From 1854edb4aa3ea3a16c49f9a22f1237fe2acc22a6 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 2 Nov 2020 00:20:05 -0500 Subject: [PATCH] Fixes for 5.8 Signed-off-by: Sasha Levin --- ...bounds-and-numa_off-protections-to-p.patch | 42 +++ ...ndling-of-changes-from-acpi-6.2-to-a.patch | 44 +++ ...dirty-range-encoding-in-page-private.patch | 90 ++++++ ...assert-on-unpurgeable-server-records.patch | 62 ++++ ...-use-after-free-in-afs_xattr_get_acl.patch | 36 +++ ...under_page-to-not-clear-pg_writeback.patch | 84 +++++ ...gion-encoding-on-ppc32-with-64k-page.patch | 108 +++++++ ...page-leak-on-afs_write_begin-failure.patch | 80 +++++ ...e-ref-on-page-when-pg_private-is-set.patch | 170 ++++++++++ ...ere-page-private-is-set-during-write.patch | 93 ++++++ ...ivate-manipulations-in-inline-functi.patch | 201 ++++++++++++ ...ix-the-errors-detected-by-dtbs_check.patch | 95 ++++++ ...eakpoint-handle-inexact-watchpoint-a.patch | 188 +++++++++++ ...ts-omap4-fix-sgx-clock-rate-for-4430.patch | 70 +++++ ...align-spi-gpio-node-name-with-dtsche.patch | 38 +++ ...10-move-fixed-clocks-under-root-node.patch | 85 +++++ ...move-pmu-node-out-of-clock-controlle.patch | 57 ++++ ...remove-dedicated-audio-subsystem-nod.patch | 106 +++++++ ...remove-dma-controller-bus-node-name-.patch | 87 ++++++ ...s-ulcb-add-full-pwr-cycle-in-suspend.patch | 36 +++ ...se-efi-pe-coff-header-padding-to-64-.patch | 45 +++ ...cpu_all_mask-when-node-is-numa_no_no.patch | 61 ++++ ...top-using-mpidr-for-topology-informa.patch | 138 +++++++++ ...-fix-config_generic_iomap-pci_iounma.patch | 114 +++++++ ...untime-pm-issue-in-sof-when-hdmi-cod.patch | 55 ++++ ...sata_nv-fix-retrieving-of-active-qcs.patch | 43 +++ ...retry-packets-update-in-station-dump.patch | 75 +++++ ...nss-calculation-when-stbc-is-enabled.patch | 58 ++++ ...overy-process-when-payload-length-ex.patch | 85 +++++ ...-disable-softirqs-for-ath11k_regd_up.patch | 137 ++++++++ ...arning-caused-by-lockdep_assert_held.patch | 77 +++++ ...tomic-instead-of-gfp_kernel-in-ath11.patch | 82 +++++ ...nly-dispatched-requests-for-inflight.patch | 53 ++++ ...log-unknown-link-speed-appropriately.patch | 51 +++ ...tr-arithmetic-with-opcode-add-and-of.patch | 119 +++++++ ...ning-message-after-dongle-setup-fail.patch | 76 +++++ ...ac-increase-f2-watermark-for-bcm4329.patch | 40 +++ .../btrfs-fix-replace-of-seed-device.patch | 115 +++++++ ...t-rely-on-caller-to-provide-non-null.patch | 43 +++ ...rt-suspends-due-to-outgoing-pending-.patch | 51 +++ ...xcan-disable-clocks-during-stop-mode.patch | 85 +++++ ...es-parent-d_name-in-cap-reconnect-me.patch | 188 +++++++++++ .../cifs-handle-eintr-in-cifs_setattr.patch | 57 ++++ ...ockdomain-fix-static-checker-warning.patch | 40 +++ ...ysfs-functional-on-topologies-with-p.patch | 143 +++++++++ ...freq-sti-cpufreq-add-stih418-support.patch | 46 +++ ...rrectly-handle-result-of-arm_cpuidle.patch | 135 ++++++++ ...hdlc_fr-correctly-handle-special-skb.patch | 188 +++++++++++ ...-rdc321x_wdt-fix-race-condition-bugs.patch | 62 ++++ ...-avoid-set-zero-in-the-requested-clk.patch | 55 ++++ ...amd-display-check-clock-table-return.patch | 60 ++++ ...hdmi-remote-sink-need-mode-validatio.patch | 49 +++ ...dgpu-no-sysfs-not-an-error-condition.patch | 43 +++ ...re-ras-flags-when-user-resets-eeprom.patch | 52 ++++ ...sys-dsi-add-support-for-non-continuo.patch | 67 ++++ ...ctor-set-default-status-connected-fo.patch | 41 +++ ...ips-add-checking-if-ge_b850v3_lvds_i.patch | 60 ++++ ...ommon-struct-sg_table-related-issues.patch | 72 +++++ ...ommon-struct-sg_table-related-issues.patch | 95 ++++++ ...-common-struct-sg_table-related-issu.patch | 85 +++++ ...cheduler-scheduler-priority-fixes-v2.patch | 199 ++++++++++++ ...warning-in-vkms_get_vblank_timestamp.patch | 78 +++++ ...detect-already-used-quota-file-early.patch | 48 +++ ...2fs-add-trace-exit-in-exception-path.patch | 40 +++ ...oper-size-memory-for-zstd-decompress.patch | 86 +++++ ...x-to-disallow-enabling-compress-on-n.patch | 37 +++ ...ity-check-on-zoned-block-device-path.patch | 62 ++++ ...k-segment-boundary-during-sit-page-r.patch | 60 ++++ ...sbi_need_fsck-flag-for-inconsistent-.patch | 51 +++ ...f2fs-fix-uninit-value-in-f2fs_lookup.patch | 81 +++++ ...-errors-of-f2fs_get_meta_page_nofail.patch | 131 ++++++++ ...i-add-missing-rx-size-re-initialisat.patch | 124 ++++++++ ...i-expand-smc-hvc-message-pool-to-mor.patch | 44 +++ ...irmware-arm_scmi-fix-arch_cold_reset.patch | 39 +++ ...i-move-scmi-bus-init-and-exit-calls-.patch | 98 ++++++ ...incorrect-should_fail_futex-handling.patch | 49 +++ ...dation-checks-for-size-of-superblock.patch | 62 ++++ ...te_inode_pages_final-for-address-spa.patch | 42 +++ ...ointer-dereference-in-gfs2_rgrp_dump.patch | 127 ++++++++ ...e-after-free-in-sysfs-deregistration.patch | 189 +++++++++++ ...e-security-from-arb_mst_quiet-regist.patch | 208 +++++++++++++ .../handle-status_io_timeout-gracefully.patch | 153 +++++++++ ...-generic-kretprobe-trampoline-handle.patch | 120 +++++++ ...m-sdm845-enable-keepalive-for-the-mm.patch | 52 ++++ ...con-work-properly-with-kgdb_earlycon.patch | 70 +++++ ...v-do-not-allocate-hpt-for-a-nested-g.patch | 101 ++++++ ...sing-queue-hash-initialization-to-80.patch | 39 +++ ...map_get_counter-returns-wrong-blocks.patch | 53 ++++ ...a-imx274-fix-frame-interval-handling.patch | 54 ++++ ...mprove-queue-set-up-flow-for-bug-fix.patch | 41 +++ ...ck-status-of-tw5864_frameinterval_ge.patch | 63 ++++ ...ix-dereference-of-out-of-bound-list-.patch | 75 +++++ ...h-rgb-bt2020-and-hsv-are-always-full.patch | 117 +++++++ ...-remove-bogus-debugfs-error-handling.patch | 75 +++++ ...-common-struct-sg_table-related-issu.patch | 65 ++++ ...se-after-free-in-mlxsw_emad_trans_fi.patch | 166 ++++++++++ ...vate_mm-vs-tlb-shootdown-and-lazy-tl.patch | 116 +++++++ .../mmc-via-sdmmc-fix-data-race-bug.patch | 48 +++ ...fig-put-is-called-before-the-notifyi.patch | 43 +++ ...e-sun_server.sun_path-to-have-addr-s.patch | 45 +++ ...5-add-missing-crypto_hash-dependency.patch | 37 +++ ...en-copy_file_range-is-attempted-with.patch | 62 ++++ ...gation-related-tracepoints-to-make-t.patch | 76 +++++ ...rdma-fix-crash-when-connect-rejected.patch | 47 +++ ...ntx2-af-fix-ld-custom-ltype-aliasing.patch | 51 +++ ...acpi-add-ampere-altra-soc-mcfg-quirk.patch | 87 ++++++ ...7xxx-report-not-charging-on-all-type.patch | 55 ++++ ...t_power-add-missing-newlines-when-pr.patch | 84 +++++ ...le-isa-v3.1-local-copy-paste-context.patch | 100 ++++++ ...powernv-smp-fix-spurious-dbg-warning.patch | 55 ++++ ...elect-arch_want_irqs_off_activate_mm.patch | 50 +++ ...nt-ptrace-fix-sethwdebug-when-config.patch | 45 +++ ...reduce-log_buf_shift-range-for-h8300.patch | 42 +++ ...-how-failing-destroy-is-handled-duri.patch | 96 ++++++ ...vlink-deadlock-on-net-namespace-dele.patch | 126 ++++++++ ...dma-qedr-fix-memory-leak-in-iwarp-cm.patch | 37 +++ ...-at_vector_size_arch-for-arch_dlinfo.patch | 38 +++ ...ink-use-complete_all-for-open-states.patch | 57 ++++ ...tartup-avoid-save_area_sync-overflow.patch | 62 ++++ ...bpf-fix-possible-deadlock-in-xdpsock.patch | 41 +++ ...up-allocation-and-freeing-of-sgtable.patch | 265 ++++++++++++++++ ...fine-string-const-as-global-for-test.patch | 57 ++++ ...-x86-fsgsbase-reap-a-forgotten-child.patch | 36 +++ ...policycaps-with-read_once-write_once.patch | 99 ++++++ queue-5.8/series | 149 +++++++++ .../sgl_alloc_order-fix-memory-leak.patch | 42 +++ ...c-sleep-waiting-for-tcs-slots-to-be-.patch | 293 ++++++++++++++++++ ...m_cpumask-clearing-to-fix-kthread_us.patch | 179 +++++++++++ ...tigate-cond_resched-in-xprt_transmit.patch | 55 ++++ ...skip-ree-kernel-login-method-as-well.patch | 38 +++ ...c-events-replace-buggy-strcat-with-s.patch | 125 ++++++++ ...-uio-id-after-uio-file-node-is-freed.patch | 85 +++++ .../um-change-sigio_spinlock-to-a-mutex.patch | 78 +++++ queue-5.8/usb-adutux-fix-debugging.patch | 35 +++ ...-not-queue-work-if-dr_mode-is-not-us.patch | 89 ++++++ ...gra-fix-error-handling-in-tegra_ehci.patch | 42 +++ ...uring-pr_swap-source-caps-should-be-.patch | 80 +++++ ...plicate-actions-when-suspending-a-ru.patch | 58 ++++ ...eo-fbdev-pvr2fb-initialize-variables.patch | 49 +++ ...don-t-call-text_poke-in-lazy-tlb-mod.patch | 60 ++++ ...lize-mem_limit-to-the-real-maximum-a.patch | 158 ++++++++++ ...ix-inactive-tasks-with-stack-pointer.patch | 145 +++++++++ ...ommon-struct-sg_table-related-issues.patch | 80 +++++ ...-buffer-overrun-due-to-crafted-h_len.patch | 119 +++++++ ...rder-in-which-child-and-parent-defer.patch | 218 +++++++++++++ ...t-blocks-when-we-re-doing-a-remap-bu.patch | 63 ++++ ...-bitmap-summary-file-truncation-when.patch | 70 +++++ ...nt-items-created-as-part-of-finishin.patch | 134 ++++++++ ...s-b_ops-member-when-zeroing-bitmap-s.patch | 90 ++++++ ...type-flag-when-growing-summary-bitma.patch | 85 +++++ 150 files changed, 12588 insertions(+) create mode 100644 queue-5.8/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch create mode 100644 queue-5.8/acpi-hmat-fix-handling-of-changes-from-acpi-6.2-to-a.patch create mode 100644 queue-5.8/afs-alter-dirty-range-encoding-in-page-private.patch create mode 100644 queue-5.8/afs-don-t-assert-on-unpurgeable-server-records.patch create mode 100644 queue-5.8/afs-fix-a-use-after-free-in-afs_xattr_get_acl.patch create mode 100644 queue-5.8/afs-fix-afs_launder_page-to-not-clear-pg_writeback.patch create mode 100644 queue-5.8/afs-fix-dirty-region-encoding-on-ppc32-with-64k-page.patch create mode 100644 queue-5.8/afs-fix-page-leak-on-afs_write_begin-failure.patch create mode 100644 queue-5.8/afs-fix-to-take-ref-on-page-when-pg_private-is-set.patch create mode 100644 queue-5.8/afs-fix-where-page-private-is-set-during-write.patch create mode 100644 queue-5.8/afs-wrap-page-private-manipulations-in-inline-functi.patch create mode 100644 queue-5.8/arc-dts-fix-the-errors-detected-by-dtbs_check.patch create mode 100644 queue-5.8/arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch create mode 100644 queue-5.8/arm-dts-omap4-fix-sgx-clock-rate-for-4430.patch create mode 100644 queue-5.8/arm-dts-s5pv210-align-spi-gpio-node-name-with-dtsche.patch create mode 100644 queue-5.8/arm-dts-s5pv210-move-fixed-clocks-under-root-node.patch create mode 100644 queue-5.8/arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch create mode 100644 queue-5.8/arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch create mode 100644 queue-5.8/arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch create mode 100644 queue-5.8/arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch create mode 100644 queue-5.8/arm64-efi-increase-efi-pe-coff-header-padding-to-64-.patch create mode 100644 queue-5.8/arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch create mode 100644 queue-5.8/arm64-topology-stop-using-mpidr-for-topology-informa.patch create mode 100644 queue-5.8/asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch create mode 100644 queue-5.8/asoc-sof-fix-a-runtime-pm-issue-in-sof-when-hdmi-cod.patch create mode 100644 queue-5.8/ata-sata_nv-fix-retrieving-of-active-qcs.patch create mode 100644 queue-5.8/ath10k-fix-retry-packets-update-in-station-dump.patch create mode 100644 queue-5.8/ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch create mode 100644 queue-5.8/ath10k-start-recovery-process-when-payload-length-ex.patch create mode 100644 queue-5.8/ath11k-change-to-disable-softirqs-for-ath11k_regd_up.patch create mode 100644 queue-5.8/ath11k-fix-warning-caused-by-lockdep_assert_held.patch create mode 100644 queue-5.8/ath11k-use-gfp_atomic-instead-of-gfp_kernel-in-ath11.patch create mode 100644 queue-5.8/block-consider-only-dispatched-requests-for-inflight.patch create mode 100644 queue-5.8/bnxt_en-log-unknown-link-speed-appropriately.patch create mode 100644 queue-5.8/bpf-permit-map_ptr-arithmetic-with-opcode-add-and-of.patch create mode 100644 queue-5.8/brcmfmac-fix-warning-message-after-dongle-setup-fail.patch create mode 100644 queue-5.8/brcmfmac-increase-f2-watermark-for-bcm4329.patch create mode 100644 queue-5.8/btrfs-fix-replace-of-seed-device.patch create mode 100644 queue-5.8/bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch create mode 100644 queue-5.8/bus-mhi-core-abort-suspends-due-to-outgoing-pending-.patch create mode 100644 queue-5.8/can-flexcan-disable-clocks-during-stop-mode.patch create mode 100644 queue-5.8/ceph-encode-inodes-parent-d_name-in-cap-reconnect-me.patch create mode 100644 queue-5.8/cifs-handle-eintr-in-cifs_setattr.patch create mode 100644 queue-5.8/clk-ti-clockdomain-fix-static-checker-warning.patch create mode 100644 queue-5.8/coresight-make-sysfs-functional-on-topologies-with-p.patch create mode 100644 queue-5.8/cpufreq-sti-cpufreq-add-stih418-support.patch create mode 100644 queue-5.8/cpuidle-tegra-correctly-handle-result-of-arm_cpuidle.patch create mode 100644 queue-5.8/drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch create mode 100644 queue-5.8/drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch create mode 100644 queue-5.8/drm-amd-display-avoid-set-zero-in-the-requested-clk.patch create mode 100644 queue-5.8/drm-amd-display-check-clock-table-return.patch create mode 100644 queue-5.8/drm-amd-display-hdmi-remote-sink-need-mode-validatio.patch create mode 100644 queue-5.8/drm-amdgpu-no-sysfs-not-an-error-condition.patch create mode 100644 queue-5.8/drm-amdgpu-restore-ras-flags-when-user-resets-eeprom.patch create mode 100644 queue-5.8/drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch create mode 100644 queue-5.8/drm-bridge_connector-set-default-status-connected-fo.patch create mode 100644 queue-5.8/drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch create mode 100644 queue-5.8/drm-exynos-fix-common-struct-sg_table-related-issues.patch create mode 100644 queue-5.8/drm-lima-fix-common-struct-sg_table-related-issues.patch create mode 100644 queue-5.8/drm-panfrost-fix-common-struct-sg_table-related-issu.patch create mode 100644 queue-5.8/drm-scheduler-scheduler-priority-fixes-v2.patch create mode 100644 queue-5.8/drm-vkms-avoid-warning-in-vkms_get_vblank_timestamp.patch create mode 100644 queue-5.8/ext4-detect-already-used-quota-file-early.patch create mode 100644 queue-5.8/f2fs-add-trace-exit-in-exception-path.patch create mode 100644 queue-5.8/f2fs-allocate-proper-size-memory-for-zstd-decompress.patch create mode 100644 queue-5.8/f2fs-compress-fix-to-disallow-enabling-compress-on-n.patch create mode 100644 queue-5.8/f2fs-do-sanity-check-on-zoned-block-device-path.patch create mode 100644 queue-5.8/f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch create mode 100644 queue-5.8/f2fs-fix-to-set-sbi_need_fsck-flag-for-inconsistent-.patch create mode 100644 queue-5.8/f2fs-fix-uninit-value-in-f2fs_lookup.patch create mode 100644 queue-5.8/f2fs-handle-errors-of-f2fs_get_meta_page_nofail.patch create mode 100644 queue-5.8/firmware-arm_scmi-add-missing-rx-size-re-initialisat.patch create mode 100644 queue-5.8/firmware-arm_scmi-expand-smc-hvc-message-pool-to-mor.patch create mode 100644 queue-5.8/firmware-arm_scmi-fix-arch_cold_reset.patch create mode 100644 queue-5.8/firmware-arm_scmi-move-scmi-bus-init-and-exit-calls-.patch create mode 100644 queue-5.8/futex-fix-incorrect-should_fail_futex-handling.patch create mode 100644 queue-5.8/gfs2-add-validation-checks-for-size-of-superblock.patch create mode 100644 queue-5.8/gfs2-call-truncate_inode_pages_final-for-address-spa.patch create mode 100644 queue-5.8/gfs2-fix-null-pointer-dereference-in-gfs2_rgrp_dump.patch create mode 100644 queue-5.8/gfs2-use-after-free-in-sysfs-deregistration.patch create mode 100644 queue-5.8/habanalabs-remove-security-from-arb_mst_quiet-regist.patch create mode 100644 queue-5.8/handle-status_io_timeout-gracefully.patch create mode 100644 queue-5.8/ia64-kprobes-use-generic-kretprobe-trampoline-handle.patch create mode 100644 queue-5.8/interconnect-qcom-sdm845-enable-keepalive-for-the-mm.patch create mode 100644 queue-5.8/kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch create mode 100644 queue-5.8/kvm-ppc-book3s-hv-do-not-allocate-hpt-for-a-nested-g.patch create mode 100644 queue-5.8/mac80211-add-missing-queue-hash-initialization-to-80.patch create mode 100644 queue-5.8/md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch create mode 100644 queue-5.8/media-imx274-fix-frame-interval-handling.patch create mode 100644 queue-5.8/media-platform-improve-queue-set-up-flow-for-bug-fix.patch create mode 100644 queue-5.8/media-tw5864-check-status-of-tw5864_frameinterval_ge.patch create mode 100644 queue-5.8/media-uvcvideo-fix-dereference-of-out-of-bound-list-.patch create mode 100644 queue-5.8/media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch create mode 100644 queue-5.8/memory-emif-remove-bogus-debugfs-error-handling.patch create mode 100644 queue-5.8/misc-fastrpc-fix-common-struct-sg_table-related-issu.patch create mode 100644 queue-5.8/mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch create mode 100644 queue-5.8/mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tl.patch create mode 100644 queue-5.8/mmc-via-sdmmc-fix-data-race-bug.patch create mode 100644 queue-5.8/nbd-make-the-config-put-is-called-before-the-notifyi.patch create mode 100644 queue-5.8/net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch create mode 100644 queue-5.8/nfc-s3fwrn5-add-missing-crypto_hash-dependency.patch create mode 100644 queue-5.8/nfs4-fix-oops-when-copy_file_range-is-attempted-with.patch create mode 100644 queue-5.8/nfsd-rename-delegation-related-tracepoints-to-make-t.patch create mode 100644 queue-5.8/nvme-rdma-fix-crash-when-connect-rejected.patch create mode 100644 queue-5.8/octeontx2-af-fix-ld-custom-ltype-aliasing.patch create mode 100644 queue-5.8/pci-acpi-add-ampere-altra-soc-mcfg-quirk.patch create mode 100644 queue-5.8/power-supply-bq27xxx-report-not-charging-on-all-type.patch create mode 100644 queue-5.8/power-supply-test_power-add-missing-newlines-when-pr.patch create mode 100644 queue-5.8/powerpc-64s-handle-isa-v3.1-local-copy-paste-context.patch create mode 100644 queue-5.8/powerpc-powernv-smp-fix-spurious-dbg-warning.patch create mode 100644 queue-5.8/powerpc-select-arch_want_irqs_off_activate_mm.patch create mode 100644 queue-5.8/powerpc-watchpoint-ptrace-fix-sethwdebug-when-config.patch create mode 100644 queue-5.8/printk-reduce-log_buf_shift-range-for-h8300.patch create mode 100644 queue-5.8/rdma-core-change-how-failing-destroy-is-handled-duri.patch create mode 100644 queue-5.8/rdma-mlx5-fix-devlink-deadlock-on-net-namespace-dele.patch create mode 100644 queue-5.8/rdma-qedr-fix-memory-leak-in-iwarp-cm.patch create mode 100644 queue-5.8/riscv-define-at_vector_size_arch-for-arch_dlinfo.patch create mode 100644 queue-5.8/rpmsg-glink-use-complete_all-for-open-states.patch create mode 100644 queue-5.8/s390-startup-avoid-save_area_sync-overflow.patch create mode 100644 queue-5.8/samples-bpf-fix-possible-deadlock-in-xdpsock.patch create mode 100644 queue-5.8/scsi-core-clean-up-allocation-and-freeing-of-sgtable.patch create mode 100644 queue-5.8/selftests-bpf-define-string-const-as-global-for-test.patch create mode 100644 queue-5.8/selftests-x86-fsgsbase-reap-a-forgotten-child.patch create mode 100644 queue-5.8/selinux-access-policycaps-with-read_once-write_once.patch create mode 100644 queue-5.8/series create mode 100644 queue-5.8/sgl_alloc_order-fix-memory-leak.patch create mode 100644 queue-5.8/soc-qcom-rpmh-rsc-sleep-waiting-for-tcs-slots-to-be-.patch create mode 100644 queue-5.8/sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch create mode 100644 queue-5.8/sunrpc-mitigate-cond_resched-in-xprt_transmit.patch create mode 100644 queue-5.8/tee-client-uuid-skip-ree-kernel-login-method-as-well.patch create mode 100644 queue-5.8/tracing-synthetic-events-replace-buggy-strcat-with-s.patch create mode 100644 queue-5.8/uio-free-uio-id-after-uio-file-node-is-freed.patch create mode 100644 queue-5.8/um-change-sigio_spinlock-to-a-mutex.patch create mode 100644 queue-5.8/usb-adutux-fix-debugging.patch create mode 100644 queue-5.8/usb-dwc3-core-do-not-queue-work-if-dr_mode-is-not-us.patch create mode 100644 queue-5.8/usb-host-ehci-tegra-fix-error-handling-in-tegra_ehci.patch create mode 100644 queue-5.8/usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch create mode 100644 queue-5.8/usb-xhci-omit-duplicate-actions-when-suspending-a-ru.patch create mode 100644 queue-5.8/video-fbdev-pvr2fb-initialize-variables.patch create mode 100644 queue-5.8/x86-alternative-don-t-call-text_poke-in-lazy-tlb-mod.patch create mode 100644 queue-5.8/x86-kaslr-initialize-mem_limit-to-the-real-maximum-a.patch create mode 100644 queue-5.8/x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch create mode 100644 queue-5.8/xen-gntdev-fix-common-struct-sg_table-related-issues.patch create mode 100644 queue-5.8/xfs-avoid-lr-buffer-overrun-due-to-crafted-h_len.patch create mode 100644 queue-5.8/xfs-change-the-order-in-which-child-and-parent-defer.patch create mode 100644 queue-5.8/xfs-don-t-free-rt-blocks-when-we-re-doing-a-remap-bu.patch create mode 100644 queue-5.8/xfs-fix-realtime-bitmap-summary-file-truncation-when.patch create mode 100644 queue-5.8/xfs-log-new-intent-items-created-as-part-of-finishin.patch create mode 100644 queue-5.8/xfs-set-xfs_buf-s-b_ops-member-when-zeroing-bitmap-s.patch create mode 100644 queue-5.8/xfs-set-xfs_buf-type-flag-when-growing-summary-bitma.patch diff --git a/queue-5.8/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch b/queue-5.8/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch new file mode 100644 index 00000000000..cb85f7cc482 --- /dev/null +++ b/queue-5.8/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch @@ -0,0 +1,42 @@ +From 74eb4f2db353c736e1db84310e3ad7f35a8dfcec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 22:24:25 +0800 +Subject: ACPI: Add out of bounds and numa_off protections to pxm_to_node() + +From: Jonathan Cameron + +[ Upstream commit 8a3decac087aa897df5af04358c2089e52e70ac4 ] + +The function should check the validity of the pxm value before using +it to index the pxm_to_node_map[] array. + +Whilst hardening this code may be good in general, the main intent +here is to enable following patches that use this function to replace +acpi_map_pxm_to_node() for non SRAT usecases which should return +NO_NUMA_NODE for PXM entries not matching with those in SRAT. + +Signed-off-by: Jonathan Cameron +Reviewed-by: Barry Song +Reviewed-by: Hanjun Guo +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/srat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/numa/srat.c b/drivers/acpi/numa/srat.c +index 5be5a977da1bf..8ef44ee0d76bd 100644 +--- a/drivers/acpi/numa/srat.c ++++ b/drivers/acpi/numa/srat.c +@@ -31,7 +31,7 @@ int acpi_numa __initdata; + + int pxm_to_node(int pxm) + { +- if (pxm < 0) ++ if (pxm < 0 || pxm >= MAX_PXM_DOMAINS || numa_off) + return NUMA_NO_NODE; + return pxm_to_node_map[pxm]; + } +-- +2.27.0 + diff --git a/queue-5.8/acpi-hmat-fix-handling-of-changes-from-acpi-6.2-to-a.patch b/queue-5.8/acpi-hmat-fix-handling-of-changes-from-acpi-6.2-to-a.patch new file mode 100644 index 00000000000..466e1f13a2e --- /dev/null +++ b/queue-5.8/acpi-hmat-fix-handling-of-changes-from-acpi-6.2-to-a.patch @@ -0,0 +1,44 @@ +From da113f5562eeffb6f455b588f03046757ba289a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Sep 2020 22:05:45 +0800 +Subject: ACPI: HMAT: Fix handling of changes from ACPI 6.2 to ACPI 6.3 + +From: Jonathan Cameron + +[ Upstream commit 2c5b9bde95c96942f2873cea6ef383c02800e4a8 ] + +In ACPI 6.3, the Memory Proximity Domain Attributes Structure +changed substantially. One of those changes was that the flag +for "Memory Proximity Domain field is valid" was deprecated. + +This was because the field "Proximity Domain for the Memory" +became a required field and hence having a validity flag makes +no sense. + +So the correct logic is to always assume the field is there. +Current code assumes it never is. + +Signed-off-by: Jonathan Cameron +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/hmat.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index 2c32cfb723701..6a91a55229aee 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -424,7 +424,8 @@ static int __init hmat_parse_proximity_domain(union acpi_subtable_headers *heade + pr_info("HMAT: Memory Flags:%04x Processor Domain:%u Memory Domain:%u\n", + p->flags, p->processor_PD, p->memory_PD); + +- if (p->flags & ACPI_HMAT_MEMORY_PD_VALID && hmat_revision == 1) { ++ if ((hmat_revision == 1 && p->flags & ACPI_HMAT_MEMORY_PD_VALID) || ++ hmat_revision > 1) { + target = find_mem_target(p->memory_PD); + if (!target) { + pr_debug("HMAT: Memory Domain missing from SRAT\n"); +-- +2.27.0 + diff --git a/queue-5.8/afs-alter-dirty-range-encoding-in-page-private.patch b/queue-5.8/afs-alter-dirty-range-encoding-in-page-private.patch new file mode 100644 index 00000000000..73066ec2b19 --- /dev/null +++ b/queue-5.8/afs-alter-dirty-range-encoding-in-page-private.patch @@ -0,0 +1,90 @@ +From 315973cf58d6093efef3cc89301c777891c0c27c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Oct 2020 13:57:44 +0000 +Subject: afs: Alter dirty range encoding in page->private + +From: David Howells + +[ Upstream commit 65dd2d6072d393a3aa14ded8afa9a12f27d9c8ad ] + +Currently, page->private on an afs page is used to store the range of +dirtied data within the page, where the range includes the lower bound, but +excludes the upper bound (e.g. 0-1 is a range covering a single byte). + +This, however, requires a superfluous bit for the last-byte bound so that +on a 4KiB page, it can say 0-4096 to indicate the whole page, the idea +being that having both numbers the same would indicate an empty range. +This is unnecessary as the PG_private bit is clear if it's an empty range +(as is PG_dirty). + +Alter the way the dirty range is encoded in page->private such that the +upper bound is reduced by 1 (e.g. 0-0 is then specified the same single +byte range mentioned above). + +Applying this to both bounds frees up two bits, one of which can be used in +a future commit. + +This allows the afs filesystem to be compiled on ppc32 with 64K pages; +without this, the following warnings are seen: + +../fs/afs/internal.h: In function 'afs_page_dirty_to': +../fs/afs/internal.h:881:15: warning: right shift count >= width of type [-Wshift-count-overflow] + 881 | return (priv >> __AFS_PAGE_PRIV_SHIFT) & __AFS_PAGE_PRIV_MASK; + | ^~ +../fs/afs/internal.h: In function 'afs_page_dirty': +../fs/afs/internal.h:886:28: warning: left shift count >= width of type [-Wshift-count-overflow] + 886 | return ((unsigned long)to << __AFS_PAGE_PRIV_SHIFT) | from; + | ^~ + +Fixes: 4343d00872e1 ("afs: Get rid of the afs_writeback record") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/internal.h | 6 +++--- + fs/afs/write.c | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/afs/internal.h b/fs/afs/internal.h +index d303a40974ce5..50b313bb7f787 100644 +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -860,7 +860,7 @@ struct afs_vnode_cache_aux { + * splitting the field into two parts. However, we need to represent a range + * 0...PAGE_SIZE inclusive, so we can't support 64K pages on a 32-bit system. + */ +-#if PAGE_SIZE > 32768 ++#ifdef CONFIG_64BIT + #define __AFS_PAGE_PRIV_MASK 0xffffffffUL + #define __AFS_PAGE_PRIV_SHIFT 32 + #else +@@ -875,12 +875,12 @@ static inline size_t afs_page_dirty_from(unsigned long priv) + + static inline size_t afs_page_dirty_to(unsigned long priv) + { +- return (priv >> __AFS_PAGE_PRIV_SHIFT) & __AFS_PAGE_PRIV_MASK; ++ return ((priv >> __AFS_PAGE_PRIV_SHIFT) & __AFS_PAGE_PRIV_MASK) + 1; + } + + static inline unsigned long afs_page_dirty(size_t from, size_t to) + { +- return ((unsigned long)to << __AFS_PAGE_PRIV_SHIFT) | from; ++ return ((unsigned long)(to - 1) << __AFS_PAGE_PRIV_SHIFT) | from; + } + + #include +diff --git a/fs/afs/write.c b/fs/afs/write.c +index 76fb2c64d49dc..189e298343a29 100644 +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -93,7 +93,7 @@ int afs_write_begin(struct file *file, struct address_space *mapping, + /* We want to store information about how much of a page is altered in + * page->private. + */ +- BUILD_BUG_ON(PAGE_SIZE > 32768 && sizeof(page->private) < 8); ++ BUILD_BUG_ON(PAGE_SIZE - 1 > __AFS_PAGE_PRIV_MASK && sizeof(page->private) < 8); + + page = grab_cache_page_write_begin(mapping, index, flags); + if (!page) +-- +2.27.0 + diff --git a/queue-5.8/afs-don-t-assert-on-unpurgeable-server-records.patch b/queue-5.8/afs-don-t-assert-on-unpurgeable-server-records.patch new file mode 100644 index 00000000000..88396e7ce84 --- /dev/null +++ b/queue-5.8/afs-don-t-assert-on-unpurgeable-server-records.patch @@ -0,0 +1,62 @@ +From f30e6f61eee2dd85f9b5c2f72957f577af7d20f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 09:02:25 +0100 +Subject: afs: Don't assert on unpurgeable server records + +From: David Howells + +[ Upstream commit 7530d3eb3dcf1a30750e8e7f1f88b782b96b72b8 ] + +Don't give an assertion failure on unpurgeable afs_server records - which +kills the thread - but rather emit a trace line when we are purging a +record (which only happens during network namespace removal or rmmod) and +print a notice of the problem. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/server.c | 7 ++++++- + include/trace/events/afs.h | 2 ++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/afs/server.c b/fs/afs/server.c +index e82e452e26124..684a2b02b9ff7 100644 +--- a/fs/afs/server.c ++++ b/fs/afs/server.c +@@ -550,7 +550,12 @@ void afs_manage_servers(struct work_struct *work) + + _debug("manage %pU %u", &server->uuid, active); + +- ASSERTIFCMP(purging, active, ==, 0); ++ if (purging) { ++ trace_afs_server(server, atomic_read(&server->ref), ++ active, afs_server_trace_purging); ++ if (active != 0) ++ pr_notice("Can't purge s=%08x\n", server->debug_id); ++ } + + if (active == 0) { + time64_t expire_at = server->unuse_time; +diff --git a/include/trace/events/afs.h b/include/trace/events/afs.h +index 05b5506cd24ca..1ba6fc9e030fb 100644 +--- a/include/trace/events/afs.h ++++ b/include/trace/events/afs.h +@@ -40,6 +40,7 @@ enum afs_server_trace { + afs_server_trace_get_new_cbi, + afs_server_trace_get_probe, + afs_server_trace_give_up_cb, ++ afs_server_trace_purging, + afs_server_trace_put_call, + afs_server_trace_put_cbi, + afs_server_trace_put_find_rsq, +@@ -270,6 +271,7 @@ enum afs_cb_break_reason { + EM(afs_server_trace_get_new_cbi, "GET cbi ") \ + EM(afs_server_trace_get_probe, "GET probe") \ + EM(afs_server_trace_give_up_cb, "giveup-cb") \ ++ EM(afs_server_trace_purging, "PURGE ") \ + EM(afs_server_trace_put_call, "PUT call ") \ + EM(afs_server_trace_put_cbi, "PUT cbi ") \ + EM(afs_server_trace_put_find_rsq, "PUT f-rsq") \ +-- +2.27.0 + diff --git a/queue-5.8/afs-fix-a-use-after-free-in-afs_xattr_get_acl.patch b/queue-5.8/afs-fix-a-use-after-free-in-afs_xattr_get_acl.patch new file mode 100644 index 00000000000..36a5b52ded8 --- /dev/null +++ b/queue-5.8/afs-fix-a-use-after-free-in-afs_xattr_get_acl.patch @@ -0,0 +1,36 @@ +From 108417581c99f54c3c0316b703c9712f9152494c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 11:58:12 +0300 +Subject: afs: Fix a use after free in afs_xattr_get_acl() + +From: Dan Carpenter + +[ Upstream commit 248c944e2159de4868bef558feea40214aaf8464 ] + +The "op" pointer is freed earlier when we call afs_put_operation(). + +Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept") +Signed-off-by: Dan Carpenter +Signed-off-by: David Howells +cc: Colin Ian King +Signed-off-by: Sasha Levin +--- + fs/afs/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/afs/xattr.c b/fs/afs/xattr.c +index 84f3c4f575318..38884d6c57cdc 100644 +--- a/fs/afs/xattr.c ++++ b/fs/afs/xattr.c +@@ -85,7 +85,7 @@ static int afs_xattr_get_acl(const struct xattr_handler *handler, + if (acl->size <= size) + memcpy(buffer, acl->data, acl->size); + else +- op->error = -ERANGE; ++ ret = -ERANGE; + } + } + +-- +2.27.0 + diff --git a/queue-5.8/afs-fix-afs_launder_page-to-not-clear-pg_writeback.patch b/queue-5.8/afs-fix-afs_launder_page-to-not-clear-pg_writeback.patch new file mode 100644 index 00000000000..e9b89377233 --- /dev/null +++ b/queue-5.8/afs-fix-afs_launder_page-to-not-clear-pg_writeback.patch @@ -0,0 +1,84 @@ +From b81766f8c6e555d8437e75a032b2d2e2ec7f4d7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Oct 2020 14:40:31 +0100 +Subject: afs: Fix afs_launder_page to not clear PG_writeback + +From: David Howells + +[ Upstream commit d383e346f97d6bb0d654bb3d63c44ab106d92d29 ] + +Fix afs_launder_page() to not clear PG_writeback on the page it is +laundering as the flag isn't set in this case. + +Fixes: 4343d00872e1 ("afs: Get rid of the afs_writeback record") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/internal.h | 1 + + fs/afs/write.c | 10 ++++++---- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/fs/afs/internal.h b/fs/afs/internal.h +index 7689f4535ef9c..4d7d5a365ab3d 100644 +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -809,6 +809,7 @@ struct afs_operation { + pgoff_t last; /* last page in mapping to deal with */ + unsigned first_offset; /* offset into mapping[first] */ + unsigned last_to; /* amount of mapping[last] */ ++ bool laundering; /* Laundering page, PG_writeback not set */ + } store; + struct { + struct iattr *attr; +diff --git a/fs/afs/write.c b/fs/afs/write.c +index 0a98cf36e78a3..8cc86dc92db69 100644 +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -396,7 +396,8 @@ static void afs_store_data_success(struct afs_operation *op) + op->ctime = op->file[0].scb.status.mtime_client; + afs_vnode_commit_status(op, &op->file[0]); + if (op->error == 0) { +- afs_pages_written_back(vnode, op->store.first, op->store.last); ++ if (!op->store.laundering) ++ afs_pages_written_back(vnode, op->store.first, op->store.last); + afs_stat_v(vnode, n_stores); + atomic_long_add((op->store.last * PAGE_SIZE + op->store.last_to) - + (op->store.first * PAGE_SIZE + op->store.first_offset), +@@ -415,7 +416,7 @@ static const struct afs_operation_ops afs_store_data_operation = { + */ + static int afs_store_data(struct address_space *mapping, + pgoff_t first, pgoff_t last, +- unsigned offset, unsigned to) ++ unsigned offset, unsigned to, bool laundering) + { + struct afs_vnode *vnode = AFS_FS_I(mapping->host); + struct afs_operation *op; +@@ -448,6 +449,7 @@ static int afs_store_data(struct address_space *mapping, + op->store.last = last; + op->store.first_offset = offset; + op->store.last_to = to; ++ op->store.laundering = laundering; + op->mtime = vnode->vfs_inode.i_mtime; + op->flags |= AFS_OPERATION_UNINTR; + op->ops = &afs_store_data_operation; +@@ -601,7 +603,7 @@ no_more: + if (end > i_size) + to = i_size & ~PAGE_MASK; + +- ret = afs_store_data(mapping, first, last, offset, to); ++ ret = afs_store_data(mapping, first, last, offset, to, false); + switch (ret) { + case 0: + ret = count; +@@ -921,7 +923,7 @@ int afs_launder_page(struct page *page) + + trace_afs_page_dirty(vnode, tracepoint_string("launder"), + page->index, priv); +- ret = afs_store_data(mapping, page->index, page->index, t, f); ++ ret = afs_store_data(mapping, page->index, page->index, t, f, true); + } + + trace_afs_page_dirty(vnode, tracepoint_string("laundered"), +-- +2.27.0 + diff --git a/queue-5.8/afs-fix-dirty-region-encoding-on-ppc32-with-64k-page.patch b/queue-5.8/afs-fix-dirty-region-encoding-on-ppc32-with-64k-page.patch new file mode 100644 index 00000000000..354316a7cc9 --- /dev/null +++ b/queue-5.8/afs-fix-dirty-region-encoding-on-ppc32-with-64k-page.patch @@ -0,0 +1,108 @@ +From dcc0595250241f4162a57750fc5b6de7e9fef422 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 12:08:39 +0000 +Subject: afs: Fix dirty-region encoding on ppc32 with 64K pages + +From: David Howells + +[ Upstream commit 2d9900f26ad61e63a34f239bc76c80d2f8a6ff41 ] + +The dirty region bounds stored in page->private on an afs page are 15 bits +on a 32-bit box and can, at most, represent a range of up to 32K within a +32K page with a resolution of 1 byte. This is a problem for powerpc32 with +64K pages enabled. + +Further, transparent huge pages may get up to 2M, which will be a problem +for the afs filesystem on all 32-bit arches in the future. + +Fix this by decreasing the resolution. For the moment, a 64K page will +have a resolution determined from PAGE_SIZE. In the future, the page will +need to be passed in to the helper functions so that the page size can be +assessed and the resolution determined dynamically. + +Note that this might not be the ideal way to handle this, since it may +allow some leakage of undirtied zero bytes to the server's copy in the case +of a 3rd-party conflict. Fixing that would require a separately allocated +record and is a more complicated fix. + +Fixes: 4343d00872e1 ("afs: Get rid of the afs_writeback record") +Reported-by: kernel test robot +Signed-off-by: David Howells +Reviewed-by: Matthew Wilcox (Oracle) +Signed-off-by: Sasha Levin +--- + fs/afs/internal.h | 24 ++++++++++++++++++++---- + fs/afs/write.c | 5 ----- + 2 files changed, 20 insertions(+), 9 deletions(-) + +diff --git a/fs/afs/internal.h b/fs/afs/internal.h +index 50b313bb7f787..7f3a9705393dd 100644 +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -858,7 +858,8 @@ struct afs_vnode_cache_aux { + /* + * We use page->private to hold the amount of the page that we've written to, + * splitting the field into two parts. However, we need to represent a range +- * 0...PAGE_SIZE inclusive, so we can't support 64K pages on a 32-bit system. ++ * 0...PAGE_SIZE, so we reduce the resolution if the size of the page ++ * exceeds what we can encode. + */ + #ifdef CONFIG_64BIT + #define __AFS_PAGE_PRIV_MASK 0xffffffffUL +@@ -868,19 +869,34 @@ struct afs_vnode_cache_aux { + #define __AFS_PAGE_PRIV_SHIFT 16 + #endif + ++static inline unsigned int afs_page_dirty_resolution(void) ++{ ++ int shift = PAGE_SHIFT - (__AFS_PAGE_PRIV_SHIFT - 1); ++ return (shift > 0) ? shift : 0; ++} ++ + static inline size_t afs_page_dirty_from(unsigned long priv) + { +- return priv & __AFS_PAGE_PRIV_MASK; ++ unsigned long x = priv & __AFS_PAGE_PRIV_MASK; ++ ++ /* The lower bound is inclusive */ ++ return x << afs_page_dirty_resolution(); + } + + static inline size_t afs_page_dirty_to(unsigned long priv) + { +- return ((priv >> __AFS_PAGE_PRIV_SHIFT) & __AFS_PAGE_PRIV_MASK) + 1; ++ unsigned long x = (priv >> __AFS_PAGE_PRIV_SHIFT) & __AFS_PAGE_PRIV_MASK; ++ ++ /* The upper bound is immediately beyond the region */ ++ return (x + 1) << afs_page_dirty_resolution(); + } + + static inline unsigned long afs_page_dirty(size_t from, size_t to) + { +- return ((unsigned long)(to - 1) << __AFS_PAGE_PRIV_SHIFT) | from; ++ unsigned int res = afs_page_dirty_resolution(); ++ from >>= res; ++ to = (to - 1) >> res; ++ return (to << __AFS_PAGE_PRIV_SHIFT) | from; + } + + #include +diff --git a/fs/afs/write.c b/fs/afs/write.c +index 189e298343a29..d23be82ff262f 100644 +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -90,11 +90,6 @@ int afs_write_begin(struct file *file, struct address_space *mapping, + _enter("{%llx:%llu},{%lx},%u,%u", + vnode->fid.vid, vnode->fid.vnode, index, from, to); + +- /* We want to store information about how much of a page is altered in +- * page->private. +- */ +- BUILD_BUG_ON(PAGE_SIZE - 1 > __AFS_PAGE_PRIV_MASK && sizeof(page->private) < 8); +- + page = grab_cache_page_write_begin(mapping, index, flags); + if (!page) + return -ENOMEM; +-- +2.27.0 + diff --git a/queue-5.8/afs-fix-page-leak-on-afs_write_begin-failure.patch b/queue-5.8/afs-fix-page-leak-on-afs_write_begin-failure.patch new file mode 100644 index 00000000000..be9b9a030d6 --- /dev/null +++ b/queue-5.8/afs-fix-page-leak-on-afs_write_begin-failure.patch @@ -0,0 +1,80 @@ +From a07f7a60e1f36f135dada508e534f5fb44637c01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Oct 2020 14:03:03 +0100 +Subject: afs: Fix page leak on afs_write_begin() failure + +From: David Howells + +[ Upstream commit 21db2cdc667f744691a407105b7712bc18d74023 ] + +Fix the leak of the target page in afs_write_begin() when it fails. + +Fixes: 15b4650e55e0 ("afs: convert to new aops") +Signed-off-by: David Howells +cc: Nick Piggin +Signed-off-by: Sasha Levin +--- + fs/afs/write.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +diff --git a/fs/afs/write.c b/fs/afs/write.c +index 2109fcfbae5c3..49a568ed9b2a0 100644 +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -76,7 +76,7 @@ static int afs_fill_page(struct afs_vnode *vnode, struct key *key, + */ + int afs_write_begin(struct file *file, struct address_space *mapping, + loff_t pos, unsigned len, unsigned flags, +- struct page **pagep, void **fsdata) ++ struct page **_page, void **fsdata) + { + struct afs_vnode *vnode = AFS_FS_I(file_inode(file)); + struct page *page; +@@ -110,9 +110,6 @@ int afs_write_begin(struct file *file, struct address_space *mapping, + SetPageUptodate(page); + } + +- /* page won't leak in error case: it eventually gets cleaned off LRU */ +- *pagep = page; +- + try_again: + /* See if this page is already partially written in a way that we can + * merge the new write with. +@@ -155,6 +152,7 @@ try_again: + set_page_private(page, priv); + else + attach_page_private(page, (void *)priv); ++ *_page = page; + _leave(" = 0"); + return 0; + +@@ -164,17 +162,18 @@ try_again: + flush_conflicting_write: + _debug("flush conflict"); + ret = write_one_page(page); +- if (ret < 0) { +- _leave(" = %d", ret); +- return ret; +- } ++ if (ret < 0) ++ goto error; + + ret = lock_page_killable(page); +- if (ret < 0) { +- _leave(" = %d", ret); +- return ret; +- } ++ if (ret < 0) ++ goto error; + goto try_again; ++ ++error: ++ put_page(page); ++ _leave(" = %d", ret); ++ return ret; + } + + /* +-- +2.27.0 + diff --git a/queue-5.8/afs-fix-to-take-ref-on-page-when-pg_private-is-set.patch b/queue-5.8/afs-fix-to-take-ref-on-page-when-pg_private-is-set.patch new file mode 100644 index 00000000000..24238e0cf23 --- /dev/null +++ b/queue-5.8/afs-fix-to-take-ref-on-page-when-pg_private-is-set.patch @@ -0,0 +1,170 @@ +From 2f0268fcdb54a5c3d8457d91d59c539c47a0e550 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Oct 2020 13:22:19 +0100 +Subject: afs: Fix to take ref on page when PG_private is set + +From: David Howells + +[ Upstream commit fa04a40b169fcee615afbae97f71a09332993f64 ] + +Fix afs to take a ref on a page when it sets PG_private on it and to drop +the ref when removing the flag. + +Note that in afs_write_begin(), a lot of the time, PG_private is already +set on a page to which we're going to add some data. In such a case, we +leave the bit set and mustn't increment the page count. + +As suggested by Matthew Wilcox, use attach/detach_page_private() where +possible. + +Fixes: 31143d5d515e ("AFS: implement basic file write support") +Reported-by: Matthew Wilcox (Oracle) +Signed-off-by: David Howells +Reviewed-by: Matthew Wilcox (Oracle) +Signed-off-by: Sasha Levin +--- + fs/afs/dir.c | 12 ++++-------- + fs/afs/dir_edit.c | 6 ++---- + fs/afs/file.c | 8 ++------ + fs/afs/write.c | 18 ++++++++++-------- + 4 files changed, 18 insertions(+), 26 deletions(-) + +diff --git a/fs/afs/dir.c b/fs/afs/dir.c +index 96757f3abd74d..e3347351d7c57 100644 +--- a/fs/afs/dir.c ++++ b/fs/afs/dir.c +@@ -281,8 +281,7 @@ retry: + if (ret < 0) + goto error; + +- set_page_private(req->pages[i], 1); +- SetPagePrivate(req->pages[i]); ++ attach_page_private(req->pages[i], (void *)1); + unlock_page(req->pages[i]); + i++; + } else { +@@ -1975,8 +1974,7 @@ static int afs_dir_releasepage(struct page *page, gfp_t gfp_flags) + + _enter("{{%llx:%llu}[%lu]}", dvnode->fid.vid, dvnode->fid.vnode, page->index); + +- set_page_private(page, 0); +- ClearPagePrivate(page); ++ detach_page_private(page); + + /* The directory will need reloading. */ + if (test_and_clear_bit(AFS_VNODE_DIR_VALID, &dvnode->flags)) +@@ -2003,8 +2001,6 @@ static void afs_dir_invalidatepage(struct page *page, unsigned int offset, + afs_stat_v(dvnode, n_inval); + + /* we clean up only if the entire page is being invalidated */ +- if (offset == 0 && length == PAGE_SIZE) { +- set_page_private(page, 0); +- ClearPagePrivate(page); +- } ++ if (offset == 0 && length == PAGE_SIZE) ++ detach_page_private(page); + } +diff --git a/fs/afs/dir_edit.c b/fs/afs/dir_edit.c +index b108528bf010d..2ffe09abae7fc 100644 +--- a/fs/afs/dir_edit.c ++++ b/fs/afs/dir_edit.c +@@ -243,10 +243,8 @@ void afs_edit_dir_add(struct afs_vnode *vnode, + index, gfp); + if (!page) + goto error; +- if (!PagePrivate(page)) { +- set_page_private(page, 1); +- SetPagePrivate(page); +- } ++ if (!PagePrivate(page)) ++ attach_page_private(page, (void *)1); + dir_page = kmap(page); + } + +diff --git a/fs/afs/file.c b/fs/afs/file.c +index 6f6ed1605cfe3..f5d87827c7bf8 100644 +--- a/fs/afs/file.c ++++ b/fs/afs/file.c +@@ -626,11 +626,9 @@ static void afs_invalidatepage(struct page *page, unsigned int offset, + #endif + + if (PagePrivate(page)) { +- priv = page_private(page); ++ priv = (unsigned long)detach_page_private(page); + trace_afs_page_dirty(vnode, tracepoint_string("inval"), + page->index, priv); +- set_page_private(page, 0); +- ClearPagePrivate(page); + } + } + +@@ -660,11 +658,9 @@ static int afs_releasepage(struct page *page, gfp_t gfp_flags) + #endif + + if (PagePrivate(page)) { +- priv = page_private(page); ++ priv = (unsigned long)detach_page_private(page); + trace_afs_page_dirty(vnode, tracepoint_string("rel"), + page->index, priv); +- set_page_private(page, 0); +- ClearPagePrivate(page); + } + + /* indicate that the page can be released */ +diff --git a/fs/afs/write.c b/fs/afs/write.c +index 8cc86dc92db69..2109fcfbae5c3 100644 +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -151,8 +151,10 @@ try_again: + priv |= f; + trace_afs_page_dirty(vnode, tracepoint_string("begin"), + page->index, priv); +- SetPagePrivate(page); +- set_page_private(page, priv); ++ if (PagePrivate(page)) ++ set_page_private(page, priv); ++ else ++ attach_page_private(page, (void *)priv); + _leave(" = 0"); + return 0; + +@@ -334,10 +336,9 @@ static void afs_pages_written_back(struct afs_vnode *vnode, + ASSERTCMP(pv.nr, ==, count); + + for (loop = 0; loop < count; loop++) { +- priv = page_private(pv.pages[loop]); ++ priv = (unsigned long)detach_page_private(pv.pages[loop]); + trace_afs_page_dirty(vnode, tracepoint_string("clear"), + pv.pages[loop]->index, priv); +- set_page_private(pv.pages[loop], 0); + end_page_writeback(pv.pages[loop]); + } + first += count; +@@ -863,8 +864,10 @@ vm_fault_t afs_page_mkwrite(struct vm_fault *vmf) + priv |= 0; /* From */ + trace_afs_page_dirty(vnode, tracepoint_string("mkwrite"), + vmf->page->index, priv); +- SetPagePrivate(vmf->page); +- set_page_private(vmf->page, priv); ++ if (PagePrivate(vmf->page)) ++ set_page_private(vmf->page, priv); ++ else ++ attach_page_private(vmf->page, (void *)priv); + file_update_time(file); + + sb_end_pagefault(inode->i_sb); +@@ -926,10 +929,9 @@ int afs_launder_page(struct page *page) + ret = afs_store_data(mapping, page->index, page->index, t, f, true); + } + ++ priv = (unsigned long)detach_page_private(page); + trace_afs_page_dirty(vnode, tracepoint_string("laundered"), + page->index, priv); +- set_page_private(page, 0); +- ClearPagePrivate(page); + + #ifdef CONFIG_AFS_FSCACHE + if (PageFsCache(page)) { +-- +2.27.0 + diff --git a/queue-5.8/afs-fix-where-page-private-is-set-during-write.patch b/queue-5.8/afs-fix-where-page-private-is-set-during-write.patch new file mode 100644 index 00000000000..abbac1ce383 --- /dev/null +++ b/queue-5.8/afs-fix-where-page-private-is-set-during-write.patch @@ -0,0 +1,93 @@ +From fcfd9f34bba75adc54f00649423b0685f3d6720b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Oct 2020 14:05:33 +0000 +Subject: afs: Fix where page->private is set during write + +From: David Howells + +[ Upstream commit f792e3ac82fe2c6c863e93187eb7ddfccab68fa7 ] + +In afs, page->private is set to indicate the dirty region of a page. This +is done in afs_write_begin(), but that can't take account of whether the +copy into the page actually worked. + +Fix this by moving the change of page->private into afs_write_end(). + +Fixes: 4343d00872e1 ("afs: Get rid of the afs_writeback record") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/write.c | 41 ++++++++++++++++++++++++++--------------- + 1 file changed, 26 insertions(+), 15 deletions(-) + +diff --git a/fs/afs/write.c b/fs/afs/write.c +index 49a568ed9b2a0..4e796f49723fb 100644 +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -135,23 +135,8 @@ try_again: + if (!test_bit(AFS_VNODE_NEW_CONTENT, &vnode->flags) && + (to < f || from > t)) + goto flush_conflicting_write; +- if (from < f) +- f = from; +- if (to > t) +- t = to; +- } else { +- f = from; +- t = to; + } + +- priv = (unsigned long)t << AFS_PRIV_SHIFT; +- priv |= f; +- trace_afs_page_dirty(vnode, tracepoint_string("begin"), +- page->index, priv); +- if (PagePrivate(page)) +- set_page_private(page, priv); +- else +- attach_page_private(page, (void *)priv); + *_page = page; + _leave(" = 0"); + return 0; +@@ -185,6 +170,9 @@ int afs_write_end(struct file *file, struct address_space *mapping, + { + struct afs_vnode *vnode = AFS_FS_I(file_inode(file)); + struct key *key = afs_file_key(file); ++ unsigned long priv; ++ unsigned int f, from = pos & (PAGE_SIZE - 1); ++ unsigned int t, to = from + copied; + loff_t i_size, maybe_i_size; + int ret; + +@@ -216,6 +204,29 @@ int afs_write_end(struct file *file, struct address_space *mapping, + SetPageUptodate(page); + } + ++ if (PagePrivate(page)) { ++ priv = page_private(page); ++ f = priv & AFS_PRIV_MAX; ++ t = priv >> AFS_PRIV_SHIFT; ++ if (from < f) ++ f = from; ++ if (to > t) ++ t = to; ++ priv = (unsigned long)t << AFS_PRIV_SHIFT; ++ priv |= f; ++ set_page_private(page, priv); ++ trace_afs_page_dirty(vnode, tracepoint_string("dirty+"), ++ page->index, priv); ++ } else { ++ f = from; ++ t = to; ++ priv = (unsigned long)t << AFS_PRIV_SHIFT; ++ priv |= f; ++ attach_page_private(page, (void *)priv); ++ trace_afs_page_dirty(vnode, tracepoint_string("dirty"), ++ page->index, priv); ++ } ++ + set_page_dirty(page); + if (PageDirty(page)) + _debug("dirtied"); +-- +2.27.0 + diff --git a/queue-5.8/afs-wrap-page-private-manipulations-in-inline-functi.patch b/queue-5.8/afs-wrap-page-private-manipulations-in-inline-functi.patch new file mode 100644 index 00000000000..10e0975459f --- /dev/null +++ b/queue-5.8/afs-wrap-page-private-manipulations-in-inline-functi.patch @@ -0,0 +1,201 @@ +From 282851a5c7cd9c7c32d0099b38be7095373db8d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Oct 2020 13:22:47 +0000 +Subject: afs: Wrap page->private manipulations in inline functions + +From: David Howells + +[ Upstream commit 185f0c7073bd5c78f86265f703f5daf1306ab5a7 ] + +The afs filesystem uses page->private to store the dirty range within a +page such that in the event of a conflicting 3rd-party write to the server, +we write back just the bits that got changed locally. + +However, there are a couple of problems with this: + + (1) I need a bit to note if the page might be mapped so that partial + invalidation doesn't shrink the range. + + (2) There aren't necessarily sufficient bits to store the entire range of + data altered (say it's a 32-bit system with 64KiB pages or transparent + huge pages are in use). + +So wrap the accesses in inline functions so that future commits can change +how this works. + +Also move them out of the tracing header into the in-directory header. +There's not really any need for them to be in the tracing header. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/internal.h | 28 ++++++++++++++++++++++++++++ + fs/afs/write.c | 31 +++++++++++++------------------ + include/trace/events/afs.h | 19 +++---------------- + 3 files changed, 44 insertions(+), 34 deletions(-) + +diff --git a/fs/afs/internal.h b/fs/afs/internal.h +index 4d7d5a365ab3d..d303a40974ce5 100644 +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -855,6 +855,34 @@ struct afs_vnode_cache_aux { + u64 data_version; + } __packed; + ++/* ++ * We use page->private to hold the amount of the page that we've written to, ++ * splitting the field into two parts. However, we need to represent a range ++ * 0...PAGE_SIZE inclusive, so we can't support 64K pages on a 32-bit system. ++ */ ++#if PAGE_SIZE > 32768 ++#define __AFS_PAGE_PRIV_MASK 0xffffffffUL ++#define __AFS_PAGE_PRIV_SHIFT 32 ++#else ++#define __AFS_PAGE_PRIV_MASK 0xffffUL ++#define __AFS_PAGE_PRIV_SHIFT 16 ++#endif ++ ++static inline size_t afs_page_dirty_from(unsigned long priv) ++{ ++ return priv & __AFS_PAGE_PRIV_MASK; ++} ++ ++static inline size_t afs_page_dirty_to(unsigned long priv) ++{ ++ return (priv >> __AFS_PAGE_PRIV_SHIFT) & __AFS_PAGE_PRIV_MASK; ++} ++ ++static inline unsigned long afs_page_dirty(size_t from, size_t to) ++{ ++ return ((unsigned long)to << __AFS_PAGE_PRIV_SHIFT) | from; ++} ++ + #include + + /*****************************************************************************/ +diff --git a/fs/afs/write.c b/fs/afs/write.c +index 4e796f49723fb..76fb2c64d49dc 100644 +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -117,8 +117,8 @@ try_again: + t = f = 0; + if (PagePrivate(page)) { + priv = page_private(page); +- f = priv & AFS_PRIV_MAX; +- t = priv >> AFS_PRIV_SHIFT; ++ f = afs_page_dirty_from(priv); ++ t = afs_page_dirty_to(priv); + ASSERTCMP(f, <=, t); + } + +@@ -206,22 +206,18 @@ int afs_write_end(struct file *file, struct address_space *mapping, + + if (PagePrivate(page)) { + priv = page_private(page); +- f = priv & AFS_PRIV_MAX; +- t = priv >> AFS_PRIV_SHIFT; ++ f = afs_page_dirty_from(priv); ++ t = afs_page_dirty_to(priv); + if (from < f) + f = from; + if (to > t) + t = to; +- priv = (unsigned long)t << AFS_PRIV_SHIFT; +- priv |= f; ++ priv = afs_page_dirty(f, t); + set_page_private(page, priv); + trace_afs_page_dirty(vnode, tracepoint_string("dirty+"), + page->index, priv); + } else { +- f = from; +- t = to; +- priv = (unsigned long)t << AFS_PRIV_SHIFT; +- priv |= f; ++ priv = afs_page_dirty(from, to); + attach_page_private(page, (void *)priv); + trace_afs_page_dirty(vnode, tracepoint_string("dirty"), + page->index, priv); +@@ -522,8 +518,8 @@ static int afs_write_back_from_locked_page(struct address_space *mapping, + */ + start = primary_page->index; + priv = page_private(primary_page); +- offset = priv & AFS_PRIV_MAX; +- to = priv >> AFS_PRIV_SHIFT; ++ offset = afs_page_dirty_from(priv); ++ to = afs_page_dirty_to(priv); + trace_afs_page_dirty(vnode, tracepoint_string("store"), + primary_page->index, priv); + +@@ -568,8 +564,8 @@ static int afs_write_back_from_locked_page(struct address_space *mapping, + } + + priv = page_private(page); +- f = priv & AFS_PRIV_MAX; +- t = priv >> AFS_PRIV_SHIFT; ++ f = afs_page_dirty_from(priv); ++ t = afs_page_dirty_to(priv); + if (f != 0 && + !test_bit(AFS_VNODE_NEW_CONTENT, &vnode->flags)) { + unlock_page(page); +@@ -870,8 +866,7 @@ vm_fault_t afs_page_mkwrite(struct vm_fault *vmf) + */ + wait_on_page_writeback(vmf->page); + +- priv = (unsigned long)PAGE_SIZE << AFS_PRIV_SHIFT; /* To */ +- priv |= 0; /* From */ ++ priv = afs_page_dirty(0, PAGE_SIZE); + trace_afs_page_dirty(vnode, tracepoint_string("mkwrite"), + vmf->page->index, priv); + if (PagePrivate(vmf->page)) +@@ -930,8 +925,8 @@ int afs_launder_page(struct page *page) + f = 0; + t = PAGE_SIZE; + if (PagePrivate(page)) { +- f = priv & AFS_PRIV_MAX; +- t = priv >> AFS_PRIV_SHIFT; ++ f = afs_page_dirty_from(priv); ++ t = afs_page_dirty_to(priv); + } + + trace_afs_page_dirty(vnode, tracepoint_string("launder"), +diff --git a/include/trace/events/afs.h b/include/trace/events/afs.h +index 5f0c1cf1ea130..05b5506cd24ca 100644 +--- a/include/trace/events/afs.h ++++ b/include/trace/events/afs.h +@@ -884,19 +884,6 @@ TRACE_EVENT(afs_dir_check_failed, + __entry->vnode, __entry->off, __entry->i_size) + ); + +-/* +- * We use page->private to hold the amount of the page that we've written to, +- * splitting the field into two parts. However, we need to represent a range +- * 0...PAGE_SIZE inclusive, so we can't support 64K pages on a 32-bit system. +- */ +-#if PAGE_SIZE > 32768 +-#define AFS_PRIV_MAX 0xffffffff +-#define AFS_PRIV_SHIFT 32 +-#else +-#define AFS_PRIV_MAX 0xffff +-#define AFS_PRIV_SHIFT 16 +-#endif +- + TRACE_EVENT(afs_page_dirty, + TP_PROTO(struct afs_vnode *vnode, const char *where, + pgoff_t page, unsigned long priv), +@@ -917,10 +904,10 @@ TRACE_EVENT(afs_page_dirty, + __entry->priv = priv; + ), + +- TP_printk("vn=%p %lx %s %lu-%lu", ++ TP_printk("vn=%p %lx %s %zx-%zx", + __entry->vnode, __entry->page, __entry->where, +- __entry->priv & AFS_PRIV_MAX, +- __entry->priv >> AFS_PRIV_SHIFT) ++ afs_page_dirty_from(__entry->priv), ++ afs_page_dirty_to(__entry->priv)) + ); + + TRACE_EVENT(afs_call_state, +-- +2.27.0 + diff --git a/queue-5.8/arc-dts-fix-the-errors-detected-by-dtbs_check.patch b/queue-5.8/arc-dts-fix-the-errors-detected-by-dtbs_check.patch new file mode 100644 index 00000000000..40bc3925a23 --- /dev/null +++ b/queue-5.8/arc-dts-fix-the-errors-detected-by-dtbs_check.patch @@ -0,0 +1,95 @@ +From d05c46a6de6889531b938faac11f12353c120be3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 15:17:54 +0800 +Subject: ARC: [dts] fix the errors detected by dtbs_check + +From: Zhen Lei + +[ Upstream commit 05b1be68c4d6d76970025e6139bfd735c2256ee5 ] + +xxx/arc/boot/dts/axs101.dt.yaml: dw-apb-ictl@e0012000: $nodename:0: \ +'dw-apb-ictl@e0012000' does not match '^interrupt-controller(@[0-9a-f,]+)*$' + From schema: xxx/interrupt-controller/snps,dw-apb-ictl.yaml + +The node name of the interrupt controller must start with +"interrupt-controller" instead of "dw-apb-ictl". + +Signed-off-by: Zhen Lei +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/boot/dts/axc001.dtsi | 2 +- + arch/arc/boot/dts/axc003.dtsi | 2 +- + arch/arc/boot/dts/axc003_idu.dtsi | 2 +- + arch/arc/boot/dts/vdk_axc003.dtsi | 2 +- + arch/arc/boot/dts/vdk_axc003_idu.dtsi | 2 +- + 5 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arc/boot/dts/axc001.dtsi b/arch/arc/boot/dts/axc001.dtsi +index 79ec27c043c1d..2a151607b0805 100644 +--- a/arch/arc/boot/dts/axc001.dtsi ++++ b/arch/arc/boot/dts/axc001.dtsi +@@ -91,7 +91,7 @@ + * avoid duplicating the MB dtsi file given that IRQ from + * this intc to cpu intc are different for axs101 and axs103 + */ +- mb_intc: dw-apb-ictl@e0012000 { ++ mb_intc: interrupt-controller@e0012000 { + #interrupt-cells = <1>; + compatible = "snps,dw-apb-ictl"; + reg = < 0x0 0xe0012000 0x0 0x200 >; +diff --git a/arch/arc/boot/dts/axc003.dtsi b/arch/arc/boot/dts/axc003.dtsi +index ac8e1b463a709..cd1edcf4f95ef 100644 +--- a/arch/arc/boot/dts/axc003.dtsi ++++ b/arch/arc/boot/dts/axc003.dtsi +@@ -129,7 +129,7 @@ + * avoid duplicating the MB dtsi file given that IRQ from + * this intc to cpu intc are different for axs101 and axs103 + */ +- mb_intc: dw-apb-ictl@e0012000 { ++ mb_intc: interrupt-controller@e0012000 { + #interrupt-cells = <1>; + compatible = "snps,dw-apb-ictl"; + reg = < 0x0 0xe0012000 0x0 0x200 >; +diff --git a/arch/arc/boot/dts/axc003_idu.dtsi b/arch/arc/boot/dts/axc003_idu.dtsi +index 9da21e7fd246f..70779386ca796 100644 +--- a/arch/arc/boot/dts/axc003_idu.dtsi ++++ b/arch/arc/boot/dts/axc003_idu.dtsi +@@ -135,7 +135,7 @@ + * avoid duplicating the MB dtsi file given that IRQ from + * this intc to cpu intc are different for axs101 and axs103 + */ +- mb_intc: dw-apb-ictl@e0012000 { ++ mb_intc: interrupt-controller@e0012000 { + #interrupt-cells = <1>; + compatible = "snps,dw-apb-ictl"; + reg = < 0x0 0xe0012000 0x0 0x200 >; +diff --git a/arch/arc/boot/dts/vdk_axc003.dtsi b/arch/arc/boot/dts/vdk_axc003.dtsi +index f8be7ba8dad49..c21d0eb07bf67 100644 +--- a/arch/arc/boot/dts/vdk_axc003.dtsi ++++ b/arch/arc/boot/dts/vdk_axc003.dtsi +@@ -46,7 +46,7 @@ + + }; + +- mb_intc: dw-apb-ictl@e0012000 { ++ mb_intc: interrupt-controller@e0012000 { + #interrupt-cells = <1>; + compatible = "snps,dw-apb-ictl"; + reg = < 0xe0012000 0x200 >; +diff --git a/arch/arc/boot/dts/vdk_axc003_idu.dtsi b/arch/arc/boot/dts/vdk_axc003_idu.dtsi +index 0afa3e53a4e39..4d348853ac7c5 100644 +--- a/arch/arc/boot/dts/vdk_axc003_idu.dtsi ++++ b/arch/arc/boot/dts/vdk_axc003_idu.dtsi +@@ -54,7 +54,7 @@ + + }; + +- mb_intc: dw-apb-ictl@e0012000 { ++ mb_intc: interrupt-controller@e0012000 { + #interrupt-cells = <1>; + compatible = "snps,dw-apb-ictl"; + reg = < 0xe0012000 0x200 >; +-- +2.27.0 + diff --git a/queue-5.8/arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch b/queue-5.8/arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch new file mode 100644 index 00000000000..f5118432e89 --- /dev/null +++ b/queue-5.8/arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch @@ -0,0 +1,188 @@ +From 500cc85357eaec7ffdf43cf6eba227360ded5c24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 23:24:35 +0100 +Subject: ARM: 8997/2: hw_breakpoint: Handle inexact watchpoint addresses + +From: Douglas Anderson + +[ Upstream commit 22c9e58299e5f18274788ce54c03d4fb761e3c5d ] + +This is commit fdfeff0f9e3d ("arm64: hw_breakpoint: Handle inexact +watchpoint addresses") but ported to arm32, which has the same +problem. + +This problem was found by Android CTS tests, notably the +"watchpoint_imprecise" test [1]. I tested locally against a copycat +(simplified) version of the test though. + +[1] https://android.googlesource.com/platform/bionic/+/master/tests/sys_ptrace_test.cpp + +Link: https://lkml.kernel.org/r/20191019111216.1.I82eae759ca6dc28a245b043f485ca490e3015321@changeid + +Signed-off-by: Douglas Anderson +Reviewed-by: Matthias Kaehlcke +Acked-by: Will Deacon +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/hw_breakpoint.c | 100 +++++++++++++++++++++++--------- + 1 file changed, 72 insertions(+), 28 deletions(-) + +diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c +index 7fff88e612525..4b0e4b19b04ed 100644 +--- a/arch/arm/kernel/hw_breakpoint.c ++++ b/arch/arm/kernel/hw_breakpoint.c +@@ -683,6 +683,40 @@ static void disable_single_step(struct perf_event *bp) + arch_install_hw_breakpoint(bp); + } + ++/* ++ * Arm32 hardware does not always report a watchpoint hit address that matches ++ * one of the watchpoints set. It can also report an address "near" the ++ * watchpoint if a single instruction access both watched and unwatched ++ * addresses. There is no straight-forward way, short of disassembling the ++ * offending instruction, to map that address back to the watchpoint. This ++ * function computes the distance of the memory access from the watchpoint as a ++ * heuristic for the likelyhood that a given access triggered the watchpoint. ++ * ++ * See this same function in the arm64 platform code, which has the same ++ * problem. ++ * ++ * The function returns the distance of the address from the bytes watched by ++ * the watchpoint. In case of an exact match, it returns 0. ++ */ ++static u32 get_distance_from_watchpoint(unsigned long addr, u32 val, ++ struct arch_hw_breakpoint_ctrl *ctrl) ++{ ++ u32 wp_low, wp_high; ++ u32 lens, lene; ++ ++ lens = __ffs(ctrl->len); ++ lene = __fls(ctrl->len); ++ ++ wp_low = val + lens; ++ wp_high = val + lene; ++ if (addr < wp_low) ++ return wp_low - addr; ++ else if (addr > wp_high) ++ return addr - wp_high; ++ else ++ return 0; ++} ++ + static int watchpoint_fault_on_uaccess(struct pt_regs *regs, + struct arch_hw_breakpoint *info) + { +@@ -692,23 +726,25 @@ static int watchpoint_fault_on_uaccess(struct pt_regs *regs, + static void watchpoint_handler(unsigned long addr, unsigned int fsr, + struct pt_regs *regs) + { +- int i, access; +- u32 val, ctrl_reg, alignment_mask; ++ int i, access, closest_match = 0; ++ u32 min_dist = -1, dist; ++ u32 val, ctrl_reg; + struct perf_event *wp, **slots; + struct arch_hw_breakpoint *info; + struct arch_hw_breakpoint_ctrl ctrl; + + slots = this_cpu_ptr(wp_on_reg); + ++ /* ++ * Find all watchpoints that match the reported address. If no exact ++ * match is found. Attribute the hit to the closest watchpoint. ++ */ ++ rcu_read_lock(); + for (i = 0; i < core_num_wrps; ++i) { +- rcu_read_lock(); +- + wp = slots[i]; +- + if (wp == NULL) +- goto unlock; ++ continue; + +- info = counter_arch_bp(wp); + /* + * The DFAR is an unknown value on debug architectures prior + * to 7.1. Since we only allow a single watchpoint on these +@@ -717,33 +753,31 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr, + */ + if (debug_arch < ARM_DEBUG_ARCH_V7_1) { + BUG_ON(i > 0); ++ info = counter_arch_bp(wp); + info->trigger = wp->attr.bp_addr; + } else { +- if (info->ctrl.len == ARM_BREAKPOINT_LEN_8) +- alignment_mask = 0x7; +- else +- alignment_mask = 0x3; +- +- /* Check if the watchpoint value matches. */ +- val = read_wb_reg(ARM_BASE_WVR + i); +- if (val != (addr & ~alignment_mask)) +- goto unlock; +- +- /* Possible match, check the byte address select. */ +- ctrl_reg = read_wb_reg(ARM_BASE_WCR + i); +- decode_ctrl_reg(ctrl_reg, &ctrl); +- if (!((1 << (addr & alignment_mask)) & ctrl.len)) +- goto unlock; +- + /* Check that the access type matches. */ + if (debug_exception_updates_fsr()) { + access = (fsr & ARM_FSR_ACCESS_MASK) ? + HW_BREAKPOINT_W : HW_BREAKPOINT_R; + if (!(access & hw_breakpoint_type(wp))) +- goto unlock; ++ continue; + } + ++ val = read_wb_reg(ARM_BASE_WVR + i); ++ ctrl_reg = read_wb_reg(ARM_BASE_WCR + i); ++ decode_ctrl_reg(ctrl_reg, &ctrl); ++ dist = get_distance_from_watchpoint(addr, val, &ctrl); ++ if (dist < min_dist) { ++ min_dist = dist; ++ closest_match = i; ++ } ++ /* Is this an exact match? */ ++ if (dist != 0) ++ continue; ++ + /* We have a winner. */ ++ info = counter_arch_bp(wp); + info->trigger = addr; + } + +@@ -765,13 +799,23 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr, + * we can single-step over the watchpoint trigger. + */ + if (!is_default_overflow_handler(wp)) +- goto unlock; +- ++ continue; + step: + enable_single_step(wp, instruction_pointer(regs)); +-unlock: +- rcu_read_unlock(); + } ++ ++ if (min_dist > 0 && min_dist != -1) { ++ /* No exact match found. */ ++ wp = slots[closest_match]; ++ info = counter_arch_bp(wp); ++ info->trigger = addr; ++ pr_debug("watchpoint fired: address = 0x%x\n", info->trigger); ++ perf_bp_event(wp, regs); ++ if (is_default_overflow_handler(wp)) ++ enable_single_step(wp, instruction_pointer(regs)); ++ } ++ ++ rcu_read_unlock(); + } + + static void watchpoint_single_step_handler(unsigned long pc) +-- +2.27.0 + diff --git a/queue-5.8/arm-dts-omap4-fix-sgx-clock-rate-for-4430.patch b/queue-5.8/arm-dts-omap4-fix-sgx-clock-rate-for-4430.patch new file mode 100644 index 00000000000..5610ed62077 --- /dev/null +++ b/queue-5.8/arm-dts-omap4-fix-sgx-clock-rate-for-4430.patch @@ -0,0 +1,70 @@ +From 6a802d40ae6bd920e2544ac656d69a134f7fdff4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2020 14:02:48 -0700 +Subject: ARM: dts: omap4: Fix sgx clock rate for 4430 + +From: Tony Lindgren + +[ Upstream commit 19d3e9a0bdd57b90175f30390edeb06851f5f9f3 ] + +We currently have a different clock rate for droid4 compared to the +stock v3.0.8 based Android Linux kernel: + +# cat /sys/kernel/debug/clk/dpll_*_m7x2_ck/clk_rate +266666667 +307200000 +# cat /sys/kernel/debug/clk/l3_gfx_cm:clk:0000:0/clk_rate +307200000 + +Let's fix this by configuring sgx to use 153.6 MHz instead of 307.2 MHz. +Looks like also at least duover needs this change to avoid hangs, so +let's apply it for all 4430. + +This helps a bit with thermal issues that seem to be related to memory +corruption when using sgx. It seems that other driver related issues +still remain though. + +Cc: Arthur Demchenkov +Cc: Merlijn Wajer +Cc: Sebastian Reichel +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap4.dtsi | 2 +- + arch/arm/boot/dts/omap443x.dtsi | 10 ++++++++++ + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/omap4.dtsi b/arch/arm/boot/dts/omap4.dtsi +index 4400f5f8e0992..a70c50edd764b 100644 +--- a/arch/arm/boot/dts/omap4.dtsi ++++ b/arch/arm/boot/dts/omap4.dtsi +@@ -389,7 +389,7 @@ + status = "disabled"; + }; + +- target-module@56000000 { ++ sgx_module: target-module@56000000 { + compatible = "ti,sysc-omap4", "ti,sysc"; + reg = <0x5600fe00 0x4>, + <0x5600fe10 0x4>; +diff --git a/arch/arm/boot/dts/omap443x.dtsi b/arch/arm/boot/dts/omap443x.dtsi +index cbcdcb4e7d1c2..86b9caf461dfa 100644 +--- a/arch/arm/boot/dts/omap443x.dtsi ++++ b/arch/arm/boot/dts/omap443x.dtsi +@@ -74,3 +74,13 @@ + }; + + /include/ "omap443x-clocks.dtsi" ++ ++/* ++ * Use dpll_per for sgx at 153.6MHz like droid4 stock v3.0.8 Android kernel ++ */ ++&sgx_module { ++ assigned-clocks = <&l3_gfx_clkctrl OMAP4_GPU_CLKCTRL 24>, ++ <&dpll_per_m7x2_ck>; ++ assigned-clock-rates = <0>, <153600000>; ++ assigned-clock-parents = <&dpll_per_m7x2_ck>; ++}; +-- +2.27.0 + diff --git a/queue-5.8/arm-dts-s5pv210-align-spi-gpio-node-name-with-dtsche.patch b/queue-5.8/arm-dts-s5pv210-align-spi-gpio-node-name-with-dtsche.patch new file mode 100644 index 00000000000..23eb5fb63d9 --- /dev/null +++ b/queue-5.8/arm-dts-s5pv210-align-spi-gpio-node-name-with-dtsche.patch @@ -0,0 +1,38 @@ +From 42a1ad94a21a0bf0b8e227671e7f531bc7c64ba3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 18:11:40 +0200 +Subject: ARM: dts: s5pv210: align SPI GPIO node name with dtschema in Aries + +From: Krzysztof Kozlowski + +[ Upstream commit 1ed7f6d0bab2f1794f1eb4ed032e90575552fd21 ] + +The device tree schema expects SPI controller to be named "spi", +otherwise dtbs_check complain with a warning like: + + spi-gpio-0: $nodename:0: 'spi-gpio-0' does not match '^spi(@.*|-[0-9a-f])*$' + +Signed-off-by: Krzysztof Kozlowski +Tested-by: Jonathan Bakker +Link: https://lore.kernel.org/r/20200907161141.31034-25-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210-aries.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/s5pv210-aries.dtsi b/arch/arm/boot/dts/s5pv210-aries.dtsi +index cf858029292ed..aa2138048165c 100644 +--- a/arch/arm/boot/dts/s5pv210-aries.dtsi ++++ b/arch/arm/boot/dts/s5pv210-aries.dtsi +@@ -507,7 +507,7 @@ + value = <0x5200>; + }; + +- spi_lcd: spi-gpio-0 { ++ spi_lcd: spi-2 { + compatible = "spi-gpio"; + #address-cells = <1>; + #size-cells = <0>; +-- +2.27.0 + diff --git a/queue-5.8/arm-dts-s5pv210-move-fixed-clocks-under-root-node.patch b/queue-5.8/arm-dts-s5pv210-move-fixed-clocks-under-root-node.patch new file mode 100644 index 00000000000..2d2ad0ec952 --- /dev/null +++ b/queue-5.8/arm-dts-s5pv210-move-fixed-clocks-under-root-node.patch @@ -0,0 +1,85 @@ +From 97d89c374e2a29710da707944b511f5ce68c7102 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 18:11:22 +0200 +Subject: ARM: dts: s5pv210: move fixed clocks under root node + +From: Krzysztof Kozlowski + +[ Upstream commit d38cae370e5f2094cbc38db3082b8e9509ae52ce ] + +The fixed clocks are kept under dedicated 'external-clocks' node, thus a +fake 'reg' was added. This is not correct with dtschema as fixed-clock +binding does not have a 'reg' property. Moving fixed clocks out of +'soc' to root node fixes multiple dtbs_check warnings: + + external-clocks: $nodename:0: 'external-clocks' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$' + external-clocks: #size-cells:0:0: 0 is not one of [1, 2] + external-clocks: oscillator@0:reg:0: [0] is too short + external-clocks: oscillator@1:reg:0: [1] is too short + external-clocks: 'ranges' is a required property + oscillator@0: 'reg' does not match any of the regexes: 'pinctrl-[0-9]+' + +Signed-off-by: Krzysztof Kozlowski +Tested-by: Jonathan Bakker +Link: https://lore.kernel.org/r/20200907161141.31034-7-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210.dtsi | 36 +++++++++++++--------------------- + 1 file changed, 14 insertions(+), 22 deletions(-) + +diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi +index 84e4447931de5..5c760a6d79557 100644 +--- a/arch/arm/boot/dts/s5pv210.dtsi ++++ b/arch/arm/boot/dts/s5pv210.dtsi +@@ -52,34 +52,26 @@ + }; + }; + ++ xxti: oscillator-0 { ++ compatible = "fixed-clock"; ++ clock-frequency = <0>; ++ clock-output-names = "xxti"; ++ #clock-cells = <0>; ++ }; ++ ++ xusbxti: oscillator-1 { ++ compatible = "fixed-clock"; ++ clock-frequency = <0>; ++ clock-output-names = "xusbxti"; ++ #clock-cells = <0>; ++ }; ++ + soc { + compatible = "simple-bus"; + #address-cells = <1>; + #size-cells = <1>; + ranges; + +- external-clocks { +- compatible = "simple-bus"; +- #address-cells = <1>; +- #size-cells = <0>; +- +- xxti: oscillator@0 { +- compatible = "fixed-clock"; +- reg = <0>; +- clock-frequency = <0>; +- clock-output-names = "xxti"; +- #clock-cells = <0>; +- }; +- +- xusbxti: oscillator@1 { +- compatible = "fixed-clock"; +- reg = <1>; +- clock-frequency = <0>; +- clock-output-names = "xusbxti"; +- #clock-cells = <0>; +- }; +- }; +- + onenand: onenand@b0600000 { + compatible = "samsung,s5pv210-onenand"; + reg = <0xb0600000 0x2000>, +-- +2.27.0 + diff --git a/queue-5.8/arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch b/queue-5.8/arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch new file mode 100644 index 00000000000..e4b6ae4a923 --- /dev/null +++ b/queue-5.8/arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch @@ -0,0 +1,57 @@ +From 21ca881bdecc6af30e0de403c83968f41dc5e250 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 18:11:23 +0200 +Subject: ARM: dts: s5pv210: move PMU node out of clock controller + +From: Krzysztof Kozlowski + +[ Upstream commit bb98fff84ad1ea321823759edaba573a16fa02bd ] + +The Power Management Unit (PMU) is a separate device which has little +common with clock controller. Moving it to one level up (from clock +controller child to SoC) allows to remove fake simple-bus compatible and +dtbs_check warnings like: + + clock-controller@e0100000: $nodename:0: + 'clock-controller@e0100000' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$' + +Signed-off-by: Krzysztof Kozlowski +Tested-by: Jonathan Bakker +Link: https://lore.kernel.org/r/20200907161141.31034-8-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210.dtsi | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi +index 5c760a6d79557..46221a5c8ce59 100644 +--- a/arch/arm/boot/dts/s5pv210.dtsi ++++ b/arch/arm/boot/dts/s5pv210.dtsi +@@ -92,19 +92,16 @@ + }; + + clocks: clock-controller@e0100000 { +- compatible = "samsung,s5pv210-clock", "simple-bus"; ++ compatible = "samsung,s5pv210-clock"; + reg = <0xe0100000 0x10000>; + clock-names = "xxti", "xusbxti"; + clocks = <&xxti>, <&xusbxti>; + #clock-cells = <1>; +- #address-cells = <1>; +- #size-cells = <1>; +- ranges; ++ }; + +- pmu_syscon: syscon@e0108000 { +- compatible = "samsung-s5pv210-pmu", "syscon"; +- reg = <0xe0108000 0x8000>; +- }; ++ pmu_syscon: syscon@e0108000 { ++ compatible = "samsung-s5pv210-pmu", "syscon"; ++ reg = <0xe0108000 0x8000>; + }; + + pinctrl0: pinctrl@e0200000 { +-- +2.27.0 + diff --git a/queue-5.8/arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch b/queue-5.8/arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch new file mode 100644 index 00000000000..cc710aa7d9e --- /dev/null +++ b/queue-5.8/arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch @@ -0,0 +1,106 @@ +From 430db4438be7ab616f76dcd28bca92d32dcb5a1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 18:11:24 +0200 +Subject: ARM: dts: s5pv210: remove dedicated 'audio-subsystem' node + +From: Krzysztof Kozlowski + +[ Upstream commit 6c17a2974abf68a58517f75741b15c4aba42b4b8 ] + +The 'audio-subsystem' node is an artificial creation, not representing +real hardware. The hardware is described by its nodes - AUDSS clock +controller and I2S0. + +Remove the 'audio-subsystem' node along with its undocumented compatible +to fix dtbs_check warnings like: + + audio-subsystem: $nodename:0: 'audio-subsystem' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$' + +Signed-off-by: Krzysztof Kozlowski +Tested-by: Jonathan Bakker +Link: https://lore.kernel.org/r/20200907161141.31034-9-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210.dtsi | 65 +++++++++++++++------------------- + 1 file changed, 29 insertions(+), 36 deletions(-) + +diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi +index 46221a5c8ce59..2871351ab9074 100644 +--- a/arch/arm/boot/dts/s5pv210.dtsi ++++ b/arch/arm/boot/dts/s5pv210.dtsi +@@ -223,43 +223,36 @@ + status = "disabled"; + }; + +- audio-subsystem { +- compatible = "samsung,s5pv210-audss", "simple-bus"; +- #address-cells = <1>; +- #size-cells = <1>; +- ranges; +- +- clk_audss: clock-controller@eee10000 { +- compatible = "samsung,s5pv210-audss-clock"; +- reg = <0xeee10000 0x1000>; +- clock-names = "hclk", "xxti", +- "fout_epll", +- "sclk_audio0"; +- clocks = <&clocks DOUT_HCLKP>, <&xxti>, +- <&clocks FOUT_EPLL>, +- <&clocks SCLK_AUDIO0>; +- #clock-cells = <1>; +- }; ++ clk_audss: clock-controller@eee10000 { ++ compatible = "samsung,s5pv210-audss-clock"; ++ reg = <0xeee10000 0x1000>; ++ clock-names = "hclk", "xxti", ++ "fout_epll", ++ "sclk_audio0"; ++ clocks = <&clocks DOUT_HCLKP>, <&xxti>, ++ <&clocks FOUT_EPLL>, ++ <&clocks SCLK_AUDIO0>; ++ #clock-cells = <1>; ++ }; + +- i2s0: i2s@eee30000 { +- compatible = "samsung,s5pv210-i2s"; +- reg = <0xeee30000 0x1000>; +- interrupt-parent = <&vic2>; +- interrupts = <16>; +- dma-names = "rx", "tx", "tx-sec"; +- dmas = <&pdma1 9>, <&pdma1 10>, <&pdma1 11>; +- clock-names = "iis", +- "i2s_opclk0", +- "i2s_opclk1"; +- clocks = <&clk_audss CLK_I2S>, +- <&clk_audss CLK_I2S>, +- <&clk_audss CLK_DOUT_AUD_BUS>; +- samsung,idma-addr = <0xc0010000>; +- pinctrl-names = "default"; +- pinctrl-0 = <&i2s0_bus>; +- #sound-dai-cells = <0>; +- status = "disabled"; +- }; ++ i2s0: i2s@eee30000 { ++ compatible = "samsung,s5pv210-i2s"; ++ reg = <0xeee30000 0x1000>; ++ interrupt-parent = <&vic2>; ++ interrupts = <16>; ++ dma-names = "rx", "tx", "tx-sec"; ++ dmas = <&pdma1 9>, <&pdma1 10>, <&pdma1 11>; ++ clock-names = "iis", ++ "i2s_opclk0", ++ "i2s_opclk1"; ++ clocks = <&clk_audss CLK_I2S>, ++ <&clk_audss CLK_I2S>, ++ <&clk_audss CLK_DOUT_AUD_BUS>; ++ samsung,idma-addr = <0xc0010000>; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&i2s0_bus>; ++ #sound-dai-cells = <0>; ++ status = "disabled"; + }; + + i2s1: i2s@e2100000 { +-- +2.27.0 + diff --git a/queue-5.8/arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch b/queue-5.8/arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch new file mode 100644 index 00000000000..47cb02cf0fb --- /dev/null +++ b/queue-5.8/arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch @@ -0,0 +1,87 @@ +From ff75bbcc676b91c0b14c2a19fcc2284b3ea72024 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 18:11:21 +0200 +Subject: ARM: dts: s5pv210: remove DMA controller bus node name to fix + dtschema warnings + +From: Krzysztof Kozlowski + +[ Upstream commit ea4e792f3c8931fffec4d700cf6197d84e9f35a6 ] + +There is no need to keep DMA controller nodes under AMBA bus node. +Remove the "amba" node to fix dtschema warnings like: + + amba: $nodename:0: 'amba' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$' + +Signed-off-by: Krzysztof Kozlowski +Tested-by: Jonathan Bakker +Link: https://lore.kernel.org/r/20200907161141.31034-6-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210.dtsi | 49 +++++++++++++++------------------- + 1 file changed, 21 insertions(+), 28 deletions(-) + +diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi +index 1b0ee884e91db..84e4447931de5 100644 +--- a/arch/arm/boot/dts/s5pv210.dtsi ++++ b/arch/arm/boot/dts/s5pv210.dtsi +@@ -128,35 +128,28 @@ + }; + }; + +- amba { +- #address-cells = <1>; +- #size-cells = <1>; +- compatible = "simple-bus"; +- ranges; +- +- pdma0: dma@e0900000 { +- compatible = "arm,pl330", "arm,primecell"; +- reg = <0xe0900000 0x1000>; +- interrupt-parent = <&vic0>; +- interrupts = <19>; +- clocks = <&clocks CLK_PDMA0>; +- clock-names = "apb_pclk"; +- #dma-cells = <1>; +- #dma-channels = <8>; +- #dma-requests = <32>; +- }; ++ pdma0: dma@e0900000 { ++ compatible = "arm,pl330", "arm,primecell"; ++ reg = <0xe0900000 0x1000>; ++ interrupt-parent = <&vic0>; ++ interrupts = <19>; ++ clocks = <&clocks CLK_PDMA0>; ++ clock-names = "apb_pclk"; ++ #dma-cells = <1>; ++ #dma-channels = <8>; ++ #dma-requests = <32>; ++ }; + +- pdma1: dma@e0a00000 { +- compatible = "arm,pl330", "arm,primecell"; +- reg = <0xe0a00000 0x1000>; +- interrupt-parent = <&vic0>; +- interrupts = <20>; +- clocks = <&clocks CLK_PDMA1>; +- clock-names = "apb_pclk"; +- #dma-cells = <1>; +- #dma-channels = <8>; +- #dma-requests = <32>; +- }; ++ pdma1: dma@e0a00000 { ++ compatible = "arm,pl330", "arm,primecell"; ++ reg = <0xe0a00000 0x1000>; ++ interrupt-parent = <&vic0>; ++ interrupts = <20>; ++ clocks = <&clocks CLK_PDMA1>; ++ clock-names = "apb_pclk"; ++ #dma-cells = <1>; ++ #dma-channels = <8>; ++ #dma-requests = <32>; + }; + + adc: adc@e1700000 { +-- +2.27.0 + diff --git a/queue-5.8/arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch b/queue-5.8/arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch new file mode 100644 index 00000000000..3622c4d75ae --- /dev/null +++ b/queue-5.8/arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch @@ -0,0 +1,36 @@ +From 82a0f6f3f538d7de79cc9b047fdf697c0d71aa90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jul 2020 21:33:21 +0900 +Subject: arm64: dts: renesas: ulcb: add full-pwr-cycle-in-suspend into eMMC + nodes + +From: Yoshihiro Shimoda + +[ Upstream commit 992d7a8b88c83c05664b649fc54501ce58e19132 ] + +Add full-pwr-cycle-in-suspend property to do a graceful shutdown of +the eMMC device in system suspend. + +Signed-off-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/1594989201-24228-1-git-send-email-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/ulcb.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/renesas/ulcb.dtsi b/arch/arm64/boot/dts/renesas/ulcb.dtsi +index ff88af8e39d3f..a2e085db87c53 100644 +--- a/arch/arm64/boot/dts/renesas/ulcb.dtsi ++++ b/arch/arm64/boot/dts/renesas/ulcb.dtsi +@@ -469,6 +469,7 @@ + mmc-hs200-1_8v; + mmc-hs400-1_8v; + non-removable; ++ full-pwr-cycle-in-suspend; + status = "okay"; + }; + +-- +2.27.0 + diff --git a/queue-5.8/arm64-efi-increase-efi-pe-coff-header-padding-to-64-.patch b/queue-5.8/arm64-efi-increase-efi-pe-coff-header-padding-to-64-.patch new file mode 100644 index 00000000000..9eb86086b72 --- /dev/null +++ b/queue-5.8/arm64-efi-increase-efi-pe-coff-header-padding-to-64-.patch @@ -0,0 +1,45 @@ +From 33f07498e257a4102580263c501ba150b66a3fa1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Oct 2020 08:32:06 +0100 +Subject: arm64: efi: increase EFI PE/COFF header padding to 64 KB + +From: Ard Biesheuvel + +[ Upstream commit a2d50c1c77aa879af24f9f67b33186737b3d4885 ] + +Commit 76085aff29f5 ("efi/libstub/arm64: align PE/COFF sections to segment +alignment") increased the PE/COFF section alignment to match the minimum +segment alignment of the kernel image, which ensures that the kernel does +not need to be moved around in memory by the EFI stub if it was built as +relocatable. + +However, the first PE/COFF section starts at _stext, which is only 4 KB +aligned, and so the section layout is inconsistent. Existing EFI loaders +seem to care little about this, but it is better to clean this up. + +So let's pad the header to 64 KB to match the PE/COFF section alignment. + +Fixes: 76085aff29f5 ("efi/libstub/arm64: align PE/COFF sections to segment alignment") +Signed-off-by: Ard Biesheuvel +Link: https://lore.kernel.org/r/20201027073209.2897-2-ardb@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/efi-header.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/efi-header.S b/arch/arm64/kernel/efi-header.S +index df67c0f2a077e..a71844fb923ee 100644 +--- a/arch/arm64/kernel/efi-header.S ++++ b/arch/arm64/kernel/efi-header.S +@@ -147,6 +147,6 @@ efi_debug_entry: + * correctly at this alignment, we must ensure that .text is + * placed at a 4k boundary in the Image to begin with. + */ +- .align 12 ++ .balign SEGMENT_ALIGN + efi_header_end: + .endm +-- +2.27.0 + diff --git a/queue-5.8/arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch b/queue-5.8/arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch new file mode 100644 index 00000000000..57dccc3fab4 --- /dev/null +++ b/queue-5.8/arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch @@ -0,0 +1,61 @@ +From 22db3eabf651fcdee630d089e9636763e1ddf719 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 10:39:36 +0800 +Subject: arm64/mm: return cpu_all_mask when node is NUMA_NO_NODE + +From: Zhengyuan Liu + +[ Upstream commit a194c5f2d2b3a05428805146afcabe5140b5d378 ] + +The @node passed to cpumask_of_node() can be NUMA_NO_NODE, in that +case it will trigger the following WARN_ON(node >= nr_node_ids) due to +mismatched data types of @node and @nr_node_ids. Actually we should +return cpu_all_mask just like most other architectures do if passed +NUMA_NO_NODE. + +Also add a similar check to the inline cpumask_of_node() in numa.h. + +Signed-off-by: Zhengyuan Liu +Reviewed-by: Gavin Shan +Link: https://lore.kernel.org/r/20200921023936.21846-1-liuzhengyuan@tj.kylinos.cn +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/numa.h | 3 +++ + arch/arm64/mm/numa.c | 6 +++++- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/include/asm/numa.h b/arch/arm64/include/asm/numa.h +index 626ad01e83bf0..dd870390d639f 100644 +--- a/arch/arm64/include/asm/numa.h ++++ b/arch/arm64/include/asm/numa.h +@@ -25,6 +25,9 @@ const struct cpumask *cpumask_of_node(int node); + /* Returns a pointer to the cpumask of CPUs on Node 'node'. */ + static inline const struct cpumask *cpumask_of_node(int node) + { ++ if (node == NUMA_NO_NODE) ++ return cpu_all_mask; ++ + return node_to_cpumask_map[node]; + } + #endif +diff --git a/arch/arm64/mm/numa.c b/arch/arm64/mm/numa.c +index aafcee3e3f7ef..58c83c2b8748f 100644 +--- a/arch/arm64/mm/numa.c ++++ b/arch/arm64/mm/numa.c +@@ -46,7 +46,11 @@ EXPORT_SYMBOL(node_to_cpumask_map); + */ + const struct cpumask *cpumask_of_node(int node) + { +- if (WARN_ON(node >= nr_node_ids)) ++ ++ if (node == NUMA_NO_NODE) ++ return cpu_all_mask; ++ ++ if (WARN_ON(node < 0 || node >= nr_node_ids)) + return cpu_none_mask; + + if (WARN_ON(node_to_cpumask_map[node] == NULL)) +-- +2.27.0 + diff --git a/queue-5.8/arm64-topology-stop-using-mpidr-for-topology-informa.patch b/queue-5.8/arm64-topology-stop-using-mpidr-for-topology-informa.patch new file mode 100644 index 00000000000..34afa030280 --- /dev/null +++ b/queue-5.8/arm64-topology-stop-using-mpidr-for-topology-informa.patch @@ -0,0 +1,138 @@ +From 7ff9b5c97511f261a95f1036f52167d63b9d0f34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Aug 2020 14:00:16 +0100 +Subject: arm64: topology: Stop using MPIDR for topology information + +From: Valentin Schneider + +[ Upstream commit 3102bc0e6ac752cc5df896acb557d779af4d82a1 ] + +In the absence of ACPI or DT topology data, we fallback to haphazardly +decoding *something* out of MPIDR. Sadly, the contents of that register are +mostly unusable due to the implementation leniancy and things like Aff0 +having to be capped to 15 (despite being encoded on 8 bits). + +Consider a simple system with a single package of 32 cores, all under the +same LLC. We ought to be shoving them in the same core_sibling mask, but +MPIDR is going to look like: + + | CPU | 0 | ... | 15 | 16 | ... | 31 | + |------+---+-----+----+----+-----+----+ + | Aff0 | 0 | ... | 15 | 0 | ... | 15 | + | Aff1 | 0 | ... | 0 | 1 | ... | 1 | + | Aff2 | 0 | ... | 0 | 0 | ... | 0 | + +Which will eventually yield + + core_sibling(0-15) == 0-15 + core_sibling(16-31) == 16-31 + +NUMA woes +========= + +If we try to play games with this and set up NUMA boundaries within those +groups of 16 cores via e.g. QEMU: + + # Node0: 0-9; Node1: 10-19 + $ qemu-system-aarch64 \ + -smp 20 -numa node,cpus=0-9,nodeid=0 -numa node,cpus=10-19,nodeid=1 + +The scheduler's MC domain (all CPUs with same LLC) is going to be built via + + arch_topology.c::cpu_coregroup_mask() + +In there we try to figure out a sensible mask out of the topology +information we have. In short, here we'll pick the smallest of NUMA or +core sibling mask. + + node_mask(CPU9) == 0-9 + core_sibling(CPU9) == 0-15 + +MC mask for CPU9 will thus be 0-9, not a problem. + + node_mask(CPU10) == 10-19 + core_sibling(CPU10) == 0-15 + +MC mask for CPU10 will thus be 10-19, not a problem. + + node_mask(CPU16) == 10-19 + core_sibling(CPU16) == 16-19 + +MC mask for CPU16 will thus be 16-19... Uh oh. CPUs 16-19 are in two +different unique MC spans, and the scheduler has no idea what to make of +that. That triggers the WARN_ON() added by commit + + ccf74128d66c ("sched/topology: Assert non-NUMA topology masks don't (partially) overlap") + +Fixing MPIDR-derived topology +============================= + +We could try to come up with some cleverer scheme to figure out which of +the available masks to pick, but really if one of those masks resulted from +MPIDR then it should be discarded because it's bound to be bogus. + +I was hoping to give MPIDR a chance for SMT, to figure out which threads are +in the same core using Aff1-3 as core ID, but Sudeep and Robin pointed out +to me that there are systems out there where *all* cores have non-zero +values in their higher affinity fields (e.g. RK3288 has "5" in all of its +cores' MPIDR.Aff1), which would expose a bogus core ID to userspace. + +Stop using MPIDR for topology information. When no other source of topology +information is available, mark each CPU as its own core and its NUMA node +as its LLC domain. + +Signed-off-by: Valentin Schneider +Reviewed-by: Sudeep Holla +Link: https://lore.kernel.org/r/20200829130016.26106-1-valentin.schneider@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/topology.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/arch/arm64/kernel/topology.c b/arch/arm64/kernel/topology.c +index 0801a0f3c156a..ff1dd1dbfe641 100644 +--- a/arch/arm64/kernel/topology.c ++++ b/arch/arm64/kernel/topology.c +@@ -36,21 +36,23 @@ void store_cpu_topology(unsigned int cpuid) + if (mpidr & MPIDR_UP_BITMASK) + return; + +- /* Create cpu topology mapping based on MPIDR. */ +- if (mpidr & MPIDR_MT_BITMASK) { +- /* Multiprocessor system : Multi-threads per core */ +- cpuid_topo->thread_id = MPIDR_AFFINITY_LEVEL(mpidr, 0); +- cpuid_topo->core_id = MPIDR_AFFINITY_LEVEL(mpidr, 1); +- cpuid_topo->package_id = MPIDR_AFFINITY_LEVEL(mpidr, 2) | +- MPIDR_AFFINITY_LEVEL(mpidr, 3) << 8; +- } else { +- /* Multiprocessor system : Single-thread per core */ +- cpuid_topo->thread_id = -1; +- cpuid_topo->core_id = MPIDR_AFFINITY_LEVEL(mpidr, 0); +- cpuid_topo->package_id = MPIDR_AFFINITY_LEVEL(mpidr, 1) | +- MPIDR_AFFINITY_LEVEL(mpidr, 2) << 8 | +- MPIDR_AFFINITY_LEVEL(mpidr, 3) << 16; +- } ++ /* ++ * This would be the place to create cpu topology based on MPIDR. ++ * ++ * However, it cannot be trusted to depict the actual topology; some ++ * pieces of the architecture enforce an artificial cap on Aff0 values ++ * (e.g. GICv3's ICC_SGI1R_EL1 limits it to 15), leading to an ++ * artificial cycling of Aff1, Aff2 and Aff3 values. IOW, these end up ++ * having absolutely no relationship to the actual underlying system ++ * topology, and cannot be reasonably used as core / package ID. ++ * ++ * If the MT bit is set, Aff0 *could* be used to define a thread ID, but ++ * we still wouldn't be able to obtain a sane core ID. This means we ++ * need to entirely ignore MPIDR for any topology deduction. ++ */ ++ cpuid_topo->thread_id = -1; ++ cpuid_topo->core_id = cpuid; ++ cpuid_topo->package_id = cpu_to_node(cpuid); + + pr_debug("CPU%u: cluster %d core %d thread %d mpidr %#016llx\n", + cpuid, cpuid_topo->package_id, cpuid_topo->core_id, +-- +2.27.0 + diff --git a/queue-5.8/asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch b/queue-5.8/asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch new file mode 100644 index 00000000000..f108ca1fcdb --- /dev/null +++ b/queue-5.8/asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch @@ -0,0 +1,114 @@ +From 1c5d5c353afac28113fbbb69a994c129d9c3b4b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 12:06:58 +0100 +Subject: asm-generic/io.h: Fix !CONFIG_GENERIC_IOMAP pci_iounmap() + implementation + +From: Lorenzo Pieralisi + +[ Upstream commit f5810e5c329238b8553ebd98b914bdbefd8e6737 ] + +For arches that do not select CONFIG_GENERIC_IOMAP, the current +pci_iounmap() function does nothing causing obvious memory leaks +for mapped regions that are backed by MMIO physical space. + +In order to detect if a mapped pointer is IO vs MMIO, a check must made +available to the pci_iounmap() function so that it can actually detect +whether the pointer has to be unmapped. + +In configurations where CONFIG_HAS_IOPORT_MAP && !CONFIG_GENERIC_IOMAP, +a mapped port is detected using an ioport_map() stub defined in +asm-generic/io.h. + +Use the same logic to implement a stub (ie __pci_ioport_unmap()) that +detects if the passed in pointer in pci_iounmap() is IO vs MMIO to +iounmap conditionally and call it in pci_iounmap() fixing the issue. + +Leave __pci_ioport_unmap() as a NOP for all other config options. + +Tested-by: George Cherian +Link: https://lore.kernel.org/lkml/20200905024811.74701-1-yangyingliang@huawei.com +Link: https://lore.kernel.org/lkml/20200824132046.3114383-1-george.cherian@marvell.com +Link: https://lore.kernel.org/r/a9daf8d8444d0ebd00bc6d64e336ec49dbb50784.1600254147.git.lorenzo.pieralisi@arm.com +Reported-by: George Cherian +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Catalin Marinas +Cc: Arnd Bergmann +Cc: George Cherian +Cc: Will Deacon +Cc: Bjorn Helgaas +Cc: Catalin Marinas +Cc: Yang Yingliang +Signed-off-by: Sasha Levin +--- + include/asm-generic/io.h | 39 +++++++++++++++++++++++++++------------ + 1 file changed, 27 insertions(+), 12 deletions(-) + +diff --git a/include/asm-generic/io.h b/include/asm-generic/io.h +index 30a3aab312e6c..89057394e1862 100644 +--- a/include/asm-generic/io.h ++++ b/include/asm-generic/io.h +@@ -911,18 +911,6 @@ static inline void iowrite64_rep(volatile void __iomem *addr, + #include + #define __io_virt(x) ((void __force *)(x)) + +-#ifndef CONFIG_GENERIC_IOMAP +-struct pci_dev; +-extern void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long max); +- +-#ifndef pci_iounmap +-#define pci_iounmap pci_iounmap +-static inline void pci_iounmap(struct pci_dev *dev, void __iomem *p) +-{ +-} +-#endif +-#endif /* CONFIG_GENERIC_IOMAP */ +- + /* + * Change virtual addresses to physical addresses and vv. + * These are pretty trivial +@@ -1016,6 +1004,16 @@ static inline void __iomem *ioport_map(unsigned long port, unsigned int nr) + port &= IO_SPACE_LIMIT; + return (port > MMIO_UPPER_LIMIT) ? NULL : PCI_IOBASE + port; + } ++#define __pci_ioport_unmap __pci_ioport_unmap ++static inline void __pci_ioport_unmap(void __iomem *p) ++{ ++ uintptr_t start = (uintptr_t) PCI_IOBASE; ++ uintptr_t addr = (uintptr_t) p; ++ ++ if (addr >= start && addr < start + IO_SPACE_LIMIT) ++ return; ++ iounmap(p); ++} + #endif + + #ifndef ioport_unmap +@@ -1030,6 +1028,23 @@ extern void ioport_unmap(void __iomem *p); + #endif /* CONFIG_GENERIC_IOMAP */ + #endif /* CONFIG_HAS_IOPORT_MAP */ + ++#ifndef CONFIG_GENERIC_IOMAP ++struct pci_dev; ++extern void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long max); ++ ++#ifndef __pci_ioport_unmap ++static inline void __pci_ioport_unmap(void __iomem *p) {} ++#endif ++ ++#ifndef pci_iounmap ++#define pci_iounmap pci_iounmap ++static inline void pci_iounmap(struct pci_dev *dev, void __iomem *p) ++{ ++ __pci_ioport_unmap(p); ++} ++#endif ++#endif /* CONFIG_GENERIC_IOMAP */ ++ + /* + * Convert a virtual cached pointer to an uncached pointer + */ +-- +2.27.0 + diff --git a/queue-5.8/asoc-sof-fix-a-runtime-pm-issue-in-sof-when-hdmi-cod.patch b/queue-5.8/asoc-sof-fix-a-runtime-pm-issue-in-sof-when-hdmi-cod.patch new file mode 100644 index 00000000000..dba8848bff2 --- /dev/null +++ b/queue-5.8/asoc-sof-fix-a-runtime-pm-issue-in-sof-when-hdmi-cod.patch @@ -0,0 +1,55 @@ +From 4bc26337ae8c5ea95a5416041df01a59070fb1b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 16:50:35 -0700 +Subject: ASoC: SOF: fix a runtime pm issue in SOF when HDMI codec doesn't work + +From: Rander Wang + +[ Upstream commit 6c63c954e1c52f1262f986f36d95f557c6f8fa94 ] + +When hda_codec_probe() doesn't initialize audio component, we disable +the codec and keep going. However,the resources are not released. The +child_count of SOF device is increased in snd_hdac_ext_bus_device_init +but is not decrease in error case, so SOF can't get suspended. + +snd_hdac_ext_bus_device_exit will be invoked in HDA framework if it +gets a error. Now copy this behavior to release resources and decrease +SOF device child_count to release SOF device. + +Signed-off-by: Rander Wang +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Bard Liao +Reviewed-by: Guennadi Liakhovetski +Signed-off-by: Ranjani Sridharan +Link: https://lore.kernel.org/r/20200825235040.1586478-3-ranjani.sridharan@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/intel/hda-codec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/sof/intel/hda-codec.c b/sound/soc/sof/intel/hda-codec.c +index 2c5c451fa19d7..c475955c6eeba 100644 +--- a/sound/soc/sof/intel/hda-codec.c ++++ b/sound/soc/sof/intel/hda-codec.c +@@ -151,7 +151,7 @@ static int hda_codec_probe(struct snd_sof_dev *sdev, int address, + if (!hdev->bus->audio_component) { + dev_dbg(sdev->dev, + "iDisp hw present but no driver\n"); +- return -ENOENT; ++ goto error; + } + hda_priv->need_display_power = true; + } +@@ -174,7 +174,7 @@ static int hda_codec_probe(struct snd_sof_dev *sdev, int address, + * other return codes without modification + */ + if (ret == 0) +- ret = -ENOENT; ++ goto error; + } + + return ret; +-- +2.27.0 + diff --git a/queue-5.8/ata-sata_nv-fix-retrieving-of-active-qcs.patch b/queue-5.8/ata-sata_nv-fix-retrieving-of-active-qcs.patch new file mode 100644 index 00000000000..47001d984d4 --- /dev/null +++ b/queue-5.8/ata-sata_nv-fix-retrieving-of-active-qcs.patch @@ -0,0 +1,43 @@ +From c124aced1bd6e10c5b68ac65f9b0679ee3cc609f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 07:28:19 +0200 +Subject: ata: sata_nv: Fix retrieving of active qcs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sascha Hauer + +[ Upstream commit 8e4c309f9f33b76c09daa02b796ef87918eee494 ] + +ata_qc_complete_multiple() has to be called with the tags physically +active, that is the hw tag is at bit 0. ap->qc_active has the same tag +at bit ATA_TAG_INTERNAL instead, so call ata_qc_get_active() to fix that +up. This is done in the vein of 8385d756e114 ("libata: Fix retrieving of +active qcs"). + +Fixes: 28361c403683 ("libata: add extra internal command") +Tested-by: Pali Rohár +Signed-off-by: Sascha Hauer +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_nv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/sata_nv.c b/drivers/ata/sata_nv.c +index eb9dc14e5147a..20190f66ced98 100644 +--- a/drivers/ata/sata_nv.c ++++ b/drivers/ata/sata_nv.c +@@ -2100,7 +2100,7 @@ static int nv_swncq_sdbfis(struct ata_port *ap) + pp->dhfis_bits &= ~done_mask; + pp->dmafis_bits &= ~done_mask; + pp->sdbfis_bits |= done_mask; +- ata_qc_complete_multiple(ap, ap->qc_active ^ done_mask); ++ ata_qc_complete_multiple(ap, ata_qc_get_active(ap) ^ done_mask); + + if (!ap->qc_active) { + DPRINTK("over\n"); +-- +2.27.0 + diff --git a/queue-5.8/ath10k-fix-retry-packets-update-in-station-dump.patch b/queue-5.8/ath10k-fix-retry-packets-update-in-station-dump.patch new file mode 100644 index 00000000000..6dc2113d6fb --- /dev/null +++ b/queue-5.8/ath10k-fix-retry-packets-update-in-station-dump.patch @@ -0,0 +1,75 @@ +From 393aa5711cf443bb0275f767d3dc80a9f7c1c715 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 20:29:01 +0300 +Subject: ath10k: fix retry packets update in station dump + +From: Venkateswara Naralasetty + +[ Upstream commit 67b927f9820847d30e97510b2f00cd142b9559b6 ] + +When tx status enabled, retry count is updated from tx completion status. +which is not working as expected due to firmware limitation where +firmware can not provide per MSDU rate statistics from tx completion +status. Due to this tx retry count is always 0 in station dump. + +Fix this issue by updating the retry packet count from per peer +statistics. This patch will not break on SDIO devices since, this retry +count is already updating from peer statistics for SDIO devices. + +Tested-on: QCA9984 PCI 10.4-3.6-00104 +Tested-on: QCA9882 PCI 10.2.4-1.0-00047 + +Signed-off-by: Venkateswara Naralasetty +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1591856446-26977-1-git-send-email-vnaralas@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/htt_rx.c | 8 +++++--- + drivers/net/wireless/ath/ath10k/mac.c | 5 +++-- + 2 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c +index 215ade6faf328..69ad4ca1a87c1 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -3583,12 +3583,14 @@ ath10k_update_per_peer_tx_stats(struct ath10k *ar, + } + + if (ar->htt.disable_tx_comp) { +- arsta->tx_retries += peer_stats->retry_pkts; + arsta->tx_failed += peer_stats->failed_pkts; +- ath10k_dbg(ar, ATH10K_DBG_HTT, "htt tx retries %d tx failed %d\n", +- arsta->tx_retries, arsta->tx_failed); ++ ath10k_dbg(ar, ATH10K_DBG_HTT, "tx failed %d\n", ++ arsta->tx_failed); + } + ++ arsta->tx_retries += peer_stats->retry_pkts; ++ ath10k_dbg(ar, ATH10K_DBG_HTT, "htt tx retries %d", arsta->tx_retries); ++ + if (ath10k_debug_is_extd_tx_stats_enabled(ar)) + ath10k_accumulate_per_peer_tx_stats(ar, arsta, peer_stats, + rate_idx); +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index 77daca67a8e14..3e3896214e8b2 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -8547,12 +8547,13 @@ static void ath10k_sta_statistics(struct ieee80211_hw *hw, + sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BITRATE); + + if (ar->htt.disable_tx_comp) { +- sinfo->tx_retries = arsta->tx_retries; +- sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_RETRIES); + sinfo->tx_failed = arsta->tx_failed; + sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_FAILED); + } + ++ sinfo->tx_retries = arsta->tx_retries; ++ sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_RETRIES); ++ + ath10k_mac_sta_get_peer_stats_info(ar, sta, sinfo); + } + +-- +2.27.0 + diff --git a/queue-5.8/ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch b/queue-5.8/ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch new file mode 100644 index 00000000000..25c581514c0 --- /dev/null +++ b/queue-5.8/ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch @@ -0,0 +1,58 @@ +From 013bf73d79cd18c2fe241a6dfb1313a6648a380b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 13:46:11 +0530 +Subject: ath10k: fix VHT NSS calculation when STBC is enabled + +From: Sathishkumar Muruganandam + +[ Upstream commit 99f41b8e43b8b4b31262adb8ac3e69088fff1289 ] + +When STBC is enabled, NSTS_SU value need to be accounted for VHT NSS +calculation for SU case. + +Without this fix, 1SS + STBC enabled case was reported wrongly as 2SS +in radiotap header on monitor mode capture. + +Tested-on: QCA9984 10.4-3.10-00047 + +Signed-off-by: Sathishkumar Muruganandam +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1597392971-3897-1-git-send-email-murugana@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/htt_rx.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c +index 69ad4ca1a87c1..a00498338b1cc 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -949,6 +949,7 @@ static void ath10k_htt_rx_h_rates(struct ath10k *ar, + u8 preamble = 0; + u8 group_id; + u32 info1, info2, info3; ++ u32 stbc, nsts_su; + + info1 = __le32_to_cpu(rxd->ppdu_start.info1); + info2 = __le32_to_cpu(rxd->ppdu_start.info2); +@@ -993,11 +994,16 @@ static void ath10k_htt_rx_h_rates(struct ath10k *ar, + */ + bw = info2 & 3; + sgi = info3 & 1; ++ stbc = (info2 >> 3) & 1; + group_id = (info2 >> 4) & 0x3F; + + if (GROUP_ID_IS_SU_MIMO(group_id)) { + mcs = (info3 >> 4) & 0x0F; +- nss = ((info2 >> 10) & 0x07) + 1; ++ nsts_su = ((info2 >> 10) & 0x07); ++ if (stbc) ++ nss = (nsts_su >> 2) + 1; ++ else ++ nss = (nsts_su + 1); + } else { + /* Hardware doesn't decode VHT-SIG-B into Rx descriptor + * so it's impossible to decode MCS. Also since +-- +2.27.0 + diff --git a/queue-5.8/ath10k-start-recovery-process-when-payload-length-ex.patch b/queue-5.8/ath10k-start-recovery-process-when-payload-length-ex.patch new file mode 100644 index 00000000000..b879c2e649e --- /dev/null +++ b/queue-5.8/ath10k-start-recovery-process-when-payload-length-ex.patch @@ -0,0 +1,85 @@ +From d6e16b40da053b815eff335ae9ffb05292700bef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 18:17:08 +0300 +Subject: ath10k: start recovery process when payload length exceeds max htc + length for sdio + +From: Wen Gong + +[ Upstream commit 2fd3c8f34d08af0a6236085f9961866ad92ef9ec ] + +When simulate random transfer fail for sdio write and read, it happened +"payload length exceeds max htc length" and recovery later sometimes. + +Test steps: +1. Add config and update kernel: +CONFIG_FAIL_MMC_REQUEST=y +CONFIG_FAULT_INJECTION=y +CONFIG_FAULT_INJECTION_DEBUG_FS=y + +2. Run simulate fail: +cd /sys/kernel/debug/mmc1/fail_mmc_request +echo 10 > probability +echo 10 > times # repeat until hitting issues + +3. It happened payload length exceeds max htc length. +[ 199.935506] ath10k_sdio mmc1:0001:1: payload length 57005 exceeds max htc length: 4088 +.... +[ 264.990191] ath10k_sdio mmc1:0001:1: payload length 57005 exceeds max htc length: 4088 + +4. after some time, such as 60 seconds, it start recovery which triggered +by wmi command timeout for periodic scan. +[ 269.229232] ieee80211 phy0: Hardware restart was requested +[ 269.734693] ath10k_sdio mmc1:0001:1: device successfully recovered + +The simulate fail of sdio is not a real sdio transter fail, it only +set an error status in mmc_should_fail_request after the transfer end, +actually the transfer is success, then sdio_io_rw_ext_helper will +return error status and stop transfer the left data. For example, +the really RX len is 286 bytes, then it will split to 2 blocks in +sdio_io_rw_ext_helper, one is 256 bytes, left is 30 bytes, if the +first 256 bytes get an error status by mmc_should_fail_request,then +the left 30 bytes will not read in this RX operation. Then when the +next RX arrive, the left 30 bytes will be considered as the header +of the read, the top 4 bytes of the 30 bytes will be considered as +lookaheads, but actually the 4 bytes is not the lookaheads, so the len +from this lookaheads is not correct, it exceeds max htc length 4088 +sometimes. When happened exceeds, the buffer chain is not matched between +firmware and ath10k, then it need to start recovery ASAP. Recently then +recovery will be started by wmi command timeout, but it will be long time +later, for example, it is 60+ seconds later from the periodic scan, if +it does not have periodic scan, it will be longer. + +Start recovery when it happened "payload length exceeds max htc length" +will be reasonable. + +This patch only effect sdio chips. + +Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00029. + +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200108031957.22308-3-wgong@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/sdio.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c +index 63f882c690bff..0841e69b10b1a 100644 +--- a/drivers/net/wireless/ath/ath10k/sdio.c ++++ b/drivers/net/wireless/ath/ath10k/sdio.c +@@ -557,6 +557,10 @@ static int ath10k_sdio_mbox_rx_alloc(struct ath10k *ar, + le16_to_cpu(htc_hdr->len), + ATH10K_HTC_MBOX_MAX_PAYLOAD_LENGTH); + ret = -ENOMEM; ++ ++ queue_work(ar->workqueue, &ar->restart_work); ++ ath10k_warn(ar, "exceeds length, start recovery\n"); ++ + goto err; + } + +-- +2.27.0 + diff --git a/queue-5.8/ath11k-change-to-disable-softirqs-for-ath11k_regd_up.patch b/queue-5.8/ath11k-change-to-disable-softirqs-for-ath11k_regd_up.patch new file mode 100644 index 00000000000..444772bf5ad --- /dev/null +++ b/queue-5.8/ath11k-change-to-disable-softirqs-for-ath11k_regd_up.patch @@ -0,0 +1,137 @@ +From 42f382d323a8f9d3122b43e56cffc0600af146cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 20:15:34 +0300 +Subject: ath11k: change to disable softirqs for ath11k_regd_update to solve + deadlock + +From: Wen Gong + +[ Upstream commit df648808c6b9989555e247530d8ca0ad0094b361 ] + +After base_lock which occupy by ath11k_regd_update, the softirq run for +WMI_REG_CHAN_LIST_CC_EVENTID maybe arrived and it also need to accuire +the spin lock, then deadlock happend, change to disable softirqis to solve it. + +[ 235.576990] ================================ +[ 235.576991] WARNING: inconsistent lock state +[ 235.576993] 5.9.0-rc5-wt-ath+ #196 Not tainted +[ 235.576994] -------------------------------- +[ 235.576995] inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. +[ 235.576997] kworker/u16:1/98 [HC0[0]:SC0[0]:HE1:SE1] takes: +[ 235.576998] ffff9655f75cad98 (&ab->base_lock){+.?.}-{2:2}, at: ath11k_regd_update+0x28/0x1d0 [ath11k] +[ 235.577009] {IN-SOFTIRQ-W} state was registered at: +[ 235.577013] __lock_acquire+0x219/0x6e0 +[ 235.577015] lock_acquire+0xb6/0x270 +[ 235.577018] _raw_spin_lock+0x2c/0x70 +[ 235.577023] ath11k_reg_chan_list_event.isra.0+0x10d/0x1e0 [ath11k] +[ 235.577028] ath11k_wmi_tlv_op_rx+0x3c3/0x560 [ath11k] +[ 235.577033] ath11k_htc_rx_completion_handler+0x207/0x370 [ath11k] +[ 235.577039] ath11k_ce_recv_process_cb+0x15e/0x1e0 [ath11k] +[ 235.577041] ath11k_pci_ce_tasklet+0x10/0x30 [ath11k_pci] +[ 235.577043] tasklet_action_common.constprop.0+0xd4/0xf0 +[ 235.577045] __do_softirq+0xc9/0x482 +[ 235.577046] asm_call_on_stack+0x12/0x20 +[ 235.577048] do_softirq_own_stack+0x49/0x60 +[ 235.577049] irq_exit_rcu+0x9a/0xd0 +[ 235.577050] common_interrupt+0xa1/0x190 +[ 235.577052] asm_common_interrupt+0x1e/0x40 +[ 235.577053] cpu_idle_poll.isra.0+0x2e/0x60 +[ 235.577055] do_idle+0x5f/0xe0 +[ 235.577056] cpu_startup_entry+0x14/0x20 +[ 235.577058] start_kernel+0x443/0x464 +[ 235.577060] secondary_startup_64+0xa4/0xb0 +[ 235.577061] irq event stamp: 432035 +[ 235.577063] hardirqs last enabled at (432035): [] _raw_spin_unlock_irqrestore+0x34/0x40 +[ 235.577064] hardirqs last disabled at (432034): [] _raw_spin_lock_irqsave+0x63/0x80 +[ 235.577066] softirqs last enabled at (431998): [] inet6_fill_ifla6_attrs+0x3f1/0x430 +[ 235.577067] softirqs last disabled at (431996): [] inet6_fill_ifla6_attrs+0x3cf/0x430 +[ 235.577068] +[ 235.577068] other info that might help us debug this: +[ 235.577069] Possible unsafe locking scenario: +[ 235.577069] +[ 235.577070] CPU0 +[ 235.577070] ---- +[ 235.577071] lock(&ab->base_lock); +[ 235.577072] +[ 235.577073] lock(&ab->base_lock); +[ 235.577074] +[ 235.577074] *** DEADLOCK *** +[ 235.577074] +[ 235.577075] 3 locks held by kworker/u16:1/98: +[ 235.577076] #0: ffff9655f75b1d48 ((wq_completion)ath11k_qmi_driver_event){+.+.}-{0:0}, at: process_one_work+0x1d3/0x5d0 +[ 235.577079] #1: ffffa33cc02f3e70 ((work_completion)(&ab->qmi.event_work)){+.+.}-{0:0}, at: process_one_work+0x1d3/0x5d0 +[ 235.577081] #2: ffff9655f75cad50 (&ab->core_lock){+.+.}-{3:3}, at: ath11k_core_qmi_firmware_ready.part.0+0x4e/0x160 [ath11k] +[ 235.577087] +[ 235.577087] stack backtrace: +[ 235.577088] CPU: 3 PID: 98 Comm: kworker/u16:1 Not tainted 5.9.0-rc5-wt-ath+ #196 +[ 235.577089] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0049.2018.0801.1601 08/01/2018 +[ 235.577095] Workqueue: ath11k_qmi_driver_event ath11k_qmi_driver_event_work [ath11k] +[ 235.577096] Call Trace: +[ 235.577100] dump_stack+0x77/0xa0 +[ 235.577102] mark_lock_irq.cold+0x15/0x3c +[ 235.577104] mark_lock+0x1d7/0x540 +[ 235.577105] mark_usage+0xc7/0x140 +[ 235.577107] __lock_acquire+0x219/0x6e0 +[ 235.577108] ? sched_clock_cpu+0xc/0xb0 +[ 235.577110] lock_acquire+0xb6/0x270 +[ 235.577116] ? ath11k_regd_update+0x28/0x1d0 [ath11k] +[ 235.577118] ? atomic_notifier_chain_register+0x2d/0x40 +[ 235.577120] _raw_spin_lock+0x2c/0x70 +[ 235.577125] ? ath11k_regd_update+0x28/0x1d0 [ath11k] +[ 235.577130] ath11k_regd_update+0x28/0x1d0 [ath11k] +[ 235.577136] __ath11k_mac_register+0x3fb/0x480 [ath11k] +[ 235.577141] ath11k_mac_register+0x119/0x180 [ath11k] +[ 235.577146] ath11k_core_pdev_create+0x17/0xe0 [ath11k] +[ 235.577150] ath11k_core_qmi_firmware_ready.part.0+0x65/0x160 [ath11k] +[ 235.577155] ath11k_qmi_driver_event_work+0x1c5/0x230 [ath11k] +[ 235.577158] process_one_work+0x265/0x5d0 +[ 235.577160] worker_thread+0x49/0x300 +[ 235.577161] ? process_one_work+0x5d0/0x5d0 +[ 235.577163] kthread+0x135/0x150 +[ 235.577164] ? kthread_create_worker_on_cpu+0x60/0x60 +[ 235.577166] ret_from_fork+0x22/0x30 + +Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 + +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1601399736-3210-7-git-send-email-kvalo@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/reg.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/reg.c b/drivers/net/wireless/ath/ath11k/reg.c +index 453aa9c069691..dc52d701ad08f 100644 +--- a/drivers/net/wireless/ath/ath11k/reg.c ++++ b/drivers/net/wireless/ath/ath11k/reg.c +@@ -202,7 +202,7 @@ int ath11k_regd_update(struct ath11k *ar, bool init) + ab = ar->ab; + pdev_id = ar->pdev_idx; + +- spin_lock(&ab->base_lock); ++ spin_lock_bh(&ab->base_lock); + + if (init) { + /* Apply the regd received during init through +@@ -223,7 +223,7 @@ int ath11k_regd_update(struct ath11k *ar, bool init) + + if (!regd) { + ret = -EINVAL; +- spin_unlock(&ab->base_lock); ++ spin_unlock_bh(&ab->base_lock); + goto err; + } + +@@ -234,7 +234,7 @@ int ath11k_regd_update(struct ath11k *ar, bool init) + if (regd_copy) + ath11k_copy_regd(regd, regd_copy); + +- spin_unlock(&ab->base_lock); ++ spin_unlock_bh(&ab->base_lock); + + if (!regd_copy) { + ret = -ENOMEM; +-- +2.27.0 + diff --git a/queue-5.8/ath11k-fix-warning-caused-by-lockdep_assert_held.patch b/queue-5.8/ath11k-fix-warning-caused-by-lockdep_assert_held.patch new file mode 100644 index 00000000000..5f2b3041abd --- /dev/null +++ b/queue-5.8/ath11k-fix-warning-caused-by-lockdep_assert_held.patch @@ -0,0 +1,77 @@ +From 0159c718632ceddc5b276716ba2afed2fd6d8084 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Sep 2020 13:51:12 +0300 +Subject: ath11k: fix warning caused by lockdep_assert_held + +From: Carl Huang + +[ Upstream commit 2f588660e34a982377109872757f1b99d7748d21 ] + +Fix warning caused by lockdep_assert_held when CONFIG_LOCKDEP is enabled. + +[ 271.940647] WARNING: CPU: 6 PID: 0 at drivers/net/wireless/ath/ath11k/hal.c:818 ath11k_hal_srng_access_begin+0x31/0x40 [ath11k] +[ 271.940655] Modules linked in: qrtr_mhi qrtr ns ath11k_pci mhi ath11k qmi_helpers nvme nvme_core +[ 271.940675] CPU: 6 PID: 0 Comm: swapper/6 Kdump: loaded Tainted: G W 5.9.0-rc5-kalle-bringup-wt-ath+ #4 +[ 271.940682] Hardware name: Dell Inc. Inspiron 7590/08717F, BIOS 1.3.0 07/22/2019 +[ 271.940698] RIP: 0010:ath11k_hal_srng_access_begin+0x31/0x40 [ath11k] +[ 271.940708] Code: 48 89 f3 85 c0 75 11 48 8b 83 a8 00 00 00 8b 00 89 83 b0 00 00 00 5b c3 48 8d 7e 58 be ff ff ff ff e8 53 24 ec fa 85 c0 75 dd <0f> 0b eb d9 90 66 2e 0f 1f 84 00 00 00 00 00 55 53 48 89 f3 8b 35 +[ 271.940718] RSP: 0018:ffffbdf0c0230df8 EFLAGS: 00010246 +[ 271.940727] RAX: 0000000000000000 RBX: ffffa12b34e67680 RCX: ffffa12b57a0d800 +[ 271.940735] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffffa12b34e676d8 +[ 271.940742] RBP: ffffa12b34e60000 R08: 0000000000000001 R09: 0000000000000001 +[ 271.940753] R10: 0000000000000001 R11: 0000000000000046 R12: 0000000000000000 +[ 271.940763] R13: ffffa12b34e60000 R14: ffffa12b34e60000 R15: 0000000000000000 +[ 271.940774] FS: 0000000000000000(0000) GS:ffffa12b5a400000(0000) knlGS:0000000000000000 +[ 271.940788] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 271.940798] CR2: 00007f8bef282008 CR3: 00000001f4224004 CR4: 00000000003706e0 +[ 271.940805] Call Trace: +[ 271.940813] +[ 271.940835] ath11k_dp_tx_completion_handler+0x9e/0x950 [ath11k] +[ 271.940847] ? lock_acquire+0xba/0x3b0 +[ 271.940876] ath11k_dp_service_srng+0x5a/0x2e0 [ath11k] +[ 271.940893] ath11k_pci_ext_grp_napi_poll+0x1e/0x80 [ath11k_pci] +[ 271.940908] net_rx_action+0x283/0x4f0 +[ 271.940931] __do_softirq+0xcb/0x499 +[ 271.940950] asm_call_on_stack+0x12/0x20 +[ 271.940963] +[ 271.940979] do_softirq_own_stack+0x4d/0x60 +[ 271.940991] irq_exit_rcu+0xb0/0xc0 +[ 271.941001] common_interrupt+0xce/0x190 +[ 271.941014] asm_common_interrupt+0x1e/0x40 +[ 271.941026] RIP: 0010:cpuidle_enter_state+0x115/0x500 + +Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 + +Signed-off-by: Carl Huang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1601463073-12106-5-git-send-email-kvalo@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/dp_tx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath11k/dp_tx.c b/drivers/net/wireless/ath/ath11k/dp_tx.c +index 41c990aec6b7d..7264bbdf76750 100644 +--- a/drivers/net/wireless/ath/ath11k/dp_tx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_tx.c +@@ -509,6 +509,8 @@ void ath11k_dp_tx_completion_handler(struct ath11k_base *ab, int ring_id) + u32 msdu_id; + u8 mac_id; + ++ spin_lock_bh(&status_ring->lock); ++ + ath11k_hal_srng_access_begin(ab, status_ring); + + while ((ATH11K_TX_COMPL_NEXT(tx_ring->tx_status_head) != +@@ -528,6 +530,8 @@ void ath11k_dp_tx_completion_handler(struct ath11k_base *ab, int ring_id) + + ath11k_hal_srng_access_end(ab, status_ring); + ++ spin_unlock_bh(&status_ring->lock); ++ + while (ATH11K_TX_COMPL_NEXT(tx_ring->tx_status_tail) != tx_ring->tx_status_head) { + struct hal_wbm_release_ring *tx_status; + u32 desc_id; +-- +2.27.0 + diff --git a/queue-5.8/ath11k-use-gfp_atomic-instead-of-gfp_kernel-in-ath11.patch b/queue-5.8/ath11k-use-gfp_atomic-instead-of-gfp_kernel-in-ath11.patch new file mode 100644 index 00000000000..e4875232c9f --- /dev/null +++ b/queue-5.8/ath11k-use-gfp_atomic-instead-of-gfp_kernel-in-ath11.patch @@ -0,0 +1,82 @@ +From 51476ba8851eeb6d15d2e5b5d1bf0b7a1617000f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 20:15:35 +0300 +Subject: ath11k: Use GFP_ATOMIC instead of GFP_KERNEL in + ath11k_dp_htt_get_ppdu_desc + +From: Wen Gong + +[ Upstream commit 6a8be1baa9116a038cb4f6158cc10134387ca0d0 ] + +With SLUB DEBUG CONFIG below crash is seen as kmem_cache_alloc +is being called in non-atomic context. + +To fix this issue, use GFP_ATOMIC instead of GFP_KERNEL kzalloc. + +[ 357.217088] BUG: sleeping function called from invalid context at mm/slab.h:498 +[ 357.217091] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/0 +[ 357.217092] INFO: lockdep is turned off. +[ 357.217095] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.9.0-rc5-wt-ath+ #196 +[ 357.217096] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0049.2018.0801.1601 08/01/2018 +[ 357.217097] Call Trace: +[ 357.217098] +[ 357.217107] ? ath11k_dp_htt_get_ppdu_desc+0xa9/0x170 [ath11k] +[ 357.217110] dump_stack+0x77/0xa0 +[ 357.217113] ___might_sleep.cold+0xa6/0xb6 +[ 357.217116] kmem_cache_alloc_trace+0x1f2/0x270 +[ 357.217122] ath11k_dp_htt_get_ppdu_desc+0xa9/0x170 [ath11k] +[ 357.217129] ath11k_htt_pull_ppdu_stats.isra.0+0x96/0x270 [ath11k] +[ 357.217135] ath11k_dp_htt_htc_t2h_msg_handler+0xe7/0x1d0 [ath11k] +[ 357.217137] ? trace_hardirqs_on+0x1c/0x100 +[ 357.217143] ath11k_htc_rx_completion_handler+0x207/0x370 [ath11k] +[ 357.217149] ath11k_ce_recv_process_cb+0x15e/0x1e0 [ath11k] +[ 357.217151] ? handle_irq_event+0x70/0xa8 +[ 357.217154] ath11k_pci_ce_tasklet+0x10/0x30 [ath11k_pci] +[ 357.217157] tasklet_action_common.constprop.0+0xd4/0xf0 +[ 357.217160] __do_softirq+0xc9/0x482 +[ 357.217162] asm_call_on_stack+0x12/0x20 +[ 357.217163] +[ 357.217166] do_softirq_own_stack+0x49/0x60 +[ 357.217167] irq_exit_rcu+0x9a/0xd0 +[ 357.217169] common_interrupt+0xa1/0x190 +[ 357.217171] asm_common_interrupt+0x1e/0x40 +[ 357.217173] RIP: 0010:cpu_idle_poll.isra.0+0x2e/0x60 +[ 357.217175] Code: 8b 35 26 27 74 69 e8 11 c8 3d ff e8 bc fa 42 ff e8 e7 9f 4a ff fb 65 48 8b 1c 25 80 90 01 00 48 8b 03 a8 08 74 0b eb 1c f3 90 <48> 8b 03 a8 08 75 13 8b 0 +[ 357.217177] RSP: 0018:ffffffff97403ee0 EFLAGS: 00000202 +[ 357.217178] RAX: 0000000000000001 RBX: ffffffff9742b8c0 RCX: 0000000000b890ca +[ 357.217180] RDX: 0000000000b890ca RSI: 0000000000000001 RDI: ffffffff968d0c49 +[ 357.217181] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001 +[ 357.217182] R10: ffffffff9742b8c0 R11: 0000000000000046 R12: 0000000000000000 +[ 357.217183] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000066fdf520 +[ 357.217186] ? cpu_idle_poll.isra.0+0x19/0x60 +[ 357.217189] do_idle+0x5f/0xe0 +[ 357.217191] cpu_startup_entry+0x14/0x20 +[ 357.217193] start_kernel+0x443/0x464 +[ 357.217196] secondary_startup_64+0xa4/0xb0 + +Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 + +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1601399736-3210-8-git-send-email-kvalo@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/dp_rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c +index a54610d75c40a..69cc40cad12fb 100644 +--- a/drivers/net/wireless/ath/ath11k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c +@@ -1423,7 +1423,7 @@ struct htt_ppdu_stats_info *ath11k_dp_htt_get_ppdu_desc(struct ath11k *ar, + } + spin_unlock_bh(&ar->data_lock); + +- ppdu_info = kzalloc(sizeof(*ppdu_info), GFP_KERNEL); ++ ppdu_info = kzalloc(sizeof(*ppdu_info), GFP_ATOMIC); + if (!ppdu_info) + return NULL; + +-- +2.27.0 + diff --git a/queue-5.8/block-consider-only-dispatched-requests-for-inflight.patch b/queue-5.8/block-consider-only-dispatched-requests-for-inflight.patch new file mode 100644 index 00000000000..d9d8a6378bc --- /dev/null +++ b/queue-5.8/block-consider-only-dispatched-requests-for-inflight.patch @@ -0,0 +1,53 @@ +From 6a6a9de3b447723e4c15644eac6e1feb954193b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Oct 2020 15:41:25 -0400 +Subject: block: Consider only dispatched requests for inflight statistic + +From: Gabriel Krisman Bertazi + +[ Upstream commit a926c7afffcc0f2e35e6acbccb16921bacf34617 ] + +According to Documentation/block/stat.rst, inflight should not include +I/O requests that are in the queue but not yet dispatched to the device, +but blk-mq identifies as inflight any request that has a tag allocated, +which, for queues without elevator, happens at request allocation time +and before it is queued in the ctx (default case in blk_mq_submit_bio). + +In addition, current behavior is different for queues with elevator from +queues without it, since for the former the driver tag is allocated at +dispatch time. A more precise approach would be to only consider +requests with state MQ_RQ_IN_FLIGHT. + +This effectively reverts commit 6131837b1de6 ("blk-mq: count allocated +but not started requests in iostats inflight") to consolidate blk-mq +behavior with itself (elevator case) and with original documentation, +but it differs from the behavior used by the legacy path. + +This version differs from v1 by using blk_mq_rq_state to access the +state attribute. Avoid using blk_mq_request_started, which was +suggested, since we don't want to include MQ_RQ_COMPLETE. + +Signed-off-by: Gabriel Krisman Bertazi +Cc: Omar Sandoval +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 8e623e0282757..88b0dc0034cff 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -103,7 +103,7 @@ static bool blk_mq_check_inflight(struct blk_mq_hw_ctx *hctx, + { + struct mq_inflight *mi = priv; + +- if (rq->part == mi->part) ++ if (rq->part == mi->part && blk_mq_rq_state(rq) == MQ_RQ_IN_FLIGHT) + mi->inflight[rq_data_dir(rq)]++; + + return true; +-- +2.27.0 + diff --git a/queue-5.8/bnxt_en-log-unknown-link-speed-appropriately.patch b/queue-5.8/bnxt_en-log-unknown-link-speed-appropriately.patch new file mode 100644 index 00000000000..4c856a45d34 --- /dev/null +++ b/queue-5.8/bnxt_en-log-unknown-link-speed-appropriately.patch @@ -0,0 +1,51 @@ +From 18c1ae7c087a07aea4965a4d8667afcc7c9d075a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 05:10:51 -0400 +Subject: bnxt_en: Log unknown link speed appropriately. + +From: Michael Chan + +[ Upstream commit 8eddb3e7ce124dd6375d3664f1aae13873318b0f ] + +If the VF virtual link is set to always enabled, the speed may be +unknown when the physical link is down. The driver currently logs +the link speed as 4294967295 Mbps which is SPEED_UNKNOWN. Modify +the link up log message as "speed unknown" which makes more sense. + +Reviewed-by: Vasundhara Volam +Reviewed-by: Edwin Peer +Signed-off-by: Michael Chan +Link: https://lore.kernel.org/r/1602493854-29283-7-git-send-email-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index f3c125d50d7a0..f41a9fa29bb06 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -8419,6 +8419,11 @@ static void bnxt_report_link(struct bnxt *bp) + u16 fec; + + netif_carrier_on(bp->dev); ++ speed = bnxt_fw_to_ethtool_speed(bp->link_info.link_speed); ++ if (speed == SPEED_UNKNOWN) { ++ netdev_info(bp->dev, "NIC Link is Up, speed unknown\n"); ++ return; ++ } + if (bp->link_info.duplex == BNXT_LINK_DUPLEX_FULL) + duplex = "full"; + else +@@ -8431,7 +8436,6 @@ static void bnxt_report_link(struct bnxt *bp) + flow_ctrl = "ON - receive"; + else + flow_ctrl = "none"; +- speed = bnxt_fw_to_ethtool_speed(bp->link_info.link_speed); + netdev_info(bp->dev, "NIC Link is Up, %u Mbps %s duplex, Flow control: %s\n", + speed, duplex, flow_ctrl); + if (bp->flags & BNXT_FLAG_EEE_CAP) +-- +2.27.0 + diff --git a/queue-5.8/bpf-permit-map_ptr-arithmetic-with-opcode-add-and-of.patch b/queue-5.8/bpf-permit-map_ptr-arithmetic-with-opcode-add-and-of.patch new file mode 100644 index 00000000000..d0d3697f318 --- /dev/null +++ b/queue-5.8/bpf-permit-map_ptr-arithmetic-with-opcode-add-and-of.patch @@ -0,0 +1,119 @@ +From 57c3cb139e8294e415f72bf81c24ec01ae3eea3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 10:57:02 -0700 +Subject: bpf: Permit map_ptr arithmetic with opcode add and offset 0 + +From: Yonghong Song + +[ Upstream commit 7c6967326267bd5c0dded0a99541357d70dd11ac ] + +Commit 41c48f3a98231 ("bpf: Support access +to bpf map fields") added support to access map fields +with CORE support. For example, + + struct bpf_map { + __u32 max_entries; + } __attribute__((preserve_access_index)); + + struct bpf_array { + struct bpf_map map; + __u32 elem_size; + } __attribute__((preserve_access_index)); + + struct { + __uint(type, BPF_MAP_TYPE_ARRAY); + __uint(max_entries, 4); + __type(key, __u32); + __type(value, __u32); + } m_array SEC(".maps"); + + SEC("cgroup_skb/egress") + int cg_skb(void *ctx) + { + struct bpf_array *array = (struct bpf_array *)&m_array; + + /* .. array->map.max_entries .. */ + } + +In kernel, bpf_htab has similar structure, + + struct bpf_htab { + struct bpf_map map; + ... + } + +In the above cg_skb(), to access array->map.max_entries, with CORE, the clang will +generate two builtin's. + base = &m_array; + /* access array.map */ + map_addr = __builtin_preserve_struct_access_info(base, 0, 0); + /* access array.map.max_entries */ + max_entries_addr = __builtin_preserve_struct_access_info(map_addr, 0, 0); + max_entries = *max_entries_addr; + +In the current llvm, if two builtin's are in the same function or +in the same function after inlining, the compiler is smart enough to chain +them together and generates like below: + base = &m_array; + max_entries = *(base + reloc_offset); /* reloc_offset = 0 in this case */ +and we are fine. + +But if we force no inlining for one of functions in test_map_ptr() selftest, e.g., +check_default(), the above two __builtin_preserve_* will be in two different +functions. In this case, we will have code like: + func check_hash(): + reloc_offset_map = 0; + base = &m_array; + map_base = base + reloc_offset_map; + check_default(map_base, ...) + func check_default(map_base, ...): + max_entries = *(map_base + reloc_offset_max_entries); + +In kernel, map_ptr (CONST_PTR_TO_MAP) does not allow any arithmetic. +The above "map_base = base + reloc_offset_map" will trigger a verifier failure. + ; VERIFY(check_default(&hash->map, map)); + 0: (18) r7 = 0xffffb4fe8018a004 + 2: (b4) w1 = 110 + 3: (63) *(u32 *)(r7 +0) = r1 + R1_w=invP110 R7_w=map_value(id=0,off=4,ks=4,vs=8,imm=0) R10=fp0 + ; VERIFY_TYPE(BPF_MAP_TYPE_HASH, check_hash); + 4: (18) r1 = 0xffffb4fe8018a000 + 6: (b4) w2 = 1 + 7: (63) *(u32 *)(r1 +0) = r2 + R1_w=map_value(id=0,off=0,ks=4,vs=8,imm=0) R2_w=invP1 R7_w=map_value(id=0,off=4,ks=4,vs=8,imm=0) R10=fp0 + 8: (b7) r2 = 0 + 9: (18) r8 = 0xffff90bcb500c000 + 11: (18) r1 = 0xffff90bcb500c000 + 13: (0f) r1 += r2 + R1 pointer arithmetic on map_ptr prohibited + +To fix the issue, let us permit map_ptr + 0 arithmetic which will +result in exactly the same map_ptr. + +Signed-off-by: Yonghong Song +Signed-off-by: Alexei Starovoitov +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20200908175702.2463625-1-yhs@fb.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 12eb9e47d101c..725edce5ecfc5 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -5071,6 +5071,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, + dst, reg_type_str[ptr_reg->type]); + return -EACCES; + case CONST_PTR_TO_MAP: ++ /* smin_val represents the known value */ ++ if (known && smin_val == 0 && opcode == BPF_ADD) ++ break; ++ /* fall-through */ + case PTR_TO_PACKET_END: + case PTR_TO_SOCKET: + case PTR_TO_SOCKET_OR_NULL: +-- +2.27.0 + diff --git a/queue-5.8/brcmfmac-fix-warning-message-after-dongle-setup-fail.patch b/queue-5.8/brcmfmac-fix-warning-message-after-dongle-setup-fail.patch new file mode 100644 index 00000000000..557370a6119 --- /dev/null +++ b/queue-5.8/brcmfmac-fix-warning-message-after-dongle-setup-fail.patch @@ -0,0 +1,76 @@ +From 51049dd8e6697493e92c1c30455ecf5696537864 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 00:49:22 -0500 +Subject: brcmfmac: Fix warning message after dongle setup failed + +From: Wright Feng + +[ Upstream commit 6aa5a83a7ed8036c1388a811eb8bdfa77b21f19c ] + +Brcmfmac showed warning message in fweh.c when checking the size of event +queue which is not initialized. Therefore, we only cancel the worker and +reset event handler only when it is initialized. + +[ 145.505899] brcmfmac 0000:02:00.0: brcmf_pcie_setup: Dongle setup +[ 145.929970] ------------[ cut here ]------------ +[ 145.929994] WARNING: CPU: 0 PID: 288 at drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c:312 +brcmf_fweh_detach+0xbc/0xd0 [brcmfmac] +... +[ 145.930029] Call Trace: +[ 145.930036] brcmf_detach+0x77/0x100 [brcmfmac] +[ 145.930043] brcmf_pcie_remove+0x79/0x130 [brcmfmac] +[ 145.930046] pci_device_remove+0x39/0xc0 +[ 145.930048] device_release_driver_internal+0x141/0x200 +[ 145.930049] device_release_driver+0x12/0x20 +[ 145.930054] brcmf_pcie_setup+0x101/0x3c0 [brcmfmac] +[ 145.930060] brcmf_fw_request_done+0x11d/0x1f0 [brcmfmac] +[ 145.930062] ? lock_timer_base+0x7d/0xa0 +[ 145.930063] ? internal_add_timer+0x1f/0xa0 +[ 145.930064] ? add_timer+0x11a/0x1d0 +[ 145.930066] ? __kmalloc_track_caller+0x18c/0x230 +[ 145.930068] ? kstrdup_const+0x23/0x30 +[ 145.930069] ? add_dr+0x46/0x80 +[ 145.930070] ? devres_add+0x3f/0x50 +[ 145.930072] ? usermodehelper_read_unlock+0x15/0x20 +[ 145.930073] ? _request_firmware+0x288/0xa20 +[ 145.930075] request_firmware_work_func+0x36/0x60 +[ 145.930077] process_one_work+0x144/0x360 +[ 145.930078] worker_thread+0x4d/0x3c0 +[ 145.930079] kthread+0x112/0x150 +[ 145.930080] ? rescuer_thread+0x340/0x340 +[ 145.930081] ? kthread_park+0x60/0x60 +[ 145.930083] ret_from_fork+0x25/0x30 + +Signed-off-by: Wright Feng +Signed-off-by: Chi-hsien Lin +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200928054922.44580-3-wright.feng@cypress.com +Signed-off-by: Sasha Levin +--- + .../net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +index a5cced2c89ac6..921b94c4f5f9a 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +@@ -304,10 +304,12 @@ void brcmf_fweh_detach(struct brcmf_pub *drvr) + { + struct brcmf_fweh_info *fweh = &drvr->fweh; + +- /* cancel the worker */ +- cancel_work_sync(&fweh->event_work); +- WARN_ON(!list_empty(&fweh->event_q)); +- memset(fweh->evt_handler, 0, sizeof(fweh->evt_handler)); ++ /* cancel the worker if initialized */ ++ if (fweh->event_work.func) { ++ cancel_work_sync(&fweh->event_work); ++ WARN_ON(!list_empty(&fweh->event_q)); ++ memset(fweh->evt_handler, 0, sizeof(fweh->evt_handler)); ++ } + } + + /** +-- +2.27.0 + diff --git a/queue-5.8/brcmfmac-increase-f2-watermark-for-bcm4329.patch b/queue-5.8/brcmfmac-increase-f2-watermark-for-bcm4329.patch new file mode 100644 index 00000000000..23309091520 --- /dev/null +++ b/queue-5.8/brcmfmac-increase-f2-watermark-for-bcm4329.patch @@ -0,0 +1,40 @@ +From 09b9f7aae7cc571d5e9313480040111e4bdbca62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Aug 2020 22:14:37 +0300 +Subject: brcmfmac: increase F2 watermark for BCM4329 + +From: Dmitry Osipenko + +[ Upstream commit 317da69d10b0247c4042354eb90c75b81620ce9d ] + +This patch fixes SDHCI CRC errors during of RX throughput testing on +BCM4329 chip if SDIO BUS is clocked above 25MHz. In particular the +checksum problem is observed on NVIDIA Tegra20 SoCs. The good watermark +value is borrowed from downstream BCMDHD driver and it's matching to the +value that is already used for the BCM4339 chip, hence let's re-use it +for BCM4329. + +Reviewed-by: Arend van Spriel +Signed-off-by: Dmitry Osipenko +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200830191439.10017-2-digetx@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +index bc02168ebb536..9ac9e6085a0c5 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -4227,6 +4227,7 @@ static void brcmf_sdio_firmware_callback(struct device *dev, int err, + brcmf_sdiod_writeb(sdiod, SBSDIO_FUNC1_MESBUSYCTRL, + CY_43012_MESBUSYCTRL, &err); + break; ++ case SDIO_DEVICE_ID_BROADCOM_4329: + case SDIO_DEVICE_ID_BROADCOM_4339: + brcmf_dbg(INFO, "set F2 watermark to 0x%x*4 bytes for 4339\n", + CY_4339_F2_WATERMARK); +-- +2.27.0 + diff --git a/queue-5.8/btrfs-fix-replace-of-seed-device.patch b/queue-5.8/btrfs-fix-replace-of-seed-device.patch new file mode 100644 index 00000000000..2092c024be7 --- /dev/null +++ b/queue-5.8/btrfs-fix-replace-of-seed-device.patch @@ -0,0 +1,115 @@ +From 50c7dcfaf65913cd5f6b58f832bf05a8e5d8c4fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 01:34:22 +0800 +Subject: btrfs: fix replace of seed device + +From: Anand Jain + +[ Upstream commit c6a5d954950c5031444173ad2195efc163afcac9 ] + +If you replace a seed device in a sprouted fs, it appears to have +successfully replaced the seed device, but if you look closely, it +didn't. Here is an example. + + $ mkfs.btrfs /dev/sda + $ btrfstune -S1 /dev/sda + $ mount /dev/sda /btrfs + $ btrfs device add /dev/sdb /btrfs + $ umount /btrfs + $ btrfs device scan --forget + $ mount -o device=/dev/sda /dev/sdb /btrfs + $ btrfs replace start -f /dev/sda /dev/sdc /btrfs + $ echo $? + 0 + + BTRFS info (device sdb): dev_replace from /dev/sda (devid 1) to /dev/sdc started + BTRFS info (device sdb): dev_replace from /dev/sda (devid 1) to /dev/sdc finished + + $ btrfs fi show + Label: none uuid: ab2c88b7-be81-4a7e-9849-c3666e7f9f4f + Total devices 2 FS bytes used 256.00KiB + devid 1 size 3.00GiB used 520.00MiB path /dev/sdc + devid 2 size 3.00GiB used 896.00MiB path /dev/sdb + + Label: none uuid: 10bd3202-0415-43af-96a8-d5409f310a7e + Total devices 1 FS bytes used 128.00KiB + devid 1 size 3.00GiB used 536.00MiB path /dev/sda + +So as per the replace start command and kernel log replace was successful. +Now let's try to clean mount. + + $ umount /btrfs + $ btrfs device scan --forget + + $ mount -o device=/dev/sdc /dev/sdb /btrfs + mount: /btrfs: wrong fs type, bad option, bad superblock on /dev/sdb, missing codepage or helper program, or other error. + + [ 636.157517] BTRFS error (device sdc): failed to read chunk tree: -2 + [ 636.180177] BTRFS error (device sdc): open_ctree failed + +That's because per dev items it is still looking for the original seed +device. + + $ btrfs inspect-internal dump-tree -d /dev/sdb + + item 0 key (DEV_ITEMS DEV_ITEM 1) itemoff 16185 itemsize 98 + devid 1 total_bytes 3221225472 bytes_used 545259520 + io_align 4096 io_width 4096 sector_size 4096 type 0 + generation 6 start_offset 0 dev_group 0 + seek_speed 0 bandwidth 0 + uuid 59368f50-9af2-4b17-91da-8a783cc418d4 <--- seed uuid + fsid 10bd3202-0415-43af-96a8-d5409f310a7e <--- seed fsid + item 1 key (DEV_ITEMS DEV_ITEM 2) itemoff 16087 itemsize 98 + devid 2 total_bytes 3221225472 bytes_used 939524096 + io_align 4096 io_width 4096 sector_size 4096 type 0 + generation 0 start_offset 0 dev_group 0 + seek_speed 0 bandwidth 0 + uuid 56a0a6bc-4630-4998-8daf-3c3030c4256a <- sprout uuid + fsid ab2c88b7-be81-4a7e-9849-c3666e7f9f4f <- sprout fsid + +But the replaced target has the following uuid+fsid in its superblock +which doesn't match with the expected uuid+fsid in its devitem. + + $ btrfs in dump-super /dev/sdc | egrep '^generation|dev_item.uuid|dev_item.fsid|devid' + generation 20 + dev_item.uuid 59368f50-9af2-4b17-91da-8a783cc418d4 + dev_item.fsid ab2c88b7-be81-4a7e-9849-c3666e7f9f4f [match] + dev_item.devid 1 + +So if you provide the original seed device the mount shall be +successful. Which so long happening in the test case btrfs/163. + + $ btrfs device scan --forget + $ mount -o device=/dev/sda /dev/sdb /btrfs + +Fix in this patch: +If a seed is not sprouted then there is no replacement of it, because of +its read-only filesystem with a read-only device. Similarly, in the case +of a sprouted filesystem, the seed device is still read only. So, mark +it as you can't replace a seed device, you can only add a new device and +then delete the seed device. If replace is attempted then returns +-EINVAL. + +Signed-off-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/dev-replace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c +index e4a1c6afe35dc..0cb36746060da 100644 +--- a/fs/btrfs/dev-replace.c ++++ b/fs/btrfs/dev-replace.c +@@ -230,7 +230,7 @@ static int btrfs_init_dev_replace_tgtdev(struct btrfs_fs_info *fs_info, + int ret = 0; + + *device_out = NULL; +- if (fs_info->fs_devices->seeding) { ++ if (srcdev->fs_devices->seeding) { + btrfs_err(fs_info, "the filesystem is a seed filesystem!"); + return -EINVAL; + } +-- +2.27.0 + diff --git a/queue-5.8/bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch b/queue-5.8/bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch new file mode 100644 index 00000000000..0b4bc17ce01 --- /dev/null +++ b/queue-5.8/bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch @@ -0,0 +1,43 @@ +From 326464243a3efa714138ded524eba3f684009dc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 11:54:38 +0300 +Subject: bus/fsl_mc: Do not rely on caller to provide non NULL mc_io + +From: Diana Craciun + +[ Upstream commit 5026cf605143e764e1785bbf9158559d17f8d260 ] + +Before destroying the mc_io, check first that it was +allocated. + +Reviewed-by: Laurentiu Tudor +Acked-by: Laurentiu Tudor +Signed-off-by: Diana Craciun +Link: https://lore.kernel.org/r/20200929085441.17448-11-diana.craciun@oss.nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/bus/fsl-mc/mc-io.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/bus/fsl-mc/mc-io.c b/drivers/bus/fsl-mc/mc-io.c +index 6ae48ad804091..e1dfe4a765198 100644 +--- a/drivers/bus/fsl-mc/mc-io.c ++++ b/drivers/bus/fsl-mc/mc-io.c +@@ -129,7 +129,12 @@ error_destroy_mc_io: + */ + void fsl_destroy_mc_io(struct fsl_mc_io *mc_io) + { +- struct fsl_mc_device *dpmcp_dev = mc_io->dpmcp_dev; ++ struct fsl_mc_device *dpmcp_dev; ++ ++ if (!mc_io) ++ return; ++ ++ dpmcp_dev = mc_io->dpmcp_dev; + + if (dpmcp_dev) + fsl_mc_io_unset_dpmcp(mc_io); +-- +2.27.0 + diff --git a/queue-5.8/bus-mhi-core-abort-suspends-due-to-outgoing-pending-.patch b/queue-5.8/bus-mhi-core-abort-suspends-due-to-outgoing-pending-.patch new file mode 100644 index 00000000000..3f7fdede7a6 --- /dev/null +++ b/queue-5.8/bus-mhi-core-abort-suspends-due-to-outgoing-pending-.patch @@ -0,0 +1,51 @@ +From 43b86af96ef295e8426200c718acfe56a03943ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 23:22:02 +0530 +Subject: bus: mhi: core: Abort suspends due to outgoing pending packets + +From: Bhaumik Bhatt + +[ Upstream commit 515847c557dd33167be86cb429fc0674a331bc88 ] + +Add the missing check to abort suspends if a client driver has pending +outgoing packets to send to the device. This allows better utilization +of the MHI bus wherein clients on the host are not left waiting for +longer suspend or resume cycles to finish for data transfers. + +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Bhaumik Bhatt +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20200929175218.8178-4-manivannan.sadhasivam@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/bus/mhi/core/pm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/bus/mhi/core/pm.c b/drivers/bus/mhi/core/pm.c +index 7960980780832..661d704c8093d 100644 +--- a/drivers/bus/mhi/core/pm.c ++++ b/drivers/bus/mhi/core/pm.c +@@ -686,7 +686,8 @@ int mhi_pm_suspend(struct mhi_controller *mhi_cntrl) + return -EIO; + + /* Return busy if there are any pending resources */ +- if (atomic_read(&mhi_cntrl->dev_wake)) ++ if (atomic_read(&mhi_cntrl->dev_wake) || ++ atomic_read(&mhi_cntrl->pending_pkts)) + return -EBUSY; + + /* Take MHI out of M2 state */ +@@ -712,7 +713,8 @@ int mhi_pm_suspend(struct mhi_controller *mhi_cntrl) + + write_lock_irq(&mhi_cntrl->pm_lock); + +- if (atomic_read(&mhi_cntrl->dev_wake)) { ++ if (atomic_read(&mhi_cntrl->dev_wake) || ++ atomic_read(&mhi_cntrl->pending_pkts)) { + write_unlock_irq(&mhi_cntrl->pm_lock); + return -EBUSY; + } +-- +2.27.0 + diff --git a/queue-5.8/can-flexcan-disable-clocks-during-stop-mode.patch b/queue-5.8/can-flexcan-disable-clocks-during-stop-mode.patch new file mode 100644 index 00000000000..dc20ace70e2 --- /dev/null +++ b/queue-5.8/can-flexcan-disable-clocks-during-stop-mode.patch @@ -0,0 +1,85 @@ +From dbbd18b8ae3d89a978c98d96810d149fbde12ebc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 09:00:13 +0000 +Subject: can: flexcan: disable clocks during stop mode + +From: Joakim Zhang + +[ Upstream commit 02f71c6605e1f8259c07f16178330db766189a74 ] + +Disable clocks while CAN core is in stop mode. + +Signed-off-by: Joakim Zhang +Tested-by: Sean Nyekjaer +Link: https://lore.kernel.org/r/20191210085721.9853-2-qiangqing.zhang@nxp.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/flexcan.c | 30 ++++++++++++++++++++---------- + 1 file changed, 20 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c +index 2ac7a667bde35..bc21a82cf3a76 100644 +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -1722,8 +1722,6 @@ static int __maybe_unused flexcan_suspend(struct device *device) + err = flexcan_chip_disable(priv); + if (err) + return err; +- +- err = pm_runtime_force_suspend(device); + } + netif_stop_queue(dev); + netif_device_detach(dev); +@@ -1749,10 +1747,6 @@ static int __maybe_unused flexcan_resume(struct device *device) + if (err) + return err; + } else { +- err = pm_runtime_force_resume(device); +- if (err) +- return err; +- + err = flexcan_chip_enable(priv); + } + } +@@ -1783,8 +1777,16 @@ static int __maybe_unused flexcan_noirq_suspend(struct device *device) + struct net_device *dev = dev_get_drvdata(device); + struct flexcan_priv *priv = netdev_priv(dev); + +- if (netif_running(dev) && device_may_wakeup(device)) +- flexcan_enable_wakeup_irq(priv, true); ++ if (netif_running(dev)) { ++ int err; ++ ++ if (device_may_wakeup(device)) ++ flexcan_enable_wakeup_irq(priv, true); ++ ++ err = pm_runtime_force_suspend(device); ++ if (err) ++ return err; ++ } + + return 0; + } +@@ -1794,8 +1796,16 @@ static int __maybe_unused flexcan_noirq_resume(struct device *device) + struct net_device *dev = dev_get_drvdata(device); + struct flexcan_priv *priv = netdev_priv(dev); + +- if (netif_running(dev) && device_may_wakeup(device)) +- flexcan_enable_wakeup_irq(priv, false); ++ if (netif_running(dev)) { ++ int err; ++ ++ err = pm_runtime_force_resume(device); ++ if (err) ++ return err; ++ ++ if (device_may_wakeup(device)) ++ flexcan_enable_wakeup_irq(priv, false); ++ } + + return 0; + } +-- +2.27.0 + diff --git a/queue-5.8/ceph-encode-inodes-parent-d_name-in-cap-reconnect-me.patch b/queue-5.8/ceph-encode-inodes-parent-d_name-in-cap-reconnect-me.patch new file mode 100644 index 00000000000..c2af365bed8 --- /dev/null +++ b/queue-5.8/ceph-encode-inodes-parent-d_name-in-cap-reconnect-me.patch @@ -0,0 +1,188 @@ +From 8d3537679626eda173871b3ad3c56308f8e152ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 15:23:03 +0800 +Subject: ceph: encode inodes' parent/d_name in cap reconnect message + +From: Yan, Zheng + +[ Upstream commit a33f6432b3a63a4909dbbb0967f7c9df8ff2de91 ] + +Since nautilus, MDS tracks dirfrags whose child inodes have caps in open +file table. When MDS recovers, it prefetches all of these dirfrags. This +avoids using backtrace to load inodes. But dirfrags prefetch may load +lots of useless inodes into cache, and make MDS run out of memory. + +Recent MDS adds an option that disables dirfrags prefetch. When dirfrags +prefetch is disabled. Recovering MDS only prefetches corresponding dir +inodes. Including inodes' parent/d_name in cap reconnect message can +help MDS to load inodes into its cache. + +Signed-off-by: "Yan, Zheng" +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/mds_client.c | 89 ++++++++++++++++++++++++++++++-------------- + 1 file changed, 61 insertions(+), 28 deletions(-) + +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index 903b6a35b321b..862a5b10ab0ee 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -3531,6 +3531,39 @@ fail_msg: + return err; + } + ++static struct dentry* d_find_primary(struct inode *inode) ++{ ++ struct dentry *alias, *dn = NULL; ++ ++ if (hlist_empty(&inode->i_dentry)) ++ return NULL; ++ ++ spin_lock(&inode->i_lock); ++ if (hlist_empty(&inode->i_dentry)) ++ goto out_unlock; ++ ++ if (S_ISDIR(inode->i_mode)) { ++ alias = hlist_entry(inode->i_dentry.first, struct dentry, d_u.d_alias); ++ if (!IS_ROOT(alias)) ++ dn = dget(alias); ++ goto out_unlock; ++ } ++ ++ hlist_for_each_entry(alias, &inode->i_dentry, d_u.d_alias) { ++ spin_lock(&alias->d_lock); ++ if (!d_unhashed(alias) && ++ (ceph_dentry(alias)->flags & CEPH_DENTRY_PRIMARY_LINK)) { ++ dn = dget_dlock(alias); ++ } ++ spin_unlock(&alias->d_lock); ++ if (dn) ++ break; ++ } ++out_unlock: ++ spin_unlock(&inode->i_lock); ++ return dn; ++} ++ + /* + * Encode information about a cap for a reconnect with the MDS. + */ +@@ -3544,13 +3577,32 @@ static int reconnect_caps_cb(struct inode *inode, struct ceph_cap *cap, + struct ceph_inode_info *ci = cap->ci; + struct ceph_reconnect_state *recon_state = arg; + struct ceph_pagelist *pagelist = recon_state->pagelist; +- int err; ++ struct dentry *dentry; ++ char *path; ++ int pathlen, err; ++ u64 pathbase; + u64 snap_follows; + + dout(" adding %p ino %llx.%llx cap %p %lld %s\n", + inode, ceph_vinop(inode), cap, cap->cap_id, + ceph_cap_string(cap->issued)); + ++ dentry = d_find_primary(inode); ++ if (dentry) { ++ /* set pathbase to parent dir when msg_version >= 2 */ ++ path = ceph_mdsc_build_path(dentry, &pathlen, &pathbase, ++ recon_state->msg_version >= 2); ++ dput(dentry); ++ if (IS_ERR(path)) { ++ err = PTR_ERR(path); ++ goto out_err; ++ } ++ } else { ++ path = NULL; ++ pathlen = 0; ++ pathbase = 0; ++ } ++ + spin_lock(&ci->i_ceph_lock); + cap->seq = 0; /* reset cap seq */ + cap->issue_seq = 0; /* and issue_seq */ +@@ -3571,7 +3623,7 @@ static int reconnect_caps_cb(struct inode *inode, struct ceph_cap *cap, + rec.v2.wanted = cpu_to_le32(__ceph_caps_wanted(ci)); + rec.v2.issued = cpu_to_le32(cap->issued); + rec.v2.snaprealm = cpu_to_le64(ci->i_snap_realm->ino); +- rec.v2.pathbase = 0; ++ rec.v2.pathbase = cpu_to_le64(pathbase); + rec.v2.flock_len = (__force __le32) + ((ci->i_ceph_flags & CEPH_I_ERROR_FILELOCK) ? 0 : 1); + } else { +@@ -3582,7 +3634,7 @@ static int reconnect_caps_cb(struct inode *inode, struct ceph_cap *cap, + ceph_encode_timespec64(&rec.v1.mtime, &inode->i_mtime); + ceph_encode_timespec64(&rec.v1.atime, &inode->i_atime); + rec.v1.snaprealm = cpu_to_le64(ci->i_snap_realm->ino); +- rec.v1.pathbase = 0; ++ rec.v1.pathbase = cpu_to_le64(pathbase); + } + + if (list_empty(&ci->i_cap_snaps)) { +@@ -3644,7 +3696,7 @@ encode_again: + sizeof(struct ceph_filelock); + rec.v2.flock_len = cpu_to_le32(struct_len); + +- struct_len += sizeof(u32) + sizeof(rec.v2); ++ struct_len += sizeof(u32) + pathlen + sizeof(rec.v2); + + if (struct_v >= 2) + struct_len += sizeof(u64); /* snap_follows */ +@@ -3668,7 +3720,7 @@ encode_again: + ceph_pagelist_encode_8(pagelist, 1); + ceph_pagelist_encode_32(pagelist, struct_len); + } +- ceph_pagelist_encode_string(pagelist, NULL, 0); ++ ceph_pagelist_encode_string(pagelist, path, pathlen); + ceph_pagelist_append(pagelist, &rec, sizeof(rec.v2)); + ceph_locks_to_pagelist(flocks, pagelist, + num_fcntl_locks, num_flock_locks); +@@ -3677,39 +3729,20 @@ encode_again: + out_freeflocks: + kfree(flocks); + } else { +- u64 pathbase = 0; +- int pathlen = 0; +- char *path = NULL; +- struct dentry *dentry; +- +- dentry = d_find_alias(inode); +- if (dentry) { +- path = ceph_mdsc_build_path(dentry, +- &pathlen, &pathbase, 0); +- dput(dentry); +- if (IS_ERR(path)) { +- err = PTR_ERR(path); +- goto out_err; +- } +- rec.v1.pathbase = cpu_to_le64(pathbase); +- } +- + err = ceph_pagelist_reserve(pagelist, + sizeof(u64) + sizeof(u32) + + pathlen + sizeof(rec.v1)); +- if (err) { +- goto out_freepath; +- } ++ if (err) ++ goto out_err; + + ceph_pagelist_encode_64(pagelist, ceph_ino(inode)); + ceph_pagelist_encode_string(pagelist, path, pathlen); + ceph_pagelist_append(pagelist, &rec, sizeof(rec.v1)); +-out_freepath: +- ceph_mdsc_free_path(path, pathlen); + } + + out_err: +- if (err >= 0) ++ ceph_mdsc_free_path(path, pathlen); ++ if (!err) + recon_state->nr_caps++; + return err; + } +-- +2.27.0 + diff --git a/queue-5.8/cifs-handle-eintr-in-cifs_setattr.patch b/queue-5.8/cifs-handle-eintr-in-cifs_setattr.patch new file mode 100644 index 00000000000..9d27ba4b058 --- /dev/null +++ b/queue-5.8/cifs-handle-eintr-in-cifs_setattr.patch @@ -0,0 +1,57 @@ +From aa291889be2f1f01447b1503e4a822a6810e82b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 09:32:56 +1000 +Subject: cifs: handle -EINTR in cifs_setattr + +From: Ronnie Sahlberg + +[ Upstream commit c6cc4c5a72505a0ecefc9b413f16bec512f38078 ] + +RHBZ: 1848178 + +Some calls that set attributes, like utimensat(), are not supposed to return +-EINTR and thus do not have handlers for this in glibc which causes us +to leak -EINTR to the applications which are also unprepared to handle it. + +For example tar will break if utimensat() return -EINTR and abort unpacking +the archive. Other applications may break too. + +To handle this we add checks, and retry, for -EINTR in cifs_setattr() + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/inode.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c +index 7708175062eba..8c0b7f40714ba 100644 +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -2885,13 +2885,18 @@ cifs_setattr(struct dentry *direntry, struct iattr *attrs) + { + struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb); + struct cifs_tcon *pTcon = cifs_sb_master_tcon(cifs_sb); ++ int rc, retries = 0; + +- if (pTcon->unix_ext) +- return cifs_setattr_unix(direntry, attrs); +- +- return cifs_setattr_nounix(direntry, attrs); ++ do { ++ if (pTcon->unix_ext) ++ rc = cifs_setattr_unix(direntry, attrs); ++ else ++ rc = cifs_setattr_nounix(direntry, attrs); ++ retries++; ++ } while (is_retryable_error(rc) && retries < 2); + + /* BB: add cifs_setattr_legacy for really old servers */ ++ return rc; + } + + #if 0 +-- +2.27.0 + diff --git a/queue-5.8/clk-ti-clockdomain-fix-static-checker-warning.patch b/queue-5.8/clk-ti-clockdomain-fix-static-checker-warning.patch new file mode 100644 index 00000000000..42ba2d7fce3 --- /dev/null +++ b/queue-5.8/clk-ti-clockdomain-fix-static-checker-warning.patch @@ -0,0 +1,40 @@ +From ebe49df8fcde2384e9096f375a32798b67e51d34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 11:25:59 +0300 +Subject: clk: ti: clockdomain: fix static checker warning + +From: Tero Kristo + +[ Upstream commit b7a7943fe291b983b104bcbd2f16e8e896f56590 ] + +Fix a memory leak induced by not calling clk_put after doing of_clk_get. + +Reported-by: Dan Murphy +Signed-off-by: Tero Kristo +Link: https://lore.kernel.org/r/20200907082600.454-3-t-kristo@ti.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/ti/clockdomain.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clk/ti/clockdomain.c b/drivers/clk/ti/clockdomain.c +index ee56306f79d5f..700b7f44f6716 100644 +--- a/drivers/clk/ti/clockdomain.c ++++ b/drivers/clk/ti/clockdomain.c +@@ -148,10 +148,12 @@ static void __init of_ti_clockdomain_setup(struct device_node *node) + if (!omap2_clk_is_hw_omap(clk_hw)) { + pr_warn("can't setup clkdm for basic clk %s\n", + __clk_get_name(clk)); ++ clk_put(clk); + continue; + } + to_clk_hw_omap(clk_hw)->clkdm_name = clkdm_name; + omap2_init_clk_clkdm(clk_hw); ++ clk_put(clk); + } + } + +-- +2.27.0 + diff --git a/queue-5.8/coresight-make-sysfs-functional-on-topologies-with-p.patch b/queue-5.8/coresight-make-sysfs-functional-on-topologies-with-p.patch new file mode 100644 index 00000000000..a9f81c79138 --- /dev/null +++ b/queue-5.8/coresight-make-sysfs-functional-on-topologies-with-p.patch @@ -0,0 +1,143 @@ +From be286766847c8f8d8d782e795386563594c00656 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 13:17:35 -0600 +Subject: coresight: Make sysfs functional on topologies with per core sink + +From: Linu Cherian + +[ Upstream commit 6d578258b955fc8888e1bbd9a8fefe7b10065a84 ] + +Coresight driver assumes sink is common across all the ETMs, +and tries to build a path between ETM and the first enabled +sink found using bus based search. This breaks sysFS usage +on implementations that has multiple per core sinks in +enabled state. + +To fix this, coresight_get_enabled_sink API is updated to +do a connection based search starting from the given source, +instead of bus based search. +With sink selection using sysfs depecrated for perf interface, +provision for reset is removed as well in this API. + +Signed-off-by: Linu Cherian +[Fixed indentation problem and removed obsolete comment] +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200916191737.4001561-15-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-priv.h | 3 +- + drivers/hwtracing/coresight/coresight.c | 62 +++++++++----------- + 2 files changed, 29 insertions(+), 36 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-priv.h b/drivers/hwtracing/coresight/coresight-priv.h +index 36c943ae94d52..e383bc72143d8 100644 +--- a/drivers/hwtracing/coresight/coresight-priv.h ++++ b/drivers/hwtracing/coresight/coresight-priv.h +@@ -148,7 +148,8 @@ static inline void coresight_write_reg_pair(void __iomem *addr, u64 val, + void coresight_disable_path(struct list_head *path); + int coresight_enable_path(struct list_head *path, u32 mode, void *sink_data); + struct coresight_device *coresight_get_sink(struct list_head *path); +-struct coresight_device *coresight_get_enabled_sink(bool reset); ++struct coresight_device * ++coresight_get_enabled_sink(struct coresight_device *source); + struct coresight_device *coresight_get_sink_by_id(u32 id); + struct list_head *coresight_build_path(struct coresight_device *csdev, + struct coresight_device *sink); +diff --git a/drivers/hwtracing/coresight/coresight.c b/drivers/hwtracing/coresight/coresight.c +index cf03af09c6ced..a12aeeec5fb7f 100644 +--- a/drivers/hwtracing/coresight/coresight.c ++++ b/drivers/hwtracing/coresight/coresight.c +@@ -540,50 +540,46 @@ struct coresight_device *coresight_get_sink(struct list_head *path) + return csdev; + } + +-static int coresight_enabled_sink(struct device *dev, const void *data) ++static struct coresight_device * ++coresight_find_enabled_sink(struct coresight_device *csdev) + { +- const bool *reset = data; +- struct coresight_device *csdev = to_coresight_device(dev); ++ int i; ++ struct coresight_device *sink; + + if ((csdev->type == CORESIGHT_DEV_TYPE_SINK || + csdev->type == CORESIGHT_DEV_TYPE_LINKSINK) && +- csdev->activated) { +- /* +- * Now that we have a handle on the sink for this session, +- * disable the sysFS "enable_sink" flag so that possible +- * concurrent perf session that wish to use another sink don't +- * trip on it. Doing so has no ramification for the current +- * session. +- */ +- if (*reset) +- csdev->activated = false; ++ csdev->activated) ++ return csdev; + +- return 1; ++ /* ++ * Recursively explore each port found on this element. ++ */ ++ for (i = 0; i < csdev->pdata->nr_outport; i++) { ++ struct coresight_device *child_dev; ++ ++ child_dev = csdev->pdata->conns[i].child_dev; ++ if (child_dev) ++ sink = coresight_find_enabled_sink(child_dev); ++ if (sink) ++ return sink; + } + +- return 0; ++ return NULL; + } + + /** +- * coresight_get_enabled_sink - returns the first enabled sink found on the bus +- * @deactivate: Whether the 'enable_sink' flag should be reset ++ * coresight_get_enabled_sink - returns the first enabled sink using ++ * connection based search starting from the source reference + * +- * When operated from perf the deactivate parameter should be set to 'true'. +- * That way the "enabled_sink" flag of the sink that was selected can be reset, +- * allowing for other concurrent perf sessions to choose a different sink. +- * +- * When operated from sysFS users have full control and as such the deactivate +- * parameter should be set to 'false', hence mandating users to explicitly +- * clear the flag. ++ * @source: Coresight source device reference + */ +-struct coresight_device *coresight_get_enabled_sink(bool deactivate) ++struct coresight_device * ++coresight_get_enabled_sink(struct coresight_device *source) + { +- struct device *dev = NULL; +- +- dev = bus_find_device(&coresight_bustype, NULL, &deactivate, +- coresight_enabled_sink); ++ if (!source) ++ return NULL; + +- return dev ? to_coresight_device(dev) : NULL; ++ return coresight_find_enabled_sink(source); + } + + static int coresight_sink_by_id(struct device *dev, const void *data) +@@ -823,11 +819,7 @@ int coresight_enable(struct coresight_device *csdev) + goto out; + } + +- /* +- * Search for a valid sink for this session but don't reset the +- * "enable_sink" flag in sysFS. Users get to do that explicitly. +- */ +- sink = coresight_get_enabled_sink(false); ++ sink = coresight_get_enabled_sink(csdev); + if (!sink) { + ret = -EINVAL; + goto out; +-- +2.27.0 + diff --git a/queue-5.8/cpufreq-sti-cpufreq-add-stih418-support.patch b/queue-5.8/cpufreq-sti-cpufreq-add-stih418-support.patch new file mode 100644 index 00000000000..85dc3c56f34 --- /dev/null +++ b/queue-5.8/cpufreq-sti-cpufreq-add-stih418-support.patch @@ -0,0 +1,46 @@ +From 31119172576958fe6420887091fe34a18cd1c5c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Aug 2020 08:10:11 +0200 +Subject: cpufreq: sti-cpufreq: add stih418 support + +From: Alain Volmat + +[ Upstream commit 01a163c52039e9426c7d3d3ab16ca261ad622597 ] + +The STiH418 can be controlled the same way as STiH407 & +STiH410 regarding cpufreq. + +Signed-off-by: Alain Volmat +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/sti-cpufreq.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/sti-cpufreq.c b/drivers/cpufreq/sti-cpufreq.c +index 8f16bbb164b84..2855b7878a204 100644 +--- a/drivers/cpufreq/sti-cpufreq.c ++++ b/drivers/cpufreq/sti-cpufreq.c +@@ -141,7 +141,8 @@ static const struct reg_field sti_stih407_dvfs_regfields[DVFS_MAX_REGFIELDS] = { + static const struct reg_field *sti_cpufreq_match(void) + { + if (of_machine_is_compatible("st,stih407") || +- of_machine_is_compatible("st,stih410")) ++ of_machine_is_compatible("st,stih410") || ++ of_machine_is_compatible("st,stih418")) + return sti_stih407_dvfs_regfields; + + return NULL; +@@ -258,7 +259,8 @@ static int sti_cpufreq_init(void) + int ret; + + if ((!of_machine_is_compatible("st,stih407")) && +- (!of_machine_is_compatible("st,stih410"))) ++ (!of_machine_is_compatible("st,stih410")) && ++ (!of_machine_is_compatible("st,stih418"))) + return -ENODEV; + + ddata.cpu = get_cpu_device(0); +-- +2.27.0 + diff --git a/queue-5.8/cpuidle-tegra-correctly-handle-result-of-arm_cpuidle.patch b/queue-5.8/cpuidle-tegra-correctly-handle-result-of-arm_cpuidle.patch new file mode 100644 index 00000000000..ada2f23f248 --- /dev/null +++ b/queue-5.8/cpuidle-tegra-correctly-handle-result-of-arm_cpuidle.patch @@ -0,0 +1,135 @@ +From 4a37439adfc543b1cda6bf79860efdbfb66a5d23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jul 2020 20:35:32 +0300 +Subject: cpuidle: tegra: Correctly handle result of arm_cpuidle_simple_enter() + +From: Dmitry Osipenko + +[ Upstream commit 1170433e6611402b869c583fa1fbfd85106ff066 ] + +The enter() callback of CPUIDLE drivers returns index of the entered idle +state on success or a negative value on failure. The negative value could +any negative value, i.e. it doesn't necessarily needs to be a error code. +That's because CPUIDLE core only cares about the fact of failure and not +about the reason of the enter() failure. + +Like every other enter() callback, the arm_cpuidle_simple_enter() returns +the entered idle-index on success. Unlike some of other drivers, it never +fails. It happened that TEGRA_C1=index=err=0 in the code of cpuidle-tegra +driver, and thus, there is no problem for the cpuidle-tegra driver created +by the typo in the code which assumes that the arm_cpuidle_simple_enter() +returns a error code. + +The arm_cpuidle_simple_enter() also may return a -ENODEV error if CPU_IDLE +is disabled in a kernel's config, but all CPUIDLE drivers are disabled if +CPU_IDLE is disabled, including the cpuidle-tegra driver. So we can't ever +see the error code from arm_cpuidle_simple_enter() today. + +Of course the code may get some changes in the future and then the +typo may transform into a real bug, so let's correct the typo! The +tegra_cpuidle_state_enter() is now changed to make it return the entered +idle-index on success and negative error code on fail, which puts it on +par with the arm_cpuidle_simple_enter(), making code consistent in regards +to the error handling. + +This patch fixes a minor typo in the code, it doesn't fix any bugs. + +Signed-off-by: Dmitry Osipenko +Reviewed-by: Jon Hunter +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/cpuidle-tegra.c | 34 +++++++++++++++++++-------------- + 1 file changed, 20 insertions(+), 14 deletions(-) + +diff --git a/drivers/cpuidle/cpuidle-tegra.c b/drivers/cpuidle/cpuidle-tegra.c +index 150045849d782..30e6816c6737a 100644 +--- a/drivers/cpuidle/cpuidle-tegra.c ++++ b/drivers/cpuidle/cpuidle-tegra.c +@@ -172,7 +172,7 @@ static int tegra_cpuidle_coupled_barrier(struct cpuidle_device *dev) + static int tegra_cpuidle_state_enter(struct cpuidle_device *dev, + int index, unsigned int cpu) + { +- int ret; ++ int err; + + /* + * CC6 state is the "CPU cluster power-off" state. In order to +@@ -183,9 +183,9 @@ static int tegra_cpuidle_state_enter(struct cpuidle_device *dev, + * CPU cores, GIC and L2 cache). + */ + if (index == TEGRA_CC6) { +- ret = tegra_cpuidle_coupled_barrier(dev); +- if (ret) +- return ret; ++ err = tegra_cpuidle_coupled_barrier(dev); ++ if (err) ++ return err; + } + + local_fiq_disable(); +@@ -194,15 +194,15 @@ static int tegra_cpuidle_state_enter(struct cpuidle_device *dev, + + switch (index) { + case TEGRA_C7: +- ret = tegra_cpuidle_c7_enter(); ++ err = tegra_cpuidle_c7_enter(); + break; + + case TEGRA_CC6: +- ret = tegra_cpuidle_cc6_enter(cpu); ++ err = tegra_cpuidle_cc6_enter(cpu); + break; + + default: +- ret = -EINVAL; ++ err = -EINVAL; + break; + } + +@@ -210,7 +210,7 @@ static int tegra_cpuidle_state_enter(struct cpuidle_device *dev, + tegra_pm_clear_cpu_in_lp2(); + local_fiq_enable(); + +- return ret; ++ return err ?: index; + } + + static int tegra_cpuidle_adjust_state_index(int index, unsigned int cpu) +@@ -236,21 +236,27 @@ static int tegra_cpuidle_enter(struct cpuidle_device *dev, + int index) + { + unsigned int cpu = cpu_logical_map(dev->cpu); +- int err; ++ int ret; + + index = tegra_cpuidle_adjust_state_index(index, cpu); + if (dev->states_usage[index].disable) + return -1; + + if (index == TEGRA_C1) +- err = arm_cpuidle_simple_enter(dev, drv, index); ++ ret = arm_cpuidle_simple_enter(dev, drv, index); + else +- err = tegra_cpuidle_state_enter(dev, index, cpu); ++ ret = tegra_cpuidle_state_enter(dev, index, cpu); + +- if (err && (err != -EINTR || index != TEGRA_CC6)) +- pr_err_once("failed to enter state %d err: %d\n", index, err); ++ if (ret < 0) { ++ if (ret != -EINTR || index != TEGRA_CC6) ++ pr_err_once("failed to enter state %d err: %d\n", ++ index, ret); ++ index = -1; ++ } else { ++ index = ret; ++ } + +- return err ? -1 : index; ++ return index; + } + + static void tegra114_enter_s2idle(struct cpuidle_device *dev, +-- +2.27.0 + diff --git a/queue-5.8/drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch b/queue-5.8/drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch new file mode 100644 index 00000000000..8920f6d0134 --- /dev/null +++ b/queue-5.8/drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch @@ -0,0 +1,188 @@ +From e61698607630a3806b6d7abbf6e6ae90d44822a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 05:56:43 -0700 +Subject: drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol + values + +From: Xie He + +[ Upstream commit 8306266c1d51aac9aa7aa907fe99032a58c6382c ] + +The fr_hard_header function is used to prepend the header to skbs before +transmission. It is used in 3 situations: +1) When a control packet is generated internally in this driver; +2) When a user sends an skb on an Ethernet-emulating PVC device; +3) When a user sends an skb on a normal PVC device. + +These 3 situations need to be handled differently by fr_hard_header. +Different headers should be prepended to the skb in different situations. + +Currently fr_hard_header distinguishes these 3 situations using +skb->protocol. For situation 1 and 2, a special skb->protocol value +will be assigned before calling fr_hard_header, so that it can recognize +these 2 situations. All skb->protocol values other than these special ones +are treated by fr_hard_header as situation 3. + +However, it is possible that in situation 3, the user sends an skb with +one of the special skb->protocol values. In this case, fr_hard_header +would incorrectly treat it as situation 1 or 2. + +This patch tries to solve this issue by using skb->dev instead of +skb->protocol to distinguish between these 3 situations. For situation +1, skb->dev would be NULL; for situation 2, skb->dev->type would be +ARPHRD_ETHER; and for situation 3, skb->dev->type would be ARPHRD_DLCI. + +This way fr_hard_header would be able to distinguish these 3 situations +correctly regardless what skb->protocol value the user tries to use in +situation 3. + +Cc: Krzysztof Halasa +Signed-off-by: Xie He +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wan/hdlc_fr.c | 98 ++++++++++++++++++++------------------- + 1 file changed, 51 insertions(+), 47 deletions(-) + +diff --git a/drivers/net/wan/hdlc_fr.c b/drivers/net/wan/hdlc_fr.c +index d6cfd51613ed8..3a44dad87602d 100644 +--- a/drivers/net/wan/hdlc_fr.c ++++ b/drivers/net/wan/hdlc_fr.c +@@ -273,63 +273,69 @@ static inline struct net_device **get_dev_p(struct pvc_device *pvc, + + static int fr_hard_header(struct sk_buff **skb_p, u16 dlci) + { +- u16 head_len; + struct sk_buff *skb = *skb_p; + +- switch (skb->protocol) { +- case cpu_to_be16(NLPID_CCITT_ANSI_LMI): +- head_len = 4; +- skb_push(skb, head_len); +- skb->data[3] = NLPID_CCITT_ANSI_LMI; +- break; +- +- case cpu_to_be16(NLPID_CISCO_LMI): +- head_len = 4; +- skb_push(skb, head_len); +- skb->data[3] = NLPID_CISCO_LMI; +- break; +- +- case cpu_to_be16(ETH_P_IP): +- head_len = 4; +- skb_push(skb, head_len); +- skb->data[3] = NLPID_IP; +- break; +- +- case cpu_to_be16(ETH_P_IPV6): +- head_len = 4; +- skb_push(skb, head_len); +- skb->data[3] = NLPID_IPV6; +- break; +- +- case cpu_to_be16(ETH_P_802_3): +- head_len = 10; +- if (skb_headroom(skb) < head_len) { +- struct sk_buff *skb2 = skb_realloc_headroom(skb, +- head_len); ++ if (!skb->dev) { /* Control packets */ ++ switch (dlci) { ++ case LMI_CCITT_ANSI_DLCI: ++ skb_push(skb, 4); ++ skb->data[3] = NLPID_CCITT_ANSI_LMI; ++ break; ++ ++ case LMI_CISCO_DLCI: ++ skb_push(skb, 4); ++ skb->data[3] = NLPID_CISCO_LMI; ++ break; ++ ++ default: ++ return -EINVAL; ++ } ++ ++ } else if (skb->dev->type == ARPHRD_DLCI) { ++ switch (skb->protocol) { ++ case htons(ETH_P_IP): ++ skb_push(skb, 4); ++ skb->data[3] = NLPID_IP; ++ break; ++ ++ case htons(ETH_P_IPV6): ++ skb_push(skb, 4); ++ skb->data[3] = NLPID_IPV6; ++ break; ++ ++ default: ++ skb_push(skb, 10); ++ skb->data[3] = FR_PAD; ++ skb->data[4] = NLPID_SNAP; ++ /* OUI 00-00-00 indicates an Ethertype follows */ ++ skb->data[5] = 0x00; ++ skb->data[6] = 0x00; ++ skb->data[7] = 0x00; ++ /* This should be an Ethertype: */ ++ *(__be16 *)(skb->data + 8) = skb->protocol; ++ } ++ ++ } else if (skb->dev->type == ARPHRD_ETHER) { ++ if (skb_headroom(skb) < 10) { ++ struct sk_buff *skb2 = skb_realloc_headroom(skb, 10); + if (!skb2) + return -ENOBUFS; + dev_kfree_skb(skb); + skb = *skb_p = skb2; + } +- skb_push(skb, head_len); ++ skb_push(skb, 10); + skb->data[3] = FR_PAD; + skb->data[4] = NLPID_SNAP; +- skb->data[5] = FR_PAD; ++ /* OUI 00-80-C2 stands for the 802.1 organization */ ++ skb->data[5] = 0x00; + skb->data[6] = 0x80; + skb->data[7] = 0xC2; ++ /* PID 00-07 stands for Ethernet frames without FCS */ + skb->data[8] = 0x00; +- skb->data[9] = 0x07; /* bridged Ethernet frame w/out FCS */ +- break; ++ skb->data[9] = 0x07; + +- default: +- head_len = 10; +- skb_push(skb, head_len); +- skb->data[3] = FR_PAD; +- skb->data[4] = NLPID_SNAP; +- skb->data[5] = FR_PAD; +- skb->data[6] = FR_PAD; +- skb->data[7] = FR_PAD; +- *(__be16*)(skb->data + 8) = skb->protocol; ++ } else { ++ return -EINVAL; + } + + dlci_to_q922(skb->data, dlci); +@@ -425,8 +431,8 @@ static netdev_tx_t pvc_xmit(struct sk_buff *skb, struct net_device *dev) + skb_put(skb, pad); + memset(skb->data + len, 0, pad); + } +- skb->protocol = cpu_to_be16(ETH_P_802_3); + } ++ skb->dev = dev; + if (!fr_hard_header(&skb, pvc->dlci)) { + dev->stats.tx_bytes += skb->len; + dev->stats.tx_packets++; +@@ -494,10 +500,8 @@ static void fr_lmi_send(struct net_device *dev, int fullrep) + memset(skb->data, 0, len); + skb_reserve(skb, 4); + if (lmi == LMI_CISCO) { +- skb->protocol = cpu_to_be16(NLPID_CISCO_LMI); + fr_hard_header(&skb, LMI_CISCO_DLCI); + } else { +- skb->protocol = cpu_to_be16(NLPID_CCITT_ANSI_LMI); + fr_hard_header(&skb, LMI_CCITT_ANSI_DLCI); + } + data = skb_tail_pointer(skb); +-- +2.27.0 + diff --git a/queue-5.8/drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch b/queue-5.8/drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch new file mode 100644 index 00000000000..73329f6e33a --- /dev/null +++ b/queue-5.8/drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch @@ -0,0 +1,62 @@ +From d65f833a95233c2d8f59accde0d47e9a3a208a11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Aug 2020 16:59:02 +0530 +Subject: drivers: watchdog: rdc321x_wdt: Fix race condition bugs + +From: Madhuparna Bhowmik + +[ Upstream commit 4b2e7f99cdd314263c9d172bc17193b8b6bba463 ] + +In rdc321x_wdt_probe(), rdc321x_wdt_device.queue is initialized +after misc_register(), hence if ioctl is called before its +initialization which can call rdc321x_wdt_start() function, +it will see an uninitialized value of rdc321x_wdt_device.queue, +hence initialize it before misc_register(). +Also, rdc321x_wdt_device.default_ticks is accessed in reset() +function called from write callback, thus initialize it before +misc_register(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Madhuparna Bhowmik +Reviewed-by: Guenter Roeck +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20200807112902.28764-1-madhuparnabhowmik10@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/rdc321x_wdt.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/watchdog/rdc321x_wdt.c b/drivers/watchdog/rdc321x_wdt.c +index 57187efeb86f1..f0c94ea51c3e4 100644 +--- a/drivers/watchdog/rdc321x_wdt.c ++++ b/drivers/watchdog/rdc321x_wdt.c +@@ -231,6 +231,8 @@ static int rdc321x_wdt_probe(struct platform_device *pdev) + + rdc321x_wdt_device.sb_pdev = pdata->sb_pdev; + rdc321x_wdt_device.base_reg = r->start; ++ rdc321x_wdt_device.queue = 0; ++ rdc321x_wdt_device.default_ticks = ticks; + + err = misc_register(&rdc321x_wdt_misc); + if (err < 0) { +@@ -245,14 +247,11 @@ static int rdc321x_wdt_probe(struct platform_device *pdev) + rdc321x_wdt_device.base_reg, RDC_WDT_RST); + + init_completion(&rdc321x_wdt_device.stop); +- rdc321x_wdt_device.queue = 0; + + clear_bit(0, &rdc321x_wdt_device.inuse); + + timer_setup(&rdc321x_wdt_device.timer, rdc321x_wdt_trigger, 0); + +- rdc321x_wdt_device.default_ticks = ticks; +- + dev_info(&pdev->dev, "watchdog init success\n"); + + return 0; +-- +2.27.0 + diff --git a/queue-5.8/drm-amd-display-avoid-set-zero-in-the-requested-clk.patch b/queue-5.8/drm-amd-display-avoid-set-zero-in-the-requested-clk.patch new file mode 100644 index 00000000000..78353d1b708 --- /dev/null +++ b/queue-5.8/drm-amd-display-avoid-set-zero-in-the-requested-clk.patch @@ -0,0 +1,55 @@ +From ad10a69a37309b355c2a4bd72c2ffe59038d0051 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Sep 2020 13:57:54 -0400 +Subject: drm/amd/display: Avoid set zero in the requested clk + +From: Rodrigo Siqueira + +[ Upstream commit 2f8be0e516803cc3fd87c1671247896571a5a8fb ] + +[Why] +Sometimes CRTCs can be disabled due to display unplugging or temporarily +transition in the userspace; in these circumstances, DCE tries to set +the minimum clock threshold. When we have this situation, the function +bw_calcs is invoked with number_of_displays set to zero, making DCE set +dispclk_khz and sclk_khz to zero. For these reasons, we have seen some +ATOM bios errors that look like: + +[drm:atom_op_jump [amdgpu]] *ERROR* atombios stuck in loop for more than +5secs aborting +[drm:amdgpu_atom_execute_table_locked [amdgpu]] *ERROR* atombios stuck +executing EA8A (len 761, WS 0, PS 0) @ 0xEABA + +[How] +This error happens due to an attempt to optimize the bandwidth using the +sclk, and the dispclk clock set to zero. Technically we handle this in +the function dce112_set_clock, but we are not considering the case that +this value is set to zero. This commit fixes this issue by ensuring that +we never set a minimum value below the minimum clock threshold. + +Signed-off-by: Rodrigo Siqueira +Reviewed-by: Nicholas Kazlauskas +Acked-by: Eryk Brol +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dce112/dce112_clk_mgr.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce112/dce112_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce112/dce112_clk_mgr.c +index d031bd3d30724..807dca8f7d7aa 100644 +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce112/dce112_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce112/dce112_clk_mgr.c +@@ -79,8 +79,7 @@ int dce112_set_clock(struct clk_mgr *clk_mgr_base, int requested_clk_khz) + memset(&dce_clk_params, 0, sizeof(dce_clk_params)); + + /* Make sure requested clock isn't lower than minimum threshold*/ +- if (requested_clk_khz > 0) +- requested_clk_khz = max(requested_clk_khz, ++ requested_clk_khz = max(requested_clk_khz, + clk_mgr_dce->base.dentist_vco_freq_khz / 62); + + dce_clk_params.target_clock_frequency = requested_clk_khz; +-- +2.27.0 + diff --git a/queue-5.8/drm-amd-display-check-clock-table-return.patch b/queue-5.8/drm-amd-display-check-clock-table-return.patch new file mode 100644 index 00000000000..c48c739bdf7 --- /dev/null +++ b/queue-5.8/drm-amd-display-check-clock-table-return.patch @@ -0,0 +1,60 @@ +From 10b903a76a27bd630be775f2fcc43c47132ac4ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 14:26:07 -0400 +Subject: drm/amd/display: Check clock table return + +From: Rodrigo Siqueira + +[ Upstream commit 4b4f21ff7f5d11bb77e169b306dcbc5b216f5db5 ] + +During the load processes for Renoir, our display code needs to retrieve +the SMU clock and voltage table, however, this operation can fail which +means that we have to check this scenario. Currently, we are not +handling this case properly and as a result, we have seen the following +dmesg log during the boot: + +RIP: 0010:rn_clk_mgr_construct+0x129/0x3d0 [amdgpu] +... +Call Trace: + dc_clk_mgr_create+0x16a/0x1b0 [amdgpu] + dc_create+0x231/0x760 [amdgpu] + +This commit fixes this issue by checking the return status retrieved +from the clock table before try to populate any bandwidth. + +Signed-off-by: Rodrigo Siqueira +Acked-by: Aurabindo Pillai +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c +index 24c5765890fa7..14f21a7307791 100644 +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c +@@ -699,6 +699,7 @@ void rn_clk_mgr_construct( + { + struct dc_debug_options *debug = &ctx->dc->debug; + struct dpm_clocks clock_table = { 0 }; ++ enum pp_smu_status status = 0; + + clk_mgr->base.ctx = ctx; + clk_mgr->base.funcs = &dcn21_funcs; +@@ -751,8 +752,10 @@ void rn_clk_mgr_construct( + clk_mgr->base.bw_params = &rn_bw_params; + + if (pp_smu && pp_smu->rn_funcs.get_dpm_clock_table) { +- pp_smu->rn_funcs.get_dpm_clock_table(&pp_smu->rn_funcs.pp_smu, &clock_table); +- if (ctx->dc_bios && ctx->dc_bios->integrated_info) { ++ status = pp_smu->rn_funcs.get_dpm_clock_table(&pp_smu->rn_funcs.pp_smu, &clock_table); ++ ++ if (status == PP_SMU_RESULT_OK && ++ ctx->dc_bios && ctx->dc_bios->integrated_info) { + rn_clk_mgr_helper_populate_bw_params (clk_mgr->base.bw_params, &clock_table, ctx->dc_bios->integrated_info); + } + } +-- +2.27.0 + diff --git a/queue-5.8/drm-amd-display-hdmi-remote-sink-need-mode-validatio.patch b/queue-5.8/drm-amd-display-hdmi-remote-sink-need-mode-validatio.patch new file mode 100644 index 00000000000..82a9bc7cd70 --- /dev/null +++ b/queue-5.8/drm-amd-display-hdmi-remote-sink-need-mode-validatio.patch @@ -0,0 +1,49 @@ +From 3beb0312e5bd8bcc52dd5b472e906054fe8fbf08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 17:52:43 -0400 +Subject: drm/amd/display: HDMI remote sink need mode validation for Linux + +From: Fangzhi Zuo + +[ Upstream commit 95d620adb48f7728e67d82f56f756e8d451cf8d2 ] + +[Why] +Currently mode validation is bypassed if remote sink exists. That +leads to mode set issue when a BW bottle neck exists in the link path, +e.g., a DP-to-HDMI converter that only supports HDMI 1.4. + +Any invalid mode passed to Linux user space will cause the modeset +failure due to limitation of Linux user space implementation. + +[How] +Mode validation is skipped only if in edid override. For real remote +sink, clock limit check should be done for HDMI remote sink. + +Have HDMI related remote sink going through mode validation to +elimiate modes which pixel clock exceeds BW limitation. + +Signed-off-by: Fangzhi Zuo +Reviewed-by: Hersen Wu +Acked-by: Eryk Brol +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +index 885beb0bcc199..eeb4d01048f32 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +@@ -2439,7 +2439,7 @@ enum dc_status dc_link_validate_mode_timing( + /* A hack to avoid failing any modes for EDID override feature on + * topology change such as lower quality cable for DP or different dongle + */ +- if (link->remote_sinks[0]) ++ if (link->remote_sinks[0] && link->remote_sinks[0]->sink_signal == SIGNAL_TYPE_VIRTUAL) + return DC_OK; + + /* Passive Dongle */ +-- +2.27.0 + diff --git a/queue-5.8/drm-amdgpu-no-sysfs-not-an-error-condition.patch b/queue-5.8/drm-amdgpu-no-sysfs-not-an-error-condition.patch new file mode 100644 index 00000000000..14c50203a71 --- /dev/null +++ b/queue-5.8/drm-amdgpu-no-sysfs-not-an-error-condition.patch @@ -0,0 +1,43 @@ +From c33a780042613da567c5fdbc6d8587ec0d0c72e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 13:03:50 -0400 +Subject: drm/amdgpu: No sysfs, not an error condition + +From: Luben Tuikov + +[ Upstream commit 5aea5327ea2ddf544cbeff096f45fc2319b0714e ] + +Not being able to create amdgpu sysfs attributes +is not a fatal error warranting not to continue +to try to bring up the display. Thus, if we get +an error trying to create amdgpu sysfs attrs, +report it and continue on to try to bring up +a display. + +Signed-off-by: Luben Tuikov +Acked-by: Slava Abramov +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index a027a8f7b2819..21c56d5b05999 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3275,10 +3275,8 @@ fence_driver_init: + msecs_to_jiffies(AMDGPU_RESUME_MS)); + + r = sysfs_create_files(&adev->dev->kobj, amdgpu_dev_attributes); +- if (r) { ++ if (r) + dev_err(adev->dev, "Could not create amdgpu device attr\n"); +- return r; +- } + + if (IS_ENABLED(CONFIG_PERF_EVENTS)) + r = amdgpu_pmu_init(adev); +-- +2.27.0 + diff --git a/queue-5.8/drm-amdgpu-restore-ras-flags-when-user-resets-eeprom.patch b/queue-5.8/drm-amdgpu-restore-ras-flags-when-user-resets-eeprom.patch new file mode 100644 index 00000000000..b437bbd198c --- /dev/null +++ b/queue-5.8/drm-amdgpu-restore-ras-flags-when-user-resets-eeprom.patch @@ -0,0 +1,52 @@ +From cc384f2fa7a69f1e33027602e00b3c177c5012df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jul 2020 10:37:01 +0800 +Subject: drm/amdgpu: restore ras flags when user resets eeprom(v2) + +From: Guchun Chen + +[ Upstream commit bf0b91b78f002faa1be1902a75eeb0797f9fbcf3 ] + +RAS flags needs to be cleaned as well when user requires +one clean eeprom. + +v2: RAS flags shall be restored after eeprom reset succeeds. + +Signed-off-by: Guchun Chen +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c +index 3f47f35eedff1..50fc974655f0d 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c +@@ -364,12 +364,19 @@ static ssize_t amdgpu_ras_debugfs_ctrl_write(struct file *f, const char __user * + static ssize_t amdgpu_ras_debugfs_eeprom_write(struct file *f, const char __user *buf, + size_t size, loff_t *pos) + { +- struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private; ++ struct amdgpu_device *adev = ++ (struct amdgpu_device *)file_inode(f)->i_private; + int ret; + +- ret = amdgpu_ras_eeprom_reset_table(&adev->psp.ras.ras->eeprom_control); ++ ret = amdgpu_ras_eeprom_reset_table( ++ &(amdgpu_ras_get_context(adev)->eeprom_control)); + +- return ret == 1 ? size : -EIO; ++ if (ret == 1) { ++ amdgpu_ras_get_context(adev)->flags = RAS_DEFAULT_FLAGS; ++ return size; ++ } else { ++ return -EIO; ++ } + } + + static const struct file_operations amdgpu_ras_debugfs_ctrl_ops = { +-- +2.27.0 + diff --git a/queue-5.8/drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch b/queue-5.8/drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch new file mode 100644 index 00000000000..b5828cb6210 --- /dev/null +++ b/queue-5.8/drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch @@ -0,0 +1,67 @@ +From 0b306d1faa8c36cee0f2ea74a90e95eb6003da7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jul 2020 21:42:34 +0200 +Subject: drm/bridge/synopsys: dsi: add support for non-continuous HS clock + +From: Antonio Borneo + +[ Upstream commit c6d94e37bdbb6dfe7e581e937a915ab58399b8a5 ] + +Current code enables the HS clock when video mode is started or to +send out a HS command, and disables the HS clock to send out a LP +command. This is not what DSI spec specify. + +Enable HS clock either in command and in video mode. +Set automatic HS clock management for panels and devices that +support non-continuous HS clock. + +Signed-off-by: Antonio Borneo +Tested-by: Philippe Cornu +Reviewed-by: Philippe Cornu +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20200701194234.18123-1-yannick.fertre@st.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c b/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c +index 5ef0f154aa7bd..1dd57db184c89 100644 +--- a/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c ++++ b/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c +@@ -366,7 +366,6 @@ static void dw_mipi_message_config(struct dw_mipi_dsi *dsi, + if (lpm) + val |= CMD_MODE_ALL_LP; + +- dsi_write(dsi, DSI_LPCLK_CTRL, lpm ? 0 : PHY_TXREQUESTCLKHS); + dsi_write(dsi, DSI_CMD_MODE_CFG, val); + } + +@@ -542,16 +541,22 @@ static void dw_mipi_dsi_video_mode_config(struct dw_mipi_dsi *dsi) + static void dw_mipi_dsi_set_mode(struct dw_mipi_dsi *dsi, + unsigned long mode_flags) + { ++ u32 val; ++ + dsi_write(dsi, DSI_PWR_UP, RESET); + + if (mode_flags & MIPI_DSI_MODE_VIDEO) { + dsi_write(dsi, DSI_MODE_CFG, ENABLE_VIDEO_MODE); + dw_mipi_dsi_video_mode_config(dsi); +- dsi_write(dsi, DSI_LPCLK_CTRL, PHY_TXREQUESTCLKHS); + } else { + dsi_write(dsi, DSI_MODE_CFG, ENABLE_CMD_MODE); + } + ++ val = PHY_TXREQUESTCLKHS; ++ if (dsi->mode_flags & MIPI_DSI_CLOCK_NON_CONTINUOUS) ++ val |= AUTO_CLKLANE_CTRL; ++ dsi_write(dsi, DSI_LPCLK_CTRL, val); ++ + dsi_write(dsi, DSI_PWR_UP, POWERUP); + } + +-- +2.27.0 + diff --git a/queue-5.8/drm-bridge_connector-set-default-status-connected-fo.patch b/queue-5.8/drm-bridge_connector-set-default-status-connected-fo.patch new file mode 100644 index 00000000000..8a65de0b554 --- /dev/null +++ b/queue-5.8/drm-bridge_connector-set-default-status-connected-fo.patch @@ -0,0 +1,41 @@ +From 9ddc37df04ac296b5fb9d1d1ffd202c04f947a6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 10:15:22 +0200 +Subject: drm/bridge_connector: Set default status connected for eDP connectors + +From: Enric Balletbo i Serra + +[ Upstream commit c5589b39549d1875bb506da473bf4580c959db8c ] + +In an eDP application, HPD is not required and on most bridge chips +useless. If HPD is not used, we need to set initial status as connected, +otherwise the connector created by the drm_bridge_connector API remains +in an unknown state. + +Reviewed-by: Laurent Pinchart +Acked-by: Sam Ravnborg +Signed-off-by: Enric Balletbo i Serra +Reviewed-by: Bilal Wasim +Tested-by: Bilal Wasim +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200826081526.674866-2-enric.balletbo@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_bridge_connector.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/drm_bridge_connector.c b/drivers/gpu/drm/drm_bridge_connector.c +index c6994fe673f31..a58cbde59c34a 100644 +--- a/drivers/gpu/drm/drm_bridge_connector.c ++++ b/drivers/gpu/drm/drm_bridge_connector.c +@@ -187,6 +187,7 @@ drm_bridge_connector_detect(struct drm_connector *connector, bool force) + case DRM_MODE_CONNECTOR_DPI: + case DRM_MODE_CONNECTOR_LVDS: + case DRM_MODE_CONNECTOR_DSI: ++ case DRM_MODE_CONNECTOR_eDP: + status = connector_status_connected; + break; + default: +-- +2.27.0 + diff --git a/queue-5.8/drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch b/queue-5.8/drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch new file mode 100644 index 00000000000..8b6f2b0e2da --- /dev/null +++ b/queue-5.8/drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch @@ -0,0 +1,60 @@ +From d95016b2c2d396705dbb741c919d0f65b9c82ba2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 17:37:56 +0300 +Subject: drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working + correctly + +From: Nadezda Lutovinova + +[ Upstream commit f688a345f0d7a6df4dd2aeca8e4f3c05e123a0ee ] + +If ge_b850v3_lvds_init() does not allocate memory for ge_b850v3_lvds_ptr, +then a null pointer dereference is accessed. + +The patch adds checking of the return value of ge_b850v3_lvds_init(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Nadezda Lutovinova +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200819143756.30626-1-lutovinova@ispras.ru +Signed-off-by: Sasha Levin +--- + .../gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +index 6200f12a37e69..ab8174831cf40 100644 +--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c ++++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +@@ -302,8 +302,12 @@ static int stdp4028_ge_b850v3_fw_probe(struct i2c_client *stdp4028_i2c, + const struct i2c_device_id *id) + { + struct device *dev = &stdp4028_i2c->dev; ++ int ret; ++ ++ ret = ge_b850v3_lvds_init(dev); + +- ge_b850v3_lvds_init(dev); ++ if (ret) ++ return ret; + + ge_b850v3_lvds_ptr->stdp4028_i2c = stdp4028_i2c; + i2c_set_clientdata(stdp4028_i2c, ge_b850v3_lvds_ptr); +@@ -361,8 +365,12 @@ static int stdp2690_ge_b850v3_fw_probe(struct i2c_client *stdp2690_i2c, + const struct i2c_device_id *id) + { + struct device *dev = &stdp2690_i2c->dev; ++ int ret; ++ ++ ret = ge_b850v3_lvds_init(dev); + +- ge_b850v3_lvds_init(dev); ++ if (ret) ++ return ret; + + ge_b850v3_lvds_ptr->stdp2690_i2c = stdp2690_i2c; + i2c_set_clientdata(stdp2690_i2c, ge_b850v3_lvds_ptr); +-- +2.27.0 + diff --git a/queue-5.8/drm-exynos-fix-common-struct-sg_table-related-issues.patch b/queue-5.8/drm-exynos-fix-common-struct-sg_table-related-issues.patch new file mode 100644 index 00000000000..2b5539170f5 --- /dev/null +++ b/queue-5.8/drm-exynos-fix-common-struct-sg_table-related-issues.patch @@ -0,0 +1,72 @@ +From 97b507f245128d0d3a1e6684fa5d146264556544 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2020 13:08:41 +0200 +Subject: drm: exynos: fix common struct sg_table related issues + +From: Marek Szyprowski + +[ Upstream commit 84404614167b829f7b58189cd24b6c0c74897171 ] + +The Documentation/DMA-API-HOWTO.txt states that the dma_map_sg() function +returns the number of the created entries in the DMA address space. +However the subsequent calls to the dma_sync_sg_for_{device,cpu}() and +dma_unmap_sg must be called with the original number of the entries +passed to the dma_map_sg(). + +struct sg_table is a common structure used for describing a non-contiguous +memory buffer, used commonly in the DRM and graphics subsystems. It +consists of a scatterlist with memory pages and DMA addresses (sgl entry), +as well as the number of scatterlist entries: CPU pages (orig_nents entry) +and DMA mapped pages (nents entry). + +It turned out that it was a common mistake to misuse nents and orig_nents +entries, calling DMA-mapping functions with a wrong number of entries or +ignoring the number of mapped entries returned by the dma_map_sg() +function. + +To avoid such issues, lets use a common dma-mapping wrappers operating +directly on the struct sg_table objects and use scatterlist page +iterators where possible. This, almost always, hides references to the +nents and orig_nents entries, making the code robust, easier to follow +and copy/paste safe. + +Signed-off-by: Marek Szyprowski +Reviewed-by: Andrzej Hajda +Acked-by : Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_g2d.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.c b/drivers/gpu/drm/exynos/exynos_drm_g2d.c +index 03be314271811..967a5cdc120e3 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c +@@ -395,8 +395,8 @@ static void g2d_userptr_put_dma_addr(struct g2d_data *g2d, + return; + + out: +- dma_unmap_sg(to_dma_dev(g2d->drm_dev), g2d_userptr->sgt->sgl, +- g2d_userptr->sgt->nents, DMA_BIDIRECTIONAL); ++ dma_unmap_sgtable(to_dma_dev(g2d->drm_dev), g2d_userptr->sgt, ++ DMA_BIDIRECTIONAL, 0); + + pages = frame_vector_pages(g2d_userptr->vec); + if (!IS_ERR(pages)) { +@@ -511,10 +511,10 @@ static dma_addr_t *g2d_userptr_get_dma_addr(struct g2d_data *g2d, + + g2d_userptr->sgt = sgt; + +- if (!dma_map_sg(to_dma_dev(g2d->drm_dev), sgt->sgl, sgt->nents, +- DMA_BIDIRECTIONAL)) { ++ ret = dma_map_sgtable(to_dma_dev(g2d->drm_dev), sgt, ++ DMA_BIDIRECTIONAL, 0); ++ if (ret) { + DRM_DEV_ERROR(g2d->dev, "failed to map sgt with dma region.\n"); +- ret = -ENOMEM; + goto err_sg_free_table; + } + +-- +2.27.0 + diff --git a/queue-5.8/drm-lima-fix-common-struct-sg_table-related-issues.patch b/queue-5.8/drm-lima-fix-common-struct-sg_table-related-issues.patch new file mode 100644 index 00000000000..2dad8d8d537 --- /dev/null +++ b/queue-5.8/drm-lima-fix-common-struct-sg_table-related-issues.patch @@ -0,0 +1,95 @@ +From 2458994aeaca91801e0b06c284bc911beb99c331 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2020 13:09:11 +0200 +Subject: drm: lima: fix common struct sg_table related issues + +From: Marek Szyprowski + +[ Upstream commit c3d9c17f486d5c54940487dc31a54ebfdeeb371a ] + +The Documentation/DMA-API-HOWTO.txt states that the dma_map_sg() function +returns the number of the created entries in the DMA address space. +However the subsequent calls to the dma_sync_sg_for_{device,cpu}() and +dma_unmap_sg must be called with the original number of the entries +passed to the dma_map_sg(). + +struct sg_table is a common structure used for describing a non-contiguous +memory buffer, used commonly in the DRM and graphics subsystems. It +consists of a scatterlist with memory pages and DMA addresses (sgl entry), +as well as the number of scatterlist entries: CPU pages (orig_nents entry) +and DMA mapped pages (nents entry). + +It turned out that it was a common mistake to misuse nents and orig_nents +entries, calling DMA-mapping functions with a wrong number of entries or +ignoring the number of mapped entries returned by the dma_map_sg() +function. + +To avoid such issues, lets use a common dma-mapping wrappers operating +directly on the struct sg_table objects and use scatterlist page +iterators where possible. This, almost always, hides references to the +nents and orig_nents entries, making the code robust, easier to follow +and copy/paste safe. + +Signed-off-by: Marek Szyprowski +Reviewed-by: Qiang Yu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/lima/lima_gem.c | 11 ++++++++--- + drivers/gpu/drm/lima/lima_vm.c | 5 ++--- + 2 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/lima/lima_gem.c b/drivers/gpu/drm/lima/lima_gem.c +index 5404e0d668dbb..cda43f6848335 100644 +--- a/drivers/gpu/drm/lima/lima_gem.c ++++ b/drivers/gpu/drm/lima/lima_gem.c +@@ -69,8 +69,7 @@ int lima_heap_alloc(struct lima_bo *bo, struct lima_vm *vm) + return ret; + + if (bo->base.sgt) { +- dma_unmap_sg(dev, bo->base.sgt->sgl, +- bo->base.sgt->nents, DMA_BIDIRECTIONAL); ++ dma_unmap_sgtable(dev, bo->base.sgt, DMA_BIDIRECTIONAL, 0); + sg_free_table(bo->base.sgt); + } else { + bo->base.sgt = kmalloc(sizeof(*bo->base.sgt), GFP_KERNEL); +@@ -80,7 +79,13 @@ int lima_heap_alloc(struct lima_bo *bo, struct lima_vm *vm) + } + } + +- dma_map_sg(dev, sgt.sgl, sgt.nents, DMA_BIDIRECTIONAL); ++ ret = dma_map_sgtable(dev, &sgt, DMA_BIDIRECTIONAL, 0); ++ if (ret) { ++ sg_free_table(&sgt); ++ kfree(bo->base.sgt); ++ bo->base.sgt = NULL; ++ return ret; ++ } + + *bo->base.sgt = sgt; + +diff --git a/drivers/gpu/drm/lima/lima_vm.c b/drivers/gpu/drm/lima/lima_vm.c +index 5b92fb82674a9..2b2739adc7f53 100644 +--- a/drivers/gpu/drm/lima/lima_vm.c ++++ b/drivers/gpu/drm/lima/lima_vm.c +@@ -124,7 +124,7 @@ int lima_vm_bo_add(struct lima_vm *vm, struct lima_bo *bo, bool create) + if (err) + goto err_out1; + +- for_each_sg_dma_page(bo->base.sgt->sgl, &sg_iter, bo->base.sgt->nents, 0) { ++ for_each_sgtable_dma_page(bo->base.sgt, &sg_iter, 0) { + err = lima_vm_map_page(vm, sg_page_iter_dma_address(&sg_iter), + bo_va->node.start + offset); + if (err) +@@ -298,8 +298,7 @@ int lima_vm_map_bo(struct lima_vm *vm, struct lima_bo *bo, int pageoff) + mutex_lock(&vm->lock); + + base = bo_va->node.start + (pageoff << PAGE_SHIFT); +- for_each_sg_dma_page(bo->base.sgt->sgl, &sg_iter, +- bo->base.sgt->nents, pageoff) { ++ for_each_sgtable_dma_page(bo->base.sgt, &sg_iter, pageoff) { + err = lima_vm_map_page(vm, sg_page_iter_dma_address(&sg_iter), + base + offset); + if (err) +-- +2.27.0 + diff --git a/queue-5.8/drm-panfrost-fix-common-struct-sg_table-related-issu.patch b/queue-5.8/drm-panfrost-fix-common-struct-sg_table-related-issu.patch new file mode 100644 index 00000000000..fdeba6ccb0b --- /dev/null +++ b/queue-5.8/drm-panfrost-fix-common-struct-sg_table-related-issu.patch @@ -0,0 +1,85 @@ +From 7e0b9255835797482153375ca22fb905f6296999 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2020 13:09:35 +0200 +Subject: drm: panfrost: fix common struct sg_table related issues + +From: Marek Szyprowski + +[ Upstream commit 34a4e66faf8b22c8409cbd46839ba5e488b1e6a9 ] + +The Documentation/DMA-API-HOWTO.txt states that the dma_map_sg() function +returns the number of the created entries in the DMA address space. +However the subsequent calls to the dma_sync_sg_for_{device,cpu}() and +dma_unmap_sg must be called with the original number of the entries +passed to the dma_map_sg(). + +struct sg_table is a common structure used for describing a non-contiguous +memory buffer, used commonly in the DRM and graphics subsystems. It +consists of a scatterlist with memory pages and DMA addresses (sgl entry), +as well as the number of scatterlist entries: CPU pages (orig_nents entry) +and DMA mapped pages (nents entry). + +It turned out that it was a common mistake to misuse nents and orig_nents +entries, calling DMA-mapping functions with a wrong number of entries or +ignoring the number of mapped entries returned by the dma_map_sg() +function. + +To avoid such issues, lets use a common dma-mapping wrappers operating +directly on the struct sg_table objects and use scatterlist page +iterators where possible. This, almost always, hides references to the +nents and orig_nents entries, making the code robust, easier to follow +and copy/paste safe. + +Signed-off-by: Marek Szyprowski +Reviewed-by: Steven Price +Reviewed-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_gem.c | 4 ++-- + drivers/gpu/drm/panfrost/panfrost_mmu.c | 7 +++---- + 2 files changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_gem.c b/drivers/gpu/drm/panfrost/panfrost_gem.c +index 556181ea4a073..2ddad8f36f12f 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_gem.c ++++ b/drivers/gpu/drm/panfrost/panfrost_gem.c +@@ -41,8 +41,8 @@ static void panfrost_gem_free_object(struct drm_gem_object *obj) + + for (i = 0; i < n_sgt; i++) { + if (bo->sgts[i].sgl) { +- dma_unmap_sg(pfdev->dev, bo->sgts[i].sgl, +- bo->sgts[i].nents, DMA_BIDIRECTIONAL); ++ dma_unmap_sgtable(pfdev->dev, &bo->sgts[i], ++ DMA_BIDIRECTIONAL, 0); + sg_free_table(&bo->sgts[i]); + } + } +diff --git a/drivers/gpu/drm/panfrost/panfrost_mmu.c b/drivers/gpu/drm/panfrost/panfrost_mmu.c +index 3c8ae7411c800..40a04acfa0260 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c ++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c +@@ -253,7 +253,7 @@ static int mmu_map_sg(struct panfrost_device *pfdev, struct panfrost_mmu *mmu, + struct io_pgtable_ops *ops = mmu->pgtbl_ops; + u64 start_iova = iova; + +- for_each_sg(sgt->sgl, sgl, sgt->nents, count) { ++ for_each_sgtable_dma_sg(sgt, sgl, count) { + unsigned long paddr = sg_dma_address(sgl); + size_t len = sg_dma_len(sgl); + +@@ -517,10 +517,9 @@ static int panfrost_mmu_map_fault_addr(struct panfrost_device *pfdev, int as, + if (ret) + goto err_pages; + +- if (!dma_map_sg(pfdev->dev, sgt->sgl, sgt->nents, DMA_BIDIRECTIONAL)) { +- ret = -EINVAL; ++ ret = dma_map_sgtable(pfdev->dev, sgt, DMA_BIDIRECTIONAL, 0); ++ if (ret) + goto err_map; +- } + + mmu_map_sg(pfdev, bomapping->mmu, addr, + IOMMU_WRITE | IOMMU_READ | IOMMU_NOEXEC, sgt); +-- +2.27.0 + diff --git a/queue-5.8/drm-scheduler-scheduler-priority-fixes-v2.patch b/queue-5.8/drm-scheduler-scheduler-priority-fixes-v2.patch new file mode 100644 index 00000000000..9c685d2322f --- /dev/null +++ b/queue-5.8/drm-scheduler-scheduler-priority-fixes-v2.patch @@ -0,0 +1,199 @@ +From a7d205b42b302bfb4228a6582d57a8cc177bac8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 19:59:58 -0400 +Subject: drm/scheduler: Scheduler priority fixes (v2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luben Tuikov + +[ Upstream commit e2d732fdb7a9e421720a644580cd6a9400f97f60 ] + +Remove DRM_SCHED_PRIORITY_LOW, as it was used +in only one place. + +Rename and separate by a line +DRM_SCHED_PRIORITY_MAX to DRM_SCHED_PRIORITY_COUNT +as it represents a (total) count of said +priorities and it is used as such in loops +throughout the code. (0-based indexing is the +the count number.) + +Remove redundant word HIGH in priority names, +and rename *KERNEL* to *HIGH*, as it really +means that, high. + +v2: Add back KERNEL and remove SW and HW, + in lieu of a single HIGH between NORMAL and KERNEL. + +Signed-off-by: Luben Tuikov +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c | 4 ++-- + drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 2 +- + drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 2 +- + drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 2 +- + drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c | 6 +++--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 2 +- + drivers/gpu/drm/scheduler/sched_main.c | 4 ++-- + include/drm/gpu_scheduler.h | 12 +++++++----- + 8 files changed, 18 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c +index 8842c55d4490b..fc695126b6e75 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c +@@ -46,7 +46,7 @@ const unsigned int amdgpu_ctx_num_entities[AMDGPU_HW_IP_NUM] = { + static int amdgpu_ctx_priority_permit(struct drm_file *filp, + enum drm_sched_priority priority) + { +- if (priority < 0 || priority >= DRM_SCHED_PRIORITY_MAX) ++ if (priority < 0 || priority >= DRM_SCHED_PRIORITY_COUNT) + return -EINVAL; + + /* NORMAL and below are accessible by everyone */ +@@ -65,7 +65,7 @@ static int amdgpu_ctx_priority_permit(struct drm_file *filp, + static enum gfx_pipe_priority amdgpu_ctx_sched_prio_to_compute_prio(enum drm_sched_priority prio) + { + switch (prio) { +- case DRM_SCHED_PRIORITY_HIGH_HW: ++ case DRM_SCHED_PRIORITY_HIGH: + case DRM_SCHED_PRIORITY_KERNEL: + return AMDGPU_GFX_PIPE_PRIO_HIGH; + default: +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c +index 4fb4c3b696876..635a7a21d15b2 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c +@@ -254,7 +254,7 @@ void amdgpu_job_stop_all_jobs_on_sched(struct drm_gpu_scheduler *sched) + int i; + + /* Signal all jobs not yet scheduled */ +- for (i = DRM_SCHED_PRIORITY_MAX - 1; i >= DRM_SCHED_PRIORITY_MIN; i--) { ++ for (i = DRM_SCHED_PRIORITY_COUNT - 1; i >= DRM_SCHED_PRIORITY_MIN; i--) { + struct drm_sched_rq *rq = &sched->sched_rq[i]; + + if (!rq) +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c +index 13ea8ebc421c6..6d4fc79bf84aa 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c +@@ -267,7 +267,7 @@ int amdgpu_ring_init(struct amdgpu_device *adev, struct amdgpu_ring *ring, + &ring->sched; + } + +- for (i = 0; i < DRM_SCHED_PRIORITY_MAX; ++i) ++ for (i = DRM_SCHED_PRIORITY_MIN; i < DRM_SCHED_PRIORITY_COUNT; ++i) + atomic_set(&ring->num_jobs[i], 0); + + return 0; +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h +index be218754629ab..5f31a33dbd525 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h +@@ -242,7 +242,7 @@ struct amdgpu_ring { + bool has_compute_vm_bug; + bool no_scheduler; + +- atomic_t num_jobs[DRM_SCHED_PRIORITY_MAX]; ++ atomic_t num_jobs[DRM_SCHED_PRIORITY_COUNT]; + struct mutex priority_mutex; + /* protected by priority_mutex */ + int priority; +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c +index c799691dfa848..17661ede94885 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c +@@ -36,14 +36,14 @@ enum drm_sched_priority amdgpu_to_sched_priority(int amdgpu_priority) + { + switch (amdgpu_priority) { + case AMDGPU_CTX_PRIORITY_VERY_HIGH: +- return DRM_SCHED_PRIORITY_HIGH_HW; ++ return DRM_SCHED_PRIORITY_HIGH; + case AMDGPU_CTX_PRIORITY_HIGH: +- return DRM_SCHED_PRIORITY_HIGH_SW; ++ return DRM_SCHED_PRIORITY_HIGH; + case AMDGPU_CTX_PRIORITY_NORMAL: + return DRM_SCHED_PRIORITY_NORMAL; + case AMDGPU_CTX_PRIORITY_LOW: + case AMDGPU_CTX_PRIORITY_VERY_LOW: +- return DRM_SCHED_PRIORITY_LOW; ++ return DRM_SCHED_PRIORITY_MIN; + case AMDGPU_CTX_PRIORITY_UNSET: + return DRM_SCHED_PRIORITY_UNSET; + default: +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +index 9a3267f06376f..d63846f6900d0 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +@@ -2065,7 +2065,7 @@ void amdgpu_ttm_set_buffer_funcs_status(struct amdgpu_device *adev, bool enable) + ring = adev->mman.buffer_funcs_ring; + sched = &ring->sched; + r = drm_sched_entity_init(&adev->mman.entity, +- DRM_SCHED_PRIORITY_KERNEL, &sched, ++ DRM_SCHED_PRIORITY_KERNEL, &sched, + 1, NULL); + if (r) { + DRM_ERROR("Failed setting up TTM BO move entity (%d)\n", +diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c +index 2f319102ae9f7..19f381e5e6618 100644 +--- a/drivers/gpu/drm/scheduler/sched_main.c ++++ b/drivers/gpu/drm/scheduler/sched_main.c +@@ -623,7 +623,7 @@ drm_sched_select_entity(struct drm_gpu_scheduler *sched) + return NULL; + + /* Kernel run queue has higher priority than normal run queue*/ +- for (i = DRM_SCHED_PRIORITY_MAX - 1; i >= DRM_SCHED_PRIORITY_MIN; i--) { ++ for (i = DRM_SCHED_PRIORITY_COUNT - 1; i >= DRM_SCHED_PRIORITY_MIN; i--) { + entity = drm_sched_rq_select_entity(&sched->sched_rq[i]); + if (entity) + break; +@@ -851,7 +851,7 @@ int drm_sched_init(struct drm_gpu_scheduler *sched, + sched->name = name; + sched->timeout = timeout; + sched->hang_limit = hang_limit; +- for (i = DRM_SCHED_PRIORITY_MIN; i < DRM_SCHED_PRIORITY_MAX; i++) ++ for (i = DRM_SCHED_PRIORITY_MIN; i < DRM_SCHED_PRIORITY_COUNT; i++) + drm_sched_rq_init(sched, &sched->sched_rq[i]); + + init_waitqueue_head(&sched->wake_up_worker); +diff --git a/include/drm/gpu_scheduler.h b/include/drm/gpu_scheduler.h +index a21b3b92135a6..b30026ccd564b 100644 +--- a/include/drm/gpu_scheduler.h ++++ b/include/drm/gpu_scheduler.h +@@ -33,14 +33,16 @@ + struct drm_gpu_scheduler; + struct drm_sched_rq; + ++/* These are often used as an (initial) index ++ * to an array, and as such should start at 0. ++ */ + enum drm_sched_priority { + DRM_SCHED_PRIORITY_MIN, +- DRM_SCHED_PRIORITY_LOW = DRM_SCHED_PRIORITY_MIN, + DRM_SCHED_PRIORITY_NORMAL, +- DRM_SCHED_PRIORITY_HIGH_SW, +- DRM_SCHED_PRIORITY_HIGH_HW, ++ DRM_SCHED_PRIORITY_HIGH, + DRM_SCHED_PRIORITY_KERNEL, +- DRM_SCHED_PRIORITY_MAX, ++ ++ DRM_SCHED_PRIORITY_COUNT, + DRM_SCHED_PRIORITY_INVALID = -1, + DRM_SCHED_PRIORITY_UNSET = -2 + }; +@@ -274,7 +276,7 @@ struct drm_gpu_scheduler { + uint32_t hw_submission_limit; + long timeout; + const char *name; +- struct drm_sched_rq sched_rq[DRM_SCHED_PRIORITY_MAX]; ++ struct drm_sched_rq sched_rq[DRM_SCHED_PRIORITY_COUNT]; + wait_queue_head_t wake_up_worker; + wait_queue_head_t job_scheduled; + atomic_t hw_rq_count; +-- +2.27.0 + diff --git a/queue-5.8/drm-vkms-avoid-warning-in-vkms_get_vblank_timestamp.patch b/queue-5.8/drm-vkms-avoid-warning-in-vkms_get_vblank_timestamp.patch new file mode 100644 index 00000000000..1dddc8aa570 --- /dev/null +++ b/queue-5.8/drm-vkms-avoid-warning-in-vkms_get_vblank_timestamp.patch @@ -0,0 +1,78 @@ +From c48bb150cbc7a9b2c1c3a35e0e29a0135832c6fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 12:45:53 +0000 +Subject: drm/vkms: avoid warning in vkms_get_vblank_timestamp + +From: Sidong Yang + +[ Upstream commit 05ca530268a9d0ab3547e7b288635e35990a77c4 ] + +This patch avoid the warning in vkms_get_vblank_timestamp when vblanks +aren't enabled. When running igt test kms_cursor_crc just after vkms +module, the warning raised like below. Initial value of vblank time is +zero and hrtimer.node.expires is also zero if vblank aren't enabled +before. vkms module isn't real hardware but just virtual hardware +module. so vkms can't generate a resonable timestamp when hrtimer is +off. it's best to grab the current time. + +[106444.464503] [IGT] kms_cursor_crc: starting subtest pipe-A-cursor-size-change +[106444.471475] WARNING: CPU: 0 PID: 10109 at +vkms_get_vblank_timestamp+0x42/0x50 [vkms] +[106444.471511] CPU: 0 PID: 10109 Comm: kms_cursor_crc Tainted: G W OE +5.9.0-rc1+ #6 +[106444.471514] RIP: 0010:vkms_get_vblank_timestamp+0x42/0x50 [vkms] +[106444.471528] Call Trace: +[106444.471551] drm_get_last_vbltimestamp+0xb9/0xd0 [drm] +[106444.471566] drm_reset_vblank_timestamp+0x63/0xe0 [drm] +[106444.471579] drm_crtc_vblank_on+0x85/0x150 [drm] +[106444.471582] vkms_crtc_atomic_enable+0xe/0x10 [vkms] +[106444.471592] drm_atomic_helper_commit_modeset_enables+0x1db/0x230 +[drm_kms_helper] +[106444.471594] vkms_atomic_commit_tail+0x38/0xc0 [vkms] +[106444.471601] commit_tail+0x97/0x130 [drm_kms_helper] +[106444.471608] drm_atomic_helper_commit+0x117/0x140 [drm_kms_helper] +[106444.471622] drm_atomic_commit+0x4a/0x50 [drm] +[106444.471629] drm_atomic_helper_set_config+0x63/0xb0 [drm_kms_helper] +[106444.471642] drm_mode_setcrtc+0x1d9/0x7b0 [drm] +[106444.471654] ? drm_mode_getcrtc+0x1a0/0x1a0 [drm] +[106444.471666] drm_ioctl_kernel+0xb6/0x100 [drm] +[106444.471677] drm_ioctl+0x3ad/0x470 [drm] +[106444.471688] ? drm_mode_getcrtc+0x1a0/0x1a0 [drm] +[106444.471692] ? tomoyo_file_ioctl+0x19/0x20 +[106444.471694] __x64_sys_ioctl+0x96/0xd0 +[106444.471697] do_syscall_64+0x37/0x80 +[106444.471699] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Cc: Daniel Vetter +Cc: Rodrigo Siqueira +Cc: Haneen Mohammed +Cc: Melissa Wen + +Signed-off-by: Sidong Yang +Reviewed-by: Melissa Wen +Signed-off-by: Rodrigo Siqueira +Link: https://patchwork.freedesktop.org/patch/msgid/20200828124553.2178-1-realwakka@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vkms/vkms_crtc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c +index ac85e17428f88..09c012d54d58f 100644 +--- a/drivers/gpu/drm/vkms/vkms_crtc.c ++++ b/drivers/gpu/drm/vkms/vkms_crtc.c +@@ -86,6 +86,11 @@ static bool vkms_get_vblank_timestamp(struct drm_crtc *crtc, + struct vkms_output *output = &vkmsdev->output; + struct drm_vblank_crtc *vblank = &dev->vblank[pipe]; + ++ if (!READ_ONCE(vblank->enabled)) { ++ *vblank_time = ktime_get(); ++ return true; ++ } ++ + *vblank_time = READ_ONCE(output->vblank_hrtimer.node.expires); + + if (WARN_ON(*vblank_time == vblank->time)) +-- +2.27.0 + diff --git a/queue-5.8/ext4-detect-already-used-quota-file-early.patch b/queue-5.8/ext4-detect-already-used-quota-file-early.patch new file mode 100644 index 00000000000..5f9540a7d24 --- /dev/null +++ b/queue-5.8/ext4-detect-already-used-quota-file-early.patch @@ -0,0 +1,48 @@ +From 5b252e1fe032644fa22ff34b08d9fbee3a8b86ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 13:03:30 +0200 +Subject: ext4: Detect already used quota file early + +From: Jan Kara + +[ Upstream commit e0770e91424f694b461141cbc99adf6b23006b60 ] + +When we try to use file already used as a quota file again (for the same +or different quota type), strange things can happen. At the very least +lockdep annotations may be wrong but also inode flags may be wrongly set +/ reset. When the file is used for two quota types at once we can even +corrupt the file and likely crash the kernel. Catch all these cases by +checking whether passed file is already used as quota file and bail +early in that case. + +This fixes occasional generic/219 failure due to lockdep complaint. + +Reviewed-by: Andreas Dilger +Reported-by: Ritesh Harjani +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20201015110330.28716-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/super.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 0b38bf29c07e0..04b776501aff8 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5999,6 +5999,11 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id, + /* Quotafile not on the same filesystem? */ + if (path->dentry->d_sb != sb) + return -EXDEV; ++ ++ /* Quota already enabled for this file? */ ++ if (IS_NOQUOTA(d_inode(path->dentry))) ++ return -EBUSY; ++ + /* Journaling quota? */ + if (EXT4_SB(sb)->s_qf_names[type]) { + /* Quotafile not in fs root? */ +-- +2.27.0 + diff --git a/queue-5.8/f2fs-add-trace-exit-in-exception-path.patch b/queue-5.8/f2fs-add-trace-exit-in-exception-path.patch new file mode 100644 index 00000000000..7e4157c87db --- /dev/null +++ b/queue-5.8/f2fs-add-trace-exit-in-exception-path.patch @@ -0,0 +1,40 @@ +From ab8598132bd06c9e84a2b2dd4731e2e9b8218eac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 20:45:44 +0800 +Subject: f2fs: add trace exit in exception path + +From: Zhang Qilong + +[ Upstream commit 9b66482282888d02832b7d90239e1cdb18e4b431 ] + +Missing the trace exit in f2fs_sync_dirty_inodes + +Signed-off-by: Zhang Qilong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index 2360649302516..95ed2b1373608 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -1047,8 +1047,12 @@ int f2fs_sync_dirty_inodes(struct f2fs_sb_info *sbi, enum inode_type type) + get_pages(sbi, is_dir ? + F2FS_DIRTY_DENTS : F2FS_DIRTY_DATA)); + retry: +- if (unlikely(f2fs_cp_error(sbi))) ++ if (unlikely(f2fs_cp_error(sbi))) { ++ trace_f2fs_sync_dirty_inodes_exit(sbi->sb, is_dir, ++ get_pages(sbi, is_dir ? ++ F2FS_DIRTY_DENTS : F2FS_DIRTY_DATA)); + return -EIO; ++ } + + spin_lock(&sbi->inode_lock[type]); + +-- +2.27.0 + diff --git a/queue-5.8/f2fs-allocate-proper-size-memory-for-zstd-decompress.patch b/queue-5.8/f2fs-allocate-proper-size-memory-for-zstd-decompress.patch new file mode 100644 index 00000000000..a62738bd7ff --- /dev/null +++ b/queue-5.8/f2fs-allocate-proper-size-memory-for-zstd-decompress.patch @@ -0,0 +1,86 @@ +From 9089b04902c58235783de815f7b08517794b507e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 15:01:52 +0800 +Subject: f2fs: allocate proper size memory for zstd decompress + +From: Chao Yu + +[ Upstream commit 0e2b7385cb59e566520cfd0a04b4b53bc9461e98 ] + +As 5kft <5kft@5kft.org> reported: + + kworker/u9:3: page allocation failure: order:9, mode:0x40c40(GFP_NOFS|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0 + CPU: 3 PID: 8168 Comm: kworker/u9:3 Tainted: G C 5.8.3-sunxi #trunk + Hardware name: Allwinner sun8i Family + Workqueue: f2fs_post_read_wq f2fs_post_read_work + [] (unwind_backtrace) from [] (show_stack+0x11/0x14) + [] (show_stack) from [] (dump_stack+0x75/0x84) + [] (dump_stack) from [] (warn_alloc+0xa3/0x104) + [] (warn_alloc) from [] (__alloc_pages_nodemask+0xb87/0xc40) + [] (__alloc_pages_nodemask) from [] (kmalloc_order+0x19/0x38) + [] (kmalloc_order) from [] (kmalloc_order_trace+0x19/0x90) + [] (kmalloc_order_trace) from [] (zstd_init_decompress_ctx+0x21/0x88) + [] (zstd_init_decompress_ctx) from [] (f2fs_decompress_pages+0x97/0x228) + [] (f2fs_decompress_pages) from [] (__read_end_io+0xfb/0x130) + [] (__read_end_io) from [] (f2fs_post_read_work+0x61/0x84) + [] (f2fs_post_read_work) from [] (process_one_work+0x15f/0x3b0) + [] (process_one_work) from [] (worker_thread+0xfb/0x3e0) + [] (worker_thread) from [] (kthread+0xeb/0x10c) + [] (kthread) from [] + +zstd may allocate large size memory for {,de}compression, it may cause +file copy failure on low-end device which has very few memory. + +For decompression, let's just allocate proper size memory based on current +file's cluster size instead of max cluster size. + +Reported-by: 5kft <5kft@5kft.org> +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/compress.c | 7 ++++--- + fs/f2fs/f2fs.h | 2 +- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c +index 2390f7943f6c8..47b62099533bd 100644 +--- a/fs/f2fs/compress.c ++++ b/fs/f2fs/compress.c +@@ -375,16 +375,17 @@ static int zstd_init_decompress_ctx(struct decompress_io_ctx *dic) + ZSTD_DStream *stream; + void *workspace; + unsigned int workspace_size; ++ unsigned int max_window_size = ++ MAX_COMPRESS_WINDOW_SIZE(dic->log_cluster_size); + +- workspace_size = ZSTD_DStreamWorkspaceBound(MAX_COMPRESS_WINDOW_SIZE); ++ workspace_size = ZSTD_DStreamWorkspaceBound(max_window_size); + + workspace = f2fs_kvmalloc(F2FS_I_SB(dic->inode), + workspace_size, GFP_NOFS); + if (!workspace) + return -ENOMEM; + +- stream = ZSTD_initDStream(MAX_COMPRESS_WINDOW_SIZE, +- workspace, workspace_size); ++ stream = ZSTD_initDStream(max_window_size, workspace, workspace_size); + if (!stream) { + printk_ratelimited("%sF2FS-fs (%s): %s ZSTD_initDStream failed\n", + KERN_ERR, F2FS_I_SB(dic->inode)->sb->s_id, +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 7d9afd54e9d8f..f03c573e427a5 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1392,7 +1392,7 @@ struct decompress_io_ctx { + #define NULL_CLUSTER ((unsigned int)(~0)) + #define MIN_COMPRESS_LOG_SIZE 2 + #define MAX_COMPRESS_LOG_SIZE 8 +-#define MAX_COMPRESS_WINDOW_SIZE ((PAGE_SIZE) << MAX_COMPRESS_LOG_SIZE) ++#define MAX_COMPRESS_WINDOW_SIZE(log_size) ((PAGE_SIZE) << (log_size)) + + struct f2fs_sb_info { + struct super_block *sb; /* pointer to VFS super block */ +-- +2.27.0 + diff --git a/queue-5.8/f2fs-compress-fix-to-disallow-enabling-compress-on-n.patch b/queue-5.8/f2fs-compress-fix-to-disallow-enabling-compress-on-n.patch new file mode 100644 index 00000000000..30fc6658b5c --- /dev/null +++ b/queue-5.8/f2fs-compress-fix-to-disallow-enabling-compress-on-n.patch @@ -0,0 +1,37 @@ +From 75d13e66cba92d2742a20425a65ea5c6e519356c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 11:03:49 +0800 +Subject: f2fs: compress: fix to disallow enabling compress on non-empty file + +From: Chao Yu + +[ Upstream commit 519a5a2f37b850f4eb86674a10d143088670a390 ] + +Compressed inode and normal inode has different layout, so we should +disallow enabling compress on non-empty file to avoid race condition +during inode .i_addr array parsing and updating. + +Signed-off-by: Chao Yu +[Jaegeuk Kim: Fix missing condition] +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/file.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 3268f8dd59bba..408a99fdaaea2 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -1837,6 +1837,8 @@ static int f2fs_setflags_common(struct inode *inode, u32 iflags, u32 mask) + if (iflags & F2FS_COMPR_FL) { + if (!f2fs_may_compress(inode)) + return -EINVAL; ++ if (S_ISREG(inode->i_mode) && inode->i_size) ++ return -EINVAL; + + set_compress_context(inode); + } +-- +2.27.0 + diff --git a/queue-5.8/f2fs-do-sanity-check-on-zoned-block-device-path.patch b/queue-5.8/f2fs-do-sanity-check-on-zoned-block-device-path.patch new file mode 100644 index 00000000000..62faf708ee1 --- /dev/null +++ b/queue-5.8/f2fs-do-sanity-check-on-zoned-block-device-path.patch @@ -0,0 +1,62 @@ +From 9b8db412f459034dbfe0b72dce02137ee9b13e50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 20:53:13 +0800 +Subject: f2fs: do sanity check on zoned block device path + +From: Chao Yu + +[ Upstream commit 07eb1d699452de04e9d389ff17fb8fc9e975d7bf ] + +sbi->devs would be initialized only if image enables multiple device +feature or blkzoned feature, if blkzoned feature flag was set by fuzz +in non-blkzoned device, we will suffer below panic: + +get_zone_idx fs/f2fs/segment.c:4892 [inline] +f2fs_usable_zone_blks_in_seg fs/f2fs/segment.c:4943 [inline] +f2fs_usable_blks_in_seg+0x39b/0xa00 fs/f2fs/segment.c:4999 +Call Trace: + check_block_count+0x69/0x4e0 fs/f2fs/segment.h:704 + build_sit_entries fs/f2fs/segment.c:4403 [inline] + f2fs_build_segment_manager+0x51da/0xa370 fs/f2fs/segment.c:5100 + f2fs_fill_super+0x3880/0x6ff0 fs/f2fs/super.c:3684 + mount_bdev+0x32e/0x3f0 fs/super.c:1417 + legacy_get_tree+0x105/0x220 fs/fs_context.c:592 + vfs_get_tree+0x89/0x2f0 fs/super.c:1547 + do_new_mount fs/namespace.c:2896 [inline] + path_mount+0x12ae/0x1e70 fs/namespace.c:3216 + do_mount fs/namespace.c:3229 [inline] + __do_sys_mount fs/namespace.c:3437 [inline] + __se_sys_mount fs/namespace.c:3414 [inline] + __x64_sys_mount+0x27f/0x300 fs/namespace.c:3414 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + +Add sanity check to inconsistency on factors: blkzoned flag, device +path and device character to avoid above panic. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 0deb839da0a03..28ab6cf26954a 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2782,6 +2782,12 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi, + segment_count, dev_seg_count); + return -EFSCORRUPTED; + } ++ } else { ++ if (__F2FS_HAS_FEATURE(raw_super, F2FS_FEATURE_BLKZONED) && ++ !bdev_is_zoned(sbi->sb->s_bdev)) { ++ f2fs_info(sbi, "Zoned block device path is missing"); ++ return -EFSCORRUPTED; ++ } + } + + if (secs_per_zone > total_sections || !secs_per_zone) { +-- +2.27.0 + diff --git a/queue-5.8/f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch b/queue-5.8/f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch new file mode 100644 index 00000000000..518ca979477 --- /dev/null +++ b/queue-5.8/f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch @@ -0,0 +1,60 @@ +From 337fc6c3f16b857ba587e7bb0c4f82a91607e2e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 09:23:12 +0800 +Subject: f2fs: fix to check segment boundary during SIT page readahead + +From: Chao Yu + +[ Upstream commit 6a257471fa42c8c9c04a875cd3a2a22db148e0f0 ] + +As syzbot reported: + +kernel BUG at fs/f2fs/segment.h:657! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +CPU: 1 PID: 16220 Comm: syz-executor.0 Not tainted 5.9.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:f2fs_ra_meta_pages+0xa51/0xdc0 fs/f2fs/segment.h:657 +Call Trace: + build_sit_entries fs/f2fs/segment.c:4195 [inline] + f2fs_build_segment_manager+0x4b8a/0xa3c0 fs/f2fs/segment.c:4779 + f2fs_fill_super+0x377d/0x6b80 fs/f2fs/super.c:3633 + mount_bdev+0x32e/0x3f0 fs/super.c:1417 + legacy_get_tree+0x105/0x220 fs/fs_context.c:592 + vfs_get_tree+0x89/0x2f0 fs/super.c:1547 + do_new_mount fs/namespace.c:2875 [inline] + path_mount+0x1387/0x2070 fs/namespace.c:3192 + do_mount fs/namespace.c:3205 [inline] + __do_sys_mount fs/namespace.c:3413 [inline] + __se_sys_mount fs/namespace.c:3390 [inline] + __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +@blkno in f2fs_ra_meta_pages could exceed max segment count, causing panic +in following sanity check in current_sit_addr(), add check condition to +avoid this issue. + +Reported-by: syzbot+3698081bcf0bb2d12174@syzkaller.appspotmail.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index 95ed2b1373608..8270e924b9777 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -243,6 +243,8 @@ int f2fs_ra_meta_pages(struct f2fs_sb_info *sbi, block_t start, int nrpages, + blkno * NAT_ENTRY_PER_BLOCK); + break; + case META_SIT: ++ if (unlikely(blkno >= TOTAL_SEGS(sbi))) ++ goto out; + /* get sit block addr */ + fio.new_blkaddr = current_sit_addr(sbi, + blkno * SIT_ENTRY_PER_BLOCK); +-- +2.27.0 + diff --git a/queue-5.8/f2fs-fix-to-set-sbi_need_fsck-flag-for-inconsistent-.patch b/queue-5.8/f2fs-fix-to-set-sbi_need_fsck-flag-for-inconsistent-.patch new file mode 100644 index 00000000000..c4561fe962a --- /dev/null +++ b/queue-5.8/f2fs-fix-to-set-sbi_need_fsck-flag-for-inconsistent-.patch @@ -0,0 +1,51 @@ +From 7edf966532be48f336a6e0a93a02136d3be825f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 10:40:48 +0800 +Subject: f2fs: fix to set SBI_NEED_FSCK flag for inconsistent inode + +From: Chao Yu + +[ Upstream commit d662fad143c0470ad7f46ea7b02da539f613d7d7 ] + +If compressed inode has inconsistent fields on i_compress_algorithm, +i_compr_blocks and i_log_cluster_size, we missed to set SBI_NEED_FSCK +to notice fsck to repair the inode, fix it. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index 1e014535c2530..085d436785a41 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -299,6 +299,7 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) + F2FS_FITS_IN_INODE(ri, fi->i_extra_isize, + i_log_cluster_size)) { + if (ri->i_compress_algorithm >= COMPRESS_MAX) { ++ set_sbi_flag(sbi, SBI_NEED_FSCK); + f2fs_warn(sbi, "%s: inode (ino=%lx) has unsupported " + "compress algorithm: %u, run fsck to fix", + __func__, inode->i_ino, +@@ -307,6 +308,7 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) + } + if (le64_to_cpu(ri->i_compr_blocks) > + SECTOR_TO_BLOCK(inode->i_blocks)) { ++ set_sbi_flag(sbi, SBI_NEED_FSCK); + f2fs_warn(sbi, "%s: inode (ino=%lx) has inconsistent " + "i_compr_blocks:%llu, i_blocks:%llu, run fsck to fix", + __func__, inode->i_ino, +@@ -316,6 +318,7 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) + } + if (ri->i_log_cluster_size < MIN_COMPRESS_LOG_SIZE || + ri->i_log_cluster_size > MAX_COMPRESS_LOG_SIZE) { ++ set_sbi_flag(sbi, SBI_NEED_FSCK); + f2fs_warn(sbi, "%s: inode (ino=%lx) has unsupported " + "log cluster size: %u, run fsck to fix", + __func__, inode->i_ino, +-- +2.27.0 + diff --git a/queue-5.8/f2fs-fix-uninit-value-in-f2fs_lookup.patch b/queue-5.8/f2fs-fix-uninit-value-in-f2fs_lookup.patch new file mode 100644 index 00000000000..b075c44d15f --- /dev/null +++ b/queue-5.8/f2fs-fix-uninit-value-in-f2fs_lookup.patch @@ -0,0 +1,81 @@ +From 9918113781e020941e11275b4f35990d191f8155 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 09:22:50 +0800 +Subject: f2fs: fix uninit-value in f2fs_lookup + +From: Chao Yu + +[ Upstream commit 6d7ab88a98c1b7a47c228f8ffb4f44d631eaf284 ] + +As syzbot reported: + +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x21c/0x280 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:219 + f2fs_lookup+0xe05/0x1a80 fs/f2fs/namei.c:503 + lookup_open fs/namei.c:3082 [inline] + open_last_lookups fs/namei.c:3177 [inline] + path_openat+0x2729/0x6a90 fs/namei.c:3365 + do_filp_open+0x2b8/0x710 fs/namei.c:3395 + do_sys_openat2+0xa88/0x1140 fs/open.c:1168 + do_sys_open fs/open.c:1184 [inline] + __do_compat_sys_openat fs/open.c:1242 [inline] + __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240 + __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240 + do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline] + __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139 + do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162 + do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c + +In f2fs_lookup(), @res_page could be used before being initialized, +because in __f2fs_find_entry(), once F2FS_I(dir)->i_current_depth was +been fuzzed to zero, then @res_page will never be initialized, causing +this kmsan warning, relocating @res_page initialization place to fix +this bug. + +Reported-by: syzbot+0eac6f0bbd558fd866d7@syzkaller.appspotmail.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/dir.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c +index d35976785e8c5..961d41fb84a57 100644 +--- a/fs/f2fs/dir.c ++++ b/fs/f2fs/dir.c +@@ -357,16 +357,15 @@ struct f2fs_dir_entry *__f2fs_find_entry(struct inode *dir, + unsigned int max_depth; + unsigned int level; + ++ *res_page = NULL; ++ + if (f2fs_has_inline_dentry(dir)) { +- *res_page = NULL; + de = f2fs_find_in_inline_dir(dir, fname, res_page); + goto out; + } + +- if (npages == 0) { +- *res_page = NULL; ++ if (npages == 0) + goto out; +- } + + max_depth = F2FS_I(dir)->i_current_depth; + if (unlikely(max_depth > MAX_DIR_HASH_DEPTH)) { +@@ -377,7 +376,6 @@ struct f2fs_dir_entry *__f2fs_find_entry(struct inode *dir, + } + + for (level = 0; level < max_depth; level++) { +- *res_page = NULL; + de = find_in_level(dir, level, fname, res_page); + if (de || IS_ERR(*res_page)) + break; +-- +2.27.0 + diff --git a/queue-5.8/f2fs-handle-errors-of-f2fs_get_meta_page_nofail.patch b/queue-5.8/f2fs-handle-errors-of-f2fs_get_meta_page_nofail.patch new file mode 100644 index 00000000000..6b5dcd693d8 --- /dev/null +++ b/queue-5.8/f2fs-handle-errors-of-f2fs_get_meta_page_nofail.patch @@ -0,0 +1,131 @@ +From 3ea64b367d0b663e61e576484615e67cf8418363 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 14:17:35 -0700 +Subject: f2fs: handle errors of f2fs_get_meta_page_nofail + +From: Jaegeuk Kim + +[ Upstream commit 86f33603f8c51537265ff7ac0320638fd2cbdb1b ] + +First problem is we hit BUG_ON() in f2fs_get_sum_page given EIO on +f2fs_get_meta_page_nofail(). + +Quick fix was not to give any error with infinite loop, but syzbot caught +a case where it goes to that loop from fuzzed image. In turned out we abused +f2fs_get_meta_page_nofail() like in the below call stack. + +- f2fs_fill_super + - f2fs_build_segment_manager + - build_sit_entries + - get_current_sit_page + +INFO: task syz-executor178:6870 can't die for more than 143 seconds. +task:syz-executor178 state:R + stack:26960 pid: 6870 ppid: 6869 flags:0x00004006 +Call Trace: + +Showing all locks held in the system: +1 lock held by khungtaskd/1179: + #0: ffffffff8a554da0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6242 +1 lock held by systemd-journal/3920: +1 lock held by in:imklog/6769: + #0: ffff88809eebc130 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:930 +1 lock held by syz-executor178/6870: + #0: ffff8880925120e0 (&type->s_umount_key#47/1){+.+.}-{3:3}, at: alloc_super+0x201/0xaf0 fs/super.c:229 + +Actually, we didn't have to use _nofail in this case, since we could return +error to mount(2) already with the error handler. + +As a result, this patch tries to 1) remove _nofail callers as much as possible, +2) deal with error case in last remaining caller, f2fs_get_sum_page(). + +Reported-by: syzbot+ee250ac8137be41d7b13@syzkaller.appspotmail.com +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 2 +- + fs/f2fs/f2fs.h | 2 +- + fs/f2fs/node.c | 2 +- + fs/f2fs/segment.c | 12 +++++++++--- + 4 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index 8270e924b9777..83acd51bea13d 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -107,7 +107,7 @@ struct page *f2fs_get_meta_page(struct f2fs_sb_info *sbi, pgoff_t index) + return __get_meta_page(sbi, index, true); + } + +-struct page *f2fs_get_meta_page_nofail(struct f2fs_sb_info *sbi, pgoff_t index) ++struct page *f2fs_get_meta_page_retry(struct f2fs_sb_info *sbi, pgoff_t index) + { + struct page *page; + int count = 0; +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index f03c573e427a5..3713d1c453592 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3377,7 +3377,7 @@ enum rw_hint f2fs_io_type_to_rw_hint(struct f2fs_sb_info *sbi, + void f2fs_stop_checkpoint(struct f2fs_sb_info *sbi, bool end_io); + struct page *f2fs_grab_meta_page(struct f2fs_sb_info *sbi, pgoff_t index); + struct page *f2fs_get_meta_page(struct f2fs_sb_info *sbi, pgoff_t index); +-struct page *f2fs_get_meta_page_nofail(struct f2fs_sb_info *sbi, pgoff_t index); ++struct page *f2fs_get_meta_page_retry(struct f2fs_sb_info *sbi, pgoff_t index); + struct page *f2fs_get_tmp_page(struct f2fs_sb_info *sbi, pgoff_t index); + bool f2fs_is_valid_blkaddr(struct f2fs_sb_info *sbi, + block_t blkaddr, int type); +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c +index 0fde35611df18..6196117923bca 100644 +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -109,7 +109,7 @@ static void clear_node_page_dirty(struct page *page) + + static struct page *get_current_nat_page(struct f2fs_sb_info *sbi, nid_t nid) + { +- return f2fs_get_meta_page_nofail(sbi, current_nat_addr(sbi, nid)); ++ return f2fs_get_meta_page(sbi, current_nat_addr(sbi, nid)); + } + + static struct page *get_next_nat_page(struct f2fs_sb_info *sbi, nid_t nid) +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 196f315035118..f41b475aa4aad 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -2318,7 +2318,9 @@ int f2fs_npages_for_summary_flush(struct f2fs_sb_info *sbi, bool for_ra) + */ + struct page *f2fs_get_sum_page(struct f2fs_sb_info *sbi, unsigned int segno) + { +- return f2fs_get_meta_page_nofail(sbi, GET_SUM_BLOCK(sbi, segno)); ++ if (unlikely(f2fs_cp_error(sbi))) ++ return ERR_PTR(-EIO); ++ return f2fs_get_meta_page_retry(sbi, GET_SUM_BLOCK(sbi, segno)); + } + + void f2fs_update_meta_page(struct f2fs_sb_info *sbi, +@@ -2590,7 +2592,11 @@ static void change_curseg(struct f2fs_sb_info *sbi, int type) + __next_free_blkoff(sbi, curseg, 0); + + sum_page = f2fs_get_sum_page(sbi, new_segno); +- f2fs_bug_on(sbi, IS_ERR(sum_page)); ++ if (IS_ERR(sum_page)) { ++ /* GC won't be able to use stale summary pages by cp_error */ ++ memset(curseg->sum_blk, 0, SUM_ENTRY_SIZE); ++ return; ++ } + sum_node = (struct f2fs_summary_block *)page_address(sum_page); + memcpy(curseg->sum_blk, sum_node, SUM_ENTRY_SIZE); + f2fs_put_page(sum_page, 1); +@@ -3759,7 +3765,7 @@ int f2fs_lookup_journal_in_cursum(struct f2fs_journal *journal, int type, + static struct page *get_current_sit_page(struct f2fs_sb_info *sbi, + unsigned int segno) + { +- return f2fs_get_meta_page_nofail(sbi, current_sit_addr(sbi, segno)); ++ return f2fs_get_meta_page(sbi, current_sit_addr(sbi, segno)); + } + + static struct page *get_next_sit_page(struct f2fs_sb_info *sbi, +-- +2.27.0 + diff --git a/queue-5.8/firmware-arm_scmi-add-missing-rx-size-re-initialisat.patch b/queue-5.8/firmware-arm_scmi-add-missing-rx-size-re-initialisat.patch new file mode 100644 index 00000000000..5247c23dfc9 --- /dev/null +++ b/queue-5.8/firmware-arm_scmi-add-missing-rx-size-re-initialisat.patch @@ -0,0 +1,124 @@ +From 80e618fc707e253b50a244687a94f4a74ec4799b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 14:26:24 +0100 +Subject: firmware: arm_scmi: Add missing Rx size re-initialisation + +From: Sudeep Holla + +[ Upstream commit 9724722fde8f9bbd2b87340f00b9300c9284001e ] + +Few commands provide the list of description partially and require +to be called consecutively until all the descriptors are fetched +completely. In such cases, we don't release the buffers and reuse +them for consecutive transmits. + +However, currently we don't reset the Rx size which will be set as +per the response for the last transmit. This may result in incorrect +response size being interpretted as the firmware may repond with size +greater than the one set but we read only upto the size set by previous +response. + +Let us reset the receive buffer size to max possible in such cases as +we don't know the exact size of the response. + +Link: https://lore.kernel.org/r/20201012141746.32575-1-sudeep.holla@arm.com +Fixes: b6f20ff8bd94 ("firmware: arm_scmi: add common infrastructure and support for base protocol") +Reported-by: Etienne Carriere +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/base.c | 2 ++ + drivers/firmware/arm_scmi/clock.c | 2 ++ + drivers/firmware/arm_scmi/common.h | 2 ++ + drivers/firmware/arm_scmi/driver.c | 8 ++++++++ + drivers/firmware/arm_scmi/perf.c | 2 ++ + drivers/firmware/arm_scmi/sensors.c | 2 ++ + 6 files changed, 18 insertions(+) + +diff --git a/drivers/firmware/arm_scmi/base.c b/drivers/firmware/arm_scmi/base.c +index ce7d9203e41b7..a41066e8811d0 100644 +--- a/drivers/firmware/arm_scmi/base.c ++++ b/drivers/firmware/arm_scmi/base.c +@@ -180,6 +180,8 @@ static int scmi_base_implementation_list_get(const struct scmi_handle *handle, + protocols_imp[tot_num_ret + loop] = *(list + loop); + + tot_num_ret += loop_num_ret; ++ ++ scmi_reset_rx_to_maxsz(handle, t); + } while (loop_num_ret); + + scmi_xfer_put(handle, t); +diff --git a/drivers/firmware/arm_scmi/clock.c b/drivers/firmware/arm_scmi/clock.c +index 4c2227662b261..ccc06c25a280a 100644 +--- a/drivers/firmware/arm_scmi/clock.c ++++ b/drivers/firmware/arm_scmi/clock.c +@@ -178,6 +178,8 @@ scmi_clock_describe_rates_get(const struct scmi_handle *handle, u32 clk_id, + } + + tot_rate_cnt += num_returned; ++ ++ scmi_reset_rx_to_maxsz(handle, t); + /* + * check for both returned and remaining to avoid infinite + * loop due to buggy firmware +diff --git a/drivers/firmware/arm_scmi/common.h b/drivers/firmware/arm_scmi/common.h +index 31fe5a22a0112..319c94101bb22 100644 +--- a/drivers/firmware/arm_scmi/common.h ++++ b/drivers/firmware/arm_scmi/common.h +@@ -145,6 +145,8 @@ int scmi_do_xfer_with_response(const struct scmi_handle *h, + struct scmi_xfer *xfer); + int scmi_xfer_get_init(const struct scmi_handle *h, u8 msg_id, u8 prot_id, + size_t tx_size, size_t rx_size, struct scmi_xfer **p); ++void scmi_reset_rx_to_maxsz(const struct scmi_handle *handle, ++ struct scmi_xfer *xfer); + int scmi_handle_put(const struct scmi_handle *handle); + struct scmi_handle *scmi_handle_get(struct device *dev); + void scmi_set_handle(struct scmi_device *scmi_dev); +diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c +index 7483cacf63f97..60e06c607d0d0 100644 +--- a/drivers/firmware/arm_scmi/driver.c ++++ b/drivers/firmware/arm_scmi/driver.c +@@ -398,6 +398,14 @@ int scmi_do_xfer(const struct scmi_handle *handle, struct scmi_xfer *xfer) + return ret; + } + ++void scmi_reset_rx_to_maxsz(const struct scmi_handle *handle, ++ struct scmi_xfer *xfer) ++{ ++ struct scmi_info *info = handle_to_scmi_info(handle); ++ ++ xfer->rx.len = info->desc->max_msg_size; ++} ++ + #define SCMI_MAX_RESPONSE_TIMEOUT (2 * MSEC_PER_SEC) + + /** +diff --git a/drivers/firmware/arm_scmi/perf.c b/drivers/firmware/arm_scmi/perf.c +index eadc171e254b8..f95f013606c10 100644 +--- a/drivers/firmware/arm_scmi/perf.c ++++ b/drivers/firmware/arm_scmi/perf.c +@@ -287,6 +287,8 @@ scmi_perf_describe_levels_get(const struct scmi_handle *handle, u32 domain, + } + + tot_opp_cnt += num_returned; ++ ++ scmi_reset_rx_to_maxsz(handle, t); + /* + * check for both returned and remaining to avoid infinite + * loop due to buggy firmware +diff --git a/drivers/firmware/arm_scmi/sensors.c b/drivers/firmware/arm_scmi/sensors.c +index db1b1ab303da6..de0382ed00696 100644 +--- a/drivers/firmware/arm_scmi/sensors.c ++++ b/drivers/firmware/arm_scmi/sensors.c +@@ -159,6 +159,8 @@ static int scmi_sensor_description_get(const struct scmi_handle *handle, + } + + desc_index += num_returned; ++ ++ scmi_reset_rx_to_maxsz(handle, t); + /* + * check for both returned and remaining to avoid infinite + * loop due to buggy firmware +-- +2.27.0 + diff --git a/queue-5.8/firmware-arm_scmi-expand-smc-hvc-message-pool-to-mor.patch b/queue-5.8/firmware-arm_scmi-expand-smc-hvc-message-pool-to-mor.patch new file mode 100644 index 00000000000..95ef338a69a --- /dev/null +++ b/queue-5.8/firmware-arm_scmi-expand-smc-hvc-message-pool-to-mor.patch @@ -0,0 +1,44 @@ +From 89ca671d223945026fba7114d23697bba8b41cb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 16:37:21 +0200 +Subject: firmware: arm_scmi: Expand SMC/HVC message pool to more than one + +From: Etienne Carriere + +[ Upstream commit 7adb2c8aaaa6a387af7140e57004beba2c04a4c6 ] + +SMC/HVC can transmit only one message at the time as the shared memory +needs to be protected and the calls are synchronous. + +However, in order to allow multiple threads to send SCMI messages +simultaneously, we need a larger poll of memory. + +Let us just use value of 20 to keep it in sync mailbox transport +implementation. Any other value must work perfectly. + +Link: https://lore.kernel.org/r/20201008143722.21888-4-etienne.carriere@linaro.org +Fixes: 1dc6558062da ("firmware: arm_scmi: Add smc/hvc transport") +Cc: Peng Fan +Signed-off-by: Etienne Carriere +[sudeep.holla: reworded the commit message to indicate the practicality] +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/smc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/arm_scmi/smc.c b/drivers/firmware/arm_scmi/smc.c +index 49bc4b0e84285..7882e2b66badf 100644 +--- a/drivers/firmware/arm_scmi/smc.c ++++ b/drivers/firmware/arm_scmi/smc.c +@@ -148,6 +148,6 @@ static struct scmi_transport_ops scmi_smc_ops = { + const struct scmi_desc scmi_smc_desc = { + .ops = &scmi_smc_ops, + .max_rx_timeout_ms = 30, +- .max_msg = 1, ++ .max_msg = 20, + .max_msg_size = 128, + }; +-- +2.27.0 + diff --git a/queue-5.8/firmware-arm_scmi-fix-arch_cold_reset.patch b/queue-5.8/firmware-arm_scmi-fix-arch_cold_reset.patch new file mode 100644 index 00000000000..d5c373f1c44 --- /dev/null +++ b/queue-5.8/firmware-arm_scmi-fix-arch_cold_reset.patch @@ -0,0 +1,39 @@ +From 94089b2789fdad4686e0dab78728e398e1b8c1f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 16:37:22 +0200 +Subject: firmware: arm_scmi: Fix ARCH_COLD_RESET + +From: Etienne Carriere + +[ Upstream commit 45b9e04d5ba0b043783dfe2b19bb728e712cb32e ] + +The defination for ARCH_COLD_RESET is wrong. Let us fix it according to +the SCMI specification. + +Link: https://lore.kernel.org/r/20201008143722.21888-5-etienne.carriere@linaro.org +Fixes: 95a15d80aa0d ("firmware: arm_scmi: Add RESET protocol in SCMI v2.0") +Signed-off-by: Etienne Carriere +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/reset.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/firmware/arm_scmi/reset.c b/drivers/firmware/arm_scmi/reset.c +index de73054554f32..f3c25e847b2b7 100644 +--- a/drivers/firmware/arm_scmi/reset.c ++++ b/drivers/firmware/arm_scmi/reset.c +@@ -35,9 +35,7 @@ struct scmi_msg_reset_domain_reset { + #define EXPLICIT_RESET_ASSERT BIT(1) + #define ASYNCHRONOUS_RESET BIT(2) + __le32 reset_state; +-#define ARCH_RESET_TYPE BIT(31) +-#define COLD_RESET_STATE BIT(0) +-#define ARCH_COLD_RESET (ARCH_RESET_TYPE | COLD_RESET_STATE) ++#define ARCH_COLD_RESET 0 + }; + + struct reset_dom_info { +-- +2.27.0 + diff --git a/queue-5.8/firmware-arm_scmi-move-scmi-bus-init-and-exit-calls-.patch b/queue-5.8/firmware-arm_scmi-move-scmi-bus-init-and-exit-calls-.patch new file mode 100644 index 00000000000..a37e80b0306 --- /dev/null +++ b/queue-5.8/firmware-arm_scmi-move-scmi-bus-init-and-exit-calls-.patch @@ -0,0 +1,98 @@ +From d86a8ee0214c4cfd329e56731e113e7077d63f1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 12:00:04 +0100 +Subject: firmware: arm_scmi: Move scmi bus init and exit calls into the driver + +From: Sudeep Holla + +[ Upstream commit 5a2f0a0bdf201e2183904b6217f9c74774c961a8 ] + +In preparation to enable building scmi as a single module, let us move +the scmi bus {de-,}initialisation call into the driver. + +The main reason for this is to keep it simple instead of maintaining +it as separate modules and dealing with all possible initcall races +and deferred probe handling. We can move it as separate modules if +needed in future. + +Link: https://lore.kernel.org/r/20200907195046.56615-3-sudeep.holla@arm.com +Tested-by: Cristian Marussi +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/bus.c | 6 ++---- + drivers/firmware/arm_scmi/common.h | 3 +++ + drivers/firmware/arm_scmi/driver.c | 16 +++++++++++++++- + 3 files changed, 20 insertions(+), 5 deletions(-) + +diff --git a/drivers/firmware/arm_scmi/bus.c b/drivers/firmware/arm_scmi/bus.c +index db55c43a2cbda..1377ec76a45db 100644 +--- a/drivers/firmware/arm_scmi/bus.c ++++ b/drivers/firmware/arm_scmi/bus.c +@@ -230,7 +230,7 @@ static void scmi_devices_unregister(void) + bus_for_each_dev(&scmi_bus_type, NULL, NULL, __scmi_devices_unregister); + } + +-static int __init scmi_bus_init(void) ++int __init scmi_bus_init(void) + { + int retval; + +@@ -240,12 +240,10 @@ static int __init scmi_bus_init(void) + + return retval; + } +-subsys_initcall(scmi_bus_init); + +-static void __exit scmi_bus_exit(void) ++void __exit scmi_bus_exit(void) + { + scmi_devices_unregister(); + bus_unregister(&scmi_bus_type); + ida_destroy(&scmi_bus_id); + } +-module_exit(scmi_bus_exit); +diff --git a/drivers/firmware/arm_scmi/common.h b/drivers/firmware/arm_scmi/common.h +index 319c94101bb22..c4a213b30f3b5 100644 +--- a/drivers/firmware/arm_scmi/common.h ++++ b/drivers/firmware/arm_scmi/common.h +@@ -156,6 +156,9 @@ void scmi_setup_protocol_implemented(const struct scmi_handle *handle, + + int scmi_base_protocol_init(struct scmi_handle *h); + ++int __init scmi_bus_init(void); ++void __exit scmi_bus_exit(void); ++ + /* SCMI Transport */ + /** + * struct scmi_chan_info - Structure representing a SCMI channel information +diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c +index 60e06c607d0d0..2800a5a02081a 100644 +--- a/drivers/firmware/arm_scmi/driver.c ++++ b/drivers/firmware/arm_scmi/driver.c +@@ -927,7 +927,21 @@ static struct platform_driver scmi_driver = { + .remove = scmi_remove, + }; + +-module_platform_driver(scmi_driver); ++static int __init scmi_driver_init(void) ++{ ++ scmi_bus_init(); ++ ++ return platform_driver_register(&scmi_driver); ++} ++module_init(scmi_driver_init); ++ ++static void __exit scmi_driver_exit(void) ++{ ++ scmi_bus_exit(); ++ ++ platform_driver_unregister(&scmi_driver); ++} ++module_exit(scmi_driver_exit); + + MODULE_ALIAS("platform: arm-scmi"); + MODULE_AUTHOR("Sudeep Holla "); +-- +2.27.0 + diff --git a/queue-5.8/futex-fix-incorrect-should_fail_futex-handling.patch b/queue-5.8/futex-fix-incorrect-should_fail_futex-handling.patch new file mode 100644 index 00000000000..a3b9f25e2de --- /dev/null +++ b/queue-5.8/futex-fix-incorrect-should_fail_futex-handling.patch @@ -0,0 +1,49 @@ +From 215c2392742ed40623cf248bcc9159602cee0599 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Sep 2020 02:08:58 +0200 +Subject: futex: Fix incorrect should_fail_futex() handling + +From: Mateusz Nosek + +[ Upstream commit 921c7ebd1337d1a46783d7e15a850e12aed2eaa0 ] + +If should_futex_fail() returns true in futex_wake_pi(), then the 'ret' +variable is set to -EFAULT and then immediately overwritten. So the failure +injection is non-functional. + +Fix it by actually leaving the function and returning -EFAULT. + +The Fixes tag is kinda blury because the initial commit which introduced +failure injection was already sloppy, but the below mentioned commit broke +it completely. + +[ tglx: Massaged changelog ] + +Fixes: 6b4f4bc9cb22 ("locking/futex: Allow low-level atomic operations to return -EAGAIN") +Signed-off-by: Mateusz Nosek +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20200927000858.24219-1-mateusznosek0@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/futex.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/futex.c b/kernel/futex.c +index e646661f62827..f85b086e42644 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1523,8 +1523,10 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_pi_state *pi_ + */ + newval = FUTEX_WAITERS | task_pid_vnr(new_owner); + +- if (unlikely(should_fail_futex(true))) ++ if (unlikely(should_fail_futex(true))) { + ret = -EFAULT; ++ goto out_unlock; ++ } + + ret = cmpxchg_futex_value_locked(&curval, uaddr, uval, newval); + if (!ret && (curval != uval)) { +-- +2.27.0 + diff --git a/queue-5.8/gfs2-add-validation-checks-for-size-of-superblock.patch b/queue-5.8/gfs2-add-validation-checks-for-size-of-superblock.patch new file mode 100644 index 00000000000..d222d9bd716 --- /dev/null +++ b/queue-5.8/gfs2-add-validation-checks-for-size-of-superblock.patch @@ -0,0 +1,62 @@ +From 6b7a8f9f2397d51fbfc7d80c246fa66b3c23bb4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 22:01:09 +0530 +Subject: gfs2: add validation checks for size of superblock + +From: Anant Thazhemadam + +[ Upstream commit 0ddc5154b24c96f20e94d653b0a814438de6032b ] + +In gfs2_check_sb(), no validation checks are performed with regards to +the size of the superblock. +syzkaller detected a slab-out-of-bounds bug that was primarily caused +because the block size for a superblock was set to zero. +A valid size for a superblock is a power of 2 between 512 and PAGE_SIZE. +Performing validation checks and ensuring that the size of the superblock +is valid fixes this bug. + +Reported-by: syzbot+af90d47a37376844e731@syzkaller.appspotmail.com +Tested-by: syzbot+af90d47a37376844e731@syzkaller.appspotmail.com +Suggested-by: Andrew Price +Signed-off-by: Anant Thazhemadam +[Minor code reordering.] +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/ops_fstype.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c +index 5bd602a290f72..03c33fc03c055 100644 +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -169,15 +169,19 @@ static int gfs2_check_sb(struct gfs2_sbd *sdp, int silent) + return -EINVAL; + } + +- /* If format numbers match exactly, we're done. */ +- +- if (sb->sb_fs_format == GFS2_FORMAT_FS && +- sb->sb_multihost_format == GFS2_FORMAT_MULTI) +- return 0; ++ if (sb->sb_fs_format != GFS2_FORMAT_FS || ++ sb->sb_multihost_format != GFS2_FORMAT_MULTI) { ++ fs_warn(sdp, "Unknown on-disk format, unable to mount\n"); ++ return -EINVAL; ++ } + +- fs_warn(sdp, "Unknown on-disk format, unable to mount\n"); ++ if (sb->sb_bsize < 512 || sb->sb_bsize > PAGE_SIZE || ++ (sb->sb_bsize & (sb->sb_bsize - 1))) { ++ pr_warn("Invalid superblock size\n"); ++ return -EINVAL; ++ } + +- return -EINVAL; ++ return 0; + } + + static void end_bio_io_page(struct bio *bio) +-- +2.27.0 + diff --git a/queue-5.8/gfs2-call-truncate_inode_pages_final-for-address-spa.patch b/queue-5.8/gfs2-call-truncate_inode_pages_final-for-address-spa.patch new file mode 100644 index 00000000000..40673588196 --- /dev/null +++ b/queue-5.8/gfs2-call-truncate_inode_pages_final-for-address-spa.patch @@ -0,0 +1,42 @@ +From eab354369c43941df791095b71e811a81fdff6ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 11:06:23 -0500 +Subject: gfs2: call truncate_inode_pages_final for address space glocks + +From: Bob Peterson + +[ Upstream commit ee1e2c773e4f4ce2213f9d77cc703b669ca6fa3f ] + +Before this patch, we were not calling truncate_inode_pages_final for the +address space for glocks, which left the possibility of a leak. We now +take care of the problem instead of complaining, and we do it during +glock tear-down.. + +Signed-off-by: Bob Peterson +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/glock.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index f92876f4f37a1..d8194479b8328 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -270,7 +270,12 @@ static void __gfs2_glock_put(struct gfs2_glock *gl) + gfs2_glock_remove_from_lru(gl); + spin_unlock(&gl->gl_lockref.lock); + GLOCK_BUG_ON(gl, !list_empty(&gl->gl_holders)); +- GLOCK_BUG_ON(gl, mapping && mapping->nrpages && !gfs2_withdrawn(sdp)); ++ if (mapping) { ++ truncate_inode_pages_final(mapping); ++ if (!gfs2_withdrawn(sdp)) ++ GLOCK_BUG_ON(gl, mapping->nrpages || ++ mapping->nrexceptional); ++ } + trace_gfs2_glock_put(gl); + sdp->sd_lockstruct.ls_ops->lm_put_lock(gl); + } +-- +2.27.0 + diff --git a/queue-5.8/gfs2-fix-null-pointer-dereference-in-gfs2_rgrp_dump.patch b/queue-5.8/gfs2-fix-null-pointer-dereference-in-gfs2_rgrp_dump.patch new file mode 100644 index 00000000000..47db3e9c6cf --- /dev/null +++ b/queue-5.8/gfs2-fix-null-pointer-dereference-in-gfs2_rgrp_dump.patch @@ -0,0 +1,127 @@ +From c0c9cdcbd7216d91f03fa414b14e9927de43881b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Oct 2020 12:30:58 +0100 +Subject: gfs2: Fix NULL pointer dereference in gfs2_rgrp_dump + +From: Andrew Price + +[ Upstream commit 0e539ca1bbbe85a86549c97a30a765ada4a09df9 ] + +When an rindex entry is found to be corrupt, compute_bitstructs() calls +gfs2_consist_rgrpd() which calls gfs2_rgrp_dump() like this: + + gfs2_rgrp_dump(NULL, rgd->rd_gl, fs_id_buf); + +gfs2_rgrp_dump then dereferences the gl without checking it and we get + + BUG: KASAN: null-ptr-deref in gfs2_rgrp_dump+0x28/0x280 + +because there's no rgrp glock involved while reading the rindex on mount. + +Fix this by changing gfs2_rgrp_dump to take an rgrp argument. + +Reported-by: syzbot+43fa87986bdd31df9de6@syzkaller.appspotmail.com +Signed-off-by: Andrew Price +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/glops.c | 11 ++++++++++- + fs/gfs2/rgrp.c | 9 +++------ + fs/gfs2/rgrp.h | 2 +- + fs/gfs2/util.c | 2 +- + 4 files changed, 15 insertions(+), 9 deletions(-) + +diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c +index de1d5f1d9ff85..c2c90747d79b5 100644 +--- a/fs/gfs2/glops.c ++++ b/fs/gfs2/glops.c +@@ -227,6 +227,15 @@ static void rgrp_go_inval(struct gfs2_glock *gl, int flags) + rgd->rd_flags &= ~GFS2_RDF_UPTODATE; + } + ++static void gfs2_rgrp_go_dump(struct seq_file *seq, struct gfs2_glock *gl, ++ const char *fs_id_buf) ++{ ++ struct gfs2_rgrpd *rgd = gfs2_glock2rgrp(gl); ++ ++ if (rgd) ++ gfs2_rgrp_dump(seq, rgd, fs_id_buf); ++} ++ + static struct gfs2_inode *gfs2_glock2inode(struct gfs2_glock *gl) + { + struct gfs2_inode *ip; +@@ -712,7 +721,7 @@ const struct gfs2_glock_operations gfs2_rgrp_glops = { + .go_sync = rgrp_go_sync, + .go_inval = rgrp_go_inval, + .go_lock = gfs2_rgrp_go_lock, +- .go_dump = gfs2_rgrp_dump, ++ .go_dump = gfs2_rgrp_go_dump, + .go_type = LM_TYPE_RGRP, + .go_flags = GLOF_LVB, + }; +diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c +index 074f228ea8390..1bba5a9d45fa3 100644 +--- a/fs/gfs2/rgrp.c ++++ b/fs/gfs2/rgrp.c +@@ -2209,20 +2209,17 @@ static void rgblk_free(struct gfs2_sbd *sdp, struct gfs2_rgrpd *rgd, + /** + * gfs2_rgrp_dump - print out an rgrp + * @seq: The iterator +- * @gl: The glock in question ++ * @rgd: The rgrp in question + * @fs_id_buf: pointer to file system id (if requested) + * + */ + +-void gfs2_rgrp_dump(struct seq_file *seq, struct gfs2_glock *gl, ++void gfs2_rgrp_dump(struct seq_file *seq, struct gfs2_rgrpd *rgd, + const char *fs_id_buf) + { +- struct gfs2_rgrpd *rgd = gl->gl_object; + struct gfs2_blkreserv *trs; + const struct rb_node *n; + +- if (rgd == NULL) +- return; + gfs2_print_dbg(seq, "%s R: n:%llu f:%02x b:%u/%u i:%u r:%u e:%u\n", + fs_id_buf, + (unsigned long long)rgd->rd_addr, rgd->rd_flags, +@@ -2253,7 +2250,7 @@ static void gfs2_rgrp_error(struct gfs2_rgrpd *rgd) + (unsigned long long)rgd->rd_addr); + fs_warn(sdp, "umount on all nodes and run fsck.gfs2 to fix the error\n"); + sprintf(fs_id_buf, "fsid=%s: ", sdp->sd_fsname); +- gfs2_rgrp_dump(NULL, rgd->rd_gl, fs_id_buf); ++ gfs2_rgrp_dump(NULL, rgd, fs_id_buf); + rgd->rd_flags |= GFS2_RDF_ERROR; + } + +diff --git a/fs/gfs2/rgrp.h b/fs/gfs2/rgrp.h +index a1d7e14fc55b9..9a587ada51eda 100644 +--- a/fs/gfs2/rgrp.h ++++ b/fs/gfs2/rgrp.h +@@ -67,7 +67,7 @@ extern void gfs2_rlist_add(struct gfs2_inode *ip, struct gfs2_rgrp_list *rlist, + extern void gfs2_rlist_alloc(struct gfs2_rgrp_list *rlist); + extern void gfs2_rlist_free(struct gfs2_rgrp_list *rlist); + extern u64 gfs2_ri_total(struct gfs2_sbd *sdp); +-extern void gfs2_rgrp_dump(struct seq_file *seq, struct gfs2_glock *gl, ++extern void gfs2_rgrp_dump(struct seq_file *seq, struct gfs2_rgrpd *rgd, + const char *fs_id_buf); + extern int gfs2_rgrp_send_discards(struct gfs2_sbd *sdp, u64 offset, + struct buffer_head *bh, +diff --git a/fs/gfs2/util.c b/fs/gfs2/util.c +index 1cd0328cae20a..0fba3bf641890 100644 +--- a/fs/gfs2/util.c ++++ b/fs/gfs2/util.c +@@ -419,7 +419,7 @@ void gfs2_consist_rgrpd_i(struct gfs2_rgrpd *rgd, + char fs_id_buf[sizeof(sdp->sd_fsname) + 7]; + + sprintf(fs_id_buf, "fsid=%s: ", sdp->sd_fsname); +- gfs2_rgrp_dump(NULL, rgd->rd_gl, fs_id_buf); ++ gfs2_rgrp_dump(NULL, rgd, fs_id_buf); + gfs2_lm(sdp, + "fatal: filesystem consistency error\n" + " RG = %llu\n" +-- +2.27.0 + diff --git a/queue-5.8/gfs2-use-after-free-in-sysfs-deregistration.patch b/queue-5.8/gfs2-use-after-free-in-sysfs-deregistration.patch new file mode 100644 index 00000000000..a9def0cbadc --- /dev/null +++ b/queue-5.8/gfs2-use-after-free-in-sysfs-deregistration.patch @@ -0,0 +1,189 @@ +From e93718cbace670c3d805e52ee3c2fac8ce3544e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 14:13:09 +0100 +Subject: gfs2: use-after-free in sysfs deregistration + +From: Jamie Iles + +[ Upstream commit c2a04b02c060c4858762edce4674d5cba3e5a96f ] + +syzkaller found the following splat with CONFIG_DEBUG_KOBJECT_RELEASE=y: + + Read of size 1 at addr ffff000028e896b8 by task kworker/1:2/228 + + CPU: 1 PID: 228 Comm: kworker/1:2 Tainted: G S 5.9.0-rc8+ #101 + Hardware name: linux,dummy-virt (DT) + Workqueue: events kobject_delayed_cleanup + Call trace: + dump_backtrace+0x0/0x4d8 + show_stack+0x34/0x48 + dump_stack+0x174/0x1f8 + print_address_description.constprop.0+0x5c/0x550 + kasan_report+0x13c/0x1c0 + __asan_report_load1_noabort+0x34/0x60 + memcmp+0xd0/0xd8 + gfs2_uevent+0xc4/0x188 + kobject_uevent_env+0x54c/0x1240 + kobject_uevent+0x2c/0x40 + __kobject_del+0x190/0x1d8 + kobject_delayed_cleanup+0x2bc/0x3b8 + process_one_work+0x96c/0x18c0 + worker_thread+0x3f0/0xc30 + kthread+0x390/0x498 + ret_from_fork+0x10/0x18 + + Allocated by task 1110: + kasan_save_stack+0x28/0x58 + __kasan_kmalloc.isra.0+0xc8/0xe8 + kasan_kmalloc+0x10/0x20 + kmem_cache_alloc_trace+0x1d8/0x2f0 + alloc_super+0x64/0x8c0 + sget_fc+0x110/0x620 + get_tree_bdev+0x190/0x648 + gfs2_get_tree+0x50/0x228 + vfs_get_tree+0x84/0x2e8 + path_mount+0x1134/0x1da8 + do_mount+0x124/0x138 + __arm64_sys_mount+0x164/0x238 + el0_svc_common.constprop.0+0x15c/0x598 + do_el0_svc+0x60/0x150 + el0_svc+0x34/0xb0 + el0_sync_handler+0xc8/0x5b4 + el0_sync+0x15c/0x180 + + Freed by task 228: + kasan_save_stack+0x28/0x58 + kasan_set_track+0x28/0x40 + kasan_set_free_info+0x24/0x48 + __kasan_slab_free+0x118/0x190 + kasan_slab_free+0x14/0x20 + slab_free_freelist_hook+0x6c/0x210 + kfree+0x13c/0x460 + +Use the same pattern as f2fs + ext4 where the kobject destruction must +complete before allowing the FS itself to be freed. This means that we +need an explicit free_sbd in the callers. + +Cc: Bob Peterson +Cc: Andreas Gruenbacher +Signed-off-by: Jamie Iles +[Also go to fail_free when init_names fails.] +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/incore.h | 1 + + fs/gfs2/ops_fstype.c | 22 +++++----------------- + fs/gfs2/super.c | 1 + + fs/gfs2/sys.c | 5 ++++- + 4 files changed, 11 insertions(+), 18 deletions(-) + +diff --git a/fs/gfs2/incore.h b/fs/gfs2/incore.h +index ca2ec02436ec7..387e99d6eda9e 100644 +--- a/fs/gfs2/incore.h ++++ b/fs/gfs2/incore.h +@@ -705,6 +705,7 @@ struct gfs2_sbd { + struct super_block *sd_vfs; + struct gfs2_pcpu_lkstats __percpu *sd_lkstats; + struct kobject sd_kobj; ++ struct completion sd_kobj_unregister; + unsigned long sd_flags; /* SDF_... */ + struct gfs2_sb_host sd_sb; + +diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c +index 6d18d2c91add2..5bd602a290f72 100644 +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -1062,26 +1062,14 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc) + } + + error = init_names(sdp, silent); +- if (error) { +- /* In this case, we haven't initialized sysfs, so we have to +- manually free the sdp. */ +- free_sbd(sdp); +- sb->s_fs_info = NULL; +- return error; +- } ++ if (error) ++ goto fail_free; + + snprintf(sdp->sd_fsname, sizeof(sdp->sd_fsname), "%s", sdp->sd_table_name); + + error = gfs2_sys_fs_add(sdp); +- /* +- * If we hit an error here, gfs2_sys_fs_add will have called function +- * kobject_put which causes the sysfs usage count to go to zero, which +- * causes sysfs to call function gfs2_sbd_release, which frees sdp. +- * Subsequent error paths here will call gfs2_sys_fs_del, which also +- * kobject_put to free sdp. +- */ + if (error) +- return error; ++ goto fail_free; + + gfs2_create_debugfs_file(sdp); + +@@ -1179,9 +1167,9 @@ fail_lm: + gfs2_lm_unmount(sdp); + fail_debug: + gfs2_delete_debugfs_file(sdp); +- /* gfs2_sys_fs_del must be the last thing we do, since it causes +- * sysfs to call function gfs2_sbd_release, which frees sdp. */ + gfs2_sys_fs_del(sdp); ++fail_free: ++ free_sbd(sdp); + sb->s_fs_info = NULL; + return error; + } +diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c +index 47d0ae158b699..1f26f1610cba9 100644 +--- a/fs/gfs2/super.c ++++ b/fs/gfs2/super.c +@@ -735,6 +735,7 @@ restart: + + /* At this point, we're through participating in the lockspace */ + gfs2_sys_fs_del(sdp); ++ free_sbd(sdp); + } + + /** +diff --git a/fs/gfs2/sys.c b/fs/gfs2/sys.c +index d28c41bd69b05..c3e72dba7418a 100644 +--- a/fs/gfs2/sys.c ++++ b/fs/gfs2/sys.c +@@ -303,7 +303,7 @@ static void gfs2_sbd_release(struct kobject *kobj) + { + struct gfs2_sbd *sdp = container_of(kobj, struct gfs2_sbd, sd_kobj); + +- free_sbd(sdp); ++ complete(&sdp->sd_kobj_unregister); + } + + static struct kobj_type gfs2_ktype = { +@@ -655,6 +655,7 @@ int gfs2_sys_fs_add(struct gfs2_sbd *sdp) + sprintf(ro, "RDONLY=%d", sb_rdonly(sb)); + sprintf(spectator, "SPECTATOR=%d", sdp->sd_args.ar_spectator ? 1 : 0); + ++ init_completion(&sdp->sd_kobj_unregister); + sdp->sd_kobj.kset = gfs2_kset; + error = kobject_init_and_add(&sdp->sd_kobj, &gfs2_ktype, NULL, + "%s", sdp->sd_table_name); +@@ -685,6 +686,7 @@ fail_tune: + fail_reg: + fs_err(sdp, "error %d adding sysfs files\n", error); + kobject_put(&sdp->sd_kobj); ++ wait_for_completion(&sdp->sd_kobj_unregister); + sb->s_fs_info = NULL; + return error; + } +@@ -695,6 +697,7 @@ void gfs2_sys_fs_del(struct gfs2_sbd *sdp) + sysfs_remove_group(&sdp->sd_kobj, &tune_group); + sysfs_remove_group(&sdp->sd_kobj, &lock_module_group); + kobject_put(&sdp->sd_kobj); ++ wait_for_completion(&sdp->sd_kobj_unregister); + } + + static int gfs2_uevent(struct kset *kset, struct kobject *kobj, +-- +2.27.0 + diff --git a/queue-5.8/habanalabs-remove-security-from-arb_mst_quiet-regist.patch b/queue-5.8/habanalabs-remove-security-from-arb_mst_quiet-regist.patch new file mode 100644 index 00000000000..1d2f215c9d2 --- /dev/null +++ b/queue-5.8/habanalabs-remove-security-from-arb_mst_quiet-regist.patch @@ -0,0 +1,208 @@ +From cf6c553441747e11ee189e7a6f1fca393aaa8c05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Aug 2020 09:41:32 +0300 +Subject: habanalabs: remove security from ARB_MST_QUIET register + +From: farah kassabri + +[ Upstream commit acd330c141b4c49f468f00719ebc944656061eac ] + +Allow user application to write to this register in order +to be able to configure the quiet period of the QMAN between grants. + +Signed-off-by: farah kassabri +Reviewed-by: Oded Gabbay +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +--- + .../misc/habanalabs/gaudi/gaudi_security.c | 55 +++++++------------ + 1 file changed, 19 insertions(+), 36 deletions(-) + +diff --git a/drivers/misc/habanalabs/gaudi/gaudi_security.c b/drivers/misc/habanalabs/gaudi/gaudi_security.c +index 6a351e31fa6af..efec4b7057048 100644 +--- a/drivers/misc/habanalabs/gaudi/gaudi_security.c ++++ b/drivers/misc/habanalabs/gaudi/gaudi_security.c +@@ -832,8 +832,7 @@ static void gaudi_init_mme_protection_bits(struct hl_device *hdev) + PROT_BITS_OFFS; + word_offset = ((mmMME0_QM_ARB_MST_CHOISE_PUSH_OFST_23 & + PROT_BITS_OFFS) >> 7) << 2; +- mask = 1 << ((mmMME0_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmMME0_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmMME0_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmMME0_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmMME0_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmMME0_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -1312,8 +1311,7 @@ static void gaudi_init_mme_protection_bits(struct hl_device *hdev) + PROT_BITS_OFFS; + word_offset = ((mmMME2_QM_ARB_MST_CHOISE_PUSH_OFST_23 & + PROT_BITS_OFFS) >> 7) << 2; +- mask = 1 << ((mmMME2_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmMME2_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmMME2_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmMME2_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmMME2_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmMME2_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -1791,8 +1789,7 @@ static void gaudi_init_dma_protection_bits(struct hl_device *hdev) + word_offset = + ((mmDMA0_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) >> 7) + << 2; +- mask = 1 << ((mmDMA0_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmDMA0_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmDMA0_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmDMA0_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmDMA0_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmDMA0_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -2187,8 +2184,7 @@ static void gaudi_init_dma_protection_bits(struct hl_device *hdev) + word_offset = + ((mmDMA1_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) >> 7) + << 2; +- mask = 1 << ((mmDMA1_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmDMA1_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmDMA1_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmDMA1_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmDMA1_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmDMA1_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -2583,8 +2579,7 @@ static void gaudi_init_dma_protection_bits(struct hl_device *hdev) + word_offset = + ((mmDMA2_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) >> 7) + << 2; +- mask = 1 << ((mmDMA2_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmDMA2_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmDMA2_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmDMA2_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmDMA2_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmDMA2_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -2979,8 +2974,7 @@ static void gaudi_init_dma_protection_bits(struct hl_device *hdev) + word_offset = + ((mmDMA3_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) >> 7) + << 2; +- mask = 1 << ((mmDMA3_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmDMA3_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmDMA3_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmDMA3_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmDMA3_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmDMA3_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -3375,8 +3369,7 @@ static void gaudi_init_dma_protection_bits(struct hl_device *hdev) + word_offset = + ((mmDMA4_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) >> 7) + << 2; +- mask = 1 << ((mmDMA4_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmDMA4_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmDMA4_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmDMA4_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmDMA4_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmDMA4_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -3771,8 +3764,7 @@ static void gaudi_init_dma_protection_bits(struct hl_device *hdev) + word_offset = + ((mmDMA5_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) >> 7) + << 2; +- mask = 1 << ((mmDMA5_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmDMA5_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmDMA5_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmDMA5_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmDMA5_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmDMA5_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -4167,8 +4159,8 @@ static void gaudi_init_dma_protection_bits(struct hl_device *hdev) + word_offset = + ((mmDMA6_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) >> 7) + << 2; +- mask = 1 << ((mmDMA6_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmDMA6_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ ++ mask = 1 << ((mmDMA6_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmDMA6_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmDMA6_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmDMA6_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -4563,8 +4555,7 @@ static void gaudi_init_dma_protection_bits(struct hl_device *hdev) + word_offset = + ((mmDMA7_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) >> 7) + << 2; +- mask = 1 << ((mmDMA7_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmDMA7_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmDMA7_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmDMA7_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmDMA7_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmDMA7_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -5492,8 +5483,7 @@ static void gaudi_init_tpc_protection_bits(struct hl_device *hdev) + + word_offset = ((mmTPC0_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) + >> 7) << 2; +- mask = 1 << ((mmTPC0_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmTPC0_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmTPC0_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmTPC0_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmTPC0_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmTPC0_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -5948,8 +5938,7 @@ static void gaudi_init_tpc_protection_bits(struct hl_device *hdev) + + word_offset = ((mmTPC1_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) + >> 7) << 2; +- mask = 1 << ((mmTPC1_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmTPC1_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmTPC1_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmTPC1_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmTPC1_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmTPC1_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -6403,8 +6392,7 @@ static void gaudi_init_tpc_protection_bits(struct hl_device *hdev) + PROT_BITS_OFFS; + word_offset = ((mmTPC2_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) + >> 7) << 2; +- mask = 1 << ((mmTPC2_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmTPC2_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmTPC2_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmTPC2_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmTPC2_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmTPC2_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -6858,8 +6846,7 @@ static void gaudi_init_tpc_protection_bits(struct hl_device *hdev) + PROT_BITS_OFFS; + word_offset = ((mmTPC3_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) + >> 7) << 2; +- mask = 1 << ((mmTPC3_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmTPC3_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmTPC3_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmTPC3_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmTPC3_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmTPC3_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -7313,8 +7300,7 @@ static void gaudi_init_tpc_protection_bits(struct hl_device *hdev) + PROT_BITS_OFFS; + word_offset = ((mmTPC4_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) + >> 7) << 2; +- mask = 1 << ((mmTPC4_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmTPC4_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmTPC4_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmTPC4_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmTPC4_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmTPC4_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -7768,8 +7754,7 @@ static void gaudi_init_tpc_protection_bits(struct hl_device *hdev) + PROT_BITS_OFFS; + word_offset = ((mmTPC5_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) + >> 7) << 2; +- mask = 1 << ((mmTPC5_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmTPC5_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmTPC5_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmTPC5_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmTPC5_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmTPC5_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -8224,8 +8209,7 @@ static void gaudi_init_tpc_protection_bits(struct hl_device *hdev) + + word_offset = ((mmTPC6_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) + >> 7) << 2; +- mask = 1 << ((mmTPC6_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmTPC6_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmTPC6_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmTPC6_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmTPC6_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmTPC6_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +@@ -8682,8 +8666,7 @@ static void gaudi_init_tpc_protection_bits(struct hl_device *hdev) + PROT_BITS_OFFS; + word_offset = ((mmTPC7_QM_ARB_MST_CHOISE_PUSH_OFST_23 & PROT_BITS_OFFS) + >> 7) << 2; +- mask = 1 << ((mmTPC7_QM_ARB_MST_QUIET_PER & 0x7F) >> 2); +- mask |= 1 << ((mmTPC7_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); ++ mask = 1 << ((mmTPC7_QM_ARB_SLV_CHOISE_WDT & 0x7F) >> 2); + mask |= 1 << ((mmTPC7_QM_ARB_MSG_MAX_INFLIGHT & 0x7F) >> 2); + mask |= 1 << ((mmTPC7_QM_ARB_MSG_AWUSER_31_11 & 0x7F) >> 2); + mask |= 1 << ((mmTPC7_QM_ARB_MSG_AWUSER_SEC_PROP & 0x7F) >> 2); +-- +2.27.0 + diff --git a/queue-5.8/handle-status_io_timeout-gracefully.patch b/queue-5.8/handle-status_io_timeout-gracefully.patch new file mode 100644 index 00000000000..7b2d37350dc --- /dev/null +++ b/queue-5.8/handle-status_io_timeout-gracefully.patch @@ -0,0 +1,153 @@ +From 527d4d3327031c53744984aadea90c9d786be5c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 05:37:28 +0000 +Subject: Handle STATUS_IO_TIMEOUT gracefully + +From: Rohith Surabattula + +[ Upstream commit 8e670f77c4a55013db6d23b962f9bf6673a5e7b6 ] + +Currently STATUS_IO_TIMEOUT is not treated as retriable error. +It is currently mapped to ETIMEDOUT and returned to userspace +for most system calls. STATUS_IO_TIMEOUT is returned by server +in case of unavailability or throttling errors. + +This patch will map the STATUS_IO_TIMEOUT to EAGAIN, so that it +can be retried. Also, added a check to drop the connection to +not overload the server in case of ongoing unavailability. + +Signed-off-by: Rohith Surabattula +Reviewed-by: Aurelien Aptel +Reviewed-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/cifsglob.h | 2 ++ + fs/cifs/connect.c | 15 ++++++++++++++- + fs/cifs/smb2maperror.c | 2 +- + fs/cifs/smb2ops.c | 15 +++++++++++++++ + 4 files changed, 32 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h +index fad37d61910aa..c330028fd1702 100644 +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -510,6 +510,8 @@ struct smb_version_operations { + struct fiemap_extent_info *, u64, u64); + /* version specific llseek implementation */ + loff_t (*llseek)(struct file *, struct cifs_tcon *, loff_t, int); ++ /* Check for STATUS_IO_TIMEOUT */ ++ bool (*is_status_io_timeout)(char *buf); + }; + + struct smb_version_values { +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index f4ecc13b02c0a..301151dbeffa6 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -69,6 +69,9 @@ extern bool disable_legacy_dialects; + #define TLINK_ERROR_EXPIRE (1 * HZ) + #define TLINK_IDLE_EXPIRE (600 * HZ) + ++/* Drop the connection to not overload the server */ ++#define NUM_STATUS_IO_TIMEOUT 5 ++ + enum { + /* Mount options that take no arguments */ + Opt_user_xattr, Opt_nouser_xattr, +@@ -1116,7 +1119,7 @@ cifs_demultiplex_thread(void *p) + struct task_struct *task_to_wake = NULL; + struct mid_q_entry *mids[MAX_COMPOUND]; + char *bufs[MAX_COMPOUND]; +- unsigned int noreclaim_flag; ++ unsigned int noreclaim_flag, num_io_timeout = 0; + + noreclaim_flag = memalloc_noreclaim_save(); + cifs_dbg(FYI, "Demultiplex PID: %d\n", task_pid_nr(current)); +@@ -1212,6 +1215,16 @@ next_pdu: + continue; + } + ++ if (server->ops->is_status_io_timeout && ++ server->ops->is_status_io_timeout(buf)) { ++ num_io_timeout++; ++ if (num_io_timeout > NUM_STATUS_IO_TIMEOUT) { ++ cifs_reconnect(server); ++ num_io_timeout = 0; ++ continue; ++ } ++ } ++ + server->lstrp = jiffies; + + for (i = 0; i < num_mids; i++) { +diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c +index 7fde3775cb574..b004cf87692a7 100644 +--- a/fs/cifs/smb2maperror.c ++++ b/fs/cifs/smb2maperror.c +@@ -488,7 +488,7 @@ static const struct status_to_posix_error smb2_error_map_table[] = { + {STATUS_PIPE_CONNECTED, -EIO, "STATUS_PIPE_CONNECTED"}, + {STATUS_PIPE_LISTENING, -EIO, "STATUS_PIPE_LISTENING"}, + {STATUS_INVALID_READ_MODE, -EIO, "STATUS_INVALID_READ_MODE"}, +- {STATUS_IO_TIMEOUT, -ETIMEDOUT, "STATUS_IO_TIMEOUT"}, ++ {STATUS_IO_TIMEOUT, -EAGAIN, "STATUS_IO_TIMEOUT"}, + {STATUS_FILE_FORCED_CLOSED, -EIO, "STATUS_FILE_FORCED_CLOSED"}, + {STATUS_PROFILING_NOT_STARTED, -EIO, "STATUS_PROFILING_NOT_STARTED"}, + {STATUS_PROFILING_NOT_STOPPED, -EIO, "STATUS_PROFILING_NOT_STOPPED"}, +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 09e1cd320ee56..e2e53652193e6 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -2346,6 +2346,17 @@ smb2_is_session_expired(char *buf) + return true; + } + ++static bool ++smb2_is_status_io_timeout(char *buf) ++{ ++ struct smb2_sync_hdr *shdr = (struct smb2_sync_hdr *)buf; ++ ++ if (shdr->Status == STATUS_IO_TIMEOUT) ++ return true; ++ else ++ return false; ++} ++ + static int + smb2_oplock_response(struct cifs_tcon *tcon, struct cifs_fid *fid, + struct cifsInodeInfo *cinode) +@@ -4816,6 +4827,7 @@ struct smb_version_operations smb20_operations = { + .make_node = smb2_make_node, + .fiemap = smb3_fiemap, + .llseek = smb3_llseek, ++ .is_status_io_timeout = smb2_is_status_io_timeout, + }; + + struct smb_version_operations smb21_operations = { +@@ -4916,6 +4928,7 @@ struct smb_version_operations smb21_operations = { + .make_node = smb2_make_node, + .fiemap = smb3_fiemap, + .llseek = smb3_llseek, ++ .is_status_io_timeout = smb2_is_status_io_timeout, + }; + + struct smb_version_operations smb30_operations = { +@@ -5026,6 +5039,7 @@ struct smb_version_operations smb30_operations = { + .make_node = smb2_make_node, + .fiemap = smb3_fiemap, + .llseek = smb3_llseek, ++ .is_status_io_timeout = smb2_is_status_io_timeout, + }; + + struct smb_version_operations smb311_operations = { +@@ -5137,6 +5151,7 @@ struct smb_version_operations smb311_operations = { + .make_node = smb2_make_node, + .fiemap = smb3_fiemap, + .llseek = smb3_llseek, ++ .is_status_io_timeout = smb2_is_status_io_timeout, + }; + + struct smb_version_values smb20_values = { +-- +2.27.0 + diff --git a/queue-5.8/ia64-kprobes-use-generic-kretprobe-trampoline-handle.patch b/queue-5.8/ia64-kprobes-use-generic-kretprobe-trampoline-handle.patch new file mode 100644 index 00000000000..59e8c1ea183 --- /dev/null +++ b/queue-5.8/ia64-kprobes-use-generic-kretprobe-trampoline-handle.patch @@ -0,0 +1,120 @@ +From 9da8c9d3e954bbccee3cc051eea7d4f3978689a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Aug 2020 22:01:09 +0900 +Subject: ia64: kprobes: Use generic kretprobe trampoline handler + +From: Masami Hiramatsu + +[ Upstream commit e792ff804f49720ce003b3e4c618b5d996256a18 ] + +Use the generic kretprobe trampoline handler. Don't use +framepointer verification. + +Signed-off-by: Masami Hiramatsu +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/159870606883.1229682.12331813108378725668.stgit@devnote2 +Signed-off-by: Sasha Levin +--- + arch/ia64/kernel/kprobes.c | 77 +------------------------------------- + 1 file changed, 2 insertions(+), 75 deletions(-) + +diff --git a/arch/ia64/kernel/kprobes.c b/arch/ia64/kernel/kprobes.c +index 7a7df944d7986..fc1ff8a4d7de6 100644 +--- a/arch/ia64/kernel/kprobes.c ++++ b/arch/ia64/kernel/kprobes.c +@@ -396,83 +396,9 @@ static void kretprobe_trampoline(void) + { + } + +-/* +- * At this point the target function has been tricked into +- * returning into our trampoline. Lookup the associated instance +- * and then: +- * - call the handler function +- * - cleanup by marking the instance as unused +- * - long jump back to the original return address +- */ + int __kprobes trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs) + { +- struct kretprobe_instance *ri = NULL; +- struct hlist_head *head, empty_rp; +- struct hlist_node *tmp; +- unsigned long flags, orig_ret_address = 0; +- unsigned long trampoline_address = +- ((struct fnptr *)kretprobe_trampoline)->ip; +- +- INIT_HLIST_HEAD(&empty_rp); +- kretprobe_hash_lock(current, &head, &flags); +- +- /* +- * It is possible to have multiple instances associated with a given +- * task either because an multiple functions in the call path +- * have a return probe installed on them, and/or more than one return +- * return probe was registered for a target function. +- * +- * We can handle this because: +- * - instances are always inserted at the head of the list +- * - when multiple return probes are registered for the same +- * function, the first instance's ret_addr will point to the +- * real return address, and all the rest will point to +- * kretprobe_trampoline +- */ +- hlist_for_each_entry_safe(ri, tmp, head, hlist) { +- if (ri->task != current) +- /* another task is sharing our hash bucket */ +- continue; +- +- orig_ret_address = (unsigned long)ri->ret_addr; +- if (orig_ret_address != trampoline_address) +- /* +- * This is the real return address. Any other +- * instances associated with this task are for +- * other calls deeper on the call stack +- */ +- break; +- } +- +- regs->cr_iip = orig_ret_address; +- +- hlist_for_each_entry_safe(ri, tmp, head, hlist) { +- if (ri->task != current) +- /* another task is sharing our hash bucket */ +- continue; +- +- if (ri->rp && ri->rp->handler) +- ri->rp->handler(ri, regs); +- +- orig_ret_address = (unsigned long)ri->ret_addr; +- recycle_rp_inst(ri, &empty_rp); +- +- if (orig_ret_address != trampoline_address) +- /* +- * This is the real return address. Any other +- * instances associated with this task are for +- * other calls deeper on the call stack +- */ +- break; +- } +- kretprobe_assert(ri, orig_ret_address, trampoline_address); +- +- kretprobe_hash_unlock(current, &flags); +- +- hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) { +- hlist_del(&ri->hlist); +- kfree(ri); +- } ++ regs->cr_iip = __kretprobe_trampoline_handler(regs, kretprobe_trampoline, NULL); + /* + * By returning a non-zero value, we are telling + * kprobe_handler() that we don't want the post_handler +@@ -485,6 +411,7 @@ void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri, + struct pt_regs *regs) + { + ri->ret_addr = (kprobe_opcode_t *)regs->b0; ++ ri->fp = NULL; + + /* Replace the return addr with trampoline addr */ + regs->b0 = ((struct fnptr *)kretprobe_trampoline)->ip; +-- +2.27.0 + diff --git a/queue-5.8/interconnect-qcom-sdm845-enable-keepalive-for-the-mm.patch b/queue-5.8/interconnect-qcom-sdm845-enable-keepalive-for-the-mm.patch new file mode 100644 index 00000000000..ff70fc29927 --- /dev/null +++ b/queue-5.8/interconnect-qcom-sdm845-enable-keepalive-for-the-mm.patch @@ -0,0 +1,52 @@ +From 7ace1d3c2b93352eb3a502263c67c0e5d1cb7f01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 22:40:34 +0300 +Subject: interconnect: qcom: sdm845: Enable keepalive for the MM1 BCM + +From: Georgi Djakov + +[ Upstream commit 5be1805dc3961ce0465bcb0beab85fe8580af08d ] + +After enabling interconnect scaling for display on the db845c board, +in certain configurations the board hangs, while the following errors +are observed on the console: + + Error sending AMC RPMH requests (-110) + qcom_rpmh TCS Busy, retrying RPMH message send: addr=0x50000 + qcom_rpmh TCS Busy, retrying RPMH message send: addr=0x50000 + qcom_rpmh TCS Busy, retrying RPMH message send: addr=0x50000 + ... + +In this specific case, the above is related to one of the sequencers +being stuck, while client drivers are returning from probe and trying +to disable the currently unused clock and interconnect resources. +Generally we want to keep the multimedia NoC enabled like the rest of +the NoCs, so let's set the keepalive flag on it too. + +Fixes: aae57773fbe0 ("interconnect: qcom: sdm845: Split qnodes into their respective NoCs") +Reported-by: Amit Pundir +Reviewed-by: Mike Tipton +Tested-by: John Stultz +Link: https://lore.kernel.org/r/20201012194034.26944-1-georgi.djakov@linaro.org +Signed-off-by: Georgi Djakov +Signed-off-by: Sasha Levin +--- + drivers/interconnect/qcom/sdm845.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/interconnect/qcom/sdm845.c b/drivers/interconnect/qcom/sdm845.c +index f6c7b969520d0..86f08c0f4c41b 100644 +--- a/drivers/interconnect/qcom/sdm845.c ++++ b/drivers/interconnect/qcom/sdm845.c +@@ -151,7 +151,7 @@ DEFINE_QBCM(bcm_mc0, "MC0", true, &ebi); + DEFINE_QBCM(bcm_sh0, "SH0", true, &qns_llcc); + DEFINE_QBCM(bcm_mm0, "MM0", false, &qns_mem_noc_hf); + DEFINE_QBCM(bcm_sh1, "SH1", false, &qns_apps_io); +-DEFINE_QBCM(bcm_mm1, "MM1", false, &qxm_camnoc_hf0_uncomp, &qxm_camnoc_hf1_uncomp, &qxm_camnoc_sf_uncomp, &qxm_camnoc_hf0, &qxm_camnoc_hf1, &qxm_mdp0, &qxm_mdp1); ++DEFINE_QBCM(bcm_mm1, "MM1", true, &qxm_camnoc_hf0_uncomp, &qxm_camnoc_hf1_uncomp, &qxm_camnoc_sf_uncomp, &qxm_camnoc_hf0, &qxm_camnoc_hf1, &qxm_mdp0, &qxm_mdp1); + DEFINE_QBCM(bcm_sh2, "SH2", false, &qns_memnoc_snoc); + DEFINE_QBCM(bcm_mm2, "MM2", false, &qns2_mem_noc); + DEFINE_QBCM(bcm_sh3, "SH3", false, &acm_tcu); +-- +2.27.0 + diff --git a/queue-5.8/kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch b/queue-5.8/kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch new file mode 100644 index 00000000000..e96f386a147 --- /dev/null +++ b/queue-5.8/kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch @@ -0,0 +1,70 @@ +From 4639ea1873f85a54d27a8097fe0c4e3fac618a3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 15:14:38 -0700 +Subject: kgdb: Make "kgdbcon" work properly with "kgdb_earlycon" + +From: Douglas Anderson + +[ Upstream commit b18b099e04f450cdc77bec72acefcde7042bd1f3 ] + +On my system the kernel processes the "kgdb_earlycon" parameter before +the "kgdbcon" parameter. When we setup "kgdb_earlycon" we'll end up +in kgdb_register_callbacks() and "kgdb_use_con" won't have been set +yet so we'll never get around to starting "kgdbcon". Let's remedy +this by detecting that the IO module was already registered when +setting "kgdb_use_con" and registering the console then. + +As part of this, to avoid pre-declaring things, move the handling of +the "kgdbcon" further down in the file. + +Signed-off-by: Douglas Anderson +Link: https://lore.kernel.org/r/20200630151422.1.I4aa062751ff5e281f5116655c976dff545c09a46@changeid +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + kernel/debug/debug_core.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c +index 9e5934780f414..03d5b17347da1 100644 +--- a/kernel/debug/debug_core.c ++++ b/kernel/debug/debug_core.c +@@ -94,14 +94,6 @@ int dbg_switch_cpu; + /* Use kdb or gdbserver mode */ + int dbg_kdb_mode = 1; + +-static int __init opt_kgdb_con(char *str) +-{ +- kgdb_use_con = 1; +- return 0; +-} +- +-early_param("kgdbcon", opt_kgdb_con); +- + module_param(kgdb_use_con, int, 0644); + module_param(kgdbreboot, int, 0644); + +@@ -920,6 +912,20 @@ static struct console kgdbcons = { + .index = -1, + }; + ++static int __init opt_kgdb_con(char *str) ++{ ++ kgdb_use_con = 1; ++ ++ if (kgdb_io_module_registered && !kgdb_con_registered) { ++ register_console(&kgdbcons); ++ kgdb_con_registered = 1; ++ } ++ ++ return 0; ++} ++ ++early_param("kgdbcon", opt_kgdb_con); ++ + #ifdef CONFIG_MAGIC_SYSRQ + static void sysrq_handle_dbg(int key) + { +-- +2.27.0 + diff --git a/queue-5.8/kvm-ppc-book3s-hv-do-not-allocate-hpt-for-a-nested-g.patch b/queue-5.8/kvm-ppc-book3s-hv-do-not-allocate-hpt-for-a-nested-g.patch new file mode 100644 index 00000000000..8443f49525e --- /dev/null +++ b/queue-5.8/kvm-ppc-book3s-hv-do-not-allocate-hpt-for-a-nested-g.patch @@ -0,0 +1,101 @@ +From 18aa8528310264185c5d9f7c48e2a36a4288d967 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 01:16:07 -0300 +Subject: KVM: PPC: Book3S HV: Do not allocate HPT for a nested guest + +From: Fabiano Rosas + +[ Upstream commit 05e6295dc7de859c9d56334805485c4d20bebf25 ] + +The current nested KVM code does not support HPT guests. This is +informed/enforced in some ways: + +- Hosts < P9 will not be able to enable the nested HV feature; + +- The nested hypervisor MMU capabilities will not contain + KVM_CAP_PPC_MMU_HASH_V3; + +- QEMU reflects the MMU capabilities in the + 'ibm,arch-vec-5-platform-support' device-tree property; + +- The nested guest, at 'prom_parse_mmu_model' ignores the + 'disable_radix' kernel command line option if HPT is not supported; + +- The KVM_PPC_CONFIGURE_V3_MMU ioctl will fail if trying to use HPT. + +There is, however, still a way to start a HPT guest by using +max-compat-cpu=power8 at the QEMU machine options. This leads to the +guest being set to use hash after QEMU calls the KVM_PPC_ALLOCATE_HTAB +ioctl. + +With the guest set to hash, the nested hypervisor goes through the +entry path that has no knowledge of nesting (kvmppc_run_vcpu) and +crashes when it tries to execute an hypervisor-privileged (mtspr +HDEC) instruction at __kvmppc_vcore_entry: + +root@L1:~ $ qemu-system-ppc64 -machine pseries,max-cpu-compat=power8 ... + + +[ 538.543303] CPU: 83 PID: 25185 Comm: CPU 0/KVM Not tainted 5.9.0-rc4 #1 +[ 538.543355] NIP: c00800000753f388 LR: c00800000753f368 CTR: c0000000001e5ec0 +[ 538.543417] REGS: c0000013e91e33b0 TRAP: 0700 Not tainted (5.9.0-rc4) +[ 538.543470] MSR: 8000000002843033 CR: 22422882 XER: 20040000 +[ 538.543546] CFAR: c00800000753f4b0 IRQMASK: 3 + GPR00: c0080000075397a0 c0000013e91e3640 c00800000755e600 0000000080000000 + GPR04: 0000000000000000 c0000013eab19800 c000001394de0000 00000043a054db72 + GPR08: 00000000003b1652 0000000000000000 0000000000000000 c0080000075502e0 + GPR12: c0000000001e5ec0 c0000007ffa74200 c0000013eab19800 0000000000000008 + GPR16: 0000000000000000 c00000139676c6c0 c000000001d23948 c0000013e91e38b8 + GPR20: 0000000000000053 0000000000000000 0000000000000001 0000000000000000 + GPR24: 0000000000000001 0000000000000001 0000000000000000 0000000000000001 + GPR28: 0000000000000001 0000000000000053 c0000013eab19800 0000000000000001 +[ 538.544067] NIP [c00800000753f388] __kvmppc_vcore_entry+0x90/0x104 [kvm_hv] +[ 538.544121] LR [c00800000753f368] __kvmppc_vcore_entry+0x70/0x104 [kvm_hv] +[ 538.544173] Call Trace: +[ 538.544196] [c0000013e91e3640] [c0000013e91e3680] 0xc0000013e91e3680 (unreliable) +[ 538.544260] [c0000013e91e3820] [c0080000075397a0] kvmppc_run_core+0xbc8/0x19d0 [kvm_hv] +[ 538.544325] [c0000013e91e39e0] [c00800000753d99c] kvmppc_vcpu_run_hv+0x404/0xc00 [kvm_hv] +[ 538.544394] [c0000013e91e3ad0] [c0080000072da4fc] kvmppc_vcpu_run+0x34/0x48 [kvm] +[ 538.544472] [c0000013e91e3af0] [c0080000072d61b8] kvm_arch_vcpu_ioctl_run+0x310/0x420 [kvm] +[ 538.544539] [c0000013e91e3b80] [c0080000072c7450] kvm_vcpu_ioctl+0x298/0x778 [kvm] +[ 538.544605] [c0000013e91e3ce0] [c0000000004b8c2c] sys_ioctl+0x1dc/0xc90 +[ 538.544662] [c0000013e91e3dc0] [c00000000002f9a4] system_call_exception+0xe4/0x1c0 +[ 538.544726] [c0000013e91e3e20] [c00000000000d140] system_call_common+0xf0/0x27c +[ 538.544787] Instruction dump: +[ 538.544821] f86d1098 60000000 60000000 48000099 e8ad0fe8 e8c500a0 e9264140 75290002 +[ 538.544886] 7d1602a6 7cec42a6 40820008 7d0807b4 <7d164ba6> 7d083a14 f90d10a0 480104fd +[ 538.544953] ---[ end trace 74423e2b948c2e0c ]--- + +This patch makes the KVM_PPC_ALLOCATE_HTAB ioctl fail when running in +the nested hypervisor, causing QEMU to abort. + +Reported-by: Satheesh Rajendran +Signed-off-by: Fabiano Rosas +Reviewed-by: Greg Kurz +Reviewed-by: David Gibson +Signed-off-by: Paul Mackerras +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 1928b86d6e6b5..51e8353310c2e 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -5214,6 +5214,12 @@ static long kvm_arch_vm_ioctl_hv(struct file *filp, + case KVM_PPC_ALLOCATE_HTAB: { + u32 htab_order; + ++ /* If we're a nested hypervisor, we currently only support radix */ ++ if (kvmhv_on_pseries()) { ++ r = -EOPNOTSUPP; ++ break; ++ } ++ + r = -EFAULT; + if (get_user(htab_order, (u32 __user *)argp)) + break; +-- +2.27.0 + diff --git a/queue-5.8/mac80211-add-missing-queue-hash-initialization-to-80.patch b/queue-5.8/mac80211-add-missing-queue-hash-initialization-to-80.patch new file mode 100644 index 00000000000..a2e6dbdc8e0 --- /dev/null +++ b/queue-5.8/mac80211-add-missing-queue-hash-initialization-to-80.patch @@ -0,0 +1,39 @@ +From f07edd1cb21db0f9e0d1d385c89f6a060cf52995 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 14:36:49 +0200 +Subject: mac80211: add missing queue/hash initialization to 802.3 xmit + +From: Felix Fietkau + +[ Upstream commit 5f8d69eaab1915df97f4f2aca89ea16abdd092d5 ] + +Fixes AQL for encap-offloaded tx + +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20200908123702.88454-2-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 3529d13680682..28758a5b5e888 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -4212,6 +4212,12 @@ static void ieee80211_8023_xmit(struct ieee80211_sub_if_data *sdata, + if (is_zero_ether_addr(ra)) + goto out_free; + ++ if (local->ops->wake_tx_queue) { ++ u16 queue = __ieee80211_select_queue(sdata, sta, skb); ++ skb_set_queue_mapping(skb, queue); ++ skb_get_hash(skb); ++ } ++ + multicast = is_multicast_ether_addr(ra); + + if (sta) +-- +2.27.0 + diff --git a/queue-5.8/md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch b/queue-5.8/md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch new file mode 100644 index 00000000000..0e80bf50ded --- /dev/null +++ b/queue-5.8/md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch @@ -0,0 +1,53 @@ +From f3efd6819c9199c89f7e5a6e3db409a9dda3b9af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Oct 2020 00:00:24 +0800 +Subject: md/bitmap: md_bitmap_get_counter returns wrong blocks + +From: Zhao Heming + +[ Upstream commit d837f7277f56e70d82b3a4a037d744854e62f387 ] + +md_bitmap_get_counter() has code: + +``` + if (bitmap->bp[page].hijacked || + bitmap->bp[page].map == NULL) + csize = ((sector_t)1) << (bitmap->chunkshift + + PAGE_COUNTER_SHIFT - 1); +``` + +The minus 1 is wrong, this branch should report 2048 bits of space. +With "-1" action, this only report 1024 bit of space. + +This bug code returns wrong blocks, but it doesn't inflence bitmap logic: +1. Most callers focus this function return value (the counter of offset), + not the parameter blocks. +2. The bug is only triggered when hijacked is true or map is NULL. + the hijacked true condition is very rare. + the "map == null" only true when array is creating or resizing. +3. Even the caller gets wrong blocks, current code makes caller just to + call md_bitmap_get_counter() one more time. + +Signed-off-by: Zhao Heming +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md-bitmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c +index 19b2601be3c5e..4d019389676b5 100644 +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -1367,7 +1367,7 @@ __acquires(bitmap->lock) + if (bitmap->bp[page].hijacked || + bitmap->bp[page].map == NULL) + csize = ((sector_t)1) << (bitmap->chunkshift + +- PAGE_COUNTER_SHIFT - 1); ++ PAGE_COUNTER_SHIFT); + else + csize = ((sector_t)1) << bitmap->chunkshift; + *blocks = csize - (offset & (csize - 1)); +-- +2.27.0 + diff --git a/queue-5.8/media-imx274-fix-frame-interval-handling.patch b/queue-5.8/media-imx274-fix-frame-interval-handling.patch new file mode 100644 index 00000000000..347511233b8 --- /dev/null +++ b/queue-5.8/media-imx274-fix-frame-interval-handling.patch @@ -0,0 +1,54 @@ +From 7f32798b5d93aae97c90a340feb85ea02b691331 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jul 2020 11:20:32 +0200 +Subject: media: imx274: fix frame interval handling + +From: Hans Verkuil + +[ Upstream commit 49b20d981d723fae5a93843c617af2b2c23611ec ] + +1) the numerator and/or denominator might be 0, in that case + fall back to the default frame interval. This is per the spec + and this caused a v4l2-compliance failure. + +2) the updated frame interval wasn't returned in the s_frame_interval + subdev op. + +Signed-off-by: Hans Verkuil +Reviewed-by: Luca Ceresoli +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/imx274.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/i2c/imx274.c b/drivers/media/i2c/imx274.c +index 6011cec5e351d..e6aa9f32b6a83 100644 +--- a/drivers/media/i2c/imx274.c ++++ b/drivers/media/i2c/imx274.c +@@ -1235,6 +1235,8 @@ static int imx274_s_frame_interval(struct v4l2_subdev *sd, + ret = imx274_set_frame_interval(imx274, fi->interval); + + if (!ret) { ++ fi->interval = imx274->frame_interval; ++ + /* + * exposure time range is decided by frame interval + * need to update it after frame interval changes +@@ -1730,9 +1732,9 @@ static int imx274_set_frame_interval(struct stimx274 *priv, + __func__, frame_interval.numerator, + frame_interval.denominator); + +- if (frame_interval.numerator == 0) { +- err = -EINVAL; +- goto fail; ++ if (frame_interval.numerator == 0 || frame_interval.denominator == 0) { ++ frame_interval.denominator = IMX274_DEF_FRAME_RATE; ++ frame_interval.numerator = 1; + } + + req_frame_rate = (u32)(frame_interval.denominator +-- +2.27.0 + diff --git a/queue-5.8/media-platform-improve-queue-set-up-flow-for-bug-fix.patch b/queue-5.8/media-platform-improve-queue-set-up-flow-for-bug-fix.patch new file mode 100644 index 00000000000..b97aa395808 --- /dev/null +++ b/queue-5.8/media-platform-improve-queue-set-up-flow-for-bug-fix.patch @@ -0,0 +1,41 @@ +From 3b0e7b0aed255991dd481d9925650435ba9d970f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 09:11:35 +0200 +Subject: media: platform: Improve queue set up flow for bug fixing + +From: Xia Jiang + +[ Upstream commit 5095a6413a0cf896ab468009b6142cb0fe617e66 ] + +Add checking created buffer size follow in mtk_jpeg_queue_setup(). + +Reviewed-by: Tomasz Figa +Signed-off-by: Xia Jiang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c +index f82a81a3bdee2..c4b16dc2c0161 100644 +--- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c ++++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c +@@ -571,6 +571,13 @@ static int mtk_jpeg_queue_setup(struct vb2_queue *q, + if (!q_data) + return -EINVAL; + ++ if (*num_planes) { ++ for (i = 0; i < *num_planes; i++) ++ if (sizes[i] < q_data->sizeimage[i]) ++ return -EINVAL; ++ return 0; ++ } ++ + *num_planes = q_data->fmt->colplanes; + for (i = 0; i < q_data->fmt->colplanes; i++) { + sizes[i] = q_data->sizeimage[i]; +-- +2.27.0 + diff --git a/queue-5.8/media-tw5864-check-status-of-tw5864_frameinterval_ge.patch b/queue-5.8/media-tw5864-check-status-of-tw5864_frameinterval_ge.patch new file mode 100644 index 00000000000..579f7b092c2 --- /dev/null +++ b/queue-5.8/media-tw5864-check-status-of-tw5864_frameinterval_ge.patch @@ -0,0 +1,63 @@ +From e8dad49d1d81480c73d5cb05081ab434013ecb96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Aug 2020 21:25:18 +0200 +Subject: media: tw5864: check status of tw5864_frameinterval_get + +From: Tom Rix + +[ Upstream commit 780d815dcc9b34d93ae69385a8465c38d423ff0f ] + +clang static analysis reports this problem + +tw5864-video.c:773:32: warning: The left expression of the compound + assignment is an uninitialized value. + The computed value will also be garbage + fintv->stepwise.max.numerator *= std_max_fps; + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ + +stepwise.max is set with frameinterval, which comes from + + ret = tw5864_frameinterval_get(input, &frameinterval); + fintv->stepwise.step = frameinterval; + fintv->stepwise.min = frameinterval; + fintv->stepwise.max = frameinterval; + fintv->stepwise.max.numerator *= std_max_fps; + +When tw5864_frameinterval_get() fails, frameinterval is not +set. So check the status and fix another similar problem. + +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/tw5864/tw5864-video.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/media/pci/tw5864/tw5864-video.c b/drivers/media/pci/tw5864/tw5864-video.c +index ec1e06da7e4fb..a65114e7ca346 100644 +--- a/drivers/media/pci/tw5864/tw5864-video.c ++++ b/drivers/media/pci/tw5864/tw5864-video.c +@@ -767,6 +767,9 @@ static int tw5864_enum_frameintervals(struct file *file, void *priv, + fintv->type = V4L2_FRMIVAL_TYPE_STEPWISE; + + ret = tw5864_frameinterval_get(input, &frameinterval); ++ if (ret) ++ return ret; ++ + fintv->stepwise.step = frameinterval; + fintv->stepwise.min = frameinterval; + fintv->stepwise.max = frameinterval; +@@ -785,6 +788,9 @@ static int tw5864_g_parm(struct file *file, void *priv, + cp->capability = V4L2_CAP_TIMEPERFRAME; + + ret = tw5864_frameinterval_get(input, &cp->timeperframe); ++ if (ret) ++ return ret; ++ + cp->timeperframe.numerator *= input->frame_interval; + cp->capturemode = 0; + cp->readbuffers = 2; +-- +2.27.0 + diff --git a/queue-5.8/media-uvcvideo-fix-dereference-of-out-of-bound-list-.patch b/queue-5.8/media-uvcvideo-fix-dereference-of-out-of-bound-list-.patch new file mode 100644 index 00000000000..0343537fdec --- /dev/null +++ b/queue-5.8/media-uvcvideo-fix-dereference-of-out-of-bound-list-.patch @@ -0,0 +1,75 @@ +From f5d8ecac93359eb414f14411a9be2a21c3d46717 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Aug 2020 10:35:30 +0200 +Subject: media: uvcvideo: Fix dereference of out-of-bound list iterator + +From: Daniel W. S. Almeida + +[ Upstream commit f875bcc375c738bf2f599ff2e1c5b918dbd07c45 ] + +Fixes the following coccinelle report: + +drivers/media/usb/uvc/uvc_ctrl.c:1860:5-11: +ERROR: invalid reference to the index variable of the iterator on line 1854 + +by adding a boolean variable to check if the loop has found the + +Found using - Coccinelle (http://coccinelle.lip6.fr) + +[Replace cursor variable with bool found] + +Signed-off-by: Daniel W. S. Almeida +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_ctrl.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c +index a30a8a731eda8..c13ed95cb06fe 100644 +--- a/drivers/media/usb/uvc/uvc_ctrl.c ++++ b/drivers/media/usb/uvc/uvc_ctrl.c +@@ -1848,30 +1848,35 @@ int uvc_xu_ctrl_query(struct uvc_video_chain *chain, + { + struct uvc_entity *entity; + struct uvc_control *ctrl; +- unsigned int i, found = 0; ++ unsigned int i; ++ bool found; + u32 reqflags; + u16 size; + u8 *data = NULL; + int ret; + + /* Find the extension unit. */ ++ found = false; + list_for_each_entry(entity, &chain->entities, chain) { + if (UVC_ENTITY_TYPE(entity) == UVC_VC_EXTENSION_UNIT && +- entity->id == xqry->unit) ++ entity->id == xqry->unit) { ++ found = true; + break; ++ } + } + +- if (entity->id != xqry->unit) { ++ if (!found) { + uvc_trace(UVC_TRACE_CONTROL, "Extension unit %u not found.\n", + xqry->unit); + return -ENOENT; + } + + /* Find the control and perform delayed initialization if needed. */ ++ found = false; + for (i = 0; i < entity->ncontrols; ++i) { + ctrl = &entity->controls[i]; + if (ctrl->index == xqry->selector - 1) { +- found = 1; ++ found = true; + break; + } + } +-- +2.27.0 + diff --git a/queue-5.8/media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch b/queue-5.8/media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch new file mode 100644 index 00000000000..ebfe1e3ece4 --- /dev/null +++ b/queue-5.8/media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch @@ -0,0 +1,117 @@ +From 96a97df82579befb67636c441725617682c3129c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 12:47:16 +0200 +Subject: media: videodev2.h: RGB BT2020 and HSV are always full range + +From: Hans Verkuil + +[ Upstream commit b305dfe2e93434b12d438434461b709641f62af4 ] + +The default RGB quantization range for BT.2020 is full range (just as for +all the other RGB pixel encodings), not limited range. + +Update the V4L2_MAP_QUANTIZATION_DEFAULT macro and documentation +accordingly. + +Also mention that HSV is always full range and cannot be limited range. + +When RGB BT2020 was introduced in V4L2 it was not clear whether it should +be limited or full range, but full range is the right (and consistent) +choice. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../media/v4l/colorspaces-defs.rst | 9 ++++----- + .../media/v4l/colorspaces-details.rst | 5 ++--- + include/uapi/linux/videodev2.h | 17 ++++++++--------- + 3 files changed, 14 insertions(+), 17 deletions(-) + +diff --git a/Documentation/userspace-api/media/v4l/colorspaces-defs.rst b/Documentation/userspace-api/media/v4l/colorspaces-defs.rst +index 01404e1f609a7..4089f426258d6 100644 +--- a/Documentation/userspace-api/media/v4l/colorspaces-defs.rst ++++ b/Documentation/userspace-api/media/v4l/colorspaces-defs.rst +@@ -36,8 +36,7 @@ whole range, 0-255, dividing the angular value by 1.41. The enum + :c:type:`v4l2_hsv_encoding` specifies which encoding is used. + + .. note:: The default R'G'B' quantization is full range for all +- colorspaces except for BT.2020 which uses limited range R'G'B' +- quantization. ++ colorspaces. HSV formats are always full range. + + .. tabularcolumns:: |p{6.7cm}|p{10.8cm}| + +@@ -169,8 +168,8 @@ whole range, 0-255, dividing the angular value by 1.41. The enum + - Details + * - ``V4L2_QUANTIZATION_DEFAULT`` + - Use the default quantization encoding as defined by the +- colorspace. This is always full range for R'G'B' (except for the +- BT.2020 colorspace) and HSV. It is usually limited range for Y'CbCr. ++ colorspace. This is always full range for R'G'B' and HSV. ++ It is usually limited range for Y'CbCr. + * - ``V4L2_QUANTIZATION_FULL_RANGE`` + - Use the full range quantization encoding. I.e. the range [0…1] is + mapped to [0…255] (with possible clipping to [1…254] to avoid the +@@ -180,4 +179,4 @@ whole range, 0-255, dividing the angular value by 1.41. The enum + * - ``V4L2_QUANTIZATION_LIM_RANGE`` + - Use the limited range quantization encoding. I.e. the range [0…1] + is mapped to [16…235]. Cb and Cr are mapped from [-0.5…0.5] to +- [16…240]. ++ [16…240]. Limited Range cannot be used with HSV. +diff --git a/Documentation/userspace-api/media/v4l/colorspaces-details.rst b/Documentation/userspace-api/media/v4l/colorspaces-details.rst +index 79ed6f4f76eb3..fd9ddda4e0256 100644 +--- a/Documentation/userspace-api/media/v4l/colorspaces-details.rst ++++ b/Documentation/userspace-api/media/v4l/colorspaces-details.rst +@@ -377,9 +377,8 @@ Colorspace BT.2020 (V4L2_COLORSPACE_BT2020) + The :ref:`itu2020` standard defines the colorspace used by Ultra-high + definition television (UHDTV). The default transfer function is + ``V4L2_XFER_FUNC_709``. The default Y'CbCr encoding is +-``V4L2_YCBCR_ENC_BT2020``. The default R'G'B' quantization is limited +-range (!), and so is the default Y'CbCr quantization. The chromaticities +-of the primary colors and the white reference are: ++``V4L2_YCBCR_ENC_BT2020``. The default Y'CbCr quantization is limited range. ++The chromaticities of the primary colors and the white reference are: + + + +diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h +index c3a1cf1c507f5..dd2f95c32e730 100644 +--- a/include/uapi/linux/videodev2.h ++++ b/include/uapi/linux/videodev2.h +@@ -371,9 +371,9 @@ enum v4l2_hsv_encoding { + + enum v4l2_quantization { + /* +- * The default for R'G'B' quantization is always full range, except +- * for the BT2020 colorspace. For Y'CbCr the quantization is always +- * limited range, except for COLORSPACE_JPEG: this is full range. ++ * The default for R'G'B' quantization is always full range. ++ * For Y'CbCr the quantization is always limited range, except ++ * for COLORSPACE_JPEG: this is full range. + */ + V4L2_QUANTIZATION_DEFAULT = 0, + V4L2_QUANTIZATION_FULL_RANGE = 1, +@@ -382,14 +382,13 @@ enum v4l2_quantization { + + /* + * Determine how QUANTIZATION_DEFAULT should map to a proper quantization. +- * This depends on whether the image is RGB or not, the colorspace and the +- * Y'CbCr encoding. ++ * This depends on whether the image is RGB or not, the colorspace. ++ * The Y'CbCr encoding is not used anymore, but is still there for backwards ++ * compatibility. + */ + #define V4L2_MAP_QUANTIZATION_DEFAULT(is_rgb_or_hsv, colsp, ycbcr_enc) \ +- (((is_rgb_or_hsv) && (colsp) == V4L2_COLORSPACE_BT2020) ? \ +- V4L2_QUANTIZATION_LIM_RANGE : \ +- (((is_rgb_or_hsv) || (colsp) == V4L2_COLORSPACE_JPEG) ? \ +- V4L2_QUANTIZATION_FULL_RANGE : V4L2_QUANTIZATION_LIM_RANGE)) ++ (((is_rgb_or_hsv) || (colsp) == V4L2_COLORSPACE_JPEG) ? \ ++ V4L2_QUANTIZATION_FULL_RANGE : V4L2_QUANTIZATION_LIM_RANGE) + + /* + * Deprecated names for opRGB colorspace (IEC 61966-2-5) +-- +2.27.0 + diff --git a/queue-5.8/memory-emif-remove-bogus-debugfs-error-handling.patch b/queue-5.8/memory-emif-remove-bogus-debugfs-error-handling.patch new file mode 100644 index 00000000000..3d5cf50b47d --- /dev/null +++ b/queue-5.8/memory-emif-remove-bogus-debugfs-error-handling.patch @@ -0,0 +1,75 @@ +From dc63906baedf4c45305e2355c90888dc2621d7d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 14:37:59 +0300 +Subject: memory: emif: Remove bogus debugfs error handling + +From: Dan Carpenter + +[ Upstream commit fd22781648080cc400772b3c68aa6b059d2d5420 ] + +Callers are generally not supposed to check the return values from +debugfs functions. Debugfs functions never return NULL so this error +handling will never trigger. (Historically debugfs functions used to +return a mix of NULL and error pointers but it was eventually deemed too +complicated for something which wasn't intended to be used in normal +situations). + +Delete all the error handling. + +Signed-off-by: Dan Carpenter +Acked-by: Santosh Shilimkar +Link: https://lore.kernel.org/r/20200826113759.GF393664@mwanda +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/emif.c | 33 +++++---------------------------- + 1 file changed, 5 insertions(+), 28 deletions(-) + +diff --git a/drivers/memory/emif.c b/drivers/memory/emif.c +index 9d9127bf2a590..74d69c761cfca 100644 +--- a/drivers/memory/emif.c ++++ b/drivers/memory/emif.c +@@ -163,35 +163,12 @@ static const struct file_operations emif_mr4_fops = { + + static int __init_or_module emif_debugfs_init(struct emif_data *emif) + { +- struct dentry *dentry; +- int ret; +- +- dentry = debugfs_create_dir(dev_name(emif->dev), NULL); +- if (!dentry) { +- ret = -ENOMEM; +- goto err0; +- } +- emif->debugfs_root = dentry; +- +- dentry = debugfs_create_file("regcache_dump", S_IRUGO, +- emif->debugfs_root, emif, &emif_regdump_fops); +- if (!dentry) { +- ret = -ENOMEM; +- goto err1; +- } +- +- dentry = debugfs_create_file("mr4", S_IRUGO, +- emif->debugfs_root, emif, &emif_mr4_fops); +- if (!dentry) { +- ret = -ENOMEM; +- goto err1; +- } +- ++ emif->debugfs_root = debugfs_create_dir(dev_name(emif->dev), NULL); ++ debugfs_create_file("regcache_dump", S_IRUGO, emif->debugfs_root, emif, ++ &emif_regdump_fops); ++ debugfs_create_file("mr4", S_IRUGO, emif->debugfs_root, emif, ++ &emif_mr4_fops); + return 0; +-err1: +- debugfs_remove_recursive(emif->debugfs_root); +-err0: +- return ret; + } + + static void __exit emif_debugfs_exit(struct emif_data *emif) +-- +2.27.0 + diff --git a/queue-5.8/misc-fastrpc-fix-common-struct-sg_table-related-issu.patch b/queue-5.8/misc-fastrpc-fix-common-struct-sg_table-related-issu.patch new file mode 100644 index 00000000000..8e814296a16 --- /dev/null +++ b/queue-5.8/misc-fastrpc-fix-common-struct-sg_table-related-issu.patch @@ -0,0 +1,65 @@ +From 3a72b978550feaa5a36887f631a3b1f8b6d886f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 08:33:12 +0200 +Subject: misc: fastrpc: fix common struct sg_table related issues + +From: Marek Szyprowski + +[ Upstream commit 7cd7edb89437457ec36ffdbb970cc314d00c4aba ] + +The Documentation/DMA-API-HOWTO.txt states that the dma_map_sg() function +returns the number of the created entries in the DMA address space. +However the subsequent calls to the dma_sync_sg_for_{device,cpu}() and +dma_unmap_sg must be called with the original number of the entries +passed to the dma_map_sg(). + +struct sg_table is a common structure used for describing a non-contiguous +memory buffer, used commonly in the DRM and graphics subsystems. It +consists of a scatterlist with memory pages and DMA addresses (sgl entry), +as well as the number of scatterlist entries: CPU pages (orig_nents entry) +and DMA mapped pages (nents entry). + +It turned out that it was a common mistake to misuse nents and orig_nents +entries, calling DMA-mapping functions with a wrong number of entries or +ignoring the number of mapped entries returned by the dma_map_sg() +function. + +To avoid such issues, lets use a common dma-mapping wrappers operating +directly on the struct sg_table objects and use scatterlist page +iterators where possible. This, almost always, hides references to the +nents and orig_nents entries, making the code robust, easier to follow +and copy/paste safe. + +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20200826063316.23486-29-m.szyprowski@samsung.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/fastrpc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c +index 7939c55daceb2..9d68677493163 100644 +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -518,7 +518,7 @@ fastrpc_map_dma_buf(struct dma_buf_attachment *attachment, + + table = &a->sgt; + +- if (!dma_map_sg(attachment->dev, table->sgl, table->nents, dir)) ++ if (!dma_map_sgtable(attachment->dev, table, dir, 0)) + return ERR_PTR(-ENOMEM); + + return table; +@@ -528,7 +528,7 @@ static void fastrpc_unmap_dma_buf(struct dma_buf_attachment *attach, + struct sg_table *table, + enum dma_data_direction dir) + { +- dma_unmap_sg(attach->dev, table->sgl, table->nents, dir); ++ dma_unmap_sgtable(attach->dev, table, dir, 0); + } + + static void fastrpc_release(struct dma_buf *dmabuf) +-- +2.27.0 + diff --git a/queue-5.8/mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch b/queue-5.8/mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch new file mode 100644 index 00000000000..71d1201692b --- /dev/null +++ b/queue-5.8/mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch @@ -0,0 +1,166 @@ +From f51520172e7c10c1975c1fc80bcd69d04625362e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Oct 2020 16:37:33 +0300 +Subject: mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() + +From: Amit Cohen + +[ Upstream commit 0daf2bf5a2dcf33d446b76360908f109816e2e21 ] + +Each EMAD transaction stores the skb used to issue the EMAD request +('trans->tx_skb') so that the request could be retried in case of a +timeout. The skb can be freed when a corresponding response is received +or as part of the retry logic (e.g., failed retransmit, exceeded maximum +number of retries). + +The two tasks (i.e., response processing and retransmits) are +synchronized by the atomic 'trans->active' field which ensures that +responses to inactive transactions are ignored. + +In case of a failed retransmit the transaction is finished and all of +its resources are freed. However, the current code does not mark it as +inactive. Syzkaller was able to hit a race condition in which a +concurrent response is processed while the transaction's resources are +being freed, resulting in a use-after-free [1]. + +Fix the issue by making sure to mark the transaction as inactive after a +failed retransmit and free its resources only if a concurrent task did +not already do that. + +[1] +BUG: KASAN: use-after-free in consume_skb+0x30/0x370 +net/core/skbuff.c:833 +Read of size 4 at addr ffff88804f570494 by task syz-executor.0/1004 + +CPU: 0 PID: 1004 Comm: syz-executor.0 Not tainted 5.8.0-rc7+ #68 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xf6/0x16e lib/dump_stack.c:118 + print_address_description.constprop.0+0x1c/0x250 +mm/kasan/report.c:383 + __kasan_report mm/kasan/report.c:513 [inline] + kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 + check_memory_region_inline mm/kasan/generic.c:186 [inline] + check_memory_region+0x14e/0x1b0 mm/kasan/generic.c:192 + instrument_atomic_read include/linux/instrumented.h:56 [inline] + atomic_read include/asm-generic/atomic-instrumented.h:27 [inline] + refcount_read include/linux/refcount.h:147 [inline] + skb_unref include/linux/skbuff.h:1044 [inline] + consume_skb+0x30/0x370 net/core/skbuff.c:833 + mlxsw_emad_trans_finish+0x64/0x1c0 drivers/net/ethernet/mellanox/mlxsw/core.c:592 + mlxsw_emad_process_response drivers/net/ethernet/mellanox/mlxsw/core.c:651 [inline] + mlxsw_emad_rx_listener_func+0x5c9/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:672 + mlxsw_core_skb_receive+0x4df/0x770 drivers/net/ethernet/mellanox/mlxsw/core.c:2063 + mlxsw_pci_cqe_rdq_handle drivers/net/ethernet/mellanox/mlxsw/pci.c:595 [inline] + mlxsw_pci_cq_tasklet+0x12a6/0x2520 drivers/net/ethernet/mellanox/mlxsw/pci.c:651 + tasklet_action_common.isra.0+0x13f/0x3e0 kernel/softirq.c:550 + __do_softirq+0x223/0x964 kernel/softirq.c:292 + asm_call_on_stack+0x12/0x20 arch/x86/entry/entry_64.S:711 + +Allocated by task 1006: + save_stack+0x1b/0x40 mm/kasan/common.c:48 + set_track mm/kasan/common.c:56 [inline] + __kasan_kmalloc mm/kasan/common.c:494 [inline] + __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:467 + slab_post_alloc_hook mm/slab.h:586 [inline] + slab_alloc_node mm/slub.c:2824 [inline] + slab_alloc mm/slub.c:2832 [inline] + kmem_cache_alloc+0xcd/0x2e0 mm/slub.c:2837 + __build_skb+0x21/0x60 net/core/skbuff.c:311 + __netdev_alloc_skb+0x1e2/0x360 net/core/skbuff.c:464 + netdev_alloc_skb include/linux/skbuff.h:2810 [inline] + mlxsw_emad_alloc drivers/net/ethernet/mellanox/mlxsw/core.c:756 [inline] + mlxsw_emad_reg_access drivers/net/ethernet/mellanox/mlxsw/core.c:787 [inline] + mlxsw_core_reg_access_emad+0x1ab/0x1420 drivers/net/ethernet/mellanox/mlxsw/core.c:1817 + mlxsw_reg_trans_query+0x39/0x50 drivers/net/ethernet/mellanox/mlxsw/core.c:1831 + mlxsw_sp_sb_pm_occ_clear drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c:260 [inline] + mlxsw_sp_sb_occ_max_clear+0xbff/0x10a0 drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c:1365 + mlxsw_devlink_sb_occ_max_clear+0x76/0xb0 drivers/net/ethernet/mellanox/mlxsw/core.c:1037 + devlink_nl_cmd_sb_occ_max_clear_doit+0x1ec/0x280 net/core/devlink.c:1765 + genl_family_rcv_msg_doit net/netlink/genetlink.c:669 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:714 [inline] + genl_rcv_msg+0x617/0x980 net/netlink/genetlink.c:731 + netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2470 + genl_rcv+0x24/0x40 net/netlink/genetlink.c:742 + netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] + netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1330 + netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg+0x150/0x190 net/socket.c:671 + ____sys_sendmsg+0x6d8/0x840 net/socket.c:2359 + ___sys_sendmsg+0xff/0x170 net/socket.c:2413 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2446 + do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:384 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Freed by task 73: + save_stack+0x1b/0x40 mm/kasan/common.c:48 + set_track mm/kasan/common.c:56 [inline] + kasan_set_free_info mm/kasan/common.c:316 [inline] + __kasan_slab_free+0x12c/0x170 mm/kasan/common.c:455 + slab_free_hook mm/slub.c:1474 [inline] + slab_free_freelist_hook mm/slub.c:1507 [inline] + slab_free mm/slub.c:3072 [inline] + kmem_cache_free+0xbe/0x380 mm/slub.c:3088 + kfree_skbmem net/core/skbuff.c:622 [inline] + kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:616 + __kfree_skb net/core/skbuff.c:679 [inline] + consume_skb net/core/skbuff.c:837 [inline] + consume_skb+0xe1/0x370 net/core/skbuff.c:831 + mlxsw_emad_trans_finish+0x64/0x1c0 drivers/net/ethernet/mellanox/mlxsw/core.c:592 + mlxsw_emad_transmit_retry.isra.0+0x9d/0xc0 drivers/net/ethernet/mellanox/mlxsw/core.c:613 + mlxsw_emad_trans_timeout_work+0x43/0x50 drivers/net/ethernet/mellanox/mlxsw/core.c:625 + process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269 + worker_thread+0x9e/0x1050 kernel/workqueue.c:2415 + kthread+0x355/0x470 kernel/kthread.c:291 + ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293 + +The buggy address belongs to the object at ffff88804f5703c0 + which belongs to the cache skbuff_head_cache of size 224 +The buggy address is located 212 bytes inside of + 224-byte region [ffff88804f5703c0, ffff88804f5704a0) +The buggy address belongs to the page: +page:ffffea00013d5c00 refcount:1 mapcount:0 mapping:0000000000000000 +index:0x0 +flags: 0x100000000000200(slab) +raw: 0100000000000200 dead000000000100 dead000000000122 ffff88806c625400 +raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88804f570380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb + ffff88804f570400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88804f570480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88804f570500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88804f570580: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc + +Fixes: caf7297e7ab5f ("mlxsw: core: Introduce support for asynchronous EMAD register access") +Signed-off-by: Amit Cohen +Reviewed-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c +index 42726fdf5a3af..cf25817e60148 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -607,6 +607,9 @@ static void mlxsw_emad_transmit_retry(struct mlxsw_core *mlxsw_core, + err = mlxsw_emad_transmit(trans->core, trans); + if (err == 0) + return; ++ ++ if (!atomic_dec_and_test(&trans->active)) ++ return; + } else { + err = -EIO; + } +-- +2.27.0 + diff --git a/queue-5.8/mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tl.patch b/queue-5.8/mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tl.patch new file mode 100644 index 00000000000..e51d2f81670 --- /dev/null +++ b/queue-5.8/mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tl.patch @@ -0,0 +1,116 @@ +From cf8a80214baeb2a6dc196ea16e26dc9b8fe2c194 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:52:16 +1000 +Subject: mm: fix exec activate_mm vs TLB shootdown and lazy tlb switching race + +From: Nicholas Piggin + +[ Upstream commit d53c3dfb23c45f7d4f910c3a3ca84bf0a99c6143 ] + +Reading and modifying current->mm and current->active_mm and switching +mm should be done with irqs off, to prevent races seeing an intermediate +state. + +This is similar to commit 38cf307c1f20 ("mm: fix kthread_use_mm() vs TLB +invalidate"). At exec-time when the new mm is activated, the old one +should usually be single-threaded and no longer used, unless something +else is holding an mm_users reference (which may be possible). + +Absent other mm_users, there is also a race with preemption and lazy tlb +switching. Consider the kernel_execve case where the current thread is +using a lazy tlb active mm: + + call_usermodehelper() + kernel_execve() + old_mm = current->mm; + active_mm = current->active_mm; + *** preempt *** --------------------> schedule() + prev->active_mm = NULL; + mmdrop(prev active_mm); + ... + <-------------------- schedule() + current->mm = mm; + current->active_mm = mm; + if (!old_mm) + mmdrop(active_mm); + +If we switch back to the kernel thread from a different mm, there is a +double free of the old active_mm, and a missing free of the new one. + +Closing this race only requires interrupts to be disabled while ->mm +and ->active_mm are being switched, but the TLB problem requires also +holding interrupts off over activate_mm. Unfortunately not all archs +can do that yet, e.g., arm defers the switch if irqs are disabled and +expects finish_arch_post_lock_switch() to be called to complete the +flush; um takes a blocking lock in activate_mm(). + +So as a first step, disable interrupts across the mm/active_mm updates +to close the lazy tlb preempt race, and provide an arch option to +extend that to activate_mm which allows architectures doing IPI based +TLB shootdowns to close the second race. + +This is a bit ugly, but in the interest of fixing the bug and backporting +before all architectures are converted this is a compromise. + +Signed-off-by: Nicholas Piggin +Acked-by: Peter Zijlstra (Intel) +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200914045219.3736466-2-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/Kconfig | 7 +++++++ + fs/exec.c | 17 +++++++++++++++-- + 2 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/arch/Kconfig b/arch/Kconfig +index 8cc35dc556c72..2fb97d79e7693 100644 +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -411,6 +411,13 @@ config MMU_GATHER_NO_GATHER + bool + depends on MMU_GATHER_TABLE_FREE + ++config ARCH_WANT_IRQS_OFF_ACTIVATE_MM ++ bool ++ help ++ Temporary select until all architectures can be converted to have ++ irqs disabled over activate_mm. Architectures that do IPI based TLB ++ shootdowns should enable this. ++ + config ARCH_HAVE_NMI_SAFE_CMPXCHG + bool + +diff --git a/fs/exec.c b/fs/exec.c +index 78976a3260c6a..cd94a6f6b7447 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1104,11 +1104,24 @@ static int exec_mmap(struct mm_struct *mm) + } + + task_lock(tsk); +- active_mm = tsk->active_mm; + membarrier_exec_mmap(mm); +- tsk->mm = mm; ++ ++ local_irq_disable(); ++ active_mm = tsk->active_mm; + tsk->active_mm = mm; ++ tsk->mm = mm; ++ /* ++ * This prevents preemption while active_mm is being loaded and ++ * it and mm are being updated, which could cause problems for ++ * lazy tlb mm refcounting when these are updated by context ++ * switches. Not all architectures can handle irqs off over ++ * activate_mm yet. ++ */ ++ if (!IS_ENABLED(CONFIG_ARCH_WANT_IRQS_OFF_ACTIVATE_MM)) ++ local_irq_enable(); + activate_mm(active_mm, mm); ++ if (IS_ENABLED(CONFIG_ARCH_WANT_IRQS_OFF_ACTIVATE_MM)) ++ local_irq_enable(); + tsk->mm->vmacache_seqnum = 0; + vmacache_flush(tsk); + task_unlock(tsk); +-- +2.27.0 + diff --git a/queue-5.8/mmc-via-sdmmc-fix-data-race-bug.patch b/queue-5.8/mmc-via-sdmmc-fix-data-race-bug.patch new file mode 100644 index 00000000000..6bf08c6b839 --- /dev/null +++ b/queue-5.8/mmc-via-sdmmc-fix-data-race-bug.patch @@ -0,0 +1,48 @@ +From 85e162fcdb887c584e773993251b9eb6132ceba0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Aug 2020 11:45:28 +0530 +Subject: mmc: via-sdmmc: Fix data race bug + +From: Madhuparna Bhowmik + +[ Upstream commit 87d7ad089b318b4f319bf57f1daa64eb6d1d10ad ] + +via_save_pcictrlreg() should be called with host->lock held +as it writes to pm_pcictrl_reg, otherwise there can be a race +condition between via_sd_suspend() and via_sdc_card_detect(). +The same pattern is used in the function via_reset_pcictrl() +as well, where via_save_pcictrlreg() is called with host->lock +held. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Madhuparna Bhowmik +Link: https://lore.kernel.org/r/20200822061528.7035-1-madhuparnabhowmik10@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/via-sdmmc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c +index ef95bce508890..e4d8126cd4e5b 100644 +--- a/drivers/mmc/host/via-sdmmc.c ++++ b/drivers/mmc/host/via-sdmmc.c +@@ -1259,11 +1259,14 @@ static void via_init_sdc_pm(struct via_crdr_mmc_host *host) + static int via_sd_suspend(struct pci_dev *pcidev, pm_message_t state) + { + struct via_crdr_mmc_host *host; ++ unsigned long flags; + + host = pci_get_drvdata(pcidev); + ++ spin_lock_irqsave(&host->lock, flags); + via_save_pcictrlreg(host); + via_save_sdcreg(host); ++ spin_unlock_irqrestore(&host->lock, flags); + + pci_save_state(pcidev); + pci_enable_wake(pcidev, pci_choose_state(pcidev, state), 0); +-- +2.27.0 + diff --git a/queue-5.8/nbd-make-the-config-put-is-called-before-the-notifyi.patch b/queue-5.8/nbd-make-the-config-put-is-called-before-the-notifyi.patch new file mode 100644 index 00000000000..08f24ec925b --- /dev/null +++ b/queue-5.8/nbd-make-the-config-put-is-called-before-the-notifyi.patch @@ -0,0 +1,43 @@ +From aee7118933e5b9cbd42c036908d25f5fbc1c6a23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 22:45:14 -0400 +Subject: nbd: make the config put is called before the notifying the waiter + +From: Xiubo Li + +[ Upstream commit 87aac3a80af5cbad93e63250e8a1e19095ba0d30 ] + +There has one race case for ceph's rbd-nbd tool. When do mapping +it may fail with EBUSY from ioctl(nbd, NBD_DO_IT), but actually +the nbd device has already unmaped. + +It dues to if just after the wake_up(), the recv_work() is scheduled +out and defers calling the nbd_config_put(), though the map process +has exited the "nbd->recv_task" is not cleared. + +Signed-off-by: Xiubo Li +Reviewed-by: Josef Bacik +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index bc9dc1f847e19..955b754fd5555 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -798,9 +798,9 @@ static void recv_work(struct work_struct *work) + + blk_mq_complete_request(blk_mq_rq_from_pdu(cmd)); + } ++ nbd_config_put(nbd); + atomic_dec(&config->recv_threads); + wake_up(&config->recv_wq); +- nbd_config_put(nbd); + kfree(args); + } + +-- +2.27.0 + diff --git a/queue-5.8/net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch b/queue-5.8/net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch new file mode 100644 index 00000000000..4177dd09d8e --- /dev/null +++ b/queue-5.8/net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch @@ -0,0 +1,45 @@ +From 0adf0a0e35d67e054ad48da6e7bff50477f40045 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 09:54:04 +0530 +Subject: net: 9p: initialize sun_server.sun_path to have addr's value only + when addr is valid + +From: Anant Thazhemadam + +[ Upstream commit 7ca1db21ef8e0e6725b4d25deed1ca196f7efb28 ] + +In p9_fd_create_unix, checking is performed to see if the addr (passed +as an argument) is NULL or not. +However, no check is performed to see if addr is a valid address, i.e., +it doesn't entirely consist of only 0's. +The initialization of sun_server.sun_path to be equal to this faulty +addr value leads to an uninitialized variable, as detected by KMSAN. +Checking for this (faulty addr) and returning a negative error number +appropriately, resolves this issue. + +Link: http://lkml.kernel.org/r/20201012042404.2508-1-anant.thazhemadam@gmail.com +Reported-by: syzbot+75d51fe5bf4ebe988518@syzkaller.appspotmail.com +Tested-by: syzbot+75d51fe5bf4ebe988518@syzkaller.appspotmail.com +Signed-off-by: Anant Thazhemadam +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/trans_fd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index 12ecacf0c55fb..60eb9a2b209be 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -1023,7 +1023,7 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args) + + csocket = NULL; + +- if (addr == NULL) ++ if (!addr || !strlen(addr)) + return -EINVAL; + + if (strlen(addr) >= UNIX_PATH_MAX) { +-- +2.27.0 + diff --git a/queue-5.8/nfc-s3fwrn5-add-missing-crypto_hash-dependency.patch b/queue-5.8/nfc-s3fwrn5-add-missing-crypto_hash-dependency.patch new file mode 100644 index 00000000000..870b51023d2 --- /dev/null +++ b/queue-5.8/nfc-s3fwrn5-add-missing-crypto_hash-dependency.patch @@ -0,0 +1,37 @@ +From 14e0d308e0c5f4df886d4123fe5f2f6e4d5efde2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 18:12:16 +0200 +Subject: nfc: s3fwrn5: Add missing CRYPTO_HASH dependency + +From: Krzysztof Kozlowski + +[ Upstream commit 4aa62c62d4c41d71b2bda5ed01b78961829ee93c ] + +The driver uses crypto hash functions so it needs to select CRYPTO_HASH. +This fixes build errors: + + arc-linux-ld: drivers/nfc/s3fwrn5/firmware.o: in function `s3fwrn5_fw_download': + firmware.c:(.text+0x152): undefined reference to `crypto_alloc_shash' + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/s3fwrn5/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nfc/s3fwrn5/Kconfig b/drivers/nfc/s3fwrn5/Kconfig +index af9d18690afeb..3f8b6da582803 100644 +--- a/drivers/nfc/s3fwrn5/Kconfig ++++ b/drivers/nfc/s3fwrn5/Kconfig +@@ -2,6 +2,7 @@ + config NFC_S3FWRN5 + tristate + select CRYPTO ++ select CRYPTO_HASH + help + Core driver for Samsung S3FWRN5 NFC chip. Contains core utilities + of chip. It's intended to be used by PHYs to avoid duplicating lots +-- +2.27.0 + diff --git a/queue-5.8/nfs4-fix-oops-when-copy_file_range-is-attempted-with.patch b/queue-5.8/nfs4-fix-oops-when-copy_file_range-is-attempted-with.patch new file mode 100644 index 00000000000..af4bd899bba --- /dev/null +++ b/queue-5.8/nfs4-fix-oops-when-copy_file_range-is-attempted-with.patch @@ -0,0 +1,62 @@ +From 3a2c8294feaa610b418762b75734724c1a3fad2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Aug 2020 12:11:47 -0400 +Subject: NFS4: Fix oops when copy_file_range is attempted with NFS4.0 source + +From: Dave Wysochanski + +[ Upstream commit d8a6ad913c286d4763ae20b14c02fe6f39d7cd9f ] + +The following oops is seen during xfstest/565 when the 'test' +(source of the copy) is NFS4.0 and 'scratch' (destination) is NFS4.2 +[ 59.692458] run fstests generic/565 at 2020-08-01 05:50:35 +[ 60.613588] BUG: kernel NULL pointer dereference, address: 0000000000000008 +[ 60.624970] #PF: supervisor read access in kernel mode +[ 60.627671] #PF: error_code(0x0000) - not-present page +[ 60.630347] PGD 0 P4D 0 +[ 60.631853] Oops: 0000 [#1] SMP PTI +[ 60.634086] CPU: 6 PID: 2828 Comm: xfs_io Kdump: loaded Not tainted 5.8.0-rc3 #1 +[ 60.637676] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 +[ 60.639901] RIP: 0010:nfs4_check_serverowner_major_id+0x5/0x30 [nfsv4] +[ 60.642719] Code: 89 ff e8 3e b3 b8 e1 e9 71 fe ff ff 41 bc da d8 ff ff e9 c3 fe ff ff e8 e9 9d 08 e2 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 <8b> 57 08 31 c0 3b 56 08 75 12 48 83 c6 0c 48 83 c7 0c e8 c4 97 bb +[ 60.652629] RSP: 0018:ffffc265417f7e10 EFLAGS: 00010287 +[ 60.655379] RAX: ffffa0664b066400 RBX: 0000000000000000 RCX: 0000000000000001 +[ 60.658754] RDX: ffffa066725fb000 RSI: ffffa066725fd000 RDI: 0000000000000000 +[ 60.662292] RBP: 0000000000020000 R08: 0000000000020000 R09: 0000000000000000 +[ 60.666189] R10: 0000000000000003 R11: 0000000000000000 R12: ffffa06648258d00 +[ 60.669914] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa06648258100 +[ 60.673645] FS: 00007faa9fb35800(0000) GS:ffffa06677d80000(0000) knlGS:0000000000000000 +[ 60.677698] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 60.680773] CR2: 0000000000000008 CR3: 0000000203f14000 CR4: 00000000000406e0 +[ 60.684476] Call Trace: +[ 60.685809] nfs4_copy_file_range+0xfc/0x230 [nfsv4] +[ 60.688704] vfs_copy_file_range+0x2ee/0x310 +[ 60.691104] __x64_sys_copy_file_range+0xd6/0x210 +[ 60.693527] do_syscall_64+0x4d/0x90 +[ 60.695512] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 60.698006] RIP: 0033:0x7faa9febc1bd + +Signed-off-by: Dave Wysochanski +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4file.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c +index a339707654673..af84787aa0631 100644 +--- a/fs/nfs/nfs4file.c ++++ b/fs/nfs/nfs4file.c +@@ -145,7 +145,8 @@ static ssize_t __nfs4_copy_file_range(struct file *file_in, loff_t pos_in, + /* Only offload copy if superblock is the same */ + if (file_in->f_op != &nfs4_file_operations) + return -EXDEV; +- if (!nfs_server_capable(file_inode(file_out), NFS_CAP_COPY)) ++ if (!nfs_server_capable(file_inode(file_out), NFS_CAP_COPY) || ++ !nfs_server_capable(file_inode(file_in), NFS_CAP_COPY)) + return -EOPNOTSUPP; + if (file_inode(file_in) == file_inode(file_out)) + return -EOPNOTSUPP; +-- +2.27.0 + diff --git a/queue-5.8/nfsd-rename-delegation-related-tracepoints-to-make-t.patch b/queue-5.8/nfsd-rename-delegation-related-tracepoints-to-make-t.patch new file mode 100644 index 00000000000..5d0187de71d --- /dev/null +++ b/queue-5.8/nfsd-rename-delegation-related-tracepoints-to-make-t.patch @@ -0,0 +1,76 @@ +From 6e47dd3013bf09f780f32d405403e544554db91e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 15:02:55 +0800 +Subject: nfsd: rename delegation related tracepoints to make them less + confusing + +From: Hou Tao + +[ Upstream commit 3caf91757ced158e6c4a44d8b105bd7b3e1767d8 ] + +Now when a read delegation is given, two delegation related traces +will be printed: + + nfsd_deleg_open: client 5f45b854:e6058001 stateid 00000030:00000001 + nfsd_deleg_none: client 5f45b854:e6058001 stateid 0000002f:00000001 + +Although the intention is to let developers know two stateid are +returned, the traces are confusing about whether or not a read delegation +is handled out. So renaming trace_nfsd_deleg_none() to trace_nfsd_open() +and trace_nfsd_deleg_open() to trace_nfsd_deleg_read() to make +the intension clearer. + +The patched traces will be: + + nfsd_deleg_read: client 5f48a967:b55b21cd stateid 00000003:00000001 + nfsd_open: client 5f48a967:b55b21cd stateid 00000002:00000001 + +Suggested-by: Chuck Lever +Signed-off-by: Hou Tao +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4state.c | 4 ++-- + fs/nfsd/trace.h | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index cea682ce8aa12..2d568d0e55f78 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -5100,7 +5100,7 @@ nfs4_open_delegation(struct svc_fh *fh, struct nfsd4_open *open, + + memcpy(&open->op_delegate_stateid, &dp->dl_stid.sc_stateid, sizeof(dp->dl_stid.sc_stateid)); + +- trace_nfsd_deleg_open(&dp->dl_stid.sc_stateid); ++ trace_nfsd_deleg_read(&dp->dl_stid.sc_stateid); + open->op_delegate_type = NFS4_OPEN_DELEGATE_READ; + nfs4_put_stid(&dp->dl_stid); + return; +@@ -5217,7 +5217,7 @@ nfsd4_process_open2(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nf + nfs4_open_delegation(current_fh, open, stp); + nodeleg: + status = nfs_ok; +- trace_nfsd_deleg_none(&stp->st_stid.sc_stateid); ++ trace_nfsd_open(&stp->st_stid.sc_stateid); + out: + /* 4.1 client trying to upgrade/downgrade delegation? */ + if (open->op_delegate_type == NFS4_OPEN_DELEGATE_NONE && dp && +diff --git a/fs/nfsd/trace.h b/fs/nfsd/trace.h +index 1861db1bdc670..99bf07800cd09 100644 +--- a/fs/nfsd/trace.h ++++ b/fs/nfsd/trace.h +@@ -289,8 +289,8 @@ DEFINE_STATEID_EVENT(layout_recall_done); + DEFINE_STATEID_EVENT(layout_recall_fail); + DEFINE_STATEID_EVENT(layout_recall_release); + +-DEFINE_STATEID_EVENT(deleg_open); +-DEFINE_STATEID_EVENT(deleg_none); ++DEFINE_STATEID_EVENT(open); ++DEFINE_STATEID_EVENT(deleg_read); + DEFINE_STATEID_EVENT(deleg_break); + DEFINE_STATEID_EVENT(deleg_recall); + +-- +2.27.0 + diff --git a/queue-5.8/nvme-rdma-fix-crash-when-connect-rejected.patch b/queue-5.8/nvme-rdma-fix-crash-when-connect-rejected.patch new file mode 100644 index 00000000000..4e58c407572 --- /dev/null +++ b/queue-5.8/nvme-rdma-fix-crash-when-connect-rejected.patch @@ -0,0 +1,47 @@ +From f610db9590e9bbad8bdf73a77141d62b7befef1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 16:10:40 +0800 +Subject: nvme-rdma: fix crash when connect rejected + +From: Chao Leng + +[ Upstream commit 43efdb8e870ee0f58633fd579aa5b5185bf5d39e ] + +A crash can happened when a connect is rejected. The host establishes +the connection after received ConnectReply, and then continues to send +the fabrics Connect command. If the controller does not receive the +ReadyToUse capsule, host may receive a ConnectReject reply. + +Call nvme_rdma_destroy_queue_ib after the host received the +RDMA_CM_EVENT_REJECTED event. Then when the fabrics Connect command +times out, nvme_rdma_timeout calls nvme_rdma_complete_rq to fail the +request. A crash happenes due to use after free in +nvme_rdma_complete_rq. + +nvme_rdma_destroy_queue_ib is redundant when handling the +RDMA_CM_EVENT_REJECTED event as nvme_rdma_destroy_queue_ib is already +called in connection failure handler. + +Signed-off-by: Chao Leng +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/rdma.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index 4a0bc8927048a..99f627b0053f7 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -1900,7 +1900,6 @@ static int nvme_rdma_cm_handler(struct rdma_cm_id *cm_id, + complete(&queue->cm_done); + return 0; + case RDMA_CM_EVENT_REJECTED: +- nvme_rdma_destroy_queue_ib(queue); + cm_error = nvme_rdma_conn_rejected(queue, ev); + break; + case RDMA_CM_EVENT_ROUTE_ERROR: +-- +2.27.0 + diff --git a/queue-5.8/octeontx2-af-fix-ld-custom-ltype-aliasing.patch b/queue-5.8/octeontx2-af-fix-ld-custom-ltype-aliasing.patch new file mode 100644 index 00000000000..3af2c4c6122 --- /dev/null +++ b/queue-5.8/octeontx2-af-fix-ld-custom-ltype-aliasing.patch @@ -0,0 +1,51 @@ +From 2f2b2e73234715506d6caf92c88cdab4232021b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 11:28:14 +0200 +Subject: octeontx2-af: fix LD CUSTOM LTYPE aliasing + +From: Stanislaw Kardach + +[ Upstream commit 450f0b978870c384dd81d1176088536555f3170e ] + +Since LD contains LTYPE definitions tweaked toward efficient +NIX_AF_RX_FLOW_KEY_ALG(0..31)_FIELD(0..4) usage, the original location +of NPC_LT_LD_CUSTOM0/1 was aliased with MPLS_IN_* definitions. +Moving custom frame to value 6 and 7 removes the aliasing at the cost of +custom frames being also considered when TCP/UDP RSS algo is configured. + +However since the goal of CUSTOM frames is to classify them to a +separate set of RQs, this cost is acceptable. + +Signed-off-by: Stanislaw Kardach +Acked-by: Sunil Goutham +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/npc.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/npc.h b/drivers/net/ethernet/marvell/octeontx2/af/npc.h +index 3803af9231c68..c0ff5f70aa431 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/npc.h ++++ b/drivers/net/ethernet/marvell/octeontx2/af/npc.h +@@ -77,6 +77,8 @@ enum npc_kpu_ld_ltype { + NPC_LT_LD_ICMP, + NPC_LT_LD_SCTP, + NPC_LT_LD_ICMP6, ++ NPC_LT_LD_CUSTOM0, ++ NPC_LT_LD_CUSTOM1, + NPC_LT_LD_IGMP = 8, + NPC_LT_LD_ESP, + NPC_LT_LD_AH, +@@ -85,8 +87,6 @@ enum npc_kpu_ld_ltype { + NPC_LT_LD_NSH, + NPC_LT_LD_TU_MPLS_IN_NSH, + NPC_LT_LD_TU_MPLS_IN_IP, +- NPC_LT_LD_CUSTOM0 = 0xE, +- NPC_LT_LD_CUSTOM1 = 0xF, + }; + + enum npc_kpu_le_ltype { +-- +2.27.0 + diff --git a/queue-5.8/pci-acpi-add-ampere-altra-soc-mcfg-quirk.patch b/queue-5.8/pci-acpi-add-ampere-altra-soc-mcfg-quirk.patch new file mode 100644 index 00000000000..cfa9b02a164 --- /dev/null +++ b/queue-5.8/pci-acpi-add-ampere-altra-soc-mcfg-quirk.patch @@ -0,0 +1,87 @@ +From a8e26f7a743b7c9507d5cfe844b12fa76225740f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 14:57:34 -0700 +Subject: PCI/ACPI: Add Ampere Altra SOC MCFG quirk + +From: Tuan Phan + +[ Upstream commit 877c1a5f79c6984bbe3f2924234c08e2f4f1acd5 ] + +Ampere Altra SOC supports only 32-bit ECAM reads. Add an MCFG quirk for +the platform. + +Link: https://lore.kernel.org/r/1596751055-12316-1-git-send-email-tuanphan@os.amperecomputing.com +Signed-off-by: Tuan Phan +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/acpi/pci_mcfg.c | 20 ++++++++++++++++++++ + drivers/pci/ecam.c | 10 ++++++++++ + include/linux/pci-ecam.h | 1 + + 3 files changed, 31 insertions(+) + +diff --git a/drivers/acpi/pci_mcfg.c b/drivers/acpi/pci_mcfg.c +index 54b36b7ad47d9..e526571e0ebdb 100644 +--- a/drivers/acpi/pci_mcfg.c ++++ b/drivers/acpi/pci_mcfg.c +@@ -142,6 +142,26 @@ static struct mcfg_fixup mcfg_quirks[] = { + XGENE_V2_ECAM_MCFG(4, 0), + XGENE_V2_ECAM_MCFG(4, 1), + XGENE_V2_ECAM_MCFG(4, 2), ++ ++#define ALTRA_ECAM_QUIRK(rev, seg) \ ++ { "Ampere", "Altra ", rev, seg, MCFG_BUS_ANY, &pci_32b_read_ops } ++ ++ ALTRA_ECAM_QUIRK(1, 0), ++ ALTRA_ECAM_QUIRK(1, 1), ++ ALTRA_ECAM_QUIRK(1, 2), ++ ALTRA_ECAM_QUIRK(1, 3), ++ ALTRA_ECAM_QUIRK(1, 4), ++ ALTRA_ECAM_QUIRK(1, 5), ++ ALTRA_ECAM_QUIRK(1, 6), ++ ALTRA_ECAM_QUIRK(1, 7), ++ ALTRA_ECAM_QUIRK(1, 8), ++ ALTRA_ECAM_QUIRK(1, 9), ++ ALTRA_ECAM_QUIRK(1, 10), ++ ALTRA_ECAM_QUIRK(1, 11), ++ ALTRA_ECAM_QUIRK(1, 12), ++ ALTRA_ECAM_QUIRK(1, 13), ++ ALTRA_ECAM_QUIRK(1, 14), ++ ALTRA_ECAM_QUIRK(1, 15), + }; + + static char mcfg_oem_id[ACPI_OEM_ID_SIZE]; +diff --git a/drivers/pci/ecam.c b/drivers/pci/ecam.c +index 8f065a42fc1a2..b54d32a316693 100644 +--- a/drivers/pci/ecam.c ++++ b/drivers/pci/ecam.c +@@ -168,4 +168,14 @@ const struct pci_ecam_ops pci_32b_ops = { + .write = pci_generic_config_write32, + } + }; ++ ++/* ECAM ops for 32-bit read only (non-compliant) */ ++const struct pci_ecam_ops pci_32b_read_ops = { ++ .bus_shift = 20, ++ .pci_ops = { ++ .map_bus = pci_ecam_map_bus, ++ .read = pci_generic_config_read32, ++ .write = pci_generic_config_write, ++ } ++}; + #endif +diff --git a/include/linux/pci-ecam.h b/include/linux/pci-ecam.h +index 1af5cb02ef7f9..033ce74f02e81 100644 +--- a/include/linux/pci-ecam.h ++++ b/include/linux/pci-ecam.h +@@ -51,6 +51,7 @@ extern const struct pci_ecam_ops pci_generic_ecam_ops; + + #if defined(CONFIG_ACPI) && defined(CONFIG_PCI_QUIRKS) + extern const struct pci_ecam_ops pci_32b_ops; /* 32-bit accesses only */ ++extern const struct pci_ecam_ops pci_32b_read_ops; /* 32-bit read only */ + extern const struct pci_ecam_ops hisi_pcie_ops; /* HiSilicon */ + extern const struct pci_ecam_ops thunder_pem_ecam_ops; /* Cavium ThunderX 1.x & 2.x */ + extern const struct pci_ecam_ops pci_thunder_ecam_ops; /* Cavium ThunderX 1.x */ +-- +2.27.0 + diff --git a/queue-5.8/power-supply-bq27xxx-report-not-charging-on-all-type.patch b/queue-5.8/power-supply-bq27xxx-report-not-charging-on-all-type.patch new file mode 100644 index 00000000000..92de93a5a6e --- /dev/null +++ b/queue-5.8/power-supply-bq27xxx-report-not-charging-on-all-type.patch @@ -0,0 +1,55 @@ +From defb1331d8add7475539c503e7b498be80cf014a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 16:04:14 +0200 +Subject: power: supply: bq27xxx: report "not charging" on all types + +From: Krzysztof Kozlowski + +[ Upstream commit 7bf738ba110722b63e9dc8af760d3fb2aef25593 ] + +Commit 6f24ff97e323 ("power: supply: bq27xxx_battery: Add the +BQ27Z561 Battery monitor") and commit d74534c27775 ("power: +bq27xxx_battery: Add support for additional bq27xxx family devices") +added support for new device types by copying most of the code and +adding necessary quirks. + +However they did not copy the code in bq27xxx_battery_status() +responsible for returning POWER_SUPPLY_STATUS_NOT_CHARGING. + +Unify the bq27xxx_battery_status() so for all types when charger is +supplied, it will return "not charging" status. + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/bq27xxx_battery.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c +index 942c92127b6d5..6b6a507a401ba 100644 +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1678,8 +1678,6 @@ static int bq27xxx_battery_status(struct bq27xxx_device_info *di, + status = POWER_SUPPLY_STATUS_FULL; + else if (di->cache.flags & BQ27000_FLAG_CHGS) + status = POWER_SUPPLY_STATUS_CHARGING; +- else if (power_supply_am_i_supplied(di->bat) > 0) +- status = POWER_SUPPLY_STATUS_NOT_CHARGING; + else + status = POWER_SUPPLY_STATUS_DISCHARGING; + } else { +@@ -1691,6 +1689,10 @@ static int bq27xxx_battery_status(struct bq27xxx_device_info *di, + status = POWER_SUPPLY_STATUS_CHARGING; + } + ++ if ((status == POWER_SUPPLY_STATUS_DISCHARGING) && ++ (power_supply_am_i_supplied(di->bat) > 0)) ++ status = POWER_SUPPLY_STATUS_NOT_CHARGING; ++ + val->intval = status; + + return 0; +-- +2.27.0 + diff --git a/queue-5.8/power-supply-test_power-add-missing-newlines-when-pr.patch b/queue-5.8/power-supply-test_power-add-missing-newlines-when-pr.patch new file mode 100644 index 00000000000..5967bed0b15 --- /dev/null +++ b/queue-5.8/power-supply-test_power-add-missing-newlines-when-pr.patch @@ -0,0 +1,84 @@ +From ad7ecd29778b739adef653a2c31d231ca8f6cf7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 14:09:58 +0800 +Subject: power: supply: test_power: add missing newlines when printing + parameters by sysfs + +From: Xiongfeng Wang + +[ Upstream commit c07fa6c1631333f02750cf59f22b615d768b4d8f ] + +When I cat some module parameters by sysfs, it displays as follows. +It's better to add a newline for easy reading. + +root@syzkaller:~# cd /sys/module/test_power/parameters/ +root@syzkaller:/sys/module/test_power/parameters# cat ac_online +onroot@syzkaller:/sys/module/test_power/parameters# cat battery_present +trueroot@syzkaller:/sys/module/test_power/parameters# cat battery_health +goodroot@syzkaller:/sys/module/test_power/parameters# cat battery_status +dischargingroot@syzkaller:/sys/module/test_power/parameters# cat battery_technology +LIONroot@syzkaller:/sys/module/test_power/parameters# cat usb_online +onroot@syzkaller:/sys/module/test_power/parameters# + +Signed-off-by: Xiongfeng Wang +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/test_power.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/power/supply/test_power.c b/drivers/power/supply/test_power.c +index b3c05ff05783f..1bdce430246af 100644 +--- a/drivers/power/supply/test_power.c ++++ b/drivers/power/supply/test_power.c +@@ -353,6 +353,7 @@ static int param_set_ac_online(const char *key, const struct kernel_param *kp) + static int param_get_ac_online(char *buffer, const struct kernel_param *kp) + { + strcpy(buffer, map_get_key(map_ac_online, ac_online, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +@@ -366,6 +367,7 @@ static int param_set_usb_online(const char *key, const struct kernel_param *kp) + static int param_get_usb_online(char *buffer, const struct kernel_param *kp) + { + strcpy(buffer, map_get_key(map_ac_online, usb_online, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +@@ -380,6 +382,7 @@ static int param_set_battery_status(const char *key, + static int param_get_battery_status(char *buffer, const struct kernel_param *kp) + { + strcpy(buffer, map_get_key(map_status, battery_status, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +@@ -394,6 +397,7 @@ static int param_set_battery_health(const char *key, + static int param_get_battery_health(char *buffer, const struct kernel_param *kp) + { + strcpy(buffer, map_get_key(map_health, battery_health, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +@@ -409,6 +413,7 @@ static int param_get_battery_present(char *buffer, + const struct kernel_param *kp) + { + strcpy(buffer, map_get_key(map_present, battery_present, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +@@ -426,6 +431,7 @@ static int param_get_battery_technology(char *buffer, + { + strcpy(buffer, + map_get_key(map_technology, battery_technology, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +-- +2.27.0 + diff --git a/queue-5.8/powerpc-64s-handle-isa-v3.1-local-copy-paste-context.patch b/queue-5.8/powerpc-64s-handle-isa-v3.1-local-copy-paste-context.patch new file mode 100644 index 00000000000..8be96db9e77 --- /dev/null +++ b/queue-5.8/powerpc-64s-handle-isa-v3.1-local-copy-paste-context.patch @@ -0,0 +1,100 @@ +From 2dae7ba6595c41935135ead3cf3ca6fcd381957a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 17:55:35 +1000 +Subject: powerpc/64s: handle ISA v3.1 local copy-paste context switches + +From: Nicholas Piggin + +[ Upstream commit dc462267d2d7aacffc3c1d99b02d7a7c59db7c66 ] + +The ISA v3.1 the copy-paste facility has a new memory move functionality +which allows the copy buffer to be pasted to domestic memory (RAM) as +opposed to foreign memory (accelerator). + +This means the POWER9 trick of avoiding the cp_abort on context switch if +the process had not mapped foreign memory does not work on POWER10. Do the +cp_abort unconditionally there. + +KVM must also cp_abort on guest exit to prevent copy buffer state leaking +between contexts. + +Signed-off-by: Nicholas Piggin +Acked-by: Paul Mackerras +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200825075535.224536-1-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/process.c | 16 +++++++++------- + arch/powerpc/kvm/book3s_hv.c | 7 +++++++ + arch/powerpc/kvm/book3s_hv_rmhandlers.S | 8 ++++++++ + 3 files changed, 24 insertions(+), 7 deletions(-) + +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c +index 4650b9bb217fb..fcae69ac9acaa 100644 +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -1231,15 +1231,17 @@ struct task_struct *__switch_to(struct task_struct *prev, + restore_math(current->thread.regs); + + /* +- * The copy-paste buffer can only store into foreign real +- * addresses, so unprivileged processes can not see the +- * data or use it in any way unless they have foreign real +- * mappings. If the new process has the foreign real address +- * mappings, we must issue a cp_abort to clear any state and +- * prevent snooping, corruption or a covert channel. ++ * On POWER9 the copy-paste buffer can only paste into ++ * foreign real addresses, so unprivileged processes can not ++ * see the data or use it in any way unless they have ++ * foreign real mappings. If the new process has the foreign ++ * real address mappings, we must issue a cp_abort to clear ++ * any state and prevent snooping, corruption or a covert ++ * channel. ISA v3.1 supports paste into local memory. + */ + if (current->mm && +- atomic_read(¤t->mm->context.vas_windows)) ++ (cpu_has_feature(CPU_FTR_ARCH_31) || ++ atomic_read(¤t->mm->context.vas_windows))) + asm volatile(PPC_CP_ABORT); + } + #endif /* CONFIG_PPC_BOOK3S_64 */ +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 6bf66649ab92f..1928b86d6e6b5 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -3485,6 +3485,13 @@ static int kvmhv_load_hv_regs_and_go(struct kvm_vcpu *vcpu, u64 time_limit, + */ + asm volatile("eieio; tlbsync; ptesync"); + ++ /* ++ * cp_abort is required if the processor supports local copy-paste ++ * to clear the copy buffer that was under control of the guest. ++ */ ++ if (cpu_has_feature(CPU_FTR_ARCH_31)) ++ asm volatile(PPC_CP_ABORT); ++ + mtspr(SPRN_LPID, vcpu->kvm->arch.host_lpid); /* restore host LPID */ + isync(); + +diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +index 71943892c81c6..092ef0ee29753 100644 +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +@@ -1830,6 +1830,14 @@ END_FTR_SECTION_IFSET(CPU_FTR_P9_RADIX_PREFETCH_BUG) + 2: + #endif /* CONFIG_PPC_RADIX_MMU */ + ++ /* ++ * cp_abort is required if the processor supports local copy-paste ++ * to clear the copy buffer that was under control of the guest. ++ */ ++BEGIN_FTR_SECTION ++ PPC_CP_ABORT ++END_FTR_SECTION_IFSET(CPU_FTR_ARCH_31) ++ + /* + * POWER7/POWER8 guest -> host partition switch code. + * We don't have to lock against tlbies but we do +-- +2.27.0 + diff --git a/queue-5.8/powerpc-powernv-smp-fix-spurious-dbg-warning.patch b/queue-5.8/powerpc-powernv-smp-fix-spurious-dbg-warning.patch new file mode 100644 index 00000000000..9a5daf978b9 --- /dev/null +++ b/queue-5.8/powerpc-powernv-smp-fix-spurious-dbg-warning.patch @@ -0,0 +1,55 @@ +From 30573715b8d75413fe7f42e4bdf066e67bcf843a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Aug 2020 10:54:05 +1000 +Subject: powerpc/powernv/smp: Fix spurious DBG() warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oliver O'Halloran + +[ Upstream commit f6bac19cf65c5be21d14a0c9684c8f560f2096dd ] + +When building with W=1 we get the following warning: + + arch/powerpc/platforms/powernv/smp.c: In function ‘pnv_smp_cpu_kill_self’: + arch/powerpc/platforms/powernv/smp.c:276:16: error: suggest braces around + empty body in an ‘if’ statement [-Werror=empty-body] + 276 | cpu, srr1); + | ^ + cc1: all warnings being treated as errors + +The full context is this block: + + if (srr1 && !generic_check_cpu_restart(cpu)) + DBG("CPU%d Unexpected exit while offline srr1=%lx!\n", + cpu, srr1); + +When building with DEBUG undefined DBG() expands to nothing and GCC emits +the warning due to the lack of braces around an empty statement. + +Signed-off-by: Oliver O'Halloran +Reviewed-by: Joel Stanley +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200804005410.146094-2-oohall@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/powernv/smp.c b/arch/powerpc/platforms/powernv/smp.c +index b2ba3e95bda73..bbf361f23ae86 100644 +--- a/arch/powerpc/platforms/powernv/smp.c ++++ b/arch/powerpc/platforms/powernv/smp.c +@@ -43,7 +43,7 @@ + #include + #define DBG(fmt...) udbg_printf(fmt) + #else +-#define DBG(fmt...) ++#define DBG(fmt...) do { } while (0) + #endif + + static void pnv_smp_setup_cpu(int cpu) +-- +2.27.0 + diff --git a/queue-5.8/powerpc-select-arch_want_irqs_off_activate_mm.patch b/queue-5.8/powerpc-select-arch_want_irqs_off_activate_mm.patch new file mode 100644 index 00000000000..0acc75c3a9f --- /dev/null +++ b/queue-5.8/powerpc-select-arch_want_irqs_off_activate_mm.patch @@ -0,0 +1,50 @@ +From d51bf00a052dca8bae28b19b91c97ce5198c1f72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:52:17 +1000 +Subject: powerpc: select ARCH_WANT_IRQS_OFF_ACTIVATE_MM + +From: Nicholas Piggin + +[ Upstream commit 66acd46080bd9e5ad2be4b0eb1d498d5145d058e ] + +powerpc uses IPIs in some situations to switch a kernel thread away +from a lazy tlb mm, which is subject to the TLB flushing race +described in the changelog introducing ARCH_WANT_IRQS_OFF_ACTIVATE_MM. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200914045219.3736466-3-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/Kconfig | 1 + + arch/powerpc/include/asm/mmu_context.h | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig +index cf78ad7ff0b7c..376007f88d328 100644 +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -146,6 +146,7 @@ config PPC + select ARCH_USE_BUILTIN_BSWAP + select ARCH_USE_CMPXCHG_LOCKREF if PPC64 + select ARCH_WANT_IPC_PARSE_VERSION ++ select ARCH_WANT_IRQS_OFF_ACTIVATE_MM + select ARCH_WEAK_RELEASE_ACQUIRE + select BINFMT_ELF + select BUILDTIME_TABLE_SORT +diff --git a/arch/powerpc/include/asm/mmu_context.h b/arch/powerpc/include/asm/mmu_context.h +index 1a474f6b1992a..6cb10c7a52025 100644 +--- a/arch/powerpc/include/asm/mmu_context.h ++++ b/arch/powerpc/include/asm/mmu_context.h +@@ -246,7 +246,7 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, + */ + static inline void activate_mm(struct mm_struct *prev, struct mm_struct *next) + { +- switch_mm(prev, next, current); ++ switch_mm_irqs_off(prev, next, current); + } + + /* We don't currently use enter_lazy_tlb() for anything */ +-- +2.27.0 + diff --git a/queue-5.8/powerpc-watchpoint-ptrace-fix-sethwdebug-when-config.patch b/queue-5.8/powerpc-watchpoint-ptrace-fix-sethwdebug-when-config.patch new file mode 100644 index 00000000000..27f263371f7 --- /dev/null +++ b/queue-5.8/powerpc-watchpoint-ptrace-fix-sethwdebug-when-config.patch @@ -0,0 +1,45 @@ +From b064bd81a1e6f7a3cee5f7bd3184db5d7a542a70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 09:59:40 +0530 +Subject: powerpc/watchpoint/ptrace: Fix SETHWDEBUG when + CONFIG_HAVE_HW_BREAKPOINT=N + +From: Ravi Bangoria + +[ Upstream commit 9b6b7c680cc20971444d9f836e49fc98848bcd0a ] + +When kernel is compiled with CONFIG_HAVE_HW_BREAKPOINT=N, user can +still create watchpoint using PPC_PTRACE_SETHWDEBUG, with limited +functionalities. But, such watchpoints are never firing because of +the missing privilege settings. Fix that. + +It's safe to set HW_BRK_TYPE_PRIV_ALL because we don't really leak +any kernel address in signal info. Setting HW_BRK_TYPE_PRIV_ALL will +also help to find scenarios when kernel accesses user memory. + +Reported-by: Pedro Miraglia Franco de Carvalho +Suggested-by: Pedro Miraglia Franco de Carvalho +Signed-off-by: Ravi Bangoria +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200902042945.129369-4-ravi.bangoria@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/ptrace/ptrace-noadv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/ptrace/ptrace-noadv.c b/arch/powerpc/kernel/ptrace/ptrace-noadv.c +index 8bd8d8de5c40b..a570782e954be 100644 +--- a/arch/powerpc/kernel/ptrace/ptrace-noadv.c ++++ b/arch/powerpc/kernel/ptrace/ptrace-noadv.c +@@ -217,7 +217,7 @@ long ppc_set_hwdebug(struct task_struct *child, struct ppc_hw_breakpoint *bp_inf + return -EIO; + + brk.address = ALIGN_DOWN(bp_info->addr, HW_BREAKPOINT_SIZE); +- brk.type = HW_BRK_TYPE_TRANSLATE; ++ brk.type = HW_BRK_TYPE_TRANSLATE | HW_BRK_TYPE_PRIV_ALL; + brk.len = DABR_MAX_LEN; + brk.hw_len = DABR_MAX_LEN; + if (bp_info->trigger_type & PPC_BREAKPOINT_TRIGGER_READ) +-- +2.27.0 + diff --git a/queue-5.8/printk-reduce-log_buf_shift-range-for-h8300.patch b/queue-5.8/printk-reduce-log_buf_shift-range-for-h8300.patch new file mode 100644 index 00000000000..19b830d73fb --- /dev/null +++ b/queue-5.8/printk-reduce-log_buf_shift-range-for-h8300.patch @@ -0,0 +1,42 @@ +From 47e11634f333f7f7c3c9b0f24afd584a590e93ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Aug 2020 09:37:22 +0206 +Subject: printk: reduce LOG_BUF_SHIFT range for H8300 + +From: John Ogness + +[ Upstream commit 550c10d28d21bd82a8bb48debbb27e6ed53262f6 ] + +The .bss section for the h8300 is relatively small. A value of +CONFIG_LOG_BUF_SHIFT that is larger than 19 will create a static +printk ringbuffer that is too large. Limit the range appropriately +for the H8300. + +Reported-by: kernel test robot +Signed-off-by: John Ogness +Reviewed-by: Sergey Senozhatsky +Acked-by: Steven Rostedt (VMware) +Signed-off-by: Petr Mladek +Link: https://lore.kernel.org/r/20200812073122.25412-1-john.ogness@linutronix.de +Signed-off-by: Sasha Levin +--- + init/Kconfig | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/init/Kconfig b/init/Kconfig +index 0498af567f706..5e68928c131b8 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -654,7 +654,8 @@ config IKHEADERS + + config LOG_BUF_SHIFT + int "Kernel log buffer size (16 => 64KB, 17 => 128KB)" +- range 12 25 ++ range 12 25 if !H8300 ++ range 12 19 if H8300 + default 17 + depends on PRINTK + help +-- +2.27.0 + diff --git a/queue-5.8/rdma-core-change-how-failing-destroy-is-handled-duri.patch b/queue-5.8/rdma-core-change-how-failing-destroy-is-handled-duri.patch new file mode 100644 index 00000000000..24bae8adad1 --- /dev/null +++ b/queue-5.8/rdma-core-change-how-failing-destroy-is-handled-duri.patch @@ -0,0 +1,96 @@ +From 38eea2be2e7170ddc5834948aae015089c4b1199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 11:17:08 +0300 +Subject: RDMA/core: Change how failing destroy is handled during uobj abort + +From: Jason Gunthorpe + +[ Upstream commit f553246f7f794675da1794ae7ee07d1f35e561ae ] + +Currently it triggers a WARN_ON and then goes ahead and destroys the +uobject anyhow, leaking any driver memory. + +The only place that leaks driver memory should be during FD close() in +uverbs_destroy_ufile_hw(). + +Drivers are only allowed to fail destroy uobjects if they guarantee +destroy will eventually succeed. uverbs_destroy_ufile_hw() provides the +loop to give the driver that chance. + +Link: https://lore.kernel.org/r/20200902081708.746631-1-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/rdma_core.c | 30 ++++++++++++++--------------- + include/rdma/ib_verbs.h | 5 ----- + 2 files changed, 15 insertions(+), 20 deletions(-) + +diff --git a/drivers/infiniband/core/rdma_core.c b/drivers/infiniband/core/rdma_core.c +index 6d3ed7c6e19eb..3962da54ffbf4 100644 +--- a/drivers/infiniband/core/rdma_core.c ++++ b/drivers/infiniband/core/rdma_core.c +@@ -130,17 +130,6 @@ static int uverbs_destroy_uobject(struct ib_uobject *uobj, + lockdep_assert_held(&ufile->hw_destroy_rwsem); + assert_uverbs_usecnt(uobj, UVERBS_LOOKUP_WRITE); + +- if (reason == RDMA_REMOVE_ABORT_HWOBJ) { +- reason = RDMA_REMOVE_ABORT; +- ret = uobj->uapi_object->type_class->destroy_hw(uobj, reason, +- attrs); +- /* +- * Drivers are not permitted to ignore RDMA_REMOVE_ABORT, see +- * ib_is_destroy_retryable, cleanup_retryable == false here. +- */ +- WARN_ON(ret); +- } +- + if (reason == RDMA_REMOVE_ABORT) { + WARN_ON(!list_empty(&uobj->list)); + WARN_ON(!uobj->context); +@@ -674,11 +663,22 @@ void rdma_alloc_abort_uobject(struct ib_uobject *uobj, + bool hw_obj_valid) + { + struct ib_uverbs_file *ufile = uobj->ufile; ++ int ret; ++ ++ if (hw_obj_valid) { ++ ret = uobj->uapi_object->type_class->destroy_hw( ++ uobj, RDMA_REMOVE_ABORT, attrs); ++ /* ++ * If the driver couldn't destroy the object then go ahead and ++ * commit it. Leaking objects that can't be destroyed is only ++ * done during FD close after the driver has a few more tries to ++ * destroy it. ++ */ ++ if (WARN_ON(ret)) ++ return rdma_alloc_commit_uobject(uobj, attrs); ++ } + +- uverbs_destroy_uobject(uobj, +- hw_obj_valid ? RDMA_REMOVE_ABORT_HWOBJ : +- RDMA_REMOVE_ABORT, +- attrs); ++ uverbs_destroy_uobject(uobj, RDMA_REMOVE_ABORT, attrs); + + /* Matches the down_read in rdma_alloc_begin_uobject */ + up_read(&ufile->hw_destroy_rwsem); +diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h +index d7809f203715f..1c09e4c46df94 100644 +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -1489,11 +1489,6 @@ enum rdma_remove_reason { + RDMA_REMOVE_DRIVER_REMOVE, + /* uobj is being cleaned-up before being committed */ + RDMA_REMOVE_ABORT, +- /* +- * uobj has been fully created, with the uobj->object set, but is being +- * cleaned up before being comitted +- */ +- RDMA_REMOVE_ABORT_HWOBJ, + }; + + struct ib_rdmacg_object { +-- +2.27.0 + diff --git a/queue-5.8/rdma-mlx5-fix-devlink-deadlock-on-net-namespace-dele.patch b/queue-5.8/rdma-mlx5-fix-devlink-deadlock-on-net-namespace-dele.patch new file mode 100644 index 00000000000..a222bd1a007 --- /dev/null +++ b/queue-5.8/rdma-mlx5-fix-devlink-deadlock-on-net-namespace-dele.patch @@ -0,0 +1,126 @@ +From 06fb4f0353614dd6b2d06ec597af9ea3252e38a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Oct 2020 15:43:59 +0200 +Subject: RDMA/mlx5: Fix devlink deadlock on net namespace deletion + +From: Parav Pandit + +[ Upstream commit fbdd0049d98d44914fc57d4b91f867f4996c787b ] + +When a mlx5 core devlink instance is reloaded in different net namespace, +its associated IB device is deleted and recreated. + +Example sequence is: +$ ip netns add foo +$ devlink dev reload pci/0000:00:08.0 netns foo +$ ip netns del foo + +mlx5 IB device needs to attach and detach the netdevice to it through the +netdev notifier chain during load and unload sequence. A below call graph +of the unload flow. + +cleanup_net() + down_read(&pernet_ops_rwsem); <- first sem acquired + ops_pre_exit_list() + pre_exit() + devlink_pernet_pre_exit() + devlink_reload() + mlx5_devlink_reload_down() + mlx5_unload_one() + [...] + mlx5_ib_remove() + mlx5_ib_unbind_slave_port() + mlx5_remove_netdev_notifier() + unregister_netdevice_notifier() + down_write(&pernet_ops_rwsem);<- recurrsive lock + +Hence, when net namespace is deleted, mlx5 reload results in deadlock. + +When deadlock occurs, devlink mutex is also held. This not only deadlocks +the mlx5 device under reload, but all the processes which attempt to +access unrelated devlink devices are deadlocked. + +Hence, fix this by mlx5 ib driver to register for per net netdev notifier +instead of global one, which operats on the net namespace without holding +the pernet_ops_rwsem. + +Fixes: 4383cfcc65e7 ("net/mlx5: Add devlink reload") +Link: https://lore.kernel.org/r/20201026134359.23150-1-parav@nvidia.com +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 6 ++++-- + .../net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 5 ----- + include/linux/mlx5/driver.h | 18 ++++++++++++++++++ + 3 files changed, 22 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 1f4aa2647a6f3..5891236c52283 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -5291,7 +5291,8 @@ static int mlx5_add_netdev_notifier(struct mlx5_ib_dev *dev, u8 port_num) + int err; + + dev->port[port_num].roce.nb.notifier_call = mlx5_netdev_event; +- err = register_netdevice_notifier(&dev->port[port_num].roce.nb); ++ err = register_netdevice_notifier_net(mlx5_core_net(dev->mdev), ++ &dev->port[port_num].roce.nb); + if (err) { + dev->port[port_num].roce.nb.notifier_call = NULL; + return err; +@@ -5303,7 +5304,8 @@ static int mlx5_add_netdev_notifier(struct mlx5_ib_dev *dev, u8 port_num) + static void mlx5_remove_netdev_notifier(struct mlx5_ib_dev *dev, u8 port_num) + { + if (dev->port[port_num].roce.nb.notifier_call) { +- unregister_netdevice_notifier(&dev->port[port_num].roce.nb); ++ unregister_netdevice_notifier_net(mlx5_core_net(dev->mdev), ++ &dev->port[port_num].roce.nb); + dev->port[port_num].roce.nb.notifier_call = NULL; + } + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h b/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h +index 249539247e2e7..b99d469e4e645 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h +@@ -84,9 +84,4 @@ int mlx5_create_encryption_key(struct mlx5_core_dev *mdev, + void *key, u32 sz_bytes, u32 *p_key_id); + void mlx5_destroy_encryption_key(struct mlx5_core_dev *mdev, u32 key_id); + +-static inline struct net *mlx5_core_net(struct mlx5_core_dev *dev) +-{ +- return devlink_net(priv_to_devlink(dev)); +-} +- + #endif +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 484cd8ba869c5..badfe21080bb9 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -1206,4 +1206,22 @@ static inline bool mlx5_is_roce_enabled(struct mlx5_core_dev *dev) + return val.vbool; + } + ++/** ++ * mlx5_core_net - Provide net namespace of the mlx5_core_dev ++ * @dev: mlx5 core device ++ * ++ * mlx5_core_net() returns the net namespace of mlx5 core device. ++ * This can be called only in below described limited context. ++ * (a) When a devlink instance for mlx5_core is registered and ++ * when devlink reload operation is disabled. ++ * or ++ * (b) during devlink reload reload_down() and reload_up callbacks ++ * where it is ensured that devlink instance's net namespace is ++ * stable. ++ */ ++static inline struct net *mlx5_core_net(struct mlx5_core_dev *dev) ++{ ++ return devlink_net(priv_to_devlink(dev)); ++} ++ + #endif /* MLX5_DRIVER_H */ +-- +2.27.0 + diff --git a/queue-5.8/rdma-qedr-fix-memory-leak-in-iwarp-cm.patch b/queue-5.8/rdma-qedr-fix-memory-leak-in-iwarp-cm.patch new file mode 100644 index 00000000000..a97d113c5c2 --- /dev/null +++ b/queue-5.8/rdma-qedr-fix-memory-leak-in-iwarp-cm.patch @@ -0,0 +1,37 @@ +From 61c635764d81e4023c93ce950b21e4503f795336 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Oct 2020 11:50:08 +0000 +Subject: RDMA/qedr: Fix memory leak in iWARP CM + +From: Alok Prasad + +[ Upstream commit a2267f8a52eea9096861affd463f691be0f0e8c9 ] + +Fixes memory leak in iWARP CM + +Fixes: e411e0587e0d ("RDMA/qedr: Add iWARP connection management functions") +Link: https://lore.kernel.org/r/20201021115008.28138-1-palok@marvell.com +Signed-off-by: Michal Kalderon +Signed-off-by: Igor Russkikh +Signed-off-by: Alok Prasad +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/qedr_iw_cm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c +index c7169d2c69e5b..c4bc58736e489 100644 +--- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c ++++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c +@@ -727,6 +727,7 @@ int qedr_iw_destroy_listen(struct iw_cm_id *cm_id) + listener->qed_handle); + + cm_id->rem_ref(cm_id); ++ kfree(listener); + return rc; + } + +-- +2.27.0 + diff --git a/queue-5.8/riscv-define-at_vector_size_arch-for-arch_dlinfo.patch b/queue-5.8/riscv-define-at_vector_size_arch-for-arch_dlinfo.patch new file mode 100644 index 00000000000..11af319d168 --- /dev/null +++ b/queue-5.8/riscv-define-at_vector_size_arch-for-arch_dlinfo.patch @@ -0,0 +1,38 @@ +From b190718a29b1806910e3042e44649a3f7fa32d64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Aug 2020 15:33:49 +0800 +Subject: riscv: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO + +From: Zong Li + +[ Upstream commit b5fca7c55f9fbab5ad732c3bce00f31af6ba5cfa ] + +AT_VECTOR_SIZE_ARCH should be defined with the maximum number of +NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined +for RISC-V at all even though ARCH_DLINFO will contain one NEW_AUX_ENT +for the VDSO address. + +Signed-off-by: Zong Li +Reviewed-by: Palmer Dabbelt +Reviewed-by: Pekka Enberg +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/include/uapi/asm/auxvec.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/riscv/include/uapi/asm/auxvec.h b/arch/riscv/include/uapi/asm/auxvec.h +index d86cb17bbabe6..22e0ae8884061 100644 +--- a/arch/riscv/include/uapi/asm/auxvec.h ++++ b/arch/riscv/include/uapi/asm/auxvec.h +@@ -10,4 +10,7 @@ + /* vDSO location */ + #define AT_SYSINFO_EHDR 33 + ++/* entries in ARCH_DLINFO */ ++#define AT_VECTOR_SIZE_ARCH 1 ++ + #endif /* _UAPI_ASM_RISCV_AUXVEC_H */ +-- +2.27.0 + diff --git a/queue-5.8/rpmsg-glink-use-complete_all-for-open-states.patch b/queue-5.8/rpmsg-glink-use-complete_all-for-open-states.patch new file mode 100644 index 00000000000..59bc27eccd6 --- /dev/null +++ b/queue-5.8/rpmsg-glink-use-complete_all-for-open-states.patch @@ -0,0 +1,57 @@ +From 6c64e9b14f844d278f32d9653e80a73bc95c1ff4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jun 2020 22:15:18 +0530 +Subject: rpmsg: glink: Use complete_all for open states + +From: Chris Lew + +[ Upstream commit 4fcdaf6e28d11e2f3820d54dd23cd12a47ddd44e ] + +The open_req and open_ack completion variables are the state variables +to represet a remote channel as open. Use complete_all so there are no +races with waiters and using completion_done. + +Signed-off-by: Chris Lew +Signed-off-by: Arun Kumar Neelakantam +Signed-off-by: Deepak Kumar Singh +Link: https://lore.kernel.org/r/1593017121-7953-2-git-send-email-deesin@codeaurora.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_glink_native.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c +index 1995f5b3ea677..d5114abcde197 100644 +--- a/drivers/rpmsg/qcom_glink_native.c ++++ b/drivers/rpmsg/qcom_glink_native.c +@@ -970,7 +970,7 @@ static int qcom_glink_rx_open_ack(struct qcom_glink *glink, unsigned int lcid) + return -EINVAL; + } + +- complete(&channel->open_ack); ++ complete_all(&channel->open_ack); + + return 0; + } +@@ -1178,7 +1178,7 @@ static int qcom_glink_announce_create(struct rpmsg_device *rpdev) + __be32 *val = defaults; + int size; + +- if (glink->intentless) ++ if (glink->intentless || !completion_done(&channel->open_ack)) + return 0; + + prop = of_find_property(np, "qcom,intents", NULL); +@@ -1413,7 +1413,7 @@ static int qcom_glink_rx_open(struct qcom_glink *glink, unsigned int rcid, + channel->rcid = ret; + spin_unlock_irqrestore(&glink->idr_lock, flags); + +- complete(&channel->open_req); ++ complete_all(&channel->open_req); + + if (create_device) { + rpdev = kzalloc(sizeof(*rpdev), GFP_KERNEL); +-- +2.27.0 + diff --git a/queue-5.8/s390-startup-avoid-save_area_sync-overflow.patch b/queue-5.8/s390-startup-avoid-save_area_sync-overflow.patch new file mode 100644 index 00000000000..0526f8c46c9 --- /dev/null +++ b/queue-5.8/s390-startup-avoid-save_area_sync-overflow.patch @@ -0,0 +1,62 @@ +From 04f057f681f5f53c27aeb3c6734b173bf0ace3d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 19:07:04 +0200 +Subject: s390/startup: avoid save_area_sync overflow + +From: Vasily Gorbik + +[ Upstream commit 2835c2ea95d50625108e47a459e1a47f6be836ce ] + +Currently we overflow save_area_sync and write over +save_area_async. Although this is not a real problem make +startup_pgm_check_handler consistent with late pgm check handler and +store [%r0,%r7] directly into gpregs_save_area. + +Reviewed-by: Sven Schnelle +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/boot/head.S | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/arch/s390/boot/head.S b/arch/s390/boot/head.S +index dae10961d0724..1a2c2b1ed9649 100644 +--- a/arch/s390/boot/head.S ++++ b/arch/s390/boot/head.S +@@ -360,22 +360,23 @@ ENTRY(startup_kdump) + # the save area and does disabled wait with a faulty address. + # + ENTRY(startup_pgm_check_handler) +- stmg %r0,%r15,__LC_SAVE_AREA_SYNC +- la %r1,4095 +- stctg %c0,%c15,__LC_CREGS_SAVE_AREA-4095(%r1) +- mvc __LC_GPREGS_SAVE_AREA-4095(128,%r1),__LC_SAVE_AREA_SYNC +- mvc __LC_PSW_SAVE_AREA-4095(16,%r1),__LC_PGM_OLD_PSW ++ stmg %r8,%r15,__LC_SAVE_AREA_SYNC ++ la %r8,4095 ++ stctg %c0,%c15,__LC_CREGS_SAVE_AREA-4095(%r8) ++ stmg %r0,%r7,__LC_GPREGS_SAVE_AREA-4095(%r8) ++ mvc __LC_GPREGS_SAVE_AREA-4095+64(64,%r8),__LC_SAVE_AREA_SYNC ++ mvc __LC_PSW_SAVE_AREA-4095(16,%r8),__LC_PGM_OLD_PSW + mvc __LC_RETURN_PSW(16),__LC_PGM_OLD_PSW + ni __LC_RETURN_PSW,0xfc # remove IO and EX bits + ni __LC_RETURN_PSW+1,0xfb # remove MCHK bit + oi __LC_RETURN_PSW+1,0x2 # set wait state bit +- larl %r2,.Lold_psw_disabled_wait +- stg %r2,__LC_PGM_NEW_PSW+8 +- l %r15,.Ldump_info_stack-.Lold_psw_disabled_wait(%r2) ++ larl %r9,.Lold_psw_disabled_wait ++ stg %r9,__LC_PGM_NEW_PSW+8 ++ l %r15,.Ldump_info_stack-.Lold_psw_disabled_wait(%r9) + brasl %r14,print_pgm_check_info + .Lold_psw_disabled_wait: +- la %r1,4095 +- lmg %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r1) ++ la %r8,4095 ++ lmg %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r8) + lpswe __LC_RETURN_PSW # disabled wait + .Ldump_info_stack: + .long 0x5000 + PAGE_SIZE - STACK_FRAME_OVERHEAD +-- +2.27.0 + diff --git a/queue-5.8/samples-bpf-fix-possible-deadlock-in-xdpsock.patch b/queue-5.8/samples-bpf-fix-possible-deadlock-in-xdpsock.patch new file mode 100644 index 00000000000..8c6709f3b20 --- /dev/null +++ b/queue-5.8/samples-bpf-fix-possible-deadlock-in-xdpsock.patch @@ -0,0 +1,41 @@ +From 0181c51960565985c066a115340d9a5272df5d7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 10:31:05 +0200 +Subject: samples/bpf: Fix possible deadlock in xdpsock + +From: Magnus Karlsson + +[ Upstream commit 5a2a0dd88f0f267ac5953acd81050ae43a82201f ] + +Fix a possible deadlock in the l2fwd application in xdpsock that can +occur when there is no space in the Tx ring. There are two ways to get +the kernel to consume entries in the Tx ring: calling sendto() to make +it send packets and freeing entries from the completion ring, as the +kernel will not send a packet if there is no space for it to add a +completion entry in the completion ring. The Tx loop in l2fwd only +used to call sendto(). This patches adds cleaning the completion ring +in that loop. + +Signed-off-by: Magnus Karlsson +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/1599726666-8431-3-git-send-email-magnus.karlsson@gmail.com +Signed-off-by: Sasha Levin +--- + samples/bpf/xdpsock_user.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/samples/bpf/xdpsock_user.c b/samples/bpf/xdpsock_user.c +index 0151bb0b2fc71..8ba91be67c85a 100644 +--- a/samples/bpf/xdpsock_user.c ++++ b/samples/bpf/xdpsock_user.c +@@ -1028,6 +1028,7 @@ static void l2fwd(struct xsk_socket_info *xsk, struct pollfd *fds) + while (ret != rcvd) { + if (ret < 0) + exit_with_error(-ret); ++ complete_tx_l2fwd(xsk, fds); + if (xsk_ring_prod__needs_wakeup(&xsk->tx)) + kick_tx(xsk); + ret = xsk_ring_prod__reserve(&xsk->tx, rcvd, &idx_tx); +-- +2.27.0 + diff --git a/queue-5.8/scsi-core-clean-up-allocation-and-freeing-of-sgtable.patch b/queue-5.8/scsi-core-clean-up-allocation-and-freeing-of-sgtable.patch new file mode 100644 index 00000000000..51e0cc18bdd --- /dev/null +++ b/queue-5.8/scsi-core-clean-up-allocation-and-freeing-of-sgtable.patch @@ -0,0 +1,265 @@ +From 49fdc78fc3bd1883fb3199a2b54d0ff476745a4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Oct 2020 10:41:28 +0200 +Subject: scsi: core: Clean up allocation and freeing of sgtables + +From: Christoph Hellwig + +[ Upstream commit 7007e9dd56767a95de0947b3f7599bcc2f21687f ] + +Rename scsi_init_io() to scsi_alloc_sgtables(), and ensure callers call +scsi_free_sgtables() to cleanup failures close to scsi_init_io() instead of +leaking it down the generic I/O submission path. + +Link: https://lore.kernel.org/r/20201005084130.143273-9-hch@lst.de +Reviewed-by: Hannes Reinecke +Signed-off-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_lib.c | 22 ++++++++-------------- + drivers/scsi/sd.c | 27 +++++++++++++++------------ + drivers/scsi/sr.c | 16 ++++++---------- + include/scsi/scsi_cmnd.h | 3 ++- + 4 files changed, 31 insertions(+), 37 deletions(-) + +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index ae620dada8ce5..ba8fafd24f4bd 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -531,7 +531,7 @@ static void scsi_uninit_cmd(struct scsi_cmnd *cmd) + } + } + +-static void scsi_free_sgtables(struct scsi_cmnd *cmd) ++void scsi_free_sgtables(struct scsi_cmnd *cmd) + { + if (cmd->sdb.table.nents) + sg_free_table_chained(&cmd->sdb.table, +@@ -540,6 +540,7 @@ static void scsi_free_sgtables(struct scsi_cmnd *cmd) + sg_free_table_chained(&cmd->prot_sdb->table, + SCSI_INLINE_PROT_SG_CNT); + } ++EXPORT_SYMBOL_GPL(scsi_free_sgtables); + + static void scsi_mq_uninit_cmd(struct scsi_cmnd *cmd) + { +@@ -967,7 +968,7 @@ static inline bool scsi_cmd_needs_dma_drain(struct scsi_device *sdev, + } + + /** +- * scsi_init_io - SCSI I/O initialization function. ++ * scsi_alloc_sgtables - allocate S/G tables for a command + * @cmd: command descriptor we wish to initialize + * + * Returns: +@@ -975,7 +976,7 @@ static inline bool scsi_cmd_needs_dma_drain(struct scsi_device *sdev, + * * BLK_STS_RESOURCE - if the failure is retryable + * * BLK_STS_IOERR - if the failure is fatal + */ +-blk_status_t scsi_init_io(struct scsi_cmnd *cmd) ++blk_status_t scsi_alloc_sgtables(struct scsi_cmnd *cmd) + { + struct scsi_device *sdev = cmd->device; + struct request *rq = cmd->request; +@@ -1067,7 +1068,7 @@ out_free_sgtables: + scsi_free_sgtables(cmd); + return ret; + } +-EXPORT_SYMBOL(scsi_init_io); ++EXPORT_SYMBOL(scsi_alloc_sgtables); + + /** + * scsi_initialize_rq - initialize struct scsi_cmnd partially +@@ -1155,7 +1156,7 @@ static blk_status_t scsi_setup_scsi_cmnd(struct scsi_device *sdev, + * submit a request without an attached bio. + */ + if (req->bio) { +- blk_status_t ret = scsi_init_io(cmd); ++ blk_status_t ret = scsi_alloc_sgtables(cmd); + if (unlikely(ret != BLK_STS_OK)) + return ret; + } else { +@@ -1195,7 +1196,6 @@ static blk_status_t scsi_setup_cmnd(struct scsi_device *sdev, + struct request *req) + { + struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(req); +- blk_status_t ret; + + if (!blk_rq_bytes(req)) + cmd->sc_data_direction = DMA_NONE; +@@ -1205,14 +1205,8 @@ static blk_status_t scsi_setup_cmnd(struct scsi_device *sdev, + cmd->sc_data_direction = DMA_FROM_DEVICE; + + if (blk_rq_is_scsi(req)) +- ret = scsi_setup_scsi_cmnd(sdev, req); +- else +- ret = scsi_setup_fs_cmnd(sdev, req); +- +- if (ret != BLK_STS_OK) +- scsi_free_sgtables(cmd); +- +- return ret; ++ return scsi_setup_scsi_cmnd(sdev, req); ++ return scsi_setup_fs_cmnd(sdev, req); + } + + static blk_status_t +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index 4b2117cb84837..c0c422ad305bc 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -866,7 +866,7 @@ static blk_status_t sd_setup_unmap_cmnd(struct scsi_cmnd *cmd) + cmd->transfersize = data_len; + rq->timeout = SD_TIMEOUT; + +- return scsi_init_io(cmd); ++ return scsi_alloc_sgtables(cmd); + } + + static blk_status_t sd_setup_write_same16_cmnd(struct scsi_cmnd *cmd, +@@ -897,7 +897,7 @@ static blk_status_t sd_setup_write_same16_cmnd(struct scsi_cmnd *cmd, + cmd->transfersize = data_len; + rq->timeout = unmap ? SD_TIMEOUT : SD_WRITE_SAME_TIMEOUT; + +- return scsi_init_io(cmd); ++ return scsi_alloc_sgtables(cmd); + } + + static blk_status_t sd_setup_write_same10_cmnd(struct scsi_cmnd *cmd, +@@ -928,7 +928,7 @@ static blk_status_t sd_setup_write_same10_cmnd(struct scsi_cmnd *cmd, + cmd->transfersize = data_len; + rq->timeout = unmap ? SD_TIMEOUT : SD_WRITE_SAME_TIMEOUT; + +- return scsi_init_io(cmd); ++ return scsi_alloc_sgtables(cmd); + } + + static blk_status_t sd_setup_write_zeroes_cmnd(struct scsi_cmnd *cmd) +@@ -1069,7 +1069,7 @@ static blk_status_t sd_setup_write_same_cmnd(struct scsi_cmnd *cmd) + * knows how much to actually write. + */ + rq->__data_len = sdp->sector_size; +- ret = scsi_init_io(cmd); ++ ret = scsi_alloc_sgtables(cmd); + rq->__data_len = blk_rq_bytes(rq); + + return ret; +@@ -1187,23 +1187,24 @@ static blk_status_t sd_setup_read_write_cmnd(struct scsi_cmnd *cmd) + unsigned int dif; + bool dix; + +- ret = scsi_init_io(cmd); ++ ret = scsi_alloc_sgtables(cmd); + if (ret != BLK_STS_OK) + return ret; + ++ ret = BLK_STS_IOERR; + if (!scsi_device_online(sdp) || sdp->changed) { + scmd_printk(KERN_ERR, cmd, "device offline or changed\n"); +- return BLK_STS_IOERR; ++ goto fail; + } + + if (blk_rq_pos(rq) + blk_rq_sectors(rq) > get_capacity(rq->rq_disk)) { + scmd_printk(KERN_ERR, cmd, "access beyond end of device\n"); +- return BLK_STS_IOERR; ++ goto fail; + } + + if ((blk_rq_pos(rq) & mask) || (blk_rq_sectors(rq) & mask)) { + scmd_printk(KERN_ERR, cmd, "request not aligned to the logical block size\n"); +- return BLK_STS_IOERR; ++ goto fail; + } + + /* +@@ -1225,7 +1226,7 @@ static blk_status_t sd_setup_read_write_cmnd(struct scsi_cmnd *cmd) + if (req_op(rq) == REQ_OP_ZONE_APPEND) { + ret = sd_zbc_prepare_zone_append(cmd, &lba, nr_blocks); + if (ret) +- return ret; ++ goto fail; + } + + fua = rq->cmd_flags & REQ_FUA ? 0x8 : 0; +@@ -1253,7 +1254,7 @@ static blk_status_t sd_setup_read_write_cmnd(struct scsi_cmnd *cmd) + } + + if (unlikely(ret != BLK_STS_OK)) +- return ret; ++ goto fail; + + /* + * We shouldn't disconnect in the middle of a sector, so with a dumb +@@ -1277,10 +1278,12 @@ static blk_status_t sd_setup_read_write_cmnd(struct scsi_cmnd *cmd) + blk_rq_sectors(rq))); + + /* +- * This indicates that the command is ready from our end to be +- * queued. ++ * This indicates that the command is ready from our end to be queued. + */ + return BLK_STS_OK; ++fail: ++ scsi_free_sgtables(cmd); ++ return ret; + } + + static blk_status_t sd_init_command(struct scsi_cmnd *cmd) +diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c +index 0c4aa4665a2f9..b74dfd8dc1165 100644 +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -392,15 +392,11 @@ static blk_status_t sr_init_command(struct scsi_cmnd *SCpnt) + struct request *rq = SCpnt->request; + blk_status_t ret; + +- ret = scsi_init_io(SCpnt); ++ ret = scsi_alloc_sgtables(SCpnt); + if (ret != BLK_STS_OK) +- goto out; ++ return ret; + cd = scsi_cd(rq->rq_disk); + +- /* from here on until we're complete, any goto out +- * is used for a killable error condition */ +- ret = BLK_STS_IOERR; +- + SCSI_LOG_HLQUEUE(1, scmd_printk(KERN_INFO, SCpnt, + "Doing sr request, block = %d\n", block)); + +@@ -509,12 +505,12 @@ static blk_status_t sr_init_command(struct scsi_cmnd *SCpnt) + SCpnt->allowed = MAX_RETRIES; + + /* +- * This indicates that the command is ready from our end to be +- * queued. ++ * This indicates that the command is ready from our end to be queued. + */ +- ret = BLK_STS_OK; ++ return BLK_STS_OK; + out: +- return ret; ++ scsi_free_sgtables(SCpnt); ++ return BLK_STS_IOERR; + } + + static int sr_block_open(struct block_device *bdev, fmode_t mode) +diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h +index e76bac4d14c51..69ade4fb71aab 100644 +--- a/include/scsi/scsi_cmnd.h ++++ b/include/scsi/scsi_cmnd.h +@@ -165,7 +165,8 @@ extern void *scsi_kmap_atomic_sg(struct scatterlist *sg, int sg_count, + size_t *offset, size_t *len); + extern void scsi_kunmap_atomic_sg(void *virt); + +-extern blk_status_t scsi_init_io(struct scsi_cmnd *cmd); ++blk_status_t scsi_alloc_sgtables(struct scsi_cmnd *cmd); ++void scsi_free_sgtables(struct scsi_cmnd *cmd); + + #ifdef CONFIG_SCSI_DMA + extern int scsi_dma_map(struct scsi_cmnd *cmd); +-- +2.27.0 + diff --git a/queue-5.8/selftests-bpf-define-string-const-as-global-for-test.patch b/queue-5.8/selftests-bpf-define-string-const-as-global-for-test.patch new file mode 100644 index 00000000000..145b40038c1 --- /dev/null +++ b/queue-5.8/selftests-bpf-define-string-const-as-global-for-test.patch @@ -0,0 +1,57 @@ +From 7ffef01fe48cc0d3f909346ed42a659ea1ddb21c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 13:27:18 -0700 +Subject: selftests/bpf: Define string const as global for test_sysctl_prog.c + +From: Yonghong Song + +[ Upstream commit 6e057fc15a2da4ee03eb1fa6889cf687e690106e ] + +When tweaking llvm optimizations, I found that selftest build failed +with the following error: + libbpf: elf: skipping unrecognized data section(6) .rodata.str1.1 + libbpf: prog 'sysctl_tcp_mem': bad map relo against '.L__const.is_tcp_mem.tcp_mem_name' + in section '.rodata.str1.1' + Error: failed to open BPF object file: Relocation failed + make: *** [/work/net-next/tools/testing/selftests/bpf/test_sysctl_prog.skel.h] Error 255 + make: *** Deleting file `/work/net-next/tools/testing/selftests/bpf/test_sysctl_prog.skel.h' + +The local string constant "tcp_mem_name" is put into '.rodata.str1.1' section +which libbpf cannot handle. Using untweaked upstream llvm, "tcp_mem_name" +is completely inlined after loop unrolling. + +Commit 7fb5eefd7639 ("selftests/bpf: Fix test_sysctl_loop{1, 2} +failure due to clang change") solved a similar problem by defining +the string const as a global. Let us do the same here +for test_sysctl_prog.c so it can weather future potential llvm changes. + +Signed-off-by: Yonghong Song +Signed-off-by: Alexei Starovoitov +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20200910202718.956042-1-yhs@fb.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/progs/test_sysctl_prog.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/bpf/progs/test_sysctl_prog.c b/tools/testing/selftests/bpf/progs/test_sysctl_prog.c +index 50525235380e8..5489823c83fc2 100644 +--- a/tools/testing/selftests/bpf/progs/test_sysctl_prog.c ++++ b/tools/testing/selftests/bpf/progs/test_sysctl_prog.c +@@ -19,11 +19,11 @@ + #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + #endif + ++const char tcp_mem_name[] = "net/ipv4/tcp_mem"; + static __always_inline int is_tcp_mem(struct bpf_sysctl *ctx) + { +- char tcp_mem_name[] = "net/ipv4/tcp_mem"; + unsigned char i; +- char name[64]; ++ char name[sizeof(tcp_mem_name)]; + int ret; + + memset(name, 0, sizeof(name)); +-- +2.27.0 + diff --git a/queue-5.8/selftests-x86-fsgsbase-reap-a-forgotten-child.patch b/queue-5.8/selftests-x86-fsgsbase-reap-a-forgotten-child.patch new file mode 100644 index 00000000000..acd1485fdb7 --- /dev/null +++ b/queue-5.8/selftests-x86-fsgsbase-reap-a-forgotten-child.patch @@ -0,0 +1,36 @@ +From 7edd2327eca73bce003842d02b686ecff9473634 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 10:00:45 -0700 +Subject: selftests/x86/fsgsbase: Reap a forgotten child + +From: Andy Lutomirski + +[ Upstream commit ab2dd173330a3f07142e68cd65682205036cd00f ] + +The ptrace() test forgot to reap its child. Reap it. + +Signed-off-by: Andy Lutomirski +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/e7700a503f30e79ab35a63103938a19893dbeff2.1598461151.git.luto@kernel.org +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/x86/fsgsbase.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/testing/selftests/x86/fsgsbase.c b/tools/testing/selftests/x86/fsgsbase.c +index 15a329da59fa3..5f3aea210e018 100644 +--- a/tools/testing/selftests/x86/fsgsbase.c ++++ b/tools/testing/selftests/x86/fsgsbase.c +@@ -499,6 +499,9 @@ static void test_ptrace_write_gsbase(void) + + END: + ptrace(PTRACE_CONT, child, NULL, NULL); ++ wait(&status); ++ if (!WIFEXITED(status)) ++ printf("[WARN]\tChild didn't exit cleanly.\n"); + } + + int main() +-- +2.27.0 + diff --git a/queue-5.8/selinux-access-policycaps-with-read_once-write_once.patch b/queue-5.8/selinux-access-policycaps-with-read_once-write_once.patch new file mode 100644 index 00000000000..29ff1e337fa --- /dev/null +++ b/queue-5.8/selinux-access-policycaps-with-read_once-write_once.patch @@ -0,0 +1,99 @@ +From 851612e0bc5aa160c8d9fb56740b023c624a902c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 10:28:05 -0400 +Subject: selinux: access policycaps with READ_ONCE/WRITE_ONCE + +From: Stephen Smalley + +[ Upstream commit e8ba53d0023a76ba0f50e6ee3e6288c5442f9d33 ] + +Use READ_ONCE/WRITE_ONCE for all accesses to the +selinux_state.policycaps booleans to prevent compiler +mischief. + +Signed-off-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/include/security.h | 14 +++++++------- + security/selinux/ss/services.c | 3 ++- + 2 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h +index b0e02cfe3ce14..8a432f646967e 100644 +--- a/security/selinux/include/security.h ++++ b/security/selinux/include/security.h +@@ -177,49 +177,49 @@ static inline bool selinux_policycap_netpeer(void) + { + struct selinux_state *state = &selinux_state; + +- return state->policycap[POLICYDB_CAPABILITY_NETPEER]; ++ return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_NETPEER]); + } + + static inline bool selinux_policycap_openperm(void) + { + struct selinux_state *state = &selinux_state; + +- return state->policycap[POLICYDB_CAPABILITY_OPENPERM]; ++ return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_OPENPERM]); + } + + static inline bool selinux_policycap_extsockclass(void) + { + struct selinux_state *state = &selinux_state; + +- return state->policycap[POLICYDB_CAPABILITY_EXTSOCKCLASS]; ++ return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_EXTSOCKCLASS]); + } + + static inline bool selinux_policycap_alwaysnetwork(void) + { + struct selinux_state *state = &selinux_state; + +- return state->policycap[POLICYDB_CAPABILITY_ALWAYSNETWORK]; ++ return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_ALWAYSNETWORK]); + } + + static inline bool selinux_policycap_cgroupseclabel(void) + { + struct selinux_state *state = &selinux_state; + +- return state->policycap[POLICYDB_CAPABILITY_CGROUPSECLABEL]; ++ return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_CGROUPSECLABEL]); + } + + static inline bool selinux_policycap_nnp_nosuid_transition(void) + { + struct selinux_state *state = &selinux_state; + +- return state->policycap[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION]; ++ return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION]); + } + + static inline bool selinux_policycap_genfs_seclabel_symlinks(void) + { + struct selinux_state *state = &selinux_state; + +- return state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS]; ++ return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS]); + } + + int security_mls_enabled(struct selinux_state *state); +diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c +index ef0afd878bfca..04d1afe01838b 100644 +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -2103,7 +2103,8 @@ static void security_load_policycaps(struct selinux_state *state) + struct ebitmap_node *node; + + for (i = 0; i < ARRAY_SIZE(state->policycap); i++) +- state->policycap[i] = ebitmap_get_bit(&p->policycaps, i); ++ WRITE_ONCE(state->policycap[i], ++ ebitmap_get_bit(&p->policycaps, i)); + + for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++) + pr_info("SELinux: policy capability %s=%d\n", +-- +2.27.0 + diff --git a/queue-5.8/series b/queue-5.8/series new file mode 100644 index 00000000000..5e23522377a --- /dev/null +++ b/queue-5.8/series @@ -0,0 +1,149 @@ +firmware-arm_scmi-fix-arch_cold_reset.patch +firmware-arm_scmi-expand-smc-hvc-message-pool-to-mor.patch +tee-client-uuid-skip-ree-kernel-login-method-as-well.patch +firmware-arm_scmi-add-missing-rx-size-re-initialisat.patch +x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch +x86-alternative-don-t-call-text_poke-in-lazy-tlb-mod.patch +rdma-mlx5-fix-devlink-deadlock-on-net-namespace-dele.patch +mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch +tracing-synthetic-events-replace-buggy-strcat-with-s.patch +afs-fix-a-use-after-free-in-afs_xattr_get_acl.patch +afs-fix-afs_launder_page-to-not-clear-pg_writeback.patch +rdma-qedr-fix-memory-leak-in-iwarp-cm.patch +ata-sata_nv-fix-retrieving-of-active-qcs.patch +arm64-efi-increase-efi-pe-coff-header-padding-to-64-.patch +afs-fix-to-take-ref-on-page-when-pg_private-is-set.patch +afs-fix-page-leak-on-afs_write_begin-failure.patch +afs-fix-where-page-private-is-set-during-write.patch +afs-wrap-page-private-manipulations-in-inline-functi.patch +afs-alter-dirty-range-encoding-in-page-private.patch +afs-fix-dirty-region-encoding-on-ppc32-with-64k-page.patch +interconnect-qcom-sdm845-enable-keepalive-for-the-mm.patch +usb-host-ehci-tegra-fix-error-handling-in-tegra_ehci.patch +futex-fix-incorrect-should_fail_futex-handling.patch +powerpc-powernv-smp-fix-spurious-dbg-warning.patch +rdma-core-change-how-failing-destroy-is-handled-duri.patch +f2fs-allocate-proper-size-memory-for-zstd-decompress.patch +powerpc-watchpoint-ptrace-fix-sethwdebug-when-config.patch +mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tl.patch +powerpc-select-arch_want_irqs_off_activate_mm.patch +sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch +f2fs-add-trace-exit-in-exception-path.patch +f2fs-do-sanity-check-on-zoned-block-device-path.patch +f2fs-fix-uninit-value-in-f2fs_lookup.patch +f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch +s390-startup-avoid-save_area_sync-overflow.patch +f2fs-compress-fix-to-disallow-enabling-compress-on-n.patch +um-change-sigio_spinlock-to-a-mutex.patch +f2fs-handle-errors-of-f2fs_get_meta_page_nofail.patch +afs-don-t-assert-on-unpurgeable-server-records.patch +powerpc-64s-handle-isa-v3.1-local-copy-paste-context.patch +arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch +nfs4-fix-oops-when-copy_file_range-is-attempted-with.patch +xfs-set-xfs_buf-type-flag-when-growing-summary-bitma.patch +xfs-set-xfs_buf-s-b_ops-member-when-zeroing-bitmap-s.patch +xfs-log-new-intent-items-created-as-part-of-finishin.patch +power-supply-bq27xxx-report-not-charging-on-all-type.patch +xfs-change-the-order-in-which-child-and-parent-defer.patch +xfs-fix-realtime-bitmap-summary-file-truncation-when.patch +ath10k-fix-retry-packets-update-in-station-dump.patch +x86-kaslr-initialize-mem_limit-to-the-real-maximum-a.patch +drm-amdgpu-restore-ras-flags-when-user-resets-eeprom.patch +video-fbdev-pvr2fb-initialize-variables.patch +ath10k-start-recovery-process-when-payload-length-ex.patch +ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch +drm-scheduler-scheduler-priority-fixes-v2.patch +drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch +asoc-sof-fix-a-runtime-pm-issue-in-sof-when-hdmi-cod.patch +selftests-x86-fsgsbase-reap-a-forgotten-child.patch +drm-bridge_connector-set-default-status-connected-fo.patch +media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch +misc-fastrpc-fix-common-struct-sg_table-related-issu.patch +media-platform-improve-queue-set-up-flow-for-bug-fix.patch +usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch +media-tw5864-check-status-of-tw5864_frameinterval_ge.patch +drm-vkms-avoid-warning-in-vkms_get_vblank_timestamp.patch +media-imx274-fix-frame-interval-handling.patch +mmc-via-sdmmc-fix-data-race-bug.patch +drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch +brcmfmac-increase-f2-watermark-for-bcm4329.patch +arm64-topology-stop-using-mpidr-for-topology-informa.patch +printk-reduce-log_buf_shift-range-for-h8300.patch +ia64-kprobes-use-generic-kretprobe-trampoline-handle.patch +kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch +bpf-permit-map_ptr-arithmetic-with-opcode-add-and-of.patch +drm-exynos-fix-common-struct-sg_table-related-issues.patch +xen-gntdev-fix-common-struct-sg_table-related-issues.patch +drm-lima-fix-common-struct-sg_table-related-issues.patch +drm-panfrost-fix-common-struct-sg_table-related-issu.patch +media-uvcvideo-fix-dereference-of-out-of-bound-list-.patch +nfc-s3fwrn5-add-missing-crypto_hash-dependency.patch +selftests-bpf-define-string-const-as-global-for-test.patch +selinux-access-policycaps-with-read_once-write_once.patch +samples-bpf-fix-possible-deadlock-in-xdpsock.patch +drm-amd-display-check-clock-table-return.patch +riscv-define-at_vector_size_arch-for-arch_dlinfo.patch +cpufreq-sti-cpufreq-add-stih418-support.patch +usb-adutux-fix-debugging.patch +uio-free-uio-id-after-uio-file-node-is-freed.patch +coresight-make-sysfs-functional-on-topologies-with-p.patch +drm-amdgpu-no-sysfs-not-an-error-condition.patch +mac80211-add-missing-queue-hash-initialization-to-80.patch +usb-xhci-omit-duplicate-actions-when-suspending-a-ru.patch +sunrpc-mitigate-cond_resched-in-xprt_transmit.patch +cpuidle-tegra-correctly-handle-result-of-arm_cpuidle.patch +arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch +can-flexcan-disable-clocks-during-stop-mode.patch +habanalabs-remove-security-from-arb_mst_quiet-regist.patch +xfs-don-t-free-rt-blocks-when-we-re-doing-a-remap-bu.patch +xfs-avoid-lr-buffer-overrun-due-to-crafted-h_len.patch +acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch +octeontx2-af-fix-ld-custom-ltype-aliasing.patch +brcmfmac-fix-warning-message-after-dongle-setup-fail.patch +ath11k-use-gfp_atomic-instead-of-gfp_kernel-in-ath11.patch +ath11k-fix-warning-caused-by-lockdep_assert_held.patch +ath11k-change-to-disable-softirqs-for-ath11k_regd_up.patch +drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch +usb-dwc3-core-do-not-queue-work-if-dr_mode-is-not-us.patch +bus-mhi-core-abort-suspends-due-to-outgoing-pending-.patch +bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch +acpi-hmat-fix-handling-of-changes-from-acpi-6.2-to-a.patch +power-supply-test_power-add-missing-newlines-when-pr.patch +drm-amd-display-hdmi-remote-sink-need-mode-validatio.patch +drm-amd-display-avoid-set-zero-in-the-requested-clk.patch +arc-dts-fix-the-errors-detected-by-dtbs_check.patch +block-consider-only-dispatched-requests-for-inflight.patch +btrfs-fix-replace-of-seed-device.patch +md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch +f2fs-fix-to-set-sbi_need_fsck-flag-for-inconsistent-.patch +bnxt_en-log-unknown-link-speed-appropriately.patch +rpmsg-glink-use-complete_all-for-open-states.patch +pci-acpi-add-ampere-altra-soc-mcfg-quirk.patch +clk-ti-clockdomain-fix-static-checker-warning.patch +nfsd-rename-delegation-related-tracepoints-to-make-t.patch +asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch +net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch +ceph-encode-inodes-parent-d_name-in-cap-reconnect-me.patch +drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch +ext4-detect-already-used-quota-file-early.patch +kvm-ppc-book3s-hv-do-not-allocate-hpt-for-a-nested-g.patch +scsi-core-clean-up-allocation-and-freeing-of-sgtable.patch +gfs2-call-truncate_inode_pages_final-for-address-spa.patch +gfs2-fix-null-pointer-dereference-in-gfs2_rgrp_dump.patch +gfs2-use-after-free-in-sysfs-deregistration.patch +gfs2-add-validation-checks-for-size-of-superblock.patch +handle-status_io_timeout-gracefully.patch +cifs-handle-eintr-in-cifs_setattr.patch +arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch +arm-dts-omap4-fix-sgx-clock-rate-for-4430.patch +memory-emif-remove-bogus-debugfs-error-handling.patch +arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch +arm-dts-s5pv210-move-fixed-clocks-under-root-node.patch +arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch +arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch +arm-dts-s5pv210-align-spi-gpio-node-name-with-dtsche.patch +soc-qcom-rpmh-rsc-sleep-waiting-for-tcs-slots-to-be-.patch +firmware-arm_scmi-move-scmi-bus-init-and-exit-calls-.patch +nbd-make-the-config-put-is-called-before-the-notifyi.patch +sgl_alloc_order-fix-memory-leak.patch +nvme-rdma-fix-crash-when-connect-rejected.patch diff --git a/queue-5.8/sgl_alloc_order-fix-memory-leak.patch b/queue-5.8/sgl_alloc_order-fix-memory-leak.patch new file mode 100644 index 00000000000..281a5052a7b --- /dev/null +++ b/queue-5.8/sgl_alloc_order-fix-memory-leak.patch @@ -0,0 +1,42 @@ +From 3e6a4d594686d76b1c4a4b29949f9d3433b5c344 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 14:57:35 -0400 +Subject: sgl_alloc_order: fix memory leak + +From: Douglas Gilbert + +[ Upstream commit b2a182a40278bc5849730e66bca01a762188ed86 ] + +sgl_alloc_order() can fail when 'length' is large on a memory +constrained system. When order > 0 it will potentially be +making several multi-page allocations with the later ones more +likely to fail than the earlier one. So it is important that +sgl_alloc_order() frees up any pages it has obtained before +returning NULL. In the case when order > 0 it calls the wrong +free page function and leaks. In testing the leak was +sufficient to bring down my 8 GiB laptop with OOM. + +Reviewed-by: Bart Van Assche +Signed-off-by: Douglas Gilbert +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + lib/scatterlist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/scatterlist.c b/lib/scatterlist.c +index 5d63a8857f361..c448642e0f786 100644 +--- a/lib/scatterlist.c ++++ b/lib/scatterlist.c +@@ -514,7 +514,7 @@ struct scatterlist *sgl_alloc_order(unsigned long long length, + elem_len = min_t(u64, length, PAGE_SIZE << order); + page = alloc_pages(gfp, order); + if (!page) { +- sgl_free(sgl); ++ sgl_free_order(sgl, order); + return NULL; + } + +-- +2.27.0 + diff --git a/queue-5.8/soc-qcom-rpmh-rsc-sleep-waiting-for-tcs-slots-to-be-.patch b/queue-5.8/soc-qcom-rpmh-rsc-sleep-waiting-for-tcs-slots-to-be-.patch new file mode 100644 index 00000000000..2d2ff6cb538 --- /dev/null +++ b/queue-5.8/soc-qcom-rpmh-rsc-sleep-waiting-for-tcs-slots-to-be-.patch @@ -0,0 +1,293 @@ +From 89cfa15b896ec95680a45ca5f4de247b9bc740a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 14:17:11 -0700 +Subject: soc: qcom: rpmh-rsc: Sleep waiting for tcs slots to be free + +From: Stephen Boyd + +[ Upstream commit 2bc20f3c8487bd5bc4dd9ad2c06d2ba05fd4e838 ] + +The busy loop in rpmh_rsc_send_data() is written with the assumption +that the udelay will be preempted by the tcs_tx_done() irq handler when +the TCS slots are all full. This doesn't hold true when the calling +thread is an irqthread and the tcs_tx_done() irq is also an irqthread. +That's because kernel irqthreads are SCHED_FIFO and thus need to +voluntarily give up priority by calling into the scheduler so that other +threads can run. + +I see RCU stalls when I boot with irqthreads on the kernel commandline +because the modem remoteproc driver is trying to send an rpmh async +message from an irqthread that needs to give up the CPU for the rpmh +irqthread to run and clear out tcs slots. + + rcu: INFO: rcu_preempt self-detected stall on CPU + rcu: 0-....: (1 GPs behind) idle=402/1/0x4000000000000002 softirq=2108/2109 fqs=4920 + (t=21016 jiffies g=2933 q=590) + Task dump for CPU 0: + irq/11-smp2p R running task 0 148 2 0x00000028 + Call trace: + dump_backtrace+0x0/0x154 + show_stack+0x20/0x2c + sched_show_task+0xfc/0x108 + dump_cpu_task+0x44/0x50 + rcu_dump_cpu_stacks+0xa4/0xf8 + rcu_sched_clock_irq+0x7dc/0xaa8 + update_process_times+0x30/0x54 + tick_sched_handle+0x50/0x64 + tick_sched_timer+0x4c/0x8c + __hrtimer_run_queues+0x21c/0x36c + hrtimer_interrupt+0xf0/0x22c + arch_timer_handler_phys+0x40/0x50 + handle_percpu_devid_irq+0x114/0x25c + __handle_domain_irq+0x84/0xc4 + gic_handle_irq+0xd0/0x178 + el1_irq+0xbc/0x180 + save_return_addr+0x18/0x28 + return_address+0x54/0x88 + preempt_count_sub+0x40/0x88 + _raw_spin_unlock_irqrestore+0x4c/0x6c + ___ratelimit+0xd0/0x128 + rpmh_rsc_send_data+0x24c/0x378 + __rpmh_write+0x1b0/0x208 + rpmh_write_async+0x90/0xbc + rpmhpd_send_corner+0x60/0x8c + rpmhpd_aggregate_corner+0x8c/0x124 + rpmhpd_set_performance_state+0x8c/0xbc + _genpd_set_performance_state+0xdc/0x1b8 + dev_pm_genpd_set_performance_state+0xb8/0xf8 + q6v5_pds_disable+0x34/0x60 [qcom_q6v5_mss] + qcom_msa_handover+0x38/0x44 [qcom_q6v5_mss] + q6v5_handover_interrupt+0x24/0x3c [qcom_q6v5] + handle_nested_irq+0xd0/0x138 + qcom_smp2p_intr+0x188/0x200 + irq_thread_fn+0x2c/0x70 + irq_thread+0xfc/0x14c + kthread+0x11c/0x12c + ret_from_fork+0x10/0x18 + +This busy loop naturally lends itself to using a wait queue so that each +thread that tries to send a message will sleep waiting on the waitqueue +and only be woken up when a free slot is available. This should make +things more predictable too because the scheduler will be able to sleep +tasks that are waiting on a free tcs instead of the busy loop we +currently have today. + +Reviewed-by: Maulik Shah +Reviewed-by: Douglas Anderson +Tested-by: Stanimir Varbanov +Cc: Douglas Anderson +Cc: Maulik Shah +Cc: Lina Iyer +Signed-off-by: Stephen Boyd +Link: https://lore.kernel.org/r/20200724211711.810009-1-sboyd@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/rpmh-internal.h | 4 ++ + drivers/soc/qcom/rpmh-rsc.c | 115 +++++++++++++++---------------- + 2 files changed, 58 insertions(+), 61 deletions(-) + +diff --git a/drivers/soc/qcom/rpmh-internal.h b/drivers/soc/qcom/rpmh-internal.h +index ef60e790a750a..344ba687c13be 100644 +--- a/drivers/soc/qcom/rpmh-internal.h ++++ b/drivers/soc/qcom/rpmh-internal.h +@@ -8,6 +8,7 @@ + #define __RPM_INTERNAL_H__ + + #include ++#include + #include + + #define TCS_TYPE_NR 4 +@@ -106,6 +107,8 @@ struct rpmh_ctrlr { + * @lock: Synchronize state of the controller. If RPMH's cache + * lock will also be held, the order is: drv->lock then + * cache_lock. ++ * @tcs_wait: Wait queue used to wait for @tcs_in_use to free up a ++ * slot + * @client: Handle to the DRV's client. + */ + struct rsc_drv { +@@ -118,6 +121,7 @@ struct rsc_drv { + struct tcs_group tcs[TCS_TYPE_NR]; + DECLARE_BITMAP(tcs_in_use, MAX_TCS_NR); + spinlock_t lock; ++ wait_queue_head_t tcs_wait; + struct rpmh_ctrlr client; + }; + +diff --git a/drivers/soc/qcom/rpmh-rsc.c b/drivers/soc/qcom/rpmh-rsc.c +index ae66757825813..a297911afe571 100644 +--- a/drivers/soc/qcom/rpmh-rsc.c ++++ b/drivers/soc/qcom/rpmh-rsc.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -453,6 +454,7 @@ skip: + if (!drv->tcs[ACTIVE_TCS].num_tcs) + enable_tcs_irq(drv, i, false); + spin_unlock(&drv->lock); ++ wake_up(&drv->tcs_wait); + if (req) + rpmh_tx_done(req, err); + } +@@ -571,73 +573,34 @@ static int find_free_tcs(struct tcs_group *tcs) + } + + /** +- * tcs_write() - Store messages into a TCS right now, or return -EBUSY. ++ * claim_tcs_for_req() - Claim a tcs in the given tcs_group; only for active. + * @drv: The controller. ++ * @tcs: The tcs_group used for ACTIVE_ONLY transfers. + * @msg: The data to be sent. + * +- * Grabs a TCS for ACTIVE_ONLY transfers and writes the messages to it. ++ * Claims a tcs in the given tcs_group while making sure that no existing cmd ++ * is in flight that would conflict with the one in @msg. + * +- * If there are no free TCSes for ACTIVE_ONLY transfers or if a command for +- * the same address is already transferring returns -EBUSY which means the +- * client should retry shortly. ++ * Context: Must be called with the drv->lock held since that protects ++ * tcs_in_use. + * +- * Return: 0 on success, -EBUSY if client should retry, or an error. +- * Client should have interrupts enabled for a bit before retrying. ++ * Return: The id of the claimed tcs or -EBUSY if a matching msg is in flight ++ * or the tcs_group is full. + */ +-static int tcs_write(struct rsc_drv *drv, const struct tcs_request *msg) ++static int claim_tcs_for_req(struct rsc_drv *drv, struct tcs_group *tcs, ++ const struct tcs_request *msg) + { +- struct tcs_group *tcs; +- int tcs_id; +- unsigned long flags; + int ret; + +- tcs = get_tcs_for_msg(drv, msg); +- if (IS_ERR(tcs)) +- return PTR_ERR(tcs); +- +- spin_lock_irqsave(&drv->lock, flags); + /* + * The h/w does not like if we send a request to the same address, + * when one is already in-flight or being processed. + */ + ret = check_for_req_inflight(drv, tcs, msg); + if (ret) +- goto unlock; +- +- ret = find_free_tcs(tcs); +- if (ret < 0) +- goto unlock; +- tcs_id = ret; +- +- tcs->req[tcs_id - tcs->offset] = msg; +- set_bit(tcs_id, drv->tcs_in_use); +- if (msg->state == RPMH_ACTIVE_ONLY_STATE && tcs->type != ACTIVE_TCS) { +- /* +- * Clear previously programmed WAKE commands in selected +- * repurposed TCS to avoid triggering them. tcs->slots will be +- * cleaned from rpmh_flush() by invoking rpmh_rsc_invalidate() +- */ +- write_tcs_reg_sync(drv, RSC_DRV_CMD_ENABLE, tcs_id, 0); +- write_tcs_reg_sync(drv, RSC_DRV_CMD_WAIT_FOR_CMPL, tcs_id, 0); +- enable_tcs_irq(drv, tcs_id, true); +- } +- spin_unlock_irqrestore(&drv->lock, flags); +- +- /* +- * These two can be done after the lock is released because: +- * - We marked "tcs_in_use" under lock. +- * - Once "tcs_in_use" has been marked nobody else could be writing +- * to these registers until the interrupt goes off. +- * - The interrupt can't go off until we trigger w/ the last line +- * of __tcs_set_trigger() below. +- */ +- __tcs_buffer_write(drv, tcs_id, 0, msg); +- __tcs_set_trigger(drv, tcs_id, true); ++ return ret; + +- return 0; +-unlock: +- spin_unlock_irqrestore(&drv->lock, flags); +- return ret; ++ return find_free_tcs(tcs); + } + + /** +@@ -664,18 +627,47 @@ unlock: + */ + int rpmh_rsc_send_data(struct rsc_drv *drv, const struct tcs_request *msg) + { +- int ret; ++ struct tcs_group *tcs; ++ int tcs_id; ++ unsigned long flags; + +- do { +- ret = tcs_write(drv, msg); +- if (ret == -EBUSY) { +- pr_info_ratelimited("TCS Busy, retrying RPMH message send: addr=%#x\n", +- msg->cmds[0].addr); +- udelay(10); +- } +- } while (ret == -EBUSY); ++ tcs = get_tcs_for_msg(drv, msg); ++ if (IS_ERR(tcs)) ++ return PTR_ERR(tcs); + +- return ret; ++ spin_lock_irqsave(&drv->lock, flags); ++ ++ /* Wait forever for a free tcs. It better be there eventually! */ ++ wait_event_lock_irq(drv->tcs_wait, ++ (tcs_id = claim_tcs_for_req(drv, tcs, msg)) >= 0, ++ drv->lock); ++ ++ tcs->req[tcs_id - tcs->offset] = msg; ++ set_bit(tcs_id, drv->tcs_in_use); ++ if (msg->state == RPMH_ACTIVE_ONLY_STATE && tcs->type != ACTIVE_TCS) { ++ /* ++ * Clear previously programmed WAKE commands in selected ++ * repurposed TCS to avoid triggering them. tcs->slots will be ++ * cleaned from rpmh_flush() by invoking rpmh_rsc_invalidate() ++ */ ++ write_tcs_reg_sync(drv, RSC_DRV_CMD_ENABLE, tcs_id, 0); ++ write_tcs_reg_sync(drv, RSC_DRV_CMD_WAIT_FOR_CMPL, tcs_id, 0); ++ enable_tcs_irq(drv, tcs_id, true); ++ } ++ spin_unlock_irqrestore(&drv->lock, flags); ++ ++ /* ++ * These two can be done after the lock is released because: ++ * - We marked "tcs_in_use" under lock. ++ * - Once "tcs_in_use" has been marked nobody else could be writing ++ * to these registers until the interrupt goes off. ++ * - The interrupt can't go off until we trigger w/ the last line ++ * of __tcs_set_trigger() below. ++ */ ++ __tcs_buffer_write(drv, tcs_id, 0, msg); ++ __tcs_set_trigger(drv, tcs_id, true); ++ ++ return 0; + } + + /** +@@ -983,6 +975,7 @@ static int rpmh_rsc_probe(struct platform_device *pdev) + return ret; + + spin_lock_init(&drv->lock); ++ init_waitqueue_head(&drv->tcs_wait); + bitmap_zero(drv->tcs_in_use, MAX_TCS_NR); + + irq = platform_get_irq(pdev, drv->id); +-- +2.27.0 + diff --git a/queue-5.8/sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch b/queue-5.8/sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch new file mode 100644 index 00000000000..9f158c001cf --- /dev/null +++ b/queue-5.8/sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch @@ -0,0 +1,179 @@ +From d309704a5f6ae53be7adf090f69b39741f8790f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:52:18 +1000 +Subject: sparc64: remove mm_cpumask clearing to fix kthread_use_mm race + +From: Nicholas Piggin + +[ Upstream commit bafb056ce27940c9994ea905336aa8f27b4f7275 ] + +The de facto (and apparently uncommented) standard for using an mm had, +thanks to this code in sparc if nothing else, been that you must have a +reference on mm_users *and that reference must have been obtained with +mmget()*, i.e., from a thread with a reference to mm_users that had used +the mm. + +The introduction of mmget_not_zero() in commit d2005e3f41d4 +("userfaultfd: don't pin the user memory in userfaultfd_file_create()") +allowed mm_count holders to aoperate on user mappings asynchronously +from the actual threads using the mm, but they were not to load those +mappings into their TLB (i.e., walking vmas and page tables is okay, +kthread_use_mm() is not). + +io_uring 2b188cc1bb857 ("Add io_uring IO interface") added code which +does a kthread_use_mm() from a mmget_not_zero() refcount. + +The problem with this is code which previously assumed mm == current->mm +and mm->mm_users == 1 implies the mm will remain single-threaded at +least until this thread creates another mm_users reference, has now +broken. + +arch/sparc/kernel/smp_64.c: + + if (atomic_read(&mm->mm_users) == 1) { + cpumask_copy(mm_cpumask(mm), cpumask_of(cpu)); + goto local_flush_and_out; + } + +vs fs/io_uring.c + + if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL) || + !mmget_not_zero(ctx->sqo_mm))) + return -EFAULT; + kthread_use_mm(ctx->sqo_mm); + +mmget_not_zero() could come in right after the mm_users == 1 test, then +kthread_use_mm() which sets its CPU in the mm_cpumask. That update could +be lost if cpumask_copy() occurs afterward. + +I propose we fix this by allowing mmget_not_zero() to be a first-class +reference, and not have this obscure undocumented and unchecked +restriction. + +The basic fix for sparc64 is to remove its mm_cpumask clearing code. The +optimisation could be effectively restored by sending IPIs to mm_cpumask +members and having them remove themselves from mm_cpumask. This is more +tricky so I leave it as an exercise for someone with a sparc64 SMP. +powerpc has a (currently similarly broken) example. + +Signed-off-by: Nicholas Piggin +Acked-by: David S. Miller +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200914045219.3736466-4-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/smp_64.c | 65 ++++++++------------------------------ + 1 file changed, 14 insertions(+), 51 deletions(-) + +diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c +index 0085e28bf019a..d88467758ee87 100644 +--- a/arch/sparc/kernel/smp_64.c ++++ b/arch/sparc/kernel/smp_64.c +@@ -1038,38 +1038,9 @@ void smp_fetch_global_pmu(void) + * are flush_tlb_*() routines, and these run after flush_cache_*() + * which performs the flushw. + * +- * The SMP TLB coherency scheme we use works as follows: +- * +- * 1) mm->cpu_vm_mask is a bit mask of which cpus an address +- * space has (potentially) executed on, this is the heuristic +- * we use to avoid doing cross calls. +- * +- * Also, for flushing from kswapd and also for clones, we +- * use cpu_vm_mask as the list of cpus to make run the TLB. +- * +- * 2) TLB context numbers are shared globally across all processors +- * in the system, this allows us to play several games to avoid +- * cross calls. +- * +- * One invariant is that when a cpu switches to a process, and +- * that processes tsk->active_mm->cpu_vm_mask does not have the +- * current cpu's bit set, that tlb context is flushed locally. +- * +- * If the address space is non-shared (ie. mm->count == 1) we avoid +- * cross calls when we want to flush the currently running process's +- * tlb state. This is done by clearing all cpu bits except the current +- * processor's in current->mm->cpu_vm_mask and performing the +- * flush locally only. This will force any subsequent cpus which run +- * this task to flush the context from the local tlb if the process +- * migrates to another cpu (again). +- * +- * 3) For shared address spaces (threads) and swapping we bite the +- * bullet for most cases and perform the cross call (but only to +- * the cpus listed in cpu_vm_mask). +- * +- * The performance gain from "optimizing" away the cross call for threads is +- * questionable (in theory the big win for threads is the massive sharing of +- * address space state across processors). ++ * mm->cpu_vm_mask is a bit mask of which cpus an address ++ * space has (potentially) executed on, this is the heuristic ++ * we use to limit cross calls. + */ + + /* This currently is only used by the hugetlb arch pre-fault +@@ -1079,18 +1050,13 @@ void smp_fetch_global_pmu(void) + void smp_flush_tlb_mm(struct mm_struct *mm) + { + u32 ctx = CTX_HWBITS(mm->context); +- int cpu = get_cpu(); + +- if (atomic_read(&mm->mm_users) == 1) { +- cpumask_copy(mm_cpumask(mm), cpumask_of(cpu)); +- goto local_flush_and_out; +- } ++ get_cpu(); + + smp_cross_call_masked(&xcall_flush_tlb_mm, + ctx, 0, 0, + mm_cpumask(mm)); + +-local_flush_and_out: + __flush_tlb_mm(ctx, SECONDARY_CONTEXT); + + put_cpu(); +@@ -1113,17 +1079,15 @@ void smp_flush_tlb_pending(struct mm_struct *mm, unsigned long nr, unsigned long + { + u32 ctx = CTX_HWBITS(mm->context); + struct tlb_pending_info info; +- int cpu = get_cpu(); ++ ++ get_cpu(); + + info.ctx = ctx; + info.nr = nr; + info.vaddrs = vaddrs; + +- if (mm == current->mm && atomic_read(&mm->mm_users) == 1) +- cpumask_copy(mm_cpumask(mm), cpumask_of(cpu)); +- else +- smp_call_function_many(mm_cpumask(mm), tlb_pending_func, +- &info, 1); ++ smp_call_function_many(mm_cpumask(mm), tlb_pending_func, ++ &info, 1); + + __flush_tlb_pending(ctx, nr, vaddrs); + +@@ -1133,14 +1097,13 @@ void smp_flush_tlb_pending(struct mm_struct *mm, unsigned long nr, unsigned long + void smp_flush_tlb_page(struct mm_struct *mm, unsigned long vaddr) + { + unsigned long context = CTX_HWBITS(mm->context); +- int cpu = get_cpu(); + +- if (mm == current->mm && atomic_read(&mm->mm_users) == 1) +- cpumask_copy(mm_cpumask(mm), cpumask_of(cpu)); +- else +- smp_cross_call_masked(&xcall_flush_tlb_page, +- context, vaddr, 0, +- mm_cpumask(mm)); ++ get_cpu(); ++ ++ smp_cross_call_masked(&xcall_flush_tlb_page, ++ context, vaddr, 0, ++ mm_cpumask(mm)); ++ + __flush_tlb_page(context, vaddr); + + put_cpu(); +-- +2.27.0 + diff --git a/queue-5.8/sunrpc-mitigate-cond_resched-in-xprt_transmit.patch b/queue-5.8/sunrpc-mitigate-cond_resched-in-xprt_transmit.patch new file mode 100644 index 00000000000..0da44c8d45c --- /dev/null +++ b/queue-5.8/sunrpc-mitigate-cond_resched-in-xprt_transmit.patch @@ -0,0 +1,55 @@ +From 5a9d1dabf52d85a385c6b5cea751ab335332919b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 16:09:53 -0400 +Subject: SUNRPC: Mitigate cond_resched() in xprt_transmit() + +From: Chuck Lever + +[ Upstream commit 6f9f17287e78e5049931af2037b15b26d134a32a ] + +The original purpose of this expensive call is to prevent a long +queue of requests from blocking other work. + +The cond_resched() call is unnecessary after just a single send +operation. + +For longer queues, instead of invoking the kernel scheduler, simply +release the transport send lock and return to the RPC scheduler. + +Signed-off-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprt.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c +index d5cc5db9dbf39..b44099958c8bb 100644 +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -1511,10 +1511,13 @@ xprt_transmit(struct rpc_task *task) + { + struct rpc_rqst *next, *req = task->tk_rqstp; + struct rpc_xprt *xprt = req->rq_xprt; +- int status; ++ int counter, status; + + spin_lock(&xprt->queue_lock); ++ counter = 0; + while (!list_empty(&xprt->xmit_queue)) { ++ if (++counter == 20) ++ break; + next = list_first_entry(&xprt->xmit_queue, + struct rpc_rqst, rq_xmit); + xprt_pin_rqst(next); +@@ -1522,7 +1525,6 @@ xprt_transmit(struct rpc_task *task) + status = xprt_request_transmit(next, task); + if (status == -EBADMSG && next != req) + status = 0; +- cond_resched(); + spin_lock(&xprt->queue_lock); + xprt_unpin_rqst(next); + if (status == 0) { +-- +2.27.0 + diff --git a/queue-5.8/tee-client-uuid-skip-ree-kernel-login-method-as-well.patch b/queue-5.8/tee-client-uuid-skip-ree-kernel-login-method-as-well.patch new file mode 100644 index 00000000000..455fcb2190a --- /dev/null +++ b/queue-5.8/tee-client-uuid-skip-ree-kernel-login-method-as-well.patch @@ -0,0 +1,38 @@ +From 8e9928235f6d41e25bc34a48747ae9550215a7cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 19:10:22 +0530 +Subject: tee: client UUID: Skip REE kernel login method as well + +From: Sumit Garg + +[ Upstream commit 722939528a37aa0cb22d441e2045c0cf53e78fb0 ] + +Since the addition of session's client UUID generation via commit [1], +login via REE kernel method was disallowed. So fix that via passing +nill UUID in case of TEE_IOCTL_LOGIN_REE_KERNEL method as well. + +Fixes: e33bcbab16d1 ("tee: add support for session's client UUID generation") [1] +Signed-off-by: Sumit Garg +Signed-off-by: Jens Wiklander +Signed-off-by: Sasha Levin +--- + drivers/tee/tee_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c +index 64637e09a0953..2f6199ebf7698 100644 +--- a/drivers/tee/tee_core.c ++++ b/drivers/tee/tee_core.c +@@ -200,7 +200,8 @@ int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method, + int name_len; + int rc; + +- if (connection_method == TEE_IOCTL_LOGIN_PUBLIC) { ++ if (connection_method == TEE_IOCTL_LOGIN_PUBLIC || ++ connection_method == TEE_IOCTL_LOGIN_REE_KERNEL) { + /* Nil UUID to be passed to TEE environment */ + uuid_copy(uuid, &uuid_null); + return 0; +-- +2.27.0 + diff --git a/queue-5.8/tracing-synthetic-events-replace-buggy-strcat-with-s.patch b/queue-5.8/tracing-synthetic-events-replace-buggy-strcat-with-s.patch new file mode 100644 index 00000000000..4d928c6b415 --- /dev/null +++ b/queue-5.8/tracing-synthetic-events-replace-buggy-strcat-with-s.patch @@ -0,0 +1,125 @@ +From c3a293dfe54ef6255036997e5384287b8297b44b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Nov 2020 12:35:33 -0500 +Subject: tracing, synthetic events: Replace buggy strcat() with seq_buf + operations + +[ Upstream commit 761a8c58db6bc884994b28cd6d9707b467d680c1 ] + +There was a memory corruption bug happening while running the synthetic +event selftests: + + kmemleak: Cannot insert 0xffff8c196fa2afe5 into the object search tree (overlaps existing) + CPU: 5 PID: 6866 Comm: ftracetest Tainted: G W 5.9.0-rc5-test+ #577 + Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016 + Call Trace: + dump_stack+0x8d/0xc0 + create_object.cold+0x3b/0x60 + slab_post_alloc_hook+0x57/0x510 + ? tracing_map_init+0x178/0x340 + __kmalloc+0x1b1/0x390 + tracing_map_init+0x178/0x340 + event_hist_trigger_func+0x523/0xa40 + trigger_process_regex+0xc5/0x110 + event_trigger_write+0x71/0xd0 + vfs_write+0xca/0x210 + ksys_write+0x70/0xf0 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7fef0a63a487 + Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 + RSP: 002b:00007fff76f18398 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 0000000000000039 RCX: 00007fef0a63a487 + RDX: 0000000000000039 RSI: 000055eb3b26d690 RDI: 0000000000000001 + RBP: 000055eb3b26d690 R08: 000000000000000a R09: 0000000000000038 + R10: 000055eb3b2cdb80 R11: 0000000000000246 R12: 0000000000000039 + R13: 00007fef0a70b500 R14: 0000000000000039 R15: 00007fef0a70b700 + kmemleak: Kernel memory leak detector disabled + kmemleak: Object 0xffff8c196fa2afe0 (size 8): + kmemleak: comm "ftracetest", pid 6866, jiffies 4295082531 + kmemleak: min_count = 1 + kmemleak: count = 0 + kmemleak: flags = 0x1 + kmemleak: checksum = 0 + kmemleak: backtrace: + __kmalloc+0x1b1/0x390 + tracing_map_init+0x1be/0x340 + event_hist_trigger_func+0x523/0xa40 + trigger_process_regex+0xc5/0x110 + event_trigger_write+0x71/0xd0 + vfs_write+0xca/0x210 + ksys_write+0x70/0xf0 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The cause came down to a use of strcat() that was adding an string that was +shorten, but the strcat() did not take that into account. + +strcat() is extremely dangerous as it does not care how big the buffer is. +Replace it with seq_buf operations that prevent the buffer from being +overwritten if what is being written is bigger than the buffer. + +Fixes: 10819e25799a ("tracing: Handle synthetic event array field type checking correctly") +Reviewed-by: Tom Zanussi +Tested-by: Tom Zanussi +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_synth.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c +index c8892156db341..65e8c27141c02 100644 +--- a/kernel/trace/trace_events_synth.c ++++ b/kernel/trace/trace_events_synth.c +@@ -465,6 +465,7 @@ static struct synth_field *parse_synth_field(int argc, const char **argv, + struct synth_field *field; + const char *prefix = NULL, *field_type = argv[0], *field_name, *array; + int len, ret = 0; ++ struct seq_buf s; + ssize_t size; + + if (field_type[0] == ';') +@@ -503,13 +504,9 @@ static struct synth_field *parse_synth_field(int argc, const char **argv, + field_type++; + len = strlen(field_type) + 1; + +- if (array) { +- int l = strlen(array); ++ if (array) ++ len += strlen(array); + +- if (l && array[l - 1] == ';') +- l--; +- len += l; +- } + if (prefix) + len += strlen(prefix); + +@@ -518,14 +515,18 @@ static struct synth_field *parse_synth_field(int argc, const char **argv, + ret = -ENOMEM; + goto free; + } ++ seq_buf_init(&s, field->type, len); + if (prefix) +- strcat(field->type, prefix); +- strcat(field->type, field_type); ++ seq_buf_puts(&s, prefix); ++ seq_buf_puts(&s, field_type); + if (array) { +- strcat(field->type, array); +- if (field->type[len - 1] == ';') +- field->type[len - 1] = '\0'; ++ seq_buf_puts(&s, array); ++ if (s.buffer[s.len - 1] == ';') ++ s.len--; + } ++ if (WARN_ON_ONCE(!seq_buf_buffer_left(&s))) ++ goto free; ++ s.buffer[s.len] = '\0'; + + size = synth_field_size(field->type); + if (size <= 0) { +-- +2.27.0 + diff --git a/queue-5.8/uio-free-uio-id-after-uio-file-node-is-freed.patch b/queue-5.8/uio-free-uio-id-after-uio-file-node-is-freed.patch new file mode 100644 index 00000000000..e7c91ebdee0 --- /dev/null +++ b/queue-5.8/uio-free-uio-id-after-uio-file-node-is-freed.patch @@ -0,0 +1,85 @@ +From 16d235b365b253bb0aa6f582c2e05a09877c10de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 11:26:41 +0800 +Subject: uio: free uio id after uio file node is freed + +From: Lang Dai + +[ Upstream commit 8fd0e2a6df262539eaa28b0a2364cca10d1dc662 ] + +uio_register_device() do two things. +1) get an uio id from a global pool, e.g. the id is +2) create file nodes like /sys/class/uio/uio + +uio_unregister_device() do two things. +1) free the uio id and return it to the global pool +2) free the file node /sys/class/uio/uio + +There is a situation is that one worker is calling uio_unregister_device(), +and another worker is calling uio_register_device(). +If the two workers are X and Y, they go as below sequence, +1) X free the uio id +2) Y get an uio id +3) Y create file node /sys/class/uio/uio +4) X free the file note /sys/class/uio/uio +Then it will failed at the 3rd step and cause the phenomenon we saw as it +is creating a duplicated file node. + +Failure reports as follows: +sysfs: cannot create duplicate filename '/class/uio/uio10' +Call Trace: + sysfs_do_create_link_sd.isra.2+0x9e/0xb0 + sysfs_create_link+0x25/0x40 + device_add+0x2c4/0x640 + __uio_register_device+0x1c5/0x576 [uio] + adf_uio_init_bundle_dev+0x231/0x280 [intel_qat] + adf_uio_register+0x1c0/0x340 [intel_qat] + adf_dev_start+0x202/0x370 [intel_qat] + adf_dev_start_async+0x40/0xa0 [intel_qat] + process_one_work+0x14d/0x410 + worker_thread+0x4b/0x460 + kthread+0x105/0x140 + ? process_one_work+0x410/0x410 + ? kthread_bind+0x40/0x40 + ret_from_fork+0x1f/0x40 + Code: 85 c0 48 89 c3 74 12 b9 00 10 00 00 48 89 c2 31 f6 4c 89 ef + e8 ec c4 ff ff 4c 89 e2 48 89 de 48 c7 c7 e8 b4 ee b4 e8 6a d4 d7 + ff <0f> 0b 48 89 df e8 20 fa f3 ff 5b 41 5c 41 5d 5d c3 66 0f 1f 84 +---[ end trace a7531c1ed5269e84 ]--- + c6xxvf b002:00:00.0: Failed to register UIO devices + c6xxvf b002:00:00.0: Failed to register UIO devices + +Signed-off-by: Lang Dai + +Link: https://lore.kernel.org/r/1600054002-17722-1-git-send-email-lang.dai@intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/uio/uio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c +index 73efb80815db8..6dca744e39e95 100644 +--- a/drivers/uio/uio.c ++++ b/drivers/uio/uio.c +@@ -1048,8 +1048,6 @@ void uio_unregister_device(struct uio_info *info) + + idev = info->uio_dev; + +- uio_free_minor(idev); +- + mutex_lock(&idev->info_lock); + uio_dev_del_attributes(idev); + +@@ -1064,6 +1062,8 @@ void uio_unregister_device(struct uio_info *info) + + device_unregister(&idev->dev); + ++ uio_free_minor(idev); ++ + return; + } + EXPORT_SYMBOL_GPL(uio_unregister_device); +-- +2.27.0 + diff --git a/queue-5.8/um-change-sigio_spinlock-to-a-mutex.patch b/queue-5.8/um-change-sigio_spinlock-to-a-mutex.patch new file mode 100644 index 00000000000..3341b81ab3a --- /dev/null +++ b/queue-5.8/um-change-sigio_spinlock-to-a-mutex.patch @@ -0,0 +1,78 @@ +From 9dd3831aed4e1375d7c1a17ec2be16a62c0f7ae4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 13:23:17 +0200 +Subject: um: change sigio_spinlock to a mutex + +From: Johannes Berg + +[ Upstream commit f2d05059e15af3f70502074f4e3a504530af504a ] + +Lockdep complains at boot: + +============================= +[ BUG: Invalid wait context ] +5.7.0-05093-g46d91ecd597b #98 Not tainted +----------------------------- +swapper/1 is trying to lock: +0000000060931b98 (&desc[i].request_mutex){+.+.}-{3:3}, at: __setup_irq+0x11d/0x623 +other info that might help us debug this: +context-{4:4} +1 lock held by swapper/1: + #0: 000000006074fed8 (sigio_spinlock){+.+.}-{2:2}, at: sigio_lock+0x1a/0x1c +stack backtrace: +CPU: 0 PID: 1 Comm: swapper Not tainted 5.7.0-05093-g46d91ecd597b #98 +Stack: + 7fa4fab0 6028dfd1 0000002a 6008bea5 + 7fa50700 7fa50040 7fa4fac0 6028e016 + 7fa4fb50 6007f6da 60959c18 00000000 +Call Trace: + [<60023a0e>] show_stack+0x13b/0x155 + [<6028e016>] dump_stack+0x2a/0x2c + [<6007f6da>] __lock_acquire+0x515/0x15f2 + [<6007eb50>] lock_acquire+0x245/0x273 + [<6050d9f1>] __mutex_lock+0xbd/0x325 + [<6050dc76>] mutex_lock_nested+0x1d/0x1f + [<6008e27e>] __setup_irq+0x11d/0x623 + [<6008e8ed>] request_threaded_irq+0x169/0x1a6 + [<60021eb0>] um_request_irq+0x1ee/0x24b + [<600234ee>] write_sigio_irq+0x3b/0x76 + [<600383ca>] sigio_broken+0x146/0x2e4 + [<60020bd8>] do_one_initcall+0xde/0x281 + +Because we hold sigio_spinlock and then get into requesting +an interrupt with a mutex. + +Change the spinlock to a mutex to avoid that. + +Signed-off-by: Johannes Berg +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/kernel/sigio.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/um/kernel/sigio.c b/arch/um/kernel/sigio.c +index 10c99e058fcae..d1cffc2a7f212 100644 +--- a/arch/um/kernel/sigio.c ++++ b/arch/um/kernel/sigio.c +@@ -35,14 +35,14 @@ int write_sigio_irq(int fd) + } + + /* These are called from os-Linux/sigio.c to protect its pollfds arrays. */ +-static DEFINE_SPINLOCK(sigio_spinlock); ++static DEFINE_MUTEX(sigio_mutex); + + void sigio_lock(void) + { +- spin_lock(&sigio_spinlock); ++ mutex_lock(&sigio_mutex); + } + + void sigio_unlock(void) + { +- spin_unlock(&sigio_spinlock); ++ mutex_unlock(&sigio_mutex); + } +-- +2.27.0 + diff --git a/queue-5.8/usb-adutux-fix-debugging.patch b/queue-5.8/usb-adutux-fix-debugging.patch new file mode 100644 index 00000000000..a2dbce6c615 --- /dev/null +++ b/queue-5.8/usb-adutux-fix-debugging.patch @@ -0,0 +1,35 @@ +From 676048d316041a64e249e9652a634c9ce59a50ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 13:26:00 +0200 +Subject: USB: adutux: fix debugging + +From: Oliver Neukum + +[ Upstream commit c56150c1bc8da5524831b1dac2eec3c67b89f587 ] + +Handling for removal of the controller was missing at one place. +Add it. + +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20200917112600.26508-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/misc/adutux.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/misc/adutux.c b/drivers/usb/misc/adutux.c +index d8d157c4c271d..96495fcd952aa 100644 +--- a/drivers/usb/misc/adutux.c ++++ b/drivers/usb/misc/adutux.c +@@ -209,6 +209,7 @@ static void adu_interrupt_out_callback(struct urb *urb) + + if (status != 0) { + if ((status != -ENOENT) && ++ (status != -ESHUTDOWN) && + (status != -ECONNRESET)) { + dev_dbg(&dev->udev->dev, + "%s :nonzero status received: %d\n", __func__, +-- +2.27.0 + diff --git a/queue-5.8/usb-dwc3-core-do-not-queue-work-if-dr_mode-is-not-us.patch b/queue-5.8/usb-dwc3-core-do-not-queue-work-if-dr_mode-is-not-us.patch new file mode 100644 index 00000000000..6188531f0e0 --- /dev/null +++ b/queue-5.8/usb-dwc3-core-do-not-queue-work-if-dr_mode-is-not-us.patch @@ -0,0 +1,89 @@ +From d5a36a4dcf41e03cb243bac53b8f0bcbb63ae1c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Jul 2020 11:17:39 +0800 +Subject: usb: dwc3: core: do not queue work if dr_mode is not USB_DR_MODE_OTG + +From: Li Jun + +[ Upstream commit dc336b19e82d0454ea60270cd18fbb4749e162f6 ] + +Do not try to queue a drd work if dr_mode is not USB_DR_MODE_OTG +because the work is not inited, this may be triggered by user try +to change mode file of debugfs on a single role port, which will +cause below kernel dump: +[ 60.115529] ------------[ cut here ]------------ +[ 60.120166] WARNING: CPU: 1 PID: 627 at kernel/workqueue.c:1473 +__queue_work+0x46c/0x520 +[ 60.128254] Modules linked in: +[ 60.131313] CPU: 1 PID: 627 Comm: sh Not tainted +5.7.0-rc4-00022-g914a586-dirty #135 +[ 60.139054] Hardware name: NXP i.MX8MQ EVK (DT) +[ 60.143585] pstate: a0000085 (NzCv daIf -PAN -UAO) +[ 60.148376] pc : __queue_work+0x46c/0x520 +[ 60.152385] lr : __queue_work+0x314/0x520 +[ 60.156393] sp : ffff8000124ebc40 +[ 60.159705] x29: ffff8000124ebc40 x28: ffff800011808018 +[ 60.165018] x27: ffff800011819ef8 x26: ffff800011d39980 +[ 60.170331] x25: ffff800011808018 x24: 0000000000000100 +[ 60.175643] x23: 0000000000000013 x22: 0000000000000001 +[ 60.180955] x21: ffff0000b7c08e00 x20: ffff0000b6c31080 +[ 60.186267] x19: ffff0000bb99bc00 x18: 0000000000000000 +[ 60.191579] x17: 0000000000000000 x16: 0000000000000000 +[ 60.196891] x15: 0000000000000000 x14: 0000000000000000 +[ 60.202202] x13: 0000000000000000 x12: 0000000000000000 +[ 60.207515] x11: 0000000000000000 x10: 0000000000000040 +[ 60.212827] x9 : ffff800011d55460 x8 : ffff800011d55458 +[ 60.218138] x7 : ffff0000b7800028 x6 : 0000000000000000 +[ 60.223450] x5 : ffff0000b7800000 x4 : 0000000000000000 +[ 60.228762] x3 : ffff0000bb997cc0 x2 : 0000000000000001 +[ 60.234074] x1 : 0000000000000000 x0 : ffff0000b6c31088 +[ 60.239386] Call trace: +[ 60.241834] __queue_work+0x46c/0x520 +[ 60.245496] queue_work_on+0x6c/0x90 +[ 60.249075] dwc3_set_mode+0x48/0x58 +[ 60.252651] dwc3_mode_write+0xf8/0x150 +[ 60.256489] full_proxy_write+0x5c/0xa8 +[ 60.260327] __vfs_write+0x18/0x40 +[ 60.263729] vfs_write+0xdc/0x1c8 +[ 60.267045] ksys_write+0x68/0xf0 +[ 60.270360] __arm64_sys_write+0x18/0x20 +[ 60.274286] el0_svc_common.constprop.0+0x68/0x160 +[ 60.279077] do_el0_svc+0x20/0x80 +[ 60.282394] el0_sync_handler+0x10c/0x178 +[ 60.286403] el0_sync+0x140/0x180 +[ 60.289716] ---[ end trace 70b155582e2b7988 ]--- + +Signed-off-by: Li Jun +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 928a85b0d1cdd..88846fd9bc6aa 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -121,9 +121,6 @@ static void __dwc3_set_mode(struct work_struct *work) + int ret; + u32 reg; + +- if (dwc->dr_mode != USB_DR_MODE_OTG) +- return; +- + pm_runtime_get_sync(dwc->dev); + + if (dwc->current_dr_role == DWC3_GCTL_PRTCAP_OTG) +@@ -209,6 +206,9 @@ void dwc3_set_mode(struct dwc3 *dwc, u32 mode) + { + unsigned long flags; + ++ if (dwc->dr_mode != USB_DR_MODE_OTG) ++ return; ++ + spin_lock_irqsave(&dwc->lock, flags); + dwc->desired_dr_role = mode; + spin_unlock_irqrestore(&dwc->lock, flags); +-- +2.27.0 + diff --git a/queue-5.8/usb-host-ehci-tegra-fix-error-handling-in-tegra_ehci.patch b/queue-5.8/usb-host-ehci-tegra-fix-error-handling-in-tegra_ehci.patch new file mode 100644 index 00000000000..7bf6181cc64 --- /dev/null +++ b/queue-5.8/usb-host-ehci-tegra-fix-error-handling-in-tegra_ehci.patch @@ -0,0 +1,42 @@ +From 2df6a0ad965cadc149e06916540c6a1dc0909200 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Oct 2020 17:06:57 +0800 +Subject: usb: host: ehci-tegra: Fix error handling in tegra_ehci_probe() + +From: Tang Bin + +[ Upstream commit 32d174d2d5eb318c34ff36771adefabdf227c186 ] + +If the function platform_get_irq() failed, the negative value +returned will not be detected here. So fix error handling in +tegra_ehci_probe(). + +Fixes: 79ad3b5add4a ("usb: host: Add EHCI driver for NVIDIA Tegra SoCs") +Acked-by: Alan Stern +Acked-by: Thierry Reding +Signed-off-by: Tang Bin +Link: https://lore.kernel.org/r/20201026090657.49988-1-tangbin@cmss.chinamobile.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ehci-tegra.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/ehci-tegra.c b/drivers/usb/host/ehci-tegra.c +index e077b2ca53c51..869d9c4de5fcd 100644 +--- a/drivers/usb/host/ehci-tegra.c ++++ b/drivers/usb/host/ehci-tegra.c +@@ -479,8 +479,8 @@ static int tegra_ehci_probe(struct platform_device *pdev) + u_phy->otg->host = hcd_to_bus(hcd); + + irq = platform_get_irq(pdev, 0); +- if (!irq) { +- err = -ENODEV; ++ if (irq < 0) { ++ err = irq; + goto cleanup_phy; + } + +-- +2.27.0 + diff --git a/queue-5.8/usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch b/queue-5.8/usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch new file mode 100644 index 00000000000..1bd3ac75c48 --- /dev/null +++ b/queue-5.8/usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch @@ -0,0 +1,80 @@ +From 6046f7ed1e5a3894b6edf57822a78345893acba0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 11:38:27 -0700 +Subject: usb: typec: tcpm: During PR_SWAP, source caps should be sent only + after tSwapSourceStart + +From: Badhri Jagan Sridharan + +[ Upstream commit 6bbe2a90a0bb4af8dd99c3565e907fe9b5e7fd88 ] + +The patch addresses the compliance test failures while running +TD.PD.CP.E3, TD.PD.CP.E4, TD.PD.CP.E5 of the "Deterministic PD +Compliance MOI" test plan published in https://www.usb.org/usbc. +For a product to be Type-C compliant, it's expected that these tests +are run on usb.org certified Type-C compliance tester as mentioned in +https://www.usb.org/usbc. + +The purpose of the tests TD.PD.CP.E3, TD.PD.CP.E4, TD.PD.CP.E5 is to +verify the PR_SWAP response of the device. While doing so, the test +asserts that Source Capabilities message is NOT received from the test +device within tSwapSourceStart min (20 ms) from the time the last bit +of GoodCRC corresponding to the RS_RDY message sent by the UUT was +sent. If it does then the test fails. + +This is in line with the requirements from the USB Power Delivery +Specification Revision 3.0, Version 1.2: +"6.6.8.1 SwapSourceStartTimer +The SwapSourceStartTimer Shall be used by the new Source, after a +Power Role Swap or Fast Role Swap, to ensure that it does not send +Source_Capabilities Message before the new Sink is ready to receive +the +Source_Capabilities Message. The new Source Shall Not send the +Source_Capabilities Message earlier than tSwapSourceStart after the +last bit of the EOP of GoodCRC Message sent in response to the PS_RDY +Message sent by the new Source indicating that its power supply is +ready." + +The patch makes sure that TCPM does not send the Source_Capabilities +Message within tSwapSourceStart(20ms) by transitioning into +SRC_STARTUP only after tSwapSourceStart(20ms). + +Signed-off-by: Badhri Jagan Sridharan +Reviewed-by: Guenter Roeck +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20200817183828.1895015-1-badhri@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/tcpm/tcpm.c | 2 +- + include/linux/usb/pd.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c +index b2111fe6d140a..53a601438156e 100644 +--- a/drivers/usb/typec/tcpm/tcpm.c ++++ b/drivers/usb/typec/tcpm/tcpm.c +@@ -3522,7 +3522,7 @@ static void run_state_machine(struct tcpm_port *port) + */ + tcpm_set_pwr_role(port, TYPEC_SOURCE); + tcpm_pd_send_control(port, PD_CTRL_PS_RDY); +- tcpm_set_state(port, SRC_STARTUP, 0); ++ tcpm_set_state(port, SRC_STARTUP, PD_T_SWAP_SRC_START); + break; + + case VCONN_SWAP_ACCEPT: +diff --git a/include/linux/usb/pd.h b/include/linux/usb/pd.h +index a665d7f211424..c4b1b83da49b3 100644 +--- a/include/linux/usb/pd.h ++++ b/include/linux/usb/pd.h +@@ -473,6 +473,7 @@ static inline unsigned int rdo_max_power(u32 rdo) + #define PD_T_ERROR_RECOVERY 100 /* minimum 25 is insufficient */ + #define PD_T_SRCSWAPSTDBY 625 /* Maximum of 650ms */ + #define PD_T_NEWSRC 250 /* Maximum of 275ms */ ++#define PD_T_SWAP_SRC_START 20 /* Minimum of 20ms */ + + #define PD_T_DRP_TRY 100 /* 75 - 150 ms */ + #define PD_T_DRP_TRYWAIT 600 /* 400 - 800 ms */ +-- +2.27.0 + diff --git a/queue-5.8/usb-xhci-omit-duplicate-actions-when-suspending-a-ru.patch b/queue-5.8/usb-xhci-omit-duplicate-actions-when-suspending-a-ru.patch new file mode 100644 index 00000000000..a55f322d1c5 --- /dev/null +++ b/queue-5.8/usb-xhci-omit-duplicate-actions-when-suspending-a-ru.patch @@ -0,0 +1,58 @@ +From 037add16b71b3f0617040516655466875318295f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 16:17:49 +0300 +Subject: usb: xhci: omit duplicate actions when suspending a runtime suspended + host. + +From: Peter Chen + +[ Upstream commit 18a367e8947d72dd91b6fc401e88a2952c6363f7 ] + +If the xhci-plat.c is the platform driver, after the runtime pm is +enabled, the xhci_suspend is called if nothing is connected on +the port. When the system goes to suspend, it will call xhci_suspend again +if USB wakeup is enabled. + +Since the runtime suspend wakeup setting is not always the same as +system suspend wakeup setting, eg, at runtime suspend we always need +wakeup if the controller is in low power mode; but at system suspend, +we may not need wakeup. So, we move the judgement after changing +wakeup setting. + +[commit message rewording -Mathias] + +Reviewed-by: Jun Li +Signed-off-by: Peter Chen +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20200918131752.16488-8-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index f665da34a8f73..5975eef98cce2 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -982,12 +982,15 @@ int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup) + xhci->shared_hcd->state != HC_STATE_SUSPENDED) + return -EINVAL; + +- xhci_dbc_suspend(xhci); +- + /* Clear root port wake on bits if wakeup not allowed. */ + if (!do_wakeup) + xhci_disable_port_wake_on_bits(xhci); + ++ if (!HCD_HW_ACCESSIBLE(hcd)) ++ return 0; ++ ++ xhci_dbc_suspend(xhci); ++ + /* Don't poll the roothubs on bus suspend. */ + xhci_dbg(xhci, "%s: stopping port polling.\n", __func__); + clear_bit(HCD_FLAG_POLL_RH, &hcd->flags); +-- +2.27.0 + diff --git a/queue-5.8/video-fbdev-pvr2fb-initialize-variables.patch b/queue-5.8/video-fbdev-pvr2fb-initialize-variables.patch new file mode 100644 index 00000000000..18dc33f4119 --- /dev/null +++ b/queue-5.8/video-fbdev-pvr2fb-initialize-variables.patch @@ -0,0 +1,49 @@ +From cda3499f85e68f4cf00b9d345f3065b75c50601e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jul 2020 12:18:45 -0700 +Subject: video: fbdev: pvr2fb: initialize variables + +From: Tom Rix + +[ Upstream commit 8e1ba47c60bcd325fdd097cd76054639155e5d2e ] + +clang static analysis reports this repesentative error + +pvr2fb.c:1049:2: warning: 1st function call argument + is an uninitialized value [core.CallAndMessage] + if (*cable_arg) + ^~~~~~~~~~~~~~~ + +Problem is that cable_arg depends on the input loop to +set the cable_arg[0]. If it does not, then some random +value from the stack is used. + +A similar problem exists for output_arg. + +So initialize cable_arg and output_arg. + +Signed-off-by: Tom Rix +Acked-by: Arnd Bergmann +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200720191845.20115-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pvr2fb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/video/fbdev/pvr2fb.c b/drivers/video/fbdev/pvr2fb.c +index f18d457175d90..2f045c356882a 100644 +--- a/drivers/video/fbdev/pvr2fb.c ++++ b/drivers/video/fbdev/pvr2fb.c +@@ -1016,6 +1016,8 @@ static int __init pvr2fb_setup(char *options) + if (!options || !*options) + return 0; + ++ cable_arg[0] = output_arg[0] = 0; ++ + while ((this_opt = strsep(&options, ","))) { + if (!*this_opt) + continue; +-- +2.27.0 + diff --git a/queue-5.8/x86-alternative-don-t-call-text_poke-in-lazy-tlb-mod.patch b/queue-5.8/x86-alternative-don-t-call-text_poke-in-lazy-tlb-mod.patch new file mode 100644 index 00000000000..6843f3ba591 --- /dev/null +++ b/queue-5.8/x86-alternative-don-t-call-text_poke-in-lazy-tlb-mod.patch @@ -0,0 +1,60 @@ +From 317ece10baf600b3073ebc6b9d2ec0de1518a944 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 16:42:25 +0200 +Subject: x86/alternative: Don't call text_poke() in lazy TLB mode + +From: Juergen Gross + +[ Upstream commit abee7c494d8c41bb388839bccc47e06247f0d7de ] + +When running in lazy TLB mode the currently active page tables might +be the ones of a previous process, e.g. when running a kernel thread. + +This can be problematic in case kernel code is being modified via +text_poke() in a kernel thread, and on another processor exit_mmap() +is active for the process which was running on the first cpu before +the kernel thread. + +As text_poke() is using a temporary address space and the former +address space (obtained via cpu_tlbstate.loaded_mm) is restored +afterwards, there is a race possible in case the cpu on which +exit_mmap() is running wants to make sure there are no stale +references to that address space on any cpu active (this e.g. is +required when running as a Xen PV guest, where this problem has been +observed and analyzed). + +In order to avoid that, drop off TLB lazy mode before switching to the +temporary address space. + +Fixes: cefa929c034eb5d ("x86/mm: Introduce temporary mm structs") +Signed-off-by: Juergen Gross +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20201009144225.12019-1-jgross@suse.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/alternative.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c +index 8fd39ff74a499..71cb6ff3a3696 100644 +--- a/arch/x86/kernel/alternative.c ++++ b/arch/x86/kernel/alternative.c +@@ -804,6 +804,15 @@ static inline temp_mm_state_t use_temporary_mm(struct mm_struct *mm) + temp_mm_state_t temp_state; + + lockdep_assert_irqs_disabled(); ++ ++ /* ++ * Make sure not to be in TLB lazy mode, as otherwise we'll end up ++ * with a stale address space WITHOUT being in lazy mode after ++ * restoring the previous mm. ++ */ ++ if (this_cpu_read(cpu_tlbstate.is_lazy)) ++ leave_mm(smp_processor_id()); ++ + temp_state.mm = this_cpu_read(cpu_tlbstate.loaded_mm); + switch_mm_irqs_off(NULL, mm, current); + +-- +2.27.0 + diff --git a/queue-5.8/x86-kaslr-initialize-mem_limit-to-the-real-maximum-a.patch b/queue-5.8/x86-kaslr-initialize-mem_limit-to-the-real-maximum-a.patch new file mode 100644 index 00000000000..dcb06b575ea --- /dev/null +++ b/queue-5.8/x86-kaslr-initialize-mem_limit-to-the-real-maximum-a.patch @@ -0,0 +1,158 @@ +From f96c9ae579b013fc96d808f6788a96d89f8bb2f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jul 2020 19:07:57 -0400 +Subject: x86/kaslr: Initialize mem_limit to the real maximum address + +From: Arvind Sankar + +[ Upstream commit 451286940d95778e83fa7f97006316d995b4c4a8 ] + +On 64-bit, the kernel must be placed below MAXMEM (64TiB with 4-level +paging or 4PiB with 5-level paging). This is currently not enforced by +KASLR, which thus implicitly relies on physical memory being limited to +less than 64TiB. + +On 32-bit, the limit is KERNEL_IMAGE_SIZE (512MiB). This is enforced by +special checks in __process_mem_region(). + +Initialize mem_limit to the maximum (depending on architecture), instead +of ULLONG_MAX, and make sure the command-line arguments can only +decrease it. This makes the enforcement explicit on 64-bit, and +eliminates the 32-bit specific checks to keep the kernel below 512M. + +Check upfront to make sure the minimum address is below the limit before +doing any work. + +Signed-off-by: Arvind Sankar +Signed-off-by: Ingo Molnar +Acked-by: Kees Cook +Link: https://lore.kernel.org/r/20200727230801.3468620-5-nivedita@alum.mit.edu +Signed-off-by: Sasha Levin +--- + arch/x86/boot/compressed/kaslr.c | 41 +++++++++++++++++--------------- + 1 file changed, 22 insertions(+), 19 deletions(-) + +diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c +index d7408af557386..b59592273c329 100644 +--- a/arch/x86/boot/compressed/kaslr.c ++++ b/arch/x86/boot/compressed/kaslr.c +@@ -94,8 +94,11 @@ static unsigned long get_boot_seed(void) + static bool memmap_too_large; + + +-/* Store memory limit specified by "mem=nn[KMG]" or "memmap=nn[KMG]" */ +-static unsigned long long mem_limit = ULLONG_MAX; ++/* ++ * Store memory limit: MAXMEM on 64-bit and KERNEL_IMAGE_SIZE on 32-bit. ++ * It may be reduced by "mem=nn[KMG]" or "memmap=nn[KMG]" command line options. ++ */ ++static unsigned long long mem_limit; + + /* Number of immovable memory regions */ + static int num_immovable_mem; +@@ -221,7 +224,7 @@ static void mem_avoid_memmap(enum parse_mode mode, char *str) + + if (start == 0) { + /* Store the specified memory limit if size > 0 */ +- if (size > 0) ++ if (size > 0 && size < mem_limit) + mem_limit = size; + + continue; +@@ -309,7 +312,8 @@ static void handle_mem_options(void) + if (mem_size == 0) + goto out; + +- mem_limit = mem_size; ++ if (mem_size < mem_limit) ++ mem_limit = mem_size; + } else if (!strcmp(param, "efi_fake_mem")) { + mem_avoid_memmap(PARSE_EFI, val); + } +@@ -321,7 +325,9 @@ out: + } + + /* +- * In theory, KASLR can put the kernel anywhere in the range of [16M, 64T). ++ * In theory, KASLR can put the kernel anywhere in the range of [16M, MAXMEM) ++ * on 64-bit, and [16M, KERNEL_IMAGE_SIZE) on 32-bit. ++ * + * The mem_avoid array is used to store the ranges that need to be avoided + * when KASLR searches for an appropriate random address. We must avoid any + * regions that are unsafe to overlap with during decompression, and other +@@ -621,10 +627,6 @@ static void __process_mem_region(struct mem_vector *entry, + unsigned long start_orig, end; + struct mem_vector cur_entry; + +- /* On 32-bit, ignore entries entirely above our maximum. */ +- if (IS_ENABLED(CONFIG_X86_32) && entry->start >= KERNEL_IMAGE_SIZE) +- return; +- + /* Ignore entries entirely below our minimum. */ + if (entry->start + entry->size < minimum) + return; +@@ -657,11 +659,6 @@ static void __process_mem_region(struct mem_vector *entry, + /* Reduce size by any delta from the original address. */ + region.size -= region.start - start_orig; + +- /* On 32-bit, reduce region size to fit within max size. */ +- if (IS_ENABLED(CONFIG_X86_32) && +- region.start + region.size > KERNEL_IMAGE_SIZE) +- region.size = KERNEL_IMAGE_SIZE - region.start; +- + /* Return if region can't contain decompressed kernel */ + if (region.size < image_size) + return; +@@ -846,15 +843,16 @@ static void process_e820_entries(unsigned long minimum, + static unsigned long find_random_phys_addr(unsigned long minimum, + unsigned long image_size) + { ++ /* Bail out early if it's impossible to succeed. */ ++ if (minimum + image_size > mem_limit) ++ return 0; ++ + /* Check if we had too many memmaps. */ + if (memmap_too_large) { + debug_putstr("Aborted memory entries scan (more than 4 memmap= args)!\n"); + return 0; + } + +- /* Make sure minimum is aligned. */ +- minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN); +- + if (process_efi_entries(minimum, image_size)) + return slots_fetch_random(); + +@@ -867,8 +865,6 @@ static unsigned long find_random_virt_addr(unsigned long minimum, + { + unsigned long slots, random_addr; + +- /* Make sure minimum is aligned. */ +- minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN); + /* Align image_size for easy slot calculations. */ + image_size = ALIGN(image_size, CONFIG_PHYSICAL_ALIGN); + +@@ -915,6 +911,11 @@ void choose_random_location(unsigned long input, + /* Prepare to add new identity pagetables on demand. */ + initialize_identity_maps(); + ++ if (IS_ENABLED(CONFIG_X86_32)) ++ mem_limit = KERNEL_IMAGE_SIZE; ++ else ++ mem_limit = MAXMEM; ++ + /* Record the various known unsafe memory ranges. */ + mem_avoid_init(input, input_size, *output); + +@@ -924,6 +925,8 @@ void choose_random_location(unsigned long input, + * location: + */ + min_addr = min(*output, 512UL << 20); ++ /* Make sure minimum is aligned. */ ++ min_addr = ALIGN(min_addr, CONFIG_PHYSICAL_ALIGN); + + /* Walk available memory entries to find a random address. */ + random_addr = find_random_phys_addr(min_addr, output_size); +-- +2.27.0 + diff --git a/queue-5.8/x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch b/queue-5.8/x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch new file mode 100644 index 00000000000..fbf10946cb2 --- /dev/null +++ b/queue-5.8/x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch @@ -0,0 +1,145 @@ +From d0876d3a5d32daadf9b6e5131652348262708a6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 07:30:51 +0200 +Subject: x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC + 10 compiled kernels + +From: Jiri Slaby + +[ Upstream commit f2ac57a4c49d40409c21c82d23b5706df9b438af ] + +GCC 10 optimizes the scheduler code differently than its predecessors. + +When CONFIG_DEBUG_SECTION_MISMATCH=y, the Makefile forces GCC not +to inline some functions (-fno-inline-functions-called-once). Before GCC +10, "no-inlined" __schedule() starts with the usual prologue: + + push %bp + mov %sp, %bp + +So the ORC unwinder simply picks stack pointer from %bp and +unwinds from __schedule() just perfectly: + + $ cat /proc/1/stack + [<0>] ep_poll+0x3e9/0x450 + [<0>] do_epoll_wait+0xaa/0xc0 + [<0>] __x64_sys_epoll_wait+0x1a/0x20 + [<0>] do_syscall_64+0x33/0x40 + [<0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +But now, with GCC 10, there is no %bp prologue in __schedule(): + + $ cat /proc/1/stack + + +The ORC entry of the point in __schedule() is: + + sp:sp+88 bp:last_sp-48 type:call end:0 + +In this case, nobody subtracts sizeof "struct inactive_task_frame" in +__unwind_start(). The struct is put on the stack by __switch_to_asm() and +only then __switch_to_asm() stores %sp to task->thread.sp. But we start +unwinding from a point in __schedule() (stored in frame->ret_addr by +'call') and not in __switch_to_asm(). + +So for these example values in __unwind_start(): + + sp=ffff94b50001fdc8 bp=ffff8e1f41d29340 ip=__schedule+0x1f0 + +The stack is: + + ffff94b50001fdc8: ffff8e1f41578000 # struct inactive_task_frame + ffff94b50001fdd0: 0000000000000000 + ffff94b50001fdd8: ffff8e1f41d29340 + ffff94b50001fde0: ffff8e1f41611d40 # ... + ffff94b50001fde8: ffffffff93c41920 # bx + ffff94b50001fdf0: ffff8e1f41d29340 # bp + ffff94b50001fdf8: ffffffff9376cad0 # ret_addr (and end of the struct) + +0xffffffff9376cad0 is __schedule+0x1f0 (after the call to +__switch_to_asm). Now follow those 88 bytes from the ORC entry (sp+88). +The entry is correct, __schedule() really pushes 48 bytes (8*7) + 32 bytes +via subq to store some local values (like 4U below). So to unwind, look +at the offset 88-sizeof(long) = 0x50 from here: + + ffff94b50001fe00: ffff8e1f41578618 + ffff94b50001fe08: 00000cc000000255 + ffff94b50001fe10: 0000000500000004 + ffff94b50001fe18: 7793fab6956b2d00 # NOTE (see below) + ffff94b50001fe20: ffff8e1f41578000 + ffff94b50001fe28: ffff8e1f41578000 + ffff94b50001fe30: ffff8e1f41578000 + ffff94b50001fe38: ffff8e1f41578000 + ffff94b50001fe40: ffff94b50001fed8 + ffff94b50001fe48: ffff8e1f41577ff0 + ffff94b50001fe50: ffffffff9376cf12 + +Here ^^^^^^^^^^^^^^^^ is the correct ret addr from +__schedule(). It translates to schedule+0x42 (insn after a call to +__schedule()). + +BUT, unwind_next_frame() tries to take the address starting from +0xffff94b50001fdc8. That is exactly from thread.sp+88-sizeof(long) = +0xffff94b50001fdc8+88-8 = 0xffff94b50001fe18, which is garbage marked as +NOTE above. So this quits the unwinding as 7793fab6956b2d00 is obviously +not a kernel address. + +There was a fix to skip 'struct inactive_task_frame' in +unwind_get_return_address_ptr in the following commit: + + 187b96db5ca7 ("x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks") + +But we need to skip the struct already in the unwinder proper. So +subtract the size (increase the stack pointer) of the structure in +__unwind_start() directly. This allows for removal of the code added by +commit 187b96db5ca7 completely, as the address is now at +'(unsigned long *)state->sp - 1', the same as in the generic case. + +[ mingo: Cleaned up the changelog a bit, for better readability. ] + +Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder") +Bug: https://bugzilla.suse.com/show_bug.cgi?id=1176907 +Signed-off-by: Jiri Slaby +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20201014053051.24199-1-jslaby@suse.cz +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/unwind_orc.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c +index ec88bbe08a328..4a96aa3de7d8a 100644 +--- a/arch/x86/kernel/unwind_orc.c ++++ b/arch/x86/kernel/unwind_orc.c +@@ -320,19 +320,12 @@ EXPORT_SYMBOL_GPL(unwind_get_return_address); + + unsigned long *unwind_get_return_address_ptr(struct unwind_state *state) + { +- struct task_struct *task = state->task; +- + if (unwind_done(state)) + return NULL; + + if (state->regs) + return &state->regs->ip; + +- if (task != current && state->sp == task->thread.sp) { +- struct inactive_task_frame *frame = (void *)task->thread.sp; +- return &frame->ret_addr; +- } +- + if (state->sp) + return (unsigned long *)state->sp - 1; + +@@ -662,7 +655,7 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task, + } else { + struct inactive_task_frame *frame = (void *)task->thread.sp; + +- state->sp = task->thread.sp; ++ state->sp = task->thread.sp + sizeof(*frame); + state->bp = READ_ONCE_NOCHECK(frame->bp); + state->ip = READ_ONCE_NOCHECK(frame->ret_addr); + state->signal = (void *)state->ip == ret_from_fork; +-- +2.27.0 + diff --git a/queue-5.8/xen-gntdev-fix-common-struct-sg_table-related-issues.patch b/queue-5.8/xen-gntdev-fix-common-struct-sg_table-related-issues.patch new file mode 100644 index 00000000000..d9f2d8bbea2 --- /dev/null +++ b/queue-5.8/xen-gntdev-fix-common-struct-sg_table-related-issues.patch @@ -0,0 +1,80 @@ +From 2390b043f495758c264d1cc43d3dbe4e0c8da7dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 16:07:13 +0200 +Subject: xen: gntdev: fix common struct sg_table related issues + +From: Marek Szyprowski + +[ Upstream commit d1749eb1ab85e04e58c29e58900e3abebbdd6e82 ] + +The Documentation/DMA-API-HOWTO.txt states that the dma_map_sg() function +returns the number of the created entries in the DMA address space. +However the subsequent calls to the dma_sync_sg_for_{device,cpu}() and +dma_unmap_sg must be called with the original number of the entries +passed to the dma_map_sg(). + +struct sg_table is a common structure used for describing a non-contiguous +memory buffer, used commonly in the DRM and graphics subsystems. It +consists of a scatterlist with memory pages and DMA addresses (sgl entry), +as well as the number of scatterlist entries: CPU pages (orig_nents entry) +and DMA mapped pages (nents entry). + +It turned out that it was a common mistake to misuse nents and orig_nents +entries, calling DMA-mapping functions with a wrong number of entries or +ignoring the number of mapped entries returned by the dma_map_sg() +function. + +To avoid such issues, lets use a common dma-mapping wrappers operating +directly on the struct sg_table objects and use scatterlist page +iterators where possible. This, almost always, hides references to the +nents and orig_nents entries, making the code robust, easier to follow +and copy/paste safe. + +Signed-off-by: Marek Szyprowski +Acked-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/gntdev-dmabuf.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/xen/gntdev-dmabuf.c b/drivers/xen/gntdev-dmabuf.c +index b1b6eebafd5de..4c13cbc99896a 100644 +--- a/drivers/xen/gntdev-dmabuf.c ++++ b/drivers/xen/gntdev-dmabuf.c +@@ -247,10 +247,9 @@ static void dmabuf_exp_ops_detach(struct dma_buf *dma_buf, + + if (sgt) { + if (gntdev_dmabuf_attach->dir != DMA_NONE) +- dma_unmap_sg_attrs(attach->dev, sgt->sgl, +- sgt->nents, +- gntdev_dmabuf_attach->dir, +- DMA_ATTR_SKIP_CPU_SYNC); ++ dma_unmap_sgtable(attach->dev, sgt, ++ gntdev_dmabuf_attach->dir, ++ DMA_ATTR_SKIP_CPU_SYNC); + sg_free_table(sgt); + } + +@@ -288,8 +287,8 @@ dmabuf_exp_ops_map_dma_buf(struct dma_buf_attachment *attach, + sgt = dmabuf_pages_to_sgt(gntdev_dmabuf->pages, + gntdev_dmabuf->nr_pages); + if (!IS_ERR(sgt)) { +- if (!dma_map_sg_attrs(attach->dev, sgt->sgl, sgt->nents, dir, +- DMA_ATTR_SKIP_CPU_SYNC)) { ++ if (dma_map_sgtable(attach->dev, sgt, dir, ++ DMA_ATTR_SKIP_CPU_SYNC)) { + sg_free_table(sgt); + kfree(sgt); + sgt = ERR_PTR(-ENOMEM); +@@ -633,7 +632,7 @@ dmabuf_imp_to_refs(struct gntdev_dmabuf_priv *priv, struct device *dev, + + /* Now convert sgt to array of pages and check for page validity. */ + i = 0; +- for_each_sg_page(sgt->sgl, &sg_iter, sgt->nents, 0) { ++ for_each_sgtable_page(sgt, &sg_iter, 0) { + struct page *page = sg_page_iter_page(&sg_iter); + /* + * Check if page is valid: this can happen if we are given +-- +2.27.0 + diff --git a/queue-5.8/xfs-avoid-lr-buffer-overrun-due-to-crafted-h_len.patch b/queue-5.8/xfs-avoid-lr-buffer-overrun-due-to-crafted-h_len.patch new file mode 100644 index 00000000000..e132442b555 --- /dev/null +++ b/queue-5.8/xfs-avoid-lr-buffer-overrun-due-to-crafted-h_len.patch @@ -0,0 +1,119 @@ +From 1dcbb0045d831988b067a03204d09ceba7ec54fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 09:41:06 -0700 +Subject: xfs: avoid LR buffer overrun due to crafted h_len + +From: Gao Xiang + +[ Upstream commit f692d09e9c8fd0f5557c2e87f796a16dd95222b8 ] + +Currently, crafted h_len has been blocked for the log +header of the tail block in commit a70f9fe52daa ("xfs: +detect and handle invalid iclog size set by mkfs"). + +However, each log record could still have crafted h_len +and cause log record buffer overrun. So let's check +h_len vs buffer size for each log record as well. + +Signed-off-by: Gao Xiang +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Reviewed-by: Brian Foster +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_log_recover.c | 39 +++++++++++++++++++-------------------- + 1 file changed, 19 insertions(+), 20 deletions(-) + +diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c +index ec015df55b77a..e862f9137bf6e 100644 +--- a/fs/xfs/xfs_log_recover.c ++++ b/fs/xfs/xfs_log_recover.c +@@ -2905,7 +2905,8 @@ STATIC int + xlog_valid_rec_header( + struct xlog *log, + struct xlog_rec_header *rhead, +- xfs_daddr_t blkno) ++ xfs_daddr_t blkno, ++ int bufsize) + { + int hlen; + +@@ -2921,10 +2922,14 @@ xlog_valid_rec_header( + return -EFSCORRUPTED; + } + +- /* LR body must have data or it wouldn't have been written */ ++ /* ++ * LR body must have data (or it wouldn't have been written) ++ * and h_len must not be greater than LR buffer size. ++ */ + hlen = be32_to_cpu(rhead->h_len); +- if (XFS_IS_CORRUPT(log->l_mp, hlen <= 0 || hlen > INT_MAX)) ++ if (XFS_IS_CORRUPT(log->l_mp, hlen <= 0 || hlen > bufsize)) + return -EFSCORRUPTED; ++ + if (XFS_IS_CORRUPT(log->l_mp, + blkno > log->l_logBBsize || blkno > INT_MAX)) + return -EFSCORRUPTED; +@@ -2985,9 +2990,6 @@ xlog_do_recovery_pass( + goto bread_err1; + + rhead = (xlog_rec_header_t *)offset; +- error = xlog_valid_rec_header(log, rhead, tail_blk); +- if (error) +- goto bread_err1; + + /* + * xfsprogs has a bug where record length is based on lsunit but +@@ -3002,21 +3004,18 @@ xlog_do_recovery_pass( + */ + h_size = be32_to_cpu(rhead->h_size); + h_len = be32_to_cpu(rhead->h_len); +- if (h_len > h_size) { +- if (h_len <= log->l_mp->m_logbsize && +- be32_to_cpu(rhead->h_num_logops) == 1) { +- xfs_warn(log->l_mp, ++ if (h_len > h_size && h_len <= log->l_mp->m_logbsize && ++ rhead->h_num_logops == cpu_to_be32(1)) { ++ xfs_warn(log->l_mp, + "invalid iclog size (%d bytes), using lsunit (%d bytes)", +- h_size, log->l_mp->m_logbsize); +- h_size = log->l_mp->m_logbsize; +- } else { +- XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, +- log->l_mp); +- error = -EFSCORRUPTED; +- goto bread_err1; +- } ++ h_size, log->l_mp->m_logbsize); ++ h_size = log->l_mp->m_logbsize; + } + ++ error = xlog_valid_rec_header(log, rhead, tail_blk, h_size); ++ if (error) ++ goto bread_err1; ++ + if ((be32_to_cpu(rhead->h_version) & XLOG_VERSION_2) && + (h_size > XLOG_HEADER_CYCLE_SIZE)) { + hblks = h_size / XLOG_HEADER_CYCLE_SIZE; +@@ -3097,7 +3096,7 @@ xlog_do_recovery_pass( + } + rhead = (xlog_rec_header_t *)offset; + error = xlog_valid_rec_header(log, rhead, +- split_hblks ? blk_no : 0); ++ split_hblks ? blk_no : 0, h_size); + if (error) + goto bread_err2; + +@@ -3178,7 +3177,7 @@ xlog_do_recovery_pass( + goto bread_err2; + + rhead = (xlog_rec_header_t *)offset; +- error = xlog_valid_rec_header(log, rhead, blk_no); ++ error = xlog_valid_rec_header(log, rhead, blk_no, h_size); + if (error) + goto bread_err2; + +-- +2.27.0 + diff --git a/queue-5.8/xfs-change-the-order-in-which-child-and-parent-defer.patch b/queue-5.8/xfs-change-the-order-in-which-child-and-parent-defer.patch new file mode 100644 index 00000000000..5dabc70f524 --- /dev/null +++ b/queue-5.8/xfs-change-the-order-in-which-child-and-parent-defer.patch @@ -0,0 +1,218 @@ +From 9f5985efaabad6aa92fd0d9ddafe0b8229922939 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 17:39:51 -0700 +Subject: xfs: change the order in which child and parent defer ops are + finished + +From: Darrick J. Wong + +[ Upstream commit 27dada070d59c28a441f1907d2cec891b17dcb26 ] + +The defer ops code has been finishing items in the wrong order -- if a +top level defer op creates items A and B, and finishing item A creates +more defer ops A1 and A2, we'll put the new items on the end of the +chain and process them in the order A B A1 A2. This is kind of weird, +since it's convenient for programmers to be able to think of A and B as +an ordered sequence where all the sub-tasks for A must finish before we +move on to B, e.g. A A1 A2 D. + +Right now, our log intent items are not so complex that this matters, +but this will become important for the atomic extent swapping patchset. +In order to maintain correct reference counting of extents, we have to +unmap and remap extents in that order, and we want to complete that work +before moving on to the next range that the user wants to swap. This +patch fixes defer ops to satsify that requirement. + +The primary symptom of the incorrect order was noticed in an early +performance analysis of the atomic extent swap code. An astonishingly +large number of deferred work items accumulated when userspace requested +an atomic update of two very fragmented files. The cause of this was +traced to the same ordering bug in the inner loop of +xfs_defer_finish_noroll. + +If the ->finish_item method of a deferred operation queues new deferred +operations, those new deferred ops are appended to the tail of the +pending work list. To illustrate, say that a caller creates a +transaction t0 with four deferred operations D0-D3. The first thing +defer ops does is roll the transaction to t1, leaving us with: + +t1: D0(t0), D1(t0), D2(t0), D3(t0) + +Let's say that finishing each of D0-D3 will create two new deferred ops. +After finish D0 and roll, we'll have the following chain: + +t2: D1(t0), D2(t0), D3(t0), d4(t1), d5(t1) + +d4 and d5 were logged to t1. Notice that while we're about to start +work on D1, we haven't actually completed all the work implied by D0 +being finished. So far we've been careful (or lucky) to structure the +dfops callers such that D1 doesn't depend on d4 or d5 being finished, +but this is a potential logic bomb. + +There's a second problem lurking. Let's see what happens as we finish +D1-D3: + +t3: D2(t0), D3(t0), d4(t1), d5(t1), d6(t2), d7(t2) +t4: D3(t0), d4(t1), d5(t1), d6(t2), d7(t2), d8(t3), d9(t3) +t5: d4(t1), d5(t1), d6(t2), d7(t2), d8(t3), d9(t3), d10(t4), d11(t4) + +Let's say that d4-d11 are simple work items that don't queue any other +operations, which means that we can complete each d4 and roll to t6: + +t6: d5(t1), d6(t2), d7(t2), d8(t3), d9(t3), d10(t4), d11(t4) +t7: d6(t2), d7(t2), d8(t3), d9(t3), d10(t4), d11(t4) +... +t11: d10(t4), d11(t4) +t12: d11(t4) + + +When we try to roll to transaction #12, we're holding defer op d11, +which we logged way back in t4. This means that the tail of the log is +pinned at t4. If the log is very small or there are a lot of other +threads updating metadata, this means that we might have wrapped the log +and cannot get roll to t11 because there isn't enough space left before +we'd run into t4. + +Let's shift back to the original failure. I mentioned before that I +discovered this flaw while developing the atomic file update code. In +that scenario, we have a defer op (D0) that finds a range of file blocks +to remap, creates a handful of new defer ops to do that, and then asks +to be continued with however much work remains. + +So, D0 is the original swapext deferred op. The first thing defer ops +does is rolls to t1: + +t1: D0(t0) + +We try to finish D0, logging d1 and d2 in the process, but can't get all +the work done. We log a done item and a new intent item for the work +that D0 still has to do, and roll to t2: + +t2: D0'(t1), d1(t1), d2(t1) + +We roll and try to finish D0', but still can't get all the work done, so +we log a done item and a new intent item for it, requeue D0 a second +time, and roll to t3: + +t3: D0''(t2), d1(t1), d2(t1), d3(t2), d4(t2) + +If it takes 48 more rolls to complete D0, then we'll finally dispense +with D0 in t50: + +t50: D(t49), d1(t1), ..., d102(t50) + +We then try to roll again to get a chain like this: + +t51: d1(t1), d2(t1), ..., d101(t50), d102(t50) +... +t152: d102(t50) + + +Notice that in rolling to transaction #51, we're holding on to a log +intent item for d1 that was logged in transaction #1. This means that +the tail of the log is pinned at t1. If the log is very small or there +are a lot of other threads updating metadata, this means that we might +have wrapped the log and cannot roll to t51 because there isn't enough +space left before we'd run into t1. This is of course problem #2 again. + +But notice the third problem with this scenario: we have 102 defer ops +tied to this transaction! Each of these items are backed by pinned +kernel memory, which means that we risk OOM if the chains get too long. + +Yikes. Problem #1 is a subtle logic bomb that could hit someone in the +future; problem #2 applies (rarely) to the current upstream, and problem +#3 applies to work under development. + +This is not how incremental deferred operations were supposed to work. +The dfops design of logging in the same transaction an intent-done item +and a new intent item for the work remaining was to make it so that we +only have to juggle enough deferred work items to finish that one small +piece of work. Deferred log item recovery will find that first +unfinished work item and restart it, no matter how many other intent +items might follow it in the log. Therefore, it's ok to put the new +intents at the start of the dfops chain. + +For the first example, the chains look like this: + +t2: d4(t1), d5(t1), D1(t0), D2(t0), D3(t0) +t3: d5(t1), D1(t0), D2(t0), D3(t0) +... +t9: d9(t7), D3(t0) +t10: D3(t0) +t11: d10(t10), d11(t10) +t12: d11(t10) + +For the second example, the chains look like this: + +t1: D0(t0) +t2: d1(t1), d2(t1), D0'(t1) +t3: d2(t1), D0'(t1) +t4: D0'(t1) +t5: d1(t4), d2(t4), D0''(t4) +... +t148: D0<50 primes>(t147) +t149: d101(t148), d102(t148) +t150: d102(t148) + + +This actually sucks more for pinning the log tail (we try to roll to t10 +while holding an intent item that was logged in t1) but we've solved +problem #1. We've also reduced the maximum chain length from: + + sum(all the new items) + nr_original_items + +to: + + max(new items that each original item creates) + nr_original_items + +This solves problem #3 by sharply reducing the number of defer ops that +can be attached to a transaction at any given time. The change makes +the problem of log tail pinning worse, but is improvement we need to +solve problem #2. Actually solving #2, however, is left to the next +patch. + +Note that a subsequent analysis of some hard-to-trigger reflink and COW +livelocks on extremely fragmented filesystems (or systems running a lot +of IO threads) showed the same symptoms -- uncomfortably large numbers +of incore deferred work items and occasional stalls in the transaction +grant code while waiting for log reservations. I think this patch and +the next one will also solve these problems. + +As originally written, the code used list_splice_tail_init instead of +list_splice_init, so change that, and leave a short comment explaining +our actions. + +Signed-off-by: Darrick J. Wong +Reviewed-by: Dave Chinner +Reviewed-by: Brian Foster +Signed-off-by: Sasha Levin +--- + fs/xfs/libxfs/xfs_defer.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/fs/xfs/libxfs/xfs_defer.c b/fs/xfs/libxfs/xfs_defer.c +index 29e9762f3b77c..4959d8a32b606 100644 +--- a/fs/xfs/libxfs/xfs_defer.c ++++ b/fs/xfs/libxfs/xfs_defer.c +@@ -430,8 +430,17 @@ xfs_defer_finish_noroll( + + /* Until we run out of pending work to finish... */ + while (!list_empty(&dop_pending) || !list_empty(&(*tp)->t_dfops)) { ++ /* ++ * Deferred items that are created in the process of finishing ++ * other deferred work items should be queued at the head of ++ * the pending list, which puts them ahead of the deferred work ++ * that was created by the caller. This keeps the number of ++ * pending work items to a minimum, which decreases the amount ++ * of time that any one intent item can stick around in memory, ++ * pinning the log tail. ++ */ + xfs_defer_create_intents(*tp); +- list_splice_tail_init(&(*tp)->t_dfops, &dop_pending); ++ list_splice_init(&(*tp)->t_dfops, &dop_pending); + + error = xfs_defer_trans_roll(tp); + if (error) +-- +2.27.0 + diff --git a/queue-5.8/xfs-don-t-free-rt-blocks-when-we-re-doing-a-remap-bu.patch b/queue-5.8/xfs-don-t-free-rt-blocks-when-we-re-doing-a-remap-bu.patch new file mode 100644 index 00000000000..7114ce8372c --- /dev/null +++ b/queue-5.8/xfs-don-t-free-rt-blocks-when-we-re-doing-a-remap-bu.patch @@ -0,0 +1,63 @@ +From 8e043a3e310f0fa601a2b4de177bd44f86e1cbc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 09:15:08 -0700 +Subject: xfs: don't free rt blocks when we're doing a REMAP bunmapi call + +From: Darrick J. Wong + +[ Upstream commit 8df0fa39bdd86ca81a8d706a6ed9d33cc65ca625 ] + +When callers pass XFS_BMAPI_REMAP into xfs_bunmapi, they want the extent +to be unmapped from the given file fork without the extent being freed. +We do this for non-rt files, but we forgot to do this for realtime +files. So far this isn't a big deal since nobody makes a bunmapi call +to a rt file with the REMAP flag set, but don't leave a logic bomb. + +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Reviewed-by: Dave Chinner +Signed-off-by: Sasha Levin +--- + fs/xfs/libxfs/xfs_bmap.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c +index aa784404964a0..5800773213493 100644 +--- a/fs/xfs/libxfs/xfs_bmap.c ++++ b/fs/xfs/libxfs/xfs_bmap.c +@@ -5042,20 +5042,25 @@ xfs_bmap_del_extent_real( + + flags = XFS_ILOG_CORE; + if (whichfork == XFS_DATA_FORK && XFS_IS_REALTIME_INODE(ip)) { +- xfs_fsblock_t bno; + xfs_filblks_t len; + xfs_extlen_t mod; + +- bno = div_u64_rem(del->br_startblock, mp->m_sb.sb_rextsize, +- &mod); +- ASSERT(mod == 0); + len = div_u64_rem(del->br_blockcount, mp->m_sb.sb_rextsize, + &mod); + ASSERT(mod == 0); + +- error = xfs_rtfree_extent(tp, bno, (xfs_extlen_t)len); +- if (error) +- goto done; ++ if (!(bflags & XFS_BMAPI_REMAP)) { ++ xfs_fsblock_t bno; ++ ++ bno = div_u64_rem(del->br_startblock, ++ mp->m_sb.sb_rextsize, &mod); ++ ASSERT(mod == 0); ++ ++ error = xfs_rtfree_extent(tp, bno, (xfs_extlen_t)len); ++ if (error) ++ goto done; ++ } ++ + do_fx = 0; + nblks = len * mp->m_sb.sb_rextsize; + qfield = XFS_TRANS_DQ_RTBCOUNT; +-- +2.27.0 + diff --git a/queue-5.8/xfs-fix-realtime-bitmap-summary-file-truncation-when.patch b/queue-5.8/xfs-fix-realtime-bitmap-summary-file-truncation-when.patch new file mode 100644 index 00000000000..cd2e97d38fd --- /dev/null +++ b/queue-5.8/xfs-fix-realtime-bitmap-summary-file-truncation-when.patch @@ -0,0 +1,70 @@ +From 4e54f456f282b907006a9d2518d2d1828c7b4068 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Oct 2020 13:55:16 -0700 +Subject: xfs: fix realtime bitmap/summary file truncation when growing rt + volume + +From: Darrick J. Wong + +[ Upstream commit f4c32e87de7d66074d5612567c5eac7325024428 ] + +The realtime bitmap and summary files are regular files that are hidden +away from the directory tree. Since they're regular files, inode +inactivation will try to purge what it thinks are speculative +preallocations beyond the incore size of the file. Unfortunately, +xfs_growfs_rt forgets to update the incore size when it resizes the +inodes, with the result that inactivating the rt inodes at unmount time +will cause their contents to be truncated. + +Fix this by updating the incore size when we change the ondisk size as +part of updating the superblock. Note that we don't do this when we're +allocating blocks to the rt inodes because we actually want those blocks +to get purged if the growfs fails. + +This fixes corruption complaints from the online rtsummary checker when +running xfs/233. Since that test requires rmap, one can also trigger +this by growing an rt volume, cycling the mount, and creating rt files. + +Signed-off-by: Darrick J. Wong +Reviewed-by: Chandan Babu R +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_rtalloc.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c +index 0753b1dfd0750..be01bfbc3ad93 100644 +--- a/fs/xfs/xfs_rtalloc.c ++++ b/fs/xfs/xfs_rtalloc.c +@@ -1027,10 +1027,13 @@ xfs_growfs_rt( + xfs_ilock(mp->m_rbmip, XFS_ILOCK_EXCL); + xfs_trans_ijoin(tp, mp->m_rbmip, XFS_ILOCK_EXCL); + /* +- * Update the bitmap inode's size. ++ * Update the bitmap inode's size ondisk and incore. We need ++ * to update the incore size so that inode inactivation won't ++ * punch what it thinks are "posteof" blocks. + */ + mp->m_rbmip->i_d.di_size = + nsbp->sb_rbmblocks * nsbp->sb_blocksize; ++ i_size_write(VFS_I(mp->m_rbmip), mp->m_rbmip->i_d.di_size); + xfs_trans_log_inode(tp, mp->m_rbmip, XFS_ILOG_CORE); + /* + * Get the summary inode into the transaction. +@@ -1038,9 +1041,12 @@ xfs_growfs_rt( + xfs_ilock(mp->m_rsumip, XFS_ILOCK_EXCL); + xfs_trans_ijoin(tp, mp->m_rsumip, XFS_ILOCK_EXCL); + /* +- * Update the summary inode's size. ++ * Update the summary inode's size. We need to update the ++ * incore size so that inode inactivation won't punch what it ++ * thinks are "posteof" blocks. + */ + mp->m_rsumip->i_d.di_size = nmp->m_rsumsize; ++ i_size_write(VFS_I(mp->m_rsumip), mp->m_rsumip->i_d.di_size); + xfs_trans_log_inode(tp, mp->m_rsumip, XFS_ILOG_CORE); + /* + * Copy summary data from old to new sizes. +-- +2.27.0 + diff --git a/queue-5.8/xfs-log-new-intent-items-created-as-part-of-finishin.patch b/queue-5.8/xfs-log-new-intent-items-created-as-part-of-finishin.patch new file mode 100644 index 00000000000..5667b8ab897 --- /dev/null +++ b/queue-5.8/xfs-log-new-intent-items-created-as-part-of-finishin.patch @@ -0,0 +1,134 @@ +From 10e909b0fcf1f171d7d9d95be551474259d1d048 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 09:15:09 -0700 +Subject: xfs: log new intent items created as part of finishing recovered + intent items + +From: Darrick J. Wong + +[ Upstream commit 93293bcbde93567efaf4e6bcd58cad270e1fcbf5 ] + +During a code inspection, I found a serious bug in the log intent item +recovery code when an intent item cannot complete all the work and +decides to requeue itself to get that done. When this happens, the +item recovery creates a new incore deferred op representing the +remaining work and attaches it to the transaction that it allocated. At +the end of _item_recover, it moves the entire chain of deferred ops to +the dummy parent_tp that xlog_recover_process_intents passed to it, but +fail to log a new intent item for the remaining work before committing +the transaction for the single unit of work. + +xlog_finish_defer_ops logs those new intent items once recovery has +finished dealing with the intent items that it recovered, but this isn't +sufficient. If the log is forced to disk after a recovered log item +decides to requeue itself and the system goes down before we call +xlog_finish_defer_ops, the second log recovery will never see the new +intent item and therefore has no idea that there was more work to do. +It will finish recovery leaving the filesystem in a corrupted state. + +The same logic applies to /any/ deferred ops added during intent item +recovery, not just the one handling the remaining work. + +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Reviewed-by: Dave Chinner +Signed-off-by: Sasha Levin +--- + fs/xfs/libxfs/xfs_defer.c | 26 ++++++++++++++++++++++++-- + fs/xfs/libxfs/xfs_defer.h | 6 ++++++ + fs/xfs/xfs_bmap_item.c | 2 +- + fs/xfs/xfs_refcount_item.c | 2 +- + 4 files changed, 32 insertions(+), 4 deletions(-) + +diff --git a/fs/xfs/libxfs/xfs_defer.c b/fs/xfs/libxfs/xfs_defer.c +index d8f586256add7..29e9762f3b77c 100644 +--- a/fs/xfs/libxfs/xfs_defer.c ++++ b/fs/xfs/libxfs/xfs_defer.c +@@ -186,8 +186,9 @@ xfs_defer_create_intent( + { + const struct xfs_defer_op_type *ops = defer_op_types[dfp->dfp_type]; + +- dfp->dfp_intent = ops->create_intent(tp, &dfp->dfp_work, +- dfp->dfp_count, sort); ++ if (!dfp->dfp_intent) ++ dfp->dfp_intent = ops->create_intent(tp, &dfp->dfp_work, ++ dfp->dfp_count, sort); + } + + /* +@@ -390,6 +391,7 @@ xfs_defer_finish_one( + list_add(li, &dfp->dfp_work); + dfp->dfp_count++; + dfp->dfp_done = NULL; ++ dfp->dfp_intent = NULL; + xfs_defer_create_intent(tp, dfp, false); + } + +@@ -552,3 +554,23 @@ xfs_defer_move( + + xfs_defer_reset(stp); + } ++ ++/* ++ * Prepare a chain of fresh deferred ops work items to be completed later. Log ++ * recovery requires the ability to put off until later the actual finishing ++ * work so that it can process unfinished items recovered from the log in ++ * correct order. ++ * ++ * Create and log intent items for all the work that we're capturing so that we ++ * can be assured that the items will get replayed if the system goes down ++ * before log recovery gets a chance to finish the work it put off. Then we ++ * move the chain from stp to dtp. ++ */ ++void ++xfs_defer_capture( ++ struct xfs_trans *dtp, ++ struct xfs_trans *stp) ++{ ++ xfs_defer_create_intents(stp); ++ xfs_defer_move(dtp, stp); ++} +diff --git a/fs/xfs/libxfs/xfs_defer.h b/fs/xfs/libxfs/xfs_defer.h +index 6b2ca580f2b06..3164199162b61 100644 +--- a/fs/xfs/libxfs/xfs_defer.h ++++ b/fs/xfs/libxfs/xfs_defer.h +@@ -63,4 +63,10 @@ extern const struct xfs_defer_op_type xfs_rmap_update_defer_type; + extern const struct xfs_defer_op_type xfs_extent_free_defer_type; + extern const struct xfs_defer_op_type xfs_agfl_free_defer_type; + ++/* ++ * Functions to capture a chain of deferred operations and continue them later. ++ * This doesn't normally happen except log recovery. ++ */ ++void xfs_defer_capture(struct xfs_trans *dtp, struct xfs_trans *stp); ++ + #endif /* __XFS_DEFER_H__ */ +diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c +index 6736c5ab188f2..98e18472e28e6 100644 +--- a/fs/xfs/xfs_bmap_item.c ++++ b/fs/xfs/xfs_bmap_item.c +@@ -534,7 +534,7 @@ xfs_bui_item_recover( + xfs_bmap_unmap_extent(tp, ip, &irec); + } + +- xfs_defer_move(parent_tp, tp); ++ xfs_defer_capture(parent_tp, tp); + error = xfs_trans_commit(tp); + xfs_iunlock(ip, XFS_ILOCK_EXCL); + xfs_irele(ip); +diff --git a/fs/xfs/xfs_refcount_item.c b/fs/xfs/xfs_refcount_item.c +index c81639891e298..1b2a58b305f25 100644 +--- a/fs/xfs/xfs_refcount_item.c ++++ b/fs/xfs/xfs_refcount_item.c +@@ -554,7 +554,7 @@ xfs_cui_item_recover( + } + + xfs_refcount_finish_one_cleanup(tp, rcur, error); +- xfs_defer_move(parent_tp, tp); ++ xfs_defer_capture(parent_tp, tp); + error = xfs_trans_commit(tp); + return error; + +-- +2.27.0 + diff --git a/queue-5.8/xfs-set-xfs_buf-s-b_ops-member-when-zeroing-bitmap-s.patch b/queue-5.8/xfs-set-xfs_buf-s-b_ops-member-when-zeroing-bitmap-s.patch new file mode 100644 index 00000000000..1a778a3e0ec --- /dev/null +++ b/queue-5.8/xfs-set-xfs_buf-s-b_ops-member-when-zeroing-bitmap-s.patch @@ -0,0 +1,90 @@ +From 0128bdffafd99a2f8fd76b67a81ba61cf3eb3a13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 11:12:08 -0700 +Subject: xfs: Set xfs_buf's b_ops member when zeroing bitmap/summary files + +From: Chandan Babu R + +[ Upstream commit c54e14d155f5fdbac73a8cd4bd2678cb252149dc ] + +In xfs_growfs_rt(), we enlarge bitmap and summary files by allocating +new blocks for both files. For each of the new blocks allocated, we +allocate an xfs_buf, zero the payload, log the contents and commit the +transaction. Hence these buffers will eventually find themselves +appended to list at xfs_ail->ail_buf_list. + +Later, xfs_growfs_rt() loops across all of the new blocks belonging to +the bitmap inode to set the bitmap values to 1. In doing so, it +allocates a new transaction and invokes the following sequence of +functions, + - xfs_rtfree_range() + - xfs_rtmodify_range() + - xfs_rtbuf_get() + We pass '&xfs_rtbuf_ops' as the ops pointer to xfs_trans_read_buf(). + - xfs_trans_read_buf() + We find the xfs_buf of interest in per-ag hash table, invoke + xfs_buf_reverify() which ends up assigning '&xfs_rtbuf_ops' to + xfs_buf->b_ops. + +On the other hand, if xfs_growfs_rt_alloc() had allocated a few blocks +for the bitmap inode and returned with an error, all the xfs_bufs +corresponding to the new bitmap blocks that have been allocated would +continue to be on xfs_ail->ail_buf_list list without ever having a +non-NULL value assigned to their b_ops members. An AIL flush operation +would then trigger the following warning message to be printed on the +console, + + XFS (loop0): _xfs_buf_ioapply: no buf ops on daddr 0x58 len 8 + 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + CPU: 3 PID: 449 Comm: xfsaild/loop0 Not tainted 5.8.0-rc4-chandan-00038-g4d8c2b9de9ab-dirty #37 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 + Call Trace: + dump_stack+0x57/0x70 + _xfs_buf_ioapply+0x37c/0x3b0 + ? xfs_rw_bdev+0x1e0/0x1e0 + ? xfs_buf_delwri_submit_buffers+0xd4/0x210 + __xfs_buf_submit+0x6d/0x1f0 + xfs_buf_delwri_submit_buffers+0xd4/0x210 + xfsaild+0x2c8/0x9e0 + ? __switch_to_asm+0x42/0x70 + ? xfs_trans_ail_cursor_first+0x80/0x80 + kthread+0xfe/0x140 + ? kthread_park+0x90/0x90 + ret_from_fork+0x22/0x30 + +This message indicates that the xfs_buf had its b_ops member set to +NULL. + +This commit fixes the issue by assigning "&xfs_rtbuf_ops" to b_ops +member of each of the xfs_bufs logged by xfs_growfs_rt_alloc(). + +Signed-off-by: Chandan Babu R +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_rtalloc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c +index 912f96a248f25..0753b1dfd0750 100644 +--- a/fs/xfs/xfs_rtalloc.c ++++ b/fs/xfs/xfs_rtalloc.c +@@ -849,6 +849,7 @@ xfs_growfs_rt_alloc( + goto out_trans_cancel; + + xfs_trans_buf_set_type(tp, bp, buf_type); ++ bp->b_ops = &xfs_rtbuf_ops; + memset(bp->b_addr, 0, mp->m_sb.sb_blocksize); + xfs_trans_log_buf(tp, bp, 0, mp->m_sb.sb_blocksize - 1); + /* +-- +2.27.0 + diff --git a/queue-5.8/xfs-set-xfs_buf-type-flag-when-growing-summary-bitma.patch b/queue-5.8/xfs-set-xfs_buf-type-flag-when-growing-summary-bitma.patch new file mode 100644 index 00000000000..7fe1de14a84 --- /dev/null +++ b/queue-5.8/xfs-set-xfs_buf-type-flag-when-growing-summary-bitma.patch @@ -0,0 +1,85 @@ +From d4a19eeafc99b8658a2988d701234907da930f31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 20:50:42 -0700 +Subject: xfs: Set xfs_buf type flag when growing summary/bitmap files + +From: Chandan Babu R + +[ Upstream commit 72cc95132a93293dcd0b6f68353f4741591c9aeb ] + +The following sequence of commands, + + mkfs.xfs -f -m reflink=0 -r rtdev=/dev/loop1,size=10M /dev/loop0 + mount -o rtdev=/dev/loop1 /dev/loop0 /mnt + xfs_growfs /mnt + +... causes the following call trace to be printed on the console, + +XFS: Assertion failed: (bip->bli_flags & XFS_BLI_STALE) || (xfs_blft_from_flags(&bip->__bli_format) > XFS_BLFT_UNKNOWN_BUF && xfs_blft_from_flags(&bip->__bli_format) < XFS_BLFT_MAX_BUF), file: fs/xfs/xfs_buf_item.c, line: 331 +Call Trace: + xfs_buf_item_format+0x632/0x680 + ? kmem_alloc_large+0x29/0x90 + ? kmem_alloc+0x70/0x120 + ? xfs_log_commit_cil+0x132/0x940 + xfs_log_commit_cil+0x26f/0x940 + ? xfs_buf_item_init+0x1ad/0x240 + ? xfs_growfs_rt_alloc+0x1fc/0x280 + __xfs_trans_commit+0xac/0x370 + xfs_growfs_rt_alloc+0x1fc/0x280 + xfs_growfs_rt+0x1a0/0x5e0 + xfs_file_ioctl+0x3fd/0xc70 + ? selinux_file_ioctl+0x174/0x220 + ksys_ioctl+0x87/0xc0 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x3e/0x70 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +This occurs because the buffer being formatted has the value of +XFS_BLFT_UNKNOWN_BUF assigned to the 'type' subfield of +bip->bli_formats->blf_flags. + +This commit fixes the issue by assigning one of XFS_BLFT_RTSUMMARY_BUF +and XFS_BLFT_RTBITMAP_BUF to the 'type' subfield of +bip->bli_formats->blf_flags before committing the corresponding +transaction. + +Reviewed-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Chandan Babu R +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_rtalloc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c +index 86994d7f7cba3..912f96a248f25 100644 +--- a/fs/xfs/xfs_rtalloc.c ++++ b/fs/xfs/xfs_rtalloc.c +@@ -778,8 +778,14 @@ xfs_growfs_rt_alloc( + struct xfs_bmbt_irec map; /* block map output */ + int nmap; /* number of block maps */ + int resblks; /* space reservation */ ++ enum xfs_blft buf_type; + struct xfs_trans *tp; + ++ if (ip == mp->m_rsumip) ++ buf_type = XFS_BLFT_RTSUMMARY_BUF; ++ else ++ buf_type = XFS_BLFT_RTBITMAP_BUF; ++ + /* + * Allocate space to the file, as necessary. + */ +@@ -841,6 +847,8 @@ xfs_growfs_rt_alloc( + mp->m_bsize, 0, &bp); + if (error) + goto out_trans_cancel; ++ ++ xfs_trans_buf_set_type(tp, bp, buf_type); + memset(bp->b_addr, 0, mp->m_sb.sb_blocksize); + xfs_trans_log_buf(tp, bp, 0, mp->m_sb.sb_blocksize - 1); + /* +-- +2.27.0 + -- 2.47.3