--- /dev/null
+From 2e7be9db125a0bf940c5d65eb5c40d8700f738b5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?D=C4=81vis=20Mos=C4=81ns?= <davispuh@gmail.com>
+Date: Sat, 5 Feb 2022 20:48:23 +0200
+Subject: btrfs: send: in case of IO error log it
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dāvis Mosāns <davispuh@gmail.com>
+
+commit 2e7be9db125a0bf940c5d65eb5c40d8700f738b5 upstream.
+
+Currently if we get IO error while doing send then we abort without
+logging information about which file caused issue. So log it to help
+with debugging.
+
+CC: stable@vger.kernel.org # 4.9+
+Signed-off-by: Dāvis Mosāns <davispuh@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/send.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -5006,6 +5006,10 @@ static int put_file_data(struct send_ctx
+ lock_page(page);
+ if (!PageUptodate(page)) {
+ unlock_page(page);
++ btrfs_err(fs_info,
++ "send: IO error at offset %llu for inode %llu root %llu",
++ page_offset(page), sctx->cur_ino,
++ sctx->send_root->root_key.objectid);
+ put_page(page);
+ ret = -EIO;
+ break;
--- /dev/null
+From 921ca574cd382142add8b12d0a7117f495510de5 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Sun, 6 Dec 2020 15:47:31 +0100
+Subject: can: isotp: add SF_BROADCAST support for functional addressing
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 921ca574cd382142add8b12d0a7117f495510de5 upstream.
+
+When CAN_ISOTP_SF_BROADCAST is set in the CAN_ISOTP_OPTS flags the CAN_ISOTP
+socket is switched into functional addressing mode, where only single frame
+(SF) protocol data units can be send on the specified CAN interface and the
+given tp.tx_id after bind().
+
+In opposite to normal and extended addressing this socket does not register a
+CAN-ID for reception which would be needed for a 1-to-1 ISOTP connection with a
+segmented bi-directional data transfer.
+
+Sending SFs on this socket is therefore a TX-only 'broadcast' operation.
+
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Thomas Wagner <thwa1@web.de>
+Link: https://lore.kernel.org/r/20201206144731.4609-1-socketcan@hartkopp.net
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/can/isotp.h | 2 -
+ net/can/isotp.c | 50 +++++++++++++++++++++++++++++------------
+ 2 files changed, 37 insertions(+), 15 deletions(-)
+
+--- a/include/uapi/linux/can/isotp.h
++++ b/include/uapi/linux/can/isotp.h
+@@ -135,7 +135,7 @@ struct can_isotp_ll_options {
+ #define CAN_ISOTP_FORCE_RXSTMIN 0x100 /* ignore CFs depending on rx stmin */
+ #define CAN_ISOTP_RX_EXT_ADDR 0x200 /* different rx extended addressing */
+ #define CAN_ISOTP_WAIT_TX_DONE 0x400 /* wait for tx completion */
+-
++#define CAN_ISOTP_SF_BROADCAST 0x800 /* 1-to-N functional addressing */
+
+ /* default values */
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -888,6 +888,16 @@ static int isotp_sendmsg(struct socket *
+ goto err_out_drop;
+ }
+
++ /* take care of a potential SF_DL ESC offset for TX_DL > 8 */
++ off = (so->tx.ll_dl > CAN_MAX_DLEN) ? 1 : 0;
++
++ /* does the given data fit into a single frame for SF_BROADCAST? */
++ if ((so->opt.flags & CAN_ISOTP_SF_BROADCAST) &&
++ (size > so->tx.ll_dl - SF_PCI_SZ4 - ae - off)) {
++ err = -EINVAL;
++ goto err_out_drop;
++ }
++
+ err = memcpy_from_msg(so->tx.buf, msg, size);
+ if (err < 0)
+ goto err_out_drop;
+@@ -915,9 +925,6 @@ static int isotp_sendmsg(struct socket *
+ cf = (struct canfd_frame *)skb->data;
+ skb_put_zero(skb, so->ll.mtu);
+
+- /* take care of a potential SF_DL ESC offset for TX_DL > 8 */
+- off = (so->tx.ll_dl > CAN_MAX_DLEN) ? 1 : 0;
+-
+ /* check for single frame transmission depending on TX_DL */
+ if (size <= so->tx.ll_dl - SF_PCI_SZ4 - ae - off) {
+ /* The message size generally fits into a SingleFrame - good.
+@@ -1057,7 +1064,7 @@ static int isotp_release(struct socket *
+ lock_sock(sk);
+
+ /* remove current filters & unregister */
+- if (so->bound) {
++ if (so->bound && (!(so->opt.flags & CAN_ISOTP_SF_BROADCAST))) {
+ if (so->ifindex) {
+ struct net_device *dev;
+
+@@ -1097,15 +1104,12 @@ static int isotp_bind(struct socket *soc
+ struct net_device *dev;
+ int err = 0;
+ int notify_enetdown = 0;
++ int do_rx_reg = 1;
+
+ if (len < ISOTP_MIN_NAMELEN)
+ return -EINVAL;
+
+- if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id)
+- return -EADDRNOTAVAIL;
+-
+- if ((addr->can_addr.tp.rx_id | addr->can_addr.tp.tx_id) &
+- (CAN_ERR_FLAG | CAN_RTR_FLAG))
++ if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
+ return -EADDRNOTAVAIL;
+
+ if (!addr->can_ifindex)
+@@ -1113,6 +1117,23 @@ static int isotp_bind(struct socket *soc
+
+ lock_sock(sk);
+
++ /* do not register frame reception for functional addressing */
++ if (so->opt.flags & CAN_ISOTP_SF_BROADCAST)
++ do_rx_reg = 0;
++
++ /* do not validate rx address for functional addressing */
++ if (do_rx_reg) {
++ if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id) {
++ err = -EADDRNOTAVAIL;
++ goto out;
++ }
++
++ if (addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)) {
++ err = -EADDRNOTAVAIL;
++ goto out;
++ }
++ }
++
+ if (so->bound && addr->can_ifindex == so->ifindex &&
+ addr->can_addr.tp.rx_id == so->rxid &&
+ addr->can_addr.tp.tx_id == so->txid)
+@@ -1138,13 +1159,14 @@ static int isotp_bind(struct socket *soc
+
+ ifindex = dev->ifindex;
+
+- can_rx_register(net, dev, addr->can_addr.tp.rx_id,
+- SINGLE_MASK(addr->can_addr.tp.rx_id), isotp_rcv, sk,
+- "isotp", sk);
++ if (do_rx_reg)
++ can_rx_register(net, dev, addr->can_addr.tp.rx_id,
++ SINGLE_MASK(addr->can_addr.tp.rx_id),
++ isotp_rcv, sk, "isotp", sk);
+
+ dev_put(dev);
+
+- if (so->bound) {
++ if (so->bound && do_rx_reg) {
+ /* unregister old filter */
+ if (so->ifindex) {
+ dev = dev_get_by_index(net, so->ifindex);
+@@ -1357,7 +1379,7 @@ static void isotp_notify(struct isotp_so
+ case NETDEV_UNREGISTER:
+ lock_sock(sk);
+ /* remove current filters & unregister */
+- if (so->bound)
++ if (so->bound && (!(so->opt.flags & CAN_ISOTP_SF_BROADCAST)))
+ can_rx_unregister(dev_net(dev), dev, so->rxid,
+ SINGLE_MASK(so->rxid),
+ isotp_rcv, sk);
--- /dev/null
+From 2b17c400aeb44daf041627722581ade527bb3c1d Mon Sep 17 00:00:00 2001
+From: Norbert Slusarek <nslusarek@gmx.net>
+Date: Wed, 12 May 2021 00:43:54 +0200
+Subject: can: isotp: prevent race between isotp_bind() and isotp_setsockopt()
+
+From: Norbert Slusarek <nslusarek@gmx.net>
+
+commit 2b17c400aeb44daf041627722581ade527bb3c1d upstream.
+
+A race condition was found in isotp_setsockopt() which allows to
+change socket options after the socket was bound.
+For the specific case of SF_BROADCAST support, this might lead to possible
+use-after-free because can_rx_unregister() is not called.
+
+Checking for the flag under the socket lock in isotp_bind() and taking
+the lock in isotp_setsockopt() fixes the issue.
+
+Fixes: 921ca574cd38 ("can: isotp: add SF_BROADCAST support for functional addressing")
+Link: https://lore.kernel.org/r/trinity-e6ae9efa-9afb-4326-84c0-f3609b9b8168-1620773528307@3c-app-gmx-bs06
+Reported-by: Norbert Slusarek <nslusarek@gmx.net>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Norbert Slusarek <nslusarek@gmx.net>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/isotp.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -1193,16 +1193,13 @@ static int isotp_getname(struct socket *
+ return ISOTP_MIN_NAMELEN;
+ }
+
+-static int isotp_setsockopt(struct socket *sock, int level, int optname,
++static int isotp_setsockopt_locked(struct socket *sock, int level, int optname,
+ sockptr_t optval, unsigned int optlen)
+ {
+ struct sock *sk = sock->sk;
+ struct isotp_sock *so = isotp_sk(sk);
+ int ret = 0;
+
+- if (level != SOL_CAN_ISOTP)
+- return -EINVAL;
+-
+ if (so->bound)
+ return -EISCONN;
+
+@@ -1277,6 +1274,22 @@ static int isotp_setsockopt(struct socke
+ return ret;
+ }
+
++static int isotp_setsockopt(struct socket *sock, int level, int optname,
++ sockptr_t optval, unsigned int optlen)
++
++{
++ struct sock *sk = sock->sk;
++ int ret;
++
++ if (level != SOL_CAN_ISOTP)
++ return -EINVAL;
++
++ lock_sock(sk);
++ ret = isotp_setsockopt_locked(sock, level, optname, optval, optlen);
++ release_sock(sk);
++ return ret;
++}
++
+ static int isotp_getsockopt(struct socket *sock, int level, int optname,
+ char __user *optval, int __user *optlen)
+ {
--- /dev/null
+From 4cdd2450bf739bada353e82d27b00db9af8c3001 Mon Sep 17 00:00:00 2001
+From: Ben Skeggs <bskeggs@redhat.com>
+Date: Thu, 25 Feb 2021 14:54:59 +1000
+Subject: drm/nouveau/pmu/gm200-: use alternate falcon reset sequence
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+commit 4cdd2450bf739bada353e82d27b00db9af8c3001 upstream.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Reviewed-by: Karol Herbst <kherbst@redhat.com>
+Signed-off-by: Karol Herbst <kherbst@redhat.com>
+Link: https://gitlab.freedesktop.org/drm/nouveau/-/merge_requests/10
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/falcon/base.c | 8 ++++--
+ drivers/gpu/drm/nouveau/nvkm/subdev/pmu/gm200.c | 31 +++++++++++++++++++++++-
+ drivers/gpu/drm/nouveau/nvkm/subdev/pmu/gm20b.c | 2 -
+ drivers/gpu/drm/nouveau/nvkm/subdev/pmu/gp102.c | 2 -
+ drivers/gpu/drm/nouveau/nvkm/subdev/pmu/gp10b.c | 2 -
+ drivers/gpu/drm/nouveau/nvkm/subdev/pmu/priv.h | 2 +
+ 6 files changed, 41 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/falcon/base.c
++++ b/drivers/gpu/drm/nouveau/nvkm/falcon/base.c
+@@ -119,8 +119,12 @@ nvkm_falcon_disable(struct nvkm_falcon *
+ int
+ nvkm_falcon_reset(struct nvkm_falcon *falcon)
+ {
+- nvkm_falcon_disable(falcon);
+- return nvkm_falcon_enable(falcon);
++ if (!falcon->func->reset) {
++ nvkm_falcon_disable(falcon);
++ return nvkm_falcon_enable(falcon);
++ }
++
++ return falcon->func->reset(falcon);
+ }
+
+ int
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/gm200.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/gm200.c
+@@ -23,9 +23,38 @@
+ */
+ #include "priv.h"
+
++static int
++gm200_pmu_flcn_reset(struct nvkm_falcon *falcon)
++{
++ struct nvkm_pmu *pmu = container_of(falcon, typeof(*pmu), falcon);
++
++ nvkm_falcon_wr32(falcon, 0x014, 0x0000ffff);
++ pmu->func->reset(pmu);
++ return nvkm_falcon_enable(falcon);
++}
++
++const struct nvkm_falcon_func
++gm200_pmu_flcn = {
++ .debug = 0xc08,
++ .fbif = 0xe00,
++ .load_imem = nvkm_falcon_v1_load_imem,
++ .load_dmem = nvkm_falcon_v1_load_dmem,
++ .read_dmem = nvkm_falcon_v1_read_dmem,
++ .bind_context = nvkm_falcon_v1_bind_context,
++ .wait_for_halt = nvkm_falcon_v1_wait_for_halt,
++ .clear_interrupt = nvkm_falcon_v1_clear_interrupt,
++ .set_start_addr = nvkm_falcon_v1_set_start_addr,
++ .start = nvkm_falcon_v1_start,
++ .enable = nvkm_falcon_v1_enable,
++ .disable = nvkm_falcon_v1_disable,
++ .reset = gm200_pmu_flcn_reset,
++ .cmdq = { 0x4a0, 0x4b0, 4 },
++ .msgq = { 0x4c8, 0x4cc, 0 },
++};
++
+ static const struct nvkm_pmu_func
+ gm200_pmu = {
+- .flcn = >215_pmu_flcn,
++ .flcn = &gm200_pmu_flcn,
+ .enabled = gf100_pmu_enabled,
+ .reset = gf100_pmu_reset,
+ };
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/gm20b.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/gm20b.c
+@@ -211,7 +211,7 @@ gm20b_pmu_recv(struct nvkm_pmu *pmu)
+
+ static const struct nvkm_pmu_func
+ gm20b_pmu = {
+- .flcn = >215_pmu_flcn,
++ .flcn = &gm200_pmu_flcn,
+ .enabled = gf100_pmu_enabled,
+ .intr = gt215_pmu_intr,
+ .recv = gm20b_pmu_recv,
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/gp102.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/gp102.c
+@@ -39,7 +39,7 @@ gp102_pmu_enabled(struct nvkm_pmu *pmu)
+
+ static const struct nvkm_pmu_func
+ gp102_pmu = {
+- .flcn = >215_pmu_flcn,
++ .flcn = &gm200_pmu_flcn,
+ .enabled = gp102_pmu_enabled,
+ .reset = gp102_pmu_reset,
+ };
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/gp10b.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/gp10b.c
+@@ -78,7 +78,7 @@ gp10b_pmu_acr = {
+
+ static const struct nvkm_pmu_func
+ gp10b_pmu = {
+- .flcn = >215_pmu_flcn,
++ .flcn = &gm200_pmu_flcn,
+ .enabled = gf100_pmu_enabled,
+ .intr = gt215_pmu_intr,
+ .recv = gm20b_pmu_recv,
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/priv.h
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/priv.h
+@@ -44,6 +44,8 @@ void gf100_pmu_reset(struct nvkm_pmu *);
+
+ void gk110_pmu_pgob(struct nvkm_pmu *, bool);
+
++extern const struct nvkm_falcon_func gm200_pmu_flcn;
++
+ void gm20b_pmu_acr_bld_patch(struct nvkm_acr *, u32, s64);
+ void gm20b_pmu_acr_bld_write(struct nvkm_acr *, u32, struct nvkm_acr_lsfw *);
+ int gm20b_pmu_acr_boot(struct nvkm_falcon *);
--- /dev/null
+From e386dfc56f837da66d00a078e5314bc8382fab83 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 10 Dec 2021 14:00:15 -0800
+Subject: fget: clarify and improve __fget_files() implementation
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e386dfc56f837da66d00a078e5314bc8382fab83 upstream.
+
+Commit 054aa8d439b9 ("fget: check that the fd still exists after getting
+a ref to it") fixed a race with getting a reference to a file just as it
+was being closed. It was a fairly minimal patch, and I didn't think
+re-checking the file pointer lookup would be a measurable overhead,
+since it was all right there and cached.
+
+But I was wrong, as pointed out by the kernel test robot.
+
+The 'poll2' case of the will-it-scale.per_thread_ops benchmark regressed
+quite noticeably. Admittedly it seems to be a very artificial test:
+doing "poll()" system calls on regular files in a very tight loop in
+multiple threads.
+
+That means that basically all the time is spent just looking up file
+descriptors without ever doing anything useful with them (not that doing
+'poll()' on a regular file is useful to begin with). And as a result it
+shows the extra "re-check fd" cost as a sore thumb.
+
+Happily, the regression is fixable by just writing the code to loook up
+the fd to be better and clearer. There's still a cost to verify the
+file pointer, but now it's basically in the noise even for that
+benchmark that does nothing else - and the code is more understandable
+and has better comments too.
+
+[ Side note: this patch is also a classic case of one that looks very
+ messy with the default greedy Myers diff - it's much more legible with
+ either the patience of histogram diff algorithm ]
+
+Link: https://lore.kernel.org/lkml/20211210053743.GA36420@xsang-OptiPlex-9020/
+Link: https://lore.kernel.org/lkml/20211213083154.GA20853@linux.intel.com/
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Tested-by: Carel Si <beibei.si@intel.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/file.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 56 insertions(+), 16 deletions(-)
+
+--- a/fs/file.c
++++ b/fs/file.c
+@@ -817,28 +817,68 @@ void do_close_on_exec(struct files_struc
+ spin_unlock(&files->file_lock);
+ }
+
+-static struct file *__fget_files(struct files_struct *files, unsigned int fd,
+- fmode_t mask, unsigned int refs)
++static inline struct file *__fget_files_rcu(struct files_struct *files,
++ unsigned int fd, fmode_t mask, unsigned int refs)
+ {
+- struct file *file;
++ for (;;) {
++ struct file *file;
++ struct fdtable *fdt = rcu_dereference_raw(files->fdt);
++ struct file __rcu **fdentry;
+
+- rcu_read_lock();
+-loop:
+- file = fcheck_files(files, fd);
+- if (file) {
+- /* File object ref couldn't be taken.
+- * dup2() atomicity guarantee is the reason
+- * we loop to catch the new file (or NULL pointer)
++ if (unlikely(fd >= fdt->max_fds))
++ return NULL;
++
++ fdentry = fdt->fd + array_index_nospec(fd, fdt->max_fds);
++ file = rcu_dereference_raw(*fdentry);
++ if (unlikely(!file))
++ return NULL;
++
++ if (unlikely(file->f_mode & mask))
++ return NULL;
++
++ /*
++ * Ok, we have a file pointer. However, because we do
++ * this all locklessly under RCU, we may be racing with
++ * that file being closed.
++ *
++ * Such a race can take two forms:
++ *
++ * (a) the file ref already went down to zero,
++ * and get_file_rcu_many() fails. Just try
++ * again:
+ */
+- if (file->f_mode & mask)
+- file = NULL;
+- else if (!get_file_rcu_many(file, refs))
+- goto loop;
+- else if (__fcheck_files(files, fd) != file) {
++ if (unlikely(!get_file_rcu_many(file, refs)))
++ continue;
++
++ /*
++ * (b) the file table entry has changed under us.
++ * Note that we don't need to re-check the 'fdt->fd'
++ * pointer having changed, because it always goes
++ * hand-in-hand with 'fdt'.
++ *
++ * If so, we need to put our refs and try again.
++ */
++ if (unlikely(rcu_dereference_raw(files->fdt) != fdt) ||
++ unlikely(rcu_dereference_raw(*fdentry) != file)) {
+ fput_many(file, refs);
+- goto loop;
++ continue;
+ }
++
++ /*
++ * Ok, we have a ref to the file, and checked that it
++ * still exists.
++ */
++ return file;
+ }
++}
++
++static struct file *__fget_files(struct files_struct *files, unsigned int fd,
++ fmode_t mask, unsigned int refs)
++{
++ struct file *file;
++
++ rcu_read_lock();
++ file = __fget_files_rcu(files, fd, mask, refs);
+ rcu_read_unlock();
+
+ return file;
--- /dev/null
+From 24d7275ce2791829953ed4e72f68277ceb2571c6 Mon Sep 17 00:00:00 2001
+From: Yang Shi <shy828301@gmail.com>
+Date: Fri, 11 Feb 2022 16:32:26 -0800
+Subject: fs/proc: task_mmu.c: don't read mapcount for migration entry
+
+From: Yang Shi <shy828301@gmail.com>
+
+commit 24d7275ce2791829953ed4e72f68277ceb2571c6 upstream.
+
+The syzbot reported the below BUG:
+
+ kernel BUG at include/linux/page-flags.h:785!
+ invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+ CPU: 1 PID: 4392 Comm: syz-executor560 Not tainted 5.16.0-rc6-syzkaller #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ RIP: 0010:PageDoubleMap include/linux/page-flags.h:785 [inline]
+ RIP: 0010:__page_mapcount+0x2d2/0x350 mm/util.c:744
+ Call Trace:
+ page_mapcount include/linux/mm.h:837 [inline]
+ smaps_account+0x470/0xb10 fs/proc/task_mmu.c:466
+ smaps_pte_entry fs/proc/task_mmu.c:538 [inline]
+ smaps_pte_range+0x611/0x1250 fs/proc/task_mmu.c:601
+ walk_pmd_range mm/pagewalk.c:128 [inline]
+ walk_pud_range mm/pagewalk.c:205 [inline]
+ walk_p4d_range mm/pagewalk.c:240 [inline]
+ walk_pgd_range mm/pagewalk.c:277 [inline]
+ __walk_page_range+0xe23/0x1ea0 mm/pagewalk.c:379
+ walk_page_vma+0x277/0x350 mm/pagewalk.c:530
+ smap_gather_stats.part.0+0x148/0x260 fs/proc/task_mmu.c:768
+ smap_gather_stats fs/proc/task_mmu.c:741 [inline]
+ show_smap+0xc6/0x440 fs/proc/task_mmu.c:822
+ seq_read_iter+0xbb0/0x1240 fs/seq_file.c:272
+ seq_read+0x3e0/0x5b0 fs/seq_file.c:162
+ vfs_read+0x1b5/0x600 fs/read_write.c:479
+ ksys_read+0x12d/0x250 fs/read_write.c:619
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The reproducer was trying to read /proc/$PID/smaps when calling
+MADV_FREE at the mean time. MADV_FREE may split THPs if it is called
+for partial THP. It may trigger the below race:
+
+ CPU A CPU B
+ ----- -----
+ smaps walk: MADV_FREE:
+ page_mapcount()
+ PageCompound()
+ split_huge_page()
+ page = compound_head(page)
+ PageDoubleMap(page)
+
+When calling PageDoubleMap() this page is not a tail page of THP anymore
+so the BUG is triggered.
+
+This could be fixed by elevated refcount of the page before calling
+mapcount, but that would prevent it from counting migration entries, and
+it seems overkilling because the race just could happen when PMD is
+split so all PTE entries of tail pages are actually migration entries,
+and smaps_account() does treat migration entries as mapcount == 1 as
+Kirill pointed out.
+
+Add a new parameter for smaps_account() to tell this entry is migration
+entry then skip calling page_mapcount(). Don't skip getting mapcount
+for device private entries since they do track references with mapcount.
+
+Pagemap also has the similar issue although it was not reported. Fixed
+it as well.
+
+[shy828301@gmail.com: v4]
+ Link: https://lkml.kernel.org/r/20220203182641.824731-1-shy828301@gmail.com
+[nathan@kernel.org: avoid unused variable warning in pagemap_pmd_range()]
+ Link: https://lkml.kernel.org/r/20220207171049.1102239-1-nathan@kernel.org
+Link: https://lkml.kernel.org/r/20220120202805.3369-1-shy828301@gmail.com
+Fixes: e9b61f19858a ("thp: reintroduce split_huge_page()")
+Signed-off-by: Yang Shi <shy828301@gmail.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reported-by: syzbot+1f52b3a18d5633fa7f82@syzkaller.appspotmail.com
+Acked-by: David Hildenbrand <david@redhat.com>
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/task_mmu.c | 43 ++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 32 insertions(+), 11 deletions(-)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -430,7 +430,8 @@ static void smaps_page_accumulate(struct
+ }
+
+ static void smaps_account(struct mem_size_stats *mss, struct page *page,
+- bool compound, bool young, bool dirty, bool locked)
++ bool compound, bool young, bool dirty, bool locked,
++ bool migration)
+ {
+ int i, nr = compound ? compound_nr(page) : 1;
+ unsigned long size = nr * PAGE_SIZE;
+@@ -457,8 +458,15 @@ static void smaps_account(struct mem_siz
+ * page_count(page) == 1 guarantees the page is mapped exactly once.
+ * If any subpage of the compound page mapped with PTE it would elevate
+ * page_count().
++ *
++ * The page_mapcount() is called to get a snapshot of the mapcount.
++ * Without holding the page lock this snapshot can be slightly wrong as
++ * we cannot always read the mapcount atomically. It is not safe to
++ * call page_mapcount() even with PTL held if the page is not mapped,
++ * especially for migration entries. Treat regular migration entries
++ * as mapcount == 1.
+ */
+- if (page_count(page) == 1) {
++ if ((page_count(page) == 1) || migration) {
+ smaps_page_accumulate(mss, page, size, size << PSS_SHIFT, dirty,
+ locked, true);
+ return;
+@@ -495,6 +503,7 @@ static void smaps_pte_entry(pte_t *pte,
+ struct vm_area_struct *vma = walk->vma;
+ bool locked = !!(vma->vm_flags & VM_LOCKED);
+ struct page *page = NULL;
++ bool migration = false;
+
+ if (pte_present(*pte)) {
+ page = vm_normal_page(vma, addr, *pte);
+@@ -514,9 +523,10 @@ static void smaps_pte_entry(pte_t *pte,
+ } else {
+ mss->swap_pss += (u64)PAGE_SIZE << PSS_SHIFT;
+ }
+- } else if (is_migration_entry(swpent))
++ } else if (is_migration_entry(swpent)) {
++ migration = true;
+ page = migration_entry_to_page(swpent);
+- else if (is_device_private_entry(swpent))
++ } else if (is_device_private_entry(swpent))
+ page = device_private_entry_to_page(swpent);
+ } else if (unlikely(IS_ENABLED(CONFIG_SHMEM) && mss->check_shmem_swap
+ && pte_none(*pte))) {
+@@ -530,7 +540,8 @@ static void smaps_pte_entry(pte_t *pte,
+ if (!page)
+ return;
+
+- smaps_account(mss, page, false, pte_young(*pte), pte_dirty(*pte), locked);
++ smaps_account(mss, page, false, pte_young(*pte), pte_dirty(*pte),
++ locked, migration);
+ }
+
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
+@@ -541,6 +552,7 @@ static void smaps_pmd_entry(pmd_t *pmd,
+ struct vm_area_struct *vma = walk->vma;
+ bool locked = !!(vma->vm_flags & VM_LOCKED);
+ struct page *page = NULL;
++ bool migration = false;
+
+ if (pmd_present(*pmd)) {
+ /* FOLL_DUMP will return -EFAULT on huge zero page */
+@@ -548,8 +560,10 @@ static void smaps_pmd_entry(pmd_t *pmd,
+ } else if (unlikely(thp_migration_supported() && is_swap_pmd(*pmd))) {
+ swp_entry_t entry = pmd_to_swp_entry(*pmd);
+
+- if (is_migration_entry(entry))
++ if (is_migration_entry(entry)) {
++ migration = true;
+ page = migration_entry_to_page(entry);
++ }
+ }
+ if (IS_ERR_OR_NULL(page))
+ return;
+@@ -561,7 +575,9 @@ static void smaps_pmd_entry(pmd_t *pmd,
+ /* pass */;
+ else
+ mss->file_thp += HPAGE_PMD_SIZE;
+- smaps_account(mss, page, true, pmd_young(*pmd), pmd_dirty(*pmd), locked);
++
++ smaps_account(mss, page, true, pmd_young(*pmd), pmd_dirty(*pmd),
++ locked, migration);
+ }
+ #else
+ static void smaps_pmd_entry(pmd_t *pmd, unsigned long addr,
+@@ -1366,6 +1382,7 @@ static pagemap_entry_t pte_to_pagemap_en
+ {
+ u64 frame = 0, flags = 0;
+ struct page *page = NULL;
++ bool migration = false;
+
+ if (pte_present(pte)) {
+ if (pm->show_pfn)
+@@ -1383,8 +1400,10 @@ static pagemap_entry_t pte_to_pagemap_en
+ frame = swp_type(entry) |
+ (swp_offset(entry) << MAX_SWAPFILES_SHIFT);
+ flags |= PM_SWAP;
+- if (is_migration_entry(entry))
++ if (is_migration_entry(entry)) {
++ migration = true;
+ page = migration_entry_to_page(entry);
++ }
+
+ if (is_device_private_entry(entry))
+ page = device_private_entry_to_page(entry);
+@@ -1392,7 +1411,7 @@ static pagemap_entry_t pte_to_pagemap_en
+
+ if (page && !PageAnon(page))
+ flags |= PM_FILE;
+- if (page && page_mapcount(page) == 1)
++ if (page && !migration && page_mapcount(page) == 1)
+ flags |= PM_MMAP_EXCLUSIVE;
+ if (vma->vm_flags & VM_SOFTDIRTY)
+ flags |= PM_SOFT_DIRTY;
+@@ -1408,8 +1427,9 @@ static int pagemap_pmd_range(pmd_t *pmdp
+ spinlock_t *ptl;
+ pte_t *pte, *orig_pte;
+ int err = 0;
+-
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
++ bool migration = false;
++
+ ptl = pmd_trans_huge_lock(pmdp, vma);
+ if (ptl) {
+ u64 flags = 0, frame = 0;
+@@ -1444,11 +1464,12 @@ static int pagemap_pmd_range(pmd_t *pmdp
+ if (pmd_swp_soft_dirty(pmd))
+ flags |= PM_SOFT_DIRTY;
+ VM_BUG_ON(!is_pmd_migration_entry(pmd));
++ migration = is_migration_entry(entry);
+ page = migration_entry_to_page(entry);
+ }
+ #endif
+
+- if (page && page_mapcount(page) == 1)
++ if (page && !migration && page_mapcount(page) == 1)
+ flags |= PM_MMAP_EXCLUSIVE;
+
+ for (; addr != end; addr += PAGE_SIZE) {
--- /dev/null
+From fd5dd6acd8f823ea804f76d3af64fa1be9d5fb78 Mon Sep 17 00:00:00 2001
+From: Sergio Costas <rastersoft@gmail.com>
+Date: Fri, 4 Feb 2022 10:01:17 +0100
+Subject: HID:Add support for UGTABLET WP5540
+
+From: Sergio Costas <rastersoft@gmail.com>
+
+commit fd5dd6acd8f823ea804f76d3af64fa1be9d5fb78 upstream.
+
+This patch adds support for the UGTABLET WP5540 digitizer tablet
+devices. Without it, the pen moves the cursor, but neither the
+buttons nor the tap sensor in the tip do work.
+
+Signed-off-by: Sergio Costas <rastersoft@gmail.com>
+Link: https://lore.kernel.org/r/63dece1d-91ca-1b1b-d90d-335be66896be@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1318,6 +1318,7 @@
+ #define USB_VENDOR_ID_UGTIZER 0x2179
+ #define USB_DEVICE_ID_UGTIZER_TABLET_GP0610 0x0053
+ #define USB_DEVICE_ID_UGTIZER_TABLET_GT5040 0x0077
++#define USB_DEVICE_ID_UGTIZER_TABLET_WP5540 0x0004
+
+ #define USB_VENDOR_ID_VIEWSONIC 0x0543
+ #define USB_DEVICE_ID_VIEWSONIC_PD1011 0xe621
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -187,6 +187,7 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_TURBOX, USB_DEVICE_ID_TURBOX_KEYBOARD), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_UCLOGIC, USB_DEVICE_ID_UCLOGIC_TABLET_KNA5), HID_QUIRK_MULTI_INPUT },
+ { HID_USB_DEVICE(USB_VENDOR_ID_UCLOGIC, USB_DEVICE_ID_UCLOGIC_TABLET_TWA60), HID_QUIRK_MULTI_INPUT },
++ { HID_USB_DEVICE(USB_VENDOR_ID_UGTIZER, USB_DEVICE_ID_UGTIZER_TABLET_WP5540), HID_QUIRK_MULTI_INPUT },
+ { HID_USB_DEVICE(USB_VENDOR_ID_WALTOP, USB_DEVICE_ID_WALTOP_MEDIA_TABLET_10_6_INCH), HID_QUIRK_MULTI_INPUT },
+ { HID_USB_DEVICE(USB_VENDOR_ID_WALTOP, USB_DEVICE_ID_WALTOP_MEDIA_TABLET_14_1_INCH), HID_QUIRK_MULTI_INPUT },
+ { HID_USB_DEVICE(USB_VENDOR_ID_WALTOP, USB_DEVICE_ID_WALTOP_SIRIUS_BATTERY_FREE_TABLET), HID_QUIRK_MULTI_INPUT },
--- /dev/null
+From 80d47f5de5e311cbc0d01ebb6ee684e8f4c196c6 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 17 Feb 2022 08:57:47 -0800
+Subject: mm: don't try to NUMA-migrate COW pages that have other uses
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 80d47f5de5e311cbc0d01ebb6ee684e8f4c196c6 upstream.
+
+Oded Gabbay reports that enabling NUMA balancing causes corruption with
+his Gaudi accelerator test load:
+
+ "All the details are in the bug, but the bottom line is that somehow,
+ this patch causes corruption when the numa balancing feature is
+ enabled AND we don't use process affinity AND we use GUP to pin pages
+ so our accelerator can DMA to/from system memory.
+
+ Either disabling numa balancing, using process affinity to bind to
+ specific numa-node or reverting this patch causes the bug to
+ disappear"
+
+and Oded bisected the issue to commit 09854ba94c6a ("mm: do_wp_page()
+simplification").
+
+Now, the NUMA balancing shouldn't actually be changing the writability
+of a page, and as such shouldn't matter for COW. But it appears it
+does. Suspicious.
+
+However, regardless of that, the condition for enabling NUMA faults in
+change_pte_range() is nonsensical. It uses "page_mapcount(page)" to
+decide if a COW page should be NUMA-protected or not, and that makes
+absolutely no sense.
+
+The number of mappings a page has is irrelevant: not only does GUP get a
+reference to a page as in Oded's case, but the other mappings migth be
+paged out and the only reference to them would be in the page count.
+
+Since we should never try to NUMA-balance a page that we can't move
+anyway due to other references, just fix the code to use 'page_count()'.
+Oded confirms that that fixes his issue.
+
+Now, this does imply that something in NUMA balancing ends up changing
+page protections (other than the obvious one of making the page
+inaccessible to get the NUMA faulting information). Otherwise the COW
+simplification wouldn't matter - since doing the GUP on the page would
+make sure it's writable.
+
+The cause of that permission change would be good to figure out too,
+since it clearly results in spurious COW events - but fixing the
+nonsensical test that just happened to work before is obviously the
+CorrectThing(tm) to do regardless.
+
+Fixes: 09854ba94c6a ("mm: do_wp_page() simplification")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215616
+Link: https://lore.kernel.org/all/CAFCwf10eNmwq2wD71xjUhqkvv5+_pJMR1nPug2RqNDcFT4H86Q@mail.gmail.com/
+Reported-and-tested-by: Oded Gabbay <oded.gabbay@gmail.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Peter Xu <peterx@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mprotect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/mprotect.c
++++ b/mm/mprotect.c
+@@ -94,7 +94,7 @@ static unsigned long change_pte_range(st
+
+ /* Also skip shared copy-on-write pages */
+ if (is_cow_mapping(vma->vm_flags) &&
+- page_mapcount(page) != 1)
++ page_count(page) != 1)
+ continue;
+
+ /*
--- /dev/null
+From 0764db9b49c932b89ee4d9e3236dff4bb07b4a66 Mon Sep 17 00:00:00 2001
+From: Roman Gushchin <guro@fb.com>
+Date: Fri, 11 Feb 2022 16:32:32 -0800
+Subject: mm: memcg: synchronize objcg lists with a dedicated spinlock
+
+From: Roman Gushchin <guro@fb.com>
+
+commit 0764db9b49c932b89ee4d9e3236dff4bb07b4a66 upstream.
+
+Alexander reported a circular lock dependency revealed by the mmap1 ltp
+test:
+
+ LOCKDEP_CIRCULAR (suite: ltp, case: mtest06 (mmap1))
+ WARNING: possible circular locking dependency detected
+ 5.17.0-20220113.rc0.git0.f2211f194038.300.fc35.s390x+debug #1 Not tainted
+ ------------------------------------------------------
+ mmap1/202299 is trying to acquire lock:
+ 00000001892c0188 (css_set_lock){..-.}-{2:2}, at: obj_cgroup_release+0x4a/0xe0
+ but task is already holding lock:
+ 00000000ca3b3818 (&sighand->siglock){-.-.}-{2:2}, at: force_sig_info_to_task+0x38/0x180
+ which lock already depends on the new lock.
+ the existing dependency chain (in reverse order) is:
+ -> #1 (&sighand->siglock){-.-.}-{2:2}:
+ __lock_acquire+0x604/0xbd8
+ lock_acquire.part.0+0xe2/0x238
+ lock_acquire+0xb0/0x200
+ _raw_spin_lock_irqsave+0x6a/0xd8
+ __lock_task_sighand+0x90/0x190
+ cgroup_freeze_task+0x2e/0x90
+ cgroup_migrate_execute+0x11c/0x608
+ cgroup_update_dfl_csses+0x246/0x270
+ cgroup_subtree_control_write+0x238/0x518
+ kernfs_fop_write_iter+0x13e/0x1e0
+ new_sync_write+0x100/0x190
+ vfs_write+0x22c/0x2d8
+ ksys_write+0x6c/0xf8
+ __do_syscall+0x1da/0x208
+ system_call+0x82/0xb0
+ -> #0 (css_set_lock){..-.}-{2:2}:
+ check_prev_add+0xe0/0xed8
+ validate_chain+0x736/0xb20
+ __lock_acquire+0x604/0xbd8
+ lock_acquire.part.0+0xe2/0x238
+ lock_acquire+0xb0/0x200
+ _raw_spin_lock_irqsave+0x6a/0xd8
+ obj_cgroup_release+0x4a/0xe0
+ percpu_ref_put_many.constprop.0+0x150/0x168
+ drain_obj_stock+0x94/0xe8
+ refill_obj_stock+0x94/0x278
+ obj_cgroup_charge+0x164/0x1d8
+ kmem_cache_alloc+0xac/0x528
+ __sigqueue_alloc+0x150/0x308
+ __send_signal+0x260/0x550
+ send_signal+0x7e/0x348
+ force_sig_info_to_task+0x104/0x180
+ force_sig_fault+0x48/0x58
+ __do_pgm_check+0x120/0x1f0
+ pgm_check_handler+0x11e/0x180
+ other info that might help us debug this:
+ Possible unsafe locking scenario:
+ CPU0 CPU1
+ ---- ----
+ lock(&sighand->siglock);
+ lock(css_set_lock);
+ lock(&sighand->siglock);
+ lock(css_set_lock);
+ *** DEADLOCK ***
+ 2 locks held by mmap1/202299:
+ #0: 00000000ca3b3818 (&sighand->siglock){-.-.}-{2:2}, at: force_sig_info_to_task+0x38/0x180
+ #1: 00000001892ad560 (rcu_read_lock){....}-{1:2}, at: percpu_ref_put_many.constprop.0+0x0/0x168
+ stack backtrace:
+ CPU: 15 PID: 202299 Comm: mmap1 Not tainted 5.17.0-20220113.rc0.git0.f2211f194038.300.fc35.s390x+debug #1
+ Hardware name: IBM 3906 M04 704 (LPAR)
+ Call Trace:
+ dump_stack_lvl+0x76/0x98
+ check_noncircular+0x136/0x158
+ check_prev_add+0xe0/0xed8
+ validate_chain+0x736/0xb20
+ __lock_acquire+0x604/0xbd8
+ lock_acquire.part.0+0xe2/0x238
+ lock_acquire+0xb0/0x200
+ _raw_spin_lock_irqsave+0x6a/0xd8
+ obj_cgroup_release+0x4a/0xe0
+ percpu_ref_put_many.constprop.0+0x150/0x168
+ drain_obj_stock+0x94/0xe8
+ refill_obj_stock+0x94/0x278
+ obj_cgroup_charge+0x164/0x1d8
+ kmem_cache_alloc+0xac/0x528
+ __sigqueue_alloc+0x150/0x308
+ __send_signal+0x260/0x550
+ send_signal+0x7e/0x348
+ force_sig_info_to_task+0x104/0x180
+ force_sig_fault+0x48/0x58
+ __do_pgm_check+0x120/0x1f0
+ pgm_check_handler+0x11e/0x180
+ INFO: lockdep is turned off.
+
+In this example a slab allocation from __send_signal() caused a
+refilling and draining of a percpu objcg stock, resulted in a releasing
+of another non-related objcg. Objcg release path requires taking the
+css_set_lock, which is used to synchronize objcg lists.
+
+This can create a circular dependency with the sighandler lock, which is
+taken with the locked css_set_lock by the freezer code (to freeze a
+task).
+
+In general it seems that using css_set_lock to synchronize objcg lists
+makes any slab allocations and deallocation with the locked css_set_lock
+and any intervened locks risky.
+
+To fix the problem and make the code more robust let's stop using
+css_set_lock to synchronize objcg lists and use a new dedicated spinlock
+instead.
+
+Link: https://lkml.kernel.org/r/Yfm1IHmoGdyUR81T@carbon.dhcp.thefacebook.com
+Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API")
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Reported-by: Alexander Egorenkov <egorenar@linux.ibm.com>
+Tested-by: Alexander Egorenkov <egorenar@linux.ibm.com>
+Reviewed-by: Waiman Long <longman@redhat.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Reviewed-by: Jeremy Linton <jeremy.linton@arm.com>
+Tested-by: Jeremy Linton <jeremy.linton@arm.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/memcontrol.h | 5 +++--
+ mm/memcontrol.c | 10 +++++-----
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/include/linux/memcontrol.h
++++ b/include/linux/memcontrol.h
+@@ -197,7 +197,7 @@ struct obj_cgroup {
+ struct mem_cgroup *memcg;
+ atomic_t nr_charged_bytes;
+ union {
+- struct list_head list;
++ struct list_head list; /* protected by objcg_lock */
+ struct rcu_head rcu;
+ };
+ };
+@@ -300,7 +300,8 @@ struct mem_cgroup {
+ int kmemcg_id;
+ enum memcg_kmem_state kmem_state;
+ struct obj_cgroup __rcu *objcg;
+- struct list_head objcg_list; /* list of inherited objcgs */
++ /* list of inherited objcgs, protected by objcg_lock */
++ struct list_head objcg_list;
+ #endif
+
+ MEMCG_PADDING(_pad2_);
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -250,7 +250,7 @@ struct cgroup_subsys_state *vmpressure_t
+ }
+
+ #ifdef CONFIG_MEMCG_KMEM
+-extern spinlock_t css_set_lock;
++static DEFINE_SPINLOCK(objcg_lock);
+
+ static void obj_cgroup_release(struct percpu_ref *ref)
+ {
+@@ -284,13 +284,13 @@ static void obj_cgroup_release(struct pe
+ WARN_ON_ONCE(nr_bytes & (PAGE_SIZE - 1));
+ nr_pages = nr_bytes >> PAGE_SHIFT;
+
+- spin_lock_irqsave(&css_set_lock, flags);
++ spin_lock_irqsave(&objcg_lock, flags);
+ memcg = obj_cgroup_memcg(objcg);
+ if (nr_pages)
+ __memcg_kmem_uncharge(memcg, nr_pages);
+ list_del(&objcg->list);
+ mem_cgroup_put(memcg);
+- spin_unlock_irqrestore(&css_set_lock, flags);
++ spin_unlock_irqrestore(&objcg_lock, flags);
+
+ percpu_ref_exit(ref);
+ kfree_rcu(objcg, rcu);
+@@ -322,7 +322,7 @@ static void memcg_reparent_objcgs(struct
+
+ objcg = rcu_replace_pointer(memcg->objcg, NULL, true);
+
+- spin_lock_irq(&css_set_lock);
++ spin_lock_irq(&objcg_lock);
+
+ /* Move active objcg to the parent's list */
+ xchg(&objcg->memcg, parent);
+@@ -337,7 +337,7 @@ static void memcg_reparent_objcgs(struct
+ }
+ list_splice(&memcg->objcg_list, &parent->objcg_list);
+
+- spin_unlock_irq(&css_set_lock);
++ spin_unlock_irq(&objcg_lock);
+
+ percpu_ref_kill(&objcg->refcnt);
+ }
--- /dev/null
+From 54309fde1a352ad2674ebba004a79f7d20b9f037 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20L=C3=B6hle?= <CLoehle@hyperstone.com>
+Date: Fri, 4 Feb 2022 15:11:37 +0000
+Subject: mmc: block: fix read single on recovery logic
+
+From: Christian Löhle <CLoehle@hyperstone.com>
+
+commit 54309fde1a352ad2674ebba004a79f7d20b9f037 upstream.
+
+On reads with MMC_READ_MULTIPLE_BLOCK that fail,
+the recovery handler will use MMC_READ_SINGLE_BLOCK for
+each of the blocks, up to MMC_READ_SINGLE_RETRIES times each.
+The logic for this is fixed to never report unsuccessful reads
+as success to the block layer.
+
+On command error with retries remaining, blk_update_request was
+called with whatever value error was set last to.
+In case it was last set to BLK_STS_OK (default), the read will be
+reported as success, even though there was no data read from the device.
+This could happen on a CRC mismatch for the response,
+a card rejecting the command (e.g. again due to a CRC mismatch).
+In case it was last set to BLK_STS_IOERR, the error is reported correctly,
+but no retries will be attempted.
+
+Fixes: 81196976ed946c ("mmc: block: Add blk-mq support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Loehle <cloehle@hyperstone.com>
+Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/bc706a6ab08c4fe2834ba0c05a804672@hyperstone.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/block.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -1642,31 +1642,31 @@ static void mmc_blk_read_single(struct m
+ struct mmc_card *card = mq->card;
+ struct mmc_host *host = card->host;
+ blk_status_t error = BLK_STS_OK;
+- int retries = 0;
+
+ do {
+ u32 status;
+ int err;
++ int retries = 0;
+
+- mmc_blk_rw_rq_prep(mqrq, card, 1, mq);
++ while (retries++ <= MMC_READ_SINGLE_RETRIES) {
++ mmc_blk_rw_rq_prep(mqrq, card, 1, mq);
+
+- mmc_wait_for_req(host, mrq);
++ mmc_wait_for_req(host, mrq);
+
+- err = mmc_send_status(card, &status);
+- if (err)
+- goto error_exit;
+-
+- if (!mmc_host_is_spi(host) &&
+- !mmc_ready_for_data(status)) {
+- err = mmc_blk_fix_state(card, req);
++ err = mmc_send_status(card, &status);
+ if (err)
+ goto error_exit;
+- }
+
+- if (mrq->cmd->error && retries++ < MMC_READ_SINGLE_RETRIES)
+- continue;
++ if (!mmc_host_is_spi(host) &&
++ !mmc_ready_for_data(status)) {
++ err = mmc_blk_fix_state(card, req);
++ if (err)
++ goto error_exit;
++ }
+
+- retries = 0;
++ if (!mrq->cmd->error)
++ break;
++ }
+
+ if (mrq->cmd->error ||
+ mrq->data->error ||
--- /dev/null
+From 18a1d5e1945385d9b5adc3fe11427ce4a9d2826e Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Mon, 7 Feb 2022 17:16:39 +0200
+Subject: parisc: Add ioread64_lo_hi() and iowrite64_lo_hi()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 18a1d5e1945385d9b5adc3fe11427ce4a9d2826e upstream.
+
+It's a followup to the previous commit f15309d7ad5d ("parisc: Add
+ioread64_hi_lo() and iowrite64_hi_lo()") which does only half of
+the job. Add the rest, so we won't get a new kernel test robot
+reports.
+
+Fixes: f15309d7ad5d ("parisc: Add ioread64_hi_lo() and iowrite64_hi_lo()")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/lib/iomap.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/arch/parisc/lib/iomap.c
++++ b/arch/parisc/lib/iomap.c
+@@ -346,6 +346,16 @@ u64 ioread64be(const void __iomem *addr)
+ return *((u64 *)addr);
+ }
+
++u64 ioread64_lo_hi(const void __iomem *addr)
++{
++ u32 low, high;
++
++ low = ioread32(addr);
++ high = ioread32(addr + sizeof(u32));
++
++ return low + ((u64)high << 32);
++}
++
+ u64 ioread64_hi_lo(const void __iomem *addr)
+ {
+ u32 low, high;
+@@ -419,6 +429,12 @@ void iowrite64be(u64 datum, void __iomem
+ }
+ }
+
++void iowrite64_lo_hi(u64 val, void __iomem *addr)
++{
++ iowrite32(val, addr);
++ iowrite32(val >> 32, addr + sizeof(u32));
++}
++
+ void iowrite64_hi_lo(u64 val, void __iomem *addr)
+ {
+ iowrite32(val >> 32, addr + sizeof(u32));
+@@ -527,6 +543,7 @@ EXPORT_SYMBOL(ioread32);
+ EXPORT_SYMBOL(ioread32be);
+ EXPORT_SYMBOL(ioread64);
+ EXPORT_SYMBOL(ioread64be);
++EXPORT_SYMBOL(ioread64_lo_hi);
+ EXPORT_SYMBOL(ioread64_hi_lo);
+ EXPORT_SYMBOL(iowrite8);
+ EXPORT_SYMBOL(iowrite16);
+@@ -535,6 +552,7 @@ EXPORT_SYMBOL(iowrite32);
+ EXPORT_SYMBOL(iowrite32be);
+ EXPORT_SYMBOL(iowrite64);
+ EXPORT_SYMBOL(iowrite64be);
++EXPORT_SYMBOL(iowrite64_lo_hi);
+ EXPORT_SYMBOL(iowrite64_hi_lo);
+ EXPORT_SYMBOL(ioread8_rep);
+ EXPORT_SYMBOL(ioread16_rep);
--- /dev/null
+From 9129886b88185962538180625ca8051362b01327 Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Sat, 22 Jan 2022 18:19:49 +0000
+Subject: parisc: Drop __init from map_pages declaration
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 9129886b88185962538180625ca8051362b01327 upstream.
+
+With huge kernel pages, we randomly eat a SPARC in map_pages(). This
+is fixed by dropping __init from the declaration.
+
+However, map_pages references the __init routine memblock_alloc_try_nid
+via memblock_alloc. Thus, it needs to be marked with __ref.
+
+memblock_alloc is only called before the kernel text is set to readonly.
+
+The __ref on free_initmem is no longer needed.
+
+Comment regarding map_pages being in the init section is removed.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Cc: stable@vger.kernel.org # v5.4+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/mm/init.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/arch/parisc/mm/init.c
++++ b/arch/parisc/mm/init.c
+@@ -346,9 +346,9 @@ static void __init setup_bootmem(void)
+
+ static bool kernel_set_to_readonly;
+
+-static void __init map_pages(unsigned long start_vaddr,
+- unsigned long start_paddr, unsigned long size,
+- pgprot_t pgprot, int force)
++static void __ref map_pages(unsigned long start_vaddr,
++ unsigned long start_paddr, unsigned long size,
++ pgprot_t pgprot, int force)
+ {
+ pmd_t *pmd;
+ pte_t *pg_table;
+@@ -458,7 +458,7 @@ void __init set_kernel_text_rw(int enabl
+ flush_tlb_all();
+ }
+
+-void __ref free_initmem(void)
++void free_initmem(void)
+ {
+ unsigned long init_begin = (unsigned long)__init_begin;
+ unsigned long init_end = (unsigned long)__init_end;
+@@ -472,7 +472,6 @@ void __ref free_initmem(void)
+ /* The init text pages are marked R-X. We have to
+ * flush the icache and mark them RW-
+ *
+- * This is tricky, because map_pages is in the init section.
+ * Do a dummy remap of the data section first (the data
+ * section is already PAGE_KERNEL) to pull in the TLB entries
+ * for map_kernel */
--- /dev/null
+From b7d6f44a0fa716a82969725516dc0b16bc7cd514 Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Wed, 26 Jan 2022 20:39:05 +0000
+Subject: parisc: Fix data TLB miss in sba_unmap_sg
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit b7d6f44a0fa716a82969725516dc0b16bc7cd514 upstream.
+
+Rolf Eike Beer reported the following bug:
+
+[1274934.746891] Bad Address (null pointer deref?): Code=15 (Data TLB miss fault) at addr 0000004140000018
+[1274934.746891] CPU: 3 PID: 5549 Comm: cmake Not tainted 5.15.4-gentoo-parisc64 #4
+[1274934.746891] Hardware name: 9000/785/C8000
+[1274934.746891]
+[1274934.746891] YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
+[1274934.746891] PSW: 00001000000001001111111000001110 Not tainted
+[1274934.746891] r00-03 000000ff0804fe0e 0000000040bc9bc0 00000000406760e4 0000004140000000
+[1274934.746891] r04-07 0000000040b693c0 0000004140000000 000000004a2b08b0 0000000000000001
+[1274934.746891] r08-11 0000000041f98810 0000000000000000 000000004a0a7000 0000000000000001
+[1274934.746891] r12-15 0000000040bddbc0 0000000040c0cbc0 0000000040bddbc0 0000000040bddbc0
+[1274934.746891] r16-19 0000000040bde3c0 0000000040bddbc0 0000000040bde3c0 0000000000000007
+[1274934.746891] r20-23 0000000000000006 000000004a368950 0000000000000000 0000000000000001
+[1274934.746891] r24-27 0000000000001fff 000000000800000e 000000004a1710f0 0000000040b693c0
+[1274934.746891] r28-31 0000000000000001 0000000041f988b0 0000000041f98840 000000004a171118
+[1274934.746891] sr00-03 00000000066e5800 0000000000000000 0000000000000000 00000000066e5800
+[1274934.746891] sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+[1274934.746891]
+[1274934.746891] IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000406760e8 00000000406760ec
+[1274934.746891] IIR: 48780030 ISR: 0000000000000000 IOR: 0000004140000018
+[1274934.746891] CPU: 3 CR30: 00000040e3a9c000 CR31: ffffffffffffffff
+[1274934.746891] ORIG_R28: 0000000040acdd58
+[1274934.746891] IAOQ[0]: sba_unmap_sg+0xb0/0x118
+[1274934.746891] IAOQ[1]: sba_unmap_sg+0xb4/0x118
+[1274934.746891] RP(r2): sba_unmap_sg+0xac/0x118
+[1274934.746891] Backtrace:
+[1274934.746891] [<00000000402740cc>] dma_unmap_sg_attrs+0x6c/0x70
+[1274934.746891] [<000000004074d6bc>] scsi_dma_unmap+0x54/0x60
+[1274934.746891] [<00000000407a3488>] mptscsih_io_done+0x150/0xd70
+[1274934.746891] [<0000000040798600>] mpt_interrupt+0x168/0xa68
+[1274934.746891] [<0000000040255a48>] __handle_irq_event_percpu+0xc8/0x278
+[1274934.746891] [<0000000040255c34>] handle_irq_event_percpu+0x3c/0xd8
+[1274934.746891] [<000000004025ecb4>] handle_percpu_irq+0xb4/0xf0
+[1274934.746891] [<00000000402548e0>] generic_handle_irq+0x50/0x70
+[1274934.746891] [<000000004019a254>] call_on_stack+0x18/0x24
+[1274934.746891]
+[1274934.746891] Kernel panic - not syncing: Bad Address (null pointer deref?)
+
+The bug is caused by overrunning the sglist and incorrectly testing
+sg_dma_len(sglist) before nents. Normally this doesn't cause a crash,
+but in this case sglist crossed a page boundary. This occurs in the
+following code:
+
+ while (sg_dma_len(sglist) && nents--) {
+
+The fix is simply to test nents first and move the decrement of nents
+into the loop.
+
+Reported-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/parisc/sba_iommu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/parisc/sba_iommu.c
++++ b/drivers/parisc/sba_iommu.c
+@@ -1047,7 +1047,7 @@ sba_unmap_sg(struct device *dev, struct
+ spin_unlock_irqrestore(&ioc->res_lock, flags);
+ #endif
+
+- while (sg_dma_len(sglist) && nents--) {
++ while (nents && sg_dma_len(sglist)) {
+
+ sba_unmap_page(dev, sg_dma_address(sglist), sg_dma_len(sglist),
+ direction, 0);
+@@ -1056,6 +1056,7 @@ sba_unmap_sg(struct device *dev, struct
+ ioc->usingle_calls--; /* kluge since call is unmap_sg() */
+ #endif
+ ++sglist;
++ nents--;
+ }
+
+ DBG_RUN_SG("%s() DONE (nents %d)\n", __func__, nents);
--- /dev/null
+From d7da660cab47183cded65e11b64497d0f56c6edf Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Thu, 27 Jan 2022 22:33:41 +0000
+Subject: parisc: Fix sglist access in ccio-dma.c
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit d7da660cab47183cded65e11b64497d0f56c6edf upstream.
+
+This patch implements the same bug fix to ccio-dma.c as to sba_iommu.c.
+It ensures that only the allocated entries of the sglist are accessed.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/parisc/ccio-dma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/parisc/ccio-dma.c
++++ b/drivers/parisc/ccio-dma.c
+@@ -1003,7 +1003,7 @@ ccio_unmap_sg(struct device *dev, struct
+ ioc->usg_calls++;
+ #endif
+
+- while(sg_dma_len(sglist) && nents--) {
++ while (nents && sg_dma_len(sglist)) {
+
+ #ifdef CCIO_COLLECT_STATS
+ ioc->usg_pages += sg_dma_len(sglist) >> PAGE_SHIFT;
+@@ -1011,6 +1011,7 @@ ccio_unmap_sg(struct device *dev, struct
+ ccio_unmap_page(dev, sg_dma_address(sglist),
+ sg_dma_len(sglist), direction, 0);
+ ++sglist;
++ nents--;
+ }
+
+ DBG_RUN_SG("%s() DONE (nents %d)\n", __func__, nents);
--- /dev/null
+From 3149efcdf2c6314420c418dfc94de53bfd076b1f Mon Sep 17 00:00:00 2001
+From: Long Li <longli@microsoft.com>
+Date: Wed, 26 Jan 2022 17:43:34 -0800
+Subject: PCI: hv: Fix NUMA node assignment when kernel boots with custom NUMA topology
+
+From: Long Li <longli@microsoft.com>
+
+commit 3149efcdf2c6314420c418dfc94de53bfd076b1f upstream.
+
+When kernel boots with a NUMA topology with some NUMA nodes offline, the PCI
+driver should only set an online NUMA node on the device. This can happen
+during KDUMP where some NUMA nodes are not made online by the KDUMP kernel.
+
+This patch also fixes the case where kernel is booting with "numa=off".
+
+Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2")
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Tested-by: Purna Pavan Chandra Aekkaladevi <paekkaladevi@microsoft.com>
+Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Link: https://lore.kernel.org/r/1643247814-15184-1-git-send-email-longli@linuxonhyperv.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pci-hyperv.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -1841,8 +1841,17 @@ static void hv_pci_assign_numa_node(stru
+ if (!hv_dev)
+ continue;
+
+- if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY)
+- set_dev_node(&dev->dev, hv_dev->desc.virtual_numa_node);
++ if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY &&
++ hv_dev->desc.virtual_numa_node < num_possible_nodes())
++ /*
++ * The kernel may boot with some NUMA nodes offline
++ * (e.g. in a KDUMP kernel) or with NUMA disabled via
++ * "numa=off". In those cases, adjust the host provided
++ * NUMA node to a valid NUMA node used by the kernel.
++ */
++ set_dev_node(&dev->dev,
++ numa_map_to_online_node(
++ hv_dev->desc.virtual_numa_node));
+
+ put_pcichild(hv_dev);
+ }
--- /dev/null
+From bfb3aa735f82c8d98b32a669934ee7d6b346264d Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney" <paulmck@kernel.org>
+Date: Fri, 30 Oct 2020 13:11:24 -0700
+Subject: rcu: Do not report strict GPs for outgoing CPUs
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+commit bfb3aa735f82c8d98b32a669934ee7d6b346264d upstream.
+
+An outgoing CPU is marked offline in a stop-machine handler and most
+of that CPU's services stop at that point, including IRQ work queues.
+However, that CPU must take another pass through the scheduler and through
+a number of CPU-hotplug notifiers, many of which contain RCU readers.
+In the past, these readers were not a problem because the outgoing CPU
+has interrupts disabled, so that rcu_read_unlock_special() would not
+be invoked, and thus RCU would never attempt to queue IRQ work on the
+outgoing CPU.
+
+This changed with the advent of the CONFIG_RCU_STRICT_GRACE_PERIOD
+Kconfig option, in which rcu_read_unlock_special() is invoked upon exit
+from almost all RCU read-side critical sections. Worse yet, because
+interrupts are disabled, rcu_read_unlock_special() cannot immediately
+report a quiescent state and will therefore attempt to defer this
+reporting, for example, by queueing IRQ work. Which fails with a splat
+because the CPU is already marked as being offline.
+
+But it turns out that there is no need to report this quiescent state
+because rcu_report_dead() will do this job shortly after the outgoing
+CPU makes its final dive into the idle loop. This commit therefore
+makes rcu_read_unlock_special() refrain from queuing IRQ work onto
+outgoing CPUs.
+
+Fixes: 44bad5b3cca2 ("rcu: Do full report for .need_qs for strict GPs")
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Cc: Jann Horn <jannh@google.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/rcu/tree_plugin.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -628,7 +628,7 @@ static void rcu_read_unlock_special(stru
+ set_tsk_need_resched(current);
+ set_preempt_need_resched();
+ if (IS_ENABLED(CONFIG_IRQ_WORK) && irqs_were_disabled &&
+- !rdp->defer_qs_iw_pending && exp) {
++ !rdp->defer_qs_iw_pending && exp && cpu_online(rdp->cpu)) {
+ // Get scheduler to re-evaluate and call hooks.
+ // If !IRQ_WORK, FQS scan will eventually IPI.
+ init_irq_work(&rdp->defer_qs_iw,
--- /dev/null
+From dd4589eee99db8f61f7b8f7df1531cad3f74a64d Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 4 Feb 2022 21:41:55 +0000
+Subject: Revert "svm: Add warning message for AVIC IPI invalid target"
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit dd4589eee99db8f61f7b8f7df1531cad3f74a64d upstream.
+
+Remove a WARN on an "AVIC IPI invalid target" exit, the WARN is trivial
+to trigger from guest as it will fail on any destination APIC ID that
+doesn't exist from the guest's perspective.
+
+Don't bother recording anything in the kernel log, the common tracepoint
+for kvm_avic_incomplete_ipi() is sufficient for debugging.
+
+This reverts commit 37ef0c4414c9743ba7f1af4392f0a27a99649f2a.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20220204214205.3306634-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/avic.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/x86/kvm/svm/avic.c
++++ b/arch/x86/kvm/svm/avic.c
+@@ -344,8 +344,6 @@ int avic_incomplete_ipi_interception(str
+ break;
+ }
+ case AVIC_IPI_FAILURE_INVALID_TARGET:
+- WARN_ONCE(1, "Invalid IPI target: index=%u, vcpu=%d, icr=%#0x:%#0x\n",
+- index, svm->vcpu.vcpu_id, icrh, icrl);
+ break;
+ case AVIC_IPI_FAILURE_INVALID_BACKING_PAGE:
+ WARN_ONCE(1, "Invalid backing page\n");
--- /dev/null
+From efe1dc571a5b808baa26682eef16561be2e356fd Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 21 Sep 2021 07:30:08 -0700
+Subject: scsi: lpfc: Fix mailbox command failure during driver initialization
+
+From: James Smart <jsmart2021@gmail.com>
+
+commit efe1dc571a5b808baa26682eef16561be2e356fd upstream.
+
+Contention for the mailbox interface may occur during driver initialization
+(immediately after a function reset), between mailbox commands initiated
+via ioctl (bsg) and those driver requested by the driver.
+
+After setting SLI_ACTIVE flag for a port, there is a window in which the
+driver will allow an ioctl to be initiated while the adapter is
+initializing and issuing mailbox commands via polling. The polling logic
+then gets confused.
+
+Correct by having thread setting SLI_ACTIVE spot an active mailbox command
+and allow it complete before proceeding.
+
+Link: https://lore.kernel.org/r/20210921143008.64212-1-jsmart2021@gmail.com
+Co-developed-by: Nigel Kirkland <nkirkland2304@gmail.com>
+Signed-off-by: Nigel Kirkland <nkirkland2304@gmail.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -7372,6 +7372,7 @@ lpfc_sli4_hba_setup(struct lpfc_hba *phb
+ struct lpfc_vport *vport = phba->pport;
+ struct lpfc_dmabuf *mp;
+ struct lpfc_rqb *rqbp;
++ u32 flg;
+
+ /* Perform a PCI function reset to start from clean */
+ rc = lpfc_pci_function_reset(phba);
+@@ -7385,7 +7386,17 @@ lpfc_sli4_hba_setup(struct lpfc_hba *phb
+ else {
+ spin_lock_irq(&phba->hbalock);
+ phba->sli.sli_flag |= LPFC_SLI_ACTIVE;
++ flg = phba->sli.sli_flag;
+ spin_unlock_irq(&phba->hbalock);
++ /* Allow a little time after setting SLI_ACTIVE for any polled
++ * MBX commands to complete via BSG.
++ */
++ for (i = 0; i < 50 && (flg & LPFC_SLI_MBOX_ACTIVE); i++) {
++ msleep(20);
++ spin_lock_irq(&phba->hbalock);
++ flg = phba->sli.sli_flag;
++ spin_unlock_irq(&phba->hbalock);
++ }
+ }
+
+ lpfc_sli4_dip(phba);
+@@ -8922,7 +8933,7 @@ lpfc_sli_issue_mbox_s4(struct lpfc_hba *
+ "(%d):2541 Mailbox command x%x "
+ "(x%x/x%x) failure: "
+ "mqe_sta: x%x mcqe_sta: x%x/x%x "
+- "Data: x%x x%x\n,",
++ "Data: x%x x%x\n",
+ mboxq->vport ? mboxq->vport->vpi : 0,
+ mboxq->u.mb.mbxCommand,
+ lpfc_sli_config_mbox_subsys_get(phba,
+@@ -8956,7 +8967,7 @@ lpfc_sli_issue_mbox_s4(struct lpfc_hba *
+ "(%d):2597 Sync Mailbox command "
+ "x%x (x%x/x%x) failure: "
+ "mqe_sta: x%x mcqe_sta: x%x/x%x "
+- "Data: x%x x%x\n,",
++ "Data: x%x x%x\n",
+ mboxq->vport ? mboxq->vport->vpi : 0,
+ mboxq->u.mb.mbxCommand,
+ lpfc_sli_config_mbox_subsys_get(phba,
--- /dev/null
+From 6e8793674bb0d1135ca0e5c9f7e16fecbf815926 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Mon, 14 Feb 2022 10:00:19 -0800
+Subject: serial: parisc: GSC: fix build when IOSAPIC is not set
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 6e8793674bb0d1135ca0e5c9f7e16fecbf815926 upstream.
+
+There is a build error when using a kernel .config file from
+'kernel test robot' for a different build problem:
+
+hppa64-linux-ld: drivers/tty/serial/8250/8250_gsc.o: in function `.LC3':
+(.data.rel.ro+0x18): undefined reference to `iosapic_serial_irq'
+
+when:
+ CONFIG_GSC=y
+ CONFIG_SERIO_GSCPS2=y
+ CONFIG_SERIAL_8250_GSC=y
+ CONFIG_PCI is not set
+ and hence PCI_LBA is not set.
+ IOSAPIC depends on PCI_LBA, so IOSAPIC is not set/enabled.
+
+Make the use of iosapic_serial_irq() conditional to fix the build error.
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
+Cc: Helge Deller <deller@gmx.de>
+Cc: linux-parisc@vger.kernel.org
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-serial@vger.kernel.org
+Cc: Jiri Slaby <jirislaby@kernel.org>
+Cc: Johan Hovold <johan@kernel.org>
+Suggested-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_gsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_gsc.c
++++ b/drivers/tty/serial/8250/8250_gsc.c
+@@ -26,7 +26,7 @@ static int __init serial_init_chip(struc
+ unsigned long address;
+ int err;
+
+-#ifdef CONFIG_64BIT
++#if defined(CONFIG_64BIT) && defined(CONFIG_IOSAPIC)
+ if (!dev->irq && (dev->id.sversion == 0xad))
+ dev->irq = iosapic_serial_irq(dev);
+ #endif
--- /dev/null
+drm-nouveau-pmu-gm200-use-alternate-falcon-reset-sequence.patch
+mm-memcg-synchronize-objcg-lists-with-a-dedicated-spinlock.patch
+rcu-do-not-report-strict-gps-for-outgoing-cpus.patch
+fget-clarify-and-improve-__fget_files-implementation.patch
+fs-proc-task_mmu.c-don-t-read-mapcount-for-migration-entry.patch
+can-isotp-prevent-race-between-isotp_bind-and-isotp_setsockopt.patch
+can-isotp-add-sf_broadcast-support-for-functional-addressing.patch
+scsi-lpfc-fix-mailbox-command-failure-during-driver-initialization.patch
+hid-add-support-for-ugtablet-wp5540.patch
+revert-svm-add-warning-message-for-avic-ipi-invalid-target.patch
+serial-parisc-gsc-fix-build-when-iosapic-is-not-set.patch
+parisc-drop-__init-from-map_pages-declaration.patch
+parisc-fix-data-tlb-miss-in-sba_unmap_sg.patch
+parisc-fix-sglist-access-in-ccio-dma.c.patch
+mmc-block-fix-read-single-on-recovery-logic.patch
+mm-don-t-try-to-numa-migrate-cow-pages-that-have-other-uses.patch
+pci-hv-fix-numa-node-assignment-when-kernel-boots-with-custom-numa-topology.patch
+parisc-add-ioread64_lo_hi-and-iowrite64_lo_hi.patch
+btrfs-send-in-case-of-io-error-log-it.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
