From 4fce12053ea8b23b9a58e59e9908638d3dbc8c2d Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Tue, 19 Oct 2021 13:40:56 +0200 Subject: [PATCH] rebase patches on top of Ubuntu-5.13.0-21.21 (generated with debian/scripts/import-upstream-tag) Signed-off-by: Thomas Lamprecht --- ...-accept-an-alternate-timestamp-strin.patch | 2 +- ...ides-for-missing-ACS-capabilities-4..patch | 10 +- ...-default-dynamic-halt-polling-growth.patch | 4 +- ...de-unregister_netdevice-refcount-lea.patch | 2 +- ...ce-host-bridge-contiguous-apertures.patch} | 16 ++-- ...-Coalesce-host-bridge-contiguous-ap.patch} | 4 +- ...ails-with-buffer-overflow-in-strlen.patch} | 0 ...l-panic-during-iterating-over-flush-.patch | 75 --------------- .../kernel/0011-blk-mq-fix-is_flush_rq.patch | 91 ------------------- 9 files changed, 20 insertions(+), 184 deletions(-) rename patches/kernel/{0008-Revert-PCI-Coalesce-host-bridge-contiguous-apertures.patch => 0006-Revert-PCI-Coalesce-host-bridge-contiguous-apertures.patch} (89%) rename patches/kernel/{0009-PCI-Reinstate-PCI-Coalesce-host-bridge-contiguous-ap.patch => 0007-PCI-Reinstate-PCI-Coalesce-host-bridge-contiguous-ap.patch} (97%) rename patches/kernel/{0012-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch => 0008-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch} (100%) delete mode 100644 patches/kernel/0010-blk-mq-fix-kernel-panic-during-iterating-over-flush-.patch delete mode 100644 patches/kernel/0011-blk-mq-fix-is_flush_rq.patch diff --git a/patches/kernel/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch b/patches/kernel/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch index b625b1f..2b6c981 100644 --- a/patches/kernel/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch +++ b/patches/kernel/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch @@ -21,7 +21,7 @@ Signed-off-by: Thomas Lamprecht 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/scripts/mkcompile_h b/scripts/mkcompile_h -index 4ae735039daf..5a1abe7b4169 100755 +index a72b154de7b0..4dd111086466 100755 --- a/scripts/mkcompile_h +++ b/scripts/mkcompile_h @@ -24,10 +24,14 @@ else diff --git a/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch b/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch index 4b80575..370e7bb 100644 --- a/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch +++ b/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch @@ -55,10 +55,10 @@ Signed-off-by: Thomas Lamprecht 2 files changed, 111 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index ee85be64b680..a38a8e44422e 100644 +index 8deb4cd7b133..291885ea26dd 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -3653,6 +3653,15 @@ +@@ -3808,6 +3808,15 @@ Also, it enforces the PCI Local Bus spec rule that those bits should be 0 in system reset events (useful for kexec/kdump cases). @@ -75,10 +75,10 @@ index ee85be64b680..a38a8e44422e 100644 Safety option to keep boot IRQs enabled. This should never be necessary. diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c -index f32e521ade1e..4f3558d0c00a 100644 +index cf71505ab0b9..7f381969e705 100644 --- a/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c -@@ -192,6 +192,106 @@ static int __init pci_apply_final_quirks(void) +@@ -193,6 +193,106 @@ static int __init pci_apply_final_quirks(void) } fs_initcall_sync(pci_apply_final_quirks); @@ -185,7 +185,7 @@ index f32e521ade1e..4f3558d0c00a 100644 /* * Decoding should be disabled for a PCI device during BAR sizing to avoid * conflict. But doing so may cause problems on host bridge and perhaps other -@@ -4857,6 +4957,8 @@ static const struct pci_dev_acs_enabled { +@@ -4858,6 +4958,8 @@ static const struct pci_dev_acs_enabled { { PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs }, /* APM X-Gene */ { PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs }, diff --git a/patches/kernel/0004-kvm-disable-default-dynamic-halt-polling-growth.patch b/patches/kernel/0004-kvm-disable-default-dynamic-halt-polling-growth.patch index 8854693..fd6190f 100644 --- a/patches/kernel/0004-kvm-disable-default-dynamic-halt-polling-growth.patch +++ b/patches/kernel/0004-kvm-disable-default-dynamic-halt-polling-growth.patch @@ -13,10 +13,10 @@ Signed-off-by: Thomas Lamprecht 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 14e6c73a6031..c191c9e50735 100644 +index 1dcc66060a19..c0ca4f494a02 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c -@@ -77,7 +77,7 @@ module_param(halt_poll_ns, uint, 0644); +@@ -78,7 +78,7 @@ module_param(halt_poll_ns, uint, 0644); EXPORT_SYMBOL_GPL(halt_poll_ns); /* Default doubles per-vcpu halt_poll_ns. */ diff --git a/patches/kernel/0005-net-core-downgrade-unregister_netdevice-refcount-lea.patch b/patches/kernel/0005-net-core-downgrade-unregister_netdevice-refcount-lea.patch index 580c8ac..ece8e40 100644 --- a/patches/kernel/0005-net-core-downgrade-unregister_netdevice-refcount-lea.patch +++ b/patches/kernel/0005-net-core-downgrade-unregister_netdevice-refcount-lea.patch @@ -10,7 +10,7 @@ Signed-off-by: Thomas Lamprecht 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/core/dev.c b/net/core/dev.c -index b91b76890cbc..cb7ffc3e848b 100644 +index 04c4e236952f..3ff0e01f5cbf 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -10517,7 +10517,7 @@ static void netdev_wait_allrefs(struct net_device *dev) diff --git a/patches/kernel/0008-Revert-PCI-Coalesce-host-bridge-contiguous-apertures.patch b/patches/kernel/0006-Revert-PCI-Coalesce-host-bridge-contiguous-apertures.patch similarity index 89% rename from patches/kernel/0008-Revert-PCI-Coalesce-host-bridge-contiguous-apertures.patch rename to patches/kernel/0006-Revert-PCI-Coalesce-host-bridge-contiguous-apertures.patch index 1cd38d8..9b339e4 100644 --- a/patches/kernel/0008-Revert-PCI-Coalesce-host-bridge-contiguous-apertures.patch +++ b/patches/kernel/0006-Revert-PCI-Coalesce-host-bridge-contiguous-apertures.patch @@ -2,6 +2,9 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Mon, 27 Sep 2021 11:28:39 +0200 Subject: [PATCH] Revert "PCI: Coalesce host bridge contiguous apertures" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit This reverts commit ab20e43b20b60f5cc8e2ea3763ffa388158469ac. @@ -12,8 +15,8 @@ Link: https://lore.kernel.org/r/20210709231529.GA3270116@roeck-us.net Signed-off-by: Fabian Grünbichler Signed-off-by: Thomas Lamprecht --- - drivers/pci/probe.c | 52 +++++---------------------------------------- - 1 file changed, 5 insertions(+), 47 deletions(-) + drivers/pci/probe.c | 50 ++++----------------------------------------- + 1 file changed, 4 insertions(+), 46 deletions(-) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c index f6046a16dac1..275204646c68 100644 @@ -89,14 +92,13 @@ index f6046a16dac1..275204646c68 100644 - /* Add initial resources to the bus */ resource_list_for_each_entry_safe(window, n, &resources) { -- offset = window->offset; -- res = window->res; ++ list_move_tail(&window->node, &bridge->windows); + offset = window->offset; + res = window->res; - if (!res->end) - continue; - - list_move_tail(&window->node, &bridge->windows); -+ offset = window->offset; -+ res = window->res; +- list_move_tail(&window->node, &bridge->windows); if (res->flags & IORESOURCE_BUS) pci_bus_insert_busn_res(bus, bus->number, res->end); diff --git a/patches/kernel/0009-PCI-Reinstate-PCI-Coalesce-host-bridge-contiguous-ap.patch b/patches/kernel/0007-PCI-Reinstate-PCI-Coalesce-host-bridge-contiguous-ap.patch similarity index 97% rename from patches/kernel/0009-PCI-Reinstate-PCI-Coalesce-host-bridge-contiguous-ap.patch rename to patches/kernel/0007-PCI-Reinstate-PCI-Coalesce-host-bridge-contiguous-ap.patch index de41df8..cc4bd5f 100644 --- a/patches/kernel/0009-PCI-Reinstate-PCI-Coalesce-host-bridge-contiguous-ap.patch +++ b/patches/kernel/0007-PCI-Reinstate-PCI-Coalesce-host-bridge-contiguous-ap.patch @@ -55,7 +55,7 @@ Signed-off-by: Fabian Grünbichler 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c -index be51670572fa..133f5d2b189d 100644 +index 275204646c68..944c35d87258 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -877,11 +877,11 @@ static void pci_set_bus_msi_domain(struct pci_bus *bus) @@ -73,7 +73,7 @@ index be51670572fa..133f5d2b189d 100644 char addr[64], *fmt; const char *name; int err; -@@ -959,11 +959,34 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge) +@@ -961,11 +961,34 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge) if (nr_node_ids > 1 && pcibus_to_node(bus) == NUMA_NO_NODE) dev_warn(&bus->dev, "Unknown NUMA node; performance will be reduced\n"); diff --git a/patches/kernel/0012-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch b/patches/kernel/0008-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch similarity index 100% rename from patches/kernel/0012-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch rename to patches/kernel/0008-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch diff --git a/patches/kernel/0010-blk-mq-fix-kernel-panic-during-iterating-over-flush-.patch b/patches/kernel/0010-blk-mq-fix-kernel-panic-during-iterating-over-flush-.patch deleted file mode 100644 index 49f7181..0000000 --- a/patches/kernel/0010-blk-mq-fix-kernel-panic-during-iterating-over-flush-.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Ming Lei -Date: Fri, 10 Sep 2021 14:30:15 +0200 -Subject: [PATCH] blk-mq: fix kernel panic during iterating over flush request - -commit c2da19ed50554ce52ecbad3655c98371fe58599f upstream. - -For fixing use-after-free during iterating over requests, we grabbed -request's refcount before calling ->fn in commit 2e315dc07df0 ("blk-mq: -grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter"). -Turns out this way may cause kernel panic when iterating over one flush -request: - -1) old flush request's tag is just released, and this tag is reused by -one new request, but ->rqs[] isn't updated yet - -2) the flush request can be re-used for submitting one new flush command, -so blk_rq_init() is called at the same time - -3) meantime blk_mq_queue_tag_busy_iter() is called, and old flush request -is retrieved from ->rqs[tag]; when blk_mq_put_rq_ref() is called, -flush_rq->end_io may not be updated yet, so NULL pointer dereference -is triggered in blk_mq_put_rq_ref(). - -Fix the issue by calling refcount_set(&flush_rq->ref, 1) after -flush_rq->end_io is set. So far the only other caller of blk_rq_init() is -scsi_ioctl_reset() in which the request doesn't enter block IO stack and -the request reference count isn't used, so the change is safe. - -Fixes: 2e315dc07df0 ("blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter") -Reported-by: "Blank-Burian, Markus, Dr." -Tested-by: "Blank-Burian, Markus, Dr." -Signed-off-by: Ming Lei -Reviewed-by: Christoph Hellwig -Reviewed-by: John Garry -Link: https://lore.kernel.org/r/20210811142624.618598-1-ming.lei@redhat.com -Signed-off-by: Jens Axboe -Cc: Yi Zhang -Signed-off-by: Greg Kroah-Hartman ---- - block/blk-core.c | 1 - - block/blk-flush.c | 8 ++++++++ - 2 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/block/blk-core.c b/block/blk-core.c -index 7663a9b94b80..debdf9b0bf30 100644 ---- a/block/blk-core.c -+++ b/block/blk-core.c -@@ -121,7 +121,6 @@ void blk_rq_init(struct request_queue *q, struct request *rq) - rq->internal_tag = BLK_MQ_NO_TAG; - rq->start_time_ns = ktime_get_ns(); - rq->part = NULL; -- refcount_set(&rq->ref, 1); - blk_crypto_rq_set_defaults(rq); - } - EXPORT_SYMBOL(blk_rq_init); -diff --git a/block/blk-flush.c b/block/blk-flush.c -index e89d007dbf6a..8b11ab3b3762 100644 ---- a/block/blk-flush.c -+++ b/block/blk-flush.c -@@ -329,6 +329,14 @@ static void blk_kick_flush(struct request_queue *q, struct blk_flush_queue *fq, - flush_rq->rq_flags |= RQF_FLUSH_SEQ; - flush_rq->rq_disk = first_rq->rq_disk; - flush_rq->end_io = flush_end_io; -+ /* -+ * Order WRITE ->end_io and WRITE rq->ref, and its pair is the one -+ * implied in refcount_inc_not_zero() called from -+ * blk_mq_find_and_get_req(), which orders WRITE/READ flush_rq->ref -+ * and READ flush_rq->end_io -+ */ -+ smp_wmb(); -+ refcount_set(&flush_rq->ref, 1); - - blk_flush_queue_rq(flush_rq, false); - } diff --git a/patches/kernel/0011-blk-mq-fix-is_flush_rq.patch b/patches/kernel/0011-blk-mq-fix-is_flush_rq.patch deleted file mode 100644 index ef526a3..0000000 --- a/patches/kernel/0011-blk-mq-fix-is_flush_rq.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Ming Lei -Date: Fri, 10 Sep 2021 14:30:16 +0200 -Subject: [PATCH] blk-mq: fix is_flush_rq - -commit a9ed27a764156929efe714033edb3e9023c5f321 upstream. - -is_flush_rq() is called from bt_iter()/bt_tags_iter(), and runs the -following check: - - hctx->fq->flush_rq == req - -but the passed hctx from bt_iter()/bt_tags_iter() may be NULL because: - -1) memory re-order in blk_mq_rq_ctx_init(): - - rq->mq_hctx = data->hctx; - ... - refcount_set(&rq->ref, 1); - -OR - -2) tag re-use and ->rqs[] isn't updated with new request. - -Fix the issue by re-writing is_flush_rq() as: - - return rq->end_io == flush_end_io; - -which turns out simpler to follow and immune to data race since we have -ordered WRITE rq->end_io and refcount_set(&rq->ref, 1). - -Fixes: 2e315dc07df0 ("blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter") -Cc: "Blank-Burian, Markus, Dr." -Cc: Yufen Yu -Signed-off-by: Ming Lei -Link: https://lore.kernel.org/r/20210818010925.607383-1-ming.lei@redhat.com -Signed-off-by: Jens Axboe -Cc: Yi Zhang -Signed-off-by: Greg Kroah-Hartman ---- - block/blk-flush.c | 5 +++++ - block/blk-mq.c | 2 +- - block/blk.h | 6 +----- - 3 files changed, 7 insertions(+), 6 deletions(-) - -diff --git a/block/blk-flush.c b/block/blk-flush.c -index 8b11ab3b3762..705ee6c99020 100644 ---- a/block/blk-flush.c -+++ b/block/blk-flush.c -@@ -262,6 +262,11 @@ static void flush_end_io(struct request *flush_rq, blk_status_t error) - spin_unlock_irqrestore(&fq->mq_flush_lock, flags); - } - -+bool is_flush_rq(struct request *rq) -+{ -+ return rq->end_io == flush_end_io; -+} -+ - /** - * blk_kick_flush - consider issuing flush request - * @q: request_queue being kicked -diff --git a/block/blk-mq.c b/block/blk-mq.c -index cb619ec8aaf2..601e40204d06 100644 ---- a/block/blk-mq.c -+++ b/block/blk-mq.c -@@ -937,7 +937,7 @@ static bool blk_mq_req_expired(struct request *rq, unsigned long *next) - - void blk_mq_put_rq_ref(struct request *rq) - { -- if (is_flush_rq(rq, rq->mq_hctx)) -+ if (is_flush_rq(rq)) - rq->end_io(rq, 0); - else if (refcount_dec_and_test(&rq->ref)) - __blk_mq_free_request(rq); -diff --git a/block/blk.h b/block/blk.h -index 7550364c326c..4a4ffd992790 100644 ---- a/block/blk.h -+++ b/block/blk.h -@@ -43,11 +43,7 @@ static inline void __blk_get_queue(struct request_queue *q) - kobject_get(&q->kobj); - } - --static inline bool --is_flush_rq(struct request *req, struct blk_mq_hw_ctx *hctx) --{ -- return hctx->fq->flush_rq == req; --} -+bool is_flush_rq(struct request *req); - - struct blk_flush_queue *blk_alloc_flush_queue(int node, int cmd_size, - gfp_t flags); -- 2.39.2