From c311f36b044af27e370d0bcece7dd8db0ea15570 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 20 Mar 2021 12:50:46 +0100 Subject: [PATCH] 5.11-stable patches added patches: afs-fix-accessing-yfs-xattrs-on-a-non-yfs-server.patch afs-stop-listxattr-from-listing-afs.-attributes.patch alsa-usb-audio-fix-unintentional-sign-extension-issue.patch asoc-codecs-wcd934x-add-a-sanity-check-in-set-channel-map.patch asoc-fsl_ssi-fix-tdm-slot-setup-for-i2s-mode.patch asoc-intel-bytcr_rt5640-fix-hp-pavilion-x2-10-p0xx-ovcd-current-threshold.patch asoc-qcom-lpass-cpu-fix-lpass-dai-ids-parse.patch asoc-qcom-sdm845-fix-array-out-of-bounds-access.patch asoc-qcom-sdm845-fix-array-out-of-range-on-rx-slim-channels.patch asoc-simple-card-utils-do-not-handle-device-clock.patch asoc-sof-intel-fix-wrong-poll-bits-in-dsp-power-down.patch asoc-sof-intel-unregister-dmic-device-on-probe-error.patch i915-perf-start-hrtimer-only-if-sampling-the-oa-buffer.patch iommu-tegra-smmu-make-tegra_smmu_probe_device-to-handle-all-iommu-phandles.patch nfsd-don-t-abort-copies-early.patch nfsd-don-t-keep-looking-up-unhashed-files-in-the-nfsd-file-cache.patch nfsd-fix-dest-to-src-mount-in-inter-server-copy.patch nfsd-repair-misuse-of-sv_lock-in-5.10.16-rt30.patch nvme-fix-write-zeroes-limitations.patch nvme-tcp-fix-a-null-deref-when-receiving-a-0-length-r2t-pdu.patch nvme-tcp-fix-misuse-of-__smp_processor_id-with-preemption-enabled.patch nvme-tcp-fix-possible-hang-when-failing-to-set-io-queues.patch nvmet-don-t-check-iosqes-iocqes-for-discovery-controllers.patch sunrpc-fix-refcount-leak-for-rpc-auth-modules.patch svcrdma-disable-timeouts-on-rdma-backchannel.patch vfio-iommu_api-should-be-selected.patch vhost_vdpa-fix-the-missing-irq_bypass_unregister_producer-invocation.patch --- ...ssing-yfs-xattrs-on-a-non-yfs-server.patch | 111 +++++++++++++ ...stxattr-from-listing-afs.-attributes.patch | 133 +++++++++++++++ ...x-unintentional-sign-extension-issue.patch | 46 ++++++ ...dd-a-sanity-check-in-set-channel-map.patch | 40 +++++ ..._ssi-fix-tdm-slot-setup-for-i2s-mode.patch | 49 ++++++ ...on-x2-10-p0xx-ovcd-current-threshold.patch | 43 +++++ ...om-lpass-cpu-fix-lpass-dai-ids-parse.patch | 33 ++++ ...dm845-fix-array-out-of-bounds-access.patch | 42 +++++ ...ray-out-of-range-on-rx-slim-channels.patch | 35 ++++ ...ard-utils-do-not-handle-device-clock.patch | 56 +++++++ ...ix-wrong-poll-bits-in-dsp-power-down.patch | 35 ++++ ...nregister-dmic-device-on-probe-error.patch | 34 ++++ ...timer-only-if-sampling-the-oa-buffer.patch | 101 ++++++++++++ ..._device-to-handle-all-iommu-phandles.patch | 52 ++++++ .../nfsd-don-t-abort-copies-early.patch | 34 ++++ ...nhashed-files-in-the-nfsd-file-cache.patch | 33 ++++ ...st-to-src-mount-in-inter-server-copy.patch | 33 ++++ ...ir-misuse-of-sv_lock-in-5.10.16-rt30.patch | 152 ++++++++++++++++++ .../nvme-fix-write-zeroes-limitations.patch | 78 +++++++++ ...ef-when-receiving-a-0-length-r2t-pdu.patch | 39 +++++ ...processor_id-with-preemption-enabled.patch | 35 ++++ ...e-hang-when-failing-to-set-io-queues.patch | 39 +++++ ...qes-iocqes-for-discovery-controllers.patch | 57 +++++++ queue-5.11/series | 27 ++++ ...x-refcount-leak-for-rpc-auth-modules.patch | 53 ++++++ ...disable-timeouts-on-rdma-backchannel.patch | 38 +++++ .../vfio-iommu_api-should-be-selected.patch | 35 ++++ ...ypass_unregister_producer-invocation.patch | 55 +++++++ 28 files changed, 1518 insertions(+) create mode 100644 queue-5.11/afs-fix-accessing-yfs-xattrs-on-a-non-yfs-server.patch create mode 100644 queue-5.11/afs-stop-listxattr-from-listing-afs.-attributes.patch create mode 100644 queue-5.11/alsa-usb-audio-fix-unintentional-sign-extension-issue.patch create mode 100644 queue-5.11/asoc-codecs-wcd934x-add-a-sanity-check-in-set-channel-map.patch create mode 100644 queue-5.11/asoc-fsl_ssi-fix-tdm-slot-setup-for-i2s-mode.patch create mode 100644 queue-5.11/asoc-intel-bytcr_rt5640-fix-hp-pavilion-x2-10-p0xx-ovcd-current-threshold.patch create mode 100644 queue-5.11/asoc-qcom-lpass-cpu-fix-lpass-dai-ids-parse.patch create mode 100644 queue-5.11/asoc-qcom-sdm845-fix-array-out-of-bounds-access.patch create mode 100644 queue-5.11/asoc-qcom-sdm845-fix-array-out-of-range-on-rx-slim-channels.patch create mode 100644 queue-5.11/asoc-simple-card-utils-do-not-handle-device-clock.patch create mode 100644 queue-5.11/asoc-sof-intel-fix-wrong-poll-bits-in-dsp-power-down.patch create mode 100644 queue-5.11/asoc-sof-intel-unregister-dmic-device-on-probe-error.patch create mode 100644 queue-5.11/i915-perf-start-hrtimer-only-if-sampling-the-oa-buffer.patch create mode 100644 queue-5.11/iommu-tegra-smmu-make-tegra_smmu_probe_device-to-handle-all-iommu-phandles.patch create mode 100644 queue-5.11/nfsd-don-t-abort-copies-early.patch create mode 100644 queue-5.11/nfsd-don-t-keep-looking-up-unhashed-files-in-the-nfsd-file-cache.patch create mode 100644 queue-5.11/nfsd-fix-dest-to-src-mount-in-inter-server-copy.patch create mode 100644 queue-5.11/nfsd-repair-misuse-of-sv_lock-in-5.10.16-rt30.patch create mode 100644 queue-5.11/nvme-fix-write-zeroes-limitations.patch create mode 100644 queue-5.11/nvme-tcp-fix-a-null-deref-when-receiving-a-0-length-r2t-pdu.patch create mode 100644 queue-5.11/nvme-tcp-fix-misuse-of-__smp_processor_id-with-preemption-enabled.patch create mode 100644 queue-5.11/nvme-tcp-fix-possible-hang-when-failing-to-set-io-queues.patch create mode 100644 queue-5.11/nvmet-don-t-check-iosqes-iocqes-for-discovery-controllers.patch create mode 100644 queue-5.11/sunrpc-fix-refcount-leak-for-rpc-auth-modules.patch create mode 100644 queue-5.11/svcrdma-disable-timeouts-on-rdma-backchannel.patch create mode 100644 queue-5.11/vfio-iommu_api-should-be-selected.patch create mode 100644 queue-5.11/vhost_vdpa-fix-the-missing-irq_bypass_unregister_producer-invocation.patch diff --git a/queue-5.11/afs-fix-accessing-yfs-xattrs-on-a-non-yfs-server.patch b/queue-5.11/afs-fix-accessing-yfs-xattrs-on-a-non-yfs-server.patch new file mode 100644 index 00000000000..139ee694187 --- /dev/null +++ b/queue-5.11/afs-fix-accessing-yfs-xattrs-on-a-non-yfs-server.patch @@ -0,0 +1,111 @@ +From 64fcbb6158ecc684d84c64424830a9c37c77c5b9 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 2 Mar 2021 10:26:45 +0000 +Subject: afs: Fix accessing YFS xattrs on a non-YFS server + +From: David Howells + +commit 64fcbb6158ecc684d84c64424830a9c37c77c5b9 upstream. + +If someone attempts to access YFS-related xattrs (e.g. afs.yfs.acl) on a +file on a non-YFS AFS server (such as OpenAFS), then the kernel will jump +to a NULL function pointer because the afs_fetch_acl_operation descriptor +doesn't point to a function for issuing an operation on a non-YFS +server[1]. + +Fix this by making afs_wait_for_operation() check that the issue_afs_rpc +method is set before jumping to it and setting -ENOTSUPP if not. This fix +also covers other potential operations that also only exist on YFS servers. + +afs_xattr_get/set_yfs() then need to translate -ENOTSUPP to -ENODATA as the +former error is internal to the kernel. + +The bug shows up as an oops like the following: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + [...] + Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. + [...] + Call Trace: + afs_wait_for_operation+0x83/0x1b0 [kafs] + afs_xattr_get_yfs+0xe6/0x270 [kafs] + __vfs_getxattr+0x59/0x80 + vfs_getxattr+0x11c/0x140 + getxattr+0x181/0x250 + ? __check_object_size+0x13f/0x150 + ? __fput+0x16d/0x250 + __x64_sys_fgetxattr+0x64/0xb0 + do_syscall_64+0x49/0xc0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7fb120a9defe + +This was triggered with "cp -a" which attempts to copy xattrs, including +afs ones, but is easier to reproduce with getfattr, e.g.: + + getfattr -d -m ".*" /afs/openafs.org/ + +Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept") +Reported-by: Gaja Sophie Peters +Signed-off-by: David Howells +Tested-by: Gaja Sophie Peters +Reviewed-by: Marc Dionne +Reviewed-by: Jeffrey Altman +cc: linux-afs@lists.infradead.org +Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003498.html [1] +Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003566.html # v1 +Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003572.html # v2 +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/fs_operation.c | 7 +++++-- + fs/afs/xattr.c | 8 +++++++- + 2 files changed, 12 insertions(+), 3 deletions(-) + +--- a/fs/afs/fs_operation.c ++++ b/fs/afs/fs_operation.c +@@ -181,10 +181,13 @@ void afs_wait_for_operation(struct afs_o + if (test_bit(AFS_SERVER_FL_IS_YFS, &op->server->flags) && + op->ops->issue_yfs_rpc) + op->ops->issue_yfs_rpc(op); +- else ++ else if (op->ops->issue_afs_rpc) + op->ops->issue_afs_rpc(op); ++ else ++ op->ac.error = -ENOTSUPP; + +- op->error = afs_wait_for_call_to_complete(op->call, &op->ac); ++ if (op->call) ++ op->error = afs_wait_for_call_to_complete(op->call, &op->ac); + } + + switch (op->error) { +--- a/fs/afs/xattr.c ++++ b/fs/afs/xattr.c +@@ -230,6 +230,8 @@ static int afs_xattr_get_yfs(const struc + else + ret = -ERANGE; + } ++ } else if (ret == -ENOTSUPP) { ++ ret = -ENODATA; + } + + error_yacl: +@@ -254,6 +256,7 @@ static int afs_xattr_set_yfs(const struc + { + struct afs_operation *op; + struct afs_vnode *vnode = AFS_FS_I(inode); ++ int ret; + + if (flags == XATTR_CREATE || + strcmp(name, "acl") != 0) +@@ -268,7 +271,10 @@ static int afs_xattr_set_yfs(const struc + return afs_put_operation(op); + + op->ops = &yfs_store_opaque_acl2_operation; +- return afs_do_sync_operation(op); ++ ret = afs_do_sync_operation(op); ++ if (ret == -ENOTSUPP) ++ ret = -ENODATA; ++ return ret; + } + + static const struct xattr_handler afs_xattr_yfs_handler = { diff --git a/queue-5.11/afs-stop-listxattr-from-listing-afs.-attributes.patch b/queue-5.11/afs-stop-listxattr-from-listing-afs.-attributes.patch new file mode 100644 index 00000000000..39cd0765b7e --- /dev/null +++ b/queue-5.11/afs-stop-listxattr-from-listing-afs.-attributes.patch @@ -0,0 +1,133 @@ +From a7889c6320b9200e3fe415238f546db677310fa9 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 9 Mar 2021 08:27:39 +0000 +Subject: afs: Stop listxattr() from listing "afs.*" attributes + +From: David Howells + +commit a7889c6320b9200e3fe415238f546db677310fa9 upstream. + +afs_listxattr() lists all the available special afs xattrs (i.e. those in +the "afs.*" space), no matter what type of server we're dealing with. But +OpenAFS servers, for example, cannot deal with some of the extra-capable +attributes that AuriStor (YFS) servers provide. Unfortunately, the +presence of the afs.yfs.* attributes causes errors[1] for anything that +tries to read them if the server is of the wrong type. + +Fix the problem by removing afs_listxattr() so that none of the special +xattrs are listed (AFS doesn't support xattrs). It does mean, however, +that getfattr won't list them, though they can still be accessed with +getxattr() and setxattr(). + +This can be tested with something like: + + getfattr -d -m ".*" /afs/example.com/path/to/file + +With this change, none of the afs.* attributes should be visible. + +Changes: +ver #2: + - Hide all of the afs.* xattrs, not just the ACL ones. + +Fixes: ae46578b963f ("afs: Get YFS ACLs and information through xattrs") +Reported-by: Gaja Sophie Peters +Signed-off-by: David Howells +Tested-by: Gaja Sophie Peters +Reviewed-by: Jeffrey Altman +Reviewed-by: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003502.html [1] +Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003567.html # v1 +Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003573.html # v2 +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/dir.c | 1 - + fs/afs/file.c | 1 - + fs/afs/inode.c | 1 - + fs/afs/internal.h | 1 - + fs/afs/mntpt.c | 1 - + fs/afs/xattr.c | 23 ----------------------- + 6 files changed, 28 deletions(-) + +--- a/fs/afs/dir.c ++++ b/fs/afs/dir.c +@@ -69,7 +69,6 @@ const struct inode_operations afs_dir_in + .permission = afs_permission, + .getattr = afs_getattr, + .setattr = afs_setattr, +- .listxattr = afs_listxattr, + }; + + const struct address_space_operations afs_dir_aops = { +--- a/fs/afs/file.c ++++ b/fs/afs/file.c +@@ -43,7 +43,6 @@ const struct inode_operations afs_file_i + .getattr = afs_getattr, + .setattr = afs_setattr, + .permission = afs_permission, +- .listxattr = afs_listxattr, + }; + + const struct address_space_operations afs_fs_aops = { +--- a/fs/afs/inode.c ++++ b/fs/afs/inode.c +@@ -27,7 +27,6 @@ + + static const struct inode_operations afs_symlink_inode_operations = { + .get_link = page_get_link, +- .listxattr = afs_listxattr, + }; + + static noinline void dump_vnode(struct afs_vnode *vnode, struct afs_vnode *parent_vnode) +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -1508,7 +1508,6 @@ extern int afs_launder_page(struct page + * xattr.c + */ + extern const struct xattr_handler *afs_xattr_handlers[]; +-extern ssize_t afs_listxattr(struct dentry *, char *, size_t); + + /* + * yfsclient.c +--- a/fs/afs/mntpt.c ++++ b/fs/afs/mntpt.c +@@ -32,7 +32,6 @@ const struct inode_operations afs_mntpt_ + .lookup = afs_mntpt_lookup, + .readlink = page_readlink, + .getattr = afs_getattr, +- .listxattr = afs_listxattr, + }; + + const struct inode_operations afs_autocell_inode_operations = { +--- a/fs/afs/xattr.c ++++ b/fs/afs/xattr.c +@@ -11,29 +11,6 @@ + #include + #include "internal.h" + +-static const char afs_xattr_list[] = +- "afs.acl\0" +- "afs.cell\0" +- "afs.fid\0" +- "afs.volume\0" +- "afs.yfs.acl\0" +- "afs.yfs.acl_inherited\0" +- "afs.yfs.acl_num_cleaned\0" +- "afs.yfs.vol_acl"; +- +-/* +- * Retrieve a list of the supported xattrs. +- */ +-ssize_t afs_listxattr(struct dentry *dentry, char *buffer, size_t size) +-{ +- if (size == 0) +- return sizeof(afs_xattr_list); +- if (size < sizeof(afs_xattr_list)) +- return -ERANGE; +- memcpy(buffer, afs_xattr_list, sizeof(afs_xattr_list)); +- return sizeof(afs_xattr_list); +-} +- + /* + * Deal with the result of a successful fetch ACL operation. + */ diff --git a/queue-5.11/alsa-usb-audio-fix-unintentional-sign-extension-issue.patch b/queue-5.11/alsa-usb-audio-fix-unintentional-sign-extension-issue.patch new file mode 100644 index 00000000000..a7cb1f957a3 --- /dev/null +++ b/queue-5.11/alsa-usb-audio-fix-unintentional-sign-extension-issue.patch @@ -0,0 +1,46 @@ +From 50b1affc891cbc103a2334ce909a026e25f4c84d Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Thu, 18 Mar 2021 13:20:08 +0000 +Subject: ALSA: usb-audio: Fix unintentional sign extension issue + +From: Colin Ian King + +commit 50b1affc891cbc103a2334ce909a026e25f4c84d upstream. + +The shifting of the u8 integer device by 24 bits to the left will +be promoted to a 32 bit signed int and then sign-extended to a +64 bit unsigned long. In the event that the top bit of device is +set then all then all the upper 32 bits of the unsigned long will +end up as also being set because of the sign-extension. Fix this +by casting device to an unsigned long before the shift. + +Addresses-Coverity: ("Unintended sign extension") +Fixes: a07df82c7990 ("ALSA: usb-audio: Add DJM750 to Pioneer mixer quirk") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20210318132008.15266-1-colin.king@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_quirks.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -2883,7 +2883,7 @@ static int snd_djm_controls_put(struct s + u8 group = (private_value & SND_DJM_GROUP_MASK) >> SND_DJM_GROUP_SHIFT; + u16 value = elem->value.enumerated.item[0]; + +- kctl->private_value = ((device << SND_DJM_DEVICE_SHIFT) | ++ kctl->private_value = (((unsigned long)device << SND_DJM_DEVICE_SHIFT) | + (group << SND_DJM_GROUP_SHIFT) | + value); + +@@ -2921,7 +2921,7 @@ static int snd_djm_controls_create(struc + value = device->controls[i].default_value; + knew.name = device->controls[i].name; + knew.private_value = ( +- (device_idx << SND_DJM_DEVICE_SHIFT) | ++ ((unsigned long)device_idx << SND_DJM_DEVICE_SHIFT) | + (i << SND_DJM_GROUP_SHIFT) | + value); + err = snd_djm_controls_update(mixer, device_idx, i, value); diff --git a/queue-5.11/asoc-codecs-wcd934x-add-a-sanity-check-in-set-channel-map.patch b/queue-5.11/asoc-codecs-wcd934x-add-a-sanity-check-in-set-channel-map.patch new file mode 100644 index 00000000000..9b140799ef0 --- /dev/null +++ b/queue-5.11/asoc-codecs-wcd934x-add-a-sanity-check-in-set-channel-map.patch @@ -0,0 +1,40 @@ +From 3bb4852d598f0275ed5996a059df55be7318ac2f Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Tue, 9 Mar 2021 14:21:29 +0000 +Subject: ASoC: codecs: wcd934x: add a sanity check in set channel map + +From: Srinivas Kandagatla + +commit 3bb4852d598f0275ed5996a059df55be7318ac2f upstream. + +set channel map can be passed with a channel maps, however if +the number of channels that are passed are more than the actual +supported channels then we would be accessing array out of bounds. + +So add a sanity check to validate these numbers! + +Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") +Reported-by: John Stultz +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20210309142129.14182-4-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd934x.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/sound/soc/codecs/wcd934x.c ++++ b/sound/soc/codecs/wcd934x.c +@@ -1873,6 +1873,12 @@ static int wcd934x_set_channel_map(struc + + wcd = snd_soc_component_get_drvdata(dai->component); + ++ if (tx_num > WCD934X_TX_MAX || rx_num > WCD934X_RX_MAX) { ++ dev_err(wcd->dev, "Invalid tx %d or rx %d channel count\n", ++ tx_num, rx_num); ++ return -EINVAL; ++ } ++ + if (!tx_slot || !rx_slot) { + dev_err(wcd->dev, "Invalid tx_slot=%p, rx_slot=%p\n", + tx_slot, rx_slot); diff --git a/queue-5.11/asoc-fsl_ssi-fix-tdm-slot-setup-for-i2s-mode.patch b/queue-5.11/asoc-fsl_ssi-fix-tdm-slot-setup-for-i2s-mode.patch new file mode 100644 index 00000000000..dca1023b8b9 --- /dev/null +++ b/queue-5.11/asoc-fsl_ssi-fix-tdm-slot-setup-for-i2s-mode.patch @@ -0,0 +1,49 @@ +From 87263968516fb9507d6215d53f44052627fae8d8 Mon Sep 17 00:00:00 2001 +From: Alexander Shiyan +Date: Tue, 16 Feb 2021 14:42:21 +0300 +Subject: ASoC: fsl_ssi: Fix TDM slot setup for I2S mode + +From: Alexander Shiyan + +commit 87263968516fb9507d6215d53f44052627fae8d8 upstream. + +When using the driver in I2S TDM mode, the _fsl_ssi_set_dai_fmt() +function rewrites the number of slots previously set by the +fsl_ssi_set_dai_tdm_slot() function to 2 by default. +To fix this, let's use the saved slot count value or, if TDM +is not used and the slot count is not set, proceed as before. + +Fixes: 4f14f5c11db1 ("ASoC: fsl_ssi: Fix number of words per frame for I2S-slave mode") +Signed-off-by: Alexander Shiyan +Acked-by: Nicolin Chen +Link: https://lore.kernel.org/r/20210216114221.26635-1-shc_work@mail.ru +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/fsl/fsl_ssi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/sound/soc/fsl/fsl_ssi.c ++++ b/sound/soc/fsl/fsl_ssi.c +@@ -878,6 +878,7 @@ static int fsl_ssi_hw_free(struct snd_pc + static int _fsl_ssi_set_dai_fmt(struct fsl_ssi *ssi, unsigned int fmt) + { + u32 strcr = 0, scr = 0, stcr, srcr, mask; ++ unsigned int slots; + + ssi->dai_fmt = fmt; + +@@ -909,10 +910,11 @@ static int _fsl_ssi_set_dai_fmt(struct f + return -EINVAL; + } + ++ slots = ssi->slots ? : 2; + regmap_update_bits(ssi->regs, REG_SSI_STCCR, +- SSI_SxCCR_DC_MASK, SSI_SxCCR_DC(2)); ++ SSI_SxCCR_DC_MASK, SSI_SxCCR_DC(slots)); + regmap_update_bits(ssi->regs, REG_SSI_SRCCR, +- SSI_SxCCR_DC_MASK, SSI_SxCCR_DC(2)); ++ SSI_SxCCR_DC_MASK, SSI_SxCCR_DC(slots)); + + /* Data on rising edge of bclk, frame low, 1clk before data */ + strcr |= SSI_STCR_TFSI | SSI_STCR_TSCKP | SSI_STCR_TEFS; diff --git a/queue-5.11/asoc-intel-bytcr_rt5640-fix-hp-pavilion-x2-10-p0xx-ovcd-current-threshold.patch b/queue-5.11/asoc-intel-bytcr_rt5640-fix-hp-pavilion-x2-10-p0xx-ovcd-current-threshold.patch new file mode 100644 index 00000000000..ef1f209a14d --- /dev/null +++ b/queue-5.11/asoc-intel-bytcr_rt5640-fix-hp-pavilion-x2-10-p0xx-ovcd-current-threshold.patch @@ -0,0 +1,43 @@ +From ca08ddfd961d2a17208d9182e0ee5791b39bd8bf Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 24 Feb 2021 11:50:52 +0100 +Subject: ASoC: Intel: bytcr_rt5640: Fix HP Pavilion x2 10-p0XX OVCD current threshold + +From: Hans de Goede + +commit ca08ddfd961d2a17208d9182e0ee5791b39bd8bf upstream. + +When I added the quirk for the "HP Pavilion x2 10-p0XX" I copied the +byt_rt5640_quirk_table[] entry for the HP Pavilion x2 10-k0XX / 10-n0XX +models since these use almost the same settings. + +While doing this I accidentally also copied and kept the non-standard +OVCD_TH_1500UA setting used on those models. This too low threshold is +causing headsets to often be seen as headphones (without a headset-mic) +and when correctly identified it is causing ghost play/pause +button-presses to get detected. + +Correct the HP Pavilion x2 10-p0XX quirk to use the default OVCD_TH_2000UA +setting, fixing these problems. + +Fixes: fbdae7d6d04d ("ASoC: Intel: bytcr_rt5640: Fix HP Pavilion x2 Detachable quirks") +Signed-off-by: Hans de Goede +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210224105052.42116-1-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/intel/boards/bytcr_rt5640.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -577,7 +577,7 @@ static const struct dmi_system_id byt_rt + }, + .driver_data = (void *)(BYT_RT5640_DMIC1_MAP | + BYT_RT5640_JD_SRC_JD1_IN4P | +- BYT_RT5640_OVCD_TH_1500UA | ++ BYT_RT5640_OVCD_TH_2000UA | + BYT_RT5640_OVCD_SF_0P75 | + BYT_RT5640_MCLK_EN), + }, diff --git a/queue-5.11/asoc-qcom-lpass-cpu-fix-lpass-dai-ids-parse.patch b/queue-5.11/asoc-qcom-lpass-cpu-fix-lpass-dai-ids-parse.patch new file mode 100644 index 00000000000..7af0002a6ad --- /dev/null +++ b/queue-5.11/asoc-qcom-lpass-cpu-fix-lpass-dai-ids-parse.patch @@ -0,0 +1,33 @@ +From 9922f50f7178496e709d3d064920b5031f0d9061 Mon Sep 17 00:00:00 2001 +From: Srinivasa Rao Mandadapu +Date: Thu, 11 Mar 2021 21:15:57 +0530 +Subject: ASoC: qcom: lpass-cpu: Fix lpass dai ids parse + +From: Srinivasa Rao Mandadapu + +commit 9922f50f7178496e709d3d064920b5031f0d9061 upstream. + +The max boundary check while parsing dai ids makes +sound card registration fail after common up dai ids. + +Fixes: cd3484f7f138 ("ASoC: qcom: Fix broken support to MI2S TERTIARY and QUATERNARY") + +Signed-off-by: Srinivasa Rao Mandadapu +Link: https://lore.kernel.org/r/20210311154557.24978-1-srivasam@codeaurora.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/lpass-cpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/qcom/lpass-cpu.c ++++ b/sound/soc/qcom/lpass-cpu.c +@@ -737,7 +737,7 @@ static void of_lpass_cpu_parse_dai_data( + + for_each_child_of_node(dev->of_node, node) { + ret = of_property_read_u32(node, "reg", &id); +- if (ret || id < 0 || id >= data->variant->num_dai) { ++ if (ret || id < 0) { + dev_err(dev, "valid dai id not found: %d\n", ret); + continue; + } diff --git a/queue-5.11/asoc-qcom-sdm845-fix-array-out-of-bounds-access.patch b/queue-5.11/asoc-qcom-sdm845-fix-array-out-of-bounds-access.patch new file mode 100644 index 00000000000..185a46e57ee --- /dev/null +++ b/queue-5.11/asoc-qcom-sdm845-fix-array-out-of-bounds-access.patch @@ -0,0 +1,42 @@ +From 1c668e1c0a0f74472469cd514f40c9012b324c31 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Tue, 9 Mar 2021 14:21:27 +0000 +Subject: ASoC: qcom: sdm845: Fix array out of bounds access + +From: Srinivas Kandagatla + +commit 1c668e1c0a0f74472469cd514f40c9012b324c31 upstream. + +Static analysis Coverity had detected a potential array out-of-bounds +write issue due to the fact that MAX AFE port Id was set to 16 instead +of using AFE_PORT_MAX macro. + +Fix this by properly using AFE_PORT_MAX macro. + +Fixes: 1b93a8843147 ("ASoC: qcom: sdm845: handle soundwire stream") +Reported-by: John Stultz +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20210309142129.14182-2-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/sdm845.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/qcom/sdm845.c ++++ b/sound/soc/qcom/sdm845.c +@@ -33,12 +33,12 @@ + struct sdm845_snd_data { + struct snd_soc_jack jack; + bool jack_setup; +- bool stream_prepared[SLIM_MAX_RX_PORTS]; ++ bool stream_prepared[AFE_PORT_MAX]; + struct snd_soc_card *card; + uint32_t pri_mi2s_clk_count; + uint32_t sec_mi2s_clk_count; + uint32_t quat_tdm_clk_count; +- struct sdw_stream_runtime *sruntime[SLIM_MAX_RX_PORTS]; ++ struct sdw_stream_runtime *sruntime[AFE_PORT_MAX]; + }; + + static unsigned int tdm_slot_offset[8] = {0, 4, 8, 12, 16, 20, 24, 28}; diff --git a/queue-5.11/asoc-qcom-sdm845-fix-array-out-of-range-on-rx-slim-channels.patch b/queue-5.11/asoc-qcom-sdm845-fix-array-out-of-range-on-rx-slim-channels.patch new file mode 100644 index 00000000000..16e23868fe1 --- /dev/null +++ b/queue-5.11/asoc-qcom-sdm845-fix-array-out-of-range-on-rx-slim-channels.patch @@ -0,0 +1,35 @@ +From 4800fe6ea1022eb240215b1743d2541adad8efc7 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Tue, 9 Mar 2021 14:21:28 +0000 +Subject: ASoC: qcom: sdm845: Fix array out of range on rx slim channels + +From: Srinivas Kandagatla + +commit 4800fe6ea1022eb240215b1743d2541adad8efc7 upstream. + +WCD934x has only 13 RX SLIM ports however we are setting it as 16 +in set_channel_map, this will lead to array out of bounds error! + +Orignally caught by enabling USBAN array out of bounds check: + +Fixes: 5caf64c633a3 ("ASoC: qcom: sdm845: add support to DB845c and Lenovo Yoga") +Reported-by: John Stultz +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20210309142129.14182-3-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/sdm845.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/qcom/sdm845.c ++++ b/sound/soc/qcom/sdm845.c +@@ -27,7 +27,7 @@ + #define SPK_TDM_RX_MASK 0x03 + #define NUM_TDM_SLOTS 8 + #define SLIM_MAX_TX_PORTS 16 +-#define SLIM_MAX_RX_PORTS 16 ++#define SLIM_MAX_RX_PORTS 13 + #define WCD934X_DEFAULT_MCLK_RATE 9600000 + + struct sdm845_snd_data { diff --git a/queue-5.11/asoc-simple-card-utils-do-not-handle-device-clock.patch b/queue-5.11/asoc-simple-card-utils-do-not-handle-device-clock.patch new file mode 100644 index 00000000000..63073744385 --- /dev/null +++ b/queue-5.11/asoc-simple-card-utils-do-not-handle-device-clock.patch @@ -0,0 +1,56 @@ +From 8ca88d53351cc58d535b2bfc7386835378fb0db2 Mon Sep 17 00:00:00 2001 +From: Sameer Pujar +Date: Mon, 15 Mar 2021 23:01:31 +0530 +Subject: ASoC: simple-card-utils: Do not handle device clock + +From: Sameer Pujar + +commit 8ca88d53351cc58d535b2bfc7386835378fb0db2 upstream. + +This reverts commit 1e30f642cf29 ("ASoC: simple-card-utils: Fix device +module clock"). The original patch ended up breaking following platform, +which depends on set_sysclk() to configure internal PLL on wm8904 codec +and expects simple-card-utils to not update the MCLK rate. + - "arch/arm64/boot/dts/freescale/fsl-ls1028a-kontron-sl28-var3-ads2.dts" + +It would be best if codec takes care of setting MCLK clock via DAI +set_sysclk() callback. + +Reported-by: Michael Walle +Suggested-by: Mark Brown +Suggested-by: Michael Walle +Fixes: 1e30f642cf29 ("ASoC: simple-card-utils: Fix device module clock") +Signed-off-by: Sameer Pujar +Tested-by: Michael Walle +Link: https://lore.kernel.org/r/1615829492-8972-2-git-send-email-spujar@nvidia.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/generic/simple-card-utils.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/sound/soc/generic/simple-card-utils.c ++++ b/sound/soc/generic/simple-card-utils.c +@@ -172,15 +172,16 @@ int asoc_simple_parse_clk(struct device + * or device's module clock. + */ + clk = devm_get_clk_from_child(dev, node, NULL); +- if (IS_ERR(clk)) +- clk = devm_get_clk_from_child(dev, dlc->of_node, NULL); +- + if (!IS_ERR(clk)) { +- simple_dai->clk = clk; + simple_dai->sysclk = clk_get_rate(clk); +- } else if (!of_property_read_u32(node, "system-clock-frequency", +- &val)) { ++ ++ simple_dai->clk = clk; ++ } else if (!of_property_read_u32(node, "system-clock-frequency", &val)) { + simple_dai->sysclk = val; ++ } else { ++ clk = devm_get_clk_from_child(dev, dlc->of_node, NULL); ++ if (!IS_ERR(clk)) ++ simple_dai->sysclk = clk_get_rate(clk); + } + + if (of_property_read_bool(node, "system-clock-direction-out")) diff --git a/queue-5.11/asoc-sof-intel-fix-wrong-poll-bits-in-dsp-power-down.patch b/queue-5.11/asoc-sof-intel-fix-wrong-poll-bits-in-dsp-power-down.patch new file mode 100644 index 00000000000..008c5bc024f --- /dev/null +++ b/queue-5.11/asoc-sof-intel-fix-wrong-poll-bits-in-dsp-power-down.patch @@ -0,0 +1,35 @@ +From fd8299181995093948ec6ca75432e797b4a39143 Mon Sep 17 00:00:00 2001 +From: Pan Xiuli +Date: Mon, 8 Mar 2021 18:41:27 -0600 +Subject: ASoC: SOF: intel: fix wrong poll bits in dsp power down + +From: Pan Xiuli + +commit fd8299181995093948ec6ca75432e797b4a39143 upstream. + +The ADSPCS_SPA is Set Power Active bit. To check if DSP is powered +down, we need to check ADSPCS_CPA, the Current Power Active bit. + +Fixes: 747503b1813a3 ("ASoC: SOF: Intel: Add Intel specific HDA DSP HW operations") +Reviewed-by: Rander Wang +Reviewed-by: Ranjani Sridharan +Signed-off-by: Pan Xiuli +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210309004127.4940-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/sof/intel/hda-dsp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/sof/intel/hda-dsp.c ++++ b/sound/soc/sof/intel/hda-dsp.c +@@ -207,7 +207,7 @@ int hda_dsp_core_power_down(struct snd_s + + ret = snd_sof_dsp_read_poll_timeout(sdev, HDA_DSP_BAR, + HDA_DSP_REG_ADSPCS, adspcs, +- !(adspcs & HDA_DSP_ADSPCS_SPA_MASK(core_mask)), ++ !(adspcs & HDA_DSP_ADSPCS_CPA_MASK(core_mask)), + HDA_DSP_REG_POLL_INTERVAL_US, + HDA_DSP_PD_TIMEOUT * USEC_PER_MSEC); + if (ret < 0) diff --git a/queue-5.11/asoc-sof-intel-unregister-dmic-device-on-probe-error.patch b/queue-5.11/asoc-sof-intel-unregister-dmic-device-on-probe-error.patch new file mode 100644 index 00000000000..bc4417a7837 --- /dev/null +++ b/queue-5.11/asoc-sof-intel-unregister-dmic-device-on-probe-error.patch @@ -0,0 +1,34 @@ +From 5bb0ecddb2a7f638d65e457f3da9fa334c967b14 Mon Sep 17 00:00:00 2001 +From: Pierre-Louis Bossart +Date: Mon, 1 Mar 2021 18:34:10 -0600 +Subject: ASoC: SOF: Intel: unregister DMIC device on probe error + +From: Pierre-Louis Bossart + +commit 5bb0ecddb2a7f638d65e457f3da9fa334c967b14 upstream. + +We only unregister the platform device during the .remove operation, +but if the probe fails we will never reach this sequence. + +Suggested-by: Bard Liao +Fixes: dd96daca6c83e ("ASoC: SOF: Intel: Add APL/CNL HW DSP support") +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Ranjani Sridharan +Reviewed-by: Guennadi Liakhovetski +Link: https://lore.kernel.org/r/20210302003410.1178535-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/sof/intel/hda.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/soc/sof/intel/hda.c ++++ b/sound/soc/sof/intel/hda.c +@@ -896,6 +896,7 @@ free_streams: + /* dsp_unmap: not currently used */ + iounmap(sdev->bar[HDA_DSP_BAR]); + hdac_bus_unmap: ++ platform_device_unregister(hdev->dmic_dev); + iounmap(bus->remap_addr); + hda_codec_i915_exit(sdev); + err: diff --git a/queue-5.11/i915-perf-start-hrtimer-only-if-sampling-the-oa-buffer.patch b/queue-5.11/i915-perf-start-hrtimer-only-if-sampling-the-oa-buffer.patch new file mode 100644 index 00000000000..03a02b62bdc --- /dev/null +++ b/queue-5.11/i915-perf-start-hrtimer-only-if-sampling-the-oa-buffer.patch @@ -0,0 +1,101 @@ +From 6a77c6bb7260bd5000f95df454d9f8cdb1af7132 Mon Sep 17 00:00:00 2001 +From: Umesh Nerlige Ramappa +Date: Fri, 5 Mar 2021 13:09:47 -0800 +Subject: i915/perf: Start hrtimer only if sampling the OA buffer + +From: Umesh Nerlige Ramappa + +commit 6a77c6bb7260bd5000f95df454d9f8cdb1af7132 upstream. + +SAMPLE_OA parameter enables sampling of OA buffer and results in a call +to init the OA buffer which initializes the OA unit head/tail pointers. +The OA_EXPONENT parameter controls the periodicity of the OA reports in +the OA buffer and results in starting a hrtimer. + +Before gen12, all use cases required the use of the OA buffer and i915 +enforced this setting when vetting out the parameters passed. In these +platforms the hrtimer was enabled if OA_EXPONENT was passed. This worked +fine since it was implied that SAMPLE_OA is always passed. + +With gen12, this changed. Users can use perf without enabling the OA +buffer as in OAR use cases. While an OAR use case should ideally not +start the hrtimer, we see that passing an OA_EXPONENT parameter will +start the hrtimer even though SAMPLE_OA is not specified. This results +in an uninitialized OA buffer, so the head/tail pointers used to track +the buffer are zero. + +This itself does not fail, but if we ran a use-case that SAMPLED the OA +buffer previously, then the OA_TAIL register is still pointing to an old +value. When the timer callback runs, it ends up calculating a +wrong/large number of available reports. Since we do a spinlock_irq_save +and start processing a large number of reports, NMI watchdog fires and +causes a crash. + +Start the timer only if SAMPLE_OA is specified. + +v2: +- Drop SAMPLE OA check when appending samples (Ashutosh) +- Prevent read if OA buffer is not being sampled + +Fixes: 00a7f0d7155c ("drm/i915/tgl: Add perf support on TGL") +Signed-off-by: Umesh Nerlige Ramappa +Reviewed-by: Ashutosh Dixit +Signed-off-by: Lionel Landwerlin +Link: https://patchwork.freedesktop.org/patch/msgid/20210305210947.58751-1-umesh.nerlige.ramappa@intel.com +(cherry picked from commit be0bdd67fda9468156c733976688f6487d0c42f7) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/i915_perf.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_perf.c ++++ b/drivers/gpu/drm/i915/i915_perf.c +@@ -600,7 +600,6 @@ static int append_oa_sample(struct i915_ + { + int report_size = stream->oa_buffer.format_size; + struct drm_i915_perf_record_header header; +- u32 sample_flags = stream->sample_flags; + + header.type = DRM_I915_PERF_RECORD_SAMPLE; + header.pad = 0; +@@ -614,10 +613,8 @@ static int append_oa_sample(struct i915_ + return -EFAULT; + buf += sizeof(header); + +- if (sample_flags & SAMPLE_OA_REPORT) { +- if (copy_to_user(buf, report, report_size)) +- return -EFAULT; +- } ++ if (copy_to_user(buf, report, report_size)) ++ return -EFAULT; + + (*offset) += header.size; + +@@ -2678,7 +2675,7 @@ static void i915_oa_stream_enable(struct + + stream->perf->ops.oa_enable(stream); + +- if (stream->periodic) ++ if (stream->sample_flags & SAMPLE_OA_REPORT) + hrtimer_start(&stream->poll_check_timer, + ns_to_ktime(stream->poll_oa_period), + HRTIMER_MODE_REL_PINNED); +@@ -2741,7 +2738,7 @@ static void i915_oa_stream_disable(struc + { + stream->perf->ops.oa_disable(stream); + +- if (stream->periodic) ++ if (stream->sample_flags & SAMPLE_OA_REPORT) + hrtimer_cancel(&stream->poll_check_timer); + } + +@@ -3024,7 +3021,7 @@ static ssize_t i915_perf_read(struct fil + * disabled stream as an error. In particular it might otherwise lead + * to a deadlock for blocking file descriptors... + */ +- if (!stream->enabled) ++ if (!stream->enabled || !(stream->sample_flags & SAMPLE_OA_REPORT)) + return -EIO; + + if (!(file->f_flags & O_NONBLOCK)) { diff --git a/queue-5.11/iommu-tegra-smmu-make-tegra_smmu_probe_device-to-handle-all-iommu-phandles.patch b/queue-5.11/iommu-tegra-smmu-make-tegra_smmu_probe_device-to-handle-all-iommu-phandles.patch new file mode 100644 index 00000000000..f054667763c --- /dev/null +++ b/queue-5.11/iommu-tegra-smmu-make-tegra_smmu_probe_device-to-handle-all-iommu-phandles.patch @@ -0,0 +1,52 @@ +From 8dfd0fa6ecdc5e2099a57d485b7ce237abc6c7a0 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Fri, 12 Mar 2021 18:54:39 +0300 +Subject: iommu/tegra-smmu: Make tegra_smmu_probe_device() to handle all IOMMU phandles + +From: Dmitry Osipenko + +commit 8dfd0fa6ecdc5e2099a57d485b7ce237abc6c7a0 upstream. + +The tegra_smmu_probe_device() handles only the first IOMMU device-tree +phandle, skipping the rest. Devices like 3D module on Tegra30 have +multiple IOMMU phandles, one for each h/w block, and thus, only one +IOMMU phandle is added to fwspec for the 3D module, breaking GPU. +Previously this problem was masked by tegra_smmu_attach_dev() which +didn't use the fwspec, but parsed the DT by itself. The previous commit +to tegra-smmu driver partially reverted changes that caused problems for +T124 and now we have tegra_smmu_attach_dev() that uses the fwspec and +the old-buggy variant of tegra_smmu_probe_device() which skips secondary +IOMMUs. + +Make tegra_smmu_probe_device() not to skip the secondary IOMMUs. This +fixes a partially attached IOMMU of the 3D module on Tegra30 and now GPU +works properly once again. + +Fixes: 765a9d1d02b2 ("iommu/tegra-smmu: Fix mc errors on tegra124-nyan") +Signed-off-by: Dmitry Osipenko +Tested-by: Nicolin Chen +Link: https://lore.kernel.org/r/20210312155439.18477-1-digetx@gmail.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/tegra-smmu.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/iommu/tegra-smmu.c ++++ b/drivers/iommu/tegra-smmu.c +@@ -849,12 +849,11 @@ static struct iommu_device *tegra_smmu_p + smmu = tegra_smmu_find(args.np); + if (smmu) { + err = tegra_smmu_configure(smmu, dev, &args); +- of_node_put(args.np); + +- if (err < 0) ++ if (err < 0) { ++ of_node_put(args.np); + return ERR_PTR(err); +- +- break; ++ } + } + + of_node_put(args.np); diff --git a/queue-5.11/nfsd-don-t-abort-copies-early.patch b/queue-5.11/nfsd-don-t-abort-copies-early.patch new file mode 100644 index 00000000000..a5d457d3c2e --- /dev/null +++ b/queue-5.11/nfsd-don-t-abort-copies-early.patch @@ -0,0 +1,34 @@ +From bfdd89f232aa2de5a4b3fc985cba894148b830a8 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Wed, 24 Feb 2021 13:39:50 -0500 +Subject: nfsd: don't abort copies early + +From: J. Bruce Fields + +commit bfdd89f232aa2de5a4b3fc985cba894148b830a8 upstream. + +The typical result of the backwards comparison here is that the source +server in a server-to-server copy will return BAD_STATEID within a few +seconds of the copy starting, instead of giving the copy a full lease +period, so the copy_file_range() call will end up unnecessarily +returning a short read. + +Fixes: 624322f1adc5 "NFSD add COPY_NOTIFY operation" +Signed-off-by: J. Bruce Fields +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -5372,7 +5372,7 @@ nfs4_laundromat(struct nfsd_net *nn) + idr_for_each_entry(&nn->s2s_cp_stateids, cps_t, i) { + cps = container_of(cps_t, struct nfs4_cpntf_state, cp_stateid); + if (cps->cp_stateid.sc_type == NFS4_COPYNOTIFY_STID && +- cps->cpntf_time > cutoff) ++ cps->cpntf_time < cutoff) + _free_cpntf_state_locked(nn, cps); + } + spin_unlock(&nn->s2s_cp_lock); diff --git a/queue-5.11/nfsd-don-t-keep-looking-up-unhashed-files-in-the-nfsd-file-cache.patch b/queue-5.11/nfsd-don-t-keep-looking-up-unhashed-files-in-the-nfsd-file-cache.patch new file mode 100644 index 00000000000..1cc9e696726 --- /dev/null +++ b/queue-5.11/nfsd-don-t-keep-looking-up-unhashed-files-in-the-nfsd-file-cache.patch @@ -0,0 +1,33 @@ +From d30881f573e565ebb5dbb50b31ed6106b5c81328 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 18 Feb 2021 21:02:07 -0500 +Subject: nfsd: Don't keep looking up unhashed files in the nfsd file cache + +From: Trond Myklebust + +commit d30881f573e565ebb5dbb50b31ed6106b5c81328 upstream. + +If a file is unhashed, then we're going to reject it anyway and retry, +so make sure we skip it when we're doing the RCU lockless lookup. +This avoids a number of unnecessary nfserr_jukebox returns from +nfsd_file_acquire() + +Fixes: 65294c1f2c5e ("nfsd: add a new struct file caching facility to nfsd") +Signed-off-by: Trond Myklebust +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/filecache.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/nfsd/filecache.c ++++ b/fs/nfsd/filecache.c +@@ -898,6 +898,8 @@ nfsd_file_find_locked(struct inode *inod + continue; + if (!nfsd_match_cred(nf->nf_cred, current_cred())) + continue; ++ if (!test_bit(NFSD_FILE_HASHED, &nf->nf_flags)) ++ continue; + if (nfsd_file_get(nf) != NULL) + return nf; + } diff --git a/queue-5.11/nfsd-fix-dest-to-src-mount-in-inter-server-copy.patch b/queue-5.11/nfsd-fix-dest-to-src-mount-in-inter-server-copy.patch new file mode 100644 index 00000000000..3e442554a55 --- /dev/null +++ b/queue-5.11/nfsd-fix-dest-to-src-mount-in-inter-server-copy.patch @@ -0,0 +1,33 @@ +From 614c9750173e412663728215152cc6d12bcb3425 Mon Sep 17 00:00:00 2001 +From: Olga Kornievskaia +Date: Tue, 9 Mar 2021 09:41:14 -0500 +Subject: NFSD: fix dest to src mount in inter-server COPY + +From: Olga Kornievskaia + +commit 614c9750173e412663728215152cc6d12bcb3425 upstream. + +A cleanup of the inter SSC copy needs to call fput() of the source +file handle to make sure that file structure is freed as well as +drop the reference on the superblock to unmount the source server. + +Fixes: 36e1e5ba90fb ("NFSD: Fix use-after-free warning when doing inter-server copy") +Signed-off-by: Olga Kornievskaia +Signed-off-by: Chuck Lever +Tested-by: Dai Ngo +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1304,7 +1304,7 @@ nfsd4_cleanup_inter_ssc(struct vfsmount + struct nfsd_file *dst) + { + nfs42_ssc_close(src->nf_file); +- /* 'src' is freed by nfsd4_do_async_copy */ ++ fput(src->nf_file); + nfsd_file_put(dst); + mntput(ss_mnt); + } diff --git a/queue-5.11/nfsd-repair-misuse-of-sv_lock-in-5.10.16-rt30.patch b/queue-5.11/nfsd-repair-misuse-of-sv_lock-in-5.10.16-rt30.patch new file mode 100644 index 00000000000..3da0ca7d05c --- /dev/null +++ b/queue-5.11/nfsd-repair-misuse-of-sv_lock-in-5.10.16-rt30.patch @@ -0,0 +1,152 @@ +From c7de87ff9dac5f396f62d584f3908f80ddc0e07b Mon Sep 17 00:00:00 2001 +From: Joe Korty +Date: Fri, 26 Feb 2021 09:38:20 -0500 +Subject: NFSD: Repair misuse of sv_lock in 5.10.16-rt30. + +From: Joe Korty + +commit c7de87ff9dac5f396f62d584f3908f80ddc0e07b upstream. + +[ This problem is in mainline, but only rt has the chops to be +able to detect it. ] + +Lockdep reports a circular lock dependency between serv->sv_lock and +softirq_ctl.lock on system shutdown, when using a kernel built with +CONFIG_PREEMPT_RT=y, and a nfs mount exists. + +This is due to the definition of spin_lock_bh on rt: + + local_bh_disable(); + rt_spin_lock(lock); + +which forces a softirq_ctl.lock -> serv->sv_lock dependency. This is +not a problem as long as _every_ lock of serv->sv_lock is a: + + spin_lock_bh(&serv->sv_lock); + +but there is one of the form: + + spin_lock(&serv->sv_lock); + +This is what is causing the circular dependency splat. The spin_lock() +grabs the lock without first grabbing softirq_ctl.lock via local_bh_disable. +If later on in the critical region, someone does a local_bh_disable, we +get a serv->sv_lock -> softirq_ctrl.lock dependency established. Deadlock. + +Fix is to make serv->sv_lock be locked with spin_lock_bh everywhere, no +exceptions. + +[ OK ] Stopped target NFS client services. + Stopping Logout off all iSCSI sessions on shutdown... + Stopping NFS server and services... +[ 109.442380] +[ 109.442385] ====================================================== +[ 109.442386] WARNING: possible circular locking dependency detected +[ 109.442387] 5.10.16-rt30 #1 Not tainted +[ 109.442389] ------------------------------------------------------ +[ 109.442390] nfsd/1032 is trying to acquire lock: +[ 109.442392] ffff994237617f60 ((softirq_ctrl.lock).lock){+.+.}-{2:2}, at: __local_bh_disable_ip+0xd9/0x270 +[ 109.442405] +[ 109.442405] but task is already holding lock: +[ 109.442406] ffff994245cb00b0 (&serv->sv_lock){+.+.}-{0:0}, at: svc_close_list+0x1f/0x90 +[ 109.442415] +[ 109.442415] which lock already depends on the new lock. +[ 109.442415] +[ 109.442416] +[ 109.442416] the existing dependency chain (in reverse order) is: +[ 109.442417] +[ 109.442417] -> #1 (&serv->sv_lock){+.+.}-{0:0}: +[ 109.442421] rt_spin_lock+0x2b/0xc0 +[ 109.442428] svc_add_new_perm_xprt+0x42/0xa0 +[ 109.442430] svc_addsock+0x135/0x220 +[ 109.442434] write_ports+0x4b3/0x620 +[ 109.442438] nfsctl_transaction_write+0x45/0x80 +[ 109.442440] vfs_write+0xff/0x420 +[ 109.442444] ksys_write+0x4f/0xc0 +[ 109.442446] do_syscall_64+0x33/0x40 +[ 109.442450] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 109.442454] +[ 109.442454] -> #0 ((softirq_ctrl.lock).lock){+.+.}-{2:2}: +[ 109.442457] __lock_acquire+0x1264/0x20b0 +[ 109.442463] lock_acquire+0xc2/0x400 +[ 109.442466] rt_spin_lock+0x2b/0xc0 +[ 109.442469] __local_bh_disable_ip+0xd9/0x270 +[ 109.442471] svc_xprt_do_enqueue+0xc0/0x4d0 +[ 109.442474] svc_close_list+0x60/0x90 +[ 109.442476] svc_close_net+0x49/0x1a0 +[ 109.442478] svc_shutdown_net+0x12/0x40 +[ 109.442480] nfsd_destroy+0xc5/0x180 +[ 109.442482] nfsd+0x1bc/0x270 +[ 109.442483] kthread+0x194/0x1b0 +[ 109.442487] ret_from_fork+0x22/0x30 +[ 109.442492] +[ 109.442492] other info that might help us debug this: +[ 109.442492] +[ 109.442493] Possible unsafe locking scenario: +[ 109.442493] +[ 109.442493] CPU0 CPU1 +[ 109.442494] ---- ---- +[ 109.442495] lock(&serv->sv_lock); +[ 109.442496] lock((softirq_ctrl.lock).lock); +[ 109.442498] lock(&serv->sv_lock); +[ 109.442499] lock((softirq_ctrl.lock).lock); +[ 109.442501] +[ 109.442501] *** DEADLOCK *** +[ 109.442501] +[ 109.442501] 3 locks held by nfsd/1032: +[ 109.442503] #0: ffffffff93b49258 (nfsd_mutex){+.+.}-{3:3}, at: nfsd+0x19a/0x270 +[ 109.442508] #1: ffff994245cb00b0 (&serv->sv_lock){+.+.}-{0:0}, at: svc_close_list+0x1f/0x90 +[ 109.442512] #2: ffffffff93a81b20 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0x5/0xc0 +[ 109.442518] +[ 109.442518] stack backtrace: +[ 109.442519] CPU: 0 PID: 1032 Comm: nfsd Not tainted 5.10.16-rt30 #1 +[ 109.442522] Hardware name: Supermicro X9DRL-3F/iF/X9DRL-3F/iF, BIOS 3.2 09/22/2015 +[ 109.442524] Call Trace: +[ 109.442527] dump_stack+0x77/0x97 +[ 109.442533] check_noncircular+0xdc/0xf0 +[ 109.442546] __lock_acquire+0x1264/0x20b0 +[ 109.442553] lock_acquire+0xc2/0x400 +[ 109.442564] rt_spin_lock+0x2b/0xc0 +[ 109.442570] __local_bh_disable_ip+0xd9/0x270 +[ 109.442573] svc_xprt_do_enqueue+0xc0/0x4d0 +[ 109.442577] svc_close_list+0x60/0x90 +[ 109.442581] svc_close_net+0x49/0x1a0 +[ 109.442585] svc_shutdown_net+0x12/0x40 +[ 109.442588] nfsd_destroy+0xc5/0x180 +[ 109.442590] nfsd+0x1bc/0x270 +[ 109.442595] kthread+0x194/0x1b0 +[ 109.442600] ret_from_fork+0x22/0x30 +[ 109.518225] nfsd: last server has exited, flushing export cache +[ OK ] Stopped NFSv4 ID-name mapping service. +[ OK ] Stopped GSSAPI Proxy Daemon. +[ OK ] Stopped NFS Mount Daemon. +[ OK ] Stopped NFS status monitor for NFSv2/3 locking.. + +Fixes: 719f8bcc883e ("svcrpc: fix xpt_list traversal locking on shutdown") +Signed-off-by: Joe Korty +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/svc_xprt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -1060,7 +1060,7 @@ static int svc_close_list(struct svc_ser + struct svc_xprt *xprt; + int ret = 0; + +- spin_lock(&serv->sv_lock); ++ spin_lock_bh(&serv->sv_lock); + list_for_each_entry(xprt, xprt_list, xpt_list) { + if (xprt->xpt_net != net) + continue; +@@ -1068,7 +1068,7 @@ static int svc_close_list(struct svc_ser + set_bit(XPT_CLOSE, &xprt->xpt_flags); + svc_xprt_enqueue(xprt); + } +- spin_unlock(&serv->sv_lock); ++ spin_unlock_bh(&serv->sv_lock); + return ret; + } + diff --git a/queue-5.11/nvme-fix-write-zeroes-limitations.patch b/queue-5.11/nvme-fix-write-zeroes-limitations.patch new file mode 100644 index 00000000000..1bcad99dac6 --- /dev/null +++ b/queue-5.11/nvme-fix-write-zeroes-limitations.patch @@ -0,0 +1,78 @@ +From b94e8cd2e6a94fc7563529ddc82726a7e77e04de Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Mon, 15 Mar 2021 10:32:07 +0100 +Subject: nvme: fix Write Zeroes limitations + +From: Christoph Hellwig + +commit b94e8cd2e6a94fc7563529ddc82726a7e77e04de upstream. + +We voluntarily limit the Write Zeroes sizes to the MDTS value provided by +the hardware, but currently get the units wrong, so fix that. + +Fixes: 6e02318eaea5 ("nvme: add support for the Write Zeroes command") +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Tested-by: Klaus Jensen +Reviewed-by: Klaus Jensen +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Himanshu Madhani +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/core.c | 38 +++++++++++++------------------------- + 1 file changed, 13 insertions(+), 25 deletions(-) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1948,30 +1948,18 @@ static void nvme_config_discard(struct g + blk_queue_max_write_zeroes_sectors(queue, UINT_MAX); + } + +-static void nvme_config_write_zeroes(struct gendisk *disk, struct nvme_ns *ns) +-{ +- u64 max_blocks; +- +- if (!(ns->ctrl->oncs & NVME_CTRL_ONCS_WRITE_ZEROES) || +- (ns->ctrl->quirks & NVME_QUIRK_DISABLE_WRITE_ZEROES)) +- return; +- /* +- * Even though NVMe spec explicitly states that MDTS is not +- * applicable to the write-zeroes:- "The restriction does not apply to +- * commands that do not transfer data between the host and the +- * controller (e.g., Write Uncorrectable ro Write Zeroes command).". +- * In order to be more cautious use controller's max_hw_sectors value +- * to configure the maximum sectors for the write-zeroes which is +- * configured based on the controller's MDTS field in the +- * nvme_init_identify() if available. +- */ +- if (ns->ctrl->max_hw_sectors == UINT_MAX) +- max_blocks = (u64)USHRT_MAX + 1; +- else +- max_blocks = ns->ctrl->max_hw_sectors + 1; +- +- blk_queue_max_write_zeroes_sectors(disk->queue, +- nvme_lba_to_sect(ns, max_blocks)); ++/* ++ * Even though NVMe spec explicitly states that MDTS is not applicable to the ++ * write-zeroes, we are cautious and limit the size to the controllers ++ * max_hw_sectors value, which is based on the MDTS field and possibly other ++ * limiting factors. ++ */ ++static void nvme_config_write_zeroes(struct request_queue *q, ++ struct nvme_ctrl *ctrl) ++{ ++ if ((ctrl->oncs & NVME_CTRL_ONCS_WRITE_ZEROES) && ++ !(ctrl->quirks & NVME_QUIRK_DISABLE_WRITE_ZEROES)) ++ blk_queue_max_write_zeroes_sectors(q, ctrl->max_hw_sectors); + } + + static bool nvme_ns_ids_valid(struct nvme_ns_ids *ids) +@@ -2143,7 +2131,7 @@ static void nvme_update_disk_info(struct + set_capacity_and_notify(disk, capacity); + + nvme_config_discard(disk, ns); +- nvme_config_write_zeroes(disk, ns); ++ nvme_config_write_zeroes(disk->queue, ns->ctrl); + + if ((id->nsattr & NVME_NS_ATTR_RO) || + test_bit(NVME_NS_FORCE_RO, &ns->flags)) diff --git a/queue-5.11/nvme-tcp-fix-a-null-deref-when-receiving-a-0-length-r2t-pdu.patch b/queue-5.11/nvme-tcp-fix-a-null-deref-when-receiving-a-0-length-r2t-pdu.patch new file mode 100644 index 00000000000..05c1deca3c2 --- /dev/null +++ b/queue-5.11/nvme-tcp-fix-a-null-deref-when-receiving-a-0-length-r2t-pdu.patch @@ -0,0 +1,39 @@ +From fd0823f405090f9f410fc3e3ff7efb52e7b486fa Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Mon, 15 Mar 2021 14:08:11 -0700 +Subject: nvme-tcp: fix a NULL deref when receiving a 0-length r2t PDU + +From: Sagi Grimberg + +commit fd0823f405090f9f410fc3e3ff7efb52e7b486fa upstream. + +When the controller sends us a 0-length r2t PDU we should not attempt to +try to set up a h2cdata PDU but rather conclude that this is a buggy +controller (forward progress is not possible) and simply fail it +immediately. + +Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver") +Reported-by: Belanger, Martin +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/tcp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -568,6 +568,13 @@ static int nvme_tcp_setup_h2c_data_pdu(s + req->pdu_len = le32_to_cpu(pdu->r2t_length); + req->pdu_sent = 0; + ++ if (unlikely(!req->pdu_len)) { ++ dev_err(queue->ctrl->ctrl.device, ++ "req %d r2t len is %u, probably a bug...\n", ++ rq->tag, req->pdu_len); ++ return -EPROTO; ++ } ++ + if (unlikely(req->data_sent + req->pdu_len > req->data_len)) { + dev_err(queue->ctrl->ctrl.device, + "req %d r2t len %u exceeded data len %u (%zu sent)\n", diff --git a/queue-5.11/nvme-tcp-fix-misuse-of-__smp_processor_id-with-preemption-enabled.patch b/queue-5.11/nvme-tcp-fix-misuse-of-__smp_processor_id-with-preemption-enabled.patch new file mode 100644 index 00000000000..2e93d6eabb5 --- /dev/null +++ b/queue-5.11/nvme-tcp-fix-misuse-of-__smp_processor_id-with-preemption-enabled.patch @@ -0,0 +1,35 @@ +From bb83337058a7000644cdeffc67361d2473534756 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Mon, 15 Mar 2021 13:53:47 -0700 +Subject: nvme-tcp: fix misuse of __smp_processor_id with preemption enabled + +From: Sagi Grimberg + +commit bb83337058a7000644cdeffc67361d2473534756 upstream. + +For our pure advisory use-case, we only rely on this call as a hint, so +fix the warning complaints of using the smp_processor_id variants with +preemption enabled. + +Fixes: db5ad6b7f8cd ("nvme-tcp: try to send request in queue_rq context") +Fixes: ada831772188 ("nvme-tcp: Fix warning with CONFIG_DEBUG_PREEMPT") +Signed-off-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Tested-by: Yi Zhang +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -287,7 +287,7 @@ static inline void nvme_tcp_queue_reques + * directly, otherwise queue io_work. Also, only do that if we + * are on the same cpu, so we don't introduce contention. + */ +- if (queue->io_cpu == __smp_processor_id() && ++ if (queue->io_cpu == raw_smp_processor_id() && + sync && empty && mutex_trylock(&queue->send_mutex)) { + queue->more_requests = !last; + nvme_tcp_send_all(queue); diff --git a/queue-5.11/nvme-tcp-fix-possible-hang-when-failing-to-set-io-queues.patch b/queue-5.11/nvme-tcp-fix-possible-hang-when-failing-to-set-io-queues.patch new file mode 100644 index 00000000000..b824a43ce2d --- /dev/null +++ b/queue-5.11/nvme-tcp-fix-possible-hang-when-failing-to-set-io-queues.patch @@ -0,0 +1,39 @@ +From 72f572428b83d0bc7028e7c4326d1a5f45205e44 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Mon, 15 Mar 2021 14:04:26 -0700 +Subject: nvme-tcp: fix possible hang when failing to set io queues + +From: Sagi Grimberg + +commit 72f572428b83d0bc7028e7c4326d1a5f45205e44 upstream. + +We only setup io queues for nvme controllers, and it makes absolutely no +sense to allow a controller (re)connect without any I/O queues. If we +happen to fail setting the queue count for any reason, we should not +allow this to be a successful reconnect as I/O has no chance in going +through. Instead just fail and schedule another reconnect. + +Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver") +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/tcp.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1748,8 +1748,11 @@ static int nvme_tcp_alloc_io_queues(stru + return ret; + + ctrl->queue_count = nr_io_queues + 1; +- if (ctrl->queue_count < 2) +- return 0; ++ if (ctrl->queue_count < 2) { ++ dev_err(ctrl->device, ++ "unable to set any I/O queues\n"); ++ return -ENOMEM; ++ } + + dev_info(ctrl->device, + "creating %d I/O queues.\n", nr_io_queues); diff --git a/queue-5.11/nvmet-don-t-check-iosqes-iocqes-for-discovery-controllers.patch b/queue-5.11/nvmet-don-t-check-iosqes-iocqes-for-discovery-controllers.patch new file mode 100644 index 00000000000..491d92ee150 --- /dev/null +++ b/queue-5.11/nvmet-don-t-check-iosqes-iocqes-for-discovery-controllers.patch @@ -0,0 +1,57 @@ +From d218a8a3003e84ab136e69a4e30dd4ec7dab2d22 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Mon, 15 Mar 2021 15:34:51 -0700 +Subject: nvmet: don't check iosqes,iocqes for discovery controllers + +From: Sagi Grimberg + +commit d218a8a3003e84ab136e69a4e30dd4ec7dab2d22 upstream. + +From the base spec, Figure 78: + + "Controller Configuration, these fields are defined as parameters to + configure an "I/O Controller (IOC)" and not to configure a "Discovery + Controller (DC). + + ... + If the controller does not support I/O queues, then this field shall + be read-only with a value of 0h + +Just perform this check for I/O controllers. + +Fixes: a07b4970f464 ("nvmet: add a generic NVMe target") +Reported-by: Belanger, Martin +Signed-off-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/core.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -1107,9 +1107,20 @@ static void nvmet_start_ctrl(struct nvme + { + lockdep_assert_held(&ctrl->lock); + +- if (nvmet_cc_iosqes(ctrl->cc) != NVME_NVM_IOSQES || +- nvmet_cc_iocqes(ctrl->cc) != NVME_NVM_IOCQES || +- nvmet_cc_mps(ctrl->cc) != 0 || ++ /* ++ * Only I/O controllers should verify iosqes,iocqes. ++ * Strictly speaking, the spec says a discovery controller ++ * should verify iosqes,iocqes are zeroed, however that ++ * would break backwards compatibility, so don't enforce it. ++ */ ++ if (ctrl->subsys->type != NVME_NQN_DISC && ++ (nvmet_cc_iosqes(ctrl->cc) != NVME_NVM_IOSQES || ++ nvmet_cc_iocqes(ctrl->cc) != NVME_NVM_IOCQES)) { ++ ctrl->csts = NVME_CSTS_CFS; ++ return; ++ } ++ ++ if (nvmet_cc_mps(ctrl->cc) != 0 || + nvmet_cc_ams(ctrl->cc) != 0 || + nvmet_cc_css(ctrl->cc) != 0) { + ctrl->csts = NVME_CSTS_CFS; diff --git a/queue-5.11/series b/queue-5.11/series index fce24db276f..27c6733e8f6 100644 --- a/queue-5.11/series +++ b/queue-5.11/series @@ -26,3 +26,30 @@ drm-amd-display-remove-mpc-gamut-remap-logic-for-dcn30.patch iommu-amd-don-t-call-early_amd_iommu_init-when-amd-iommu-is-disabled.patch iommu-amd-keep-track-of-amd_iommu_irq_remap-state.patch iommu-amd-move-stoney-ridge-check-to-detect_ivrs.patch +asoc-fsl_ssi-fix-tdm-slot-setup-for-i2s-mode.patch +asoc-intel-bytcr_rt5640-fix-hp-pavilion-x2-10-p0xx-ovcd-current-threshold.patch +asoc-sof-intel-unregister-dmic-device-on-probe-error.patch +asoc-sof-intel-fix-wrong-poll-bits-in-dsp-power-down.patch +asoc-qcom-sdm845-fix-array-out-of-bounds-access.patch +asoc-qcom-sdm845-fix-array-out-of-range-on-rx-slim-channels.patch +asoc-codecs-wcd934x-add-a-sanity-check-in-set-channel-map.patch +asoc-qcom-lpass-cpu-fix-lpass-dai-ids-parse.patch +asoc-simple-card-utils-do-not-handle-device-clock.patch +afs-fix-accessing-yfs-xattrs-on-a-non-yfs-server.patch +afs-stop-listxattr-from-listing-afs.-attributes.patch +alsa-usb-audio-fix-unintentional-sign-extension-issue.patch +nvme-fix-write-zeroes-limitations.patch +nvme-tcp-fix-misuse-of-__smp_processor_id-with-preemption-enabled.patch +nvme-tcp-fix-possible-hang-when-failing-to-set-io-queues.patch +nvme-tcp-fix-a-null-deref-when-receiving-a-0-length-r2t-pdu.patch +nvmet-don-t-check-iosqes-iocqes-for-discovery-controllers.patch +nfsd-don-t-keep-looking-up-unhashed-files-in-the-nfsd-file-cache.patch +nfsd-don-t-abort-copies-early.patch +nfsd-repair-misuse-of-sv_lock-in-5.10.16-rt30.patch +nfsd-fix-dest-to-src-mount-in-inter-server-copy.patch +svcrdma-disable-timeouts-on-rdma-backchannel.patch +vfio-iommu_api-should-be-selected.patch +vhost_vdpa-fix-the-missing-irq_bypass_unregister_producer-invocation.patch +sunrpc-fix-refcount-leak-for-rpc-auth-modules.patch +i915-perf-start-hrtimer-only-if-sampling-the-oa-buffer.patch +iommu-tegra-smmu-make-tegra_smmu_probe_device-to-handle-all-iommu-phandles.patch diff --git a/queue-5.11/sunrpc-fix-refcount-leak-for-rpc-auth-modules.patch b/queue-5.11/sunrpc-fix-refcount-leak-for-rpc-auth-modules.patch new file mode 100644 index 00000000000..4f732f3642b --- /dev/null +++ b/queue-5.11/sunrpc-fix-refcount-leak-for-rpc-auth-modules.patch @@ -0,0 +1,53 @@ +From f1442d6349a2e7bb7a6134791bdc26cb776c79af Mon Sep 17 00:00:00 2001 +From: Daniel Kobras +Date: Sat, 27 Feb 2021 00:04:37 +0100 +Subject: sunrpc: fix refcount leak for rpc auth modules + +From: Daniel Kobras + +commit f1442d6349a2e7bb7a6134791bdc26cb776c79af upstream. + +If an auth module's accept op returns SVC_CLOSE, svc_process_common() +enters a call path that does not call svc_authorise() before leaving the +function, and thus leaks a reference on the auth module's refcount. Hence, +make sure calls to svc_authenticate() and svc_authorise() are paired for +all call paths, to make sure rpc auth modules can be unloaded. + +Signed-off-by: Daniel Kobras +Fixes: 4d712ef1db05 ("svcauth_gss: Close connection when dropping an incoming message") +Link: https://lore.kernel.org/linux-nfs/3F1B347F-B809-478F-A1E9-0BE98E22B0F0@oracle.com/T/#t +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/svc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/sunrpc/svc.c ++++ b/net/sunrpc/svc.c +@@ -1413,7 +1413,7 @@ svc_process_common(struct svc_rqst *rqst + + sendit: + if (svc_authorise(rqstp)) +- goto close; ++ goto close_xprt; + return 1; /* Caller can now send it */ + + release_dropit: +@@ -1425,6 +1425,8 @@ release_dropit: + return 0; + + close: ++ svc_authorise(rqstp); ++close_xprt: + if (rqstp->rq_xprt && test_bit(XPT_TEMP, &rqstp->rq_xprt->xpt_flags)) + svc_close_xprt(rqstp->rq_xprt); + dprintk("svc: svc_process close\n"); +@@ -1433,7 +1435,7 @@ release_dropit: + err_short_len: + svc_printk(rqstp, "short len %zd, dropping request\n", + argv->iov_len); +- goto close; ++ goto close_xprt; + + err_bad_rpc: + serv->sv_stats->rpcbadfmt++; diff --git a/queue-5.11/svcrdma-disable-timeouts-on-rdma-backchannel.patch b/queue-5.11/svcrdma-disable-timeouts-on-rdma-backchannel.patch new file mode 100644 index 00000000000..000084f1e77 --- /dev/null +++ b/queue-5.11/svcrdma-disable-timeouts-on-rdma-backchannel.patch @@ -0,0 +1,38 @@ +From 6820bf77864d5894ff67b5c00d7dba8f92011e3d Mon Sep 17 00:00:00 2001 +From: Timo Rothenpieler +Date: Tue, 23 Feb 2021 00:36:19 +0100 +Subject: svcrdma: disable timeouts on rdma backchannel + +From: Timo Rothenpieler + +commit 6820bf77864d5894ff67b5c00d7dba8f92011e3d upstream. + +This brings it in line with the regular tcp backchannel, which also has +all those timeouts disabled. + +Prevents the backchannel from timing out, getting some async operations +like server side copying getting stuck indefinitely on the client side. + +Signed-off-by: Timo Rothenpieler +Fixes: 5d252f90a800 ("svcrdma: Add class for RDMA backwards direction transport") +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/xprtrdma/svc_rdma_backchannel.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c +@@ -252,9 +252,9 @@ xprt_setup_rdma_bc(struct xprt_create *a + xprt->timeout = &xprt_rdma_bc_timeout; + xprt_set_bound(xprt); + xprt_set_connected(xprt); +- xprt->bind_timeout = RPCRDMA_BIND_TO; +- xprt->reestablish_timeout = RPCRDMA_INIT_REEST_TO; +- xprt->idle_timeout = RPCRDMA_IDLE_DISC_TO; ++ xprt->bind_timeout = 0; ++ xprt->reestablish_timeout = 0; ++ xprt->idle_timeout = 0; + + xprt->prot = XPRT_TRANSPORT_BC_RDMA; + xprt->ops = &xprt_rdma_bc_procs; diff --git a/queue-5.11/vfio-iommu_api-should-be-selected.patch b/queue-5.11/vfio-iommu_api-should-be-selected.patch new file mode 100644 index 00000000000..3e414060c24 --- /dev/null +++ b/queue-5.11/vfio-iommu_api-should-be-selected.patch @@ -0,0 +1,35 @@ +From 179209fa12709a3df8888c323b37315da2683c24 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Tue, 23 Feb 2021 15:17:46 -0400 +Subject: vfio: IOMMU_API should be selected + +From: Jason Gunthorpe + +commit 179209fa12709a3df8888c323b37315da2683c24 upstream. + +As IOMMU_API is a kconfig without a description (eg does not show in the +menu) the correct operator is select not 'depends on'. Using 'depends on' +for this kind of symbol means VFIO is not selectable unless some other +random kconfig has already enabled IOMMU_API for it. + +Fixes: cba3345cc494 ("vfio: VFIO core") +Signed-off-by: Jason Gunthorpe +Message-Id: <1-v1-df057e0f92c3+91-vfio_arm_compile_test_jgg@nvidia.com> +Reviewed-by: Eric Auger +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/vfio/Kconfig ++++ b/drivers/vfio/Kconfig +@@ -21,7 +21,7 @@ config VFIO_VIRQFD + + menuconfig VFIO + tristate "VFIO Non-Privileged userspace driver framework" +- depends on IOMMU_API ++ select IOMMU_API + select VFIO_IOMMU_TYPE1 if (X86 || S390 || ARM || ARM64) + help + VFIO provides a framework for secure userspace device drivers. diff --git a/queue-5.11/vhost_vdpa-fix-the-missing-irq_bypass_unregister_producer-invocation.patch b/queue-5.11/vhost_vdpa-fix-the-missing-irq_bypass_unregister_producer-invocation.patch new file mode 100644 index 00000000000..0f8b31f6e86 --- /dev/null +++ b/queue-5.11/vhost_vdpa-fix-the-missing-irq_bypass_unregister_producer-invocation.patch @@ -0,0 +1,55 @@ +From 4c050286bb202cffd5467c1cba982dff391d62e1 Mon Sep 17 00:00:00 2001 +From: Gautam Dawar +Date: Wed, 24 Feb 2021 17:18:45 +0530 +Subject: vhost_vdpa: fix the missing irq_bypass_unregister_producer() invocation + +From: Gautam Dawar + +commit 4c050286bb202cffd5467c1cba982dff391d62e1 upstream. + +When qemu with vhost-vdpa netdevice is run for the first time, +it works well. But after the VM is powered off, the next qemu run +causes kernel panic due to a NULL pointer dereference in +irq_bypass_register_producer(). + +When the VM is powered off, vhost_vdpa_clean_irq() misses on calling +irq_bypass_unregister_producer() for irq 0 because of the existing check. + +This leaves stale producer nodes, which are reset in +vhost_vring_call_reset() when vhost_dev_init() is invoked during the +second qemu run. + +As the node member of struct irq_bypass_producer is also initialized +to zero, traversal on the producers list causes crash due to NULL +pointer dereference. + +Fixes: 2cf1ba9a4d15c ("vhost_vdpa: implement IRQ offloading in vhost_vdpa") +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=211711 +Signed-off-by: Gautam Dawar +Acked-by: Jason Wang +Link: https://lore.kernel.org/r/20210224114845.104173-1-gdawar.xilinx@gmail.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vdpa.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/vhost/vdpa.c ++++ b/drivers/vhost/vdpa.c +@@ -906,14 +906,10 @@ err: + + static void vhost_vdpa_clean_irq(struct vhost_vdpa *v) + { +- struct vhost_virtqueue *vq; + int i; + +- for (i = 0; i < v->nvqs; i++) { +- vq = &v->vqs[i]; +- if (vq->call_ctx.producer.irq) +- irq_bypass_unregister_producer(&vq->call_ctx.producer); +- } ++ for (i = 0; i < v->nvqs; i++) ++ vhost_vdpa_unsetup_vq_irq(v, i); + } + + static int vhost_vdpa_release(struct inode *inode, struct file *filep) -- 2.47.3