From: Sasha Levin Date: Tue, 24 Aug 2021 02:59:50 +0000 (-0400) Subject: Fixes for 5.13 X-Git-Tag: v5.13.13~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dba7ae735a266c009597d5e5dfe5cfc619c6451b;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.13 Signed-off-by: Sasha Levin --- diff --git a/queue-5.13/alsa-hda-fix-the-capture-switch-value-change-notific.patch b/queue-5.13/alsa-hda-fix-the-capture-switch-value-change-notific.patch new file mode 100644 index 00000000000..628fec9a360 --- /dev/null +++ b/queue-5.13/alsa-hda-fix-the-capture-switch-value-change-notific.patch @@ -0,0 +1,57 @@ +From 55f8c088e6fff16915dd198794eea467dd0d0059 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Aug 2021 18:14:41 +0200 +Subject: ALSA: hda - fix the 'Capture Switch' value change notifications + +From: Jaroslav Kysela + +[ Upstream commit a2befe9380dd04ee76c871568deca00eedf89134 ] + +The original code in the cap_put_caller() function does not +handle correctly the positive values returned from the passed +function for multiple iterations. It means that the change +notifications may be lost. + +Fixes: 352f7f914ebb ("ALSA: hda - Merge Realtek parser code to generic parser") +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213851 +Cc: +Signed-off-by: Jaroslav Kysela +Link: https://lore.kernel.org/r/20210811161441.1325250-1-perex@perex.cz +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_generic.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c +index 1f8018f9ce57..534c0df75172 100644 +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -3460,7 +3460,7 @@ static int cap_put_caller(struct snd_kcontrol *kcontrol, + struct hda_gen_spec *spec = codec->spec; + const struct hda_input_mux *imux; + struct nid_path *path; +- int i, adc_idx, err = 0; ++ int i, adc_idx, ret, err = 0; + + imux = &spec->input_mux; + adc_idx = kcontrol->id.index; +@@ -3470,9 +3470,13 @@ static int cap_put_caller(struct snd_kcontrol *kcontrol, + if (!path || !path->ctls[type]) + continue; + kcontrol->private_value = path->ctls[type]; +- err = func(kcontrol, ucontrol); +- if (err < 0) ++ ret = func(kcontrol, ucontrol); ++ if (ret < 0) { ++ err = ret; + break; ++ } ++ if (ret > 0) ++ err = 1; + } + mutex_unlock(&codec->control_mutex); + if (err >= 0 && spec->cap_sync_hook) +-- +2.30.2 + diff --git a/queue-5.13/alsa-hda-realtek-enable-4-speaker-output-for-dell-xp.patch b/queue-5.13/alsa-hda-realtek-enable-4-speaker-output-for-dell-xp.patch new file mode 100644 index 00000000000..a505377962a --- /dev/null +++ b/queue-5.13/alsa-hda-realtek-enable-4-speaker-output-for-dell-xp.patch @@ -0,0 +1,38 @@ +From 1be3a2226fa0dff139dd99ac6b231ae9d6e0900e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Aug 2021 15:46:05 -0700 +Subject: ALSA: hda/realtek: Enable 4-speaker output for Dell XPS 15 9510 + laptop + +From: Kristin Paget + +[ Upstream commit da94692001ea45ffa1f5e9f17ecdef7aecd90c27 ] + +The 2021-model XPS 15 appears to use the same 4-speakers-on-ALC289 audio +setup as the Precision models, so requires the same quirk to enable woofer +output. Tested on my own 9510. + +Signed-off-by: Kristin Paget +Cc: +Link: https://lore.kernel.org/r/e1fc95c5-c10a-1f98-a5c2-dd6e336157e1@tombom.co.uk +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 6d8c4dedfe0f..6ab53352fc9b 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8272,6 +8272,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1028, 0x0a2e, "Dell", ALC236_FIXUP_DELL_AIO_HEADSET_MIC), + SND_PCI_QUIRK(0x1028, 0x0a30, "Dell", ALC236_FIXUP_DELL_AIO_HEADSET_MIC), + SND_PCI_QUIRK(0x1028, 0x0a58, "Dell", ALC255_FIXUP_DELL_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1028, 0x0a61, "Dell XPS 15 9510", ALC289_FIXUP_DUAL_SPK), + SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2), +-- +2.30.2 + diff --git a/queue-5.13/alsa-hda-realtek-limit-mic-boost-on-hp-probook-445-g.patch b/queue-5.13/alsa-hda-realtek-limit-mic-boost-on-hp-probook-445-g.patch new file mode 100644 index 00000000000..0ded4e53dc3 --- /dev/null +++ b/queue-5.13/alsa-hda-realtek-limit-mic-boost-on-hp-probook-445-g.patch @@ -0,0 +1,60 @@ +From b58d20d7e0c29c220a42842bb08aac964a42457f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 22:41:18 +0800 +Subject: ALSA: hda/realtek: Limit mic boost on HP ProBook 445 G8 + +From: Kai-Heng Feng + +[ Upstream commit 8903376dc69949199301b290cc22dc64ae5d8a6d ] + +The mic has lots of noises if mic boost is enabled. So disable mic boost +to get crystal clear audio capture. + +Signed-off-by: Kai-Heng Feng +Cc: +Link: https://lore.kernel.org/r/20210818144119.121738-1-kai.heng.feng@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 6ab53352fc9b..0c6be8509855 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6598,6 +6598,7 @@ enum { + ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP, + ALC623_FIXUP_LENOVO_THINKSTATION_P340, + ALC255_FIXUP_ACER_HEADPHONE_AND_MIC, ++ ALC236_FIXUP_HP_LIMIT_INT_MIC_BOOST, + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -8182,6 +8183,12 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC255_FIXUP_XIAOMI_HEADSET_MIC + }, ++ [ALC236_FIXUP_HP_LIMIT_INT_MIC_BOOST] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc269_fixup_limit_int_mic_boost, ++ .chained = true, ++ .chain_id = ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF, ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -8378,8 +8385,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8847, "HP EliteBook x360 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x884c, "HP EliteBook 840 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED), +- SND_PCI_QUIRK(0x103c, 0x8862, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), +- SND_PCI_QUIRK(0x103c, 0x8863, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x8862, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_LIMIT_INT_MIC_BOOST), ++ SND_PCI_QUIRK(0x103c, 0x8863, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8873, "HP ZBook Studio 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), +-- +2.30.2 + diff --git a/queue-5.13/alsa-hda-via-apply-runtime-pm-workaround-for-asus-b2.patch b/queue-5.13/alsa-hda-via-apply-runtime-pm-workaround-for-asus-b2.patch new file mode 100644 index 00000000000..80478b750ab --- /dev/null +++ b/queue-5.13/alsa-hda-via-apply-runtime-pm-workaround-for-asus-b2.patch @@ -0,0 +1,38 @@ +From 06e6be4112ba4d86bc8dd37bbd13db80a7f52aed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Aug 2021 07:24:32 +0200 +Subject: ALSA: hda/via: Apply runtime PM workaround for ASUS B23E + +From: Takashi Iwai + +[ Upstream commit 4bf61ad5f0204b67ba570da6e5c052c2095e29df ] + +ASUS B23E requires the same workaround like other machines with +VT1802, otherwise it looses the codec power on a few nodes and the +sound kept silence. + +Fixes: a0645daf1610 ("ALSA: HDA: Early Forbid of runtime PM") +Link: https://lore.kernel.org/r/ac2232f142efcd67fe6ac38897f704f7176bd200.camel@gmail.com +Cc: +Link: https://lore.kernel.org/r/20210817052432.14751-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_via.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_via.c b/sound/pci/hda/patch_via.c +index a5c1a2c4eae4..773a136161f1 100644 +--- a/sound/pci/hda/patch_via.c ++++ b/sound/pci/hda/patch_via.c +@@ -1041,6 +1041,7 @@ static const struct hda_fixup via_fixups[] = { + }; + + static const struct snd_pci_quirk vt2002p_fixups[] = { ++ SND_PCI_QUIRK(0x1043, 0x13f7, "Asus B23E", VIA_FIXUP_POWER_SAVE), + SND_PCI_QUIRK(0x1043, 0x1487, "Asus G75", VIA_FIXUP_ASUS_G75), + SND_PCI_QUIRK(0x1043, 0x8532, "Asus X202E", VIA_FIXUP_INTMIC_BOOST), + SND_PCI_QUIRK_VENDOR(0x1558, "Clevo", VIA_FIXUP_POWER_SAVE), +-- +2.30.2 + diff --git a/queue-5.13/arm64-clean-vdso-vdso32-files.patch b/queue-5.13/arm64-clean-vdso-vdso32-files.patch new file mode 100644 index 00000000000..4fb56d8e624 --- /dev/null +++ b/queue-5.13/arm64-clean-vdso-vdso32-files.patch @@ -0,0 +1,59 @@ +From 21352d2a7981b1513ed0c9fd41735488bcfdd889 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 23:17:55 +0000 +Subject: arm64: clean vdso & vdso32 files + +From: Andrew Delgadillo + +[ Upstream commit 017f5fb9ce793e3558db94ee72068622bc0b79db ] + +commit a5b8ca97fbf8 ("arm64: do not descend to vdso directories twice") +changes the cleaning behavior of arm64's vdso files, in that vdso.lds, +vdso.so, and vdso.so.dbg are not removed upon a 'make clean/mrproper': + +$ make defconfig ARCH=arm64 +$ make ARCH=arm64 +$ make mrproper ARCH=arm64 +$ git clean -nxdf +Would remove arch/arm64/kernel/vdso/vdso.lds +Would remove arch/arm64/kernel/vdso/vdso.so +Would remove arch/arm64/kernel/vdso/vdso.so.dbg + +To remedy this, manually descend into arch/arm64/kernel/vdso upon +cleaning. + +After this commit: +$ make defconfig ARCH=arm64 +$ make ARCH=arm64 +$ make mrproper ARCH=arm64 +$ git clean -nxdf + + +Similar results are obtained for the vdso32 equivalent. + +Signed-off-by: Andrew Delgadillo +Cc: stable@vger.kernel.org +Fixes: a5b8ca97fbf8 ("arm64: do not descend to vdso directories twice") +Link: https://lore.kernel.org/r/20210810231755.1743524-1-adelg@google.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/Makefile | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile +index b52481f0605d..02997b253dee 100644 +--- a/arch/arm64/Makefile ++++ b/arch/arm64/Makefile +@@ -181,6 +181,8 @@ archprepare: + # We use MRPROPER_FILES and CLEAN_FILES now + archclean: + $(Q)$(MAKE) $(clean)=$(boot) ++ $(Q)$(MAKE) $(clean)=arch/arm64/kernel/vdso ++ $(Q)$(MAKE) $(clean)=arch/arm64/kernel/vdso32 + + ifeq ($(KBUILD_EXTMOD),) + # We need to generate vdso-offsets.h before compiling certain files in kernel/. +-- +2.30.2 + diff --git a/queue-5.13/asoc-intel-atom-fix-breakage-for-pcm-buffer-address-.patch b/queue-5.13/asoc-intel-atom-fix-breakage-for-pcm-buffer-address-.patch new file mode 100644 index 00000000000..21ab8dfe6d6 --- /dev/null +++ b/queue-5.13/asoc-intel-atom-fix-breakage-for-pcm-buffer-address-.patch @@ -0,0 +1,48 @@ +From 3d248768ae4ed63d0ad491c5b285bcc1b18cfaac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 17:29:45 +0200 +Subject: ASoC: intel: atom: Fix breakage for PCM buffer address setup + +From: Takashi Iwai + +[ Upstream commit 65ca89c2b12cca0d473f3dd54267568ad3af55cc ] + +The commit 2e6b836312a4 ("ASoC: intel: atom: Fix reference to PCM +buffer address") changed the reference of PCM buffer address to +substream->runtime->dma_addr as the buffer address may change +dynamically. However, I forgot that the dma_addr field is still not +set up for the CONTINUOUS buffer type (that this driver uses) yet in +5.14 and earlier kernels, and it resulted in garbage I/O. The problem +will be fixed in 5.15, but we need to address it quickly for now. + +The fix is to deduce the address again from the DMA pointer with +virt_to_phys(), but from the right one, substream->runtime->dma_area. + +Fixes: 2e6b836312a4 ("ASoC: intel: atom: Fix reference to PCM buffer address") +Reported-and-tested-by: Hans de Goede +Cc: +Acked-by: Mark Brown +Link: https://lore.kernel.org/r/2048c6aa-2187-46bd-6772-36a4fb3c5aeb@redhat.com +Link: https://lore.kernel.org/r/20210819152945.8510-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/soc/intel/atom/sst-mfld-platform-pcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/atom/sst-mfld-platform-pcm.c b/sound/soc/intel/atom/sst-mfld-platform-pcm.c +index 5db2f4865bbb..905c7965f653 100644 +--- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c ++++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c +@@ -127,7 +127,7 @@ static void sst_fill_alloc_params(struct snd_pcm_substream *substream, + snd_pcm_uframes_t period_size; + ssize_t periodbytes; + ssize_t buffer_bytes = snd_pcm_lib_buffer_bytes(substream); +- u32 buffer_addr = substream->runtime->dma_addr; ++ u32 buffer_addr = virt_to_phys(substream->runtime->dma_area); + + channels = substream->runtime->channels; + period_size = substream->runtime->period_size; +-- +2.30.2 + diff --git a/queue-5.13/btrfs-prevent-rename2-from-exchanging-a-subvol-with-.patch b/queue-5.13/btrfs-prevent-rename2-from-exchanging-a-subvol-with-.patch new file mode 100644 index 00000000000..cd2793eedd4 --- /dev/null +++ b/queue-5.13/btrfs-prevent-rename2-from-exchanging-a-subvol-with-.patch @@ -0,0 +1,124 @@ +From 7c427c85a8d273299a237870e00495a52afd33a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Aug 2021 14:26:24 +1000 +Subject: btrfs: prevent rename2 from exchanging a subvol with a directory from + different parents + +From: NeilBrown + +[ Upstream commit 3f79f6f6247c83f448c8026c3ee16d4636ef8d4f ] + +Cross-rename lacks a check when that would prevent exchanging a +directory and subvolume from different parent subvolume. This causes +data inconsistencies and is caught before commit by tree-checker, +turning the filesystem to read-only. + +Calling the renameat2 with RENAME_EXCHANGE flags like + + renameat2(AT_FDCWD, namesrc, AT_FDCWD, namedest, (1 << 1)) + +on two paths: + + namesrc = dir1/subvol1/dir2 + namedest = subvol2/subvol3 + +will cause key order problem with following write time tree-checker +report: + + [1194842.307890] BTRFS critical (device loop1): corrupt leaf: root=5 block=27574272 slot=10 ino=258, invalid previous key objectid, have 257 expect 258 + [1194842.322221] BTRFS info (device loop1): leaf 27574272 gen 8 total ptrs 11 free space 15444 owner 5 + [1194842.331562] BTRFS info (device loop1): refs 2 lock_owner 0 current 26561 + [1194842.338772] item 0 key (256 1 0) itemoff 16123 itemsize 160 + [1194842.338793] inode generation 3 size 16 mode 40755 + [1194842.338801] item 1 key (256 12 256) itemoff 16111 itemsize 12 + [1194842.338809] item 2 key (256 84 2248503653) itemoff 16077 itemsize 34 + [1194842.338817] dir oid 258 type 2 + [1194842.338823] item 3 key (256 84 2363071922) itemoff 16043 itemsize 34 + [1194842.338830] dir oid 257 type 2 + [1194842.338836] item 4 key (256 96 2) itemoff 16009 itemsize 34 + [1194842.338843] item 5 key (256 96 3) itemoff 15975 itemsize 34 + [1194842.338852] item 6 key (257 1 0) itemoff 15815 itemsize 160 + [1194842.338863] inode generation 6 size 8 mode 40755 + [1194842.338869] item 7 key (257 12 256) itemoff 15801 itemsize 14 + [1194842.338876] item 8 key (257 84 2505409169) itemoff 15767 itemsize 34 + [1194842.338883] dir oid 256 type 2 + [1194842.338888] item 9 key (257 96 2) itemoff 15733 itemsize 34 + [1194842.338895] item 10 key (258 12 256) itemoff 15719 itemsize 14 + [1194842.339163] BTRFS error (device loop1): block=27574272 write time tree block corruption detected + [1194842.339245] ------------[ cut here ]------------ + [1194842.443422] WARNING: CPU: 6 PID: 26561 at fs/btrfs/disk-io.c:449 csum_one_extent_buffer+0xed/0x100 [btrfs] + [1194842.511863] CPU: 6 PID: 26561 Comm: kworker/u17:2 Not tainted 5.14.0-rc3-git+ #793 + [1194842.511870] Hardware name: empty empty/S3993, BIOS PAQEX0-3 02/24/2008 + [1194842.511876] Workqueue: btrfs-worker-high btrfs_work_helper [btrfs] + [1194842.511976] RIP: 0010:csum_one_extent_buffer+0xed/0x100 [btrfs] + [1194842.512068] RSP: 0018:ffffa2c284d77da0 EFLAGS: 00010282 + [1194842.512074] RAX: 0000000000000000 RBX: 0000000000001000 RCX: ffff928867bd9978 + [1194842.512078] RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff928867bd9970 + [1194842.512081] RBP: ffff92876b958000 R08: 0000000000000001 R09: 00000000000c0003 + [1194842.512085] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 + [1194842.512088] R13: ffff92875f989f98 R14: 0000000000000000 R15: 0000000000000000 + [1194842.512092] FS: 0000000000000000(0000) GS:ffff928867a00000(0000) knlGS:0000000000000000 + [1194842.512095] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [1194842.512099] CR2: 000055f5384da1f0 CR3: 0000000102fe4000 CR4: 00000000000006e0 + [1194842.512103] Call Trace: + [1194842.512128] ? run_one_async_free+0x10/0x10 [btrfs] + [1194842.631729] btree_csum_one_bio+0x1ac/0x1d0 [btrfs] + [1194842.631837] run_one_async_start+0x18/0x30 [btrfs] + [1194842.631938] btrfs_work_helper+0xd5/0x1d0 [btrfs] + [1194842.647482] process_one_work+0x262/0x5e0 + [1194842.647520] worker_thread+0x4c/0x320 + [1194842.655935] ? process_one_work+0x5e0/0x5e0 + [1194842.655946] kthread+0x135/0x160 + [1194842.655953] ? set_kthread_struct+0x40/0x40 + [1194842.655965] ret_from_fork+0x1f/0x30 + [1194842.672465] irq event stamp: 1729 + [1194842.672469] hardirqs last enabled at (1735): [] console_trylock_spinning+0x185/0x1a0 + [1194842.672477] hardirqs last disabled at (1740): [] console_trylock_spinning+0x15c/0x1a0 + [1194842.672482] softirqs last enabled at (1666): [] __do_softirq+0x2e1/0x50a + [1194842.672491] softirqs last disabled at (1651): [] __irq_exit_rcu+0xa7/0xd0 + +The corrupted data will not be written, and filesystem can be unmounted +and mounted again (all changes since the last commit will be lost). + +Add the missing check for new_ino so that all non-subvolumes must reside +under the same parent subvolume. There's an exception allowing to +exchange two subvolumes from any parents as the directory representing a +subvolume is only a logical link and does not have any other structures +related to the parent subvolume, unlike files, directories etc, that +are always in the inode namespace of the parent subvolume. + +Fixes: cdd1fedf8261 ("btrfs: add support for RENAME_EXCHANGE and RENAME_WHITEOUT") +CC: stable@vger.kernel.org # 4.7+ +Reviewed-by: Nikolay Borisov +Signed-off-by: NeilBrown +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 272eff4441bc..5d188d5af6fa 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -9191,8 +9191,14 @@ static int btrfs_rename_exchange(struct inode *old_dir, + bool dest_log_pinned = false; + bool need_abort = false; + +- /* we only allow rename subvolume link between subvolumes */ +- if (old_ino != BTRFS_FIRST_FREE_OBJECTID && root != dest) ++ /* ++ * For non-subvolumes allow exchange only within one subvolume, in the ++ * same inode namespace. Two subvolumes (represented as directory) can ++ * be exchanged as they're a logical link and have a fixed inode number. ++ */ ++ if (root != dest && ++ (old_ino != BTRFS_FIRST_FREE_OBJECTID || ++ new_ino != BTRFS_FIRST_FREE_OBJECTID)) + return -EXDEV; + + /* close the race window with snapshot create/destroy ioctl */ +-- +2.30.2 + diff --git a/queue-5.13/cfi-use-rcu_read_-un-lock_sched_notrace.patch b/queue-5.13/cfi-use-rcu_read_-un-lock_sched_notrace.patch new file mode 100644 index 00000000000..3cf1cb9b1cb --- /dev/null +++ b/queue-5.13/cfi-use-rcu_read_-un-lock_sched_notrace.patch @@ -0,0 +1,64 @@ +From b0989d5b35ba3861cda068affc91e13bee27c473 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Aug 2021 08:59:14 -0700 +Subject: cfi: Use rcu_read_{un}lock_sched_notrace + +From: Elliot Berman + +[ Upstream commit 14c4c8e41511aa8fba7fb239b20b6539b5bce201 ] + +If rcu_read_lock_sched tracing is enabled, the tracing subsystem can +perform a jump which needs to be checked by CFI. For example, stm_ftrace +source is enabled as a module and hooks into enabled ftrace events. This +can cause an recursive loop where find_shadow_check_fn -> +rcu_read_lock_sched -> (call to stm_ftrace generates cfi slowpath) -> +find_shadow_check_fn -> rcu_read_lock_sched -> ... + +To avoid the recursion, either the ftrace codes needs to be marked with +__no_cfi or CFI should not trace. Use the "_notrace" in CFI to avoid +tracing so that CFI can guard ftrace. + +Signed-off-by: Elliot Berman +Reviewed-by: Sami Tolvanen +Cc: stable@vger.kernel.org +Fixes: cf68fffb66d6 ("add support for Clang CFI") +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20210811155914.19550-1-quic_eberman@quicinc.com +Signed-off-by: Sasha Levin +--- + kernel/cfi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/cfi.c b/kernel/cfi.c +index e17a56639766..9594cfd1cf2c 100644 +--- a/kernel/cfi.c ++++ b/kernel/cfi.c +@@ -248,9 +248,9 @@ static inline cfi_check_fn find_shadow_check_fn(unsigned long ptr) + { + cfi_check_fn fn; + +- rcu_read_lock_sched(); ++ rcu_read_lock_sched_notrace(); + fn = ptr_to_check_fn(rcu_dereference_sched(cfi_shadow), ptr); +- rcu_read_unlock_sched(); ++ rcu_read_unlock_sched_notrace(); + + return fn; + } +@@ -269,11 +269,11 @@ static inline cfi_check_fn find_module_check_fn(unsigned long ptr) + cfi_check_fn fn = NULL; + struct module *mod; + +- rcu_read_lock_sched(); ++ rcu_read_lock_sched_notrace(); + mod = __module_address(ptr); + if (mod) + fn = mod->cfi_check; +- rcu_read_unlock_sched(); ++ rcu_read_unlock_sched_notrace(); + + return fn; + } +-- +2.30.2 + diff --git a/queue-5.13/clk-imx6q-fix-uart-earlycon-unwork.patch b/queue-5.13/clk-imx6q-fix-uart-earlycon-unwork.patch new file mode 100644 index 00000000000..ed7ad839e12 --- /dev/null +++ b/queue-5.13/clk-imx6q-fix-uart-earlycon-unwork.patch @@ -0,0 +1,41 @@ +From 7cbeb6063b2f1f4ce804ff54516171b6f2920fb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jul 2021 16:54:38 +0800 +Subject: clk: imx6q: fix uart earlycon unwork + +From: Dong Aisheng + +[ Upstream commit 283f1b9a0401859c53fdd6483ab66f1c4fadaea5 ] + +The earlycon depends on the bootloader setup UART clocks being retained. +There're actually two uart clocks (ipg, per) on MX6QDL, +but the 'Fixes' commit change to register only one which means +another clock may be disabled during booting phase +and result in the earlycon unwork. + +Cc: stable@vger.kernel.org # v5.10+ +Fixes: 379c9a24cc23 ("clk: imx: Fix reparenting of UARTs not associated with stdout") +Signed-off-by: Dong Aisheng +Link: https://lore.kernel.org/r/20210702085438.1988087-1-aisheng.dong@nxp.com +Reviewed-by: Abel Vesa +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx6q.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/imx/clk-imx6q.c b/drivers/clk/imx/clk-imx6q.c +index 496900de0b0b..de36f58d551c 100644 +--- a/drivers/clk/imx/clk-imx6q.c ++++ b/drivers/clk/imx/clk-imx6q.c +@@ -974,6 +974,6 @@ static void __init imx6q_clocks_init(struct device_node *ccm_node) + hws[IMX6QDL_CLK_PLL3_USB_OTG]->clk); + } + +- imx_register_uart_clocks(1); ++ imx_register_uart_clocks(2); + } + CLK_OF_DECLARE(imx6q, "fsl,imx6q-ccm", imx6q_clocks_init); +-- +2.30.2 + diff --git a/queue-5.13/clk-qcom-gdsc-ensure-regulator-init-state-matches-gd.patch b/queue-5.13/clk-qcom-gdsc-ensure-regulator-init-state-matches-gd.patch new file mode 100644 index 00000000000..67e86162882 --- /dev/null +++ b/queue-5.13/clk-qcom-gdsc-ensure-regulator-init-state-matches-gd.patch @@ -0,0 +1,122 @@ +From 63fe4d3ad9ad9a48aa2bc1491dda8d3c68733e27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 15:40:56 -0700 +Subject: clk: qcom: gdsc: Ensure regulator init state matches GDSC state + +From: Bjorn Andersson + +[ Upstream commit 9711759a87a041705148161b937ec847048d882e ] + +As GDSCs are registered and found to be already enabled gdsc_init() +ensures that 1) the kernel state matches the hardware state, and 2) +votable GDSCs are properly enabled from this master as well. + +But as the (optional) supply regulator is enabled deep into +gdsc_toggle_logic(), which is only executed for votable GDSCs, the +kernel's state of the regulator might not match the hardware. The +regulator might be automatically turned off if no other users are +present or the next call to gdsc_disable() would cause an unbalanced +regulator_disable(). + +Given that the votable case deals with an already enabled GDSC, most of +gdsc_enable() and gdsc_toggle_logic() can be skipped. Reduce it to just +clearing the SW_COLLAPSE_MASK and enabling hardware control to simply +call regulator_enable() in both cases. + +The enablement of hardware control seems to be an independent property +from the GDSC being enabled, so this is moved outside that conditional +segment. + +Lastly, as the propagation of ALWAYS_ON to GENPD_FLAG_ALWAYS_ON needs to +happen regardless of the initial state this is grouped together with the +other sc->pd updates at the end of the function. + +Cc: stable@vger.kernel.org +Fixes: 37416e554961 ("clk: qcom: gdsc: Handle GDSC regulator supplies") +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20210721224056.3035016-1-bjorn.andersson@linaro.org +[sboyd@kernel.org: Rephrase commit text] +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gdsc.c | 54 +++++++++++++++++++++++++++-------------- + 1 file changed, 36 insertions(+), 18 deletions(-) + +diff --git a/drivers/clk/qcom/gdsc.c b/drivers/clk/qcom/gdsc.c +index 51ed640e527b..4ece326ea233 100644 +--- a/drivers/clk/qcom/gdsc.c ++++ b/drivers/clk/qcom/gdsc.c +@@ -357,27 +357,43 @@ static int gdsc_init(struct gdsc *sc) + if (on < 0) + return on; + +- /* +- * Votable GDSCs can be ON due to Vote from other masters. +- * If a Votable GDSC is ON, make sure we have a Vote. +- */ +- if ((sc->flags & VOTABLE) && on) +- gdsc_enable(&sc->pd); ++ if (on) { ++ /* The regulator must be on, sync the kernel state */ ++ if (sc->rsupply) { ++ ret = regulator_enable(sc->rsupply); ++ if (ret < 0) ++ return ret; ++ } + +- /* +- * Make sure the retain bit is set if the GDSC is already on, otherwise +- * we end up turning off the GDSC and destroying all the register +- * contents that we thought we were saving. +- */ +- if ((sc->flags & RETAIN_FF_ENABLE) && on) +- gdsc_retain_ff_on(sc); ++ /* ++ * Votable GDSCs can be ON due to Vote from other masters. ++ * If a Votable GDSC is ON, make sure we have a Vote. ++ */ ++ if (sc->flags & VOTABLE) { ++ ret = regmap_update_bits(sc->regmap, sc->gdscr, ++ SW_COLLAPSE_MASK, val); ++ if (ret) ++ return ret; ++ } ++ ++ /* Turn on HW trigger mode if supported */ ++ if (sc->flags & HW_CTRL) { ++ ret = gdsc_hwctrl(sc, true); ++ if (ret < 0) ++ return ret; ++ } + +- /* If ALWAYS_ON GDSCs are not ON, turn them ON */ +- if (sc->flags & ALWAYS_ON) { +- if (!on) +- gdsc_enable(&sc->pd); ++ /* ++ * Make sure the retain bit is set if the GDSC is already on, ++ * otherwise we end up turning off the GDSC and destroying all ++ * the register contents that we thought we were saving. ++ */ ++ if (sc->flags & RETAIN_FF_ENABLE) ++ gdsc_retain_ff_on(sc); ++ } else if (sc->flags & ALWAYS_ON) { ++ /* If ALWAYS_ON GDSCs are not ON, turn them ON */ ++ gdsc_enable(&sc->pd); + on = true; +- sc->pd.flags |= GENPD_FLAG_ALWAYS_ON; + } + + if (on || (sc->pwrsts & PWRSTS_RET)) +@@ -385,6 +401,8 @@ static int gdsc_init(struct gdsc *sc) + else + gdsc_clear_mem_on(sc); + ++ if (sc->flags & ALWAYS_ON) ++ sc->pd.flags |= GENPD_FLAG_ALWAYS_ON; + if (!sc->pd.power_off) + sc->pd.power_off = gdsc_disable; + if (!sc->pd.power_on) +-- +2.30.2 + diff --git a/queue-5.13/fs-warn-about-impending-deprecation-of-mandatory-loc.patch b/queue-5.13/fs-warn-about-impending-deprecation-of-mandatory-loc.patch new file mode 100644 index 00000000000..794fa24f10b --- /dev/null +++ b/queue-5.13/fs-warn-about-impending-deprecation-of-mandatory-loc.patch @@ -0,0 +1,41 @@ +From 9d244f3e38afd9f46a5b9b44582fa8a8c3d6aa7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Aug 2021 09:29:50 -0400 +Subject: fs: warn about impending deprecation of mandatory locks + +From: Jeff Layton + +[ Upstream commit fdd92b64d15bc4aec973caa25899afd782402e68 ] + +We've had CONFIG_MANDATORY_FILE_LOCKING since 2015 and a lot of distros +have disabled it. Warn the stragglers that still use "-o mand" that +we'll be dropping support for that mount option. + +Cc: stable@vger.kernel.org +Signed-off-by: Jeff Layton +Signed-off-by: Sasha Levin +--- + fs/namespace.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index caad091fb204..03770bae9dd5 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1716,8 +1716,12 @@ static inline bool may_mount(void) + } + + #ifdef CONFIG_MANDATORY_FILE_LOCKING +-static inline bool may_mandlock(void) ++static bool may_mandlock(void) + { ++ pr_warn_once("======================================================\n" ++ "WARNING: the mand mount option is being deprecated and\n" ++ " will be removed in v5.15!\n" ++ "======================================================\n"); + return capable(CAP_SYS_ADMIN); + } + #else +-- +2.30.2 + diff --git a/queue-5.13/hugetlb-don-t-pass-page-cache-pages-to-restore_reser.patch b/queue-5.13/hugetlb-don-t-pass-page-cache-pages-to-restore_reser.patch new file mode 100644 index 00000000000..0bbcdbba8c4 --- /dev/null +++ b/queue-5.13/hugetlb-don-t-pass-page-cache-pages-to-restore_reser.patch @@ -0,0 +1,149 @@ +From 4bdbec65684aeda1a9a19844006daaf717cb35de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 19:04:33 -0700 +Subject: hugetlb: don't pass page cache pages to restore_reserve_on_error + +From: Mike Kravetz + +[ Upstream commit c7b1850dfb41d0b4154aca8dbc04777fbd75616f ] + +syzbot hit kernel BUG at fs/hugetlbfs/inode.c:532 as described in [1]. +This BUG triggers if the HPageRestoreReserve flag is set on a page in +the page cache. It should never be set, as the routine +huge_add_to_page_cache explicitly clears the flag after adding a page to +the cache. + +The only code other than huge page allocation which sets the flag is +restore_reserve_on_error. It will potentially set the flag in rare out +of memory conditions. syzbot was injecting errors to cause memory +allocation errors which exercised this specific path. + +The code in restore_reserve_on_error is doing the right thing. However, +there are instances where pages in the page cache were being passed to +restore_reserve_on_error. This is incorrect, as once a page goes into +the cache reservation information will not be modified for the page +until it is removed from the cache. Error paths do not remove pages +from the cache, so even in the case of error, the page will remain in +the cache and no reservation adjustment is needed. + +Modify routines that potentially call restore_reserve_on_error with a +page cache page to no longer do so. + +Note on fixes tag: Prior to commit 846be08578ed ("mm/hugetlb: expand +restore_reserve_on_error functionality") the routine would not process +page cache pages because the HPageRestoreReserve flag is not set on such +pages. Therefore, this issue could not be trigggered. The code added +by commit 846be08578ed ("mm/hugetlb: expand restore_reserve_on_error +functionality") is needed and correct. It exposed incorrect calls to +restore_reserve_on_error which is the root cause addressed by this +commit. + +[1] https://lore.kernel.org/linux-mm/00000000000050776d05c9b7c7f0@google.com/ + +Link: https://lkml.kernel.org/r/20210818213304.37038-1-mike.kravetz@oracle.com +Fixes: 846be08578ed ("mm/hugetlb: expand restore_reserve_on_error functionality") +Signed-off-by: Mike Kravetz +Reported-by: +Cc: Mina Almasry +Cc: Axel Rasmussen +Cc: Peter Xu +Cc: Muchun Song +Cc: Michal Hocko +Cc: Naoya Horiguchi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/hugetlb.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 6e35481a0a6b..6ad419e7e0a4 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2286,7 +2286,7 @@ void restore_reserve_on_error(struct hstate *h, struct vm_area_struct *vma, + if (!rc) { + /* + * This indicates there is an entry in the reserve map +- * added by alloc_huge_page. We know it was added ++ * not added by alloc_huge_page. We know it was added + * before the alloc_huge_page call, otherwise + * HPageRestoreReserve would be set on the page. + * Remove the entry so that a subsequent allocation +@@ -4465,7 +4465,9 @@ static vm_fault_t hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma, + spin_unlock(ptl); + mmu_notifier_invalidate_range_end(&range); + out_release_all: +- restore_reserve_on_error(h, vma, haddr, new_page); ++ /* No restore in case of successful pagetable update (Break COW) */ ++ if (new_page != old_page) ++ restore_reserve_on_error(h, vma, haddr, new_page); + put_page(new_page); + out_release_old: + put_page(old_page); +@@ -4581,7 +4583,7 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm, + pte_t new_pte; + spinlock_t *ptl; + unsigned long haddr = address & huge_page_mask(h); +- bool new_page = false; ++ bool new_page, new_pagecache_page = false; + + /* + * Currently, we are forced to kill the process in the event the +@@ -4604,6 +4606,7 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm, + goto out; + + retry: ++ new_page = false; + page = find_lock_page(mapping, idx); + if (!page) { + /* Check for page in userfault range */ +@@ -4647,6 +4650,7 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm, + goto retry; + goto out; + } ++ new_pagecache_page = true; + } else { + lock_page(page); + if (unlikely(anon_vma_prepare(vma))) { +@@ -4731,7 +4735,9 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm, + spin_unlock(ptl); + backout_unlocked: + unlock_page(page); +- restore_reserve_on_error(h, vma, haddr, page); ++ /* restore reserve for newly allocated pages not in page cache */ ++ if (new_page && !new_pagecache_page) ++ restore_reserve_on_error(h, vma, haddr, page); + put_page(page); + goto out; + } +@@ -4940,6 +4946,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm, + int ret; + struct page *page; + int writable; ++ bool new_pagecache_page = false; + + mapping = dst_vma->vm_file->f_mapping; + idx = vma_hugecache_offset(h, dst_vma, dst_addr); +@@ -5004,6 +5011,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm, + ret = huge_add_to_page_cache(page, mapping, idx); + if (ret) + goto out_release_nounlock; ++ new_pagecache_page = true; + } + + ptl = huge_pte_lockptr(h, dst_mm, dst_pte); +@@ -5067,7 +5075,8 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm, + if (vm_shared || is_continue) + unlock_page(page); + out_release_nounlock: +- restore_reserve_on_error(h, dst_vma, dst_addr, page); ++ if (!new_pagecache_page) ++ restore_reserve_on_error(h, dst_vma, dst_addr, page); + put_page(page); + goto out; + } +-- +2.30.2 + diff --git a/queue-5.13/io_uring-fix-code-style-problems.patch b/queue-5.13/io_uring-fix-code-style-problems.patch new file mode 100644 index 00000000000..412c08f37fe --- /dev/null +++ b/queue-5.13/io_uring-fix-code-style-problems.patch @@ -0,0 +1,99 @@ +From 7a8ba1dc61486cb06d24d9a36cee316ed06b1daa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jun 2021 15:09:57 +0100 +Subject: io_uring: fix code style problems + +From: Pavel Begunkov + +[ Upstream commit fe7e325750299126b9cc86d3071af594b46c4518 ] + +Fix a bunch of problems mostly found by checkpatch.pl + +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/cfaf9a2f27b43934144fe9422a916bd327099f44.1624543113.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 0a5f105c657c..00746109e0c8 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -165,7 +165,7 @@ struct io_rings { + * Written by the application, shouldn't be modified by the + * kernel. + */ +- u32 cq_flags; ++ u32 cq_flags; + /* + * Number of completion events lost because the queue was full; + * this should be avoided by the application by making sure +@@ -850,7 +850,7 @@ struct io_kiocb { + struct hlist_node hash_node; + struct async_poll *apoll; + struct io_wq_work work; +- const struct cred *creds; ++ const struct cred *creds; + + /* store used ubuf, so we can prevent reloading */ + struct io_mapped_ubuf *imu; +@@ -1721,7 +1721,7 @@ static struct io_kiocb *io_alloc_req(struct io_ring_ctx *ctx) + { + struct io_submit_state *state = &ctx->submit_state; + +- BUILD_BUG_ON(IO_REQ_ALLOC_BATCH > ARRAY_SIZE(state->reqs)); ++ BUILD_BUG_ON(ARRAY_SIZE(state->reqs) < IO_REQ_ALLOC_BATCH); + + if (!state->free_reqs) { + gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; +@@ -2778,7 +2778,7 @@ static void kiocb_done(struct kiocb *kiocb, ssize_t ret, + else + io_rw_done(kiocb, ret); + +- if (check_reissue && req->flags & REQ_F_REISSUE) { ++ if (check_reissue && (req->flags & REQ_F_REISSUE)) { + req->flags &= ~REQ_F_REISSUE; + if (io_resubmit_prep(req)) { + req_ref_get(req); +@@ -3608,7 +3608,7 @@ static int io_shutdown(struct io_kiocb *req, unsigned int issue_flags) + static int __io_splice_prep(struct io_kiocb *req, + const struct io_uring_sqe *sqe) + { +- struct io_splice* sp = &req->splice; ++ struct io_splice *sp = &req->splice; + unsigned int valid_flags = SPLICE_F_FD_IN_FIXED | SPLICE_F_ALL; + + if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL)) +@@ -3662,7 +3662,7 @@ static int io_tee(struct io_kiocb *req, unsigned int issue_flags) + + static int io_splice_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) + { +- struct io_splice* sp = &req->splice; ++ struct io_splice *sp = &req->splice; + + sp->off_in = READ_ONCE(sqe->splice_off_in); + sp->off_out = READ_ONCE(sqe->off); +@@ -8563,6 +8563,7 @@ static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg) + ctx->cq_ev_fd = eventfd_ctx_fdget(fd); + if (IS_ERR(ctx->cq_ev_fd)) { + int ret = PTR_ERR(ctx->cq_ev_fd); ++ + ctx->cq_ev_fd = NULL; + return ret; + } +@@ -9362,9 +9363,8 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit, + io_cqring_overflow_flush(ctx, false); + + ret = -EOWNERDEAD; +- if (unlikely(ctx->sq_data->thread == NULL)) { ++ if (unlikely(ctx->sq_data->thread == NULL)) + goto out; +- } + if (flags & IORING_ENTER_SQ_WAKEUP) + wake_up(&ctx->sq_data->wait); + if (flags & IORING_ENTER_SQ_WAIT) { +-- +2.30.2 + diff --git a/queue-5.13/io_uring-fix-xa_alloc_cycle-error-return-value-check.patch b/queue-5.13/io_uring-fix-xa_alloc_cycle-error-return-value-check.patch new file mode 100644 index 00000000000..848a3233e63 --- /dev/null +++ b/queue-5.13/io_uring-fix-xa_alloc_cycle-error-return-value-check.patch @@ -0,0 +1,45 @@ +From 8fff17ee89ab3c60f9214a71426a37e2797ef7e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Aug 2021 14:53:59 -0600 +Subject: io_uring: fix xa_alloc_cycle() error return value check + +From: Jens Axboe + +[ Upstream commit a30f895ad3239f45012e860d4f94c1a388b36d14 ] + +We currently check for ret != 0 to indicate error, but '1' is a valid +return and just indicates that the allocation succeeded with a wrap. +Correct the check to be for < 0, like it was before the xarray +conversion. + +Cc: stable@vger.kernel.org +Fixes: 61cf93700fe6 ("io_uring: Convert personality_idr to XArray") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 221b80ae831f..9df82eee440a 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -9835,10 +9835,11 @@ static int io_register_personality(struct io_ring_ctx *ctx) + + ret = xa_alloc_cyclic(&ctx->personalities, &id, (void *)creds, + XA_LIMIT(0, USHRT_MAX), &ctx->pers_next, GFP_KERNEL); +- if (!ret) +- return id; +- put_cred(creds); +- return ret; ++ if (ret < 0) { ++ put_cred(creds); ++ return ret; ++ } ++ return id; + } + + static int io_register_restrictions(struct io_ring_ctx *ctx, void __user *arg, +-- +2.30.2 + diff --git a/queue-5.13/io_uring-only-assign-io_uring_enter-sqpoll-error-in-.patch b/queue-5.13/io_uring-only-assign-io_uring_enter-sqpoll-error-in-.patch new file mode 100644 index 00000000000..526b2719a01 --- /dev/null +++ b/queue-5.13/io_uring-only-assign-io_uring_enter-sqpoll-error-in-.patch @@ -0,0 +1,49 @@ +From ecbbeca9362ae9b584d56d7ec907e65381c3f181 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Aug 2021 09:04:40 -0600 +Subject: io_uring: only assign io_uring_enter() SQPOLL error in actual error + case + +From: Jens Axboe + +[ Upstream commit 21f965221e7c42609521342403e8fb91b8b3e76e ] + +If an SQPOLL based ring is newly created and an application issues an +io_uring_enter(2) system call on it, then we can return a spurious +-EOWNERDEAD error. This happens because there's nothing to submit, and +if the caller doesn't specify any other action, the initial error +assignment of -EOWNERDEAD never gets overwritten. This causes us to +return it directly, even if it isn't valid. + +Move the error assignment into the actual failure case instead. + +Cc: stable@vger.kernel.org +Fixes: d9d05217cb69 ("io_uring: stop SQPOLL submit on creator's death") +Reported-by: Sherlock Holo sherlockya@gmail.com +Link: https://github.com/axboe/liburing/issues/413 +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 00746109e0c8..221b80ae831f 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -9362,9 +9362,10 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit, + if (ctx->flags & IORING_SETUP_SQPOLL) { + io_cqring_overflow_flush(ctx, false); + +- ret = -EOWNERDEAD; +- if (unlikely(ctx->sq_data->thread == NULL)) ++ if (unlikely(ctx->sq_data->thread == NULL)) { ++ ret = -EOWNERDEAD; + goto out; ++ } + if (flags & IORING_ENTER_SQ_WAKEUP) + wake_up(&ctx->sq_data->wait); + if (flags & IORING_ENTER_SQ_WAIT) { +-- +2.30.2 + diff --git a/queue-5.13/iommu-dma-fix-leak-in-non-contiguous-api.patch b/queue-5.13/iommu-dma-fix-leak-in-non-contiguous-api.patch new file mode 100644 index 00000000000..b69e66f7fde --- /dev/null +++ b/queue-5.13/iommu-dma-fix-leak-in-non-contiguous-api.patch @@ -0,0 +1,50 @@ +From 6182250028c2c601bca089f06964074d54618290 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jul 2021 22:05:52 -0300 +Subject: iommu/dma: Fix leak in non-contiguous API + +From: Ezequiel Garcia + +[ Upstream commit 0fbea680540108b09db7b26d9f4d24236d58a6ad ] + +Currently, iommu_dma_alloc_noncontiguous() allocates a +struct dma_sgt_handle object to hold some state needed for +iommu_dma_free_noncontiguous(). + +However, the handle is neither freed nor returned explicitly by +the ->alloc_noncontiguous method, and therefore seems leaked. +This was found by code inspection, so please review carefully and test. + +As a side note, it appears the struct dma_sgt_handle type is exposed +to users of the DMA-API by linux/dma-map-ops.h, but is has no users +or functions returning the type explicitly. + +This may indicate it's a good idea to move the struct dma_sgt_handle type +to drivers/iommu/dma-iommu.c. The decision is left to maintainers :-) + +Cc: stable@vger.kernel.org +Fixes: e817ee5f2f95c ("dma-iommu: implement ->alloc_noncontiguous") +Signed-off-by: Ezequiel Garcia +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20210723010552.50969-1-ezequiel@collabora.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/dma-iommu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c +index 5d96fcc45fec..698707699327 100644 +--- a/drivers/iommu/dma-iommu.c ++++ b/drivers/iommu/dma-iommu.c +@@ -768,6 +768,7 @@ static void iommu_dma_free_noncontiguous(struct device *dev, size_t size, + __iommu_dma_unmap(dev, sgt->sgl->dma_address, size); + __iommu_dma_free_pages(sh->pages, PAGE_ALIGN(size) >> PAGE_SHIFT); + sg_free_table(&sh->sgt); ++ kfree(sh); + } + #endif /* CONFIG_DMA_REMAP */ + +-- +2.30.2 + diff --git a/queue-5.13/ipack-tpci200-fix-many-double-free-issues-in-tpci200.patch b/queue-5.13/ipack-tpci200-fix-many-double-free-issues-in-tpci200.patch new file mode 100644 index 00000000000..77b3bdb9565 --- /dev/null +++ b/queue-5.13/ipack-tpci200-fix-many-double-free-issues-in-tpci200.patch @@ -0,0 +1,140 @@ +From aba13e1c50afecc829e661fbbfb2fcd92db127d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 18:03:18 +0800 +Subject: ipack: tpci200: fix many double free issues in tpci200_pci_probe + +From: Dongliang Mu + +[ Upstream commit 57a1681095f912239c7fb4d66683ab0425973838 ] + +The function tpci200_register called by tpci200_install and +tpci200_unregister called by tpci200_uninstall are in pair. However, +tpci200_unregister has some cleanup operations not in the +tpci200_register. So the error handling code of tpci200_pci_probe has +many different double free issues. + +Fix this problem by moving those cleanup operations out of +tpci200_unregister, into tpci200_pci_remove and reverting +the previous commit 9272e5d0028d ("ipack/carriers/tpci200: +Fix a double free in tpci200_pci_probe"). + +Fixes: 9272e5d0028d ("ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe") +Cc: stable@vger.kernel.org +Reported-by: Dongliang Mu +Signed-off-by: Dongliang Mu +Link: https://lore.kernel.org/r/20210810100323.3938492-1-mudongliangabcd@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/ipack/carriers/tpci200.c | 36 ++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/drivers/ipack/carriers/tpci200.c b/drivers/ipack/carriers/tpci200.c +index e1822e87ec3d..33a1b17a2628 100644 +--- a/drivers/ipack/carriers/tpci200.c ++++ b/drivers/ipack/carriers/tpci200.c +@@ -91,16 +91,13 @@ static void tpci200_unregister(struct tpci200_board *tpci200) + free_irq(tpci200->info->pdev->irq, (void *) tpci200); + + pci_iounmap(tpci200->info->pdev, tpci200->info->interface_regs); +- pci_iounmap(tpci200->info->pdev, tpci200->info->cfg_regs); + + pci_release_region(tpci200->info->pdev, TPCI200_IP_INTERFACE_BAR); + pci_release_region(tpci200->info->pdev, TPCI200_IO_ID_INT_SPACES_BAR); + pci_release_region(tpci200->info->pdev, TPCI200_MEM16_SPACE_BAR); + pci_release_region(tpci200->info->pdev, TPCI200_MEM8_SPACE_BAR); +- pci_release_region(tpci200->info->pdev, TPCI200_CFG_MEM_BAR); + + pci_disable_device(tpci200->info->pdev); +- pci_dev_put(tpci200->info->pdev); + } + + static void tpci200_enable_irq(struct tpci200_board *tpci200, +@@ -529,7 +526,7 @@ static int tpci200_pci_probe(struct pci_dev *pdev, + tpci200->info = kzalloc(sizeof(struct tpci200_infos), GFP_KERNEL); + if (!tpci200->info) { + ret = -ENOMEM; +- goto out_err_info; ++ goto err_tpci200; + } + + pci_dev_get(pdev); +@@ -540,7 +537,7 @@ static int tpci200_pci_probe(struct pci_dev *pdev, + if (ret) { + dev_err(&pdev->dev, "Failed to allocate PCI Configuration Memory"); + ret = -EBUSY; +- goto out_err_pci_request; ++ goto err_tpci200_info; + } + tpci200->info->cfg_regs = ioremap( + pci_resource_start(pdev, TPCI200_CFG_MEM_BAR), +@@ -548,7 +545,7 @@ static int tpci200_pci_probe(struct pci_dev *pdev, + if (!tpci200->info->cfg_regs) { + dev_err(&pdev->dev, "Failed to map PCI Configuration Memory"); + ret = -EFAULT; +- goto out_err_ioremap; ++ goto err_request_region; + } + + /* Disable byte swapping for 16 bit IP module access. This will ensure +@@ -571,7 +568,7 @@ static int tpci200_pci_probe(struct pci_dev *pdev, + if (ret) { + dev_err(&pdev->dev, "error during tpci200 install\n"); + ret = -ENODEV; +- goto out_err_install; ++ goto err_cfg_regs; + } + + /* Register the carrier in the industry pack bus driver */ +@@ -583,7 +580,7 @@ static int tpci200_pci_probe(struct pci_dev *pdev, + dev_err(&pdev->dev, + "error registering the carrier on ipack driver\n"); + ret = -EFAULT; +- goto out_err_bus_register; ++ goto err_tpci200_install; + } + + /* save the bus number given by ipack to logging purpose */ +@@ -594,19 +591,16 @@ static int tpci200_pci_probe(struct pci_dev *pdev, + tpci200_create_device(tpci200, i); + return 0; + +-out_err_bus_register: ++err_tpci200_install: + tpci200_uninstall(tpci200); +- /* tpci200->info->cfg_regs is unmapped in tpci200_uninstall */ +- tpci200->info->cfg_regs = NULL; +-out_err_install: +- if (tpci200->info->cfg_regs) +- iounmap(tpci200->info->cfg_regs); +-out_err_ioremap: ++err_cfg_regs: ++ pci_iounmap(tpci200->info->pdev, tpci200->info->cfg_regs); ++err_request_region: + pci_release_region(pdev, TPCI200_CFG_MEM_BAR); +-out_err_pci_request: +- pci_dev_put(pdev); ++err_tpci200_info: + kfree(tpci200->info); +-out_err_info: ++ pci_dev_put(pdev); ++err_tpci200: + kfree(tpci200); + return ret; + } +@@ -616,6 +610,12 @@ static void __tpci200_pci_remove(struct tpci200_board *tpci200) + ipack_bus_unregister(tpci200->info->ipack_bus); + tpci200_uninstall(tpci200); + ++ pci_iounmap(tpci200->info->pdev, tpci200->info->cfg_regs); ++ ++ pci_release_region(tpci200->info->pdev, TPCI200_CFG_MEM_BAR); ++ ++ pci_dev_put(tpci200->info->pdev); ++ + kfree(tpci200->info); + kfree(tpci200); + } +-- +2.30.2 + diff --git a/queue-5.13/ipack-tpci200-fix-memory-leak-in-the-tpci200_registe.patch b/queue-5.13/ipack-tpci200-fix-memory-leak-in-the-tpci200_registe.patch new file mode 100644 index 00000000000..2ac96f7a3a0 --- /dev/null +++ b/queue-5.13/ipack-tpci200-fix-memory-leak-in-the-tpci200_registe.patch @@ -0,0 +1,107 @@ +From 273085b7dbd9b6a58422034ac15a06509c13e535 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 18:03:19 +0800 +Subject: ipack: tpci200: fix memory leak in the tpci200_register + +From: Dongliang Mu + +[ Upstream commit 50f05bd114a46a74726e432bf81079d3f13a55b7 ] + +The error handling code in tpci200_register does not free interface_regs +allocated by ioremap and the current version of error handling code is +problematic. + +Fix this by refactoring the error handling code and free interface_regs +when necessary. + +Fixes: 43986798fd50 ("ipack: add error handling for ioremap_nocache") +Cc: stable@vger.kernel.org +Reported-by: Dongliang Mu +Signed-off-by: Dongliang Mu +Link: https://lore.kernel.org/r/20210810100323.3938492-2-mudongliangabcd@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/ipack/carriers/tpci200.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/drivers/ipack/carriers/tpci200.c b/drivers/ipack/carriers/tpci200.c +index 33a1b17a2628..c1098f40e03f 100644 +--- a/drivers/ipack/carriers/tpci200.c ++++ b/drivers/ipack/carriers/tpci200.c +@@ -256,7 +256,7 @@ static int tpci200_register(struct tpci200_board *tpci200) + "(bn 0x%X, sn 0x%X) failed to allocate PCI resource for BAR 2 !", + tpci200->info->pdev->bus->number, + tpci200->info->pdev->devfn); +- goto out_disable_pci; ++ goto err_disable_device; + } + + /* Request IO ID INT space (Bar 3) */ +@@ -268,7 +268,7 @@ static int tpci200_register(struct tpci200_board *tpci200) + "(bn 0x%X, sn 0x%X) failed to allocate PCI resource for BAR 3 !", + tpci200->info->pdev->bus->number, + tpci200->info->pdev->devfn); +- goto out_release_ip_space; ++ goto err_ip_interface_bar; + } + + /* Request MEM8 space (Bar 5) */ +@@ -279,7 +279,7 @@ static int tpci200_register(struct tpci200_board *tpci200) + "(bn 0x%X, sn 0x%X) failed to allocate PCI resource for BAR 5!", + tpci200->info->pdev->bus->number, + tpci200->info->pdev->devfn); +- goto out_release_ioid_int_space; ++ goto err_io_id_int_spaces_bar; + } + + /* Request MEM16 space (Bar 4) */ +@@ -290,7 +290,7 @@ static int tpci200_register(struct tpci200_board *tpci200) + "(bn 0x%X, sn 0x%X) failed to allocate PCI resource for BAR 4!", + tpci200->info->pdev->bus->number, + tpci200->info->pdev->devfn); +- goto out_release_mem8_space; ++ goto err_mem8_space_bar; + } + + /* Map internal tpci200 driver user space */ +@@ -304,7 +304,7 @@ static int tpci200_register(struct tpci200_board *tpci200) + tpci200->info->pdev->bus->number, + tpci200->info->pdev->devfn); + res = -ENOMEM; +- goto out_release_mem8_space; ++ goto err_mem16_space_bar; + } + + /* Initialize lock that protects interface_regs */ +@@ -343,18 +343,22 @@ static int tpci200_register(struct tpci200_board *tpci200) + "(bn 0x%X, sn 0x%X) unable to register IRQ !", + tpci200->info->pdev->bus->number, + tpci200->info->pdev->devfn); +- goto out_release_ioid_int_space; ++ goto err_interface_regs; + } + + return 0; + +-out_release_mem8_space: ++err_interface_regs: ++ pci_iounmap(tpci200->info->pdev, tpci200->info->interface_regs); ++err_mem16_space_bar: ++ pci_release_region(tpci200->info->pdev, TPCI200_MEM16_SPACE_BAR); ++err_mem8_space_bar: + pci_release_region(tpci200->info->pdev, TPCI200_MEM8_SPACE_BAR); +-out_release_ioid_int_space: ++err_io_id_int_spaces_bar: + pci_release_region(tpci200->info->pdev, TPCI200_IO_ID_INT_SPACES_BAR); +-out_release_ip_space: ++err_ip_interface_bar: + pci_release_region(tpci200->info->pdev, TPCI200_IP_INTERFACE_BAR); +-out_disable_pci: ++err_disable_device: + pci_disable_device(tpci200->info->pdev); + return res; + } +-- +2.30.2 + diff --git a/queue-5.13/kfence-fix-is_kfence_address-for-addresses-below-kfe.patch b/queue-5.13/kfence-fix-is_kfence_address-for-addresses-below-kfe.patch new file mode 100644 index 00000000000..5b3808ed926 --- /dev/null +++ b/queue-5.13/kfence-fix-is_kfence_address-for-addresses-below-kfe.patch @@ -0,0 +1,57 @@ +From 08a26464dc770d6e5ac68e668160a30c62aa268a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 19:04:30 -0700 +Subject: kfence: fix is_kfence_address() for addresses below KFENCE_POOL_SIZE + +From: Marco Elver + +[ Upstream commit a7cb5d23eaea148f8582229846f8dfff192f05c3 ] + +Originally the addr != NULL check was meant to take care of the case +where __kfence_pool == NULL (KFENCE is disabled). However, this does +not work for addresses where addr > 0 && addr < KFENCE_POOL_SIZE. + +This can be the case on NULL-deref where addr > 0 && addr < PAGE_SIZE or +any other faulting access with addr < KFENCE_POOL_SIZE. While the +kernel would likely crash, the stack traces and report might be +confusing due to double faults upon KFENCE's attempt to unprotect such +an address. + +Fix it by just checking that __kfence_pool != NULL instead. + +Link: https://lkml.kernel.org/r/20210818130300.2482437-1-elver@google.com +Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure") +Signed-off-by: Marco Elver +Reported-by: Kuan-Ying Lee +Acked-by: Alexander Potapenko +Cc: Dmitry Vyukov +Cc: [5.12+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/kfence.h | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/include/linux/kfence.h b/include/linux/kfence.h +index a70d1ea03532..3fe6dd8a18c1 100644 +--- a/include/linux/kfence.h ++++ b/include/linux/kfence.h +@@ -51,10 +51,11 @@ extern atomic_t kfence_allocation_gate; + static __always_inline bool is_kfence_address(const void *addr) + { + /* +- * The non-NULL check is required in case the __kfence_pool pointer was +- * never initialized; keep it in the slow-path after the range-check. ++ * The __kfence_pool != NULL check is required to deal with the case ++ * where __kfence_pool == NULL && addr < KFENCE_POOL_SIZE. Keep it in ++ * the slow-path after the range-check! + */ +- return unlikely((unsigned long)((char *)addr - __kfence_pool) < KFENCE_POOL_SIZE && addr); ++ return unlikely((unsigned long)((char *)addr - __kfence_pool) < KFENCE_POOL_SIZE && __kfence_pool); + } + + /** +-- +2.30.2 + diff --git a/queue-5.13/mm-hwpoison-make-get_hwpoison_page-call-get_any_page.patch b/queue-5.13/mm-hwpoison-make-get_hwpoison_page-call-get_any_page.patch new file mode 100644 index 00000000000..76ec4bfe052 --- /dev/null +++ b/queue-5.13/mm-hwpoison-make-get_hwpoison_page-call-get_any_page.patch @@ -0,0 +1,319 @@ +From 266084e6da40fe6941a4cfa65d4b812cb5d16a26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 19:43:17 -0700 +Subject: mm,hwpoison: make get_hwpoison_page() call get_any_page() + +From: Naoya Horiguchi + +[ Upstream commit 0ed950d1f28142ccd9a9453c60df87853530d778 ] + +__get_hwpoison_page() could fail to grab refcount by some race condition, +so it's helpful if we can handle it by retrying. We already have retry +logic, so make get_hwpoison_page() call get_any_page() when called from +memory_failure(). + +As a result, get_hwpoison_page() can return negative values (i.e. error +code), so some callers are also changed to handle error cases. +soft_offline_page() does nothing for -EBUSY because that's enough and +users in userspace can easily handle it. unpoison_memory() is also +unchanged because it's broken and need thorough fixes (will be done +later). + +Link: https://lkml.kernel.org/r/20210603233632.2964832-3-nao.horiguchi@gmail.com +Signed-off-by: Naoya Horiguchi +Cc: Oscar Salvador +Cc: Muchun Song +Cc: Mike Kravetz +Cc: Michal Hocko +Cc: Tony Luck +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/hugetlb.c | 2 + + mm/memory-failure.c | 194 +++++++++++++++++++++++++------------------- + 2 files changed, 111 insertions(+), 85 deletions(-) + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 8363f737d5ad..6e35481a0a6b 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -5930,6 +5930,8 @@ int get_hwpoison_huge_page(struct page *page, bool *hugetlb) + *hugetlb = true; + if (HPageFreed(page) || HPageMigratable(page)) + ret = get_page_unless_zero(page); ++ else ++ ret = -EBUSY; + } + spin_unlock_irq(&hugetlb_lock); + return ret; +diff --git a/mm/memory-failure.c b/mm/memory-failure.c +index 6f5f78885ab4..18e83150194a 100644 +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -974,13 +974,6 @@ static inline bool HWPoisonHandlable(struct page *page) + return PageLRU(page) || __PageMovable(page); + } + +-/** +- * __get_hwpoison_page() - Get refcount for memory error handling: +- * @page: raw error page (hit by memory error) +- * +- * Return: return 0 if failed to grab the refcount, otherwise true (some +- * non-zero value.) +- */ + static int __get_hwpoison_page(struct page *page) + { + struct page *head = compound_head(page); +@@ -1025,15 +1018,6 @@ static int __get_hwpoison_page(struct page *page) + return 0; + } + +-/* +- * Safely get reference count of an arbitrary page. +- * +- * Returns 0 for a free page, 1 for an in-use page, +- * -EIO for a page-type we cannot handle and -EBUSY if we raced with an +- * allocation. +- * We only incremented refcount in case the page was already in-use and it +- * is a known type we can handle. +- */ + static int get_any_page(struct page *p, unsigned long flags) + { + int ret = 0, pass = 0; +@@ -1043,50 +1027,77 @@ static int get_any_page(struct page *p, unsigned long flags) + count_increased = true; + + try_again: +- if (!count_increased && !__get_hwpoison_page(p)) { +- if (page_count(p)) { +- /* We raced with an allocation, retry. */ +- if (pass++ < 3) +- goto try_again; +- ret = -EBUSY; +- } else if (!PageHuge(p) && !is_free_buddy_page(p)) { +- /* We raced with put_page, retry. */ ++ if (!count_increased) { ++ ret = __get_hwpoison_page(p); ++ if (!ret) { ++ if (page_count(p)) { ++ /* We raced with an allocation, retry. */ ++ if (pass++ < 3) ++ goto try_again; ++ ret = -EBUSY; ++ } else if (!PageHuge(p) && !is_free_buddy_page(p)) { ++ /* We raced with put_page, retry. */ ++ if (pass++ < 3) ++ goto try_again; ++ ret = -EIO; ++ } ++ goto out; ++ } else if (ret == -EBUSY) { ++ /* We raced with freeing huge page to buddy, retry. */ + if (pass++ < 3) + goto try_again; +- ret = -EIO; ++ goto out; + } ++ } ++ ++ if (PageHuge(p) || HWPoisonHandlable(p)) { ++ ret = 1; + } else { +- if (PageHuge(p) || HWPoisonHandlable(p)) { +- ret = 1; +- } else { +- /* +- * A page we cannot handle. Check whether we can turn +- * it into something we can handle. +- */ +- if (pass++ < 3) { +- put_page(p); +- shake_page(p, 1); +- count_increased = false; +- goto try_again; +- } ++ /* ++ * A page we cannot handle. Check whether we can turn ++ * it into something we can handle. ++ */ ++ if (pass++ < 3) { + put_page(p); +- ret = -EIO; ++ shake_page(p, 1); ++ count_increased = false; ++ goto try_again; + } ++ put_page(p); ++ ret = -EIO; + } +- ++out: + return ret; + } + +-static int get_hwpoison_page(struct page *p, unsigned long flags, +- enum mf_flags ctxt) ++/** ++ * get_hwpoison_page() - Get refcount for memory error handling ++ * @p: Raw error page (hit by memory error) ++ * @flags: Flags controlling behavior of error handling ++ * ++ * get_hwpoison_page() takes a page refcount of an error page to handle memory ++ * error on it, after checking that the error page is in a well-defined state ++ * (defined as a page-type we can successfully handle the memor error on it, ++ * such as LRU page and hugetlb page). ++ * ++ * Memory error handling could be triggered at any time on any type of page, ++ * so it's prone to race with typical memory management lifecycle (like ++ * allocation and free). So to avoid such races, get_hwpoison_page() takes ++ * extra care for the error page's state (as done in __get_hwpoison_page()), ++ * and has some retry logic in get_any_page(). ++ * ++ * Return: 0 on failure, ++ * 1 on success for in-use pages in a well-defined state, ++ * -EIO for pages on which we can not handle memory errors, ++ * -EBUSY when get_hwpoison_page() has raced with page lifecycle ++ * operations like allocation and free. ++ */ ++static int get_hwpoison_page(struct page *p, unsigned long flags) + { + int ret; + + zone_pcp_disable(page_zone(p)); +- if (ctxt == MF_SOFT_OFFLINE) +- ret = get_any_page(p, flags); +- else +- ret = __get_hwpoison_page(p); ++ ret = get_any_page(p, flags); + zone_pcp_enable(page_zone(p)); + + return ret; +@@ -1272,27 +1283,33 @@ static int memory_failure_hugetlb(unsigned long pfn, int flags) + + num_poisoned_pages_inc(); + +- if (!(flags & MF_COUNT_INCREASED) && !get_hwpoison_page(p, flags, 0)) { +- /* +- * Check "filter hit" and "race with other subpage." +- */ +- lock_page(head); +- if (PageHWPoison(head)) { +- if ((hwpoison_filter(p) && TestClearPageHWPoison(p)) +- || (p != head && TestSetPageHWPoison(head))) { +- num_poisoned_pages_dec(); +- unlock_page(head); +- return 0; ++ if (!(flags & MF_COUNT_INCREASED)) { ++ res = get_hwpoison_page(p, flags); ++ if (!res) { ++ /* ++ * Check "filter hit" and "race with other subpage." ++ */ ++ lock_page(head); ++ if (PageHWPoison(head)) { ++ if ((hwpoison_filter(p) && TestClearPageHWPoison(p)) ++ || (p != head && TestSetPageHWPoison(head))) { ++ num_poisoned_pages_dec(); ++ unlock_page(head); ++ return 0; ++ } + } ++ unlock_page(head); ++ res = MF_FAILED; ++ if (!dissolve_free_huge_page(p) && take_page_off_buddy(p)) { ++ page_ref_inc(p); ++ res = MF_RECOVERED; ++ } ++ action_result(pfn, MF_MSG_FREE_HUGE, res); ++ return res == MF_RECOVERED ? 0 : -EBUSY; ++ } else if (res < 0) { ++ action_result(pfn, MF_MSG_UNKNOWN, MF_IGNORED); ++ return -EBUSY; + } +- unlock_page(head); +- res = MF_FAILED; +- if (!dissolve_free_huge_page(p) && take_page_off_buddy(p)) { +- page_ref_inc(p); +- res = MF_RECOVERED; +- } +- action_result(pfn, MF_MSG_FREE_HUGE, res); +- return res == MF_RECOVERED ? 0 : -EBUSY; + } + + lock_page(head); +@@ -1493,28 +1510,35 @@ int memory_failure(unsigned long pfn, int flags) + * In fact it's dangerous to directly bump up page count from 0, + * that may make page_ref_freeze()/page_ref_unfreeze() mismatch. + */ +- if (!(flags & MF_COUNT_INCREASED) && !get_hwpoison_page(p, flags, 0)) { +- if (is_free_buddy_page(p)) { +- if (take_page_off_buddy(p)) { +- page_ref_inc(p); +- res = MF_RECOVERED; +- } else { +- /* We lost the race, try again */ +- if (retry) { +- ClearPageHWPoison(p); +- num_poisoned_pages_dec(); +- retry = false; +- goto try_again; ++ if (!(flags & MF_COUNT_INCREASED)) { ++ res = get_hwpoison_page(p, flags); ++ if (!res) { ++ if (is_free_buddy_page(p)) { ++ if (take_page_off_buddy(p)) { ++ page_ref_inc(p); ++ res = MF_RECOVERED; ++ } else { ++ /* We lost the race, try again */ ++ if (retry) { ++ ClearPageHWPoison(p); ++ num_poisoned_pages_dec(); ++ retry = false; ++ goto try_again; ++ } ++ res = MF_FAILED; + } +- res = MF_FAILED; ++ action_result(pfn, MF_MSG_BUDDY, res); ++ res = res == MF_RECOVERED ? 0 : -EBUSY; ++ } else { ++ action_result(pfn, MF_MSG_KERNEL_HIGH_ORDER, MF_IGNORED); ++ res = -EBUSY; + } +- action_result(pfn, MF_MSG_BUDDY, res); +- res = res == MF_RECOVERED ? 0 : -EBUSY; +- } else { +- action_result(pfn, MF_MSG_KERNEL_HIGH_ORDER, MF_IGNORED); ++ goto unlock_mutex; ++ } else if (res < 0) { ++ action_result(pfn, MF_MSG_UNKNOWN, MF_IGNORED); + res = -EBUSY; ++ goto unlock_mutex; + } +- goto unlock_mutex; + } + + if (PageTransHuge(hpage)) { +@@ -1792,7 +1816,7 @@ int unpoison_memory(unsigned long pfn) + return 0; + } + +- if (!get_hwpoison_page(p, flags, 0)) { ++ if (!get_hwpoison_page(p, flags)) { + if (TestClearPageHWPoison(p)) + num_poisoned_pages_dec(); + unpoison_pr_info("Unpoison: Software-unpoisoned free page %#lx\n", +@@ -2008,7 +2032,7 @@ int soft_offline_page(unsigned long pfn, int flags) + + retry: + get_online_mems(); +- ret = get_hwpoison_page(page, flags, MF_SOFT_OFFLINE); ++ ret = get_hwpoison_page(page, flags); + put_online_mems(); + + if (ret > 0) { +-- +2.30.2 + diff --git a/queue-5.13/mm-hwpoison-retry-with-shake_page-for-unhandlable-pa.patch b/queue-5.13/mm-hwpoison-retry-with-shake_page-for-unhandlable-pa.patch new file mode 100644 index 00000000000..dcf9d06db89 --- /dev/null +++ b/queue-5.13/mm-hwpoison-retry-with-shake_page-for-unhandlable-pa.patch @@ -0,0 +1,71 @@ +From 73c15dd5e5fa65e102f864b2934636d456afe237 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 19:04:24 -0700 +Subject: mm/hwpoison: retry with shake_page() for unhandlable pages + +From: Naoya Horiguchi + +[ Upstream commit fcc00621d88b274b5dffd8daeea71d0e4c28b84e ] + +HWPoisonHandlable() sometimes returns false for typical user pages due +to races with average memory events like transfers over LRU lists. This +causes failures in hwpoison handling. + +There's retry code for such a case but does not work because the retry +loop reaches the retry limit too quickly before the page settles down to +handlable state. Let get_any_page() call shake_page() to fix it. + +[naoya.horiguchi@nec.com: get_any_page(): return -EIO when retry limit reached] + Link: https://lkml.kernel.org/r/20210819001958.2365157-1-naoya.horiguchi@linux.dev + +Link: https://lkml.kernel.org/r/20210817053703.2267588-1-naoya.horiguchi@linux.dev +Fixes: 25182f05ffed ("mm,hwpoison: fix race with hugetlb page allocation") +Signed-off-by: Naoya Horiguchi +Reported-by: Tony Luck +Reviewed-by: Yang Shi +Cc: Oscar Salvador +Cc: Muchun Song +Cc: Mike Kravetz +Cc: Michal Hocko +Cc: [5.13+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memory-failure.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/mm/memory-failure.c b/mm/memory-failure.c +index 18e83150194a..624763fdecc5 100644 +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -990,7 +990,7 @@ static int __get_hwpoison_page(struct page *page) + * unexpected races caused by taking a page refcount. + */ + if (!HWPoisonHandlable(head)) +- return 0; ++ return -EBUSY; + + if (PageTransHuge(head)) { + /* +@@ -1043,9 +1043,15 @@ static int get_any_page(struct page *p, unsigned long flags) + } + goto out; + } else if (ret == -EBUSY) { +- /* We raced with freeing huge page to buddy, retry. */ +- if (pass++ < 3) ++ /* ++ * We raced with (possibly temporary) unhandlable ++ * page, retry. ++ */ ++ if (pass++ < 3) { ++ shake_page(p, 1); + goto try_again; ++ } ++ ret = -EIO; + goto out; + } + } +-- +2.30.2 + diff --git a/queue-5.13/mm-memcontrol-fix-occasional-ooms-due-to-proportiona.patch b/queue-5.13/mm-memcontrol-fix-occasional-ooms-due-to-proportiona.patch new file mode 100644 index 00000000000..ec19c7aad9b --- /dev/null +++ b/queue-5.13/mm-memcontrol-fix-occasional-ooms-due-to-proportiona.patch @@ -0,0 +1,164 @@ +From 469a2cce9e8880ef4c199737001dbd18c88548c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 19:04:21 -0700 +Subject: mm: memcontrol: fix occasional OOMs due to proportional memory.low + reclaim + +From: Johannes Weiner + +[ Upstream commit f56ce412a59d7d938b81de8878faef128812482c ] + +We've noticed occasional OOM killing when memory.low settings are in +effect for cgroups. This is unexpected and undesirable as memory.low is +supposed to express non-OOMing memory priorities between cgroups. + +The reason for this is proportional memory.low reclaim. When cgroups +are below their memory.low threshold, reclaim passes them over in the +first round, and then retries if it couldn't find pages anywhere else. +But when cgroups are slightly above their memory.low setting, page scan +force is scaled down and diminished in proportion to the overage, to the +point where it can cause reclaim to fail as well - only in that case we +currently don't retry, and instead trigger OOM. + +To fix this, hook proportional reclaim into the same retry logic we have +in place for when cgroups are skipped entirely. This way if reclaim +fails and some cgroups were scanned with diminished pressure, we'll try +another full-force cycle before giving up and OOMing. + +[akpm@linux-foundation.org: coding-style fixes] + +Link: https://lkml.kernel.org/r/20210817180506.220056-1-hannes@cmpxchg.org +Fixes: 9783aa9917f8 ("mm, memcg: proportional memory.{low,min} reclaim") +Signed-off-by: Johannes Weiner +Reported-by: Leon Yang +Reviewed-by: Rik van Riel +Reviewed-by: Shakeel Butt +Acked-by: Roman Gushchin +Acked-by: Chris Down +Acked-by: Michal Hocko +Cc: [5.4+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/memcontrol.h | 29 +++++++++++++++-------------- + mm/vmscan.c | 27 +++++++++++++++++++-------- + 2 files changed, 34 insertions(+), 22 deletions(-) + +diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h +index c193be760709..63f751faa5c1 100644 +--- a/include/linux/memcontrol.h ++++ b/include/linux/memcontrol.h +@@ -613,12 +613,15 @@ static inline bool mem_cgroup_disabled(void) + return !cgroup_subsys_enabled(memory_cgrp_subsys); + } + +-static inline unsigned long mem_cgroup_protection(struct mem_cgroup *root, +- struct mem_cgroup *memcg, +- bool in_low_reclaim) ++static inline void mem_cgroup_protection(struct mem_cgroup *root, ++ struct mem_cgroup *memcg, ++ unsigned long *min, ++ unsigned long *low) + { ++ *min = *low = 0; ++ + if (mem_cgroup_disabled()) +- return 0; ++ return; + + /* + * There is no reclaim protection applied to a targeted reclaim. +@@ -654,13 +657,10 @@ static inline unsigned long mem_cgroup_protection(struct mem_cgroup *root, + * + */ + if (root == memcg) +- return 0; +- +- if (in_low_reclaim) +- return READ_ONCE(memcg->memory.emin); ++ return; + +- return max(READ_ONCE(memcg->memory.emin), +- READ_ONCE(memcg->memory.elow)); ++ *min = READ_ONCE(memcg->memory.emin); ++ *low = READ_ONCE(memcg->memory.elow); + } + + void mem_cgroup_calculate_protection(struct mem_cgroup *root, +@@ -1165,11 +1165,12 @@ static inline void memcg_memory_event_mm(struct mm_struct *mm, + { + } + +-static inline unsigned long mem_cgroup_protection(struct mem_cgroup *root, +- struct mem_cgroup *memcg, +- bool in_low_reclaim) ++static inline void mem_cgroup_protection(struct mem_cgroup *root, ++ struct mem_cgroup *memcg, ++ unsigned long *min, ++ unsigned long *low) + { +- return 0; ++ *min = *low = 0; + } + + static inline void mem_cgroup_calculate_protection(struct mem_cgroup *root, +diff --git a/mm/vmscan.c b/mm/vmscan.c +index 5199b9696bab..f62d81f61b56 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -100,9 +100,12 @@ struct scan_control { + unsigned int may_swap:1; + + /* +- * Cgroups are not reclaimed below their configured memory.low, +- * unless we threaten to OOM. If any cgroups are skipped due to +- * memory.low and nothing was reclaimed, go back for memory.low. ++ * Cgroup memory below memory.low is protected as long as we ++ * don't threaten to OOM. If any cgroup is reclaimed at ++ * reduced force or passed over entirely due to its memory.low ++ * setting (memcg_low_skipped), and nothing is reclaimed as a ++ * result, then go back for one more cycle that reclaims the protected ++ * memory (memcg_low_reclaim) to avert OOM. + */ + unsigned int memcg_low_reclaim:1; + unsigned int memcg_low_skipped:1; +@@ -2521,15 +2524,14 @@ static void get_scan_count(struct lruvec *lruvec, struct scan_control *sc, + for_each_evictable_lru(lru) { + int file = is_file_lru(lru); + unsigned long lruvec_size; ++ unsigned long low, min; + unsigned long scan; +- unsigned long protection; + + lruvec_size = lruvec_lru_size(lruvec, lru, sc->reclaim_idx); +- protection = mem_cgroup_protection(sc->target_mem_cgroup, +- memcg, +- sc->memcg_low_reclaim); ++ mem_cgroup_protection(sc->target_mem_cgroup, memcg, ++ &min, &low); + +- if (protection) { ++ if (min || low) { + /* + * Scale a cgroup's reclaim pressure by proportioning + * its current usage to its memory.low or memory.min +@@ -2560,6 +2562,15 @@ static void get_scan_count(struct lruvec *lruvec, struct scan_control *sc, + * hard protection. + */ + unsigned long cgroup_size = mem_cgroup_size(memcg); ++ unsigned long protection; ++ ++ /* memory.low scaling, make sure we retry before OOM */ ++ if (!sc->memcg_low_reclaim && low > min) { ++ protection = low; ++ sc->memcg_low_skipped = 1; ++ } else { ++ protection = min; ++ } + + /* Avoid TOCTOU with earlier protection check */ + cgroup_size = max(cgroup_size, protection); +-- +2.30.2 + diff --git a/queue-5.13/mmc-dw_mmc-fix-hang-on-data-crc-error.patch b/queue-5.13/mmc-dw_mmc-fix-hang-on-data-crc-error.patch new file mode 100644 index 00000000000..60c42d295f2 --- /dev/null +++ b/queue-5.13/mmc-dw_mmc-fix-hang-on-data-crc-error.patch @@ -0,0 +1,73 @@ +From 377652179653f5e80ae5bf842df2597647eb1287 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 12:22:32 +0200 +Subject: mmc: dw_mmc: Fix hang on data CRC error + +From: Vincent Whitchurch + +[ Upstream commit 25f8203b4be1937c4939bb98623e67dcfd7da4d1 ] + +When a Data CRC interrupt is received, the driver disables the DMA, then +sends the stop/abort command and then waits for Data Transfer Over. + +However, sometimes, when a data CRC error is received in the middle of a +multi-block write transfer, the Data Transfer Over interrupt is never +received, and the driver hangs and never completes the request. + +The driver sets the BMOD.SWR bit (SDMMC_IDMAC_SWRESET) when stopping the +DMA, but according to the manual CMD.STOP_ABORT_CMD should be programmed +"before assertion of SWR". Do these operations in the recommended +order. With this change the Data Transfer Over is always received +correctly in my tests. + +Signed-off-by: Vincent Whitchurch +Reviewed-by: Jaehoon Chung +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210630102232.16011-1-vincent.whitchurch@axis.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/dw_mmc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c +index d333130d1531..c3229d8c7041 100644 +--- a/drivers/mmc/host/dw_mmc.c ++++ b/drivers/mmc/host/dw_mmc.c +@@ -2018,8 +2018,8 @@ static void dw_mci_tasklet_func(struct tasklet_struct *t) + continue; + } + +- dw_mci_stop_dma(host); + send_stop_abort(host, data); ++ dw_mci_stop_dma(host); + state = STATE_SENDING_STOP; + break; + } +@@ -2043,10 +2043,10 @@ static void dw_mci_tasklet_func(struct tasklet_struct *t) + */ + if (test_and_clear_bit(EVENT_DATA_ERROR, + &host->pending_events)) { +- dw_mci_stop_dma(host); + if (!(host->data_status & (SDMMC_INT_DRTO | + SDMMC_INT_EBE))) + send_stop_abort(host, data); ++ dw_mci_stop_dma(host); + state = STATE_DATA_ERROR; + break; + } +@@ -2079,10 +2079,10 @@ static void dw_mci_tasklet_func(struct tasklet_struct *t) + */ + if (test_and_clear_bit(EVENT_DATA_ERROR, + &host->pending_events)) { +- dw_mci_stop_dma(host); + if (!(host->data_status & (SDMMC_INT_DRTO | + SDMMC_INT_EBE))) + send_stop_abort(host, data); ++ dw_mci_stop_dma(host); + state = STATE_DATA_ERROR; + break; + } +-- +2.30.2 + diff --git a/queue-5.13/mmc-mmci-stm32-check-when-the-voltage-switch-procedu.patch b/queue-5.13/mmc-mmci-stm32-check-when-the-voltage-switch-procedu.patch new file mode 100644 index 00000000000..cde6900e88c --- /dev/null +++ b/queue-5.13/mmc-mmci-stm32-check-when-the-voltage-switch-procedu.patch @@ -0,0 +1,57 @@ +From 321279533ec24e0cdd9bfa686a0a0170974d2304 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 16:33:53 +0200 +Subject: mmc: mmci: stm32: Check when the voltage switch procedure should be + done + +From: Christophe Kerello + +[ Upstream commit d8e193f13b07e6c0ffaa1a999386f1989f2b4c5e ] + +If the card has not been power cycled, it may still be using 1.8V +signaling. This situation is detected in mmc_sd_init_card function and +should be handled in mmci stm32 variant. The host->pwr_reg variable is +also correctly protected with spin locks. + +Fixes: 94b94a93e355 ("mmc: mmci_sdmmc: Implement signal voltage callbacks") +Signed-off-by: Christophe Kerello +Signed-off-by: Yann Gautier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210701143353.13188-1-yann.gautier@foss.st.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/mmci_stm32_sdmmc.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/mmci_stm32_sdmmc.c b/drivers/mmc/host/mmci_stm32_sdmmc.c +index 51db30acf4dc..fdaa11f92fe6 100644 +--- a/drivers/mmc/host/mmci_stm32_sdmmc.c ++++ b/drivers/mmc/host/mmci_stm32_sdmmc.c +@@ -479,8 +479,9 @@ static int sdmmc_post_sig_volt_switch(struct mmci_host *host, + u32 status; + int ret = 0; + +- if (ios->signal_voltage == MMC_SIGNAL_VOLTAGE_180) { +- spin_lock_irqsave(&host->lock, flags); ++ spin_lock_irqsave(&host->lock, flags); ++ if (ios->signal_voltage == MMC_SIGNAL_VOLTAGE_180 && ++ host->pwr_reg & MCI_STM32_VSWITCHEN) { + mmci_write_pwrreg(host, host->pwr_reg | MCI_STM32_VSWITCH); + spin_unlock_irqrestore(&host->lock, flags); + +@@ -492,9 +493,11 @@ static int sdmmc_post_sig_volt_switch(struct mmci_host *host, + + writel_relaxed(MCI_STM32_VSWENDC | MCI_STM32_CKSTOPC, + host->base + MMCICLEAR); ++ spin_lock_irqsave(&host->lock, flags); + mmci_write_pwrreg(host, host->pwr_reg & + ~(MCI_STM32_VSWITCHEN | MCI_STM32_VSWITCH)); + } ++ spin_unlock_irqrestore(&host->lock, flags); + + return ret; + } +-- +2.30.2 + diff --git a/queue-5.13/mmc-sdhci-iproc-cap-min-clock-frequency-on-bcm2711.patch b/queue-5.13/mmc-sdhci-iproc-cap-min-clock-frequency-on-bcm2711.patch new file mode 100644 index 00000000000..3f455d89ce7 --- /dev/null +++ b/queue-5.13/mmc-sdhci-iproc-cap-min-clock-frequency-on-bcm2711.patch @@ -0,0 +1,73 @@ +From 9898db62a1c2effc073e516510cf14bbd9724112 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Aug 2021 13:06:35 +0200 +Subject: mmc: sdhci-iproc: Cap min clock frequency on BCM2711 + +From: Nicolas Saenz Julienne + +[ Upstream commit c9107dd0b851777d7e134420baf13a5c5343bc16 ] + +There is a known bug on BCM2711's SDHCI core integration where the +controller will hang when the difference between the core clock and the +bus clock is too great. Specifically this can be reproduced under the +following conditions: + +- No SD card plugged in, polling thread is running, probing cards at + 100 kHz. +- BCM2711's core clock configured at 500MHz or more. + +So set 200 kHz as the minimum clock frequency available for that board. + +For more information on the issue see this: +https://lore.kernel.org/linux-mmc/20210322185816.27582-1-nsaenz@kernel.org/T/#m11f2783a09b581da6b8a15f302625b43a6ecdeca + +Fixes: f84e411c85be ("mmc: sdhci-iproc: Add support for emmc2 of the BCM2711") +Signed-off-by: Nicolas Saenz Julienne +Signed-off-by: Stefan Wahren +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/1628334401-6577-5-git-send-email-stefan.wahren@i2se.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-iproc.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/mmc/host/sdhci-iproc.c b/drivers/mmc/host/sdhci-iproc.c +index ddeaf8e1f72f..b9eb2ec61a83 100644 +--- a/drivers/mmc/host/sdhci-iproc.c ++++ b/drivers/mmc/host/sdhci-iproc.c +@@ -173,6 +173,23 @@ static unsigned int sdhci_iproc_get_max_clock(struct sdhci_host *host) + return pltfm_host->clock; + } + ++/* ++ * There is a known bug on BCM2711's SDHCI core integration where the ++ * controller will hang when the difference between the core clock and the bus ++ * clock is too great. Specifically this can be reproduced under the following ++ * conditions: ++ * ++ * - No SD card plugged in, polling thread is running, probing cards at ++ * 100 kHz. ++ * - BCM2711's core clock configured at 500MHz or more ++ * ++ * So we set 200kHz as the minimum clock frequency available for that SoC. ++ */ ++static unsigned int sdhci_iproc_bcm2711_get_min_clock(struct sdhci_host *host) ++{ ++ return 200000; ++} ++ + static const struct sdhci_ops sdhci_iproc_ops = { + .set_clock = sdhci_set_clock, + .get_max_clock = sdhci_iproc_get_max_clock, +@@ -271,6 +288,7 @@ static const struct sdhci_ops sdhci_iproc_bcm2711_ops = { + .set_clock = sdhci_set_clock, + .set_power = sdhci_set_power_and_bus_voltage, + .get_max_clock = sdhci_iproc_get_max_clock, ++ .get_min_clock = sdhci_iproc_bcm2711_get_min_clock, + .set_bus_width = sdhci_set_bus_width, + .reset = sdhci_reset, + .set_uhs_signaling = sdhci_set_uhs_signaling, +-- +2.30.2 + diff --git a/queue-5.13/mmc-sdhci-iproc-set-sdhci_quirk_cap_clock_base_broke.patch b/queue-5.13/mmc-sdhci-iproc-set-sdhci_quirk_cap_clock_base_broke.patch new file mode 100644 index 00000000000..de245112ca6 --- /dev/null +++ b/queue-5.13/mmc-sdhci-iproc-set-sdhci_quirk_cap_clock_base_broke.patch @@ -0,0 +1,41 @@ +From 60f6318bf1778e5d2dcade10d1eebc6f1c4a76f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Aug 2021 13:06:36 +0200 +Subject: mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711 + +From: Nicolas Saenz Julienne + +[ Upstream commit 419dd626e357e89fc9c4e3863592c8b38cfe1571 ] + +The controller doesn't seem to pick-up on clock changes, so set the +SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN flag to query the clock frequency +directly from the clock. + +Fixes: f84e411c85be ("mmc: sdhci-iproc: Add support for emmc2 of the BCM2711") +Signed-off-by: Nicolas Saenz Julienne +Signed-off-by: Stefan Wahren +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/1628334401-6577-6-git-send-email-stefan.wahren@i2se.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-iproc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/sdhci-iproc.c b/drivers/mmc/host/sdhci-iproc.c +index b9eb2ec61a83..9f0eef97ebdd 100644 +--- a/drivers/mmc/host/sdhci-iproc.c ++++ b/drivers/mmc/host/sdhci-iproc.c +@@ -295,7 +295,8 @@ static const struct sdhci_ops sdhci_iproc_bcm2711_ops = { + }; + + static const struct sdhci_pltfm_data sdhci_bcm2711_pltfm_data = { +- .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12, ++ .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 | ++ SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN, + .ops = &sdhci_iproc_bcm2711_ops, + }; + +-- +2.30.2 + diff --git a/queue-5.13/mmc-sdhci-msm-update-the-software-timeout-value-for-.patch b/queue-5.13/mmc-sdhci-msm-update-the-software-timeout-value-for-.patch new file mode 100644 index 00000000000..c7bac3c24c0 --- /dev/null +++ b/queue-5.13/mmc-sdhci-msm-update-the-software-timeout-value-for-.patch @@ -0,0 +1,94 @@ +From d668fd7043c9b873f18ee8c817f65f231312f601 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 17:16:14 +0530 +Subject: mmc: sdhci-msm: Update the software timeout value for sdhc + +From: Shaik Sajida Bhanu + +[ Upstream commit 67b13f3e221ed81b46a657e2b499bf8b20162476 ] + +Whenever SDHC run at clock rate 50MHZ or below, the hardware data +timeout value will be 21.47secs, which is approx. 22secs and we have +a current software timeout value as 10secs. We have to set software +timeout value more than the hardware data timeout value to avioid seeing +the below register dumps. + +[ 332.953670] mmc2: Timeout waiting for hardware interrupt. +[ 332.959608] mmc2: sdhci: ============ SDHCI REGISTER DUMP =========== +[ 332.966450] mmc2: sdhci: Sys addr: 0x00000000 | Version: 0x00007202 +[ 332.973256] mmc2: sdhci: Blk size: 0x00000200 | Blk cnt: 0x00000001 +[ 332.980054] mmc2: sdhci: Argument: 0x00000000 | Trn mode: 0x00000027 +[ 332.986864] mmc2: sdhci: Present: 0x01f801f6 | Host ctl: 0x0000001f +[ 332.993671] mmc2: sdhci: Power: 0x00000001 | Blk gap: 0x00000000 +[ 333.000583] mmc2: sdhci: Wake-up: 0x00000000 | Clock: 0x00000007 +[ 333.007386] mmc2: sdhci: Timeout: 0x0000000e | Int stat: 0x00000000 +[ 333.014182] mmc2: sdhci: Int enab: 0x03ff100b | Sig enab: 0x03ff100b +[ 333.020976] mmc2: sdhci: ACmd stat: 0x00000000 | Slot int: 0x00000000 +[ 333.027771] mmc2: sdhci: Caps: 0x322dc8b2 | Caps_1: 0x0000808f +[ 333.034561] mmc2: sdhci: Cmd: 0x0000183a | Max curr: 0x00000000 +[ 333.041359] mmc2: sdhci: Resp[0]: 0x00000900 | Resp[1]: 0x00000000 +[ 333.048157] mmc2: sdhci: Resp[2]: 0x00000000 | Resp[3]: 0x00000000 +[ 333.054945] mmc2: sdhci: Host ctl2: 0x00000000 +[ 333.059657] mmc2: sdhci: ADMA Err: 0x00000000 | ADMA Ptr: +0x0000000ffffff218 +[ 333.067178] mmc2: sdhci_msm: ----------- VENDOR REGISTER DUMP +----------- +[ 333.074343] mmc2: sdhci_msm: DLL sts: 0x00000000 | DLL cfg: +0x6000642c | DLL cfg2: 0x0020a000 +[ 333.083417] mmc2: sdhci_msm: DLL cfg3: 0x00000000 | DLL usr ctl: +0x00000000 | DDR cfg: 0x80040873 +[ 333.092850] mmc2: sdhci_msm: Vndr func: 0x00008a9c | Vndr func2 : +0xf88218a8 Vndr func3: 0x02626040 +[ 333.102371] mmc2: sdhci: ============================================ + +So, set software timeout value more than hardware timeout value. + +Signed-off-by: Shaik Sajida Bhanu +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/1626435974-14462-1-git-send-email-sbhanu@codeaurora.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-msm.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c +index e44b7a66b73c..290a14cdc1cf 100644 +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -2089,6 +2089,23 @@ static void sdhci_msm_cqe_disable(struct mmc_host *mmc, bool recovery) + sdhci_cqe_disable(mmc, recovery); + } + ++static void sdhci_msm_set_timeout(struct sdhci_host *host, struct mmc_command *cmd) ++{ ++ u32 count, start = 15; ++ ++ __sdhci_set_timeout(host, cmd); ++ count = sdhci_readb(host, SDHCI_TIMEOUT_CONTROL); ++ /* ++ * Update software timeout value if its value is less than hardware data ++ * timeout value. Qcom SoC hardware data timeout value was calculated ++ * using 4 * MCLK * 2^(count + 13). where MCLK = 1 / host->clock. ++ */ ++ if (cmd && cmd->data && host->clock > 400000 && ++ host->clock <= 50000000 && ++ ((1 << (count + start)) > (10 * host->clock))) ++ host->data_timeout = 22LL * NSEC_PER_SEC; ++} ++ + static const struct cqhci_host_ops sdhci_msm_cqhci_ops = { + .enable = sdhci_msm_cqe_enable, + .disable = sdhci_msm_cqe_disable, +@@ -2438,6 +2455,7 @@ static const struct sdhci_ops sdhci_msm_ops = { + .irq = sdhci_msm_cqe_irq, + .dump_vendor_regs = sdhci_msm_dump_vendor_regs, + .set_power = sdhci_set_power_noreg, ++ .set_timeout = sdhci_msm_set_timeout, + }; + + static const struct sdhci_pltfm_data sdhci_msm_pdata = { +-- +2.30.2 + diff --git a/queue-5.13/opp-drop-empty-table-checks-from-_put-functions.patch b/queue-5.13/opp-drop-empty-table-checks-from-_put-functions.patch new file mode 100644 index 00000000000..f9a94951200 --- /dev/null +++ b/queue-5.13/opp-drop-empty-table-checks-from-_put-functions.patch @@ -0,0 +1,82 @@ +From e4e6b423d56c5d791b01468af753ae56f43f4ca0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Aug 2021 19:43:44 +0300 +Subject: opp: Drop empty-table checks from _put functions + +From: Dmitry Osipenko + +[ Upstream commit c3ddfe66d2bb511f7fbcdc8e64952c7859e7e69d ] + +The current_opp is released only when whole OPP table is released, +otherwise it's only marked as removed by dev_pm_opp_remove_table(). +Functions like dev_pm_opp_put_clkname() and dev_pm_opp_put_supported_hw() +are checking whether OPP table is empty and it's not if current_opp is +set since it holds the refcount of OPP, this produces a noisy warning +from these functions about busy OPP table. Remove the checks to fix it. + +Cc: stable@vger.kernel.org +Fixes: 81c4d8a3c414 ("opp: Keep track of currently programmed OPP") +Signed-off-by: Dmitry Osipenko +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/opp/core.c | 15 --------------- + 1 file changed, 15 deletions(-) + +diff --git a/drivers/opp/core.c b/drivers/opp/core.c +index e366218d6736..4c23b5736c77 100644 +--- a/drivers/opp/core.c ++++ b/drivers/opp/core.c +@@ -1846,9 +1846,6 @@ void dev_pm_opp_put_supported_hw(struct opp_table *opp_table) + if (unlikely(!opp_table)) + return; + +- /* Make sure there are no concurrent readers while updating opp_table */ +- WARN_ON(!list_empty(&opp_table->opp_list)); +- + kfree(opp_table->supported_hw); + opp_table->supported_hw = NULL; + opp_table->supported_hw_count = 0; +@@ -1934,9 +1931,6 @@ void dev_pm_opp_put_prop_name(struct opp_table *opp_table) + if (unlikely(!opp_table)) + return; + +- /* Make sure there are no concurrent readers while updating opp_table */ +- WARN_ON(!list_empty(&opp_table->opp_list)); +- + kfree(opp_table->prop_name); + opp_table->prop_name = NULL; + +@@ -2046,9 +2040,6 @@ void dev_pm_opp_put_regulators(struct opp_table *opp_table) + if (!opp_table->regulators) + goto put_opp_table; + +- /* Make sure there are no concurrent readers while updating opp_table */ +- WARN_ON(!list_empty(&opp_table->opp_list)); +- + if (opp_table->enabled) { + for (i = opp_table->regulator_count - 1; i >= 0; i--) + regulator_disable(opp_table->regulators[i]); +@@ -2168,9 +2159,6 @@ void dev_pm_opp_put_clkname(struct opp_table *opp_table) + if (unlikely(!opp_table)) + return; + +- /* Make sure there are no concurrent readers while updating opp_table */ +- WARN_ON(!list_empty(&opp_table->opp_list)); +- + clk_put(opp_table->clk); + opp_table->clk = ERR_PTR(-EINVAL); + +@@ -2269,9 +2257,6 @@ void dev_pm_opp_unregister_set_opp_helper(struct opp_table *opp_table) + if (unlikely(!opp_table)) + return; + +- /* Make sure there are no concurrent readers while updating opp_table */ +- WARN_ON(!list_empty(&opp_table->opp_list)); +- + opp_table->set_opp = NULL; + + mutex_lock(&opp_table->lock); +-- +2.30.2 + diff --git a/queue-5.13/pci-increase-d3-delay-for-amd-renoir-cezanne-xhci.patch b/queue-5.13/pci-increase-d3-delay-for-amd-renoir-cezanne-xhci.patch new file mode 100644 index 00000000000..f52f5dda300 --- /dev/null +++ b/queue-5.13/pci-increase-d3-delay-for-amd-renoir-cezanne-xhci.patch @@ -0,0 +1,45 @@ +From 0c8432c16fb1e2c0ede82b92e280812a8b0d5f27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 22:58:58 -0400 +Subject: PCI: Increase D3 delay for AMD Renoir/Cezanne XHCI + +From: Marcin Bachry + +[ Upstream commit e0bff43220925b7e527f9d3bc9f5c624177c959e ] + +The Renoir XHCI controller apparently doesn't resume reliably with the +standard D3hot-to-D0 delay. Increase it to 20ms. + +[Alex: I talked to the AMD USB hardware team and the AMD Windows team and +they are not aware of any HW errata or specific issues. The HW works fine +in Windows. I was told Windows uses a rather generous default delay of +100ms for PCI state transitions.] + +Link: https://lore.kernel.org/r/20210722025858.220064-1-alexander.deucher@amd.com +Signed-off-by: Marcin Bachry +Signed-off-by: Alex Deucher +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Cc: Mario Limonciello +Cc: Prike Liang +Cc: Shyam Sundar S K +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 6d74386eadc2..ab3de1551b50 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -1900,6 +1900,7 @@ static void quirk_ryzen_xhci_d3hot(struct pci_dev *dev) + } + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x15e0, quirk_ryzen_xhci_d3hot); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x15e1, quirk_ryzen_xhci_d3hot); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x1639, quirk_ryzen_xhci_d3hot); + + #ifdef CONFIG_X86_IO_APIC + static int dmi_disable_ioapicreroute(const struct dmi_system_id *d) +-- +2.30.2 + diff --git a/queue-5.13/powerpc-32s-fix-random-crashes-by-adding-isync-after.patch b/queue-5.13/powerpc-32s-fix-random-crashes-by-adding-isync-after.patch new file mode 100644 index 00000000000..25d234fb0ed --- /dev/null +++ b/queue-5.13/powerpc-32s-fix-random-crashes-by-adding-isync-after.patch @@ -0,0 +1,154 @@ +From bee8557c00b6d9d2bf72c0f50cc449e19a342a06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 06:49:29 +0000 +Subject: powerpc/32s: Fix random crashes by adding isync() after + locking/unlocking KUEP + +From: Christophe Leroy + +[ Upstream commit ef486bf448a057a6e2d50e40ae879f7add6585da ] + +Commit b5efec00b671 ("powerpc/32s: Move KUEP locking/unlocking in C") +removed the 'isync' instruction after adding/removing NX bit in user +segments. The reasoning behind this change was that when setting the +NX bit we don't mind it taking effect with delay as the kernel never +executes text from userspace, and when clearing the NX bit this is +to return to userspace and then the 'rfi' should synchronise the +context. + +However, it looks like on book3s/32 having a hash page table, at least +on the G3 processor, we get an unexpected fault from userspace, then +this is followed by something wrong in the verification of MSR_PR +at end of another interrupt. + +This is fixed by adding back the removed isync() following update +of NX bit in user segment registers. Only do it for cores with an +hash table, as 603 cores don't exhibit that problem and the two isync +increase ./null_syscall selftest by 6 cycles on an MPC 832x. + +First problem: unexpected WARN_ON() for mysterious PROTFAULT + + WARNING: CPU: 0 PID: 1660 at arch/powerpc/mm/fault.c:354 do_page_fault+0x6c/0x5b0 + Modules linked in: + CPU: 0 PID: 1660 Comm: Xorg Not tainted 5.13.0-pmac-00028-gb3c15b60339a #40 + NIP: c001b5c8 LR: c001b6f8 CTR: 00000000 + REGS: e2d09e40 TRAP: 0700 Not tainted (5.13.0-pmac-00028-gb3c15b60339a) + MSR: 00021032 CR: 42d04f30 XER: 20000000 + GPR00: c000424c e2d09f00 c301b680 e2d09f40 0000001e 42000000 00cba028 00000000 + GPR08: 08000000 48000010 c301b680 e2d09f30 22d09f30 00c1fff0 00cba000 a7b7ba4c + GPR16: 00000031 00000000 00000000 00000000 00000000 00000000 a7b7b0d0 00c5c010 + GPR24: a7b7b64c a7b7d2f0 00000004 00000000 c1efa6c0 00cba02c 00000300 e2d09f40 + NIP [c001b5c8] do_page_fault+0x6c/0x5b0 + LR [c001b6f8] do_page_fault+0x19c/0x5b0 + Call Trace: + [e2d09f00] [e2d09f04] 0xe2d09f04 (unreliable) + [e2d09f30] [c000424c] DataAccess_virt+0xd4/0xe4 + --- interrupt: 300 at 0xa7a261dc + NIP: a7a261dc LR: a7a253bc CTR: 00000000 + REGS: e2d09f40 TRAP: 0300 Not tainted (5.13.0-pmac-00028-gb3c15b60339a) + MSR: 0000d032 CR: 228428e2 XER: 20000000 + DAR: 00cba02c DSISR: 42000000 + GPR00: a7a27448 afa6b0e0 a74c35c0 a7b7b614 0000001e a7b7b614 00cba028 00000000 + GPR08: 00020fd9 00000031 00cb9ff8 a7a273b0 220028e2 00c1fff0 00cba000 a7b7ba4c + GPR16: 00000031 00000000 00000000 00000000 00000000 00000000 a7b7b0d0 00c5c010 + GPR24: a7b7b64c a7b7d2f0 00000004 00000002 0000001e a7b7b614 a7b7aff4 00000030 + NIP [a7a261dc] 0xa7a261dc + LR [a7a253bc] 0xa7a253bc + --- interrupt: 300 + Instruction dump: + 7c4a1378 810300a0 75278410 83820298 83a300a4 553b018c 551e0036 4082038c + 2e1b0000 40920228 75280800 41820220 <0fe00000> 3b600000 41920214 81420594 + +Second problem: MSR PR is seen unset allthough the interrupt frame shows it set + + kernel BUG at arch/powerpc/kernel/interrupt.c:458! + Oops: Exception in kernel mode, sig: 5 [#1] + BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 PowerMac + Modules linked in: + CPU: 0 PID: 1660 Comm: Xorg Tainted: G W 5.13.0-pmac-00028-gb3c15b60339a #40 + NIP: c0011434 LR: c001629c CTR: 00000000 + REGS: e2d09e70 TRAP: 0700 Tainted: G W (5.13.0-pmac-00028-gb3c15b60339a) + MSR: 00029032 CR: 42d09f30 XER: 00000000 + GPR00: 00000000 e2d09f30 c301b680 e2d09f40 83440000 c44d0e68 e2d09e8c 00000000 + GPR08: 00000002 00dc228a 00004000 e2d09f30 22d09f30 00c1fff0 afa6ceb4 00c26144 + GPR16: 00c25fb8 00c26140 afa6ceb8 90000000 00c944d8 0000001c 00000000 00200000 + GPR24: 00000000 000001fb afa6d1b4 00000001 00000000 a539a2a0 a530fd80 00000089 + NIP [c0011434] interrupt_exit_kernel_prepare+0x10/0x70 + LR [c001629c] interrupt_return+0x9c/0x144 + Call Trace: + [e2d09f30] [c000424c] DataAccess_virt+0xd4/0xe4 (unreliable) + --- interrupt: 300 at 0xa09be008 + NIP: a09be008 LR: a09bdfe8 CTR: a09bdfc0 + REGS: e2d09f40 TRAP: 0300 Tainted: G W (5.13.0-pmac-00028-gb3c15b60339a) + MSR: 0000d032 CR: 420028e2 XER: 20000000 + DAR: a539a308 DSISR: 0a000000 + GPR00: a7b90d50 afa6b2d0 a74c35c0 a0a8b690 a0a8b698 a5365d70 a4fa82a8 00000004 + GPR08: 00000000 a09bdfc0 00000000 a5360000 a09bde7c 00c1fff0 afa6ceb4 00c26144 + GPR16: 00c25fb8 00c26140 afa6ceb8 90000000 00c944d8 0000001c 00000000 00200000 + GPR24: 00000000 000001fb afa6d1b4 00000001 00000000 a539a2a0 a530fd80 00000089 + NIP [a09be008] 0xa09be008 + LR [a09bdfe8] 0xa09bdfe8 + --- interrupt: 300 + Instruction dump: + 80010024 83e1001c 7c0803a6 4bffff80 3bc00800 4bffffd0 486b42fd 4bffffcc + 81430084 71480002 41820038 554a0462 <0f0a0000> 80620060 74630001 40820034 + +Fixes: b5efec00b671 ("powerpc/32s: Move KUEP locking/unlocking in C") +Cc: stable@vger.kernel.org # v5.13+ +Reported-by: Stan Johnson +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/4856f5574906e2aec0522be17bf3848a22b2cd0b.1629269345.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/book3s/32/kup.h | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/arch/powerpc/include/asm/book3s/32/kup.h b/arch/powerpc/include/asm/book3s/32/kup.h +index 5353ea68b912..c6cfca9d2bd7 100644 +--- a/arch/powerpc/include/asm/book3s/32/kup.h ++++ b/arch/powerpc/include/asm/book3s/32/kup.h +@@ -4,6 +4,8 @@ + + #include + #include ++#include ++#include + + #ifndef __ASSEMBLY__ + +@@ -18,6 +20,15 @@ static inline void kuep_lock(void) + return; + + update_user_segments(mfsr(0) | SR_NX); ++ /* ++ * This isync() shouldn't be necessary as the kernel is not excepted to ++ * run any instruction in userspace soon after the update of segments, ++ * but hash based cores (at least G3) seem to exhibit a random ++ * behaviour when the 'isync' is not there. 603 cores don't have this ++ * behaviour so don't do the 'isync' as it saves several CPU cycles. ++ */ ++ if (mmu_has_feature(MMU_FTR_HPTE_TABLE)) ++ isync(); /* Context sync required after mtsr() */ + } + + static inline void kuep_unlock(void) +@@ -26,6 +37,15 @@ static inline void kuep_unlock(void) + return; + + update_user_segments(mfsr(0) & ~SR_NX); ++ /* ++ * This isync() shouldn't be necessary as a 'rfi' will soon be executed ++ * to return to userspace, but hash based cores (at least G3) seem to ++ * exhibit a random behaviour when the 'isync' is not there. 603 cores ++ * don't have this behaviour so don't do the 'isync' as it saves several ++ * CPU cycles. ++ */ ++ if (mmu_has_feature(MMU_FTR_HPTE_TABLE)) ++ isync(); /* Context sync required after mtsr() */ + } + + #ifdef CONFIG_PPC_KUAP +-- +2.30.2 + diff --git a/queue-5.13/powerpc-32s-move-setup_-kuep-kuap-into-kuep-kuap-.c.patch b/queue-5.13/powerpc-32s-move-setup_-kuep-kuap-into-kuep-kuap-.c.patch new file mode 100644 index 00000000000..b523f886d66 --- /dev/null +++ b/queue-5.13/powerpc-32s-move-setup_-kuep-kuap-into-kuep-kuap-.c.patch @@ -0,0 +1,99 @@ +From 0e113bdf139f201f4f25ea0043149dd733fabd24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jun 2021 08:41:36 +0000 +Subject: powerpc/32s: Move setup_{kuep/kuap}() into {kuep/kuap}.c + +From: Christophe Leroy + +[ Upstream commit 91ec66719d4c5c0e7b4e32585b01881660d1bc53 ] + +Avoids the #ifdef in mmu.c + +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/0b7a13d414837e58264edc336b89c2fe9f35f9bc.1622708530.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/book3s32/Makefile | 1 + + arch/powerpc/mm/book3s32/kuap.c | 11 +++++++++++ + arch/powerpc/mm/book3s32/kuep.c | 8 ++++++++ + arch/powerpc/mm/book3s32/mmu.c | 20 -------------------- + 4 files changed, 20 insertions(+), 20 deletions(-) + create mode 100644 arch/powerpc/mm/book3s32/kuap.c + +diff --git a/arch/powerpc/mm/book3s32/Makefile b/arch/powerpc/mm/book3s32/Makefile +index 7f0c8a78ba0c..15f4773643d2 100644 +--- a/arch/powerpc/mm/book3s32/Makefile ++++ b/arch/powerpc/mm/book3s32/Makefile +@@ -10,3 +10,4 @@ obj-y += mmu.o mmu_context.o + obj-$(CONFIG_PPC_BOOK3S_603) += nohash_low.o + obj-$(CONFIG_PPC_BOOK3S_604) += hash_low.o tlb.o + obj-$(CONFIG_PPC_KUEP) += kuep.o ++obj-$(CONFIG_PPC_KUAP) += kuap.o +diff --git a/arch/powerpc/mm/book3s32/kuap.c b/arch/powerpc/mm/book3s32/kuap.c +new file mode 100644 +index 000000000000..1df55392878e +--- /dev/null ++++ b/arch/powerpc/mm/book3s32/kuap.c +@@ -0,0 +1,11 @@ ++// SPDX-License-Identifier: GPL-2.0-or-later ++ ++#include ++ ++void __init setup_kuap(bool disabled) ++{ ++ pr_info("Activating Kernel Userspace Access Protection\n"); ++ ++ if (disabled) ++ pr_warn("KUAP cannot be disabled yet on 6xx when compiled in\n"); ++} +diff --git a/arch/powerpc/mm/book3s32/kuep.c b/arch/powerpc/mm/book3s32/kuep.c +index 8ed1b8634839..6eafe7b2b031 100644 +--- a/arch/powerpc/mm/book3s32/kuep.c ++++ b/arch/powerpc/mm/book3s32/kuep.c +@@ -38,3 +38,11 @@ void kuep_unlock(void) + { + kuep_update(mfsr(0) & ~SR_NX); + } ++ ++void __init setup_kuep(bool disabled) ++{ ++ pr_info("Activating Kernel Userspace Execution Prevention\n"); ++ ++ if (disabled) ++ pr_warn("KUEP cannot be disabled yet on 6xx when compiled in\n"); ++} +diff --git a/arch/powerpc/mm/book3s32/mmu.c b/arch/powerpc/mm/book3s32/mmu.c +index 159930351d9f..27061583a010 100644 +--- a/arch/powerpc/mm/book3s32/mmu.c ++++ b/arch/powerpc/mm/book3s32/mmu.c +@@ -445,26 +445,6 @@ void __init print_system_hash_info(void) + pr_info("Hash_mask = 0x%lx\n", Hash_mask); + } + +-#ifdef CONFIG_PPC_KUEP +-void __init setup_kuep(bool disabled) +-{ +- pr_info("Activating Kernel Userspace Execution Prevention\n"); +- +- if (disabled) +- pr_warn("KUEP cannot be disabled yet on 6xx when compiled in\n"); +-} +-#endif +- +-#ifdef CONFIG_PPC_KUAP +-void __init setup_kuap(bool disabled) +-{ +- pr_info("Activating Kernel Userspace Access Protection\n"); +- +- if (disabled) +- pr_warn("KUAP cannot be disabled yet on 6xx when compiled in\n"); +-} +-#endif +- + void __init early_init_mmu(void) + { + } +-- +2.30.2 + diff --git a/queue-5.13/powerpc-32s-refactor-update-of-user-segment-register.patch b/queue-5.13/powerpc-32s-refactor-update-of-user-segment-register.patch new file mode 100644 index 00000000000..cc12dcc1ca4 --- /dev/null +++ b/queue-5.13/powerpc-32s-refactor-update-of-user-segment-register.patch @@ -0,0 +1,166 @@ +From 714aa92b5161a606e474fc336a963ab0e0c53f33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jun 2021 08:41:37 +0000 +Subject: powerpc/32s: Refactor update of user segment registers + +From: Christophe Leroy + +[ Upstream commit 91bb30822a2e1d7900f9f42e9e92647a9015f979 ] + +KUEP implements the update of user segment registers. + +Move it into mmu-hash.h in order to use it from other places. + +And inline kuep_lock() and kuep_unlock(). Inlining kuep_lock() is +important for system_call_exception(), otherwise system_call_exception() +has to save into stack the system call parameters that are used just +after, and doing that takes more instructions than kuep_lock() itself. + +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/24591ca480d14a62ef910e38a5273d551262c4a2.1622708530.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/book3s/32/kup.h | 21 +++++++++++ + arch/powerpc/include/asm/book3s/32/mmu-hash.h | 27 ++++++++++++++ + arch/powerpc/include/asm/kup.h | 5 +-- + arch/powerpc/mm/book3s32/kuep.c | 37 ------------------- + 4 files changed, 49 insertions(+), 41 deletions(-) + +diff --git a/arch/powerpc/include/asm/book3s/32/kup.h b/arch/powerpc/include/asm/book3s/32/kup.h +index 1670dfe9d4f1..5353ea68b912 100644 +--- a/arch/powerpc/include/asm/book3s/32/kup.h ++++ b/arch/powerpc/include/asm/book3s/32/kup.h +@@ -7,6 +7,27 @@ + + #ifndef __ASSEMBLY__ + ++static __always_inline bool kuep_is_disabled(void) ++{ ++ return !IS_ENABLED(CONFIG_PPC_KUEP); ++} ++ ++static inline void kuep_lock(void) ++{ ++ if (kuep_is_disabled()) ++ return; ++ ++ update_user_segments(mfsr(0) | SR_NX); ++} ++ ++static inline void kuep_unlock(void) ++{ ++ if (kuep_is_disabled()) ++ return; ++ ++ update_user_segments(mfsr(0) & ~SR_NX); ++} ++ + #ifdef CONFIG_PPC_KUAP + + #include +diff --git a/arch/powerpc/include/asm/book3s/32/mmu-hash.h b/arch/powerpc/include/asm/book3s/32/mmu-hash.h +index b85f8e114a9c..cc0284bbac86 100644 +--- a/arch/powerpc/include/asm/book3s/32/mmu-hash.h ++++ b/arch/powerpc/include/asm/book3s/32/mmu-hash.h +@@ -102,6 +102,33 @@ extern s32 patch__hash_page_B, patch__hash_page_C; + extern s32 patch__flush_hash_A0, patch__flush_hash_A1, patch__flush_hash_A2; + extern s32 patch__flush_hash_B; + ++#include ++#include ++ ++#define UPDATE_TWO_USER_SEGMENTS(n) do { \ ++ if (TASK_SIZE > ((n) << 28)) \ ++ mtsr(val1, (n) << 28); \ ++ if (TASK_SIZE > (((n) + 1) << 28)) \ ++ mtsr(val2, ((n) + 1) << 28); \ ++ val1 = (val1 + 0x222) & 0xf0ffffff; \ ++ val2 = (val2 + 0x222) & 0xf0ffffff; \ ++} while (0) ++ ++static __always_inline void update_user_segments(u32 val) ++{ ++ int val1 = val; ++ int val2 = (val + 0x111) & 0xf0ffffff; ++ ++ UPDATE_TWO_USER_SEGMENTS(0); ++ UPDATE_TWO_USER_SEGMENTS(2); ++ UPDATE_TWO_USER_SEGMENTS(4); ++ UPDATE_TWO_USER_SEGMENTS(6); ++ UPDATE_TWO_USER_SEGMENTS(8); ++ UPDATE_TWO_USER_SEGMENTS(10); ++ UPDATE_TWO_USER_SEGMENTS(12); ++ UPDATE_TWO_USER_SEGMENTS(14); ++} ++ + #endif /* !__ASSEMBLY__ */ + + /* We happily ignore the smaller BATs on 601, we don't actually use +diff --git a/arch/powerpc/include/asm/kup.h b/arch/powerpc/include/asm/kup.h +index ec96232529ac..4b94d4293777 100644 +--- a/arch/powerpc/include/asm/kup.h ++++ b/arch/powerpc/include/asm/kup.h +@@ -46,10 +46,7 @@ void setup_kuep(bool disabled); + static inline void setup_kuep(bool disabled) { } + #endif /* CONFIG_PPC_KUEP */ + +-#if defined(CONFIG_PPC_KUEP) && defined(CONFIG_PPC_BOOK3S_32) +-void kuep_lock(void); +-void kuep_unlock(void); +-#else ++#ifndef CONFIG_PPC_BOOK3S_32 + static inline void kuep_lock(void) { } + static inline void kuep_unlock(void) { } + #endif +diff --git a/arch/powerpc/mm/book3s32/kuep.c b/arch/powerpc/mm/book3s32/kuep.c +index 6eafe7b2b031..919595f47e25 100644 +--- a/arch/powerpc/mm/book3s32/kuep.c ++++ b/arch/powerpc/mm/book3s32/kuep.c +@@ -1,43 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0-or-later + + #include +-#include +-#include +-#include +- +-#define KUEP_UPDATE_TWO_USER_SEGMENTS(n) do { \ +- if (TASK_SIZE > ((n) << 28)) \ +- mtsr(val1, (n) << 28); \ +- if (TASK_SIZE > (((n) + 1) << 28)) \ +- mtsr(val2, ((n) + 1) << 28); \ +- val1 = (val1 + 0x222) & 0xf0ffffff; \ +- val2 = (val2 + 0x222) & 0xf0ffffff; \ +-} while (0) +- +-static __always_inline void kuep_update(u32 val) +-{ +- int val1 = val; +- int val2 = (val + 0x111) & 0xf0ffffff; +- +- KUEP_UPDATE_TWO_USER_SEGMENTS(0); +- KUEP_UPDATE_TWO_USER_SEGMENTS(2); +- KUEP_UPDATE_TWO_USER_SEGMENTS(4); +- KUEP_UPDATE_TWO_USER_SEGMENTS(6); +- KUEP_UPDATE_TWO_USER_SEGMENTS(8); +- KUEP_UPDATE_TWO_USER_SEGMENTS(10); +- KUEP_UPDATE_TWO_USER_SEGMENTS(12); +- KUEP_UPDATE_TWO_USER_SEGMENTS(14); +-} +- +-void kuep_lock(void) +-{ +- kuep_update(mfsr(0) | SR_NX); +-} +- +-void kuep_unlock(void) +-{ +- kuep_update(mfsr(0) & ~SR_NX); +-} + + void __init setup_kuep(bool disabled) + { +-- +2.30.2 + diff --git a/queue-5.13/riscv-fix-a-number-of-free-d-resources-in-init_resou.patch b/queue-5.13/riscv-fix-a-number-of-free-d-resources-in-init_resou.patch new file mode 100644 index 00000000000..7c3b5e2b413 --- /dev/null +++ b/queue-5.13/riscv-fix-a-number-of-free-d-resources-in-init_resou.patch @@ -0,0 +1,50 @@ +From f96a34c8a41e3dc1c02a3fda69b8ab4d62b8c612 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Aug 2021 19:54:50 +0200 +Subject: riscv: Fix a number of free'd resources in init_resources() + +From: Petr Pavlu + +[ Upstream commit aa3e1ba32e553e611a58145c2eb349802feaa6eb ] + +Function init_resources() allocates a boot memory block to hold an array of +resources which it adds to iomem_resource. The array is filled in from its +end and the function then attempts to free any unused memory at the +beginning. The problem is that size of the unused memory is incorrectly +calculated and this can result in releasing memory which is in use by +active resources. Their data then gets corrupted later when the memory is +reused by a different part of the system. + +Fix the size of the released memory to correctly match the number of unused +resource entries. + +Fixes: ffe0e5261268 ("RISC-V: Improve init_resources()") +Signed-off-by: Petr Pavlu +Reviewed-by: Sunil V L +Acked-by: Nick Kossifidis +Tested-by: Sunil V L +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/setup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/kernel/setup.c b/arch/riscv/kernel/setup.c +index 9a1b7a0603b2..f2a9cd4284b0 100644 +--- a/arch/riscv/kernel/setup.c ++++ b/arch/riscv/kernel/setup.c +@@ -230,8 +230,8 @@ static void __init init_resources(void) + } + + /* Clean-up any unused pre-allocated resources */ +- mem_res_sz = (num_resources - res_idx + 1) * sizeof(*mem_res); +- memblock_free(__pa(mem_res), mem_res_sz); ++ if (res_idx >= 0) ++ memblock_free(__pa(mem_res), (res_idx + 1) * sizeof(*mem_res)); + return; + + error: +-- +2.30.2 + diff --git a/queue-5.13/s390-pci-fix-use-after-free-of-zpci_dev.patch b/queue-5.13/s390-pci-fix-use-after-free-of-zpci_dev.patch new file mode 100644 index 00000000000..d4038e39378 --- /dev/null +++ b/queue-5.13/s390-pci-fix-use-after-free-of-zpci_dev.patch @@ -0,0 +1,89 @@ +From 43950f81790e1469510e61179b4e9bad5cea7882 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Aug 2021 12:11:16 +0200 +Subject: s390/pci: fix use after free of zpci_dev + +From: Niklas Schnelle + +[ Upstream commit 2a671f77ee49f3e78997b77fdee139467ff6a598 ] + +The struct pci_dev uses reference counting but zPCI assumed erroneously +that the last reference would always be the local reference after +calling pci_stop_and_remove_bus_device(). This is usually the case but +not how reference counting works and thus inherently fragile. + +In fact one case where this causes a NULL pointer dereference when on an +SRIOV device the function 0 was hot unplugged before another function of +the same multi-function device. In this case the second function's +pdev->sriov->dev reference keeps the struct pci_dev of function 0 alive +even after the unplug. This bug was previously hidden by the fact that +we were leaking the struct pci_dev which in turn means that it always +outlived the struct zpci_dev. This was fixed in commit 0b13525c20fe +("s390/pci: fix leak of PCI device structure") exposing the broken +behavior. + +Fix this by accounting for the long living reference a struct pci_dev +has to its underlying struct zpci_dev via the zbus->function[] array and +only release that in pcibios_release_device() ensuring that the struct +pci_dev is not left with a dangling reference. This is a minimal fix in +the future it would probably better to use fine grained reference +counting for struct zpci_dev. + +Fixes: 05bc1be6db4b2 ("s390/pci: create zPCI bus") +Cc: stable@vger.kernel.org +Reviewed-by: Matthew Rosato +Signed-off-by: Niklas Schnelle +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci.c | 6 ++++++ + arch/s390/pci/pci_bus.h | 5 +++++ + 2 files changed, 11 insertions(+) + +diff --git a/arch/s390/pci/pci.c b/arch/s390/pci/pci.c +index b0993e05affe..8fcb7ecb7225 100644 +--- a/arch/s390/pci/pci.c ++++ b/arch/s390/pci/pci.c +@@ -560,9 +560,12 @@ static void zpci_cleanup_bus_resources(struct zpci_dev *zdev) + + int pcibios_add_device(struct pci_dev *pdev) + { ++ struct zpci_dev *zdev = to_zpci(pdev); + struct resource *res; + int i; + ++ /* The pdev has a reference to the zdev via its bus */ ++ zpci_zdev_get(zdev); + if (pdev->is_physfn) + pdev->no_vf_scan = 1; + +@@ -582,7 +585,10 @@ int pcibios_add_device(struct pci_dev *pdev) + + void pcibios_release_device(struct pci_dev *pdev) + { ++ struct zpci_dev *zdev = to_zpci(pdev); ++ + zpci_unmap_resources(pdev); ++ zpci_zdev_put(zdev); + } + + int pcibios_enable_device(struct pci_dev *pdev, int mask) +diff --git a/arch/s390/pci/pci_bus.h b/arch/s390/pci/pci_bus.h +index b877a97e6745..e359d2686178 100644 +--- a/arch/s390/pci/pci_bus.h ++++ b/arch/s390/pci/pci_bus.h +@@ -22,6 +22,11 @@ static inline void zpci_zdev_put(struct zpci_dev *zdev) + kref_put(&zdev->kref, zpci_release_device); + } + ++static inline void zpci_zdev_get(struct zpci_dev *zdev) ++{ ++ kref_get(&zdev->kref); ++} ++ + int zpci_alloc_domain(int domain); + void zpci_free_domain(int domain); + int zpci_setup_bus_resources(struct zpci_dev *zdev, +-- +2.30.2 + diff --git a/queue-5.13/series b/queue-5.13/series index 52dc865c1d5..5860a24a4be 100644 --- a/queue-5.13/series +++ b/queue-5.13/series @@ -82,3 +82,45 @@ i40e-fix-atr-queue-selection.patch iavf-fix-ping-is-lost-after-untrusted-vf-had-tried-t.patch revert-flow_offload-action-should-not-be-null-when-i.patch net-dpaa2-switch-disable-the-control-interface-on-er.patch +iommu-dma-fix-leak-in-non-contiguous-api.patch +mmc-dw_mmc-fix-hang-on-data-crc-error.patch +mmc-mmci-stm32-check-when-the-voltage-switch-procedu.patch +mmc-sdhci-msm-update-the-software-timeout-value-for-.patch +clk-imx6q-fix-uart-earlycon-unwork.patch +clk-qcom-gdsc-ensure-regulator-init-state-matches-gd.patch +arm64-clean-vdso-vdso32-files.patch +cfi-use-rcu_read_-un-lock_sched_notrace.patch +alsa-hda-fix-the-capture-switch-value-change-notific.patch +tracing-define-needed-config-dynamic_ftrace_with_arg.patch +tracing-histogram-fix-null-pointer-dereference-on-st.patch +slimbus-messaging-start-transaction-ids-from-1-inste.patch +slimbus-messaging-check-for-valid-transaction-id.patch +slimbus-ngd-set-correct-device-for-pm.patch +slimbus-ngd-reset-dma-setup-during-runtime-pm.patch +ipack-tpci200-fix-many-double-free-issues-in-tpci200.patch +ipack-tpci200-fix-memory-leak-in-the-tpci200_registe.patch +io_uring-fix-code-style-problems.patch +io_uring-only-assign-io_uring_enter-sqpoll-error-in-.patch +alsa-hda-realtek-enable-4-speaker-output-for-dell-xp.patch +opp-drop-empty-table-checks-from-_put-functions.patch +mmc-sdhci-iproc-cap-min-clock-frequency-on-bcm2711.patch +mmc-sdhci-iproc-set-sdhci_quirk_cap_clock_base_broke.patch +btrfs-prevent-rename2-from-exchanging-a-subvol-with-.patch +tracing-apply-trace-filters-on-all-output-channels.patch +alsa-hda-via-apply-runtime-pm-workaround-for-asus-b2.patch +s390-pci-fix-use-after-free-of-zpci_dev.patch +usb-typec-tcpm-fix-vdms-sometimes-not-being-forwarde.patch +powerpc-32s-move-setup_-kuep-kuap-into-kuep-kuap-.c.patch +powerpc-32s-refactor-update-of-user-segment-register.patch +powerpc-32s-fix-random-crashes-by-adding-isync-after.patch +pci-increase-d3-delay-for-amd-renoir-cezanne-xhci.patch +alsa-hda-realtek-limit-mic-boost-on-hp-probook-445-g.patch +asoc-intel-atom-fix-breakage-for-pcm-buffer-address-.patch +riscv-fix-a-number-of-free-d-resources-in-init_resou.patch +mm-memcontrol-fix-occasional-ooms-due-to-proportiona.patch +mm-hwpoison-make-get_hwpoison_page-call-get_any_page.patch +mm-hwpoison-retry-with-shake_page-for-unhandlable-pa.patch +kfence-fix-is_kfence_address-for-addresses-below-kfe.patch +hugetlb-don-t-pass-page-cache-pages-to-restore_reser.patch +io_uring-fix-xa_alloc_cycle-error-return-value-check.patch +fs-warn-about-impending-deprecation-of-mandatory-loc.patch diff --git a/queue-5.13/slimbus-messaging-check-for-valid-transaction-id.patch b/queue-5.13/slimbus-messaging-check-for-valid-transaction-id.patch new file mode 100644 index 00000000000..074fb73d795 --- /dev/null +++ b/queue-5.13/slimbus-messaging-check-for-valid-transaction-id.patch @@ -0,0 +1,53 @@ +From 32741f9decad4a31284f43b33240ac27b225cdf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 09:24:26 +0100 +Subject: slimbus: messaging: check for valid transaction id + +From: Srinivas Kandagatla + +[ Upstream commit a263c1ff6abe0e66712f40d595bbddc7a35907f8 ] + +In some usecases transaction ids are dynamically allocated inside +the controller driver after sending the messages which have generic +acknowledge responses. So check for this before refcounting pm_runtime. + +Without this we would end up imbalancing runtime pm count by +doing pm_runtime_put() in both slim_do_transfer() and slim_msg_response() +for a single pm_runtime_get() in slim_do_transfer() + +Fixes: d3062a210930 ("slimbus: messaging: add slim_alloc/free_txn_tid()") +Cc: +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20210809082428.11236-3-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/slimbus/messaging.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/slimbus/messaging.c b/drivers/slimbus/messaging.c +index 6097ddc43a35..e5ae26227bdb 100644 +--- a/drivers/slimbus/messaging.c ++++ b/drivers/slimbus/messaging.c +@@ -131,7 +131,8 @@ int slim_do_transfer(struct slim_controller *ctrl, struct slim_msg_txn *txn) + goto slim_xfer_err; + } + } +- ++ /* Initialize tid to invalid value */ ++ txn->tid = 0; + need_tid = slim_tid_txn(txn->mt, txn->mc); + + if (need_tid) { +@@ -163,7 +164,7 @@ int slim_do_transfer(struct slim_controller *ctrl, struct slim_msg_txn *txn) + txn->mt, txn->mc, txn->la, ret); + + slim_xfer_err: +- if (!clk_pause_msg && (!need_tid || ret == -ETIMEDOUT)) { ++ if (!clk_pause_msg && (txn->tid == 0 || ret == -ETIMEDOUT)) { + /* + * remove runtime-pm vote if this was TX only, or + * if there was error during this transaction +-- +2.30.2 + diff --git a/queue-5.13/slimbus-messaging-start-transaction-ids-from-1-inste.patch b/queue-5.13/slimbus-messaging-start-transaction-ids-from-1-inste.patch new file mode 100644 index 00000000000..010dddf8f62 --- /dev/null +++ b/queue-5.13/slimbus-messaging-start-transaction-ids-from-1-inste.patch @@ -0,0 +1,42 @@ +From 9e0bcf5a84adff21958bf721e89303931417d949 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 09:24:25 +0100 +Subject: slimbus: messaging: start transaction ids from 1 instead of zero + +From: Srinivas Kandagatla + +[ Upstream commit 9659281ce78de0f15a4aa124da8f7450b1399c09 ] + +As tid is unsigned its hard to figure out if the tid is valid or +invalid. So Start the transaction ids from 1 instead of zero +so that we could differentiate between a valid tid and invalid tids + +This is useful in cases where controller would add a tid for controller +specific transfers. + +Fixes: d3062a210930 ("slimbus: messaging: add slim_alloc/free_txn_tid()") +Cc: +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20210809082428.11236-2-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/slimbus/messaging.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/slimbus/messaging.c b/drivers/slimbus/messaging.c +index f2b5d347d227..6097ddc43a35 100644 +--- a/drivers/slimbus/messaging.c ++++ b/drivers/slimbus/messaging.c +@@ -66,7 +66,7 @@ int slim_alloc_txn_tid(struct slim_controller *ctrl, struct slim_msg_txn *txn) + int ret = 0; + + spin_lock_irqsave(&ctrl->txn_lock, flags); +- ret = idr_alloc_cyclic(&ctrl->tid_idr, txn, 0, ++ ret = idr_alloc_cyclic(&ctrl->tid_idr, txn, 1, + SLIM_MAX_TIDS, GFP_ATOMIC); + if (ret < 0) { + spin_unlock_irqrestore(&ctrl->txn_lock, flags); +-- +2.30.2 + diff --git a/queue-5.13/slimbus-ngd-reset-dma-setup-during-runtime-pm.patch b/queue-5.13/slimbus-ngd-reset-dma-setup-during-runtime-pm.patch new file mode 100644 index 00000000000..df05f862bf6 --- /dev/null +++ b/queue-5.13/slimbus-ngd-reset-dma-setup-during-runtime-pm.patch @@ -0,0 +1,59 @@ +From 391155dd5ea6463a80d0ca5a1fd64052cc78d635 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 09:24:28 +0100 +Subject: slimbus: ngd: reset dma setup during runtime pm + +From: Srinivas Kandagatla + +[ Upstream commit d77772538f00b7265deace6e77e555ee18365ad0 ] + +During suspend/resume NGD remote instance is power cycled along +with remotely controlled bam dma engine. +So Reset the dma configuration during this suspend resume path +so that we are not dealing with any stale dma setup. + +Without this transactions timeout after first suspend resume path. + +Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver") +Cc: +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20210809082428.11236-5-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/slimbus/qcom-ngd-ctrl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/slimbus/qcom-ngd-ctrl.c b/drivers/slimbus/qcom-ngd-ctrl.c +index f3ee8e036372..7040293c2ee8 100644 +--- a/drivers/slimbus/qcom-ngd-ctrl.c ++++ b/drivers/slimbus/qcom-ngd-ctrl.c +@@ -1080,7 +1080,8 @@ static void qcom_slim_ngd_setup(struct qcom_slim_ngd_ctrl *ctrl) + { + u32 cfg = readl_relaxed(ctrl->ngd->base); + +- if (ctrl->state == QCOM_SLIM_NGD_CTRL_DOWN) ++ if (ctrl->state == QCOM_SLIM_NGD_CTRL_DOWN || ++ ctrl->state == QCOM_SLIM_NGD_CTRL_ASLEEP) + qcom_slim_ngd_init_dma(ctrl); + + /* By default enable message queues */ +@@ -1131,6 +1132,7 @@ static int qcom_slim_ngd_power_up(struct qcom_slim_ngd_ctrl *ctrl) + dev_info(ctrl->dev, "Subsys restart: ADSP active framer\n"); + return 0; + } ++ qcom_slim_ngd_setup(ctrl); + return 0; + } + +@@ -1618,6 +1620,7 @@ static int __maybe_unused qcom_slim_ngd_runtime_suspend(struct device *dev) + struct qcom_slim_ngd_ctrl *ctrl = dev_get_drvdata(dev); + int ret = 0; + ++ qcom_slim_ngd_exit_dma(ctrl); + if (!ctrl->qmi.handle) + return 0; + +-- +2.30.2 + diff --git a/queue-5.13/slimbus-ngd-set-correct-device-for-pm.patch b/queue-5.13/slimbus-ngd-set-correct-device-for-pm.patch new file mode 100644 index 00000000000..7a92317f134 --- /dev/null +++ b/queue-5.13/slimbus-ngd-set-correct-device-for-pm.patch @@ -0,0 +1,68 @@ +From 55bede8a0535e4b599cff4ed55519b11f196c029 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 09:24:27 +0100 +Subject: slimbus: ngd: set correct device for pm + +From: Srinivas Kandagatla + +[ Upstream commit c0e38eaa8d5102c138e4f16658ea762417d42a8f ] + +For some reason we ended up using wrong device in some places for pm_runtime calls. +Fix this so that NGG driver can do runtime pm correctly. + +Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver") +Cc: +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20210809082428.11236-4-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/slimbus/qcom-ngd-ctrl.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/slimbus/qcom-ngd-ctrl.c b/drivers/slimbus/qcom-ngd-ctrl.c +index c054e83ab636..f3ee8e036372 100644 +--- a/drivers/slimbus/qcom-ngd-ctrl.c ++++ b/drivers/slimbus/qcom-ngd-ctrl.c +@@ -618,7 +618,7 @@ static void qcom_slim_ngd_rx(struct qcom_slim_ngd_ctrl *ctrl, u8 *buf) + (mc == SLIM_USR_MC_GENERIC_ACK && + mt == SLIM_MSG_MT_SRC_REFERRED_USER)) { + slim_msg_response(&ctrl->ctrl, &buf[4], buf[3], len - 4); +- pm_runtime_mark_last_busy(ctrl->dev); ++ pm_runtime_mark_last_busy(ctrl->ctrl.dev); + } + } + +@@ -1257,13 +1257,14 @@ static int qcom_slim_ngd_enable(struct qcom_slim_ngd_ctrl *ctrl, bool enable) + } + /* controller state should be in sync with framework state */ + complete(&ctrl->qmi.qmi_comp); +- if (!pm_runtime_enabled(ctrl->dev) || +- !pm_runtime_suspended(ctrl->dev)) +- qcom_slim_ngd_runtime_resume(ctrl->dev); ++ if (!pm_runtime_enabled(ctrl->ctrl.dev) || ++ !pm_runtime_suspended(ctrl->ctrl.dev)) ++ qcom_slim_ngd_runtime_resume(ctrl->ctrl.dev); + else +- pm_runtime_resume(ctrl->dev); +- pm_runtime_mark_last_busy(ctrl->dev); +- pm_runtime_put(ctrl->dev); ++ pm_runtime_resume(ctrl->ctrl.dev); ++ ++ pm_runtime_mark_last_busy(ctrl->ctrl.dev); ++ pm_runtime_put(ctrl->ctrl.dev); + + ret = slim_register_controller(&ctrl->ctrl); + if (ret) { +@@ -1389,7 +1390,7 @@ static int qcom_slim_ngd_ssr_pdr_notify(struct qcom_slim_ngd_ctrl *ctrl, + /* Make sure the last dma xfer is finished */ + mutex_lock(&ctrl->tx_lock); + if (ctrl->state != QCOM_SLIM_NGD_CTRL_DOWN) { +- pm_runtime_get_noresume(ctrl->dev); ++ pm_runtime_get_noresume(ctrl->ctrl.dev); + ctrl->state = QCOM_SLIM_NGD_CTRL_DOWN; + qcom_slim_ngd_down(ctrl); + qcom_slim_ngd_exit_dma(ctrl); +-- +2.30.2 + diff --git a/queue-5.13/tracing-apply-trace-filters-on-all-output-channels.patch b/queue-5.13/tracing-apply-trace-filters-on-all-output-channels.patch new file mode 100644 index 00000000000..941fb1db73c --- /dev/null +++ b/queue-5.13/tracing-apply-trace-filters-on-all-output-channels.patch @@ -0,0 +1,106 @@ +From e6fbc5cb78076442aa117db8e1548c7cfa8ea260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Aug 2021 11:45:38 +0800 +Subject: tracing: Apply trace filters on all output channels + +From: Pingfan Liu + +[ Upstream commit 6c34df6f350df9579ce99d887a2b5fa14cc13b32 ] + +The event filters are not applied on all of the output, which results in +the flood of printk when using tp_printk. Unfolding +event_trigger_unlock_commit_regs() into trace_event_buffer_commit(), so +the filters can be applied on every output. + +Link: https://lkml.kernel.org/r/20210814034538.8428-1-kernelfans@gmail.com + +Cc: stable@vger.kernel.org +Fixes: 0daa2302968c1 ("tracing: Add tp_printk cmdline to have tracepoints go to printk()") +Signed-off-by: Pingfan Liu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 18 +++++++++++++++--- + kernel/trace/trace.h | 32 -------------------------------- + 2 files changed, 15 insertions(+), 35 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 018067e379f2..fa617a0a9eed 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -2853,14 +2853,26 @@ int tracepoint_printk_sysctl(struct ctl_table *table, int write, + + void trace_event_buffer_commit(struct trace_event_buffer *fbuffer) + { ++ enum event_trigger_type tt = ETT_NONE; ++ struct trace_event_file *file = fbuffer->trace_file; ++ ++ if (__event_trigger_test_discard(file, fbuffer->buffer, fbuffer->event, ++ fbuffer->entry, &tt)) ++ goto discard; ++ + if (static_key_false(&tracepoint_printk_key.key)) + output_printk(fbuffer); + + if (static_branch_unlikely(&trace_event_exports_enabled)) + ftrace_exports(fbuffer->event, TRACE_EXPORT_EVENT); +- event_trigger_unlock_commit_regs(fbuffer->trace_file, fbuffer->buffer, +- fbuffer->event, fbuffer->entry, +- fbuffer->trace_ctx, fbuffer->regs); ++ ++ trace_buffer_unlock_commit_regs(file->tr, fbuffer->buffer, ++ fbuffer->event, fbuffer->trace_ctx, fbuffer->regs); ++ ++discard: ++ if (tt) ++ event_triggers_post_call(file, tt); ++ + } + EXPORT_SYMBOL_GPL(trace_event_buffer_commit); + +diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h +index cd80d046c7a5..1b60ecf85391 100644 +--- a/kernel/trace/trace.h ++++ b/kernel/trace/trace.h +@@ -1391,38 +1391,6 @@ event_trigger_unlock_commit(struct trace_event_file *file, + event_triggers_post_call(file, tt); + } + +-/** +- * event_trigger_unlock_commit_regs - handle triggers and finish event commit +- * @file: The file pointer associated with the event +- * @buffer: The ring buffer that the event is being written to +- * @event: The event meta data in the ring buffer +- * @entry: The event itself +- * @trace_ctx: The tracing context flags. +- * +- * This is a helper function to handle triggers that require data +- * from the event itself. It also tests the event against filters and +- * if the event is soft disabled and should be discarded. +- * +- * Same as event_trigger_unlock_commit() but calls +- * trace_buffer_unlock_commit_regs() instead of trace_buffer_unlock_commit(). +- */ +-static inline void +-event_trigger_unlock_commit_regs(struct trace_event_file *file, +- struct trace_buffer *buffer, +- struct ring_buffer_event *event, +- void *entry, unsigned int trace_ctx, +- struct pt_regs *regs) +-{ +- enum event_trigger_type tt = ETT_NONE; +- +- if (!__event_trigger_test_discard(file, buffer, event, entry, &tt)) +- trace_buffer_unlock_commit_regs(file->tr, buffer, event, +- trace_ctx, regs); +- +- if (tt) +- event_triggers_post_call(file, tt); +-} +- + #define FILTER_PRED_INVALID ((unsigned short)-1) + #define FILTER_PRED_IS_RIGHT (1 << 15) + #define FILTER_PRED_FOLD (1 << 15) +-- +2.30.2 + diff --git a/queue-5.13/tracing-define-needed-config-dynamic_ftrace_with_arg.patch b/queue-5.13/tracing-define-needed-config-dynamic_ftrace_with_arg.patch new file mode 100644 index 00000000000..464199376ab --- /dev/null +++ b/queue-5.13/tracing-define-needed-config-dynamic_ftrace_with_arg.patch @@ -0,0 +1,62 @@ +From c847c6f709ac1b14d7e92e66064623139d87275c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Aug 2021 21:50:27 +0200 +Subject: tracing: define needed config DYNAMIC_FTRACE_WITH_ARGS + +From: Lukas Bulwahn + +[ Upstream commit 12f9951d3f311acb1d4ffe8e839bc2c07983546f ] + +Commit 2860cd8a2353 ("livepatch: Use the default ftrace_ops instead of +REGS when ARGS is available") intends to enable config LIVEPATCH when +ftrace with ARGS is available. However, the chain of configs to enable +LIVEPATCH is incomplete, as HAVE_DYNAMIC_FTRACE_WITH_ARGS is available, +but the definition of DYNAMIC_FTRACE_WITH_ARGS, combining DYNAMIC_FTRACE +and HAVE_DYNAMIC_FTRACE_WITH_ARGS, needed to enable LIVEPATCH, is missing +in the commit. + +Fortunately, ./scripts/checkkconfigsymbols.py detects this and warns: + +DYNAMIC_FTRACE_WITH_ARGS +Referencing files: kernel/livepatch/Kconfig + +So, define the config DYNAMIC_FTRACE_WITH_ARGS analogously to the already +existing similar configs, DYNAMIC_FTRACE_WITH_REGS and +DYNAMIC_FTRACE_WITH_DIRECT_CALLS, in ./kernel/trace/Kconfig to connect the +chain of configs. + +Link: https://lore.kernel.org/kernel-janitors/CAKXUXMwT2zS9fgyQHKUUiqo8ynZBdx2UEUu1WnV_q0OCmknqhw@mail.gmail.com/ +Link: https://lkml.kernel.org/r/20210806195027.16808-1-lukas.bulwahn@gmail.com + +Cc: Josh Poimboeuf +Cc: Jiri Kosina +Cc: Peter Zijlstra +Cc: Miroslav Benes +Cc: stable@vger.kernel.org +Fixes: 2860cd8a2353 ("livepatch: Use the default ftrace_ops instead of REGS when ARGS is available") +Signed-off-by: Lukas Bulwahn +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/Kconfig | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig +index 7fa82778c3e6..682334e018dd 100644 +--- a/kernel/trace/Kconfig ++++ b/kernel/trace/Kconfig +@@ -219,6 +219,11 @@ config DYNAMIC_FTRACE_WITH_DIRECT_CALLS + depends on DYNAMIC_FTRACE_WITH_REGS + depends on HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS + ++config DYNAMIC_FTRACE_WITH_ARGS ++ def_bool y ++ depends on DYNAMIC_FTRACE ++ depends on HAVE_DYNAMIC_FTRACE_WITH_ARGS ++ + config FUNCTION_PROFILER + bool "Kernel function profiler" + depends on FUNCTION_TRACER +-- +2.30.2 + diff --git a/queue-5.13/tracing-histogram-fix-null-pointer-dereference-on-st.patch b/queue-5.13/tracing-histogram-fix-null-pointer-dereference-on-st.patch new file mode 100644 index 00000000000..a3117d2d3fa --- /dev/null +++ b/queue-5.13/tracing-histogram-fix-null-pointer-dereference-on-st.patch @@ -0,0 +1,92 @@ +From b9bbe0c1adbf986120693e162ceac20d3759cef1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Aug 2021 00:30:11 -0400 +Subject: tracing / histogram: Fix NULL pointer dereference on strcmp() on NULL + event name + +From: Steven Rostedt (VMware) + +[ Upstream commit 5acce0bff2a0420ce87d4591daeb867f47d552c2 ] + +The following commands: + + # echo 'read_max u64 size;' > synthetic_events + # echo 'hist:keys=common_pid:count=count:onmax($count).trace(read_max,count)' > events/syscalls/sys_enter_read/trigger + +Causes: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] PREEMPT SMP + CPU: 4 PID: 1763 Comm: bash Not tainted 5.14.0-rc2-test+ #155 + Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 +v03.03 07/14/2016 + RIP: 0010:strcmp+0xc/0x20 + Code: 75 f7 31 c0 0f b6 0c 06 88 0c 02 48 83 c0 01 84 c9 75 f1 4c 89 c0 +c3 0f 1f 80 00 00 00 00 31 c0 eb 08 48 83 c0 01 84 d2 74 0f <0f> b6 14 07 +3a 14 06 74 ef 19 c0 83 c8 01 c3 31 c0 c3 66 90 48 89 + RSP: 0018:ffffb5fdc0963ca8 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: ffffffffb3a4e040 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: ffff9714c0d0b640 RDI: 0000000000000000 + RBP: 0000000000000000 R08: 00000022986b7cde R09: ffffffffb3a4dff8 + R10: 0000000000000000 R11: 0000000000000000 R12: ffff9714c50603c8 + R13: 0000000000000000 R14: ffff97143fdf9e48 R15: ffff9714c01a2210 + FS: 00007f1fa6785740(0000) GS:ffff9714da400000(0000) +knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 000000002d863004 CR4: 00000000001706e0 + Call Trace: + __find_event_file+0x4e/0x80 + action_create+0x6b7/0xeb0 + ? kstrdup+0x44/0x60 + event_hist_trigger_func+0x1a07/0x2130 + trigger_process_regex+0xbd/0x110 + event_trigger_write+0x71/0xd0 + vfs_write+0xe9/0x310 + ksys_write+0x68/0xe0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7f1fa6879e87 + +The problem was the "trace(read_max,count)" where the "count" should be +"$count" as "onmax()" only handles variables (although it really should be +able to figure out that "count" is a field of sys_enter_read). But there's +a path that does not find the variable and ends up passing a NULL for the +event, which ends up getting passed to "strcmp()". + +Add a check for NULL to return and error on the command with: + + # cat error_log + hist:syscalls:sys_enter_read: error: Couldn't create or find variable + Command: hist:keys=common_pid:count=count:onmax($count).trace(read_max,count) + ^ +Link: https://lkml.kernel.org/r/20210808003011.4037f8d0@oasis.local.home + +Cc: Masami Hiramatsu +Cc: stable@vger.kernel.org +Fixes: 50450603ec9cb tracing: Add 'onmax' hist trigger action support +Reviewed-by: Tom Zanussi +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_hist.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c +index c59793ffd59c..4a2e1d360437 100644 +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -3430,6 +3430,8 @@ trace_action_create_field_var(struct hist_trigger_data *hist_data, + event = data->match_data.event; + } + ++ if (!event) ++ goto free; + /* + * At this point, we're looking at a field on another + * event. Because we can't modify a hist trigger on +-- +2.30.2 + diff --git a/queue-5.13/usb-typec-tcpm-fix-vdms-sometimes-not-being-forwarde.patch b/queue-5.13/usb-typec-tcpm-fix-vdms-sometimes-not-being-forwarde.patch new file mode 100644 index 00000000000..fb73a6d37b9 --- /dev/null +++ b/queue-5.13/usb-typec-tcpm-fix-vdms-sometimes-not-being-forwarde.patch @@ -0,0 +1,91 @@ +From 74a896db27a2920d09348ca050639613011719af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Aug 2021 17:46:32 +0200 +Subject: usb: typec: tcpm: Fix VDMs sometimes not being forwarded to alt-mode + drivers + +From: Hans de Goede + +[ Upstream commit 5571ea3117ca22849072adb58074fb5a2fd12c00 ] + +Commit a20dcf53ea98 ("usb: typec: tcpm: Respond Not_Supported if no +snk_vdo"), stops tcpm_pd_data_request() calling tcpm_handle_vdm_request() +when port->nr_snk_vdo is not set. But the VDM might be intended for an +altmode-driver, in which case nr_snk_vdo does not matter. + +This change breaks the forwarding of connector hotplug (HPD) events +for displayport altmode on devices which don't set nr_snk_vdo. + +tcpm_pd_data_request() is the only caller of tcpm_handle_vdm_request(), +so we can move the nr_snk_vdo check to inside it, at which point we +have already looked up the altmode device so we can check for this too. + +Doing this check here also ensures that vdm_state gets set to +VDM_STATE_DONE if it was VDM_STATE_BUSY, even if we end up with +responding with PD_MSG_CTRL_NOT_SUPP later. + +Note that tcpm_handle_vdm_request() was already sending +PD_MSG_CTRL_NOT_SUPP in some circumstances, after moving the nr_snk_vdo +check the same error-path is now taken when that check fails. So that +we have only one error-path for this and not two. Replace the +tcpm_queue_message(PD_MSG_CTRL_NOT_SUPP) used by the existing error-path +with the more robust tcpm_pd_handle_msg() from the (now removed) second +error-path. + +Fixes: a20dcf53ea98 ("usb: typec: tcpm: Respond Not_Supported if no snk_vdo") +Cc: stable +Cc: Kyle Tso +Acked-by: Heikki Krogerus +Acked-by: Kyle Tso +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20210816154632.381968-1-hdegoede@redhat.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/tcpm/tcpm.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c +index 426e37a1e78c..1b886d80ba1c 100644 +--- a/drivers/usb/typec/tcpm/tcpm.c ++++ b/drivers/usb/typec/tcpm/tcpm.c +@@ -1709,6 +1709,10 @@ static int tcpm_pd_svdm(struct tcpm_port *port, struct typec_altmode *adev, + return rlen; + } + ++static void tcpm_pd_handle_msg(struct tcpm_port *port, ++ enum pd_msg_request message, ++ enum tcpm_ams ams); ++ + static void tcpm_handle_vdm_request(struct tcpm_port *port, + const __le32 *payload, int cnt) + { +@@ -1736,11 +1740,11 @@ static void tcpm_handle_vdm_request(struct tcpm_port *port, + port->vdm_state = VDM_STATE_DONE; + } + +- if (PD_VDO_SVDM(p[0])) { ++ if (PD_VDO_SVDM(p[0]) && (adev || tcpm_vdm_ams(port) || port->nr_snk_vdo)) { + rlen = tcpm_pd_svdm(port, adev, p, cnt, response, &adev_action); + } else { + if (port->negotiated_rev >= PD_REV30) +- tcpm_queue_message(port, PD_MSG_CTRL_NOT_SUPP); ++ tcpm_pd_handle_msg(port, PD_MSG_CTRL_NOT_SUPP, NONE_AMS); + } + + /* +@@ -2443,10 +2447,7 @@ static void tcpm_pd_data_request(struct tcpm_port *port, + NONE_AMS); + break; + case PD_DATA_VENDOR_DEF: +- if (tcpm_vdm_ams(port) || port->nr_snk_vdo) +- tcpm_handle_vdm_request(port, msg->payload, cnt); +- else if (port->negotiated_rev > PD_REV20) +- tcpm_pd_handle_msg(port, PD_MSG_CTRL_NOT_SUPP, NONE_AMS); ++ tcpm_handle_vdm_request(port, msg->payload, cnt); + break; + case PD_DATA_BIST: + port->bist_request = le32_to_cpu(msg->payload[0]); +-- +2.30.2 +