From: Sasha Levin Date: Tue, 10 Nov 2020 15:01:25 +0000 (-0500) Subject: Revert "Fixes for 5.8" X-Git-Tag: v4.4.243~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ed3d655109f5fc08e604e92d733c156d0aad15cc;p=thirdparty%2Fkernel%2Fstable-queue.git Revert "Fixes for 5.8" This reverts commit 26d1f20b8a8ddb60a28d0f2aa9802f3856b12780. Signed-off-by: Sasha Levin --- diff --git a/queue-5.8/acpi-nfit-fix-comparison-to-enxio.patch b/queue-5.8/acpi-nfit-fix-comparison-to-enxio.patch deleted file mode 100644 index aac179a844f..00000000000 --- a/queue-5.8/acpi-nfit-fix-comparison-to-enxio.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 0f40c471116ba54d6124b80ae5aea1253f91cd81 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 27 Oct 2020 21:49:01 +0800 -Subject: ACPI: NFIT: Fix comparison to '-ENXIO' - -From: Zhang Qilong - -[ Upstream commit 85f971b65a692b68181438e099b946cc06ed499b ] - -Initial value of rc is '-ENXIO', and we should -use the initial value to check it. - -Signed-off-by: Zhang Qilong -Reviewed-by: Pankaj Gupta -Reviewed-by: Vishal Verma -[ rjw: Subject edit ] -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin ---- - drivers/acpi/nfit/core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c -index 1f72ce1a782b5..a296e6d8aeed4 100644 ---- a/drivers/acpi/nfit/core.c -+++ b/drivers/acpi/nfit/core.c -@@ -1552,7 +1552,7 @@ static ssize_t format1_show(struct device *dev, - le16_to_cpu(nfit_dcr->dcr->code)); - break; - } -- if (rc != ENXIO) -+ if (rc != -ENXIO) - break; - } - mutex_unlock(&acpi_desc->init_mutex); --- -2.27.0 - diff --git a/queue-5.8/arm-dts-mmp3-add-power-domain-for-the-camera.patch b/queue-5.8/arm-dts-mmp3-add-power-domain-for-the-camera.patch deleted file mode 100644 index 04e64543bc5..00000000000 --- a/queue-5.8/arm-dts-mmp3-add-power-domain-for-the-camera.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 491342819fa72b4c3dada2409e93ec43a2d8f124 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 26 Sep 2020 01:48:04 +0200 -Subject: ARM: dts: mmp3: Add power domain for the camera - -From: Lubomir Rintel - -[ Upstream commit 202f8e5c4975a95babf3bcdfb2c18952f06b030a ] - -The camera interfaces on MMP3 are on a separate power island that needs -to be turned on for them to operate and, ideally, turned off when the -cameras are not in use. - -This hooks the power island with the camera interfaces in the device -tree. - -Link: https://lore.kernel.org/r/20200925234805.228251-2-lkundrak@v3.sk -Signed-off-by: Lubomir Rintel -Signed-off-by: Arnd Bergmann -Signed-off-by: Sasha Levin ---- - arch/arm/boot/dts/mmp3.dtsi | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/arch/arm/boot/dts/mmp3.dtsi b/arch/arm/boot/dts/mmp3.dtsi -index 57231d49d9386..0c23d7f4b2f11 100644 ---- a/arch/arm/boot/dts/mmp3.dtsi -+++ b/arch/arm/boot/dts/mmp3.dtsi -@@ -295,6 +295,7 @@ - interrupts = ; - clocks = <&soc_clocks MMP2_CLK_CCIC0>; - clock-names = "axi"; -+ power-domains = <&soc_clocks MMP3_POWER_DOMAIN_CAMERA>; - #clock-cells = <0>; - clock-output-names = "mclk"; - status = "disabled"; -@@ -306,6 +307,7 @@ - interrupts = ; - clocks = <&soc_clocks MMP2_CLK_CCIC1>; - clock-names = "axi"; -+ power-domains = <&soc_clocks MMP3_POWER_DOMAIN_CAMERA>; - #clock-cells = <0>; - clock-output-names = "mclk"; - status = "disabled"; --- -2.27.0 - diff --git a/queue-5.8/arm-dts-sun4i-a10-fix-cpu_alert-temperature.patch b/queue-5.8/arm-dts-sun4i-a10-fix-cpu_alert-temperature.patch deleted file mode 100644 index 45ad4ae6b3b..00000000000 --- a/queue-5.8/arm-dts-sun4i-a10-fix-cpu_alert-temperature.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 0c340d975930937cc2f22d321a4d954fea34ebd7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 3 Oct 2020 12:03:32 +0200 -Subject: ARM: dts: sun4i-a10: fix cpu_alert temperature -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Clément Péron - -[ Upstream commit dea252fa41cd8ce332d148444e4799235a8a03ec ] - -When running dtbs_check thermal_zone warn about the -temperature declared. - -thermal-zones: cpu-thermal:trips:cpu-alert0:temperature:0:0: 850000 is greater than the maximum of 200000 - -It's indeed wrong the real value is 85°C and not 850°C. - -Signed-off-by: Clément Péron -Signed-off-by: Maxime Ripard -Link: https://lore.kernel.org/r/20201003100332.431178-1-peron.clem@gmail.com -Signed-off-by: Sasha Levin ---- - arch/arm/boot/dts/sun4i-a10.dtsi | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/arm/boot/dts/sun4i-a10.dtsi b/arch/arm/boot/dts/sun4i-a10.dtsi -index 0f95a6ef8543a..1c5a666c54b53 100644 ---- a/arch/arm/boot/dts/sun4i-a10.dtsi -+++ b/arch/arm/boot/dts/sun4i-a10.dtsi -@@ -143,7 +143,7 @@ - trips { - cpu_alert0: cpu-alert0 { - /* milliCelsius */ -- temperature = <850000>; -+ temperature = <85000>; - hysteresis = <2000>; - type = "passive"; - }; --- -2.27.0 - diff --git a/queue-5.8/arm64-dts-meson-add-missing-g12-rng-clock.patch b/queue-5.8/arm64-dts-meson-add-missing-g12-rng-clock.patch deleted file mode 100644 index 3d238fb5c37..00000000000 --- a/queue-5.8/arm64-dts-meson-add-missing-g12-rng-clock.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From a7f20faa812a85b6b0cd31b22cb8de656c8ad8ad Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 25 Sep 2020 01:43:53 -0700 -Subject: arm64: dts: meson: add missing g12 rng clock - -From: Scott K Logan - -[ Upstream commit a1afbbb0285797e01313779c71287d936d069245 ] - -This adds the missing perpheral clock for the RNG for Amlogic G12. As -stated in amlogic,meson-rng.yaml, this isn't always necessary for the -RNG to function, but is better to have in case the clock is disabled for -some reason prior to loading. - -Signed-off-by: Scott K Logan -Suggested-by: Neil Armstrong -Reviewed-by: Neil Armstrong -Signed-off-by: Kevin Hilman -Link: https://lore.kernel.org/r/520a1a8ec7a958b3d918d89563ec7e93a4100a45.camel@cottsay.net -Signed-off-by: Sasha Levin ---- - arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi -index 593a006f4b7b3..6ec40af658ba0 100644 ---- a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi -+++ b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi -@@ -247,6 +247,8 @@ - hwrng: rng@218 { - compatible = "amlogic,meson-rng"; - reg = <0x0 0x218 0x0 0x4>; -+ clocks = <&clkc CLKID_RNG0>; -+ clock-names = "core"; - }; - }; - --- -2.27.0 - diff --git a/queue-5.8/arm64-smp-move-rcu_cpu_starting-earlier.patch b/queue-5.8/arm64-smp-move-rcu_cpu_starting-earlier.patch deleted file mode 100644 index 7d9e5c0dcc6..00000000000 --- a/queue-5.8/arm64-smp-move-rcu_cpu_starting-earlier.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From 7c93cc15099891effaf476d5599b321f43c5fcf4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 28 Oct 2020 14:26:14 -0400 -Subject: arm64/smp: Move rcu_cpu_starting() earlier - -From: Qian Cai - -[ Upstream commit ce3d31ad3cac765484463b4f5a0b6b1f8f1a963e ] - -The call to rcu_cpu_starting() in secondary_start_kernel() is not early -enough in the CPU-hotplug onlining process, which results in lockdep -splats as follows: - - WARNING: suspicious RCU usage - ----------------------------- - kernel/locking/lockdep.c:3497 RCU-list traversed in non-reader section!! - - other info that might help us debug this: - - RCU used illegally from offline CPU! - rcu_scheduler_active = 1, debug_locks = 1 - no locks held by swapper/1/0. - - Call trace: - dump_backtrace+0x0/0x3c8 - show_stack+0x14/0x60 - dump_stack+0x14c/0x1c4 - lockdep_rcu_suspicious+0x134/0x14c - __lock_acquire+0x1c30/0x2600 - lock_acquire+0x274/0xc48 - _raw_spin_lock+0xc8/0x140 - vprintk_emit+0x90/0x3d0 - vprintk_default+0x34/0x40 - vprintk_func+0x378/0x590 - printk+0xa8/0xd4 - __cpuinfo_store_cpu+0x71c/0x868 - cpuinfo_store_cpu+0x2c/0xc8 - secondary_start_kernel+0x244/0x318 - -This is avoided by moving the call to rcu_cpu_starting up near the -beginning of the secondary_start_kernel() function. - -Signed-off-by: Qian Cai -Acked-by: Paul E. 
McKenney -Link: https://lore.kernel.org/lkml/160223032121.7002.1269740091547117869.tip-bot2@tip-bot2/ -Link: https://lore.kernel.org/r/20201028182614.13655-1-cai@redhat.com -Signed-off-by: Will Deacon -Signed-off-by: Sasha Levin ---- - arch/arm64/kernel/smp.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c -index 8cd6316a0d833..3e0fd4e6bcdcb 100644 ---- a/arch/arm64/kernel/smp.c -+++ b/arch/arm64/kernel/smp.c -@@ -214,6 +214,7 @@ asmlinkage notrace void secondary_start_kernel(void) - if (system_uses_irq_prio_masking()) - init_gic_priority_masking(); - -+ rcu_cpu_starting(cpu); - preempt_disable(); - trace_hardirqs_off(); - --- -2.27.0 - diff --git a/queue-5.8/blk-cgroup-fix-memleak-on-error-path.patch b/queue-5.8/blk-cgroup-fix-memleak-on-error-path.patch deleted file mode 100644 index aa04cab1a43..00000000000 --- a/queue-5.8/blk-cgroup-fix-memleak-on-error-path.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 055a9931e06467b4347cf59dca19f58b7eb5f654 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 22 Oct 2020 16:58:41 -0400 -Subject: blk-cgroup: Fix memleak on error path - -From: Gabriel Krisman Bertazi - -[ Upstream commit 52abfcbd57eefdd54737fc8c2dc79d8f46d4a3e5 ] - -If new_blkg allocation raced with blk_policy change and -blkg_lookup_check fails, new_blkg is leaked. - -Acked-by: Tejun Heo -Signed-off-by: Gabriel Krisman Bertazi -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - block/blk-cgroup.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c -index 6e8f5e60b0982..67619f4e24907 100644 ---- a/block/blk-cgroup.c -+++ b/block/blk-cgroup.c -@@ -682,6 +682,7 @@ int blkg_conf_prep(struct blkcg *blkcg, const struct blkcg_policy *pol, - blkg = blkg_lookup_check(pos, pol, q); - if (IS_ERR(blkg)) { - ret = PTR_ERR(blkg); -+ blkg_free(new_blkg); - goto fail_unlock; - } - --- -2.27.0 - 
diff --git a/queue-5.8/blk-cgroup-pre-allocate-tree-node-on-blkg_conf_prep.patch b/queue-5.8/blk-cgroup-pre-allocate-tree-node-on-blkg_conf_prep.patch deleted file mode 100644 index a44eebef3c7..00000000000 --- a/queue-5.8/blk-cgroup-pre-allocate-tree-node-on-blkg_conf_prep.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From b6c9a5fa318c8cce5b50d4f926cc20e88a9f8222 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 22 Oct 2020 16:58:42 -0400 -Subject: blk-cgroup: Pre-allocate tree node on blkg_conf_prep - -From: Gabriel Krisman Bertazi - -[ Upstream commit f255c19b3ab46d3cad3b1b2e1036f4c926cb1d0c ] - -Similarly to commit 457e490f2b741 ("blkcg: allocate struct blkcg_gq -outside request queue spinlock"), blkg_create can also trigger -occasional -ENOMEM failures at the radix insertion because any -allocation inside blkg_create has to be non-blocking, making it more -likely to fail. This causes trouble for userspace tools trying to -configure io weights who need to deal with this condition. - -This patch reduces the occurrence of -ENOMEMs on this path by preloading -the radix tree element on a GFP_KERNEL context, such that we guarantee -the later non-blocking insertion won't fail. - -A similar solution exists in blkcg_init_queue for the same situation. - -Acked-by: Tejun Heo -Signed-off-by: Gabriel Krisman Bertazi -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - block/blk-cgroup.c | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c -index 67619f4e24907..1cd0574b83bb2 100644 ---- a/block/blk-cgroup.c -+++ b/block/blk-cgroup.c -@@ -676,6 +676,12 @@ int blkg_conf_prep(struct blkcg *blkcg, const struct blkcg_policy *pol, - goto fail; - } - -+ if (radix_tree_preload(GFP_KERNEL)) { -+ blkg_free(new_blkg); -+ ret = -ENOMEM; -+ goto fail; -+ } -+ - rcu_read_lock(); - spin_lock_irq(&q->queue_lock); - -@@ -683,7 +689,7 @@ int blkg_conf_prep(struct blkcg *blkcg, const struct blkcg_policy *pol, - if (IS_ERR(blkg)) { - ret = PTR_ERR(blkg); - blkg_free(new_blkg); -- goto fail_unlock; -+ goto fail_preloaded; - } - - if (blkg) { -@@ -692,10 +698,12 @@ int blkg_conf_prep(struct blkcg *blkcg, const struct blkcg_policy *pol, - blkg = blkg_create(pos, q, new_blkg); - if (IS_ERR(blkg)) { - ret = 
PTR_ERR(blkg); -- goto fail_unlock; -+ goto fail_preloaded; - } - } - -+ radix_tree_preload_end(); -+ - if (pos == blkcg) - goto success; - } -@@ -705,6 +713,8 @@ int blkg_conf_prep(struct blkcg *blkcg, const struct blkcg_policy *pol, - ctx->body = input; - return 0; - -+fail_preloaded: -+ radix_tree_preload_end(); - fail_unlock: - spin_unlock_irq(&q->queue_lock); - rcu_read_unlock(); --- -2.27.0 - diff --git a/queue-5.8/btrfs-add-a-helper-to-read-the-tree_root-commit-root.patch b/queue-5.8/btrfs-add-a-helper-to-read-the-tree_root-commit-root.patch deleted file mode 100644 index ec6e8c8b349..00000000000 --- a/queue-5.8/btrfs-add-a-helper-to-read-the-tree_root-commit-root.patch +++ /dev/null 
@@ -1,424 +0,0 @@ -From 674f51560e66ba05253446a846dca965022ae10e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 19 Oct 2020 16:02:31 -0400 -Subject: btrfs: add a helper to read the tree_root commit root for backref - lookup - -From: Josef Bacik - -[ Upstream commit 49d11bead7d596e031fbd34051d8765587cd645b ] - -I got the following lockdep splat with tree locks converted to rwsem -patches on btrfs/104: - - ====================================================== - WARNING: possible circular locking dependency detected - 5.9.0+ #102 Not tainted - ------------------------------------------------------ - btrfs-cleaner/903 is trying to acquire lock: - ffff8e7fab6ffe30 (btrfs-root-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x32/0x170 - - but task is already holding lock: - ffff8e7fab628a88 (&fs_info->commit_root_sem){++++}-{3:3}, at: btrfs_find_all_roots+0x41/0x80 - - which lock already depends on the new lock. - - the existing dependency chain (in reverse order) is: - - -> #3 (&fs_info->commit_root_sem){++++}-{3:3}: - down_read+0x40/0x130 - caching_thread+0x53/0x5a0 - btrfs_work_helper+0xfa/0x520 - process_one_work+0x238/0x540 - worker_thread+0x55/0x3c0 - kthread+0x13a/0x150 - ret_from_fork+0x1f/0x30 - - -> #2 (&caching_ctl->mutex){+.+.}-{3:3}: - __mutex_lock+0x7e/0x7b0 - btrfs_cache_block_group+0x1e0/0x510 - find_free_extent+0xb6e/0x12f0 - btrfs_reserve_extent+0xb3/0x1b0 - btrfs_alloc_tree_block+0xb1/0x330 - alloc_tree_block_no_bg_flush+0x4f/0x60 - __btrfs_cow_block+0x11d/0x580 - btrfs_cow_block+0x10c/0x220 - commit_cowonly_roots+0x47/0x2e0 - btrfs_commit_transaction+0x595/0xbd0 - sync_filesystem+0x74/0x90 - generic_shutdown_super+0x22/0x100 - kill_anon_super+0x14/0x30 - btrfs_kill_super+0x12/0x20 - deactivate_locked_super+0x36/0xa0 - cleanup_mnt+0x12d/0x190 - task_work_run+0x5c/0xa0 - exit_to_user_mode_prepare+0x1df/0x200 - syscall_exit_to_user_mode+0x54/0x280 - entry_SYSCALL_64_after_hwframe+0x44/0xa9 - - -> #1 (&space_info->groups_sem){++++}-{3:3}: - 
down_read+0x40/0x130 - find_free_extent+0x2ed/0x12f0 - btrfs_reserve_extent+0xb3/0x1b0 - btrfs_alloc_tree_block+0xb1/0x330 - alloc_tree_block_no_bg_flush+0x4f/0x60 - __btrfs_cow_block+0x11d/0x580 - btrfs_cow_block+0x10c/0x220 - commit_cowonly_roots+0x47/0x2e0 - btrfs_commit_transaction+0x595/0xbd0 - sync_filesystem+0x74/0x90 - generic_shutdown_super+0x22/0x100 - kill_anon_super+0x14/0x30 - btrfs_kill_super+0x12/0x20 - deactivate_locked_super+0x36/0xa0 - cleanup_mnt+0x12d/0x190 - task_work_run+0x5c/0xa0 - exit_to_user_mode_prepare+0x1df/0x200 - syscall_exit_to_user_mode+0x54/0x280 - entry_SYSCALL_64_after_hwframe+0x44/0xa9 - - -> #0 (btrfs-root-00){++++}-{3:3}: - __lock_acquire+0x1167/0x2150 - lock_acquire+0xb9/0x3d0 - down_read_nested+0x43/0x130 - __btrfs_tree_read_lock+0x32/0x170 - __btrfs_read_lock_root_node+0x3a/0x50 - btrfs_search_slot+0x614/0x9d0 - btrfs_find_root+0x35/0x1b0 - btrfs_read_tree_root+0x61/0x120 - btrfs_get_root_ref+0x14b/0x600 - find_parent_nodes+0x3e6/0x1b30 - btrfs_find_all_roots_safe+0xb4/0x130 - btrfs_find_all_roots+0x60/0x80 - btrfs_qgroup_trace_extent_post+0x27/0x40 - btrfs_add_delayed_data_ref+0x3fd/0x460 - btrfs_free_extent+0x42/0x100 - __btrfs_mod_ref+0x1d7/0x2f0 - walk_up_proc+0x11c/0x400 - walk_up_tree+0xf0/0x180 - btrfs_drop_snapshot+0x1c7/0x780 - btrfs_clean_one_deleted_snapshot+0xfb/0x110 - cleaner_kthread+0xd4/0x140 - kthread+0x13a/0x150 - ret_from_fork+0x1f/0x30 - - other info that might help us debug this: - - Chain exists of: - btrfs-root-00 --> &caching_ctl->mutex --> &fs_info->commit_root_sem - - Possible unsafe locking scenario: - - CPU0 CPU1 - ---- ---- - lock(&fs_info->commit_root_sem); - lock(&caching_ctl->mutex); - lock(&fs_info->commit_root_sem); - lock(btrfs-root-00); - - *** DEADLOCK *** - - 3 locks held by btrfs-cleaner/903: - #0: ffff8e7fab628838 (&fs_info->cleaner_mutex){+.+.}-{3:3}, at: cleaner_kthread+0x6e/0x140 - #1: ffff8e7faadac640 (sb_internal){.+.+}-{0:0}, at: start_transaction+0x40b/0x5c0 - #2: 
ffff8e7fab628a88 (&fs_info->commit_root_sem){++++}-{3:3}, at: btrfs_find_all_roots+0x41/0x80 - - stack backtrace: - CPU: 0 PID: 903 Comm: btrfs-cleaner Not tainted 5.9.0+ #102 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-2.fc32 04/01/2014 - Call Trace: - dump_stack+0x8b/0xb0 - check_noncircular+0xcf/0xf0 - __lock_acquire+0x1167/0x2150 - ? __bfs+0x42/0x210 - lock_acquire+0xb9/0x3d0 - ? __btrfs_tree_read_lock+0x32/0x170 - down_read_nested+0x43/0x130 - ? __btrfs_tree_read_lock+0x32/0x170 - __btrfs_tree_read_lock+0x32/0x170 - __btrfs_read_lock_root_node+0x3a/0x50 - btrfs_search_slot+0x614/0x9d0 - ? find_held_lock+0x2b/0x80 - btrfs_find_root+0x35/0x1b0 - ? do_raw_spin_unlock+0x4b/0xa0 - btrfs_read_tree_root+0x61/0x120 - btrfs_get_root_ref+0x14b/0x600 - find_parent_nodes+0x3e6/0x1b30 - btrfs_find_all_roots_safe+0xb4/0x130 - btrfs_find_all_roots+0x60/0x80 - btrfs_qgroup_trace_extent_post+0x27/0x40 - btrfs_add_delayed_data_ref+0x3fd/0x460 - btrfs_free_extent+0x42/0x100 - __btrfs_mod_ref+0x1d7/0x2f0 - walk_up_proc+0x11c/0x400 - walk_up_tree+0xf0/0x180 - btrfs_drop_snapshot+0x1c7/0x780 - ? btrfs_clean_one_deleted_snapshot+0x73/0x110 - btrfs_clean_one_deleted_snapshot+0xfb/0x110 - cleaner_kthread+0xd4/0x140 - ? btrfs_alloc_root+0x50/0x50 - kthread+0x13a/0x150 - ? kthread_create_worker_on_cpu+0x40/0x40 - ret_from_fork+0x1f/0x30 - BTRFS info (device sdb): disk space caching is enabled - BTRFS info (device sdb): has skinny extents - -This happens because qgroups does a backref lookup when we create a -delayed ref. From here it may have to look up a root from an indirect -ref, which does a normal lookup on the tree_root, which takes the read -lock on the tree_root nodes. - -To fix this we need to add a variant for looking up roots that searches -the commit root of the tree_root. Then when we do the backref search -using the commit root we are sure to not take any locks on the tree_root -nodes. This gets rid of the lockdep splat when running btrfs/104. 
- -Reviewed-by: Filipe Manana -Signed-off-by: Josef Bacik -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin ---- - fs/btrfs/backref.c | 13 ++++- - fs/btrfs/disk-io.c | 139 ++++++++++++++++++++++++++++++++------------- - fs/btrfs/disk-io.h | 3 + - 3 files changed, 114 insertions(+), 41 deletions(-) - -diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c -index ea1c28ccb44ff..b948df7a929eb 100644 ---- a/fs/btrfs/backref.c -+++ b/fs/btrfs/backref.c -@@ -544,7 +544,18 @@ static int resolve_indirect_ref(struct btrfs_fs_info *fs_info, - int level = ref->level; - struct btrfs_key search_key = ref->key_for_search; - -- root = btrfs_get_fs_root(fs_info, ref->root_id, false); -+ /* -+ * If we're search_commit_root we could possibly be holding locks on -+ * other tree nodes. This happens when qgroups does backref walks when -+ * adding new delayed refs. To deal with this we need to look in cache -+ * for the root, and if we don't find it then we need to search the -+ * tree_root's commit root, thus the btrfs_get_fs_root_commit_root usage -+ * here. 
-+ */ -+ if (path->search_commit_root) -+ root = btrfs_get_fs_root_commit_root(fs_info, path, ref->root_id); -+ else -+ root = btrfs_get_fs_root(fs_info, ref->root_id, false); - if (IS_ERR(root)) { - ret = PTR_ERR(root); - goto out_free; -diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c -index e6dbfd09bf1cb..11e7ebd46f826 100644 ---- a/fs/btrfs/disk-io.c -+++ b/fs/btrfs/disk-io.c -@@ -1341,32 +1341,26 @@ int btrfs_add_log_tree(struct btrfs_trans_handle *trans, - return 0; - } - --struct btrfs_root *btrfs_read_tree_root(struct btrfs_root *tree_root, -- struct btrfs_key *key) -+static struct btrfs_root *read_tree_root_path(struct btrfs_root *tree_root, -+ struct btrfs_path *path, -+ struct btrfs_key *key) - { - struct btrfs_root *root; - struct btrfs_fs_info *fs_info = tree_root->fs_info; -- struct btrfs_path *path; - u64 generation; - int ret; - int level; - -- path = btrfs_alloc_path(); -- if (!path) -- return ERR_PTR(-ENOMEM); -- - root = btrfs_alloc_root(fs_info, key->objectid, GFP_NOFS); -- if (!root) { -- ret = -ENOMEM; -- goto alloc_fail; -- } -+ if (!root) -+ return ERR_PTR(-ENOMEM); - - ret = btrfs_find_root(tree_root, key, path, - &root->root_item, &root->root_key); - if (ret) { - if (ret > 0) - ret = -ENOENT; -- goto find_fail; -+ goto fail; - } - - generation = btrfs_root_generation(&root->root_item); -@@ -1377,21 +1371,31 @@ struct btrfs_root *btrfs_read_tree_root(struct btrfs_root *tree_root, - if (IS_ERR(root->node)) { - ret = PTR_ERR(root->node); - root->node = NULL; -- goto find_fail; -+ goto fail; - } else if (!btrfs_buffer_uptodate(root->node, generation, 0)) { - ret = -EIO; -- goto find_fail; -+ goto fail; - } - root->commit_root = btrfs_root_node(root); --out: -- btrfs_free_path(path); - return root; -- --find_fail: -+fail: - btrfs_put_root(root); --alloc_fail: -- root = ERR_PTR(ret); -- goto out; -+ return ERR_PTR(ret); -+} -+ -+struct btrfs_root *btrfs_read_tree_root(struct btrfs_root *tree_root, -+ struct btrfs_key *key) -+{ -+ struct 
btrfs_root *root; -+ struct btrfs_path *path; -+ -+ path = btrfs_alloc_path(); -+ if (!path) -+ return ERR_PTR(-ENOMEM); -+ root = read_tree_root_path(tree_root, path, key); -+ btrfs_free_path(path); -+ -+ return root; - } - - /* -@@ -1479,6 +1483,31 @@ static struct btrfs_root *btrfs_lookup_fs_root(struct btrfs_fs_info *fs_info, - return root; - } - -+static struct btrfs_root *btrfs_get_global_root(struct btrfs_fs_info *fs_info, -+ u64 objectid) -+{ -+ if (objectid == BTRFS_ROOT_TREE_OBJECTID) -+ return btrfs_grab_root(fs_info->tree_root); -+ if (objectid == BTRFS_EXTENT_TREE_OBJECTID) -+ return btrfs_grab_root(fs_info->extent_root); -+ if (objectid == BTRFS_CHUNK_TREE_OBJECTID) -+ return btrfs_grab_root(fs_info->chunk_root); -+ if (objectid == BTRFS_DEV_TREE_OBJECTID) -+ return btrfs_grab_root(fs_info->dev_root); -+ if (objectid == BTRFS_CSUM_TREE_OBJECTID) -+ return btrfs_grab_root(fs_info->csum_root); -+ if (objectid == BTRFS_QUOTA_TREE_OBJECTID) -+ return btrfs_grab_root(fs_info->quota_root) ? -+ fs_info->quota_root : ERR_PTR(-ENOENT); -+ if (objectid == BTRFS_UUID_TREE_OBJECTID) -+ return btrfs_grab_root(fs_info->uuid_root) ? -+ fs_info->uuid_root : ERR_PTR(-ENOENT); -+ if (objectid == BTRFS_FREE_SPACE_TREE_OBJECTID) -+ return btrfs_grab_root(fs_info->free_space_root) ? 
-+ fs_info->free_space_root : ERR_PTR(-ENOENT); -+ return NULL; -+} -+ - int btrfs_insert_fs_root(struct btrfs_fs_info *fs_info, - struct btrfs_root *root) - { -@@ -1576,25 +1605,9 @@ static struct btrfs_root *btrfs_get_root_ref(struct btrfs_fs_info *fs_info, - struct btrfs_key key; - int ret; - -- if (objectid == BTRFS_ROOT_TREE_OBJECTID) -- return btrfs_grab_root(fs_info->tree_root); -- if (objectid == BTRFS_EXTENT_TREE_OBJECTID) -- return btrfs_grab_root(fs_info->extent_root); -- if (objectid == BTRFS_CHUNK_TREE_OBJECTID) -- return btrfs_grab_root(fs_info->chunk_root); -- if (objectid == BTRFS_DEV_TREE_OBJECTID) -- return btrfs_grab_root(fs_info->dev_root); -- if (objectid == BTRFS_CSUM_TREE_OBJECTID) -- return btrfs_grab_root(fs_info->csum_root); -- if (objectid == BTRFS_QUOTA_TREE_OBJECTID) -- return btrfs_grab_root(fs_info->quota_root) ? -- fs_info->quota_root : ERR_PTR(-ENOENT); -- if (objectid == BTRFS_UUID_TREE_OBJECTID) -- return btrfs_grab_root(fs_info->uuid_root) ? -- fs_info->uuid_root : ERR_PTR(-ENOENT); -- if (objectid == BTRFS_FREE_SPACE_TREE_OBJECTID) -- return btrfs_grab_root(fs_info->free_space_root) ? -- fs_info->free_space_root : ERR_PTR(-ENOENT); -+ root = btrfs_get_global_root(fs_info, objectid); -+ if (root) -+ return root; - again: - root = btrfs_lookup_fs_root(fs_info, objectid); - if (root) { -@@ -1700,6 +1713,52 @@ static int btrfs_congested_fn(void *congested_data, int bdi_bits) - return ret; - } - -+/* -+ * btrfs_get_fs_root_commit_root - return a root for the given objectid -+ * @fs_info: the fs_info -+ * @objectid: the objectid we need to lookup -+ * -+ * This is exclusively used for backref walking, and exists specifically because -+ * of how qgroups does lookups. Qgroups will do a backref lookup at delayed ref -+ * creation time, which means we may have to read the tree_root in order to look -+ * up a fs root that is not in memory. 
If the root is not in memory we will -+ * read the tree root commit root and look up the fs root from there. This is a -+ * temporary root, it will not be inserted into the radix tree as it doesn't -+ * have the most uptodate information, it'll simply be discarded once the -+ * backref code is finished using the root. -+ */ -+struct btrfs_root *btrfs_get_fs_root_commit_root(struct btrfs_fs_info *fs_info, -+ struct btrfs_path *path, -+ u64 objectid) -+{ -+ struct btrfs_root *root; -+ struct btrfs_key key; -+ -+ ASSERT(path->search_commit_root && path->skip_locking); -+ -+ /* -+ * This can return -ENOENT if we ask for a root that doesn't exist, but -+ * since this is called via the backref walking code we won't be looking -+ * up a root that doesn't exist, unless there's corruption. So if root -+ * != NULL just return it. -+ */ -+ root = btrfs_get_global_root(fs_info, objectid); -+ if (root) -+ return root; -+ -+ root = btrfs_lookup_fs_root(fs_info, objectid); -+ if (root) -+ return root; -+ -+ key.objectid = objectid; -+ key.type = BTRFS_ROOT_ITEM_KEY; -+ key.offset = (u64)-1; -+ root = read_tree_root_path(fs_info->tree_root, path, &key); -+ btrfs_release_path(path); -+ -+ return root; -+} -+ - /* - * called by the kthread helper functions to finally call the bio end_io - * functions. 
This is where read checksum verification actually happens -diff --git a/fs/btrfs/disk-io.h b/fs/btrfs/disk-io.h -index 00dc39d47ed34..2e6da9ae8462f 100644 ---- a/fs/btrfs/disk-io.h -+++ b/fs/btrfs/disk-io.h -@@ -69,6 +69,9 @@ struct btrfs_root *btrfs_get_fs_root(struct btrfs_fs_info *fs_info, - u64 objectid, bool check_ref); - struct btrfs_root *btrfs_get_new_fs_root(struct btrfs_fs_info *fs_info, - u64 objectid, dev_t anon_dev); -+struct btrfs_root *btrfs_get_fs_root_commit_root(struct btrfs_fs_info *fs_info, -+ struct btrfs_path *path, -+ u64 objectid); - - void btrfs_free_fs_info(struct btrfs_fs_info *fs_info); - int btrfs_cleanup_fs_roots(struct btrfs_fs_info *fs_info); --- -2.27.0 - diff --git a/queue-5.8/drm-amdgpu-add-did-for-navi10-blockchain-sku.patch b/queue-5.8/drm-amdgpu-add-did-for-navi10-blockchain-sku.patch deleted file mode 100644 index 3c6ff9d7034..00000000000 --- a/queue-5.8/drm-amdgpu-add-did-for-navi10-blockchain-sku.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 43b272fc4681b74bd5088a65c8358244c011ab6f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 14 Oct 2020 17:05:50 +0800 -Subject: drm/amdgpu: add DID for navi10 blockchain SKU - -From: Tianci.Yin - -[ Upstream commit 8942881144a7365143f196f5eafed24783a424a3 ] - -Reviewed-by: Alex Deucher -Reviewed-by: Guchun Chen -Signed-off-by: Tianci.Yin -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c -index d73924e35a57e..92844ba2c9c4e 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c -@@ -1016,6 +1016,7 @@ static const struct pci_device_id pciidlist[] = { - {0x1002, 0x7319, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_NAVI10}, - {0x1002, 0x731A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_NAVI10}, - {0x1002, 0x731B, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_NAVI10}, -+ {0x1002, 0x731E, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_NAVI10}, - {0x1002, 0x731F, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_NAVI10}, - /* Navi14 */ - {0x1002, 0x7340, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_NAVI14}, --- -2.27.0 - diff --git a/queue-5.8/drm-nouveau-gem-fix-refcount_t-underflow-use-after-f.patch b/queue-5.8/drm-nouveau-gem-fix-refcount_t-underflow-use-after-f.patch deleted file mode 100644 index b76e52d1042..00000000000 --- a/queue-5.8/drm-nouveau-gem-fix-refcount_t-underflow-use-after-f.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From e73fa7d8a1d342dbad4ba8e492349797194c9796 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 7 Oct 2020 00:08:09 +0200 -Subject: drm/nouveau/gem: fix "refcount_t: underflow; use-after-free" - -From: Karol Herbst - -[ Upstream commit 925681454d7b557d404b5d28ef4469fac1b2e105 ] - -we can't use nouveau_bo_ref here as no ttm object was allocated and -nouveau_bo_ref mainly deals with that. Simply deallocate the object. - -Signed-off-by: Karol Herbst -Signed-off-by: Ben Skeggs -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/nouveau/nouveau_gem.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c -index c5ee5b7364a09..ee5fec1ad9a46 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_gem.c -+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c -@@ -197,7 +197,8 @@ nouveau_gem_new(struct nouveau_cli *cli, u64 size, int align, uint32_t domain, - * to the caller, instead of a normal nouveau_bo ttm reference. */ - ret = drm_gem_object_init(drm->dev, &nvbo->bo.base, size); - if (ret) { -- nouveau_bo_ref(NULL, &nvbo); -+ drm_gem_object_release(&nvbo->bo.base); -+ kfree(nvbo); - return ret; - } - --- -2.27.0 - diff --git a/queue-5.8/drm-nouveau-nouveau-fix-the-start-end-range-for-migr.patch b/queue-5.8/drm-nouveau-nouveau-fix-the-start-end-range-for-migr.patch deleted file mode 100644 index c2ef9d1d214..00000000000 --- a/queue-5.8/drm-nouveau-nouveau-fix-the-start-end-range-for-migr.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 72b286673db553a7c730733802a9e18ae1b1da5a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 31 Aug 2020 13:31:11 -0700 -Subject: drm/nouveau/nouveau: fix the start/end range for migration - -From: Ralph Campbell - -[ Upstream commit cfa736f5a6f31ca8a05459b5720aac030247ad1b ] - -The user level OpenCL code shouldn't have to align start and end -addresses to a page boundary. That is better handled in the nouveau -driver. The npages field is also redundant since it can be computed -from the start and end addresses. - -Signed-off-by: Ralph Campbell -Signed-off-by: Ben Skeggs -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/nouveau/nouveau_svm.c | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/nouveau_svm.c b/drivers/gpu/drm/nouveau/nouveau_svm.c -index 6586d9d398740..11b7cc3625cf8 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_svm.c -+++ b/drivers/gpu/drm/nouveau/nouveau_svm.c -@@ -116,11 +116,11 @@ nouveau_svmm_bind(struct drm_device *dev, void *data, - struct nouveau_cli *cli = nouveau_cli(file_priv); - struct drm_nouveau_svm_bind *args = data; - unsigned target, cmd, priority; -- unsigned long addr, end, size; -+ unsigned long addr, end; - struct mm_struct *mm; - - args->va_start &= PAGE_MASK; -- args->va_end &= PAGE_MASK; -+ args->va_end = ALIGN(args->va_end, PAGE_SIZE); - - /* Sanity check arguments */ - if (args->reserved0 || args->reserved1) -@@ -129,8 +129,6 @@ nouveau_svmm_bind(struct drm_device *dev, void *data, - return -EINVAL; - if (args->va_start >= args->va_end) - return -EINVAL; -- if (!args->npages) -- return -EINVAL; - - cmd = args->header >> NOUVEAU_SVM_BIND_COMMAND_SHIFT; - cmd &= NOUVEAU_SVM_BIND_COMMAND_MASK; -@@ -162,12 +160,6 @@ nouveau_svmm_bind(struct drm_device *dev, void *data, - if (args->stride) - return -EINVAL; - -- size = ((unsigned long)args->npages) << PAGE_SHIFT; -- if ((args->va_start + size) <= args->va_start) -- return -EINVAL; -- if 
((args->va_start + size) > args->va_end) -- return -EINVAL; -- - /* - * Ok we are ask to do something sane, for now we only support migrate - * commands but we will add things like memory policy (what to do on -@@ -182,7 +174,7 @@ nouveau_svmm_bind(struct drm_device *dev, void *data, - return -EINVAL; - } - -- for (addr = args->va_start, end = args->va_start + size; addr < end;) { -+ for (addr = args->va_start, end = args->va_end; addr < end;) { - struct vm_area_struct *vma; - unsigned long next; - --- -2.27.0 - diff --git a/queue-5.8/drm-sun4i-frontend-fix-the-scaler-phase-on-a33.patch b/queue-5.8/drm-sun4i-frontend-fix-the-scaler-phase-on-a33.patch deleted file mode 100644 index 0dd7622bab8..00000000000 --- a/queue-5.8/drm-sun4i-frontend-fix-the-scaler-phase-on-a33.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From d3f991f1650b6cbd8eaa3a85462664775431d260 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 15 Oct 2020 11:36:42 +0200 -Subject: drm/sun4i: frontend: Fix the scaler phase on A33 - -From: Maxime Ripard - -[ Upstream commit e3190b5e9462067714d267c40d8c8c1d0463dda3 ] - -The A33 has a different phase parameter in the Allwinner BSP on the -channel1 than the one currently applied. Fix this. - -Signed-off-by: Maxime Ripard -Acked-by: Jernej Skrabec -Link: https://patchwork.freedesktop.org/patch/msgid/20201015093642.261440-3-maxime@cerno.tech -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/sun4i/sun4i_frontend.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/sun4i/sun4i_frontend.c b/drivers/gpu/drm/sun4i/sun4i_frontend.c -index c4959d9e16391..7186ba73d8e14 100644 ---- a/drivers/gpu/drm/sun4i/sun4i_frontend.c -+++ b/drivers/gpu/drm/sun4i/sun4i_frontend.c -@@ -694,7 +694,7 @@ static const struct sun4i_frontend_data sun4i_a10_frontend = { - }; - - static const struct sun4i_frontend_data sun8i_a33_frontend = { -- .ch_phase = { 0x400, 0x400 }, -+ .ch_phase = { 0x400, 0xfc400 }, - .has_coef_access_ctrl = true, - }; - --- -2.27.0 - diff --git a/queue-5.8/drm-sun4i-frontend-reuse-the-ch0-phase-for-rgb-forma.patch b/queue-5.8/drm-sun4i-frontend-reuse-the-ch0-phase-for-rgb-forma.patch deleted file mode 100644 index 5bb8f2c2aac..00000000000 --- a/queue-5.8/drm-sun4i-frontend-reuse-the-ch0-phase-for-rgb-forma.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From b6a906e25cd195e25846d7c1d7496c76ed268879 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 15 Oct 2020 11:36:41 +0200 -Subject: drm/sun4i: frontend: Reuse the ch0 phase for RGB formats - -From: Maxime Ripard - -[ Upstream commit 2db9ef9d9e6ea89a9feb5338f58d1f8f83875577 ] - -When using the scaler on the A10-like frontend with single-planar formats, -the current code will setup the channel 0 filter (used for the R or Y -component) with a different phase parameter than the channel 1 filter (used -for the G/B or U/V components). - -This creates a bleed out that keeps repeating on of the last line of the -RGB plane across the rest of the display. The Allwinner BSP either applies -the same phase parameter over both channels or use a separate one, the -condition being whether the input format is YUV420 or not. - -Since YUV420 is both subsampled and multi-planar, and since YUYV is -subsampled but single-planar, we can rule out the subsampling and assume -that the condition is actually whether the format is single or -multi-planar. And it looks like applying the same phase parameter over both -channels for single-planar formats fixes our issue, while we keep the -multi-planar formats working properly. 
- -Reported-by: Taras Galchenko -Signed-off-by: Maxime Ripard -Acked-by: Jernej Skrabec -Link: https://patchwork.freedesktop.org/patch/msgid/20201015093642.261440-2-maxime@cerno.tech -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/sun4i/sun4i_frontend.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/drivers/gpu/drm/sun4i/sun4i_frontend.c b/drivers/gpu/drm/sun4i/sun4i_frontend.c -index 7462801b1fa8e..c4959d9e16391 100644 ---- a/drivers/gpu/drm/sun4i/sun4i_frontend.c -+++ b/drivers/gpu/drm/sun4i/sun4i_frontend.c -@@ -407,6 +407,7 @@ int sun4i_frontend_update_formats(struct sun4i_frontend *frontend, - struct drm_framebuffer *fb = state->fb; - const struct drm_format_info *format = fb->format; - uint64_t modifier = fb->modifier; -+ unsigned int ch1_phase_idx; - u32 out_fmt_val; - u32 in_fmt_val, in_mod_val, in_ps_val; - unsigned int i; -@@ -442,18 +443,19 @@ int sun4i_frontend_update_formats(struct sun4i_frontend *frontend, - * I have no idea what this does exactly, but it seems to be - * related to the scaler FIR filter phase parameters. - */ -+ ch1_phase_idx = (format->num_planes > 1) ? 1 : 0; - regmap_write(frontend->regs, SUN4I_FRONTEND_CH0_HORZPHASE_REG, - frontend->data->ch_phase[0]); - regmap_write(frontend->regs, SUN4I_FRONTEND_CH1_HORZPHASE_REG, -- frontend->data->ch_phase[1]); -+ frontend->data->ch_phase[ch1_phase_idx]); - regmap_write(frontend->regs, SUN4I_FRONTEND_CH0_VERTPHASE0_REG, - frontend->data->ch_phase[0]); - regmap_write(frontend->regs, SUN4I_FRONTEND_CH1_VERTPHASE0_REG, -- frontend->data->ch_phase[1]); -+ frontend->data->ch_phase[ch1_phase_idx]); - regmap_write(frontend->regs, SUN4I_FRONTEND_CH0_VERTPHASE1_REG, - frontend->data->ch_phase[0]); - regmap_write(frontend->regs, SUN4I_FRONTEND_CH1_VERTPHASE1_REG, -- frontend->data->ch_phase[1]); -+ frontend->data->ch_phase[ch1_phase_idx]); - - /* - * Checking the input format is sufficient since we currently only --- -2.27.0 - 
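Review bot: in the sun4i_frontend_update_formats() hunk of the patch above, the new `ch1_phase_idx = (format->num_planes > 1) ? 1 : 0;` line sits under a comment that still reads "I have no idea what this does exactly", and the reasoning for selecting on plane count (YUV420 is subsampled and multi-planar, YUYV is subsampled but single-planar, so subsampling is ruled out) exists only in the commit message. Suggest moving a short summary of that inference into the code comment, and saying there that it is derived from the Allwinner BSP's behaviour, so the index choice is not later mistaken for an arbitrary one.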
diff --git a/queue-5.8/drm-sun4i-frontend-rework-a-bit-the-phase-data.patch b/queue-5.8/drm-sun4i-frontend-rework-a-bit-the-phase-data.patch deleted file mode 100644 index a2763af54c9..00000000000 --- a/queue-5.8/drm-sun4i-frontend-rework-a-bit-the-phase-data.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From dabcccf94b215c48184002ca794f15a48247a623 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 15 Oct 2020 11:36:40 +0200 -Subject: drm/sun4i: frontend: Rework a bit the phase data - -From: Maxime Ripard - -[ Upstream commit 84c971b356379c621df595bd00c3114579dfa59f ] - -The scaler filter phase setup in the allwinner kernel has two different -cases for setting up the scaler filter, the first one using different phase -parameters for the two channels, and the second one reusing the first -channel parameters on the second channel. - -The allwinner kernel has a third option where the horizontal phase of the -second channel will be set to a different value than the vertical one (and -seems like it's the same value than one used on the first channel). -However, that code path seems to never be taken, so we can ignore it for -now, and it's essentially what we're doing so far as well. - -Since we will have always the same values across each components of the -filter setup for a given channel, we can simplify a bit our frontend -structure by only storing the phase value we want to apply to a given -channel. - -Signed-off-by: Maxime Ripard -Acked-by: Jernej Skrabec -Link: https://patchwork.freedesktop.org/patch/msgid/20201015093642.261440-1-maxime@cerno.tech -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/sun4i/sun4i_frontend.c | 34 ++++++-------------------- - drivers/gpu/drm/sun4i/sun4i_frontend.h | 6 +---- - 2 files changed, 9 insertions(+), 31 deletions(-) - -diff --git a/drivers/gpu/drm/sun4i/sun4i_frontend.c b/drivers/gpu/drm/sun4i/sun4i_frontend.c -index ec2a032e07b97..7462801b1fa8e 100644 ---- a/drivers/gpu/drm/sun4i/sun4i_frontend.c -+++ b/drivers/gpu/drm/sun4i/sun4i_frontend.c -@@ -443,17 +443,17 @@ int sun4i_frontend_update_formats(struct sun4i_frontend *frontend, - * related to the scaler FIR filter phase parameters. 
- */ - regmap_write(frontend->regs, SUN4I_FRONTEND_CH0_HORZPHASE_REG, -- frontend->data->ch_phase[0].horzphase); -+ frontend->data->ch_phase[0]); - regmap_write(frontend->regs, SUN4I_FRONTEND_CH1_HORZPHASE_REG, -- frontend->data->ch_phase[1].horzphase); -+ frontend->data->ch_phase[1]); - regmap_write(frontend->regs, SUN4I_FRONTEND_CH0_VERTPHASE0_REG, -- frontend->data->ch_phase[0].vertphase[0]); -+ frontend->data->ch_phase[0]); - regmap_write(frontend->regs, SUN4I_FRONTEND_CH1_VERTPHASE0_REG, -- frontend->data->ch_phase[1].vertphase[0]); -+ frontend->data->ch_phase[1]); - regmap_write(frontend->regs, SUN4I_FRONTEND_CH0_VERTPHASE1_REG, -- frontend->data->ch_phase[0].vertphase[1]); -+ frontend->data->ch_phase[0]); - regmap_write(frontend->regs, SUN4I_FRONTEND_CH1_VERTPHASE1_REG, -- frontend->data->ch_phase[1].vertphase[1]); -+ frontend->data->ch_phase[1]); - - /* - * Checking the input format is sufficient since we currently only -@@ -687,30 +687,12 @@ static const struct dev_pm_ops sun4i_frontend_pm_ops = { - }; - - static const struct sun4i_frontend_data sun4i_a10_frontend = { -- .ch_phase = { -- { -- .horzphase = 0, -- .vertphase = { 0, 0 }, -- }, -- { -- .horzphase = 0xfc000, -- .vertphase = { 0xfc000, 0xfc000 }, -- }, -- }, -+ .ch_phase = { 0x000, 0xfc000 }, - .has_coef_rdy = true, - }; - - static const struct sun4i_frontend_data sun8i_a33_frontend = { -- .ch_phase = { -- { -- .horzphase = 0x400, -- .vertphase = { 0x400, 0x400 }, -- }, -- { -- .horzphase = 0x400, -- .vertphase = { 0x400, 0x400 }, -- }, -- }, -+ .ch_phase = { 0x400, 0x400 }, - .has_coef_access_ctrl = true, - }; - -diff --git a/drivers/gpu/drm/sun4i/sun4i_frontend.h b/drivers/gpu/drm/sun4i/sun4i_frontend.h -index 0c382c1ddb0fe..2e7b76e50c2ba 100644 ---- a/drivers/gpu/drm/sun4i/sun4i_frontend.h -+++ b/drivers/gpu/drm/sun4i/sun4i_frontend.h -@@ -115,11 +115,7 @@ struct reset_control; - struct sun4i_frontend_data { - bool has_coef_access_ctrl; - bool has_coef_rdy; -- -- struct { -- u32 horzphase; -- 
u32 vertphase[2]; -- } ch_phase[2]; -+ u32 ch_phase[2]; - }; - - struct sun4i_frontend { --- -2.27.0 - diff --git a/queue-5.8/drm-v3d-fix-double-free-in-v3d_submit_cl_ioctl.patch b/queue-5.8/drm-v3d-fix-double-free-in-v3d_submit_cl_ioctl.patch deleted file mode 100644 index bf666cf9089..00000000000 --- a/queue-5.8/drm-v3d-fix-double-free-in-v3d_submit_cl_ioctl.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 9f10fb242657d80590a2c0d224427f6f4c1b9cfa Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 26 Oct 2020 12:49:05 +0300 -Subject: drm/v3d: Fix double free in v3d_submit_cl_ioctl() - -From: Dan Carpenter - -[ Upstream commit 897dbea6b716c0f2c5bcd4ba1eb4d809caba290c ] - -Originally this error path used to leak "bin" but then we accidentally -applied two separate commits to fix it and ended up with a double free. - -Signed-off-by: Dan Carpenter -Signed-off-by: Maxime Ripard -Link: https://patchwork.freedesktop.org/patch/msgid/20201026094905.GA1634423@mwanda -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/v3d/v3d_gem.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c -index 09a7639cf161f..0e0f1cc3e283a 100644 ---- a/drivers/gpu/drm/v3d/v3d_gem.c -+++ b/drivers/gpu/drm/v3d/v3d_gem.c -@@ -568,7 +568,6 @@ v3d_submit_cl_ioctl(struct drm_device *dev, void *data, - ret = v3d_job_init(v3d, file_priv, &bin->base, - v3d_job_free, args->in_sync_bcl); - if (ret) { -- kfree(bin); - v3d_job_put(&render->base); - kfree(bin); - return ret; --- -2.27.0 - diff --git a/queue-5.8/drm-vc4-drv-add-error-handding-for-bind.patch b/queue-5.8/drm-vc4-drv-add-error-handding-for-bind.patch deleted file mode 100644 index ad5e1db0766..00000000000 --- a/queue-5.8/drm-vc4-drv-add-error-handding-for-bind.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 7be3b65849f00b7d2620d4b011d5eb231e325002 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 27 Oct 2020 13:14:42 +0900 -Subject: drm/vc4: drv: Add error handding for bind - -From: Hoegeun Kwon - -[ Upstream commit 9ce0af3e9573fb84c4c807183d13ea2a68271e4b ] - -There is a problem that if vc4_drm bind fails, a memory leak occurs on -the drm_property_create side. Add error handding for drm_mode_config. - -Signed-off-by: Hoegeun Kwon -Signed-off-by: Maxime Ripard -Link: https://patchwork.freedesktop.org/patch/msgid/20201027041442.30352-2-hoegeun.kwon@samsung.com -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/vc4/vc4_drv.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/gpu/drm/vc4/vc4_drv.c b/drivers/gpu/drm/vc4/vc4_drv.c -index 76f93b6627660..1dac8e28c7346 100644 ---- a/drivers/gpu/drm/vc4/vc4_drv.c -+++ b/drivers/gpu/drm/vc4/vc4_drv.c -@@ -306,6 +306,7 @@ static int vc4_drm_bind(struct device *dev) - component_unbind_all(dev, drm); - gem_destroy: - vc4_gem_destroy(drm); -+ drm_mode_config_cleanup(drm); - vc4_bo_cache_destroy(drm); - dev_put: - drm_dev_put(drm); --- -2.27.0 - diff --git a/queue-5.8/hyperv_fb-update-screen_info-after-removing-old-fram.patch b/queue-5.8/hyperv_fb-update-screen_info-after-removing-old-fram.patch deleted file mode 100644 index 88041a2bfdc..00000000000 --- a/queue-5.8/hyperv_fb-update-screen_info-after-removing-old-fram.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From d37e1aff1829c3494320df9bf529b6756334936e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 14 Oct 2020 17:24:29 +0800 -Subject: hyperv_fb: Update screen_info after removing old framebuffer - -From: Kairui Song - -[ Upstream commit 3cb73bc3fa2a3cb80b88aa63b48409939e0d996b ] - -On gen2 HyperV VM, hyperv_fb will remove the old framebuffer, and the -new allocated framebuffer address could be at a differnt location, -and it might be no longer a VGA framebuffer. - -Update screen_info so that after kexec the kernel won't try to reuse -the old invalid/stale framebuffer address as VGA, corrupting memory. - -[ mingo: Tidied up the changelog. ] - -Signed-off-by: Kairui Song -Signed-off-by: Ingo Molnar -Cc: Dexuan Cui -Cc: Jake Oshins -Cc: Wei Hu -Cc: "K. Y. Srinivasan" -Cc: Haiyang Zhang -Cc: Stephen Hemminger -Link: https://lore.kernel.org/r/20201014092429.1415040-3-kasong@redhat.com -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/hyperv_fb.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c -index e4c3c8b65da44..4235ea7a6c40c 100644 ---- a/drivers/video/fbdev/hyperv_fb.c -+++ b/drivers/video/fbdev/hyperv_fb.c -@@ -1114,8 +1114,15 @@ static int hvfb_getmem(struct hv_device *hdev, struct fb_info *info) - getmem_done: - remove_conflicting_framebuffers(info->apertures, - KBUILD_MODNAME, false); -- if (!gen2vm) -+ -+ if (gen2vm) { -+ /* framebuffer is reallocated, clear screen_info to avoid misuse from kexec */ -+ screen_info.lfb_size = 0; -+ screen_info.lfb_base = 0; -+ screen_info.orig_video_isVGA = 0; -+ } else { - pci_dev_put(pdev); -+ } - kfree(info->apertures); - - return 0; --- -2.27.0 - diff --git a/queue-5.8/io_uring-don-t-miss-setting-io_wq_work_concurrent.patch b/queue-5.8/io_uring-don-t-miss-setting-io_wq_work_concurrent.patch deleted file mode 100644 index 066d9e0c06d..00000000000 
--- a/queue-5.8/io_uring-don-t-miss-setting-io_wq_work_concurrent.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 2a09579443976cf7299ed26cafdb7641e1dd350f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 22 Oct 2020 16:47:16 +0100 -Subject: io_uring: don't miss setting IO_WQ_WORK_CONCURRENT - -From: Pavel Begunkov - -[ Upstream commit feaadc4fc2ebdbd53ffed1735077725855a2af53 ] - -Set IO_WQ_WORK_CONCURRENT for all REQ_F_FORCE_ASYNC requests, do that in -that is also looks better. - -Signed-off-by: Pavel Begunkov -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - fs/io_uring.c | 10 +++------- - 1 file changed, 3 insertions(+), 7 deletions(-) - -diff --git a/fs/io_uring.c b/fs/io_uring.c -index 8e9c58fa76362..d84eb0cc49ee4 100644 ---- a/fs/io_uring.c -+++ b/fs/io_uring.c -@@ -1089,6 +1089,9 @@ static inline void io_prep_async_work(struct io_kiocb *req, - - io_req_init_async(req); - -+ if (req->flags & REQ_F_FORCE_ASYNC) -+ req->work.flags |= IO_WQ_WORK_CONCURRENT; -+ - if (req->flags & REQ_F_ISREG) { - if (def->hash_reg_file) - io_wq_hash_work(&req->work, file_inode(req->file)); -@@ -5876,13 +5879,6 @@ static void io_queue_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe) - if (unlikely(ret < 0)) - goto fail_req; - } -- -- /* -- * Never try inline submit of IOSQE_ASYNC is set, go straight -- * to async execution. -- */ -- io_req_init_async(req); -- req->work.flags |= IO_WQ_WORK_CONCURRENT; - io_queue_async_work(req); - } else { - __io_queue_sqe(req, sqe); --- -2.27.0 - diff --git a/queue-5.8/nvme-rdma-handle-unexpected-nvme-completion-data-len.patch b/queue-5.8/nvme-rdma-handle-unexpected-nvme-completion-data-len.patch deleted file mode 100644 index d34c7d66f48..00000000000 --- a/queue-5.8/nvme-rdma-handle-unexpected-nvme-completion-data-len.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 39e97e20a00e65fa9953794deb331283340ab779 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 25 Oct 2020 19:51:24 +0800 -Subject: nvme-rdma: handle unexpected nvme completion data length - -From: zhenwei pi - -[ Upstream commit 25c1ca6ecaba3b751d3f7ff92d5cddff3b05f8d0 ] - -Receiving a zero length message leads to the following warnings because -the CQE is processed twice: - -refcount_t: underflow; use-after-free. -WARNING: CPU: 0 PID: 0 at lib/refcount.c:28 - -RIP: 0010:refcount_warn_saturate+0xd9/0xe0 -Call Trace: - - nvme_rdma_recv_done+0xf3/0x280 [nvme_rdma] - __ib_process_cq+0x76/0x150 [ib_core] - ... - -Sanity check the received data length, to avoids this. - -Thanks to Chao Leng & Sagi for suggestions. - -Signed-off-by: zhenwei pi -Reviewed-by: Sagi Grimberg -Signed-off-by: Christoph Hellwig -Signed-off-by: Sasha Levin ---- - drivers/nvme/host/rdma.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c -index 4a0bc8927048a..6a6b39ce9aa1e 100644 ---- a/drivers/nvme/host/rdma.c -+++ b/drivers/nvme/host/rdma.c -@@ -1741,6 +1741,14 @@ static void nvme_rdma_recv_done(struct ib_cq *cq, struct ib_wc *wc) - return; - } - -+ /* sanity checking for received data length */ -+ if (unlikely(wc->byte_len < len)) { -+ dev_err(queue->ctrl->ctrl.device, -+ "Unexpected nvme completion length(%d)\n", wc->byte_len); -+ nvme_rdma_error_recovery(queue->ctrl); -+ return; -+ } -+ - ib_dma_sync_single_for_cpu(ibdev, qe->dma, len, DMA_FROM_DEVICE); - /* - * AEN requests are special as they don't time out and can --- -2.27.0 - diff --git a/queue-5.8/nvmet-fix-a-null-pointer-dereference-when-tracing-th.patch b/queue-5.8/nvmet-fix-a-null-pointer-dereference-when-tracing-th.patch deleted file mode 100644 index 2cc79610f7e..00000000000 --- a/queue-5.8/nvmet-fix-a-null-pointer-dereference-when-tracing-th.patch +++ /dev/null 
@@ -1,148 +0,0 @@ -From a422de1581885cd79a39df7d628242c672c3ac7a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 22 Oct 2020 16:58:21 -0700 -Subject: nvmet: fix a NULL pointer dereference when tracing the flush command - -From: Chaitanya Kulkarni - -[ Upstream commit 3c3751f2daf6675f6b5bee83b792354c272f5bd2 ] - -When target side trace in turned on and flush command is issued from the -host it results in the following Oops. - -[ 856.789724] BUG: kernel NULL pointer dereference, address: 0000000000000068 -[ 856.790686] #PF: supervisor read access in kernel mode -[ 856.791262] #PF: error_code(0x0000) - not-present page -[ 856.791863] PGD 6d7110067 P4D 6d7110067 PUD 66f0ad067 PMD 0 -[ 856.792527] Oops: 0000 [#1] SMP NOPTI -[ 856.792950] CPU: 15 PID: 7034 Comm: nvme Tainted: G OE 5.9.0nvme-5.9+ #71 -[ 856.793790] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e3214 -[ 856.794956] RIP: 0010:trace_event_raw_event_nvmet_req_init+0x13e/0x170 [nvmet] -[ 856.795734] Code: 41 5c 41 5d c3 31 d2 31 f6 e8 4e 9b b8 e0 e9 0e ff ff ff 49 8b 55 00 48 8b 38 8b 0 -[ 856.797740] RSP: 0018:ffffc90001be3a60 EFLAGS: 00010246 -[ 856.798375] RAX: 0000000000000000 RBX: ffff8887e7d2c01c RCX: 0000000000000000 -[ 856.799234] RDX: 0000000000000020 RSI: 0000000057e70ea2 RDI: ffff8887e7d2c034 -[ 856.800088] RBP: ffff88869f710578 R08: ffff888807500d40 R09: 00000000fffffffe -[ 856.800951] R10: 0000000064c66670 R11: 00000000ef955201 R12: ffff8887e7d2c034 -[ 856.801807] R13: ffff88869f7105c8 R14: 0000000000000040 R15: ffff88869f710440 -[ 856.802667] FS: 00007f6a22bd8780(0000) GS:ffff888813a00000(0000) knlGS:0000000000000000 -[ 856.803635] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 856.804367] CR2: 0000000000000068 CR3: 00000006d73e0000 CR4: 00000000003506e0 -[ 856.805283] Call Trace: -[ 856.805613] nvmet_req_init+0x27c/0x480 [nvmet] -[ 856.806200] nvme_loop_queue_rq+0xcb/0x1d0 [nvme_loop] -[ 856.806862] blk_mq_dispatch_rq_list+0x123/0x7b0 -[ 
856.807459] ? kvm_sched_clock_read+0x14/0x30 -[ 856.808025] __blk_mq_sched_dispatch_requests+0xc7/0x170 -[ 856.808708] blk_mq_sched_dispatch_requests+0x30/0x60 -[ 856.809372] __blk_mq_run_hw_queue+0x70/0x100 -[ 856.809935] __blk_mq_delay_run_hw_queue+0x156/0x170 -[ 856.810574] blk_mq_run_hw_queue+0x86/0xe0 -[ 856.811104] blk_mq_sched_insert_request+0xef/0x160 -[ 856.811733] blk_execute_rq+0x69/0xc0 -[ 856.812212] ? blk_mq_rq_ctx_init+0xd0/0x230 -[ 856.812784] nvme_execute_passthru_rq+0x57/0x130 [nvme_core] -[ 856.813461] nvme_submit_user_cmd+0xeb/0x300 [nvme_core] -[ 856.814099] nvme_user_cmd.isra.82+0x11e/0x1a0 [nvme_core] -[ 856.814752] blkdev_ioctl+0x1dc/0x2c0 -[ 856.815197] block_ioctl+0x3f/0x50 -[ 856.815606] __x64_sys_ioctl+0x84/0xc0 -[ 856.816074] do_syscall_64+0x33/0x40 -[ 856.816533] entry_SYSCALL_64_after_hwframe+0x44/0xa9 -[ 856.817168] RIP: 0033:0x7f6a222ed107 -[ 856.817617] Code: 44 00 00 48 8b 05 81 cd 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 8 -[ 856.819901] RSP: 002b:00007ffca848f058 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 -[ 856.820846] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f6a222ed107 -[ 856.821726] RDX: 00007ffca848f060 RSI: 00000000c0484e43 RDI: 0000000000000003 -[ 856.822603] RBP: 0000000000000003 R08: 000000000000003f R09: 0000000000000005 -[ 856.823478] R10: 00007ffca848ece0 R11: 0000000000000202 R12: 00007ffca84912d3 -[ 856.824359] R13: 00007ffca848f4d0 R14: 0000000000000002 R15: 000000000067e900 -[ 856.825236] Modules linked in: nvme_loop(OE) nvmet(OE) nvme_fabrics(OE) null_blk nvme(OE) nvme_corel - -Move the nvmet_req_init() tracepoint after we parse the command in -nvmet_req_init() so that we can get rid of the duplicate -nvmet_find_namespace() call. -Rename __assign_disk_name() -> __assign_req_name(). Now that we call -tracepoint after parsing the command simplify the newly added -__assign_req_name() which fixes this bug. 
- -Signed-off-by: Chaitanya Kulkarni -Signed-off-by: Christoph Hellwig -Signed-off-by: Sasha Levin ---- - drivers/nvme/target/core.c | 4 ++-- - drivers/nvme/target/trace.h | 21 +++++++-------------- - 2 files changed, 9 insertions(+), 16 deletions(-) - -diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c -index 75ed95a250fb5..74f15e265389c 100644 ---- a/drivers/nvme/target/core.c -+++ b/drivers/nvme/target/core.c -@@ -923,8 +923,6 @@ bool nvmet_req_init(struct nvmet_req *req, struct nvmet_cq *cq, - req->error_loc = NVMET_NO_ERROR_LOC; - req->error_slba = 0; - -- trace_nvmet_req_init(req, req->cmd); -- - /* no support for fused commands yet */ - if (unlikely(flags & (NVME_CMD_FUSE_FIRST | NVME_CMD_FUSE_SECOND))) { - req->error_loc = offsetof(struct nvme_common_command, flags); -@@ -954,6 +952,8 @@ bool nvmet_req_init(struct nvmet_req *req, struct nvmet_cq *cq, - if (status) - goto fail; - -+ trace_nvmet_req_init(req, req->cmd); -+ - if (unlikely(!percpu_ref_tryget_live(&sq->ref))) { - status = NVME_SC_INVALID_FIELD | NVME_SC_DNR; - goto fail; -diff --git a/drivers/nvme/target/trace.h b/drivers/nvme/target/trace.h -index 0458046d65017..c14e3249a14dc 100644 ---- a/drivers/nvme/target/trace.h -+++ b/drivers/nvme/target/trace.h -@@ -46,19 +46,12 @@ static inline struct nvmet_ctrl *nvmet_req_to_ctrl(struct nvmet_req *req) - return req->sq->ctrl; - } - --static inline void __assign_disk_name(char *name, struct nvmet_req *req, -- bool init) -+static inline void __assign_req_name(char *name, struct nvmet_req *req) - { -- struct nvmet_ctrl *ctrl = nvmet_req_to_ctrl(req); -- struct nvmet_ns *ns; -- -- if ((init && req->sq->qid) || (!init && req->cq->qid)) { -- ns = nvmet_find_namespace(ctrl, req->cmd->rw.nsid); -- strncpy(name, ns->device_path, DISK_NAME_LEN); -- return; -- } -- -- memset(name, 0, DISK_NAME_LEN); -+ if (req->ns) -+ strncpy(name, req->ns->device_path, DISK_NAME_LEN); -+ else -+ memset(name, 0, DISK_NAME_LEN); - } - #endif - -@@ -81,7 +74,7 @@ 
TRACE_EVENT(nvmet_req_init, - TP_fast_assign( - __entry->cmd = cmd; - __entry->ctrl = nvmet_req_to_ctrl(req); -- __assign_disk_name(__entry->disk, req, true); -+ __assign_req_name(__entry->disk, req); - __entry->qid = req->sq->qid; - __entry->cid = cmd->common.command_id; - __entry->opcode = cmd->common.opcode; -@@ -121,7 +114,7 @@ TRACE_EVENT(nvmet_req_complete, - __entry->cid = req->cqe->command_id; - __entry->result = le64_to_cpu(req->cqe->result.u64); - __entry->status = le16_to_cpu(req->cqe->status) >> 1; -- __assign_disk_name(__entry->disk, req, false); -+ __assign_req_name(__entry->disk, req); - ), - TP_printk("nvmet%s: %sqid=%d, cmdid=%u, res=%#llx, status=%#x", - __print_ctrl_name(__entry->ctrl), --- -2.27.0 - diff --git a/queue-5.8/of-fix-reserved-memory-overlap-detection.patch b/queue-5.8/of-fix-reserved-memory-overlap-detection.patch deleted file mode 100644 index 22220db4fe3..00000000000 --- a/queue-5.8/of-fix-reserved-memory-overlap-detection.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From c50e357bc494f2f8b5611012ab01d1f08bb583a6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 21 Oct 2020 11:53:59 +0200 -Subject: of: Fix reserved-memory overlap detection - -From: Vincent Whitchurch - -[ Upstream commit ca05f33316559a04867295dd49f85aeedbfd6bfd ] - -The reserved-memory overlap detection code fails to detect overlaps if -either of the regions starts at address 0x0. The code explicitly checks -for and ignores such regions, apparently in order to ignore dynamically -allocated regions which have an address of 0x0 at this point. These -dynamically allocated regions also have a size of 0x0 at this point, so -fix this by removing the check and sorting the dynamically allocated -regions ahead of any static regions at address 0x0. - -For example, there are two overlaps in this case but they are not -currently reported: - - foo@0 { - reg = <0x0 0x2000>; - }; - - bar@0 { - reg = <0x0 0x1000>; - }; - - baz@1000 { - reg = <0x1000 0x1000>; - }; - - quux { - size = <0x1000>; - }; - -but they are after this patch: - - OF: reserved mem: OVERLAP DETECTED! - bar@0 (0x00000000--0x00001000) overlaps with foo@0 (0x00000000--0x00002000) - OF: reserved mem: OVERLAP DETECTED! 
- foo@0 (0x00000000--0x00002000) overlaps with baz@1000 (0x00001000--0x00002000) - -Signed-off-by: Vincent Whitchurch -Link: https://lore.kernel.org/r/ded6fd6b47b58741aabdcc6967f73eca6a3f311e.1603273666.git-series.vincent.whitchurch@axis.com -Signed-off-by: Rob Herring -Signed-off-by: Sasha Levin ---- - drivers/of/of_reserved_mem.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c -index 6877080c8af93..1e956729bad01 100644 ---- a/drivers/of/of_reserved_mem.c -+++ b/drivers/of/of_reserved_mem.c -@@ -200,6 +200,16 @@ static int __init __rmem_cmp(const void *a, const void *b) - if (ra->base > rb->base) - return 1; - -+ /* -+ * Put the dynamic allocations (address == 0, size == 0) before static -+ * allocations at address 0x0 so that overlap detection works -+ * correctly. -+ */ -+ if (ra->size < rb->size) -+ return -1; -+ if (ra->size > rb->size) -+ return 1; -+ - return 0; - } - -@@ -217,8 +227,7 @@ static void __init __rmem_check_for_overlap(void) - - this = &reserved_mem[i]; - next = &reserved_mem[i + 1]; -- if (!(this->base && next->base)) -- continue; -+ - if (this->base + this->size > next->base) { - phys_addr_t this_end, next_end; - --- -2.27.0 - diff --git a/queue-5.8/scsi-core-don-t-start-concurrent-async-scan-on-same-.patch b/queue-5.8/scsi-core-don-t-start-concurrent-async-scan-on-same-.patch deleted file mode 100644 index 3901869553b..00000000000 --- a/queue-5.8/scsi-core-don-t-start-concurrent-async-scan-on-same-.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 8dc2e291bdd4278121cebad9f651ff062ac7d8b7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 10 Oct 2020 11:25:39 +0800 -Subject: scsi: core: Don't start concurrent async scan on same host - -From: Ming Lei - -[ Upstream commit 831e3405c2a344018a18fcc2665acc5a38c3a707 ] - -The current scanning mechanism is supposed to fall back to a synchronous -host scan if an asynchronous scan is in progress. However, this rule isn't -strictly respected, scsi_prep_async_scan() doesn't hold scan_mutex when -checking shost->async_scan. When scsi_scan_host() is called concurrently, -two async scans on same host can be started and a hang in do_scan_async() -is observed. - -Fixes this issue by checking & setting shost->async_scan atomically with -shost->scan_mutex. - -Link: https://lore.kernel.org/r/20201010032539.426615-1-ming.lei@redhat.com -Cc: Christoph Hellwig -Cc: Ewan D. Milne -Cc: Hannes Reinecke -Cc: Bart Van Assche -Reviewed-by: Lee Duncan -Reviewed-by: Bart Van Assche -Signed-off-by: Ming Lei -Signed-off-by: Martin K. 
Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/scsi_scan.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c -index f2437a7570ce8..9af50e6f94c4c 100644 ---- a/drivers/scsi/scsi_scan.c -+++ b/drivers/scsi/scsi_scan.c -@@ -1714,15 +1714,16 @@ static void scsi_sysfs_add_devices(struct Scsi_Host *shost) - */ - static struct async_scan_data *scsi_prep_async_scan(struct Scsi_Host *shost) - { -- struct async_scan_data *data; -+ struct async_scan_data *data = NULL; - unsigned long flags; - - if (strncmp(scsi_scan_type, "sync", 4) == 0) - return NULL; - -+ mutex_lock(&shost->scan_mutex); - if (shost->async_scan) { - shost_printk(KERN_DEBUG, shost, "%s called twice\n", __func__); -- return NULL; -+ goto err; - } - - data = kmalloc(sizeof(*data), GFP_KERNEL); -@@ -1733,7 +1734,6 @@ static struct async_scan_data *scsi_prep_async_scan(struct Scsi_Host *shost) - goto err; - init_completion(&data->prev_finished); - -- mutex_lock(&shost->scan_mutex); - spin_lock_irqsave(shost->host_lock, flags); - shost->async_scan = 1; - spin_unlock_irqrestore(shost->host_lock, flags); -@@ -1748,6 +1748,7 @@ static struct async_scan_data *scsi_prep_async_scan(struct Scsi_Host *shost) - return data; - - err: -+ mutex_unlock(&shost->scan_mutex); - kfree(data); - return NULL; - } --- -2.27.0 - diff --git a/queue-5.8/scsi-ibmvscsi-fix-potential-race-after-loss-of-trans.patch b/queue-5.8/scsi-ibmvscsi-fix-potential-race-after-loss-of-trans.patch deleted file mode 100644 index d07bba0bcf2..00000000000 --- a/queue-5.8/scsi-ibmvscsi-fix-potential-race-after-loss-of-trans.patch +++ /dev/null 
@@ -1,149 +0,0 @@ -From 6878ec9d96e2438cae3df16dc1f109bc91802248 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 24 Oct 2020 19:13:55 -0500 -Subject: scsi: ibmvscsi: Fix potential race after loss of transport - -From: Tyrel Datwyler - -[ Upstream commit 665e0224a3d76f36da40bd9012270fa629aa42ed ] - -After a loss of transport due to an adapter migration or crash/disconnect -from the host partner there is a tiny window where we can race adjusting -the request_limit of the adapter. The request limit is atomically -increased/decreased to track the number of inflight requests against the -allowed limit of our VIOS partner. - -After a transport loss we set the request_limit to zero to reflect this -state. However, there is a window where the adapter may attempt to queue a -command because the transport loss event hasn't been fully processed yet -and request_limit is still greater than zero. The hypercall to send the -event will fail and the error path will increment the request_limit as a -result. If the adapter processes the transport event prior to this -increment the request_limit becomes out of sync with the adapter state and -can result in SCSI commands being submitted on the now reset connection -prior to an SRP Login resulting in a protocol violation. - -Fix this race by protecting request_limit with the host lock when changing -the value via atomic_set() to indicate no transport. - -Link: https://lore.kernel.org/r/20201025001355.4527-1-tyreld@linux.ibm.com -Signed-off-by: Tyrel Datwyler -Signed-off-by: Martin K. 
Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/ibmvscsi/ibmvscsi.c | 36 +++++++++++++++++++++++--------- - 1 file changed, 26 insertions(+), 10 deletions(-) - -diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c -index 14f687e9b1f44..62faeab47d905 100644 ---- a/drivers/scsi/ibmvscsi/ibmvscsi.c -+++ b/drivers/scsi/ibmvscsi/ibmvscsi.c -@@ -806,6 +806,22 @@ static void purge_requests(struct ibmvscsi_host_data *hostdata, int error_code) - spin_unlock_irqrestore(hostdata->host->host_lock, flags); - } - -+/** -+ * ibmvscsi_set_request_limit - Set the adapter request_limit in response to -+ * an adapter failure, reset, or SRP Login. Done under host lock to prevent -+ * race with SCSI command submission. -+ * @hostdata: adapter to adjust -+ * @limit: new request limit -+ */ -+static void ibmvscsi_set_request_limit(struct ibmvscsi_host_data *hostdata, int limit) -+{ -+ unsigned long flags; -+ -+ spin_lock_irqsave(hostdata->host->host_lock, flags); -+ atomic_set(&hostdata->request_limit, limit); -+ spin_unlock_irqrestore(hostdata->host->host_lock, flags); -+} -+ - /** - * ibmvscsi_reset_host - Reset the connection to the server - * @hostdata: struct ibmvscsi_host_data to reset -@@ -813,7 +829,7 @@ static void purge_requests(struct ibmvscsi_host_data *hostdata, int error_code) - static void ibmvscsi_reset_host(struct ibmvscsi_host_data *hostdata) - { - scsi_block_requests(hostdata->host); -- atomic_set(&hostdata->request_limit, 0); -+ ibmvscsi_set_request_limit(hostdata, 0); - - purge_requests(hostdata, DID_ERROR); - hostdata->action = IBMVSCSI_HOST_ACTION_RESET; -@@ -1146,13 +1162,13 @@ static void login_rsp(struct srp_event_struct *evt_struct) - dev_info(hostdata->dev, "SRP_LOGIN_REJ reason %u\n", - evt_struct->xfer_iu->srp.login_rej.reason); - /* Login failed. 
*/ -- atomic_set(&hostdata->request_limit, -1); -+ ibmvscsi_set_request_limit(hostdata, -1); - return; - default: - dev_err(hostdata->dev, "Invalid login response typecode 0x%02x!\n", - evt_struct->xfer_iu->srp.login_rsp.opcode); - /* Login failed. */ -- atomic_set(&hostdata->request_limit, -1); -+ ibmvscsi_set_request_limit(hostdata, -1); - return; - } - -@@ -1163,7 +1179,7 @@ static void login_rsp(struct srp_event_struct *evt_struct) - * This value is set rather than added to request_limit because - * request_limit could have been set to -1 by this client. - */ -- atomic_set(&hostdata->request_limit, -+ ibmvscsi_set_request_limit(hostdata, - be32_to_cpu(evt_struct->xfer_iu->srp.login_rsp.req_lim_delta)); - - /* If we had any pending I/Os, kick them */ -@@ -1195,13 +1211,13 @@ static int send_srp_login(struct ibmvscsi_host_data *hostdata) - login->req_buf_fmt = cpu_to_be16(SRP_BUF_FORMAT_DIRECT | - SRP_BUF_FORMAT_INDIRECT); - -- spin_lock_irqsave(hostdata->host->host_lock, flags); - /* Start out with a request limit of 0, since this is negotiated in - * the login request we are just sending and login requests always - * get sent by the driver regardless of request_limit. 
- */ -- atomic_set(&hostdata->request_limit, 0); -+ ibmvscsi_set_request_limit(hostdata, 0); - -+ spin_lock_irqsave(hostdata->host->host_lock, flags); - rc = ibmvscsi_send_srp_event(evt_struct, hostdata, login_timeout * 2); - spin_unlock_irqrestore(hostdata->host->host_lock, flags); - dev_info(hostdata->dev, "sent SRP login\n"); -@@ -1781,7 +1797,7 @@ static void ibmvscsi_handle_crq(struct viosrp_crq *crq, - return; - case VIOSRP_CRQ_XPORT_EVENT: /* Hypervisor telling us the connection is closed */ - scsi_block_requests(hostdata->host); -- atomic_set(&hostdata->request_limit, 0); -+ ibmvscsi_set_request_limit(hostdata, 0); - if (crq->format == 0x06) { - /* We need to re-setup the interpartition connection */ - dev_info(hostdata->dev, "Re-enabling adapter!\n"); -@@ -2137,12 +2153,12 @@ static void ibmvscsi_do_work(struct ibmvscsi_host_data *hostdata) - } - - hostdata->action = IBMVSCSI_HOST_ACTION_NONE; -+ spin_unlock_irqrestore(hostdata->host->host_lock, flags); - - if (rc) { -- atomic_set(&hostdata->request_limit, -1); -+ ibmvscsi_set_request_limit(hostdata, -1); - dev_err(hostdata->dev, "error after %s\n", action); - } -- spin_unlock_irqrestore(hostdata->host->host_lock, flags); - - scsi_unblock_requests(hostdata->host); - } -@@ -2226,7 +2242,7 @@ static int ibmvscsi_probe(struct vio_dev *vdev, const struct vio_device_id *id) - init_waitqueue_head(&hostdata->work_wait_q); - hostdata->host = host; - hostdata->dev = dev; -- atomic_set(&hostdata->request_limit, -1); -+ ibmvscsi_set_request_limit(hostdata, -1); - hostdata->host->max_sectors = IBMVSCSI_MAX_SECTORS_DEFAULT; - - if (map_persist_bufs(hostdata)) { --- -2.27.0 - diff --git a/queue-5.8/series b/queue-5.8/series deleted file mode 100644 index 31d28fbb21f..00000000000 --- a/queue-5.8/series +++ /dev/null 
@@ -1,26 +0,0 @@ -arm-dts-sun4i-a10-fix-cpu_alert-temperature.patch -arm64-dts-meson-add-missing-g12-rng-clock.patch -x86-kexec-use-up-to-dated-screen_info-copy-to-fill-b.patch -hyperv_fb-update-screen_info-after-removing-old-fram.patch -io_uring-don-t-miss-setting-io_wq_work_concurrent.patch -of-fix-reserved-memory-overlap-detection.patch -arm-dts-mmp3-add-power-domain-for-the-camera.patch -drm-sun4i-frontend-rework-a-bit-the-phase-data.patch -drm-sun4i-frontend-reuse-the-ch0-phase-for-rgb-forma.patch -drm-sun4i-frontend-fix-the-scaler-phase-on-a33.patch -drm-v3d-fix-double-free-in-v3d_submit_cl_ioctl.patch -blk-cgroup-fix-memleak-on-error-path.patch -blk-cgroup-pre-allocate-tree-node-on-blkg_conf_prep.patch -btrfs-add-a-helper-to-read-the-tree_root-commit-root.patch -scsi-core-don-t-start-concurrent-async-scan-on-same-.patch -drm-amdgpu-add-did-for-navi10-blockchain-sku.patch -scsi-ibmvscsi-fix-potential-race-after-loss-of-trans.patch -vsock-use-ns_capable_noaudit-on-socket-create.patch -nvme-rdma-handle-unexpected-nvme-completion-data-len.patch -nvmet-fix-a-null-pointer-dereference-when-tracing-th.patch -drm-vc4-drv-add-error-handding-for-bind.patch -acpi-nfit-fix-comparison-to-enxio.patch -usb-cdns3-gadget-suspicious-implicit-sign-extension.patch -drm-nouveau-nouveau-fix-the-start-end-range-for-migr.patch -drm-nouveau-gem-fix-refcount_t-underflow-use-after-f.patch -arm64-smp-move-rcu_cpu_starting-earlier.patch diff --git a/queue-5.8/usb-cdns3-gadget-suspicious-implicit-sign-extension.patch b/queue-5.8/usb-cdns3-gadget-suspicious-implicit-sign-extension.patch deleted file mode 100644 index 73f7fda71df..00000000000 --- a/queue-5.8/usb-cdns3-gadget-suspicious-implicit-sign-extension.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From e11e375132567f33c0e7b953cd72db2aff5f3e3e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 22 Oct 2020 08:55:03 +0800 -Subject: usb: cdns3: gadget: suspicious implicit sign extension - -From: Peter Chen - -[ Upstream commit 5fca3f062879f8e5214c56f3e3e2be6727900f5d ] - -The code: -trb->length = cpu_to_le32(TRB_BURST_LEN(priv_ep->trb_burst_size) - | TRB_LEN(length)); - -TRB_BURST_LEN(priv_ep->trb_burst_size) may be overflow for int 32 if -priv_ep->trb_burst_size is equal or larger than 0x80; - -Below is the Coverity warning: -sign_extension: Suspicious implicit sign extension: priv_ep->trb_burst_size -with type u8 (8 bits, unsigned) is promoted in priv_ep->trb_burst_size << 24 -to type int (32 bits, signed), then sign-extended to type unsigned long -(64 bits, unsigned). If priv_ep->trb_burst_size << 24 is greater than 0x7FFFFFFF, -the upper bits of the result will all be 1. - -To fix it, it needs to add an explicit cast to unsigned int type for ((p) << 24). - -Reviewed-by: Jun Li -Signed-off-by: Peter Chen -Signed-off-by: Sasha Levin ---- - drivers/usb/cdns3/gadget.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/usb/cdns3/gadget.h b/drivers/usb/cdns3/gadget.h -index 52765b098b9e1..28c4f6aca6891 100644 ---- a/drivers/usb/cdns3/gadget.h -+++ b/drivers/usb/cdns3/gadget.h -@@ -1067,7 +1067,7 @@ struct cdns3_trb { - #define TRB_TDL_SS_SIZE_GET(p) (((p) & GENMASK(23, 17)) >> 17) - - /* transfer_len bitmasks - bits 31:24 */ --#define TRB_BURST_LEN(p) (((p) << 24) & GENMASK(31, 24)) -+#define TRB_BURST_LEN(p) ((unsigned int)((p) << 24) & GENMASK(31, 24)) - #define TRB_BURST_LEN_GET(p) (((p) & GENMASK(31, 24)) >> 24) - - /* Data buffer pointer bitmasks*/ --- -2.27.0 - diff --git a/queue-5.8/vsock-use-ns_capable_noaudit-on-socket-create.patch b/queue-5.8/vsock-use-ns_capable_noaudit-on-socket-create.patch deleted file mode 100644 index 0f9eddd2285..00000000000 
--- a/queue-5.8/vsock-use-ns_capable_noaudit-on-socket-create.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 780a26f9586ae80f9bab4807865041780fe753a5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 23 Oct 2020 16:37:57 +0200 -Subject: vsock: use ns_capable_noaudit() on socket create - -From: Jeff Vander Stoep - -[ Upstream commit af545bb5ee53f5261db631db2ac4cde54038bdaf ] - -During __vsock_create() CAP_NET_ADMIN is used to determine if the -vsock_sock->trusted should be set to true. This value is used later -for determing if a remote connection should be allowed to connect -to a restricted VM. Unfortunately, if the caller doesn't have -CAP_NET_ADMIN, an audit message such as an selinux denial is -generated even if the caller does not want a trusted socket. - -Logging errors on success is confusing. To avoid this, switch the -capable(CAP_NET_ADMIN) check to the noaudit version. - -Reported-by: Roman Kiryanov -https://android-review.googlesource.com/c/device/generic/goldfish/+/1468545/ -Signed-off-by: Jeff Vander Stoep -Reviewed-by: James Morris -Link: https://lore.kernel.org/r/20201023143757.377574-1-jeffv@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/vmw_vsock/af_vsock.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c -index 6cd0df1c5caf6..08c9a43e9049c 100644 ---- a/net/vmw_vsock/af_vsock.c -+++ b/net/vmw_vsock/af_vsock.c -@@ -739,7 +739,7 @@ static struct sock *__vsock_create(struct net *net, - vsk->buffer_min_size = psk->buffer_min_size; - vsk->buffer_max_size = psk->buffer_max_size; - } else { -- vsk->trusted = capable(CAP_NET_ADMIN); -+ vsk->trusted = ns_capable_noaudit(&init_user_ns, CAP_NET_ADMIN); - vsk->owner = get_current_cred(); - vsk->connect_timeout = VSOCK_DEFAULT_CONNECT_TIMEOUT; - vsk->buffer_size = VSOCK_DEFAULT_BUFFER_SIZE; --- -2.27.0 - 
diff --git a/queue-5.8/x86-kexec-use-up-to-dated-screen_info-copy-to-fill-b.patch b/queue-5.8/x86-kexec-use-up-to-dated-screen_info-copy-to-fill-b.patch deleted file mode 100644 index 1008c71404c..00000000000 --- a/queue-5.8/x86-kexec-use-up-to-dated-screen_info-copy-to-fill-b.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From e34edf785169c4df649d06be8ac768a0172bb1eb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 14 Oct 2020 17:24:28 +0800 -Subject: x86/kexec: Use up-to-dated screen_info copy to fill boot params - -From: Kairui Song - -[ Upstream commit afc18069a2cb7ead5f86623a5f3d4ad6e21f940d ] - -kexec_file_load() currently reuses the old boot_params.screen_info, -but if drivers have change the hardware state, boot_param.screen_info -could contain invalid info. - -For example, the video type might be no longer VGA, or the frame buffer -address might be changed. If the kexec kernel keeps using the old screen_info, -kexec'ed kernel may attempt to write to an invalid framebuffer -memory region. - -There are two screen_info instances globally available, boot_params.screen_info -and screen_info. Later one is a copy, and is updated by drivers. - -So let kexec_file_load use the updated copy. - -[ mingo: Tidied up the changelog. ] - -Signed-off-by: Kairui Song -Signed-off-by: Ingo Molnar -Link: https://lore.kernel.org/r/20201014092429.1415040-2-kasong@redhat.com -Signed-off-by: Sasha Levin ---- - arch/x86/kernel/kexec-bzimage64.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c -index db6578d45157e..7d520bada6bfc 100644 ---- a/arch/x86/kernel/kexec-bzimage64.c -+++ b/arch/x86/kernel/kexec-bzimage64.c -@@ -209,8 +209,7 @@ setup_boot_parameters(struct kimage *image, struct boot_params *params, - params->hdr.hardware_subarch = boot_params.hdr.hardware_subarch; - - /* Copying screen_info will do? */ -- memcpy(¶ms->screen_info, &boot_params.screen_info, -- sizeof(struct screen_info)); -+ memcpy(¶ms->screen_info, &screen_info, sizeof(struct screen_info)); - - /* Fill in memsize later */ - params->screen_info.ext_mem_k = 0; --- -2.27.0 -
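Review bot: in the drivers/scsi/scsi_scan.c change to scsi_prep_async_scan(), the err: label now calls mutex_unlock(&shost->scan_mutex) unconditionally, so it is only correct while every goto err sits below the new mutex_lock(). The early return NULL for the "sync" scan type is the one exit above the lock and has to stay a plain return. A one-line comment at err: stating that scan_mutex is held on entry would stop a later goto added above the lock from unlocking a mutex that was never taken. Note also that kmalloc(sizeof(*data), GFP_KERNEL) now runs with scan_mutex held; that is legal for a sleeping lock, but it lengthens the hold time and deserves a sentence in the changelog.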
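Review bot: the kernel-doc for the new ibmvscsi_set_request_limit() in drivers/scsi/ibmvscsi/ibmvscsi.c says the update is done under the host lock, but it does not say that the caller must not already hold hostdata->host->host_lock. The helper takes it with spin_lock_irqsave(), so a caller that holds it would self-deadlock, and the send_srp_login() and ibmvscsi_do_work() hunks both had to move their lock and unlock calls for that reason. Please state the calling context in the comment. The call added in ibmvscsi_probe() runs while hostdata is still being set up; if no command submission can race at that point, say so in the changelog or keep the plain atomic_set() there.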
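Review bot: in the send_srp_login() hunk of drivers/scsi/ibmvscsi/ibmvscsi.c, resetting request_limit to 0 and calling ibmvscsi_send_srp_event() used to sit inside one host_lock critical section; with spin_lock_irqsave() moved below the ibmvscsi_set_request_limit(hostdata, 0) call the lock is dropped and retaken between the two steps. The changelog should explain why nothing can change request_limit in that gap, since the patch exists to close a window of exactly this kind. The ibmvscsi_do_work() hunk has the same shape: hostdata->action is cleared under the lock, and the -1 limit is then written in a second critical section.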
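Review bot: in the drivers/usb/cdns3/gadget.h hunk, the new TRB_BURST_LEN(p) casts the result of the shift, (unsigned int)((p) << 24), so the shift itself is still evaluated in signed int after the u8 operand is promoted. The cast does stop the sign extension to 64 bits that Coverity reported, but for values of 0x80 and above the shift still moves a bit into the sign position of an int. Casting the operand instead, ((unsigned int)(p) << 24), keeps the whole expression unsigned and is the more conventional form. The commit message wording "an explicit cast to unsigned int type for ((p) << 24)" should then be adjusted to match.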
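Review bot: in the net/vmw_vsock/af_vsock.c hunk, the assignment vsk->trusted = ns_capable_noaudit(&init_user_ns, CAP_NET_ADMIN) carries no comment explaining why the non-auditing variant is used. The changelog says vsk->trusted later decides whether a remote connection to a restricted VM is allowed, so this is a security-relevant check, and a reader of the code alone cannot tell that the missing audit record is deliberate. A short comment above the line (the check runs on every socket create, and a failed check is an expected outcome rather than a denial) would prevent a well-meaning change back to capable(). The changelog should also acknowledge that denials are no longer audited for callers that did want a trusted socket.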
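Review bot: in the arch/x86/kernel/kexec-bzimage64.c hunk, the context comment "Copying screen_info will do?" is left above the memcpy() even though the source of the copy changes from boot_params.screen_info to the global screen_info. The reason for that choice, that the global copy is the one drivers keep up to date, is only in the changelog. Replace the question with a comment that says so, since a stale copy here can lead the kexec'ed kernel to write to an invalid framebuffer region.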