--- /dev/null
+From d0f6ba2ef2c1c95069509e71402e7d6d43452512 Mon Sep 17 00:00:00 2001
+From: Vincent Duvert <vincent.ldev@duvert.net>
+Date: Sun, 2 Aug 2020 07:06:51 +0200
+Subject: appletalk: Fix atalk_proc_init() return path
+
+From: Vincent Duvert <vincent.ldev@duvert.net>
+
+commit d0f6ba2ef2c1c95069509e71402e7d6d43452512 upstream.
+
+Add a missing return statement to atalk_proc_init so it doesn't return
+-ENOMEM when successful. This allows the appletalk module to load
+properly.
+
+Fixes: e2bcd8b0ce6e ("appletalk: use remove_proc_subtree to simplify procfs code")
+Link: https://www.downtowndougbrown.com/2020/08/hacking-up-a-fix-for-the-broken-appletalk-kernel-module-in-linux-5-1-and-newer/
+Reported-by: Christopher KOBAYASHI <chris@disavowed.jp>
+Reported-by: Doug Brown <doug@downtowndougbrown.com>
+Signed-off-by: Vincent Duvert <vincent.ldev@duvert.net>
+[lukas: add missing tags]
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org # v5.1+
+Cc: Yue Haibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/appletalk/atalk_proc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/appletalk/atalk_proc.c
++++ b/net/appletalk/atalk_proc.c
+@@ -231,6 +231,8 @@ int __init atalk_proc_init(void)
+
+ return 0;
+
++ return 0;
++
+ out:
+ remove_proc_subtree("atalk", init_net.proc_net);
+ return -ENOMEM;
--- /dev/null
+From 5fe48867856367142d91a82f2cbf7a57a24cbb70 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Sat, 25 Jul 2020 20:00:16 +0800
+Subject: bcache: allocate meta data pages as compound pages
+
+From: Coly Li <colyli@suse.de>
+
+commit 5fe48867856367142d91a82f2cbf7a57a24cbb70 upstream.
+
+There are some meta data of bcache are allocated by multiple pages,
+and they are used as bio bv_page for I/Os to the cache device. for
+example cache_set->uuids, cache->disk_buckets, journal_write->data,
+bset_tree->data.
+
+For such meta data memory, all the allocated pages should be treated
+as a single memory block. Then the memory management and underlying I/O
+code can treat them more clearly.
+
+This patch adds __GFP_COMP flag to all the location allocating >0 order
+pages for the above mentioned meta data. Then their pages are treated
+as compound pages now.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/bset.c | 2 +-
+ drivers/md/bcache/btree.c | 2 +-
+ drivers/md/bcache/journal.c | 4 ++--
+ drivers/md/bcache/super.c | 2 +-
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/bcache/bset.c
++++ b/drivers/md/bcache/bset.c
+@@ -321,7 +321,7 @@ int bch_btree_keys_alloc(struct btree_ke
+
+ b->page_order = page_order;
+
+- t->data = (void *) __get_free_pages(gfp, b->page_order);
++ t->data = (void *) __get_free_pages(__GFP_COMP|gfp, b->page_order);
+ if (!t->data)
+ goto err;
+
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -840,7 +840,7 @@ int bch_btree_cache_alloc(struct cache_s
+ mutex_init(&c->verify_lock);
+
+ c->verify_ondisk = (void *)
+- __get_free_pages(GFP_KERNEL, ilog2(bucket_pages(c)));
++ __get_free_pages(GFP_KERNEL|__GFP_COMP, ilog2(bucket_pages(c)));
+
+ c->verify_data = mca_bucket_alloc(c, &ZERO_KEY, GFP_KERNEL);
+
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -1002,8 +1002,8 @@ int bch_journal_alloc(struct cache_set *
+ j->w[1].c = c;
+
+ if (!(init_fifo(&j->pin, JOURNAL_PIN, GFP_KERNEL)) ||
+- !(j->w[0].data = (void *) __get_free_pages(GFP_KERNEL, JSET_BITS)) ||
+- !(j->w[1].data = (void *) __get_free_pages(GFP_KERNEL, JSET_BITS)))
++ !(j->w[0].data = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP, JSET_BITS)) ||
++ !(j->w[1].data = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP, JSET_BITS)))
+ return -ENOMEM;
+
+ return 0;
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1754,7 +1754,7 @@ void bch_cache_set_unregister(struct cac
+ }
+
+ #define alloc_bucket_pages(gfp, c) \
+- ((void *) __get_free_pages(__GFP_ZERO|gfp, ilog2(bucket_pages(c))))
++ ((void *) __get_free_pages(__GFP_ZERO|__GFP_COMP|gfp, ilog2(bucket_pages(c))))
+
+ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)
+ {
--- /dev/null
+From 7a1481267999c02abf4a624515c1b5c7c1fccbd6 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Sat, 25 Jul 2020 20:00:22 +0800
+Subject: bcache: fix overflow in offset_to_stripe()
+
+From: Coly Li <colyli@suse.de>
+
+commit 7a1481267999c02abf4a624515c1b5c7c1fccbd6 upstream.
+
+offset_to_stripe() returns the stripe number (in type unsigned int) from
+an offset (in type uint64_t) by the following calculation,
+ do_div(offset, d->stripe_size);
+For large capacity backing device (e.g. 18TB) with small stripe size
+(e.g. 4KB), the result is 4831838208 and exceeds UINT_MAX. The actual
+returned value which caller receives is 536870912, due to the overflow.
+
+Indeed in bcache_device_init(), bcache_device->nr_stripes is limited in
+range [1, INT_MAX]. Therefore all valid stripe numbers in bcache are
+in range [0, bcache_dev->nr_stripes - 1].
+
+This patch adds a upper limition check in offset_to_stripe(): the max
+valid stripe number should be less than bcache_device->nr_stripes. If
+the calculated stripe number from do_div() is equal to or larger than
+bcache_device->nr_stripe, -EINVAL will be returned. (Normally nr_stripes
+is less than INT_MAX, exceeding upper limitation doesn't mean overflow,
+therefore -EOVERFLOW is not used as error code.)
+
+This patch also changes nr_stripes' type of struct bcache_device from
+'unsigned int' to 'int', and return value type of offset_to_stripe()
+from 'unsigned int' to 'int', to match their exact data ranges.
+
+All locations where bcache_device->nr_stripes and offset_to_stripe() are
+referenced also get updated for the above type change.
+
+Reported-and-tested-by: Ken Raeburn <raeburn@redhat.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1783075
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/bcache.h | 2 +-
+ drivers/md/bcache/writeback.c | 14 +++++++++-----
+ drivers/md/bcache/writeback.h | 19 +++++++++++++++++--
+ 3 files changed, 27 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/bcache/bcache.h
++++ b/drivers/md/bcache/bcache.h
+@@ -264,7 +264,7 @@ struct bcache_device {
+ #define BCACHE_DEV_UNLINK_DONE 2
+ #define BCACHE_DEV_WB_RUNNING 3
+ #define BCACHE_DEV_RATE_DW_RUNNING 4
+- unsigned int nr_stripes;
++ int nr_stripes;
+ unsigned int stripe_size;
+ atomic_t *stripe_sectors_dirty;
+ unsigned long *full_dirty_stripes;
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -519,15 +519,19 @@ void bcache_dev_sectors_dirty_add(struct
+ uint64_t offset, int nr_sectors)
+ {
+ struct bcache_device *d = c->devices[inode];
+- unsigned int stripe_offset, stripe, sectors_dirty;
++ unsigned int stripe_offset, sectors_dirty;
++ int stripe;
+
+ if (!d)
+ return;
+
++ stripe = offset_to_stripe(d, offset);
++ if (stripe < 0)
++ return;
++
+ if (UUID_FLASH_ONLY(&c->uuids[inode]))
+ atomic_long_add(nr_sectors, &c->flash_dev_dirty_sectors);
+
+- stripe = offset_to_stripe(d, offset);
+ stripe_offset = offset & (d->stripe_size - 1);
+
+ while (nr_sectors) {
+@@ -567,12 +571,12 @@ static bool dirty_pred(struct keybuf *bu
+ static void refill_full_stripes(struct cached_dev *dc)
+ {
+ struct keybuf *buf = &dc->writeback_keys;
+- unsigned int start_stripe, stripe, next_stripe;
++ unsigned int start_stripe, next_stripe;
++ int stripe;
+ bool wrapped = false;
+
+ stripe = offset_to_stripe(&dc->disk, KEY_OFFSET(&buf->last_scanned));
+-
+- if (stripe >= dc->disk.nr_stripes)
++ if (stripe < 0)
+ stripe = 0;
+
+ start_stripe = stripe;
+--- a/drivers/md/bcache/writeback.h
++++ b/drivers/md/bcache/writeback.h
+@@ -33,10 +33,22 @@ static inline uint64_t bcache_dev_sector
+ return ret;
+ }
+
+-static inline unsigned int offset_to_stripe(struct bcache_device *d,
++static inline int offset_to_stripe(struct bcache_device *d,
+ uint64_t offset)
+ {
+ do_div(offset, d->stripe_size);
++
++ /* d->nr_stripes is in range [1, INT_MAX] */
++ if (unlikely(offset >= d->nr_stripes)) {
++ pr_err("Invalid stripe %llu (>= nr_stripes %d).\n",
++ offset, d->nr_stripes);
++ return -EINVAL;
++ }
++
++ /*
++ * Here offset is definitly smaller than INT_MAX,
++ * return it as int will never overflow.
++ */
+ return offset;
+ }
+
+@@ -44,7 +56,10 @@ static inline bool bcache_dev_stripe_dir
+ uint64_t offset,
+ unsigned int nr_sectors)
+ {
+- unsigned int stripe = offset_to_stripe(&dc->disk, offset);
++ int stripe = offset_to_stripe(&dc->disk, offset);
++
++ if (stripe < 0)
++ return false;
+
+ while (1) {
+ if (atomic_read(dc->disk.stripe_sectors_dirty + stripe))
--- /dev/null
+From 02e37571f9e79022498fd0525c073b07e9d9ac69 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Tue, 4 Aug 2020 12:31:56 -0400
+Subject: ceph: handle zero-length feature mask in session messages
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit 02e37571f9e79022498fd0525c073b07e9d9ac69 upstream.
+
+Most session messages contain a feature mask, but the MDS will
+routinely send a REJECT message with one that is zero-length.
+
+Commit 0fa8263367db ("ceph: fix endianness bug when handling MDS
+session feature bits") fixed the decoding of the feature mask,
+but failed to account for the MDS sending a zero-length feature
+mask. This causes REJECT message decoding to fail.
+
+Skip trying to decode a feature mask if the word count is zero.
+
+Cc: stable@vger.kernel.org
+URL: https://tracker.ceph.com/issues/46823
+Fixes: 0fa8263367db ("ceph: fix endianness bug when handling MDS session feature bits")
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Tested-by: Patrick Donnelly <pdonnell@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/mds_client.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -3091,8 +3091,10 @@ static void handle_session(struct ceph_m
+ goto bad;
+ /* version >= 3, feature bits */
+ ceph_decode_32_safe(&p, end, len, bad);
+- ceph_decode_64_safe(&p, end, features, bad);
+- p += len - sizeof(features);
++ if (len) {
++ ceph_decode_64_safe(&p, end, features, bad);
++ p += len - sizeof(features);
++ }
+ }
+
+ mutex_lock(&mdsc->mutex);
--- /dev/null
+From b748fc7a8763a5b3f8149f12c45711cd73ef8176 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Tue, 28 Jul 2020 10:34:20 -0400
+Subject: ceph: set sec_context xattr on symlink creation
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit b748fc7a8763a5b3f8149f12c45711cd73ef8176 upstream.
+
+Symlink inodes should have the security context set in their xattrs on
+creation. We already set the context on creation, but we don't attach
+the pagelist. The effect is that symlink inodes don't get an SELinux
+context set on them at creation, so they end up unlabeled instead of
+inheriting the proper context. Make it do so.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/dir.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ceph/dir.c
++++ b/fs/ceph/dir.c
+@@ -920,6 +920,10 @@ static int ceph_symlink(struct inode *di
+ req->r_num_caps = 2;
+ req->r_dentry_drop = CEPH_CAP_FILE_SHARED | CEPH_CAP_AUTH_EXCL;
+ req->r_dentry_unless = CEPH_CAP_FILE_EXCL;
++ if (as_ctx.pagelist) {
++ req->r_pagelist = as_ctx.pagelist;
++ as_ctx.pagelist = NULL;
++ }
+ err = ceph_mdsc_do_request(mdsc, dir, req);
+ if (!err && !req->r_reply_info.head->is_dentry)
+ err = ceph_handle_notrace_create(dir, dentry);
--- /dev/null
+From 654888327e9f655a9d55ad477a9583e90e8c9b5c Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 8 Jul 2020 15:27:01 +0200
+Subject: driver core: Avoid binding drivers to dead devices
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 654888327e9f655a9d55ad477a9583e90e8c9b5c upstream.
+
+Commit 3451a495ef24 ("driver core: Establish order of operations for
+device_add and device_del via bitflag") sought to prevent asynchronous
+driver binding to a device which is being removed. It added a
+per-device "dead" flag which is checked in the following code paths:
+
+* asynchronous binding in __driver_attach_async_helper()
+* synchronous binding in device_driver_attach()
+* asynchronous binding in __device_attach_async_helper()
+
+It did *not* check the flag upon:
+
+* synchronous binding in __device_attach()
+
+However __device_attach() may also be called asynchronously from:
+
+deferred_probe_work_func()
+ bus_probe_device()
+ device_initial_probe()
+ __device_attach()
+
+So if the commit's intention was to check the "dead" flag in all
+asynchronous code paths, then a check is also necessary in
+__device_attach(). Add the missing check.
+
+Fixes: 3451a495ef24 ("driver core: Establish order of operations for device_add and device_del via bitflag")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org # v5.1+
+Cc: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Link: https://lore.kernel.org/r/de88a23a6fe0ef70f7cfd13c8aea9ab51b4edab6.1594214103.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/dd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -872,7 +872,9 @@ static int __device_attach(struct device
+ int ret = 0;
+
+ device_lock(dev);
+- if (dev->driver) {
++ if (dev->p->dead) {
++ goto out_unlock;
++ } else if (dev->driver) {
+ if (device_is_bound(dev)) {
+ ret = 1;
+ goto out_unlock;
--- /dev/null
+From bc2fbaa4d3808aef82dd1064a8e61c16549fe956 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 20 Apr 2020 16:02:21 -0400
+Subject: ext2: fix missing percpu_counter_inc
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit bc2fbaa4d3808aef82dd1064a8e61c16549fe956 upstream.
+
+sbi->s_freeinodes_counter is only decreased by the ext2 code, it is never
+increased. This patch fixes it.
+
+Note that sbi->s_freeinodes_counter is only used in the algorithm that
+tries to find the group for new allocations, so this bug is not easily
+visible (the only visibility is that the group finding algorithm selects
+inoptinal result).
+
+Link: https://lore.kernel.org/r/alpine.LRH.2.02.2004201538300.19436@file01.intranet.prod.int.rdu2.redhat.com
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext2/ialloc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ext2/ialloc.c
++++ b/fs/ext2/ialloc.c
+@@ -80,6 +80,7 @@ static void ext2_release_inode(struct su
+ if (dir)
+ le16_add_cpu(&desc->bg_used_dirs_count, -1);
+ spin_unlock(sb_bgl_lock(EXT2_SB(sb), group));
++ percpu_counter_inc(&EXT2_SB(sb)->s_freeinodes_counter);
+ if (dir)
+ percpu_counter_dec(&EXT2_SB(sb)->s_dirs_counter);
+ mark_buffer_dirty(bh);
+@@ -528,7 +529,7 @@ got:
+ goto fail;
+ }
+
+- percpu_counter_add(&sbi->s_freeinodes_counter, -1);
++ percpu_counter_dec(&sbi->s_freeinodes_counter);
+ if (S_ISDIR(mode))
+ percpu_counter_inc(&sbi->s_dirs_counter);
+
--- /dev/null
+From 8a224ffb3f52b0027f6b7279854c71a31c48fc97 Mon Sep 17 00:00:00 2001
+From: Chengming Zhou <zhouchengming@bytedance.com>
+Date: Wed, 29 Jul 2020 02:05:53 +0800
+Subject: ftrace: Setup correct FTRACE_FL_REGS flags for module
+
+From: Chengming Zhou <zhouchengming@bytedance.com>
+
+commit 8a224ffb3f52b0027f6b7279854c71a31c48fc97 upstream.
+
+When module loaded and enabled, we will use __ftrace_replace_code
+for module if any ftrace_ops referenced it found. But we will get
+wrong ftrace_addr for module rec in ftrace_get_addr_new, because
+rec->flags has not been setup correctly. It can cause the callback
+function of a ftrace_ops has FTRACE_OPS_FL_SAVE_REGS to be called
+with pt_regs set to NULL.
+So setup correct FTRACE_FL_REGS flags for rec when we call
+referenced_filters to find ftrace_ops references it.
+
+Link: https://lkml.kernel.org/r/20200728180554.65203-1-zhouchengming@bytedance.com
+
+Cc: stable@vger.kernel.org
+Fixes: 8c4f3c3fa9681 ("ftrace: Check module functions being traced on reload")
+Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com>
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -5699,8 +5699,11 @@ static int referenced_filters(struct dyn
+ int cnt = 0;
+
+ for (ops = ftrace_ops_list; ops != &ftrace_list_end; ops = ops->next) {
+- if (ops_references_rec(ops, rec))
+- cnt++;
++ if (ops_references_rec(ops, rec)) {
++ cnt++;
++ if (ops->flags & FTRACE_OPS_FL_SAVE_REGS)
++ rec->flags |= FTRACE_FL_REGS;
++ }
+ }
+
+ return cnt;
+@@ -5877,8 +5880,8 @@ void ftrace_module_enable(struct module
+ if (ftrace_start_up)
+ cnt += referenced_filters(rec);
+
+- /* This clears FTRACE_FL_DISABLED */
+- rec->flags = cnt;
++ rec->flags &= ~FTRACE_FL_DISABLED;
++ rec->flags += cnt;
+
+ if (ftrace_start_up && cnt) {
+ int failed = __ftrace_replace_code(rec, 1);
--- /dev/null
+From 723a80dafed5c95889d48baab9aa433a6ffa0b4e Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Thu, 6 Aug 2020 23:26:15 -0700
+Subject: khugepaged: collapse_pte_mapped_thp() flush the right range
+
+From: Hugh Dickins <hughd@google.com>
+
+commit 723a80dafed5c95889d48baab9aa433a6ffa0b4e upstream.
+
+pmdp_collapse_flush() should be given the start address at which the huge
+page is mapped, haddr: it was given addr, which at that point has been
+used as a local variable, incremented to the end address of the extent.
+
+Found by source inspection while chasing a hugepage locking bug, which I
+then could not explain by this. At first I thought this was very bad;
+then saw that all of the page translations that were not flushed would
+actually still point to the right pages afterwards, so harmless; then
+realized that I know nothing of how different architectures and models
+cache intermediate paging structures, so maybe it matters after all -
+particularly since the page table concerned is immediately freed.
+
+Much easier to fix than to think about.
+
+Fixes: 27e1f8273113 ("khugepaged: enable collapse pmd for pte-mapped THP")
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: <stable@vger.kernel.org> [5.4+]
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021204390.27773@eggly.anvils
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/khugepaged.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -1384,7 +1384,7 @@ void collapse_pte_mapped_thp(struct mm_s
+
+ /* step 4: collapse pmd */
+ ptl = pmd_lock(vma->vm_mm, pmd);
+- _pmd = pmdp_collapse_flush(vma, addr, pmd);
++ _pmd = pmdp_collapse_flush(vma, haddr, pmd);
+ spin_unlock(ptl);
+ mm_dec_nr_ptes(mm);
+ pte_free(mm, pmd_pgtable(_pmd));
--- /dev/null
+From 119a5fc16105b2b9383a6e2a7800b2ef861b2975 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Thu, 6 Aug 2020 23:26:18 -0700
+Subject: khugepaged: collapse_pte_mapped_thp() protect the pmd lock
+
+From: Hugh Dickins <hughd@google.com>
+
+commit 119a5fc16105b2b9383a6e2a7800b2ef861b2975 upstream.
+
+When retract_page_tables() removes a page table to make way for a huge
+pmd, it holds huge page lock, i_mmap_lock_write, mmap_write_trylock and
+pmd lock; but when collapse_pte_mapped_thp() does the same (to handle the
+case when the original mmap_write_trylock had failed), only
+mmap_write_trylock and pmd lock are held.
+
+That's not enough. One machine has twice crashed under load, with "BUG:
+spinlock bad magic" and GPF on 6b6b6b6b6b6b6b6b. Examining the second
+crash, page_vma_mapped_walk_done()'s spin_unlock of pvmw->ptl (serving
+page_referenced() on a file THP, that had found a page table at *pmd)
+discovers that the page table page and its lock have already been freed by
+the time it comes to unlock.
+
+Follow the example of retract_page_tables(), but we only need one of huge
+page lock or i_mmap_lock_write to secure against this: because it's the
+narrower lock, and because it simplifies collapse_pte_mapped_thp() to know
+the hpage earlier, choose to rely on huge page lock here.
+
+Fixes: 27e1f8273113 ("khugepaged: enable collapse pmd for pte-mapped THP")
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: <stable@vger.kernel.org> [5.4+]
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021213070.27773@eggly.anvils
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/khugepaged.c | 44 +++++++++++++++++++-------------------------
+ 1 file changed, 19 insertions(+), 25 deletions(-)
+
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -1294,7 +1294,7 @@ void collapse_pte_mapped_thp(struct mm_s
+ {
+ unsigned long haddr = addr & HPAGE_PMD_MASK;
+ struct vm_area_struct *vma = find_vma(mm, haddr);
+- struct page *hpage = NULL;
++ struct page *hpage;
+ pte_t *start_pte, *pte;
+ pmd_t *pmd, _pmd;
+ spinlock_t *ptl;
+@@ -1314,9 +1314,17 @@ void collapse_pte_mapped_thp(struct mm_s
+ if (!hugepage_vma_check(vma, vma->vm_flags | VM_HUGEPAGE))
+ return;
+
++ hpage = find_lock_page(vma->vm_file->f_mapping,
++ linear_page_index(vma, haddr));
++ if (!hpage)
++ return;
++
++ if (!PageHead(hpage))
++ goto drop_hpage;
++
+ pmd = mm_find_pmd(mm, haddr);
+ if (!pmd)
+- return;
++ goto drop_hpage;
+
+ start_pte = pte_offset_map_lock(mm, pmd, haddr, &ptl);
+
+@@ -1335,30 +1343,11 @@ void collapse_pte_mapped_thp(struct mm_s
+
+ page = vm_normal_page(vma, addr, *pte);
+
+- if (!page || !PageCompound(page))
+- goto abort;
+-
+- if (!hpage) {
+- hpage = compound_head(page);
+- /*
+- * The mapping of the THP should not change.
+- *
+- * Note that uprobe, debugger, or MAP_PRIVATE may
+- * change the page table, but the new page will
+- * not pass PageCompound() check.
+- */
+- if (WARN_ON(hpage->mapping != vma->vm_file->f_mapping))
+- goto abort;
+- }
+-
+ /*
+- * Confirm the page maps to the correct subpage.
+- *
+- * Note that uprobe, debugger, or MAP_PRIVATE may change
+- * the page table, but the new page will not pass
+- * PageCompound() check.
++ * Note that uprobe, debugger, or MAP_PRIVATE may change the
++ * page table, but the new page will not be a subpage of hpage.
+ */
+- if (WARN_ON(hpage + i != page))
++ if (hpage + i != page)
+ goto abort;
+ count++;
+ }
+@@ -1377,7 +1366,7 @@ void collapse_pte_mapped_thp(struct mm_s
+ pte_unmap_unlock(start_pte, ptl);
+
+ /* step 3: set proper refcount and mm_counters. */
+- if (hpage) {
++ if (count) {
+ page_ref_sub(hpage, count);
+ add_mm_counter(vma->vm_mm, mm_counter_file(hpage), -count);
+ }
+@@ -1388,10 +1377,15 @@ void collapse_pte_mapped_thp(struct mm_s
+ spin_unlock(ptl);
+ mm_dec_nr_ptes(mm);
+ pte_free(mm, pmd_pgtable(_pmd));
++
++drop_hpage:
++ unlock_page(hpage);
++ put_page(hpage);
+ return;
+
+ abort:
+ pte_unmap_unlock(start_pte, ptl);
++ goto drop_hpage;
+ }
+
+ static int khugepaged_collapse_pte_mapped_thps(struct mm_slot *mm_slot)
--- /dev/null
+From 0cb2f1372baa60af8456388a574af6133edd7d80 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Tue, 28 Jul 2020 14:45:36 +0800
+Subject: kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit 0cb2f1372baa60af8456388a574af6133edd7d80 upstream.
+
+We found a case of kernel panic on our server. The stack trace is as
+follows(omit some irrelevant information):
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000080
+ RIP: 0010:kprobe_ftrace_handler+0x5e/0xe0
+ RSP: 0018:ffffb512c6550998 EFLAGS: 00010282
+ RAX: 0000000000000000 RBX: ffff8e9d16eea018 RCX: 0000000000000000
+ RDX: ffffffffbe1179c0 RSI: ffffffffc0535564 RDI: ffffffffc0534ec0
+ RBP: ffffffffc0534ec1 R08: ffff8e9d1bbb0f00 R09: 0000000000000004
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+ R13: ffff8e9d1f797060 R14: 000000000000bacc R15: ffff8e9ce13eca00
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000080 CR3: 00000008453d0005 CR4: 00000000003606e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ <IRQ>
+ ftrace_ops_assist_func+0x56/0xe0
+ ftrace_call+0x5/0x34
+ tcpa_statistic_send+0x5/0x130 [ttcp_engine]
+
+The tcpa_statistic_send is the function being kprobed. After analysis,
+the root cause is that the fourth parameter regs of kprobe_ftrace_handler
+is NULL. Why regs is NULL? We use the crash tool to analyze the kdump.
+
+ crash> dis tcpa_statistic_send -r
+ <tcpa_statistic_send>: callq 0xffffffffbd8018c0 <ftrace_caller>
+
+The tcpa_statistic_send calls ftrace_caller instead of ftrace_regs_caller.
+So it is reasonable that the fourth parameter regs of kprobe_ftrace_handler
+is NULL. In theory, we should call the ftrace_regs_caller instead of the
+ftrace_caller. After in-depth analysis, we found a reproducible path.
+
+ Writing a simple kernel module which starts a periodic timer. The
+ timer's handler is named 'kprobe_test_timer_handler'. The module
+ name is kprobe_test.ko.
+
+ 1) insmod kprobe_test.ko
+ 2) bpftrace -e 'kretprobe:kprobe_test_timer_handler {}'
+ 3) echo 0 > /proc/sys/kernel/ftrace_enabled
+ 4) rmmod kprobe_test
+ 5) stop step 2) kprobe
+ 6) insmod kprobe_test.ko
+ 7) bpftrace -e 'kretprobe:kprobe_test_timer_handler {}'
+
+We mark the kprobe as GONE but not disarm the kprobe in the step 4).
+The step 5) also do not disarm the kprobe when unregister kprobe. So
+we do not remove the ip from the filter. In this case, when the module
+loads again in the step 6), we will replace the code to ftrace_caller
+via the ftrace_module_enable(). When we register kprobe again, we will
+not replace ftrace_caller to ftrace_regs_caller because the ftrace is
+disabled in the step 3). So the step 7) will trigger kernel panic. Fix
+this problem by disarming the kprobe when the module is going away.
+
+Link: https://lkml.kernel.org/r/20200728064536.24405-1-songmuchun@bytedance.com
+
+Cc: stable@vger.kernel.org
+Fixes: ae6aa16fdc16 ("kprobes: introduce ftrace based optimization")
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Co-developed-by: Chengming Zhou <zhouchengming@bytedance.com>
+Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/kprobes.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -2104,6 +2104,13 @@ static void kill_kprobe(struct kprobe *p
+ * the original probed function (which will be freed soon) any more.
+ */
+ arch_remove_kprobe(p);
++
++ /*
++ * The module is going away. We should disarm the kprobe which
++ * is using ftrace.
++ */
++ if (kprobe_ftrace(p))
++ disarm_kprobe_ftrace(p);
+ }
+
+ /* Disable one kprobe */
--- /dev/null
+From 5981fe5b0529ba25d95f37d7faa434183ad618c5 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 3 Aug 2020 11:02:10 +0200
+Subject: mac80211: fix misplaced while instead of if
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 5981fe5b0529ba25d95f37d7faa434183ad618c5 upstream.
+
+This never was intended to be a 'while' loop, it should've
+just been an 'if' instead of 'while'. Fix this.
+
+I noticed this while applying another patch from Ben that
+intended to fix a busy loop at this spot.
+
+Cc: stable@vger.kernel.org
+Fixes: b16798f5b907 ("mac80211: mark station unauthorized before key removal")
+Reported-by: Ben Greear <greearb@candelatech.com>
+Link: https://lore.kernel.org/r/20200803110209.253009ae41ff.I3522aad099392b31d5cf2dcca34cbac7e5832dde@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/sta_info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1033,7 +1033,7 @@ static void __sta_info_destroy_part2(str
+ might_sleep();
+ lockdep_assert_held(&local->sta_mtx);
+
+- while (sta->sta_state == IEEE80211_STA_AUTHORIZED) {
++ if (sta->sta_state == IEEE80211_STA_AUTHORIZED) {
+ ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC);
+ WARN_ON_ONCE(ret);
+ }
--- /dev/null
+From a1c6ae3d9f3dd6aa5981a332a6f700cf1c25edef Mon Sep 17 00:00:00 2001
+From: ChangSyun Peng <allenpeng@synology.com>
+Date: Fri, 31 Jul 2020 17:50:17 +0800
+Subject: md/raid5: Fix Force reconstruct-write io stuck in degraded raid5
+
+From: ChangSyun Peng <allenpeng@synology.com>
+
+commit a1c6ae3d9f3dd6aa5981a332a6f700cf1c25edef upstream.
+
+In degraded raid5, we need to read parity to do reconstruct-write when
+data disks fail. However, we can not read parity from
+handle_stripe_dirtying() in force reconstruct-write mode.
+
+Reproducible Steps:
+
+1. Create degraded raid5
+mdadm -C /dev/md2 --assume-clean -l5 -n3 /dev/sda2 /dev/sdb2 missing
+2. Set rmw_level to 0
+echo 0 > /sys/block/md2/md/rmw_level
+3. IO to raid5
+
+Now some io may be stuck in raid5. We can use handle_stripe_fill() to read
+the parity in this situation.
+
+Cc: <stable@vger.kernel.org> # v4.4+
+Reviewed-by: Alex Wu <alexwu@synology.com>
+Reviewed-by: BingJing Chang <bingjingc@synology.com>
+Reviewed-by: Danny Shih <dannyshih@synology.com>
+Signed-off-by: ChangSyun Peng <allenpeng@synology.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid5.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -3604,6 +3604,7 @@ static int need_this_block(struct stripe
+ * is missing/faulty, then we need to read everything we can.
+ */
+ if (sh->raid_conf->level != 6 &&
++ sh->raid_conf->rmw_level != PARITY_DISABLE_RMW &&
+ sh->sector < sh->raid_conf->mddev->recovery_cp)
+ /* reconstruct-write isn't being forced */
+ return 0;
+@@ -4839,7 +4840,7 @@ static void handle_stripe(struct stripe_
+ * or to load a block that is being partially written.
+ */
+ if (s.to_read || s.non_overwrite
+- || (conf->level == 6 && s.to_write && s.failed)
++ || (s.to_write && s.failed)
+ || (s.syncing && (s.uptodate + s.compute < disks))
+ || s.replacing
+ || s.expanding)
--- /dev/null
+From 9cce844abf07b683cff5f0273977d5f8d0af94c7 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 16 Jul 2020 18:40:23 +0800
+Subject: MIPS: CPU#0 is not hotpluggable
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 9cce844abf07b683cff5f0273977d5f8d0af94c7 upstream.
+
+Now CPU#0 is not hotpluggable on MIPS, so prevent to create /sys/devices
+/system/cpu/cpu0/online which confuses some user-space tools.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/topology.c
++++ b/arch/mips/kernel/topology.c
+@@ -20,7 +20,7 @@ static int __init topology_init(void)
+ for_each_present_cpu(i) {
+ struct cpu *c = &per_cpu(cpu_devices, i);
+
+- c->hotpluggable = 1;
++ c->hotpluggable = !!i;
+ ret = register_cpu(c, i);
+ if (ret)
+ printk(KERN_WARNING "topology_init: register_cpu %d "
--- /dev/null
+From 0889a67a9e7a56ba39af223d536630b20b877fda Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Mon, 27 Jul 2020 20:11:28 +0200
+Subject: MIPS: qi_lb60: Fix routing to audio amplifier
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit 0889a67a9e7a56ba39af223d536630b20b877fda upstream.
+
+The ROUT (right channel output of audio codec) was connected to INL
+(left channel of audio amplifier) instead of INR (right channel of audio
+amplifier).
+
+Fixes: 8ddebad15e9b ("MIPS: qi_lb60: Migrate to devicetree")
+Cc: stable@vger.kernel.org # v5.3
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/boot/dts/ingenic/qi_lb60.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/boot/dts/ingenic/qi_lb60.dts
++++ b/arch/mips/boot/dts/ingenic/qi_lb60.dts
+@@ -69,7 +69,7 @@
+ "Speaker", "OUTL",
+ "Speaker", "OUTR",
+ "INL", "LOUT",
+- "INL", "ROUT";
++ "INR", "ROUT";
+
+ simple-audio-card,aux-devs = <&>;
+
--- /dev/null
+From b4223a510e2ab1bf0f971d50af7c1431014b25ad Mon Sep 17 00:00:00 2001
+From: Jia He <justin.he@arm.com>
+Date: Tue, 11 Aug 2020 18:32:20 -0700
+Subject: mm/memory_hotplug: fix unpaired mem_hotplug_begin/done
+
+From: Jia He <justin.he@arm.com>
+
+commit b4223a510e2ab1bf0f971d50af7c1431014b25ad upstream.
+
+When check_memblock_offlined_cb() returns failed rc(e.g. the memblock is
+online at that time), mem_hotplug_begin/done is unpaired in such case.
+
+Therefore a warning:
+ Call Trace:
+ percpu_up_write+0x33/0x40
+ try_remove_memory+0x66/0x120
+ ? _cond_resched+0x19/0x30
+ remove_memory+0x2b/0x40
+ dev_dax_kmem_remove+0x36/0x72 [kmem]
+ device_release_driver_internal+0xf0/0x1c0
+ device_release_driver+0x12/0x20
+ bus_remove_device+0xe1/0x150
+ device_del+0x17b/0x3e0
+ unregister_dev_dax+0x29/0x60
+ devm_action_release+0x15/0x20
+ release_nodes+0x19a/0x1e0
+ devres_release_all+0x3f/0x50
+ device_release_driver_internal+0x100/0x1c0
+ driver_detach+0x4c/0x8f
+ bus_remove_driver+0x5c/0xd0
+ driver_unregister+0x31/0x50
+ dax_pmem_exit+0x10/0xfe0 [dax_pmem]
+
+Fixes: f1037ec0cc8a ("mm/memory_hotplug: fix remove_memory() lockdep splat")
+Signed-off-by: Jia He <justin.he@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Dan Williams <dan.j.williams@intel.com>
+Cc: <stable@vger.kernel.org> [5.6+]
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Chuhong Yuan <hslester96@gmail.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Dave Jiang <dave.jiang@intel.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jonathan Cameron <Jonathan.Cameron@Huawei.com>
+Cc: Kaly Xin <Kaly.Xin@arm.com>
+Cc: Logan Gunthorpe <logang@deltatee.com>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rich Felker <dalias@libc.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Vishal Verma <vishal.l.verma@intel.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Link: http://lkml.kernel.org/r/20200710031619.18762-3-justin.he@arm.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory_hotplug.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -1751,7 +1751,7 @@ static int __ref try_remove_memory(int n
+ */
+ rc = walk_memory_blocks(start, size, NULL, check_memblock_offlined_cb);
+ if (rc)
+- goto done;
++ return rc;
+
+ /* remove memmap entry */
+ firmware_map_remove(start, start + size, "System RAM");
+@@ -1771,9 +1771,8 @@ static int __ref try_remove_memory(int n
+
+ try_offline_node(nid);
+
+-done:
+ mem_hotplug_done();
+- return rc;
++ return 0;
+ }
+
+ /**
--- /dev/null
+From a6f23d14ec7d7d02220ad8bb2774be3322b9aeec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
+Date: Thu, 6 Aug 2020 23:22:18 -0700
+Subject: mm/page_counter.c: fix protection usage propagation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Koutný <mkoutny@suse.com>
+
+commit a6f23d14ec7d7d02220ad8bb2774be3322b9aeec upstream.
+
+When workload runs in cgroups that aren't directly below root cgroup and
+their parent specifies reclaim protection, it may end up ineffective.
+
+The reason is that propagate_protected_usage() is not called in all
+hierarchy up. All the protected usage is incorrectly accumulated in the
+workload's parent. This means that siblings_low_usage is overestimated
+and effective protection underestimated. Even though it is transitional
+phenomenon (uncharge path does correct propagation and fixes the wrong
+children_low_usage), it can undermine the intended protection
+unexpectedly.
+
+We have noticed this problem while seeing a swap out in a descendant of a
+protected memcg (intermediate node) while the parent was conveniently
+under its protection limit and the memory pressure was external to that
+hierarchy. Michal has pinpointed this down to the wrong
+siblings_low_usage which led to the unwanted reclaim.
+
+The fix is simply updating children_low_usage in respective ancestors also
+in the charging path.
+
+Fixes: 230671533d64 ("mm: memory.low hierarchical behavior")
+Signed-off-by: Michal Koutný <mkoutny@suse.com>
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Roman Gushchin <guro@fb.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: <stable@vger.kernel.org> [4.18+]
+Link: http://lkml.kernel.org/r/20200803153231.15477-1-mhocko@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_counter.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/mm/page_counter.c
++++ b/mm/page_counter.c
+@@ -77,7 +77,7 @@ void page_counter_charge(struct page_cou
+ long new;
+
+ new = atomic_long_add_return(nr_pages, &c->usage);
+- propagate_protected_usage(counter, new);
++ propagate_protected_usage(c, new);
+ /*
+ * This is indeed racy, but we can live with some
+ * inaccuracy in the watermark.
+@@ -121,7 +121,7 @@ bool page_counter_try_charge(struct page
+ new = atomic_long_add_return(nr_pages, &c->usage);
+ if (new > c->max) {
+ atomic_long_sub(nr_pages, &c->usage);
+- propagate_protected_usage(counter, new);
++ propagate_protected_usage(c, new);
+ /*
+ * This is racy, but we can live with some
+ * inaccuracy in the failcnt.
+@@ -130,7 +130,7 @@ bool page_counter_try_charge(struct page
+ *fail = c;
+ goto failed;
+ }
+- propagate_protected_usage(counter, new);
++ propagate_protected_usage(c, new);
+ /*
+ * Just like with failcnt, we can live with some
+ * inaccuracy in the watermark.
--- /dev/null
+From d9539752d23283db4692384a634034f451261e29 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 9 Jun 2020 16:11:29 -0700
+Subject: net/compat: Add missing sock updates for SCM_RIGHTS
+
+From: Kees Cook <keescook@chromium.org>
+
+commit d9539752d23283db4692384a634034f451261e29 upstream.
+
+Add missed sock updates to compat path via a new helper, which will be
+used more in coming patches. (The net/core/scm.c code is left as-is here
+to assist with -stable backports for the compat path.)
+
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Sargun Dhillon <sargun@sargun.me>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: stable@vger.kernel.org
+Fixes: 48a87cc26c13 ("net: netprio: fd passed in SCM_RIGHTS datagram not set correctly")
+Fixes: d84295067fc7 ("net: net_cls: fd passed in SCM_RIGHTS datagram not set correctly")
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/sock.h | 4 ++++
+ net/compat.c | 1 +
+ net/core/sock.c | 21 +++++++++++++++++++++
+ 3 files changed, 26 insertions(+)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -849,6 +849,8 @@ static inline int sk_memalloc_socks(void
+ {
+ return static_branch_unlikely(&memalloc_socks_key);
+ }
++
++void __receive_sock(struct file *file);
+ #else
+
+ static inline int sk_memalloc_socks(void)
+@@ -856,6 +858,8 @@ static inline int sk_memalloc_socks(void
+ return 0;
+ }
+
++static inline void __receive_sock(struct file *file)
++{ }
+ #endif
+
+ static inline gfp_t sk_gfp_mask(const struct sock *sk, gfp_t gfp_mask)
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -291,6 +291,7 @@ void scm_detach_fds_compat(struct msghdr
+ break;
+ }
+ /* Bump the usage count and install the file. */
++ __receive_sock(fp[i]);
+ fd_install(new_fd, get_file(fp[i]));
+ }
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2736,6 +2736,27 @@ int sock_no_mmap(struct file *file, stru
+ }
+ EXPORT_SYMBOL(sock_no_mmap);
+
++/*
++ * When a file is received (via SCM_RIGHTS, etc), we must bump the
++ * various sock-based usage counts.
++ */
++void __receive_sock(struct file *file)
++{
++ struct socket *sock;
++ int error;
++
++ /*
++ * The resulting value of "error" is ignored here since we only
++ * need to take action when the file is a socket and testing
++ * "sock" for NULL is sufficient.
++ */
++ sock = sock_from_file(file, &error);
++ if (sock) {
++ sock_update_netprioidx(&sock->sk->sk_cgrp_data);
++ sock_update_classid(&sock->sk->sk_cgrp_data);
++ }
++}
++
+ ssize_t sock_no_sendpage(struct socket *sock, struct page *page, int offset, size_t size, int flags)
+ {
+ ssize_t res;
--- /dev/null
+From df43dd526e6609769ae513a81443c7aa727c8ca3 Mon Sep 17 00:00:00 2001
+From: Jonathan McDowell <noodles@earth.li>
+Date: Wed, 12 Aug 2020 20:37:23 +0100
+Subject: net: ethernet: stmmac: Disable hardware multicast filter
+
+From: Jonathan McDowell <noodles@earth.li>
+
+commit df43dd526e6609769ae513a81443c7aa727c8ca3 upstream.
+
+The IPQ806x does not appear to have a functional multicast ethernet
+address filter. This was observed as a failure to correctly receive IPv6
+packets on a LAN to the all stations address. Checking the vendor driver
+shows that it does not attempt to enable the multicast filter and
+instead falls back to receiving all multicast packets, internally
+setting ALLMULTI.
+
+Use the new fallback support in the dwmac1000 driver to correctly
+achieve the same with the mainline IPQ806x driver. Confirmed to fix IPv6
+functionality on an RB3011 router.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan McDowell <noodles@earth.li>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+@@ -350,6 +350,7 @@ static int ipq806x_gmac_probe(struct pla
+ plat_dat->has_gmac = true;
+ plat_dat->bsp_priv = gmac;
+ plat_dat->fix_mac_speed = ipq806x_gmac_fix_mac_speed;
++ plat_dat->multicast_filter_bins = 0;
+
+ err = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res);
+ if (err)
--- /dev/null
+From 592d751c1e174df5ff219946908b005eb48934b3 Mon Sep 17 00:00:00 2001
+From: Jonathan McDowell <noodles@earth.li>
+Date: Wed, 12 Aug 2020 20:37:01 +0100
+Subject: net: stmmac: dwmac1000: provide multicast filter fallback
+
+From: Jonathan McDowell <noodles@earth.li>
+
+commit 592d751c1e174df5ff219946908b005eb48934b3 upstream.
+
+If we don't have a hardware multicast filter available then instead of
+silently failing to listen for the requested ethernet broadcast
+addresses fall back to receiving all multicast packets, in a similar
+fashion to other drivers with no multicast filter.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan McDowell <noodles@earth.li>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+@@ -166,6 +166,9 @@ static void dwmac1000_set_filter(struct
+ value = GMAC_FRAME_FILTER_PR | GMAC_FRAME_FILTER_PCF;
+ } else if (dev->flags & IFF_ALLMULTI) {
+ value = GMAC_FRAME_FILTER_PM; /* pass all multi */
++ } else if (!netdev_mc_empty(dev) && (mcbitslog2 == 0)) {
++ /* Fall back to all multicast if we've no filter */
++ value = GMAC_FRAME_FILTER_PM;
+ } else if (!netdev_mc_empty(dev)) {
+ struct netdev_hw_addr *ha;
+
--- /dev/null
+From 38d51b2dd171ad973afc1f5faab825ed05a2d5e9 Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Thu, 6 Aug 2020 23:18:02 -0700
+Subject: ocfs2: change slot number type s16 to u16
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit 38d51b2dd171ad973afc1f5faab825ed05a2d5e9 upstream.
+
+Dan Carpenter reported the following static checker warning.
+
+ fs/ocfs2/super.c:1269 ocfs2_parse_options() warn: '(-1)' 65535 can't fit into 32767 'mopt->slot'
+ fs/ocfs2/suballoc.c:859 ocfs2_init_inode_steal_slot() warn: '(-1)' 65535 can't fit into 32767 'osb->s_inode_steal_slot'
+ fs/ocfs2/suballoc.c:867 ocfs2_init_meta_steal_slot() warn: '(-1)' 65535 can't fit into 32767 'osb->s_meta_steal_slot'
+
+That's because OCFS2_INVALID_SLOT is (u16)-1. Slot number in ocfs2 can be
+never negative, so change s16 to u16.
+
+Fixes: 9277f8334ffc ("ocfs2: fix value of OCFS2_INVALID_SLOT")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reviewed-by: Gang He <ghe@suse.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200627001259.19757-1-junxiao.bi@oracle.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/ocfs2.h | 4 ++--
+ fs/ocfs2/suballoc.c | 4 ++--
+ fs/ocfs2/super.c | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/fs/ocfs2/ocfs2.h
++++ b/fs/ocfs2/ocfs2.h
+@@ -326,8 +326,8 @@ struct ocfs2_super
+ spinlock_t osb_lock;
+ u32 s_next_generation;
+ unsigned long osb_flags;
+- s16 s_inode_steal_slot;
+- s16 s_meta_steal_slot;
++ u16 s_inode_steal_slot;
++ u16 s_meta_steal_slot;
+ atomic_t s_num_inodes_stolen;
+ atomic_t s_num_meta_stolen;
+
+--- a/fs/ocfs2/suballoc.c
++++ b/fs/ocfs2/suballoc.c
+@@ -879,9 +879,9 @@ static void __ocfs2_set_steal_slot(struc
+ {
+ spin_lock(&osb->osb_lock);
+ if (type == INODE_ALLOC_SYSTEM_INODE)
+- osb->s_inode_steal_slot = slot;
++ osb->s_inode_steal_slot = (u16)slot;
+ else if (type == EXTENT_ALLOC_SYSTEM_INODE)
+- osb->s_meta_steal_slot = slot;
++ osb->s_meta_steal_slot = (u16)slot;
+ spin_unlock(&osb->osb_lock);
+ }
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -78,7 +78,7 @@ struct mount_options
+ unsigned long commit_interval;
+ unsigned long mount_opt;
+ unsigned int atime_quantum;
+- signed short slot;
++ unsigned short slot;
+ int localalloc_opt;
+ unsigned int resv_level;
+ int dir_resv_level;
+@@ -1334,7 +1334,7 @@ static int ocfs2_parse_options(struct su
+ goto bail;
+ }
+ if (option)
+- mopt->slot = (s16)option;
++ mopt->slot = (u16)option;
+ break;
+ case Opt_commit:
+ if (match_int(&args[0], &option)) {
--- /dev/null
+From 89c140bbaeee7a55ed0360a88f294ead2b95201b Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@ozlabs.org>
+Date: Wed, 15 Jul 2020 10:08:20 +1000
+Subject: pseries: Fix 64 bit logical memory block panic
+
+From: Anton Blanchard <anton@ozlabs.org>
+
+commit 89c140bbaeee7a55ed0360a88f294ead2b95201b upstream.
+
+Booting with a 4GB LMB size causes us to panic:
+
+ qemu-system-ppc64: OS terminated: OS panic:
+ Memory block size not suitable: 0x0
+
+Fix pseries_memory_block_size() to handle 64 bit LMBs.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Anton Blanchard <anton@ozlabs.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200715000820.1255764-1-anton@ozlabs.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/pseries/hotplug-memory.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/hotplug-memory.c
++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c
+@@ -27,7 +27,7 @@ static bool rtas_hp_event;
+ unsigned long pseries_memory_block_size(void)
+ {
+ struct device_node *np;
+- unsigned int memblock_size = MIN_MEMORY_BLOCK_SIZE;
++ u64 memblock_size = MIN_MEMORY_BLOCK_SIZE;
+ struct resource r;
+
+ np = of_find_node_by_path("/ibm,dynamic-reconfiguration-memory");
powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch
pinctrl-ingenic-enhance-support-for-irq_type_edge_both.patch
media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch
+net-ethernet-stmmac-disable-hardware-multicast-filter.patch
+net-stmmac-dwmac1000-provide-multicast-filter-fallback.patch
+net-compat-add-missing-sock-updates-for-scm_rights.patch
+md-raid5-fix-force-reconstruct-write-io-stuck-in-degraded-raid5.patch
+bcache-allocate-meta-data-pages-as-compound-pages.patch
+bcache-fix-overflow-in-offset_to_stripe.patch
+mac80211-fix-misplaced-while-instead-of-if.patch
+appletalk-fix-atalk_proc_init-return-path.patch
+driver-core-avoid-binding-drivers-to-dead-devices.patch
+mips-cpu-0-is-not-hotpluggable.patch
+mips-qi_lb60-fix-routing-to-audio-amplifier.patch
+ext2-fix-missing-percpu_counter_inc.patch
+khugepaged-collapse_pte_mapped_thp-flush-the-right-range.patch
+khugepaged-collapse_pte_mapped_thp-protect-the-pmd-lock.patch
+ocfs2-change-slot-number-type-s16-to-u16.patch
+mm-page_counter.c-fix-protection-usage-propagation.patch
+mm-memory_hotplug-fix-unpaired-mem_hotplug_begin-done.patch
+ftrace-setup-correct-ftrace_fl_regs-flags-for-module.patch
+kprobes-fix-null-pointer-dereference-at-kprobe_ftrace_handler.patch
+tracing-hwlat-honor-the-tracing_cpumask.patch
+tracing-use-trace_sched_process_free-instead-of-exit-for-pid-tracing.patch
+tracing-move-pipe-reference-to-trace-array-instead-of-current_tracer.patch
+watchdog-f71808e_wdt-indicate-wdiof_cardreset-support-in-watchdog_info.options.patch
+watchdog-f71808e_wdt-remove-use-of-wrong-watchdog_info-option.patch
+watchdog-f71808e_wdt-clear-watchdog-timeout-occurred-flag.patch
+ceph-set-sec_context-xattr-on-symlink-creation.patch
+ceph-handle-zero-length-feature-mask-in-session-messages.patch
+pseries-fix-64-bit-logical-memory-block-panic.patch
iio-imu-st_lsm6dsx-reset-hw-ts-after-resume.patch
--- /dev/null
+From 96b4833b6827a62c295b149213c68b559514c929 Mon Sep 17 00:00:00 2001
+From: Kevin Hao <haokexin@gmail.com>
+Date: Thu, 30 Jul 2020 16:23:18 +0800
+Subject: tracing/hwlat: Honor the tracing_cpumask
+
+From: Kevin Hao <haokexin@gmail.com>
+
+commit 96b4833b6827a62c295b149213c68b559514c929 upstream.
+
+In calculation of the cpu mask for the hwlat kernel thread, the wrong
+cpu mask is used instead of the tracing_cpumask, this causes the
+tracing/tracing_cpumask useless for hwlat tracer. Fixes it.
+
+Link: https://lkml.kernel.org/r/20200730082318.42584-2-haokexin@gmail.com
+
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 0330f7aa8ee6 ("tracing: Have hwlat trace migrate across tracing_cpumask CPUs")
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_hwlat.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_hwlat.c
++++ b/kernel/trace/trace_hwlat.c
+@@ -270,6 +270,7 @@ static bool disable_migrate;
+ static void move_to_next_cpu(void)
+ {
+ struct cpumask *current_mask = &save_cpumask;
++ struct trace_array *tr = hwlat_trace;
+ int next_cpu;
+
+ if (disable_migrate)
+@@ -283,7 +284,7 @@ static void move_to_next_cpu(void)
+ goto disable;
+
+ get_online_cpus();
+- cpumask_and(current_mask, cpu_online_mask, tracing_buffer_mask);
++ cpumask_and(current_mask, cpu_online_mask, tr->tracing_cpumask);
+ next_cpu = cpumask_next(smp_processor_id(), current_mask);
+ put_online_cpus();
+
+@@ -360,7 +361,7 @@ static int start_kthread(struct trace_ar
+ /* Just pick the first CPU on first iteration */
+ current_mask = &save_cpumask;
+ get_online_cpus();
+- cpumask_and(current_mask, cpu_online_mask, tracing_buffer_mask);
++ cpumask_and(current_mask, cpu_online_mask, tr->tracing_cpumask);
+ put_online_cpus();
+ next_cpu = cpumask_first(current_mask);
+
--- /dev/null
+From 7ef282e05132d56b6f6b71e3873f317664bea78b Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Mon, 29 Jun 2020 23:45:56 -0400
+Subject: tracing: Move pipe reference to trace array instead of current_tracer
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 7ef282e05132d56b6f6b71e3873f317664bea78b upstream.
+
+If a process has the trace_pipe open on a trace_array, the current tracer
+for that trace array should not be changed. This was original enforced by a
+global lock, but when instances were introduced, it was moved to the
+current_trace. But this structure is shared by all instances, and a
+trace_pipe is for a single instance. There's no reason that a process that
+has trace_pipe open on one instance should prevent another instance from
+changing its current tracer. Move the reference counter to the trace_array
+instead.
+
+This is marked as "Fixes" but is more of a clean up than a true fix.
+Backport if you want, but its not critical.
+
+Fixes: cf6ab6d9143b1 ("tracing: Add ref count to tracer for when they are being read by pipe")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+[Resolved conflict in __remove_instance()]
+Signed-off-by: dann frazier <dann.frazier@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 12 ++++++------
+ kernel/trace/trace.h | 2 +-
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -5686,7 +5686,7 @@ static int tracing_set_tracer(struct tra
+ }
+
+ /* If trace pipe files are being read, we can't change the tracer */
+- if (tr->current_trace->ref) {
++ if (tr->trace_ref) {
+ ret = -EBUSY;
+ goto out;
+ }
+@@ -5902,7 +5902,7 @@ static int tracing_open_pipe(struct inod
+
+ nonseekable_open(inode, filp);
+
+- tr->current_trace->ref++;
++ tr->trace_ref++;
+ out:
+ mutex_unlock(&trace_types_lock);
+ return ret;
+@@ -5921,7 +5921,7 @@ static int tracing_release_pipe(struct i
+
+ mutex_lock(&trace_types_lock);
+
+- tr->current_trace->ref--;
++ tr->trace_ref--;
+
+ if (iter->trace->pipe_close)
+ iter->trace->pipe_close(iter);
+@@ -7230,7 +7230,7 @@ static int tracing_buffers_open(struct i
+
+ filp->private_data = info;
+
+- tr->current_trace->ref++;
++ tr->trace_ref++;
+
+ mutex_unlock(&trace_types_lock);
+
+@@ -7331,7 +7331,7 @@ static int tracing_buffers_release(struc
+
+ mutex_lock(&trace_types_lock);
+
+- iter->tr->current_trace->ref--;
++ iter->tr->trace_ref--;
+
+ __trace_array_put(iter->tr);
+
+@@ -8470,7 +8470,7 @@ static int __remove_instance(struct trac
+ {
+ int i;
+
+- if (tr->ref || (tr->current_trace && tr->current_trace->ref))
++ if (tr->ref || (tr->current_trace && tr->trace_ref))
+ return -EBUSY;
+
+ list_del(&tr->list);
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -309,6 +309,7 @@ struct trace_array {
+ struct trace_event_file *trace_marker_file;
+ cpumask_var_t tracing_cpumask; /* only trace on set CPUs */
+ int ref;
++ int trace_ref;
+ #ifdef CONFIG_FUNCTION_TRACER
+ struct ftrace_ops *ops;
+ struct trace_pid_list __rcu *function_pids;
+@@ -498,7 +499,6 @@ struct tracer {
+ struct tracer *next;
+ struct tracer_flags *flags;
+ int enabled;
+- int ref;
+ bool print_max;
+ bool allow_instances;
+ #ifdef CONFIG_TRACER_MAX_TRACE
--- /dev/null
+From afcab636657421f7ebfa0783a91f90256bba0091 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Tue, 4 Aug 2020 20:00:02 -0400
+Subject: tracing: Use trace_sched_process_free() instead of exit() for pid tracing
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit afcab636657421f7ebfa0783a91f90256bba0091 upstream.
+
+On exit, if a process is preempted after the trace_sched_process_exit()
+tracepoint but before the process is done exiting, then when it gets
+scheduled in, the function tracers will not filter it properly against the
+function tracing pid filters.
+
+That is because the function tracing pid filters hooks to the
+sched_process_exit() tracepoint to remove the exiting task's pid from the
+filter list. Because the filtering happens at the sched_switch tracepoint,
+when the exiting task schedules back in to finish up the exit, it will no
+longer be in the function pid filtering tables.
+
+This was noticeable in the notrace self tests on a preemptable kernel, as
+the tests would fail as it exits and preempted after being taken off the
+notrace filter table and on scheduling back in it would not be in the
+notrace list, and then the ending of the exit function would trace. The test
+detected this and would fail.
+
+Cc: stable@vger.kernel.org
+Cc: Namhyung Kim <namhyung@kernel.org>
+Fixes: 1e10486ffee0a ("ftrace: Add 'function-fork' trace option")
+Fixes: c37775d57830a ("tracing: Add infrastructure to allow set_event_pid to follow children"
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 4 ++--
+ kernel/trace/trace_events.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -6462,12 +6462,12 @@ void ftrace_pid_follow_fork(struct trace
+ if (enable) {
+ register_trace_sched_process_fork(ftrace_pid_follow_sched_process_fork,
+ tr);
+- register_trace_sched_process_exit(ftrace_pid_follow_sched_process_exit,
++ register_trace_sched_process_free(ftrace_pid_follow_sched_process_exit,
+ tr);
+ } else {
+ unregister_trace_sched_process_fork(ftrace_pid_follow_sched_process_fork,
+ tr);
+- unregister_trace_sched_process_exit(ftrace_pid_follow_sched_process_exit,
++ unregister_trace_sched_process_free(ftrace_pid_follow_sched_process_exit,
+ tr);
+ }
+ }
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -527,12 +527,12 @@ void trace_event_follow_fork(struct trac
+ if (enable) {
+ register_trace_prio_sched_process_fork(event_filter_pid_sched_process_fork,
+ tr, INT_MIN);
+- register_trace_prio_sched_process_exit(event_filter_pid_sched_process_exit,
++ register_trace_prio_sched_process_free(event_filter_pid_sched_process_exit,
+ tr, INT_MAX);
+ } else {
+ unregister_trace_sched_process_fork(event_filter_pid_sched_process_fork,
+ tr);
+- unregister_trace_sched_process_exit(event_filter_pid_sched_process_exit,
++ unregister_trace_sched_process_free(event_filter_pid_sched_process_exit,
+ tr);
+ }
+ }
--- /dev/null
+From 4f39d575844148fbf3081571a1f3b4ae04150958 Mon Sep 17 00:00:00 2001
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Date: Thu, 11 Jun 2020 21:17:45 +0200
+Subject: watchdog: f71808e_wdt: clear watchdog timeout occurred flag
+
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+
+commit 4f39d575844148fbf3081571a1f3b4ae04150958 upstream.
+
+The flag indicating a watchdog timeout having occurred normally persists
+till Power-On Reset of the Fintek Super I/O chip. The user can clear it
+by writing a `1' to the bit.
+
+The driver doesn't offer a restart method, so regular system reboot
+might not reset the Super I/O and if the watchdog isn't enabled, we
+won't touch the register containing the bit on the next boot.
+In this case all subsequent regular reboots will be wrongly flagged
+by the driver as being caused by the watchdog.
+
+Fix this by having the flag cleared after read. This is also done by
+other drivers like those for the i6300esb and mpc8xxx_wdt.
+
+Fixes: b97cb21a4634 ("watchdog: f71808e_wdt: Fix WDTMOUT_STS register read")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20200611191750.28096-5-a.fatoum@pengutronix.de
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/watchdog/f71808e_wdt.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/watchdog/f71808e_wdt.c
++++ b/drivers/watchdog/f71808e_wdt.c
+@@ -705,6 +705,13 @@ static int __init watchdog_init(int sioa
+ wdt_conf = superio_inb(sioaddr, F71808FG_REG_WDT_CONF);
+ watchdog.caused_reboot = wdt_conf & BIT(F71808FG_FLAG_WDTMOUT_STS);
+
++ /*
++ * We don't want WDTMOUT_STS to stick around till regular reboot.
++ * Write 1 to the bit to clear it to zero.
++ */
++ superio_outb(sioaddr, F71808FG_REG_WDT_CONF,
++ wdt_conf | BIT(F71808FG_FLAG_WDTMOUT_STS));
++
+ superio_exit(sioaddr);
+
+ err = watchdog_set_timeout(timeout);
--- /dev/null
+From e871e93fb08a619dfc015974a05768ed6880fd82 Mon Sep 17 00:00:00 2001
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Date: Thu, 11 Jun 2020 21:17:43 +0200
+Subject: watchdog: f71808e_wdt: indicate WDIOF_CARDRESET support in watchdog_info.options
+
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+
+commit e871e93fb08a619dfc015974a05768ed6880fd82 upstream.
+
+The driver supports populating bootstatus with WDIOF_CARDRESET, but so
+far userspace couldn't portably determine whether absence of this flag
+meant no watchdog reset or no driver support. Or-in the bit to fix this.
+
+Fixes: b97cb21a4634 ("watchdog: f71808e_wdt: Fix WDTMOUT_STS register read")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20200611191750.28096-3-a.fatoum@pengutronix.de
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/watchdog/f71808e_wdt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/watchdog/f71808e_wdt.c
++++ b/drivers/watchdog/f71808e_wdt.c
+@@ -691,7 +691,8 @@ static int __init watchdog_init(int sioa
+ watchdog.sioaddr = sioaddr;
+ watchdog.ident.options = WDIOC_SETTIMEOUT
+ | WDIOF_MAGICCLOSE
+- | WDIOF_KEEPALIVEPING;
++ | WDIOF_KEEPALIVEPING
++ | WDIOF_CARDRESET;
+
+ snprintf(watchdog.ident.identity,
+ sizeof(watchdog.ident.identity), "%s watchdog",
--- /dev/null
+From 802141462d844f2e6a4d63a12260d79b7afc4c34 Mon Sep 17 00:00:00 2001
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Date: Thu, 11 Jun 2020 21:17:44 +0200
+Subject: watchdog: f71808e_wdt: remove use of wrong watchdog_info option
+
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+
+commit 802141462d844f2e6a4d63a12260d79b7afc4c34 upstream.
+
+The flags that should be or-ed into the watchdog_info.options by drivers
+all start with WDIOF_, e.g. WDIOF_SETTIMEOUT, which indicates that the
+driver's watchdog_ops has a usable set_timeout.
+
+WDIOC_SETTIMEOUT was used instead, which expands to 0xc0045706, which
+equals:
+
+ WDIOF_FANFAULT | WDIOF_EXTERN1 | WDIOF_PRETIMEOUT | WDIOF_ALARMONLY |
+ WDIOF_MAGICCLOSE | 0xc0045000
+
+These were so far indicated to userspace on WDIOC_GETSUPPORT.
+As the driver has not yet been migrated to the new watchdog kernel API,
+the constant can just be dropped without substitute.
+
+Fixes: 96cb4eb019ce ("watchdog: f71808e_wdt: new watchdog driver for Fintek F71808E and F71882FG")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20200611191750.28096-4-a.fatoum@pengutronix.de
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/watchdog/f71808e_wdt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/watchdog/f71808e_wdt.c
++++ b/drivers/watchdog/f71808e_wdt.c
+@@ -689,8 +689,7 @@ static int __init watchdog_init(int sioa
+ * into the module have been registered yet.
+ */
+ watchdog.sioaddr = sioaddr;
+- watchdog.ident.options = WDIOC_SETTIMEOUT
+- | WDIOF_MAGICCLOSE
++ watchdog.ident.options = WDIOF_MAGICCLOSE
+ | WDIOF_KEEPALIVEPING
+ | WDIOF_CARDRESET;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
