From: Greg Kroah-Hartman Date: Sat, 9 Oct 2021 14:18:01 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.14.12~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a0364b49232d69f81628c2c6737aee18ac59d544;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm-dts-imx6dl-yapp4-fix-lp5562-led-driver-probe.patch arm-dts-omap3430-sdp-fix-nand-device-node.patch arm-dts-qcom-apq8064-use-compatible-which-contains-chipid.patch mmc-meson-gx-do-not-use-memcpy_to-fromio-for-dram-access-quirk.patch mmc-sdhci-of-at91-replace-while-loop-with-read_poll_timeout.patch mmc-sdhci-of-at91-wait-for-calibration-done-before-proceed.patch nfsd-fix-error-handling-of-register_pernet_subsys-in-init_nfsd.patch nfsd4-handle-the-nfsv4-readdir-dircount-hint-being-zero.patch ovl-fix-iocb_direct-if-underlying-fs-doesn-t-support-direct-io.patch ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch sunrpc-fix-sign-error-causing-rpcsec_gss-drops.patch xen-balloon-fix-cancelled-balloon-action.patch --- diff --git a/queue-5.10/arm-dts-imx6dl-yapp4-fix-lp5562-led-driver-probe.patch b/queue-5.10/arm-dts-imx6dl-yapp4-fix-lp5562-led-driver-probe.patch new file mode 100644 index 00000000000..2f4b170dcb6 --- /dev/null +++ b/queue-5.10/arm-dts-imx6dl-yapp4-fix-lp5562-led-driver-probe.patch @@ -0,0 +1,80 @@ +From 9b663b34c94a78f39fa2c7a8271b1f828b546e16 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Vok=C3=A1=C4=8D?= +Date: Wed, 18 Aug 2021 09:02:08 +0200 +Subject: ARM: dts: imx6dl-yapp4: Fix lp5562 LED driver probe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Vokáč + +commit 9b663b34c94a78f39fa2c7a8271b1f828b546e16 upstream. + +Since the LED multicolor framework support was added in commit +92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx") +LEDs on this platform stopped working. + +Author of the framework attempted to accommodate this DT to the +framework in commit b86d3d21cd4c ("ARM: dts: imx6dl-yapp4: Add reg property +to the lp5562 channel node") but that is not sufficient. A color property +is now required even if the multicolor framework is not used, otherwise +the driver probe fails: + + lp5562: probe of 1-0030 failed with error -22 + +Add the color property to fix this. + +Fixes: 92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx") +Cc: +Cc: linux-leds@vger.kernel.org +Signed-off-by: Michal Vokáč +Acked-by: Pavel Machek +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx6dl-yapp4-common.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi ++++ b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + #include + + / { +@@ -275,6 +276,7 @@ + led-cur = /bits/ 8 <0x20>; + max-cur = /bits/ 8 <0x60>; + reg = <0>; ++ color = ; + }; + + chan@1 { +@@ -282,6 +284,7 @@ + led-cur = /bits/ 8 <0x20>; + max-cur = /bits/ 8 <0x60>; + reg = <1>; ++ color = ; + }; + + chan@2 { +@@ -289,6 +292,7 @@ + led-cur = /bits/ 8 <0x20>; + max-cur = /bits/ 8 <0x60>; + reg = <2>; ++ color = ; + }; + + chan@3 { +@@ -296,6 +300,7 @@ + led-cur = /bits/ 8 <0x0>; + max-cur = /bits/ 8 <0x0>; + reg = <3>; ++ color = ; + }; + }; + diff --git a/queue-5.10/arm-dts-omap3430-sdp-fix-nand-device-node.patch b/queue-5.10/arm-dts-omap3430-sdp-fix-nand-device-node.patch new file mode 100644 index 00000000000..d3d815f7875 --- /dev/null +++ b/queue-5.10/arm-dts-omap3430-sdp-fix-nand-device-node.patch @@ -0,0 +1,31 @@ +From 80d680fdccba214e8106dc1aa33de5207ad75394 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Thu, 2 Sep 2021 12:58:28 +0300 +Subject: ARM: dts: omap3430-sdp: Fix NAND device node + +From: Roger Quadros + +commit 80d680fdccba214e8106dc1aa33de5207ad75394 upstream. + +Nand is on CS1 so reg properties first field should be 1 not 0. + +Fixes: 44e4716499b8 ("ARM: dts: omap3: Fix NAND device nodes") +Cc: stable@vger.kernel.org # v4.6+ +Signed-off-by: Roger Quadros +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/omap3430-sdp.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/omap3430-sdp.dts ++++ b/arch/arm/boot/dts/omap3430-sdp.dts +@@ -101,7 +101,7 @@ + + nand@1,0 { + compatible = "ti,omap2-nand"; +- reg = <0 0 4>; /* CS0, offset 0, IO size 4 */ ++ reg = <1 0 4>; /* CS1, offset 0, IO size 4 */ + interrupt-parent = <&gpmc>; + interrupts = <0 IRQ_TYPE_NONE>, /* fifoevent */ + <1 IRQ_TYPE_NONE>; /* termcount */ diff --git a/queue-5.10/arm-dts-qcom-apq8064-use-compatible-which-contains-chipid.patch b/queue-5.10/arm-dts-qcom-apq8064-use-compatible-which-contains-chipid.patch new file mode 100644 index 00000000000..0f654b16025 --- /dev/null +++ b/queue-5.10/arm-dts-qcom-apq8064-use-compatible-which-contains-chipid.patch @@ -0,0 +1,43 @@ +From f5c03f131dae3f06d08464e6157dd461200f78d9 Mon Sep 17 00:00:00 2001 +From: David Heidelberg +Date: Wed, 18 Aug 2021 08:53:17 +0200 +Subject: ARM: dts: qcom: apq8064: use compatible which contains chipid + +From: David Heidelberg + +commit f5c03f131dae3f06d08464e6157dd461200f78d9 upstream. + +Also resolves these kernel warnings for APQ8064: +adreno 4300000.adreno-3xx: Using legacy qcom,chipid binding! +adreno 4300000.adreno-3xx: Use compatible qcom,adreno-320.2 instead. + +Tested on Nexus 7 2013, no functional changes. + +Cc: +Signed-off-by: David Heidelberg +Link: https://lore.kernel.org/r/20210818065317.19822-1-david@ixit.cz +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/qcom-apq8064.dtsi | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/qcom-apq8064.dtsi ++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi +@@ -1148,7 +1148,7 @@ + }; + + gpu: adreno-3xx@4300000 { +- compatible = "qcom,adreno-3xx"; ++ compatible = "qcom,adreno-320.2", "qcom,adreno"; + reg = <0x04300000 0x20000>; + reg-names = "kgsl_3d0_reg_memory"; + interrupts = ; +@@ -1163,7 +1163,6 @@ + <&mmcc GFX3D_AHB_CLK>, + <&mmcc GFX3D_AXI_CLK>, + <&mmcc MMSS_IMEM_AHB_CLK>; +- qcom,chipid = <0x03020002>; + + iommus = <&gfx3d 0 + &gfx3d 1 diff --git a/queue-5.10/mmc-meson-gx-do-not-use-memcpy_to-fromio-for-dram-access-quirk.patch b/queue-5.10/mmc-meson-gx-do-not-use-memcpy_to-fromio-for-dram-access-quirk.patch new file mode 100644 index 00000000000..b8e123405dd --- /dev/null +++ b/queue-5.10/mmc-meson-gx-do-not-use-memcpy_to-fromio-for-dram-access-quirk.patch @@ -0,0 +1,154 @@ +From 8a38a4d51c5055d0201542e5ea3c0cb287f6e223 Mon Sep 17 00:00:00 2001 +From: Neil Armstrong +Date: Tue, 28 Sep 2021 09:36:52 +0200 +Subject: mmc: meson-gx: do not use memcpy_to/fromio for dram-access-quirk + +From: Neil Armstrong + +commit 8a38a4d51c5055d0201542e5ea3c0cb287f6e223 upstream. + +The memory at the end of the controller only accepts 32bit read/write +accesses, but the arm64 memcpy_to/fromio implementation only uses 64bit +(which will be split into two 32bit access) and 8bit leading to incomplete +copies to/from this memory when the buffer is not multiple of 8bytes. + +Add a local copy using writel/readl accesses to make sure we use the right +memory access width. + +The switch to memcpy_to/fromio was done because of 285133040e6c +("arm64: Import latest memcpy()/memmove() implementation"), but using memcpy +worked before since it mainly used 32bit memory acceses. + +Fixes: 103a5348c22c ("mmc: meson-gx: use memcpy_to/fromio for dram-access-quirk") +Reported-by: Christian Hewitt +Suggested-by: Martin Blumenstingl +Signed-off-by: Neil Armstrong +Tested-by: Martin Blumenstingl +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210928073652.434690-1-narmstrong@baylibre.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/meson-gx-mmc.c | 73 ++++++++++++++++++++++++++++++++-------- + 1 file changed, 59 insertions(+), 14 deletions(-) + +--- a/drivers/mmc/host/meson-gx-mmc.c ++++ b/drivers/mmc/host/meson-gx-mmc.c +@@ -735,7 +735,7 @@ static void meson_mmc_desc_chain_transfe + writel(start, host->regs + SD_EMMC_START); + } + +-/* local sg copy to buffer version with _to/fromio usage for dram_access_quirk */ ++/* local sg copy for dram_access_quirk */ + static void meson_mmc_copy_buffer(struct meson_host *host, struct mmc_data *data, + size_t buflen, bool to_buffer) + { +@@ -753,21 +753,27 @@ static void meson_mmc_copy_buffer(struct + sg_miter_start(&miter, sgl, nents, sg_flags); + + while ((offset < buflen) && sg_miter_next(&miter)) { +- unsigned int len; ++ unsigned int buf_offset = 0; ++ unsigned int len, left; ++ u32 *buf = miter.addr; + + len = min(miter.length, buflen - offset); ++ left = len; + +- /* When dram_access_quirk, the bounce buffer is a iomem mapping */ +- if (host->dram_access_quirk) { +- if (to_buffer) +- memcpy_toio(host->bounce_iomem_buf + offset, miter.addr, len); +- else +- memcpy_fromio(miter.addr, host->bounce_iomem_buf + offset, len); ++ if (to_buffer) { ++ do { ++ writel(*buf++, host->bounce_iomem_buf + offset + buf_offset); ++ ++ buf_offset += 4; ++ left -= 4; ++ } while (left); + } else { +- if (to_buffer) +- memcpy(host->bounce_buf + offset, miter.addr, len); +- else +- memcpy(miter.addr, host->bounce_buf + offset, len); ++ do { ++ *buf++ = readl(host->bounce_iomem_buf + offset + buf_offset); ++ ++ buf_offset += 4; ++ left -= 4; ++ } while (left); + } + + offset += len; +@@ -819,7 +825,11 @@ static void meson_mmc_start_cmd(struct m + if (data->flags & MMC_DATA_WRITE) { + cmd_cfg |= CMD_CFG_DATA_WR; + WARN_ON(xfer_bytes > host->bounce_buf_size); +- meson_mmc_copy_buffer(host, data, xfer_bytes, true); ++ if (host->dram_access_quirk) ++ meson_mmc_copy_buffer(host, data, xfer_bytes, true); ++ else ++ sg_copy_to_buffer(data->sg, data->sg_len, ++ host->bounce_buf, xfer_bytes); + dma_wmb(); + } + +@@ -838,12 +848,43 @@ static void meson_mmc_start_cmd(struct m + writel(cmd->arg, host->regs + SD_EMMC_CMD_ARG); + } + ++static int meson_mmc_validate_dram_access(struct mmc_host *mmc, struct mmc_data *data) ++{ ++ struct scatterlist *sg; ++ int i; ++ ++ /* Reject request if any element offset or size is not 32bit aligned */ ++ for_each_sg(data->sg, sg, data->sg_len, i) { ++ if (!IS_ALIGNED(sg->offset, sizeof(u32)) || ++ !IS_ALIGNED(sg->length, sizeof(u32))) { ++ dev_err(mmc_dev(mmc), "unaligned sg offset %u len %u\n", ++ data->sg->offset, data->sg->length); ++ return -EINVAL; ++ } ++ } ++ ++ return 0; ++} ++ + static void meson_mmc_request(struct mmc_host *mmc, struct mmc_request *mrq) + { + struct meson_host *host = mmc_priv(mmc); + bool needs_pre_post_req = mrq->data && + !(mrq->data->host_cookie & SD_EMMC_PRE_REQ_DONE); + ++ /* ++ * The memory at the end of the controller used as bounce buffer for ++ * the dram_access_quirk only accepts 32bit read/write access, ++ * check the aligment and length of the data before starting the request. ++ */ ++ if (host->dram_access_quirk && mrq->data) { ++ mrq->cmd->error = meson_mmc_validate_dram_access(mmc, mrq->data); ++ if (mrq->cmd->error) { ++ mmc_request_done(mmc, mrq); ++ return; ++ } ++ } ++ + if (needs_pre_post_req) { + meson_mmc_get_transfer_mode(mmc, mrq); + if (!meson_mmc_desc_chain_mode(mrq->data)) +@@ -988,7 +1029,11 @@ static irqreturn_t meson_mmc_irq_thread( + if (meson_mmc_bounce_buf_read(data)) { + xfer_bytes = data->blksz * data->blocks; + WARN_ON(xfer_bytes > host->bounce_buf_size); +- meson_mmc_copy_buffer(host, data, xfer_bytes, false); ++ if (host->dram_access_quirk) ++ meson_mmc_copy_buffer(host, data, xfer_bytes, false); ++ else ++ sg_copy_from_buffer(data->sg, data->sg_len, ++ host->bounce_buf, xfer_bytes); + } + + next_cmd = meson_mmc_get_next_command(cmd); diff --git a/queue-5.10/mmc-sdhci-of-at91-replace-while-loop-with-read_poll_timeout.patch b/queue-5.10/mmc-sdhci-of-at91-replace-while-loop-with-read_poll_timeout.patch new file mode 100644 index 00000000000..9b964274964 --- /dev/null +++ b/queue-5.10/mmc-sdhci-of-at91-replace-while-loop-with-read_poll_timeout.patch @@ -0,0 +1,53 @@ +From 30d4b990ec644e8bd49ef0a2f074fabc0d189e53 Mon Sep 17 00:00:00 2001 +From: Claudiu Beznea +Date: Fri, 24 Sep 2021 11:28:51 +0300 +Subject: mmc: sdhci-of-at91: replace while loop with read_poll_timeout + +From: Claudiu Beznea + +commit 30d4b990ec644e8bd49ef0a2f074fabc0d189e53 upstream. + +Replace while loop with read_poll_timeout(). + +Signed-off-by: Claudiu Beznea +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210924082851.2132068-3-claudiu.beznea@microchip.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-of-at91.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +--- a/drivers/mmc/host/sdhci-of-at91.c ++++ b/drivers/mmc/host/sdhci-of-at91.c +@@ -62,7 +62,6 @@ static void sdhci_at91_set_force_card_de + static void sdhci_at91_set_clock(struct sdhci_host *host, unsigned int clock) + { + u16 clk; +- unsigned long timeout; + + host->mmc->actual_clock = 0; + +@@ -87,16 +86,11 @@ static void sdhci_at91_set_clock(struct + sdhci_writew(host, clk, SDHCI_CLOCK_CONTROL); + + /* Wait max 20 ms */ +- timeout = 20; +- while (!((clk = sdhci_readw(host, SDHCI_CLOCK_CONTROL)) +- & SDHCI_CLOCK_INT_STABLE)) { +- if (timeout == 0) { +- pr_err("%s: Internal clock never stabilised.\n", +- mmc_hostname(host->mmc)); +- return; +- } +- timeout--; +- mdelay(1); ++ if (read_poll_timeout(sdhci_readw, clk, (clk & SDHCI_CLOCK_INT_STABLE), ++ 1000, 20000, false, host, SDHCI_CLOCK_CONTROL)) { ++ pr_err("%s: Internal clock never stabilised.\n", ++ mmc_hostname(host->mmc)); ++ return; + } + + clk |= SDHCI_CLOCK_CARD_EN; diff --git a/queue-5.10/mmc-sdhci-of-at91-wait-for-calibration-done-before-proceed.patch b/queue-5.10/mmc-sdhci-of-at91-wait-for-calibration-done-before-proceed.patch new file mode 100644 index 00000000000..13d6202c987 --- /dev/null +++ b/queue-5.10/mmc-sdhci-of-at91-wait-for-calibration-done-before-proceed.patch @@ -0,0 +1,54 @@ +From af467fad78f03a42de8b72190f6a595366b870db Mon Sep 17 00:00:00 2001 +From: Claudiu Beznea +Date: Fri, 24 Sep 2021 11:28:50 +0300 +Subject: mmc: sdhci-of-at91: wait for calibration done before proceed + +From: Claudiu Beznea + +commit af467fad78f03a42de8b72190f6a595366b870db upstream. + +Datasheet specifies that at the end of calibration the SDMMC_CALCR_EN +bit will be cleared. No commands should be send before calibration is +done. + +Fixes: dbdea70f71d67 ("mmc: sdhci-of-at91: fix CALCR register being rewritten") +Fixes: 727d836a375ad ("mmc: sdhci-of-at91: add DT property to enable calibration on full reset") +Signed-off-by: Claudiu Beznea +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210924082851.2132068-2-claudiu.beznea@microchip.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-of-at91.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/mmc/host/sdhci-of-at91.c ++++ b/drivers/mmc/host/sdhci-of-at91.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -114,6 +115,7 @@ static void sdhci_at91_reset(struct sdhc + { + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct sdhci_at91_priv *priv = sdhci_pltfm_priv(pltfm_host); ++ unsigned int tmp; + + sdhci_reset(host, mask); + +@@ -126,6 +128,10 @@ static void sdhci_at91_reset(struct sdhc + + sdhci_writel(host, calcr | SDMMC_CALCR_ALWYSON | SDMMC_CALCR_EN, + SDMMC_CALCR); ++ ++ if (read_poll_timeout(sdhci_readl, tmp, !(tmp & SDMMC_CALCR_EN), ++ 10, 20000, false, host, SDMMC_CALCR)) ++ dev_err(mmc_dev(host->mmc), "Failed to calibrate\n"); + } + } + diff --git a/queue-5.10/nfsd-fix-error-handling-of-register_pernet_subsys-in-init_nfsd.patch b/queue-5.10/nfsd-fix-error-handling-of-register_pernet_subsys-in-init_nfsd.patch new file mode 100644 index 00000000000..54de9b00262 --- /dev/null +++ b/queue-5.10/nfsd-fix-error-handling-of-register_pernet_subsys-in-init_nfsd.patch @@ -0,0 +1,43 @@ +From 1d625050c7c2dd877e108e382b8aaf1ae3cfe1f4 Mon Sep 17 00:00:00 2001 +From: Patrick Ho +Date: Sat, 21 Aug 2021 02:56:26 -0400 +Subject: nfsd: fix error handling of register_pernet_subsys() in init_nfsd() + +From: Patrick Ho + +commit 1d625050c7c2dd877e108e382b8aaf1ae3cfe1f4 upstream. + +init_nfsd() should not unregister pernet subsys if the register fails +but should instead unwind from the last successful operation which is +register_filesystem(). + +Unregistering a failed register_pernet_subsys() call can result in +a kernel GPF as revealed by programmatically injecting an error in +register_pernet_subsys(). + +Verified the fix handled failure gracefully with no lingering nfsd +entry in /proc/filesystems. This change was introduced by the commit +bd5ae9288d64 ("nfsd: register pernet ops last, unregister first"), +the original error handling logic was correct. + +Fixes: bd5ae9288d64 ("nfsd: register pernet ops last, unregister first") +Cc: stable@vger.kernel.org +Signed-off-by: Patrick Ho +Acked-by: J. Bruce Fields +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfsctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -1547,7 +1547,7 @@ static int __init init_nfsd(void) + goto out_free_all; + return 0; + out_free_all: +- unregister_pernet_subsys(&nfsd_net_ops); ++ unregister_filesystem(&nfsd_fs_type); + out_free_exports: + remove_proc_entry("fs/nfs/exports", NULL); + remove_proc_entry("fs/nfs", NULL); diff --git a/queue-5.10/nfsd4-handle-the-nfsv4-readdir-dircount-hint-being-zero.patch b/queue-5.10/nfsd4-handle-the-nfsv4-readdir-dircount-hint-being-zero.patch new file mode 100644 index 00000000000..cc61782b425 --- /dev/null +++ b/queue-5.10/nfsd4-handle-the-nfsv4-readdir-dircount-hint-being-zero.patch @@ -0,0 +1,52 @@ +From f2e717d655040d632c9015f19aa4275f8b16e7f2 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 30 Sep 2021 15:44:41 -0400 +Subject: nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zero + +From: Trond Myklebust + +commit f2e717d655040d632c9015f19aa4275f8b16e7f2 upstream. + +RFC3530 notes that the 'dircount' field may be zero, in which case the +recommendation is to ignore it, and only enforce the 'maxcount' field. +In RFC5661, this recommendation to ignore a zero valued field becomes a +requirement. + +Fixes: aee377644146 ("nfsd4: fix rd_dircount enforcement") +Cc: +Signed-off-by: Trond Myklebust +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4xdr.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -3427,15 +3427,18 @@ nfsd4_encode_dirent(void *ccdv, const ch + goto fail; + cd->rd_maxcount -= entry_bytes; + /* +- * RFC 3530 14.2.24 describes rd_dircount as only a "hint", so +- * let's always let through the first entry, at least: ++ * RFC 3530 14.2.24 describes rd_dircount as only a "hint", and ++ * notes that it could be zero. If it is zero, then the server ++ * should enforce only the rd_maxcount value. + */ +- if (!cd->rd_dircount) +- goto fail; +- name_and_cookie = 4 + 4 * XDR_QUADLEN(namlen) + 8; +- if (name_and_cookie > cd->rd_dircount && cd->cookie_offset) +- goto fail; +- cd->rd_dircount -= min(cd->rd_dircount, name_and_cookie); ++ if (cd->rd_dircount) { ++ name_and_cookie = 4 + 4 * XDR_QUADLEN(namlen) + 8; ++ if (name_and_cookie > cd->rd_dircount && cd->cookie_offset) ++ goto fail; ++ cd->rd_dircount -= min(cd->rd_dircount, name_and_cookie); ++ if (!cd->rd_dircount) ++ cd->rd_maxcount = 0; ++ } + + cd->cookie_offset = cookie_offset; + skip_entry: diff --git a/queue-5.10/ovl-fix-iocb_direct-if-underlying-fs-doesn-t-support-direct-io.patch b/queue-5.10/ovl-fix-iocb_direct-if-underlying-fs-doesn-t-support-direct-io.patch new file mode 100644 index 00000000000..5341ef4037f --- /dev/null +++ b/queue-5.10/ovl-fix-iocb_direct-if-underlying-fs-doesn-t-support-direct-io.patch @@ -0,0 +1,71 @@ +From 1dc1eed46f9fa4cb8a07baa24fb44c96d6dd35c9 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Mon, 27 Sep 2021 11:23:57 +0200 +Subject: ovl: fix IOCB_DIRECT if underlying fs doesn't support direct IO + +From: Miklos Szeredi + +commit 1dc1eed46f9fa4cb8a07baa24fb44c96d6dd35c9 upstream. + +Normally the check at open time suffices, but e.g loop device does set +IOCB_DIRECT after doing its own checks (which are not sufficent for +overlayfs). + +Make sure we don't call the underlying filesystem read/write method with +the IOCB_DIRECT if it's not supported. + +Reported-by: Huang Jianan +Fixes: 16914e6fc7e1 ("ovl: add ovl_read_iter()") +Cc: # v4.19 +Tested-by: Huang Jianan +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/file.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/fs/overlayfs/file.c ++++ b/fs/overlayfs/file.c +@@ -301,6 +301,12 @@ static ssize_t ovl_read_iter(struct kioc + if (ret) + return ret; + ++ ret = -EINVAL; ++ if (iocb->ki_flags & IOCB_DIRECT && ++ (!real.file->f_mapping->a_ops || ++ !real.file->f_mapping->a_ops->direct_IO)) ++ goto out_fdput; ++ + old_cred = ovl_override_creds(file_inode(file)->i_sb); + if (is_sync_kiocb(iocb)) { + ret = vfs_iter_read(real.file, iter, &iocb->ki_pos, +@@ -325,7 +331,7 @@ static ssize_t ovl_read_iter(struct kioc + out: + revert_creds(old_cred); + ovl_file_accessed(file); +- ++out_fdput: + fdput(real); + + return ret; +@@ -354,6 +360,12 @@ static ssize_t ovl_write_iter(struct kio + if (ret) + goto out_unlock; + ++ ret = -EINVAL; ++ if (iocb->ki_flags & IOCB_DIRECT && ++ (!real.file->f_mapping->a_ops || ++ !real.file->f_mapping->a_ops->direct_IO)) ++ goto out_fdput; ++ + if (!ovl_should_sync(OVL_FS(inode->i_sb))) + ifl &= ~(IOCB_DSYNC | IOCB_SYNC); + +@@ -389,6 +401,7 @@ static ssize_t ovl_write_iter(struct kio + } + out: + revert_creds(old_cred); ++out_fdput: + fdput(real); + + out_unlock: diff --git a/queue-5.10/ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch b/queue-5.10/ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch new file mode 100644 index 00000000000..33a7a372319 --- /dev/null +++ b/queue-5.10/ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch @@ -0,0 +1,62 @@ +From a295aef603e109a47af355477326bd41151765b6 Mon Sep 17 00:00:00 2001 +From: Zheng Liang +Date: Fri, 24 Sep 2021 09:16:27 +0800 +Subject: ovl: fix missing negative dentry check in ovl_rename() + +From: Zheng Liang + +commit a295aef603e109a47af355477326bd41151765b6 upstream. + +The following reproducer + + mkdir lower upper work merge + touch lower/old + touch lower/new + mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge + rm merge/new + mv merge/old merge/new & unlink upper/new + +may result in this race: + +PROCESS A: + rename("merge/old", "merge/new"); + overwrite=true,ovl_lower_positive(old)=true, + ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE + +PROCESS B: + unlink("upper/new"); + +PROCESS A: + lookup newdentry in new_upperdir + call vfs_rename() with negative newdentry and RENAME_EXCHANGE + +Fix by adding the missing check for negative newdentry. + +Signed-off-by: Zheng Liang +Fixes: e9be9d5e76e3 ("overlay filesystem") +Cc: # v3.18 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/dir.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/fs/overlayfs/dir.c ++++ b/fs/overlayfs/dir.c +@@ -1214,9 +1214,13 @@ static int ovl_rename(struct inode *oldd + goto out_dput; + } + } else { +- if (!d_is_negative(newdentry) && +- (!new_opaque || !ovl_is_whiteout(newdentry))) +- goto out_dput; ++ if (!d_is_negative(newdentry)) { ++ if (!new_opaque || !ovl_is_whiteout(newdentry)) ++ goto out_dput; ++ } else { ++ if (flags & RENAME_EXCHANGE) ++ goto out_dput; ++ } + } + + if (olddentry == trap) diff --git a/queue-5.10/series b/queue-5.10/series index b928930eed4..ce42df57e97 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -5,3 +5,15 @@ usb-cdc-acm-fix-break-reporting.patch usb-typec-tcpm-handle-src_startup-state-if-cc-changes.patch drm-nouveau-kms-tu102-delay-enabling-cursor-until-after-assign_windows.patch xen-privcmd-fix-error-handling-in-mmap-resource-processing.patch +mmc-meson-gx-do-not-use-memcpy_to-fromio-for-dram-access-quirk.patch +mmc-sdhci-of-at91-wait-for-calibration-done-before-proceed.patch +mmc-sdhci-of-at91-replace-while-loop-with-read_poll_timeout.patch +ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch +ovl-fix-iocb_direct-if-underlying-fs-doesn-t-support-direct-io.patch +nfsd-fix-error-handling-of-register_pernet_subsys-in-init_nfsd.patch +nfsd4-handle-the-nfsv4-readdir-dircount-hint-being-zero.patch +sunrpc-fix-sign-error-causing-rpcsec_gss-drops.patch +xen-balloon-fix-cancelled-balloon-action.patch +arm-dts-omap3430-sdp-fix-nand-device-node.patch +arm-dts-imx6dl-yapp4-fix-lp5562-led-driver-probe.patch +arm-dts-qcom-apq8064-use-compatible-which-contains-chipid.patch diff --git a/queue-5.10/sunrpc-fix-sign-error-causing-rpcsec_gss-drops.patch b/queue-5.10/sunrpc-fix-sign-error-causing-rpcsec_gss-drops.patch new file mode 100644 index 00000000000..1bd0e75f5e5 --- /dev/null +++ b/queue-5.10/sunrpc-fix-sign-error-causing-rpcsec_gss-drops.patch @@ -0,0 +1,42 @@ +From 2ba5acfb34957e8a7fe47cd78c77ca88e9cc2b03 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Fri, 1 Oct 2021 09:59:21 -0400 +Subject: SUNRPC: fix sign error causing rpcsec_gss drops + +From: J. Bruce Fields + +commit 2ba5acfb34957e8a7fe47cd78c77ca88e9cc2b03 upstream. + +If sd_max is unsigned, then sd_max - GSS_SEQ_WIN is a very large number +whenever sd_max is less than GSS_SEQ_WIN, and the comparison: + + seq_num <= sd->sd_max - GSS_SEQ_WIN + +in gss_check_seq_num is pretty much always true, even when that's +clearly not what was intended. + +This was causing pynfs to hang when using krb5, because pynfs uses zero +as the initial gss sequence number. That's perfectly legal, but this +logic error causes knfsd to drop the rpc in that case. Out-of-order +sequence IDs in the first GSS_SEQ_WIN (128) calls will also cause this. + +Fixes: 10b9d99a3dbb ("SUNRPC: Augment server-side rpcgss tracepoints") +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/auth_gss/svcauth_gss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -643,7 +643,7 @@ static bool gss_check_seq_num(const stru + } + __set_bit(seq_num % GSS_SEQ_WIN, sd->sd_win); + goto ok; +- } else if (seq_num <= sd->sd_max - GSS_SEQ_WIN) { ++ } else if (seq_num + GSS_SEQ_WIN <= sd->sd_max) { + goto toolow; + } + if (__test_and_set_bit(seq_num % GSS_SEQ_WIN, sd->sd_win)) diff --git a/queue-5.10/xen-balloon-fix-cancelled-balloon-action.patch b/queue-5.10/xen-balloon-fix-cancelled-balloon-action.patch new file mode 100644 index 00000000000..805ec0901dc --- /dev/null +++ b/queue-5.10/xen-balloon-fix-cancelled-balloon-action.patch @@ -0,0 +1,73 @@ +From 319933a80fd4f07122466a77f93e5019d71be74c Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Tue, 5 Oct 2021 15:34:33 +0200 +Subject: xen/balloon: fix cancelled balloon action +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Juergen Gross + +commit 319933a80fd4f07122466a77f93e5019d71be74c upstream. + +In case a ballooning action is cancelled the new kernel thread handling +the ballooning might end up in a busy loop. + +Fix that by handling the cancelled action gracefully. + +While at it introduce a short wait for the BP_WAIT case. + +Cc: stable@vger.kernel.org +Fixes: 8480ed9c2bbd56 ("xen/balloon: use a kernel thread instead a workqueue") +Reported-by: Marek Marczykowski-Górecki +Signed-off-by: Juergen Gross +Tested-by: Jason Andryuk +Reviewed-by: Boris Ostrovsky +Link: https://lore.kernel.org/r/20211005133433.32008-1-jgross@suse.com +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/balloon.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -491,12 +491,12 @@ static enum bp_state decrease_reservatio + } + + /* +- * Stop waiting if either state is not BP_EAGAIN and ballooning action is +- * needed, or if the credit has changed while state is BP_EAGAIN. ++ * Stop waiting if either state is BP_DONE and ballooning action is ++ * needed, or if the credit has changed while state is not BP_DONE. + */ + static bool balloon_thread_cond(enum bp_state state, long credit) + { +- if (state != BP_EAGAIN) ++ if (state == BP_DONE) + credit = 0; + + return current_credit() != credit || kthread_should_stop(); +@@ -516,10 +516,19 @@ static int balloon_thread(void *unused) + + set_freezable(); + for (;;) { +- if (state == BP_EAGAIN) +- timeout = balloon_stats.schedule_delay * HZ; +- else ++ switch (state) { ++ case BP_DONE: ++ case BP_ECANCELED: + timeout = 3600 * HZ; ++ break; ++ case BP_EAGAIN: ++ timeout = balloon_stats.schedule_delay * HZ; ++ break; ++ case BP_WAIT: ++ timeout = HZ; ++ break; ++ } ++ + credit = current_credit(); + + wait_event_freezable_timeout(balloon_thread_wq,