From d8be49767b0e2efe995d2ac6735f3378c5662291 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 9 Dec 2020 10:03:29 +0100 Subject: [PATCH] 5.9-stable patches added patches: cifs-add-null-check-for-ses-tcon_ipc.patch cifs-allow-syscalls-to-be-restarted-in-__smb_send_rqst.patch cifs-fix-potential-use-after-free-in-cifs_echo_request.patch cifs-refactor-create_sd_buf-and-and-avoid-corrupting-the-buffer.patch coredump-fix-core_pattern-parse-error.patch dm-fix-bug-with-rcu-locking-in-dm_blk_report_zones.patch dm-fix-double-rcu-unlock-in-dm_dax_zero_page_range-error-path.patch dm-remove-invalid-sparse-__acquires-and-__releases-annotations.patch dm-writecache-advance-the-number-of-arguments-when-reporting-max_age.patch dm-writecache-fix-the-maximum-number-of-arguments.patch drm-amdgpu-vcn3.0-remove-old-dpg-workaround.patch drm-amdgpu-vcn3.0-stall-dpg-when-wptr-rptr-reset.patch drm-i915-gt-limit-frequency-drop-to-rpe-on-parking.patch drm-i915-gt-program-mocs-63-for-cache-eviction-on-gen9.patch drm-i915-gt-retain-default-context-state-across-shrinking.patch drm-omap-sdi-fix-bridge-enable-disable.patch ftrace-fix-dynamic_ftrace_with_direct_calls-dependency.patch ftrace-fix-updating-ftrace_fl_tramp.patch gfs2-fix-deadlock-between-gfs2_-create_inode-inode_lookup-and-delete_work_func.patch gfs2-upgrade-shared-glocks-for-atime-updates.patch i2c-imx-check-for-i2sr_ial-after-every-byte.patch i2c-imx-don-t-generate-stop-condition-if-arbitration-has-been-lost.patch i2c-imx-fix-reset-of-i2sr_ial-flag.patch io_uring-fix-recvmsg-setup-with-compat-buf-select.patch kvm-ppc-book3s-hv-xive-fix-vcpu-id-sanity-check.patch powerpc-64s-powernv-fix-memory-corruption-when-saving-slb-entries-on-mce.patch powerpc-pseries-pass-msi-affinity-to-irq_create_mapping.patch ring-buffer-always-check-to-put-back-before-stamp-when-crossing-pages.patch ring-buffer-set-the-right-timestamp-in-the-slow-path-of-__rb_reserve_next.patch ring-buffer-update-write-stamp-with-the-correct-ts.patch s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch scsi-mpt3sas-fix-ioctl-timeout.patch thunderbolt-fix-use-after-free-in-remove_unplugged_switch.patch tracing-fix-userstacktrace-option-for-instances.patch x86-uprobes-do-not-use-prefixes.nbytes-when-looping-over-prefixes.bytes.patch --- ...cifs-add-null-check-for-ses-tcon_ipc.patch | 34 ++++ ...s-to-be-restarted-in-__smb_send_rqst.patch | 48 ++++++ ...-use-after-free-in-cifs_echo_request.patch | 51 ++++++ ...-and-and-avoid-corrupting-the-buffer.patch | 159 ++++++++++++++++++ ...oredump-fix-core_pattern-parse-error.patch | 47 ++++++ ...h-rcu-locking-in-dm_blk_report_zones.patch | 37 ++++ ...in-dm_dax_zero_page_range-error-path.patch | 36 ++++ ..._acquires-and-__releases-annotations.patch | 40 +++++ ...-of-arguments-when-reporting-max_age.patch | 33 ++++ ...-fix-the-maximum-number-of-arguments.patch | 34 ++++ ...gpu-vcn3.0-remove-old-dpg-workaround.patch | 47 ++++++ ...cn3.0-stall-dpg-when-wptr-rptr-reset.patch | 82 +++++++++ ...mit-frequency-drop-to-rpe-on-parking.patch | 55 ++++++ ...m-mocs-63-for-cache-eviction-on-gen9.patch | 63 +++++++ ...fault-context-state-across-shrinking.patch | 56 ++++++ ...m-omap-sdi-fix-bridge-enable-disable.patch | 66 ++++++++ ..._ftrace_with_direct_calls-dependency.patch | 35 ++++ .../ftrace-fix-updating-ftrace_fl_tramp.patch | 86 ++++++++++ ...de-inode_lookup-and-delete_work_func.patch | 93 ++++++++++ ...rade-shared-glocks-for-atime-updates.patch | 74 ++++++++ ...-check-for-i2sr_ial-after-every-byte.patch | 46 +++++ ...ndition-if-arbitration-has-been-lost.patch | 69 ++++++++ .../i2c-imx-fix-reset-of-i2sr_ial-flag.patch | 81 +++++++++ ...recvmsg-setup-with-compat-buf-select.patch | 35 ++++ ...k3s-hv-xive-fix-vcpu-id-sanity-check.patch | 101 +++++++++++ ...ption-when-saving-slb-entries-on-mce.patch | 45 +++++ ...s-msi-affinity-to-irq_create_mapping.patch | 54 ++++++ ...ack-before-stamp-when-crossing-pages.patch | 53 ++++++ ...n-the-slow-path-of-__rb_reserve_next.patch | 48 ++++++ ...date-write-stamp-with-the-correct-ts.patch | 39 +++++ ...-cpu-address-in-msi-for-directed-irq.patch | 72 ++++++++ .../scsi-mpt3sas-fix-ioctl-timeout.patch | 42 +++++ queue-5.9/series | 35 ++++ ...fter-free-in-remove_unplugged_switch.patch | 70 ++++++++ ...-userstacktrace-option-for-instances.patch | 71 ++++++++ ...tes-when-looping-over-prefixes.bytes.patch | 123 ++++++++++++++ 36 files changed, 2160 insertions(+) create mode 100644 queue-5.9/cifs-add-null-check-for-ses-tcon_ipc.patch create mode 100644 queue-5.9/cifs-allow-syscalls-to-be-restarted-in-__smb_send_rqst.patch create mode 100644 queue-5.9/cifs-fix-potential-use-after-free-in-cifs_echo_request.patch create mode 100644 queue-5.9/cifs-refactor-create_sd_buf-and-and-avoid-corrupting-the-buffer.patch create mode 100644 queue-5.9/coredump-fix-core_pattern-parse-error.patch create mode 100644 queue-5.9/dm-fix-bug-with-rcu-locking-in-dm_blk_report_zones.patch create mode 100644 queue-5.9/dm-fix-double-rcu-unlock-in-dm_dax_zero_page_range-error-path.patch create mode 100644 queue-5.9/dm-remove-invalid-sparse-__acquires-and-__releases-annotations.patch create mode 100644 queue-5.9/dm-writecache-advance-the-number-of-arguments-when-reporting-max_age.patch create mode 100644 queue-5.9/dm-writecache-fix-the-maximum-number-of-arguments.patch create mode 100644 queue-5.9/drm-amdgpu-vcn3.0-remove-old-dpg-workaround.patch create mode 100644 queue-5.9/drm-amdgpu-vcn3.0-stall-dpg-when-wptr-rptr-reset.patch create mode 100644 queue-5.9/drm-i915-gt-limit-frequency-drop-to-rpe-on-parking.patch create mode 100644 queue-5.9/drm-i915-gt-program-mocs-63-for-cache-eviction-on-gen9.patch create mode 100644 queue-5.9/drm-i915-gt-retain-default-context-state-across-shrinking.patch create mode 100644 queue-5.9/drm-omap-sdi-fix-bridge-enable-disable.patch create mode 100644 queue-5.9/ftrace-fix-dynamic_ftrace_with_direct_calls-dependency.patch create mode 100644 queue-5.9/ftrace-fix-updating-ftrace_fl_tramp.patch create mode 100644 queue-5.9/gfs2-fix-deadlock-between-gfs2_-create_inode-inode_lookup-and-delete_work_func.patch create mode 100644 queue-5.9/gfs2-upgrade-shared-glocks-for-atime-updates.patch create mode 100644 queue-5.9/i2c-imx-check-for-i2sr_ial-after-every-byte.patch create mode 100644 queue-5.9/i2c-imx-don-t-generate-stop-condition-if-arbitration-has-been-lost.patch create mode 100644 queue-5.9/i2c-imx-fix-reset-of-i2sr_ial-flag.patch create mode 100644 queue-5.9/io_uring-fix-recvmsg-setup-with-compat-buf-select.patch create mode 100644 queue-5.9/kvm-ppc-book3s-hv-xive-fix-vcpu-id-sanity-check.patch create mode 100644 queue-5.9/powerpc-64s-powernv-fix-memory-corruption-when-saving-slb-entries-on-mce.patch create mode 100644 queue-5.9/powerpc-pseries-pass-msi-affinity-to-irq_create_mapping.patch create mode 100644 queue-5.9/ring-buffer-always-check-to-put-back-before-stamp-when-crossing-pages.patch create mode 100644 queue-5.9/ring-buffer-set-the-right-timestamp-in-the-slow-path-of-__rb_reserve_next.patch create mode 100644 queue-5.9/ring-buffer-update-write-stamp-with-the-correct-ts.patch create mode 100644 queue-5.9/s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch create mode 100644 queue-5.9/scsi-mpt3sas-fix-ioctl-timeout.patch create mode 100644 queue-5.9/thunderbolt-fix-use-after-free-in-remove_unplugged_switch.patch create mode 100644 queue-5.9/tracing-fix-userstacktrace-option-for-instances.patch create mode 100644 queue-5.9/x86-uprobes-do-not-use-prefixes.nbytes-when-looping-over-prefixes.bytes.patch diff --git a/queue-5.9/cifs-add-null-check-for-ses-tcon_ipc.patch b/queue-5.9/cifs-add-null-check-for-ses-tcon_ipc.patch new file mode 100644 index 00000000000..cad11192c43 --- /dev/null +++ b/queue-5.9/cifs-add-null-check-for-ses-tcon_ipc.patch @@ -0,0 +1,34 @@ +From 59463eb88829f646aed13283fd84d02a475334fe Mon Sep 17 00:00:00 2001 +From: Aurelien Aptel +Date: Thu, 3 Dec 2020 19:46:08 +0100 +Subject: cifs: add NULL check for ses->tcon_ipc + +From: Aurelien Aptel + +commit 59463eb88829f646aed13283fd84d02a475334fe upstream. + +In some scenarios (DFS and BAD_NETWORK_NAME) set_root_set() can be +called with a NULL ses->tcon_ipc. + +Signed-off-by: Aurelien Aptel +Reviewed-by: Paulo Alcantara (SUSE) +CC: Stable +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/connect.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -4768,7 +4768,8 @@ static void set_root_ses(struct cifs_sb_ + if (ses) { + spin_lock(&cifs_tcp_ses_lock); + ses->ses_count++; +- ses->tcon_ipc->remap = cifs_remap(cifs_sb); ++ if (ses->tcon_ipc) ++ ses->tcon_ipc->remap = cifs_remap(cifs_sb); + spin_unlock(&cifs_tcp_ses_lock); + } + *root_ses = ses; diff --git a/queue-5.9/cifs-allow-syscalls-to-be-restarted-in-__smb_send_rqst.patch b/queue-5.9/cifs-allow-syscalls-to-be-restarted-in-__smb_send_rqst.patch new file mode 100644 index 00000000000..949037f1ef2 --- /dev/null +++ b/queue-5.9/cifs-allow-syscalls-to-be-restarted-in-__smb_send_rqst.patch @@ -0,0 +1,48 @@ +From 6988a619f5b79e4efadea6e19dcfe75fbcd350b5 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Sat, 28 Nov 2020 15:57:06 -0300 +Subject: cifs: allow syscalls to be restarted in __smb_send_rqst() + +From: Paulo Alcantara + +commit 6988a619f5b79e4efadea6e19dcfe75fbcd350b5 upstream. + +A customer has reported that several files in their multi-threaded app +were left with size of 0 because most of the read(2) calls returned +-EINTR and they assumed no bytes were read. Obviously, they could +have fixed it by simply retrying on -EINTR. + +We noticed that most of the -EINTR on read(2) were due to real-time +signals sent by glibc to process wide credential changes (SIGRT_1), +and its signal handler had been established with SA_RESTART, in which +case those calls could have been automatically restarted by the +kernel. + +Let the kernel decide to whether or not restart the syscalls when +there is a signal pending in __smb_send_rqst() by returning +-ERESTARTSYS. If it can't, it will return -EINTR anyway. + +Signed-off-by: Paulo Alcantara (SUSE) +CC: Stable +Reviewed-by: Ronnie Sahlberg +Reviewed-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/transport.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -339,8 +339,8 @@ __smb_send_rqst(struct TCP_Server_Info * + return -EAGAIN; + + if (signal_pending(current)) { +- cifs_dbg(FYI, "signal is pending before sending any data\n"); +- return -EINTR; ++ cifs_dbg(FYI, "signal pending before send request\n"); ++ return -ERESTARTSYS; + } + + /* cork the socket */ diff --git a/queue-5.9/cifs-fix-potential-use-after-free-in-cifs_echo_request.patch b/queue-5.9/cifs-fix-potential-use-after-free-in-cifs_echo_request.patch new file mode 100644 index 00000000000..de9129f7969 --- /dev/null +++ b/queue-5.9/cifs-fix-potential-use-after-free-in-cifs_echo_request.patch @@ -0,0 +1,51 @@ +From 212253367dc7b49ed3fc194ce71b0992eacaecf2 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Sat, 28 Nov 2020 16:54:02 -0300 +Subject: cifs: fix potential use-after-free in cifs_echo_request() + +From: Paulo Alcantara + +commit 212253367dc7b49ed3fc194ce71b0992eacaecf2 upstream. + +This patch fixes a potential use-after-free bug in +cifs_echo_request(). + +For instance, + + thread 1 + -------- + cifs_demultiplex_thread() + clean_demultiplex_info() + kfree(server) + + thread 2 (workqueue) + -------- + apic_timer_interrupt() + smp_apic_timer_interrupt() + irq_exit() + __do_softirq() + run_timer_softirq() + call_timer_fn() + cifs_echo_request() <- use-after-free in server ptr + +Signed-off-by: Paulo Alcantara (SUSE) +CC: Stable +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/connect.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -935,6 +935,8 @@ static void clean_demultiplex_info(struc + list_del_init(&server->tcp_ses_list); + spin_unlock(&cifs_tcp_ses_lock); + ++ cancel_delayed_work_sync(&server->echo); ++ + spin_lock(&GlobalMid_Lock); + server->tcpStatus = CifsExiting; + spin_unlock(&GlobalMid_Lock); diff --git a/queue-5.9/cifs-refactor-create_sd_buf-and-and-avoid-corrupting-the-buffer.patch b/queue-5.9/cifs-refactor-create_sd_buf-and-and-avoid-corrupting-the-buffer.patch new file mode 100644 index 00000000000..c8878798177 --- /dev/null +++ b/queue-5.9/cifs-refactor-create_sd_buf-and-and-avoid-corrupting-the-buffer.patch @@ -0,0 +1,159 @@ +From ea64370bcae126a88cd26a16f1abcc23ab2b9a55 Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Mon, 30 Nov 2020 11:29:20 +1000 +Subject: cifs: refactor create_sd_buf() and and avoid corrupting the buffer + +From: Ronnie Sahlberg + +commit ea64370bcae126a88cd26a16f1abcc23ab2b9a55 upstream. + +When mounting with "idsfromsid" mount option, Azure +corrupted the owner SIDs due to excessive padding +caused by placing the owner fields at the end of the +security descriptor on create. Placing owners at the +front of the security descriptor (rather than the end) +is also safer, as the number of ACEs (that follow it) +are variable. + +Signed-off-by: Ronnie Sahlberg +Suggested-by: Rohith Surabattula +CC: Stable # v5.8 +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 69 ++++++++++++++++++++++++++++-------------------------- + fs/cifs/smb2pdu.h | 2 - + 2 files changed, 37 insertions(+), 34 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -2237,17 +2237,15 @@ static struct crt_sd_ctxt * + create_sd_buf(umode_t mode, bool set_owner, unsigned int *len) + { + struct crt_sd_ctxt *buf; +- struct cifs_ace *pace; +- unsigned int sdlen, acelen; ++ __u8 *ptr, *aclptr; ++ unsigned int acelen, acl_size, ace_count; + unsigned int owner_offset = 0; + unsigned int group_offset = 0; ++ struct smb3_acl acl; + +- *len = roundup(sizeof(struct crt_sd_ctxt) + (sizeof(struct cifs_ace) * 2), 8); ++ *len = roundup(sizeof(struct crt_sd_ctxt) + (sizeof(struct cifs_ace) * 4), 8); + + if (set_owner) { +- /* offset fields are from beginning of security descriptor not of create context */ +- owner_offset = sizeof(struct smb3_acl) + (sizeof(struct cifs_ace) * 2); +- + /* sizeof(struct owner_group_sids) is already multiple of 8 so no need to round */ + *len += sizeof(struct owner_group_sids); + } +@@ -2256,26 +2254,22 @@ create_sd_buf(umode_t mode, bool set_own + if (buf == NULL) + return buf; + ++ ptr = (__u8 *)&buf[1]; + if (set_owner) { ++ /* offset fields are from beginning of security descriptor not of create context */ ++ owner_offset = ptr - (__u8 *)&buf->sd; + buf->sd.OffsetOwner = cpu_to_le32(owner_offset); +- group_offset = owner_offset + sizeof(struct owner_sid); ++ group_offset = owner_offset + offsetof(struct owner_group_sids, group); + buf->sd.OffsetGroup = cpu_to_le32(group_offset); ++ ++ setup_owner_group_sids(ptr); ++ ptr += sizeof(struct owner_group_sids); + } else { + buf->sd.OffsetOwner = 0; + buf->sd.OffsetGroup = 0; + } + +- sdlen = sizeof(struct smb3_sd) + sizeof(struct smb3_acl) + +- 2 * sizeof(struct cifs_ace); +- if (set_owner) { +- sdlen += sizeof(struct owner_group_sids); +- setup_owner_group_sids(owner_offset + sizeof(struct create_context) + 8 /* name */ +- + (char *)buf); +- } +- +- buf->ccontext.DataOffset = cpu_to_le16(offsetof +- (struct crt_sd_ctxt, sd)); +- buf->ccontext.DataLength = cpu_to_le32(sdlen); ++ buf->ccontext.DataOffset = cpu_to_le16(offsetof(struct crt_sd_ctxt, sd)); + buf->ccontext.NameOffset = cpu_to_le16(offsetof(struct crt_sd_ctxt, Name)); + buf->ccontext.NameLength = cpu_to_le16(4); + /* SMB2_CREATE_SD_BUFFER_TOKEN is "SecD" */ +@@ -2284,6 +2278,7 @@ create_sd_buf(umode_t mode, bool set_own + buf->Name[2] = 'c'; + buf->Name[3] = 'D'; + buf->sd.Revision = 1; /* Must be one see MS-DTYP 2.4.6 */ ++ + /* + * ACL is "self relative" ie ACL is stored in contiguous block of memory + * and "DP" ie the DACL is present +@@ -2291,28 +2286,38 @@ create_sd_buf(umode_t mode, bool set_own + buf->sd.Control = cpu_to_le16(ACL_CONTROL_SR | ACL_CONTROL_DP); + + /* offset owner, group and Sbz1 and SACL are all zero */ +- buf->sd.OffsetDacl = cpu_to_le32(sizeof(struct smb3_sd)); +- buf->acl.AclRevision = ACL_REVISION; /* See 2.4.4.1 of MS-DTYP */ ++ buf->sd.OffsetDacl = cpu_to_le32(ptr - (__u8 *)&buf->sd); ++ /* Ship the ACL for now. we will copy it into buf later. */ ++ aclptr = ptr; ++ ptr += sizeof(struct cifs_acl); + + /* create one ACE to hold the mode embedded in reserved special SID */ +- pace = (struct cifs_ace *)(sizeof(struct crt_sd_ctxt) + (char *)buf); +- acelen = setup_special_mode_ACE(pace, (__u64)mode); ++ acelen = setup_special_mode_ACE((struct cifs_ace *)ptr, (__u64)mode); ++ ptr += acelen; ++ acl_size = acelen + sizeof(struct smb3_acl); ++ ace_count = 1; + + if (set_owner) { + /* we do not need to reallocate buffer to add the two more ACEs. plenty of space */ +- pace = (struct cifs_ace *)(acelen + (sizeof(struct crt_sd_ctxt) + (char *)buf)); +- acelen += setup_special_user_owner_ACE(pace); +- /* it does not appear necessary to add an ACE for the NFS group SID */ +- buf->acl.AceCount = cpu_to_le16(3); +- } else +- buf->acl.AceCount = cpu_to_le16(2); ++ acelen = setup_special_user_owner_ACE((struct cifs_ace *)ptr); ++ ptr += acelen; ++ acl_size += acelen; ++ ace_count += 1; ++ } + + /* and one more ACE to allow access for authenticated users */ +- pace = (struct cifs_ace *)(acelen + (sizeof(struct crt_sd_ctxt) + +- (char *)buf)); +- acelen += setup_authusers_ACE(pace); ++ acelen = setup_authusers_ACE((struct cifs_ace *)ptr); ++ ptr += acelen; ++ acl_size += acelen; ++ ace_count += 1; ++ ++ acl.AclRevision = ACL_REVISION; /* See 2.4.4.1 of MS-DTYP */ ++ acl.AclSize = cpu_to_le16(acl_size); ++ acl.AceCount = cpu_to_le16(ace_count); ++ memcpy(aclptr, &acl, sizeof(struct cifs_acl)); + +- buf->acl.AclSize = cpu_to_le16(sizeof(struct cifs_acl) + acelen); ++ buf->ccontext.DataLength = cpu_to_le32(ptr - (__u8 *)&buf->sd); ++ *len = ptr - (__u8 *)buf; + + return buf; + } +--- a/fs/cifs/smb2pdu.h ++++ b/fs/cifs/smb2pdu.h +@@ -900,8 +900,6 @@ struct crt_sd_ctxt { + struct create_context ccontext; + __u8 Name[8]; + struct smb3_sd sd; +- struct smb3_acl acl; +- /* Followed by at least 4 ACEs */ + } __packed; + + diff --git a/queue-5.9/coredump-fix-core_pattern-parse-error.patch b/queue-5.9/coredump-fix-core_pattern-parse-error.patch new file mode 100644 index 00000000000..d61b4bdb758 --- /dev/null +++ b/queue-5.9/coredump-fix-core_pattern-parse-error.patch @@ -0,0 +1,47 @@ +From 2bf509d96d84c3336d08375e8af34d1b85ee71c8 Mon Sep 17 00:00:00 2001 +From: Menglong Dong +Date: Sat, 5 Dec 2020 22:14:42 -0800 +Subject: coredump: fix core_pattern parse error + +From: Menglong Dong + +commit 2bf509d96d84c3336d08375e8af34d1b85ee71c8 upstream. + +'format_corename()' will splite 'core_pattern' on spaces when it is in +pipe mode, and take helper_argv[0] as the path to usermode executable. +It works fine in most cases. + +However, if there is a space between '|' and '/file/path', such as +'| /usr/lib/systemd/systemd-coredump %P %u %g', then helper_argv[0] will +be parsed as '', and users will get a 'Core dump to | disabled'. + +It is not friendly to users, as the pattern above was valid previously. +Fix this by ignoring the spaces between '|' and '/file/path'. + +Fixes: 315c69261dd3 ("coredump: split pipe command whitespace before expanding template") +Signed-off-by: Menglong Dong +Signed-off-by: Andrew Morton +Cc: Paul Wise +Cc: Jakub Wilk [https://bugs.debian.org/924398] +Cc: Neil Horman +Cc: +Link: https://lkml.kernel.org/r/5fb62870.1c69fb81.8ef5d.af76@mx.google.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/coredump.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/coredump.c ++++ b/fs/coredump.c +@@ -229,7 +229,8 @@ static int format_corename(struct core_n + */ + if (ispipe) { + if (isspace(*pat_ptr)) { +- was_space = true; ++ if (cn->used != 0) ++ was_space = true; + pat_ptr++; + continue; + } else if (was_space) { diff --git a/queue-5.9/dm-fix-bug-with-rcu-locking-in-dm_blk_report_zones.patch b/queue-5.9/dm-fix-bug-with-rcu-locking-in-dm_blk_report_zones.patch new file mode 100644 index 00000000000..b95e6637c38 --- /dev/null +++ b/queue-5.9/dm-fix-bug-with-rcu-locking-in-dm_blk_report_zones.patch @@ -0,0 +1,37 @@ +From 89478335718c98557f10470a9bc5c555b9261c4e Mon Sep 17 00:00:00 2001 +From: Sergei Shtepa +Date: Wed, 11 Nov 2020 15:55:46 +0300 +Subject: dm: fix bug with RCU locking in dm_blk_report_zones + +From: Sergei Shtepa + +commit 89478335718c98557f10470a9bc5c555b9261c4e upstream. + +The dm_get_live_table() function makes RCU read lock so +dm_put_live_table() must be called even if dm_table map is not found. + +Fixes: e76239a3748c9 ("block: add a report_zones method") +Cc: stable@vger.kernel.org +Signed-off-by: Sergei Shtepa +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -491,8 +491,10 @@ static int dm_blk_report_zones(struct ge + return -EAGAIN; + + map = dm_get_live_table(md, &srcu_idx); +- if (!map) +- return -EIO; ++ if (!map) { ++ ret = -EIO; ++ goto out; ++ } + + do { + struct dm_target *tgt; diff --git a/queue-5.9/dm-fix-double-rcu-unlock-in-dm_dax_zero_page_range-error-path.patch b/queue-5.9/dm-fix-double-rcu-unlock-in-dm_dax_zero_page_range-error-path.patch new file mode 100644 index 00000000000..afbcb693e2b --- /dev/null +++ b/queue-5.9/dm-fix-double-rcu-unlock-in-dm_dax_zero_page_range-error-path.patch @@ -0,0 +1,36 @@ +From f05c4403db5bba881d4964e731f6da35be46aabd Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Fri, 4 Dec 2020 15:19:27 -0500 +Subject: dm: fix double RCU unlock in dm_dax_zero_page_range() error path + +From: Mike Snitzer + +commit f05c4403db5bba881d4964e731f6da35be46aabd upstream. + +Remove redundant dm_put_live_table() in dm_dax_zero_page_range() error +path to fix sparse warning: +drivers/md/dm.c:1208:9: warning: context imbalance in 'dm_dax_zero_page_range' - unexpected unlock + +Fixes: cdf6cdcd3b99a ("dm,dax: Add dax zero_page_range operation") +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -1219,11 +1219,9 @@ static int dm_dax_zero_page_range(struct + * ->zero_page_range() is mandatory dax operation. If we are + * here, something is wrong. + */ +- dm_put_live_table(md, srcu_idx); + goto out; + } + ret = ti->type->dax_zero_page_range(ti, pgoff, nr_pages); +- + out: + dm_put_live_table(md, srcu_idx); + diff --git a/queue-5.9/dm-remove-invalid-sparse-__acquires-and-__releases-annotations.patch b/queue-5.9/dm-remove-invalid-sparse-__acquires-and-__releases-annotations.patch new file mode 100644 index 00000000000..191a7fc2f52 --- /dev/null +++ b/queue-5.9/dm-remove-invalid-sparse-__acquires-and-__releases-annotations.patch @@ -0,0 +1,40 @@ +From bde3808bc8c2741ad3d804f84720409aee0c2972 Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Fri, 4 Dec 2020 15:25:18 -0500 +Subject: dm: remove invalid sparse __acquires and __releases annotations + +From: Mike Snitzer + +commit bde3808bc8c2741ad3d804f84720409aee0c2972 upstream. + +Fixes sparse warnings: +drivers/md/dm.c:508:12: warning: context imbalance in 'dm_prepare_ioctl' - wrong count at exit +drivers/md/dm.c:543:13: warning: context imbalance in 'dm_unprepare_ioctl' - wrong count at exit + +Fixes: 971888c46993f ("dm: hold DM table for duration of ioctl rather than use blkdev_get") +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -524,7 +524,6 @@ out: + + static int dm_prepare_ioctl(struct mapped_device *md, int *srcu_idx, + struct block_device **bdev) +- __acquires(md->io_barrier) + { + struct dm_target *tgt; + struct dm_table *map; +@@ -558,7 +557,6 @@ retry: + } + + static void dm_unprepare_ioctl(struct mapped_device *md, int srcu_idx) +- __releases(md->io_barrier) + { + dm_put_live_table(md, srcu_idx); + } diff --git a/queue-5.9/dm-writecache-advance-the-number-of-arguments-when-reporting-max_age.patch b/queue-5.9/dm-writecache-advance-the-number-of-arguments-when-reporting-max_age.patch new file mode 100644 index 00000000000..c0e51f06aeb --- /dev/null +++ b/queue-5.9/dm-writecache-advance-the-number-of-arguments-when-reporting-max_age.patch @@ -0,0 +1,33 @@ +From e5d41cbca1b2036362c9e29d705d3a175a01eff8 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 10 Nov 2020 07:44:01 -0500 +Subject: dm writecache: advance the number of arguments when reporting max_age + +From: Mikulas Patocka + +commit e5d41cbca1b2036362c9e29d705d3a175a01eff8 upstream. + +When reporting the "max_age" value the number of arguments must +advance by two. + +Signed-off-by: Mikulas Patocka +Fixes: 3923d4854e18 ("dm writecache: implement gradual cleanup") +Cc: stable@vger.kernel.org # v5.7+ +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-writecache.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -2479,6 +2479,8 @@ static void writecache_status(struct dm_ + extra_args += 2; + if (wc->autocommit_time_set) + extra_args += 2; ++ if (wc->max_age != MAX_AGE_UNSPECIFIED) ++ extra_args += 2; + if (wc->cleaner) + extra_args++; + if (wc->writeback_fua_set) diff --git a/queue-5.9/dm-writecache-fix-the-maximum-number-of-arguments.patch b/queue-5.9/dm-writecache-fix-the-maximum-number-of-arguments.patch new file mode 100644 index 00000000000..7b1d478eb52 --- /dev/null +++ b/queue-5.9/dm-writecache-fix-the-maximum-number-of-arguments.patch @@ -0,0 +1,34 @@ +From 67aa3ec3dbc43d6e34401d9b2a40040ff7bb57af Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 10 Nov 2020 07:45:13 -0500 +Subject: dm writecache: fix the maximum number of arguments + +From: Mikulas Patocka + +commit 67aa3ec3dbc43d6e34401d9b2a40040ff7bb57af upstream. + +Advance the maximum number of arguments to 16. +This fixes issue where certain operations, combined with table +configured args, exceed 10 arguments. + +Signed-off-by: Mikulas Patocka +Fixes: 48debafe4f2f ("dm: add writecache target") +Cc: stable@vger.kernel.org # v4.18+ +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-writecache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -2041,7 +2041,7 @@ static int writecache_ctr(struct dm_targ + struct wc_memory_superblock s; + + static struct dm_arg _args[] = { +- {0, 10, "Invalid number of feature args"}, ++ {0, 16, "Invalid number of feature args"}, + }; + + as.argc = argc; diff --git a/queue-5.9/drm-amdgpu-vcn3.0-remove-old-dpg-workaround.patch b/queue-5.9/drm-amdgpu-vcn3.0-remove-old-dpg-workaround.patch new file mode 100644 index 00000000000..4f58557fad2 --- /dev/null +++ b/queue-5.9/drm-amdgpu-vcn3.0-remove-old-dpg-workaround.patch @@ -0,0 +1,47 @@ +From efd6d85a18102241538dd1cc257948a0dbe6fae6 Mon Sep 17 00:00:00 2001 +From: Boyuan Zhang +Date: Tue, 19 May 2020 11:38:44 -0400 +Subject: drm/amdgpu/vcn3.0: remove old DPG workaround + +From: Boyuan Zhang + +commit efd6d85a18102241538dd1cc257948a0dbe6fae6 upstream. + +Port from VCN2.5 +SCRATCH2 is used to keep decode wptr as a workaround +which fix a hardware DPG decode wptr update bug for +vcn2.5 beforehand. + +Signed-off-by: Boyuan Zhang +Reviewed-by: James Zhu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 5.9.x +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c +@@ -1587,9 +1587,6 @@ static int vcn_v3_0_pause_dpg_mode(struc + WREG32_SOC15(VCN, inst_idx, mmUVD_RB_RPTR2, lower_32_bits(ring->wptr)); + WREG32_SOC15(VCN, inst_idx, mmUVD_RB_WPTR2, lower_32_bits(ring->wptr)); + +- WREG32_SOC15(VCN, inst_idx, mmUVD_RBC_RB_WPTR, +- RREG32_SOC15(VCN, inst_idx, mmUVD_SCRATCH2) & 0x7FFFFFFF); +- + /* Unstall DPG */ + WREG32_P(SOC15_REG_OFFSET(VCN, inst_idx, mmUVD_POWER_STATUS), + 0, ~UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK); +@@ -1650,10 +1647,6 @@ static void vcn_v3_0_dec_ring_set_wptr(s + { + struct amdgpu_device *adev = ring->adev; + +- if (adev->pg_flags & AMD_PG_SUPPORT_VCN_DPG) +- WREG32_SOC15(VCN, ring->me, mmUVD_SCRATCH2, +- lower_32_bits(ring->wptr) | 0x80000000); +- + if (ring->use_doorbell) { + adev->wb.wb[ring->wptr_offs] = lower_32_bits(ring->wptr); + WDOORBELL32(ring->doorbell_index, lower_32_bits(ring->wptr)); diff --git a/queue-5.9/drm-amdgpu-vcn3.0-stall-dpg-when-wptr-rptr-reset.patch b/queue-5.9/drm-amdgpu-vcn3.0-stall-dpg-when-wptr-rptr-reset.patch new file mode 100644 index 00000000000..bd8f05dee99 --- /dev/null +++ b/queue-5.9/drm-amdgpu-vcn3.0-stall-dpg-when-wptr-rptr-reset.patch @@ -0,0 +1,82 @@ +From ac2db9488cf21de0be7899c1e5963e5ac0ff351f Mon Sep 17 00:00:00 2001 +From: Boyuan Zhang +Date: Sun, 10 May 2020 15:47:03 -0400 +Subject: drm/amdgpu/vcn3.0: stall DPG when WPTR/RPTR reset + +From: Boyuan Zhang + +commit ac2db9488cf21de0be7899c1e5963e5ac0ff351f upstream. + +Port from VCN2.5 +Add vcn dpg harware synchronization to fix race condition +issue between vcn driver and hardware. + +Signed-off-by: Boyuan Zhang +Reviewed-by: James Zhu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 5.9.x +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c +@@ -1011,6 +1011,11 @@ static int vcn_v3_0_start_dpg_mode(struc + tmp = REG_SET_FIELD(tmp, UVD_RBC_RB_CNTL, RB_RPTR_WR_EN, 1); + WREG32_SOC15(VCN, inst_idx, mmUVD_RBC_RB_CNTL, tmp); + ++ /* Stall DPG before WPTR/RPTR reset */ ++ WREG32_P(SOC15_REG_OFFSET(VCN, inst_idx, mmUVD_POWER_STATUS), ++ UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK, ++ ~UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK); ++ + /* set the write pointer delay */ + WREG32_SOC15(VCN, inst_idx, mmUVD_RBC_RB_WPTR_CNTL, 0); + +@@ -1033,6 +1038,10 @@ static int vcn_v3_0_start_dpg_mode(struc + WREG32_SOC15(VCN, inst_idx, mmUVD_RBC_RB_WPTR, + lower_32_bits(ring->wptr)); + ++ /* Unstall DPG */ ++ WREG32_P(SOC15_REG_OFFSET(VCN, inst_idx, mmUVD_POWER_STATUS), ++ 0, ~UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK); ++ + return 0; + } + +@@ -1556,8 +1565,14 @@ static int vcn_v3_0_pause_dpg_mode(struc + UVD_DPG_PAUSE__NJ_PAUSE_DPG_ACK_MASK, + UVD_DPG_PAUSE__NJ_PAUSE_DPG_ACK_MASK); + ++ /* Stall DPG before WPTR/RPTR reset */ ++ WREG32_P(SOC15_REG_OFFSET(VCN, inst_idx, mmUVD_POWER_STATUS), ++ UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK, ++ ~UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK); ++ + /* Restore */ + ring = &adev->vcn.inst[inst_idx].ring_enc[0]; ++ ring->wptr = 0; + WREG32_SOC15(VCN, inst_idx, mmUVD_RB_BASE_LO, ring->gpu_addr); + WREG32_SOC15(VCN, inst_idx, mmUVD_RB_BASE_HI, upper_32_bits(ring->gpu_addr)); + WREG32_SOC15(VCN, inst_idx, mmUVD_RB_SIZE, ring->ring_size / 4); +@@ -1565,6 +1580,7 @@ static int vcn_v3_0_pause_dpg_mode(struc + WREG32_SOC15(VCN, inst_idx, mmUVD_RB_WPTR, lower_32_bits(ring->wptr)); + + ring = &adev->vcn.inst[inst_idx].ring_enc[1]; ++ ring->wptr = 0; + WREG32_SOC15(VCN, inst_idx, mmUVD_RB_BASE_LO2, ring->gpu_addr); + WREG32_SOC15(VCN, inst_idx, mmUVD_RB_BASE_HI2, upper_32_bits(ring->gpu_addr)); + WREG32_SOC15(VCN, inst_idx, mmUVD_RB_SIZE2, ring->ring_size / 4); +@@ -1574,6 +1590,10 @@ static int vcn_v3_0_pause_dpg_mode(struc + WREG32_SOC15(VCN, inst_idx, mmUVD_RBC_RB_WPTR, + RREG32_SOC15(VCN, inst_idx, mmUVD_SCRATCH2) & 0x7FFFFFFF); + ++ /* Unstall DPG */ ++ WREG32_P(SOC15_REG_OFFSET(VCN, inst_idx, mmUVD_POWER_STATUS), ++ 0, ~UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK); ++ + SOC15_WAIT_ON_RREG(VCN, inst_idx, mmUVD_POWER_STATUS, + UVD_PGFSM_CONFIG__UVDM_UVDU_PWR_ON, UVD_POWER_STATUS__UVD_POWER_STATUS_MASK); + } diff --git a/queue-5.9/drm-i915-gt-limit-frequency-drop-to-rpe-on-parking.patch b/queue-5.9/drm-i915-gt-limit-frequency-drop-to-rpe-on-parking.patch new file mode 100644 index 00000000000..8a3059fa0a3 --- /dev/null +++ b/queue-5.9/drm-i915-gt-limit-frequency-drop-to-rpe-on-parking.patch @@ -0,0 +1,55 @@ +From aff76ab795364569b1cac58c1d0bc7df956e3899 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Tue, 24 Nov 2020 18:35:21 +0000 +Subject: drm/i915/gt: Limit frequency drop to RPe on parking + +From: Chris Wilson + +commit aff76ab795364569b1cac58c1d0bc7df956e3899 upstream. + +We treat idling the GT (intel_rps_park) as a downclock event, and reduce +the frequency we intend to restart the GT with. Since the two workloads +are likely related (e.g. a compositor rendering every 16ms), we want to +carry the frequency and load information from across the idling. +However, we do also need to update the frequencies so that workloads +that run for less than 1ms are autotuned by RPS (otherwise we leave +compositors running at max clocks, draining excess power). Conversely, +if we try to run too slowly, the next workload has to run longer. Since +there is a hysteresis in the power graph, below a certain frequency +running a short workload for longer consumes more energy than running it +slightly higher for less time. The exact balance point is unknown +beforehand, but measurements with 30fps media playback indicate that RPe +is a better choice. + +Reported-by: Edward Baker +Tested-by: Edward Baker +Fixes: 043cd2d14ede ("drm/i915/gt: Leave rps->cur_freq on unpark") +Signed-off-by: Chris Wilson +Cc: Edward Baker +Cc: Andi Shyti +Cc: Lyude Paul +Cc: # v5.8+ +Reviewed-by: Rodrigo Vivi +Reviewed-by: Andi Shyti +Link: https://patchwork.freedesktop.org/patch/msgid/20201124183521.28623-1-chris@chris-wilson.co.uk +(cherry picked from commit f7ed83cc1925f0b8ce2515044d674354035c3af9) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gt/intel_rps.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/i915/gt/intel_rps.c ++++ b/drivers/gpu/drm/i915/gt/intel_rps.c +@@ -882,6 +882,10 @@ void intel_rps_park(struct intel_rps *rp + adj = -2; + rps->last_adj = adj; + rps->cur_freq = max_t(int, rps->cur_freq + adj, rps->min_freq); ++ if (rps->cur_freq < rps->efficient_freq) { ++ rps->cur_freq = rps->efficient_freq; ++ rps->last_adj = 0; ++ } + + GT_TRACE(rps_to_gt(rps), "park:%x\n", rps->cur_freq); + } diff --git a/queue-5.9/drm-i915-gt-program-mocs-63-for-cache-eviction-on-gen9.patch b/queue-5.9/drm-i915-gt-program-mocs-63-for-cache-eviction-on-gen9.patch new file mode 100644 index 00000000000..7c46dd9bf1d --- /dev/null +++ b/queue-5.9/drm-i915-gt-program-mocs-63-for-cache-eviction-on-gen9.patch @@ -0,0 +1,63 @@ +From 777a7717d60ccdc9b84f35074f848d3f746fc3bf Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Thu, 26 Nov 2020 14:08:41 +0000 +Subject: drm/i915/gt: Program mocs:63 for cache eviction on gen9 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chris Wilson + +commit 777a7717d60ccdc9b84f35074f848d3f746fc3bf upstream. + +Ville noticed that the last mocs entry is used unconditionally by the HW +when it performs cache evictions, and noted that while the value is not +meant to be writable by the driver, we should program it to a reasonable +value nevertheless. + +As it turns out, we can change the value of mocs:63 and the value we +were programming into it would cause hard hangs in conjunction with +atomic operations. + +v2: Add details from bspec about how it is used by HW + +Suggested-by: Ville Syrjälä +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/2707 +Fixes: 3bbaba0ceaa2 ("drm/i915: Added Programming of the MOCS") +Signed-off-by: Chris Wilson +Cc: Ville Syrjälä +Cc: Jason Ekstrand +Cc: # v4.3+ +Reviewed-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20201126140841.1982-1-chris@chris-wilson.co.uk +(cherry picked from commit 977933b5da7c16f39295c4c1d4259a58ece65dbe) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gt/intel_mocs.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/gt/intel_mocs.c ++++ b/drivers/gpu/drm/i915/gt/intel_mocs.c +@@ -131,7 +131,19 @@ static const struct drm_i915_mocs_entry + GEN9_MOCS_ENTRIES, + MOCS_ENTRY(I915_MOCS_CACHED, + LE_3_WB | LE_TC_2_LLC_ELLC | LE_LRUM(3), +- L3_3_WB) ++ L3_3_WB), ++ ++ /* ++ * mocs:63 ++ * - used by the L3 for all of its evictions. ++ * Thus it is expected to allow LLC cacheability to enable coherent ++ * flows to be maintained. ++ * - used to force L3 uncachable cycles. ++ * Thus it is expected to make the surface L3 uncacheable. ++ */ ++ MOCS_ENTRY(63, ++ LE_3_WB | LE_TC_1_LLC | LE_LRUM(3), ++ L3_1_UC) + }; + + /* NOTE: the LE_TGT_CACHE is not used on Broxton */ diff --git a/queue-5.9/drm-i915-gt-retain-default-context-state-across-shrinking.patch b/queue-5.9/drm-i915-gt-retain-default-context-state-across-shrinking.patch new file mode 100644 index 00000000000..a96e7a20a1c --- /dev/null +++ b/queue-5.9/drm-i915-gt-retain-default-context-state-across-shrinking.patch @@ -0,0 +1,56 @@ +From 78b2eb8a1f10f366681acad8d21c974c1f66791a Mon Sep 17 00:00:00 2001 +From: Venkata Ramana Nayana +Date: Fri, 27 Nov 2020 12:07:16 +0000 +Subject: drm/i915/gt: Retain default context state across shrinking + +From: Venkata Ramana Nayana + +commit 78b2eb8a1f10f366681acad8d21c974c1f66791a upstream. + +As we use a shmemfs file to hold the context state, when not in use it +may be swapped out, such as across suspend. Since we wrote into the +shmemfs without marking the pages as dirty, the contents may be dropped +instead of being written back to swap. On re-using the shmemfs file, +such as creating a new context after resume, the contents of that file +were likely garbage and so the new context could then hang the GPU. + +Simply mark the page as being written when copying into the shmemfs +file, and it the new contents will be retained across swapout. + +Fixes: be1cb55a07bf ("drm/i915/gt: Keep a no-frills swappable copy of the default context state") +Cc: Sudeep Dutt +Cc: Matthew Auld +Cc: Tvrtko Ursulin +Cc: Ramalingam C +Signed-off-by: CQ Tang +Signed-off-by: Venkata Ramana Nayana +Reviewed-by: Chris Wilson +Signed-off-by: Chris Wilson +Cc: # v5.8+ +Link: https://patchwork.freedesktop.org/patch/msgid/20201127120718.454037-161-matthew.auld@intel.com +(cherry picked from commit a9d71f76ccfd309f3bd5f7c9b60e91a4decae792) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gt/shmem_utils.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/gt/shmem_utils.c ++++ b/drivers/gpu/drm/i915/gt/shmem_utils.c +@@ -143,10 +143,13 @@ static int __shmem_rw(struct file *file, + return PTR_ERR(page); + + vaddr = kmap(page); +- if (write) ++ if (write) { + memcpy(vaddr + offset_in_page(off), ptr, this); +- else ++ set_page_dirty(page); ++ } else { + memcpy(ptr, vaddr + offset_in_page(off), this); ++ } ++ mark_page_accessed(page); + kunmap(page); + put_page(page); + diff --git a/queue-5.9/drm-omap-sdi-fix-bridge-enable-disable.patch b/queue-5.9/drm-omap-sdi-fix-bridge-enable-disable.patch new file mode 100644 index 00000000000..3ee604c79ea --- /dev/null +++ b/queue-5.9/drm-omap-sdi-fix-bridge-enable-disable.patch @@ -0,0 +1,66 @@ +From fd4e788e971ce763e50762d7b1a0048992949dd0 Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen +Date: Fri, 27 Nov 2020 10:52:41 +0200 +Subject: drm/omap: sdi: fix bridge enable/disable + +From: Tomi Valkeinen + +commit fd4e788e971ce763e50762d7b1a0048992949dd0 upstream. + +When the SDI output was converted to DRM bridge, the atomic versions of +enable and disable funcs were used. This was not intended, as that would +require implementing other atomic funcs too. This leads to: + +WARNING: CPU: 0 PID: 18 at drivers/gpu/drm/drm_bridge.c:708 drm_atomic_helper_commit_modeset_enables+0x134/0x268 + +and display not working. + +Fix this by using the legacy enable/disable funcs. + +Fixes: 8bef8a6d5da81b909a190822b96805a47348146f ("drm/omap: sdi: Register a drm_bridge") +Reported-by: Aaro Koskinen +Signed-off-by: Tomi Valkeinen +Tested-by: Ivaylo Dimitrov +Tested-by: Aaro Koskinen +Reviewed-by: Laurent Pinchart +Cc: stable@vger.kernel.org # v5.7+ +Link: https://patchwork.freedesktop.org/patch/msgid/20201127085241.848461-1-tomi.valkeinen@ti.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/omapdrm/dss/sdi.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/omapdrm/dss/sdi.c ++++ b/drivers/gpu/drm/omapdrm/dss/sdi.c +@@ -195,8 +195,7 @@ static void sdi_bridge_mode_set(struct d + sdi->pixelclock = adjusted_mode->clock * 1000; + } + +-static void sdi_bridge_enable(struct drm_bridge *bridge, +- struct drm_bridge_state *bridge_state) ++static void sdi_bridge_enable(struct drm_bridge *bridge) + { + struct sdi_device *sdi = drm_bridge_to_sdi(bridge); + struct dispc_clock_info dispc_cinfo; +@@ -259,8 +258,7 @@ err_get_dispc: + regulator_disable(sdi->vdds_sdi_reg); + } + +-static void sdi_bridge_disable(struct drm_bridge *bridge, +- struct drm_bridge_state *bridge_state) ++static void sdi_bridge_disable(struct drm_bridge *bridge) + { + struct sdi_device *sdi = drm_bridge_to_sdi(bridge); + +@@ -278,8 +276,8 @@ static const struct drm_bridge_funcs sdi + .mode_valid = sdi_bridge_mode_valid, + .mode_fixup = sdi_bridge_mode_fixup, + .mode_set = sdi_bridge_mode_set, +- .atomic_enable = sdi_bridge_enable, +- .atomic_disable = sdi_bridge_disable, ++ .enable = sdi_bridge_enable, ++ .disable = sdi_bridge_disable, + }; + + static void sdi_bridge_init(struct sdi_device *sdi) diff --git a/queue-5.9/ftrace-fix-dynamic_ftrace_with_direct_calls-dependency.patch b/queue-5.9/ftrace-fix-dynamic_ftrace_with_direct_calls-dependency.patch new file mode 100644 index 00000000000..ba2020d1b0d --- /dev/null +++ b/queue-5.9/ftrace-fix-dynamic_ftrace_with_direct_calls-dependency.patch @@ -0,0 +1,35 @@ +From 49a962c075dfa41c78e34784772329bc8784d217 Mon Sep 17 00:00:00 2001 +From: "Naveen N. Rao" +Date: Thu, 26 Nov 2020 23:38:39 +0530 +Subject: ftrace: Fix DYNAMIC_FTRACE_WITH_DIRECT_CALLS dependency + +From: Naveen N. Rao + +commit 49a962c075dfa41c78e34784772329bc8784d217 upstream. + +DYNAMIC_FTRACE_WITH_DIRECT_CALLS should depend on +DYNAMIC_FTRACE_WITH_REGS since we need ftrace_regs_caller(). + +Link: https://lkml.kernel.org/r/fc4b257ea8689a36f086d2389a9ed989496ca63a.1606412433.git.naveen.n.rao@linux.vnet.ibm.com + +Cc: stable@vger.kernel.org +Fixes: 763e34e74bb7d5c ("ftrace: Add register_ftrace_direct()") +Signed-off-by: Naveen N. Rao +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/Kconfig ++++ b/kernel/trace/Kconfig +@@ -202,7 +202,7 @@ config DYNAMIC_FTRACE_WITH_REGS + + config DYNAMIC_FTRACE_WITH_DIRECT_CALLS + def_bool y +- depends on DYNAMIC_FTRACE ++ depends on DYNAMIC_FTRACE_WITH_REGS + depends on HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS + + config FUNCTION_PROFILER diff --git a/queue-5.9/ftrace-fix-updating-ftrace_fl_tramp.patch b/queue-5.9/ftrace-fix-updating-ftrace_fl_tramp.patch new file mode 100644 index 00000000000..27b95b894d2 --- /dev/null +++ b/queue-5.9/ftrace-fix-updating-ftrace_fl_tramp.patch @@ -0,0 +1,86 @@ +From 4c75b0ff4e4bf7a45b5aef9639799719c28d0073 Mon Sep 17 00:00:00 2001 +From: "Naveen N. Rao" +Date: Thu, 26 Nov 2020 23:38:38 +0530 +Subject: ftrace: Fix updating FTRACE_FL_TRAMP + +From: Naveen N. Rao + +commit 4c75b0ff4e4bf7a45b5aef9639799719c28d0073 upstream. + +On powerpc, kprobe-direct.tc triggered FTRACE_WARN_ON() in +ftrace_get_addr_new() followed by the below message: + Bad trampoline accounting at: 000000004222522f (wake_up_process+0xc/0x20) (f0000001) + +The set of steps leading to this involved: +- modprobe ftrace-direct-too +- enable_probe +- modprobe ftrace-direct +- rmmod ftrace-direct <-- trigger + +The problem turned out to be that we were not updating flags in the +ftrace record properly. From the above message about the trampoline +accounting being bad, it can be seen that the ftrace record still has +FTRACE_FL_TRAMP set though ftrace-direct module is going away. This +happens because we are checking if any ftrace_ops has the +FTRACE_FL_TRAMP flag set _before_ updating the filter hash. + +The fix for this is to look for any _other_ ftrace_ops that also needs +FTRACE_FL_TRAMP. + +Link: https://lkml.kernel.org/r/56c113aa9c3e10c19144a36d9684c7882bf09af5.1606412433.git.naveen.n.rao@linux.vnet.ibm.com + +Cc: stable@vger.kernel.org +Fixes: a124692b698b0 ("ftrace: Enable trampoline when rec count returns back to one") +Signed-off-by: Naveen N. Rao +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -1629,6 +1629,8 @@ static bool test_rec_ops_needs_regs(stru + static struct ftrace_ops * + ftrace_find_tramp_ops_any(struct dyn_ftrace *rec); + static struct ftrace_ops * ++ftrace_find_tramp_ops_any_other(struct dyn_ftrace *rec, struct ftrace_ops *op_exclude); ++static struct ftrace_ops * + ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops); + + static bool __ftrace_hash_rec_update(struct ftrace_ops *ops, +@@ -1778,7 +1780,7 @@ static bool __ftrace_hash_rec_update(str + * to it. + */ + if (ftrace_rec_count(rec) == 1 && +- ftrace_find_tramp_ops_any(rec)) ++ ftrace_find_tramp_ops_any_other(rec, ops)) + rec->flags |= FTRACE_FL_TRAMP; + else + rec->flags &= ~FTRACE_FL_TRAMP; +@@ -2238,6 +2240,24 @@ ftrace_find_tramp_ops_any(struct dyn_ftr + continue; + + if (hash_contains_ip(ip, op->func_hash)) ++ return op; ++ } while_for_each_ftrace_op(op); ++ ++ return NULL; ++} ++ ++static struct ftrace_ops * ++ftrace_find_tramp_ops_any_other(struct dyn_ftrace *rec, struct ftrace_ops *op_exclude) ++{ ++ struct ftrace_ops *op; ++ unsigned long ip = rec->ip; ++ ++ do_for_each_ftrace_op(op, ftrace_ops_list) { ++ ++ if (op == op_exclude || !op->trampoline) ++ continue; ++ ++ if (hash_contains_ip(ip, op->func_hash)) + return op; + } while_for_each_ftrace_op(op); + diff --git a/queue-5.9/gfs2-fix-deadlock-between-gfs2_-create_inode-inode_lookup-and-delete_work_func.patch b/queue-5.9/gfs2-fix-deadlock-between-gfs2_-create_inode-inode_lookup-and-delete_work_func.patch new file mode 100644 index 00000000000..6e9318bfa78 --- /dev/null +++ b/queue-5.9/gfs2-fix-deadlock-between-gfs2_-create_inode-inode_lookup-and-delete_work_func.patch @@ -0,0 +1,93 @@ +From dd0ecf544125639e54056d851e4887dbb94b6d2f Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Mon, 30 Nov 2020 16:07:25 +0100 +Subject: gfs2: Fix deadlock between gfs2_{create_inode,inode_lookup} and delete_work_func + +From: Andreas Gruenbacher + +commit dd0ecf544125639e54056d851e4887dbb94b6d2f upstream. + +In gfs2_create_inode and gfs2_inode_lookup, make sure to cancel any pending +delete work before taking the inode glock. Otherwise, gfs2_cancel_delete_work +may block waiting for delete_work_func to complete, and delete_work_func may +block trying to acquire the inode glock in gfs2_inode_lookup. + +Reported-by: Alexander Aring +Fixes: a0e3cc65fa29 ("gfs2: Turn gl_delete into a delayed work") +Cc: stable@vger.kernel.org # v5.8+ +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/inode.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/fs/gfs2/inode.c ++++ b/fs/gfs2/inode.c +@@ -150,6 +150,8 @@ struct inode *gfs2_inode_lookup(struct s + error = gfs2_glock_get(sdp, no_addr, &gfs2_iopen_glops, CREATE, &io_gl); + if (unlikely(error)) + goto fail; ++ if (blktype != GFS2_BLKST_UNLINKED) ++ gfs2_cancel_delete_work(io_gl); + + if (type == DT_UNKNOWN || blktype != GFS2_BLKST_FREE) { + /* +@@ -180,8 +182,6 @@ struct inode *gfs2_inode_lookup(struct s + error = gfs2_glock_nq_init(io_gl, LM_ST_SHARED, GL_EXACT, &ip->i_iopen_gh); + if (unlikely(error)) + goto fail; +- if (blktype != GFS2_BLKST_UNLINKED) +- gfs2_cancel_delete_work(ip->i_iopen_gh.gh_gl); + glock_set_object(ip->i_iopen_gh.gh_gl, ip); + gfs2_glock_put(io_gl); + io_gl = NULL; +@@ -725,13 +725,19 @@ static int gfs2_create_inode(struct inod + flush_delayed_work(&ip->i_gl->gl_work); + glock_set_object(ip->i_gl, ip); + +- error = gfs2_glock_nq_init(ip->i_gl, LM_ST_EXCLUSIVE, GL_SKIP, ghs + 1); ++ error = gfs2_glock_get(sdp, ip->i_no_addr, &gfs2_iopen_glops, CREATE, &io_gl); + if (error) + goto fail_free_inode; ++ gfs2_cancel_delete_work(io_gl); ++ glock_set_object(io_gl, ip); ++ ++ error = gfs2_glock_nq_init(ip->i_gl, LM_ST_EXCLUSIVE, GL_SKIP, ghs + 1); ++ if (error) ++ goto fail_gunlock2; + + error = gfs2_trans_begin(sdp, blocks, 0); + if (error) +- goto fail_free_inode; ++ goto fail_gunlock2; + + if (blocks > 1) { + ip->i_eattr = ip->i_no_addr + 1; +@@ -740,18 +746,12 @@ static int gfs2_create_inode(struct inod + init_dinode(dip, ip, symname); + gfs2_trans_end(sdp); + +- error = gfs2_glock_get(sdp, ip->i_no_addr, &gfs2_iopen_glops, CREATE, &io_gl); +- if (error) +- goto fail_free_inode; +- + BUG_ON(test_and_set_bit(GLF_INODE_CREATING, &io_gl->gl_flags)); + + error = gfs2_glock_nq_init(io_gl, LM_ST_SHARED, GL_EXACT, &ip->i_iopen_gh); + if (error) + goto fail_gunlock2; + +- gfs2_cancel_delete_work(ip->i_iopen_gh.gh_gl); +- glock_set_object(ip->i_iopen_gh.gh_gl, ip); + gfs2_set_iop(inode); + insert_inode_hash(inode); + +@@ -803,6 +803,7 @@ fail_gunlock3: + gfs2_glock_dq_uninit(&ip->i_iopen_gh); + fail_gunlock2: + clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags); ++ glock_clear_object(io_gl, ip); + gfs2_glock_put(io_gl); + fail_free_inode: + if (ip->i_gl) { diff --git a/queue-5.9/gfs2-upgrade-shared-glocks-for-atime-updates.patch b/queue-5.9/gfs2-upgrade-shared-glocks-for-atime-updates.patch new file mode 100644 index 00000000000..75f310d0ff0 --- /dev/null +++ b/queue-5.9/gfs2-upgrade-shared-glocks-for-atime-updates.patch @@ -0,0 +1,74 @@ +From 82e938bd5382b322ce81e6cb8fd030987f2da022 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Wed, 25 Nov 2020 23:37:18 +0100 +Subject: gfs2: Upgrade shared glocks for atime updates + +From: Andreas Gruenbacher + +commit 82e938bd5382b322ce81e6cb8fd030987f2da022 upstream. + +Commit 20f829999c38 ("gfs2: Rework read and page fault locking") lifted +the glock lock taking from the low-level ->readpage and ->readahead +address space operations to the higher-level ->read_iter file and +->fault vm operations. The glocks are still taken in LM_ST_SHARED mode +only. On filesystems mounted without the noatime option, ->read_iter +sometimes needs to update the atime as well, though. Right now, this +leads to a failed locking mode assertion in gfs2_dirty_inode. + +Fix that by introducing a new update_time inode operation. There, if +the glock is held non-exclusively, upgrade it to an exclusive lock. + +Reported-by: Alexander Aring +Fixes: 20f829999c38 ("gfs2: Rework read and page fault locking") +Cc: stable@vger.kernel.org # v5.8+ +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/inode.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/fs/gfs2/inode.c ++++ b/fs/gfs2/inode.c +@@ -2116,6 +2116,25 @@ loff_t gfs2_seek_hole(struct file *file, + return vfs_setpos(file, ret, inode->i_sb->s_maxbytes); + } + ++static int gfs2_update_time(struct inode *inode, struct timespec64 *time, ++ int flags) ++{ ++ struct gfs2_inode *ip = GFS2_I(inode); ++ struct gfs2_glock *gl = ip->i_gl; ++ struct gfs2_holder *gh; ++ int error; ++ ++ gh = gfs2_glock_is_locked_by_me(gl); ++ if (gh && !gfs2_glock_is_held_excl(gl)) { ++ gfs2_glock_dq(gh); ++ gfs2_holder_reinit(LM_ST_EXCLUSIVE, 0, gh); ++ error = gfs2_glock_nq(gh); ++ if (error) ++ return error; ++ } ++ return generic_update_time(inode, time, flags); ++} ++ + const struct inode_operations gfs2_file_iops = { + .permission = gfs2_permission, + .setattr = gfs2_setattr, +@@ -2124,6 +2143,7 @@ const struct inode_operations gfs2_file_ + .fiemap = gfs2_fiemap, + .get_acl = gfs2_get_acl, + .set_acl = gfs2_set_acl, ++ .update_time = gfs2_update_time, + }; + + const struct inode_operations gfs2_dir_iops = { +@@ -2143,6 +2163,7 @@ const struct inode_operations gfs2_dir_i + .fiemap = gfs2_fiemap, + .get_acl = gfs2_get_acl, + .set_acl = gfs2_set_acl, ++ .update_time = gfs2_update_time, + .atomic_open = gfs2_atomic_open, + }; + diff --git a/queue-5.9/i2c-imx-check-for-i2sr_ial-after-every-byte.patch b/queue-5.9/i2c-imx-check-for-i2sr_ial-after-every-byte.patch new file mode 100644 index 00000000000..7a16baa5040 --- /dev/null +++ b/queue-5.9/i2c-imx-check-for-i2sr_ial-after-every-byte.patch @@ -0,0 +1,46 @@ +From 1de67a3dee7a279ebe4d892b359fe3696938ec15 Mon Sep 17 00:00:00 2001 +From: Christian Eggers +Date: Fri, 9 Oct 2020 13:03:19 +0200 +Subject: i2c: imx: Check for I2SR_IAL after every byte + +From: Christian Eggers + +commit 1de67a3dee7a279ebe4d892b359fe3696938ec15 upstream. + +Arbitration Lost (IAL) can happen after every single byte transfer. If +arbitration is lost, the I2C hardware will autonomously switch from +master mode to slave. If a transfer is not aborted in this state, +consecutive transfers will not be executed by the hardware and will +timeout. + +Signed-off-by: Christian Eggers +Tested (not extensively) on Vybrid VF500 (Toradex VF50): +Tested-by: Krzysztof Kozlowski +Acked-by: Oleksij Rempel +Cc: stable@vger.kernel.org +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-imx.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/i2c/busses/i2c-imx.c ++++ b/drivers/i2c/busses/i2c-imx.c +@@ -490,6 +490,16 @@ static int i2c_imx_trx_complete(struct i + dev_dbg(&i2c_imx->adapter.dev, "<%s> Timeout\n", __func__); + return -ETIMEDOUT; + } ++ ++ /* check for arbitration lost */ ++ if (i2c_imx->i2csr & I2SR_IAL) { ++ dev_dbg(&i2c_imx->adapter.dev, "<%s> Arbitration lost\n", __func__); ++ i2c_imx_clear_irq(i2c_imx, I2SR_IAL); ++ ++ i2c_imx->i2csr = 0; ++ return -EAGAIN; ++ } ++ + dev_dbg(&i2c_imx->adapter.dev, "<%s> TRX complete\n", __func__); + i2c_imx->i2csr = 0; + return 0; diff --git a/queue-5.9/i2c-imx-don-t-generate-stop-condition-if-arbitration-has-been-lost.patch b/queue-5.9/i2c-imx-don-t-generate-stop-condition-if-arbitration-has-been-lost.patch new file mode 100644 index 00000000000..97afc1f2dd4 --- /dev/null +++ b/queue-5.9/i2c-imx-don-t-generate-stop-condition-if-arbitration-has-been-lost.patch @@ -0,0 +1,69 @@ +From 61e6fe59ede155881a622f5901551b1cc8748f6a Mon Sep 17 00:00:00 2001 +From: Christian Eggers +Date: Fri, 9 Oct 2020 13:03:20 +0200 +Subject: i2c: imx: Don't generate STOP condition if arbitration has been lost + +From: Christian Eggers + +commit 61e6fe59ede155881a622f5901551b1cc8748f6a upstream. + +If arbitration is lost, the master automatically changes to slave mode. +I2SR_IBB may or may not be reset by hardware. Raising a STOP condition +by resetting I2CR_MSTA has no effect and will not clear I2SR_IBB. + +So calling i2c_imx_bus_busy() is not required and would busy-wait until +timeout. + +Signed-off-by: Christian Eggers +Tested (not extensively) on Vybrid VF500 (Toradex VF50): +Tested-by: Krzysztof Kozlowski +Acked-by: Oleksij Rempel +Cc: stable@vger.kernel.org # Requires trivial backporting, simple remove + # the 3rd argument from the calls to + # i2c_imx_bus_busy(). +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-imx.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-imx.c ++++ b/drivers/i2c/busses/i2c-imx.c +@@ -615,6 +615,8 @@ static void i2c_imx_stop(struct imx_i2c_ + /* Stop I2C transaction */ + dev_dbg(&i2c_imx->adapter.dev, "<%s>\n", __func__); + temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR); ++ if (!(temp & I2CR_MSTA)) ++ i2c_imx->stopped = 1; + temp &= ~(I2CR_MSTA | I2CR_MTX); + if (i2c_imx->dma) + temp &= ~I2CR_DMAEN; +@@ -778,9 +780,12 @@ static int i2c_imx_dma_read(struct imx_i + */ + dev_dbg(dev, "<%s> clear MSTA\n", __func__); + temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR); ++ if (!(temp & I2CR_MSTA)) ++ i2c_imx->stopped = 1; + temp &= ~(I2CR_MSTA | I2CR_MTX); + imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR); +- i2c_imx_bus_busy(i2c_imx, 0, false); ++ if (!i2c_imx->stopped) ++ i2c_imx_bus_busy(i2c_imx, 0, false); + } else { + /* + * For i2c master receiver repeat restart operation like: +@@ -905,9 +910,12 @@ static int i2c_imx_read(struct imx_i2c_s + dev_dbg(&i2c_imx->adapter.dev, + "<%s> clear MSTA\n", __func__); + temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR); ++ if (!(temp & I2CR_MSTA)) ++ i2c_imx->stopped = 1; + temp &= ~(I2CR_MSTA | I2CR_MTX); + imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR); +- i2c_imx_bus_busy(i2c_imx, 0, atomic); ++ if (!i2c_imx->stopped) ++ i2c_imx_bus_busy(i2c_imx, 0, atomic); + } else { + /* + * For i2c master receiver repeat restart operation like: diff --git a/queue-5.9/i2c-imx-fix-reset-of-i2sr_ial-flag.patch b/queue-5.9/i2c-imx-fix-reset-of-i2sr_ial-flag.patch new file mode 100644 index 00000000000..c34a033c070 --- /dev/null +++ b/queue-5.9/i2c-imx-fix-reset-of-i2sr_ial-flag.patch @@ -0,0 +1,81 @@ +From 384a9565f70a876c2e78e58c5ca0bbf0547e4f6d Mon Sep 17 00:00:00 2001 +From: Christian Eggers +Date: Fri, 9 Oct 2020 13:03:18 +0200 +Subject: i2c: imx: Fix reset of I2SR_IAL flag +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian Eggers + +commit 384a9565f70a876c2e78e58c5ca0bbf0547e4f6d upstream. + +According to the "VFxxx Controller Reference Manual" (and the comment +block starting at line 97), Vybrid requires writing a one for clearing +an interrupt flag. Syncing the method for clearing I2SR_IIF in +i2c_imx_isr(). + +Signed-off-by: Christian Eggers +Fixes: 4b775022f6fd ("i2c: imx: add struct to hold more configurable quirks") +Reviewed-by: Uwe Kleine-König +Acked-by: Oleksij Rempel +Cc: stable@vger.kernel.org +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-imx.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +--- a/drivers/i2c/busses/i2c-imx.c ++++ b/drivers/i2c/busses/i2c-imx.c +@@ -412,6 +412,19 @@ static void i2c_imx_dma_free(struct imx_ + dma->chan_using = NULL; + } + ++static void i2c_imx_clear_irq(struct imx_i2c_struct *i2c_imx, unsigned int bits) ++{ ++ unsigned int temp; ++ ++ /* ++ * i2sr_clr_opcode is the value to clear all interrupts. Here we want to ++ * clear only , so we write ~i2sr_clr_opcode with just ++ * toggled. This is required because i.MX needs W0C and Vybrid uses W1C. ++ */ ++ temp = ~i2c_imx->hwdata->i2sr_clr_opcode ^ bits; ++ imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2SR); ++} ++ + static int i2c_imx_bus_busy(struct imx_i2c_struct *i2c_imx, int for_busy, bool atomic) + { + unsigned long orig_jiffies = jiffies; +@@ -424,8 +437,7 @@ static int i2c_imx_bus_busy(struct imx_i + + /* check for arbitration lost */ + if (temp & I2SR_IAL) { +- temp &= ~I2SR_IAL; +- imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2SR); ++ i2c_imx_clear_irq(i2c_imx, I2SR_IAL); + return -EAGAIN; + } + +@@ -469,7 +481,7 @@ static int i2c_imx_trx_complete(struct i + */ + readb_poll_timeout_atomic(addr, regval, regval & I2SR_IIF, 5, 1000 + 100); + i2c_imx->i2csr = regval; +- imx_i2c_write_reg(0, i2c_imx, IMX_I2C_I2SR); ++ i2c_imx_clear_irq(i2c_imx, I2SR_IIF | I2SR_IAL); + } else { + wait_event_timeout(i2c_imx->queue, i2c_imx->i2csr & I2SR_IIF, HZ / 10); + } +@@ -623,9 +635,7 @@ static irqreturn_t i2c_imx_isr(int irq, + if (temp & I2SR_IIF) { + /* save status register */ + i2c_imx->i2csr = temp; +- temp &= ~I2SR_IIF; +- temp |= (i2c_imx->hwdata->i2sr_clr_opcode & I2SR_IIF); +- imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2SR); ++ i2c_imx_clear_irq(i2c_imx, I2SR_IIF); + wake_up(&i2c_imx->queue); + return IRQ_HANDLED; + } diff --git a/queue-5.9/io_uring-fix-recvmsg-setup-with-compat-buf-select.patch b/queue-5.9/io_uring-fix-recvmsg-setup-with-compat-buf-select.patch new file mode 100644 index 00000000000..61ac95ad351 --- /dev/null +++ b/queue-5.9/io_uring-fix-recvmsg-setup-with-compat-buf-select.patch @@ -0,0 +1,35 @@ +From 2d280bc8930ba9ed1705cfd548c6c8924949eaf1 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Sun, 29 Nov 2020 18:33:32 +0000 +Subject: io_uring: fix recvmsg setup with compat buf-select + +From: Pavel Begunkov + +commit 2d280bc8930ba9ed1705cfd548c6c8924949eaf1 upstream. + +__io_compat_recvmsg_copy_hdr() with REQ_F_BUFFER_SELECT reads out iov +len but never assigns it to iov/fast_iov, leaving sr->len with garbage. +Hopefully, following io_buffer_select() truncates it to the selected +buffer size, but the value is still may be under what was specified. + +Cc: # 5.7 +Signed-off-by: Pavel Begunkov +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -4300,7 +4300,8 @@ static int __io_compat_recvmsg_copy_hdr( + return -EFAULT; + if (clen < 0) + return -EINVAL; +- sr->len = iomsg->iov[0].iov_len; ++ sr->len = clen; ++ iomsg->iov[0].iov_len = clen; + iomsg->iov = NULL; + } else { + ret = compat_import_iovec(READ, uiov, len, UIO_FASTIOV, diff --git a/queue-5.9/kvm-ppc-book3s-hv-xive-fix-vcpu-id-sanity-check.patch b/queue-5.9/kvm-ppc-book3s-hv-xive-fix-vcpu-id-sanity-check.patch new file mode 100644 index 00000000000..19923563543 --- /dev/null +++ b/queue-5.9/kvm-ppc-book3s-hv-xive-fix-vcpu-id-sanity-check.patch @@ -0,0 +1,101 @@ +From f54db39fbe40731c40aefdd3bc26e7d56d668c64 Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Mon, 30 Nov 2020 13:19:27 +0100 +Subject: KVM: PPC: Book3S HV: XIVE: Fix vCPU id sanity check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Greg Kurz + +commit f54db39fbe40731c40aefdd3bc26e7d56d668c64 upstream. + +Commit 062cfab7069f ("KVM: PPC: Book3S HV: XIVE: Make VP block size +configurable") updated kvmppc_xive_vcpu_id_valid() in a way that +allows userspace to trigger an assertion in skiboot and crash the host: + +[ 696.186248988,3] XIVE[ IC 08 ] eq_blk != vp_blk (0 vs. 1) for target 0x4300008c/0 +[ 696.186314757,0] Assert fail: hw/xive.c:2370:0 +[ 696.186342458,0] Aborting! +xive-kvCPU 0043 Backtrace: + S: 0000000031e2b8f0 R: 0000000030013840 .backtrace+0x48 + S: 0000000031e2b990 R: 000000003001b2d0 ._abort+0x4c + S: 0000000031e2ba10 R: 000000003001b34c .assert_fail+0x34 + S: 0000000031e2ba90 R: 0000000030058984 .xive_eq_for_target.part.20+0xb0 + S: 0000000031e2bb40 R: 0000000030059fdc .xive_setup_silent_gather+0x2c + S: 0000000031e2bc20 R: 000000003005a334 .opal_xive_set_vp_info+0x124 + S: 0000000031e2bd20 R: 00000000300051a4 opal_entry+0x134 + --- OPAL call token: 0x8a caller R1: 0xc000001f28563850 --- + +XIVE maintains the interrupt context state of non-dispatched vCPUs in +an internal VP structure. We allocate a bunch of those on startup to +accommodate all possible vCPUs. Each VP has an id, that we derive from +the vCPU id for efficiency: + +static inline u32 kvmppc_xive_vp(struct kvmppc_xive *xive, u32 server) +{ + return xive->vp_base + kvmppc_pack_vcpu_id(xive->kvm, server); +} + +The KVM XIVE device used to allocate KVM_MAX_VCPUS VPs. This was +limitting the number of concurrent VMs because the VP space is +limited on the HW. Since most of the time, VMs run with a lot less +vCPUs, commit 062cfab7069f ("KVM: PPC: Book3S HV: XIVE: Make VP +block size configurable") gave the possibility for userspace to +tune the size of the VP block through the KVM_DEV_XIVE_NR_SERVERS +attribute. + +The check in kvmppc_pack_vcpu_id() was changed from + + cpu < KVM_MAX_VCPUS * xive->kvm->arch.emul_smt_mode + +to + + cpu < xive->nr_servers * xive->kvm->arch.emul_smt_mode + +The previous check was based on the fact that the VP block had +KVM_MAX_VCPUS entries and that kvmppc_pack_vcpu_id() guarantees +that packed vCPU ids are below KVM_MAX_VCPUS. We've changed the +size of the VP block, but kvmppc_pack_vcpu_id() has nothing to +do with it and it certainly doesn't ensure that the packed vCPU +ids are below xive->nr_servers. kvmppc_xive_vcpu_id_valid() might +thus return true when the VM was configured with a non-standard +VSMT mode, even if the packed vCPU id is higher than what we +expect. We end up using an unallocated VP id, which confuses +OPAL. The assert in OPAL is probably abusive and should be +converted to a regular error that the kernel can handle, but +we shouldn't really use broken VP ids in the first place. + +Fix kvmppc_xive_vcpu_id_valid() so that it checks the packed +vCPU id is below xive->nr_servers, which is explicitly what we +want. + +Fixes: 062cfab7069f ("KVM: PPC: Book3S HV: XIVE: Make VP block size configurable") +Cc: stable@vger.kernel.org # v5.5+ +Signed-off-by: Greg Kurz +Reviewed-by: Cédric Le Goater +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/160673876747.695514.1809676603724514920.stgit@bahia.lan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_xive.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/arch/powerpc/kvm/book3s_xive.c ++++ b/arch/powerpc/kvm/book3s_xive.c +@@ -1214,12 +1214,9 @@ void kvmppc_xive_cleanup_vcpu(struct kvm + static bool kvmppc_xive_vcpu_id_valid(struct kvmppc_xive *xive, u32 cpu) + { + /* We have a block of xive->nr_servers VPs. We just need to check +- * raw vCPU ids are below the expected limit for this guest's +- * core stride ; kvmppc_pack_vcpu_id() will pack them down to an +- * index that can be safely used to compute a VP id that belongs +- * to the VP block. ++ * packed vCPU ids are below that. + */ +- return cpu < xive->nr_servers * xive->kvm->arch.emul_smt_mode; ++ return kvmppc_pack_vcpu_id(xive->kvm, cpu) < xive->nr_servers; + } + + int kvmppc_xive_compute_vp_id(struct kvmppc_xive *xive, u32 cpu, u32 *vp) diff --git a/queue-5.9/powerpc-64s-powernv-fix-memory-corruption-when-saving-slb-entries-on-mce.patch b/queue-5.9/powerpc-64s-powernv-fix-memory-corruption-when-saving-slb-entries-on-mce.patch new file mode 100644 index 00000000000..be3014ddc41 --- /dev/null +++ b/queue-5.9/powerpc-64s-powernv-fix-memory-corruption-when-saving-slb-entries-on-mce.patch @@ -0,0 +1,45 @@ +From a1ee28117077c3bf24e5ab6324c835eaab629c45 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Sat, 28 Nov 2020 17:07:21 +1000 +Subject: powerpc/64s/powernv: Fix memory corruption when saving SLB entries on MCE + +From: Nicholas Piggin + +commit a1ee28117077c3bf24e5ab6324c835eaab629c45 upstream. + +This can be hit by an HPT guest running on an HPT host and bring down +the host, so it's quite important to fix. + +Fixes: 7290f3b3d3e6 ("powerpc/64s/powernv: machine check dump SLB contents") +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Nicholas Piggin +Acked-by: Mahesh Salgaonkar +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201128070728.825934-2-npiggin@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/setup.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/platforms/powernv/setup.c ++++ b/arch/powerpc/platforms/powernv/setup.c +@@ -186,11 +186,16 @@ static void __init pnv_init(void) + add_preferred_console("hvc", 0, NULL); + + if (!radix_enabled()) { ++ size_t size = sizeof(struct slb_entry) * mmu_slb_size; + int i; + + /* Allocate per cpu area to save old slb contents during MCE */ +- for_each_possible_cpu(i) +- paca_ptrs[i]->mce_faulty_slbs = memblock_alloc_node(mmu_slb_size, __alignof__(*paca_ptrs[i]->mce_faulty_slbs), cpu_to_node(i)); ++ for_each_possible_cpu(i) { ++ paca_ptrs[i]->mce_faulty_slbs = ++ memblock_alloc_node(size, ++ __alignof__(struct slb_entry), ++ cpu_to_node(i)); ++ } + } + } + diff --git a/queue-5.9/powerpc-pseries-pass-msi-affinity-to-irq_create_mapping.patch b/queue-5.9/powerpc-pseries-pass-msi-affinity-to-irq_create_mapping.patch new file mode 100644 index 00000000000..7b8e70c0e79 --- /dev/null +++ b/queue-5.9/powerpc-pseries-pass-msi-affinity-to-irq_create_mapping.patch @@ -0,0 +1,54 @@ +From 9ea69a55b3b9a71cded9726af591949c1138f235 Mon Sep 17 00:00:00 2001 +From: Laurent Vivier +Date: Thu, 26 Nov 2020 09:28:52 +0100 +Subject: powerpc/pseries: Pass MSI affinity to irq_create_mapping() + +From: Laurent Vivier + +commit 9ea69a55b3b9a71cded9726af591949c1138f235 upstream. + +With virtio multiqueue, normally each queue IRQ is mapped to a CPU. + +Commit 0d9f0a52c8b9f ("virtio_scsi: use virtio IRQ affinity") exposed +an existing shortcoming of the arch code by moving virtio_scsi to +the automatic IRQ affinity assignment. + +The affinity is correctly computed in msi_desc but this is not applied +to the system IRQs. + +It appears the affinity is correctly passed to rtas_setup_msi_irqs() but +lost at this point and never passed to irq_domain_alloc_descs() +(see commit 06ee6d571f0e ("genirq: Add affinity hint to irq allocation")) +because irq_create_mapping() doesn't take an affinity parameter. + +Use the new irq_create_mapping_affinity() function, which allows to forward +the affinity setting from rtas_setup_msi_irqs() to irq_domain_alloc_descs(). + +With this change, the virtqueues are correctly dispatched between the CPUs +on pseries. + +Fixes: e75eafb9b039 ("genirq/msi: Switch to new irq spreading infrastructure") +Signed-off-by: Laurent Vivier +Signed-off-by: Thomas Gleixner +Reviewed-by: Greg Kurz +Acked-by: Michael Ellerman +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20201126082852.1178497-3-lvivier@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/msi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/msi.c ++++ b/arch/powerpc/platforms/pseries/msi.c +@@ -458,7 +458,8 @@ again: + return hwirq; + } + +- virq = irq_create_mapping(NULL, hwirq); ++ virq = irq_create_mapping_affinity(NULL, hwirq, ++ entry->affinity); + + if (!virq) { + pr_debug("rtas_msi: Failed mapping hwirq %d\n", hwirq); diff --git a/queue-5.9/ring-buffer-always-check-to-put-back-before-stamp-when-crossing-pages.patch b/queue-5.9/ring-buffer-always-check-to-put-back-before-stamp-when-crossing-pages.patch new file mode 100644 index 00000000000..bbc3c13fa4a --- /dev/null +++ b/queue-5.9/ring-buffer-always-check-to-put-back-before-stamp-when-crossing-pages.patch @@ -0,0 +1,53 @@ +From 68e10d5ff512b503dcba1246ad5620f32035e135 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Mon, 30 Nov 2020 23:16:03 -0500 +Subject: ring-buffer: Always check to put back before stamp when crossing pages + +From: Steven Rostedt (VMware) + +commit 68e10d5ff512b503dcba1246ad5620f32035e135 upstream. + +The current ring buffer logic checks to see if the updating of the event +buffer was interrupted, and if it is, it will try to fix up the before stamp +with the write stamp to make them equal again. This logic is flawed, because +if it is not interrupted, the two are guaranteed to be different, as the +current event just updated the before stamp before allocation. This +guarantees that the next event (this one or another interrupting one) will +think it interrupted the time updates of a previous event and inject an +absolute time stamp to compensate. + +The correct logic is to always update the timestamps when traversing to a +new sub buffer. + +Cc: stable@vger.kernel.org +Fixes: a389d86f7fd09 ("ring-buffer: Have nested events still record running time stamp") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -3234,14 +3234,12 @@ __rb_reserve_next(struct ring_buffer_per + + /* See if we shot pass the end of this buffer page */ + if (unlikely(write > BUF_PAGE_SIZE)) { +- if (tail != w) { +- /* before and after may now different, fix it up*/ +- b_ok = rb_time_read(&cpu_buffer->before_stamp, &info->before); +- a_ok = rb_time_read(&cpu_buffer->write_stamp, &info->after); +- if (a_ok && b_ok && info->before != info->after) +- (void)rb_time_cmpxchg(&cpu_buffer->before_stamp, +- info->before, info->after); +- } ++ /* before and after may now different, fix it up*/ ++ b_ok = rb_time_read(&cpu_buffer->before_stamp, &info->before); ++ a_ok = rb_time_read(&cpu_buffer->write_stamp, &info->after); ++ if (a_ok && b_ok && info->before != info->after) ++ (void)rb_time_cmpxchg(&cpu_buffer->before_stamp, ++ info->before, info->after); + return rb_move_tail(cpu_buffer, tail, info); + } + diff --git a/queue-5.9/ring-buffer-set-the-right-timestamp-in-the-slow-path-of-__rb_reserve_next.patch b/queue-5.9/ring-buffer-set-the-right-timestamp-in-the-slow-path-of-__rb_reserve_next.patch new file mode 100644 index 00000000000..1f64d619e2c --- /dev/null +++ b/queue-5.9/ring-buffer-set-the-right-timestamp-in-the-slow-path-of-__rb_reserve_next.patch @@ -0,0 +1,48 @@ +From 8785f51a17083eee7c37606079c6447afc6ba102 Mon Sep 17 00:00:00 2001 +From: Andrea Righi +Date: Sat, 28 Nov 2020 10:15:17 +0100 +Subject: ring-buffer: Set the right timestamp in the slow path of __rb_reserve_next() + +From: Andrea Righi + +commit 8785f51a17083eee7c37606079c6447afc6ba102 upstream. + +In the slow path of __rb_reserve_next() a nested event(s) can happen +between evaluating the timestamp delta of the current event and updating +write_stamp via local_cmpxchg(); in this case the delta is not valid +anymore and it should be set to 0 (same timestamp as the interrupting +event), since the event that we are currently processing is not the last +event in the buffer. + +Link: https://lkml.kernel.org/r/X8IVJcp1gRE+FJCJ@xps-13-7390 + +Cc: Ingo Molnar +Cc: Masami Hiramatsu +Cc: stable@vger.kernel.org +Link: https://lwn.net/Articles/831207 +Fixes: a389d86f7fd0 ("ring-buffer: Have nested events still record running time stamp") +Signed-off-by: Andrea Righi +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -3287,11 +3287,11 @@ __rb_reserve_next(struct ring_buffer_per + ts = rb_time_stamp(cpu_buffer->buffer); + barrier(); + /*E*/ if (write == (local_read(&tail_page->write) & RB_WRITE_MASK) && +- info->after < ts) { ++ info->after < ts && ++ rb_time_cmpxchg(&cpu_buffer->write_stamp, ++ info->after, ts)) { + /* Nothing came after this event between C and E */ + info->delta = ts - info->after; +- (void)rb_time_cmpxchg(&cpu_buffer->write_stamp, +- info->after, ts); + info->ts = ts; + } else { + /* diff --git a/queue-5.9/ring-buffer-update-write-stamp-with-the-correct-ts.patch b/queue-5.9/ring-buffer-update-write-stamp-with-the-correct-ts.patch new file mode 100644 index 00000000000..60f2dfea776 --- /dev/null +++ b/queue-5.9/ring-buffer-update-write-stamp-with-the-correct-ts.patch @@ -0,0 +1,39 @@ +From 55ea4cf403800af2ce6b125bc3d853117e0c0456 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Fri, 27 Nov 2020 11:20:58 -0500 +Subject: ring-buffer: Update write stamp with the correct ts + +From: Steven Rostedt (VMware) + +commit 55ea4cf403800af2ce6b125bc3d853117e0c0456 upstream. + +The write stamp, used to calculate deltas between events, was updated with +the stale "ts" value in the "info" structure, and not with the updated "ts" +variable. This caused the deltas between events to be inaccurate, and when +crossing into a new sub buffer, had time go backwards. + +Link: https://lkml.kernel.org/r/20201124223917.795844-1-elavila@google.com + +Cc: stable@vger.kernel.org +Fixes: a389d86f7fd09 ("ring-buffer: Have nested events still record running time stamp") +Reported-by: "J. Avila" +Tested-by: Daniel Mentz +Tested-by: Will McVicker +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -3291,7 +3291,7 @@ __rb_reserve_next(struct ring_buffer_per + /* Nothing came after this event between C and E */ + info->delta = ts - info->after; + (void)rb_time_cmpxchg(&cpu_buffer->write_stamp, +- info->after, info->ts); ++ info->after, ts); + info->ts = ts; + } else { + /* diff --git a/queue-5.9/s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch b/queue-5.9/s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch new file mode 100644 index 00000000000..e61f689443b --- /dev/null +++ b/queue-5.9/s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch @@ -0,0 +1,72 @@ +From a2bd4097b3ec242f4de4924db463a9c94530e03a Mon Sep 17 00:00:00 2001 +From: Alexander Gordeev +Date: Thu, 26 Nov 2020 18:00:37 +0100 +Subject: s390/pci: fix CPU address in MSI for directed IRQ + +From: Alexander Gordeev + +commit a2bd4097b3ec242f4de4924db463a9c94530e03a upstream. + +The directed MSIs are delivered to CPUs whose address is +written to the MSI message address. The current code assumes +that a CPU logical number (as it is seen by the kernel) +is also the CPU address. + +The above assumption is not correct, as the CPU address +is rather the value returned by STAP instruction. That +value does not necessarily match the kernel logical CPU +number. + +Fixes: e979ce7bced2 ("s390/pci: provide support for CPU directed interrupts") +Cc: # v5.2+ +Signed-off-by: Alexander Gordeev +Reviewed-by: Halil Pasic +Reviewed-by: Niklas Schnelle +Signed-off-by: Niklas Schnelle +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/pci/pci_irq.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/arch/s390/pci/pci_irq.c ++++ b/arch/s390/pci/pci_irq.c +@@ -103,9 +103,10 @@ static int zpci_set_irq_affinity(struct + { + struct msi_desc *entry = irq_get_msi_desc(data->irq); + struct msi_msg msg = entry->msg; ++ int cpu_addr = smp_cpu_get_cpu_address(cpumask_first(dest)); + + msg.address_lo &= 0xff0000ff; +- msg.address_lo |= (cpumask_first(dest) << 8); ++ msg.address_lo |= (cpu_addr << 8); + pci_write_msi_msg(data->irq, &msg); + + return IRQ_SET_MASK_OK; +@@ -238,6 +239,7 @@ int arch_setup_msi_irqs(struct pci_dev * + unsigned long bit; + struct msi_desc *msi; + struct msi_msg msg; ++ int cpu_addr; + int rc, irq; + + zdev->aisb = -1UL; +@@ -287,9 +289,15 @@ int arch_setup_msi_irqs(struct pci_dev * + handle_percpu_irq); + msg.data = hwirq - bit; + if (irq_delivery == DIRECTED) { ++ if (msi->affinity) ++ cpu = cpumask_first(&msi->affinity->mask); ++ else ++ cpu = 0; ++ cpu_addr = smp_cpu_get_cpu_address(cpu); ++ + msg.address_lo = zdev->msi_addr & 0xff0000ff; +- msg.address_lo |= msi->affinity ? +- (cpumask_first(&msi->affinity->mask) << 8) : 0; ++ msg.address_lo |= (cpu_addr << 8); ++ + for_each_possible_cpu(cpu) { + airq_iv_set_data(zpci_ibv[cpu], hwirq, irq); + } diff --git a/queue-5.9/scsi-mpt3sas-fix-ioctl-timeout.patch b/queue-5.9/scsi-mpt3sas-fix-ioctl-timeout.patch new file mode 100644 index 00000000000..f51816a00bc --- /dev/null +++ b/queue-5.9/scsi-mpt3sas-fix-ioctl-timeout.patch @@ -0,0 +1,42 @@ +From 42f687038bcc34aa919e0e4c29b04e4cda3f6a79 Mon Sep 17 00:00:00 2001 +From: Suganath Prabu S +Date: Wed, 25 Nov 2020 15:18:38 +0530 +Subject: scsi: mpt3sas: Fix ioctl timeout + +From: Suganath Prabu S + +commit 42f687038bcc34aa919e0e4c29b04e4cda3f6a79 upstream. + +Commit c1a6c5ac4278 ("scsi: mpt3sas: For NVME device, issue a protocol +level reset") modified the ioctl path 'timeout' variable type to u8 from +unsigned long, limiting the maximum timeout value that the driver can +support to 255 seconds. + +If the management application is requesting a higher value the resulting +timeout will be zero. The operation times out immediately and the ioctl +request fails. + +Change datatype back to unsigned long. + +Link: https://lore.kernel.org/r/20201125094838.4340-1-suganath-prabu.subramani@broadcom.com +Fixes: c1a6c5ac4278 ("scsi: mpt3sas: For NVME device, issue a protocol level reset") +Cc: #v4.18+ +Signed-off-by: Suganath Prabu S +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/mpt3sas/mpt3sas_ctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c +@@ -664,7 +664,7 @@ _ctl_do_mpt_command(struct MPT3SAS_ADAPT + Mpi26NVMeEncapsulatedRequest_t *nvme_encap_request = NULL; + struct _pcie_device *pcie_device = NULL; + u16 smid; +- u8 timeout; ++ unsigned long timeout; + u8 issue_reset; + u32 sz, sz_arg; + void *psge; diff --git a/queue-5.9/series b/queue-5.9/series index 0f4ed57419f..fcd3342b8a3 100644 --- a/queue-5.9/series +++ b/queue-5.9/series @@ -14,3 +14,38 @@ alsa-hda-realtek-enable-headset-of-asus-ux482eg-b9400cea-with-alc294.patch alsa-hda-realtek-add-new-codec-supported-for-alc897.patch alsa-hda-realtek-fixed-dell-aio-wrong-sound-tone.patch alsa-hda-generic-add-option-to-enforce-preferred_dacs-pairs.patch +ring-buffer-update-write-stamp-with-the-correct-ts.patch +ring-buffer-set-the-right-timestamp-in-the-slow-path-of-__rb_reserve_next.patch +ring-buffer-always-check-to-put-back-before-stamp-when-crossing-pages.patch +ftrace-fix-updating-ftrace_fl_tramp.patch +ftrace-fix-dynamic_ftrace_with_direct_calls-dependency.patch +cifs-allow-syscalls-to-be-restarted-in-__smb_send_rqst.patch +cifs-fix-potential-use-after-free-in-cifs_echo_request.patch +cifs-refactor-create_sd_buf-and-and-avoid-corrupting-the-buffer.patch +cifs-add-null-check-for-ses-tcon_ipc.patch +gfs2-upgrade-shared-glocks-for-atime-updates.patch +gfs2-fix-deadlock-between-gfs2_-create_inode-inode_lookup-and-delete_work_func.patch +s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch +i2c-imx-fix-reset-of-i2sr_ial-flag.patch +i2c-imx-check-for-i2sr_ial-after-every-byte.patch +i2c-imx-don-t-generate-stop-condition-if-arbitration-has-been-lost.patch +tracing-fix-userstacktrace-option-for-instances.patch +thunderbolt-fix-use-after-free-in-remove_unplugged_switch.patch +drm-omap-sdi-fix-bridge-enable-disable.patch +drm-amdgpu-vcn3.0-stall-dpg-when-wptr-rptr-reset.patch +drm-amdgpu-vcn3.0-remove-old-dpg-workaround.patch +drm-i915-gt-retain-default-context-state-across-shrinking.patch +drm-i915-gt-limit-frequency-drop-to-rpe-on-parking.patch +drm-i915-gt-program-mocs-63-for-cache-eviction-on-gen9.patch +kvm-ppc-book3s-hv-xive-fix-vcpu-id-sanity-check.patch +scsi-mpt3sas-fix-ioctl-timeout.patch +io_uring-fix-recvmsg-setup-with-compat-buf-select.patch +dm-writecache-advance-the-number-of-arguments-when-reporting-max_age.patch +dm-writecache-fix-the-maximum-number-of-arguments.patch +powerpc-64s-powernv-fix-memory-corruption-when-saving-slb-entries-on-mce.patch +powerpc-pseries-pass-msi-affinity-to-irq_create_mapping.patch +dm-fix-bug-with-rcu-locking-in-dm_blk_report_zones.patch +dm-fix-double-rcu-unlock-in-dm_dax_zero_page_range-error-path.patch +dm-remove-invalid-sparse-__acquires-and-__releases-annotations.patch +x86-uprobes-do-not-use-prefixes.nbytes-when-looping-over-prefixes.bytes.patch +coredump-fix-core_pattern-parse-error.patch diff --git a/queue-5.9/thunderbolt-fix-use-after-free-in-remove_unplugged_switch.patch b/queue-5.9/thunderbolt-fix-use-after-free-in-remove_unplugged_switch.patch new file mode 100644 index 00000000000..174728d5a7a --- /dev/null +++ b/queue-5.9/thunderbolt-fix-use-after-free-in-remove_unplugged_switch.patch @@ -0,0 +1,70 @@ +From 600c0849cf86b75d86352f59745226273290986a Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 18 Nov 2020 13:08:21 +0200 +Subject: thunderbolt: Fix use-after-free in remove_unplugged_switch() + +From: Mika Westerberg + +commit 600c0849cf86b75d86352f59745226273290986a upstream. + +Paulian reported a crash that happens when a dock is unplugged during +hibernation: + +[78436.228217] thunderbolt 0-1: device disconnected +[78436.228365] BUG: kernel NULL pointer dereference, address: 00000000000001e0 +... +[78436.228397] RIP: 0010:icm_free_unplugged_children+0x109/0x1a0 +... +[78436.228432] Call Trace: +[78436.228439] icm_rescan_work+0x24/0x30 +[78436.228444] process_one_work+0x1a3/0x3a0 +[78436.228449] worker_thread+0x30/0x370 +[78436.228454] ? process_one_work+0x3a0/0x3a0 +[78436.228457] kthread+0x13d/0x160 +[78436.228461] ? kthread_park+0x90/0x90 +[78436.228465] ret_from_fork+0x1f/0x30 + +This happens because remove_unplugged_switch() calls tb_switch_remove() +that releases the memory pointed by sw so the following lines reference +to a memory that might be released already. + +Fix this by saving pointer to the parent device before calling +tb_switch_remove(). + +Reported-by: Paulian Bogdan Marinca +Fixes: 4f7c2e0d8765 ("thunderbolt: Make sure device runtime resume completes before taking domain lock") +Cc: stable@vger.kernel.org +Signed-off-by: Mika Westerberg +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/thunderbolt/icm.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/thunderbolt/icm.c ++++ b/drivers/thunderbolt/icm.c +@@ -1973,7 +1973,9 @@ static int complete_rpm(struct device *d + + static void remove_unplugged_switch(struct tb_switch *sw) + { +- pm_runtime_get_sync(sw->dev.parent); ++ struct device *parent = get_device(sw->dev.parent); ++ ++ pm_runtime_get_sync(parent); + + /* + * Signal this and switches below for rpm_complete because +@@ -1984,8 +1986,10 @@ static void remove_unplugged_switch(stru + bus_for_each_dev(&tb_bus_type, &sw->dev, NULL, complete_rpm); + tb_switch_remove(sw); + +- pm_runtime_mark_last_busy(sw->dev.parent); +- pm_runtime_put_autosuspend(sw->dev.parent); ++ pm_runtime_mark_last_busy(parent); ++ pm_runtime_put_autosuspend(parent); ++ ++ put_device(parent); + } + + static void icm_free_unplugged_children(struct tb_switch *sw) diff --git a/queue-5.9/tracing-fix-userstacktrace-option-for-instances.patch b/queue-5.9/tracing-fix-userstacktrace-option-for-instances.patch new file mode 100644 index 00000000000..cc642c34493 --- /dev/null +++ b/queue-5.9/tracing-fix-userstacktrace-option-for-instances.patch @@ -0,0 +1,71 @@ +From bcee5278958802b40ee8b26679155a6d9231783e Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Fri, 4 Dec 2020 16:36:16 -0500 +Subject: tracing: Fix userstacktrace option for instances + +From: Steven Rostedt (VMware) + +commit bcee5278958802b40ee8b26679155a6d9231783e upstream. + +When the instances were able to use their own options, the userstacktrace +option was left hardcoded for the top level. This made the instance +userstacktrace option bascially into a nop, and will confuse users that set +it, but nothing happens (I was confused when it happened to me!) + +Cc: stable@vger.kernel.org +Fixes: 16270145ce6b ("tracing: Add trace options for core options to instances") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -163,7 +163,8 @@ static union trace_eval_map_item *trace_ + #endif /* CONFIG_TRACE_EVAL_MAP_FILE */ + + int tracing_set_tracer(struct trace_array *tr, const char *buf); +-static void ftrace_trace_userstack(struct trace_buffer *buffer, ++static void ftrace_trace_userstack(struct trace_array *tr, ++ struct trace_buffer *buffer, + unsigned long flags, int pc); + + #define MAX_TRACER_SIZE 100 +@@ -2729,7 +2730,7 @@ void trace_buffer_unlock_commit_regs(str + * two. They are not that meaningful. + */ + ftrace_trace_stack(tr, buffer, flags, regs ? 0 : STACK_SKIP, pc, regs); +- ftrace_trace_userstack(buffer, flags, pc); ++ ftrace_trace_userstack(tr, buffer, flags, pc); + } + + /* +@@ -3038,13 +3039,14 @@ EXPORT_SYMBOL_GPL(trace_dump_stack); + static DEFINE_PER_CPU(int, user_stack_count); + + static void +-ftrace_trace_userstack(struct trace_buffer *buffer, unsigned long flags, int pc) ++ftrace_trace_userstack(struct trace_array *tr, ++ struct trace_buffer *buffer, unsigned long flags, int pc) + { + struct trace_event_call *call = &event_user_stack; + struct ring_buffer_event *event; + struct userstack_entry *entry; + +- if (!(global_trace.trace_flags & TRACE_ITER_USERSTACKTRACE)) ++ if (!(tr->trace_flags & TRACE_ITER_USERSTACKTRACE)) + return; + + /* +@@ -3083,7 +3085,8 @@ ftrace_trace_userstack(struct trace_buff + preempt_enable(); + } + #else /* CONFIG_USER_STACKTRACE_SUPPORT */ +-static void ftrace_trace_userstack(struct trace_buffer *buffer, ++static void ftrace_trace_userstack(struct trace_array *tr, ++ struct trace_buffer *buffer, + unsigned long flags, int pc) + { + } diff --git a/queue-5.9/x86-uprobes-do-not-use-prefixes.nbytes-when-looping-over-prefixes.bytes.patch b/queue-5.9/x86-uprobes-do-not-use-prefixes.nbytes-when-looping-over-prefixes.bytes.patch new file mode 100644 index 00000000000..a949134f3c3 --- /dev/null +++ b/queue-5.9/x86-uprobes-do-not-use-prefixes.nbytes-when-looping-over-prefixes.bytes.patch @@ -0,0 +1,123 @@ +From 4e9a5ae8df5b3365183150f6df49e49dece80d8c Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Thu, 3 Dec 2020 13:50:37 +0900 +Subject: x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes + +From: Masami Hiramatsu + +commit 4e9a5ae8df5b3365183150f6df49e49dece80d8c upstream. + +Since insn.prefixes.nbytes can be bigger than the size of +insn.prefixes.bytes[] when a prefix is repeated, the proper check must +be + + insn.prefixes.bytes[i] != 0 and i < 4 + +instead of using insn.prefixes.nbytes. + +Introduce a for_each_insn_prefix() macro for this purpose. Debugged by +Kees Cook . + + [ bp: Massage commit message, sync with the respective header in tools/ + and drop "we". ] + +Fixes: 2b1444983508 ("uprobes, mm, x86: Add the ability to install and remove uprobes breakpoints") +Reported-by: syzbot+9b64b619f10f19d19a7c@syzkaller.appspotmail.com +Signed-off-by: Masami Hiramatsu +Signed-off-by: Borislav Petkov +Reviewed-by: Srikar Dronamraju +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/160697103739.3146288.7437620795200799020.stgit@devnote2 +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/insn.h | 15 +++++++++++++++ + arch/x86/kernel/uprobes.c | 10 ++++++---- + tools/arch/x86/include/asm/insn.h | 15 +++++++++++++++ + 3 files changed, 36 insertions(+), 4 deletions(-) + +--- a/arch/x86/include/asm/insn.h ++++ b/arch/x86/include/asm/insn.h +@@ -201,6 +201,21 @@ static inline int insn_offset_immediate( + return insn_offset_displacement(insn) + insn->displacement.nbytes; + } + ++/** ++ * for_each_insn_prefix() -- Iterate prefixes in the instruction ++ * @insn: Pointer to struct insn. ++ * @idx: Index storage. ++ * @prefix: Prefix byte. ++ * ++ * Iterate prefix bytes of given @insn. Each prefix byte is stored in @prefix ++ * and the index is stored in @idx (note that this @idx is just for a cursor, ++ * do not change it.) ++ * Since prefixes.nbytes can be bigger than 4 if some prefixes ++ * are repeated, it cannot be used for looping over the prefixes. ++ */ ++#define for_each_insn_prefix(insn, idx, prefix) \ ++ for (idx = 0; idx < ARRAY_SIZE(insn->prefixes.bytes) && (prefix = insn->prefixes.bytes[idx]) != 0; idx++) ++ + #define POP_SS_OPCODE 0x1f + #define MOV_SREG_OPCODE 0x8e + +--- a/arch/x86/kernel/uprobes.c ++++ b/arch/x86/kernel/uprobes.c +@@ -255,12 +255,13 @@ static volatile u32 good_2byte_insns[256 + + static bool is_prefix_bad(struct insn *insn) + { ++ insn_byte_t p; + int i; + +- for (i = 0; i < insn->prefixes.nbytes; i++) { ++ for_each_insn_prefix(insn, i, p) { + insn_attr_t attr; + +- attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]); ++ attr = inat_get_opcode_attribute(p); + switch (attr) { + case INAT_MAKE_PREFIX(INAT_PFX_ES): + case INAT_MAKE_PREFIX(INAT_PFX_CS): +@@ -715,6 +716,7 @@ static const struct uprobe_xol_ops push_ + static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn) + { + u8 opc1 = OPCODE1(insn); ++ insn_byte_t p; + int i; + + switch (opc1) { +@@ -746,8 +748,8 @@ static int branch_setup_xol_ops(struct a + * Intel and AMD behavior differ in 64-bit mode: Intel ignores 66 prefix. + * No one uses these insns, reject any branch insns with such prefix. + */ +- for (i = 0; i < insn->prefixes.nbytes; i++) { +- if (insn->prefixes.bytes[i] == 0x66) ++ for_each_insn_prefix(insn, i, p) { ++ if (p == 0x66) + return -ENOTSUPP; + } + +--- a/tools/arch/x86/include/asm/insn.h ++++ b/tools/arch/x86/include/asm/insn.h +@@ -201,6 +201,21 @@ static inline int insn_offset_immediate( + return insn_offset_displacement(insn) + insn->displacement.nbytes; + } + ++/** ++ * for_each_insn_prefix() -- Iterate prefixes in the instruction ++ * @insn: Pointer to struct insn. ++ * @idx: Index storage. ++ * @prefix: Prefix byte. ++ * ++ * Iterate prefix bytes of given @insn. Each prefix byte is stored in @prefix ++ * and the index is stored in @idx (note that this @idx is just for a cursor, ++ * do not change it.) ++ * Since prefixes.nbytes can be bigger than 4 if some prefixes ++ * are repeated, it cannot be used for looping over the prefixes. ++ */ ++#define for_each_insn_prefix(insn, idx, prefix) \ ++ for (idx = 0; idx < ARRAY_SIZE(insn->prefixes.bytes) && (prefix = insn->prefixes.bytes[idx]) != 0; idx++) ++ + #define POP_SS_OPCODE 0x1f + #define MOV_SREG_OPCODE 0x8e + -- 2.47.3