From: Sasha Levin Date: Mon, 30 Aug 2021 19:21:28 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.4.283~45 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f1454b3d0b5c72ac7ec508cce5e06e7310e995aa;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/drm-copy-drm_wait_vblank-to-user-before-returning.patch b/queue-4.14/drm-copy-drm_wait_vblank-to-user-before-returning.patch new file mode 100644 index 00000000000..3cd6e9d1dfd --- /dev/null +++ b/queue-4.14/drm-copy-drm_wait_vblank-to-user-before-returning.patch @@ -0,0 +1,70 @@ +From b090921d79bd8220ee7c031c4875ebe2ee7bf162 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 15:49:17 -0400 +Subject: drm: Copy drm_wait_vblank to user before returning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mark Yacoub + +[ Upstream commit fa0b1ef5f7a694f48e00804a391245f3471aa155 ] + +[Why] +Userspace should get back a copy of drm_wait_vblank that's been modified +even when drm_wait_vblank_ioctl returns a failure. + +Rationale: +drm_wait_vblank_ioctl modifies the request and expects the user to read +it back. When the type is RELATIVE, it modifies it to ABSOLUTE and updates +the sequence to become current_vblank_count + sequence (which was +RELATIVE), but now it became ABSOLUTE. +drmWaitVBlank (in libdrm) expects this to be the case as it modifies +the request to be Absolute so it expects the sequence to would have been +updated. + +The change is in compat_drm_wait_vblank, which is called by +drm_compat_ioctl. This change of copying the data back regardless of the +return number makes it en par with drm_ioctl, which always copies the +data before returning. + +[How] +Return from the function after everything has been copied to user. + +Fixes IGT:kms_flip::modeset-vs-vblank-race-interruptible +Tested on ChromeOS Trogdor(msm) + +Reviewed-by: Michel Dänzer +Signed-off-by: Mark Yacoub +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20210812194917.1703356-1-markyacoub@chromium.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_ioc32.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c +index 86105e7f07fc..6773e8f09fc3 100644 +--- a/drivers/gpu/drm/drm_ioc32.c ++++ b/drivers/gpu/drm/drm_ioc32.c +@@ -855,8 +855,6 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd, + req.request.sequence = req32.request.sequence; + req.request.signal = req32.request.signal; + err = drm_ioctl_kernel(file, drm_wait_vblank_ioctl, &req, DRM_UNLOCKED); +- if (err) +- return err; + + req32.reply.type = req.reply.type; + req32.reply.sequence = req.reply.sequence; +@@ -865,7 +863,7 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd, + if (copy_to_user(argp, &req32, sizeof(req32))) + return -EFAULT; + +- return 0; ++ return err; + } + + #if defined(CONFIG_X86) +-- +2.30.2 + diff --git a/queue-4.14/drm-nouveau-disp-power-down-unused-dp-links-during-i.patch b/queue-4.14/drm-nouveau-disp-power-down-unused-dp-links-during-i.patch new file mode 100644 index 00000000000..5539495870a --- /dev/null +++ b/queue-4.14/drm-nouveau-disp-power-down-unused-dp-links-during-i.patch @@ -0,0 +1,81 @@ +From af2e87008a02b954f98472d35b749d87338ffb13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 16:40:48 +1000 +Subject: drm/nouveau/disp: power down unused DP links during init + +From: Ben Skeggs + +[ Upstream commit 6eaa1f3c59a707332e921e32782ffcad49915c5e ] + +When booted with multiple displays attached, the EFI GOP driver on (at +least) Ampere, can leave DP links powered up that aren't being used to +display anything. This confuses our tracking of SOR routing, with the +likely result being a failed modeset and display engine hang. + +Fix this by (ab?)using the DisableLT IED script to power-down the link, +restoring HW to a state the driver expects. + +Signed-off-by: Ben Skeggs +Reviewed-by: Lyude Paul +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.c | 2 +- + drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.h | 1 + + drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c | 9 +++++++++ + 3 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.c +index 5e51a5c1eb01..d11cb1f887f7 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.c +@@ -418,7 +418,7 @@ nvkm_dp_train(struct nvkm_dp *dp, u32 dataKBps) + return ret; + } + +-static void ++void + nvkm_dp_disable(struct nvkm_outp *outp, struct nvkm_ior *ior) + { + struct nvkm_dp *dp = nvkm_dp(outp); +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.h b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.h +index 495f665a0ee6..12d6ff4cfa95 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.h ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.h +@@ -32,6 +32,7 @@ struct nvkm_dp { + + int nvkm_dp_new(struct nvkm_disp *, int index, struct dcb_output *, + struct nvkm_outp **); ++void nvkm_dp_disable(struct nvkm_outp *, struct nvkm_ior *); + + /* DPCD Receiver Capabilities */ + #define DPCD_RC00_DPCD_REV 0x00000 +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c +index bbba77ff9385..81c0f0513c74 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c +@@ -22,6 +22,7 @@ + * Authors: Ben Skeggs + */ + #include "outp.h" ++#include "dp.h" + #include "ior.h" + + #include +@@ -207,6 +208,14 @@ nvkm_outp_init_route(struct nvkm_outp *outp) + if (!ior->arm.head || ior->arm.proto != proto) { + OUTP_DBG(outp, "no heads (%x %d %d)", ior->arm.head, + ior->arm.proto, proto); ++ ++ /* The EFI GOP driver on Ampere can leave unused DP links routed, ++ * which we don't expect. The DisableLT IED script *should* get ++ * us back to where we need to be. ++ */ ++ if (ior->func->route.get && !ior->arm.head && outp->info.type == DCB_OUTPUT_DP) ++ nvkm_dp_disable(outp, ior); ++ + return; + } + +-- +2.30.2 + diff --git a/queue-4.14/net-rds-dma_map_sg-is-entitled-to-merge-entries.patch b/queue-4.14/net-rds-dma_map_sg-is-entitled-to-merge-entries.patch new file mode 100644 index 00000000000..eaf613042e4 --- /dev/null +++ b/queue-4.14/net-rds-dma_map_sg-is-entitled-to-merge-entries.patch @@ -0,0 +1,49 @@ +From d314b08e17af3c35f39475849b6bca66be83983a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Aug 2021 10:04:37 -0700 +Subject: net/rds: dma_map_sg is entitled to merge entries + +From: Gerd Rausch + +[ Upstream commit fb4b1373dcab086d0619c29310f0466a0b2ceb8a ] + +Function "dma_map_sg" is entitled to merge adjacent entries +and return a value smaller than what was passed as "nents". + +Subsequently "ib_map_mr_sg" needs to work with this value ("sg_dma_len") +rather than the original "nents" parameter ("sg_len"). + +This old RDS bug was exposed and reliably causes kernel panics +(using RDMA operations "rds-stress -D") on x86_64 starting with: +commit c588072bba6b ("iommu/vt-d: Convert intel iommu driver to the iommu ops") + +Simply put: Linux 5.11 and later. + +Signed-off-by: Gerd Rausch +Acked-by: Santosh Shilimkar +Link: https://lore.kernel.org/r/60efc69f-1f35-529d-a7ef-da0549cad143@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/rds/ib_frmr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/rds/ib_frmr.c b/net/rds/ib_frmr.c +index d290416e79e9..9fd550d4116c 100644 +--- a/net/rds/ib_frmr.c ++++ b/net/rds/ib_frmr.c +@@ -112,9 +112,9 @@ static int rds_ib_post_reg_frmr(struct rds_ib_mr *ibmr) + cpu_relax(); + } + +- ret = ib_map_mr_sg_zbva(frmr->mr, ibmr->sg, ibmr->sg_len, ++ ret = ib_map_mr_sg_zbva(frmr->mr, ibmr->sg, ibmr->sg_dma_len, + &off, PAGE_SIZE); +- if (unlikely(ret != ibmr->sg_len)) ++ if (unlikely(ret != ibmr->sg_dma_len)) + return ret < 0 ? ret : -EINVAL; + + /* Perform a WR for the fast_reg_mr. Each individual page +-- +2.30.2 + diff --git a/queue-4.14/opp-remove-warn-when-no-valid-opps-remain.patch b/queue-4.14/opp-remove-warn-when-no-valid-opps-remain.patch new file mode 100644 index 00000000000..ee1d8b8f2da --- /dev/null +++ b/queue-4.14/opp-remove-warn-when-no-valid-opps-remain.patch @@ -0,0 +1,41 @@ +From bbabb569efd92caac5b717471db6764ccece0e67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 10:30:56 +0200 +Subject: opp: remove WARN when no valid OPPs remain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michał Mirosław + +[ Upstream commit 335ffab3ef864539e814b9a2903b0ae420c1c067 ] + +This WARN can be triggered per-core and the stack trace is not useful. +Replace it with plain dev_err(). Fix a comment while at it. + +Signed-off-by: Michał Mirosław +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/base/power/opp/of.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/base/power/opp/of.c b/drivers/base/power/opp/of.c +index 87509cb69f79..68ae8e9c1edc 100644 +--- a/drivers/base/power/opp/of.c ++++ b/drivers/base/power/opp/of.c +@@ -402,8 +402,9 @@ static int _of_add_opp_table_v2(struct device *dev, struct device_node *opp_np) + } + } + +- /* There should be one of more OPP defined */ +- if (WARN_ON(!count)) { ++ /* There should be one or more OPPs defined */ ++ if (!count) { ++ dev_err(dev, "%s: no supported OPPs", __func__); + ret = -ENOENT; + goto put_opp_table; + } +-- +2.30.2 + diff --git a/queue-4.14/series b/queue-4.14/series index ee016092f54..345350187b4 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -10,3 +10,9 @@ ip_gre-add-validation-for-csum_start.patch xgene-v2-fix-a-resource-leak-in-the-error-handling-p.patch net-marvell-fix-mvneta_tx_in_prgrs-bit-number.patch usb-gadget-u_audio-fix-race-condition-on-endpoint-st.patch +opp-remove-warn-when-no-valid-opps-remain.patch +virtio-improve-vq-broken-access-to-avoid-any-compile.patch +vringh-use-wiov-used-to-check-for-read-write-desc-or.patch +drm-copy-drm_wait_vblank-to-user-before-returning.patch +drm-nouveau-disp-power-down-unused-dp-links-during-i.patch +net-rds-dma_map_sg-is-entitled-to-merge-entries.patch diff --git a/queue-4.14/virtio-improve-vq-broken-access-to-avoid-any-compile.patch b/queue-4.14/virtio-improve-vq-broken-access-to-avoid-any-compile.patch new file mode 100644 index 00000000000..3ed7fe0502c --- /dev/null +++ b/queue-4.14/virtio-improve-vq-broken-access-to-avoid-any-compile.patch @@ -0,0 +1,58 @@ +From 043b56a823ea2f2e1f017cae04c82990039d19ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 17:26:45 +0300 +Subject: virtio: Improve vq->broken access to avoid any compiler optimization + +From: Parav Pandit + +[ Upstream commit 60f0779862e4ab943810187752c462e85f5fa371 ] + +Currently vq->broken field is read by virtqueue_is_broken() in busy +loop in one context by virtnet_send_command(). + +vq->broken is set to true in other process context by +virtio_break_device(). Reader and writer are accessing it without any +synchronization. This may lead to a compiler optimization which may +result to optimize reading vq->broken only once. + +Hence, force reading vq->broken on each invocation of +virtqueue_is_broken() and also force writing it so that such +update is visible to the readers. + +It is a theoretical fix that isn't yet encountered in the field. + +Signed-off-by: Parav Pandit +Link: https://lore.kernel.org/r/20210721142648.1525924-2-parav@nvidia.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/virtio/virtio_ring.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c +index 51278f8bd3ab..22a4329ed200 100644 +--- a/drivers/virtio/virtio_ring.c ++++ b/drivers/virtio/virtio_ring.c +@@ -1198,7 +1198,7 @@ bool virtqueue_is_broken(struct virtqueue *_vq) + { + struct vring_virtqueue *vq = to_vvq(_vq); + +- return vq->broken; ++ return READ_ONCE(vq->broken); + } + EXPORT_SYMBOL_GPL(virtqueue_is_broken); + +@@ -1212,7 +1212,9 @@ void virtio_break_device(struct virtio_device *dev) + + list_for_each_entry(_vq, &dev->vqs, list) { + struct vring_virtqueue *vq = to_vvq(_vq); +- vq->broken = true; ++ ++ /* Pairs with READ_ONCE() in virtqueue_is_broken(). */ ++ WRITE_ONCE(vq->broken, true); + } + } + EXPORT_SYMBOL_GPL(virtio_break_device); +-- +2.30.2 + diff --git a/queue-4.14/vringh-use-wiov-used-to-check-for-read-write-desc-or.patch b/queue-4.14/vringh-use-wiov-used-to-check-for-read-write-desc-or.patch new file mode 100644 index 00000000000..051a04e651c --- /dev/null +++ b/queue-4.14/vringh-use-wiov-used-to-check-for-read-write-desc-or.patch @@ -0,0 +1,50 @@ +From be437db1747680d7105ed7bd986084178cfd3c58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jun 2021 08:55:02 +0530 +Subject: vringh: Use wiov->used to check for read/write desc order + +From: Neeraj Upadhyay + +[ Upstream commit e74cfa91f42c50f7f649b0eca46aa049754ccdbd ] + +As __vringh_iov() traverses a descriptor chain, it populates +each descriptor entry into either read or write vring iov +and increments that iov's ->used member. So, as we iterate +over a descriptor chain, at any point, (riov/wriov)->used +value gives the number of descriptor enteries available, +which are to be read or written by the device. As all read +iovs must precede the write iovs, wiov->used should be zero +when we are traversing a read descriptor. Current code checks +for wiov->i, to figure out whether any previous entry in the +current descriptor chain was a write descriptor. However, +iov->i is only incremented, when these vring iovs are consumed, +at a later point, and remain 0 in __vringh_iov(). So, correct +the check for read and write descriptor order, to use +wiov->used. + +Acked-by: Jason Wang +Reviewed-by: Stefano Garzarella +Signed-off-by: Neeraj Upadhyay +Link: https://lore.kernel.org/r/1624591502-4827-1-git-send-email-neeraju@codeaurora.org +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vhost/vringh.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c +index 1e2e01270be9..c23045aa9873 100644 +--- a/drivers/vhost/vringh.c ++++ b/drivers/vhost/vringh.c +@@ -330,7 +330,7 @@ __vringh_iov(struct vringh *vrh, u16 i, + iov = wiov; + else { + iov = riov; +- if (unlikely(wiov && wiov->i)) { ++ if (unlikely(wiov && wiov->used)) { + vringh_bad("Readable desc %p after writable", + &descs[i]); + err = -EINVAL; +-- +2.30.2 +