From: Sasha Levin Date: Mon, 27 Sep 2021 05:02:45 +0000 (-0400) Subject: Fixes for 5.14 X-Git-Tag: v5.4.150~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dccbe2e9662231a3ce72793ceb2d0e86e26a8347;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.14 Signed-off-by: Sasha Levin --- diff --git a/queue-5.14/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch b/queue-5.14/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch new file mode 100644 index 00000000000..04c1de653fe --- /dev/null +++ b/queue-5.14/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch @@ -0,0 +1,69 @@ +From c8a6d42c9ad510eade894b2a1f1553a3b62b2ac1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 22:00:33 -0700 +Subject: alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to + volatile + +From: Guenter Roeck + +[ Upstream commit 35a3f4ef0ab543daa1725b0c963eb8c05e3376f8 ] + +Some drivers pass a pointer to volatile data to virt_to_bus() and +virt_to_phys(), and that works fine. One exception is alpha. This +results in a number of compile errors such as + + drivers/net/wan/lmc/lmc_main.c: In function 'lmc_softreset': + drivers/net/wan/lmc/lmc_main.c:1782:50: error: + passing argument 1 of 'virt_to_bus' discards 'volatile' + qualifier from pointer target type + + drivers/atm/ambassador.c: In function 'do_loader_command': + drivers/atm/ambassador.c:1747:58: error: + passing argument 1 of 'virt_to_bus' discards 'volatile' + qualifier from pointer target type + +Declare the parameter of virt_to_phys and virt_to_bus as pointer to +volatile to fix the problem. + +Signed-off-by: Guenter Roeck +Acked-by: Arnd Bergmann +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/alpha/include/asm/io.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/alpha/include/asm/io.h b/arch/alpha/include/asm/io.h +index 0fab5ac90775..c9cb554fbe54 100644 +--- a/arch/alpha/include/asm/io.h ++++ b/arch/alpha/include/asm/io.h +@@ -60,7 +60,7 @@ extern inline void set_hae(unsigned long new_hae) + * Change virtual addresses to physical addresses and vv. + */ + #ifdef USE_48_BIT_KSEG +-static inline unsigned long virt_to_phys(void *address) ++static inline unsigned long virt_to_phys(volatile void *address) + { + return (unsigned long)address - IDENT_ADDR; + } +@@ -70,7 +70,7 @@ static inline void * phys_to_virt(unsigned long address) + return (void *) (address + IDENT_ADDR); + } + #else +-static inline unsigned long virt_to_phys(void *address) ++static inline unsigned long virt_to_phys(volatile void *address) + { + unsigned long phys = (unsigned long)address; + +@@ -106,7 +106,7 @@ static inline void * phys_to_virt(unsigned long address) + extern unsigned long __direct_map_base; + extern unsigned long __direct_map_size; + +-static inline unsigned long __deprecated virt_to_bus(void *address) ++static inline unsigned long __deprecated virt_to_bus(volatile void *address) + { + unsigned long phys = virt_to_phys(address); + unsigned long bus = phys + __direct_map_base; +-- +2.33.0 + diff --git a/queue-5.14/amd-display-downgrade-validation-failure-log-level.patch b/queue-5.14/amd-display-downgrade-validation-failure-log-level.patch new file mode 100644 index 00000000000..815cd328137 --- /dev/null +++ b/queue-5.14/amd-display-downgrade-validation-failure-log-level.patch @@ -0,0 +1,50 @@ +From 6899d0ef732225e71fc6425758a0d5fa148287bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 14:19:34 +0000 +Subject: amd/display: downgrade validation failure log level + +From: Simon Ser + +[ Upstream commit 7bbee36d71502ab9a341505da89a017c7ae2e6b2 ] + +In amdgpu_dm_atomic_check, dc_validate_global_state is called. On +failure this logs a warning to the kernel journal. However warnings +shouldn't be used for atomic test-only commit failures: user-space +might be perfoming a lot of atomic test-only commits to find the +best hardware configuration. + +Downgrade the log to a regular DRM atomic message. While at it, use +the new device-aware logging infrastructure. + +This fixes error messages in the kernel when running gamescope [1]. + +[1]: https://github.com/Plagman/gamescope/issues/245 + +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Simon Ser +Cc: Alex Deucher +Cc: Harry Wentland +Cc: Nicholas Kazlauskas +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 6a4c6c47dcfa..a4a4bb43c108 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -10469,7 +10469,8 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev, + goto fail; + status = dc_validate_global_state(dc, dm_state->context, false); + if (status != DC_OK) { +- DC_LOG_WARNING("DC global validation failure: %s (%d)", ++ drm_dbg_atomic(dev, ++ "DC global validation failure: %s (%d)", + dc_status_to_str(status), status); + ret = -EINVAL; + goto fail; +-- +2.33.0 + diff --git a/queue-5.14/amd-display-enable-panel-orientation-quirks.patch b/queue-5.14/amd-display-enable-panel-orientation-quirks.patch new file mode 100644 index 00000000000..85a569bf3e0 --- /dev/null +++ b/queue-5.14/amd-display-enable-panel-orientation-quirks.patch @@ -0,0 +1,77 @@ +From 4ea66392d4ac100d0235a048d0b636a0dba7c000 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Sep 2021 15:37:41 +0000 +Subject: amd/display: enable panel orientation quirks + +From: Simon Ser + +[ Upstream commit cd51a57eb59fd56f3fe7ce9cadef444451bcf804 ] + +This patch allows panel orientation quirks from DRM core to be +used. They attach a DRM connector property "panel orientation" +which indicates in which direction the panel has been mounted. +Some machines have the internal screen mounted with a rotation. + +Since the panel orientation quirks need the native mode from the +EDID, check for it in amdgpu_dm_connector_ddc_get_modes. + +Signed-off-by: Simon Ser +Cc: Alex Deucher +Cc: Harry Wentland +Cc: Nicholas Kazlauskas +Reviewed-by: Harry Wentland +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 28 +++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index e7cf79b386da..3bb567ea2cef 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -7514,6 +7514,32 @@ static void amdgpu_dm_connector_add_common_modes(struct drm_encoder *encoder, + } + } + ++static void amdgpu_set_panel_orientation(struct drm_connector *connector) ++{ ++ struct drm_encoder *encoder; ++ struct amdgpu_encoder *amdgpu_encoder; ++ const struct drm_display_mode *native_mode; ++ ++ if (connector->connector_type != DRM_MODE_CONNECTOR_eDP && ++ connector->connector_type != DRM_MODE_CONNECTOR_LVDS) ++ return; ++ ++ encoder = amdgpu_dm_connector_to_encoder(connector); ++ if (!encoder) ++ return; ++ ++ amdgpu_encoder = to_amdgpu_encoder(encoder); ++ ++ native_mode = &amdgpu_encoder->native_mode; ++ if (native_mode->hdisplay == 0 || native_mode->vdisplay == 0) ++ return; ++ ++ drm_connector_set_panel_orientation_with_quirk(connector, ++ DRM_MODE_PANEL_ORIENTATION_UNKNOWN, ++ native_mode->hdisplay, ++ native_mode->vdisplay); ++} ++ + static void amdgpu_dm_connector_ddc_get_modes(struct drm_connector *connector, + struct edid *edid) + { +@@ -7542,6 +7568,8 @@ static void amdgpu_dm_connector_ddc_get_modes(struct drm_connector *connector, + * restored here. + */ + amdgpu_dm_update_freesync_caps(connector, edid); ++ ++ amdgpu_set_panel_orientation(connector); + } else { + amdgpu_dm_connector->num_modes = 0; + } +-- +2.33.0 + diff --git a/queue-5.14/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch b/queue-5.14/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch new file mode 100644 index 00000000000..f2c6f889117 --- /dev/null +++ b/queue-5.14/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch @@ -0,0 +1,42 @@ +From 4ddab171c612f1d432a0bfb867d74e8f58524534 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 17:44:02 +0800 +Subject: arm64: Mark __stack_chk_guard as __ro_after_init + +From: Dan Li + +[ Upstream commit 9fcb2e93f41c07a400885325e7dbdfceba6efaec ] + +__stack_chk_guard is setup once while init stage and never changed +after that. + +Although the modification of this variable at runtime will usually +cause the kernel to crash (so does the attacker), it should be marked +as __ro_after_init, and it should not affect performance if it is +placed in the ro_after_init section. + +Signed-off-by: Dan Li +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/1631612642-102881-1-git-send-email-ashimida@linux.alibaba.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/process.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c +index c8989b999250..c858b857c1ec 100644 +--- a/arch/arm64/kernel/process.c ++++ b/arch/arm64/kernel/process.c +@@ -60,7 +60,7 @@ + + #if defined(CONFIG_STACKPROTECTOR) && !defined(CONFIG_STACKPROTECTOR_PER_TASK) + #include +-unsigned long __stack_chk_guard __read_mostly; ++unsigned long __stack_chk_guard __ro_after_init; + EXPORT_SYMBOL(__stack_chk_guard); + #endif + +-- +2.33.0 + diff --git a/queue-5.14/blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch b/queue-5.14/blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch new file mode 100644 index 00000000000..5a9a1c465f4 --- /dev/null +++ b/queue-5.14/blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch @@ -0,0 +1,181 @@ +From e5471cdd131c99d491451f5fa2d316523230956f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 12:26:05 +0800 +Subject: blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd + +From: Li Jinlin + +[ Upstream commit 858560b27645e7e97aca37ee8f232cccd658fbd2 ] + +KASAN reports a use-after-free report when doing fuzz test: + +[693354.104835] ================================================================== +[693354.105094] BUG: KASAN: use-after-free in bfq_io_set_weight_legacy+0xd3/0x160 +[693354.105336] Read of size 4 at addr ffff888be0a35664 by task sh/1453338 + +[693354.105607] CPU: 41 PID: 1453338 Comm: sh Kdump: loaded Not tainted 4.18.0-147 +[693354.105610] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 07/02/2018 +[693354.105612] Call Trace: +[693354.105621] dump_stack+0xf1/0x19b +[693354.105626] ? show_regs_print_info+0x5/0x5 +[693354.105634] ? printk+0x9c/0xc3 +[693354.105638] ? cpumask_weight+0x1f/0x1f +[693354.105648] print_address_description+0x70/0x360 +[693354.105654] kasan_report+0x1b2/0x330 +[693354.105659] ? bfq_io_set_weight_legacy+0xd3/0x160 +[693354.105665] ? bfq_io_set_weight_legacy+0xd3/0x160 +[693354.105670] bfq_io_set_weight_legacy+0xd3/0x160 +[693354.105675] ? bfq_cpd_init+0x20/0x20 +[693354.105683] cgroup_file_write+0x3aa/0x510 +[693354.105693] ? ___slab_alloc+0x507/0x540 +[693354.105698] ? cgroup_file_poll+0x60/0x60 +[693354.105702] ? 0xffffffff89600000 +[693354.105708] ? usercopy_abort+0x90/0x90 +[693354.105716] ? mutex_lock+0xef/0x180 +[693354.105726] kernfs_fop_write+0x1ab/0x280 +[693354.105732] ? cgroup_file_poll+0x60/0x60 +[693354.105738] vfs_write+0xe7/0x230 +[693354.105744] ksys_write+0xb0/0x140 +[693354.105749] ? __ia32_sys_read+0x50/0x50 +[693354.105760] do_syscall_64+0x112/0x370 +[693354.105766] ? syscall_return_slowpath+0x260/0x260 +[693354.105772] ? do_page_fault+0x9b/0x270 +[693354.105779] ? prepare_exit_to_usermode+0xf9/0x1a0 +[693354.105784] ? enter_from_user_mode+0x30/0x30 +[693354.105793] entry_SYSCALL_64_after_hwframe+0x65/0xca + +[693354.105875] Allocated by task 1453337: +[693354.106001] kasan_kmalloc+0xa0/0xd0 +[693354.106006] kmem_cache_alloc_node_trace+0x108/0x220 +[693354.106010] bfq_pd_alloc+0x96/0x120 +[693354.106015] blkcg_activate_policy+0x1b7/0x2b0 +[693354.106020] bfq_create_group_hierarchy+0x1e/0x80 +[693354.106026] bfq_init_queue+0x678/0x8c0 +[693354.106031] blk_mq_init_sched+0x1f8/0x460 +[693354.106037] elevator_switch_mq+0xe1/0x240 +[693354.106041] elevator_switch+0x25/0x40 +[693354.106045] elv_iosched_store+0x1a1/0x230 +[693354.106049] queue_attr_store+0x78/0xb0 +[693354.106053] kernfs_fop_write+0x1ab/0x280 +[693354.106056] vfs_write+0xe7/0x230 +[693354.106060] ksys_write+0xb0/0x140 +[693354.106064] do_syscall_64+0x112/0x370 +[693354.106069] entry_SYSCALL_64_after_hwframe+0x65/0xca + +[693354.106114] Freed by task 1453336: +[693354.106225] __kasan_slab_free+0x130/0x180 +[693354.106229] kfree+0x90/0x1b0 +[693354.106233] blkcg_deactivate_policy+0x12c/0x220 +[693354.106238] bfq_exit_queue+0xf5/0x110 +[693354.106241] blk_mq_exit_sched+0x104/0x130 +[693354.106245] __elevator_exit+0x45/0x60 +[693354.106249] elevator_switch_mq+0xd6/0x240 +[693354.106253] elevator_switch+0x25/0x40 +[693354.106257] elv_iosched_store+0x1a1/0x230 +[693354.106261] queue_attr_store+0x78/0xb0 +[693354.106264] kernfs_fop_write+0x1ab/0x280 +[693354.106268] vfs_write+0xe7/0x230 +[693354.106271] ksys_write+0xb0/0x140 +[693354.106275] do_syscall_64+0x112/0x370 +[693354.106280] entry_SYSCALL_64_after_hwframe+0x65/0xca + +[693354.106329] The buggy address belongs to the object at ffff888be0a35580 + which belongs to the cache kmalloc-1k of size 1024 +[693354.106736] The buggy address is located 228 bytes inside of + 1024-byte region [ffff888be0a35580, ffff888be0a35980) +[693354.107114] The buggy address belongs to the page: +[693354.107273] page:ffffea002f828c00 count:1 mapcount:0 mapping:ffff888107c17080 index:0x0 compound_mapcount: 0 +[693354.107606] flags: 0x17ffffc0008100(slab|head) +[693354.107760] raw: 0017ffffc0008100 ffffea002fcbc808 ffffea0030bd3a08 ffff888107c17080 +[693354.108020] raw: 0000000000000000 00000000001c001c 00000001ffffffff 0000000000000000 +[693354.108278] page dumped because: kasan: bad access detected + +[693354.108511] Memory state around the buggy address: +[693354.108671] ffff888be0a35500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[693354.116396] ffff888be0a35580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[693354.124473] >ffff888be0a35600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[693354.132421] ^ +[693354.140284] ffff888be0a35680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[693354.147912] ffff888be0a35700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[693354.155281] ================================================================== + +blkgs are protected by both queue and blkcg locks and holding +either should stabilize them. However, the path of destroying +blkg policy data is only protected by queue lock in +blkcg_activate_policy()/blkcg_deactivate_policy(). Other tasks +can get the blkg policy data before the blkg policy data is +destroyed, and use it after destroyed, which will result in a +use-after-free. + +CPU0 CPU1 +blkcg_deactivate_policy + spin_lock_irq(&q->queue_lock) + bfq_io_set_weight_legacy + spin_lock_irq(&blkcg->lock) + blkg_to_bfqg(blkg) + pd_to_bfqg(blkg->pd[pol->plid]) + ^^^^^^blkg->pd[pol->plid] != NULL + bfqg != NULL + pol->pd_free_fn(blkg->pd[pol->plid]) + pd_to_bfqg(blkg->pd[pol->plid]) + bfqg_put(bfqg) + kfree(bfqg) + blkg->pd[pol->plid] = NULL + spin_unlock_irq(q->queue_lock); + bfq_group_set_weight(bfqg, val, 0) + bfqg->entity.new_weight + ^^^^^^trigger uaf here + spin_unlock_irq(&blkcg->lock); + +Fix by grabbing the matching blkcg lock before trying to +destroy blkg policy data. + +Suggested-by: Tejun Heo +Signed-off-by: Li Jinlin +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20210914042605.3260596-1-lijinlin3@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-cgroup.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c +index 26446f97deee..28e11decbac5 100644 +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -1385,10 +1385,14 @@ enomem: + /* alloc failed, nothing's initialized yet, free everything */ + spin_lock_irq(&q->queue_lock); + list_for_each_entry(blkg, &q->blkg_list, q_node) { ++ struct blkcg *blkcg = blkg->blkcg; ++ ++ spin_lock(&blkcg->lock); + if (blkg->pd[pol->plid]) { + pol->pd_free_fn(blkg->pd[pol->plid]); + blkg->pd[pol->plid] = NULL; + } ++ spin_unlock(&blkcg->lock); + } + spin_unlock_irq(&q->queue_lock); + ret = -ENOMEM; +@@ -1420,12 +1424,16 @@ void blkcg_deactivate_policy(struct request_queue *q, + __clear_bit(pol->plid, q->blkcg_pols); + + list_for_each_entry(blkg, &q->blkg_list, q_node) { ++ struct blkcg *blkcg = blkg->blkcg; ++ ++ spin_lock(&blkcg->lock); + if (blkg->pd[pol->plid]) { + if (pol->pd_offline_fn) + pol->pd_offline_fn(blkg->pd[pol->plid]); + pol->pd_free_fn(blkg->pd[pol->plid]); + blkg->pd[pol->plid] = NULL; + } ++ spin_unlock(&blkcg->lock); + } + + spin_unlock_irq(&q->queue_lock); +-- +2.33.0 + diff --git a/queue-5.14/blk-mq-avoid-to-iterate-over-stale-request.patch b/queue-5.14/blk-mq-avoid-to-iterate-over-stale-request.patch new file mode 100644 index 00000000000..a7f592580f0 --- /dev/null +++ b/queue-5.14/blk-mq-avoid-to-iterate-over-stale-request.patch @@ -0,0 +1,54 @@ +From 30e3a58bc095a519dedb0292655b5eb7b815d27d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 14:50:03 +0800 +Subject: blk-mq: avoid to iterate over stale request + +From: Ming Lei + +[ Upstream commit 67f3b2f822b7e71cfc9b42dbd9f3144fa2933e0b ] + +blk-mq can't run allocating driver tag and updating ->rqs[tag] +atomically, meantime blk-mq doesn't clear ->rqs[tag] after the driver +tag is released. + +So there is chance to iterating over one stale request just after the +tag is allocated and before updating ->rqs[tag]. + +scsi_host_busy_iter() calls scsi_host_check_in_flight() to count scsi +in-flight requests after scsi host is blocked, so no new scsi command can +be marked as SCMD_STATE_INFLIGHT. However, driver tag allocation still can +be run by blk-mq core. One request is marked as SCMD_STATE_INFLIGHT, +but this request may have been kept in another slot of ->rqs[], meantime +the slot can be allocated out but ->rqs[] isn't updated yet. Then this +in-flight request is counted twice as SCMD_STATE_INFLIGHT. This way causes +trouble in handling scsi error. + +Fixes the issue by not iterating over stale request. + +Cc: linux-scsi@vger.kernel.org +Cc: "Martin K. Petersen" +Reported-by: luojiaxing +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20210906065003.439019-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq-tag.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c +index 86f87346232a..ff5caeb82542 100644 +--- a/block/blk-mq-tag.c ++++ b/block/blk-mq-tag.c +@@ -208,7 +208,7 @@ static struct request *blk_mq_find_and_get_req(struct blk_mq_tags *tags, + + spin_lock_irqsave(&tags->lock, flags); + rq = tags->rqs[bitnr]; +- if (!rq || !refcount_inc_not_zero(&rq->ref)) ++ if (!rq || rq->tag != bitnr || !refcount_inc_not_zero(&rq->ref)) + rq = NULL; + spin_unlock_irqrestore(&tags->lock, flags); + return rq; +-- +2.33.0 + diff --git a/queue-5.14/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch b/queue-5.14/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch new file mode 100644 index 00000000000..e2239d4bc44 --- /dev/null +++ b/queue-5.14/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch @@ -0,0 +1,93 @@ +From 3e201a536efc3b9c761b5a02b16988dc5809c41f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 21:49:21 +0800 +Subject: blktrace: Fix uaf in blk_trace access after removing by sysfs + +From: Zhihao Cheng + +[ Upstream commit 5afedf670caf30a2b5a52da96eb7eac7dee6a9c9 ] + +There is an use-after-free problem triggered by following process: + + P1(sda) P2(sdb) + echo 0 > /sys/block/sdb/trace/enable + blk_trace_remove_queue + synchronize_rcu + blk_trace_free + relay_close +rcu_read_lock +__blk_add_trace + trace_note_tsk + (Iterate running_trace_list) + relay_close_buf + relay_destroy_buf + kfree(buf) + trace_note(sdb's bt) + relay_reserve + buf->offset <- nullptr deference (use-after-free) !!! +rcu_read_unlock + +[ 502.714379] BUG: kernel NULL pointer dereference, address: +0000000000000010 +[ 502.715260] #PF: supervisor read access in kernel mode +[ 502.715903] #PF: error_code(0x0000) - not-present page +[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0 +[ 502.717252] Oops: 0000 [#1] SMP +[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360 +[ 502.732872] Call Trace: +[ 502.733193] __blk_add_trace.cold+0x137/0x1a3 +[ 502.733734] blk_add_trace_rq+0x7b/0xd0 +[ 502.734207] blk_add_trace_rq_issue+0x54/0xa0 +[ 502.734755] blk_mq_start_request+0xde/0x1b0 +[ 502.735287] scsi_queue_rq+0x528/0x1140 +... +[ 502.742704] sg_new_write.isra.0+0x16e/0x3e0 +[ 502.747501] sg_ioctl+0x466/0x1100 + +Reproduce method: + ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) + ioctl(/dev/sda, BLKTRACESTART) + ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) + ioctl(/dev/sdb, BLKTRACESTART) + + echo 0 > /sys/block/sdb/trace/enable & + // Add delay(mdelay/msleep) before kernel enters blk_trace_free() + + ioctl$SG_IO(/dev/sda, SG_IO, ...) + // Enters trace_note_tsk() after blk_trace_free() returned + // Use mdelay in rcu region rather than msleep(which may schedule out) + +Remove blk_trace from running_list before calling blk_trace_free() by +sysfs if blk_trace is at Blktrace_running state. + +Fixes: c71a896154119f ("blktrace: add ftrace plugin") +Signed-off-by: Zhihao Cheng +Link: https://lore.kernel.org/r/20210923134921.109194-1-chengzhihao1@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + kernel/trace/blktrace.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c +index c221e4c3f625..fa91f398f28b 100644 +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -1605,6 +1605,14 @@ static int blk_trace_remove_queue(struct request_queue *q) + if (bt == NULL) + return -EINVAL; + ++ if (bt->trace_state == Blktrace_running) { ++ bt->trace_state = Blktrace_stopped; ++ spin_lock_irq(&running_trace_lock); ++ list_del_init(&bt->running_list); ++ spin_unlock_irq(&running_trace_lock); ++ relay_flush(bt->rchan); ++ } ++ + put_probe_ref(); + synchronize_rcu(); + blk_trace_free(bt); +-- +2.33.0 + diff --git a/queue-5.14/block-check-if-a-profile-is-actually-registered-in-b.patch b/queue-5.14/block-check-if-a-profile-is-actually-registered-in-b.patch new file mode 100644 index 00000000000..ece2f86c389 --- /dev/null +++ b/queue-5.14/block-check-if-a-profile-is-actually-registered-in-b.patch @@ -0,0 +1,45 @@ +From 78df999d0d1dd8c159139c3ad11a3a6a91ad59c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 09:06:55 +0200 +Subject: block: check if a profile is actually registered in + blk_integrity_unregister + +From: Christoph Hellwig + +[ Upstream commit 783a40a1b3ac7f3714d2776fa8ac8cce3535e4f6 ] + +While clearing the profile itself is harmless, we really should not clear +the stable writes flag if it wasn't set due to a registered integrity +profile. + +Reported-by: Lihong Kou +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Link: https://lore.kernel.org/r/20210914070657.87677-2-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-integrity.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/block/blk-integrity.c b/block/blk-integrity.c +index 410da060d1f5..e9f943de377a 100644 +--- a/block/blk-integrity.c ++++ b/block/blk-integrity.c +@@ -426,8 +426,12 @@ EXPORT_SYMBOL(blk_integrity_register); + */ + void blk_integrity_unregister(struct gendisk *disk) + { ++ struct blk_integrity *bi = &disk->queue->integrity; ++ ++ if (!bi->profile) ++ return; + blk_queue_flag_clear(QUEUE_FLAG_STABLE_WRITES, disk->queue); +- memset(&disk->queue->integrity, 0, sizeof(struct blk_integrity)); ++ memset(bi, 0, sizeof(*bi)); + } + EXPORT_SYMBOL(blk_integrity_unregister); + +-- +2.33.0 + diff --git a/queue-5.14/block-flush-the-integrity-workqueue-in-blk_integrity.patch b/queue-5.14/block-flush-the-integrity-workqueue-in-blk_integrity.patch new file mode 100644 index 00000000000..dcf70ab5d6a --- /dev/null +++ b/queue-5.14/block-flush-the-integrity-workqueue-in-blk_integrity.patch @@ -0,0 +1,54 @@ +From 725400c5318c24b36514d6df734924cd8db86056 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 09:06:56 +0200 +Subject: block: flush the integrity workqueue in blk_integrity_unregister + +From: Lihong Kou + +[ Upstream commit 3df49967f6f1d2121b0c27c381ca1c8386b1dab9 ] + +When the integrity profile is unregistered there can still be integrity +reads queued up which could see a NULL verify_fn as shown by the race +window below: + +CPU0 CPU1 + process_one_work nvme_validate_ns + bio_integrity_verify_fn nvme_update_ns_info + nvme_update_disk_info + blk_integrity_unregister + ---set queue->integrity as 0 + bio_integrity_process + --access bi->profile->verify_fn(bi is a pointer of queue->integity) + +Before calling blk_integrity_unregister in nvme_update_disk_info, we must +make sure that there is no work item in the kintegrityd_wq. Just call +blk_flush_integrity to flush the work queue so the bug can be resolved. + +Signed-off-by: Lihong Kou +[hch: split up and shortened the changelog] +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Link: https://lore.kernel.org/r/20210914070657.87677-3-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-integrity.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/block/blk-integrity.c b/block/blk-integrity.c +index e9f943de377a..9e83159f5a52 100644 +--- a/block/blk-integrity.c ++++ b/block/blk-integrity.c +@@ -430,6 +430,9 @@ void blk_integrity_unregister(struct gendisk *disk) + + if (!bi->profile) + return; ++ ++ /* ensure all bios are off the integrity workqueue */ ++ blk_flush_integrity(); + blk_queue_flag_clear(QUEUE_FLAG_STABLE_WRITES, disk->queue); + memset(bi, 0, sizeof(*bi)); + } +-- +2.33.0 + diff --git a/queue-5.14/bpf-add-oversize-check-before-call-kvcalloc.patch b/queue-5.14/bpf-add-oversize-check-before-call-kvcalloc.patch new file mode 100644 index 00000000000..117b4e13a82 --- /dev/null +++ b/queue-5.14/bpf-add-oversize-check-before-call-kvcalloc.patch @@ -0,0 +1,60 @@ +From b94f4ecef0d8475fcce000a98070952dd8e4f361 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Sep 2021 08:55:57 +0800 +Subject: bpf: Add oversize check before call kvcalloc() + +From: Bixuan Cui + +[ Upstream commit 0e6491b559704da720f6da09dd0a52c4df44c514 ] + +Commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls") add the +oversize check. When the allocation is larger than what kmalloc() supports, +the following warning triggered: + +WARNING: CPU: 0 PID: 8408 at mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597 +Modules linked in: +CPU: 0 PID: 8408 Comm: syz-executor221 Not tainted 5.14.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:kvmalloc_node+0x108/0x110 mm/util.c:597 +Call Trace: + kvmalloc include/linux/mm.h:806 [inline] + kvmalloc_array include/linux/mm.h:824 [inline] + kvcalloc include/linux/mm.h:829 [inline] + check_btf_line kernel/bpf/verifier.c:9925 [inline] + check_btf_info kernel/bpf/verifier.c:10049 [inline] + bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759 + bpf_prog_load kernel/bpf/syscall.c:2301 [inline] + __sys_bpf+0x11181/0x126e0 kernel/bpf/syscall.c:4587 + __do_sys_bpf kernel/bpf/syscall.c:4691 [inline] + __se_sys_bpf kernel/bpf/syscall.c:4689 [inline] + __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4689 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com +Signed-off-by: Bixuan Cui +Signed-off-by: Alexei Starovoitov +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20210911005557.45518-1-cuibixuan@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 9d94ac6ff50c..592b9b68cbd9 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -9641,6 +9641,8 @@ static int check_btf_line(struct bpf_verifier_env *env, + nr_linfo = attr->line_info_cnt; + if (!nr_linfo) + return 0; ++ if (nr_linfo > INT_MAX / sizeof(struct bpf_line_info)) ++ return -EINVAL; + + rec_size = attr->line_info_rec_size; + if (rec_size < MIN_BPF_LINEINFO_SIZE || +-- +2.33.0 + diff --git a/queue-5.14/cifs-fix-a-sign-extension-bug.patch b/queue-5.14/cifs-fix-a-sign-extension-bug.patch new file mode 100644 index 00000000000..ea44efa78b8 --- /dev/null +++ b/queue-5.14/cifs-fix-a-sign-extension-bug.patch @@ -0,0 +1,46 @@ +From 65b91cc68871b6f8166f0fb0b66b7f9353d2e91d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Sep 2021 23:33:35 +0300 +Subject: cifs: fix a sign extension bug + +From: Dan Carpenter + +[ Upstream commit e946d3c887a9dc33aa82a349c6284f4a084163f4 ] + +The problem is the mismatched types between "ctx->total_len" which is +an unsigned int, "rc" which is an int, and "ctx->rc" which is a +ssize_t. The code does: + + ctx->rc = (rc == 0) ? ctx->total_len : rc; + +We want "ctx->rc" to store the negative "rc" error code. But what +happens is that "rc" is type promoted to a high unsigned int and +'ctx->rc" will store the high positive value instead of a negative +value. + +The fix is to change "rc" from an int to a ssize_t. + +Fixes: c610c4b619e5 ("CIFS: Add asynchronous write support through kernel AIO") +Signed-off-by: Dan Carpenter +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 9d3bc6784771..ab2734159c19 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -3110,7 +3110,7 @@ static void collect_uncached_write_data(struct cifs_aio_ctx *ctx) + struct cifs_tcon *tcon; + struct cifs_sb_info *cifs_sb; + struct dentry *dentry = ctx->cfile->dentry; +- int rc; ++ ssize_t rc; + + tcon = tlink_tcon(ctx->cfile->tlink); + cifs_sb = CIFS_SB(dentry->d_sb); +-- +2.33.0 + diff --git a/queue-5.14/compiler.h-introduce-absolute_pointer-macro.patch b/queue-5.14/compiler.h-introduce-absolute_pointer-macro.patch new file mode 100644 index 00000000000..88fb8642da7 --- /dev/null +++ b/queue-5.14/compiler.h-introduce-absolute_pointer-macro.patch @@ -0,0 +1,44 @@ +From 6627ba51336b3bda64ec2a9b6c5df3c4d0234028 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 20:52:24 -0700 +Subject: compiler.h: Introduce absolute_pointer macro + +From: Guenter Roeck + +[ Upstream commit f6b5f1a56987de837f8e25cd560847106b8632a8 ] + +absolute_pointer() disassociates a pointer from its originating symbol +type and context. Use it to prevent compiler warnings/errors such as + + drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe': + arch/m68k/include/asm/string.h:72:25: error: + '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread] + +Such warnings may be reported by gcc 11.x for string and memory +operations on fixed addresses. + +Suggested-by: Linus Torvalds +Signed-off-by: Guenter Roeck +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/compiler.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/compiler.h b/include/linux/compiler.h +index b67261a1e3e9..3d5af56337bd 100644 +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -188,6 +188,8 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val, + (typeof(ptr)) (__ptr + (off)); }) + #endif + ++#define absolute_pointer(val) RELOC_HIDE((void *)(val), 0) ++ + #ifndef OPTIMIZER_HIDE_VAR + /* Make the optimizer believe the variable can be manipulated arbitrarily. */ + #define OPTIMIZER_HIDE_VAR(var) \ +-- +2.33.0 + diff --git a/queue-5.14/cpufreq-intel_pstate-override-parameters-if-hwp-forc.patch b/queue-5.14/cpufreq-intel_pstate-override-parameters-if-hwp-forc.patch new file mode 100644 index 00000000000..afe1da63537 --- /dev/null +++ b/queue-5.14/cpufreq-intel_pstate-override-parameters-if-hwp-forc.patch @@ -0,0 +1,82 @@ +From cc1d4a403d7801f58263d10be969be077083f4eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Sep 2021 11:50:29 -0700 +Subject: cpufreq: intel_pstate: Override parameters if HWP forced by BIOS + +From: Doug Smythies + +[ Upstream commit d9a7e9df731670acdc69e81748941ad338f47fab ] + +If HWP has been already been enabled by BIOS, it may be +necessary to override some kernel command line parameters. +Once it has been enabled it requires a reset to be disabled. + +Suggested-by: Rafael J. Wysocki +Signed-off-by: Doug Smythies +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/intel_pstate.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index bb4549959b11..e7cd3882bda4 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -3251,11 +3251,15 @@ static int __init intel_pstate_init(void) + if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) + return -ENODEV; + +- if (no_load) +- return -ENODEV; +- + id = x86_match_cpu(hwp_support_ids); + if (id) { ++ bool hwp_forced = intel_pstate_hwp_is_enabled(); ++ ++ if (hwp_forced) ++ pr_info("HWP enabled by BIOS\n"); ++ else if (no_load) ++ return -ENODEV; ++ + copy_cpu_funcs(&core_funcs); + /* + * Avoid enabling HWP for processors without EPP support, +@@ -3265,8 +3269,7 @@ static int __init intel_pstate_init(void) + * If HWP is enabled already, though, there is no choice but to + * deal with it. + */ +- if ((!no_hwp && boot_cpu_has(X86_FEATURE_HWP_EPP)) || +- intel_pstate_hwp_is_enabled()) { ++ if ((!no_hwp && boot_cpu_has(X86_FEATURE_HWP_EPP)) || hwp_forced) { + hwp_active++; + hwp_mode_bdw = id->driver_data; + intel_pstate.attr = hwp_cpufreq_attrs; +@@ -3278,7 +3281,11 @@ static int __init intel_pstate_init(void) + + goto hwp_cpu_matched; + } ++ pr_info("HWP not enabled\n"); + } else { ++ if (no_load) ++ return -ENODEV; ++ + id = x86_match_cpu(intel_pstate_cpu_ids); + if (!id) { + pr_info("CPU model not supported\n"); +@@ -3357,10 +3364,9 @@ static int __init intel_pstate_setup(char *str) + else if (!strcmp(str, "passive")) + default_driver = &intel_cpufreq; + +- if (!strcmp(str, "no_hwp")) { +- pr_info("HWP disabled\n"); ++ if (!strcmp(str, "no_hwp")) + no_hwp = 1; +- } ++ + if (!strcmp(str, "force")) + force_load = 1; + if (!strcmp(str, "hwp_only")) +-- +2.33.0 + diff --git a/queue-5.14/dma-debug-prevent-an-error-message-from-causing-runt.patch b/queue-5.14/dma-debug-prevent-an-error-message-from-causing-runt.patch new file mode 100644 index 00000000000..d001eec012b --- /dev/null +++ b/queue-5.14/dma-debug-prevent-an-error-message-from-causing-runt.patch @@ -0,0 +1,44 @@ +From 9e2ca5e8d80cfd7a80d3d9dbcf0597c8745bce04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Sep 2021 19:53:37 -0400 +Subject: dma-debug: prevent an error message from causing runtime problems + +From: Hamza Mahfooz + +[ Upstream commit 510e1a724ab1bf38150be2c1acabb303f98d0047 ] + +For some drivers, that use the DMA API. This error message can be reached +several millions of times per second, causing spam to the kernel's printk +buffer and bringing the CPU usage up to 100% (so, it should be rate +limited). However, since there is at least one driver that is in the +mainline and suffers from the error condition, it is more useful to +err_printk() here instead of just rate limiting the error message (in hopes +that it will make it easier for other drivers that suffer from this issue +to be spotted). + +Link: https://lkml.kernel.org/r/fd67fbac-64bf-f0ea-01e1-5938ccfab9d0@arm.com +Reported-by: Jeremy Linton +Signed-off-by: Hamza Mahfooz +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/debug.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c +index f2faa13534e5..70519f67556f 100644 +--- a/kernel/dma/debug.c ++++ b/kernel/dma/debug.c +@@ -567,7 +567,8 @@ static void add_dma_entry(struct dma_debug_entry *entry) + pr_err("cacheline tracking ENOMEM, dma-debug disabled\n"); + global_disable = true; + } else if (rc == -EEXIST) { +- pr_err("cacheline tracking EEXIST, overlapping mappings aren't supported\n"); ++ err_printk(entry->dev, entry, ++ "cacheline tracking EEXIST, overlapping mappings aren't supported\n"); + } + } + +-- +2.33.0 + diff --git a/queue-5.14/drm-amd-display-fix-unstable-hpcp-compliance-on-chro.patch b/queue-5.14/drm-amd-display-fix-unstable-hpcp-compliance-on-chro.patch new file mode 100644 index 00000000000..d9b7a0c9838 --- /dev/null +++ b/queue-5.14/drm-amd-display-fix-unstable-hpcp-compliance-on-chro.patch @@ -0,0 +1,64 @@ +From fc2904418b0e7ad8b98ef818b8d459948a30273d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Aug 2021 06:58:38 -0400 +Subject: drm/amd/display: Fix unstable HPCP compliance on Chrome Barcelo + +From: Qingqing Zhuo + +[ Upstream commit 4e00a434a08e0654a4dd9347485d9ec85deee1ef ] + +[Why] +Intermittently, there presents two occurrences of 0 stream +commits in a single HPD event. Current HDCP sequence does +not consider such scenerio, and will thus disable HDCP. + +[How] +Add condition check to include stream remove and re-enable +case for HDCP enable. + +Reviewed-by: Bhawanpreet Lakha +Acked-by: Mikita Lipski +Signed-off-by: Qingqing Zhuo +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 22 +++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index a4a4bb43c108..e7cf79b386da 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -8051,8 +8051,26 @@ static bool is_content_protection_different(struct drm_connector_state *state, + state->content_protection == DRM_MODE_CONTENT_PROTECTION_ENABLED) + state->content_protection = DRM_MODE_CONTENT_PROTECTION_DESIRED; + +- /* Check if something is connected/enabled, otherwise we start hdcp but nothing is connected/enabled +- * hot-plug, headless s3, dpms ++ /* Stream removed and re-enabled ++ * ++ * Can sometimes overlap with the HPD case, ++ * thus set update_hdcp to false to avoid ++ * setting HDCP multiple times. ++ * ++ * Handles: DESIRED -> DESIRED (Special case) ++ */ ++ if (!(old_state->crtc && old_state->crtc->enabled) && ++ state->crtc && state->crtc->enabled && ++ connector->state->content_protection == DRM_MODE_CONTENT_PROTECTION_DESIRED) { ++ dm_con_state->update_hdcp = false; ++ return true; ++ } ++ ++ /* Hot-plug, headless s3, dpms ++ * ++ * Only start HDCP if the display is connected/enabled. ++ * update_hdcp flag will be set to false until the next ++ * HPD comes in. + * + * Handles: DESIRED -> DESIRED (Special case) + */ +-- +2.33.0 + diff --git a/queue-5.14/drm-amd-display-link-training-retry-fix-for-abort-ca.patch b/queue-5.14/drm-amd-display-link-training-retry-fix-for-abort-ca.patch new file mode 100644 index 00000000000..5a680cb9e65 --- /dev/null +++ b/queue-5.14/drm-amd-display-link-training-retry-fix-for-abort-ca.patch @@ -0,0 +1,51 @@ +From 6ab81c0ca7d6d1363fe5c48aa95720c166114eee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Aug 2021 14:01:10 -0400 +Subject: drm/amd/display: Link training retry fix for abort case + +From: Meenakshikumar Somasundaram + +[ Upstream commit 71ae30997a8f1791835167d3ceb8d1fab32407db ] + +[Why] +If link training is aborted, it shall be retried if sink is present. + +[How] +Check hpd status to find out whether sink is present or not. If sink is +present, then link training shall be tried again with same settings. +Otherwise, link training shall be aborted. + +Reviewed-by: Jimmy Kizito +Acked-by: Mikita Lipski +Signed-off-by: Meenakshikumar Somasundaram +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c +index a6d0fd24fd02..83ef72a3ebf4 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c +@@ -1849,9 +1849,13 @@ bool perform_link_training_with_retries( + dp_disable_link_phy(link, signal); + + /* Abort link training if failure due to sink being unplugged. */ +- if (status == LINK_TRAINING_ABORT) +- break; +- else if (do_fallback) { ++ if (status == LINK_TRAINING_ABORT) { ++ enum dc_connection_type type = dc_connection_none; ++ ++ dc_link_detect_sink(link, &type); ++ if (type == dc_connection_none) ++ break; ++ } else if (do_fallback) { + decide_fallback_link_setting(*link_setting, ¤t_setting, status); + /* Fail link training if reduced link bandwidth no longer meets + * stream requirements. +-- +2.33.0 + diff --git a/queue-5.14/drm-amdkfd-make-needs_pcie_atomics-fw-version-depend.patch b/queue-5.14/drm-amdkfd-make-needs_pcie_atomics-fw-version-depend.patch new file mode 100644 index 00000000000..856eb4c749c --- /dev/null +++ b/queue-5.14/drm-amdkfd-make-needs_pcie_atomics-fw-version-depend.patch @@ -0,0 +1,166 @@ +From 66800cbc4aa6d16778af7c798f838e838cb4d32f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Aug 2021 17:42:15 -0400 +Subject: drm/amdkfd: make needs_pcie_atomics FW-version dependent + +From: Felix Kuehling + +[ Upstream commit fb932dfeb87411a8a01c995576198bfc302df339 ] + +On some GPUs the PCIe atomic requirement for KFD depends on the MEC +firmware version. Add a firmware version check for this. The minimum +firmware version that works without atomics can be updated in the +device_info structure for each GPU type. + +Move PCIe atomic detection from kgd2kfd_probe into kgd2kfd_device_init +because the MEC firmware is not loaded yet at the probe stage. + +Signed-off-by: Felix Kuehling +Reviewed-by: Guchun Chen +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_device.c | 44 ++++++++++++++++--------- + drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 1 + + 2 files changed, 29 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c +index 9e52948d4992..5a872adcfdb9 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c +@@ -447,6 +447,7 @@ static const struct kfd_device_info navi10_device_info = { + .needs_iommu_device = false, + .supports_cwsr = true, + .needs_pci_atomics = true, ++ .no_atomic_fw_version = 145, + .num_sdma_engines = 2, + .num_xgmi_sdma_engines = 0, + .num_sdma_queues_per_engine = 8, +@@ -465,6 +466,7 @@ static const struct kfd_device_info navi12_device_info = { + .needs_iommu_device = false, + .supports_cwsr = true, + .needs_pci_atomics = true, ++ .no_atomic_fw_version = 145, + .num_sdma_engines = 2, + .num_xgmi_sdma_engines = 0, + .num_sdma_queues_per_engine = 8, +@@ -483,6 +485,7 @@ static const struct kfd_device_info navi14_device_info = { + .needs_iommu_device = false, + .supports_cwsr = true, + .needs_pci_atomics = true, ++ .no_atomic_fw_version = 145, + .num_sdma_engines = 2, + .num_xgmi_sdma_engines = 0, + .num_sdma_queues_per_engine = 8, +@@ -501,6 +504,7 @@ static const struct kfd_device_info sienna_cichlid_device_info = { + .needs_iommu_device = false, + .supports_cwsr = true, + .needs_pci_atomics = true, ++ .no_atomic_fw_version = 92, + .num_sdma_engines = 4, + .num_xgmi_sdma_engines = 0, + .num_sdma_queues_per_engine = 8, +@@ -519,6 +523,7 @@ static const struct kfd_device_info navy_flounder_device_info = { + .needs_iommu_device = false, + .supports_cwsr = true, + .needs_pci_atomics = true, ++ .no_atomic_fw_version = 92, + .num_sdma_engines = 2, + .num_xgmi_sdma_engines = 0, + .num_sdma_queues_per_engine = 8, +@@ -536,7 +541,8 @@ static const struct kfd_device_info vangogh_device_info = { + .mqd_size_aligned = MQD_SIZE_ALIGNED, + .needs_iommu_device = false, + .supports_cwsr = true, +- .needs_pci_atomics = false, ++ .needs_pci_atomics = true, ++ .no_atomic_fw_version = 92, + .num_sdma_engines = 1, + .num_xgmi_sdma_engines = 0, + .num_sdma_queues_per_engine = 2, +@@ -555,6 +561,7 @@ static const struct kfd_device_info dimgrey_cavefish_device_info = { + .needs_iommu_device = false, + .supports_cwsr = true, + .needs_pci_atomics = true, ++ .no_atomic_fw_version = 92, + .num_sdma_engines = 2, + .num_xgmi_sdma_engines = 0, + .num_sdma_queues_per_engine = 8, +@@ -573,6 +580,7 @@ static const struct kfd_device_info beige_goby_device_info = { + .needs_iommu_device = false, + .supports_cwsr = true, + .needs_pci_atomics = true, ++ .no_atomic_fw_version = 92, + .num_sdma_engines = 1, + .num_xgmi_sdma_engines = 0, + .num_sdma_queues_per_engine = 8, +@@ -590,7 +598,8 @@ static const struct kfd_device_info yellow_carp_device_info = { + .mqd_size_aligned = MQD_SIZE_ALIGNED, + .needs_iommu_device = false, + .supports_cwsr = true, +- .needs_pci_atomics = false, ++ .needs_pci_atomics = true, ++ .no_atomic_fw_version = 92, + .num_sdma_engines = 1, + .num_xgmi_sdma_engines = 0, + .num_sdma_queues_per_engine = 2, +@@ -659,20 +668,6 @@ struct kfd_dev *kgd2kfd_probe(struct kgd_dev *kgd, + if (!kfd) + return NULL; + +- /* Allow BIF to recode atomics to PCIe 3.0 AtomicOps. +- * 32 and 64-bit requests are possible and must be +- * supported. +- */ +- kfd->pci_atomic_requested = amdgpu_amdkfd_have_atomics_support(kgd); +- if (device_info->needs_pci_atomics && +- !kfd->pci_atomic_requested) { +- dev_info(kfd_device, +- "skipped device %x:%x, PCI rejects atomics\n", +- pdev->vendor, pdev->device); +- kfree(kfd); +- return NULL; +- } +- + kfd->kgd = kgd; + kfd->device_info = device_info; + kfd->pdev = pdev; +@@ -772,6 +767,23 @@ bool kgd2kfd_device_init(struct kfd_dev *kfd, + kfd->vm_info.vmid_num_kfd = kfd->vm_info.last_vmid_kfd + - kfd->vm_info.first_vmid_kfd + 1; + ++ /* Allow BIF to recode atomics to PCIe 3.0 AtomicOps. ++ * 32 and 64-bit requests are possible and must be ++ * supported. ++ */ ++ kfd->pci_atomic_requested = amdgpu_amdkfd_have_atomics_support(kfd->kgd); ++ if (!kfd->pci_atomic_requested && ++ kfd->device_info->needs_pci_atomics && ++ (!kfd->device_info->no_atomic_fw_version || ++ kfd->mec_fw_version < kfd->device_info->no_atomic_fw_version)) { ++ dev_info(kfd_device, ++ "skipped device %x:%x, PCI rejects atomics %d<%d\n", ++ kfd->pdev->vendor, kfd->pdev->device, ++ kfd->mec_fw_version, ++ kfd->device_info->no_atomic_fw_version); ++ return false; ++ } ++ + /* Verify module parameters regarding mapped process number*/ + if ((hws_max_conc_proc < 0) + || (hws_max_conc_proc > kfd->vm_info.vmid_num_kfd)) { +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h +index 3426743ed228..b38a84a27438 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h +@@ -206,6 +206,7 @@ struct kfd_device_info { + bool supports_cwsr; + bool needs_iommu_device; + bool needs_pci_atomics; ++ uint32_t no_atomic_fw_version; + unsigned int num_sdma_engines; + unsigned int num_xgmi_sdma_engines; + unsigned int num_sdma_queues_per_engine; +-- +2.33.0 + diff --git a/queue-5.14/drm-ttm-fix-type-mismatch-error-on-sparc64.patch b/queue-5.14/drm-ttm-fix-type-mismatch-error-on-sparc64.patch new file mode 100644 index 00000000000..f658e914557 --- /dev/null +++ b/queue-5.14/drm-ttm-fix-type-mismatch-error-on-sparc64.patch @@ -0,0 +1,49 @@ +From 1b89308b8160aac95a50647a59f165db46cc3d05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 18:03:02 +0800 +Subject: drm/ttm: fix type mismatch error on sparc64 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Huang Rui + +[ Upstream commit 3ca706c189db861b2ca2019a0901b94050ca49d8 ] + +On sparc64, __fls() returns an "int", but the drm TTM code expected it +to be "unsigned long" as on x86. As a result, on sparc (and arc, and +m68k) you get build errors because 'min()' checks that the types match. + +As suggested by Linus, it can use min_t instead of min to force the type +to be "unsigned int". + +Suggested-by: Linus Torvalds +Signed-off-by: Huang Rui +Reviewed-by: Christian König +Cc: Alex Deucher +Cc: David Airlie +Cc: Daniel Vetter +Cc: Guenter Roeck +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ttm/ttm_pool.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/ttm/ttm_pool.c b/drivers/gpu/drm/ttm/ttm_pool.c +index cb38b1a17b09..82cbb29a05aa 100644 +--- a/drivers/gpu/drm/ttm/ttm_pool.c ++++ b/drivers/gpu/drm/ttm/ttm_pool.c +@@ -383,7 +383,8 @@ int ttm_pool_alloc(struct ttm_pool *pool, struct ttm_tt *tt, + else + gfp_flags |= GFP_HIGHUSER; + +- for (order = min(MAX_ORDER - 1UL, __fls(num_pages)); num_pages; ++ for (order = min_t(unsigned int, MAX_ORDER - 1, __fls(num_pages)); ++ num_pages; + order = min_t(unsigned int, order, __fls(num_pages))) { + bool apply_caching = false; + struct ttm_pool_type *pt; +-- +2.33.0 + diff --git a/queue-5.14/fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch b/queue-5.14/fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch new file mode 100644 index 00000000000..49e869b52af --- /dev/null +++ b/queue-5.14/fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch @@ -0,0 +1,42 @@ +From 57364df7a17c3314747038ceaf149433feef0b6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 14:40:42 +0800 +Subject: fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() + +From: Jiapeng Chong + +[ Upstream commit a1e4470823d99e75b596748086e120dea169ed3c ] + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'ret'. + +Eliminate the follow smatch warning: + +drivers/fpga/machxo2-spi.c:341 machxo2_write_complete() + warn: missing error code 'ret'. + +[mdf@kernel.org: Reworded commit message] +Fixes: 88fb3a002330 ("fpga: lattice machxo2: Add Lattice MachXO2 support") +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Signed-off-by: Moritz Fischer +Signed-off-by: Sasha Levin +--- + drivers/fpga/machxo2-spi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/fpga/machxo2-spi.c b/drivers/fpga/machxo2-spi.c +index b4a530a31302..ea2ec3c6815c 100644 +--- a/drivers/fpga/machxo2-spi.c ++++ b/drivers/fpga/machxo2-spi.c +@@ -338,6 +338,7 @@ static int machxo2_write_complete(struct fpga_manager *mgr, + break; + if (++refreshloop == MACHXO2_MAX_REFRESH_LOOP) { + machxo2_cleanup(mgr); ++ ret = -EINVAL; + goto fail; + } + } while (1); +-- +2.33.0 + diff --git a/queue-5.14/fpga-machxo2-spi-return-an-error-on-failure.patch b/queue-5.14/fpga-machxo2-spi-return-an-error-on-failure.patch new file mode 100644 index 00000000000..7cf16f0f6a7 --- /dev/null +++ b/queue-5.14/fpga-machxo2-spi-return-an-error-on-failure.patch @@ -0,0 +1,56 @@ +From 2bf388c1795eff953e758088cf5053db484718c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 09:40:36 -0700 +Subject: fpga: machxo2-spi: Return an error on failure + +From: Tom Rix + +[ Upstream commit 34331739e19fd6a293d488add28832ad49c9fc54 ] + +Earlier successes leave 'ret' in a non error state, so these errors are +not reported. Set ret to -EINVAL before going to the error handler. + +This addresses two issues reported by smatch: +drivers/fpga/machxo2-spi.c:229 machxo2_write_init() + warn: missing error code 'ret' + +drivers/fpga/machxo2-spi.c:316 machxo2_write_complete() + warn: missing error code 'ret' + +[mdf@kernel.org: Reworded commit message] +Fixes: 88fb3a002330 ("fpga: lattice machxo2: Add Lattice MachXO2 support") +Reported-by: Dan Carpenter +Signed-off-by: Tom Rix +Signed-off-by: Moritz Fischer +Signed-off-by: Sasha Levin +--- + drivers/fpga/machxo2-spi.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/fpga/machxo2-spi.c b/drivers/fpga/machxo2-spi.c +index 1afb41aa20d7..b4a530a31302 100644 +--- a/drivers/fpga/machxo2-spi.c ++++ b/drivers/fpga/machxo2-spi.c +@@ -225,8 +225,10 @@ static int machxo2_write_init(struct fpga_manager *mgr, + goto fail; + + get_status(spi, &status); +- if (test_bit(FAIL, &status)) ++ if (test_bit(FAIL, &status)) { ++ ret = -EINVAL; + goto fail; ++ } + dump_status_reg(&status); + + spi_message_init(&msg); +@@ -313,6 +315,7 @@ static int machxo2_write_complete(struct fpga_manager *mgr, + dump_status_reg(&status); + if (!test_bit(DONE, &status)) { + machxo2_cleanup(mgr); ++ ret = -EINVAL; + goto fail; + } + +-- +2.33.0 + diff --git a/queue-5.14/io_uring-don-t-punt-files-update-to-io-wq-unconditio.patch b/queue-5.14/io_uring-don-t-punt-files-update-to-io-wq-unconditio.patch new file mode 100644 index 00000000000..f767976f592 --- /dev/null +++ b/queue-5.14/io_uring-don-t-punt-files-update-to-io-wq-unconditio.patch @@ -0,0 +1,48 @@ +From 2eb9b752ea6bb77e7e416de3300ea09fe7066a6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 08:43:54 -0600 +Subject: io_uring: don't punt files update to io-wq unconditionally + +From: Jens Axboe + +[ Upstream commit cdb31c29d397a8076d81fd1458d091c647ef94ba ] + +There's no reason to punt it unconditionally, we just need to ensure that +the submit lock grabbing is conditional. + +Fixes: 05f3fb3c5397 ("io_uring: avoid ring quiesce for fixed file set unregister and update") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 187eb1907bde..699a08d724c2 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -5919,19 +5919,16 @@ static int io_files_update(struct io_kiocb *req, unsigned int issue_flags) + struct io_uring_rsrc_update2 up; + int ret; + +- if (issue_flags & IO_URING_F_NONBLOCK) +- return -EAGAIN; +- + up.offset = req->rsrc_update.offset; + up.data = req->rsrc_update.arg; + up.nr = 0; + up.tags = 0; + up.resv = 0; + +- mutex_lock(&ctx->uring_lock); ++ io_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK)); + ret = __io_register_rsrc_update(ctx, IORING_RSRC_FILE, + &up, req->rsrc_update.nr_args); +- mutex_unlock(&ctx->uring_lock); ++ io_ring_submit_unlock(ctx, !(issue_flags & IO_URING_F_NONBLOCK)); + + if (ret < 0) + req_set_fail(req); +-- +2.33.0 + diff --git a/queue-5.14/io_uring-fix-missing-set-of-epolloneshot-for-cq-ring.patch b/queue-5.14/io_uring-fix-missing-set-of-epolloneshot-for-cq-ring.patch new file mode 100644 index 00000000000..1737481a627 --- /dev/null +++ b/queue-5.14/io_uring-fix-missing-set-of-epolloneshot-for-cq-ring.patch @@ -0,0 +1,40 @@ +From 094285a50f040bc69e8c074f30cf7459026bde1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Sep 2021 18:12:37 +0800 +Subject: io_uring: fix missing set of EPOLLONESHOT for CQ ring overflow + +From: Hao Xu + +[ Upstream commit a62682f92eedb41c1cd8290fa875a4b85624fb9a ] + +We should set EPOLLONESHOT if cqring_fill_event() returns false since +io_poll_add() decides to put req or not by it. + +Fixes: 5082620fb2ca ("io_uring: terminate multishot poll for CQ ring overflow") +Signed-off-by: Hao Xu +Link: https://lore.kernel.org/r/20210922101238.7177-3-haoxu@linux.alibaba.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 27a1c813f1e1..739e58ccc982 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -4968,8 +4968,10 @@ static bool io_poll_complete(struct io_kiocb *req, __poll_t mask) + } + if (req->poll.events & EPOLLONESHOT) + flags = 0; +- if (!io_cqring_fill_event(ctx, req->user_data, error, flags)) ++ if (!io_cqring_fill_event(ctx, req->user_data, error, flags)) { ++ req->poll.events |= EPOLLONESHOT; + flags = 0; ++ } + if (flags & IORING_CQE_F_MORE) + ctx->cq_extra++; + +-- +2.33.0 + diff --git a/queue-5.14/io_uring-fix-race-between-poll-completion-and-cancel.patch b/queue-5.14/io_uring-fix-race-between-poll-completion-and-cancel.patch new file mode 100644 index 00000000000..edc5e362e5b --- /dev/null +++ b/queue-5.14/io_uring-fix-race-between-poll-completion-and-cancel.patch @@ -0,0 +1,71 @@ +From 2463ccfa8ddbfb67c569038aae873daa937c4319 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Sep 2021 18:12:36 +0800 +Subject: io_uring: fix race between poll completion and cancel_hash insertion + +From: Hao Xu + +[ Upstream commit bd99c71bd14072ce2920f6d0c2fe43df072c653c ] + +If poll arming and poll completion runs in parallel, there maybe races. +For instance, run io_poll_add in iowq and io_poll_task_func in original +context, then: + + iowq original context + io_poll_add + vfs_poll + (interruption happens + tw queued to original + context) io_poll_task_func + generate cqe + del from cancel_hash[] + if !poll.done + insert to cancel_hash[] + +The entry left in cancel_hash[], similar case for fast poll. +Fix it by set poll.done = true when del from cancel_hash[]. + +Fixes: 5082620fb2ca ("io_uring: terminate multishot poll for CQ ring overflow") +Signed-off-by: Hao Xu +Link: https://lore.kernel.org/r/20210922101238.7177-2-haoxu@linux.alibaba.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 754d59f734d8..27a1c813f1e1 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -4968,10 +4968,8 @@ static bool io_poll_complete(struct io_kiocb *req, __poll_t mask) + } + if (req->poll.events & EPOLLONESHOT) + flags = 0; +- if (!io_cqring_fill_event(ctx, req->user_data, error, flags)) { +- req->poll.done = true; ++ if (!io_cqring_fill_event(ctx, req->user_data, error, flags)) + flags = 0; +- } + if (flags & IORING_CQE_F_MORE) + ctx->cq_extra++; + +@@ -4993,6 +4991,7 @@ static void io_poll_task_func(struct io_kiocb *req) + if (done) { + io_poll_remove_double(req); + hash_del(&req->hash_node); ++ req->poll.done = true; + } else { + req->result = 0; + add_wait_queue(req->poll.head, &req->poll.wait); +@@ -5126,6 +5125,7 @@ static void io_async_task_func(struct io_kiocb *req) + + hash_del(&req->hash_node); + io_poll_remove_double(req); ++ apoll->poll.done = true; + spin_unlock_irq(&ctx->completion_lock); + + if (!READ_ONCE(apoll->poll.canceled)) +-- +2.33.0 + diff --git a/queue-5.14/io_uring-put-provided-buffer-meta-data-under-memcg-a.patch b/queue-5.14/io_uring-put-provided-buffer-meta-data-under-memcg-a.patch new file mode 100644 index 00000000000..32719c64d28 --- /dev/null +++ b/queue-5.14/io_uring-put-provided-buffer-meta-data-under-memcg-a.patch @@ -0,0 +1,36 @@ +From 3d2a0d0b3a1597944ff9a53105cdef8c4b2ede1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 07:39:08 -0600 +Subject: io_uring: put provided buffer meta data under memcg accounting + +From: Jens Axboe + +[ Upstream commit 9990da93d2bf9892c2c14c958bef050d4e461a1a ] + +For each provided buffer, we allocate a struct io_buffer to hold the +data associated with it. As a large number of buffers can be provided, +account that data with memcg. + +Fixes: ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 739e58ccc982..187eb1907bde 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -4043,7 +4043,7 @@ static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head) + int i, bid = pbuf->bid; + + for (i = 0; i < pbuf->nbufs; i++) { +- buf = kmalloc(sizeof(*buf), GFP_KERNEL); ++ buf = kmalloc(sizeof(*buf), GFP_KERNEL_ACCOUNT); + if (!buf) + break; + +-- +2.33.0 + diff --git a/queue-5.14/ipv6-delay-fib6_sernum-increase-in-fib6_add.patch b/queue-5.14/ipv6-delay-fib6_sernum-increase-in-fib6_add.patch new file mode 100644 index 00000000000..f85797a112c --- /dev/null +++ b/queue-5.14/ipv6-delay-fib6_sernum-increase-in-fib6_add.patch @@ -0,0 +1,44 @@ +From 1e6f7a9658b549594fb759728797fb22f8c658ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Sep 2021 16:39:18 +0800 +Subject: ipv6: delay fib6_sernum increase in fib6_add + +From: zhang kai + +[ Upstream commit e87b5052271e39d62337ade531992b7e5d8c2cfa ] + +only increase fib6_sernum in net namespace after add fib6_info +successfully. + +Signed-off-by: zhang kai +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_fib.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index ef75c9b05f17..68e94e9f5089 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -1378,7 +1378,6 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt, + int err = -ENOMEM; + int allow_create = 1; + int replace_required = 0; +- int sernum = fib6_new_sernum(info->nl_net); + + if (info->nlh) { + if (!(info->nlh->nlmsg_flags & NLM_F_CREATE)) +@@ -1478,7 +1477,7 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt, + if (!err) { + if (rt->nh) + list_add(&rt->nh_list, &rt->nh->f6i_list); +- __fib6_update_sernum_upto_root(rt, sernum); ++ __fib6_update_sernum_upto_root(rt, fib6_new_sernum(info->nl_net)); + fib6_start_gc(info->nl_net, rt); + } + +-- +2.33.0 + diff --git a/queue-5.14/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch b/queue-5.14/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch new file mode 100644 index 00000000000..f2209674ddf --- /dev/null +++ b/queue-5.14/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch @@ -0,0 +1,41 @@ +From 5fc9f315bcbfb0e5fb31ae3e20148073c4d4ed0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 10:20:55 +0800 +Subject: irqchip/gic-v3-its: Fix potential VPE leak on error + +From: Kaige Fu + +[ Upstream commit 280bef512933b2dda01d681d8cbe499b98fc5bdd ] + +In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error, +there is an off-by-one in the number of VPEs to be freed. + +Fix it by simply passing the number of VPEs allocated, which is the +index of the loop iterating over the VPEs. + +Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown") +Signed-off-by: Kaige Fu +[maz: fixed commit message] +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/d9e36dee512e63670287ed9eff884a5d8d6d27f2.1631672311.git.kaige.fu@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index ba39668c3e08..51584f4cccf4 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -4501,7 +4501,7 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq + + if (err) { + if (i > 0) +- its_vpe_irq_domain_free(domain, virq, i - 1); ++ its_vpe_irq_domain_free(domain, virq, i); + + its_lpi_free(bitmap, base, nr_ids); + its_free_prop_table(vprop_page); +-- +2.33.0 + diff --git a/queue-5.14/irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch b/queue-5.14/irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch new file mode 100644 index 00000000000..243d1a8ce14 --- /dev/null +++ b/queue-5.14/irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch @@ -0,0 +1,55 @@ +From 29a683b7166c0108bb4ffb9eb9ecc419503f54e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Sep 2021 09:25:19 -0700 +Subject: irqchip/goldfish-pic: Select GENERIC_IRQ_CHIP to fix build + +From: Randy Dunlap + +[ Upstream commit 969ac78db78c723a24e9410666b457cc1b0cb3c3 ] + +irq-goldfish-pic uses GENERIC_IRQ_CHIP interfaces so select that symbol +to fix build errors. + +Fixes these build errors: + +mips-linux-ld: drivers/irqchip/irq-goldfish-pic.o: in function `goldfish_pic_of_init': +irq-goldfish-pic.c:(.init.text+0xc0): undefined reference to `irq_alloc_generic_chip' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0xf4): undefined reference to `irq_gc_unmask_enable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0xf8): undefined reference to `irq_gc_unmask_enable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x100): undefined reference to `irq_gc_mask_disable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x104): undefined reference to `irq_gc_mask_disable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x11c): undefined reference to `irq_setup_generic_chip' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x168): undefined reference to `irq_remove_generic_chip' + +Fixes: 4235ff50cf98 ("irqchip/irq-goldfish-pic: Add Goldfish PIC driver") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Miodrag Dinic +Cc: Geert Uytterhoeven +Cc: Bartosz Golaszewski +Cc: Thomas Gleixner +Cc: Marc Zyngier +Cc: Goran Ferenc +Cc: Aleksandar Markovic +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20210905162519.21507-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/irqchip/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig +index 4d5924e9f766..aca7b595c4c7 100644 +--- a/drivers/irqchip/Kconfig ++++ b/drivers/irqchip/Kconfig +@@ -409,6 +409,7 @@ config MESON_IRQ_GPIO + config GOLDFISH_PIC + bool "Goldfish programmable interrupt controller" + depends on MIPS && (GOLDFISH || COMPILE_TEST) ++ select GENERIC_IRQ_CHIP + select IRQ_DOMAIN + help + Say yes here to enable Goldfish interrupt controller driver used +-- +2.33.0 + diff --git a/queue-5.14/libperf-evsel-make-use-of-fd-robust.patch b/queue-5.14/libperf-evsel-make-use-of-fd-robust.patch new file mode 100644 index 00000000000..4c18d1ca409 --- /dev/null +++ b/queue-5.14/libperf-evsel-make-use-of-fd-robust.patch @@ -0,0 +1,241 @@ +From 808321ea84ed85e1642be56c7ea17f564c155f88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Sep 2021 22:44:40 -0700 +Subject: libperf evsel: Make use of FD robust. + +From: Ian Rogers + +[ Upstream commit aba5daeb645181ee5a046bc00c231fd045882aaa ] + +FD uses xyarray__entry that may return NULL if an index is out of +bounds. If NULL is returned then a segv happens as FD unconditionally +dereferences the pointer. This was happening in a case of with perf +iostat as shown below. The fix is to make FD an "int*" rather than an +int and handle the NULL case as either invalid input or a closed fd. + + $ sudo gdb --args perf stat --iostat list + ... + Breakpoint 1, perf_evsel__alloc_fd (evsel=0x5555560951a0, ncpus=1, nthreads=1) at evsel.c:50 + 50 { + (gdb) bt + #0 perf_evsel__alloc_fd (evsel=0x5555560951a0, ncpus=1, nthreads=1) at evsel.c:50 + #1 0x000055555585c188 in evsel__open_cpu (evsel=0x5555560951a0, cpus=0x555556093410, + threads=0x555556086fb0, start_cpu=0, end_cpu=1) at util/evsel.c:1792 + #2 0x000055555585cfb2 in evsel__open (evsel=0x5555560951a0, cpus=0x0, threads=0x555556086fb0) + at util/evsel.c:2045 + #3 0x000055555585d0db in evsel__open_per_thread (evsel=0x5555560951a0, threads=0x555556086fb0) + at util/evsel.c:2065 + #4 0x00005555558ece64 in create_perf_stat_counter (evsel=0x5555560951a0, + config=0x555555c34700 , target=0x555555c2f1c0 , cpu=0) at util/stat.c:590 + #5 0x000055555578e927 in __run_perf_stat (argc=1, argv=0x7fffffffe4a0, run_idx=0) + at builtin-stat.c:833 + #6 0x000055555578f3c6 in run_perf_stat (argc=1, argv=0x7fffffffe4a0, run_idx=0) + at builtin-stat.c:1048 + #7 0x0000555555792ee5 in cmd_stat (argc=1, argv=0x7fffffffe4a0) at builtin-stat.c:2534 + #8 0x0000555555835ed3 in run_builtin (p=0x555555c3f540 , argc=3, + argv=0x7fffffffe4a0) at perf.c:313 + #9 0x0000555555836154 in handle_internal_command (argc=3, argv=0x7fffffffe4a0) at perf.c:365 + #10 0x000055555583629f in run_argv (argcp=0x7fffffffe2ec, argv=0x7fffffffe2e0) at perf.c:409 + #11 0x0000555555836692 in main (argc=3, argv=0x7fffffffe4a0) at perf.c:539 + ... + (gdb) c + Continuing. + Error: + The sys_perf_event_open() syscall returned with 22 (Invalid argument) for event (uncore_iio_0/event=0x83,umask=0x04,ch_mask=0xF,fc_mask=0x07/). + /bin/dmesg | grep -i perf may provide additional information. + + Program received signal SIGSEGV, Segmentation fault. + 0x00005555559b03ea in perf_evsel__close_fd_cpu (evsel=0x5555560951a0, cpu=1) at evsel.c:166 + 166 if (FD(evsel, cpu, thread) >= 0) + +v3. fixes a bug in perf_evsel__run_ioctl where the sense of a branch was + backward. + +Signed-off-by: Ian Rogers +Acked-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Link: http://lore.kernel.org/lkml/20210918054440.2350466-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/perf/evsel.c | 64 +++++++++++++++++++++++++++--------------- + 1 file changed, 41 insertions(+), 23 deletions(-) + +diff --git a/tools/lib/perf/evsel.c b/tools/lib/perf/evsel.c +index d8886720e83d..8441e3e1aaac 100644 +--- a/tools/lib/perf/evsel.c ++++ b/tools/lib/perf/evsel.c +@@ -43,7 +43,7 @@ void perf_evsel__delete(struct perf_evsel *evsel) + free(evsel); + } + +-#define FD(e, x, y) (*(int *) xyarray__entry(e->fd, x, y)) ++#define FD(e, x, y) ((int *) xyarray__entry(e->fd, x, y)) + #define MMAP(e, x, y) (e->mmap ? ((struct perf_mmap *) xyarray__entry(e->mmap, x, y)) : NULL) + + int perf_evsel__alloc_fd(struct perf_evsel *evsel, int ncpus, int nthreads) +@@ -54,7 +54,10 @@ int perf_evsel__alloc_fd(struct perf_evsel *evsel, int ncpus, int nthreads) + int cpu, thread; + for (cpu = 0; cpu < ncpus; cpu++) { + for (thread = 0; thread < nthreads; thread++) { +- FD(evsel, cpu, thread) = -1; ++ int *fd = FD(evsel, cpu, thread); ++ ++ if (fd) ++ *fd = -1; + } + } + } +@@ -80,7 +83,7 @@ sys_perf_event_open(struct perf_event_attr *attr, + static int get_group_fd(struct perf_evsel *evsel, int cpu, int thread, int *group_fd) + { + struct perf_evsel *leader = evsel->leader; +- int fd; ++ int *fd; + + if (evsel == leader) { + *group_fd = -1; +@@ -95,10 +98,10 @@ static int get_group_fd(struct perf_evsel *evsel, int cpu, int thread, int *grou + return -ENOTCONN; + + fd = FD(leader, cpu, thread); +- if (fd == -1) ++ if (fd == NULL || *fd == -1) + return -EBADF; + +- *group_fd = fd; ++ *group_fd = *fd; + + return 0; + } +@@ -138,7 +141,11 @@ int perf_evsel__open(struct perf_evsel *evsel, struct perf_cpu_map *cpus, + + for (cpu = 0; cpu < cpus->nr; cpu++) { + for (thread = 0; thread < threads->nr; thread++) { +- int fd, group_fd; ++ int fd, group_fd, *evsel_fd; ++ ++ evsel_fd = FD(evsel, cpu, thread); ++ if (evsel_fd == NULL) ++ return -EINVAL; + + err = get_group_fd(evsel, cpu, thread, &group_fd); + if (err < 0) +@@ -151,7 +158,7 @@ int perf_evsel__open(struct perf_evsel *evsel, struct perf_cpu_map *cpus, + if (fd < 0) + return -errno; + +- FD(evsel, cpu, thread) = fd; ++ *evsel_fd = fd; + } + } + +@@ -163,9 +170,12 @@ static void perf_evsel__close_fd_cpu(struct perf_evsel *evsel, int cpu) + int thread; + + for (thread = 0; thread < xyarray__max_y(evsel->fd); ++thread) { +- if (FD(evsel, cpu, thread) >= 0) +- close(FD(evsel, cpu, thread)); +- FD(evsel, cpu, thread) = -1; ++ int *fd = FD(evsel, cpu, thread); ++ ++ if (fd && *fd >= 0) { ++ close(*fd); ++ *fd = -1; ++ } + } + } + +@@ -209,13 +219,12 @@ void perf_evsel__munmap(struct perf_evsel *evsel) + + for (cpu = 0; cpu < xyarray__max_x(evsel->fd); cpu++) { + for (thread = 0; thread < xyarray__max_y(evsel->fd); thread++) { +- int fd = FD(evsel, cpu, thread); +- struct perf_mmap *map = MMAP(evsel, cpu, thread); ++ int *fd = FD(evsel, cpu, thread); + +- if (fd < 0) ++ if (fd == NULL || *fd < 0) + continue; + +- perf_mmap__munmap(map); ++ perf_mmap__munmap(MMAP(evsel, cpu, thread)); + } + } + +@@ -239,15 +248,16 @@ int perf_evsel__mmap(struct perf_evsel *evsel, int pages) + + for (cpu = 0; cpu < xyarray__max_x(evsel->fd); cpu++) { + for (thread = 0; thread < xyarray__max_y(evsel->fd); thread++) { +- int fd = FD(evsel, cpu, thread); +- struct perf_mmap *map = MMAP(evsel, cpu, thread); ++ int *fd = FD(evsel, cpu, thread); ++ struct perf_mmap *map; + +- if (fd < 0) ++ if (fd == NULL || *fd < 0) + continue; + ++ map = MMAP(evsel, cpu, thread); + perf_mmap__init(map, NULL, false, NULL); + +- ret = perf_mmap__mmap(map, &mp, fd, cpu); ++ ret = perf_mmap__mmap(map, &mp, *fd, cpu); + if (ret) { + perf_evsel__munmap(evsel); + return ret; +@@ -260,7 +270,9 @@ int perf_evsel__mmap(struct perf_evsel *evsel, int pages) + + void *perf_evsel__mmap_base(struct perf_evsel *evsel, int cpu, int thread) + { +- if (FD(evsel, cpu, thread) < 0 || MMAP(evsel, cpu, thread) == NULL) ++ int *fd = FD(evsel, cpu, thread); ++ ++ if (fd == NULL || *fd < 0 || MMAP(evsel, cpu, thread) == NULL) + return NULL; + + return MMAP(evsel, cpu, thread)->base; +@@ -295,17 +307,18 @@ int perf_evsel__read(struct perf_evsel *evsel, int cpu, int thread, + struct perf_counts_values *count) + { + size_t size = perf_evsel__read_size(evsel); ++ int *fd = FD(evsel, cpu, thread); + + memset(count, 0, sizeof(*count)); + +- if (FD(evsel, cpu, thread) < 0) ++ if (fd == NULL || *fd < 0) + return -EINVAL; + + if (MMAP(evsel, cpu, thread) && + !perf_mmap__read_self(MMAP(evsel, cpu, thread), count)) + return 0; + +- if (readn(FD(evsel, cpu, thread), count->values, size) <= 0) ++ if (readn(*fd, count->values, size) <= 0) + return -errno; + + return 0; +@@ -318,8 +331,13 @@ static int perf_evsel__run_ioctl(struct perf_evsel *evsel, + int thread; + + for (thread = 0; thread < xyarray__max_y(evsel->fd); thread++) { +- int fd = FD(evsel, cpu, thread), +- err = ioctl(fd, ioc, arg); ++ int err; ++ int *fd = FD(evsel, cpu, thread); ++ ++ if (fd == NULL || *fd < 0) ++ return -1; ++ ++ err = ioctl(*fd, ioc, arg); + + if (err) + return err; +-- +2.33.0 + diff --git a/queue-5.14/m68k-double-cast-io-functions-to-unsigned-long.patch b/queue-5.14/m68k-double-cast-io-functions-to-unsigned-long.patch new file mode 100644 index 00000000000..5b08840cc5f --- /dev/null +++ b/queue-5.14/m68k-double-cast-io-functions-to-unsigned-long.patch @@ -0,0 +1,68 @@ +From 9c2aa1c5206532b189a56da3c55fd63aba0baa2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 23:07:29 -0700 +Subject: m68k: Double cast io functions to unsigned long + +From: Guenter Roeck + +[ Upstream commit b1a89856fbf63fffde6a4771d8f1ac21df549e50 ] + +m68k builds fail widely with errors such as + +arch/m68k/include/asm/raw_io.h:20:19: error: + cast to pointer from integer of different size +arch/m68k/include/asm/raw_io.h:30:32: error: + cast to pointer from integer of different size [-Werror=int-to-p + +On m68k, io functions are defined as macros. The problem is seen if the +macro parameter variable size differs from the size of a pointer. Cast +the parameter of all io macros to unsigned long before casting it to +a pointer to fix the problem. + +Signed-off-by: Guenter Roeck +Link: https://lore.kernel.org/r/20210907060729.2391992-1-linux@roeck-us.net +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/include/asm/raw_io.h | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/m68k/include/asm/raw_io.h b/arch/m68k/include/asm/raw_io.h +index 911826ea83ce..80eb2396d01e 100644 +--- a/arch/m68k/include/asm/raw_io.h ++++ b/arch/m68k/include/asm/raw_io.h +@@ -17,21 +17,21 @@ + * two accesses to memory, which may be undesirable for some devices. + */ + #define in_8(addr) \ +- ({ u8 __v = (*(__force volatile u8 *) (addr)); __v; }) ++ ({ u8 __v = (*(__force volatile u8 *) (unsigned long)(addr)); __v; }) + #define in_be16(addr) \ +- ({ u16 __v = (*(__force volatile u16 *) (addr)); __v; }) ++ ({ u16 __v = (*(__force volatile u16 *) (unsigned long)(addr)); __v; }) + #define in_be32(addr) \ +- ({ u32 __v = (*(__force volatile u32 *) (addr)); __v; }) ++ ({ u32 __v = (*(__force volatile u32 *) (unsigned long)(addr)); __v; }) + #define in_le16(addr) \ +- ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (addr)); __v; }) ++ ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (unsigned long)(addr)); __v; }) + #define in_le32(addr) \ +- ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (addr)); __v; }) ++ ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (unsigned long)(addr)); __v; }) + +-#define out_8(addr,b) (void)((*(__force volatile u8 *) (addr)) = (b)) +-#define out_be16(addr,w) (void)((*(__force volatile u16 *) (addr)) = (w)) +-#define out_be32(addr,l) (void)((*(__force volatile u32 *) (addr)) = (l)) +-#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (addr)) = cpu_to_le16(w)) +-#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (addr)) = cpu_to_le32(l)) ++#define out_8(addr,b) (void)((*(__force volatile u8 *) (unsigned long)(addr)) = (b)) ++#define out_be16(addr,w) (void)((*(__force volatile u16 *) (unsigned long)(addr)) = (w)) ++#define out_be32(addr,l) (void)((*(__force volatile u32 *) (unsigned long)(addr)) = (l)) ++#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (unsigned long)(addr)) = cpu_to_le16(w)) ++#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (unsigned long)(addr)) = cpu_to_le32(l)) + + #define raw_inb in_8 + #define raw_inw in_be16 +-- +2.33.0 + diff --git a/queue-5.14/md-fix-a-lock-order-reversal-in-md_alloc.patch b/queue-5.14/md-fix-a-lock-order-reversal-in-md_alloc.patch new file mode 100644 index 00000000000..6c7c5107902 --- /dev/null +++ b/queue-5.14/md-fix-a-lock-order-reversal-in-md_alloc.patch @@ -0,0 +1,61 @@ +From 6ebc679d202f662fb44df84c7af5a42d1105788b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 13:38:29 +0200 +Subject: md: fix a lock order reversal in md_alloc + +From: Christoph Hellwig + +[ Upstream commit 7df835a32a8bedf7ce88efcfa7c9b245b52ff139 ] + +Commit b0140891a8cea3 ("md: Fix race when creating a new md device.") +not only moved assigning mddev->gendisk before calling add_disk, which +fixes the races described in the commit log, but also added a +mddev->open_mutex critical section over add_disk and creation of the +md kobj. Adding a kobject after add_disk is racy vs deleting the gendisk +right after adding it, but md already prevents against that by holding +a mddev->active reference. + +On the other hand taking this lock added a lock order reversal with what +is not disk->open_mutex (used to be bdev->bd_mutex when the commit was +added) for partition devices, which need that lock for the internal open +for the partition scan, and a recent commit also takes it for +non-partitioned devices, leading to further lockdep splatter. + +Fixes: b0140891a8ce ("md: Fix race when creating a new md device.") +Fixes: d62633873590 ("block: support delayed holder registration") +Reported-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com +Signed-off-by: Christoph Hellwig +Tested-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com +Reviewed-by: NeilBrown +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index ae8fe54ea358..6c0c3d0d905a 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -5700,10 +5700,6 @@ static int md_alloc(dev_t dev, char *name) + disk->flags |= GENHD_FL_EXT_DEVT; + disk->events |= DISK_EVENT_MEDIA_CHANGE; + mddev->gendisk = disk; +- /* As soon as we call add_disk(), another thread could get +- * through to md_open, so make sure it doesn't get too far +- */ +- mutex_lock(&mddev->open_mutex); + add_disk(disk); + + error = kobject_add(&mddev->kobj, &disk_to_dev(disk)->kobj, "%s", "md"); +@@ -5718,7 +5714,6 @@ static int md_alloc(dev_t dev, char *name) + if (mddev->kobj.sd && + sysfs_create_group(&mddev->kobj, &md_bitmap_group)) + pr_debug("pointless warning\n"); +- mutex_unlock(&mddev->open_mutex); + abort: + mutex_unlock(&disks_mutex); + if (!error && mddev->kobj.sd) { +-- +2.33.0 + diff --git a/queue-5.14/net-6pack-fix-tx-timeout-and-slot-time.patch b/queue-5.14/net-6pack-fix-tx-timeout-and-slot-time.patch new file mode 100644 index 00000000000..75ff80371b9 --- /dev/null +++ b/queue-5.14/net-6pack-fix-tx-timeout-and-slot-time.patch @@ -0,0 +1,59 @@ +From f09f33bd8e209fe89c45d057d10cb472e806e895 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 20:57:43 -0700 +Subject: net: 6pack: Fix tx timeout and slot time + +From: Guenter Roeck + +[ Upstream commit 3c0d2a46c0141913dc6fd126c57d0615677d946e ] + +tx timeout and slot time are currently specified in units of HZ. On +Alpha, HZ is defined as 1024. When building alpha:allmodconfig, this +results in the following error message. + + drivers/net/hamradio/6pack.c: In function 'sixpack_open': + drivers/net/hamradio/6pack.c:71:41: error: + unsigned conversion from 'int' to 'unsigned char' + changes value from '256' to '0' + +In the 6PACK protocol, tx timeout is specified in units of 10 ms and +transmitted over the wire: + + https://www.linux-ax25.org/wiki/6PACK + +Defining a value dependent on HZ doesn't really make sense, and +presumably comes from the (very historical) situation where HZ was +originally 100. + +Note that the SIXP_SLOTTIME use explicitly is about 10ms granularity: + + mod_timer(&sp->tx_t, jiffies + ((when + 1) * HZ) / 100); + +and the SIXP_TXDELAY walue is sent as a byte over the wire. + +Signed-off-by: Guenter Roeck +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/6pack.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c +index 8fe8887d506a..6192244b304a 100644 +--- a/drivers/net/hamradio/6pack.c ++++ b/drivers/net/hamradio/6pack.c +@@ -68,9 +68,9 @@ + #define SIXP_DAMA_OFF 0 + + /* default level 2 parameters */ +-#define SIXP_TXDELAY (HZ/4) /* in 1 s */ ++#define SIXP_TXDELAY 25 /* 250 ms */ + #define SIXP_PERSIST 50 /* in 256ths */ +-#define SIXP_SLOTTIME (HZ/10) /* in 1 s */ ++#define SIXP_SLOTTIME 10 /* 100 ms */ + #define SIXP_INIT_RESYNC_TIMEOUT (3*HZ/2) /* in 1 s */ + #define SIXP_RESYNC_TIMEOUT 5*HZ /* in 1 s */ + +-- +2.33.0 + diff --git a/queue-5.14/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch b/queue-5.14/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch new file mode 100644 index 00000000000..b1630f7f30c --- /dev/null +++ b/queue-5.14/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch @@ -0,0 +1,43 @@ +From b8896c3b42a87817e1c53f1538693a65568f2ef6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 20:52:25 -0700 +Subject: net: i825xx: Use absolute_pointer for memcpy from fixed memory + location + +From: Guenter Roeck + +[ Upstream commit dff2d13114f0beec448da9b3716204eb34b0cf41 ] + +gcc 11.x reports the following compiler warning/error. + + drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe': + arch/m68k/include/asm/string.h:72:25: error: + '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread] + +Use absolute_pointer() to work around the problem. + +Cc: Geert Uytterhoeven +Signed-off-by: Guenter Roeck +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/i825xx/82596.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/i825xx/82596.c b/drivers/net/ethernet/i825xx/82596.c +index fc8c7cd67471..8b12a5ab3818 100644 +--- a/drivers/net/ethernet/i825xx/82596.c ++++ b/drivers/net/ethernet/i825xx/82596.c +@@ -1155,7 +1155,7 @@ struct net_device * __init i82596_probe(int unit) + err = -ENODEV; + goto out; + } +- memcpy(eth_addr, (void *) 0xfffc1f2c, ETH_ALEN); /* YUCK! Get addr from NOVRAM */ ++ memcpy(eth_addr, absolute_pointer(0xfffc1f2c), ETH_ALEN); /* YUCK! Get addr from NOVRAM */ + dev->base_addr = MVME_I596_BASE; + dev->irq = (unsigned) MVME16x_IRQ_I596; + goto found; +-- +2.33.0 + diff --git a/queue-5.14/net-macb-fix-use-after-free-on-rmmod.patch b/queue-5.14/net-macb-fix-use-after-free-on-rmmod.patch new file mode 100644 index 00000000000..cf8f1d7d9cd --- /dev/null +++ b/queue-5.14/net-macb-fix-use-after-free-on-rmmod.patch @@ -0,0 +1,44 @@ +From 66bd5d5dd93ab54340a9ecd87677746cd7275108 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 12:02:32 -0700 +Subject: net: macb: fix use after free on rmmod + +From: Tong Zhang + +[ Upstream commit d82d5303c4c539db86588ffb5dc5b26c3f1513e8 ] + +plat_dev->dev->platform_data is released by platform_device_unregister(), +use of pclk and hclk is a use-after-free. Since device unregister won't +need a clk device we adjust the function call sequence to fix this issue. + +[ 31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci] +[ 31.275563] Freed by task 306: +[ 30.276782] platform_device_release+0x25/0x80 + +Suggested-by: Nicolas Ferre +Signed-off-by: Tong Zhang +Acked-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c +index 8b7b59908a1a..f66d22de5168 100644 +--- a/drivers/net/ethernet/cadence/macb_pci.c ++++ b/drivers/net/ethernet/cadence/macb_pci.c +@@ -111,9 +111,9 @@ static void macb_remove(struct pci_dev *pdev) + struct platform_device *plat_dev = pci_get_drvdata(pdev); + struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev); + +- platform_device_unregister(plat_dev); + clk_unregister(plat_data->pclk); + clk_unregister(plat_data->hclk); ++ platform_device_unregister(plat_dev); + } + + static const struct pci_device_id dev_id_table[] = { +-- +2.33.0 + diff --git a/queue-5.14/net-phylink-update-sfp-selected-interface-on-adverti.patch b/queue-5.14/net-phylink-update-sfp-selected-interface-on-adverti.patch new file mode 100644 index 00000000000..0d5121fd038 --- /dev/null +++ b/queue-5.14/net-phylink-update-sfp-selected-interface-on-adverti.patch @@ -0,0 +1,86 @@ +From 163a52593772e305436711522d5fa513bfaaf7f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 05:14:49 +0000 +Subject: net: phylink: Update SFP selected interface on advertising changes + +From: Nathan Rossi + +[ Upstream commit ea269a6f720782ed94171fb962b14ce07c372138 ] + +Currently changes to the advertising state via ethtool do not cause any +reselection of the configured interface mode after the SFP is already +inserted and initially configured. + +While it is not typical to change the advertised link modes for an +interface using an SFP in certain use cases it is desirable. In the case +of a SFP port that is capable of handling both SFP and SFP+ modules it +will automatically select between 1G and 10G modes depending on the +supported mode of the SFP. However if the SFP module is capable of +working in multiple modes (e.g. a SFP+ DAC that can operate at 1G or +10G), one end of the cable may be attached to a SFP 1000base-x port thus +the SFP+ end must be manually configured to the 1000base-x mode in order +for the link to be established. + +This change causes the ethtool setting of advertised mode changes to +reselect the interface mode so that the link can be established. +Additionally when a module is inserted the advertising mode is reset to +match the supported modes of the module. + +Signed-off-by: Nathan Rossi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phylink.c | 30 +++++++++++++++++++++++++++++- + 1 file changed, 29 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c +index 42e5a681183f..0d3d9c3ee83c 100644 +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -1604,6 +1604,32 @@ int phylink_ethtool_ksettings_set(struct phylink *pl, + if (config.an_enabled && phylink_is_empty_linkmode(config.advertising)) + return -EINVAL; + ++ /* If this link is with an SFP, ensure that changes to advertised modes ++ * also cause the associated interface to be selected such that the ++ * link can be configured correctly. ++ */ ++ if (pl->sfp_port && pl->sfp_bus) { ++ config.interface = sfp_select_interface(pl->sfp_bus, ++ config.advertising); ++ if (config.interface == PHY_INTERFACE_MODE_NA) { ++ phylink_err(pl, ++ "selection of interface failed, advertisement %*pb\n", ++ __ETHTOOL_LINK_MODE_MASK_NBITS, ++ config.advertising); ++ return -EINVAL; ++ } ++ ++ /* Revalidate with the selected interface */ ++ linkmode_copy(support, pl->supported); ++ if (phylink_validate(pl, support, &config)) { ++ phylink_err(pl, "validation of %s/%s with support %*pb failed\n", ++ phylink_an_mode_str(pl->cur_link_an_mode), ++ phy_modes(config.interface), ++ __ETHTOOL_LINK_MODE_MASK_NBITS, support); ++ return -EINVAL; ++ } ++ } ++ + mutex_lock(&pl->state_mutex); + pl->link_config.speed = config.speed; + pl->link_config.duplex = config.duplex; +@@ -2183,7 +2209,9 @@ static int phylink_sfp_config(struct phylink *pl, u8 mode, + if (phy_interface_mode_is_8023z(iface) && pl->phydev) + return -EINVAL; + +- changed = !linkmode_equal(pl->supported, support); ++ changed = !linkmode_equal(pl->supported, support) || ++ !linkmode_equal(pl->link_config.advertising, ++ config.advertising); + if (changed) { + linkmode_copy(pl->supported, support); + linkmode_copy(pl->link_config.advertising, config.advertising); +-- +2.33.0 + diff --git a/queue-5.14/net-stmmac-allow-csr-clock-of-300mhz.patch b/queue-5.14/net-stmmac-allow-csr-clock-of-300mhz.patch new file mode 100644 index 00000000000..90adfa5458f --- /dev/null +++ b/queue-5.14/net-stmmac-allow-csr-clock-of-300mhz.patch @@ -0,0 +1,59 @@ +From 0ba7aa5ca9a827e17a28acb0526f8333a8cf73c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Sep 2021 21:55:34 +0200 +Subject: net: stmmac: allow CSR clock of 300MHz + +From: Jesper Nilsson + +[ Upstream commit 08dad2f4d541fcfe5e7bfda72cc6314bbfd2802f ] + +The Synopsys Ethernet IP uses the CSR clock as a base clock for MDC. +The divisor used is set in the MAC_MDIO_Address register field CR +(Clock Rate) + +The divisor is there to change the CSR clock into a clock that falls +below the IEEE 802.3 specified max frequency of 2.5MHz. + +If the CSR clock is 300MHz, the code falls back to using the reset +value in the MAC_MDIO_Address register, as described in the comment +above this code. + +However, 300MHz is actually an allowed value and the proper divider +can be estimated quite easily (it's just 1Hz difference!) + +A CSR frequency of 300MHz with the maximum clock rate value of 0x5 +(STMMAC_CSR_250_300M, a divisor of 124) gives somewhere around +~2.42MHz which is below the IEEE 802.3 specified maximum. + +For the ARTPEC-8 SoC, the CSR clock is this problematic 300MHz, +and unfortunately, the reset-value of the MAC_MDIO_Address CR field +is 0x0. + +This leads to a clock rate of zero and a divisor of 42, and gives an +MDC frequency of ~7.14MHz. + +Allow CSR clock of 300MHz by making the comparison inclusive. + +Signed-off-by: Jesper Nilsson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 0dbd189c2721..2218bc3a624b 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -309,7 +309,7 @@ static void stmmac_clk_csr_set(struct stmmac_priv *priv) + priv->clk_csr = STMMAC_CSR_100_150M; + else if ((clk_rate >= CSR_F_150M) && (clk_rate < CSR_F_250M)) + priv->clk_csr = STMMAC_CSR_150_250M; +- else if ((clk_rate >= CSR_F_250M) && (clk_rate < CSR_F_300M)) ++ else if ((clk_rate >= CSR_F_250M) && (clk_rate <= CSR_F_300M)) + priv->clk_csr = STMMAC_CSR_250_300M; + } + +-- +2.33.0 + diff --git a/queue-5.14/nvme-keep-ctrl-namespaces-ordered.patch b/queue-5.14/nvme-keep-ctrl-namespaces-ordered.patch new file mode 100644 index 00000000000..bc28f823b40 --- /dev/null +++ b/queue-5.14/nvme-keep-ctrl-namespaces-ordered.patch @@ -0,0 +1,101 @@ +From 86a5c1280973b82df74951e5bd6ac97678615dd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 08:38:20 +0200 +Subject: nvme: keep ctrl->namespaces ordered + +From: Christoph Hellwig + +[ Upstream commit 298ba0e3d4af539cc37f982d4c011a0f07fca48c ] + +Various places in the nvme code that rely on ctrl->namespace to be +ordered. Ensure that the namespae is inserted into the list at the +right position from the start instead of sorting it after the fact. + +Fixes: 540c801c65eb ("NVMe: Implement namespace list scanning") +Reported-by: Anton Eidelman +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 33 +++++++++++++++++---------------- + 1 file changed, 17 insertions(+), 16 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 84e7cb9f1968..e2374319df61 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -13,7 +13,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -3688,15 +3687,6 @@ out_unlock: + return ret; + } + +-static int ns_cmp(void *priv, const struct list_head *a, +- const struct list_head *b) +-{ +- struct nvme_ns *nsa = container_of(a, struct nvme_ns, list); +- struct nvme_ns *nsb = container_of(b, struct nvme_ns, list); +- +- return nsa->head->ns_id - nsb->head->ns_id; +-} +- + struct nvme_ns *nvme_find_get_ns(struct nvme_ctrl *ctrl, unsigned nsid) + { + struct nvme_ns *ns, *ret = NULL; +@@ -3717,6 +3707,22 @@ struct nvme_ns *nvme_find_get_ns(struct nvme_ctrl *ctrl, unsigned nsid) + } + EXPORT_SYMBOL_NS_GPL(nvme_find_get_ns, NVME_TARGET_PASSTHRU); + ++/* ++ * Add the namespace to the controller list while keeping the list ordered. ++ */ ++static void nvme_ns_add_to_ctrl_list(struct nvme_ns *ns) ++{ ++ struct nvme_ns *tmp; ++ ++ list_for_each_entry_reverse(tmp, &ns->ctrl->namespaces, list) { ++ if (tmp->head->ns_id < ns->head->ns_id) { ++ list_add(&ns->list, &tmp->list); ++ return; ++ } ++ } ++ list_add(&ns->list, &ns->ctrl->namespaces); ++} ++ + static void nvme_alloc_ns(struct nvme_ctrl *ctrl, unsigned nsid, + struct nvme_ns_ids *ids) + { +@@ -3778,9 +3784,8 @@ static void nvme_alloc_ns(struct nvme_ctrl *ctrl, unsigned nsid, + } + + down_write(&ctrl->namespaces_rwsem); +- list_add_tail(&ns->list, &ctrl->namespaces); ++ nvme_ns_add_to_ctrl_list(ns); + up_write(&ctrl->namespaces_rwsem); +- + nvme_get_ctrl(ctrl); + + device_add_disk(ctrl->device, ns->disk, nvme_ns_id_attr_groups); +@@ -4059,10 +4064,6 @@ static void nvme_scan_work(struct work_struct *work) + if (nvme_scan_ns_list(ctrl) != 0) + nvme_scan_ns_sequential(ctrl); + mutex_unlock(&ctrl->scan_lock); +- +- down_write(&ctrl->namespaces_rwsem); +- list_sort(NULL, &ctrl->namespaces, ns_cmp); +- up_write(&ctrl->namespaces_rwsem); + } + + /* +-- +2.33.0 + diff --git a/queue-5.14/nvme-multipath-fix-ana-state-updates-when-a-namespac.patch b/queue-5.14/nvme-multipath-fix-ana-state-updates-when-a-namespac.patch new file mode 100644 index 00000000000..1fd7a27939b --- /dev/null +++ b/queue-5.14/nvme-multipath-fix-ana-state-updates-when-a-namespac.patch @@ -0,0 +1,61 @@ +From 3d12c23cfea90bfa71eaf7a2d034f753b6a700df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Sep 2021 12:54:57 -0600 +Subject: nvme-multipath: fix ANA state updates when a namespace is not present + +From: Anton Eidelman + +[ Upstream commit 79f528afa93918519574773ea49a444c104bc1bd ] + +nvme_update_ana_state() has a deficiency that results in a failure to +properly update the ana state for a namespace in the following case: + + NSIDs in ctrl->namespaces: 1, 3, 4 + NSIDs in desc->nsids: 1, 2, 3, 4 + +Loop iteration 0: + ns index = 0, n = 0, ns->head->ns_id = 1, nsid = 1, MATCH. +Loop iteration 1: + ns index = 1, n = 1, ns->head->ns_id = 3, nsid = 2, NO MATCH. +Loop iteration 2: + ns index = 2, n = 2, ns->head->ns_id = 4, nsid = 4, MATCH. + +Where the update to the ANA state of NSID 3 is missed. To fix this +increment n and retry the update with the same ns when ns->head->ns_id is +higher than nsid, + +Signed-off-by: Anton Eidelman +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 3f32c5e86bfc..abc9bdfd48bd 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -583,14 +583,17 @@ static int nvme_update_ana_state(struct nvme_ctrl *ctrl, + + down_read(&ctrl->namespaces_rwsem); + list_for_each_entry(ns, &ctrl->namespaces, list) { +- unsigned nsid = le32_to_cpu(desc->nsids[n]); +- ++ unsigned nsid; ++again: ++ nsid = le32_to_cpu(desc->nsids[n]); + if (ns->head->ns_id < nsid) + continue; + if (ns->head->ns_id == nsid) + nvme_update_ns_ana_state(desc, ns); + if (++n == nr_nsids) + break; ++ if (ns->head->ns_id > nsid) ++ goto again; + } + up_read(&ctrl->namespaces_rwsem); + return 0; +-- +2.33.0 + diff --git a/queue-5.14/nvme-rdma-destroy-cm-id-before-destroy-qp-to-avoid-u.patch b/queue-5.14/nvme-rdma-destroy-cm-id-before-destroy-qp-to-avoid-u.patch new file mode 100644 index 00000000000..47f795c0f29 --- /dev/null +++ b/queue-5.14/nvme-rdma-destroy-cm-id-before-destroy-qp-to-avoid-u.patch @@ -0,0 +1,81 @@ +From ef36966ce2f2ac2d2bb2b4f98a5637a050f1b3c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 11:51:34 +0800 +Subject: nvme-rdma: destroy cm id before destroy qp to avoid use after free + +From: Ruozhu Li + +[ Upstream commit 9817d763dbe15327b9b3ff4404fa6f27f927e744 ] + +We should always destroy cm_id before destroy qp to avoid to get cma +event after qp was destroyed, which may lead to use after free. +In RDMA connection establishment error flow, don't destroy qp in cm +event handler.Just report cm_error to upper level, qp will be destroy +in nvme_rdma_alloc_queue() after destroy cm id. + +Signed-off-by: Ruozhu Li +Reviewed-by: Max Gurtovoy +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/rdma.c | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index a68704e39084..042c594bc57e 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -656,8 +656,8 @@ static void nvme_rdma_free_queue(struct nvme_rdma_queue *queue) + if (!test_and_clear_bit(NVME_RDMA_Q_ALLOCATED, &queue->flags)) + return; + +- nvme_rdma_destroy_queue_ib(queue); + rdma_destroy_id(queue->cm_id); ++ nvme_rdma_destroy_queue_ib(queue); + mutex_destroy(&queue->queue_lock); + } + +@@ -1815,14 +1815,10 @@ static int nvme_rdma_conn_established(struct nvme_rdma_queue *queue) + for (i = 0; i < queue->queue_size; i++) { + ret = nvme_rdma_post_recv(queue, &queue->rsp_ring[i]); + if (ret) +- goto out_destroy_queue_ib; ++ return ret; + } + + return 0; +- +-out_destroy_queue_ib: +- nvme_rdma_destroy_queue_ib(queue); +- return ret; + } + + static int nvme_rdma_conn_rejected(struct nvme_rdma_queue *queue, +@@ -1916,14 +1912,10 @@ static int nvme_rdma_route_resolved(struct nvme_rdma_queue *queue) + if (ret) { + dev_err(ctrl->ctrl.device, + "rdma_connect_locked failed (%d).\n", ret); +- goto out_destroy_queue_ib; ++ return ret; + } + + return 0; +- +-out_destroy_queue_ib: +- nvme_rdma_destroy_queue_ib(queue); +- return ret; + } + + static int nvme_rdma_cm_handler(struct rdma_cm_id *cm_id, +@@ -1954,8 +1946,6 @@ static int nvme_rdma_cm_handler(struct rdma_cm_id *cm_id, + case RDMA_CM_EVENT_ROUTE_ERROR: + case RDMA_CM_EVENT_CONNECT_ERROR: + case RDMA_CM_EVENT_UNREACHABLE: +- nvme_rdma_destroy_queue_ib(queue); +- fallthrough; + case RDMA_CM_EVENT_ADDR_ERROR: + dev_dbg(queue->ctrl->ctrl.device, + "CM error event %d\n", ev->event); +-- +2.33.0 + diff --git a/queue-5.14/nvme-tcp-fix-incorrect-h2cdata-pdu-offset-accounting.patch b/queue-5.14/nvme-tcp-fix-incorrect-h2cdata-pdu-offset-accounting.patch new file mode 100644 index 00000000000..19119d4ed62 --- /dev/null +++ b/queue-5.14/nvme-tcp-fix-incorrect-h2cdata-pdu-offset-accounting.patch @@ -0,0 +1,75 @@ +From b7ad2165bfa3b8566104df5c94321da58702ca16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 18:38:55 +0300 +Subject: nvme-tcp: fix incorrect h2cdata pdu offset accounting + +From: Sagi Grimberg + +[ Upstream commit e371af033c560b9dd1e861f8f0b503142bf0a06c ] + +When the controller sends us multiple r2t PDUs in a single +request we need to account for it correctly as our send/recv +context run concurrently (i.e. we get a new r2t with r2t_offset +before we updated our iterator and req->data_sent marker). This +can cause wrong offsets to be sent to the controller. + +To fix that, we will first know that this may happen only in +the send sequence of the last page, hence we will take +the r2t_offset to the h2c PDU data_offset, and in +nvme_tcp_try_send_data loop, we make sure to increment +the request markers also when we completed a PDU but +we are expecting more r2t PDUs as we still did not send +the entire data of the request. + +Fixes: 825619b09ad3 ("nvme-tcp: fix possible use-after-completion") +Reported-by: Nowak, Lukasz +Tested-by: Nowak, Lukasz +Signed-off-by: Sagi Grimberg +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/tcp.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 19a711395cdc..fd28a23d45ed 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -614,7 +614,7 @@ static int nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req, + cpu_to_le32(data->hdr.hlen + hdgst + req->pdu_len + ddgst); + data->ttag = pdu->ttag; + data->command_id = nvme_cid(rq); +- data->data_offset = cpu_to_le32(req->data_sent); ++ data->data_offset = pdu->r2t_offset; + data->data_length = cpu_to_le32(req->pdu_len); + return 0; + } +@@ -940,7 +940,15 @@ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req) + nvme_tcp_ddgst_update(queue->snd_hash, page, + offset, ret); + +- /* fully successful last write*/ ++ /* ++ * update the request iterator except for the last payload send ++ * in the request where we don't want to modify it as we may ++ * compete with the RX path completing the request. ++ */ ++ if (req->data_sent + ret < req->data_len) ++ nvme_tcp_advance_req(req, ret); ++ ++ /* fully successful last send in current PDU */ + if (last && ret == len) { + if (queue->data_digest) { + nvme_tcp_ddgst_final(queue->snd_hash, +@@ -952,7 +960,6 @@ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req) + } + return 1; + } +- nvme_tcp_advance_req(req, ret); + } + return -EAGAIN; + } +-- +2.33.0 + diff --git a/queue-5.14/parisc-use-absolute_pointer-to-define-page0.patch b/queue-5.14/parisc-use-absolute_pointer-to-define-page0.patch new file mode 100644 index 00000000000..80111b060b4 --- /dev/null +++ b/queue-5.14/parisc-use-absolute_pointer-to-define-page0.patch @@ -0,0 +1,38 @@ +From ddbacedc6432fb0c0a744de9f082c9af13101fda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 08:35:42 +0200 +Subject: parisc: Use absolute_pointer() to define PAGE0 + +From: Helge Deller + +[ Upstream commit 90cc7bed1ed19f869ae7221a6b41887fe762a6a3 ] + +Use absolute_pointer() wrapper for PAGE0 to avoid this compiler warning: + + arch/parisc/kernel/setup.c: In function 'start_parisc': + error: '__builtin_memcmp_eq' specified bound 8 exceeds source size 0 + +Signed-off-by: Helge Deller +Co-Developed-by: Guenter Roeck +Suggested-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/parisc/include/asm/page.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/parisc/include/asm/page.h b/arch/parisc/include/asm/page.h +index d00313d1274e..0561568f7b48 100644 +--- a/arch/parisc/include/asm/page.h ++++ b/arch/parisc/include/asm/page.h +@@ -184,7 +184,7 @@ extern int npmem_ranges; + #include + #include + +-#define PAGE0 ((struct zeropage *)__PAGE_OFFSET) ++#define PAGE0 ((struct zeropage *)absolute_pointer(__PAGE_OFFSET)) + + /* DEFINITION OF THE ZERO-PAGE (PAG0) */ + /* based on work by Jason Eckhardt (jason@equator.com) */ +-- +2.33.0 + diff --git a/queue-5.14/qnx4-avoid-stringop-overread-errors.patch b/queue-5.14/qnx4-avoid-stringop-overread-errors.patch new file mode 100644 index 00000000000..b94d95a5bb8 --- /dev/null +++ b/queue-5.14/qnx4-avoid-stringop-overread-errors.patch @@ -0,0 +1,134 @@ +From 42b05b95d7bdbcb08841db9b3bcba8532de38589 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 13:56:37 -0700 +Subject: qnx4: avoid stringop-overread errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit b7213ffa0e585feb1aee3e7173e965e66ee0abaa ] + +The qnx4 directory entries are 64-byte blocks that have different +contents depending on the a status byte that is in the last byte of the +block. + +In particular, a directory entry can be either a "link info" entry with +a 48-byte name and pointers to the real inode information, or an "inode +entry" with a smaller 16-byte name and the full inode information. + +But the code was written to always just treat the directory name as if +it was part of that "inode entry", and just extend the name to the +longer case if the status byte said it was a link entry. + +That work just fine and gives the right results, but now that gcc is +tracking data structure accesses much more, the code can trigger a +compiler error about using up to 48 bytes (the long name) in a structure +that only has that shorter name in it: + + fs/qnx4/dir.c: In function ‘qnx4_readdir’: + fs/qnx4/dir.c:51:32: error: ‘strnlen’ specified bound 48 exceeds source size 16 [-Werror=stringop-overread] + 51 | size = strnlen(de->di_fname, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + In file included from fs/qnx4/qnx4.h:3, + from fs/qnx4/dir.c:16: + include/uapi/linux/qnx4_fs.h:45:25: note: source object declared here + 45 | char di_fname[QNX4_SHORT_NAME_MAX]; + | ^~~~~~~~ + +which is because the source code doesn't really make this whole "one of +two different types" explicit. + +Fix this by introducing a very explicit union of the two types, and +basically explaining to the compiler what is really going on. + +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/qnx4/dir.c | 51 ++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 34 insertions(+), 17 deletions(-) + +diff --git a/fs/qnx4/dir.c b/fs/qnx4/dir.c +index a6ee23aadd28..2a66844b7ff8 100644 +--- a/fs/qnx4/dir.c ++++ b/fs/qnx4/dir.c +@@ -15,13 +15,27 @@ + #include + #include "qnx4.h" + ++/* ++ * A qnx4 directory entry is an inode entry or link info ++ * depending on the status field in the last byte. The ++ * first byte is where the name start either way, and a ++ * zero means it's empty. ++ */ ++union qnx4_directory_entry { ++ struct { ++ char de_name; ++ char de_pad[62]; ++ char de_status; ++ }; ++ struct qnx4_inode_entry inode; ++ struct qnx4_link_info link; ++}; ++ + static int qnx4_readdir(struct file *file, struct dir_context *ctx) + { + struct inode *inode = file_inode(file); + unsigned int offset; + struct buffer_head *bh; +- struct qnx4_inode_entry *de; +- struct qnx4_link_info *le; + unsigned long blknum; + int ix, ino; + int size; +@@ -38,27 +52,30 @@ static int qnx4_readdir(struct file *file, struct dir_context *ctx) + } + ix = (ctx->pos >> QNX4_DIR_ENTRY_SIZE_BITS) % QNX4_INODES_PER_BLOCK; + for (; ix < QNX4_INODES_PER_BLOCK; ix++, ctx->pos += QNX4_DIR_ENTRY_SIZE) { ++ union qnx4_directory_entry *de; ++ const char *name; ++ + offset = ix * QNX4_DIR_ENTRY_SIZE; +- de = (struct qnx4_inode_entry *) (bh->b_data + offset); +- if (!de->di_fname[0]) ++ de = (union qnx4_directory_entry *) (bh->b_data + offset); ++ ++ if (!de->de_name) + continue; +- if (!(de->di_status & (QNX4_FILE_USED|QNX4_FILE_LINK))) ++ if (!(de->de_status & (QNX4_FILE_USED|QNX4_FILE_LINK))) + continue; +- if (!(de->di_status & QNX4_FILE_LINK)) +- size = QNX4_SHORT_NAME_MAX; +- else +- size = QNX4_NAME_MAX; +- size = strnlen(de->di_fname, size); +- QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, de->di_fname)); +- if (!(de->di_status & QNX4_FILE_LINK)) ++ if (!(de->de_status & QNX4_FILE_LINK)) { ++ size = sizeof(de->inode.di_fname); ++ name = de->inode.di_fname; + ino = blknum * QNX4_INODES_PER_BLOCK + ix - 1; +- else { +- le = (struct qnx4_link_info*)de; +- ino = ( le32_to_cpu(le->dl_inode_blk) - 1 ) * ++ } else { ++ size = sizeof(de->link.dl_fname); ++ name = de->link.dl_fname; ++ ino = ( le32_to_cpu(de->link.dl_inode_blk) - 1 ) * + QNX4_INODES_PER_BLOCK + +- le->dl_inode_ndx; ++ de->link.dl_inode_ndx; + } +- if (!dir_emit(ctx, de->di_fname, size, ino, DT_UNKNOWN)) { ++ size = strnlen(name, size); ++ QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, name)); ++ if (!dir_emit(ctx, name, size, ino, DT_UNKNOWN)) { + brelse(bh); + return 0; + } +-- +2.33.0 + diff --git a/queue-5.14/revert-drm-vc4-hdmi-runtime-pm-changes.patch b/queue-5.14/revert-drm-vc4-hdmi-runtime-pm-changes.patch new file mode 100644 index 00000000000..1d9c825092a --- /dev/null +++ b/queue-5.14/revert-drm-vc4-hdmi-runtime-pm-changes.patch @@ -0,0 +1,148 @@ +From 1fac40f15c2365a70d234e57d2ccec5fa97ccbd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Sep 2021 10:06:46 -0700 +Subject: Revert drm/vc4 hdmi runtime PM changes + +From: Linus Torvalds + +[ Upstream commit b1044a9b8100a0cc5c9d2e1e2f9ca4bb8e32b23a ] + +This reverts commits + + 9984d6664ce9 ("drm/vc4: hdmi: Make sure the controller is powered in detect") + 411efa18e4b0 ("drm/vc4: hdmi: Move the HSM clock enable to runtime_pm") + +as Michael Stapelberg reports that the new runtime PM changes cause his +Raspberry Pi 3 to hang on boot, probably due to interactions with other +changes in the DRM tree (because a bisect points to the merge in commit +e058a84bfddc: "Merge tag 'drm-next-2021-07-01' of git://.../drm"). + +Revert these two commits until it's been resolved. + +Link: https://lore.kernel.org/all/871r5mp7h2.fsf@midna.i-did-not-set--mail-host-address--so-tickle-me/ +Reported-and-tested-by: Michael Stapelberg +Cc: Maxime Ripard +Cc: Dave Stevenson +Cc: Dave Airlie +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 44 ++++++++-------------------------- + 1 file changed, 10 insertions(+), 34 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index f91d37beb113..3b391dee3044 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -166,8 +166,6 @@ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force) + struct vc4_hdmi *vc4_hdmi = connector_to_vc4_hdmi(connector); + bool connected = false; + +- WARN_ON(pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev)); +- + if (vc4_hdmi->hpd_gpio && + gpiod_get_value_cansleep(vc4_hdmi->hpd_gpio)) { + connected = true; +@@ -188,12 +186,10 @@ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force) + } + } + +- pm_runtime_put(&vc4_hdmi->pdev->dev); + return connector_status_connected; + } + + cec_phys_addr_invalidate(vc4_hdmi->cec_adap); +- pm_runtime_put(&vc4_hdmi->pdev->dev); + return connector_status_disconnected; + } + +@@ -635,6 +631,7 @@ static void vc4_hdmi_encoder_post_crtc_powerdown(struct drm_encoder *encoder, + vc4_hdmi->variant->phy_disable(vc4_hdmi); + + clk_disable_unprepare(vc4_hdmi->pixel_bvb_clock); ++ clk_disable_unprepare(vc4_hdmi->hsm_clock); + clk_disable_unprepare(vc4_hdmi->pixel_clock); + + ret = pm_runtime_put(&vc4_hdmi->pdev->dev); +@@ -945,6 +942,13 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder, + return; + } + ++ ret = clk_prepare_enable(vc4_hdmi->hsm_clock); ++ if (ret) { ++ DRM_ERROR("Failed to turn on HSM clock: %d\n", ret); ++ clk_disable_unprepare(vc4_hdmi->pixel_clock); ++ return; ++ } ++ + vc4_hdmi_cec_update_clk_div(vc4_hdmi); + + if (pixel_rate > 297000000) +@@ -957,6 +961,7 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder, + ret = clk_set_min_rate(vc4_hdmi->pixel_bvb_clock, bvb_rate); + if (ret) { + DRM_ERROR("Failed to set pixel bvb clock rate: %d\n", ret); ++ clk_disable_unprepare(vc4_hdmi->hsm_clock); + clk_disable_unprepare(vc4_hdmi->pixel_clock); + return; + } +@@ -964,6 +969,7 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder, + ret = clk_prepare_enable(vc4_hdmi->pixel_bvb_clock); + if (ret) { + DRM_ERROR("Failed to turn on pixel bvb clock: %d\n", ret); ++ clk_disable_unprepare(vc4_hdmi->hsm_clock); + clk_disable_unprepare(vc4_hdmi->pixel_clock); + return; + } +@@ -2110,29 +2116,6 @@ static int vc5_hdmi_init_resources(struct vc4_hdmi *vc4_hdmi) + return 0; + } + +-#ifdef CONFIG_PM +-static int vc4_hdmi_runtime_suspend(struct device *dev) +-{ +- struct vc4_hdmi *vc4_hdmi = dev_get_drvdata(dev); +- +- clk_disable_unprepare(vc4_hdmi->hsm_clock); +- +- return 0; +-} +- +-static int vc4_hdmi_runtime_resume(struct device *dev) +-{ +- struct vc4_hdmi *vc4_hdmi = dev_get_drvdata(dev); +- int ret; +- +- ret = clk_prepare_enable(vc4_hdmi->hsm_clock); +- if (ret) +- return ret; +- +- return 0; +-} +-#endif +- + static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data) + { + const struct vc4_hdmi_variant *variant = of_device_get_match_data(dev); +@@ -2380,18 +2363,11 @@ static const struct of_device_id vc4_hdmi_dt_match[] = { + {} + }; + +-static const struct dev_pm_ops vc4_hdmi_pm_ops = { +- SET_RUNTIME_PM_OPS(vc4_hdmi_runtime_suspend, +- vc4_hdmi_runtime_resume, +- NULL) +-}; +- + struct platform_driver vc4_hdmi_driver = { + .probe = vc4_hdmi_dev_probe, + .remove = vc4_hdmi_dev_remove, + .driver = { + .name = "vc4_hdmi", + .of_match_table = vc4_hdmi_dt_match, +- .pm = &vc4_hdmi_pm_ops, + }, + }; +-- +2.33.0 + diff --git a/queue-5.14/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch b/queue-5.14/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch new file mode 100644 index 00000000000..5ceaaefdc80 --- /dev/null +++ b/queue-5.14/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch @@ -0,0 +1,53 @@ +From 91079c33aa4653b56e1183156998a5e66b80e739 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 16:53:36 +0800 +Subject: scsi: iscsi: Adjust iface sysfs attr detection + +From: Baokun Li + +[ Upstream commit 4e28550829258f7dab97383acaa477bd724c0ff4 ] + +ISCSI_NET_PARAM_IFACE_ENABLE belongs to enum iscsi_net_param instead of +iscsi_iface_param so move it to ISCSI_NET_PARAM. Otherwise, when we call +into the driver, we might not match and return that we don't want attr +visible in sysfs. Found in code review. + +Link: https://lore.kernel.org/r/20210901085336.2264295-1-libaokun1@huawei.com +Fixes: e746f3451ec7 ("scsi: iscsi: Fix iface sysfs attr detection") +Reviewed-by: Lee Duncan +Signed-off-by: Baokun Li +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index d8b05d8b5470..922e4c7bd88e 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -441,9 +441,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + struct iscsi_transport *t = iface->transport; + int param = -1; + +- if (attr == &dev_attr_iface_enabled.attr) +- param = ISCSI_NET_PARAM_IFACE_ENABLE; +- else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr) ++ if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr) + param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO; + else if (attr == &dev_attr_iface_header_digest.attr) + param = ISCSI_IFACE_PARAM_HDRDGST_EN; +@@ -483,7 +481,9 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + if (param != -1) + return t->attr_is_visible(ISCSI_IFACE_PARAM, param); + +- if (attr == &dev_attr_iface_vlan_id.attr) ++ if (attr == &dev_attr_iface_enabled.attr) ++ param = ISCSI_NET_PARAM_IFACE_ENABLE; ++ else if (attr == &dev_attr_iface_vlan_id.attr) + param = ISCSI_NET_PARAM_VLAN_ID; + else if (attr == &dev_attr_iface_vlan_priority.attr) + param = ISCSI_NET_PARAM_VLAN_PRIORITY; +-- +2.33.0 + diff --git a/queue-5.14/scsi-lpfc-use-correct-scnprintf-limit.patch b/queue-5.14/scsi-lpfc-use-correct-scnprintf-limit.patch new file mode 100644 index 00000000000..70f91d572a1 --- /dev/null +++ b/queue-5.14/scsi-lpfc-use-correct-scnprintf-limit.patch @@ -0,0 +1,39 @@ +From 0e394032d5d4197d25cce568720cbda2a9b44312 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 16:23:31 +0300 +Subject: scsi: lpfc: Use correct scnprintf() limit + +From: Dan Carpenter + +[ Upstream commit 6dacc371b77f473770ec646e220303a84fe96c11 ] + +The limit should be "PAGE_SIZE - len" instead of "PAGE_SIZE". We're not +going to hit the limit so this fix will not affect runtime. + +Link: https://lore.kernel.org/r/20210916132331.GE25094@kili +Fixes: 5b9e70b22cc5 ("scsi: lpfc: raise sg count for nvme to use available sg resources") +Reviewed-by: James Smart +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_attr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c +index eb88aaaf36eb..c34a7f744601 100644 +--- a/drivers/scsi/lpfc/lpfc_attr.c ++++ b/drivers/scsi/lpfc/lpfc_attr.c +@@ -6022,7 +6022,8 @@ lpfc_sg_seg_cnt_show(struct device *dev, struct device_attribute *attr, + len = scnprintf(buf, PAGE_SIZE, "SGL sz: %d total SGEs: %d\n", + phba->cfg_sg_dma_buf_size, phba->cfg_total_seg_cnt); + +- len += scnprintf(buf + len, PAGE_SIZE, "Cfg: %d SCSI: %d NVME: %d\n", ++ len += scnprintf(buf + len, PAGE_SIZE - len, ++ "Cfg: %d SCSI: %d NVME: %d\n", + phba->cfg_sg_seg_cnt, phba->cfg_scsi_seg_cnt, + phba->cfg_nvme_seg_cnt); + return len; +-- +2.33.0 + diff --git a/queue-5.14/scsi-qla2xxx-restore-initiator-in-dual-mode.patch b/queue-5.14/scsi-qla2xxx-restore-initiator-in-dual-mode.patch new file mode 100644 index 00000000000..6b49664516c --- /dev/null +++ b/queue-5.14/scsi-qla2xxx-restore-initiator-in-dual-mode.patch @@ -0,0 +1,41 @@ +From 63f1b03bcf91003125ea89d1f6c19bad9aece025 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 18:32:39 +0300 +Subject: scsi: qla2xxx: Restore initiator in dual mode + +From: Dmitry Bogdanov + +[ Upstream commit 5f8579038842d77e6ce05e1df6bf9dd493b0e3ef ] + +In dual mode in case of disabling the target, the whole port goes offline +and initiator is turned off too. + +Fix restoring initiator mode after disabling target in dual mode. + +Link: https://lore.kernel.org/r/20210915153239.8035-1-d.bogdanov@yadro.com +Fixes: 0645cb8350cd ("scsi: qla2xxx: Add mode control for each physical port") +Reviewed-by: Himanshu Madhani +Signed-off-by: Dmitry Bogdanov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index f8f471157109..70b507d177f1 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -7014,7 +7014,8 @@ qla2x00_abort_isp(scsi_qla_host_t *vha) + return 0; + break; + case QLA2XXX_INI_MODE_DUAL: +- if (!qla_dual_mode_enabled(vha)) ++ if (!qla_dual_mode_enabled(vha) && ++ !qla_ini_mode_enabled(vha)) + return 0; + break; + case QLA2XXX_INI_MODE_ENABLED: +-- +2.33.0 + diff --git a/queue-5.14/scsi-sd_zbc-support-disks-with-more-than-2-32-logica.patch b/queue-5.14/scsi-sd_zbc-support-disks-with-more-than-2-32-logica.patch new file mode 100644 index 00000000000..ecd463e5916 --- /dev/null +++ b/queue-5.14/scsi-sd_zbc-support-disks-with-more-than-2-32-logica.patch @@ -0,0 +1,50 @@ +From 2253faad6ab29a6bc2453dce6ec48d61ccd0aa4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Sep 2021 14:23:14 -0700 +Subject: scsi: sd_zbc: Support disks with more than 2**32 logical blocks + +From: Bart Van Assche + +[ Upstream commit 1d479e6c9cb2b40abfb455863a4e9335db882e33 ] + +This patch addresses the following Coverity report about the zno * +sdkp->zone_blocks expression: + +CID 1475514 (#1 of 1): Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN) +overflow_before_widen: Potentially overflowing expression zno * +sdkp->zone_blocks with type unsigned int (32 bits, unsigned) is evaluated +using 32-bit arithmetic, and then used in a context that expects an +expression of type sector_t (64 bits, unsigned). + +Link: https://lore.kernel.org/r/20210917212314.2362324-1-bvanassche@acm.org +Fixes: 5795eb443060 ("scsi: sd_zbc: emulate ZONE_APPEND commands") +Cc: Johannes Thumshirn +Cc: Damien Le Moal +Cc: Hannes Reinecke +Reviewed-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Reviewed-by: Johannes Thumshirn +Reviewed-by: Himanshu Madhani +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sd_zbc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/sd_zbc.c b/drivers/scsi/sd_zbc.c +index ea8b3f6ee5cd..06ee1f045e97 100644 +--- a/drivers/scsi/sd_zbc.c ++++ b/drivers/scsi/sd_zbc.c +@@ -280,7 +280,7 @@ static void sd_zbc_update_wp_offset_workfn(struct work_struct *work) + { + struct scsi_disk *sdkp; + unsigned long flags; +- unsigned int zno; ++ sector_t zno; + int ret; + + sdkp = container_of(work, struct scsi_disk, zone_wp_offset_work); +-- +2.33.0 + diff --git a/queue-5.14/scsi-target-fix-the-pgr-alua_support_store-functions.patch b/queue-5.14/scsi-target-fix-the-pgr-alua_support_store-functions.patch new file mode 100644 index 00000000000..7006baf15a3 --- /dev/null +++ b/queue-5.14/scsi-target-fix-the-pgr-alua_support_store-functions.patch @@ -0,0 +1,111 @@ +From 28fa28cc38d098421aa076e47d4b56ce6b00ecaa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 17:18:09 +0200 +Subject: scsi: target: Fix the pgr/alua_support_store functions + +From: Maurizio Lombardi + +[ Upstream commit ef7ae7f746e95c6fa4ec2bcfacb949c36263da78 ] + +Commit 356ba2a8bc8d ("scsi: target: tcmu: Make pgr_support and alua_support +attributes writable") introduced support for changeable alua_support and +pgr_support target attributes. These can only be changed if the backstore +is user-backed, otherwise the kernel returns -EINVAL. + +This triggers a warning in the targetcli/rtslib code when performing a +target restore that includes non-userbacked backstores: + + # targetctl restore + Storage Object block/storage1: Cannot set attribute alua_support: + [Errno 22] Invalid argument, skipped + Storage Object block/storage1: Cannot set attribute pgr_support: + [Errno 22] Invalid argument, skipped + +Fix this warning by returning an error code only if we are really going to +flip the PGR/ALUA bit in the transport_flags field, otherwise we will do +nothing and return success. + +Return ENOSYS instead of EINVAL if the pgr/alua attributes can not be +changed, this way it will be possible for userspace to understand if the +operation failed because an invalid value has been passed to strtobool() or +because the attributes are fixed. + +Fixes: 356ba2a8bc8d ("scsi: target: tcmu: Make pgr_support and alua_support attributes writable") +Link: https://lore.kernel.org/r/20210906151809.52811-1-mlombard@redhat.com +Reviewed-by: Bodo Stroesser +Signed-off-by: Maurizio Lombardi +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_configfs.c | 32 +++++++++++++++++---------- + 1 file changed, 20 insertions(+), 12 deletions(-) + +diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c +index 102ec644bc8a..023bd4516a68 100644 +--- a/drivers/target/target_core_configfs.c ++++ b/drivers/target/target_core_configfs.c +@@ -1110,20 +1110,24 @@ static ssize_t alua_support_store(struct config_item *item, + { + struct se_dev_attrib *da = to_attrib(item); + struct se_device *dev = da->da_dev; +- bool flag; ++ bool flag, oldflag; + int ret; + ++ ret = strtobool(page, &flag); ++ if (ret < 0) ++ return ret; ++ ++ oldflag = !(dev->transport_flags & TRANSPORT_FLAG_PASSTHROUGH_ALUA); ++ if (flag == oldflag) ++ return count; ++ + if (!(dev->transport->transport_flags_changeable & + TRANSPORT_FLAG_PASSTHROUGH_ALUA)) { + pr_err("dev[%p]: Unable to change SE Device alua_support:" + " alua_support has fixed value\n", dev); +- return -EINVAL; ++ return -ENOSYS; + } + +- ret = strtobool(page, &flag); +- if (ret < 0) +- return ret; +- + if (flag) + dev->transport_flags &= ~TRANSPORT_FLAG_PASSTHROUGH_ALUA; + else +@@ -1145,20 +1149,24 @@ static ssize_t pgr_support_store(struct config_item *item, + { + struct se_dev_attrib *da = to_attrib(item); + struct se_device *dev = da->da_dev; +- bool flag; ++ bool flag, oldflag; + int ret; + ++ ret = strtobool(page, &flag); ++ if (ret < 0) ++ return ret; ++ ++ oldflag = !(dev->transport_flags & TRANSPORT_FLAG_PASSTHROUGH_PGR); ++ if (flag == oldflag) ++ return count; ++ + if (!(dev->transport->transport_flags_changeable & + TRANSPORT_FLAG_PASSTHROUGH_PGR)) { + pr_err("dev[%p]: Unable to change SE Device pgr_support:" + " pgr_support has fixed value\n", dev); +- return -EINVAL; ++ return -ENOSYS; + } + +- ret = strtobool(page, &flag); +- if (ret < 0) +- return ret; +- + if (flag) + dev->transport_flags &= ~TRANSPORT_FLAG_PASSTHROUGH_PGR; + else +-- +2.33.0 + diff --git a/queue-5.14/scsi-ufs-core-unbreak-the-reset-handler.patch b/queue-5.14/scsi-ufs-core-unbreak-the-reset-handler.patch new file mode 100644 index 00000000000..b1e8d981daa --- /dev/null +++ b/queue-5.14/scsi-ufs-core-unbreak-the-reset-handler.patch @@ -0,0 +1,41 @@ +From 75e34d00f49764c124fd21a46352c204de956370 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 10:54:04 -0700 +Subject: scsi: ufs: core: Unbreak the reset handler + +From: Bart Van Assche + +[ Upstream commit d04a968c33684b15d1206e23fc1119ce0f0587fb ] + +A command tag is passed as the second argument of the +__ufshcd_transfer_req_compl() call in ufshcd_eh_device_reset_handler() +instead of a bitmask. Fix this by passing a bitmask as argument instead of +a command tag. + +Link: https://lore.kernel.org/r/20210916175408.2260084-1-bvanassche@acm.org +Fixes: a45f937110fa ("scsi: ufs: Optimize host lock on transfer requests send/compl paths") +Cc: Can Guo +Reviewed-by: Avri Altman +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index a858e7d998a6..3a204324151a 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -6858,7 +6858,7 @@ static int ufshcd_eh_device_reset_handler(struct scsi_cmnd *cmd) + err = ufshcd_clear_cmd(hba, pos); + if (err) + break; +- __ufshcd_transfer_req_compl(hba, pos, /*retry_requests=*/true); ++ __ufshcd_transfer_req_compl(hba, 1U << pos, false); + } + } + +-- +2.33.0 + diff --git a/queue-5.14/scsi-ufs-retry-aborted-scsi-commands-instead-of-comp.patch b/queue-5.14/scsi-ufs-retry-aborted-scsi-commands-instead-of-comp.patch new file mode 100644 index 00000000000..20ef5960480 --- /dev/null +++ b/queue-5.14/scsi-ufs-retry-aborted-scsi-commands-instead-of-comp.patch @@ -0,0 +1,149 @@ +From 68d6abafede93a988ae2936a0cc3c204071e5e5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 20:34:38 -0700 +Subject: scsi: ufs: Retry aborted SCSI commands instead of completing these + successfully + +From: Bart Van Assche + +[ Upstream commit 73dc3c4ac703c6fea4b40e8ed1ddd80564da3dea ] + +Neither SAM nor the UFS standard require that the UFS controller fills in +the completion status of commands that have been aborted (LUN RESET aborts +pending commands). Hence do not rely on the completion status provided by +the UFS controller for aborted commands but instead ask the SCSI core to +retry SCSI commands that have been aborted. + +Link: https://lore.kernel.org/r/20210722033439.26550-18-bvanassche@acm.org +Cc: Adrian Hunter +Cc: Stanley Chu +Cc: Can Guo +Cc: Asutosh Das +Cc: Avri Altman +Reviewed-by: Bean Huo +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 35 +++++++++++++++++++++++------------ + 1 file changed, 23 insertions(+), 12 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index b43abba84a6f..a858e7d998a6 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -5229,10 +5229,12 @@ static irqreturn_t ufshcd_uic_cmd_compl(struct ufs_hba *hba, u32 intr_status) + /** + * __ufshcd_transfer_req_compl - handle SCSI and query command completion + * @hba: per adapter instance +- * @completed_reqs: requests to complete ++ * @completed_reqs: bitmask that indicates which requests to complete ++ * @retry_requests: whether to ask the SCSI core to retry completed requests + */ + static void __ufshcd_transfer_req_compl(struct ufs_hba *hba, +- unsigned long completed_reqs) ++ unsigned long completed_reqs, ++ bool retry_requests) + { + struct ufshcd_lrb *lrbp; + struct scsi_cmnd *cmd; +@@ -5250,7 +5252,8 @@ static void __ufshcd_transfer_req_compl(struct ufs_hba *hba, + if (unlikely(ufshcd_should_inform_monitor(hba, lrbp))) + ufshcd_update_monitor(hba, lrbp); + ufshcd_add_command_trace(hba, index, UFS_CMD_COMP); +- result = ufshcd_transfer_rsp_status(hba, lrbp); ++ result = retry_requests ? DID_BUS_BUSY << 16 : ++ ufshcd_transfer_rsp_status(hba, lrbp); + scsi_dma_unmap(cmd); + cmd->result = result; + /* Mark completed command as NULL in LRB */ +@@ -5276,12 +5279,14 @@ static void __ufshcd_transfer_req_compl(struct ufs_hba *hba, + /** + * ufshcd_transfer_req_compl - handle SCSI and query command completion + * @hba: per adapter instance ++ * @retry_requests: whether or not to ask to retry requests + * + * Returns + * IRQ_HANDLED - If interrupt is valid + * IRQ_NONE - If invalid interrupt + */ +-static irqreturn_t ufshcd_transfer_req_compl(struct ufs_hba *hba) ++static irqreturn_t ufshcd_transfer_req_compl(struct ufs_hba *hba, ++ bool retry_requests) + { + unsigned long completed_reqs, flags; + u32 tr_doorbell; +@@ -5303,7 +5308,8 @@ static irqreturn_t ufshcd_transfer_req_compl(struct ufs_hba *hba) + spin_unlock_irqrestore(hba->host->host_lock, flags); + + if (completed_reqs) { +- __ufshcd_transfer_req_compl(hba, completed_reqs); ++ __ufshcd_transfer_req_compl(hba, completed_reqs, ++ retry_requests); + return IRQ_HANDLED; + } else { + return IRQ_NONE; +@@ -5782,7 +5788,13 @@ out: + /* Complete requests that have door-bell cleared */ + static void ufshcd_complete_requests(struct ufs_hba *hba) + { +- ufshcd_transfer_req_compl(hba); ++ ufshcd_transfer_req_compl(hba, /*retry_requests=*/false); ++ ufshcd_tmc_handler(hba); ++} ++ ++static void ufshcd_retry_aborted_requests(struct ufs_hba *hba) ++{ ++ ufshcd_transfer_req_compl(hba, /*retry_requests=*/true); + ufshcd_tmc_handler(hba); + } + +@@ -6124,8 +6136,7 @@ static void ufshcd_err_handler(struct work_struct *work) + } + + lock_skip_pending_xfer_clear: +- /* Complete the requests that are cleared by s/w */ +- ufshcd_complete_requests(hba); ++ ufshcd_retry_aborted_requests(hba); + + spin_lock_irqsave(hba->host->host_lock, flags); + hba->silence_err_logs = false; +@@ -6423,7 +6434,7 @@ static irqreturn_t ufshcd_sl_intr(struct ufs_hba *hba, u32 intr_status) + retval |= ufshcd_tmc_handler(hba); + + if (intr_status & UTP_TRANSFER_REQ_COMPL) +- retval |= ufshcd_transfer_req_compl(hba); ++ retval |= ufshcd_transfer_req_compl(hba, /*retry_requests=*/false); + + return retval; + } +@@ -6847,7 +6858,7 @@ static int ufshcd_eh_device_reset_handler(struct scsi_cmnd *cmd) + err = ufshcd_clear_cmd(hba, pos); + if (err) + break; +- __ufshcd_transfer_req_compl(hba, pos); ++ __ufshcd_transfer_req_compl(hba, pos, /*retry_requests=*/true); + } + } + +@@ -7018,7 +7029,7 @@ static int ufshcd_abort(struct scsi_cmnd *cmd) + dev_err(hba->dev, + "%s: cmd was completed, but without a notifying intr, tag = %d", + __func__, tag); +- __ufshcd_transfer_req_compl(hba, 1UL << tag); ++ __ufshcd_transfer_req_compl(hba, 1UL << tag, /*retry_requests=*/false); + goto release; + } + +@@ -7083,7 +7094,7 @@ static int ufshcd_host_reset_and_restore(struct ufs_hba *hba) + */ + ufshcd_hba_stop(hba); + hba->silence_err_logs = true; +- ufshcd_complete_requests(hba); ++ ufshcd_retry_aborted_requests(hba); + hba->silence_err_logs = false; + + /* scale up clocks to max frequency before full reinitialization */ +-- +2.33.0 + diff --git a/queue-5.14/scsi-ufs-revert-utilize-transfer-request-list-comple.patch b/queue-5.14/scsi-ufs-revert-utilize-transfer-request-list-comple.patch new file mode 100644 index 00000000000..0598963883d --- /dev/null +++ b/queue-5.14/scsi-ufs-revert-utilize-transfer-request-list-comple.patch @@ -0,0 +1,170 @@ +From 0189a929fc6a6a867378e3077a0c128415bf43e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 20:34:32 -0700 +Subject: scsi: ufs: Revert "Utilize Transfer Request List Completion + Notification Register" + +From: Bart Van Assche + +[ Upstream commit 1f522c5049016cfea4f9d131ae9089e6fdba3980 ] + +Using the UTRLCNR register involves two MMIO accesses in the hot path while +using the doorbell register only involves a single MMIO access. Since MMIO +accesses take time, do not use the UTRLCNR register. The spinlock +contention on the SCSI host lock that is reintroduced by this commit will +be addressed later. + +This reverts commit 6f7151729647e58ac7c522081255fd0c07b38105. + +Link: https://lore.kernel.org/r/20210722033439.26550-12-bvanassche@acm.org +Cc: Adrian Hunter +Cc: Stanley Chu +Cc: Can Guo +Cc: Asutosh Das +Cc: Avri Altman +Tested-by: Bean Huo +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 52 +++++++++++---------------------------- + drivers/scsi/ufs/ufshcd.h | 5 ---- + drivers/scsi/ufs/ufshci.h | 1 - + 3 files changed, 15 insertions(+), 43 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 15ac5fa14805..b43abba84a6f 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -2112,6 +2112,7 @@ static inline + void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag) + { + struct ufshcd_lrb *lrbp = &hba->lrb[task_tag]; ++ unsigned long flags; + + lrbp->issue_time_stamp = ktime_get(); + lrbp->compl_time_stamp = ktime_set(0, 0); +@@ -2120,19 +2121,10 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag) + ufshcd_clk_scaling_start_busy(hba); + if (unlikely(ufshcd_should_inform_monitor(hba, lrbp))) + ufshcd_start_monitor(hba, lrbp); +- if (ufshcd_has_utrlcnr(hba)) { +- set_bit(task_tag, &hba->outstanding_reqs); +- ufshcd_writel(hba, 1 << task_tag, +- REG_UTP_TRANSFER_REQ_DOOR_BELL); +- } else { +- unsigned long flags; +- +- spin_lock_irqsave(hba->host->host_lock, flags); +- set_bit(task_tag, &hba->outstanding_reqs); +- ufshcd_writel(hba, 1 << task_tag, +- REG_UTP_TRANSFER_REQ_DOOR_BELL); +- spin_unlock_irqrestore(hba->host->host_lock, flags); +- } ++ spin_lock_irqsave(hba->host->host_lock, flags); ++ set_bit(task_tag, &hba->outstanding_reqs); ++ ufshcd_writel(hba, 1 << task_tag, REG_UTP_TRANSFER_REQ_DOOR_BELL); ++ spin_unlock_irqrestore(hba->host->host_lock, flags); + /* Make sure that doorbell is committed immediately */ + wmb(); + } +@@ -5282,17 +5274,17 @@ static void __ufshcd_transfer_req_compl(struct ufs_hba *hba, + } + + /** +- * ufshcd_trc_handler - handle transfer requests completion ++ * ufshcd_transfer_req_compl - handle SCSI and query command completion + * @hba: per adapter instance +- * @use_utrlcnr: get completed requests from UTRLCNR + * + * Returns + * IRQ_HANDLED - If interrupt is valid + * IRQ_NONE - If invalid interrupt + */ +-static irqreturn_t ufshcd_trc_handler(struct ufs_hba *hba, bool use_utrlcnr) ++static irqreturn_t ufshcd_transfer_req_compl(struct ufs_hba *hba) + { +- unsigned long completed_reqs = 0; ++ unsigned long completed_reqs, flags; ++ u32 tr_doorbell; + + /* Resetting interrupt aggregation counters first and reading the + * DOOR_BELL afterward allows us to handle all the completed requests. +@@ -5305,24 +5297,10 @@ static irqreturn_t ufshcd_trc_handler(struct ufs_hba *hba, bool use_utrlcnr) + !(hba->quirks & UFSHCI_QUIRK_SKIP_RESET_INTR_AGGR)) + ufshcd_reset_intr_aggr(hba); + +- if (use_utrlcnr) { +- u32 utrlcnr; +- +- utrlcnr = ufshcd_readl(hba, REG_UTP_TRANSFER_REQ_LIST_COMPL); +- if (utrlcnr) { +- ufshcd_writel(hba, utrlcnr, +- REG_UTP_TRANSFER_REQ_LIST_COMPL); +- completed_reqs = utrlcnr; +- } +- } else { +- unsigned long flags; +- u32 tr_doorbell; +- +- spin_lock_irqsave(hba->host->host_lock, flags); +- tr_doorbell = ufshcd_readl(hba, REG_UTP_TRANSFER_REQ_DOOR_BELL); +- completed_reqs = tr_doorbell ^ hba->outstanding_reqs; +- spin_unlock_irqrestore(hba->host->host_lock, flags); +- } ++ spin_lock_irqsave(hba->host->host_lock, flags); ++ tr_doorbell = ufshcd_readl(hba, REG_UTP_TRANSFER_REQ_DOOR_BELL); ++ completed_reqs = tr_doorbell ^ hba->outstanding_reqs; ++ spin_unlock_irqrestore(hba->host->host_lock, flags); + + if (completed_reqs) { + __ufshcd_transfer_req_compl(hba, completed_reqs); +@@ -5804,7 +5782,7 @@ out: + /* Complete requests that have door-bell cleared */ + static void ufshcd_complete_requests(struct ufs_hba *hba) + { +- ufshcd_trc_handler(hba, false); ++ ufshcd_transfer_req_compl(hba); + ufshcd_tmc_handler(hba); + } + +@@ -6445,7 +6423,7 @@ static irqreturn_t ufshcd_sl_intr(struct ufs_hba *hba, u32 intr_status) + retval |= ufshcd_tmc_handler(hba); + + if (intr_status & UTP_TRANSFER_REQ_COMPL) +- retval |= ufshcd_trc_handler(hba, ufshcd_has_utrlcnr(hba)); ++ retval |= ufshcd_transfer_req_compl(hba); + + return retval; + } +diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h +index 194755c9ddfe..86d4765a17b8 100644 +--- a/drivers/scsi/ufs/ufshcd.h ++++ b/drivers/scsi/ufs/ufshcd.h +@@ -1160,11 +1160,6 @@ static inline u32 ufshcd_vops_get_ufs_hci_version(struct ufs_hba *hba) + return ufshcd_readl(hba, REG_UFS_VERSION); + } + +-static inline bool ufshcd_has_utrlcnr(struct ufs_hba *hba) +-{ +- return (hba->ufs_version >= ufshci_version(3, 0)); +-} +- + static inline int ufshcd_vops_clk_scale_notify(struct ufs_hba *hba, + bool up, enum ufs_notify_change_status status) + { +diff --git a/drivers/scsi/ufs/ufshci.h b/drivers/scsi/ufs/ufshci.h +index 5affb1fce5ad..de95be5d11d4 100644 +--- a/drivers/scsi/ufs/ufshci.h ++++ b/drivers/scsi/ufs/ufshci.h +@@ -39,7 +39,6 @@ enum { + REG_UTP_TRANSFER_REQ_DOOR_BELL = 0x58, + REG_UTP_TRANSFER_REQ_LIST_CLEAR = 0x5C, + REG_UTP_TRANSFER_REQ_LIST_RUN_STOP = 0x60, +- REG_UTP_TRANSFER_REQ_LIST_COMPL = 0x64, + REG_UTP_TASK_REQ_LIST_BASE_L = 0x70, + REG_UTP_TASK_REQ_LIST_BASE_H = 0x74, + REG_UTP_TASK_REQ_DOOR_BELL = 0x78, +-- +2.33.0 + diff --git a/queue-5.14/series b/queue-5.14/series index 262f745bd43..ff87b8bdb33 100644 --- a/queue-5.14/series +++ b/queue-5.14/series @@ -89,3 +89,61 @@ net-mlx4_en-don-t-allow-arfs-for-encapsulated-packet.patch atlantic-fix-issue-in-the-pm-resume-flow.patch drm-amdkfd-map-svm-range-with-correct-access-permiss.patch drm-amdkfd-fix-dma-mapping-leaking-warning.patch +scsi-iscsi-adjust-iface-sysfs-attr-detection.patch +scsi-target-fix-the-pgr-alua_support_store-functions.patch +tty-synclink_gt-rename-a-conflicting-function-name.patch +fpga-machxo2-spi-return-an-error-on-failure.patch +fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch +x86-fault-fix-wrong-signal-when-vsyscall-fails-with-.patch +nvme-tcp-fix-incorrect-h2cdata-pdu-offset-accounting.patch +nvme-keep-ctrl-namespaces-ordered.patch +thermal-core-potential-buffer-overflow-in-thermal_bu.patch +cifs-fix-a-sign-extension-bug.patch +scsi-sd_zbc-support-disks-with-more-than-2-32-logica.patch +scsi-ufs-revert-utilize-transfer-request-list-comple.patch +scsi-ufs-retry-aborted-scsi-commands-instead-of-comp.patch +scsi-ufs-core-unbreak-the-reset-handler.patch +scsi-qla2xxx-restore-initiator-in-dual-mode.patch +scsi-lpfc-use-correct-scnprintf-limit.patch +irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch +irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch +md-fix-a-lock-order-reversal-in-md_alloc.patch +x86-asm-fix-setz-size-enqcmds-build-failure.patch +io_uring-fix-race-between-poll-completion-and-cancel.patch +io_uring-fix-missing-set-of-epolloneshot-for-cq-ring.patch +io_uring-put-provided-buffer-meta-data-under-memcg-a.patch +io_uring-don-t-punt-files-update-to-io-wq-unconditio.patch +blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch +net-phylink-update-sfp-selected-interface-on-adverti.patch +net-macb-fix-use-after-free-on-rmmod.patch +net-stmmac-allow-csr-clock-of-300mhz.patch +blk-mq-avoid-to-iterate-over-stale-request.patch +m68k-double-cast-io-functions-to-unsigned-long.patch +ipv6-delay-fib6_sernum-increase-in-fib6_add.patch +dma-debug-prevent-an-error-message-from-causing-runt.patch +cpufreq-intel_pstate-override-parameters-if-hwp-forc.patch +bpf-add-oversize-check-before-call-kvcalloc.patch +xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch +nvme-multipath-fix-ana-state-updates-when-a-namespac.patch +nvme-rdma-destroy-cm-id-before-destroy-qp-to-avoid-u.patch +sparc32-page-align-size-in-arch_dma_alloc.patch +amd-display-downgrade-validation-failure-log-level.patch +drm-ttm-fix-type-mismatch-error-on-sparc64.patch +block-check-if-a-profile-is-actually-registered-in-b.patch +block-flush-the-integrity-workqueue-in-blk_integrity.patch +blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch +compiler.h-introduce-absolute_pointer-macro.patch +net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch +sparc-avoid-stringop-overread-errors.patch +qnx4-avoid-stringop-overread-errors.patch +parisc-use-absolute_pointer-to-define-page0.patch +drm-amdkfd-make-needs_pcie_atomics-fw-version-depend.patch +drm-amd-display-fix-unstable-hpcp-compliance-on-chro.patch +drm-amd-display-link-training-retry-fix-for-abort-ca.patch +amd-display-enable-panel-orientation-quirks.patch +arm64-mark-__stack_chk_guard-as-__ro_after_init.patch +alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch +net-6pack-fix-tx-timeout-and-slot-time.patch +spi-fix-tegra20-build-with-config_pm-n.patch +libperf-evsel-make-use-of-fd-robust.patch +revert-drm-vc4-hdmi-runtime-pm-changes.patch diff --git a/queue-5.14/sparc-avoid-stringop-overread-errors.patch b/queue-5.14/sparc-avoid-stringop-overread-errors.patch new file mode 100644 index 00000000000..d3e640af4f6 --- /dev/null +++ b/queue-5.14/sparc-avoid-stringop-overread-errors.patch @@ -0,0 +1,65 @@ +From bd1cca633bd4949d4f953cb8a2109461071b4e43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 16:06:04 -0700 +Subject: sparc: avoid stringop-overread errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit fc7c028dcdbfe981bca75d2a7b95f363eb691ef3 ] + +The sparc mdesc code does pointer games with 'struct mdesc_hdr', but +didn't describe to the compiler how that header is then followed by the +data that the header describes. + +As a result, gcc is now unhappy since it does stricter pointer range +tracking, and doesn't understand about how these things work. This +results in various errors like: + + arch/sparc/kernel/mdesc.c: In function ‘mdesc_node_by_name’: + arch/sparc/kernel/mdesc.c:647:22: error: ‘strcmp’ reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread] + 647 | if (!strcmp(names + ep[ret].name_offset, name)) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +which are easily avoided by just describing 'struct mdesc_hdr' better, +and making the node_block() helper function look into that unsized +data[] that follows the header. + +This makes the sparc64 build happy again at least for my cross-compiler +version (gcc version 11.2.1). + +Link: https://lore.kernel.org/lkml/CAHk-=wi4NW3NC0xWykkw=6LnjQD6D_rtRtxY9g8gQAJXtQMi8A@mail.gmail.com/ +Cc: Guenter Roeck +Cc: David S. Miller +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/mdesc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/sparc/kernel/mdesc.c b/arch/sparc/kernel/mdesc.c +index 8e645ddac58e..30f171b7b00c 100644 +--- a/arch/sparc/kernel/mdesc.c ++++ b/arch/sparc/kernel/mdesc.c +@@ -39,6 +39,7 @@ struct mdesc_hdr { + u32 node_sz; /* node block size */ + u32 name_sz; /* name block size */ + u32 data_sz; /* data block size */ ++ char data[]; + } __attribute__((aligned(16))); + + struct mdesc_elem { +@@ -612,7 +613,7 @@ EXPORT_SYMBOL(mdesc_get_node_info); + + static struct mdesc_elem *node_block(struct mdesc_hdr *mdesc) + { +- return (struct mdesc_elem *) (mdesc + 1); ++ return (struct mdesc_elem *) mdesc->data; + } + + static void *name_block(struct mdesc_hdr *mdesc) +-- +2.33.0 + diff --git a/queue-5.14/sparc32-page-align-size-in-arch_dma_alloc.patch b/queue-5.14/sparc32-page-align-size-in-arch_dma_alloc.patch new file mode 100644 index 00000000000..b6db36d970c --- /dev/null +++ b/queue-5.14/sparc32-page-align-size-in-arch_dma_alloc.patch @@ -0,0 +1,40 @@ +From ecf21571e1a25b24e3acc7f8fa5ae0aefd3e5b83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 09:48:22 +0200 +Subject: sparc32: page align size in arch_dma_alloc + +From: Andreas Larsson + +[ Upstream commit 59583f747664046aaae5588d56d5954fab66cce8 ] + +Commit 53b7670e5735 ("sparc: factor the dma coherent mapping into +helper") lost the page align for the calls to dma_make_coherent and +srmmu_unmapiorange. The latter cannot handle a non page aligned len +argument. + +Signed-off-by: Andreas Larsson +Reviewed-by: Sam Ravnborg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/ioport.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/sparc/kernel/ioport.c b/arch/sparc/kernel/ioport.c +index 8e1d72a16759..7ceae24b0ca9 100644 +--- a/arch/sparc/kernel/ioport.c ++++ b/arch/sparc/kernel/ioport.c +@@ -356,7 +356,9 @@ err_nomem: + void arch_dma_free(struct device *dev, size_t size, void *cpu_addr, + dma_addr_t dma_addr, unsigned long attrs) + { +- if (!sparc_dma_free_resource(cpu_addr, PAGE_ALIGN(size))) ++ size = PAGE_ALIGN(size); ++ ++ if (!sparc_dma_free_resource(cpu_addr, size)) + return; + + dma_make_coherent(dma_addr, size); +-- +2.33.0 + diff --git a/queue-5.14/spi-fix-tegra20-build-with-config_pm-n.patch b/queue-5.14/spi-fix-tegra20-build-with-config_pm-n.patch new file mode 100644 index 00000000000..3122412f65f --- /dev/null +++ b/queue-5.14/spi-fix-tegra20-build-with-config_pm-n.patch @@ -0,0 +1,59 @@ +From 2712e1e306fd7c8b98b1faafa5b49fd395110118 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Sep 2021 10:05:06 -0700 +Subject: spi: Fix tegra20 build with CONFIG_PM=n +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit efafec27c5658ed987e720130772f8933c685e87 ] + +Without CONFIG_PM enabled, the SET_RUNTIME_PM_OPS() macro ends up being +empty, and the only use of tegra_slink_runtime_{resume,suspend} goes +away, resulting in + + drivers/spi/spi-tegra20-slink.c:1200:12: error: ‘tegra_slink_runtime_resume’ defined but not used [-Werror=unused-function] + 1200 | static int tegra_slink_runtime_resume(struct device *dev) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~ + drivers/spi/spi-tegra20-slink.c:1188:12: error: ‘tegra_slink_runtime_suspend’ defined but not used [-Werror=unused-function] + 1188 | static int tegra_slink_runtime_suspend(struct device *dev) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + +mark the functions __maybe_unused to make the build happy. + +This hits the alpha allmodconfig build (and others). + +Reported-by: Guenter Roeck +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra20-slink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-tegra20-slink.c b/drivers/spi/spi-tegra20-slink.c +index 6a726c95ac7a..dc1a6899ba3b 100644 +--- a/drivers/spi/spi-tegra20-slink.c ++++ b/drivers/spi/spi-tegra20-slink.c +@@ -1206,7 +1206,7 @@ static int tegra_slink_resume(struct device *dev) + } + #endif + +-static int tegra_slink_runtime_suspend(struct device *dev) ++static int __maybe_unused tegra_slink_runtime_suspend(struct device *dev) + { + struct spi_master *master = dev_get_drvdata(dev); + struct tegra_slink_data *tspi = spi_master_get_devdata(master); +@@ -1218,7 +1218,7 @@ static int tegra_slink_runtime_suspend(struct device *dev) + return 0; + } + +-static int tegra_slink_runtime_resume(struct device *dev) ++static int __maybe_unused tegra_slink_runtime_resume(struct device *dev) + { + struct spi_master *master = dev_get_drvdata(dev); + struct tegra_slink_data *tspi = spi_master_get_devdata(master); +-- +2.33.0 + diff --git a/queue-5.14/thermal-core-potential-buffer-overflow-in-thermal_bu.patch b/queue-5.14/thermal-core-potential-buffer-overflow-in-thermal_bu.patch new file mode 100644 index 00000000000..01c5f81c03c --- /dev/null +++ b/queue-5.14/thermal-core-potential-buffer-overflow-in-thermal_bu.patch @@ -0,0 +1,52 @@ +From 743b225785c5fd7d49f618ec140171ca52a2d41b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 16:13:42 +0300 +Subject: thermal/core: Potential buffer overflow in + thermal_build_list_of_policies() + +From: Dan Carpenter + +[ Upstream commit 1bb30b20b49773369c299d4d6c65227201328663 ] + +After printing the list of thermal governors, then this function prints +a newline character. The problem is that "size" has not been updated +after printing the last governor. This means that it can write one +character (the NUL terminator) beyond the end of the buffer. + +Get rid of the "size" variable and just use "PAGE_SIZE - count" directly. + +Fixes: 1b4f48494eb2 ("thermal: core: group functions related to governor handling") +Signed-off-by: Dan Carpenter +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20210916131342.GB25094@kili +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_core.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index 97ef9b040b84..51374f4e1cca 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -222,15 +222,14 @@ int thermal_build_list_of_policies(char *buf) + { + struct thermal_governor *pos; + ssize_t count = 0; +- ssize_t size = PAGE_SIZE; + + mutex_lock(&thermal_governor_lock); + + list_for_each_entry(pos, &thermal_governor_list, governor_list) { +- size = PAGE_SIZE - count; +- count += scnprintf(buf + count, size, "%s ", pos->name); ++ count += scnprintf(buf + count, PAGE_SIZE - count, "%s ", ++ pos->name); + } +- count += scnprintf(buf + count, size, "\n"); ++ count += scnprintf(buf + count, PAGE_SIZE - count, "\n"); + + mutex_unlock(&thermal_governor_lock); + +-- +2.33.0 + diff --git a/queue-5.14/tty-synclink_gt-rename-a-conflicting-function-name.patch b/queue-5.14/tty-synclink_gt-rename-a-conflicting-function-name.patch new file mode 100644 index 00000000000..dcd37584e86 --- /dev/null +++ b/queue-5.14/tty-synclink_gt-rename-a-conflicting-function-name.patch @@ -0,0 +1,235 @@ +From 82c7a9c24961e75e15fcecb0ea60b73eb48fc794 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 17:38:06 -0700 +Subject: tty: synclink_gt: rename a conflicting function name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit 06e49073dfba24df4b1073a068631b13a0039c34 ] + +'set_signals()' in synclink_gt.c conflicts with an exported symbol +in arch/um/, so change set_signals() to set_gtsignals(). Keep +the function names similar by also changing get_signals() to +get_gtsignals(). + +../drivers/tty/synclink_gt.c:442:13: error: conflicting types for ‘set_signals’ + static void set_signals(struct slgt_info *info); + ^~~~~~~~~~~ +In file included from ../include/linux/irqflags.h:16:0, + from ../include/linux/spinlock.h:58, + from ../include/linux/mm_types.h:9, + from ../include/linux/buildid.h:5, + from ../include/linux/module.h:14, + from ../drivers/tty/synclink_gt.c:46: +../arch/um/include/asm/irqflags.h:6:5: note: previous declaration of ‘set_signals’ was here + int set_signals(int enable); + ^~~~~~~~~~~ + +Fixes: 705b6c7b34f2 ("[PATCH] new driver synclink_gt") +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: Paul Fulghum +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20210902003806.17054-1-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/synclink_gt.c | 44 +++++++++++++++++++-------------------- + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c +index 5bb928b7873e..2f5fbd7db7ca 100644 +--- a/drivers/tty/synclink_gt.c ++++ b/drivers/tty/synclink_gt.c +@@ -438,8 +438,8 @@ static void reset_tbufs(struct slgt_info *info); + static void tdma_reset(struct slgt_info *info); + static bool tx_load(struct slgt_info *info, const char *buf, unsigned int count); + +-static void get_signals(struct slgt_info *info); +-static void set_signals(struct slgt_info *info); ++static void get_gtsignals(struct slgt_info *info); ++static void set_gtsignals(struct slgt_info *info); + static void set_rate(struct slgt_info *info, u32 data_rate); + + static void bh_transmit(struct slgt_info *info); +@@ -720,7 +720,7 @@ static void set_termios(struct tty_struct *tty, struct ktermios *old_termios) + if ((old_termios->c_cflag & CBAUD) && !C_BAUD(tty)) { + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +@@ -730,7 +730,7 @@ static void set_termios(struct tty_struct *tty, struct ktermios *old_termios) + if (!C_CRTSCTS(tty) || !tty_throttled(tty)) + info->signals |= SerialSignal_RTS; + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +@@ -1181,7 +1181,7 @@ static inline void line_info(struct seq_file *m, struct slgt_info *info) + + /* output current serial signal states */ + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + + stat_buf[0] = 0; +@@ -1281,7 +1281,7 @@ static void throttle(struct tty_struct * tty) + if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->signals &= ~SerialSignal_RTS; +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -1306,7 +1306,7 @@ static void unthrottle(struct tty_struct * tty) + if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->signals |= SerialSignal_RTS; +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -1477,7 +1477,7 @@ static int hdlcdev_open(struct net_device *dev) + + /* inform generic HDLC layer of current DCD status */ + spin_lock_irqsave(&info->lock, flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock, flags); + if (info->signals & SerialSignal_DCD) + netif_carrier_on(dev); +@@ -2232,7 +2232,7 @@ static void isr_txeom(struct slgt_info *info, unsigned short status) + if (info->params.mode != MGSL_MODE_ASYNC && info->drop_rts_on_tx_done) { + info->signals &= ~SerialSignal_RTS; + info->drop_rts_on_tx_done = false; +- set_signals(info); ++ set_gtsignals(info); + } + + #if SYNCLINK_GENERIC_HDLC +@@ -2397,7 +2397,7 @@ static void shutdown(struct slgt_info *info) + + if (!info->port.tty || info->port.tty->termios.c_cflag & HUPCL) { + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_gtsignals(info); + } + + flush_cond_wait(&info->gpio_wait_q); +@@ -2425,7 +2425,7 @@ static void program_hw(struct slgt_info *info) + else + async_mode(info); + +- set_signals(info); ++ set_gtsignals(info); + + info->dcd_chkcount = 0; + info->cts_chkcount = 0; +@@ -2433,7 +2433,7 @@ static void program_hw(struct slgt_info *info) + info->dsr_chkcount = 0; + + slgt_irq_on(info, IRQ_DCD | IRQ_CTS | IRQ_DSR | IRQ_RI); +- get_signals(info); ++ get_gtsignals(info); + + if (info->netcount || + (info->port.tty && info->port.tty->termios.c_cflag & CREAD)) +@@ -2670,7 +2670,7 @@ static int wait_mgsl_event(struct slgt_info *info, int __user *mask_ptr) + spin_lock_irqsave(&info->lock,flags); + + /* return immediately if state matches requested events */ +- get_signals(info); ++ get_gtsignals(info); + s = info->signals; + + events = mask & +@@ -3088,7 +3088,7 @@ static int tiocmget(struct tty_struct *tty) + unsigned long flags; + + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + + result = ((info->signals & SerialSignal_RTS) ? TIOCM_RTS:0) + +@@ -3127,7 +3127,7 @@ static int tiocmset(struct tty_struct *tty, + info->signals &= ~SerialSignal_DTR; + + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + return 0; + } +@@ -3138,7 +3138,7 @@ static int carrier_raised(struct tty_port *port) + struct slgt_info *info = container_of(port, struct slgt_info, port); + + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + return (info->signals & SerialSignal_DCD) ? 1 : 0; + } +@@ -3153,7 +3153,7 @@ static void dtr_rts(struct tty_port *port, int on) + info->signals |= SerialSignal_RTS | SerialSignal_DTR; + else + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +@@ -3951,10 +3951,10 @@ static void tx_start(struct slgt_info *info) + + if (info->params.mode != MGSL_MODE_ASYNC) { + if (info->params.flags & HDLC_FLAG_AUTO_RTS) { +- get_signals(info); ++ get_gtsignals(info); + if (!(info->signals & SerialSignal_RTS)) { + info->signals |= SerialSignal_RTS; +- set_signals(info); ++ set_gtsignals(info); + info->drop_rts_on_tx_done = true; + } + } +@@ -4008,7 +4008,7 @@ static void reset_port(struct slgt_info *info) + rx_stop(info); + + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_gtsignals(info); + + slgt_irq_off(info, IRQ_ALL | IRQ_MASTER); + } +@@ -4430,7 +4430,7 @@ static void tx_set_idle(struct slgt_info *info) + /* + * get state of V24 status (input) signals + */ +-static void get_signals(struct slgt_info *info) ++static void get_gtsignals(struct slgt_info *info) + { + unsigned short status = rd_reg16(info, SSR); + +@@ -4492,7 +4492,7 @@ static void msc_set_vcr(struct slgt_info *info) + /* + * set state of V24 control (output) signals + */ +-static void set_signals(struct slgt_info *info) ++static void set_gtsignals(struct slgt_info *info) + { + unsigned char val = rd_reg8(info, VCR); + if (info->signals & SerialSignal_DTR) +-- +2.33.0 + diff --git a/queue-5.14/x86-asm-fix-setz-size-enqcmds-build-failure.patch b/queue-5.14/x86-asm-fix-setz-size-enqcmds-build-failure.patch new file mode 100644 index 00000000000..08da810b433 --- /dev/null +++ b/queue-5.14/x86-asm-fix-setz-size-enqcmds-build-failure.patch @@ -0,0 +1,43 @@ +From 3c7900992e1ed1197ff20ebf44b0c1a601c43f04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Sep 2021 15:33:32 -0700 +Subject: x86/asm: Fix SETZ size enqcmds() build failure + +From: Kees Cook + +[ Upstream commit d81ff5fe14a950f53e2833cfa196e7bb3fd5d4e3 ] + +When building under GCC 4.9 and 5.5: + + arch/x86/include/asm/special_insns.h: Assembler messages: + arch/x86/include/asm/special_insns.h:286: Error: operand size mismatch for `setz' + +Change the type to "bool" for condition code arguments, as documented. + +Fixes: 7f5933f81bd8 ("x86/asm: Add an enqcmds() wrapper for the ENQCMDS instruction") +Co-developed-by: Arnd Bergmann +Signed-off-by: Arnd Bergmann +Signed-off-by: Kees Cook +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20210910223332.3224851-1-keescook@chromium.org +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/special_insns.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/special_insns.h b/arch/x86/include/asm/special_insns.h +index f3fbb84ff8a7..68c257a3de0d 100644 +--- a/arch/x86/include/asm/special_insns.h ++++ b/arch/x86/include/asm/special_insns.h +@@ -275,7 +275,7 @@ static inline int enqcmds(void __iomem *dst, const void *src) + { + const struct { char _[64]; } *__src = src; + struct { char _[64]; } __iomem *__dst = dst; +- int zf; ++ bool zf; + + /* + * ENQCMDS %(rdx), rax +-- +2.33.0 + diff --git a/queue-5.14/x86-fault-fix-wrong-signal-when-vsyscall-fails-with-.patch b/queue-5.14/x86-fault-fix-wrong-signal-when-vsyscall-fails-with-.patch new file mode 100644 index 00000000000..40260c6c609 --- /dev/null +++ b/queue-5.14/x86-fault-fix-wrong-signal-when-vsyscall-fails-with-.patch @@ -0,0 +1,149 @@ +From a2ea08f2477036015aa4910bd51c1cd366876ca7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jul 2021 11:01:52 +0800 +Subject: x86/fault: Fix wrong signal when vsyscall fails with pkey + +From: Jiashuo Liang + +[ Upstream commit d4ffd5df9d18031b6a53f934388726775b4452d3 ] + +The function __bad_area_nosemaphore() calls kernelmode_fixup_or_oops() +with the parameter @signal being actually @pkey, which will send a +signal numbered with the argument in @pkey. + +This bug can be triggered when the kernel fails to access user-given +memory pages that are protected by a pkey, so it can go down the +do_user_addr_fault() path and pass the !user_mode() check in +__bad_area_nosemaphore(). + +Most cases will simply run the kernel fixup code to make an -EFAULT. But +when another condition current->thread.sig_on_uaccess_err is met, which +is only used to emulate vsyscall, the kernel will generate the wrong +signal. + +Add a new parameter @pkey to kernelmode_fixup_or_oops() to fix this. + + [ bp: Massage commit message, fix build error as reported by the 0day + bot: https://lkml.kernel.org/r/202109202245.APvuT8BX-lkp@intel.com ] + +Fixes: 5042d40a264c ("x86/fault: Bypass no_context() for implicit kernel faults from usermode") +Reported-by: kernel test robot +Signed-off-by: Jiashuo Liang +Signed-off-by: Borislav Petkov +Acked-by: Dave Hansen +Link: https://lkml.kernel.org/r/20210730030152.249106-1-liangjs@pku.edu.cn +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/pkeys.h | 2 -- + arch/x86/mm/fault.c | 26 ++++++++++++++++++-------- + include/linux/pkeys.h | 2 ++ + 3 files changed, 20 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/include/asm/pkeys.h b/arch/x86/include/asm/pkeys.h +index 5c7bcaa79623..1d5f14aff5f6 100644 +--- a/arch/x86/include/asm/pkeys.h ++++ b/arch/x86/include/asm/pkeys.h +@@ -2,8 +2,6 @@ + #ifndef _ASM_X86_PKEYS_H + #define _ASM_X86_PKEYS_H + +-#define ARCH_DEFAULT_PKEY 0 +- + /* + * If more than 16 keys are ever supported, a thorough audit + * will be necessary to ensure that the types that store key +diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c +index b2eefdefc108..84a2c8c4af73 100644 +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -710,7 +710,8 @@ oops: + + static noinline void + kernelmode_fixup_or_oops(struct pt_regs *regs, unsigned long error_code, +- unsigned long address, int signal, int si_code) ++ unsigned long address, int signal, int si_code, ++ u32 pkey) + { + WARN_ON_ONCE(user_mode(regs)); + +@@ -735,8 +736,12 @@ kernelmode_fixup_or_oops(struct pt_regs *regs, unsigned long error_code, + + set_signal_archinfo(address, error_code); + +- /* XXX: hwpoison faults will set the wrong code. */ +- force_sig_fault(signal, si_code, (void __user *)address); ++ if (si_code == SEGV_PKUERR) { ++ force_sig_pkuerr((void __user *)address, pkey); ++ } else { ++ /* XXX: hwpoison faults will set the wrong code. */ ++ force_sig_fault(signal, si_code, (void __user *)address); ++ } + } + + /* +@@ -798,7 +803,8 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, + struct task_struct *tsk = current; + + if (!user_mode(regs)) { +- kernelmode_fixup_or_oops(regs, error_code, address, pkey, si_code); ++ kernelmode_fixup_or_oops(regs, error_code, address, ++ SIGSEGV, si_code, pkey); + return; + } + +@@ -930,7 +936,8 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address, + { + /* Kernel mode? Handle exceptions or die: */ + if (!user_mode(regs)) { +- kernelmode_fixup_or_oops(regs, error_code, address, SIGBUS, BUS_ADRERR); ++ kernelmode_fixup_or_oops(regs, error_code, address, ++ SIGBUS, BUS_ADRERR, ARCH_DEFAULT_PKEY); + return; + } + +@@ -1396,7 +1403,8 @@ good_area: + */ + if (!user_mode(regs)) + kernelmode_fixup_or_oops(regs, error_code, address, +- SIGBUS, BUS_ADRERR); ++ SIGBUS, BUS_ADRERR, ++ ARCH_DEFAULT_PKEY); + return; + } + +@@ -1416,7 +1424,8 @@ good_area: + return; + + if (fatal_signal_pending(current) && !user_mode(regs)) { +- kernelmode_fixup_or_oops(regs, error_code, address, 0, 0); ++ kernelmode_fixup_or_oops(regs, error_code, address, ++ 0, 0, ARCH_DEFAULT_PKEY); + return; + } + +@@ -1424,7 +1433,8 @@ good_area: + /* Kernel mode? Handle exceptions or die: */ + if (!user_mode(regs)) { + kernelmode_fixup_or_oops(regs, error_code, address, +- SIGSEGV, SEGV_MAPERR); ++ SIGSEGV, SEGV_MAPERR, ++ ARCH_DEFAULT_PKEY); + return; + } + +diff --git a/include/linux/pkeys.h b/include/linux/pkeys.h +index 6beb26b7151d..86be8bf27b41 100644 +--- a/include/linux/pkeys.h ++++ b/include/linux/pkeys.h +@@ -4,6 +4,8 @@ + + #include + ++#define ARCH_DEFAULT_PKEY 0 ++ + #ifdef CONFIG_ARCH_HAS_PKEYS + #include + #else /* ! CONFIG_ARCH_HAS_PKEYS */ +-- +2.33.0 + diff --git a/queue-5.14/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch b/queue-5.14/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch new file mode 100644 index 00000000000..119ab7c409b --- /dev/null +++ b/queue-5.14/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch @@ -0,0 +1,195 @@ +From 1c19dc1a6dcd5f65af3fa67761aa15121ab1d025 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Aug 2021 14:32:06 +0200 +Subject: xen/balloon: use a kernel thread instead a workqueue + +From: Juergen Gross + +[ Upstream commit 8480ed9c2bbd56fc86524998e5f2e3e22f5038f6 ] + +Today the Xen ballooning is done via delayed work in a workqueue. This +might result in workqueue hangups being reported in case of large +amounts of memory are being ballooned in one go (here 16GB): + +BUG: workqueue lockup - pool cpus=6 node=0 flags=0x0 nice=0 stuck for 64s! +Showing busy workqueues and worker pools: +workqueue events: flags=0x0 + pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=2/256 refcnt=3 + in-flight: 229:balloon_process + pending: cache_reap +workqueue events_freezable_power_: flags=0x84 + pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2 + pending: disk_events_workfn +workqueue mm_percpu_wq: flags=0x8 + pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2 + pending: vmstat_update +pool 12: cpus=6 node=0 flags=0x0 nice=0 hung=64s workers=3 idle: 2222 43 + +This can easily be avoided by using a dedicated kernel thread for doing +the ballooning work. + +Reported-by: Jan Beulich +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Link: https://lore.kernel.org/r/20210827123206.15429-1-jgross@suse.com +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/balloon.c | 62 +++++++++++++++++++++++++++++++------------ + 1 file changed, 45 insertions(+), 17 deletions(-) + +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index 671c71245a7b..2d2803883306 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -43,6 +43,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -115,7 +117,7 @@ static struct ctl_table xen_root[] = { + #define EXTENT_ORDER (fls(XEN_PFN_PER_PAGE) - 1) + + /* +- * balloon_process() state: ++ * balloon_thread() state: + * + * BP_DONE: done or nothing to do, + * BP_WAIT: wait to be rescheduled, +@@ -130,6 +132,8 @@ enum bp_state { + BP_ECANCELED + }; + ++/* Main waiting point for xen-balloon thread. */ ++static DECLARE_WAIT_QUEUE_HEAD(balloon_thread_wq); + + static DEFINE_MUTEX(balloon_mutex); + +@@ -144,10 +148,6 @@ static xen_pfn_t frame_list[PAGE_SIZE / sizeof(xen_pfn_t)]; + static LIST_HEAD(ballooned_pages); + static DECLARE_WAIT_QUEUE_HEAD(balloon_wq); + +-/* Main work function, always executed in process context. */ +-static void balloon_process(struct work_struct *work); +-static DECLARE_DELAYED_WORK(balloon_worker, balloon_process); +- + /* When ballooning out (allocating memory to return to Xen) we don't really + want the kernel to try too hard since that can trigger the oom killer. */ + #define GFP_BALLOON \ +@@ -366,7 +366,7 @@ static void xen_online_page(struct page *page, unsigned int order) + static int xen_memory_notifier(struct notifier_block *nb, unsigned long val, void *v) + { + if (val == MEM_ONLINE) +- schedule_delayed_work(&balloon_worker, 0); ++ wake_up(&balloon_thread_wq); + + return NOTIFY_OK; + } +@@ -491,18 +491,43 @@ static enum bp_state decrease_reservation(unsigned long nr_pages, gfp_t gfp) + } + + /* +- * As this is a work item it is guaranteed to run as a single instance only. ++ * Stop waiting if either state is not BP_EAGAIN and ballooning action is ++ * needed, or if the credit has changed while state is BP_EAGAIN. ++ */ ++static bool balloon_thread_cond(enum bp_state state, long credit) ++{ ++ if (state != BP_EAGAIN) ++ credit = 0; ++ ++ return current_credit() != credit || kthread_should_stop(); ++} ++ ++/* ++ * As this is a kthread it is guaranteed to run as a single instance only. + * We may of course race updates of the target counts (which are protected + * by the balloon lock), or with changes to the Xen hard limit, but we will + * recover from these in time. + */ +-static void balloon_process(struct work_struct *work) ++static int balloon_thread(void *unused) + { + enum bp_state state = BP_DONE; + long credit; ++ unsigned long timeout; ++ ++ set_freezable(); ++ for (;;) { ++ if (state == BP_EAGAIN) ++ timeout = balloon_stats.schedule_delay * HZ; ++ else ++ timeout = 3600 * HZ; ++ credit = current_credit(); + ++ wait_event_interruptible_timeout(balloon_thread_wq, ++ balloon_thread_cond(state, credit), timeout); ++ ++ if (kthread_should_stop()) ++ return 0; + +- do { + mutex_lock(&balloon_mutex); + + credit = current_credit(); +@@ -529,12 +554,7 @@ static void balloon_process(struct work_struct *work) + mutex_unlock(&balloon_mutex); + + cond_resched(); +- +- } while (credit && state == BP_DONE); +- +- /* Schedule more work if there is some still to be done. */ +- if (state == BP_EAGAIN) +- schedule_delayed_work(&balloon_worker, balloon_stats.schedule_delay * HZ); ++ } + } + + /* Resets the Xen limit, sets new target, and kicks off processing. */ +@@ -542,7 +562,7 @@ void balloon_set_new_target(unsigned long target) + { + /* No need for lock. Not read-modify-write updates. */ + balloon_stats.target_pages = target; +- schedule_delayed_work(&balloon_worker, 0); ++ wake_up(&balloon_thread_wq); + } + EXPORT_SYMBOL_GPL(balloon_set_new_target); + +@@ -647,7 +667,7 @@ void free_xenballooned_pages(int nr_pages, struct page **pages) + + /* The balloon may be too large now. Shrink it if needed. */ + if (current_credit()) +- schedule_delayed_work(&balloon_worker, 0); ++ wake_up(&balloon_thread_wq); + + mutex_unlock(&balloon_mutex); + } +@@ -679,6 +699,8 @@ static void __init balloon_add_region(unsigned long start_pfn, + + static int __init balloon_init(void) + { ++ struct task_struct *task; ++ + if (!xen_domain()) + return -ENODEV; + +@@ -722,6 +744,12 @@ static int __init balloon_init(void) + } + #endif + ++ task = kthread_run(balloon_thread, NULL, "xen-balloon"); ++ if (IS_ERR(task)) { ++ pr_err("xen-balloon thread could not be started, ballooning will not work!\n"); ++ return PTR_ERR(task); ++ } ++ + /* Init the xen-balloon driver. */ + xen_balloon_init(); + +-- +2.33.0 +