--- /dev/null
+From 2546287c5fb363a0165933ae2181c92f03e701d0 Mon Sep 17 00:00:00 2001
+From: Zenghui Yu <yuzenghui@huawei.com>
+Date: Fri, 21 Feb 2020 10:07:25 +0800
+Subject: genirq/irqdomain: Make sure all irq domain flags are distinct
+
+From: Zenghui Yu <yuzenghui@huawei.com>
+
+commit 2546287c5fb363a0165933ae2181c92f03e701d0 upstream.
+
+This was noticed when printing debugfs for MSIs on my ARM64 server. The
+new dstate IRQD_MSI_NOMASK_QUIRK came out surprisingly while it should only
+be the x86 stuff for the time being...
+
+The new MSI quirk flag uses the same bit as IRQ_DOMAIN_NAME_ALLOCATED which
+is oddly defined as bit 6 for no good reason.
+
+Switch it to the non used bit 1.
+
+Fixes: 6f1a4891a592 ("x86/apic/msi: Plug non-maskable MSI affinity race")
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20200221020725.2038-1-yuzenghui@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/irqdomain.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/irqdomain.h
++++ b/include/linux/irqdomain.h
+@@ -188,7 +188,7 @@ enum {
+ IRQ_DOMAIN_FLAG_HIERARCHY = (1 << 0),
+
+ /* Irq domain name was allocated in __irq_domain_add() */
+- IRQ_DOMAIN_NAME_ALLOCATED = (1 << 6),
++ IRQ_DOMAIN_NAME_ALLOCATED = (1 << 1),
+
+ /* Irq domain is an IPI domain with virq per cpu */
+ IRQ_DOMAIN_FLAG_IPI_PER_CPU = (1 << 2),
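Review bot: Nothing in this enum stops the next hand-assigned bit from colliding again, and the flag that keeps bit 6 is not visible in the hunk, so the `(1 << 1)` choice can only be checked against the full enum. Aliased bits matter beyond debugfs output: code that tests IRQ_DOMAIN_NAME_ALLOCATED on a domain carrying the other flag would act on the wrong property, presumably including the path that frees the allocated name. I would add a line above the first entry such as `/* Each flag must own a unique bit; check the whole enum before assigning one */` and keep the entries in bit order. The enum body continues outside the hunk.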
--- /dev/null
+From 8eedabfd66b68a4623beec0789eac54b8c9d0fb6 Mon Sep 17 00:00:00 2001
+From: wangyan <wangyan122@huawei.com>
+Date: Thu, 20 Feb 2020 21:46:14 +0800
+Subject: jbd2: fix ocfs2 corrupt when clearing block group bits
+
+From: wangyan <wangyan122@huawei.com>
+
+commit 8eedabfd66b68a4623beec0789eac54b8c9d0fb6 upstream.
+
+I found a NULL pointer dereference in ocfs2_block_group_clear_bits().
+The running environment:
+ kernel version: 4.19
+ A cluster with two nodes, 5 luns mounted on two nodes, and do some
+ file operations like dd/fallocate/truncate/rm on every lun with storage
+ network disconnection.
+
+The fallocate operation on dm-23-45 caused an null pointer dereference.
+
+The information of NULL pointer dereference as follows:
+ [577992.878282] JBD2: Error -5 detected when updating journal superblock for dm-23-45.
+ [577992.878290] Aborting journal on device dm-23-45.
+ ...
+ [577992.890778] JBD2: Error -5 detected when updating journal superblock for dm-24-46.
+ [577992.890908] __journal_remove_journal_head: freeing b_committed_data
+ [577992.890916] (fallocate,88392,52):ocfs2_extend_trans:474 ERROR: status = -30
+ [577992.890918] __journal_remove_journal_head: freeing b_committed_data
+ [577992.890920] (fallocate,88392,52):ocfs2_rotate_tree_right:2500 ERROR: status = -30
+ [577992.890922] __journal_remove_journal_head: freeing b_committed_data
+ [577992.890924] (fallocate,88392,52):ocfs2_do_insert_extent:4382 ERROR: status = -30
+ [577992.890928] (fallocate,88392,52):ocfs2_insert_extent:4842 ERROR: status = -30
+ [577992.890928] __journal_remove_journal_head: freeing b_committed_data
+ [577992.890930] (fallocate,88392,52):ocfs2_add_clusters_in_btree:4947 ERROR: status = -30
+ [577992.890933] __journal_remove_journal_head: freeing b_committed_data
+ [577992.890939] __journal_remove_journal_head: freeing b_committed_data
+ [577992.890949] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
+ [577992.890950] Mem abort info:
+ [577992.890951] ESR = 0x96000004
+ [577992.890952] Exception class = DABT (current EL), IL = 32 bits
+ [577992.890952] SET = 0, FnV = 0
+ [577992.890953] EA = 0, S1PTW = 0
+ [577992.890954] Data abort info:
+ [577992.890955] ISV = 0, ISS = 0x00000004
+ [577992.890956] CM = 0, WnR = 0
+ [577992.890958] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000f8da07a9
+ [577992.890960] [0000000000000020] pgd=0000000000000000
+ [577992.890964] Internal error: Oops: 96000004 [#1] SMP
+ [577992.890965] Process fallocate (pid: 88392, stack limit = 0x00000000013db2fd)
+ [577992.890968] CPU: 52 PID: 88392 Comm: fallocate Kdump: loaded Tainted: G W OE 4.19.36 #1
+ [577992.890969] Hardware name: Huawei TaiShan 2280 V2/BC82AMDD, BIOS 0.98 08/25/2019
+ [577992.890971] pstate: 60400009 (nZCv daif +PAN -UAO)
+ [577992.891054] pc : _ocfs2_free_suballoc_bits+0x63c/0x968 [ocfs2]
+ [577992.891082] lr : _ocfs2_free_suballoc_bits+0x618/0x968 [ocfs2]
+ [577992.891084] sp : ffff0000c8e2b810
+ [577992.891085] x29: ffff0000c8e2b820 x28: 0000000000000000
+ [577992.891087] x27: 00000000000006f3 x26: ffffa07957b02e70
+ [577992.891089] x25: ffff807c59d50000 x24: 00000000000006f2
+ [577992.891091] x23: 0000000000000001 x22: ffff807bd39abc30
+ [577992.891093] x21: ffff0000811d9000 x20: ffffa07535d6a000
+ [577992.891097] x19: ffff000001681638 x18: ffffffffffffffff
+ [577992.891098] x17: 0000000000000000 x16: ffff000080a03df0
+ [577992.891100] x15: ffff0000811d9708 x14: 203d207375746174
+ [577992.891101] x13: 73203a524f525245 x12: 20373439343a6565
+ [577992.891103] x11: 0000000000000038 x10: 0101010101010101
+ [577992.891106] x9 : ffffa07c68a85d70 x8 : 7f7f7f7f7f7f7f7f
+ [577992.891109] x7 : 0000000000000000 x6 : 0000000000000080
+ [577992.891110] x5 : 0000000000000000 x4 : 0000000000000002
+ [577992.891112] x3 : ffff000001713390 x2 : 2ff90f88b1c22f00
+ [577992.891114] x1 : ffff807bd39abc30 x0 : 0000000000000000
+ [577992.891116] Call trace:
+ [577992.891139] _ocfs2_free_suballoc_bits+0x63c/0x968 [ocfs2]
+ [577992.891162] _ocfs2_free_clusters+0x100/0x290 [ocfs2]
+ [577992.891185] ocfs2_free_clusters+0x50/0x68 [ocfs2]
+ [577992.891206] ocfs2_add_clusters_in_btree+0x198/0x5e0 [ocfs2]
+ [577992.891227] ocfs2_add_inode_data+0x94/0xc8 [ocfs2]
+ [577992.891248] ocfs2_extend_allocation+0x1bc/0x7a8 [ocfs2]
+ [577992.891269] ocfs2_allocate_extents+0x14c/0x338 [ocfs2]
+ [577992.891290] __ocfs2_change_file_space+0x3f8/0x610 [ocfs2]
+ [577992.891309] ocfs2_fallocate+0xe4/0x128 [ocfs2]
+ [577992.891316] vfs_fallocate+0x11c/0x250
+ [577992.891317] ksys_fallocate+0x54/0x88
+ [577992.891319] __arm64_sys_fallocate+0x28/0x38
+ [577992.891323] el0_svc_common+0x78/0x130
+ [577992.891325] el0_svc_handler+0x38/0x78
+ [577992.891327] el0_svc+0x8/0xc
+
+My analysis process as follows:
+ocfs2_fallocate
+ __ocfs2_change_file_space
+ ocfs2_allocate_extents
+ ocfs2_extend_allocation
+ ocfs2_add_inode_data
+ ocfs2_add_clusters_in_btree
+ ocfs2_insert_extent
+ ocfs2_do_insert_extent
+ ocfs2_rotate_tree_right
+ ocfs2_extend_rotate_transaction
+ ocfs2_extend_trans
+ jbd2_journal_restart
+ jbd2__journal_restart
+ /* handle->h_transaction is NULL,
+ * is_handle_aborted(handle) is true
+ */
+ handle->h_transaction = NULL;
+ start_this_handle
+ return -EROFS;
+ ocfs2_free_clusters
+ _ocfs2_free_clusters
+ _ocfs2_free_suballoc_bits
+ ocfs2_block_group_clear_bits
+ ocfs2_journal_access_gd
+ __ocfs2_journal_access
+ jbd2_journal_get_undo_access
+ /* I think jbd2_write_access_granted() will
+ * return true, because do_get_write_access()
+ * will return -EROFS.
+ */
+ if (jbd2_write_access_granted(...)) return 0;
+ do_get_write_access
+ /* handle->h_transaction is NULL, it will
+ * return -EROFS here, so do_get_write_access()
+ * was not called.
+ */
+ if (is_handle_aborted(handle)) return -EROFS;
+ /* bh2jh(group_bh) is NULL, caused NULL
+ pointer dereference */
+ undo_bg = (struct ocfs2_group_desc *)
+ bh2jh(group_bh)->b_committed_data;
+
+If handle->h_transaction == NULL, then jbd2_write_access_granted()
+does not really guarantee that journal_head will stay around,
+not even speaking of its b_committed_data. The bh2jh(group_bh)
+can be removed after ocfs2_journal_access_gd() and before call
+"bh2jh(group_bh)->b_committed_data". So, we should move
+is_handle_aborted() check from do_get_write_access() into
+jbd2_journal_get_undo_access() and jbd2_journal_get_write_access()
+before the call to jbd2_write_access_granted().
+
+Link: https://lore.kernel.org/r/f72a623f-b3f1-381a-d91d-d22a1c83a336@huawei.com
+Signed-off-by: Yan Wang <wangyan122@huawei.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jun Piao <piaojun@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/transaction.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -831,8 +831,6 @@ do_get_write_access(handle_t *handle, st
+ char *frozen_buffer = NULL;
+ unsigned long start_lock, time_lock;
+
+- if (is_handle_aborted(handle))
+- return -EROFS;
+ journal = transaction->t_journal;
+
+ jbd_debug(5, "journal_head %p, force_copy %d\n", jh, force_copy);
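Review bot: With the guard removed here, `journal = transaction->t_journal;` is only safe because both callers now reject an aborted handle first; per the commit message an aborted handle can have `handle->h_transaction == NULL`, and `transaction` is presumably taken from it in the declarations above the hunk. That precondition is not written down in do_get_write_access(), so a future caller that skips the check would dereference NULL. I would add `/* Callers must have checked is_handle_aborted(): h_transaction may be NULL otherwise */` above the assignment. The same three-line check is now duplicated in the jbd2_journal_get_write_access() and jbd2_journal_get_undo_access() hunks, which is fine as long as do_get_write_access() has no other callers; that cannot be confirmed from this page.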
+@@ -1084,6 +1082,9 @@ int jbd2_journal_get_write_access(handle
+ struct journal_head *jh;
+ int rc;
+
++ if (is_handle_aborted(handle))
++ return -EROFS;
++
+ if (jbd2_write_access_granted(handle, bh, false))
+ return 0;
+
+@@ -1221,6 +1222,9 @@ int jbd2_journal_get_undo_access(handle_
+ struct journal_head *jh;
+ char *committed_data = NULL;
+
++ if (is_handle_aborted(handle))
++ return -EROFS;
++
+ if (jbd2_write_access_granted(handle, bh, true))
+ return 0;
+
--- /dev/null
+From 96228b7df33f8eb9006f8ae96949400aed9bd303 Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Wed, 12 Feb 2020 18:04:33 +0200
+Subject: MAINTAINERS: Update drm/i915 bug filing URL
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit 96228b7df33f8eb9006f8ae96949400aed9bd303 upstream.
+
+We've moved from bugzilla to gitlab.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200212160434.6437-1-jani.nikula@intel.com
+(cherry picked from commit 3a6a4f0810c8ade6f1ff63c34aa9834176b9d88b)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ MAINTAINERS | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -7340,7 +7340,7 @@ M: Joonas Lahtinen <joonas.lahtinen@linu
+ M: Rodrigo Vivi <rodrigo.vivi@intel.com>
+ L: intel-gfx@lists.freedesktop.org
+ W: https://01.org/linuxgraphics/
+-B: https://01.org/linuxgraphics/documentation/how-report-bugs
++B: https://gitlab.freedesktop.org/drm/intel/-/wikis/How-to-file-i915-bugs
+ C: irc://chat.freenode.net/intel-gfx
+ Q: http://patchwork.freedesktop.org/project/intel-gfx/
+ T: git git://anongit.freedesktop.org/drm-intel
--- /dev/null
+From 75866af62b439859d5146b7093ceb6b482852683 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 20 Feb 2020 20:04:18 -0800
+Subject: mm/memcontrol.c: lost css_put in memcg_expand_shrinker_maps()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 75866af62b439859d5146b7093ceb6b482852683 upstream.
+
+for_each_mem_cgroup() increases css reference counter for memory cgroup
+and requires to use mem_cgroup_iter_break() if the walk is cancelled.
+
+Link: http://lkml.kernel.org/r/c98414fb-7e1f-da0f-867a-9340ec4bd30b@virtuozzo.com
+Fixes: 0a4465d34028 ("mm, memcg: assign memcg-aware shrinkers bitmap to memcg")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Acked-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Roman Gushchin <guro@fb.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memcontrol.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -419,8 +419,10 @@ int memcg_expand_shrinker_maps(int new_i
+ if (mem_cgroup_is_root(memcg))
+ continue;
+ ret = memcg_expand_one_shrinker_map(memcg, size, old_size);
+- if (ret)
++ if (ret) {
++ mem_cgroup_iter_break(NULL, memcg);
+ goto unlock;
++ }
+ }
+ unlock:
+ if (!ret)
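Review bot: The added `mem_cgroup_iter_break(NULL, memcg);` carries no comment, and the reference it drops is taken implicitly by the iterator macro, which is how the early exit came to leak it. A short comment at the call would keep the next edit of this loop from repeating that: `/* for_each_mem_cgroup() holds a css reference on memcg; drop it before leaving the walk */`. The `NULL` first argument presumably has to match the root used by the loop header, which is outside the hunk, so that is worth confirming. Since `unlock:` directly follows the loop, `break;` would read more naturally than `goto unlock;` if the label has no other users.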
--- /dev/null
+From 3b7830904e17202524bad1974505a9bfc718d31f Mon Sep 17 00:00:00 2001
+From: Logan Gunthorpe <logang@deltatee.com>
+Date: Thu, 20 Feb 2020 13:29:53 -0700
+Subject: nvme-multipath: Fix memory leak with ana_log_buf
+
+From: Logan Gunthorpe <logang@deltatee.com>
+
+commit 3b7830904e17202524bad1974505a9bfc718d31f upstream.
+
+kmemleak reports a memory leak with the ana_log_buf allocated by
+nvme_mpath_init():
+
+unreferenced object 0xffff888120e94000 (size 8208):
+ comm "nvme", pid 6884, jiffies 4295020435 (age 78786.312s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
+ 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000e2360188>] kmalloc_order+0x97/0xc0
+ [<0000000079b18dd4>] kmalloc_order_trace+0x24/0x100
+ [<00000000f50c0406>] __kmalloc+0x24c/0x2d0
+ [<00000000f31a10b9>] nvme_mpath_init+0x23c/0x2b0
+ [<000000005802589e>] nvme_init_identify+0x75f/0x1600
+ [<0000000058ef911b>] nvme_loop_configure_admin_queue+0x26d/0x280
+ [<00000000673774b9>] nvme_loop_create_ctrl+0x2a7/0x710
+ [<00000000f1c7a233>] nvmf_dev_write+0xc66/0x10b9
+ [<000000004199f8d0>] __vfs_write+0x50/0xa0
+ [<0000000065466fef>] vfs_write+0xf3/0x280
+ [<00000000b0db9a8b>] ksys_write+0xc6/0x160
+ [<0000000082156b91>] __x64_sys_write+0x43/0x50
+ [<00000000c34fbb6d>] do_syscall_64+0x77/0x2f0
+ [<00000000bbc574c9>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+nvme_mpath_init() is called by nvme_init_identify() which is called in
+multiple places (nvme_reset_work(), nvme_passthru_end(), etc). This
+means nvme_mpath_init() may be called multiple times before
+nvme_mpath_uninit() (which is only called on nvme_free_ctrl()).
+
+When nvme_mpath_init() is called multiple times, it overwrites the
+ana_log_buf pointer with a new allocation, thus leaking the previous
+allocation.
+
+To fix this, free ana_log_buf before allocating a new one.
+
+Fixes: 0d0b660f214dc490 ("nvme: add ANA support")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvme/host/multipath.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -569,6 +569,7 @@ int nvme_mpath_init(struct nvme_ctrl *ct
+ }
+
+ INIT_WORK(&ctrl->ana_work, nvme_ana_work);
++ kfree(ctrl->ana_log_buf);
+ ctrl->ana_log_buf = kmalloc(ctrl->ana_log_size, GFP_KERNEL);
+ if (!ctrl->ana_log_buf) {
+ error = -ENOMEM;
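Review bot: Between the added `kfree(ctrl->ana_log_buf);` and the assignment on the next line the controller still points at freed memory, and `INIT_WORK()` just above re-initialises `ana_work` on a controller that, per the commit message, may already have been initialised. If `ana_work` or any other reader of `ana_log_buf` can run while nvme_mpath_init() is re-entered from a reset, this is a use-after-free window; the hunk does not show whether the work is quiesced first. I would either confirm and document that, e.g. `/* re-init: ana_work is not running here, so the old buffer has no readers */`, or keep the existing buffer when `ana_log_size` has not grown. The function body starts and ends outside the hunk.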
--- /dev/null
+From 2464cc4c345699adea52c7aef75707207cb8a2f6 Mon Sep 17 00:00:00 2001
+From: Gustavo Luiz Duarte <gustavold@linux.ibm.com>
+Date: Tue, 11 Feb 2020 00:38:29 -0300
+Subject: powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery
+
+From: Gustavo Luiz Duarte <gustavold@linux.ibm.com>
+
+commit 2464cc4c345699adea52c7aef75707207cb8a2f6 upstream.
+
+After a treclaim, we expect to be in non-transactional state. If we
+don't clear the current thread's MSR[TS] before we get preempted, then
+tm_recheckpoint_new_task() will recheckpoint and we get rescheduled in
+suspended transaction state.
+
+When handling a signal caught in transactional state,
+handle_rt_signal64() calls get_tm_stackpointer() that treclaims the
+transaction using tm_reclaim_current() but without clearing the
+thread's MSR[TS]. This can cause the TM Bad Thing exception below if
+later we pagefault and get preempted trying to access the user's
+sigframe, using __put_user(). Afterwards, when we are rescheduled back
+into do_page_fault() (but now in suspended state since the thread's
+MSR[TS] was not cleared), upon executing 'rfid' after completion of
+the page fault handling, the exception is raised because a transition
+from suspended to non-transactional state is invalid.
+
+ Unexpected TM Bad Thing exception at c00000000000de44 (msr 0x8000000302a03031) tm_scratch=800000010280b033
+ Oops: Unrecoverable exception, sig: 6 [#1]
+ LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+ CPU: 25 PID: 15547 Comm: a.out Not tainted 5.4.0-rc2 #32
+ NIP: c00000000000de44 LR: c000000000034728 CTR: 0000000000000000
+ REGS: c00000003fe7bd70 TRAP: 0700 Not tainted (5.4.0-rc2)
+ MSR: 8000000302a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[SE]> CR: 44000884 XER: 00000000
+ CFAR: c00000000000dda4 IRQMASK: 0
+ PACATMSCRATCH: 800000010280b033
+ GPR00: c000000000034728 c000000f65a17c80 c000000001662800 00007fffacf3fd78
+ GPR04: 0000000000001000 0000000000001000 0000000000000000 c000000f611f8af0
+ GPR08: 0000000000000000 0000000078006001 0000000000000000 000c000000000000
+ GPR12: c000000f611f84b0 c00000003ffcb200 0000000000000000 0000000000000000
+ GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+ GPR20: 0000000000000000 0000000000000000 0000000000000000 c000000f611f8140
+ GPR24: 0000000000000000 00007fffacf3fd68 c000000f65a17d90 c000000f611f7800
+ GPR28: c000000f65a17e90 c000000f65a17e90 c000000001685e18 00007fffacf3f000
+ NIP [c00000000000de44] fast_exception_return+0xf4/0x1b0
+ LR [c000000000034728] handle_rt_signal64+0x78/0xc50
+ Call Trace:
+ [c000000f65a17c80] [c000000000034710] handle_rt_signal64+0x60/0xc50 (unreliable)
+ [c000000f65a17d30] [c000000000023640] do_notify_resume+0x330/0x460
+ [c000000f65a17e20] [c00000000000dcc4] ret_from_except_lite+0x70/0x74
+ Instruction dump:
+ 7c4ff120 e8410170 7c5a03a6 38400000 f8410060 e8010070 e8410080 e8610088
+ 60000000 60000000 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed0989
+ ---[ end trace 93094aa44b442f87 ]---
+
+The simplified sequence of events that triggers the above exception is:
+
+ ... # userspace in NON-TRANSACTIONAL state
+ tbegin # userspace in TRANSACTIONAL state
+ signal delivery # kernelspace in SUSPENDED state
+ handle_rt_signal64()
+ get_tm_stackpointer()
+ treclaim # kernelspace in NON-TRANSACTIONAL state
+ __put_user()
+ page fault happens. We will never get back here because of the TM Bad Thing exception.
+
+ page fault handling kicks in and we voluntarily preempt ourselves
+ do_page_fault()
+ __schedule()
+ __switch_to(other_task)
+
+ our task is rescheduled and we recheckpoint because the thread's MSR[TS] was not cleared
+ __switch_to(our_task)
+ switch_to_tm()
+ tm_recheckpoint_new_task()
+ trechkpt # kernelspace in SUSPENDED state
+
+ The page fault handling resumes, but now we are in suspended transaction state
+ do_page_fault() completes
+ rfid <----- trying to get back where the page fault happened (we were non-transactional back then)
+ TM Bad Thing # illegal transition from suspended to non-transactional
+
+This patch fixes that issue by clearing the current thread's MSR[TS]
+just after treclaim in get_tm_stackpointer() so that we stay in
+non-transactional state in case we are preempted. In order to make
+treclaim and clearing the thread's MSR[TS] atomic from a preemption
+perspective when CONFIG_PREEMPT is set, preempt_disable/enable() is
+used. It's also necessary to save the previous value of the thread's
+MSR before get_tm_stackpointer() is called so that it can be exposed
+to the signal handler later in setup_tm_sigcontexts() to inform the
+userspace MSR at the moment of the signal delivery.
+
+Found with tm-signal-context-force-tm kernel selftest.
+
+Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
+Cc: stable@vger.kernel.org # v3.9
+Signed-off-by: Gustavo Luiz Duarte <gustavold@linux.ibm.com>
+Acked-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200211033831.11165-1-gustavold@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/signal.c | 17 +++++++++++++++--
+ arch/powerpc/kernel/signal_32.c | 28 ++++++++++++++--------------
+ arch/powerpc/kernel/signal_64.c | 22 ++++++++++------------
+ 3 files changed, 39 insertions(+), 28 deletions(-)
+
+--- a/arch/powerpc/kernel/signal.c
++++ b/arch/powerpc/kernel/signal.c
+@@ -200,14 +200,27 @@ unsigned long get_tm_stackpointer(struct
+ * normal/non-checkpointed stack pointer.
+ */
+
++ unsigned long ret = tsk->thread.regs->gpr[1];
++
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ BUG_ON(tsk != current);
+
+ if (MSR_TM_ACTIVE(tsk->thread.regs->msr)) {
++ preempt_disable();
+ tm_reclaim_current(TM_CAUSE_SIGNAL);
+ if (MSR_TM_TRANSACTIONAL(tsk->thread.regs->msr))
+- return tsk->thread.ckpt_regs.gpr[1];
++ ret = tsk->thread.ckpt_regs.gpr[1];
++
++ /*
++ * If we treclaim, we must clear the current thread's TM bits
++ * before re-enabling preemption. Otherwise we might be
++ * preempted and have the live MSR[TS] changed behind our back
++ * (tm_recheckpoint_new_task() would recheckpoint). Besides, we
++ * enter the signal handler in non-transactional state.
++ */
++ tsk->thread.regs->msr &= ~MSR_TS_MASK;
++ preempt_enable();
+ }
+ #endif
+- return tsk->thread.regs->gpr[1];
++ return ret;
+ }
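Review bot: get_tm_stackpointer() now clears MSR[TS] in `tsk->thread.regs->msr`, a side effect its name does not suggest and that the function's header comment (which starts above the hunk) should state. Every caller that needs the pre-signal MSR has to read it before this call; the signal_32.c and signal_64.c hunks do that with a local `msr`, but only a per-caller comment records the ordering. I would add to the header comment something like `Side effect: clears MSR[TS] in the thread's regs; read regs->msr before calling if the original value is needed.` The ordering matters for robustness, since the commit message shows that a stale TS bit ends in an unrecoverable TM Bad Thing oops.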
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -493,19 +493,11 @@ static int save_user_regs(struct pt_regs
+ */
+ static int save_tm_user_regs(struct pt_regs *regs,
+ struct mcontext __user *frame,
+- struct mcontext __user *tm_frame, int sigret)
++ struct mcontext __user *tm_frame, int sigret,
++ unsigned long msr)
+ {
+- unsigned long msr = regs->msr;
+-
+ WARN_ON(tm_suspend_disabled);
+
+- /* Remove TM bits from thread's MSR. The MSR in the sigcontext
+- * just indicates to userland that we were doing a transaction, but we
+- * don't want to return in transactional state. This also ensures
+- * that flush_fp_to_thread won't set TIF_RESTORE_TM again.
+- */
+- regs->msr &= ~MSR_TS_MASK;
+-
+ /* Save both sets of general registers */
+ if (save_general_regs(¤t->thread.ckpt_regs, frame)
+ || save_general_regs(regs, tm_frame))
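Review bot: The comment removed together with `regs->msr &= ~MSR_TS_MASK;` also recorded that clearing the TM bits keeps flush_fp_to_thread from setting TIF_RESTORE_TM again, and that rationale does not reappear in the new comment in get_tm_stackpointer(). If it still holds, it is worth carrying over, for example as a closing sentence `This also ensures that flush_fp_to_thread won't set TIF_RESTORE_TM again.` in the signal.c comment; the same text is dropped from setup_tm_sigcontexts() in signal_64.c. The new `msr` parameter is a snapshot taken by the caller before the thread's MSR is modified, which the function's header comment (ending at the top of this hunk) could say as well.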
+@@ -916,6 +908,10 @@ int handle_rt_signal32(struct ksignal *k
+ int sigret;
+ unsigned long tramp;
+ struct pt_regs *regs = tsk->thread.regs;
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++ /* Save the thread's msr before get_tm_stackpointer() changes it */
++ unsigned long msr = regs->msr;
++#endif
+
+ BUG_ON(tsk != current);
+
+@@ -948,13 +944,13 @@ int handle_rt_signal32(struct ksignal *k
+
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ tm_frame = &rt_sf->uc_transact.uc_mcontext;
+- if (MSR_TM_ACTIVE(regs->msr)) {
++ if (MSR_TM_ACTIVE(msr)) {
+ if (__put_user((unsigned long)&rt_sf->uc_transact,
+ &rt_sf->uc.uc_link) ||
+ __put_user((unsigned long)tm_frame,
+ &rt_sf->uc_transact.uc_regs))
+ goto badframe;
+- if (save_tm_user_regs(regs, frame, tm_frame, sigret))
++ if (save_tm_user_regs(regs, frame, tm_frame, sigret, msr))
+ goto badframe;
+ }
+ else
+@@ -1365,6 +1361,10 @@ int handle_signal32(struct ksignal *ksig
+ int sigret;
+ unsigned long tramp;
+ struct pt_regs *regs = tsk->thread.regs;
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++ /* Save the thread's msr before get_tm_stackpointer() changes it */
++ unsigned long msr = regs->msr;
++#endif
+
+ BUG_ON(tsk != current);
+
+@@ -1398,9 +1398,9 @@ int handle_signal32(struct ksignal *ksig
+
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ tm_mctx = &frame->mctx_transact;
+- if (MSR_TM_ACTIVE(regs->msr)) {
++ if (MSR_TM_ACTIVE(msr)) {
+ if (save_tm_user_regs(regs, &frame->mctx, &frame->mctx_transact,
+- sigret))
++ sigret, msr))
+ goto badframe;
+ }
+ else
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -196,7 +196,8 @@ static long setup_sigcontext(struct sigc
+ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+ struct sigcontext __user *tm_sc,
+ struct task_struct *tsk,
+- int signr, sigset_t *set, unsigned long handler)
++ int signr, sigset_t *set, unsigned long handler,
++ unsigned long msr)
+ {
+ /* When CONFIG_ALTIVEC is set, we _always_ setup v_regs even if the
+ * process never used altivec yet (MSR_VEC is zero in pt_regs of
+@@ -211,12 +212,11 @@ static long setup_tm_sigcontexts(struct
+ elf_vrreg_t __user *tm_v_regs = sigcontext_vmx_regs(tm_sc);
+ #endif
+ struct pt_regs *regs = tsk->thread.regs;
+- unsigned long msr = tsk->thread.regs->msr;
+ long err = 0;
+
+ BUG_ON(tsk != current);
+
+- BUG_ON(!MSR_TM_ACTIVE(regs->msr));
++ BUG_ON(!MSR_TM_ACTIVE(msr));
+
+ WARN_ON(tm_suspend_disabled);
+
+@@ -226,13 +226,6 @@ static long setup_tm_sigcontexts(struct
+ */
+ msr |= tsk->thread.ckpt_regs.msr & (MSR_FP | MSR_VEC | MSR_VSX);
+
+- /* Remove TM bits from thread's MSR. The MSR in the sigcontext
+- * just indicates to userland that we were doing a transaction, but we
+- * don't want to return in transactional state. This also ensures
+- * that flush_fp_to_thread won't set TIF_RESTORE_TM again.
+- */
+- regs->msr &= ~MSR_TS_MASK;
+-
+ #ifdef CONFIG_ALTIVEC
+ err |= __put_user(v_regs, &sc->v_regs);
+ err |= __put_user(tm_v_regs, &tm_sc->v_regs);
+@@ -803,6 +796,10 @@ int handle_rt_signal64(struct ksignal *k
+ unsigned long newsp = 0;
+ long err = 0;
+ struct pt_regs *regs = tsk->thread.regs;
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++ /* Save the thread's msr before get_tm_stackpointer() changes it */
++ unsigned long msr = regs->msr;
++#endif
+
+ BUG_ON(tsk != current);
+
+@@ -820,7 +817,7 @@ int handle_rt_signal64(struct ksignal *k
+ err |= __put_user(0, &frame->uc.uc_flags);
+ err |= __save_altstack(&frame->uc.uc_stack, regs->gpr[1]);
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+- if (MSR_TM_ACTIVE(regs->msr)) {
++ if (MSR_TM_ACTIVE(msr)) {
+ /* The ucontext_t passed to userland points to the second
+ * ucontext_t (for transactional state) with its uc_link ptr.
+ */
+@@ -828,7 +825,8 @@ int handle_rt_signal64(struct ksignal *k
+ err |= setup_tm_sigcontexts(&frame->uc.uc_mcontext,
+ &frame->uc_transact.uc_mcontext,
+ tsk, ksig->sig, NULL,
+- (unsigned long)ksig->ka.sa.sa_handler);
++ (unsigned long)ksig->ka.sa.sa_handler,
++ msr);
+ } else
+ #endif
+ {
--- /dev/null
+From edf28f4061afe4c2d9eb1c3323d90e882c1d6800 Mon Sep 17 00:00:00 2001
+From: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
+Date: Thu, 20 Feb 2020 20:04:00 -0800
+Subject: Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()"
+
+From: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
+
+commit edf28f4061afe4c2d9eb1c3323d90e882c1d6800 upstream.
+
+This reverts commit a97955844807e327df11aa33869009d14d6b7de0.
+
+Commit a97955844807 ("ipc,sem: remove uneeded sem_undo_list lock usage
+in exit_sem()") removes a lock that is needed. This leads to a process
+looping infinitely in exit_sem() and can also lead to a crash. There is
+a reproducer available in [1] and with the commit reverted the issue
+does not reproduce anymore.
+
+Using the reproducer found in [1] is fairly easy to reach a point where
+one of the child processes is looping infinitely in exit_sem between
+for(;;) and if (semid == -1) block, while it's trying to free its last
+sem_undo structure which has already been freed by freeary().
+
+Each sem_undo struct is on two lists: one per semaphore set (list_id)
+and one per process (list_proc). The list_id list tracks undos by
+semaphore set, and the list_proc by process.
+
+Undo structures are removed either by freeary() or by exit_sem(). The
+freeary function is invoked when the user invokes a syscall to remove a
+semaphore set. During this operation freeary() traverses the list_id
+associated with the semaphore set and removes the undo structures from
+both the list_id and list_proc lists.
+
+For this case, exit_sem() is called at process exit. Each process
+contains a struct sem_undo_list (referred to as "ulp") which contains
+the head for the list_proc list. When the process exits, exit_sem()
+traverses this list to remove each sem_undo struct. As in freeary(),
+whenever a sem_undo struct is removed from list_proc, it is also removed
+from the list_id list.
+
+Removing elements from list_id is safe for both exit_sem() and freeary()
+due to sem_lock(). Removing elements from list_proc is not safe;
+freeary() locks &un->ulp->lock when it performs
+list_del_rcu(&un->list_proc) but exit_sem() does not (locking was
+removed by commit a97955844807 ("ipc,sem: remove uneeded sem_undo_list
+lock usage in exit_sem()").
+
+This can result in the following situation while executing the
+reproducer [1] : Consider a child process in exit_sem() and the parent
+in freeary() (because of semctl(sid[i], NSEM, IPC_RMID)).
+
+ - The list_proc for the child contains the last two undo structs A and
+ B (the rest have been removed either by exit_sem() or freeary()).
+
+ - The semid for A is 1 and semid for B is 2.
+
+ - exit_sem() removes A and at the same time freeary() removes B.
+
+ - Since A and B have different semid sem_lock() will acquire different
+ locks for each process and both can proceed.
+
+The bug is that they remove A and B from the same list_proc at the same
+time because only freeary() acquires the ulp lock. When exit_sem()
+removes A it makes ulp->list_proc.next to point at B and at the same
+time freeary() removes B setting B->semid=-1.
+
+At the next iteration of for(;;) loop exit_sem() will try to remove B.
+
+The only way to break from for(;;) is for (&un->list_proc ==
+&ulp->list_proc) to be true which is not. Then exit_sem() will check if
+B->semid=-1 which is and will continue looping in for(;;) until the
+memory for B is reallocated and the value at B->semid is changed.
+
+At that point, exit_sem() will crash attempting to unlink B from the
+lists (this can be easily triggered by running the reproducer [1] a
+second time).
+
+To prove this scenario instrumentation was added to keep information
+about each sem_undo (un) struct that is removed per process and per
+semaphore set (sma).
+
+ CPU0 CPU1
+ [caller holds sem_lock(sma for A)] ...
+ freeary() exit_sem()
+ ... ...
+ ... sem_lock(sma for B)
+ spin_lock(A->ulp->lock) ...
+ list_del_rcu(un_A->list_proc) list_del_rcu(un_B->list_proc)
+
+Undo structures A and B have different semid and sem_lock() operations
+proceed. However they belong to the same list_proc list and they are
+removed at the same time. This results into ulp->list_proc.next
+pointing to the address of B which is already removed.
+
+After reverting commit a97955844807 ("ipc,sem: remove uneeded
+sem_undo_list lock usage in exit_sem()") the issue was no longer
+reproducible.
+
+[1] https://bugzilla.redhat.com/show_bug.cgi?id=1694779
+
+Link: http://lkml.kernel.org/r/20191211191318.11860-1-ioanna-maria.alifieraki@canonical.com
+Fixes: a97955844807 ("ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()")
+Signed-off-by: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
+Acked-by: Manfred Spraul <manfred@colorfullife.com>
+Acked-by: Herton R. Krzesinski <herton@redhat.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: <malat@debian.org>
+Cc: Joel Fernandes (Google) <joel@joelfernandes.org>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Jay Vosburgh <jay.vosburgh@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/sem.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -2345,11 +2345,9 @@ void exit_sem(struct task_struct *tsk)
+ ipc_assert_locked_object(&sma->sem_perm);
+ list_del(&un->list_id);
+
+- /* we are the last process using this ulp, acquiring ulp->lock
+- * isn't required. Besides that, we are also protected against
+- * IPC_RMID as we hold sma->sem_perm lock now
+- */
++ spin_lock(&ulp->lock);
+ list_del_rcu(&un->list_proc);
++ spin_unlock(&ulp->lock);
+
+ /* perform adjustments registered in un */
+ for (i = 0; i < sma->sem_nsems; i++) {
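Review bot: The revert restores `spin_lock(&ulp->lock)` around `list_del_rcu(&un->list_proc)` but leaves the locking rule undocumented, and the comment it removes is what justified dropping the lock in the first place. Per the commit message, freeary() unlinks entries from the same list_proc under `un->ulp->lock` while holding a different semaphore-set lock, so sem_lock() alone does not serialise the two. I would add `/* freeary() removes entries from list_proc under ulp->lock; sem_lock() does not cover this list */` above the `spin_lock()` so the lock is not removed as unneeded again. exit_sem() starts and ends outside the hunk.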
--- /dev/null
+From 0c5aae59270fb1f827acce182786094c9ccf598e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 10 Feb 2020 15:57:30 +0100
+Subject: serdev: ttyport: restore client ops on deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 0c5aae59270fb1f827acce182786094c9ccf598e upstream.
+
+The serdev tty-port controller driver should reset the tty-port client
+operations also on deregistration to avoid a NULL-pointer dereference in
+case the port is later re-registered as a normal tty device.
+
+Note that this can only happen with tty drivers such as 8250 which have
+statically allocated port structures that can end up being reused and
+where a later registration would not register a serdev controller (e.g.
+due to registration errors or if the devicetree has been changed in
+between).
+
+Specifically, this can be an issue for any statically defined ports that
+would be registered by 8250 core when an 8250 driver is being unbound.
+
+Fixes: bed35c6dfa6a ("serdev: add a tty port controller driver")
+Cc: stable <stable@vger.kernel.org> # 4.11
+Reported-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20200210145730.22762-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serdev/serdev-ttyport.c | 6 ++----
+ drivers/tty/tty_port.c | 5 +++--
+ include/linux/tty.h | 2 ++
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/serdev/serdev-ttyport.c
++++ b/drivers/tty/serdev/serdev-ttyport.c
+@@ -265,7 +265,6 @@ struct device *serdev_tty_port_register(
+ struct device *parent,
+ struct tty_driver *drv, int idx)
+ {
+- const struct tty_port_client_operations *old_ops;
+ struct serdev_controller *ctrl;
+ struct serport *serport;
+ int ret;
+@@ -284,7 +283,6 @@ struct device *serdev_tty_port_register(
+
+ ctrl->ops = &ctrl_ops;
+
+- old_ops = port->client_ops;
+ port->client_ops = &client_ops;
+ port->client_data = ctrl;
+
+@@ -297,7 +295,7 @@ struct device *serdev_tty_port_register(
+
+ err_reset_data:
+ port->client_data = NULL;
+- port->client_ops = old_ops;
++ port->client_ops = &tty_port_default_client_ops;
+ serdev_controller_put(ctrl);
+
+ return ERR_PTR(ret);
+@@ -312,8 +310,8 @@ int serdev_tty_port_unregister(struct tt
+ return -ENODEV;
+
+ serdev_controller_remove(ctrl);
+- port->client_ops = NULL;
+ port->client_data = NULL;
++ port->client_ops = &tty_port_default_client_ops;
+ serdev_controller_put(ctrl);
+
+ return 0;
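Review bot: In `serdev_tty_port_unregister()` `port->client_data` is cleared before `port->client_ops` is switched back, so for a moment the serdev client ops are still installed with a NULL `client_data`; the `err_reset_data` path in `serdev_tty_port_register()` uses the same order. No lock is visible around the two stores and the serdev callbacks are not shown, so whether one of them can run in that window and dereference `client_data` needs confirming. Restoring the ops first would avoid the question: `port->client_ops = &tty_port_default_client_ops;` followed by `port->client_data = NULL;`. Both functions start outside their hunks.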
+--- a/drivers/tty/tty_port.c
++++ b/drivers/tty/tty_port.c
+@@ -52,10 +52,11 @@ static void tty_port_default_wakeup(stru
+ }
+ }
+
+-static const struct tty_port_client_operations default_client_ops = {
++const struct tty_port_client_operations tty_port_default_client_ops = {
+ .receive_buf = tty_port_default_receive_buf,
+ .write_wakeup = tty_port_default_wakeup,
+ };
++EXPORT_SYMBOL_GPL(tty_port_default_client_ops);
+
+ void tty_port_init(struct tty_port *port)
+ {
+@@ -68,7 +69,7 @@ void tty_port_init(struct tty_port *port
+ spin_lock_init(&port->lock);
+ port->close_delay = (50 * HZ) / 100;
+ port->closing_wait = (3000 * HZ) / 100;
+- port->client_ops = &default_client_ops;
++ port->client_ops = &tty_port_default_client_ops;
+ kref_init(&port->kref);
+ }
+ EXPORT_SYMBOL(tty_port_init);
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -225,6 +225,8 @@ struct tty_port_client_operations {
+ void (*write_wakeup)(struct tty_port *port);
+ };
+
++extern const struct tty_port_client_operations tty_port_default_client_ops;
++
+ struct tty_port {
+ struct tty_bufhead buf; /* Locked internally */
+ struct tty_struct *tty; /* Back pointer */
--- /dev/null
+From 7febbcbc48fc92e3f33863b32ed715ba4aff18c4 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Tue, 11 Feb 2020 15:55:59 +0200
+Subject: serial: 8250: Check UPF_IRQ_SHARED in advance
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 7febbcbc48fc92e3f33863b32ed715ba4aff18c4 upstream.
+
+The commit 54e53b2e8081
+ ("tty: serial: 8250: pass IRQ shared flag to UART ports")
+nicely explained the problem:
+
+---8<---8<---
+
+On some systems IRQ lines between multiple UARTs might be shared. If so, the
+irqflags have to be configured accordingly. The reason is: The 8250 port startup
+code performs IRQ tests *before* the IRQ handler for that particular port is
+registered. This is performed in serial8250_do_startup(). This function checks
+whether IRQF_SHARED is configured and only then disables the IRQ line while
+testing.
+
+This test is performed upon each open() of the UART device. Imagine two UARTs
+share the same IRQ line: On is already opened and the IRQ is active. When the
+second UART is opened, the IRQ line has to be disabled while performing IRQ
+tests. Otherwise an IRQ might handler might be invoked, but the IRQ itself
+cannot be handled, because the corresponding handler isn't registered,
+yet. That's because the 8250 code uses a chain-handler and invokes the
+corresponding port's IRQ handling routines himself.
+
+Unfortunately this IRQF_SHARED flag isn't configured for UARTs probed via device
+tree even if the IRQs are shared. This way, the actual and shared IRQ line isn't
+disabled while performing tests and the kernel correctly detects a spurious
+IRQ. So, adding this flag to the DT probe solves the issue.
+
+Note: The UPF_SHARE_IRQ flag is configured unconditionally. Therefore, the
+IRQF_SHARED flag can be set unconditionally as well.
+
+Example stack trace by performing `echo 1 > /dev/ttyS2` on a non-patched system:
+
+|irq 85: nobody cared (try booting with the "irqpoll" option)
+| [...]
+|handlers:
+|[<ffff0000080fc628>] irq_default_primary_handler threaded [<ffff00000855fbb8>] serial8250_interrupt
+|Disabling IRQ #85
+
+---8<---8<---
+
+But unfortunately didn't fix the root cause. Let's try again here by moving
+IRQ flag assignment from serial_link_irq_chain() to serial8250_do_startup().
+
+This should fix the similar issue reported for 8250_pnp case.
+
+Since this change we don't need to have custom solutions in 8250_aspeed_vuart
+and 8250_of drivers, thus, drop them.
+
+Fixes: 1c2f04937b3e ("serial: 8250: add IRQ trigger support")
+Reported-by: Li RongQing <lirongqing@baidu.com>
+Cc: Kurt Kanzenbach <kurt@linutronix.de>
+Cc: Vikram Pandita <vikram.pandita@ti.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Kurt Kanzenbach <kurt@linutronix.de>
+Link: https://lore.kernel.org/r/20200211135559.85960-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_aspeed_vuart.c | 1 -
+ drivers/tty/serial/8250/8250_core.c | 5 ++---
+ drivers/tty/serial/8250/8250_of.c | 1 -
+ drivers/tty/serial/8250/8250_port.c | 4 ++++
+ 4 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_aspeed_vuart.c
++++ b/drivers/tty/serial/8250/8250_aspeed_vuart.c
+@@ -375,7 +375,6 @@ static int aspeed_vuart_probe(struct pla
+ port.port.line = rc;
+
+ port.port.irq = irq_of_parse_and_map(np, 0);
+- port.port.irqflags = IRQF_SHARED;
+ port.port.handle_irq = aspeed_vuart_handle_irq;
+ port.port.iotype = UPIO_MEM;
+ port.port.type = PORT_16550A;
+--- a/drivers/tty/serial/8250/8250_core.c
++++ b/drivers/tty/serial/8250/8250_core.c
+@@ -177,7 +177,7 @@ static int serial_link_irq_chain(struct
+ struct hlist_head *h;
+ struct hlist_node *n;
+ struct irq_info *i;
+- int ret, irq_flags = up->port.flags & UPF_SHARE_IRQ ? IRQF_SHARED : 0;
++ int ret;
+
+ mutex_lock(&hash_mutex);
+
+@@ -212,9 +212,8 @@ static int serial_link_irq_chain(struct
+ INIT_LIST_HEAD(&up->list);
+ i->head = &up->list;
+ spin_unlock_irq(&i->lock);
+- irq_flags |= up->port.irqflags;
+ ret = request_irq(up->port.irq, serial8250_interrupt,
+- irq_flags, up->port.name, i);
++ up->port.irqflags, up->port.name, i);
+ if (ret < 0)
+ serial_do_unlink(i, up);
+ }
+--- a/drivers/tty/serial/8250/8250_of.c
++++ b/drivers/tty/serial/8250/8250_of.c
+@@ -171,7 +171,6 @@ static int of_platform_serial_setup(stru
+
+ port->type = type;
+ port->uartclk = clk;
+- port->irqflags |= IRQF_SHARED;
+
+ if (of_property_read_bool(np, "no-loopback-test"))
+ port->flags |= UPF_SKIP_TEST;
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -2253,6 +2253,10 @@ int serial8250_do_startup(struct uart_po
+ }
+ }
+
++ /* Check if we need to have shared IRQs */
++ if (port->irq && (up->port.flags & UPF_SHARE_IRQ))
++ up->port.irqflags |= IRQF_SHARED;
++
+ if (port->irq && !(up->port.flags & UPF_NO_THRE_TEST)) {
+ unsigned char iir1;
+ /*
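Review bot: `up->port.irqflags |= IRQF_SHARED` stores the flag in the port, whereas the code removed from `serial_link_irq_chain()` derived it from `UPF_SHARE_IRQ` on every call; once set it is never cleared, so a port whose `UPF_SHARE_IRQ` is dropped later would keep requesting a shared IRQ. Whether that flag can change after the first startup is not visible here, so either confirm it or state the assumption in the comment, e.g. `/* UPF_SHARE_IRQ is fixed at probe time; IRQF_SHARED stays set once added */`. The added condition also mixes `port->irq` with `up->port.flags` for what appears to be the same structure; using `port->` throughout the new lines would read better. serial8250_do_startup() continues outside the hunk.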
staging-rtl8188eu-fix-potential-overuse-of-kernel-memory.patch
staging-rtl8723bs-fix-potential-security-hole.patch
staging-rtl8723bs-fix-potential-overuse-of-kernel-memory.patch
+powerpc-tm-fix-clearing-msr-in-current-when-reclaiming-on-signal-delivery.patch
+jbd2-fix-ocfs2-corrupt-when-clearing-block-group-bits.patch
+x86-mce-amd-publish-the-bank-pointer-only-after-setup-has-succeeded.patch
+x86-mce-amd-fix-kobject-lifetime.patch
+x86-cpu-amd-enable-the-fixed-instructions-retired-counter-irperf.patch
+serial-8250-check-upf_irq_shared-in-advance.patch
+tty-serial-atmel-manage-shutdown-in-case-of-rs485-or-iso7816-mode.patch
+tty-serial-imx-setup-the-correct-sg-entry-for-tx-dma.patch
+serdev-ttyport-restore-client-ops-on-deregistration.patch
+maintainers-update-drm-i915-bug-filing-url.patch
+revert-ipc-sem-remove-uneeded-sem_undo_list-lock-usage-in-exit_sem.patch
+mm-memcontrol.c-lost-css_put-in-memcg_expand_shrinker_maps.patch
+nvme-multipath-fix-memory-leak-with-ana_log_buf.patch
+genirq-irqdomain-make-sure-all-irq-domain-flags-are-distinct.patch
--- /dev/null
+From 04b5bfe3dc94e64d0590c54045815cb5183fb095 Mon Sep 17 00:00:00 2001
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+Date: Mon, 10 Feb 2020 16:20:53 +0100
+Subject: tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode
+
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+
+commit 04b5bfe3dc94e64d0590c54045815cb5183fb095 upstream.
+
+In atmel_shutdown() we call atmel_stop_rx() and atmel_stop_tx() functions.
+Prevent the rx restart that is implemented in RS485 or ISO7816 modes when
+calling atmel_stop_tx() by using the atomic information tasklet_shutdown
+that is already in place for this purpose.
+
+Fixes: 98f2082c3ac4 ("tty/serial: atmel: enforce tasklet init and termination sequences")
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200210152053.8289-1-nicolas.ferre@microchip.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/atmel_serial.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -490,7 +490,8 @@ static void atmel_stop_tx(struct uart_po
+ atmel_uart_writel(port, ATMEL_US_IDR, atmel_port->tx_done_mask);
+
+ if (atmel_uart_is_half_duplex(port))
+- atmel_start_rx(port);
++ if (!atomic_read(&atmel_port->tasklet_shutdown))
++ atmel_start_rx(port);
+
+ }
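Review bot: The nested `if` without braces in `atmel_stop_tx()` is easy to break when a statement or an `else` is added later, and it expresses a single condition; one test is clearer: `if (atmel_uart_is_half_duplex(port) && !atomic_read(&atmel_port->tasklet_shutdown))` followed by `atmel_start_rx(port);`. A one-line comment such as `/* do not restart rx while the port is being shut down */` would also record why the flag is checked. The function starts outside the hunk.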
+
--- /dev/null
+From f76707831829530ffdd3888bebc108aecefccaa0 Mon Sep 17 00:00:00 2001
+From: Fugang Duan <fugang.duan@nxp.com>
+Date: Tue, 11 Feb 2020 14:16:01 +0800
+Subject: tty: serial: imx: setup the correct sg entry for tx dma
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fugang Duan <fugang.duan@nxp.com>
+
+commit f76707831829530ffdd3888bebc108aecefccaa0 upstream.
+
+There has oops as below happen on i.MX8MP EVK platform that has
+6G bytes DDR memory.
+
+when (xmit->tail < xmit->head) && (xmit->head == 0),
+it setups one sg entry with sg->length is zero:
+ sg_set_buf(sgl + 1, xmit->buf, xmit->head);
+
+if xmit->buf is allocated from >4G address space, and SDMA only
+support <4G address space, then dma_map_sg() will call swiotlb_map()
+to do bounce buffer copying and mapping.
+
+But swiotlb_map() don't allow sg entry's length is zero, otherwise
+report BUG_ON().
+
+So the patch is to correct the tx DMA scatter list.
+
+Oops:
+[ 287.675715] kernel BUG at kernel/dma/swiotlb.c:497!
+[ 287.680592] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+[ 287.686075] Modules linked in:
+[ 287.689133] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.3-00016-g3fdc4e0-dirty #10
+[ 287.696872] Hardware name: FSL i.MX8MP EVK (DT)
+[ 287.701402] pstate: 80000085 (Nzcv daIf -PAN -UAO)
+[ 287.706199] pc : swiotlb_tbl_map_single+0x1fc/0x310
+[ 287.711076] lr : swiotlb_map+0x60/0x148
+[ 287.714909] sp : ffff800010003c00
+[ 287.718221] x29: ffff800010003c00 x28: 0000000000000000
+[ 287.723533] x27: 0000000000000040 x26: ffff800011ae0000
+[ 287.728844] x25: ffff800011ae09f8 x24: 0000000000000000
+[ 287.734155] x23: 00000001b7af9000 x22: 0000000000000000
+[ 287.739465] x21: ffff000176409c10 x20: 00000000001f7ffe
+[ 287.744776] x19: ffff000176409c10 x18: 000000000000002e
+[ 287.750087] x17: 0000000000000000 x16: 0000000000000000
+[ 287.755397] x15: 0000000000000000 x14: 0000000000000000
+[ 287.760707] x13: ffff00017f334000 x12: 0000000000000001
+[ 287.766018] x11: 00000000001fffff x10: 0000000000000000
+[ 287.771328] x9 : 0000000000000003 x8 : 0000000000000000
+[ 287.776638] x7 : 0000000000000000 x6 : 0000000000000000
+[ 287.781949] x5 : 0000000000200000 x4 : 0000000000000000
+[ 287.787259] x3 : 0000000000000001 x2 : 00000001b7af9000
+[ 287.792570] x1 : 00000000fbfff000 x0 : 0000000000000000
+[ 287.797881] Call trace:
+[ 287.800328] swiotlb_tbl_map_single+0x1fc/0x310
+[ 287.804859] swiotlb_map+0x60/0x148
+[ 287.808347] dma_direct_map_page+0xf0/0x130
+[ 287.812530] dma_direct_map_sg+0x78/0xe0
+[ 287.816453] imx_uart_dma_tx+0x134/0x2f8
+[ 287.820374] imx_uart_dma_tx_callback+0xd8/0x168
+[ 287.824992] vchan_complete+0x194/0x200
+[ 287.828828] tasklet_action_common.isra.0+0x154/0x1a0
+[ 287.833879] tasklet_action+0x24/0x30
+[ 287.837540] __do_softirq+0x120/0x23c
+[ 287.841202] irq_exit+0xb8/0xd8
+[ 287.844343] __handle_domain_irq+0x64/0xb8
+[ 287.848438] gic_handle_irq+0x5c/0x148
+[ 287.852185] el1_irq+0xb8/0x180
+[ 287.855327] cpuidle_enter_state+0x84/0x360
+[ 287.859508] cpuidle_enter+0x34/0x48
+[ 287.863083] call_cpuidle+0x18/0x38
+[ 287.866571] do_idle+0x1e0/0x280
+[ 287.869798] cpu_startup_entry+0x20/0x40
+[ 287.873721] rest_init+0xd4/0xe0
+[ 287.876949] arch_call_rest_init+0xc/0x14
+[ 287.880958] start_kernel+0x420/0x44c
+[ 287.884622] Code: 9124c021 9417aff8 a94363f7 17ffffd5 (d4210000)
+[ 287.890718] ---[ end trace 5bc44c4ab6b009ce ]---
+[ 287.895334] Kernel panic - not syncing: Fatal exception in interrupt
+[ 287.901686] SMP: stopping secondary CPUs
+[ 288.905607] SMP: failed to stop secondary CPUs 0-1
+[ 288.910395] Kernel Offset: disabled
+[ 288.913882] CPU features: 0x0002,2000200c
+[ 288.917888] Memory Limit: none
+[ 288.920944] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
+
+Reported-by: Eagle Zhou <eagle.zhou@nxp.com>
+Tested-by: Eagle Zhou <eagle.zhou@nxp.com>
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Cc: stable <stable@vger.kernel.org>
+Fixes: 7942f8577f2a ("serial: imx: TX DMA: clean up sg initialization")
+Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/1581401761-6378-1-git-send-email-fugang.duan@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/imx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -608,7 +608,7 @@ static void imx_uart_dma_tx(struct imx_p
+
+ sport->tx_bytes = uart_circ_chars_pending(xmit);
+
+- if (xmit->tail < xmit->head) {
++ if (xmit->tail < xmit->head || xmit->head == 0) {
+ sport->dma_tx_nents = 1;
+ sg_init_one(sgl, xmit->buf + xmit->tail, sport->tx_bytes);
+ } else {
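Review bot: The added `xmit->head == 0` test has no comment, and its purpose cannot be read from the condition alone. According to the commit message, with `head == 0` the second scatterlist entry would be built with length zero, which swiotlb rejects with a BUG; a comment such as `/* head == 0: data ends at the buffer end, a second sg entry would be empty */` would say so. The hunk does not show whether `sport->tx_bytes` can be zero on entry; if it can, `sg_init_one()` would still create a zero-length entry, so that is worth checking in the callers. imx_uart_dma_tx() starts and ends outside the hunk.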
--- /dev/null
+From 21b5ee59ef18e27d85810584caf1f7ddc705ea83 Mon Sep 17 00:00:00 2001
+From: Kim Phillips <kim.phillips@amd.com>
+Date: Wed, 19 Feb 2020 18:52:43 +0100
+Subject: x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+commit 21b5ee59ef18e27d85810584caf1f7ddc705ea83 upstream.
+
+Commit
+
+ aaf248848db50 ("perf/x86/msr: Add AMD IRPERF (Instructions Retired)
+ performance counter")
+
+added support for access to the free-running counter via 'perf -e
+msr/irperf/', but when exercised, it always returns a 0 count:
+
+BEFORE:
+
+ $ perf stat -e instructions,msr/irperf/ true
+
+ Performance counter stats for 'true':
+
+ 624,833 instructions
+ 0 msr/irperf/
+
+Simply set its enable bit - HWCR bit 30 - to make it start counting.
+
+Enablement is restricted to all machines advertising IRPERF capability,
+except those susceptible to an erratum that makes the IRPERF return
+bad values.
+
+That erratum occurs in Family 17h models 00-1fh [1], but not in F17h
+models 20h and above [2].
+
+AFTER (on a family 17h model 31h machine):
+
+ $ perf stat -e instructions,msr/irperf/ true
+
+ Performance counter stats for 'true':
+
+ 621,690 instructions
+ 622,490 msr/irperf/
+
+[1] Revision Guide for AMD Family 17h Models 00h-0Fh Processors
+[2] Revision Guide for AMD Family 17h Models 30h-3Fh Processors
+
+The revision guides are available from the bugzilla Link below.
+
+ [ bp: Massage commit message. ]
+
+Fixes: aaf248848db50 ("perf/x86/msr: Add AMD IRPERF (Instructions Retired) performance counter")
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537
+Link: http://lkml.kernel.org/r/20200214201805.13830-1-kim.phillips@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/msr-index.h | 2 ++
+ arch/x86/kernel/cpu/amd.c | 14 ++++++++++++++
+ 2 files changed, 16 insertions(+)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -455,6 +455,8 @@
+ #define MSR_K7_HWCR 0xc0010015
+ #define MSR_K7_HWCR_SMMLOCK_BIT 0
+ #define MSR_K7_HWCR_SMMLOCK BIT_ULL(MSR_K7_HWCR_SMMLOCK_BIT)
++#define MSR_K7_HWCR_IRPERF_EN_BIT 30
++#define MSR_K7_HWCR_IRPERF_EN BIT_ULL(MSR_K7_HWCR_IRPERF_EN_BIT)
+ #define MSR_K7_FID_VID_CTL 0xc0010041
+ #define MSR_K7_FID_VID_STATUS 0xc0010042
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -25,6 +25,7 @@
+
+ static const int amd_erratum_383[];
+ static const int amd_erratum_400[];
++static const int amd_erratum_1054[];
+ static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum);
+
+ /*
+@@ -983,6 +984,15 @@ static void init_amd(struct cpuinfo_x86
+ /* AMD CPUs don't reset SS attributes on SYSRET, Xen does. */
+ if (!cpu_has(c, X86_FEATURE_XENPV))
+ set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
++
++ /*
++ * Turn on the Instructions Retired free counter on machines not
++ * susceptible to erratum #1054 "Instructions Retired Performance
++ * Counter May Be Inaccurate".
++ */
++ if (cpu_has(c, X86_FEATURE_IRPERF) &&
++ !cpu_has_amd_erratum(c, amd_erratum_1054))
++ msr_set_bit(MSR_K7_HWCR, MSR_K7_HWCR_IRPERF_EN_BIT);
+ }
+
+ #ifdef CONFIG_X86_32
+@@ -1110,6 +1120,10 @@ static const int amd_erratum_400[] =
+ static const int amd_erratum_383[] =
+ AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf));
+
++/* #1054: Instructions Retired Performance Counter May Be Inaccurate */
++static const int amd_erratum_1054[] =
++ AMD_OSVW_ERRATUM(0, AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf));
++
+
+ static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum)
+ {
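Review bot: `amd_erratum_1054` covers family 17h models 00h through 2Fh, while the commit message says the erratum affects models 00-1Fh and not 20h and above, so one of the two is wrong and the comment above the table should state the intended range. The entry also uses `AMD_OSVW_ERRATUM(0, ...)`, which assigns the erratum OSVW id 0; the body of `cpu_has_amd_erratum()` is not shown in this hunk, but if it consults the OSVW status when an id is given, the model range is only a fallback and the result depends on a status bit that may belong to a different erratum. If #1054 has no OSVW id of its own, `AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf))` expresses that.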
--- /dev/null
+From 51dede9c05df2b78acd6dcf6a17d21f0877d2d7b Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Thu, 13 Feb 2020 19:01:34 +0100
+Subject: x86/mce/amd: Fix kobject lifetime
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 51dede9c05df2b78acd6dcf6a17d21f0877d2d7b upstream.
+
+Accessing the MCA thresholding controls in sysfs concurrently with CPU
+hotplug can lead to a couple of KASAN-reported issues:
+
+ BUG: KASAN: use-after-free in sysfs_file_ops+0x155/0x180
+ Read of size 8 at addr ffff888367578940 by task grep/4019
+
+and
+
+ BUG: KASAN: use-after-free in show_error_count+0x15c/0x180
+ Read of size 2 at addr ffff888368a05514 by task grep/4454
+
+for example. Both result from the fact that the threshold block
+creation/teardown code frees the descriptor memory itself instead of
+defining proper ->release function and leaving it to the driver core to
+take care of that, after all sysfs accesses have completed.
+
+Do that and get rid of the custom freeing code, fixing the above UAFs in
+the process.
+
+ [ bp: write commit message. ]
+
+Fixes: 95268664390b ("[PATCH] x86_64: mce_amd support for family 0x10 processors")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20200214082801.13836-1-bp@alien8.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce_amd.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
+@@ -1117,9 +1117,12 @@ static const struct sysfs_ops threshold_
+ .store = store,
+ };
+
++static void threshold_block_release(struct kobject *kobj);
++
+ static struct kobj_type threshold_ktype = {
+ .sysfs_ops = &threshold_ops,
+ .default_attrs = default_attrs,
++ .release = threshold_block_release,
+ };
+
+ static const char *get_name(unsigned int bank, struct threshold_block *b)
+@@ -1321,8 +1324,12 @@ static int threshold_create_bank(unsigne
+ return err;
+ }
+
+-static void deallocate_threshold_block(unsigned int cpu,
+- unsigned int bank)
++static void threshold_block_release(struct kobject *kobj)
++{
++ kfree(to_block(kobj));
++}
++
++static void deallocate_threshold_block(unsigned int cpu, unsigned int bank)
+ {
+ struct threshold_block *pos = NULL;
+ struct threshold_block *tmp = NULL;
+@@ -1332,13 +1339,11 @@ static void deallocate_threshold_block(u
+ return;
+
+ list_for_each_entry_safe(pos, tmp, &head->blocks->miscj, miscj) {
+- kobject_put(&pos->kobj);
+ list_del(&pos->miscj);
+- kfree(pos);
++ kobject_put(&pos->kobj);
+ }
+
+- kfree(per_cpu(threshold_banks, cpu)[bank]->blocks);
+- per_cpu(threshold_banks, cpu)[bank]->blocks = NULL;
++ kobject_put(&head->blocks->kobj);
+ }
+
+ static void __threshold_remove_blocks(struct threshold_bank *b)
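Review bot: After `kobject_put(&head->blocks->kobj)` the bank still holds `head->blocks`, which the removed lines used to reset to NULL; once the last reference is dropped `threshold_block_release()` frees that block and the pointer dangles. The caller is outside this hunk, so unless `head` itself is freed immediately afterwards, add `head->blocks = NULL;` after the final put. A one-line comment on `threshold_block_release()` saying that the block is freed only here, by the driver core after the last sysfs access, would also help keep manual `kfree()` calls from coming back.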
--- /dev/null
+From 6e5cf31fbe651bed7ba1df768f2e123531132417 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Tue, 4 Feb 2020 13:28:41 +0100
+Subject: x86/mce/amd: Publish the bank pointer only after setup has succeeded
+
+From: Borislav Petkov <bp@suse.de>
+
+commit 6e5cf31fbe651bed7ba1df768f2e123531132417 upstream.
+
+threshold_create_bank() creates a bank descriptor per MCA error
+thresholding counter which can be controlled over sysfs. It publishes
+the pointer to that bank in a per-CPU variable and then goes on to
+create additional thresholding blocks if the bank has such.
+
+However, that creation of additional blocks in
+allocate_threshold_blocks() can fail, leading to a use-after-free
+through the per-CPU pointer.
+
+Therefore, publish that pointer only after all blocks have been setup
+successfully.
+
+Fixes: 019f34fccfd5 ("x86, MCE, AMD: Move shared bank to node descriptor")
+Reported-by: Saar Amar <Saar.Amar@microsoft.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200128140846.phctkvx5btiexvbx@kili.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce_amd.c | 33 ++++++++++++++++-----------------
+ 1 file changed, 16 insertions(+), 17 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
+@@ -1152,8 +1152,9 @@ static const char *get_name(unsigned int
+ return buf_mcatype;
+ }
+
+-static int allocate_threshold_blocks(unsigned int cpu, unsigned int bank,
+- unsigned int block, u32 address)
++static int allocate_threshold_blocks(unsigned int cpu, struct threshold_bank *tb,
++ unsigned int bank, unsigned int block,
++ u32 address)
+ {
+ struct threshold_block *b = NULL;
+ u32 low, high;
+@@ -1197,16 +1198,12 @@ static int allocate_threshold_blocks(uns
+
+ INIT_LIST_HEAD(&b->miscj);
+
+- if (per_cpu(threshold_banks, cpu)[bank]->blocks) {
+- list_add(&b->miscj,
+- &per_cpu(threshold_banks, cpu)[bank]->blocks->miscj);
+- } else {
+- per_cpu(threshold_banks, cpu)[bank]->blocks = b;
+- }
++ if (tb->blocks)
++ list_add(&b->miscj, &tb->blocks->miscj);
++ else
++ tb->blocks = b;
+
+- err = kobject_init_and_add(&b->kobj, &threshold_ktype,
+- per_cpu(threshold_banks, cpu)[bank]->kobj,
+- get_name(bank, b));
++ err = kobject_init_and_add(&b->kobj, &threshold_ktype, tb->kobj, get_name(bank, b));
+ if (err)
+ goto out_free;
+ recurse:
+@@ -1214,7 +1211,7 @@ recurse:
+ if (!address)
+ return 0;
+
+- err = allocate_threshold_blocks(cpu, bank, block, address);
++ err = allocate_threshold_blocks(cpu, tb, bank, block, address);
+ if (err)
+ goto out_free;
+
+@@ -1299,8 +1296,6 @@ static int threshold_create_bank(unsigne
+ goto out_free;
+ }
+
+- per_cpu(threshold_banks, cpu)[bank] = b;
+-
+ if (is_shared_bank(bank)) {
+ refcount_set(&b->cpus, 1);
+
+@@ -1311,9 +1306,13 @@ static int threshold_create_bank(unsigne
+ }
+ }
+
+- err = allocate_threshold_blocks(cpu, bank, 0, msr_ops.misc(bank));
+- if (!err)
+- goto out;
++ err = allocate_threshold_blocks(cpu, b, bank, 0, msr_ops.misc(bank));
++ if (err)
++ goto out_free;
++
++ per_cpu(threshold_banks, cpu)[bank] = b;
++
++ return 0;
+
+ out_free:
+ kfree(b);
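Review bot: The new failure branch `goto out_free` runs after the `is_shared_bank()` branch, whose body lies between this hunk and the previous one and is not shown; if that branch stores `b` anywhere besides `threshold_banks`, that copy is left pointing at memory released by `kfree(b)`, which is the same use-after-free the commit closes for the per-CPU pointer. That is worth confirming before relying on the fix. A comment at the publish line would keep the ordering from being undone, for example `/* publish last: the bank must not be reachable until every block is set up */`. threshold_create_bank() continues outside the hunk.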