Fixes for 5.10

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.10/configfs-fix-a-race-in-configfs_-un-register_subsyst.patch b/queue-5.10/configfs-fix-a-race-in-configfs_-un-register_subsyst.patch
new file mode 100644 (file)
index 0000000..9096997
--- /dev/null
+++ b/queue-5.10/configfs-fix-a-race-in-configfs_-un-register_subsyst.patch
@@ -0,0 +1,98 @@
+From 93fb4b67e12d81a7a09a6fc8fdf15c490447696b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Feb 2022 15:10:30 +0800
+Subject: configfs: fix a race in configfs_{,un}register_subsystem()
+
+From: ChenXiaoSong <chenxiaosong2@huawei.com>
+
+[ Upstream commit 84ec758fb2daa236026506868c8796b0500c047d ]
+
+When configfs_register_subsystem() or configfs_unregister_subsystem()
+is executing link_group() or unlink_group(),
+it is possible that two processes add or delete list concurrently.
+Some unfortunate interleavings of them can cause kernel panic.
+
+One of cases is:
+A --> B --> C --> D
+A <-- B <-- C <-- D
+
+     delete list_head *B        |      delete list_head *C
+--------------------------------|-----------------------------------
+configfs_unregister_subsystem   |   configfs_unregister_subsystem
+  unlink_group                  |     unlink_group
+    unlink_obj                  |       unlink_obj
+      list_del_init             |         list_del_init
+        __list_del_entry        |           __list_del_entry
+          __list_del            |             __list_del
+            // next == C        |
+            next->prev = prev   |
+                                |               next->prev = prev
+            prev->next = next   |
+                                |                 // prev == B
+                                |                 prev->next = next
+
+Fix this by adding mutex when calling link_group() or unlink_group(),
+but parent configfs_subsystem is NULL when config_item is root.
+So I create a mutex configfs_subsystem_mutex.
+
+Fixes: 7063fbf22611 ("[PATCH] configfs: User-driven configuration filesystem")
+Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
+Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/configfs/dir.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
+index 32ddad3ec5d53..5ad27e484014f 100644
+--- a/fs/configfs/dir.c
++++ b/fs/configfs/dir.c
+@@ -36,6 +36,14 @@
+  */
+ DEFINE_SPINLOCK(configfs_dirent_lock);
+ 
++/*
++ * All of link_obj/unlink_obj/link_group/unlink_group require that
++ * subsys->su_mutex is held.
++ * But parent configfs_subsystem is NULL when config_item is root.
++ * Use this mutex when config_item is root.
++ */
++static DEFINE_MUTEX(configfs_subsystem_mutex);
++
+ static void configfs_d_iput(struct dentry * dentry,
+                           struct inode * inode)
+ {
+@@ -1884,7 +1892,9 @@ int configfs_register_subsystem(struct configfs_subsystem *subsys)
+               group->cg_item.ci_name = group->cg_item.ci_namebuf;
+ 
+       sd = root->d_fsdata;
++      mutex_lock(&configfs_subsystem_mutex);
+       link_group(to_config_group(sd->s_element), group);
++      mutex_unlock(&configfs_subsystem_mutex);
+ 
+       inode_lock_nested(d_inode(root), I_MUTEX_PARENT);
+ 
+@@ -1909,7 +1919,9 @@ int configfs_register_subsystem(struct configfs_subsystem *subsys)
+       inode_unlock(d_inode(root));
+ 
+       if (err) {
++              mutex_lock(&configfs_subsystem_mutex);
+               unlink_group(group);
++              mutex_unlock(&configfs_subsystem_mutex);
+               configfs_release_fs();
+       }
+       put_fragment(frag);
+@@ -1956,7 +1968,9 @@ void configfs_unregister_subsystem(struct configfs_subsystem *subsys)
+ 
+       dput(dentry);
+ 
++      mutex_lock(&configfs_subsystem_mutex);
+       unlink_group(group);
++      mutex_unlock(&configfs_subsystem_mutex);
+       configfs_release_fs();
+ }
+ 
+-- 
+2.34.1
+

diff --git a/queue-5.10/rdma-ib_srp-fix-a-deadlock.patch b/queue-5.10/rdma-ib_srp-fix-a-deadlock.patch
new file mode 100644 (file)
index 0000000..55b27d8
--- /dev/null
+++ b/queue-5.10/rdma-ib_srp-fix-a-deadlock.patch
@@ -0,0 +1,45 @@
+From 083e648dc5ce9d314d1c9c63b011cfdbe1869e4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Feb 2022 13:05:11 -0800
+Subject: RDMA/ib_srp: Fix a deadlock
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 081bdc9fe05bb23248f5effb6f811da3da4b8252 ]
+
+Remove the flush_workqueue(system_long_wq) call since flushing
+system_long_wq is deadlock-prone and since that call is redundant with a
+preceding cancel_work_sync()
+
+Link: https://lore.kernel.org/r/20220215210511.28303-3-bvanassche@acm.org
+Fixes: ef6c49d87c34 ("IB/srp: Eliminate state SRP_TARGET_DEAD")
+Reported-by: syzbot+831661966588c802aae9@syzkaller.appspotmail.com
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
+index 86d5c4c92b363..b4ccb333a8342 100644
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -4045,9 +4045,11 @@ static void srp_remove_one(struct ib_device *device, void *client_data)
+               spin_unlock(&host->target_lock);
+ 
+               /*
+-               * Wait for tl_err and target port removal tasks.
++               * srp_queue_remove_work() queues a call to
++               * srp_remove_target(). The latter function cancels
++               * target->tl_err_work so waiting for the remove works to
++               * finish is sufficient.
+                */
+-              flush_workqueue(system_long_wq);
+               flush_workqueue(srp_remove_wq);
+ 
+               kfree(host);
+-- 
+2.34.1
+

diff --git a/queue-5.10/rdma-rtrs-clt-fix-possible-double-free-in-error-case.patch b/queue-5.10/rdma-rtrs-clt-fix-possible-double-free-in-error-case.patch
new file mode 100644 (file)
index 0000000..5681b8e
--- /dev/null
+++ b/queue-5.10/rdma-rtrs-clt-fix-possible-double-free-in-error-case.patch
@@ -0,0 +1,125 @@
+From 79dbf4fa4fd811f839cdb77fa7f8a7ee14c09c8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Feb 2022 04:09:28 +0100
+Subject: RDMA/rtrs-clt: Fix possible double free in error case
+
+From: Md Haris Iqbal <haris.iqbal@ionos.com>
+
+[ Upstream commit 8700af2cc18c919b2a83e74e0479038fd113c15d ]
+
+Callback function rtrs_clt_dev_release() for put_device() calls kfree(clt)
+to free memory. We shouldn't call kfree(clt) again, and we can't use the
+clt after kfree too.
+
+Replace device_register() with device_initialize() and device_add() so that
+dev_set_name can() be used appropriately.
+
+Move mutex_destroy() to the release function so it can be called in
+the alloc_clt err path.
+
+Fixes: eab098246625 ("RDMA/rtrs-clt: Refactor the failure cases in alloc_clt")
+Link: https://lore.kernel.org/r/20220217030929.323849-1-haris.iqbal@ionos.com
+Reported-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Md Haris Iqbal <haris.iqbal@ionos.com>
+Reviewed-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-clt.c | 37 ++++++++++++++------------
+ 1 file changed, 20 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+index 46fad202a380e..8937530a42d3d 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+@@ -2540,6 +2540,8 @@ static void rtrs_clt_dev_release(struct device *dev)
+ {
+       struct rtrs_clt *clt = container_of(dev, struct rtrs_clt, dev);
+ 
++      mutex_destroy(&clt->paths_ev_mutex);
++      mutex_destroy(&clt->paths_mutex);
+       kfree(clt);
+ }
+ 
+@@ -2571,6 +2573,8 @@ static struct rtrs_clt *alloc_clt(const char *sessname, size_t paths_num,
+               return ERR_PTR(-ENOMEM);
+       }
+ 
++      clt->dev.class = rtrs_clt_dev_class;
++      clt->dev.release = rtrs_clt_dev_release;
+       uuid_gen(&clt->paths_uuid);
+       INIT_LIST_HEAD_RCU(&clt->paths_list);
+       clt->paths_num = paths_num;
+@@ -2588,43 +2592,41 @@ static struct rtrs_clt *alloc_clt(const char *sessname, size_t paths_num,
+       init_waitqueue_head(&clt->permits_wait);
+       mutex_init(&clt->paths_ev_mutex);
+       mutex_init(&clt->paths_mutex);
++      device_initialize(&clt->dev);
+ 
+-      clt->dev.class = rtrs_clt_dev_class;
+-      clt->dev.release = rtrs_clt_dev_release;
+       err = dev_set_name(&clt->dev, "%s", sessname);
+       if (err)
+-              goto err;
++              goto err_put;
++
+       /*
+        * Suppress user space notification until
+        * sysfs files are created
+        */
+       dev_set_uevent_suppress(&clt->dev, true);
+-      err = device_register(&clt->dev);
+-      if (err) {
+-              put_device(&clt->dev);
+-              goto err;
+-      }
++      err = device_add(&clt->dev);
++      if (err)
++              goto err_put;
+ 
+       clt->kobj_paths = kobject_create_and_add("paths", &clt->dev.kobj);
+       if (!clt->kobj_paths) {
+               err = -ENOMEM;
+-              goto err_dev;
++              goto err_del;
+       }
+       err = rtrs_clt_create_sysfs_root_files(clt);
+       if (err) {
+               kobject_del(clt->kobj_paths);
+               kobject_put(clt->kobj_paths);
+-              goto err_dev;
++              goto err_del;
+       }
+       dev_set_uevent_suppress(&clt->dev, false);
+       kobject_uevent(&clt->dev.kobj, KOBJ_ADD);
+ 
+       return clt;
+-err_dev:
+-      device_unregister(&clt->dev);
+-err:
++err_del:
++      device_del(&clt->dev);
++err_put:
+       free_percpu(clt->pcpu_path);
+-      kfree(clt);
++      put_device(&clt->dev);
+       return ERR_PTR(err);
+ }
+ 
+@@ -2643,9 +2645,10 @@ static void free_clt(struct rtrs_clt *clt)
+       wait_for_inflight_permits(clt);
+       free_permits(clt);
+       free_percpu(clt->pcpu_path);
+-      mutex_destroy(&clt->paths_ev_mutex);
+-      mutex_destroy(&clt->paths_mutex);
+-      /* release callback will free clt in last put */
++
++      /*
++       * release callback will free clt and destroy mutexes in last put
++       */
+       device_unregister(&clt->dev);
+ }
+ 
+-- 
+2.34.1
+

diff --git a/queue-5.10/rdma-rtrs-clt-kill-wait_for_inflight_permits.patch b/queue-5.10/rdma-rtrs-clt-kill-wait_for_inflight_permits.patch
new file mode 100644 (file)
index 0000000..213bf56
--- /dev/null
+++ b/queue-5.10/rdma-rtrs-clt-kill-wait_for_inflight_permits.patch
@@ -0,0 +1,61 @@
+From 6cf8d8fc8bd6e666233d769c811cd1212a352f77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Dec 2020 15:19:05 +0100
+Subject: RDMA/rtrs-clt: Kill wait_for_inflight_permits
+
+From: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
+
+[ Upstream commit 25a033f5a75873cfdd36eca3c702363b682afb42 ]
+
+Let's wait the inflight permits before free it.
+
+Link: https://lore.kernel.org/r/20201217141915.56989-10-jinpu.wang@cloud.ionos.com
+Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
+Reviewed-by: Md Haris Iqbal <haris.iqbal@cloud.ionos.com>
+Signed-off-by: Jack Wang <jinpu.wang@cloud.ionos.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-clt.c | 17 ++++++-----------
+ 1 file changed, 6 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+index 8937530a42d3d..5a3c11b0b3102 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+@@ -1328,6 +1328,12 @@ static int alloc_permits(struct rtrs_clt *clt)
+ 
+ static void free_permits(struct rtrs_clt *clt)
+ {
++      if (clt->permits_map) {
++              size_t sz = clt->queue_depth;
++
++              wait_event(clt->permits_wait,
++                         find_first_bit(clt->permits_map, sz) >= sz);
++      }
+       kfree(clt->permits_map);
+       clt->permits_map = NULL;
+       kfree(clt->permits);
+@@ -2630,19 +2636,8 @@ static struct rtrs_clt *alloc_clt(const char *sessname, size_t paths_num,
+       return ERR_PTR(err);
+ }
+ 
+-static void wait_for_inflight_permits(struct rtrs_clt *clt)
+-{
+-      if (clt->permits_map) {
+-              size_t sz = clt->queue_depth;
+-
+-              wait_event(clt->permits_wait,
+-                         find_first_bit(clt->permits_map, sz) >= sz);
+-      }
+-}
+-
+ static void free_clt(struct rtrs_clt *clt)
+ {
+-      wait_for_inflight_permits(clt);
+       free_permits(clt);
+       free_percpu(clt->pcpu_path);
+ 
+-- 
+2.34.1
+

diff --git a/queue-5.10/rdma-rtrs-clt-move-free_permit-from-free_clt-to-rtrs.patch b/queue-5.10/rdma-rtrs-clt-move-free_permit-from-free_clt-to-rtrs.patch
new file mode 100644 (file)
index 0000000..6661136
--- /dev/null
+++ b/queue-5.10/rdma-rtrs-clt-move-free_permit-from-free_clt-to-rtrs.patch
@@ -0,0 +1,49 @@
+From a77c0172ca90402b741845c88556be58012cbaf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Feb 2022 04:09:29 +0100
+Subject: RDMA/rtrs-clt: Move free_permit from free_clt to rtrs_clt_close
+
+From: Md Haris Iqbal <haris.iqbal@ionos.com>
+
+[ Upstream commit c46fa8911b17e3f808679061a8af8bee219f4602 ]
+
+Error path of rtrs_clt_open() calls free_clt(), where free_permit is
+called.  This is wrong since error path of rtrs_clt_open() does not need
+to call free_permit().
+
+Also, moving free_permits() call to rtrs_clt_close(), makes it more
+aligned with the call to alloc_permit() in rtrs_clt_open().
+
+Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality")
+Link: https://lore.kernel.org/r/20220217030929.323849-2-haris.iqbal@ionos.com
+Signed-off-by: Md Haris Iqbal <haris.iqbal@ionos.com>
+Reviewed-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-clt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+index 5a3c11b0b3102..13634eda833de 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+@@ -2638,7 +2638,6 @@ static struct rtrs_clt *alloc_clt(const char *sessname, size_t paths_num,
+ 
+ static void free_clt(struct rtrs_clt *clt)
+ {
+-      free_permits(clt);
+       free_percpu(clt->pcpu_path);
+ 
+       /*
+@@ -2759,6 +2758,7 @@ void rtrs_clt_close(struct rtrs_clt *clt)
+               rtrs_clt_destroy_sess_files(sess, NULL);
+               kobject_put(&sess->kobj);
+       }
++      free_permits(clt);
+       free_clt(clt);
+ }
+ EXPORT_SYMBOL(rtrs_clt_close);
+-- 
+2.34.1
+

diff --git a/queue-5.10/regmap-irq-update-interrupt-clear-register-for-prope.patch b/queue-5.10/regmap-irq-update-interrupt-clear-register-for-prope.patch
new file mode 100644 (file)
index 0000000..6b6a3a5
--- /dev/null
+++ b/queue-5.10/regmap-irq-update-interrupt-clear-register-for-prope.patch
@@ -0,0 +1,105 @@
+From 5e36315a30f9d78b774e59b93c71b57f369d1785 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Feb 2022 14:20:07 +0530
+Subject: regmap-irq: Update interrupt clear register for proper reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Prasad Kumpatla <quic_pkumpatl@quicinc.com>
+
+[ Upstream commit d04ad245d67a3991dfea5e108e4c452c2ab39bac ]
+
+With the existing logic where clear_ack is true (HW doesn’t support
+auto clear for ICR), interrupt clear register reset is not handled
+properly. Due to this only the first interrupts get processed properly
+and further interrupts are blocked due to not resetting interrupt
+clear register.
+
+Example for issue case where Invert_ack is false and clear_ack is true:
+
+    Say Default ISR=0x00 & ICR=0x00 and ISR is triggered with 2
+    interrupts making ISR = 0x11.
+
+    Step 1: Say ISR is set 0x11 (store status_buff = ISR). ISR needs to
+            be cleared with the help of ICR once the Interrupt is processed.
+
+    Step 2: Write ICR = 0x11 (status_buff), this will clear the ISR to 0x00.
+
+    Step 3: Issue - In the existing code, ICR is written with ICR =
+            ~(status_buff) i.e ICR = 0xEE -> This will block all the interrupts
+            from raising except for interrupts 0 and 4. So expectation here is to
+            reset ICR, which will unblock all the interrupts.
+
+            if (chip->clear_ack) {
+                 if (chip->ack_invert && !ret)
+                  ........
+                 else if (!ret)
+                     ret = regmap_write(map, reg,
+                            ~data->status_buf[i]);
+
+So writing 0 and 0xff (when ack_invert is true) should have no effect, other
+than clearing the ACKs just set.
+
+Fixes: 3a6f0fb7b8eb ("regmap: irq: Add support to clear ack registers")
+Signed-off-by: Prasad Kumpatla <quic_pkumpatl@quicinc.com>
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Link: https://lore.kernel.org/r/20220217085007.30218-1-quic_pkumpatl@quicinc.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap-irq.c | 20 ++++++--------------
+ 1 file changed, 6 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/base/regmap/regmap-irq.c b/drivers/base/regmap/regmap-irq.c
+index ad5c2de395d1f..87c5c421e0f46 100644
+--- a/drivers/base/regmap/regmap-irq.c
++++ b/drivers/base/regmap/regmap-irq.c
+@@ -170,11 +170,9 @@ static void regmap_irq_sync_unlock(struct irq_data *data)
+                               ret = regmap_write(map, reg, d->mask_buf[i]);
+                       if (d->chip->clear_ack) {
+                               if (d->chip->ack_invert && !ret)
+-                                      ret = regmap_write(map, reg,
+-                                                         d->mask_buf[i]);
++                                      ret = regmap_write(map, reg, UINT_MAX);
+                               else if (!ret)
+-                                      ret = regmap_write(map, reg,
+-                                                         ~d->mask_buf[i]);
++                                      ret = regmap_write(map, reg, 0);
+                       }
+                       if (ret != 0)
+                               dev_err(d->map->dev, "Failed to ack 0x%x: %d\n",
+@@ -509,11 +507,9 @@ static irqreturn_t regmap_irq_thread(int irq, void *d)
+                                               data->status_buf[i]);
+                       if (chip->clear_ack) {
+                               if (chip->ack_invert && !ret)
+-                                      ret = regmap_write(map, reg,
+-                                                      data->status_buf[i]);
++                                      ret = regmap_write(map, reg, UINT_MAX);
+                               else if (!ret)
+-                                      ret = regmap_write(map, reg,
+-                                                      ~data->status_buf[i]);
++                                      ret = regmap_write(map, reg, 0);
+                       }
+                       if (ret != 0)
+                               dev_err(map->dev, "Failed to ack 0x%x: %d\n",
+@@ -745,13 +741,9 @@ int regmap_add_irq_chip_fwnode(struct fwnode_handle *fwnode,
+                                       d->status_buf[i] & d->mask_buf[i]);
+                       if (chip->clear_ack) {
+                               if (chip->ack_invert && !ret)
+-                                      ret = regmap_write(map, reg,
+-                                              (d->status_buf[i] &
+-                                               d->mask_buf[i]));
++                                      ret = regmap_write(map, reg, UINT_MAX);
+                               else if (!ret)
+-                                      ret = regmap_write(map, reg,
+-                                              ~(d->status_buf[i] &
+-                                                d->mask_buf[i]));
++                                      ret = regmap_write(map, reg, 0);
+                       }
+                       if (ret != 0) {
+                               dev_err(map->dev, "Failed to ack 0x%x: %d\n",
+-- 
+2.34.1
+

diff --git a/queue-5.10/series b/queue-5.10/series
index 069e64311c9d2fda5809c0ceb489597c21473c1e..e75a9b232064a0b144e4bf95206d84a3755b665d 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -42,3 +42,10 @@ udp_tunnel-fix-end-of-loop-test-in-udp_tunnel_nic_unregister.patch
 net-mlx5-fix-possible-deadlock-on-rule-deletion.patch
 net-mlx5-fix-wrong-limitation-of-metadata-match-on-ecpf.patch
 net-mlx5e-ktls-use-checksum_unnecessary-for-device-offloaded-packets.patch
+spi-spi-zynq-qspi-fix-a-null-pointer-dereference-in-.patch
+regmap-irq-update-interrupt-clear-register-for-prope.patch
+rdma-rtrs-clt-fix-possible-double-free-in-error-case.patch
+rdma-rtrs-clt-kill-wait_for_inflight_permits.patch
+rdma-rtrs-clt-move-free_permit-from-free_clt-to-rtrs.patch
+configfs-fix-a-race-in-configfs_-un-register_subsyst.patch
+rdma-ib_srp-fix-a-deadlock.patch

diff --git a/queue-5.10/spi-spi-zynq-qspi-fix-a-null-pointer-dereference-in-.patch b/queue-5.10/spi-spi-zynq-qspi-fix-a-null-pointer-dereference-in-.patch
new file mode 100644 (file)
index 0000000..2fd6c9b
--- /dev/null
+++ b/queue-5.10/spi-spi-zynq-qspi-fix-a-null-pointer-dereference-in-.patch
@@ -0,0 +1,55 @@
+From 9124f2fcff30df4086e6dab80a7ac30731c4ed73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 01:22:53 +0800
+Subject: spi: spi-zynq-qspi: Fix a NULL pointer dereference in
+ zynq_qspi_exec_mem_op()
+
+From: Zhou Qingyang <zhou1615@umn.edu>
+
+[ Upstream commit ab3824427b848da10e9fe2727f035bbeecae6ff4 ]
+
+In zynq_qspi_exec_mem_op(), kzalloc() is directly used in memset(),
+which could lead to a NULL pointer dereference on failure of
+kzalloc().
+
+Fix this bug by adding a check of tmpbuf.
+
+This bug was found by a static analyzer. The analysis employs
+differential checking to identify inconsistent security operations
+(e.g., checks or kfrees) between two code paths and confirms that the
+inconsistent operations are not recovered in the current function or
+the callers, so they constitute bugs.
+
+Note that, as a bug found by static analysis, it can be a false
+positive or hard to trigger. Multiple researchers have cross-reviewed
+the bug.
+
+Builds with CONFIG_SPI_ZYNQ_QSPI=m show no new warnings,
+and our static analyzer no longer warns about this code.
+
+Fixes: 67dca5e580f1 ("spi: spi-mem: Add support for Zynq QSPI controller")
+Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
+Link: https://lore.kernel.org/r/20211130172253.203700-1-zhou1615@umn.edu
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-zynq-qspi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/spi/spi-zynq-qspi.c b/drivers/spi/spi-zynq-qspi.c
+index b635835729d66..13c0b15fe1764 100644
+--- a/drivers/spi/spi-zynq-qspi.c
++++ b/drivers/spi/spi-zynq-qspi.c
+@@ -570,6 +570,9 @@ static int zynq_qspi_exec_mem_op(struct spi_mem *mem,
+ 
+       if (op->dummy.nbytes) {
+               tmpbuf = kzalloc(op->dummy.nbytes, GFP_KERNEL);
++              if (!tmpbuf)
++                      return -ENOMEM;
++
+               memset(tmpbuf, 0xff, op->dummy.nbytes);
+               reinit_completion(&xqspi->data_completion);
+               xqspi->txbuf = tmpbuf;
+-- 
+2.34.1
+