--- /dev/null
+From ddc204b517e60ae64db34f9832dc41dafa77c751 Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Tue, 8 Feb 2022 11:39:12 -0500
+Subject: copy_process(): Move fd_install() out of sighand->siglock critical section
+
+From: Waiman Long <longman@redhat.com>
+
+commit ddc204b517e60ae64db34f9832dc41dafa77c751 upstream.
+
+I was made aware of the following lockdep splat:
+
+[ 2516.308763] =====================================================
+[ 2516.309085] WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected
+[ 2516.309433] 5.14.0-51.el9.aarch64+debug #1 Not tainted
+[ 2516.309703] -----------------------------------------------------
+[ 2516.310149] stress-ng/153663 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
+[ 2516.310512] ffff0000e422b198 (&newf->file_lock){+.+.}-{2:2}, at: fd_install+0x368/0x4f0
+[ 2516.310944]
+ and this task is already holding:
+[ 2516.311248] ffff0000c08140d8 (&sighand->siglock){-.-.}-{2:2}, at: copy_process+0x1e2c/0x3e80
+[ 2516.311804] which would create a new lock dependency:
+[ 2516.312066] (&sighand->siglock){-.-.}-{2:2} -> (&newf->file_lock){+.+.}-{2:2}
+[ 2516.312446]
+ but this new dependency connects a HARDIRQ-irq-safe lock:
+[ 2516.312983] (&sighand->siglock){-.-.}-{2:2}
+ :
+[ 2516.330700] Possible interrupt unsafe locking scenario:
+
+[ 2516.331075] CPU0 CPU1
+[ 2516.331328] ---- ----
+[ 2516.331580] lock(&newf->file_lock);
+[ 2516.331790] local_irq_disable();
+[ 2516.332231] lock(&sighand->siglock);
+[ 2516.332579] lock(&newf->file_lock);
+[ 2516.332922] <Interrupt>
+[ 2516.333069] lock(&sighand->siglock);
+[ 2516.333291]
+ *** DEADLOCK ***
+[ 2516.389845]
+ stack backtrace:
+[ 2516.390101] CPU: 3 PID: 153663 Comm: stress-ng Kdump: loaded Not tainted 5.14.0-51.el9.aarch64+debug #1
+[ 2516.390756] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+[ 2516.391155] Call trace:
+[ 2516.391302] dump_backtrace+0x0/0x3e0
+[ 2516.391518] show_stack+0x24/0x30
+[ 2516.391717] dump_stack_lvl+0x9c/0xd8
+[ 2516.391938] dump_stack+0x1c/0x38
+[ 2516.392247] print_bad_irq_dependency+0x620/0x710
+[ 2516.392525] check_irq_usage+0x4fc/0x86c
+[ 2516.392756] check_prev_add+0x180/0x1d90
+[ 2516.392988] validate_chain+0x8e0/0xee0
+[ 2516.393215] __lock_acquire+0x97c/0x1e40
+[ 2516.393449] lock_acquire.part.0+0x240/0x570
+[ 2516.393814] lock_acquire+0x90/0xb4
+[ 2516.394021] _raw_spin_lock+0xe8/0x154
+[ 2516.394244] fd_install+0x368/0x4f0
+[ 2516.394451] copy_process+0x1f5c/0x3e80
+[ 2516.394678] kernel_clone+0x134/0x660
+[ 2516.394895] __do_sys_clone3+0x130/0x1f4
+[ 2516.395128] __arm64_sys_clone3+0x5c/0x7c
+[ 2516.395478] invoke_syscall.constprop.0+0x78/0x1f0
+[ 2516.395762] el0_svc_common.constprop.0+0x22c/0x2c4
+[ 2516.396050] do_el0_svc+0xb0/0x10c
+[ 2516.396252] el0_svc+0x24/0x34
+[ 2516.396436] el0t_64_sync_handler+0xa4/0x12c
+[ 2516.396688] el0t_64_sync+0x198/0x19c
+[ 2517.491197] NET: Registered PF_ATMPVC protocol family
+[ 2517.491524] NET: Registered PF_ATMSVC protocol family
+[ 2591.991877] sched: RT throttling activated
+
+One way to solve this problem is to move the fd_install() call out of
+the sighand->siglock critical section.
+
+Before commit 6fd2fe494b17 ("copy_process(): don't use ksys_close()
+on cleanups"), the pidfd installation was done without holding both
+the task_list lock and the sighand->siglock. Obviously, holding these
+two locks are not really needed to protect the fd_install() call.
+So move the fd_install() call down to after the releases of both locks.
+
+Link: https://lore.kernel.org/r/20220208163912.1084752-1-longman@redhat.com
+Fixes: 6fd2fe494b17 ("copy_process(): don't use ksys_close() on cleanups")
+Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/fork.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -2353,10 +2353,6 @@ static __latent_entropy struct task_stru
+ goto bad_fork_cancel_cgroup;
+ }
+
+- /* past the last point of failure */
+- if (pidfile)
+- fd_install(pidfd, pidfile);
+-
+ init_task_pid_links(p);
+ if (likely(p->pid)) {
+ ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
+@@ -2405,6 +2401,9 @@ static __latent_entropy struct task_stru
+ syscall_tracepoint_update(p);
+ write_unlock_irq(&tasklist_lock);
+
++ if (pidfile)
++ fd_install(pidfd, pidfile);
++
+ proc_fork_connector(p);
+ sched_post_fork(p, args);
+ cgroup_post_fork(p, args);
--- /dev/null
+From 3c62fd3406e0b2277c76a6984d3979c7f3f1d129 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sat, 5 Feb 2022 07:58:44 +0100
+Subject: dmaengine: ptdma: Fix the error handling path in pt_core_init()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 3c62fd3406e0b2277c76a6984d3979c7f3f1d129 upstream.
+
+In order to free resources correctly in the error handling path of
+pt_core_init(), 2 goto's have to be switched. Otherwise, some resources
+will leak and we will try to release things that have not been allocated
+yet.
+
+Also move a dev_err() to a place where it is more meaningful.
+
+Fixes: fa5d823b16a9 ("dmaengine: ptdma: Initial driver for the AMD PTDMA")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Sanjay R Mehta <sanju.mehta@amd.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/41a963a35173f89c874f5c44df5530dc09fea8da.1644044244.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/ptdma/ptdma-dev.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/drivers/dma/ptdma/ptdma-dev.c
++++ b/drivers/dma/ptdma/ptdma-dev.c
+@@ -207,7 +207,7 @@ int pt_core_init(struct pt_device *pt)
+ if (!cmd_q->qbase) {
+ dev_err(dev, "unable to allocate command queue\n");
+ ret = -ENOMEM;
+- goto e_dma_alloc;
++ goto e_destroy_pool;
+ }
+
+ cmd_q->qidx = 0;
+@@ -229,8 +229,10 @@ int pt_core_init(struct pt_device *pt)
+
+ /* Request an irq */
+ ret = request_irq(pt->pt_irq, pt_core_irq_handler, 0, dev_name(pt->dev), pt);
+- if (ret)
+- goto e_pool;
++ if (ret) {
++ dev_err(dev, "unable to allocate an IRQ\n");
++ goto e_free_dma;
++ }
+
+ /* Update the device registers with queue information. */
+ cmd_q->qcontrol &= ~CMD_Q_SIZE;
+@@ -250,21 +252,20 @@ int pt_core_init(struct pt_device *pt)
+ /* Register the DMA engine support */
+ ret = pt_dmaengine_register(pt);
+ if (ret)
+- goto e_dmaengine;
++ goto e_free_irq;
+
+ /* Set up debugfs entries */
+ ptdma_debugfs_setup(pt);
+
+ return 0;
+
+-e_dmaengine:
++e_free_irq:
+ free_irq(pt->pt_irq, pt);
+
+-e_dma_alloc:
++e_free_dma:
+ dma_free_coherent(dev, cmd_q->qsize, cmd_q->qbase, cmd_q->qbase_dma);
+
+-e_pool:
+- dev_err(dev, "unable to allocate an IRQ\n");
++e_destroy_pool:
+ dma_pool_destroy(pt->cmd_q.dma_pool);
+
+ return ret;
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
- drivers/dma/sh/rcar-dmac.c | 5 ++++-
+ drivers/dma/sh/rcar-dmac.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
-diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c
-index 4a34ddd9c1c6..13d12d660cc2 100644
--- a/drivers/dma/sh/rcar-dmac.c
+++ b/drivers/dma/sh/rcar-dmac.c
-@@ -1868,7 +1868,10 @@ static int rcar_dmac_probe(struct platform_device *pdev)
+@@ -1868,7 +1868,10 @@ static int rcar_dmac_probe(struct platfo
dmac->dev = &pdev->dev;
platform_set_drvdata(pdev, dmac);
ret = dma_set_mask_and_coherent(dmac->dev, DMA_BIT_MASK(40));
if (ret)
return ret;
---
-2.35.1
-
--- /dev/null
+From 834cea3a252ed4847db076a769ad9efe06afe2d5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Tue, 15 Feb 2022 08:27:35 +0100
+Subject: i2c: brcmstb: fix support for DSL and CM variants
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+commit 834cea3a252ed4847db076a769ad9efe06afe2d5 upstream.
+
+DSL and CM (Cable Modem) support 8 B max transfer size and have a custom
+DT binding for that reason. This driver was checking for a wrong
+"compatible" however which resulted in an incorrect setup.
+
+Fixes: e2e5a2c61837 ("i2c: brcmstb: Adding support for CM and DSL SoCs")
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-brcmstb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-brcmstb.c
++++ b/drivers/i2c/busses/i2c-brcmstb.c
+@@ -673,7 +673,7 @@ static int brcmstb_i2c_probe(struct plat
+
+ /* set the data in/out register size for compatible SoCs */
+ if (of_device_is_compatible(dev->device->of_node,
+- "brcmstb,brcmper-i2c"))
++ "brcm,brcmper-i2c"))
+ dev->data_regsz = sizeof(u8);
+ else
+ dev->data_regsz = sizeof(u32);
--- /dev/null
+From a0d48505a1d68e27220369e2dd1e3573a2f362d2 Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Date: Thu, 3 Feb 2022 18:47:00 +0200
+Subject: i2c: qcom-cci: don't delete an unregistered adapter
+
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+
+commit a0d48505a1d68e27220369e2dd1e3573a2f362d2 upstream.
+
+If i2c_add_adapter() fails to add an I2C adapter found on QCOM CCI
+controller, on error path i2c_del_adapter() is still called.
+
+Fortunately there is a sanity check in the I2C core, so the only
+visible implication is a printed debug level message:
+
+ i2c-core: attempting to delete unregistered adapter [Qualcomm-CCI]
+
+Nevertheless it would be reasonable to correct the probe error path.
+
+Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
+Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-qcom-cci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-qcom-cci.c
++++ b/drivers/i2c/busses/i2c-qcom-cci.c
+@@ -655,7 +655,7 @@ static int cci_probe(struct platform_dev
+ return 0;
+
+ error_i2c:
+- for (; i >= 0; i--) {
++ for (--i ; i >= 0; i--) {
+ if (cci->master[i].cci)
+ i2c_del_adapter(&cci->master[i].adap);
+ }
--- /dev/null
+From 02a4a69667a2ad32f3b52ca906f19628fbdd8a01 Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Date: Thu, 3 Feb 2022 18:47:03 +0200
+Subject: i2c: qcom-cci: don't put a device tree node before i2c_add_adapter()
+
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+
+commit 02a4a69667a2ad32f3b52ca906f19628fbdd8a01 upstream.
+
+There is a minor chance for a race, if a pointer to an i2c-bus subnode
+is stored and then reused after releasing its reference, and it would
+be sufficient to get one more reference under a loop over children
+subnodes.
+
+Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
+Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-qcom-cci.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-qcom-cci.c
++++ b/drivers/i2c/busses/i2c-qcom-cci.c
+@@ -558,7 +558,7 @@ static int cci_probe(struct platform_dev
+ cci->master[idx].adap.quirks = &cci->data->quirks;
+ cci->master[idx].adap.algo = &cci_algo;
+ cci->master[idx].adap.dev.parent = dev;
+- cci->master[idx].adap.dev.of_node = child;
++ cci->master[idx].adap.dev.of_node = of_node_get(child);
+ cci->master[idx].master = idx;
+ cci->master[idx].cci = cci;
+
+@@ -643,8 +643,10 @@ static int cci_probe(struct platform_dev
+ continue;
+
+ ret = i2c_add_adapter(&cci->master[i].adap);
+- if (ret < 0)
++ if (ret < 0) {
++ of_node_put(cci->master[i].adap.dev.of_node);
+ goto error_i2c;
++ }
+ }
+
+ pm_runtime_set_autosuspend_delay(dev, MSEC_PER_SEC);
+@@ -656,8 +658,10 @@ static int cci_probe(struct platform_dev
+
+ error_i2c:
+ for (--i ; i >= 0; i--) {
+- if (cci->master[i].cci)
++ if (cci->master[i].cci) {
+ i2c_del_adapter(&cci->master[i].adap);
++ of_node_put(cci->master[i].adap.dev.of_node);
++ }
+ }
+ error:
+ disable_irq(cci->irq);
+@@ -673,8 +677,10 @@ static int cci_remove(struct platform_de
+ int i;
+
+ for (i = 0; i < cci->data->num_masters; i++) {
+- if (cci->master[i].cci)
++ if (cci->master[i].cci) {
+ i2c_del_adapter(&cci->master[i].adap);
++ of_node_put(cci->master[i].adap.dev.of_node);
++ }
+ cci_halt(cci, i);
+ }
+
--- /dev/null
+From 86006f996346e8a5a1ea80637ec949ceeea4ecbc Mon Sep 17 00:00:00 2001
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Date: Fri, 11 Feb 2022 09:14:18 -0800
+Subject: ice: enable parsing IPSEC SPI headers for RSS
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+commit 86006f996346e8a5a1ea80637ec949ceeea4ecbc upstream.
+
+The COMMS package can enable the hardware parser to recognize IPSEC
+frames with ESP header and SPI identifier. If this package is available
+and configured for loading in /lib/firmware, then the driver will
+succeed in enabling this protocol type for RSS.
+
+This in turn allows the hardware to hash over the SPI and use it to pick
+a consistent receive queue for the same secure flow. Without this all
+traffic is steered to the same queue for multiple traffic threads from
+the same IP address. For that reason this is marked as a fix, as the
+driver supports the model, but it wasn't enabled.
+
+If the package is not available, adding this type will fail, but the
+failure is ignored on purpose as it has no negative affect.
+
+Fixes: c90ed40cefe1 ("ice: Enable writing hardware filtering tables")
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -1521,6 +1521,12 @@ static void ice_vsi_set_rss_flow_fld(str
+ if (status)
+ dev_dbg(dev, "ice_add_rss_cfg failed for sctp6 flow, vsi = %d, error = %s\n",
+ vsi_num, ice_stat_str(status));
++
++ status = ice_add_rss_cfg(hw, vsi_handle, ICE_FLOW_HASH_ESP_SPI,
++ ICE_FLOW_SEG_HDR_ESP);
++ if (status)
++ dev_dbg(dev, "ice_add_rss_cfg failed for esp/spi flow, vsi = %d, error = %d\n",
++ vsi_num, status);
+ }
+
+ /**
--- /dev/null
+From 28df029d53a2fd80c1b8674d47895648ad26dcfb Mon Sep 17 00:00:00 2001
+From: Cheng Jui Wang <cheng-jui.wang@mediatek.com>
+Date: Thu, 10 Feb 2022 18:50:11 +0800
+Subject: lockdep: Correct lock_classes index mapping
+
+From: Cheng Jui Wang <cheng-jui.wang@mediatek.com>
+
+commit 28df029d53a2fd80c1b8674d47895648ad26dcfb upstream.
+
+A kernel exception was hit when trying to dump /proc/lockdep_chains after
+lockdep report "BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low!":
+
+Unable to handle kernel paging request at virtual address 00054005450e05c3
+...
+00054005450e05c3] address between user and kernel address ranges
+...
+pc : [0xffffffece769b3a8] string+0x50/0x10c
+lr : [0xffffffece769ac88] vsnprintf+0x468/0x69c
+...
+ Call trace:
+ string+0x50/0x10c
+ vsnprintf+0x468/0x69c
+ seq_printf+0x8c/0xd8
+ print_name+0x64/0xf4
+ lc_show+0xb8/0x128
+ seq_read_iter+0x3cc/0x5fc
+ proc_reg_read_iter+0xdc/0x1d4
+
+The cause of the problem is the function lock_chain_get_class() will
+shift lock_classes index by 1, but the index don't need to be shifted
+anymore since commit 01bb6f0af992 ("locking/lockdep: Change the range
+of class_idx in held_lock struct") already change the index to start
+from 0.
+
+The lock_classes[-1] located at chain_hlocks array. When printing
+lock_classes[-1] after the chain_hlocks entries are modified, the
+exception happened.
+
+The output of lockdep_chains are incorrect due to this problem too.
+
+Fixes: f611e8cf98ec ("lockdep: Take read/write status in consideration when generate chainkey")
+Signed-off-by: Cheng Jui Wang <cheng-jui.wang@mediatek.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
+Link: https://lore.kernel.org/r/20220210105011.21712-1-cheng-jui.wang@mediatek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/locking/lockdep.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -3450,7 +3450,7 @@ struct lock_class *lock_chain_get_class(
+ u16 chain_hlock = chain_hlocks[chain->base + i];
+ unsigned int class_idx = chain_hlock_class_idx(chain_hlock);
+
+- return lock_classes + class_idx - 1;
++ return lock_classes + class_idx;
+ }
+
+ /*
+@@ -3518,7 +3518,7 @@ static void print_chain_keys_chain(struc
+ hlock_id = chain_hlocks[chain->base + i];
+ chain_key = print_chain_key_iteration(hlock_id, chain_key);
+
+- print_lock_name(lock_classes + chain_hlock_class_idx(hlock_id) - 1);
++ print_lock_name(lock_classes + chain_hlock_class_idx(hlock_id));
+ printk("\n");
+ }
+ }
--- /dev/null
+From f10f582d28220f50099d3f561116256267821429 Mon Sep 17 00:00:00 2001
+From: Mike Christie <michael.christie@oracle.com>
+Date: Tue, 8 Feb 2022 12:54:48 -0600
+Subject: scsi: qedi: Fix ABBA deadlock in qedi_process_tmf_resp() and qedi_process_cmd_cleanup_resp()
+
+From: Mike Christie <michael.christie@oracle.com>
+
+commit f10f582d28220f50099d3f561116256267821429 upstream.
+
+This fixes a deadlock added with commit b40f3894e39e ("scsi: qedi: Complete
+TMF works before disconnect")
+
+Bug description from Jia-Ju Bai:
+
+qedi_process_tmf_resp()
+ spin_lock(&session->back_lock); --> Line 201 (Lock A)
+ spin_lock(&qedi_conn->tmf_work_lock); --> Line 230 (Lock B)
+
+qedi_process_cmd_cleanup_resp()
+ spin_lock_bh(&qedi_conn->tmf_work_lock); --> Line 752 (Lock B)
+ spin_lock_bh(&conn->session->back_lock); --> Line 784 (Lock A)
+
+When qedi_process_tmf_resp() and qedi_process_cmd_cleanup_resp() are
+concurrently executed, the deadlock can occur.
+
+This patch fixes the deadlock by not holding the tmf_work_lock in
+qedi_process_cmd_cleanup_resp while holding the back_lock. The
+tmf_work_lock is only needed while we remove the tmf_work from the
+work_list.
+
+Link: https://lore.kernel.org/r/20220208185448.6206-1-michael.christie@oracle.com
+Fixes: b40f3894e39e ("scsi: qedi: Complete TMF works before disconnect")
+Cc: Manish Rangankar <mrangankar@marvell.com>
+Cc: Nilesh Javali <njavali@marvell.com>
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qedi/qedi_fw.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qedi/qedi_fw.c
++++ b/drivers/scsi/qedi/qedi_fw.c
+@@ -772,11 +772,10 @@ static void qedi_process_cmd_cleanup_res
+ qedi_cmd->list_tmf_work = NULL;
+ }
+ }
++ spin_unlock_bh(&qedi_conn->tmf_work_lock);
+
+- if (!found) {
+- spin_unlock_bh(&qedi_conn->tmf_work_lock);
++ if (!found)
+ goto check_cleanup_reqs;
+- }
+
+ QEDI_INFO(&qedi->dbg_ctx, QEDI_LOG_SCSI_TM,
+ "TMF work, cqe->tid=0x%x, tmf flags=0x%x, cid=0x%x\n",
+@@ -807,7 +806,6 @@ static void qedi_process_cmd_cleanup_res
+ qedi_cmd->state = CLEANUP_RECV;
+ unlock:
+ spin_unlock_bh(&conn->session->back_lock);
+- spin_unlock_bh(&qedi_conn->tmf_work_lock);
+ wake_up_interruptible(&qedi_conn->wait_queue);
+ return;
+
dmaengine-sh-rcar-dmac-check-for-error-num-after-setting-mask.patch
dmaengine-stm32-dmamux-fix-pm-disable-depth-imbalance-in-stm32_dmamux_probe.patch
dmaengine-sh-rcar-dmac-check-for-error-num-after-dma_set_max_seg_size.patch
+tests-fix-idmapped-mount_setattr-test.patch
+i2c-qcom-cci-don-t-delete-an-unregistered-adapter.patch
+i2c-qcom-cci-don-t-put-a-device-tree-node-before-i2c_add_adapter.patch
+dmaengine-ptdma-fix-the-error-handling-path-in-pt_core_init.patch
+copy_process-move-fd_install-out-of-sighand-siglock-critical-section.patch
+scsi-qedi-fix-abba-deadlock-in-qedi_process_tmf_resp-and-qedi_process_cmd_cleanup_resp.patch
+ice-enable-parsing-ipsec-spi-headers-for-rss.patch
+i2c-brcmstb-fix-support-for-dsl-and-cm-variants.patch
+lockdep-correct-lock_classes-index-mapping.patch
--- /dev/null
+From d1c56bfdaca465bd1d0e913053a9c5cafe8b6a6c Mon Sep 17 00:00:00 2001
+From: Christian Brauner <brauner@kernel.org>
+Date: Thu, 3 Feb 2022 14:14:05 +0100
+Subject: tests: fix idmapped mount_setattr test
+
+From: Christian Brauner <brauner@kernel.org>
+
+commit d1c56bfdaca465bd1d0e913053a9c5cafe8b6a6c upstream.
+
+The test treated zero as a successful run when it really should treat
+non-zero as a successful run. A mount's idmapping can't change once it
+has been attached to the filesystem.
+
+Link: https://lore.kernel.org/r/20220203131411.3093040-2-brauner@kernel.org
+Fixes: 01eadc8dd96d ("tests: add mount_setattr() selftests")
+Cc: Seth Forshee <seth.forshee@digitalocean.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: linux-fsdevel@vger.kernel.org
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/mount_setattr/mount_setattr_test.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/mount_setattr/mount_setattr_test.c
++++ b/tools/testing/selftests/mount_setattr/mount_setattr_test.c
+@@ -1236,7 +1236,7 @@ static int get_userns_fd(unsigned long n
+ }
+
+ /**
+- * Validate that an attached mount in our mount namespace can be idmapped.
++ * Validate that an attached mount in our mount namespace cannot be idmapped.
+ * (The kernel enforces that the mount's mount namespace and the caller's mount
+ * namespace match.)
+ */
+@@ -1259,7 +1259,7 @@ TEST_F(mount_setattr_idmapped, attached_
+
+ attr.userns_fd = get_userns_fd(0, 10000, 10000);
+ ASSERT_GE(attr.userns_fd, 0);
+- ASSERT_EQ(sys_mount_setattr(open_tree_fd, "", AT_EMPTY_PATH, &attr, sizeof(attr)), 0);
++ ASSERT_NE(sys_mount_setattr(open_tree_fd, "", AT_EMPTY_PATH, &attr, sizeof(attr)), 0);
+ ASSERT_EQ(close(attr.userns_fd), 0);
+ ASSERT_EQ(close(open_tree_fd), 0);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
