--- /dev/null
+From 2a44048280114e00f48b67637e90f005b2fe79e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jan 2023 11:34:18 -0700
+Subject: ACPI: NFIT: fix a potential deadlock during NFIT teardown
+
+From: Vishal Verma <vishal.l.verma@intel.com>
+
+[ Upstream commit fb6df4366f86dd252bfa3049edffa52d17e7b895 ]
+
+Lockdep reports that acpi_nfit_shutdown() may deadlock against an
+opportune acpi_nfit_scrub(). acpi_nfit_scrub () is run from inside a
+'work' and therefore has already acquired workqueue-internal locks. It
+also acquiires acpi_desc->init_mutex. acpi_nfit_shutdown() first
+acquires init_mutex, and was subsequently attempting to cancel any
+pending workqueue items. This reversed locking order causes a potential
+deadlock:
+
+ ======================================================
+ WARNING: possible circular locking dependency detected
+ 6.2.0-rc3 #116 Tainted: G O N
+ ------------------------------------------------------
+ libndctl/1958 is trying to acquire lock:
+ ffff888129b461c0 ((work_completion)(&(&acpi_desc->dwork)->work)){+.+.}-{0:0}, at: __flush_work+0x43/0x450
+
+ but task is already holding lock:
+ ffff888129b460e8 (&acpi_desc->init_mutex){+.+.}-{3:3}, at: acpi_nfit_shutdown+0x87/0xd0 [nfit]
+
+ which lock already depends on the new lock.
+
+ ...
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&acpi_desc->init_mutex);
+ lock((work_completion)(&(&acpi_desc->dwork)->work));
+ lock(&acpi_desc->init_mutex);
+ lock((work_completion)(&(&acpi_desc->dwork)->work));
+
+ *** DEADLOCK ***
+
+Since the workqueue manipulation is protected by its own internal locking,
+the cancellation of pending work doesn't need to be done under
+acpi_desc->init_mutex. Move cancel_delayed_work_sync() outside the
+init_mutex to fix the deadlock. Any work that starts after
+acpi_nfit_shutdown() drops the lock will see ARS_CANCEL, and the
+cancel_delayed_work_sync() will safely flush it out.
+
+Reported-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Vishal Verma <vishal.l.verma@intel.com>
+Link: https://lore.kernel.org/r/20230112-acpi_nfit_lockdep-v1-1-660be4dd10be@intel.com
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/nfit/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
+index 58a756ca14d85..c2863eec0f241 100644
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -3442,8 +3442,8 @@ void acpi_nfit_shutdown(void *data)
+
+ mutex_lock(&acpi_desc->init_mutex);
+ set_bit(ARS_CANCEL, &acpi_desc->scrub_flags);
+- cancel_delayed_work_sync(&acpi_desc->dwork);
+ mutex_unlock(&acpi_desc->init_mutex);
++ cancel_delayed_work_sync(&acpi_desc->dwork);
+
+ /*
+ * Bounce the nvdimm bus lock to make sure any in-flight
+--
+2.39.0
+
--- /dev/null
+From e500483687c19a26ea583815944139410b250e45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Dec 2022 21:17:32 +0100
+Subject: ARM: dts: rockchip: add power-domains property to dp node on rk3288
+
+From: Johan Jonker <jbx6244@gmail.com>
+
+[ Upstream commit 80422339a75088322b4d3884bd12fa0fe5d11050 ]
+
+The clocks in the Rockchip rk3288 DisplayPort node are
+included in the power-domain@RK3288_PD_VIO logic, but the
+power-domains property in the dp node is missing, so fix it.
+
+Signed-off-by: Johan Jonker <jbx6244@gmail.com>
+Link: https://lore.kernel.org/r/dab85bfb-9f55-86a1-5cd5-7388c43e0ec5@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/rk3288.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi
+index e442bf7427ae1..402b5e0fd616c 100644
+--- a/arch/arm/boot/dts/rk3288.dtsi
++++ b/arch/arm/boot/dts/rk3288.dtsi
+@@ -1172,6 +1172,7 @@ edp: dp@ff970000 {
+ clock-names = "dp", "pclk";
+ phys = <&edp_phy>;
+ phy-names = "dp";
++ power-domains = <&power RK3288_PD_VIO>;
+ resets = <&cru SRST_EDP>;
+ reset-names = "dp";
+ rockchip,grf = <&grf>;
+--
+2.39.0
+
--- /dev/null
+From 91b51e5f59c9a956b1f36d07481ca381f19cdf0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jan 2023 20:32:10 +0100
+Subject: btrfs: send: limit number of clones and allocated memory size
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 33e17b3f5ab74af12aca58c515bc8424ff69a343 ]
+
+The arg->clone_sources_count is u64 and can trigger a warning when a
+huge value is passed from user space and a huge array is allocated.
+Limit the allocated memory to 8MiB (can be increased if needed), which
+in turn limits the number of clone sources to 8M / sizeof(struct
+clone_root) = 8M / 40 = 209715. Real world number of clones is from
+tens to hundreds, so this is future proof.
+
+Reported-by: syzbot+4376a9a073770c173269@syzkaller.appspotmail.com
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index 80d248e88761d..1f535cd990d3c 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -6826,10 +6826,10 @@ long btrfs_ioctl_send(struct file *mnt_file, struct btrfs_ioctl_send_args *arg)
+ /*
+ * Check that we don't overflow at later allocations, we request
+ * clone_sources_count + 1 items, and compare to unsigned long inside
+- * access_ok.
++ * access_ok. Also set an upper limit for allocation size so this can't
++ * easily exhaust memory. Max number of clone sources is about 200K.
+ */
+- if (arg->clone_sources_count >
+- ULONG_MAX / sizeof(struct clone_root) - 1) {
++ if (arg->clone_sources_count > SZ_8M / sizeof(struct clone_root)) {
+ ret = -EINVAL;
+ goto out;
+ }
+--
+2.39.0
+
--- /dev/null
+From 61518542d974a999dc321b0c78b6b5a1f374e50a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 14:04:08 -0500
+Subject: IB/hfi1: Assign npages earlier
+
+From: Dean Luick <dean.luick@cornelisnetworks.com>
+
+[ Upstream commit f9c47b2caa7ffc903ec950b454b59c209afe3182 ]
+
+Improve code clarity and enable earlier use of
+tidbuf->npages by moving its assignment to
+structure creation time.
+
+Signed-off-by: Dean Luick <dean.luick@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/167329104884.1472990.4639750192433251493.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/user_exp_rcv.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+index dab823aac95e1..2619a7a9f27cf 100644
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+@@ -215,16 +215,11 @@ static void unpin_rcv_pages(struct hfi1_filedata *fd,
+ static int pin_rcv_pages(struct hfi1_filedata *fd, struct tid_user_buf *tidbuf)
+ {
+ int pinned;
+- unsigned int npages;
++ unsigned int npages = tidbuf->npages;
+ unsigned long vaddr = tidbuf->vaddr;
+ struct page **pages = NULL;
+ struct hfi1_devdata *dd = fd->uctxt->dd;
+
+- /* Get the number of pages the user buffer spans */
+- npages = num_user_pages(vaddr, tidbuf->length);
+- if (!npages)
+- return -EINVAL;
+-
+ if (npages > fd->uctxt->expected_count) {
+ dd_dev_err(dd, "Expected buffer too big\n");
+ return -EINVAL;
+@@ -258,7 +253,6 @@ static int pin_rcv_pages(struct hfi1_filedata *fd, struct tid_user_buf *tidbuf)
+ return pinned;
+ }
+ tidbuf->pages = pages;
+- tidbuf->npages = npages;
+ fd->tid_n_pinned += pinned;
+ return pinned;
+ }
+@@ -334,6 +328,7 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+
+ tidbuf->vaddr = tinfo->vaddr;
+ tidbuf->length = tinfo->length;
++ tidbuf->npages = num_user_pages(tidbuf->vaddr, tidbuf->length);
+ tidbuf->psets = kcalloc(uctxt->expected_count, sizeof(*tidbuf->psets),
+ GFP_KERNEL);
+ if (!tidbuf->psets) {
+--
+2.39.0
+
--- /dev/null
+arm-dts-rockchip-add-power-domains-property-to-dp-no.patch
+acpi-nfit-fix-a-potential-deadlock-during-nfit-teard.patch
+btrfs-send-limit-number-of-clones-and-allocated-memo.patch
+ib-hfi1-assign-npages-earlier.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
