--- /dev/null
+From a0bebe2b2d06195878043e2dc1a32648c00f3d44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 22:00:33 -0700
+Subject: alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to
+ volatile
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 35a3f4ef0ab543daa1725b0c963eb8c05e3376f8 ]
+
+Some drivers pass a pointer to volatile data to virt_to_bus() and
+virt_to_phys(), and that works fine. One exception is alpha. This
+results in a number of compile errors such as
+
+ drivers/net/wan/lmc/lmc_main.c: In function 'lmc_softreset':
+ drivers/net/wan/lmc/lmc_main.c:1782:50: error:
+ passing argument 1 of 'virt_to_bus' discards 'volatile'
+ qualifier from pointer target type
+
+ drivers/atm/ambassador.c: In function 'do_loader_command':
+ drivers/atm/ambassador.c:1747:58: error:
+ passing argument 1 of 'virt_to_bus' discards 'volatile'
+ qualifier from pointer target type
+
+Declare the parameter of virt_to_phys and virt_to_bus as pointer to
+volatile to fix the problem.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/alpha/include/asm/io.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/alpha/include/asm/io.h b/arch/alpha/include/asm/io.h
+index 9995bed6e92e..204c4fb69ee1 100644
+--- a/arch/alpha/include/asm/io.h
++++ b/arch/alpha/include/asm/io.h
+@@ -61,7 +61,7 @@ extern inline void set_hae(unsigned long new_hae)
+ * Change virtual addresses to physical addresses and vv.
+ */
+ #ifdef USE_48_BIT_KSEG
+-static inline unsigned long virt_to_phys(void *address)
++static inline unsigned long virt_to_phys(volatile void *address)
+ {
+ return (unsigned long)address - IDENT_ADDR;
+ }
+@@ -71,7 +71,7 @@ static inline void * phys_to_virt(unsigned long address)
+ return (void *) (address + IDENT_ADDR);
+ }
+ #else
+-static inline unsigned long virt_to_phys(void *address)
++static inline unsigned long virt_to_phys(volatile void *address)
+ {
+ unsigned long phys = (unsigned long)address;
+
+@@ -112,7 +112,7 @@ static inline dma_addr_t __deprecated isa_page_to_bus(struct page *page)
+ extern unsigned long __direct_map_base;
+ extern unsigned long __direct_map_size;
+
+-static inline unsigned long __deprecated virt_to_bus(void *address)
++static inline unsigned long __deprecated virt_to_bus(volatile void *address)
+ {
+ unsigned long phys = virt_to_phys(address);
+ unsigned long bus = phys + __direct_map_base;
+--
+2.33.0
+
--- /dev/null
+From 0dbe9d901f77ac037bf4abe224ad196c076a688a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 17:44:02 +0800
+Subject: arm64: Mark __stack_chk_guard as __ro_after_init
+
+From: Dan Li <ashimida@linux.alibaba.com>
+
+[ Upstream commit 9fcb2e93f41c07a400885325e7dbdfceba6efaec ]
+
+__stack_chk_guard is setup once while init stage and never changed
+after that.
+
+Although the modification of this variable at runtime will usually
+cause the kernel to crash (so does the attacker), it should be marked
+as __ro_after_init, and it should not affect performance if it is
+placed in the ro_after_init section.
+
+Signed-off-by: Dan Li <ashimida@linux.alibaba.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/1631612642-102881-1-git-send-email-ashimida@linux.alibaba.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
+index 2ff327651ebe..dac14125f8a2 100644
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -61,7 +61,7 @@
+
+ #ifdef CONFIG_CC_STACKPROTECTOR
+ #include <linux/stackprotector.h>
+-unsigned long __stack_chk_guard __read_mostly;
++unsigned long __stack_chk_guard __ro_after_init;
+ EXPORT_SYMBOL(__stack_chk_guard);
+ #endif
+
+--
+2.33.0
+
--- /dev/null
+From a693a79a393b9915ad8119f4437b372d6aa735c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Sep 2021 21:49:21 +0800
+Subject: blktrace: Fix uaf in blk_trace access after removing by sysfs
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 5afedf670caf30a2b5a52da96eb7eac7dee6a9c9 ]
+
+There is an use-after-free problem triggered by following process:
+
+ P1(sda) P2(sdb)
+ echo 0 > /sys/block/sdb/trace/enable
+ blk_trace_remove_queue
+ synchronize_rcu
+ blk_trace_free
+ relay_close
+rcu_read_lock
+__blk_add_trace
+ trace_note_tsk
+ (Iterate running_trace_list)
+ relay_close_buf
+ relay_destroy_buf
+ kfree(buf)
+ trace_note(sdb's bt)
+ relay_reserve
+ buf->offset <- nullptr deference (use-after-free) !!!
+rcu_read_unlock
+
+[ 502.714379] BUG: kernel NULL pointer dereference, address:
+0000000000000010
+[ 502.715260] #PF: supervisor read access in kernel mode
+[ 502.715903] #PF: error_code(0x0000) - not-present page
+[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
+[ 502.717252] Oops: 0000 [#1] SMP
+[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
+[ 502.732872] Call Trace:
+[ 502.733193] __blk_add_trace.cold+0x137/0x1a3
+[ 502.733734] blk_add_trace_rq+0x7b/0xd0
+[ 502.734207] blk_add_trace_rq_issue+0x54/0xa0
+[ 502.734755] blk_mq_start_request+0xde/0x1b0
+[ 502.735287] scsi_queue_rq+0x528/0x1140
+...
+[ 502.742704] sg_new_write.isra.0+0x16e/0x3e0
+[ 502.747501] sg_ioctl+0x466/0x1100
+
+Reproduce method:
+ ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
+ ioctl(/dev/sda, BLKTRACESTART)
+ ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
+ ioctl(/dev/sdb, BLKTRACESTART)
+
+ echo 0 > /sys/block/sdb/trace/enable &
+ // Add delay(mdelay/msleep) before kernel enters blk_trace_free()
+
+ ioctl$SG_IO(/dev/sda, SG_IO, ...)
+ // Enters trace_note_tsk() after blk_trace_free() returned
+ // Use mdelay in rcu region rather than msleep(which may schedule out)
+
+Remove blk_trace from running_list before calling blk_trace_free() by
+sysfs if blk_trace is at Blktrace_running state.
+
+Fixes: c71a896154119f ("blktrace: add ftrace plugin")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Link: https://lore.kernel.org/r/20210923134921.109194-1-chengzhihao1@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/blktrace.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
+index b06011b22185..0b22bf622397 100644
+--- a/kernel/trace/blktrace.c
++++ b/kernel/trace/blktrace.c
+@@ -1679,6 +1679,14 @@ static int blk_trace_remove_queue(struct request_queue *q)
+ if (bt == NULL)
+ return -EINVAL;
+
++ if (bt->trace_state == Blktrace_running) {
++ bt->trace_state = Blktrace_stopped;
++ spin_lock_irq(&running_trace_lock);
++ list_del_init(&bt->running_list);
++ spin_unlock_irq(&running_trace_lock);
++ relay_flush(bt->rchan);
++ }
++
+ put_probe_ref();
+ synchronize_rcu();
+ blk_trace_free(bt);
+--
+2.33.0
+
--- /dev/null
+From 574dd22f3b99219c990379e6ae93758bbec4f9bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 20:52:24 -0700
+Subject: compiler.h: Introduce absolute_pointer macro
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit f6b5f1a56987de837f8e25cd560847106b8632a8 ]
+
+absolute_pointer() disassociates a pointer from its originating symbol
+type and context. Use it to prevent compiler warnings/errors such as
+
+ drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe':
+ arch/m68k/include/asm/string.h:72:25: error:
+ '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread]
+
+Such warnings may be reported by gcc 11.x for string and memory
+operations on fixed addresses.
+
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/compiler.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/compiler.h b/include/linux/compiler.h
+index 3b6e6522e0ec..d29b68379223 100644
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -152,6 +152,8 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
+ (typeof(ptr)) (__ptr + (off)); })
+ #endif
+
++#define absolute_pointer(val) RELOC_HIDE((void *)(val), 0)
++
+ #ifndef OPTIMIZER_HIDE_VAR
+ #define OPTIMIZER_HIDE_VAR(var) barrier()
+ #endif
+--
+2.33.0
+
--- /dev/null
+From 0f622661905b2c6eb056738b4c213d9be1eb0747 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 10:20:55 +0800
+Subject: irqchip/gic-v3-its: Fix potential VPE leak on error
+
+From: Kaige Fu <kaige.fu@linux.alibaba.com>
+
+[ Upstream commit 280bef512933b2dda01d681d8cbe499b98fc5bdd ]
+
+In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error,
+there is an off-by-one in the number of VPEs to be freed.
+
+Fix it by simply passing the number of VPEs allocated, which is the
+index of the loop iterating over the VPEs.
+
+Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown")
+Signed-off-by: Kaige Fu <kaige.fu@linux.alibaba.com>
+[maz: fixed commit message]
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/d9e36dee512e63670287ed9eff884a5d8d6d27f2.1631672311.git.kaige.fu@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index 1d2267c6d31a..85b4610e6dc4 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -2730,7 +2730,7 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
+
+ if (err) {
+ if (i > 0)
+- its_vpe_irq_domain_free(domain, virq, i - 1);
++ its_vpe_irq_domain_free(domain, virq, i);
+
+ its_lpi_free_chunks(bitmap, base, nr_ids);
+ its_free_prop_table(vprop_page);
+--
+2.33.0
+
--- /dev/null
+From 357993f03339a2b0b13a287c227546eebdaa06e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 23:07:29 -0700
+Subject: m68k: Double cast io functions to unsigned long
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit b1a89856fbf63fffde6a4771d8f1ac21df549e50 ]
+
+m68k builds fail widely with errors such as
+
+arch/m68k/include/asm/raw_io.h:20:19: error:
+ cast to pointer from integer of different size
+arch/m68k/include/asm/raw_io.h:30:32: error:
+ cast to pointer from integer of different size [-Werror=int-to-p
+
+On m68k, io functions are defined as macros. The problem is seen if the
+macro parameter variable size differs from the size of a pointer. Cast
+the parameter of all io macros to unsigned long before casting it to
+a pointer to fix the problem.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20210907060729.2391992-1-linux@roeck-us.net
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/raw_io.h | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/arch/m68k/include/asm/raw_io.h b/arch/m68k/include/asm/raw_io.h
+index 05e940c29b54..cbfff90c2a69 100644
+--- a/arch/m68k/include/asm/raw_io.h
++++ b/arch/m68k/include/asm/raw_io.h
+@@ -31,21 +31,21 @@ extern void __iounmap(void *addr, unsigned long size);
+ * two accesses to memory, which may be undesirable for some devices.
+ */
+ #define in_8(addr) \
+- ({ u8 __v = (*(__force volatile u8 *) (addr)); __v; })
++ ({ u8 __v = (*(__force volatile u8 *) (unsigned long)(addr)); __v; })
+ #define in_be16(addr) \
+- ({ u16 __v = (*(__force volatile u16 *) (addr)); __v; })
++ ({ u16 __v = (*(__force volatile u16 *) (unsigned long)(addr)); __v; })
+ #define in_be32(addr) \
+- ({ u32 __v = (*(__force volatile u32 *) (addr)); __v; })
++ ({ u32 __v = (*(__force volatile u32 *) (unsigned long)(addr)); __v; })
+ #define in_le16(addr) \
+- ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (addr)); __v; })
++ ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (unsigned long)(addr)); __v; })
+ #define in_le32(addr) \
+- ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (addr)); __v; })
++ ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (unsigned long)(addr)); __v; })
+
+-#define out_8(addr,b) (void)((*(__force volatile u8 *) (addr)) = (b))
+-#define out_be16(addr,w) (void)((*(__force volatile u16 *) (addr)) = (w))
+-#define out_be32(addr,l) (void)((*(__force volatile u32 *) (addr)) = (l))
+-#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (addr)) = cpu_to_le16(w))
+-#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (addr)) = cpu_to_le32(l))
++#define out_8(addr,b) (void)((*(__force volatile u8 *) (unsigned long)(addr)) = (b))
++#define out_be16(addr,w) (void)((*(__force volatile u16 *) (unsigned long)(addr)) = (w))
++#define out_be32(addr,l) (void)((*(__force volatile u32 *) (unsigned long)(addr)) = (l))
++#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (unsigned long)(addr)) = cpu_to_le16(w))
++#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (unsigned long)(addr)) = cpu_to_le32(l))
+
+ #define raw_inb in_8
+ #define raw_inw in_be16
+--
+2.33.0
+
--- /dev/null
+From 8444cd6ff605b473b375d7afbab5dec5d8de3e2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Sep 2021 13:38:29 +0200
+Subject: md: fix a lock order reversal in md_alloc
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 7df835a32a8bedf7ce88efcfa7c9b245b52ff139 ]
+
+Commit b0140891a8cea3 ("md: Fix race when creating a new md device.")
+not only moved assigning mddev->gendisk before calling add_disk, which
+fixes the races described in the commit log, but also added a
+mddev->open_mutex critical section over add_disk and creation of the
+md kobj. Adding a kobject after add_disk is racy vs deleting the gendisk
+right after adding it, but md already prevents against that by holding
+a mddev->active reference.
+
+On the other hand taking this lock added a lock order reversal with what
+is not disk->open_mutex (used to be bdev->bd_mutex when the commit was
+added) for partition devices, which need that lock for the internal open
+for the partition scan, and a recent commit also takes it for
+non-partitioned devices, leading to further lockdep splatter.
+
+Fixes: b0140891a8ce ("md: Fix race when creating a new md device.")
+Fixes: d62633873590 ("block: support delayed holder registration")
+Reported-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Tested-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com
+Reviewed-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 0af9aa187ce5..5e8706a66c31 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5375,10 +5375,6 @@ static int md_alloc(dev_t dev, char *name)
+ */
+ disk->flags |= GENHD_FL_EXT_DEVT;
+ mddev->gendisk = disk;
+- /* As soon as we call add_disk(), another thread could get
+- * through to md_open, so make sure it doesn't get too far
+- */
+- mutex_lock(&mddev->open_mutex);
+ add_disk(disk);
+
+ error = kobject_init_and_add(&mddev->kobj, &md_ktype,
+@@ -5394,7 +5390,6 @@ static int md_alloc(dev_t dev, char *name)
+ if (mddev->kobj.sd &&
+ sysfs_create_group(&mddev->kobj, &md_bitmap_group))
+ pr_debug("pointless warning\n");
+- mutex_unlock(&mddev->open_mutex);
+ abort:
+ mutex_unlock(&disks_mutex);
+ if (!error && mddev->kobj.sd) {
+--
+2.33.0
+
--- /dev/null
+From 5aa2f8cf19fab9463dea457a7af28d6da7b7d302 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 20:57:43 -0700
+Subject: net: 6pack: Fix tx timeout and slot time
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 3c0d2a46c0141913dc6fd126c57d0615677d946e ]
+
+tx timeout and slot time are currently specified in units of HZ. On
+Alpha, HZ is defined as 1024. When building alpha:allmodconfig, this
+results in the following error message.
+
+ drivers/net/hamradio/6pack.c: In function 'sixpack_open':
+ drivers/net/hamradio/6pack.c:71:41: error:
+ unsigned conversion from 'int' to 'unsigned char'
+ changes value from '256' to '0'
+
+In the 6PACK protocol, tx timeout is specified in units of 10 ms and
+transmitted over the wire:
+
+ https://www.linux-ax25.org/wiki/6PACK
+
+Defining a value dependent on HZ doesn't really make sense, and
+presumably comes from the (very historical) situation where HZ was
+originally 100.
+
+Note that the SIXP_SLOTTIME use explicitly is about 10ms granularity:
+
+ mod_timer(&sp->tx_t, jiffies + ((when + 1) * HZ) / 100);
+
+and the SIXP_TXDELAY walue is sent as a byte over the wire.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hamradio/6pack.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
+index 231eaef29266..7e430300818e 100644
+--- a/drivers/net/hamradio/6pack.c
++++ b/drivers/net/hamradio/6pack.c
+@@ -68,9 +68,9 @@
+ #define SIXP_DAMA_OFF 0
+
+ /* default level 2 parameters */
+-#define SIXP_TXDELAY (HZ/4) /* in 1 s */
++#define SIXP_TXDELAY 25 /* 250 ms */
+ #define SIXP_PERSIST 50 /* in 256ths */
+-#define SIXP_SLOTTIME (HZ/10) /* in 1 s */
++#define SIXP_SLOTTIME 10 /* 100 ms */
+ #define SIXP_INIT_RESYNC_TIMEOUT (3*HZ/2) /* in 1 s */
+ #define SIXP_RESYNC_TIMEOUT 5*HZ /* in 1 s */
+
+--
+2.33.0
+
--- /dev/null
+From 63ca47add95cfb4e62d546d1f3640ec63bacd1cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 20:52:25 -0700
+Subject: net: i825xx: Use absolute_pointer for memcpy from fixed memory
+ location
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit dff2d13114f0beec448da9b3716204eb34b0cf41 ]
+
+gcc 11.x reports the following compiler warning/error.
+
+ drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe':
+ arch/m68k/include/asm/string.h:72:25: error:
+ '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread]
+
+Use absolute_pointer() to work around the problem.
+
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/i825xx/82596.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/i825xx/82596.c b/drivers/net/ethernet/i825xx/82596.c
+index d719668a6684..8efcec305fc5 100644
+--- a/drivers/net/ethernet/i825xx/82596.c
++++ b/drivers/net/ethernet/i825xx/82596.c
+@@ -1155,7 +1155,7 @@ struct net_device * __init i82596_probe(int unit)
+ err = -ENODEV;
+ goto out;
+ }
+- memcpy(eth_addr, (void *) 0xfffc1f2c, ETH_ALEN); /* YUCK! Get addr from NOVRAM */
++ memcpy(eth_addr, absolute_pointer(0xfffc1f2c), ETH_ALEN); /* YUCK! Get addr from NOVRAM */
+ dev->base_addr = MVME_I596_BASE;
+ dev->irq = (unsigned) MVME16x_IRQ_I596;
+ goto found;
+--
+2.33.0
+
--- /dev/null
+From 294116b670d093da8a469ac5fa2ec8cb5c0e78e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 12:02:32 -0700
+Subject: net: macb: fix use after free on rmmod
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit d82d5303c4c539db86588ffb5dc5b26c3f1513e8 ]
+
+plat_dev->dev->platform_data is released by platform_device_unregister(),
+use of pclk and hclk is a use-after-free. Since device unregister won't
+need a clk device we adjust the function call sequence to fix this issue.
+
+[ 31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]
+[ 31.275563] Freed by task 306:
+[ 30.276782] platform_device_release+0x25/0x80
+
+Suggested-by: Nicolas Ferre <Nicolas.Ferre@microchip.com>
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c
+index 248a8fc45069..f06fddf9919b 100644
+--- a/drivers/net/ethernet/cadence/macb_pci.c
++++ b/drivers/net/ethernet/cadence/macb_pci.c
+@@ -123,9 +123,9 @@ static void macb_remove(struct pci_dev *pdev)
+ struct platform_device *plat_dev = pci_get_drvdata(pdev);
+ struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev);
+
+- platform_device_unregister(plat_dev);
+ clk_unregister(plat_data->pclk);
+ clk_unregister(plat_data->hclk);
++ platform_device_unregister(plat_dev);
+ }
+
+ static const struct pci_device_id dev_id_table[] = {
+--
+2.33.0
+
--- /dev/null
+From dcca319afb7b8b2b90c7877c19ef6d773a17997a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Sep 2021 21:55:34 +0200
+Subject: net: stmmac: allow CSR clock of 300MHz
+
+From: Jesper Nilsson <jesper.nilsson@axis.com>
+
+[ Upstream commit 08dad2f4d541fcfe5e7bfda72cc6314bbfd2802f ]
+
+The Synopsys Ethernet IP uses the CSR clock as a base clock for MDC.
+The divisor used is set in the MAC_MDIO_Address register field CR
+(Clock Rate)
+
+The divisor is there to change the CSR clock into a clock that falls
+below the IEEE 802.3 specified max frequency of 2.5MHz.
+
+If the CSR clock is 300MHz, the code falls back to using the reset
+value in the MAC_MDIO_Address register, as described in the comment
+above this code.
+
+However, 300MHz is actually an allowed value and the proper divider
+can be estimated quite easily (it's just 1Hz difference!)
+
+A CSR frequency of 300MHz with the maximum clock rate value of 0x5
+(STMMAC_CSR_250_300M, a divisor of 124) gives somewhere around
+~2.42MHz which is below the IEEE 802.3 specified maximum.
+
+For the ARTPEC-8 SoC, the CSR clock is this problematic 300MHz,
+and unfortunately, the reset-value of the MAC_MDIO_Address CR field
+is 0x0.
+
+This leads to a clock rate of zero and a divisor of 42, and gives an
+MDC frequency of ~7.14MHz.
+
+Allow CSR clock of 300MHz by making the comparison inclusive.
+
+Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index a7b30f060536..2be2b3055904 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -232,7 +232,7 @@ static void stmmac_clk_csr_set(struct stmmac_priv *priv)
+ priv->clk_csr = STMMAC_CSR_100_150M;
+ else if ((clk_rate >= CSR_F_150M) && (clk_rate < CSR_F_250M))
+ priv->clk_csr = STMMAC_CSR_150_250M;
+- else if ((clk_rate >= CSR_F_250M) && (clk_rate < CSR_F_300M))
++ else if ((clk_rate >= CSR_F_250M) && (clk_rate <= CSR_F_300M))
+ priv->clk_csr = STMMAC_CSR_250_300M;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 0dab18f556d93b2c6fcab37a2c9259139f0305c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 08:35:42 +0200
+Subject: parisc: Use absolute_pointer() to define PAGE0
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit 90cc7bed1ed19f869ae7221a6b41887fe762a6a3 ]
+
+Use absolute_pointer() wrapper for PAGE0 to avoid this compiler warning:
+
+ arch/parisc/kernel/setup.c: In function 'start_parisc':
+ error: '__builtin_memcmp_eq' specified bound 8 exceeds source size 0
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Co-Developed-by: Guenter Roeck <linux@roeck-us.net>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/include/asm/page.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/parisc/include/asm/page.h b/arch/parisc/include/asm/page.h
+index af00fe9bf846..c631a8fd856a 100644
+--- a/arch/parisc/include/asm/page.h
++++ b/arch/parisc/include/asm/page.h
+@@ -179,7 +179,7 @@ extern int npmem_ranges;
+ #include <asm-generic/getorder.h>
+ #include <asm/pdc.h>
+
+-#define PAGE0 ((struct zeropage *)__PAGE_OFFSET)
++#define PAGE0 ((struct zeropage *)absolute_pointer(__PAGE_OFFSET))
+
+ /* DEFINITION OF THE ZERO-PAGE (PAG0) */
+ /* based on work by Jason Eckhardt (jason@equator.com) */
+--
+2.33.0
+
--- /dev/null
+From 0e90f324773da96d53085b43fce1c31d15119134 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 13:56:37 -0700
+Subject: qnx4: avoid stringop-overread errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit b7213ffa0e585feb1aee3e7173e965e66ee0abaa ]
+
+The qnx4 directory entries are 64-byte blocks that have different
+contents depending on the a status byte that is in the last byte of the
+block.
+
+In particular, a directory entry can be either a "link info" entry with
+a 48-byte name and pointers to the real inode information, or an "inode
+entry" with a smaller 16-byte name and the full inode information.
+
+But the code was written to always just treat the directory name as if
+it was part of that "inode entry", and just extend the name to the
+longer case if the status byte said it was a link entry.
+
+That work just fine and gives the right results, but now that gcc is
+tracking data structure accesses much more, the code can trigger a
+compiler error about using up to 48 bytes (the long name) in a structure
+that only has that shorter name in it:
+
+ fs/qnx4/dir.c: In function ‘qnx4_readdir’:
+ fs/qnx4/dir.c:51:32: error: ‘strnlen’ specified bound 48 exceeds source size 16 [-Werror=stringop-overread]
+ 51 | size = strnlen(de->di_fname, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from fs/qnx4/qnx4.h:3,
+ from fs/qnx4/dir.c:16:
+ include/uapi/linux/qnx4_fs.h:45:25: note: source object declared here
+ 45 | char di_fname[QNX4_SHORT_NAME_MAX];
+ | ^~~~~~~~
+
+which is because the source code doesn't really make this whole "one of
+two different types" explicit.
+
+Fix this by introducing a very explicit union of the two types, and
+basically explaining to the compiler what is really going on.
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/qnx4/dir.c | 51 ++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 34 insertions(+), 17 deletions(-)
+
+diff --git a/fs/qnx4/dir.c b/fs/qnx4/dir.c
+index a6ee23aadd28..2a66844b7ff8 100644
+--- a/fs/qnx4/dir.c
++++ b/fs/qnx4/dir.c
+@@ -15,13 +15,27 @@
+ #include <linux/buffer_head.h>
+ #include "qnx4.h"
+
++/*
++ * A qnx4 directory entry is an inode entry or link info
++ * depending on the status field in the last byte. The
++ * first byte is where the name start either way, and a
++ * zero means it's empty.
++ */
++union qnx4_directory_entry {
++ struct {
++ char de_name;
++ char de_pad[62];
++ char de_status;
++ };
++ struct qnx4_inode_entry inode;
++ struct qnx4_link_info link;
++};
++
+ static int qnx4_readdir(struct file *file, struct dir_context *ctx)
+ {
+ struct inode *inode = file_inode(file);
+ unsigned int offset;
+ struct buffer_head *bh;
+- struct qnx4_inode_entry *de;
+- struct qnx4_link_info *le;
+ unsigned long blknum;
+ int ix, ino;
+ int size;
+@@ -38,27 +52,30 @@ static int qnx4_readdir(struct file *file, struct dir_context *ctx)
+ }
+ ix = (ctx->pos >> QNX4_DIR_ENTRY_SIZE_BITS) % QNX4_INODES_PER_BLOCK;
+ for (; ix < QNX4_INODES_PER_BLOCK; ix++, ctx->pos += QNX4_DIR_ENTRY_SIZE) {
++ union qnx4_directory_entry *de;
++ const char *name;
++
+ offset = ix * QNX4_DIR_ENTRY_SIZE;
+- de = (struct qnx4_inode_entry *) (bh->b_data + offset);
+- if (!de->di_fname[0])
++ de = (union qnx4_directory_entry *) (bh->b_data + offset);
++
++ if (!de->de_name)
+ continue;
+- if (!(de->di_status & (QNX4_FILE_USED|QNX4_FILE_LINK)))
++ if (!(de->de_status & (QNX4_FILE_USED|QNX4_FILE_LINK)))
+ continue;
+- if (!(de->di_status & QNX4_FILE_LINK))
+- size = QNX4_SHORT_NAME_MAX;
+- else
+- size = QNX4_NAME_MAX;
+- size = strnlen(de->di_fname, size);
+- QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, de->di_fname));
+- if (!(de->di_status & QNX4_FILE_LINK))
++ if (!(de->de_status & QNX4_FILE_LINK)) {
++ size = sizeof(de->inode.di_fname);
++ name = de->inode.di_fname;
+ ino = blknum * QNX4_INODES_PER_BLOCK + ix - 1;
+- else {
+- le = (struct qnx4_link_info*)de;
+- ino = ( le32_to_cpu(le->dl_inode_blk) - 1 ) *
++ } else {
++ size = sizeof(de->link.dl_fname);
++ name = de->link.dl_fname;
++ ino = ( le32_to_cpu(de->link.dl_inode_blk) - 1 ) *
+ QNX4_INODES_PER_BLOCK +
+- le->dl_inode_ndx;
++ de->link.dl_inode_ndx;
+ }
+- if (!dir_emit(ctx, de->di_fname, size, ino, DT_UNKNOWN)) {
++ size = strnlen(name, size);
++ QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, name));
++ if (!dir_emit(ctx, name, size, ino, DT_UNKNOWN)) {
+ brelse(bh);
+ return 0;
+ }
+--
+2.33.0
+
--- /dev/null
+From 766d7f83ece33016b79150141e0ff588976f9c36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Sep 2021 16:53:36 +0800
+Subject: scsi: iscsi: Adjust iface sysfs attr detection
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 4e28550829258f7dab97383acaa477bd724c0ff4 ]
+
+ISCSI_NET_PARAM_IFACE_ENABLE belongs to enum iscsi_net_param instead of
+iscsi_iface_param so move it to ISCSI_NET_PARAM. Otherwise, when we call
+into the driver, we might not match and return that we don't want attr
+visible in sysfs. Found in code review.
+
+Link: https://lore.kernel.org/r/20210901085336.2264295-1-libaokun1@huawei.com
+Fixes: e746f3451ec7 ("scsi: iscsi: Fix iface sysfs attr detection")
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index 064c941e5483..d276d84c0f7a 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -429,9 +429,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ struct iscsi_transport *t = iface->transport;
+ int param = -1;
+
+- if (attr == &dev_attr_iface_enabled.attr)
+- param = ISCSI_NET_PARAM_IFACE_ENABLE;
+- else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr)
++ if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr)
+ param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO;
+ else if (attr == &dev_attr_iface_header_digest.attr)
+ param = ISCSI_IFACE_PARAM_HDRDGST_EN;
+@@ -471,7 +469,9 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ if (param != -1)
+ return t->attr_is_visible(ISCSI_IFACE_PARAM, param);
+
+- if (attr == &dev_attr_iface_vlan_id.attr)
++ if (attr == &dev_attr_iface_enabled.attr)
++ param = ISCSI_NET_PARAM_IFACE_ENABLE;
++ else if (attr == &dev_attr_iface_vlan_id.attr)
+ param = ISCSI_NET_PARAM_VLAN_ID;
+ else if (attr == &dev_attr_iface_vlan_priority.attr)
+ param = ISCSI_NET_PARAM_VLAN_PRIORITY;
+--
+2.33.0
+
net-hso-fix-muxed-tty-registration.patch
bnxt_en-fix-tx-timeout-when-tx-ring-size-is-set-to-t.patch
net-mlx4_en-don-t-allow-arfs-for-encapsulated-packet.patch
+scsi-iscsi-adjust-iface-sysfs-attr-detection.patch
+thermal-core-potential-buffer-overflow-in-thermal_bu.patch
+irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch
+md-fix-a-lock-order-reversal-in-md_alloc.patch
+blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch
+net-macb-fix-use-after-free-on-rmmod.patch
+net-stmmac-allow-csr-clock-of-300mhz.patch
+m68k-double-cast-io-functions-to-unsigned-long.patch
+xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch
+compiler.h-introduce-absolute_pointer-macro.patch
+net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch
+sparc-avoid-stringop-overread-errors.patch
+qnx4-avoid-stringop-overread-errors.patch
+parisc-use-absolute_pointer-to-define-page0.patch
+arm64-mark-__stack_chk_guard-as-__ro_after_init.patch
+alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch
+net-6pack-fix-tx-timeout-and-slot-time.patch
+spi-fix-tegra20-build-with-config_pm-n.patch
--- /dev/null
+From b683c3d6c1757c28c9f3746cc18581f24b94f206 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 16:06:04 -0700
+Subject: sparc: avoid stringop-overread errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit fc7c028dcdbfe981bca75d2a7b95f363eb691ef3 ]
+
+The sparc mdesc code does pointer games with 'struct mdesc_hdr', but
+didn't describe to the compiler how that header is then followed by the
+data that the header describes.
+
+As a result, gcc is now unhappy since it does stricter pointer range
+tracking, and doesn't understand about how these things work. This
+results in various errors like:
+
+ arch/sparc/kernel/mdesc.c: In function ‘mdesc_node_by_name’:
+ arch/sparc/kernel/mdesc.c:647:22: error: ‘strcmp’ reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread]
+ 647 | if (!strcmp(names + ep[ret].name_offset, name))
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+which are easily avoided by just describing 'struct mdesc_hdr' better,
+and making the node_block() helper function look into that unsized
+data[] that follows the header.
+
+This makes the sparc64 build happy again at least for my cross-compiler
+version (gcc version 11.2.1).
+
+Link: https://lore.kernel.org/lkml/CAHk-=wi4NW3NC0xWykkw=6LnjQD6D_rtRtxY9g8gQAJXtQMi8A@mail.gmail.com/
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/kernel/mdesc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/sparc/kernel/mdesc.c b/arch/sparc/kernel/mdesc.c
+index 8f24f3d60b8c..bfc30439a41d 100644
+--- a/arch/sparc/kernel/mdesc.c
++++ b/arch/sparc/kernel/mdesc.c
+@@ -38,6 +38,7 @@ struct mdesc_hdr {
+ u32 node_sz; /* node block size */
+ u32 name_sz; /* name block size */
+ u32 data_sz; /* data block size */
++ char data[];
+ } __attribute__((aligned(16)));
+
+ struct mdesc_elem {
+@@ -611,7 +612,7 @@ EXPORT_SYMBOL(mdesc_get_node_info);
+
+ static struct mdesc_elem *node_block(struct mdesc_hdr *mdesc)
+ {
+- return (struct mdesc_elem *) (mdesc + 1);
++ return (struct mdesc_elem *) mdesc->data;
+ }
+
+ static void *name_block(struct mdesc_hdr *mdesc)
+--
+2.33.0
+
--- /dev/null
+From 2d2b665b55a32b1f64a34c9b8b941897c0602bd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Sep 2021 10:05:06 -0700
+Subject: spi: Fix tegra20 build with CONFIG_PM=n
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit efafec27c5658ed987e720130772f8933c685e87 ]
+
+Without CONFIG_PM enabled, the SET_RUNTIME_PM_OPS() macro ends up being
+empty, and the only use of tegra_slink_runtime_{resume,suspend} goes
+away, resulting in
+
+ drivers/spi/spi-tegra20-slink.c:1200:12: error: ‘tegra_slink_runtime_resume’ defined but not used [-Werror=unused-function]
+ 1200 | static int tegra_slink_runtime_resume(struct device *dev)
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~
+ drivers/spi/spi-tegra20-slink.c:1188:12: error: ‘tegra_slink_runtime_suspend’ defined but not used [-Werror=unused-function]
+ 1188 | static int tegra_slink_runtime_suspend(struct device *dev)
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+mark the functions __maybe_unused to make the build happy.
+
+This hits the alpha allmodconfig build (and others).
+
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra20-slink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-tegra20-slink.c b/drivers/spi/spi-tegra20-slink.c
+index c39bfcbda5f2..1548f7b738c1 100644
+--- a/drivers/spi/spi-tegra20-slink.c
++++ b/drivers/spi/spi-tegra20-slink.c
+@@ -1210,7 +1210,7 @@ static int tegra_slink_resume(struct device *dev)
+ }
+ #endif
+
+-static int tegra_slink_runtime_suspend(struct device *dev)
++static int __maybe_unused tegra_slink_runtime_suspend(struct device *dev)
+ {
+ struct spi_master *master = dev_get_drvdata(dev);
+ struct tegra_slink_data *tspi = spi_master_get_devdata(master);
+@@ -1222,7 +1222,7 @@ static int tegra_slink_runtime_suspend(struct device *dev)
+ return 0;
+ }
+
+-static int tegra_slink_runtime_resume(struct device *dev)
++static int __maybe_unused tegra_slink_runtime_resume(struct device *dev)
+ {
+ struct spi_master *master = dev_get_drvdata(dev);
+ struct tegra_slink_data *tspi = spi_master_get_devdata(master);
+--
+2.33.0
+
--- /dev/null
+From fc2d6f5c143f62e73320b509086506f336534d76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 16:13:42 +0300
+Subject: thermal/core: Potential buffer overflow in
+ thermal_build_list_of_policies()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 1bb30b20b49773369c299d4d6c65227201328663 ]
+
+After printing the list of thermal governors, then this function prints
+a newline character. The problem is that "size" has not been updated
+after printing the last governor. This means that it can write one
+character (the NUL terminator) beyond the end of the buffer.
+
+Get rid of the "size" variable and just use "PAGE_SIZE - count" directly.
+
+Fixes: 1b4f48494eb2 ("thermal: core: group functions related to governor handling")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20210916131342.GB25094@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/thermal_core.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index 2db83b555e59..94820f25a15f 100644
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -231,15 +231,14 @@ int thermal_build_list_of_policies(char *buf)
+ {
+ struct thermal_governor *pos;
+ ssize_t count = 0;
+- ssize_t size = PAGE_SIZE;
+
+ mutex_lock(&thermal_governor_lock);
+
+ list_for_each_entry(pos, &thermal_governor_list, governor_list) {
+- size = PAGE_SIZE - count;
+- count += scnprintf(buf + count, size, "%s ", pos->name);
++ count += scnprintf(buf + count, PAGE_SIZE - count, "%s ",
++ pos->name);
+ }
+- count += scnprintf(buf + count, size, "\n");
++ count += scnprintf(buf + count, PAGE_SIZE - count, "\n");
+
+ mutex_unlock(&thermal_governor_lock);
+
+--
+2.33.0
+
--- /dev/null
+From a58e20f1ccdc415f567ead17db3c4515f4436001 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Aug 2021 14:32:06 +0200
+Subject: xen/balloon: use a kernel thread instead a workqueue
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 8480ed9c2bbd56fc86524998e5f2e3e22f5038f6 ]
+
+Today the Xen ballooning is done via delayed work in a workqueue. This
+might result in workqueue hangups being reported in case of large
+amounts of memory are being ballooned in one go (here 16GB):
+
+BUG: workqueue lockup - pool cpus=6 node=0 flags=0x0 nice=0 stuck for 64s!
+Showing busy workqueues and worker pools:
+workqueue events: flags=0x0
+ pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=2/256 refcnt=3
+ in-flight: 229:balloon_process
+ pending: cache_reap
+workqueue events_freezable_power_: flags=0x84
+ pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2
+ pending: disk_events_workfn
+workqueue mm_percpu_wq: flags=0x8
+ pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2
+ pending: vmstat_update
+pool 12: cpus=6 node=0 flags=0x0 nice=0 hung=64s workers=3 idle: 2222 43
+
+This can easily be avoided by using a dedicated kernel thread for doing
+the ballooning work.
+
+Reported-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Link: https://lore.kernel.org/r/20210827123206.15429-1-jgross@suse.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/balloon.c | 62 +++++++++++++++++++++++++++++++------------
+ 1 file changed, 45 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index a8e0836dffd4..b9abe3ef2188 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -43,6 +43,8 @@
+ #include <linux/sched.h>
+ #include <linux/cred.h>
+ #include <linux/errno.h>
++#include <linux/freezer.h>
++#include <linux/kthread.h>
+ #include <linux/mm.h>
+ #include <linux/bootmem.h>
+ #include <linux/pagemap.h>
+@@ -119,7 +121,7 @@ static struct ctl_table xen_root[] = {
+ #define EXTENT_ORDER (fls(XEN_PFN_PER_PAGE) - 1)
+
+ /*
+- * balloon_process() state:
++ * balloon_thread() state:
+ *
+ * BP_DONE: done or nothing to do,
+ * BP_WAIT: wait to be rescheduled,
+@@ -134,6 +136,8 @@ enum bp_state {
+ BP_ECANCELED
+ };
+
++/* Main waiting point for xen-balloon thread. */
++static DECLARE_WAIT_QUEUE_HEAD(balloon_thread_wq);
+
+ static DEFINE_MUTEX(balloon_mutex);
+
+@@ -148,10 +152,6 @@ static xen_pfn_t frame_list[PAGE_SIZE / sizeof(xen_pfn_t)];
+ static LIST_HEAD(ballooned_pages);
+ static DECLARE_WAIT_QUEUE_HEAD(balloon_wq);
+
+-/* Main work function, always executed in process context. */
+-static void balloon_process(struct work_struct *work);
+-static DECLARE_DELAYED_WORK(balloon_worker, balloon_process);
+-
+ /* When ballooning out (allocating memory to return to Xen) we don't really
+ want the kernel to try too hard since that can trigger the oom killer. */
+ #define GFP_BALLOON \
+@@ -389,7 +389,7 @@ static void xen_online_page(struct page *page)
+ static int xen_memory_notifier(struct notifier_block *nb, unsigned long val, void *v)
+ {
+ if (val == MEM_ONLINE)
+- schedule_delayed_work(&balloon_worker, 0);
++ wake_up(&balloon_thread_wq);
+
+ return NOTIFY_OK;
+ }
+@@ -571,18 +571,43 @@ static enum bp_state decrease_reservation(unsigned long nr_pages, gfp_t gfp)
+ }
+
+ /*
+- * As this is a work item it is guaranteed to run as a single instance only.
++ * Stop waiting if either state is not BP_EAGAIN and ballooning action is
++ * needed, or if the credit has changed while state is BP_EAGAIN.
++ */
++static bool balloon_thread_cond(enum bp_state state, long credit)
++{
++ if (state != BP_EAGAIN)
++ credit = 0;
++
++ return current_credit() != credit || kthread_should_stop();
++}
++
++/*
++ * As this is a kthread it is guaranteed to run as a single instance only.
+ * We may of course race updates of the target counts (which are protected
+ * by the balloon lock), or with changes to the Xen hard limit, but we will
+ * recover from these in time.
+ */
+-static void balloon_process(struct work_struct *work)
++static int balloon_thread(void *unused)
+ {
+ enum bp_state state = BP_DONE;
+ long credit;
++ unsigned long timeout;
++
++ set_freezable();
++ for (;;) {
++ if (state == BP_EAGAIN)
++ timeout = balloon_stats.schedule_delay * HZ;
++ else
++ timeout = 3600 * HZ;
++ credit = current_credit();
+
++ wait_event_interruptible_timeout(balloon_thread_wq,
++ balloon_thread_cond(state, credit), timeout);
++
++ if (kthread_should_stop())
++ return 0;
+
+- do {
+ mutex_lock(&balloon_mutex);
+
+ credit = current_credit();
+@@ -609,12 +634,7 @@ static void balloon_process(struct work_struct *work)
+ mutex_unlock(&balloon_mutex);
+
+ cond_resched();
+-
+- } while (credit && state == BP_DONE);
+-
+- /* Schedule more work if there is some still to be done. */
+- if (state == BP_EAGAIN)
+- schedule_delayed_work(&balloon_worker, balloon_stats.schedule_delay * HZ);
++ }
+ }
+
+ /* Resets the Xen limit, sets new target, and kicks off processing. */
+@@ -622,7 +642,7 @@ void balloon_set_new_target(unsigned long target)
+ {
+ /* No need for lock. Not read-modify-write updates. */
+ balloon_stats.target_pages = target;
+- schedule_delayed_work(&balloon_worker, 0);
++ wake_up(&balloon_thread_wq);
+ }
+ EXPORT_SYMBOL_GPL(balloon_set_new_target);
+
+@@ -727,7 +747,7 @@ void free_xenballooned_pages(int nr_pages, struct page **pages)
+
+ /* The balloon may be too large now. Shrink it if needed. */
+ if (current_credit())
+- schedule_delayed_work(&balloon_worker, 0);
++ wake_up(&balloon_thread_wq);
+
+ mutex_unlock(&balloon_mutex);
+ }
+@@ -761,6 +781,8 @@ static void __init balloon_add_region(unsigned long start_pfn,
+
+ static int __init balloon_init(void)
+ {
++ struct task_struct *task;
++
+ if (!xen_domain())
+ return -ENODEV;
+
+@@ -804,6 +826,12 @@ static int __init balloon_init(void)
+ }
+ #endif
+
++ task = kthread_run(balloon_thread, NULL, "xen-balloon");
++ if (IS_ERR(task)) {
++ pr_err("xen-balloon thread could not be started, ballooning will not work!\n");
++ return PTR_ERR(task);
++ }
++
+ /* Init the xen-balloon driver. */
+ xen_balloon_init();
+
+--
+2.33.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
