 0x0, SDHCI_TRANSFER_MODE); ++} ++ + static const struct cqhci_host_ops sdhci_tegra_cqhci_ops = { + .write_l = tegra_cqhci_writel, + .enable = sdhci_tegra_cqe_enable, + .disable = sdhci_cqe_disable, + .dumpregs = sdhci_tegra_dumpregs, + .update_dcmd_desc = sdhci_tegra_update_dcmd_desc, ++ .pre_enable = sdhci_tegra_cqe_pre_enable, ++ .post_disable = sdhci_tegra_cqe_post_disable, + }; + + static int tegra_sdhci_set_dma_mask(struct sdhci_host *host) diff --git a/queue-5.12/mmc-uniphier-sd-fix-a-resource-leak-in-the-remove-function.patch b/queue-5.12/mmc-uniphier-sd-fix-a-resource-leak-in-the-remove-function.patch new file mode 100644 index 00000000000..5cc251785a5 --- /dev/null +++ b/queue-5.12/mmc-uniphier-sd-fix-a-resource-leak-in-the-remove-function.patch @@ -0,0 +1,37 @@ +From e29c84857e2d51aa017ce04284b962742fb97d9e Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sat, 20 Feb 2021 15:29:53 +0100 +Subject: mmc: uniphier-sd: Fix a resource leak in the remove function + +From: Christophe JAILLET + +commit e29c84857e2d51aa017ce04284b962742fb97d9e upstream. + +A 'tmio_mmc_host_free()' call is missing in the remove function, in order +to balance a 'tmio_mmc_host_alloc()' call in the probe. +This is done in the error handling path of the probe, but not in the remove +function. + +Add the missing call. + +Fixes: 3fd784f745dd ("mmc: uniphier-sd: add UniPhier SD/eMMC controller driver") +Signed-off-by: Christophe JAILLET +Reviewed-by: Masahiro Yamada +Link: https://lore.kernel.org/r/20210220142953.918608-1-christophe.jaillet@wanadoo.fr +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/uniphier-sd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mmc/host/uniphier-sd.c ++++ b/drivers/mmc/host/uniphier-sd.c +@@ -660,6 +660,7 @@ static int uniphier_sd_remove(struct pla + + tmio_mmc_host_remove(host); + uniphier_sd_clk_disable(host); ++ tmio_mmc_host_free(host); + + return 0; + } diff --git a/queue-5.12/mmc-uniphier-sd-fix-an-error-handling-path-in-uniphier_sd_probe.patch b/queue-5.12/mmc-uniphier-sd-fix-an-error-handling-path-in-uniphier_sd_probe.patch new file mode 100644 index 00000000000..f3ba16a5a25 --- /dev/null +++ b/queue-5.12/mmc-uniphier-sd-fix-an-error-handling-path-in-uniphier_sd_probe.patch @@ -0,0 +1,47 @@ +From b03aec1c1f337dfdae44cdb0645ecac34208ae0a Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sat, 20 Feb 2021 15:29:35 +0100 +Subject: mmc: uniphier-sd: Fix an error handling path in uniphier_sd_probe() + +From: Christophe JAILLET + +commit b03aec1c1f337dfdae44cdb0645ecac34208ae0a upstream. + +A 'uniphier_sd_clk_enable()' call should be balanced by a corresponding +'uniphier_sd_clk_disable()' call. +This is done in the remove function, but not in the error handling path of +the probe. + +Add the missing call. + +Fixes: 3fd784f745dd ("mmc: uniphier-sd: add UniPhier SD/eMMC controller driver") +Signed-off-by: Christophe JAILLET +Reviewed-by: Masahiro Yamada +Link: https://lore.kernel.org/r/20210220142935.918554-1-christophe.jaillet@wanadoo.fr +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/uniphier-sd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/uniphier-sd.c ++++ b/drivers/mmc/host/uniphier-sd.c +@@ -635,7 +635,7 @@ static int uniphier_sd_probe(struct plat + + ret = tmio_mmc_host_probe(host); + if (ret) +- goto free_host; ++ goto disable_clk; + + ret = devm_request_irq(dev, irq, tmio_mmc_irq, IRQF_SHARED, + dev_name(dev), host); +@@ -646,6 +646,8 @@ static int uniphier_sd_probe(struct plat + + remove_host: + tmio_mmc_host_remove(host); ++disable_clk: ++ uniphier_sd_clk_disable(host); + free_host: + tmio_mmc_host_free(host); + diff --git a/queue-5.12/mtd-physmap-physmap-bt1-rom-fix-unintentional-stack-access.patch b/queue-5.12/mtd-physmap-physmap-bt1-rom-fix-unintentional-stack-access.patch new file mode 100644 index 00000000000..d9075492b68 --- /dev/null +++ b/queue-5.12/mtd-physmap-physmap-bt1-rom-fix-unintentional-stack-access.patch @@ -0,0 +1,39 @@ +From 683313993dbe1651c7aa00bb42a041d70e914925 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Fri, 12 Feb 2021 04:40:22 -0600 +Subject: mtd: physmap: physmap-bt1-rom: Fix unintentional stack access + +From: Gustavo A. R. Silva + +commit 683313993dbe1651c7aa00bb42a041d70e914925 upstream. + +Cast &data to (char *) in order to avoid unintentionally accessing +the stack. + +Notice that data is of type u32, so any increment to &data +will be in the order of 4-byte chunks, and this piece of code +is actually intended to be a byte offset. + +Fixes: b3e79e7682e0 ("mtd: physmap: Add Baikal-T1 physically mapped ROM support") +Addresses-Coverity-ID: 1497765 ("Out-of-bounds access") +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Acked-by: Serge Semin +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20210212104022.GA242669@embeddedor +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/maps/physmap-bt1-rom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/maps/physmap-bt1-rom.c ++++ b/drivers/mtd/maps/physmap-bt1-rom.c +@@ -79,7 +79,7 @@ static void __xipram bt1_rom_map_copy_fr + if (shift) { + chunk = min_t(ssize_t, 4 - shift, len); + data = readl_relaxed(src - shift); +- memcpy(to, &data + shift, chunk); ++ memcpy(to, (char *)&data + shift, chunk); + src += chunk; + to += chunk; + len -= chunk; diff --git a/queue-5.12/mtd-rawnand-atmel-update-ecc_stats.corrected-counter.patch b/queue-5.12/mtd-rawnand-atmel-update-ecc_stats.corrected-counter.patch new file mode 100644 index 00000000000..cfe4441c181 --- /dev/null +++ b/queue-5.12/mtd-rawnand-atmel-update-ecc_stats.corrected-counter.patch @@ -0,0 +1,39 @@ +From 33cebf701e98dd12b01d39d1c644387b27c1a627 Mon Sep 17 00:00:00 2001 +From: "Kai Stuhlemmer (ebee Engineering)" +Date: Mon, 22 Mar 2021 17:07:14 +0200 +Subject: mtd: rawnand: atmel: Update ecc_stats.corrected counter + +From: Kai Stuhlemmer (ebee Engineering) + +commit 33cebf701e98dd12b01d39d1c644387b27c1a627 upstream. + +Update MTD ECC statistics with the number of corrected bits. + +Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") +Cc: stable@vger.kernel.org +Signed-off-by: Kai Stuhlemmer (ebee Engineering) +Signed-off-by: Tudor Ambarus +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20210322150714.101585-1-tudor.ambarus@microchip.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/atmel/nand-controller.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/raw/atmel/nand-controller.c ++++ b/drivers/mtd/nand/raw/atmel/nand-controller.c +@@ -883,10 +883,12 @@ static int atmel_nand_pmecc_correct_data + NULL, 0, + chip->ecc.strength); + +- if (ret >= 0) ++ if (ret >= 0) { ++ mtd->ecc_stats.corrected += ret; + max_bitflips = max(ret, max_bitflips); +- else ++ } else { + mtd->ecc_stats.failed++; ++ } + + databuf += chip->ecc.size; + eccbuf += chip->ecc.bytes; diff --git a/queue-5.12/mtd-spi-nor-core-fix-an-issue-of-releasing-resources-during-read-write.patch b/queue-5.12/mtd-spi-nor-core-fix-an-issue-of-releasing-resources-during-read-write.patch new file mode 100644 index 00000000000..a6327824c6d --- /dev/null +++ b/queue-5.12/mtd-spi-nor-core-fix-an-issue-of-releasing-resources-during-read-write.patch @@ -0,0 +1,84 @@ +From be94215be1ab19e5d38f50962f611c88d4bfc83a Mon Sep 17 00:00:00 2001 +From: Xiang Chen +Date: Thu, 1 Apr 2021 15:34:46 +0800 +Subject: mtd: spi-nor: core: Fix an issue of releasing resources during read/write + +From: Xiang Chen + +commit be94215be1ab19e5d38f50962f611c88d4bfc83a upstream. + +If rmmod the driver during read or write, the driver will release the +resources which are used during read or write, so it is possible to +refer to NULL pointer. + +Use the testcase "mtd_debug read /dev/mtd0 0xc00000 0x400000 dest_file & +sleep 0.5;rmmod spi_hisi_sfc_v3xx.ko", the issue can be reproduced in +hisi_sfc_v3xx driver. + +To avoid the issue, fill the interface _get_device and _put_device of +mtd_info to grab the reference to the spi controller driver module, so +the request of rmmod the driver is rejected before read/write is finished. + +Fixes: b199489d37b2 ("mtd: spi-nor: add the framework for SPI NOR") +Signed-off-by: Xiang Chen +Signed-off-by: Yicong Yang +Signed-off-by: Tudor Ambarus +Tested-by: Michael Walle +Tested-by: Tudor Ambarus +Reviewed-by: Michael Walle +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/1617262486-4223-1-git-send-email-yangyicong@hisilicon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/core.c | 33 +++++++++++++++++++++++++++++++++ + 1 file changed, 33 insertions(+) + +--- a/drivers/mtd/spi-nor/core.c ++++ b/drivers/mtd/spi-nor/core.c +@@ -3301,6 +3301,37 @@ static void spi_nor_resume(struct mtd_in + dev_err(dev, "resume() failed\n"); + } + ++static int spi_nor_get_device(struct mtd_info *mtd) ++{ ++ struct mtd_info *master = mtd_get_master(mtd); ++ struct spi_nor *nor = mtd_to_spi_nor(master); ++ struct device *dev; ++ ++ if (nor->spimem) ++ dev = nor->spimem->spi->controller->dev.parent; ++ else ++ dev = nor->dev; ++ ++ if (!try_module_get(dev->driver->owner)) ++ return -ENODEV; ++ ++ return 0; ++} ++ ++static void spi_nor_put_device(struct mtd_info *mtd) ++{ ++ struct mtd_info *master = mtd_get_master(mtd); ++ struct spi_nor *nor = mtd_to_spi_nor(master); ++ struct device *dev; ++ ++ if (nor->spimem) ++ dev = nor->spimem->spi->controller->dev.parent; ++ else ++ dev = nor->dev; ++ ++ module_put(dev->driver->owner); ++} ++ + void spi_nor_restore(struct spi_nor *nor) + { + /* restore the addressing mode */ +@@ -3495,6 +3526,8 @@ int spi_nor_scan(struct spi_nor *nor, co + mtd->_read = spi_nor_read; + mtd->_suspend = spi_nor_suspend; + mtd->_resume = spi_nor_resume; ++ mtd->_get_device = spi_nor_get_device; ++ mtd->_put_device = spi_nor_put_device; + + if (nor->params->locking_ops) { + mtd->_lock = spi_nor_lock; diff --git a/queue-5.12/mtd-spinand-core-add-missing-module_device_table.patch b/queue-5.12/mtd-spinand-core-add-missing-module_device_table.patch new file mode 100644 index 00000000000..2b5089634f1 --- /dev/null +++ b/queue-5.12/mtd-spinand-core-add-missing-module_device_table.patch @@ -0,0 +1,41 @@ +From 25fefc88c71f47db0466570335e3f75f10952e7a Mon Sep 17 00:00:00 2001 +From: Alexander Lobakin +Date: Tue, 23 Mar 2021 17:37:19 +0000 +Subject: mtd: spinand: core: add missing MODULE_DEVICE_TABLE() + +From: Alexander Lobakin + +commit 25fefc88c71f47db0466570335e3f75f10952e7a upstream. + +The module misses MODULE_DEVICE_TABLE() for both SPI and OF ID tables +and thus never autoloads on ID matches. +Add the missing declarations. +Present since day-0 of spinand framework introduction. + +Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs") +Cc: stable@vger.kernel.org # 4.19+ +Signed-off-by: Alexander Lobakin +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20210323173714.317884-1-alobakin@pm.me +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/spi/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/nand/spi/core.c ++++ b/drivers/mtd/nand/spi/core.c +@@ -1263,12 +1263,14 @@ static const struct spi_device_id spinan + { .name = "spi-nand" }, + { /* sentinel */ }, + }; ++MODULE_DEVICE_TABLE(spi, spinand_ids); + + #ifdef CONFIG_OF + static const struct of_device_id spinand_of_ids[] = { + { .compatible = "spi-nand" }, + { /* sentinel */ }, + }; ++MODULE_DEVICE_TABLE(of, spinand_of_ids); + #endif + + static struct spi_mem_driver spinand_drv = { diff --git a/queue-5.12/nitro_enclaves-fix-stale-file-descriptors-on-failed-usercopy.patch b/queue-5.12/nitro_enclaves-fix-stale-file-descriptors-on-failed-usercopy.patch new file mode 100644 index 00000000000..350c863eb04 --- /dev/null +++ b/queue-5.12/nitro_enclaves-fix-stale-file-descriptors-on-failed-usercopy.patch @@ -0,0 +1,121 @@ +From f1ce3986baa62cffc3c5be156994de87524bab99 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Thu, 29 Apr 2021 19:59:41 +0300 +Subject: nitro_enclaves: Fix stale file descriptors on failed usercopy + +From: Mathias Krause + +commit f1ce3986baa62cffc3c5be156994de87524bab99 upstream. + +A failing usercopy of the slot uid will lead to a stale entry in the +file descriptor table as put_unused_fd() won't release it. This enables +userland to refer to a dangling 'file' object through that still valid +file descriptor, leading to all kinds of use-after-free exploitation +scenarios. + +Exchanging put_unused_fd() for close_fd(), ksys_close() or alike won't +solve the underlying issue, as the file descriptor might have been +replaced in the meantime, e.g. via userland calling close() on it +(leading to a NULL pointer dereference in the error handling code as +'fget(enclave_fd)' will return a NULL pointer) or by dup2()'ing a +completely different file object to that very file descriptor, leading +to the same situation: a dangling file descriptor pointing to a freed +object -- just in this case to a file object of user's choosing. + +Generally speaking, after the call to fd_install() the file descriptor +is live and userland is free to do whatever with it. We cannot rely on +it to still refer to our enclave object afterwards. In fact, by abusing +userfaultfd() userland can hit the condition without any racing and +abuse the error handling in the nitro code as it pleases. + +To fix the above issues, defer the call to fd_install() until all +possible errors are handled. In this case it's just the usercopy, so do +it directly in ne_create_vm_ioctl() itself. + +Signed-off-by: Mathias Krause +Signed-off-by: Andra Paraschiv +Cc: stable +Link: https://lore.kernel.org/r/20210429165941.27020-2-andraprs@amazon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/virt/nitro_enclaves/ne_misc_dev.c | 43 +++++++++++------------------- + 1 file changed, 17 insertions(+), 26 deletions(-) + +--- a/drivers/virt/nitro_enclaves/ne_misc_dev.c ++++ b/drivers/virt/nitro_enclaves/ne_misc_dev.c +@@ -1524,7 +1524,8 @@ static const struct file_operations ne_e + * enclave file descriptor to be further used for enclave + * resources handling e.g. memory regions and CPUs. + * @ne_pci_dev : Private data associated with the PCI device. +- * @slot_uid: Generated unique slot id associated with an enclave. ++ * @slot_uid: User pointer to store the generated unique slot id ++ * associated with an enclave to. + * + * Context: Process context. This function is called with the ne_pci_dev enclave + * mutex held. +@@ -1532,7 +1533,7 @@ static const struct file_operations ne_e + * * Enclave fd on success. + * * Negative return value on failure. + */ +-static int ne_create_vm_ioctl(struct ne_pci_dev *ne_pci_dev, u64 *slot_uid) ++static int ne_create_vm_ioctl(struct ne_pci_dev *ne_pci_dev, u64 __user *slot_uid) + { + struct ne_pci_dev_cmd_reply cmd_reply = {}; + int enclave_fd = -1; +@@ -1634,7 +1635,18 @@ static int ne_create_vm_ioctl(struct ne_ + + list_add(&ne_enclave->enclave_list_entry, &ne_pci_dev->enclaves_list); + +- *slot_uid = ne_enclave->slot_uid; ++ if (copy_to_user(slot_uid, &ne_enclave->slot_uid, sizeof(ne_enclave->slot_uid))) { ++ /* ++ * As we're holding the only reference to 'enclave_file', fput() ++ * will call ne_enclave_release() which will do a proper cleanup ++ * of all so far allocated resources, leaving only the unused fd ++ * for us to free. ++ */ ++ fput(enclave_file); ++ put_unused_fd(enclave_fd); ++ ++ return -EFAULT; ++ } + + fd_install(enclave_fd, enclave_file); + +@@ -1671,34 +1683,13 @@ static long ne_ioctl(struct file *file, + switch (cmd) { + case NE_CREATE_VM: { + int enclave_fd = -1; +- struct file *enclave_file = NULL; + struct ne_pci_dev *ne_pci_dev = ne_devs.ne_pci_dev; +- int rc = -EINVAL; +- u64 slot_uid = 0; ++ u64 __user *slot_uid = (void __user *)arg; + + mutex_lock(&ne_pci_dev->enclaves_list_mutex); +- +- enclave_fd = ne_create_vm_ioctl(ne_pci_dev, &slot_uid); +- if (enclave_fd < 0) { +- rc = enclave_fd; +- +- mutex_unlock(&ne_pci_dev->enclaves_list_mutex); +- +- return rc; +- } +- ++ enclave_fd = ne_create_vm_ioctl(ne_pci_dev, slot_uid); + mutex_unlock(&ne_pci_dev->enclaves_list_mutex); + +- if (copy_to_user((void __user *)arg, &slot_uid, sizeof(slot_uid))) { +- enclave_file = fget(enclave_fd); +- /* Decrement file refs to have release() called. */ +- fput(enclave_file); +- fput(enclave_file); +- put_unused_fd(enclave_fd); +- +- return -EFAULT; +- } +- + return enclave_fd; + } + diff --git a/queue-5.12/reset-add-missing-empty-function-reset_control_rearm.patch b/queue-5.12/reset-add-missing-empty-function-reset_control_rearm.patch new file mode 100644 index 00000000000..38681ed5cec --- /dev/null +++ b/queue-5.12/reset-add-missing-empty-function-reset_control_rearm.patch @@ -0,0 +1,36 @@ +From 48582b2e3b87b794a9845d488af2c76ce055502b Mon Sep 17 00:00:00 2001 +From: Jim Quinlan +Date: Fri, 30 Apr 2021 11:21:54 -0400 +Subject: reset: add missing empty function reset_control_rearm() + +From: Jim Quinlan + +commit 48582b2e3b87b794a9845d488af2c76ce055502b upstream. + +All other functions are defined for when CONFIG_RESET_CONTROLLER +is not set. + +Fixes: 557acb3d2cd9 ("reset: make shared pulsed reset controls re-triggerable") +Link: https://lore.kernel.org/r/20210430152156.21162-2-jim2101024@gmail.com +Signed-off-by: Jim Quinlan +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v5.11+ +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/reset.h | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/include/linux/reset.h ++++ b/include/linux/reset.h +@@ -47,6 +47,11 @@ static inline int reset_control_reset(st + return 0; + } + ++static inline int reset_control_rearm(struct reset_control *rstc) ++{ ++ return 0; ++} ++ + static inline int reset_control_assert(struct reset_control *rstc) + { + return 0; diff --git a/queue-5.12/revert-mtd-spi-nor-macronix-add-support-for-mx25l51245g.patch b/queue-5.12/revert-mtd-spi-nor-macronix-add-support-for-mx25l51245g.patch new file mode 100644 index 00000000000..f1c4ef1acb9 --- /dev/null +++ b/queue-5.12/revert-mtd-spi-nor-macronix-add-support-for-mx25l51245g.patch @@ -0,0 +1,44 @@ +From 46094049a49be777f12a9589798f7c70b90cd03f Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Fri, 2 Apr 2021 11:20:30 +0300 +Subject: Revert "mtd: spi-nor: macronix: Add support for mx25l51245g" + +From: Tudor Ambarus + +commit 46094049a49be777f12a9589798f7c70b90cd03f upstream. + +This reverts commit 04b8edad262eec0d153005973dfbdd83423c0dcb. + +mx25l51245g and mx66l51235l have the same flash ID. The flash +detection returns the first entry in the flash_info array that +matches the flash ID that was read, thus for the 0xc2201a ID, +mx25l51245g was always hit, introducing a regression for +mx66l51235l. + +If one wants to differentiate the flash names, a better fix would be +to differentiate between the two at run-time, depending on SFDP, +and choose the correct name from a list of flash names, depending on +the SFDP differentiator. + +Fixes: 04b8edad262e ("mtd: spi-nor: macronix: Add support for mx25l51245g") +Signed-off-by: Tudor Ambarus +Acked-by: Pratyush Yadav +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210402082031.19055-2-tudor.ambarus@microchip.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/macronix.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/mtd/spi-nor/macronix.c ++++ b/drivers/mtd/spi-nor/macronix.c +@@ -73,9 +73,6 @@ static const struct flash_info macronix_ + SECT_4K | SPI_NOR_DUAL_READ | + SPI_NOR_QUAD_READ) }, + { "mx25l25655e", INFO(0xc22619, 0, 64 * 1024, 512, 0) }, +- { "mx25l51245g", INFO(0xc2201a, 0, 64 * 1024, 1024, +- SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ | +- SPI_NOR_4B_OPCODES) }, + { "mx66l51235l", INFO(0xc2201a, 0, 64 * 1024, 1024, + SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ | + SPI_NOR_4B_OPCODES) }, diff --git a/queue-5.12/s390-cio-remove-invalid-condition-on-io_sch_unreg.patch b/queue-5.12/s390-cio-remove-invalid-condition-on-io_sch_unreg.patch new file mode 100644 index 00000000000..fa66f4782a6 --- /dev/null +++ b/queue-5.12/s390-cio-remove-invalid-condition-on-io_sch_unreg.patch @@ -0,0 +1,42 @@ +From 2f7484fd73729f89085fe08d683f5a8d9e17fe99 Mon Sep 17 00:00:00 2001 +From: Vineeth Vijayan +Date: Fri, 23 Apr 2021 12:08:43 +0200 +Subject: s390/cio: remove invalid condition on IO_SCH_UNREG + +From: Vineeth Vijayan + +commit 2f7484fd73729f89085fe08d683f5a8d9e17fe99 upstream. + +The condition to check the cdev pointer validity on +css_sch_device_unregister() is a leftover from the 'commit 8cc0dcfdc1c0 +("s390/cio: remove pm support from ccw bus driver")'. This could lead to a +situation, where detaching the device is not happening completely. Remove +this invalid condition in the IO_SCH_UNREG case. + +Link: https://lore.kernel.org/r/20210423100843.2230969-1-vneethv@linux.ibm.com +Fixes: 8cc0dcfdc1c0 ("s390/cio: remove pm support from ccw bus driver") +Reported-by: Christian Ehrhardt +Suggested-by: Christian Ehrhardt +Cc: +Signed-off-by: Vineeth Vijayan +Tested-by: Julian Wiedmann +Reviewed-by: Peter Oberparleiter +Tested-by: Christian Ehrhardt +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/cio/device.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/s390/cio/device.c ++++ b/drivers/s390/cio/device.c +@@ -1532,8 +1532,7 @@ static int io_subchannel_sch_event(struc + switch (action) { + case IO_SCH_ORPH_UNREG: + case IO_SCH_UNREG: +- if (!cdev) +- css_sch_device_unregister(sch); ++ css_sch_device_unregister(sch); + break; + case IO_SCH_ORPH_ATTACH: + case IO_SCH_UNREG_ATTACH: diff --git a/queue-5.12/s390-disassembler-increase-ebpf-disasm-buffer-size.patch b/queue-5.12/s390-disassembler-increase-ebpf-disasm-buffer-size.patch new file mode 100644 index 00000000000..d246de37867 --- /dev/null +++ b/queue-5.12/s390-disassembler-increase-ebpf-disasm-buffer-size.patch @@ -0,0 +1,74 @@ +From 6f3353c2d2b3eb4de52e9704cb962712033db181 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Tue, 20 Apr 2021 11:04:10 +0200 +Subject: s390/disassembler: increase ebpf disasm buffer size + +From: Vasily Gorbik + +commit 6f3353c2d2b3eb4de52e9704cb962712033db181 upstream. + +Current ebpf disassembly buffer size of 64 is too small. E.g. this line +takes 65 bytes: +01fffff8005822e: ec8100ed8065\tclgrj\t%r8,%r1,8,001fffff80058408\n\0 + +Double the buffer size like it is done for the kernel disassembly buffer. + +Fixes the following KASAN finding: + +UG: KASAN: stack-out-of-bounds in print_fn_code+0x34c/0x380 +Write of size 1 at addr 001fff800ad5f970 by task test_progs/853 + +CPU: 53 PID: 853 Comm: test_progs Not tainted +5.12.0-rc7-23786-g23457d86b1f0-dirty #19 +Hardware name: IBM 3906 M04 704 (LPAR) +Call Trace: + [<0000000cd8e0538a>] show_stack+0x17a/0x1668 + [<0000000cd8e2a5d8>] dump_stack+0x140/0x1b8 + [<0000000cd8e16e74>] print_address_description.constprop.0+0x54/0x260 + [<0000000cd75a8698>] kasan_report+0xc8/0x130 + [<0000000cd6e26da4>] print_fn_code+0x34c/0x380 + [<0000000cd6ea0f4e>] bpf_int_jit_compile+0xe3e/0xe58 + [<0000000cd72c4c88>] bpf_prog_select_runtime+0x5b8/0x9c0 + [<0000000cd72d1bf8>] bpf_prog_load+0xa78/0x19c0 + [<0000000cd72d7ad6>] __do_sys_bpf.part.0+0x18e/0x768 + [<0000000cd6e0f392>] do_syscall+0x12a/0x220 + [<0000000cd8e333f8>] __do_syscall+0x98/0xc8 + [<0000000cd8e54834>] system_call+0x6c/0x94 +1 lock held by test_progs/853: + #0: 0000000cd9bf7460 (report_lock){....}-{2:2}, at: + kasan_report+0x96/0x130 + +addr 001fff800ad5f970 is located in stack of task test_progs/853 at +offset 96 in frame: + print_fn_code+0x0/0x380 +this frame has 1 object: + [32, 96) 'buffer' + +Memory state around the buggy address: + 001fff800ad5f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 001fff800ad5f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>001fff800ad5f900: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 f3 f3 + ^ + 001fff800ad5f980: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 001fff800ad5fa00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 + +Cc: +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/dis.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/kernel/dis.c ++++ b/arch/s390/kernel/dis.c +@@ -563,7 +563,7 @@ void show_code(struct pt_regs *regs) + + void print_fn_code(unsigned char *code, unsigned long len) + { +- char buffer[64], *ptr; ++ char buffer[128], *ptr; + int opsize, i; + + while (len) { diff --git a/queue-5.12/s390-vfio-ap-fix-circular-lockdep-when-setting-clearing-crypto-masks.patch b/queue-5.12/s390-vfio-ap-fix-circular-lockdep-when-setting-clearing-crypto-masks.patch new file mode 100644 index 00000000000..700d63ccc3e --- /dev/null +++ b/queue-5.12/s390-vfio-ap-fix-circular-lockdep-when-setting-clearing-crypto-masks.patch @@ -0,0 +1,551 @@ +From 0cc00c8d40500c4c8fe058dc014bdaf44a82f4f7 Mon Sep 17 00:00:00 2001 +From: Tony Krowiak +Date: Thu, 25 Mar 2021 08:46:40 -0400 +Subject: s390/vfio-ap: fix circular lockdep when setting/clearing crypto masks + +From: Tony Krowiak + +commit 0cc00c8d40500c4c8fe058dc014bdaf44a82f4f7 upstream. + +This patch fixes a lockdep splat introduced by commit f21916ec4826 +("s390/vfio-ap: clean up vfio_ap resources when KVM pointer invalidated"). +The lockdep splat only occurs when starting a Secure Execution guest. +Crypto virtualization (vfio_ap) is not yet supported for SE guests; +however, in order to avoid this problem when support becomes available, +this fix is being provided. + +The circular locking dependency was introduced when the setting of the +masks in the guest's APCB was executed while holding the matrix_dev->lock. +While the lock is definitely needed to protect the setting/unsetting of the +matrix_mdev->kvm pointer, it is not necessarily critical for setting the +masks; so, the matrix_dev->lock will be released while the masks are being +set or cleared. + +Keep in mind, however, that another process that takes the matrix_dev->lock +can get control while the masks in the guest's APCB are being set or +cleared as a result of the driver being notified that the KVM pointer +has been set or unset. This could result in invalid access to the +matrix_mdev->kvm pointer by the intervening process. To avoid this +scenario, two new fields are being added to the ap_matrix_mdev struct: + +struct ap_matrix_mdev { + ... + bool kvm_busy; + wait_queue_head_t wait_for_kvm; + ... +}; + +The functions that handle notification that the KVM pointer value has +been set or cleared will set the kvm_busy flag to true until they are done +processing at which time they will set it to false and wake up the tasks on +the matrix_mdev->wait_for_kvm wait queue. Functions that require +access to matrix_mdev->kvm will sleep on the wait queue until they are +awakened at which time they can safely access the matrix_mdev->kvm +field. + +Fixes: f21916ec4826 ("s390/vfio-ap: clean up vfio_ap resources when KVM pointer invalidated") +Cc: stable@vger.kernel.org +Signed-off-by: Tony Krowiak +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/crypto/vfio_ap_ops.c | 308 +++++++++++++++++++++++----------- + drivers/s390/crypto/vfio_ap_private.h | 2 + 2 files changed, 215 insertions(+), 95 deletions(-) + +--- a/drivers/s390/crypto/vfio_ap_ops.c ++++ b/drivers/s390/crypto/vfio_ap_ops.c +@@ -294,6 +294,19 @@ static int handle_pqap(struct kvm_vcpu * + matrix_mdev = container_of(vcpu->kvm->arch.crypto.pqap_hook, + struct ap_matrix_mdev, pqap_hook); + ++ /* ++ * If the KVM pointer is in the process of being set, wait until the ++ * process has completed. ++ */ ++ wait_event_cmd(matrix_mdev->wait_for_kvm, ++ !matrix_mdev->kvm_busy, ++ mutex_unlock(&matrix_dev->lock), ++ mutex_lock(&matrix_dev->lock)); ++ ++ /* If the there is no guest using the mdev, there is nothing to do */ ++ if (!matrix_mdev->kvm) ++ goto out_unlock; ++ + q = vfio_ap_get_queue(matrix_mdev, apqn); + if (!q) + goto out_unlock; +@@ -337,6 +350,7 @@ static int vfio_ap_mdev_create(struct ko + + matrix_mdev->mdev = mdev; + vfio_ap_matrix_init(&matrix_dev->info, &matrix_mdev->matrix); ++ init_waitqueue_head(&matrix_mdev->wait_for_kvm); + mdev_set_drvdata(mdev, matrix_mdev); + matrix_mdev->pqap_hook.hook = handle_pqap; + matrix_mdev->pqap_hook.owner = THIS_MODULE; +@@ -351,17 +365,23 @@ static int vfio_ap_mdev_remove(struct md + { + struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev); + +- if (matrix_mdev->kvm) ++ mutex_lock(&matrix_dev->lock); ++ ++ /* ++ * If the KVM pointer is in flux or the guest is running, disallow ++ * un-assignment of control domain. ++ */ ++ if (matrix_mdev->kvm_busy || matrix_mdev->kvm) { ++ mutex_unlock(&matrix_dev->lock); + return -EBUSY; ++ } + +- mutex_lock(&matrix_dev->lock); + vfio_ap_mdev_reset_queues(mdev); + list_del(&matrix_mdev->node); +- mutex_unlock(&matrix_dev->lock); +- + kfree(matrix_mdev); + mdev_set_drvdata(mdev, NULL); + atomic_inc(&matrix_dev->available_instances); ++ mutex_unlock(&matrix_dev->lock); + + return 0; + } +@@ -606,24 +626,31 @@ static ssize_t assign_adapter_store(stru + struct mdev_device *mdev = mdev_from_dev(dev); + struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev); + +- /* If the guest is running, disallow assignment of adapter */ +- if (matrix_mdev->kvm) +- return -EBUSY; ++ mutex_lock(&matrix_dev->lock); ++ ++ /* ++ * If the KVM pointer is in flux or the guest is running, disallow ++ * un-assignment of adapter ++ */ ++ if (matrix_mdev->kvm_busy || matrix_mdev->kvm) { ++ ret = -EBUSY; ++ goto done; ++ } + + ret = kstrtoul(buf, 0, &apid); + if (ret) +- return ret; ++ goto done; + +- if (apid > matrix_mdev->matrix.apm_max) +- return -ENODEV; ++ if (apid > matrix_mdev->matrix.apm_max) { ++ ret = -ENODEV; ++ goto done; ++ } + + /* + * Set the bit in the AP mask (APM) corresponding to the AP adapter + * number (APID). The bits in the mask, from most significant to least + * significant bit, correspond to APIDs 0-255. + */ +- mutex_lock(&matrix_dev->lock); +- + ret = vfio_ap_mdev_verify_queues_reserved_for_apid(matrix_mdev, apid); + if (ret) + goto done; +@@ -672,22 +699,31 @@ static ssize_t unassign_adapter_store(st + struct mdev_device *mdev = mdev_from_dev(dev); + struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev); + +- /* If the guest is running, disallow un-assignment of adapter */ +- if (matrix_mdev->kvm) +- return -EBUSY; ++ mutex_lock(&matrix_dev->lock); ++ ++ /* ++ * If the KVM pointer is in flux or the guest is running, disallow ++ * un-assignment of adapter ++ */ ++ if (matrix_mdev->kvm_busy || matrix_mdev->kvm) { ++ ret = -EBUSY; ++ goto done; ++ } + + ret = kstrtoul(buf, 0, &apid); + if (ret) +- return ret; ++ goto done; + +- if (apid > matrix_mdev->matrix.apm_max) +- return -ENODEV; ++ if (apid > matrix_mdev->matrix.apm_max) { ++ ret = -ENODEV; ++ goto done; ++ } + +- mutex_lock(&matrix_dev->lock); + clear_bit_inv((unsigned long)apid, matrix_mdev->matrix.apm); ++ ret = count; ++done: + mutex_unlock(&matrix_dev->lock); +- +- return count; ++ return ret; + } + static DEVICE_ATTR_WO(unassign_adapter); + +@@ -753,17 +789,24 @@ static ssize_t assign_domain_store(struc + struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev); + unsigned long max_apqi = matrix_mdev->matrix.aqm_max; + +- /* If the guest is running, disallow assignment of domain */ +- if (matrix_mdev->kvm) +- return -EBUSY; ++ mutex_lock(&matrix_dev->lock); ++ ++ /* ++ * If the KVM pointer is in flux or the guest is running, disallow ++ * assignment of domain ++ */ ++ if (matrix_mdev->kvm_busy || matrix_mdev->kvm) { ++ ret = -EBUSY; ++ goto done; ++ } + + ret = kstrtoul(buf, 0, &apqi); + if (ret) +- return ret; +- if (apqi > max_apqi) +- return -ENODEV; +- +- mutex_lock(&matrix_dev->lock); ++ goto done; ++ if (apqi > max_apqi) { ++ ret = -ENODEV; ++ goto done; ++ } + + ret = vfio_ap_mdev_verify_queues_reserved_for_apqi(matrix_mdev, apqi); + if (ret) +@@ -814,22 +857,32 @@ static ssize_t unassign_domain_store(str + struct mdev_device *mdev = mdev_from_dev(dev); + struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev); + +- /* If the guest is running, disallow un-assignment of domain */ +- if (matrix_mdev->kvm) +- return -EBUSY; ++ mutex_lock(&matrix_dev->lock); ++ ++ /* ++ * If the KVM pointer is in flux or the guest is running, disallow ++ * un-assignment of domain ++ */ ++ if (matrix_mdev->kvm_busy || matrix_mdev->kvm) { ++ ret = -EBUSY; ++ goto done; ++ } + + ret = kstrtoul(buf, 0, &apqi); + if (ret) +- return ret; ++ goto done; + +- if (apqi > matrix_mdev->matrix.aqm_max) +- return -ENODEV; ++ if (apqi > matrix_mdev->matrix.aqm_max) { ++ ret = -ENODEV; ++ goto done; ++ } + +- mutex_lock(&matrix_dev->lock); + clear_bit_inv((unsigned long)apqi, matrix_mdev->matrix.aqm); +- mutex_unlock(&matrix_dev->lock); ++ ret = count; + +- return count; ++done: ++ mutex_unlock(&matrix_dev->lock); ++ return ret; + } + static DEVICE_ATTR_WO(unassign_domain); + +@@ -858,27 +911,36 @@ static ssize_t assign_control_domain_sto + struct mdev_device *mdev = mdev_from_dev(dev); + struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev); + +- /* If the guest is running, disallow assignment of control domain */ +- if (matrix_mdev->kvm) +- return -EBUSY; ++ mutex_lock(&matrix_dev->lock); ++ ++ /* ++ * If the KVM pointer is in flux or the guest is running, disallow ++ * assignment of control domain. ++ */ ++ if (matrix_mdev->kvm_busy || matrix_mdev->kvm) { ++ ret = -EBUSY; ++ goto done; ++ } + + ret = kstrtoul(buf, 0, &id); + if (ret) +- return ret; ++ goto done; + +- if (id > matrix_mdev->matrix.adm_max) +- return -ENODEV; ++ if (id > matrix_mdev->matrix.adm_max) { ++ ret = -ENODEV; ++ goto done; ++ } + + /* Set the bit in the ADM (bitmask) corresponding to the AP control + * domain number (id). The bits in the mask, from most significant to + * least significant, correspond to IDs 0 up to the one less than the + * number of control domains that can be assigned. + */ +- mutex_lock(&matrix_dev->lock); + set_bit_inv(id, matrix_mdev->matrix.adm); ++ ret = count; ++done: + mutex_unlock(&matrix_dev->lock); +- +- return count; ++ return ret; + } + static DEVICE_ATTR_WO(assign_control_domain); + +@@ -908,21 +970,30 @@ static ssize_t unassign_control_domain_s + struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev); + unsigned long max_domid = matrix_mdev->matrix.adm_max; + +- /* If the guest is running, disallow un-assignment of control domain */ +- if (matrix_mdev->kvm) +- return -EBUSY; ++ mutex_lock(&matrix_dev->lock); ++ ++ /* ++ * If the KVM pointer is in flux or the guest is running, disallow ++ * un-assignment of control domain. ++ */ ++ if (matrix_mdev->kvm_busy || matrix_mdev->kvm) { ++ ret = -EBUSY; ++ goto done; ++ } + + ret = kstrtoul(buf, 0, &domid); + if (ret) +- return ret; +- if (domid > max_domid) +- return -ENODEV; ++ goto done; ++ if (domid > max_domid) { ++ ret = -ENODEV; ++ goto done; ++ } + +- mutex_lock(&matrix_dev->lock); + clear_bit_inv(domid, matrix_mdev->matrix.adm); ++ ret = count; ++done: + mutex_unlock(&matrix_dev->lock); +- +- return count; ++ return ret; + } + static DEVICE_ATTR_WO(unassign_control_domain); + +@@ -1027,8 +1098,15 @@ static const struct attribute_group *vfi + * @matrix_mdev: a mediated matrix device + * @kvm: reference to KVM instance + * +- * Verifies no other mediated matrix device has @kvm and sets a reference to +- * it in @matrix_mdev->kvm. ++ * Sets all data for @matrix_mdev that are needed to manage AP resources ++ * for the guest whose state is represented by @kvm. ++ * ++ * Note: The matrix_dev->lock must be taken prior to calling ++ * this function; however, the lock will be temporarily released while the ++ * guest's AP configuration is set to avoid a potential lockdep splat. ++ * The kvm->lock is taken to set the guest's AP configuration which, under ++ * certain circumstances, will result in a circular lock dependency if this is ++ * done under the @matrix_mdev->lock. + * + * Return 0 if no other mediated matrix device has a reference to @kvm; + * otherwise, returns an -EPERM. +@@ -1038,14 +1116,25 @@ static int vfio_ap_mdev_set_kvm(struct a + { + struct ap_matrix_mdev *m; + +- list_for_each_entry(m, &matrix_dev->mdev_list, node) { +- if ((m != matrix_mdev) && (m->kvm == kvm)) +- return -EPERM; +- } ++ if (kvm->arch.crypto.crycbd) { ++ list_for_each_entry(m, &matrix_dev->mdev_list, node) { ++ if (m != matrix_mdev && m->kvm == kvm) ++ return -EPERM; ++ } + +- matrix_mdev->kvm = kvm; +- kvm_get_kvm(kvm); +- kvm->arch.crypto.pqap_hook = &matrix_mdev->pqap_hook; ++ kvm_get_kvm(kvm); ++ matrix_mdev->kvm_busy = true; ++ mutex_unlock(&matrix_dev->lock); ++ kvm_arch_crypto_set_masks(kvm, ++ matrix_mdev->matrix.apm, ++ matrix_mdev->matrix.aqm, ++ matrix_mdev->matrix.adm); ++ mutex_lock(&matrix_dev->lock); ++ kvm->arch.crypto.pqap_hook = &matrix_mdev->pqap_hook; ++ matrix_mdev->kvm = kvm; ++ matrix_mdev->kvm_busy = false; ++ wake_up_all(&matrix_mdev->wait_for_kvm); ++ } + + return 0; + } +@@ -1079,51 +1168,65 @@ static int vfio_ap_mdev_iommu_notifier(s + return NOTIFY_DONE; + } + ++/** ++ * vfio_ap_mdev_unset_kvm ++ * ++ * @matrix_mdev: a matrix mediated device ++ * ++ * Performs clean-up of resources no longer needed by @matrix_mdev. ++ * ++ * Note: The matrix_dev->lock must be taken prior to calling ++ * this function; however, the lock will be temporarily released while the ++ * guest's AP configuration is cleared to avoid a potential lockdep splat. ++ * The kvm->lock is taken to clear the guest's AP configuration which, under ++ * certain circumstances, will result in a circular lock dependency if this is ++ * done under the @matrix_mdev->lock. ++ * ++ */ + static void vfio_ap_mdev_unset_kvm(struct ap_matrix_mdev *matrix_mdev) + { +- kvm_arch_crypto_clear_masks(matrix_mdev->kvm); +- matrix_mdev->kvm->arch.crypto.pqap_hook = NULL; +- vfio_ap_mdev_reset_queues(matrix_mdev->mdev); +- kvm_put_kvm(matrix_mdev->kvm); +- matrix_mdev->kvm = NULL; ++ /* ++ * If the KVM pointer is in the process of being set, wait until the ++ * process has completed. ++ */ ++ wait_event_cmd(matrix_mdev->wait_for_kvm, ++ !matrix_mdev->kvm_busy, ++ mutex_unlock(&matrix_dev->lock), ++ mutex_lock(&matrix_dev->lock)); ++ ++ if (matrix_mdev->kvm) { ++ matrix_mdev->kvm_busy = true; ++ mutex_unlock(&matrix_dev->lock); ++ kvm_arch_crypto_clear_masks(matrix_mdev->kvm); ++ mutex_lock(&matrix_dev->lock); ++ vfio_ap_mdev_reset_queues(matrix_mdev->mdev); ++ matrix_mdev->kvm->arch.crypto.pqap_hook = NULL; ++ kvm_put_kvm(matrix_mdev->kvm); ++ matrix_mdev->kvm = NULL; ++ matrix_mdev->kvm_busy = false; ++ wake_up_all(&matrix_mdev->wait_for_kvm); ++ } + } + + static int vfio_ap_mdev_group_notifier(struct notifier_block *nb, + unsigned long action, void *data) + { +- int ret, notify_rc = NOTIFY_OK; ++ int notify_rc = NOTIFY_OK; + struct ap_matrix_mdev *matrix_mdev; + + if (action != VFIO_GROUP_NOTIFY_SET_KVM) + return NOTIFY_OK; + +- matrix_mdev = container_of(nb, struct ap_matrix_mdev, group_notifier); + mutex_lock(&matrix_dev->lock); ++ matrix_mdev = container_of(nb, struct ap_matrix_mdev, group_notifier); + +- if (!data) { +- if (matrix_mdev->kvm) +- vfio_ap_mdev_unset_kvm(matrix_mdev); +- goto notify_done; +- } +- +- ret = vfio_ap_mdev_set_kvm(matrix_mdev, data); +- if (ret) { +- notify_rc = NOTIFY_DONE; +- goto notify_done; +- } +- +- /* If there is no CRYCB pointer, then we can't copy the masks */ +- if (!matrix_mdev->kvm->arch.crypto.crycbd) { ++ if (!data) ++ vfio_ap_mdev_unset_kvm(matrix_mdev); ++ else if (vfio_ap_mdev_set_kvm(matrix_mdev, data)) + notify_rc = NOTIFY_DONE; +- goto notify_done; +- } +- +- kvm_arch_crypto_set_masks(matrix_mdev->kvm, matrix_mdev->matrix.apm, +- matrix_mdev->matrix.aqm, +- matrix_mdev->matrix.adm); + +-notify_done: + mutex_unlock(&matrix_dev->lock); ++ + return notify_rc; + } + +@@ -1258,8 +1361,7 @@ static void vfio_ap_mdev_release(struct + struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev); + + mutex_lock(&matrix_dev->lock); +- if (matrix_mdev->kvm) +- vfio_ap_mdev_unset_kvm(matrix_mdev); ++ vfio_ap_mdev_unset_kvm(matrix_mdev); + mutex_unlock(&matrix_dev->lock); + + vfio_unregister_notifier(mdev_dev(mdev), VFIO_IOMMU_NOTIFY, +@@ -1293,6 +1395,7 @@ static ssize_t vfio_ap_mdev_ioctl(struct + unsigned int cmd, unsigned long arg) + { + int ret; ++ struct ap_matrix_mdev *matrix_mdev; + + mutex_lock(&matrix_dev->lock); + switch (cmd) { +@@ -1300,6 +1403,21 @@ static ssize_t vfio_ap_mdev_ioctl(struct + ret = vfio_ap_mdev_get_device_info(arg); + break; + case VFIO_DEVICE_RESET: ++ matrix_mdev = mdev_get_drvdata(mdev); ++ if (WARN(!matrix_mdev, "Driver data missing from mdev!!")) { ++ ret = -EINVAL; ++ break; ++ } ++ ++ /* ++ * If the KVM pointer is in the process of being set, wait until ++ * the process has completed. ++ */ ++ wait_event_cmd(matrix_mdev->wait_for_kvm, ++ !matrix_mdev->kvm_busy, ++ mutex_unlock(&matrix_dev->lock), ++ mutex_lock(&matrix_dev->lock)); ++ + ret = vfio_ap_mdev_reset_queues(mdev); + break; + default: +--- a/drivers/s390/crypto/vfio_ap_private.h ++++ b/drivers/s390/crypto/vfio_ap_private.h +@@ -83,6 +83,8 @@ struct ap_matrix_mdev { + struct ap_matrix matrix; + struct notifier_block group_notifier; + struct notifier_block iommu_notifier; ++ bool kvm_busy; ++ wait_queue_head_t wait_for_kvm; + struct kvm *kvm; + struct kvm_s390_module_hook pqap_hook; + struct mdev_device *mdev; diff --git a/queue-5.12/s390-zcrypt-fix-zcard-and-zqueue-hot-unplug-memleak.patch b/queue-5.12/s390-zcrypt-fix-zcard-and-zqueue-hot-unplug-memleak.patch new file mode 100644 index 00000000000..d1d1a71665e --- /dev/null +++ b/queue-5.12/s390-zcrypt-fix-zcard-and-zqueue-hot-unplug-memleak.patch @@ -0,0 +1,49 @@ +From 70fac8088cfad9f3b379c9082832b4d7532c16c2 Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Thu, 15 Apr 2021 11:22:03 +0200 +Subject: s390/zcrypt: fix zcard and zqueue hot-unplug memleak + +From: Harald Freudenberger + +commit 70fac8088cfad9f3b379c9082832b4d7532c16c2 upstream. + +Tests with kvm and a kmemdebug kernel showed, that on hot unplug the +zcard and zqueue structs for the unplugged card or queue are not +properly freed because of a mismatch with get/put for the embedded +kref counter. + +This fix now adjusts the handling of the kref counters. With init the +kref counter starts with 1. This initial value needs to drop to zero +with the unregister of the card or queue to trigger the release and +free the object. + +Fixes: 29c2680fd2bf ("s390/ap: fix ap devices reference counting") +Reported-by: Marc Hartmayer +Signed-off-by: Harald Freudenberger +Cc: stable@vger.kernel.org +Reviewed-by: Julian Wiedmann +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/crypto/zcrypt_card.c | 1 + + drivers/s390/crypto/zcrypt_queue.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/s390/crypto/zcrypt_card.c ++++ b/drivers/s390/crypto/zcrypt_card.c +@@ -192,5 +192,6 @@ void zcrypt_card_unregister(struct zcryp + spin_unlock(&zcrypt_list_lock); + sysfs_remove_group(&zc->card->ap_dev.device.kobj, + &zcrypt_card_attr_group); ++ zcrypt_card_put(zc); + } + EXPORT_SYMBOL(zcrypt_card_unregister); +--- a/drivers/s390/crypto/zcrypt_queue.c ++++ b/drivers/s390/crypto/zcrypt_queue.c +@@ -223,5 +223,6 @@ void zcrypt_queue_unregister(struct zcry + sysfs_remove_group(&zq->queue->ap_dev.device.kobj, + &zcrypt_queue_attr_group); + zcrypt_card_put(zc); ++ zcrypt_queue_put(zq); + } + EXPORT_SYMBOL(zcrypt_queue_unregister); diff --git a/queue-5.12/scsi-lpfc-fix-rmmod-crash-due-to-bad-ring-pointers-to-abort_iotag.patch b/queue-5.12/scsi-lpfc-fix-rmmod-crash-due-to-bad-ring-pointers-to-abort_iotag.patch new file mode 100644 index 00000000000..3561eecb0a3 --- /dev/null +++ b/queue-5.12/scsi-lpfc-fix-rmmod-crash-due-to-bad-ring-pointers-to-abort_iotag.patch @@ -0,0 +1,156 @@ +From 078c68b87a717b9fcd8e0f2109f73456fbc55490 Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Sun, 11 Apr 2021 18:31:12 -0700 +Subject: scsi: lpfc: Fix rmmod crash due to bad ring pointers to abort_iotag + +From: James Smart + +commit 078c68b87a717b9fcd8e0f2109f73456fbc55490 upstream. + +Rmmod on SLI-4 adapters is sometimes hitting a bad ptr dereference in +lpfc_els_free_iocb(). + +A prior patch refactored the lpfc_sli_abort_iocb() routine. One of the +changes was to convert from building/sending an abort within the routine to +using a common routine. The reworked routine passes, without modification, +the pring ptr to the new common routine. The older routine had logic to +check SLI-3 vs SLI-4 and adapt the pring ptr if necessary as callers were +passing SLI-3 pointers even when not on an SLI-4 adapter. The new routine +is missing this check and adapt, so the SLI-3 ring pointers are being used +in SLI-4 paths. + +Fix by cleaning up the calling routines. In review, there is no need to +pass the ring ptr argument to abort_iocb at all. The routine can look at +the adapter type itself and reference the proper ring. + +Link: https://lore.kernel.org/r/20210412013127.2387-2-jsmart2021@gmail.com +Fixes: db7531d2b377 ("scsi: lpfc: Convert abort handling to SLI-3 and SLI-4 handlers") +Cc: # v5.11+ +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_crtn.h | 4 ++-- + drivers/scsi/lpfc/lpfc_hbadisc.c | 10 +++------- + drivers/scsi/lpfc/lpfc_nportdisc.c | 4 +--- + drivers/scsi/lpfc/lpfc_sli.c | 20 +++++++++++++++----- + 4 files changed, 21 insertions(+), 17 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_crtn.h ++++ b/drivers/scsi/lpfc/lpfc_crtn.h +@@ -351,8 +351,8 @@ int lpfc_sli_hbq_size(void); + int lpfc_sli_issue_abort_iotag(struct lpfc_hba *, struct lpfc_sli_ring *, + struct lpfc_iocbq *, void *); + int lpfc_sli_sum_iocb(struct lpfc_vport *, uint16_t, uint64_t, lpfc_ctx_cmd); +-int lpfc_sli_abort_iocb(struct lpfc_vport *, struct lpfc_sli_ring *, uint16_t, +- uint64_t, lpfc_ctx_cmd); ++int lpfc_sli_abort_iocb(struct lpfc_vport *vport, u16 tgt_id, u64 lun_id, ++ lpfc_ctx_cmd abort_cmd); + int + lpfc_sli_abort_taskmgmt(struct lpfc_vport *, struct lpfc_sli_ring *, + uint16_t, uint64_t, lpfc_ctx_cmd); +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -140,11 +140,8 @@ lpfc_terminate_rport_io(struct fc_rport + "rport terminate: sid:x%x did:x%x flg:x%x", + ndlp->nlp_sid, ndlp->nlp_DID, ndlp->nlp_flag); + +- if (ndlp->nlp_sid != NLP_NO_SID) { +- lpfc_sli_abort_iocb(vport, +- &vport->phba->sli.sli3_ring[LPFC_FCP_RING], +- ndlp->nlp_sid, 0, LPFC_CTX_TGT); +- } ++ if (ndlp->nlp_sid != NLP_NO_SID) ++ lpfc_sli_abort_iocb(vport, ndlp->nlp_sid, 0, LPFC_CTX_TGT); + } + + /* +@@ -299,8 +296,7 @@ lpfc_dev_loss_tmo_handler(struct lpfc_no + + if (ndlp->nlp_sid != NLP_NO_SID) { + warn_on = 1; +- lpfc_sli_abort_iocb(vport, &phba->sli.sli3_ring[LPFC_FCP_RING], +- ndlp->nlp_sid, 0, LPFC_CTX_TGT); ++ lpfc_sli_abort_iocb(vport, ndlp->nlp_sid, 0, LPFC_CTX_TGT); + } + + if (warn_on) { +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -2633,12 +2633,10 @@ static uint32_t + lpfc_rcv_prlo_mapped_node(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + void *arg, uint32_t evt) + { +- struct lpfc_hba *phba = vport->phba; + struct lpfc_iocbq *cmdiocb = (struct lpfc_iocbq *) arg; + + /* flush the target */ +- lpfc_sli_abort_iocb(vport, &phba->sli.sli3_ring[LPFC_FCP_RING], +- ndlp->nlp_sid, 0, LPFC_CTX_TGT); ++ lpfc_sli_abort_iocb(vport, ndlp->nlp_sid, 0, LPFC_CTX_TGT); + + /* Treat like rcv logo */ + lpfc_rcv_logo(vport, ndlp, cmdiocb, ELS_CMD_PRLO); +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -11647,7 +11647,7 @@ lpfc_sli_issue_abort_iotag(struct lpfc_h + icmd = &cmdiocb->iocb; + if (icmd->ulpCommand == CMD_ABORT_XRI_CN || + icmd->ulpCommand == CMD_CLOSE_XRI_CN || +- (cmdiocb->iocb_flag & LPFC_DRIVER_ABORTED) != 0) ++ cmdiocb->iocb_flag & LPFC_DRIVER_ABORTED) + return IOCB_ABORTING; + + if (!pring) { +@@ -11945,7 +11945,6 @@ lpfc_sli_abort_fcp_cmpl(struct lpfc_hba + /** + * lpfc_sli_abort_iocb - issue abort for all commands on a host/target/LUN + * @vport: Pointer to virtual port. +- * @pring: Pointer to driver SLI ring object. + * @tgt_id: SCSI ID of the target. + * @lun_id: LUN ID of the scsi device. + * @abort_cmd: LPFC_CTX_LUN/LPFC_CTX_TGT/LPFC_CTX_HOST. +@@ -11960,18 +11959,22 @@ lpfc_sli_abort_fcp_cmpl(struct lpfc_hba + * FCP iocbs associated with SCSI target specified by tgt_id parameter. + * When abort_cmd == LPFC_CTX_HOST, the function sends abort to all + * FCP iocbs associated with virtual port. ++ * The pring used for SLI3 is sli3_ring[LPFC_FCP_RING], for SLI4 ++ * lpfc_sli4_calc_ring is used. + * This function returns number of iocbs it failed to abort. + * This function is called with no locks held. + **/ + int +-lpfc_sli_abort_iocb(struct lpfc_vport *vport, struct lpfc_sli_ring *pring, +- uint16_t tgt_id, uint64_t lun_id, lpfc_ctx_cmd abort_cmd) ++lpfc_sli_abort_iocb(struct lpfc_vport *vport, u16 tgt_id, u64 lun_id, ++ lpfc_ctx_cmd abort_cmd) + { + struct lpfc_hba *phba = vport->phba; ++ struct lpfc_sli_ring *pring = NULL; + struct lpfc_iocbq *iocbq; + int errcnt = 0, ret_val = 0; + unsigned long iflags; + int i; ++ void *fcp_cmpl = NULL; + + /* all I/Os are in process of being flushed */ + if (phba->hba_flag & HBA_IOQ_FLUSH) +@@ -11985,8 +11988,15 @@ lpfc_sli_abort_iocb(struct lpfc_vport *v + continue; + + spin_lock_irqsave(&phba->hbalock, iflags); ++ if (phba->sli_rev == LPFC_SLI_REV3) { ++ pring = &phba->sli.sli3_ring[LPFC_FCP_RING]; ++ fcp_cmpl = lpfc_sli_abort_fcp_cmpl; ++ } else if (phba->sli_rev == LPFC_SLI_REV4) { ++ pring = lpfc_sli4_calc_ring(phba, iocbq); ++ fcp_cmpl = lpfc_sli4_abort_fcp_cmpl; ++ } + ret_val = lpfc_sli_issue_abort_iotag(phba, pring, iocbq, +- lpfc_sli_abort_fcp_cmpl); ++ fcp_cmpl); + spin_unlock_irqrestore(&phba->hbalock, iflags); + if (ret_val != IOCB_SUCCESS) + errcnt++; diff --git a/queue-5.12/scsi-mpt3sas-block-pci-config-access-from-userspace-during-reset.patch b/queue-5.12/scsi-mpt3sas-block-pci-config-access-from-userspace-during-reset.patch new file mode 100644 index 00000000000..21cf064a27f --- /dev/null +++ b/queue-5.12/scsi-mpt3sas-block-pci-config-access-from-userspace-during-reset.patch @@ -0,0 +1,50 @@ +From 3c8604691d2acc7b7d4795d9695070de9eaa5828 Mon Sep 17 00:00:00 2001 +From: Sreekanth Reddy +Date: Tue, 30 Mar 2021 16:21:37 +0530 +Subject: scsi: mpt3sas: Block PCI config access from userspace during reset + +From: Sreekanth Reddy + +commit 3c8604691d2acc7b7d4795d9695070de9eaa5828 upstream. + +While diag reset is in progress there is short duration where all access to +controller's PCI config space from the host needs to be blocked. This is +due to a hardware limitation of the IOC controllers. + +Block all access to controller's config space from userland applications by +calling pci_cfg_access_lock() while diag reset is in progress and unlocking +it again after the controller comes back to ready state. + +Link: https://lore.kernel.org/r/20210330105137.20728-1-sreekanth.reddy@broadcom.com +Cc: stable@vger.kernel.org #v5.4.108+ +Signed-off-by: Sreekanth Reddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpt3sas/mpt3sas_base.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c +@@ -7252,6 +7252,8 @@ _base_diag_reset(struct MPT3SAS_ADAPTER + + ioc_info(ioc, "sending diag reset !!\n"); + ++ pci_cfg_access_lock(ioc->pdev); ++ + drsprintk(ioc, ioc_info(ioc, "clear interrupts\n")); + + count = 0; +@@ -7342,10 +7344,12 @@ _base_diag_reset(struct MPT3SAS_ADAPTER + goto out; + } + ++ pci_cfg_access_unlock(ioc->pdev); + ioc_info(ioc, "diag reset: SUCCESS\n"); + return 0; + + out: ++ pci_cfg_access_unlock(ioc->pdev); + ioc_err(ioc, "diag reset: FAILED\n"); + return -EFAULT; + } diff --git a/queue-5.12/scsi-mpt3sas-only-one-vses-is-present-even-when-ioc-has-multi-vses.patch b/queue-5.12/scsi-mpt3sas-only-one-vses-is-present-even-when-ioc-has-multi-vses.patch new file mode 100644 index 00000000000..13d32f02567 --- /dev/null +++ b/queue-5.12/scsi-mpt3sas-only-one-vses-is-present-even-when-ioc-has-multi-vses.patch @@ -0,0 +1,44 @@ +From 4c51f956965120b3441cdd39c358b87daba13e19 Mon Sep 17 00:00:00 2001 +From: Sreekanth Reddy +Date: Tue, 30 Mar 2021 16:20:04 +0530 +Subject: scsi: mpt3sas: Only one vSES is present even when IOC has multi vSES + +From: Sreekanth Reddy + +commit 4c51f956965120b3441cdd39c358b87daba13e19 upstream. + +Whenever the driver is adding a vSES to virtual-phys list it is +reinitializing the list head. Hence those vSES devices which were added +previously are lost. + +Stop reinitializing the list every time a new vSES device is added. + +Link: https://lore.kernel.org/r/20210330105004.20413-1-sreekanth.reddy@broadcom.com +Cc: stable@vger.kernel.org #v5.11.10+ +Signed-off-by: Sreekanth Reddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -6483,6 +6483,9 @@ _scsih_alloc_vphy(struct MPT3SAS_ADAPTER + if (!vphy) + return NULL; + ++ if (!port->vphys_mask) ++ INIT_LIST_HEAD(&port->vphys_list); ++ + /* + * Enable bit corresponding to HBA phy number on its + * parent hba_port object's vphys_mask field. +@@ -6490,7 +6493,6 @@ _scsih_alloc_vphy(struct MPT3SAS_ADAPTER + port->vphys_mask |= (1 << phy_num); + vphy->phy_mask |= (1 << phy_num); + +- INIT_LIST_HEAD(&port->vphys_list); + list_add_tail(&vphy->list, &port->vphys_list); + + ioc_info(ioc, diff --git a/queue-5.12/scsi-qla2xxx-fix-crash-in-qla2xxx_mqueuecommand.patch b/queue-5.12/scsi-qla2xxx-fix-crash-in-qla2xxx_mqueuecommand.patch new file mode 100644 index 00000000000..722aa1cdafa --- /dev/null +++ b/queue-5.12/scsi-qla2xxx-fix-crash-in-qla2xxx_mqueuecommand.patch @@ -0,0 +1,57 @@ +From 6641df81ab799f28a5d564f860233dd26cca0d93 Mon Sep 17 00:00:00 2001 +From: Arun Easi +Date: Mon, 29 Mar 2021 01:52:23 -0700 +Subject: scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() + +From: Arun Easi + +commit 6641df81ab799f28a5d564f860233dd26cca0d93 upstream. + + RIP: 0010:kmem_cache_free+0xfa/0x1b0 + Call Trace: + qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx] + scsi_queue_rq+0x5e2/0xa40 + __blk_mq_try_issue_directly+0x128/0x1d0 + blk_mq_request_issue_directly+0x4e/0xb0 + +Fix incorrect call to free srb in qla2xxx_mqueuecommand(), as srb is now +allocated by upper layers. This fixes smatch warning of srb unintended +free. + +Link: https://lore.kernel.org/r/20210329085229.4367-7-njavali@marvell.com +Fixes: af2a0c51b120 ("scsi: qla2xxx: Fix SRB leak on switch command timeout") +Cc: stable@vger.kernel.org # 5.5 +Reported-by: Laurence Oberman +Reported-by: Dan Carpenter +Reviewed-by: Himanshu Madhani +Signed-off-by: Arun Easi +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_os.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -1013,8 +1013,6 @@ qla2xxx_mqueuecommand(struct Scsi_Host * + if (rval != QLA_SUCCESS) { + ql_dbg(ql_dbg_io + ql_dbg_verbose, vha, 0x3078, + "Start scsi failed rval=%d for cmd=%p.\n", rval, cmd); +- if (rval == QLA_INTERFACE_ERROR) +- goto qc24_free_sp_fail_command; + goto qc24_host_busy_free_sp; + } + +@@ -1026,11 +1024,6 @@ qc24_host_busy_free_sp: + qc24_target_busy: + return SCSI_MLQUEUE_TARGET_BUSY; + +-qc24_free_sp_fail_command: +- sp->free(sp); +- CMD_SP(cmd) = NULL; +- qla2xxx_rel_qpair_sp(sp->qpair, sp); +- + qc24_fail_command: + cmd->scsi_done(cmd); + diff --git a/queue-5.12/scsi-qla2xxx-reserve-extra-irq-vectors.patch b/queue-5.12/scsi-qla2xxx-reserve-extra-irq-vectors.patch new file mode 100644 index 00000000000..b987c3822a3 --- /dev/null +++ b/queue-5.12/scsi-qla2xxx-reserve-extra-irq-vectors.patch @@ -0,0 +1,112 @@ +From f02d4086a8f36a0e1aaebf559b54cf24a177a486 Mon Sep 17 00:00:00 2001 +From: Roman Bolshakov +Date: Mon, 12 Apr 2021 19:57:40 +0300 +Subject: scsi: qla2xxx: Reserve extra IRQ vectors + +From: Roman Bolshakov + +commit f02d4086a8f36a0e1aaebf559b54cf24a177a486 upstream. + +Commit a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of +CPUs") lowers the number of allocated MSI-X vectors to the number of CPUs. + +That breaks vector allocation assumptions in qla83xx_iospace_config(), +qla24xx_enable_msix() and qla2x00_iospace_config(). Either of the functions +computes maximum number of qpairs as: + + ha->max_qpairs = ha->msix_count - 1 (MB interrupt) - 1 (default + response queue) - 1 (ATIO, in dual or pure target mode) + +max_qpairs is set to zero in case of two CPUs and initiator mode. The +number is then used to allocate ha->queue_pair_map inside +qla2x00_alloc_queues(). No allocation happens and ha->queue_pair_map is +left NULL but the driver thinks there are queue pairs available. + +qla2xxx_queuecommand() tries to find a qpair in the map and crashes: + + if (ha->mqenable) { + uint32_t tag; + uint16_t hwq; + struct qla_qpair *qpair = NULL; + + tag = blk_mq_unique_tag(cmd->request); + hwq = blk_mq_unique_tag_to_hwq(tag); + qpair = ha->queue_pair_map[hwq]; # <- HERE + + if (qpair) + return qla2xxx_mqueuecommand(host, cmd, qpair); + } + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] SMP PTI + CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G W 5.10.0-rc1+ #25 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 + Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc] + RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx] + Call Trace: + scsi_queue_rq+0x58c/0xa60 + blk_mq_dispatch_rq_list+0x2b7/0x6f0 + ? __sbitmap_get_word+0x2a/0x80 + __blk_mq_sched_dispatch_requests+0xb8/0x170 + blk_mq_sched_dispatch_requests+0x2b/0x50 + __blk_mq_run_hw_queue+0x49/0xb0 + __blk_mq_delay_run_hw_queue+0xfb/0x150 + blk_mq_sched_insert_request+0xbe/0x110 + blk_execute_rq+0x45/0x70 + __scsi_execute+0x10e/0x250 + scsi_probe_and_add_lun+0x228/0xda0 + __scsi_scan_target+0xf4/0x620 + ? __pm_runtime_resume+0x4f/0x70 + scsi_scan_target+0x100/0x110 + fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc] + process_one_work+0x1ea/0x3b0 + worker_thread+0x28/0x3b0 + ? process_one_work+0x3b0/0x3b0 + kthread+0x112/0x130 + ? kthread_park+0x80/0x80 + ret_from_fork+0x22/0x30 + +The driver should allocate enough vectors to provide every CPU it's own HW +queue and still handle reserved (MB, RSP, ATIO) interrupts. + +The change fixes the crash on dual core VM and prevents unbalanced QP +allocation where nr_hw_queues is two less than the number of CPUs. + +Link: https://lore.kernel.org/r/20210412165740.39318-1-r.bolshakov@yadro.com +Fixes: a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of CPUs") +Cc: Daniel Wagner +Cc: Himanshu Madhani +Cc: Quinn Tran +Cc: Nilesh Javali +Cc: Martin K. Petersen +Cc: stable@vger.kernel.org # 5.11+ +Reported-by: Aleksandr Volkov +Reported-by: Aleksandr Miloserdov +Reviewed-by: Daniel Wagner +Reviewed-by: Himanshu Madhani +Signed-off-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_isr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -4005,11 +4005,11 @@ qla24xx_enable_msix(struct qla_hw_data * + if (USER_CTRL_IRQ(ha) || !ha->mqiobase) { + /* user wants to control IRQ setting for target mode */ + ret = pci_alloc_irq_vectors(ha->pdev, min_vecs, +- min((u16)ha->msix_count, (u16)num_online_cpus()), ++ min((u16)ha->msix_count, (u16)(num_online_cpus() + min_vecs)), + PCI_IRQ_MSIX); + } else + ret = pci_alloc_irq_vectors_affinity(ha->pdev, min_vecs, +- min((u16)ha->msix_count, (u16)num_online_cpus()), ++ min((u16)ha->msix_count, (u16)(num_online_cpus() + min_vecs)), + PCI_IRQ_MSIX | PCI_IRQ_AFFINITY, + &desc); + diff --git a/queue-5.12/series b/queue-5.12/series index 88d1aee5b62..529f6ff44d7 100644 --- a/queue-5.12/series +++ b/queue-5.12/series @@ -5,3 +5,46 @@ bus-mhi-core-add-missing-checks-for-mmio-register-entries.patch bus-mhi-pci_generic-remove-wq_mem_reclaim-flag-from-state-workqueue.patch bus-mhi-core-fix-mhi-runtime_pm-behavior.patch bus-mhi-core-fix-invalid-error-returning-in-mhi_queue.patch +nitro_enclaves-fix-stale-file-descriptors-on-failed-usercopy.patch +dyndbg-fix-parsing-file-query-without-a-line-range-suffix.patch +s390-disassembler-increase-ebpf-disasm-buffer-size.patch +s390-zcrypt-fix-zcard-and-zqueue-hot-unplug-memleak.patch +s390-vfio-ap-fix-circular-lockdep-when-setting-clearing-crypto-masks.patch +s390-cio-remove-invalid-condition-on-io_sch_unreg.patch +vhost-vdpa-fix-vm_flags-for-virtqueue-doorbell-mapping.patch +tpm-acpi-check-eventlog-signature-before-using-it.patch +acpi-custom_method-fix-potential-use-after-free-issue.patch +acpi-custom_method-fix-a-possible-memory-leak.patch +ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch +arm-9056-1-decompressor-fix-bss-size-calculation-for-llvm-ld.lld.patch +arm64-dts-marvell-armada-37xx-add-syscon-compatible-to-nb-clk-node.patch +arm64-dts-mt8173-fix-property-typo-of-phys-in-dsi-node.patch +ecryptfs-fix-kernel-panic-with-null-dev_name.patch +fs-epoll-restore-waking-from-ep_done_scan.patch +reset-add-missing-empty-function-reset_control_rearm.patch +mtd-spi-nor-core-fix-an-issue-of-releasing-resources-during-read-write.patch +revert-mtd-spi-nor-macronix-add-support-for-mx25l51245g.patch +mtd-spinand-core-add-missing-module_device_table.patch +mtd-rawnand-atmel-update-ecc_stats.corrected-counter.patch +mtd-physmap-physmap-bt1-rom-fix-unintentional-stack-access.patch +erofs-add-unsupported-inode-i_format-check.patch +spi-stm32-qspi-fix-pm_runtime-usage_count-counter.patch +spi-spi-ti-qspi-free-dma-resources.patch +libceph-bump-cephxauthenticate-encoding-version.patch +libceph-allow-addrvecs-with-a-single-none-blank-address.patch +libceph-don-t-set-global_id-until-we-get-an-auth-ticket.patch +scsi-qla2xxx-reserve-extra-irq-vectors.patch +scsi-lpfc-fix-rmmod-crash-due-to-bad-ring-pointers-to-abort_iotag.patch +scsi-qla2xxx-fix-crash-in-qla2xxx_mqueuecommand.patch +scsi-mpt3sas-only-one-vses-is-present-even-when-ioc-has-multi-vses.patch +scsi-mpt3sas-block-pci-config-access-from-userspace-during-reset.patch +mmc-uniphier-sd-fix-an-error-handling-path-in-uniphier_sd_probe.patch +mmc-uniphier-sd-fix-a-resource-leak-in-the-remove-function.patch +mmc-sdhci-check-for-reset-prior-to-dma-address-unmap.patch +mmc-sdhci-pci-fix-initialization-of-some-sd-cards-for-intel-byt-based-controllers.patch +mmc-sdhci-tegra-add-required-callbacks-to-set-clear-cqe_en-bit.patch +mmc-block-update-ext_csd.cache_ctrl-if-it-was-written.patch +mmc-block-issue-a-cache-flush-only-when-it-s-enabled.patch +mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch +mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch +mmc-core-fix-hanging-on-i-o-during-system-suspend-for-removable-cards.patch diff --git a/queue-5.12/spi-spi-ti-qspi-free-dma-resources.patch b/queue-5.12/spi-spi-ti-qspi-free-dma-resources.patch new file mode 100644 index 00000000000..2f5e36772ff --- /dev/null +++ b/queue-5.12/spi-spi-ti-qspi-free-dma-resources.patch @@ -0,0 +1,65 @@ +From 1d309cd688a76fb733f0089d36dc630327b32d59 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Thu, 18 Feb 2021 15:09:50 +0200 +Subject: spi: spi-ti-qspi: Free DMA resources + +From: Tudor Ambarus + +commit 1d309cd688a76fb733f0089d36dc630327b32d59 upstream. + +Release the RX channel and free the dma coherent memory when +devm_spi_register_master() fails. + +Fixes: 5720ec0a6d26 ("spi: spi-ti-qspi: Add DMA support for QSPI mmap read") +Cc: stable@vger.kernel.org +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20210218130950.90155-1-tudor.ambarus@microchip.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-ti-qspi.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/spi/spi-ti-qspi.c ++++ b/drivers/spi/spi-ti-qspi.c +@@ -733,6 +733,17 @@ static int ti_qspi_runtime_resume(struct + return 0; + } + ++static void ti_qspi_dma_cleanup(struct ti_qspi *qspi) ++{ ++ if (qspi->rx_bb_addr) ++ dma_free_coherent(qspi->dev, QSPI_DMA_BUFFER_SIZE, ++ qspi->rx_bb_addr, ++ qspi->rx_bb_dma_addr); ++ ++ if (qspi->rx_chan) ++ dma_release_channel(qspi->rx_chan); ++} ++ + static const struct of_device_id ti_qspi_match[] = { + {.compatible = "ti,dra7xxx-qspi" }, + {.compatible = "ti,am4372-qspi" }, +@@ -886,6 +897,8 @@ no_dma: + if (!ret) + return 0; + ++ ti_qspi_dma_cleanup(qspi); ++ + pm_runtime_disable(&pdev->dev); + free_master: + spi_master_put(master); +@@ -904,12 +917,7 @@ static int ti_qspi_remove(struct platfor + pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); + +- if (qspi->rx_bb_addr) +- dma_free_coherent(qspi->dev, QSPI_DMA_BUFFER_SIZE, +- qspi->rx_bb_addr, +- qspi->rx_bb_dma_addr); +- if (qspi->rx_chan) +- dma_release_channel(qspi->rx_chan); ++ ti_qspi_dma_cleanup(qspi); + + return 0; + } diff --git a/queue-5.12/spi-stm32-qspi-fix-pm_runtime-usage_count-counter.patch b/queue-5.12/spi-stm32-qspi-fix-pm_runtime-usage_count-counter.patch new file mode 100644 index 00000000000..615c6db4d13 --- /dev/null +++ b/queue-5.12/spi-stm32-qspi-fix-pm_runtime-usage_count-counter.patch @@ -0,0 +1,63 @@ +From 102e9d1936569d43f55dd1ea89be355ad207143c Mon Sep 17 00:00:00 2001 +From: Christophe Kerello +Date: Mon, 19 Apr 2021 14:15:39 +0200 +Subject: spi: stm32-qspi: fix pm_runtime usage_count counter + +From: Christophe Kerello + +commit 102e9d1936569d43f55dd1ea89be355ad207143c upstream. + +pm_runtime usage_count counter is not well managed. +pm_runtime_put_autosuspend callback drops the usage_counter but this +one has never been increased. Add pm_runtime_get_sync callback to bump up +the usage counter. It is also needed to use pm_runtime_force_suspend and +pm_runtime_force_resume APIs to handle properly the clock. + +Fixes: 9d282c17b023 ("spi: stm32-qspi: Add pm_runtime support") +Signed-off-by: Christophe Kerello +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210419121541.11617-2-patrice.chotard@foss.st.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-stm32-qspi.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/drivers/spi/spi-stm32-qspi.c ++++ b/drivers/spi/spi-stm32-qspi.c +@@ -727,21 +727,31 @@ static int __maybe_unused stm32_qspi_sus + { + pinctrl_pm_select_sleep_state(dev); + +- return 0; ++ return pm_runtime_force_suspend(dev); + } + + static int __maybe_unused stm32_qspi_resume(struct device *dev) + { + struct stm32_qspi *qspi = dev_get_drvdata(dev); ++ int ret; ++ ++ ret = pm_runtime_force_resume(dev); ++ if (ret < 0) ++ return ret; + + pinctrl_pm_select_default_state(dev); +- clk_prepare_enable(qspi->clk); ++ ++ ret = pm_runtime_get_sync(dev); ++ if (ret < 0) { ++ pm_runtime_put_noidle(dev); ++ return ret; ++ } + + writel_relaxed(qspi->cr_reg, qspi->io_base + QSPI_CR); + writel_relaxed(qspi->dcr_reg, qspi->io_base + QSPI_DCR); + +- pm_runtime_mark_last_busy(qspi->dev); +- pm_runtime_put_autosuspend(qspi->dev); ++ pm_runtime_mark_last_busy(dev); ++ pm_runtime_put_autosuspend(dev); + + return 0; + } diff --git a/queue-5.12/tpm-acpi-check-eventlog-signature-before-using-it.patch b/queue-5.12/tpm-acpi-check-eventlog-signature-before-using-it.patch new file mode 100644 index 00000000000..671e43829a5 --- /dev/null +++ b/queue-5.12/tpm-acpi-check-eventlog-signature-before-using-it.patch @@ -0,0 +1,91 @@ +From 3dcd15665aca80197333500a4be3900948afccc1 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Wed, 10 Mar 2021 17:19:15 -0500 +Subject: tpm: acpi: Check eventlog signature before using it + +From: Stefan Berger + +commit 3dcd15665aca80197333500a4be3900948afccc1 upstream. + +Check the eventlog signature before using it. This avoids using an +empty log, as may be the case when QEMU created the ACPI tables, +rather than probing the EFI log next. This resolves an issue where +the EFI log was empty since an empty ACPI log was used. + +Cc: stable@vger.kernel.org +Fixes: 85467f63a05c ("tpm: Add support for event log pointer found in TPM2 ACPI table") +Signed-off-by: Stefan Berger +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/eventlog/acpi.c | 33 ++++++++++++++++++++++++++++++++- + 1 file changed, 32 insertions(+), 1 deletion(-) + +--- a/drivers/char/tpm/eventlog/acpi.c ++++ b/drivers/char/tpm/eventlog/acpi.c +@@ -41,6 +41,27 @@ struct acpi_tcpa { + }; + }; + ++/* Check that the given log is indeed a TPM2 log. */ ++static bool tpm_is_tpm2_log(void *bios_event_log, u64 len) ++{ ++ struct tcg_efi_specid_event_head *efispecid; ++ struct tcg_pcr_event *event_header; ++ int n; ++ ++ if (len < sizeof(*event_header)) ++ return false; ++ len -= sizeof(*event_header); ++ event_header = bios_event_log; ++ ++ if (len < sizeof(*efispecid)) ++ return false; ++ efispecid = (struct tcg_efi_specid_event_head *)event_header->event; ++ ++ n = memcmp(efispecid->signature, TCG_SPECID_SIG, ++ sizeof(TCG_SPECID_SIG)); ++ return n == 0; ++} ++ + /* read binary bios log */ + int tpm_read_log_acpi(struct tpm_chip *chip) + { +@@ -52,6 +73,7 @@ int tpm_read_log_acpi(struct tpm_chip *c + struct acpi_table_tpm2 *tbl; + struct acpi_tpm2_phy *tpm2_phy; + int format; ++ int ret; + + log = &chip->log; + +@@ -112,6 +134,7 @@ int tpm_read_log_acpi(struct tpm_chip *c + + log->bios_event_log_end = log->bios_event_log + len; + ++ ret = -EIO; + virt = acpi_os_map_iomem(start, len); + if (!virt) + goto err; +@@ -119,11 +142,19 @@ int tpm_read_log_acpi(struct tpm_chip *c + memcpy_fromio(log->bios_event_log, virt, len); + + acpi_os_unmap_iomem(virt, len); ++ ++ if (chip->flags & TPM_CHIP_FLAG_TPM2 && ++ !tpm_is_tpm2_log(log->bios_event_log, len)) { ++ /* try EFI log next */ ++ ret = -ENODEV; ++ goto err; ++ } ++ + return format; + + err: + kfree(log->bios_event_log); + log->bios_event_log = NULL; +- return -EIO; ++ return ret; + + } diff --git a/queue-5.12/vhost-vdpa-fix-vm_flags-for-virtqueue-doorbell-mapping.patch b/queue-5.12/vhost-vdpa-fix-vm_flags-for-virtqueue-doorbell-mapping.patch new file mode 100644 index 00000000000..5803f563a4a --- /dev/null +++ b/queue-5.12/vhost-vdpa-fix-vm_flags-for-virtqueue-doorbell-mapping.patch @@ -0,0 +1,37 @@ +From 3a3e0fad16d40a2aa68ddf7eea4acdf48b22dd44 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 13 Apr 2021 17:15:57 +0800 +Subject: vhost-vdpa: fix vm_flags for virtqueue doorbell mapping + +From: Jason Wang + +commit 3a3e0fad16d40a2aa68ddf7eea4acdf48b22dd44 upstream. + +The virtqueue doorbell is usually implemented via registeres but we +don't provide the necessary vma->flags like VM_PFNMAP. This may cause +several issues e.g when userspace tries to map the doorbell via vhost +IOTLB, kernel may panic due to the page is not backed by page +structure. This patch fixes this by setting the necessary +vm_flags. With this patch, try to map doorbell via IOTLB will fail +with bad address. + +Cc: stable@vger.kernel.org +Fixes: ddd89d0a059d ("vhost_vdpa: support doorbell mapping via mmap") +Signed-off-by: Jason Wang +Link: https://lore.kernel.org/r/20210413091557.29008-1-jasowang@redhat.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vdpa.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/vhost/vdpa.c ++++ b/drivers/vhost/vdpa.c +@@ -993,6 +993,7 @@ static int vhost_vdpa_mmap(struct file * + if (vma->vm_end - vma->vm_start != notify.size) + return -ENOTSUPP; + ++ vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP; + vma->vm_ops = &vhost_vdpa_vm_ops; + return 0; + }