From 3ccc57b0b8226264541e4740c069329c22967871 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 1 Mar 2021 14:00:16 +0100 Subject: [PATCH] 5.11-stable patches added patches: arm64-extend-workaround-for-erratum-1024718-to-all-versions-of-cortex-a55.patch arm64-kexec_file-fix-memory-leakage-in-create_dtb-when-fdt_open_into-fails.patch arm64-module-set-plt-section-addresses-to-0x0.patch arm64-spectre-prevent-lockdep-splat-on-v4-mitigation-enable-path.patch arm64-uprobe-return-eopnotsupp-for-aarch32-instruction-probing.patch coresight-etm4x-handle-accesses-to-trcstallctlr.patch fs-affs-release-old-buffer-head-on-error-path.patch hugetlb-fix-copy_huge_page_from_user-contig-page-struct-assumption.patch hugetlb-fix-update_and_free_page-contig-page-struct-assumption.patch iommu-arm-smmu-qcom-fix-mask-extraction-for-bootloader-programmed-smrs.patch kvm-nsvm-fix-running-nested-guests-when-npt-0.patch mailbox-arm_mhuv2-skip-calling-kfree-with-invalid-pointer.patch mm-compaction-make-fast_isolate_freepages-stay-within-zone.patch mm-memcontrol-fix-get_active_memcg-return-value.patch mm-memcontrol-fix-swap-undercounting-in-cgroup2.patch mm-vmscan-restore-zone_reclaim_mode-abi.patch mtd-spi-nor-core-add-erase-size-check-for-erase-command-initialization.patch mtd-spi-nor-core-fix-erase-type-discovery-for-overlaid-region.patch mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch mtd-spi-nor-sfdp-fix-last-erase-region-marking.patch mtd-spi-nor-sfdp-fix-wrong-erase-type-bitmask-for-overlaid-region.patch riscv-disable-ksan_sanitize-for-vdso.patch seq_file-document-how-per-entry-resources-are-managed.patch watchdog-mei_wdt-request-stop-on-unregister.patch watchdog-qcom-remove-incorrect-usage-of-qcom_wdt_enable_irq.patch x86-fix-seq_file-iteration-for-pat-memtype.c.patch --- ...024718-to-all-versions-of-cortex-a55.patch | 52 +++++++++ ...-create_dtb-when-fdt_open_into-fails.patch | 36 +++++++ ...ule-set-plt-section-addresses-to-0x0.patch | 39 +++++++ ...p-splat-on-v4-mitigation-enable-path.patch | 88 +++++++++++++++ ...supp-for-aarch32-instruction-probing.patch | 38 +++++++ ...tm4x-handle-accesses-to-trcstallctlr.patch | 73 +++++++++++++ ...elease-old-buffer-head-on-error-path.patch | 35 ++++++ ...m_user-contig-page-struct-assumption.patch | 67 ++++++++++++ ...e_page-contig-page-struct-assumption.patch | 68 ++++++++++++ ...ction-for-bootloader-programmed-smrs.patch | 51 +++++++++ ...fix-running-nested-guests-when-npt-0.patch | 61 +++++++++++ ...p-calling-kfree-with-invalid-pointer.patch | 37 +++++++ ...t_isolate_freepages-stay-within-zone.patch | 101 ++++++++++++++++++ ...ol-fix-get_active_memcg-return-value.patch | 49 +++++++++ ...ol-fix-swap-undercounting-in-cgroup2.patch | 79 ++++++++++++++ ...vmscan-restore-zone_reclaim_mode-abi.patch | 96 +++++++++++++++++ ...eck-for-erase-command-initialization.patch | 35 ++++++ ...e-type-discovery-for-overlaid-region.patch | 50 +++++++++ ...-sfc-put-child-node-np-on-error-path.patch | 36 +++++++ ...r-sfdp-fix-last-erase-region-marking.patch | 42 ++++++++ ...ase-type-bitmask-for-overlaid-region.patch | 35 ++++++ ...riscv-disable-ksan_sanitize-for-vdso.patch | 43 ++++++++ ...-how-per-entry-resources-are-managed.patch | 83 ++++++++++++++ queue-5.11/series | 26 +++++ ...g-mei_wdt-request-stop-on-unregister.patch | 43 ++++++++ ...correct-usage-of-qcom_wdt_enable_irq.patch | 66 ++++++++++++ ...seq_file-iteration-for-pat-memtype.c.patch | 68 ++++++++++++ 27 files changed, 1497 insertions(+) create mode 100644 queue-5.11/arm64-extend-workaround-for-erratum-1024718-to-all-versions-of-cortex-a55.patch create mode 100644 queue-5.11/arm64-kexec_file-fix-memory-leakage-in-create_dtb-when-fdt_open_into-fails.patch create mode 100644 queue-5.11/arm64-module-set-plt-section-addresses-to-0x0.patch create mode 100644 queue-5.11/arm64-spectre-prevent-lockdep-splat-on-v4-mitigation-enable-path.patch create mode 100644 queue-5.11/arm64-uprobe-return-eopnotsupp-for-aarch32-instruction-probing.patch create mode 100644 queue-5.11/coresight-etm4x-handle-accesses-to-trcstallctlr.patch create mode 100644 queue-5.11/fs-affs-release-old-buffer-head-on-error-path.patch create mode 100644 queue-5.11/hugetlb-fix-copy_huge_page_from_user-contig-page-struct-assumption.patch create mode 100644 queue-5.11/hugetlb-fix-update_and_free_page-contig-page-struct-assumption.patch create mode 100644 queue-5.11/iommu-arm-smmu-qcom-fix-mask-extraction-for-bootloader-programmed-smrs.patch create mode 100644 queue-5.11/kvm-nsvm-fix-running-nested-guests-when-npt-0.patch create mode 100644 queue-5.11/mailbox-arm_mhuv2-skip-calling-kfree-with-invalid-pointer.patch create mode 100644 queue-5.11/mm-compaction-make-fast_isolate_freepages-stay-within-zone.patch create mode 100644 queue-5.11/mm-memcontrol-fix-get_active_memcg-return-value.patch create mode 100644 queue-5.11/mm-memcontrol-fix-swap-undercounting-in-cgroup2.patch create mode 100644 queue-5.11/mm-vmscan-restore-zone_reclaim_mode-abi.patch create mode 100644 queue-5.11/mtd-spi-nor-core-add-erase-size-check-for-erase-command-initialization.patch create mode 100644 queue-5.11/mtd-spi-nor-core-fix-erase-type-discovery-for-overlaid-region.patch create mode 100644 queue-5.11/mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch create mode 100644 queue-5.11/mtd-spi-nor-sfdp-fix-last-erase-region-marking.patch create mode 100644 queue-5.11/mtd-spi-nor-sfdp-fix-wrong-erase-type-bitmask-for-overlaid-region.patch create mode 100644 queue-5.11/riscv-disable-ksan_sanitize-for-vdso.patch create mode 100644 queue-5.11/seq_file-document-how-per-entry-resources-are-managed.patch create mode 100644 queue-5.11/watchdog-mei_wdt-request-stop-on-unregister.patch create mode 100644 queue-5.11/watchdog-qcom-remove-incorrect-usage-of-qcom_wdt_enable_irq.patch create mode 100644 queue-5.11/x86-fix-seq_file-iteration-for-pat-memtype.c.patch diff --git a/queue-5.11/arm64-extend-workaround-for-erratum-1024718-to-all-versions-of-cortex-a55.patch b/queue-5.11/arm64-extend-workaround-for-erratum-1024718-to-all-versions-of-cortex-a55.patch new file mode 100644 index 00000000000..ecf3d3c2b42 --- /dev/null +++ b/queue-5.11/arm64-extend-workaround-for-erratum-1024718-to-all-versions-of-cortex-a55.patch @@ -0,0 +1,52 @@ +From c0b15c25d25171db4b70cc0b7dbc1130ee94017d Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Wed, 3 Feb 2021 23:00:57 +0000 +Subject: arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55 + +From: Suzuki K Poulose + +commit c0b15c25d25171db4b70cc0b7dbc1130ee94017d upstream. + +The erratum 1024718 affects Cortex-A55 r0p0 to r2p0. However +we apply the work around for r0p0 - r1p0. Unfortunately this +won't be fixed for the future revisions for the CPU. Thus +extend the work around for all versions of A55, to cover +for r2p0 and any future revisions. + +Cc: stable@vger.kernel.org +Cc: Catalin Marinas +Cc: Will Deacon +Cc: James Morse +Cc: Kunihiko Hayashi +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20210203230057.3961239-1-suzuki.poulose@arm.com +[will: Update Kconfig help text] +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/Kconfig | 2 +- + arch/arm64/kernel/cpufeature.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -522,7 +522,7 @@ config ARM64_ERRATUM_1024718 + help + This option adds a workaround for ARM Cortex-A55 Erratum 1024718. + +- Affected Cortex-A55 cores (r0p0, r0p1, r1p0) could cause incorrect ++ Affected Cortex-A55 cores (all revisions) could cause incorrect + update of the hardware dirty bit when the DBM/AP bits are updated + without a break-before-make. The workaround is to disable the usage + of hardware DBM locally on the affected cores. CPUs not affected by +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -1455,7 +1455,7 @@ static bool cpu_has_broken_dbm(void) + /* List of CPUs which have broken DBM support. */ + static const struct midr_range cpus[] = { + #ifdef CONFIG_ARM64_ERRATUM_1024718 +- MIDR_RANGE(MIDR_CORTEX_A55, 0, 0, 1, 0), // A55 r0p0 -r1p0 ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A55), + /* Kryo4xx Silver (rdpe => r1p0) */ + MIDR_REV(MIDR_QCOM_KRYO_4XX_SILVER, 0xd, 0xe), + #endif diff --git a/queue-5.11/arm64-kexec_file-fix-memory-leakage-in-create_dtb-when-fdt_open_into-fails.patch b/queue-5.11/arm64-kexec_file-fix-memory-leakage-in-create_dtb-when-fdt_open_into-fails.patch new file mode 100644 index 00000000000..3eb84e752bd --- /dev/null +++ b/queue-5.11/arm64-kexec_file-fix-memory-leakage-in-create_dtb-when-fdt_open_into-fails.patch @@ -0,0 +1,36 @@ +From 656d1d58d8e0958d372db86c24f0b2ea36f50888 Mon Sep 17 00:00:00 2001 +From: qiuguorui1 +Date: Thu, 18 Feb 2021 20:59:00 +0800 +Subject: arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails + +From: qiuguorui1 + +commit 656d1d58d8e0958d372db86c24f0b2ea36f50888 upstream. + +in function create_dtb(), if fdt_open_into() fails, we need to vfree +buf before return. + +Fixes: 52b2a8af7436 ("arm64: kexec_file: load initrd and device-tree") +Cc: stable@vger.kernel.org # v5.0 +Signed-off-by: qiuguorui1 +Link: https://lore.kernel.org/r/20210218125900.6810-1-qiuguorui1@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/machine_kexec_file.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kernel/machine_kexec_file.c ++++ b/arch/arm64/kernel/machine_kexec_file.c +@@ -182,8 +182,10 @@ static int create_dtb(struct kimage *ima + + /* duplicate a device tree blob */ + ret = fdt_open_into(initial_boot_params, buf, buf_size); +- if (ret) ++ if (ret) { ++ vfree(buf); + return -EINVAL; ++ } + + ret = setup_dtb(image, initrd_load_addr, initrd_len, + cmdline, buf); diff --git a/queue-5.11/arm64-module-set-plt-section-addresses-to-0x0.patch b/queue-5.11/arm64-module-set-plt-section-addresses-to-0x0.patch new file mode 100644 index 00000000000..7f41a94a9e2 --- /dev/null +++ b/queue-5.11/arm64-module-set-plt-section-addresses-to-0x0.patch @@ -0,0 +1,39 @@ +From f5c6d0fcf90ce07ee0d686d465b19b247ebd5ed7 Mon Sep 17 00:00:00 2001 +From: Shaoying Xu +Date: Tue, 16 Feb 2021 18:32:34 +0000 +Subject: arm64 module: set plt* section addresses to 0x0 + +From: Shaoying Xu + +commit f5c6d0fcf90ce07ee0d686d465b19b247ebd5ed7 upstream. + +These plt* and .text.ftrace_trampoline sections specified for arm64 have +non-zero addressses. Non-zero section addresses in a relocatable ELF would +confuse GDB when it tries to compute the section offsets and it ends up +printing wrong symbol addresses. Therefore, set them to zero, which mirrors +the change in commit 5d8591bc0fba ("module: set ksymtab/kcrctab* section +addresses to 0x0"). + +Reported-by: Frank van der Linden +Signed-off-by: Shaoying Xu +Cc: +Link: https://lore.kernel.org/r/20210216183234.GA23876@amazon.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/module.lds.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm64/include/asm/module.lds.h ++++ b/arch/arm64/include/asm/module.lds.h +@@ -1,7 +1,7 @@ + #ifdef CONFIG_ARM64_MODULE_PLTS + SECTIONS { +- .plt (NOLOAD) : { BYTE(0) } +- .init.plt (NOLOAD) : { BYTE(0) } +- .text.ftrace_trampoline (NOLOAD) : { BYTE(0) } ++ .plt 0 (NOLOAD) : { BYTE(0) } ++ .init.plt 0 (NOLOAD) : { BYTE(0) } ++ .text.ftrace_trampoline 0 (NOLOAD) : { BYTE(0) } + } + #endif diff --git a/queue-5.11/arm64-spectre-prevent-lockdep-splat-on-v4-mitigation-enable-path.patch b/queue-5.11/arm64-spectre-prevent-lockdep-splat-on-v4-mitigation-enable-path.patch new file mode 100644 index 00000000000..d451cc9e309 --- /dev/null +++ b/queue-5.11/arm64-spectre-prevent-lockdep-splat-on-v4-mitigation-enable-path.patch @@ -0,0 +1,88 @@ +From a2c42bbabbe260b7626d8459093631a6e16ee0ee Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 18 Feb 2021 14:03:46 +0000 +Subject: arm64: spectre: Prevent lockdep splat on v4 mitigation enable path + +From: Will Deacon + +commit a2c42bbabbe260b7626d8459093631a6e16ee0ee upstream. + +The Spectre-v4 workaround is re-configured when resuming from suspend, +as the firmware may have re-enabled the mitigation despite the user +previously asking for it to be disabled. + +Enabling or disabling the workaround can result in an undefined +instruction exception on CPUs which implement PSTATE.SSBS but only allow +it to be configured by adjusting the SPSR on exception return. We handle +this by installing an 'undef hook' which effectively emulates the access. + +Installing this hook requires us to take a couple of spinlocks both to +avoid corrupting the internal list of hooks but also to ensure that we +don't run into an unhandled exception. Unfortunately, when resuming from +suspend, we haven't yet called rcu_idle_exit() and so lockdep gets angry +about "suspicious RCU usage". In doing so, it tries to print a warning, +which leads it to get even more suspicious, this time about itself: + + | rcu_scheduler_active = 2, debug_locks = 1 + | RCU used illegally from extended quiescent state! + | 1 lock held by swapper/0: + | #0: (logbuf_lock){-.-.}-{2:2}, at: vprintk_emit+0x88/0x198 + | + | Call trace: + | dump_backtrace+0x0/0x1d8 + | show_stack+0x18/0x24 + | dump_stack+0xe0/0x17c + | lockdep_rcu_suspicious+0x11c/0x134 + | trace_lock_release+0xa0/0x160 + | lock_release+0x3c/0x290 + | _raw_spin_unlock+0x44/0x80 + | vprintk_emit+0xbc/0x198 + | vprintk_default+0x44/0x6c + | vprintk_func+0x1f4/0x1fc + | printk+0x54/0x7c + | lockdep_rcu_suspicious+0x30/0x134 + | trace_lock_acquire+0xa0/0x188 + | lock_acquire+0x50/0x2fc + | _raw_spin_lock+0x68/0x80 + | spectre_v4_enable_mitigation+0xa8/0x30c + | __cpu_suspend_exit+0xd4/0x1a8 + | cpu_suspend+0xa0/0x104 + | psci_cpu_suspend_enter+0x3c/0x5c + | psci_enter_idle_state+0x44/0x74 + | cpuidle_enter_state+0x148/0x2f8 + | cpuidle_enter+0x38/0x50 + | do_idle+0x1f0/0x2b4 + +Prevent these splats by running __cpu_suspend_exit() with RCU watching. + +Cc: Mark Rutland +Cc: Lorenzo Pieralisi +Cc: Peter Zijlstra +Cc: Boqun Feng +Cc: Marc Zyngier +Cc: Saravana Kannan +Suggested-by: "Paul E . McKenney" +Reported-by: Sami Tolvanen +Fixes: c28762070ca6 ("arm64: Rewrite Spectre-v4 mitigation code") +Cc: +Acked-by: Paul E. McKenney +Acked-by: Marc Zyngier +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20210218140346.5224-1-will@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/suspend.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kernel/suspend.c ++++ b/arch/arm64/kernel/suspend.c +@@ -119,7 +119,7 @@ int cpu_suspend(unsigned long arg, int ( + if (!ret) + ret = -EOPNOTSUPP; + } else { +- __cpu_suspend_exit(); ++ RCU_NONIDLE(__cpu_suspend_exit()); + } + + unpause_graph_tracing(); diff --git a/queue-5.11/arm64-uprobe-return-eopnotsupp-for-aarch32-instruction-probing.patch b/queue-5.11/arm64-uprobe-return-eopnotsupp-for-aarch32-instruction-probing.patch new file mode 100644 index 00000000000..bc270e64b0d --- /dev/null +++ b/queue-5.11/arm64-uprobe-return-eopnotsupp-for-aarch32-instruction-probing.patch @@ -0,0 +1,38 @@ +From d47422d953e258ad587b5edf2274eb95d08bdc7d Mon Sep 17 00:00:00 2001 +From: He Zhe +Date: Tue, 23 Feb 2021 16:25:34 +0800 +Subject: arm64: uprobe: Return EOPNOTSUPP for AARCH32 instruction probing + +From: He Zhe + +commit d47422d953e258ad587b5edf2274eb95d08bdc7d upstream. + +As stated in linux/errno.h, ENOTSUPP should never be seen by user programs. +When we set up uprobe with 32-bit perf and arm64 kernel, we would see the +following vague error without useful hint. + +The sys_perf_event_open() syscall returned with 524 (INTERNAL ERROR: +strerror_r(524, [buf], 128)=22) + +Use EOPNOTSUPP instead to indicate such cases. + +Signed-off-by: He Zhe +Link: https://lore.kernel.org/r/20210223082535.48730-1-zhe.he@windriver.com +Cc: +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/probes/uprobes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kernel/probes/uprobes.c ++++ b/arch/arm64/kernel/probes/uprobes.c +@@ -38,7 +38,7 @@ int arch_uprobe_analyze_insn(struct arch + + /* TODO: Currently we do not support AARCH32 instruction probing */ + if (mm->context.flags & MMCF_AARCH32) +- return -ENOTSUPP; ++ return -EOPNOTSUPP; + else if (!IS_ALIGNED(addr, AARCH64_INSN_SIZE)) + return -EINVAL; + diff --git a/queue-5.11/coresight-etm4x-handle-accesses-to-trcstallctlr.patch b/queue-5.11/coresight-etm4x-handle-accesses-to-trcstallctlr.patch new file mode 100644 index 00000000000..edbfe1bcd98 --- /dev/null +++ b/queue-5.11/coresight-etm4x-handle-accesses-to-trcstallctlr.patch @@ -0,0 +1,73 @@ +From f72896063396b0cb205cbf0fd76ec6ab3ca11c8a Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Mon, 1 Feb 2021 11:13:51 -0700 +Subject: coresight: etm4x: Handle accesses to TRCSTALLCTLR + +From: Suzuki K Poulose + +commit f72896063396b0cb205cbf0fd76ec6ab3ca11c8a upstream. + +TRCSTALLCTLR register is only implemented if + + TRCIDR3.STALLCTL == 0b1 + +Make sure the driver touches the register only it is implemented. + +Link: https://lore.kernel.org/r/20210127184617.3684379-1-suzuki.poulose@arm.com +Cc: stable@vger.kernel.org +Cc: Mathieu Poirier +Cc: Mike Leach +Cc: Leo Yan +Signed-off-by: Suzuki K Poulose +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20210201181351.1475223-32-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/coresight/coresight-etm4x-core.c | 9 ++++++--- + drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 2 +- + 2 files changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c +@@ -226,7 +226,8 @@ static int etm4_enable_hw(struct etmv4_d + writel_relaxed(0x0, drvdata->base + TRCAUXCTLR); + writel_relaxed(config->eventctrl0, drvdata->base + TRCEVENTCTL0R); + writel_relaxed(config->eventctrl1, drvdata->base + TRCEVENTCTL1R); +- writel_relaxed(config->stall_ctrl, drvdata->base + TRCSTALLCTLR); ++ if (drvdata->stallctl) ++ writel_relaxed(config->stall_ctrl, drvdata->base + TRCSTALLCTLR); + writel_relaxed(config->ts_ctrl, drvdata->base + TRCTSCTLR); + writel_relaxed(config->syncfreq, drvdata->base + TRCSYNCPR); + writel_relaxed(config->ccctlr, drvdata->base + TRCCCCTLR); +@@ -1288,7 +1289,8 @@ static int etm4_cpu_save(struct etmv4_dr + state->trcauxctlr = readl(drvdata->base + TRCAUXCTLR); + state->trceventctl0r = readl(drvdata->base + TRCEVENTCTL0R); + state->trceventctl1r = readl(drvdata->base + TRCEVENTCTL1R); +- state->trcstallctlr = readl(drvdata->base + TRCSTALLCTLR); ++ if (drvdata->stallctl) ++ state->trcstallctlr = readl(drvdata->base + TRCSTALLCTLR); + state->trctsctlr = readl(drvdata->base + TRCTSCTLR); + state->trcsyncpr = readl(drvdata->base + TRCSYNCPR); + state->trcccctlr = readl(drvdata->base + TRCCCCTLR); +@@ -1398,7 +1400,8 @@ static void etm4_cpu_restore(struct etmv + writel_relaxed(state->trcauxctlr, drvdata->base + TRCAUXCTLR); + writel_relaxed(state->trceventctl0r, drvdata->base + TRCEVENTCTL0R); + writel_relaxed(state->trceventctl1r, drvdata->base + TRCEVENTCTL1R); +- writel_relaxed(state->trcstallctlr, drvdata->base + TRCSTALLCTLR); ++ if (drvdata->stallctl) ++ writel_relaxed(state->trcstallctlr, drvdata->base + TRCSTALLCTLR); + writel_relaxed(state->trctsctlr, drvdata->base + TRCTSCTLR); + writel_relaxed(state->trcsyncpr, drvdata->base + TRCSYNCPR); + writel_relaxed(state->trcccctlr, drvdata->base + TRCCCCTLR); +--- a/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c +@@ -389,7 +389,7 @@ static ssize_t mode_store(struct device + config->eventctrl1 &= ~BIT(12); + + /* bit[8], Instruction stall bit */ +- if (config->mode & ETM_MODE_ISTALL_EN) ++ if ((config->mode & ETM_MODE_ISTALL_EN) && (drvdata->stallctl == true)) + config->stall_ctrl |= BIT(8); + else + config->stall_ctrl &= ~BIT(8); diff --git a/queue-5.11/fs-affs-release-old-buffer-head-on-error-path.patch b/queue-5.11/fs-affs-release-old-buffer-head-on-error-path.patch new file mode 100644 index 00000000000..891d03d79c3 --- /dev/null +++ b/queue-5.11/fs-affs-release-old-buffer-head-on-error-path.patch @@ -0,0 +1,35 @@ +From 70779b897395b330ba5a47bed84f94178da599f9 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Wed, 20 Jan 2021 00:51:13 -0800 +Subject: fs/affs: release old buffer head on error path + +From: Pan Bian + +commit 70779b897395b330ba5a47bed84f94178da599f9 upstream. + +The reference count of the old buffer head should be decremented on path +that fails to get the new buffer head. + +Fixes: 6b4657667ba0 ("fs/affs: add rename exchange") +CC: stable@vger.kernel.org # 4.14+ +Signed-off-by: Pan Bian +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/affs/namei.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/affs/namei.c ++++ b/fs/affs/namei.c +@@ -460,8 +460,10 @@ affs_xrename(struct inode *old_dir, stru + return -EIO; + + bh_new = affs_bread(sb, d_inode(new_dentry)->i_ino); +- if (!bh_new) ++ if (!bh_new) { ++ affs_brelse(bh_old); + return -EIO; ++ } + + /* Remove old header from its parent directory. */ + affs_lock_dir(old_dir); diff --git a/queue-5.11/hugetlb-fix-copy_huge_page_from_user-contig-page-struct-assumption.patch b/queue-5.11/hugetlb-fix-copy_huge_page_from_user-contig-page-struct-assumption.patch new file mode 100644 index 00000000000..581eeb12d28 --- /dev/null +++ b/queue-5.11/hugetlb-fix-copy_huge_page_from_user-contig-page-struct-assumption.patch @@ -0,0 +1,67 @@ +From 3272cfc2525b3a2810a59312d7a1e6f04a0ca3ef Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Wed, 24 Feb 2021 12:07:54 -0800 +Subject: hugetlb: fix copy_huge_page_from_user contig page struct assumption + +From: Mike Kravetz + +commit 3272cfc2525b3a2810a59312d7a1e6f04a0ca3ef upstream. + +page structs are not guaranteed to be contiguous for gigantic pages. The +routine copy_huge_page_from_user can encounter gigantic pages, yet it +assumes page structs are contiguous when copying pages from user space. + +Since page structs for the target gigantic page are not contiguous, the +data copied from user space could overwrite other pages not associated +with the gigantic page and cause data corruption. + +Non-contiguous page structs are generally not an issue. However, they can +exist with a specific kernel configuration and hotplug operations. For +example: Configure the kernel with CONFIG_SPARSEMEM and +!CONFIG_SPARSEMEM_VMEMMAP. Then, hotplug add memory for the area where +the gigantic page will be allocated. + +Link: https://lkml.kernel.org/r/20210217184926.33567-2-mike.kravetz@oracle.com +Fixes: 8fb5debc5fcd ("userfaultfd: hugetlbfs: add hugetlb_mcopy_atomic_pte for userfaultfd support") +Signed-off-by: Mike Kravetz +Cc: Zi Yan +Cc: Davidlohr Bueso +Cc: "Kirill A . Shutemov" +Cc: Andrea Arcangeli +Cc: Matthew Wilcox +Cc: Oscar Salvador +Cc: Joao Martins +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -5204,17 +5204,19 @@ long copy_huge_page_from_user(struct pag + void *page_kaddr; + unsigned long i, rc = 0; + unsigned long ret_val = pages_per_huge_page * PAGE_SIZE; ++ struct page *subpage = dst_page; + +- for (i = 0; i < pages_per_huge_page; i++) { ++ for (i = 0; i < pages_per_huge_page; ++ i++, subpage = mem_map_next(subpage, dst_page, i)) { + if (allow_pagefault) +- page_kaddr = kmap(dst_page + i); ++ page_kaddr = kmap(subpage); + else +- page_kaddr = kmap_atomic(dst_page + i); ++ page_kaddr = kmap_atomic(subpage); + rc = copy_from_user(page_kaddr, + (const void __user *)(src + i * PAGE_SIZE), + PAGE_SIZE); + if (allow_pagefault) +- kunmap(dst_page + i); ++ kunmap(subpage); + else + kunmap_atomic(page_kaddr); + diff --git a/queue-5.11/hugetlb-fix-update_and_free_page-contig-page-struct-assumption.patch b/queue-5.11/hugetlb-fix-update_and_free_page-contig-page-struct-assumption.patch new file mode 100644 index 00000000000..9a6817de2e4 --- /dev/null +++ b/queue-5.11/hugetlb-fix-update_and_free_page-contig-page-struct-assumption.patch @@ -0,0 +1,68 @@ +From dbfee5aee7e54f83d96ceb8e3e80717fac62ad63 Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Wed, 24 Feb 2021 12:07:50 -0800 +Subject: hugetlb: fix update_and_free_page contig page struct assumption +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mike Kravetz + +commit dbfee5aee7e54f83d96ceb8e3e80717fac62ad63 upstream. + +page structs are not guaranteed to be contiguous for gigantic pages. The +routine update_and_free_page can encounter a gigantic page, yet it assumes +page structs are contiguous when setting page flags in subpages. + +If update_and_free_page encounters non-contiguous page structs, we can see +“BUG: Bad page state in process …” errors. + +Non-contiguous page structs are generally not an issue. However, they can +exist with a specific kernel configuration and hotplug operations. For +example: Configure the kernel with CONFIG_SPARSEMEM and +!CONFIG_SPARSEMEM_VMEMMAP. Then, hotplug add memory for the area where +the gigantic page will be allocated. Zi Yan outlined steps to reproduce +here [1]. + +[1] https://lore.kernel.org/linux-mm/16F7C58B-4D79-41C5-9B64-A1A1628F4AF2@nvidia.com/ + +Link: https://lkml.kernel.org/r/20210217184926.33567-1-mike.kravetz@oracle.com +Fixes: 944d9fec8d7a ("hugetlb: add support for gigantic page allocation at runtime") +Signed-off-by: Zi Yan +Signed-off-by: Mike Kravetz +Cc: Zi Yan +Cc: Davidlohr Bueso +Cc: "Kirill A . Shutemov" +Cc: Andrea Arcangeli +Cc: Matthew Wilcox +Cc: Oscar Salvador +Cc: Joao Martins +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/hugetlb.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -1312,14 +1312,16 @@ static inline void destroy_compound_giga + static void update_and_free_page(struct hstate *h, struct page *page) + { + int i; ++ struct page *subpage = page; + + if (hstate_is_gigantic(h) && !gigantic_page_runtime_supported()) + return; + + h->nr_huge_pages--; + h->nr_huge_pages_node[page_to_nid(page)]--; +- for (i = 0; i < pages_per_huge_page(h); i++) { +- page[i].flags &= ~(1 << PG_locked | 1 << PG_error | ++ for (i = 0; i < pages_per_huge_page(h); ++ i++, subpage = mem_map_next(subpage, page, i)) { ++ subpage->flags &= ~(1 << PG_locked | 1 << PG_error | + 1 << PG_referenced | 1 << PG_dirty | + 1 << PG_active | 1 << PG_private | + 1 << PG_writeback); diff --git a/queue-5.11/iommu-arm-smmu-qcom-fix-mask-extraction-for-bootloader-programmed-smrs.patch b/queue-5.11/iommu-arm-smmu-qcom-fix-mask-extraction-for-bootloader-programmed-smrs.patch new file mode 100644 index 00000000000..e8fad2d6c36 --- /dev/null +++ b/queue-5.11/iommu-arm-smmu-qcom-fix-mask-extraction-for-bootloader-programmed-smrs.patch @@ -0,0 +1,51 @@ +From dead723e6f049e9fb6b05e5b93456982798ea961 Mon Sep 17 00:00:00 2001 +From: "Isaac J. Manjarres" +Date: Mon, 25 Jan 2021 13:52:25 -0800 +Subject: iommu/arm-smmu-qcom: Fix mask extraction for bootloader programmed SMRs + +From: Isaac J. Manjarres + +commit dead723e6f049e9fb6b05e5b93456982798ea961 upstream. + +When extracting the mask for a SMR that was programmed by the +bootloader, the SMR's valid bit is also extracted and is treated +as part of the mask, which is not correct. Consider the scenario +where an SMMU master whose context is determined by a bootloader +programmed SMR is removed (omitting parts of device/driver core): + +->iommu_release_device() + -> arm_smmu_release_device() + -> arm_smmu_master_free_smes() + -> arm_smmu_free_sme() /* Assume that the SME is now free */ + -> arm_smmu_write_sme() + -> arm_smmu_write_smr() /* Construct SMR value using mask and SID */ + +Since the valid bit was considered as part of the mask, the SMR will +be programmed as valid. + +Fix the SMR mask extraction step for bootloader programmed SMRs +by masking out the valid bit when we know that we're already +working with a valid SMR. + +Fixes: 07a7f2caaa5a ("iommu/arm-smmu-qcom: Read back stream mappings") +Signed-off-by: Isaac J. Manjarres +Cc: stable@vger.kernel.org +Reviewed-by: Robin Murphy +Link: https://lore.kernel.org/r/1611611545-19055-1-git-send-email-isaacm@codeaurora.org +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +@@ -206,6 +206,8 @@ static int qcom_smmu_cfg_probe(struct ar + smr = arm_smmu_gr0_read(smmu, ARM_SMMU_GR0_SMR(i)); + + if (FIELD_GET(ARM_SMMU_SMR_VALID, smr)) { ++ /* Ignore valid bit for SMR mask extraction. */ ++ smr &= ~ARM_SMMU_SMR_VALID; + smmu->smrs[i].id = FIELD_GET(ARM_SMMU_SMR_ID, smr); + smmu->smrs[i].mask = FIELD_GET(ARM_SMMU_SMR_MASK, smr); + smmu->smrs[i].valid = true; diff --git a/queue-5.11/kvm-nsvm-fix-running-nested-guests-when-npt-0.patch b/queue-5.11/kvm-nsvm-fix-running-nested-guests-when-npt-0.patch new file mode 100644 index 00000000000..106902d52c6 --- /dev/null +++ b/queue-5.11/kvm-nsvm-fix-running-nested-guests-when-npt-0.patch @@ -0,0 +1,61 @@ +From a04aead144fd938c2d9869eb187e5b9ea0009bae Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 18 Feb 2021 07:16:59 -0500 +Subject: KVM: nSVM: fix running nested guests when npt=0 + +From: Paolo Bonzini + +commit a04aead144fd938c2d9869eb187e5b9ea0009bae upstream. + +In case of npt=0 on host, nSVM needs the same .inject_page_fault tweak +as VMX has, to make sure that shadow mmu faults are injected as vmexits. + +It is not clear why this is needed at all, but for now keep the same +code as VMX and we'll fix it for both. + +Based on a patch by Maxim Levitsky . + +Fixes: 7c86663b68ba ("KVM: nSVM: inject exceptions via svm_check_nested_events") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/nested.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/arch/x86/kvm/svm/nested.c ++++ b/arch/x86/kvm/svm/nested.c +@@ -51,6 +51,23 @@ static void nested_svm_inject_npf_exit(s + nested_svm_vmexit(svm); + } + ++static void svm_inject_page_fault_nested(struct kvm_vcpu *vcpu, struct x86_exception *fault) ++{ ++ struct vcpu_svm *svm = to_svm(vcpu); ++ WARN_ON(!is_guest_mode(vcpu)); ++ ++ if (vmcb_is_intercept(&svm->nested.ctl, INTERCEPT_EXCEPTION_OFFSET + PF_VECTOR) && ++ !svm->nested.nested_run_pending) { ++ svm->vmcb->control.exit_code = SVM_EXIT_EXCP_BASE + PF_VECTOR; ++ svm->vmcb->control.exit_code_hi = 0; ++ svm->vmcb->control.exit_info_1 = fault->error_code; ++ svm->vmcb->control.exit_info_2 = fault->address; ++ nested_svm_vmexit(svm); ++ } else { ++ kvm_inject_page_fault(vcpu, fault); ++ } ++} ++ + static u64 nested_svm_get_tdp_pdptr(struct kvm_vcpu *vcpu, int index) + { + struct vcpu_svm *svm = to_svm(vcpu); +@@ -446,6 +463,9 @@ int enter_svm_guest_mode(struct vcpu_svm + if (ret) + return ret; + ++ if (!npt_enabled) ++ svm->vcpu.arch.mmu->inject_page_fault = svm_inject_page_fault_nested; ++ + svm_set_gif(svm, true); + + return 0; diff --git a/queue-5.11/mailbox-arm_mhuv2-skip-calling-kfree-with-invalid-pointer.patch b/queue-5.11/mailbox-arm_mhuv2-skip-calling-kfree-with-invalid-pointer.patch new file mode 100644 index 00000000000..c2471134cca --- /dev/null +++ b/queue-5.11/mailbox-arm_mhuv2-skip-calling-kfree-with-invalid-pointer.patch @@ -0,0 +1,37 @@ +From 6b50df2b8c208a04d44b8df5b7baaf668ceb8fc3 Mon Sep 17 00:00:00 2001 +From: Viresh Kumar +Date: Mon, 22 Feb 2021 12:48:06 +0530 +Subject: mailbox: arm_mhuv2: Skip calling kfree() with invalid pointer + +From: Viresh Kumar + +commit 6b50df2b8c208a04d44b8df5b7baaf668ceb8fc3 upstream. + +It is possible that 'data' passed to kfree() is set to a error value +instead of allocated space. Make sure it doesn't get called with invalid +pointer. + +Fixes: 5a6338cce9f4 ("mailbox: arm_mhuv2: Add driver") +Cc: v5.11 # v5.11 +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Viresh Kumar +Signed-off-by: Jassi Brar +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mailbox/arm_mhuv2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/mailbox/arm_mhuv2.c ++++ b/drivers/mailbox/arm_mhuv2.c +@@ -699,7 +699,9 @@ static irqreturn_t mhuv2_receiver_interr + ret = IRQ_HANDLED; + } + +- kfree(data); ++ if (!IS_ERR(data)) ++ kfree(data); ++ + return ret; + } + diff --git a/queue-5.11/mm-compaction-make-fast_isolate_freepages-stay-within-zone.patch b/queue-5.11/mm-compaction-make-fast_isolate_freepages-stay-within-zone.patch new file mode 100644 index 00000000000..deecf3b07f0 --- /dev/null +++ b/queue-5.11/mm-compaction-make-fast_isolate_freepages-stay-within-zone.patch @@ -0,0 +1,101 @@ +From 6e2b7044c199229a3d20cefbd3184968238c4184 Mon Sep 17 00:00:00 2001 +From: Vlastimil Babka +Date: Wed, 24 Feb 2021 12:09:39 -0800 +Subject: mm, compaction: make fast_isolate_freepages() stay within zone + +From: Vlastimil Babka + +commit 6e2b7044c199229a3d20cefbd3184968238c4184 upstream. + +Compaction always operates on pages from a single given zone when +isolating both pages to migrate and freepages. Pageblock boundaries are +intersected with zone boundaries to be safe in case zone starts or ends in +the middle of pageblock. The use of pageblock_pfn_to_page() protects +against non-contiguous pageblocks. + +The functions fast_isolate_freepages() and fast_isolate_around() don't +currently protect the fast freepage isolation thoroughly enough against +these corner cases, and can result in freepage isolation operate outside +of zone boundaries: + + - in fast_isolate_freepages() if we get a pfn from the first pageblock + of a zone that starts in the middle of that pageblock, 'highest' can + be a pfn outside of the zone. + + If we fail to isolate anything in this function, we may then call + fast_isolate_around() on a pfn outside of the zone and there + effectively do a set_pageblock_skip(page_to_pfn(highest)) which may + currently hit a VM_BUG_ON() in some configurations + + - fast_isolate_around() checks only the zone end boundary and not + beginning, nor that the pageblock is contiguous (with + pageblock_pfn_to_page()) so it's possible that we end up calling + isolate_freepages_block() on a range of pfn's from two different + zones and end up e.g. isolating freepages under the wrong zone's + lock. + +This patch should fix the above issues. + +Link: https://lkml.kernel.org/r/20210217173300.6394-1-vbabka@suse.cz +Fixes: 5a811889de10 ("mm, compaction: use free lists to quickly locate a migration target") +Signed-off-by: Vlastimil Babka +Acked-by: David Rientjes +Acked-by: Mel Gorman +Cc: Andrea Arcangeli +Cc: David Hildenbrand +Cc: Michal Hocko +Cc: Mike Rapoport +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/compaction.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/mm/compaction.c ++++ b/mm/compaction.c +@@ -1288,7 +1288,7 @@ static void + fast_isolate_around(struct compact_control *cc, unsigned long pfn, unsigned long nr_isolated) + { + unsigned long start_pfn, end_pfn; +- struct page *page = pfn_to_page(pfn); ++ struct page *page; + + /* Do not search around if there are enough pages already */ + if (cc->nr_freepages >= cc->nr_migratepages) +@@ -1299,8 +1299,12 @@ fast_isolate_around(struct compact_contr + return; + + /* Pageblock boundaries */ +- start_pfn = pageblock_start_pfn(pfn); +- end_pfn = min(pageblock_end_pfn(pfn), zone_end_pfn(cc->zone)) - 1; ++ start_pfn = max(pageblock_start_pfn(pfn), cc->zone->zone_start_pfn); ++ end_pfn = min(pageblock_end_pfn(pfn), zone_end_pfn(cc->zone)); ++ ++ page = pageblock_pfn_to_page(start_pfn, end_pfn, cc->zone); ++ if (!page) ++ return; + + /* Scan before */ + if (start_pfn != pfn) { +@@ -1402,7 +1406,8 @@ fast_isolate_freepages(struct compact_co + pfn = page_to_pfn(freepage); + + if (pfn >= highest) +- highest = pageblock_start_pfn(pfn); ++ highest = max(pageblock_start_pfn(pfn), ++ cc->zone->zone_start_pfn); + + if (pfn >= low_pfn) { + cc->fast_search_fail = 0; +@@ -1472,7 +1477,8 @@ fast_isolate_freepages(struct compact_co + } else { + if (cc->direct_compaction && pfn_valid(min_pfn)) { + page = pageblock_pfn_to_page(min_pfn, +- pageblock_end_pfn(min_pfn), ++ min(pageblock_end_pfn(min_pfn), ++ zone_end_pfn(cc->zone)), + cc->zone); + cc->free_pfn = min_pfn; + } diff --git a/queue-5.11/mm-memcontrol-fix-get_active_memcg-return-value.patch b/queue-5.11/mm-memcontrol-fix-get_active_memcg-return-value.patch new file mode 100644 index 00000000000..0ff7fb3efe9 --- /dev/null +++ b/queue-5.11/mm-memcontrol-fix-get_active_memcg-return-value.patch @@ -0,0 +1,49 @@ +From 1685bde6b9af55923180a76152036c7fb7176db0 Mon Sep 17 00:00:00 2001 +From: Muchun Song +Date: Wed, 24 Feb 2021 12:04:22 -0800 +Subject: mm: memcontrol: fix get_active_memcg return value + +From: Muchun Song + +commit 1685bde6b9af55923180a76152036c7fb7176db0 upstream. + +We use a global percpu int_active_memcg variable to store the remote memcg +when we are in the interrupt context. But get_active_memcg always return +the current->active_memcg or root_mem_cgroup. The remote memcg (set in +the interrupt context) is ignored. This is not what we want. So fix it. + +Link: https://lkml.kernel.org/r/20210223091101.42150-1-songmuchun@bytedance.com +Fixes: 37d5985c003d ("mm: kmem: prepare remote memcg charging infra for interrupt contexts") +Signed-off-by: Muchun Song +Reviewed-by: Shakeel Butt +Reviewed-by: Roman Gushchin +Cc: Johannes Weiner +Cc: Michal Hocko +Cc: Vladimir Davydov +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/memcontrol.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -1080,13 +1080,9 @@ static __always_inline struct mem_cgroup + + rcu_read_lock(); + memcg = active_memcg(); +- if (memcg) { +- /* current->active_memcg must hold a ref. */ +- if (WARN_ON_ONCE(!css_tryget(&memcg->css))) +- memcg = root_mem_cgroup; +- else +- memcg = current->active_memcg; +- } ++ /* remote memcg must hold a ref. */ ++ if (memcg && WARN_ON_ONCE(!css_tryget(&memcg->css))) ++ memcg = root_mem_cgroup; + rcu_read_unlock(); + + return memcg; diff --git a/queue-5.11/mm-memcontrol-fix-swap-undercounting-in-cgroup2.patch b/queue-5.11/mm-memcontrol-fix-swap-undercounting-in-cgroup2.patch new file mode 100644 index 00000000000..15e03212b81 --- /dev/null +++ b/queue-5.11/mm-memcontrol-fix-swap-undercounting-in-cgroup2.patch @@ -0,0 +1,79 @@ +From cae3af62b33aa931427a0f211e04347b22180b36 Mon Sep 17 00:00:00 2001 +From: Muchun Song +Date: Wed, 24 Feb 2021 12:04:19 -0800 +Subject: mm: memcontrol: fix swap undercounting in cgroup2 + +From: Muchun Song + +commit cae3af62b33aa931427a0f211e04347b22180b36 upstream. + +When pages are swapped in, the VM may retain the swap copy to avoid +repeated writes in the future. It's also retained if shared pages are +faulted back in some processes, but not in others. During that time we +have an in-memory copy of the page, as well as an on-swap copy. Cgroup1 +and cgroup2 handle these overlapping lifetimes slightly differently due to +the nature of how they account memory and swap: + +Cgroup1 has a unified memory+swap counter that tracks a data page +regardless whether it's in-core or swapped out. On swapin, we transfer +the charge from the swap entry to the newly allocated swapcache page, even +though the swap entry might stick around for a while. That's why we have +a mem_cgroup_uncharge_swap() call inside mem_cgroup_charge(). + +Cgroup2 tracks memory and swap as separate, independent resources and thus +has split memory and swap counters. On swapin, we charge the newly +allocated swapcache page as memory, while the swap slot in turn must +remain charged to the swap counter as long as its allocated too. + +The cgroup2 logic was broken by commit 2d1c498072de ("mm: memcontrol: make +swap tracking an integral part of memory control"), because it +accidentally removed the do_memsw_account() check in the branch inside +mem_cgroup_uncharge() that was supposed to tell the difference between the +charge transfer in cgroup1 and the separate counters in cgroup2. + +As a result, cgroup2 currently undercounts retained swap to varying +degrees: swap slots are cached up to 50% of the configured limit or total +available swap space; partially faulted back shared pages are only limited +by physical capacity. This in turn allows cgroups to significantly +overconsume their alloted swap space. + +Add the do_memsw_account() check back to fix this problem. + +Link: https://lkml.kernel.org/r/20210217153237.92484-1-songmuchun@bytedance.com +Fixes: 2d1c498072de ("mm: memcontrol: make swap tracking an integral part of memory control") +Signed-off-by: Muchun Song +Acked-by: Johannes Weiner +Reviewed-by: Shakeel Butt +Acked-by: Michal Hocko +Cc: Vladimir Davydov +Cc: [5.8+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/memcontrol.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -6758,7 +6758,19 @@ int mem_cgroup_charge(struct page *page, + memcg_check_events(memcg, page); + local_irq_enable(); + +- if (PageSwapCache(page)) { ++ /* ++ * Cgroup1's unified memory+swap counter has been charged with the ++ * new swapcache page, finish the transfer by uncharging the swap ++ * slot. The swap slot would also get uncharged when it dies, but ++ * it can stick around indefinitely and we'd count the page twice ++ * the entire time. ++ * ++ * Cgroup2 has separate resource counters for memory and swap, ++ * so this is a non-issue here. Memory and swap charge lifetimes ++ * correspond 1:1 to page and swap slot lifetimes: we charge the ++ * page to memory here, and uncharge swap when the slot is freed. ++ */ ++ if (do_memsw_account() && PageSwapCache(page)) { + swp_entry_t entry = { .val = page_private(page) }; + /* + * The swap entry might not get freed for a long time, diff --git a/queue-5.11/mm-vmscan-restore-zone_reclaim_mode-abi.patch b/queue-5.11/mm-vmscan-restore-zone_reclaim_mode-abi.patch new file mode 100644 index 00000000000..15a220b5987 --- /dev/null +++ b/queue-5.11/mm-vmscan-restore-zone_reclaim_mode-abi.patch @@ -0,0 +1,96 @@ +From 519983645a9f2ec339cabfa0c6ef7b09be985dd0 Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Wed, 24 Feb 2021 12:09:15 -0800 +Subject: mm/vmscan: restore zone_reclaim_mode ABI + +From: Dave Hansen + +commit 519983645a9f2ec339cabfa0c6ef7b09be985dd0 upstream. + +I went to go add a new RECLAIM_* mode for the zone_reclaim_mode sysctl. +Like a good kernel developer, I also went to go update the +documentation. I noticed that the bits in the documentation didn't +match the bits in the #defines. + +The VM never explicitly checks the RECLAIM_ZONE bit. The bit is, +however implicitly checked when checking 'node_reclaim_mode==0'. The +RECLAIM_ZONE #define was removed in a cleanup. That, by itself is fine. + +But, when the bit was removed (bit 0) the _other_ bit locations also got +changed. That's not OK because the bit values are documented to mean +one specific thing. Users surely do not expect the meaning to change +from kernel to kernel. + +The end result is that if someone had a script that did: + + sysctl vm.zone_reclaim_mode=1 + +it would have gone from enabling node reclaim for clean unmapped pages +to writing out pages during node reclaim after the commit in question. +That's not great. + +Put the bits back the way they were and add a comment so something like +this is a bit harder to do again. Update the documentation to make it +clear that the first bit is ignored. + +Link: https://lkml.kernel.org/r/20210219172555.FF0CDF23@viggo.jf.intel.com +Signed-off-by: Dave Hansen +Fixes: 648b5cf368e0 ("mm/vmscan: remove unused RECLAIM_OFF/RECLAIM_ZONE") +Reviewed-by: Ben Widawsky +Reviewed-by: Oscar Salvador +Acked-by: David Rientjes +Acked-by: Christoph Lameter +Cc: Alex Shi +Cc: Daniel Wagner +Cc: "Tobin C. Harding" +Cc: Christoph Lameter +Cc: Andrew Morton +Cc: Huang Ying +Cc: Dan Williams +Cc: Qian Cai +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/sysctl/vm.rst | 10 +++++----- + mm/vmscan.c | 9 +++++++-- + 2 files changed, 12 insertions(+), 7 deletions(-) + +--- a/Documentation/admin-guide/sysctl/vm.rst ++++ b/Documentation/admin-guide/sysctl/vm.rst +@@ -983,11 +983,11 @@ that benefit from having their data cach + left disabled as the caching effect is likely to be more important than + data locality. + +-zone_reclaim may be enabled if it's known that the workload is partitioned +-such that each partition fits within a NUMA node and that accessing remote +-memory would cause a measurable performance reduction. The page allocator +-will then reclaim easily reusable pages (those page cache pages that are +-currently not used) before allocating off node pages. ++Consider enabling one or more zone_reclaim mode bits if it's known that the ++workload is partitioned such that each partition fits within a NUMA node ++and that accessing remote memory would cause a measurable performance ++reduction. The page allocator will take additional actions before ++allocating off node pages. + + Allowing zone reclaim to write out pages stops processes that are + writing large amounts of data from dirtying pages on other nodes. Zone +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -4095,8 +4095,13 @@ module_init(kswapd_init) + */ + int node_reclaim_mode __read_mostly; + +-#define RECLAIM_WRITE (1<<0) /* Writeout pages during reclaim */ +-#define RECLAIM_UNMAP (1<<1) /* Unmap pages during reclaim */ ++/* ++ * These bit locations are exposed in the vm.zone_reclaim_mode sysctl ++ * ABI. New bits are OK, but existing bits can never change. ++ */ ++#define RECLAIM_ZONE (1<<0) /* Run shrink_inactive_list on the zone */ ++#define RECLAIM_WRITE (1<<1) /* Writeout pages during reclaim */ ++#define RECLAIM_UNMAP (1<<2) /* Unmap pages during reclaim */ + + /* + * Priority for NODE_RECLAIM. This determines the fraction of pages diff --git a/queue-5.11/mtd-spi-nor-core-add-erase-size-check-for-erase-command-initialization.patch b/queue-5.11/mtd-spi-nor-core-add-erase-size-check-for-erase-command-initialization.patch new file mode 100644 index 00000000000..cc1676a0149 --- /dev/null +++ b/queue-5.11/mtd-spi-nor-core-add-erase-size-check-for-erase-command-initialization.patch @@ -0,0 +1,35 @@ +From 58fa22f68fcaff20ce4d08a6adffa64f65ccd37d Mon Sep 17 00:00:00 2001 +From: Takahiro Kuwano +Date: Fri, 2 Oct 2020 14:18:02 +0900 +Subject: mtd: spi-nor: core: Add erase size check for erase command initialization + +From: Takahiro Kuwano + +commit 58fa22f68fcaff20ce4d08a6adffa64f65ccd37d upstream. + +Even if erase type is same as previous region, erase size can be different +if the previous region is overlaid region. Since 'region->size' is assigned +to 'cmd->size' for overlaid region, comparing 'erase->size' and 'cmd->size' +can detect previous overlaid region. + +Fixes: 5390a8df769e ("mtd: spi-nor: add support to non-uniform SFDP SPI NOR flash memories") +Cc: stable@vger.kernel.org +Signed-off-by: Takahiro Kuwano +[ta: Add Fixes tag and Cc to stable] +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/13d47e8d8991b8a7fd8cc7b9e2a5319c56df35cc.1601612872.git.Takahiro.Kuwano@infineon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mtd/spi-nor/core.c ++++ b/drivers/mtd/spi-nor/core.c +@@ -1516,6 +1516,7 @@ static int spi_nor_init_erase_cmd_list(s + goto destroy_erase_cmd_list; + + if (prev_erase != erase || ++ erase->size != cmd->size || + region->offset & SNOR_OVERLAID_REGION) { + cmd = spi_nor_init_erase_cmd(region, erase); + if (IS_ERR(cmd)) { diff --git a/queue-5.11/mtd-spi-nor-core-fix-erase-type-discovery-for-overlaid-region.patch b/queue-5.11/mtd-spi-nor-core-fix-erase-type-discovery-for-overlaid-region.patch new file mode 100644 index 00000000000..afbd704a80b --- /dev/null +++ b/queue-5.11/mtd-spi-nor-core-fix-erase-type-discovery-for-overlaid-region.patch @@ -0,0 +1,50 @@ +From 969b276718de37dfe66fce3a5633f611e8cd58fd Mon Sep 17 00:00:00 2001 +From: Takahiro Kuwano +Date: Fri, 2 Oct 2020 14:18:01 +0900 +Subject: mtd: spi-nor: core: Fix erase type discovery for overlaid region + +From: Takahiro Kuwano + +commit 969b276718de37dfe66fce3a5633f611e8cd58fd upstream. + +In case of overlaid regions in which their biggest erase size command +overpasses in size the region's size, only the non-overlaid portion of +the sector gets erased. For example, if a Sector Erase command is applied +to a 256-kB range that is overlaid by 4-kB sectors, the overlaid 4-kB +sectors are not affected by the erase. +For overlaid regions, 'region->size' is assigned to 'cmd->size' later in +spi_nor_init_erase_cmd(), so 'erase->size' can be greater than 'len'. + +Fixes: 5390a8df769e ("mtd: spi-nor: add support to non-uniform SFDP SPI NOR flash memories") +Cc: stable@vger.kernel.org +Signed-off-by: Takahiro Kuwano +[ta: Update commit description, add Fixes tag and Cc to stable] +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/fa5d8b944a5cca488ac54ba37c95e775ac2deb34.1601612872.git.Takahiro.Kuwano@infineon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/core.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/spi-nor/core.c ++++ b/drivers/mtd/spi-nor/core.c +@@ -1364,14 +1364,15 @@ spi_nor_find_best_erase_type(const struc + + erase = &map->erase_type[i]; + ++ /* Alignment is not mandatory for overlaid regions */ ++ if (region->offset & SNOR_OVERLAID_REGION && ++ region->size <= len) ++ return erase; ++ + /* Don't erase more than what the user has asked for. */ + if (erase->size > len) + continue; + +- /* Alignment is not mandatory for overlaid regions */ +- if (region->offset & SNOR_OVERLAID_REGION) +- return erase; +- + spi_nor_div_by_erase_size(erase, addr, &rem); + if (rem) + continue; diff --git a/queue-5.11/mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch b/queue-5.11/mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch new file mode 100644 index 00000000000..8d956028ef9 --- /dev/null +++ b/queue-5.11/mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch @@ -0,0 +1,36 @@ +From fe6653460ee7a7dbe0cd5fd322992af862ce5ab0 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Thu, 21 Jan 2021 01:18:47 -0800 +Subject: mtd: spi-nor: hisi-sfc: Put child node np on error path + +From: Pan Bian + +commit fe6653460ee7a7dbe0cd5fd322992af862ce5ab0 upstream. + +Put the child node np when it fails to get or register device. + +Fixes: e523f11141bd ("mtd: spi-nor: add hisilicon spi-nor flash controller driver") +Cc: stable@vger.kernel.org +Signed-off-by: Pan Bian +[ta: Add Fixes tag and Cc stable] +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20210121091847.85362-1-bianpan2016@163.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/controllers/hisi-sfc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/spi-nor/controllers/hisi-sfc.c ++++ b/drivers/mtd/spi-nor/controllers/hisi-sfc.c +@@ -399,8 +399,10 @@ static int hisi_spi_nor_register_all(str + + for_each_available_child_of_node(dev->of_node, np) { + ret = hisi_spi_nor_register(np, host); +- if (ret) ++ if (ret) { ++ of_node_put(np); + goto fail; ++ } + + if (host->num_chip == HIFMC_MAX_CHIP_NUM) { + dev_warn(dev, "Flash device number exceeds the maximum chipselect number\n"); diff --git a/queue-5.11/mtd-spi-nor-sfdp-fix-last-erase-region-marking.patch b/queue-5.11/mtd-spi-nor-sfdp-fix-last-erase-region-marking.patch new file mode 100644 index 00000000000..8f36cccf306 --- /dev/null +++ b/queue-5.11/mtd-spi-nor-sfdp-fix-last-erase-region-marking.patch @@ -0,0 +1,42 @@ +From 9166f4af32db74e1544a2149aef231ff24515ea3 Mon Sep 17 00:00:00 2001 +From: Takahiro Kuwano +Date: Fri, 2 Oct 2020 14:18:00 +0900 +Subject: mtd: spi-nor: sfdp: Fix last erase region marking + +From: Takahiro Kuwano + +commit 9166f4af32db74e1544a2149aef231ff24515ea3 upstream. + +The place of spi_nor_region_mark_end() must be moved, because 'i' is +re-used for the index of erase[]. + +Fixes: b038e8e3be72 ("mtd: spi-nor: parse SFDP Sector Map Parameter Table") +Cc: stable@vger.kernel.org +Signed-off-by: Takahiro Kuwano +[ta: Add Fixes tag and Cc to stable] +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/02ce8d84b7989ebee33382f6494df53778dd508e.1601612872.git.Takahiro.Kuwano@infineon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/sfdp.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/mtd/spi-nor/sfdp.c ++++ b/drivers/mtd/spi-nor/sfdp.c +@@ -858,6 +858,7 @@ spi_nor_init_non_uniform_erase_map(struc + offset = (region[i].offset & ~SNOR_ERASE_FLAGS_MASK) + + region[i].size; + } ++ spi_nor_region_mark_end(®ion[i - 1]); + + save_uniform_erase_type = map->uniform_erase_type; + map->uniform_erase_type = spi_nor_sort_erase_mask(map, +@@ -881,8 +882,6 @@ spi_nor_init_non_uniform_erase_map(struc + if (!(regions_erase_type & BIT(erase[i].idx))) + spi_nor_set_erase_type(&erase[i], 0, 0xFF); + +- spi_nor_region_mark_end(®ion[i - 1]); +- + return 0; + } + diff --git a/queue-5.11/mtd-spi-nor-sfdp-fix-wrong-erase-type-bitmask-for-overlaid-region.patch b/queue-5.11/mtd-spi-nor-sfdp-fix-wrong-erase-type-bitmask-for-overlaid-region.patch new file mode 100644 index 00000000000..9b8d82a552c --- /dev/null +++ b/queue-5.11/mtd-spi-nor-sfdp-fix-wrong-erase-type-bitmask-for-overlaid-region.patch @@ -0,0 +1,35 @@ +From abdf5a5ef9652bad4d58058bc22ddf23543ba3e1 Mon Sep 17 00:00:00 2001 +From: Takahiro Kuwano +Date: Fri, 2 Oct 2020 14:17:59 +0900 +Subject: mtd: spi-nor: sfdp: Fix wrong erase type bitmask for overlaid region + +From: Takahiro Kuwano + +commit abdf5a5ef9652bad4d58058bc22ddf23543ba3e1 upstream. + +At the time spi_nor_region_check_overlay() is called, the erase types are +sorted in ascending order of erase size. The 'erase_type' should be masked +with 'BIT(erase[i].idx)' instead of 'BIT(i)'. + +Fixes: b038e8e3be72 ("mtd: spi-nor: parse SFDP Sector Map Parameter Table") +Cc: stable@vger.kernel.org +Signed-off-by: Takahiro Kuwano +[ta: Add Fixes tag and Cc to stable] +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/fd90c40d5b626a1319a78fc2bcee79a8871d4d57.1601612872.git.Takahiro.Kuwano@infineon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/sfdp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/spi-nor/sfdp.c ++++ b/drivers/mtd/spi-nor/sfdp.c +@@ -788,7 +788,7 @@ spi_nor_region_check_overlay(struct spi_ + int i; + + for (i = 0; i < SNOR_ERASE_TYPE_MAX; i++) { +- if (!(erase_type & BIT(i))) ++ if (!(erase[i].size && erase_type & BIT(erase[i].idx))) + continue; + if (region->size & erase[i].size_mask) { + spi_nor_region_mark_overlay(region); diff --git a/queue-5.11/riscv-disable-ksan_sanitize-for-vdso.patch b/queue-5.11/riscv-disable-ksan_sanitize-for-vdso.patch new file mode 100644 index 00000000000..bed0bfc298f --- /dev/null +++ b/queue-5.11/riscv-disable-ksan_sanitize-for-vdso.patch @@ -0,0 +1,43 @@ +From f3d60f2a25e4417e1676161fe42115de3e3f98a2 Mon Sep 17 00:00:00 2001 +From: Tobias Klauser +Date: Tue, 16 Feb 2021 18:33:05 +0100 +Subject: riscv: Disable KSAN_SANITIZE for vDSO + +From: Tobias Klauser + +commit f3d60f2a25e4417e1676161fe42115de3e3f98a2 upstream. + +We use the generic C VDSO implementations of a handful of clock-related +functions. When kasan is enabled this results in asan stub calls that +are unlikely to be resolved by userspace, this just disables KASAN +when building the VDSO. + +Verified the fix on a kernel with KASAN enabled using vDSO selftests. + +Link: https://lore.kernel.org/lkml/CACT4Y+ZNJBnkKHXUf=tm_yuowvZvHwN=0rmJ=7J+xFd+9r_6pQ@mail.gmail.com/ +Tested-by: Tobias Klauser +Signed-off-by: Tobias Klauser +Tested-by: Dmitry Vyukov +[Palmer: commit text] +Fixes: ad5d1122b82f ("riscv: use vDSO common flow to reduce the latency of the time-related functions") +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/vdso/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/riscv/kernel/vdso/Makefile ++++ b/arch/riscv/kernel/vdso/Makefile +@@ -32,9 +32,10 @@ CPPFLAGS_vdso.lds += -P -C -U$(ARCH) + # Disable -pg to prevent insert call site + CFLAGS_REMOVE_vgettimeofday.o = $(CC_FLAGS_FTRACE) -Os + +-# Disable gcov profiling for VDSO code ++# Disable profiling and instrumentation for VDSO code + GCOV_PROFILE := n + KCOV_INSTRUMENT := n ++KASAN_SANITIZE := n + + # Force dependency + $(obj)/vdso.o: $(obj)/vdso.so diff --git a/queue-5.11/seq_file-document-how-per-entry-resources-are-managed.patch b/queue-5.11/seq_file-document-how-per-entry-resources-are-managed.patch new file mode 100644 index 00000000000..b8a40490404 --- /dev/null +++ b/queue-5.11/seq_file-document-how-per-entry-resources-are-managed.patch @@ -0,0 +1,83 @@ +From b3656d8227f4c45812c6b40815d8f4e446ed372a Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Thu, 25 Feb 2021 17:22:25 -0800 +Subject: seq_file: document how per-entry resources are managed. + +From: NeilBrown + +commit b3656d8227f4c45812c6b40815d8f4e446ed372a upstream. + +Patch series "Fix some seq_file users that were recently broken". + +A recent change to seq_file broke some users which were using seq_file +in a non-"standard" way ... though the "standard" isn't documented, so +they can be excused. The result is a possible leak - of memory in one +case, of references to a 'transport' in the other. + +These three patches: + 1/ document and explain the problem + 2/ fix the problem user in x86 + 3/ fix the problem user in net/sctp + +This patch (of 3): + +Users of seq_file will sometimes find it convenient to take a resource, +such as a lock or memory allocation, in the ->start or ->next operations. +These are per-entry resources, distinct from per-session resources which +are taken in ->start and released in ->stop. + +The preferred management of these is release the resource on the +subsequent call to ->next or ->stop. + +However prior to Commit 1f4aace60b0e ("fs/seq_file.c: simplify seq_file +iteration code and interface") it happened that ->show would always be +called after ->start or ->next, and a few users chose to release the +resource in ->show. + +This is no longer reliable. Since the mentioned commit, ->next will +always come after a successful ->show (to ensure m->index is updated +correctly), so the original ordering cannot be maintained. + +This patch updates the documentation to clearly state the required +behaviour. Other patches will fix the few problematic users. + +[akpm@linux-foundation.org: fix typo, per Willy] + +Link: https://lkml.kernel.org/r/161248518659.21478.2484341937387294998.stgit@noble1 +Link: https://lkml.kernel.org/r/161248539020.21478.3147971477400875336.stgit@noble1 +Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface") +Signed-off-by: NeilBrown +Cc: Xin Long +Cc: Alexander Viro +Cc: Jonathan Corbet +Cc: Ingo Molnar +Cc: Dave Hansen +Cc: Andy Lutomirski +Cc: Peter Zijlstra +Cc: Vlad Yasevich +Cc: Neil Horman +Cc: Marcelo Ricardo Leitner +Cc: "David S. Miller" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/filesystems/seq_file.rst | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/Documentation/filesystems/seq_file.rst ++++ b/Documentation/filesystems/seq_file.rst +@@ -217,6 +217,12 @@ between the calls to start() and stop(), + is a reasonable thing to do. The seq_file code will also avoid taking any + other locks while the iterator is active. + ++The iterater value returned by start() or next() is guaranteed to be ++passed to a subsequent next() or stop() call. This allows resources ++such as locks that were taken to be reliably released. There is *no* ++guarantee that the iterator will be passed to show(), though in practice ++it often will be. ++ + + Formatted output + ================ diff --git a/queue-5.11/series b/queue-5.11/series index 2a592d53c9b..6a5905518fc 100644 --- a/queue-5.11/series +++ b/queue-5.11/series @@ -679,3 +679,29 @@ rcu-nocb-trigger-self-ipi-on-late-deferred-wake-up-before-user-resume.patch entry-explicitly-flush-pending-rcuog-wakeup-before-last-rescheduling-point.patch entry-kvm-explicitly-flush-pending-rcuog-wakeup-before-last-rescheduling-point.patch kprobes-fix-to-delay-the-kprobes-jump-optimization.patch +arm64-extend-workaround-for-erratum-1024718-to-all-versions-of-cortex-a55.patch +iommu-arm-smmu-qcom-fix-mask-extraction-for-bootloader-programmed-smrs.patch +mailbox-arm_mhuv2-skip-calling-kfree-with-invalid-pointer.patch +arm64-kexec_file-fix-memory-leakage-in-create_dtb-when-fdt_open_into-fails.patch +arm64-uprobe-return-eopnotsupp-for-aarch32-instruction-probing.patch +arm64-module-set-plt-section-addresses-to-0x0.patch +arm64-spectre-prevent-lockdep-splat-on-v4-mitigation-enable-path.patch +riscv-disable-ksan_sanitize-for-vdso.patch +watchdog-qcom-remove-incorrect-usage-of-qcom_wdt_enable_irq.patch +watchdog-mei_wdt-request-stop-on-unregister.patch +coresight-etm4x-handle-accesses-to-trcstallctlr.patch +mtd-spi-nor-sfdp-fix-last-erase-region-marking.patch +mtd-spi-nor-sfdp-fix-wrong-erase-type-bitmask-for-overlaid-region.patch +mtd-spi-nor-core-fix-erase-type-discovery-for-overlaid-region.patch +mtd-spi-nor-core-add-erase-size-check-for-erase-command-initialization.patch +mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch +fs-affs-release-old-buffer-head-on-error-path.patch +seq_file-document-how-per-entry-resources-are-managed.patch +x86-fix-seq_file-iteration-for-pat-memtype.c.patch +mm-memcontrol-fix-swap-undercounting-in-cgroup2.patch +mm-memcontrol-fix-get_active_memcg-return-value.patch +hugetlb-fix-update_and_free_page-contig-page-struct-assumption.patch +hugetlb-fix-copy_huge_page_from_user-contig-page-struct-assumption.patch +mm-vmscan-restore-zone_reclaim_mode-abi.patch +mm-compaction-make-fast_isolate_freepages-stay-within-zone.patch +kvm-nsvm-fix-running-nested-guests-when-npt-0.patch diff --git a/queue-5.11/watchdog-mei_wdt-request-stop-on-unregister.patch b/queue-5.11/watchdog-mei_wdt-request-stop-on-unregister.patch new file mode 100644 index 00000000000..c83fb0bfaac --- /dev/null +++ b/queue-5.11/watchdog-mei_wdt-request-stop-on-unregister.patch @@ -0,0 +1,43 @@ +From 740c0a57b8f1e36301218bf549f3c9cc833a60be Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Sun, 24 Jan 2021 13:49:38 +0200 +Subject: watchdog: mei_wdt: request stop on unregister + +From: Alexander Usyskin + +commit 740c0a57b8f1e36301218bf549f3c9cc833a60be upstream. + +The MEI bus has a special behavior on suspend it destroys +all the attached devices, this is due to the fact that also +firmware context is not persistent across power flows. + +If watchdog on MEI bus is ticking before suspending the firmware +times out and reports that the OS is missing watchdog tick. +Send the stop command to the firmware on watchdog unregistered +to eliminate the false event on suspend. +This does not make the things worse from the user-space perspective +as a user-space should re-open watchdog device after +suspending before this patch. + +Cc: +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20210124114938.373885-1-tomas.winkler@intel.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/mei_wdt.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/watchdog/mei_wdt.c ++++ b/drivers/watchdog/mei_wdt.c +@@ -382,6 +382,7 @@ static int mei_wdt_register(struct mei_w + + watchdog_set_drvdata(&wdt->wdd, wdt); + watchdog_stop_on_reboot(&wdt->wdd); ++ watchdog_stop_on_unregister(&wdt->wdd); + + ret = watchdog_register_device(&wdt->wdd); + if (ret) diff --git a/queue-5.11/watchdog-qcom-remove-incorrect-usage-of-qcom_wdt_enable_irq.patch b/queue-5.11/watchdog-qcom-remove-incorrect-usage-of-qcom_wdt_enable_irq.patch new file mode 100644 index 00000000000..92ab46d3422 --- /dev/null +++ b/queue-5.11/watchdog-qcom-remove-incorrect-usage-of-qcom_wdt_enable_irq.patch @@ -0,0 +1,66 @@ +From a4f3407c41605d14f09e490045d0609990cd5d94 Mon Sep 17 00:00:00 2001 +From: Sai Prakash Ranjan +Date: Tue, 26 Jan 2021 20:32:41 +0530 +Subject: watchdog: qcom: Remove incorrect usage of QCOM_WDT_ENABLE_IRQ + +From: Sai Prakash Ranjan + +commit a4f3407c41605d14f09e490045d0609990cd5d94 upstream. + +As per register documentation, QCOM_WDT_ENABLE_IRQ which is BIT(1) +of watchdog control register is wakeup interrupt enable bit and +not related to bark interrupt at all, BIT(0) is used for that. +So remove incorrect usage of this bit when supporting bark irq for +pre-timeout notification. Currently with this bit set and bark +interrupt specified, pre-timeout notification and/or watchdog +reset/bite does not occur. + +Fixes: 36375491a439 ("watchdog: qcom: support pre-timeout when the bark irq is available") +Cc: stable@vger.kernel.org +Signed-off-by: Sai Prakash Ranjan +Reviewed-by: Guenter Roeck +Reviewed-by: Stephen Boyd +Link: https://lore.kernel.org/r/20210126150241.10009-1-saiprakash.ranjan@codeaurora.org +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/qcom-wdt.c | 13 +------------ + 1 file changed, 1 insertion(+), 12 deletions(-) + +--- a/drivers/watchdog/qcom-wdt.c ++++ b/drivers/watchdog/qcom-wdt.c +@@ -22,7 +22,6 @@ enum wdt_reg { + }; + + #define QCOM_WDT_ENABLE BIT(0) +-#define QCOM_WDT_ENABLE_IRQ BIT(1) + + static const u32 reg_offset_data_apcs_tmr[] = { + [WDT_RST] = 0x38, +@@ -63,16 +62,6 @@ struct qcom_wdt *to_qcom_wdt(struct watc + return container_of(wdd, struct qcom_wdt, wdd); + } + +-static inline int qcom_get_enable(struct watchdog_device *wdd) +-{ +- int enable = QCOM_WDT_ENABLE; +- +- if (wdd->pretimeout) +- enable |= QCOM_WDT_ENABLE_IRQ; +- +- return enable; +-} +- + static irqreturn_t qcom_wdt_isr(int irq, void *arg) + { + struct watchdog_device *wdd = arg; +@@ -91,7 +80,7 @@ static int qcom_wdt_start(struct watchdo + writel(1, wdt_addr(wdt, WDT_RST)); + writel(bark * wdt->rate, wdt_addr(wdt, WDT_BARK_TIME)); + writel(wdd->timeout * wdt->rate, wdt_addr(wdt, WDT_BITE_TIME)); +- writel(qcom_get_enable(wdd), wdt_addr(wdt, WDT_EN)); ++ writel(QCOM_WDT_ENABLE, wdt_addr(wdt, WDT_EN)); + return 0; + } + diff --git a/queue-5.11/x86-fix-seq_file-iteration-for-pat-memtype.c.patch b/queue-5.11/x86-fix-seq_file-iteration-for-pat-memtype.c.patch new file mode 100644 index 00000000000..46b591dd5c1 --- /dev/null +++ b/queue-5.11/x86-fix-seq_file-iteration-for-pat-memtype.c.patch @@ -0,0 +1,68 @@ +From 3d2fc4c082448e9c05792f9b2a11c1d5db408b85 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Thu, 25 Feb 2021 17:22:29 -0800 +Subject: x86: fix seq_file iteration for pat/memtype.c + +From: NeilBrown + +commit 3d2fc4c082448e9c05792f9b2a11c1d5db408b85 upstream. + +The memtype seq_file iterator allocates a buffer in the ->start and ->next +functions and frees it in the ->show function. The preferred handling for +such resources is to free them in the subsequent ->next or ->stop function +call. + +Since Commit 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration +code and interface") there is no guarantee that ->show will be called +after ->next, so this function can now leak memory. + +So move the freeing of the buffer to ->next and ->stop. + +Link: https://lkml.kernel.org/r/161248539022.21478.13874455485854739066.stgit@noble1 +Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface") +Signed-off-by: NeilBrown +Cc: Xin Long +Cc: Alexander Viro +Cc: Andy Lutomirski +Cc: Dave Hansen +Cc: "David S. Miller" +Cc: Ingo Molnar +Cc: Jonathan Corbet +Cc: Marcelo Ricardo Leitner +Cc: Neil Horman +Cc: Peter Zijlstra +Cc: Vlad Yasevich +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/pat/memtype.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/mm/pat/memtype.c ++++ b/arch/x86/mm/pat/memtype.c +@@ -1164,12 +1164,14 @@ static void *memtype_seq_start(struct se + + static void *memtype_seq_next(struct seq_file *seq, void *v, loff_t *pos) + { ++ kfree(v); + ++*pos; + return memtype_get_idx(*pos); + } + + static void memtype_seq_stop(struct seq_file *seq, void *v) + { ++ kfree(v); + } + + static int memtype_seq_show(struct seq_file *seq, void *v) +@@ -1181,8 +1183,6 @@ static int memtype_seq_show(struct seq_f + entry_print->end, + cattr_name(entry_print->type)); + +- kfree(entry_print); +- + return 0; + } + -- 2.47.3