--- /dev/null
+From f43e5210c739fe76a4b0ed851559d6902f20ceb1 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 23 Sep 2019 13:51:16 +0200
+Subject: cfg80211: initialize on-stack chandefs
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit f43e5210c739fe76a4b0ed851559d6902f20ceb1 upstream.
+
+In a few places we don't properly initialize on-stack chandefs,
+resulting in EDMG data to be non-zero, which broke things.
+
+Additionally, in a few places we rely on the driver to init the
+data completely, but perhaps we shouldn't as non-EDMG drivers
+may not initialize the EDMG data, also initialize it there.
+
+Cc: stable@vger.kernel.org
+Fixes: 2a38075cd0be ("nl80211: Add support for EDMG channels")
+Reported-by: Dmitry Osipenko <digetx@gmail.com>
+Tested-by: Dmitry Osipenko <digetx@gmail.com>
+Link: https://lore.kernel.org/r/1569239475-I2dcce394ecf873376c386a78f31c2ec8b538fa25@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 4 +++-
+ net/wireless/reg.c | 2 +-
+ net/wireless/wext-compat.c | 2 +-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -2111,6 +2111,8 @@ static int nl80211_parse_chandef(struct
+
+ control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
+
++ memset(chandef, 0, sizeof(*chandef));
++
+ chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
+ chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
+ chandef->center_freq1 = control_freq;
+@@ -2580,7 +2582,7 @@ static int nl80211_send_iface(struct sk_
+
+ if (rdev->ops->get_channel) {
+ int ret;
+- struct cfg80211_chan_def chandef;
++ struct cfg80211_chan_def chandef = {};
+
+ ret = rdev_get_channel(rdev, wdev, &chandef);
+ if (ret == 0) {
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -1567,7 +1567,7 @@ static void reg_call_notifier(struct wip
+
+ static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev)
+ {
+- struct cfg80211_chan_def chandef;
++ struct cfg80211_chan_def chandef = {};
+ struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
+ enum nl80211_iftype iftype;
+
+--- a/net/wireless/wext-compat.c
++++ b/net/wireless/wext-compat.c
+@@ -800,7 +800,7 @@ static int cfg80211_wext_giwfreq(struct
+ {
+ struct wireless_dev *wdev = dev->ieee80211_ptr;
+ struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
+- struct cfg80211_chan_def chandef;
++ struct cfg80211_chan_def chandef = {};
+ int ret;
+
+ switch (wdev->iftype) {
--- /dev/null
+From e2c4ed148cf3ec8669a1d90dc66966028e5fad70 Mon Sep 17 00:00:00 2001
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Date: Wed, 2 Oct 2019 15:25:42 +0300
+Subject: drm/omap: fix max fclk divider for omap36xx
+
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+
+commit e2c4ed148cf3ec8669a1d90dc66966028e5fad70 upstream.
+
+The OMAP36xx and AM/DM37x TRMs say that the maximum divider for DSS fclk
+(in CM_CLKSEL_DSS) is 32. Experimentation shows that this is not
+correct, and using divider of 32 breaks DSS with a flood or underflows
+and sync losts. Dividers up to 31 seem to work fine.
+
+There is another patch to the DT files to limit the divider correctly,
+but as the DSS driver also needs to know the maximum divider to be able
+to iteratively find good rates, we also need to do the fix in the DSS
+driver.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Cc: Adam Ford <aford173@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://patchwork.freedesktop.org/patch/msgid/20191002122542.8449-1-tomi.valkeinen@ti.com
+Tested-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Jyri Sarha <jsarha@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/omapdrm/dss/dss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/omapdrm/dss/dss.c
++++ b/drivers/gpu/drm/omapdrm/dss/dss.c
+@@ -1100,7 +1100,7 @@ static const struct dss_features omap34x
+
+ static const struct dss_features omap3630_dss_feats = {
+ .model = DSS_MODEL_OMAP3,
+- .fck_div_max = 32,
++ .fck_div_max = 31,
+ .fck_freq_max = 173000000,
+ .dss_fck_multiplier = 1,
+ .parent_clk_name = "dpll4_ck",
--- /dev/null
+From 7fd25e6fc035f4b04b75bca6d7e8daa069603a76 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 19 Sep 2019 14:12:34 +0200
+Subject: ieee802154: atusb: fix use-after-free at disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7fd25e6fc035f4b04b75bca6d7e8daa069603a76 upstream.
+
+The disconnect callback was accessing the hardware-descriptor private
+data after having having freed it.
+
+Fixes: 7490b008d123 ("ieee802154: add support for atusb transceiver")
+Cc: stable <stable@vger.kernel.org> # 4.2
+Cc: Alexander Aring <alex.aring@gmail.com>
+Reported-by: syzbot+f4509a9138a1472e7e80@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ieee802154/atusb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ieee802154/atusb.c
++++ b/drivers/net/ieee802154/atusb.c
+@@ -907,10 +907,11 @@ static void atusb_disconnect(struct usb_
+
+ ieee802154_unregister_hw(atusb->hw);
+
++ usb_put_dev(atusb->usb_dev);
++
+ ieee802154_free_hw(atusb->hw);
+
+ usb_set_intfdata(interface, NULL);
+- usb_put_dev(atusb->usb_dev);
+
+ pr_debug("atusb_disconnect done\n");
+ }
--- /dev/null
+From d1c536e3177390da43d99f20143b810c35433d1f Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Sun, 22 Sep 2019 11:26:53 +0100
+Subject: mmc: sdhci: improve ADMA error reporting
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+commit d1c536e3177390da43d99f20143b810c35433d1f upstream.
+
+ADMA errors are potentially data corrupting events; although we print
+the register state, we do not usefully print the ADMA descriptors.
+Worse than that, we print them by referencing their virtual address
+which is meaningless when the register state gives us the DMA address
+of the failing descriptor.
+
+Print the ADMA descriptors giving their DMA addresses rather than their
+virtual addresses, and print them using SDHCI_DUMP() rather than DBG().
+
+We also do not show the correct value of the interrupt status register;
+the register dump shows the current value, after we have cleared the
+pending interrupts we are going to service. What is more useful is to
+print the interrupts that _were_ pending at the time the ADMA error was
+encountered. Fix that too.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -2638,6 +2638,7 @@ static void sdhci_cmd_irq(struct sdhci_h
+ static void sdhci_adma_show_error(struct sdhci_host *host)
+ {
+ void *desc = host->adma_table;
++ dma_addr_t dma = host->adma_addr;
+
+ sdhci_dumpregs(host);
+
+@@ -2645,18 +2646,21 @@ static void sdhci_adma_show_error(struct
+ struct sdhci_adma2_64_desc *dma_desc = desc;
+
+ if (host->flags & SDHCI_USE_64_BIT_DMA)
+- DBG("%p: DMA 0x%08x%08x, LEN 0x%04x, Attr=0x%02x\n",
+- desc, le32_to_cpu(dma_desc->addr_hi),
++ SDHCI_DUMP("%08llx: DMA 0x%08x%08x, LEN 0x%04x, Attr=0x%02x\n",
++ (unsigned long long)dma,
++ le32_to_cpu(dma_desc->addr_hi),
+ le32_to_cpu(dma_desc->addr_lo),
+ le16_to_cpu(dma_desc->len),
+ le16_to_cpu(dma_desc->cmd));
+ else
+- DBG("%p: DMA 0x%08x, LEN 0x%04x, Attr=0x%02x\n",
+- desc, le32_to_cpu(dma_desc->addr_lo),
++ SDHCI_DUMP("%08llx: DMA 0x%08x, LEN 0x%04x, Attr=0x%02x\n",
++ (unsigned long long)dma,
++ le32_to_cpu(dma_desc->addr_lo),
+ le16_to_cpu(dma_desc->len),
+ le16_to_cpu(dma_desc->cmd));
+
+ desc += host->desc_sz;
++ dma += host->desc_sz;
+
+ if (dma_desc->cmd & cpu_to_le16(ADMA2_END))
+ break;
+@@ -2732,7 +2736,8 @@ static void sdhci_data_irq(struct sdhci_
+ != MMC_BUS_TEST_R)
+ host->data->error = -EILSEQ;
+ else if (intmask & SDHCI_INT_ADMA_ERROR) {
+- pr_err("%s: ADMA error\n", mmc_hostname(host->mmc));
++ pr_err("%s: ADMA error: 0x%08x\n", mmc_hostname(host->mmc),
++ intmask);
+ sdhci_adma_show_error(host);
+ host->data->error = -EIO;
+ if (host->ops->adma_workaround)
--- /dev/null
+From 121bd08b029e03404c451bb237729cdff76eafed Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Sun, 22 Sep 2019 11:26:58 +0100
+Subject: mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+commit 121bd08b029e03404c451bb237729cdff76eafed upstream.
+
+We must not unconditionally set the DMA snoop bit; if the DMA API is
+assuming that the device is not DMA coherent, and the device snoops the
+CPU caches, the device can see stale cache lines brought in by
+speculative prefetch.
+
+This leads to the device seeing stale data, potentially resulting in
+corrupted data transfers. Commonly, this results in a descriptor fetch
+error such as:
+
+mmc0: ADMA error
+mmc0: sdhci: ============ SDHCI REGISTER DUMP ===========
+mmc0: sdhci: Sys addr: 0x00000000 | Version: 0x00002202
+mmc0: sdhci: Blk size: 0x00000008 | Blk cnt: 0x00000001
+mmc0: sdhci: Argument: 0x00000000 | Trn mode: 0x00000013
+mmc0: sdhci: Present: 0x01f50008 | Host ctl: 0x00000038
+mmc0: sdhci: Power: 0x00000003 | Blk gap: 0x00000000
+mmc0: sdhci: Wake-up: 0x00000000 | Clock: 0x000040d8
+mmc0: sdhci: Timeout: 0x00000003 | Int stat: 0x00000001
+mmc0: sdhci: Int enab: 0x037f108f | Sig enab: 0x037f108b
+mmc0: sdhci: ACmd stat: 0x00000000 | Slot int: 0x00002202
+mmc0: sdhci: Caps: 0x35fa0000 | Caps_1: 0x0000af00
+mmc0: sdhci: Cmd: 0x0000333a | Max curr: 0x00000000
+mmc0: sdhci: Resp[0]: 0x00000920 | Resp[1]: 0x001d8a33
+mmc0: sdhci: Resp[2]: 0x325b5900 | Resp[3]: 0x3f400e00
+mmc0: sdhci: Host ctl2: 0x00000000
+mmc0: sdhci: ADMA Err: 0x00000009 | ADMA Ptr: 0x000000236d43820c
+mmc0: sdhci: ============================================
+mmc0: error -5 whilst initialising SD card
+
+but can lead to other errors, and potentially direct the SDHCI
+controller to read/write data to other memory locations (e.g. if a valid
+descriptor is visible to the device in a stale cache line.)
+
+Fix this by ensuring that the DMA snoop bit corresponds with the
+behaviour of the DMA API. Since the driver currently only supports DT,
+use of_dma_is_coherent(). Note that device_get_dma_attr() can not be
+used as that risks re-introducing this bug if/when the driver is
+converted to ACPI.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -435,7 +435,12 @@ static int esdhc_of_enable_dma(struct sd
+ dma_set_mask_and_coherent(dev, DMA_BIT_MASK(40));
+
+ value = sdhci_readl(host, ESDHC_DMA_SYSCTL);
+- value |= ESDHC_DMA_SNOOP;
++
++ if (of_dma_is_coherent(dev->of_node))
++ value |= ESDHC_DMA_SNOOP;
++ else
++ value &= ~ESDHC_DMA_SNOOP;
++
+ sdhci_writel(host, value, ESDHC_DMA_SYSCTL);
+ return 0;
+ }
--- /dev/null
+From 89340d0935c9296c7b8222b6eab30e67cb57ab82 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpengli@tencent.com>
+Date: Mon, 9 Sep 2019 09:40:28 +0800
+Subject: Revert "locking/pvqspinlock: Don't wait if vCPU is preempted"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpengli@tencent.com>
+
+commit 89340d0935c9296c7b8222b6eab30e67cb57ab82 upstream.
+
+This patch reverts commit 75437bb304b20 (locking/pvqspinlock: Don't
+wait if vCPU is preempted). A large performance regression was caused
+by this commit. on over-subscription scenarios.
+
+The test was run on a Xeon Skylake box, 2 sockets, 40 cores, 80 threads,
+with three VMs of 80 vCPUs each. The score of ebizzy -M is reduced from
+13000-14000 records/s to 1700-1800 records/s:
+
+ Host Guest score
+
+vanilla w/o kvm optimizations upstream 1700-1800 records/s
+vanilla w/o kvm optimizations revert 13000-14000 records/s
+vanilla w/ kvm optimizations upstream 4500-5000 records/s
+vanilla w/ kvm optimizations revert 14000-15500 records/s
+
+Exit from aggressive wait-early mechanism can result in premature yield
+and extra scheduling latency.
+
+Actually, only 6% of wait_early events are caused by vcpu_is_preempted()
+being true. However, when one vCPU voluntarily releases its vCPU, all
+the subsequently waiters in the queue will do the same and the cascading
+effect leads to bad performance.
+
+kvm optimizations:
+[1] commit d73eb57b80b (KVM: Boost vCPUs that are delivering interrupts)
+[2] commit 266e85a5ec9 (KVM: X86: Boost queue head vCPU to mitigate lock waiter preemption)
+
+Tested-by: loobinliu@tencent.com
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Waiman Long <longman@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: loobinliu@tencent.com
+Cc: stable@vger.kernel.org
+Fixes: 75437bb304b20 (locking/pvqspinlock: Don't wait if vCPU is preempted)
+Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/locking/qspinlock_paravirt.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/locking/qspinlock_paravirt.h
++++ b/kernel/locking/qspinlock_paravirt.h
+@@ -247,7 +247,7 @@ pv_wait_early(struct pv_node *prev, int
+ if ((loop & PV_PREV_CHECK_MASK) != 0)
+ return false;
+
+- return READ_ONCE(prev->state) != vcpu_running || vcpu_is_preempted(prev->cpu);
++ return READ_ONCE(prev->state) != vcpu_running;
+ }
+
+ /*
mips-treat-loongson-extensions-as-ases.patch
usercopy-avoid-highmem-pfn-warning.patch
timer-read-jiffies-once-when-forwarding-base-clk.patch
+watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch
+drm-omap-fix-max-fclk-divider-for-omap36xx.patch
+mmc-sdhci-improve-adma-error-reporting.patch
+mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch
+revert-locking-pvqspinlock-don-t-wait-if-vcpu-is-preempted.patch
+xen-xenbus-fix-self-deadlock-after-killing-user-process.patch
+ieee802154-atusb-fix-use-after-free-at-disconnect.patch
+cfg80211-initialize-on-stack-chandefs.patch
--- /dev/null
+From 144783a80cd2cbc45c6ce17db649140b65f203dd Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Mon, 12 Aug 2019 15:13:56 +0200
+Subject: watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+commit 144783a80cd2cbc45c6ce17db649140b65f203dd upstream.
+
+Converting from ms to s requires dividing by 1000, not multiplying. So
+this is currently taking the smaller of new_timeout and 1.28e8,
+i.e. effectively new_timeout.
+
+The driver knows what it set max_hw_heartbeat_ms to, so use that
+value instead of doing a division at run-time.
+
+FWIW, this can easily be tested by booting into a busybox shell and
+doing "watchdog -t 5 -T 130 /dev/watchdog" - without this patch, the
+watchdog fires after 130&127 == 2 seconds.
+
+Fixes: b07e228eee69 "watchdog: imx2_wdt: Fix set_timeout for big timeout values"
+Cc: stable@vger.kernel.org # 5.2 plus anything the above got backported to
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20190812131356.23039-1-linux@rasmusvillemoes.dk
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/watchdog/imx2_wdt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/watchdog/imx2_wdt.c
++++ b/drivers/watchdog/imx2_wdt.c
+@@ -58,7 +58,7 @@
+
+ #define IMX2_WDT_WMCR 0x08 /* Misc Register */
+
+-#define IMX2_WDT_MAX_TIME 128
++#define IMX2_WDT_MAX_TIME 128U
+ #define IMX2_WDT_DEFAULT_TIME 60 /* in seconds */
+
+ #define WDOG_SEC_TO_COUNT(s) ((s * 2 - 1) << 8)
+@@ -183,7 +183,7 @@ static int imx2_wdt_set_timeout(struct w
+ {
+ unsigned int actual;
+
+- actual = min(new_timeout, wdog->max_hw_heartbeat_ms * 1000);
++ actual = min(new_timeout, IMX2_WDT_MAX_TIME);
+ __imx2_wdt_set_timeout(wdog, actual);
+ wdog->timeout = new_timeout;
+ return 0;
--- /dev/null
+From a8fabb38525c51a094607768bac3ba46b3f4a9d5 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Tue, 1 Oct 2019 17:03:55 +0200
+Subject: xen/xenbus: fix self-deadlock after killing user process
+
+From: Juergen Gross <jgross@suse.com>
+
+commit a8fabb38525c51a094607768bac3ba46b3f4a9d5 upstream.
+
+In case a user process using xenbus has open transactions and is killed
+e.g. via ctrl-C the following cleanup of the allocated resources might
+result in a deadlock due to trying to end a transaction in the xenbus
+worker thread:
+
+[ 2551.474706] INFO: task xenbus:37 blocked for more than 120 seconds.
+[ 2551.492215] Tainted: P OE 5.0.0-29-generic #5
+[ 2551.510263] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[ 2551.528585] xenbus D 0 37 2 0x80000080
+[ 2551.528590] Call Trace:
+[ 2551.528603] __schedule+0x2c0/0x870
+[ 2551.528606] ? _cond_resched+0x19/0x40
+[ 2551.528632] schedule+0x2c/0x70
+[ 2551.528637] xs_talkv+0x1ec/0x2b0
+[ 2551.528642] ? wait_woken+0x80/0x80
+[ 2551.528645] xs_single+0x53/0x80
+[ 2551.528648] xenbus_transaction_end+0x3b/0x70
+[ 2551.528651] xenbus_file_free+0x5a/0x160
+[ 2551.528654] xenbus_dev_queue_reply+0xc4/0x220
+[ 2551.528657] xenbus_thread+0x7de/0x880
+[ 2551.528660] ? wait_woken+0x80/0x80
+[ 2551.528665] kthread+0x121/0x140
+[ 2551.528667] ? xb_read+0x1d0/0x1d0
+[ 2551.528670] ? kthread_park+0x90/0x90
+[ 2551.528673] ret_from_fork+0x35/0x40
+
+Fix this by doing the cleanup via a workqueue instead.
+
+Reported-by: James Dingwall <james@dingwall.me.uk>
+Fixes: fd8aa9095a95c ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
+Cc: <stable@vger.kernel.org> # 4.11
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xenbus/xenbus_dev_frontend.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
+@@ -55,6 +55,7 @@
+ #include <linux/string.h>
+ #include <linux/slab.h>
+ #include <linux/miscdevice.h>
++#include <linux/workqueue.h>
+
+ #include <xen/xenbus.h>
+ #include <xen/xen.h>
+@@ -113,6 +114,8 @@ struct xenbus_file_priv {
+ wait_queue_head_t read_waitq;
+
+ struct kref kref;
++
++ struct work_struct wq;
+ };
+
+ /* Read out any raw xenbus messages queued up. */
+@@ -297,14 +300,14 @@ static void watch_fired(struct xenbus_wa
+ mutex_unlock(&adap->dev_data->reply_mutex);
+ }
+
+-static void xenbus_file_free(struct kref *kref)
++static void xenbus_worker(struct work_struct *wq)
+ {
+ struct xenbus_file_priv *u;
+ struct xenbus_transaction_holder *trans, *tmp;
+ struct watch_adapter *watch, *tmp_watch;
+ struct read_buffer *rb, *tmp_rb;
+
+- u = container_of(kref, struct xenbus_file_priv, kref);
++ u = container_of(wq, struct xenbus_file_priv, wq);
+
+ /*
+ * No need for locking here because there are no other users,
+@@ -330,6 +333,18 @@ static void xenbus_file_free(struct kref
+ kfree(u);
+ }
+
++static void xenbus_file_free(struct kref *kref)
++{
++ struct xenbus_file_priv *u;
++
++ /*
++ * We might be called in xenbus_thread().
++ * Use workqueue to avoid deadlock.
++ */
++ u = container_of(kref, struct xenbus_file_priv, kref);
++ schedule_work(&u->wq);
++}
++
+ static struct xenbus_transaction_holder *xenbus_get_transaction(
+ struct xenbus_file_priv *u, uint32_t tx_id)
+ {
+@@ -626,6 +641,7 @@ static int xenbus_file_open(struct inode
+ INIT_LIST_HEAD(&u->watches);
+ INIT_LIST_HEAD(&u->read_buffers);
+ init_waitqueue_head(&u->read_waitq);
++ INIT_WORK(&u->wq, xenbus_worker);
+
+ mutex_init(&u->reply_mutex);
+ mutex_init(&u->msgbuffer_mutex);
projects / thirdparty / kernel / stable-queue.git / commitdiff
