--- /dev/null
+From 41e46b3c2aa24f755b2ae9ec4ce931ba5f0d8532 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Date: Fri, 3 Jun 2022 11:19:05 +0900
+Subject: block: Fix potential deadlock in blk_ia_range_sysfs_show()
+
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+
+commit 41e46b3c2aa24f755b2ae9ec4ce931ba5f0d8532 upstream.
+
+When being read, a sysfs attribute is already protected against removal
+with the kobject node active reference counter. As a result, in
+blk_ia_range_sysfs_show(), there is no need to take the queue sysfs
+lock when reading the value of a range attribute. Using the queue sysfs
+lock in this function creates a potential deadlock situation with the
+disk removal, something that a lockdep signals with a splat when the
+device is removed:
+
+[ 760.703551] Possible unsafe locking scenario:
+[ 760.703551]
+[ 760.703554] CPU0 CPU1
+[ 760.703556] ---- ----
+[ 760.703558] lock(&q->sysfs_lock);
+[ 760.703565] lock(kn->active#385);
+[ 760.703573] lock(&q->sysfs_lock);
+[ 760.703579] lock(kn->active#385);
+[ 760.703587]
+[ 760.703587] *** DEADLOCK ***
+
+Solve this by removing the mutex_lock()/mutex_unlock() calls from
+blk_ia_range_sysfs_show().
+
+Fixes: a2247f19ee1c ("block: Add independent access ranges support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Link: https://lore.kernel.org/r/20220603021905.1441419-1-damien.lemoal@opensource.wdc.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-ia-ranges.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/block/blk-ia-ranges.c
++++ b/block/blk-ia-ranges.c
+@@ -54,13 +54,8 @@ static ssize_t blk_ia_range_sysfs_show(s
+ container_of(attr, struct blk_ia_range_sysfs_entry, attr);
+ struct blk_independent_access_range *iar =
+ container_of(kobj, struct blk_independent_access_range, kobj);
+- ssize_t ret;
+
+- mutex_lock(&iar->queue->sysfs_lock);
+- ret = entry->show(iar, buf);
+- mutex_unlock(&iar->queue->sysfs_lock);
+-
+- return ret;
++ return entry->show(iar, buf);
+ }
+
+ static const struct sysfs_ops blk_ia_range_sysfs_ops = {
--- /dev/null
+From 1689c169134f4b5a39156122d799b7dca76d8ddb Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Fri, 29 Apr 2022 11:06:51 -0400
+Subject: dlm: fix missing lkb refcount handling
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 1689c169134f4b5a39156122d799b7dca76d8ddb upstream.
+
+We always call hold_lkb(lkb) if we increment lkb->lkb_wait_count.
+So, we always need to call unhold_lkb(lkb) if we decrement
+lkb->lkb_wait_count. This patch will add missing unhold_lkb(lkb) if we
+decrement lkb->lkb_wait_count. In case of setting lkb->lkb_wait_count to
+zero we need to countdown until reaching zero and call unhold_lkb(lkb).
+The waiters list unhold_lkb(lkb) can be removed because it's done for
+the last lkb_wait_count decrement iteration as it's done in
+_remove_from_waiters().
+
+This issue was discovered by a dlm gfs2 test case which use excessively
+dlm_unlock(LKF_CANCEL) feature. Probably the lkb->lkb_wait_count value
+never reached above 1 if this feature isn't used and so it was not
+discovered before.
+
+The testcase ended in a rsb on the rsb keep data structure with a
+refcount of 1 but no lkb was associated with it, which is itself
+an invalid behaviour. A side effect of that was a condition in which
+the dlm was sending remove messages in a looping behaviour. With this
+patch that has not been reproduced.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dlm/lock.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -1559,6 +1559,7 @@ static int _remove_from_waiters(struct d
+ lkb->lkb_wait_type = 0;
+ lkb->lkb_flags &= ~DLM_IFL_OVERLAP_CANCEL;
+ lkb->lkb_wait_count--;
++ unhold_lkb(lkb);
+ goto out_del;
+ }
+
+@@ -1585,6 +1586,7 @@ static int _remove_from_waiters(struct d
+ log_error(ls, "remwait error %x reply %d wait_type %d overlap",
+ lkb->lkb_id, mstype, lkb->lkb_wait_type);
+ lkb->lkb_wait_count--;
++ unhold_lkb(lkb);
+ lkb->lkb_wait_type = 0;
+ }
+
+@@ -5331,11 +5333,16 @@ int dlm_recover_waiters_post(struct dlm_
+ lkb->lkb_flags &= ~DLM_IFL_OVERLAP_UNLOCK;
+ lkb->lkb_flags &= ~DLM_IFL_OVERLAP_CANCEL;
+ lkb->lkb_wait_type = 0;
+- lkb->lkb_wait_count = 0;
++ /* drop all wait_count references we still
++ * hold a reference for this iteration.
++ */
++ while (lkb->lkb_wait_count) {
++ lkb->lkb_wait_count--;
++ unhold_lkb(lkb);
++ }
+ mutex_lock(&ls->ls_waiters_mutex);
+ list_del_init(&lkb->lkb_wait_reply);
+ mutex_unlock(&ls->ls_waiters_mutex);
+- unhold_lkb(lkb); /* for waiters list */
+
+ if (oc || ou) {
+ /* do an unlock or cancel instead of resending */
--- /dev/null
+From 42252d0d2aa9b94d168241710a761588b3959019 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Mon, 4 Apr 2022 16:06:30 -0400
+Subject: dlm: fix plock invalid read
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 42252d0d2aa9b94d168241710a761588b3959019 upstream.
+
+This patch fixes an invalid read showed by KASAN. A unlock will allocate a
+"struct plock_op" and a followed send_op() will append it to a global
+send_list data structure. In some cases a followed dev_read() moves it
+to recv_list and dev_write() will cast it to "struct plock_xop" and access
+fields which are only available in those structures. At this point an
+invalid read happens by accessing those fields.
+
+To fix this issue the "callback" field is moved to "struct plock_op" to
+indicate that a cast to "plock_xop" is allowed and does the additional
+"plock_xop" handling if set.
+
+Example of the KASAN output which showed the invalid read:
+
+[ 2064.296453] ==================================================================
+[ 2064.304852] BUG: KASAN: slab-out-of-bounds in dev_write+0x52b/0x5a0 [dlm]
+[ 2064.306491] Read of size 8 at addr ffff88800ef227d8 by task dlm_controld/7484
+[ 2064.308168]
+[ 2064.308575] CPU: 0 PID: 7484 Comm: dlm_controld Kdump: loaded Not tainted 5.14.0+ #9
+[ 2064.310292] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+[ 2064.311618] Call Trace:
+[ 2064.312218] dump_stack_lvl+0x56/0x7b
+[ 2064.313150] print_address_description.constprop.8+0x21/0x150
+[ 2064.314578] ? dev_write+0x52b/0x5a0 [dlm]
+[ 2064.315610] ? dev_write+0x52b/0x5a0 [dlm]
+[ 2064.316595] kasan_report.cold.14+0x7f/0x11b
+[ 2064.317674] ? dev_write+0x52b/0x5a0 [dlm]
+[ 2064.318687] dev_write+0x52b/0x5a0 [dlm]
+[ 2064.319629] ? dev_read+0x4a0/0x4a0 [dlm]
+[ 2064.320713] ? bpf_lsm_kernfs_init_security+0x10/0x10
+[ 2064.321926] vfs_write+0x17e/0x930
+[ 2064.322769] ? __fget_light+0x1aa/0x220
+[ 2064.323753] ksys_write+0xf1/0x1c0
+[ 2064.324548] ? __ia32_sys_read+0xb0/0xb0
+[ 2064.325464] do_syscall_64+0x3a/0x80
+[ 2064.326387] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[ 2064.327606] RIP: 0033:0x7f807e4ba96f
+[ 2064.328470] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 39 87 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 7c 87 f8 ff 48
+[ 2064.332902] RSP: 002b:00007ffd50cfe6e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
+[ 2064.334658] RAX: ffffffffffffffda RBX: 000055cc3886eb30 RCX: 00007f807e4ba96f
+[ 2064.336275] RDX: 0000000000000040 RSI: 00007ffd50cfe7e0 RDI: 0000000000000010
+[ 2064.337980] RBP: 00007ffd50cfe7e0 R08: 0000000000000000 R09: 0000000000000001
+[ 2064.339560] R10: 000055cc3886eb30 R11: 0000000000000293 R12: 000055cc3886eb80
+[ 2064.341237] R13: 000055cc3886eb00 R14: 000055cc3886f590 R15: 0000000000000001
+[ 2064.342857]
+[ 2064.343226] Allocated by task 12438:
+[ 2064.344057] kasan_save_stack+0x1c/0x40
+[ 2064.345079] __kasan_kmalloc+0x84/0xa0
+[ 2064.345933] kmem_cache_alloc_trace+0x13b/0x220
+[ 2064.346953] dlm_posix_unlock+0xec/0x720 [dlm]
+[ 2064.348811] do_lock_file_wait.part.32+0xca/0x1d0
+[ 2064.351070] fcntl_setlk+0x281/0xbc0
+[ 2064.352879] do_fcntl+0x5e4/0xfe0
+[ 2064.354657] __x64_sys_fcntl+0x11f/0x170
+[ 2064.356550] do_syscall_64+0x3a/0x80
+[ 2064.358259] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[ 2064.360745]
+[ 2064.361511] Last potentially related work creation:
+[ 2064.363957] kasan_save_stack+0x1c/0x40
+[ 2064.365811] __kasan_record_aux_stack+0xaf/0xc0
+[ 2064.368100] call_rcu+0x11b/0xf70
+[ 2064.369785] dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]
+[ 2064.372404] receive_from_sock+0x290/0x770 [dlm]
+[ 2064.374607] process_recv_sockets+0x32/0x40 [dlm]
+[ 2064.377290] process_one_work+0x9a8/0x16e0
+[ 2064.379357] worker_thread+0x87/0xbf0
+[ 2064.381188] kthread+0x3ac/0x490
+[ 2064.383460] ret_from_fork+0x22/0x30
+[ 2064.385588]
+[ 2064.386518] Second to last potentially related work creation:
+[ 2064.389219] kasan_save_stack+0x1c/0x40
+[ 2064.391043] __kasan_record_aux_stack+0xaf/0xc0
+[ 2064.393303] call_rcu+0x11b/0xf70
+[ 2064.394885] dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]
+[ 2064.397694] receive_from_sock+0x290/0x770 [dlm]
+[ 2064.399932] process_recv_sockets+0x32/0x40 [dlm]
+[ 2064.402180] process_one_work+0x9a8/0x16e0
+[ 2064.404388] worker_thread+0x87/0xbf0
+[ 2064.406124] kthread+0x3ac/0x490
+[ 2064.408021] ret_from_fork+0x22/0x30
+[ 2064.409834]
+[ 2064.410599] The buggy address belongs to the object at ffff88800ef22780
+[ 2064.410599] which belongs to the cache kmalloc-96 of size 96
+[ 2064.416495] The buggy address is located 88 bytes inside of
+[ 2064.416495] 96-byte region [ffff88800ef22780, ffff88800ef227e0)
+[ 2064.422045] The buggy address belongs to the page:
+[ 2064.424635] page:00000000b6bef8bc refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xef22
+[ 2064.428970] flags: 0xfffffc0000200(slab|node=0|zone=1|lastcpupid=0x1fffff)
+[ 2064.432515] raw: 000fffffc0000200 ffffea0000d68b80 0000001400000014 ffff888001041780
+[ 2064.436110] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
+[ 2064.439813] page dumped because: kasan: bad access detected
+[ 2064.442548]
+[ 2064.443310] Memory state around the buggy address:
+[ 2064.445988] ffff88800ef22680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
+[ 2064.449444] ffff88800ef22700: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
+[ 2064.452941] >ffff88800ef22780: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
+[ 2064.456383] ^
+[ 2064.459386] ffff88800ef22800: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
+[ 2064.462788] ffff88800ef22880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
+[ 2064.466239] ==================================================================
+
+reproducer in python:
+
+import argparse
+import struct
+import fcntl
+import os
+
+parser = argparse.ArgumentParser()
+
+parser.add_argument('-f', '--file',
+ help='file to use fcntl, must be on dlm lock filesystem e.g. gfs2')
+
+args = parser.parse_args()
+
+f = open(args.file, 'wb+')
+
+lockdata = struct.pack('hhllhh', fcntl.F_WRLCK,0,0,0,0,0)
+fcntl.fcntl(f, fcntl.F_SETLK, lockdata)
+lockdata = struct.pack('hhllhh', fcntl.F_UNLCK,0,0,0,0,0)
+fcntl.fcntl(f, fcntl.F_SETLK, lockdata)
+
+Fixes: 586759f03e2e ("gfs2: nfs lock support for gfs2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dlm/plock.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/fs/dlm/plock.c
++++ b/fs/dlm/plock.c
+@@ -23,11 +23,11 @@ struct plock_op {
+ struct list_head list;
+ int done;
+ struct dlm_plock_info info;
++ int (*callback)(struct file_lock *fl, int result);
+ };
+
+ struct plock_xop {
+ struct plock_op xop;
+- int (*callback)(struct file_lock *fl, int result);
+ void *fl;
+ void *file;
+ struct file_lock flc;
+@@ -129,19 +129,18 @@ int dlm_posix_lock(dlm_lockspace_t *lock
+ /* fl_owner is lockd which doesn't distinguish
+ processes on the nfs client */
+ op->info.owner = (__u64) fl->fl_pid;
+- xop->callback = fl->fl_lmops->lm_grant;
++ op->callback = fl->fl_lmops->lm_grant;
+ locks_init_lock(&xop->flc);
+ locks_copy_lock(&xop->flc, fl);
+ xop->fl = fl;
+ xop->file = file;
+ } else {
+ op->info.owner = (__u64)(long) fl->fl_owner;
+- xop->callback = NULL;
+ }
+
+ send_op(op);
+
+- if (xop->callback == NULL) {
++ if (!op->callback) {
+ rv = wait_event_interruptible(recv_wq, (op->done != 0));
+ if (rv == -ERESTARTSYS) {
+ log_debug(ls, "dlm_posix_lock: wait killed %llx",
+@@ -203,7 +202,7 @@ static int dlm_plock_callback(struct plo
+ file = xop->file;
+ flc = &xop->flc;
+ fl = xop->fl;
+- notify = xop->callback;
++ notify = op->callback;
+
+ if (op->info.rv) {
+ notify(fl, op->info.rv);
+@@ -436,10 +435,9 @@ static ssize_t dev_write(struct file *fi
+ if (op->info.fsid == info.fsid &&
+ op->info.number == info.number &&
+ op->info.owner == info.owner) {
+- struct plock_xop *xop = (struct plock_xop *)op;
+ list_del_init(&op->list);
+ memcpy(&op->info, &info, sizeof(info));
+- if (xop->callback)
++ if (op->callback)
+ do_callback = 1;
+ else
+ op->done = 1;
--- /dev/null
+From f6f7418357457ed58cbb020fc97e74d4e0e7b47f Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Wed, 6 Apr 2022 13:34:15 -0400
+Subject: dlm: fix wake_up() calls for pending remove
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit f6f7418357457ed58cbb020fc97e74d4e0e7b47f upstream.
+
+This patch move the wake_up() call at the point when a remove message
+completed. Before it was only when a remove message was going to be
+sent. The possible waiter in wait_pending_remove() waits until a remove
+is done if the resource name matches with the per ls variable
+ls->ls_remove_name. If this is the case we must wait until a pending
+remove is done which is indicated if DLM_WAIT_PENDING_COND() returns
+false which will always be the case when ls_remove_len and
+ls_remove_name are unset to indicate that a remove is not going on
+anymore.
+
+Fixes: 21d9ac1a5376 ("fs: dlm: use event based wait for pending remove")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dlm/lock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -1795,7 +1795,6 @@ static void shrink_bucket(struct dlm_ls
+ memcpy(ls->ls_remove_name, name, DLM_RESNAME_MAXLEN);
+ spin_unlock(&ls->ls_remove_spin);
+ spin_unlock(&ls->ls_rsbtbl[b].lock);
+- wake_up(&ls->ls_remove_wait);
+
+ send_remove(r);
+
+@@ -1804,6 +1803,7 @@ static void shrink_bucket(struct dlm_ls
+ ls->ls_remove_len = 0;
+ memset(ls->ls_remove_name, 0, DLM_RESNAME_MAXLEN);
+ spin_unlock(&ls->ls_remove_spin);
++ wake_up(&ls->ls_remove_wait);
+
+ dlm_free_rsb(r);
+ }
+@@ -4079,7 +4079,6 @@ static void send_repeat_remove(struct dl
+ memcpy(ls->ls_remove_name, name, DLM_RESNAME_MAXLEN);
+ spin_unlock(&ls->ls_remove_spin);
+ spin_unlock(&ls->ls_rsbtbl[b].lock);
+- wake_up(&ls->ls_remove_wait);
+
+ rv = _create_message(ls, sizeof(struct dlm_message) + len,
+ dir_nodeid, DLM_MSG_REMOVE, &ms, &mh);
+@@ -4095,6 +4094,7 @@ static void send_repeat_remove(struct dl
+ ls->ls_remove_len = 0;
+ memset(ls->ls_remove_name, 0, DLM_RESNAME_MAXLEN);
+ spin_unlock(&ls->ls_remove_spin);
++ wake_up(&ls->ls_remove_wait);
+ }
+
+ static int receive_request(struct dlm_ls *ls, struct dlm_message *ms)
--- /dev/null
+From 1f4f10845e14690b02410de50d9ea9684625a4ae Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 4 Apr 2022 16:06:28 -0400
+Subject: dlm: uninitialized variable on error in dlm_listen_for_all()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 1f4f10845e14690b02410de50d9ea9684625a4ae upstream.
+
+The "sock" variable is not initialized on this error path.
+
+Cc: stable@vger.kernel.org
+Fixes: 2dc6b1158c28 ("fs: dlm: introduce generic listen")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dlm/lowcomms.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/dlm/lowcomms.c
++++ b/fs/dlm/lowcomms.c
+@@ -1789,7 +1789,7 @@ static int dlm_listen_for_all(void)
+ SOCK_STREAM, dlm_proto_ops->proto, &sock);
+ if (result < 0) {
+ log_print("Can't create comms socket: %d", result);
+- goto out;
++ return result;
+ }
+
+ sock_set_mark(sock->sk, dlm_config.ci_mark);
--- /dev/null
+From 62e9bd20035b53ff6c679499c08546d96c6c60a7 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 24 May 2022 23:23:59 -0400
+Subject: drm/amdgpu: add beige goby PCI ID
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 62e9bd20035b53ff6c679499c08546d96c6c60a7 upstream.
+
+Add a beige goby PCI ID.
+
+Reviewed-by: Guchun Chen <guchun.chen@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -1955,6 +1955,7 @@ static const struct pci_device_id pciidl
+ {0x1002, 0x7421, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_BEIGE_GOBY},
+ {0x1002, 0x7422, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_BEIGE_GOBY},
+ {0x1002, 0x7423, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_BEIGE_GOBY},
++ {0x1002, 0x7424, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_BEIGE_GOBY},
+ {0x1002, 0x743F, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_BEIGE_GOBY},
+
+ { PCI_DEVICE(0x1002, PCI_ANY_ID),
--- /dev/null
+From bbe832b9db2e1ad21522f8f0bf02775fff8a0e0e Mon Sep 17 00:00:00 2001
+From: Rei Yamamoto <yamamoto.rei@jp.fujitsu.com>
+Date: Fri, 13 May 2022 16:48:57 -0700
+Subject: mm, compaction: fast_find_migrateblock() should return pfn in the target zone
+
+From: Rei Yamamoto <yamamoto.rei@jp.fujitsu.com>
+
+commit bbe832b9db2e1ad21522f8f0bf02775fff8a0e0e upstream.
+
+At present, pages not in the target zone are added to cc->migratepages
+list in isolate_migratepages_block(). As a result, pages may migrate
+between nodes unintentionally.
+
+This would be a serious problem for older kernels without commit
+a984226f457f849e ("mm: memcontrol: remove the pgdata parameter of
+mem_cgroup_page_lruvec"), because it can corrupt the lru list by
+handling pages in list without holding proper lru_lock.
+
+Avoid returning a pfn outside the target zone in the case that it is
+not aligned with a pageblock boundary. Otherwise
+isolate_migratepages_block() will handle pages not in the target zone.
+
+Link: https://lkml.kernel.org/r/20220511044300.4069-1-yamamoto.rei@jp.fujitsu.com
+Fixes: 70b44595eafe ("mm, compaction: use free lists to quickly locate a migration source")
+Signed-off-by: Rei Yamamoto <yamamoto.rei@jp.fujitsu.com>
+Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
+Acked-by: Mel Gorman <mgorman@techsingularity.net>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Cc: Don Dutile <ddutile@redhat.com>
+Cc: Wonhyuk Yang <vvghjk1234@gmail.com>
+Cc: Rei Yamamoto <yamamoto.rei@jp.fujitsu.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/compaction.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/compaction.c
++++ b/mm/compaction.c
+@@ -1821,6 +1821,8 @@ static unsigned long fast_find_migratebl
+
+ update_fast_start_pfn(cc, free_pfn);
+ pfn = pageblock_start_pfn(free_pfn);
++ if (pfn < cc->zone->zone_start_pfn)
++ pfn = cc->zone->zone_start_pfn;
+ cc->fast_search_fail = 0;
+ found_block = true;
+ set_pageblock_skip(freepage);
--- /dev/null
+From 863e0d81b6683c4cbc588ad831f560c90e494bef Mon Sep 17 00:00:00 2001
+From: Junxiao Bi via Ocfs2-devel <ocfs2-devel@oss.oracle.com>
+Date: Wed, 18 May 2022 16:52:24 -0700
+Subject: ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock
+
+From: Junxiao Bi via Ocfs2-devel <ocfs2-devel@oss.oracle.com>
+
+commit 863e0d81b6683c4cbc588ad831f560c90e494bef upstream.
+
+When user_dlm_destroy_lock failed, it didn't clean up the flags it set
+before exit. For USER_LOCK_IN_TEARDOWN, if this function fails because of
+lock is still in used, next time when unlink invokes this function, it
+will return succeed, and then unlink will remove inode and dentry if lock
+is not in used(file closed), but the dlm lock is still linked in dlm lock
+resource, then when bast come in, it will trigger a panic due to
+user-after-free. See the following panic call trace. To fix this,
+USER_LOCK_IN_TEARDOWN should be reverted if fail. And also error should
+be returned if USER_LOCK_IN_TEARDOWN is set to let user know that unlink
+fail.
+
+For the case of ocfs2_dlm_unlock failure, besides USER_LOCK_IN_TEARDOWN,
+USER_LOCK_BUSY is also required to be cleared. Even though spin lock is
+released in between, but USER_LOCK_IN_TEARDOWN is still set, for
+USER_LOCK_BUSY, if before every place that waits on this flag,
+USER_LOCK_IN_TEARDOWN is checked to bail out, that will make sure no flow
+waits on the busy flag set by user_dlm_destroy_lock(), then we can
+simplely revert USER_LOCK_BUSY when ocfs2_dlm_unlock fails. Fix
+user_dlm_cluster_lock() which is the only function not following this.
+
+[ 941.336392] (python,26174,16):dlmfs_unlink:562 ERROR: unlink
+004fb0000060000b5a90b8c847b72e1, error -16 from destroy
+[ 989.757536] ------------[ cut here ]------------
+[ 989.757709] kernel BUG at fs/ocfs2/dlmfs/userdlm.c:173!
+[ 989.757876] invalid opcode: 0000 [#1] SMP
+[ 989.758027] Modules linked in: ksplice_2zhuk2jr_ib_ipoib_new(O)
+ksplice_2zhuk2jr(O) mptctl mptbase xen_netback xen_blkback xen_gntalloc
+xen_gntdev xen_evtchn cdc_ether usbnet mii ocfs2 jbd2 rpcsec_gss_krb5
+auth_rpcgss nfsv4 nfsv3 nfs_acl nfs fscache lockd grace ocfs2_dlmfs
+ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc
+fcoe libfcoe libfc scsi_transport_fc sunrpc ipmi_devintf bridge stp llc
+rds_rdma rds bonding ib_sdp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad
+rdma_cm ib_cm iw_cm falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE)
+mlx4_vnic falcon_kal(E) falcon_lsm_pinned_13402(E) mlx4_ib ib_sa ib_mad
+ib_core ib_addr xenfs xen_privcmd dm_multipath iTCO_wdt iTCO_vendor_support
+pcspkr sb_edac edac_core i2c_i801 lpc_ich mfd_core ipmi_ssif i2c_core ipmi_si
+ipmi_msghandler
+[ 989.760686] ioatdma sg ext3 jbd mbcache sd_mod ahci libahci ixgbe dca ptp
+pps_core vxlan udp_tunnel ip6_udp_tunnel megaraid_sas mlx4_core crc32c_intel
+be2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio
+libiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi wmi
+dm_mirror dm_region_hash dm_log dm_mod [last unloaded:
+ksplice_2zhuk2jr_ib_ipoib_old]
+[ 989.761987] CPU: 10 PID: 19102 Comm: dlm_thread Tainted: P OE
+4.1.12-124.57.1.el6uek.x86_64 #2
+[ 989.762290] Hardware name: Oracle Corporation ORACLE SERVER
+X5-2/ASM,MOTHERBOARD,1U, BIOS 30350100 06/17/2021
+[ 989.762599] task: ffff880178af6200 ti: ffff88017f7c8000 task.ti:
+ffff88017f7c8000
+[ 989.762848] RIP: e030:[<ffffffffc07d4316>] [<ffffffffc07d4316>]
+__user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs]
+[ 989.763185] RSP: e02b:ffff88017f7cbcb8 EFLAGS: 00010246
+[ 989.763353] RAX: 0000000000000000 RBX: ffff880174d48008 RCX:
+0000000000000003
+[ 989.763565] RDX: 0000000000120012 RSI: 0000000000000003 RDI:
+ffff880174d48170
+[ 989.763778] RBP: ffff88017f7cbcc8 R08: ffff88021f4293b0 R09:
+0000000000000000
+[ 989.763991] R10: ffff880179c8c000 R11: 0000000000000003 R12:
+ffff880174d48008
+[ 989.764204] R13: 0000000000000003 R14: ffff880179c8c000 R15:
+ffff88021db7a000
+[ 989.764422] FS: 0000000000000000(0000) GS:ffff880247480000(0000)
+knlGS:ffff880247480000
+[ 989.764685] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 989.764865] CR2: ffff8000007f6800 CR3: 0000000001ae0000 CR4:
+0000000000042660
+[ 989.765081] Stack:
+[ 989.765167] 0000000000000003 ffff880174d48040 ffff88017f7cbd18
+ffffffffc07d455f
+[ 989.765442] ffff88017f7cbd88 ffffffff816fb639 ffff88017f7cbd38
+ffff8800361b5600
+[ 989.765717] ffff88021db7a000 ffff88021f429380 0000000000000003
+ffffffffc0453020
+[ 989.765991] Call Trace:
+[ 989.766093] [<ffffffffc07d455f>] user_bast+0x5f/0xf0 [ocfs2_dlmfs]
+[ 989.766287] [<ffffffff816fb639>] ? schedule_timeout+0x169/0x2d0
+[ 989.766475] [<ffffffffc0453020>] ? o2dlm_lock_ast_wrapper+0x20/0x20
+[ocfs2_stack_o2cb]
+[ 989.766738] [<ffffffffc045303a>] o2dlm_blocking_ast_wrapper+0x1a/0x20
+[ocfs2_stack_o2cb]
+[ 989.767010] [<ffffffffc0864ec6>] dlm_do_local_bast+0x46/0xe0 [ocfs2_dlm]
+[ 989.767217] [<ffffffffc084f5cc>] ? dlm_lockres_calc_usage+0x4c/0x60
+[ocfs2_dlm]
+[ 989.767466] [<ffffffffc08501f1>] dlm_thread+0xa31/0x1140 [ocfs2_dlm]
+[ 989.767662] [<ffffffff816f78da>] ? __schedule+0x24a/0x810
+[ 989.767834] [<ffffffff816f78ce>] ? __schedule+0x23e/0x810
+[ 989.768006] [<ffffffff816f78da>] ? __schedule+0x24a/0x810
+[ 989.768178] [<ffffffff816f78ce>] ? __schedule+0x23e/0x810
+[ 989.768349] [<ffffffff816f78da>] ? __schedule+0x24a/0x810
+[ 989.768521] [<ffffffff816f78ce>] ? __schedule+0x23e/0x810
+[ 989.768693] [<ffffffff816f78da>] ? __schedule+0x24a/0x810
+[ 989.768893] [<ffffffff816f78ce>] ? __schedule+0x23e/0x810
+[ 989.769067] [<ffffffff816f78da>] ? __schedule+0x24a/0x810
+[ 989.769241] [<ffffffff810ce4d0>] ? wait_woken+0x90/0x90
+[ 989.769411] [<ffffffffc084f7c0>] ? dlm_kick_thread+0x80/0x80 [ocfs2_dlm]
+[ 989.769617] [<ffffffff810a8bbb>] kthread+0xcb/0xf0
+[ 989.769774] [<ffffffff816f78da>] ? __schedule+0x24a/0x810
+[ 989.769945] [<ffffffff816f78da>] ? __schedule+0x24a/0x810
+[ 989.770117] [<ffffffff810a8af0>] ? kthread_create_on_node+0x180/0x180
+[ 989.770321] [<ffffffff816fdaa1>] ret_from_fork+0x61/0x90
+[ 989.770492] [<ffffffff810a8af0>] ? kthread_create_on_node+0x180/0x180
+[ 989.770689] Code: d0 00 00 00 f0 45 7d c0 bf 00 20 00 00 48 89 83 c0 00 00
+00 48 89 83 c8 00 00 00 e8 55 c1 8c c0 83 4b 04 10 48 83 c4 08 5b 5d c3 <0f>
+0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 55 41 54 53 48 83
+[ 989.771892] RIP [<ffffffffc07d4316>]
+__user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs]
+[ 989.772174] RSP <ffff88017f7cbcb8>
+[ 989.772704] ---[ end trace ebd1e38cebcc93a8 ]---
+[ 989.772907] Kernel panic - not syncing: Fatal exception
+[ 989.773173] Kernel Offset: disabled
+
+Link: https://lkml.kernel.org/r/20220518235224.87100-2-junxiao.bi@oracle.com
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/dlmfs/userdlm.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/fs/ocfs2/dlmfs/userdlm.c
++++ b/fs/ocfs2/dlmfs/userdlm.c
+@@ -433,6 +433,11 @@ again:
+ }
+
+ spin_lock(&lockres->l_lock);
++ if (lockres->l_flags & USER_LOCK_IN_TEARDOWN) {
++ spin_unlock(&lockres->l_lock);
++ status = -EAGAIN;
++ goto bail;
++ }
+
+ /* We only compare against the currently granted level
+ * here. If the lock is blocked waiting on a downconvert,
+@@ -595,7 +600,7 @@ int user_dlm_destroy_lock(struct user_lo
+ spin_lock(&lockres->l_lock);
+ if (lockres->l_flags & USER_LOCK_IN_TEARDOWN) {
+ spin_unlock(&lockres->l_lock);
+- return 0;
++ goto bail;
+ }
+
+ lockres->l_flags |= USER_LOCK_IN_TEARDOWN;
+@@ -609,12 +614,17 @@ int user_dlm_destroy_lock(struct user_lo
+ }
+
+ if (lockres->l_ro_holders || lockres->l_ex_holders) {
++ lockres->l_flags &= ~USER_LOCK_IN_TEARDOWN;
+ spin_unlock(&lockres->l_lock);
+ goto bail;
+ }
+
+ status = 0;
+ if (!(lockres->l_flags & USER_LOCK_ATTACHED)) {
++ /*
++ * lock is never requested, leave USER_LOCK_IN_TEARDOWN set
++ * to avoid new lock request coming in.
++ */
+ spin_unlock(&lockres->l_lock);
+ goto bail;
+ }
+@@ -625,6 +635,10 @@ int user_dlm_destroy_lock(struct user_lo
+
+ status = ocfs2_dlm_unlock(conn, &lockres->l_lksb, DLM_LKF_VALBLK);
+ if (status) {
++ spin_lock(&lockres->l_lock);
++ lockres->l_flags &= ~USER_LOCK_IN_TEARDOWN;
++ lockres->l_flags &= ~USER_LOCK_BUSY;
++ spin_unlock(&lockres->l_lock);
+ user_log_dlm_error("ocfs2_dlm_unlock", status, lockres);
+ goto bail;
+ }
--- /dev/null
+From 12068bb346db5776d0ec9bb4cd073f8427a1ac92 Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Thu, 26 May 2022 16:52:23 -0500
+Subject: PCI/PM: Fix bridge_d3_blacklist[] Elo i2 overwrite of Gigabyte X299
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit 12068bb346db5776d0ec9bb4cd073f8427a1ac92 upstream.
+
+92597f97a40b ("PCI/PM: Avoid putting Elo i2 PCIe Ports in D3cold") omitted
+braces around the new Elo i2 entry, so it overwrote the existing Gigabyte
+X299 entry. Add the appropriate braces.
+
+Found by:
+
+ $ make W=1 drivers/pci/pci.o
+ CC drivers/pci/pci.o
+ drivers/pci/pci.c:2974:12: error: initialized field overwritten [-Werror=override-init]
+ 2974 | .ident = "Elo i2",
+ | ^~~~~~~~
+
+Link: https://lore.kernel.org/r/20220526221258.GA409855@bhelgaas
+Fixes: 92597f97a40b ("PCI/PM: Avoid putting Elo i2 PCIe Ports in D3cold")
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v5.15+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -2920,6 +2920,8 @@ static const struct dmi_system_id bridge
+ DMI_MATCH(DMI_BOARD_VENDOR, "Gigabyte Technology Co., Ltd."),
+ DMI_MATCH(DMI_BOARD_NAME, "X299 DESIGNARE EX-CF"),
+ },
++ },
++ {
+ /*
+ * Downstream device is not accessible after putting a root port
+ * into D3cold and back into D0 on Elo i2.
--- /dev/null
+From 87d83b96c8d6c6c2d2096bd0bdba73bcf42b8ef0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Fri, 1 Apr 2022 15:38:53 +0200
+Subject: PCI: qcom: Fix runtime PM imbalance on probe errors
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 87d83b96c8d6c6c2d2096bd0bdba73bcf42b8ef0 upstream.
+
+Drop the leftover pm_runtime_disable() calls from the late probe error
+paths that would, for example, prevent runtime PM from being reenabled
+after a probe deferral.
+
+Link: https://lore.kernel.org/r/20220401133854.10421-2-johan+linaro@kernel.org
+Fixes: 6e5da6f7d824 ("PCI: qcom: Fix error handling in runtime PM support")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Acked-by: Stanimir Varbanov <svarbanov@mm-sol.com>
+Cc: stable@vger.kernel.org # 4.20
+Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pcie-qcom.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pcie-qcom.c
++++ b/drivers/pci/controller/dwc/pcie-qcom.c
+@@ -1593,17 +1593,14 @@ static int qcom_pcie_probe(struct platfo
+ pp->ops = &qcom_pcie_dw_ops;
+
+ ret = phy_init(pcie->phy);
+- if (ret) {
+- pm_runtime_disable(&pdev->dev);
++ if (ret)
+ goto err_pm_runtime_put;
+- }
+
+ platform_set_drvdata(pdev, pcie);
+
+ ret = dw_pcie_host_init(pp);
+ if (ret) {
+ dev_err(dev, "cannot initialize host\n");
+- pm_runtime_disable(&pdev->dev);
+ goto err_pm_runtime_put;
+ }
+
--- /dev/null
+From 83013631f0f9961416abd812e228c8efbc2f6069 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Fri, 1 Apr 2022 15:38:54 +0200
+Subject: PCI: qcom: Fix unbalanced PHY init on probe errors
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 83013631f0f9961416abd812e228c8efbc2f6069 upstream.
+
+Undo the PHY initialisation (e.g. balance runtime PM) if host
+initialisation fails during probe.
+
+Link: https://lore.kernel.org/r/20220401133854.10421-3-johan+linaro@kernel.org
+Fixes: 82a823833f4e ("PCI: qcom: Add Qualcomm PCIe controller driver")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Acked-by: Stanimir Varbanov <svarbanov@mm-sol.com>
+Cc: stable@vger.kernel.org # 4.5
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pcie-qcom.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/controller/dwc/pcie-qcom.c
++++ b/drivers/pci/controller/dwc/pcie-qcom.c
+@@ -1601,11 +1601,13 @@ static int qcom_pcie_probe(struct platfo
+ ret = dw_pcie_host_init(pp);
+ if (ret) {
+ dev_err(dev, "cannot initialize host\n");
+- goto err_pm_runtime_put;
++ goto err_phy_exit;
+ }
+
+ return 0;
+
++err_phy_exit:
++ phy_exit(pcie->phy);
+ err_pm_runtime_put:
+ pm_runtime_put(dev);
+ pm_runtime_disable(dev);
--- /dev/null
+From c9bfb460c3e4da2462e16b0f0b200990b36b1dd2 Mon Sep 17 00:00:00 2001
+From: Nico Boehr <nrb@linux.ibm.com>
+Date: Tue, 24 May 2022 15:43:20 +0200
+Subject: s390/perf: obtain sie_block from the right address
+
+From: Nico Boehr <nrb@linux.ibm.com>
+
+commit c9bfb460c3e4da2462e16b0f0b200990b36b1dd2 upstream.
+
+Since commit 1179f170b6f0 ("s390: fix fpu restore in entry.S"), the
+sie_block pointer is located at empty1[1], but in sie_block() it was
+taken from empty1[0].
+
+This leads to a random pointer being dereferenced, possibly causing
+system crash.
+
+This problem can be observed when running a simple guest with an endless
+loop and recording the cpu-clock event:
+
+ sudo perf kvm --guestvmlinux=<guestkernel> --guest top -e cpu-clock
+
+With this fix, the correct guest address is shown.
+
+Fixes: 1179f170b6f0 ("s390: fix fpu restore in entry.S")
+Cc: stable@vger.kernel.org
+Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Acked-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Nico Boehr <nrb@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/perf_event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/perf_event.c
++++ b/arch/s390/kernel/perf_event.c
+@@ -30,7 +30,7 @@ static struct kvm_s390_sie_block *sie_bl
+ if (!stack)
+ return NULL;
+
+- return (struct kvm_s390_sie_block *) stack->empty1[0];
++ return (struct kvm_s390_sie_block *)stack->empty1[1];
+ }
+
+ static bool is_in_guest(struct pt_regs *regs)
--- /dev/null
+From 5ace65ebb5ce9fe1cc8fdbdd97079fb566ef0ea4 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle <svens@linux.ibm.com>
+Date: Tue, 3 May 2022 09:58:33 +0200
+Subject: s390/stp: clock_delta should be signed
+
+From: Sven Schnelle <svens@linux.ibm.com>
+
+commit 5ace65ebb5ce9fe1cc8fdbdd97079fb566ef0ea4 upstream.
+
+clock_delta is declared as unsigned long in various places. However,
+the clock sync delta can be negative. This would add a huge positive
+offset in clock_sync_global where clock_delta is added to clk.eitod
+which is a 72 bit integer. Declare it as signed long to fix this.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/cio.h | 2 +-
+ arch/s390/kernel/time.c | 8 ++++----
+ drivers/s390/cio/chsc.c | 4 ++--
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/arch/s390/include/asm/cio.h
++++ b/arch/s390/include/asm/cio.h
+@@ -369,7 +369,7 @@ void cio_gp_dma_destroy(struct gen_pool
+ struct gen_pool *cio_gp_dma_create(struct device *dma_dev, int nr_pages);
+
+ /* Function from drivers/s390/cio/chsc.c */
+-int chsc_sstpc(void *page, unsigned int op, u16 ctrl, u64 *clock_delta);
++int chsc_sstpc(void *page, unsigned int op, u16 ctrl, long *clock_delta);
+ int chsc_sstpi(void *page, void *result, size_t size);
+ int chsc_stzi(void *page, void *result, size_t size);
+ int chsc_sgib(u32 origin);
+--- a/arch/s390/kernel/time.c
++++ b/arch/s390/kernel/time.c
+@@ -364,7 +364,7 @@ static inline int check_sync_clock(void)
+ * Apply clock delta to the global data structures.
+ * This is called once on the CPU that performed the clock sync.
+ */
+-static void clock_sync_global(unsigned long delta)
++static void clock_sync_global(long delta)
+ {
+ unsigned long now, adj;
+ struct ptff_qto qto;
+@@ -400,7 +400,7 @@ static void clock_sync_global(unsigned l
+ * Apply clock delta to the per-CPU data structures of this CPU.
+ * This is called for each online CPU after the call to clock_sync_global.
+ */
+-static void clock_sync_local(unsigned long delta)
++static void clock_sync_local(long delta)
+ {
+ /* Add the delta to the clock comparator. */
+ if (S390_lowcore.clock_comparator != clock_comparator_max) {
+@@ -424,7 +424,7 @@ static void __init time_init_wq(void)
+ struct clock_sync_data {
+ atomic_t cpus;
+ int in_sync;
+- unsigned long clock_delta;
++ long clock_delta;
+ };
+
+ /*
+@@ -544,7 +544,7 @@ static int stpinfo_valid(void)
+ static int stp_sync_clock(void *data)
+ {
+ struct clock_sync_data *sync = data;
+- u64 clock_delta, flags;
++ long clock_delta, flags;
+ static int first;
+ int rc;
+
+--- a/drivers/s390/cio/chsc.c
++++ b/drivers/s390/cio/chsc.c
+@@ -1255,7 +1255,7 @@ exit:
+ EXPORT_SYMBOL_GPL(css_general_characteristics);
+ EXPORT_SYMBOL_GPL(css_chsc_characteristics);
+
+-int chsc_sstpc(void *page, unsigned int op, u16 ctrl, u64 *clock_delta)
++int chsc_sstpc(void *page, unsigned int op, u16 ctrl, long *clock_delta)
+ {
+ struct {
+ struct chsc_header request;
+@@ -1266,7 +1266,7 @@ int chsc_sstpc(void *page, unsigned int
+ unsigned int rsvd2[5];
+ struct chsc_header response;
+ unsigned int rsvd3[3];
+- u64 clock_delta;
++ s64 clock_delta;
+ unsigned int rsvd4[2];
+ } *rr;
+ int rc;
--- /dev/null
+From 036a45aa587a10fa2abbd50fbd0f6c4cfc44f69f Mon Sep 17 00:00:00 2001
+From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+Date: Thu, 14 Apr 2022 12:02:31 +0800
+Subject: scsi: dc395x: Fix a missing check on list iterator
+
+From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+
+commit 036a45aa587a10fa2abbd50fbd0f6c4cfc44f69f upstream.
+
+The bug is here:
+
+ p->target_id, p->target_lun);
+
+The list iterator 'p' will point to a bogus position containing HEAD if the
+list is empty or no element is found. This case must be checked before any
+use of the iterator, otherwise it will lead to an invalid memory access.
+
+To fix this bug, add a check. Use a new variable 'iter' as the list
+iterator, and use the original variable 'p' as a dedicated pointer to point
+to the found element.
+
+Link: https://lore.kernel.org/r/20220414040231.2662-1-xiam0nd.tong@gmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/dc395x.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/dc395x.c
++++ b/drivers/scsi/dc395x.c
+@@ -3588,10 +3588,19 @@ static struct DeviceCtlBlk *device_alloc
+ #endif
+ if (dcb->target_lun != 0) {
+ /* Copy settings */
+- struct DeviceCtlBlk *p;
+- list_for_each_entry(p, &acb->dcb_list, list)
+- if (p->target_id == dcb->target_id)
++ struct DeviceCtlBlk *p = NULL, *iter;
++
++ list_for_each_entry(iter, &acb->dcb_list, list)
++ if (iter->target_id == dcb->target_id) {
++ p = iter;
+ break;
++ }
++
++ if (!p) {
++ kfree(dcb);
++ return NULL;
++ }
++
+ dprintkdbg(DBG_1,
+ "device_alloc: <%02i-%i> copy from <%02i-%i>\n",
+ dcb->target_id, dcb->target_lun,
--- /dev/null
+From 8eecddfca30e1651dc1c74531ed5eef21dcce7e3 Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Date: Wed, 4 May 2022 14:12:10 +0530
+Subject: scsi: ufs: qcom: Add a readl() to make sure ref_clk gets enabled
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+commit 8eecddfca30e1651dc1c74531ed5eef21dcce7e3 upstream.
+
+In ufs_qcom_dev_ref_clk_ctrl(), it was noted that the ref_clk needs to be
+stable for at least 1us. Even though there is wmb() to make sure the write
+gets "completed", there is no guarantee that the write actually reached the
+UFS device. There is a good chance that the write could be stored in a
+Write Buffer (WB). In that case, even though the CPU waits for 1us, the
+ref_clk might not be stable for that period.
+
+So lets do a readl() to make sure that the previous write has reached the
+UFS device before udelay().
+
+Also, the wmb() after writel_relaxed() is not really needed. Both writel()
+and readl() are ordered on all architectures and the CPU won't speculate
+instructions after readl() due to the in-built control dependency with read
+value on weakly ordered architectures. So it can be safely removed.
+
+Link: https://lore.kernel.org/r/20220504084212.11605-4-manivannan.sadhasivam@linaro.org
+Fixes: f06fcc7155dc ("scsi: ufs-qcom: add QUniPro hardware support and power optimizations")
+Cc: stable@vger.kernel.org
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufs-qcom.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ufs/ufs-qcom.c
++++ b/drivers/scsi/ufs/ufs-qcom.c
+@@ -682,8 +682,11 @@ static void ufs_qcom_dev_ref_clk_ctrl(st
+
+ writel_relaxed(temp, host->dev_ref_clk_ctrl_mmio);
+
+- /* ensure that ref_clk is enabled/disabled before we return */
+- wmb();
++ /*
++ * Make sure the write to ref_clk reaches the destination and
++ * not stored in a Write Buffer (WB).
++ */
++ readl(host->dev_ref_clk_ctrl_mmio);
+
+ /*
+ * If we call hibern8 exit after this, we need to make sure that
ext4-verify-dir-block-before-splitting-it.patch
ext4-avoid-cycles-in-directory-h-tree.patch
acpi-property-release-subnode-properties-with-data-nodes.patch
+tty-goldfish-introduce-gf_ioread32-gf_iowrite32.patch
+tracing-fix-potential-double-free-in-create_var_ref.patch
+tracing-fix-return-value-of-trace_pid_write.patch
+tracing-initialize-integer-variable-to-prevent-garbage-return-value.patch
+drm-amdgpu-add-beige-goby-pci-id.patch
+pci-pm-fix-bridge_d3_blacklist-elo-i2-overwrite-of-gigabyte-x299.patch
+pci-qcom-fix-runtime-pm-imbalance-on-probe-errors.patch
+pci-qcom-fix-unbalanced-phy-init-on-probe-errors.patch
+staging-r8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch
+block-fix-potential-deadlock-in-blk_ia_range_sysfs_show.patch
+mm-compaction-fast_find_migrateblock-should-return-pfn-in-the-target-zone.patch
+s390-perf-obtain-sie_block-from-the-right-address.patch
+s390-stp-clock_delta-should-be-signed.patch
+dlm-fix-plock-invalid-read.patch
+dlm-uninitialized-variable-on-error-in-dlm_listen_for_all.patch
+dlm-fix-wake_up-calls-for-pending-remove.patch
+dlm-fix-missing-lkb-refcount-handling.patch
+ocfs2-dlmfs-fix-error-handling-of-user_dlm_destroy_lock.patch
+scsi-dc395x-fix-a-missing-check-on-list-iterator.patch
+scsi-ufs-qcom-add-a-readl-to-make-sure-ref_clk-gets-enabled.patch
--- /dev/null
+From bc10916e890948d8927a5c8c40fb5dc44be5e1b8 Mon Sep 17 00:00:00 2001
+From: Denis Efremov <denis.e.efremov@oracle.com>
+Date: Wed, 18 May 2022 11:00:52 +0400
+Subject: staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan()
+
+From: Denis Efremov <denis.e.efremov@oracle.com>
+
+commit bc10916e890948d8927a5c8c40fb5dc44be5e1b8 upstream.
+
+This code has a check to prevent read overflow but it needs another
+check to prevent writing beyond the end of the ->Ssid[] array.
+
+Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>
+Link: https://lore.kernel.org/r/20220518070052.108287-1-denis.e.efremov@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/r8188eu/os_dep/ioctl_linux.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c
++++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
+@@ -1181,9 +1181,11 @@ static int rtw_wx_set_scan(struct net_de
+ break;
+ }
+ sec_len = *(pos++); len -= 1;
+- if (sec_len > 0 && sec_len <= len) {
++ if (sec_len > 0 &&
++ sec_len <= len &&
++ sec_len <= 32) {
+ ssid[ssid_index].SsidLength = sec_len;
+- memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength);
++ memcpy(ssid[ssid_index].Ssid, pos, sec_len);
+ ssid_index++;
+ }
+ pos += sec_len;
--- /dev/null
+From 99696a2592bca641eb88cc9a80c90e591afebd0f Mon Sep 17 00:00:00 2001
+From: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
+Date: Mon, 25 Apr 2022 06:37:38 +0000
+Subject: tracing: Fix potential double free in create_var_ref()
+
+From: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
+
+commit 99696a2592bca641eb88cc9a80c90e591afebd0f upstream.
+
+In create_var_ref(), init_var_ref() is called to initialize the fields
+of variable ref_field, which is allocated in the previous function call
+to create_hist_field(). Function init_var_ref() allocates the
+corresponding fields such as ref_field->system, but frees these fields
+when the function encounters an error. The caller later calls
+destroy_hist_field() to conduct error handling, which frees the fields
+and the variable itself. This results in double free of the fields which
+are already freed in the previous function.
+
+Fix this by storing NULL to the corresponding fields when they are freed
+in init_var_ref().
+
+Link: https://lkml.kernel.org/r/20220425063739.3859998-1-keitasuzuki.park@sslab.ics.keio.ac.jp
+
+Fixes: 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
+CC: stable@vger.kernel.org
+Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
+Reviewed-by: Tom Zanussi <zanussi@kernel.org>
+Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_hist.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -2074,8 +2074,11 @@ static int init_var_ref(struct hist_fiel
+ return err;
+ free:
+ kfree(ref_field->system);
++ ref_field->system = NULL;
+ kfree(ref_field->event_name);
++ ref_field->event_name = NULL;
+ kfree(ref_field->name);
++ ref_field->name = NULL;
+
+ goto out;
+ }
--- /dev/null
+From b27f266f74fbda4ee36c2b2b04d15992860cf23b Mon Sep 17 00:00:00 2001
+From: Wonhyuk Yang <vvghjk1234@gmail.com>
+Date: Tue, 3 May 2022 14:05:46 +0900
+Subject: tracing: Fix return value of trace_pid_write()
+
+From: Wonhyuk Yang <vvghjk1234@gmail.com>
+
+commit b27f266f74fbda4ee36c2b2b04d15992860cf23b upstream.
+
+Setting set_event_pid with trailing whitespace lead to endless write
+system calls like below.
+
+ $ strace echo "123 " > /sys/kernel/debug/tracing/set_event_pid
+ execve("/usr/bin/echo", ["echo", "123 "], ...) = 0
+ ...
+ write(1, "123 \n", 5) = 4
+ write(1, "\n", 1) = 0
+ write(1, "\n", 1) = 0
+ write(1, "\n", 1) = 0
+ write(1, "\n", 1) = 0
+ write(1, "\n", 1) = 0
+ ....
+
+This is because, the result of trace_get_user's are not returned when it
+read at least one pid. To fix it, update read variable even if
+parser->idx == 0.
+
+The result of applied patch is below.
+
+ $ strace echo "123 " > /sys/kernel/debug/tracing/set_event_pid
+ execve("/usr/bin/echo", ["echo", "123 "], ...) = 0
+ ...
+ write(1, "123 \n", 5) = 5
+ close(1) = 0
+
+Link: https://lkml.kernel.org/r/20220503050546.288911-1-vvghjk1234@gmail.com
+
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Baik Song An <bsahn@etri.re.kr>
+Cc: Hong Yeon Kim <kimhy@etri.re.kr>
+Cc: Taeung Song <taeung@reallinux.co.kr>
+Cc: linuxgeek@linuxgeek.io
+Cc: stable@vger.kernel.org
+Fixes: 4909010788640 ("tracing: Add set_event_pid directory for future use")
+Signed-off-by: Wonhyuk Yang <vvghjk1234@gmail.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -711,13 +711,16 @@ int trace_pid_write(struct trace_pid_lis
+ pos = 0;
+
+ ret = trace_get_user(&parser, ubuf, cnt, &pos);
+- if (ret < 0 || !trace_parser_loaded(&parser))
++ if (ret < 0)
+ break;
+
+ read += ret;
+ ubuf += ret;
+ cnt -= ret;
+
++ if (!trace_parser_loaded(&parser))
++ break;
++
+ ret = -EINVAL;
+ if (kstrtoul(parser.buffer, 0, &val))
+ break;
+@@ -743,7 +746,6 @@ int trace_pid_write(struct trace_pid_lis
+ if (!nr_pids) {
+ /* Cleared the list of pids */
+ trace_pid_list_free(pid_list);
+- read = ret;
+ pid_list = NULL;
+ }
+
--- /dev/null
+From 154827f8e53d8c492b3fb0cb757fbcadb5d516b5 Mon Sep 17 00:00:00 2001
+From: Gautam Menghani <gautammenghani201@gmail.com>
+Date: Sat, 21 May 2022 23:18:26 -0700
+Subject: tracing: Initialize integer variable to prevent garbage return value
+
+From: Gautam Menghani <gautammenghani201@gmail.com>
+
+commit 154827f8e53d8c492b3fb0cb757fbcadb5d516b5 upstream.
+
+Initialize the integer variable to 0 to fix the clang scan warning:
+Undefined or garbage value returned to caller
+[core.uninitialized.UndefReturn]
+ return ret;
+
+Link: https://lkml.kernel.org/r/20220522061826.1751-1-gautammenghani201@gmail.com
+
+Cc: stable@vger.kernel.org
+Fixes: 8993665abcce ("tracing/boot: Support multiple handlers for per-event histogram")
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Gautam Menghani <gautammenghani201@gmail.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_boot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_boot.c
++++ b/kernel/trace/trace_boot.c
+@@ -300,7 +300,7 @@ trace_boot_hist_add_handlers(struct xbc_
+ {
+ struct xbc_node *node;
+ const char *p, *handler;
+- int ret;
++ int ret = 0;
+
+ handler = xbc_node_get_data(hnode);
+
--- /dev/null
+From 2e2ac4a3327479f7e2744cdd88a5c823f2057bad Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <laurent@vivier.eu>
+Date: Wed, 6 Apr 2022 22:15:20 +0200
+Subject: tty: goldfish: Introduce gf_ioread32()/gf_iowrite32()
+
+From: Laurent Vivier <laurent@vivier.eu>
+
+commit 2e2ac4a3327479f7e2744cdd88a5c823f2057bad upstream.
+
+The goldfish TTY device was clearly defined as having little-endian
+registers, but the switch to __raw_{read,write}l(() broke its driver
+when running on big-endian kernels (if anyone ever tried this).
+
+The m68k qemu implementation got this wrong, and assumed native-endian
+registers. While this is a bug in qemu, it is probably impossible to
+fix that since there is no way of knowing which other operating systems
+have started relying on that bug over the years.
+
+Hence revert commit da31de35cd2f ("tty: goldfish: use
+__raw_writel()/__raw_readl()", and define gf_ioread32()/gf_iowrite32()
+to be able to use accessors defined by the architecture.
+
+Cc: stable@vger.kernel.org # v5.11+
+Fixes: da31de35cd2fb78f ("tty: goldfish: use __raw_writel()/__raw_readl()")
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Link: https://lore.kernel.org/r/20220406201523.243733-2-laurent@vivier.eu
+[geert: Add rationale based on Arnd's comments]
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/goldfish.c | 20 ++++++++++----------
+ include/linux/goldfish.h | 15 +++++++++++----
+ 2 files changed, 21 insertions(+), 14 deletions(-)
+
+--- a/drivers/tty/goldfish.c
++++ b/drivers/tty/goldfish.c
+@@ -61,13 +61,13 @@ static void do_rw_io(struct goldfish_tty
+ spin_lock_irqsave(&qtty->lock, irq_flags);
+ gf_write_ptr((void *)address, base + GOLDFISH_TTY_REG_DATA_PTR,
+ base + GOLDFISH_TTY_REG_DATA_PTR_HIGH);
+- __raw_writel(count, base + GOLDFISH_TTY_REG_DATA_LEN);
++ gf_iowrite32(count, base + GOLDFISH_TTY_REG_DATA_LEN);
+
+ if (is_write)
+- __raw_writel(GOLDFISH_TTY_CMD_WRITE_BUFFER,
++ gf_iowrite32(GOLDFISH_TTY_CMD_WRITE_BUFFER,
+ base + GOLDFISH_TTY_REG_CMD);
+ else
+- __raw_writel(GOLDFISH_TTY_CMD_READ_BUFFER,
++ gf_iowrite32(GOLDFISH_TTY_CMD_READ_BUFFER,
+ base + GOLDFISH_TTY_REG_CMD);
+
+ spin_unlock_irqrestore(&qtty->lock, irq_flags);
+@@ -142,7 +142,7 @@ static irqreturn_t goldfish_tty_interrup
+ unsigned char *buf;
+ u32 count;
+
+- count = __raw_readl(base + GOLDFISH_TTY_REG_BYTES_READY);
++ count = gf_ioread32(base + GOLDFISH_TTY_REG_BYTES_READY);
+ if (count == 0)
+ return IRQ_NONE;
+
+@@ -159,7 +159,7 @@ static int goldfish_tty_activate(struct
+ {
+ struct goldfish_tty *qtty = container_of(port, struct goldfish_tty,
+ port);
+- __raw_writel(GOLDFISH_TTY_CMD_INT_ENABLE, qtty->base + GOLDFISH_TTY_REG_CMD);
++ gf_iowrite32(GOLDFISH_TTY_CMD_INT_ENABLE, qtty->base + GOLDFISH_TTY_REG_CMD);
+ return 0;
+ }
+
+@@ -167,7 +167,7 @@ static void goldfish_tty_shutdown(struct
+ {
+ struct goldfish_tty *qtty = container_of(port, struct goldfish_tty,
+ port);
+- __raw_writel(GOLDFISH_TTY_CMD_INT_DISABLE, qtty->base + GOLDFISH_TTY_REG_CMD);
++ gf_iowrite32(GOLDFISH_TTY_CMD_INT_DISABLE, qtty->base + GOLDFISH_TTY_REG_CMD);
+ }
+
+ static int goldfish_tty_open(struct tty_struct *tty, struct file *filp)
+@@ -202,7 +202,7 @@ static unsigned int goldfish_tty_chars_i
+ {
+ struct goldfish_tty *qtty = &goldfish_ttys[tty->index];
+ void __iomem *base = qtty->base;
+- return __raw_readl(base + GOLDFISH_TTY_REG_BYTES_READY);
++ return gf_ioread32(base + GOLDFISH_TTY_REG_BYTES_READY);
+ }
+
+ static void goldfish_tty_console_write(struct console *co, const char *b,
+@@ -355,7 +355,7 @@ static int goldfish_tty_probe(struct pla
+ * on Ranchu emulator (qemu2) returns 1 here and
+ * driver will use physical addresses.
+ */
+- qtty->version = __raw_readl(base + GOLDFISH_TTY_REG_VERSION);
++ qtty->version = gf_ioread32(base + GOLDFISH_TTY_REG_VERSION);
+
+ /*
+ * Goldfish TTY device on Ranchu emulator (qemu2)
+@@ -374,7 +374,7 @@ static int goldfish_tty_probe(struct pla
+ }
+ }
+
+- __raw_writel(GOLDFISH_TTY_CMD_INT_DISABLE, base + GOLDFISH_TTY_REG_CMD);
++ gf_iowrite32(GOLDFISH_TTY_CMD_INT_DISABLE, base + GOLDFISH_TTY_REG_CMD);
+
+ ret = request_irq(irq, goldfish_tty_interrupt, IRQF_SHARED,
+ "goldfish_tty", qtty);
+@@ -436,7 +436,7 @@ static int goldfish_tty_remove(struct pl
+ #ifdef CONFIG_GOLDFISH_TTY_EARLY_CONSOLE
+ static void gf_early_console_putchar(struct uart_port *port, int ch)
+ {
+- __raw_writel(ch, port->membase);
++ gf_iowrite32(ch, port->membase);
+ }
+
+ static void gf_early_write(struct console *con, const char *s, unsigned int n)
+--- a/include/linux/goldfish.h
++++ b/include/linux/goldfish.h
+@@ -8,14 +8,21 @@
+
+ /* Helpers for Goldfish virtual platform */
+
++#ifndef gf_ioread32
++#define gf_ioread32 ioread32
++#endif
++#ifndef gf_iowrite32
++#define gf_iowrite32 iowrite32
++#endif
++
+ static inline void gf_write_ptr(const void *ptr, void __iomem *portl,
+ void __iomem *porth)
+ {
+ const unsigned long addr = (unsigned long)ptr;
+
+- __raw_writel(lower_32_bits(addr), portl);
++ gf_iowrite32(lower_32_bits(addr), portl);
+ #ifdef CONFIG_64BIT
+- __raw_writel(upper_32_bits(addr), porth);
++ gf_iowrite32(upper_32_bits(addr), porth);
+ #endif
+ }
+
+@@ -23,9 +30,9 @@ static inline void gf_write_dma_addr(con
+ void __iomem *portl,
+ void __iomem *porth)
+ {
+- __raw_writel(lower_32_bits(addr), portl);
++ gf_iowrite32(lower_32_bits(addr), portl);
+ #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT
+- __raw_writel(upper_32_bits(addr), porth);
++ gf_iowrite32(upper_32_bits(addr), porth);
+ #endif
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
