--- /dev/null
+From e1090371e02b601cbfcea175c2a6cc7c955fa830 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Fri, 1 Dec 2023 17:21:36 +0000
+Subject: binder: fix comment on binder_alloc_new_buf() return value
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit e1090371e02b601cbfcea175c2a6cc7c955fa830 upstream.
+
+Update the comments of binder_alloc_new_buf() to reflect that the return
+value of the function is now ERR_PTR(-errno) on failure.
+
+No functional changes in this patch.
+
+Cc: stable@vger.kernel.org
+Fixes: 57ada2fb2250 ("binder: add log information for binder transaction failures")
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Link: https://lore.kernel.org/r/20231201172212.1813387-8-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder_alloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -557,7 +557,7 @@ err_alloc_buf_struct_failed:
+ * is the sum of the three given sizes (each rounded up to
+ * pointer-sized boundary)
+ *
+- * Return: The allocated buffer or %NULL if error
++ * Return: The allocated buffer or %ERR_PTR(-errno) if error
+ */
+ struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc,
+ size_t data_size,
--- /dev/null
+From 122a3c1cb0ff304c2b8934584fcfea4edb2fe5e3 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Fri, 1 Dec 2023 17:21:35 +0000
+Subject: binder: fix trivial typo of binder_free_buf_locked()
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit 122a3c1cb0ff304c2b8934584fcfea4edb2fe5e3 upstream.
+
+Fix minor misspelling of the function in the comment section.
+
+No functional changes in this patch.
+
+Cc: stable@vger.kernel.org
+Fixes: 0f966cba95c7 ("binder: add flag to clear buffer on txn complete")
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Link: https://lore.kernel.org/r/20231201172212.1813387-7-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder_alloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -706,7 +706,7 @@ void binder_alloc_free_buf(struct binder
+ /*
+ * We could eliminate the call to binder_alloc_clear_buf()
+ * from binder_alloc_deferred_release() by moving this to
+- * binder_alloc_free_buf_locked(). However, that could
++ * binder_free_buf_locked(). However, that could
+ * increase contention for the alloc mutex if clear_on_free
+ * is used frequently for large buffers. The mutex is not
+ * needed for correctness here.
--- /dev/null
+From 3f489c2067c5824528212b0fc18b28d51332d906 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Fri, 1 Dec 2023 17:21:31 +0000
+Subject: binder: fix use-after-free in shinker's callback
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit 3f489c2067c5824528212b0fc18b28d51332d906 upstream.
+
+The mmap read lock is used during the shrinker's callback, which means
+that using alloc->vma pointer isn't safe as it can race with munmap().
+As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in
+munmap") the mmap lock is downgraded after the vma has been isolated.
+
+I was able to reproduce this issue by manually adding some delays and
+triggering page reclaiming through the shrinker's debug sysfs. The
+following KASAN report confirms the UAF:
+
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8
+ Read of size 8 at addr ffff356ed50e50f0 by task bash/478
+
+ CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70
+ Hardware name: linux,dummy-virt (DT)
+ Call trace:
+ zap_page_range_single+0x470/0x4b8
+ binder_alloc_free_page+0x608/0xadc
+ __list_lru_walk_one+0x130/0x3b0
+ list_lru_walk_node+0xc4/0x22c
+ binder_shrink_scan+0x108/0x1dc
+ shrinker_debugfs_scan_write+0x2b4/0x500
+ full_proxy_write+0xd4/0x140
+ vfs_write+0x1ac/0x758
+ ksys_write+0xf0/0x1dc
+ __arm64_sys_write+0x6c/0x9c
+
+ Allocated by task 492:
+ kmem_cache_alloc+0x130/0x368
+ vm_area_alloc+0x2c/0x190
+ mmap_region+0x258/0x18bc
+ do_mmap+0x694/0xa60
+ vm_mmap_pgoff+0x170/0x29c
+ ksys_mmap_pgoff+0x290/0x3a0
+ __arm64_sys_mmap+0xcc/0x144
+
+ Freed by task 491:
+ kmem_cache_free+0x17c/0x3c8
+ vm_area_free_rcu_cb+0x74/0x98
+ rcu_core+0xa38/0x26d4
+ rcu_core_si+0x10/0x1c
+ __do_softirq+0x2fc/0xd24
+
+ Last potentially related work creation:
+ __call_rcu_common.constprop.0+0x6c/0xba0
+ call_rcu+0x10/0x1c
+ vm_area_free+0x18/0x24
+ remove_vma+0xe4/0x118
+ do_vmi_align_munmap.isra.0+0x718/0xb5c
+ do_vmi_munmap+0xdc/0x1fc
+ __vm_munmap+0x10c/0x278
+ __arm64_sys_munmap+0x58/0x7c
+
+Fix this issue by performing instead a vma_lookup() which will fail to
+find the vma that was isolated before the mmap lock downgrade. Note that
+this option has better performance than upgrading to a mmap write lock
+which would increase contention. Plus, mmap_write_trylock() has been
+recently removed anyway.
+
+Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
+Cc: stable@vger.kernel.org
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Link: https://lore.kernel.org/r/20231201172212.1813387-3-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder_alloc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -1005,7 +1005,9 @@ enum lru_status binder_alloc_free_page(s
+ goto err_mmget;
+ if (!mmap_read_trylock(mm))
+ goto err_mmap_read_lock_failed;
+- vma = binder_alloc_get_vma(alloc);
++ vma = vma_lookup(mm, page_addr);
++ if (vma && vma != binder_alloc_get_vma(alloc))
++ goto err_invalid_vma;
+
+ list_lru_isolate(lru, item);
+ spin_unlock(lock);
+@@ -1031,6 +1033,8 @@ enum lru_status binder_alloc_free_page(s
+ mutex_unlock(&alloc->mutex);
+ return LRU_REMOVED_RETRY;
+
++err_invalid_vma:
++ mmap_read_unlock(mm);
+ err_mmap_read_lock_failed:
+ mmput_async(mm);
+ err_mmget:
--- /dev/null
+From 6ac061db9c58ca5b9270b1b3940d2464fb3ff183 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Fri, 1 Dec 2023 17:21:30 +0000
+Subject: binder: use EPOLLERR from eventpoll.h
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit 6ac061db9c58ca5b9270b1b3940d2464fb3ff183 upstream.
+
+Use EPOLLERR instead of POLLERR to make sure it is cast to the correct
+__poll_t type. This fixes the following sparse issue:
+
+ drivers/android/binder.c:5030:24: warning: incorrect type in return expression (different base types)
+ drivers/android/binder.c:5030:24: expected restricted __poll_t
+ drivers/android/binder.c:5030:24: got int
+
+Fixes: f88982679f54 ("binder: check for binder_thread allocation failure in binder_poll()")
+Cc: stable@vger.kernel.org
+Cc: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Link: https://lore.kernel.org/r/20231201172212.1813387-2-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -4836,7 +4836,7 @@ static __poll_t binder_poll(struct file
+
+ thread = binder_get_thread(proc);
+ if (!thread)
+- return POLLERR;
++ return EPOLLERR;
+
+ binder_inner_proc_lock(thread->proc);
+ thread->looper |= BINDER_LOOPER_STATE_POLL;
--- /dev/null
+From cc0271a339cc70cae914c3ec20edc2a8058407da Mon Sep 17 00:00:00 2001
+From: James Clark <james.clark@arm.com>
+Date: Wed, 1 Nov 2023 11:52:06 +0000
+Subject: coresight: etm4x: Fix width of CCITMIN field
+
+From: James Clark <james.clark@arm.com>
+
+commit cc0271a339cc70cae914c3ec20edc2a8058407da upstream.
+
+CCITMIN is a 12 bit field and doesn't fit in a u8, so extend it to u16.
+This probably wasn't an issue previously because values higher than 255
+never occurred.
+
+But since commit 4aff040bcc8d ("coresight: etm: Override TRCIDR3.CCITMIN
+on errata affected cpus"), a comparison with 256 was done to enable the
+errata, generating the following W=1 build error:
+
+ coresight-etm4x-core.c:1188:24: error: result of comparison of
+ constant 256 with expression of type 'u8' (aka 'unsigned char') is
+ always false [-Werror,-Wtautological-constant-out-of-range-compare]
+
+ if (drvdata->ccitmin == 256)
+
+Cc: stable@vger.kernel.org
+Fixes: 2e1cdfe184b5 ("coresight-etm4x: Adding CoreSight ETM4x driver")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202310302043.as36UFED-lkp@intel.com/
+Reviewed-by: Mike Leach <mike.leach@linaro.org>
+Signed-off-by: James Clark <james.clark@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20231101115206.70810-1-james.clark@arm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-etm4x.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight-etm4x.h
++++ b/drivers/hwtracing/coresight/coresight-etm4x.h
+@@ -944,7 +944,7 @@ struct etmv4_drvdata {
+ u8 ctxid_size;
+ u8 vmid_size;
+ u8 ccsize;
+- u8 ccitmin;
++ u16 ccitmin;
+ u8 s_ex_level;
+ u8 ns_ex_level;
+ u8 q_support;
--- /dev/null
+From 25054b232681c286fca9c678854f56494d1352cc Mon Sep 17 00:00:00 2001
+From: Florian Eckert <fe@dev.tdt.de>
+Date: Mon, 27 Nov 2023 09:16:21 +0100
+Subject: leds: ledtrig-tty: Free allocated ttyname buffer on deactivate
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Florian Eckert <fe@dev.tdt.de>
+
+commit 25054b232681c286fca9c678854f56494d1352cc upstream.
+
+The ttyname buffer for the ledtrig_tty_data struct is allocated in the
+sysfs ttyname_store() function. This buffer must be released on trigger
+deactivation. This was missing and is thus a memory leak.
+
+While we are at it, the TTY handler in the ledtrig_tty_data struct should
+also be returned in case of the trigger deactivation call.
+
+Cc: stable@vger.kernel.org
+Fixes: fd4a641ac88f ("leds: trigger: implement a tty trigger")
+Signed-off-by: Florian Eckert <fe@dev.tdt.de>
+Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20231127081621.774866-1-fe@dev.tdt.de
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/leds/trigger/ledtrig-tty.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/leds/trigger/ledtrig-tty.c
++++ b/drivers/leds/trigger/ledtrig-tty.c
+@@ -168,6 +168,10 @@ static void ledtrig_tty_deactivate(struc
+
+ cancel_delayed_work_sync(&trigger_data->dwork);
+
++ kfree(trigger_data->ttyname);
++ tty_kref_put(trigger_data->tty);
++ trigger_data->tty = NULL;
++
+ kfree(trigger_data);
+ }
+
--- /dev/null
+From 65fde134b0a4ffe838729f9ee11b459a2f6f2815 Mon Sep 17 00:00:00 2001
+From: Cameron Williams <cang1@live.co.uk>
+Date: Thu, 2 Nov 2023 21:07:05 +0000
+Subject: parport: parport_serial: Add Brainboxes BAR details
+
+From: Cameron Williams <cang1@live.co.uk>
+
+commit 65fde134b0a4ffe838729f9ee11b459a2f6f2815 upstream.
+
+Add BAR/enum entries for Brainboxes serial/parallel cards.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Cameron Williams <cang1@live.co.uk>
+Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Link: https://lore.kernel.org/r/AS4PR02MB79035155C2D5C3333AE6FA52C4A6A@AS4PR02MB7903.eurprd02.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/parport/parport_serial.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/parport/parport_serial.c
++++ b/drivers/parport/parport_serial.c
+@@ -65,6 +65,10 @@ enum parport_pc_pci_cards {
+ sunix_5069a,
+ sunix_5079a,
+ sunix_5099a,
++ brainboxes_uc257,
++ brainboxes_is300,
++ brainboxes_uc414,
++ brainboxes_px263,
+ };
+
+ /* each element directly indexed from enum list, above */
+@@ -158,6 +162,10 @@ static struct parport_pc_pci cards[] = {
+ /* sunix_5069a */ { 1, { { 1, 2 }, } },
+ /* sunix_5079a */ { 1, { { 1, 2 }, } },
+ /* sunix_5099a */ { 1, { { 1, 2 }, } },
++ /* brainboxes_uc257 */ { 1, { { 3, -1 }, } },
++ /* brainboxes_is300 */ { 1, { { 3, -1 }, } },
++ /* brainboxes_uc414 */ { 1, { { 3, -1 }, } },
++ /* brainboxes_px263 */ { 1, { { 3, -1 }, } },
+ };
+
+ static struct pci_device_id parport_serial_pci_tbl[] = {
--- /dev/null
+From 6aa1fc5a8085bbc01687aa708dcf2dbe637a5ee3 Mon Sep 17 00:00:00 2001
+From: Cameron Williams <cang1@live.co.uk>
+Date: Thu, 2 Nov 2023 21:07:06 +0000
+Subject: parport: parport_serial: Add Brainboxes device IDs and geometry
+
+From: Cameron Williams <cang1@live.co.uk>
+
+commit 6aa1fc5a8085bbc01687aa708dcf2dbe637a5ee3 upstream.
+
+Add device IDs for the Brainboxes UC-203, UC-257, UC-414, UC-475,
+IS-300/IS-500 and PX-263/PX-295 and define the relevant "geometry"
+for the cards.
+This patch requires part 1 of this series.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Cameron Williams <cang1@live.co.uk>
+Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Link: https://lore.kernel.org/r/AS4PR02MB7903A4094564BE28F1F926A6C4A6A@AS4PR02MB7903.eurprd02.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/parport/parport_serial.c | 56 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+--- a/drivers/parport/parport_serial.c
++++ b/drivers/parport/parport_serial.c
+@@ -285,6 +285,38 @@ static struct pci_device_id parport_seri
+ { PCI_VENDOR_ID_SUNIX, PCI_DEVICE_ID_SUNIX_1999, PCI_VENDOR_ID_SUNIX,
+ 0x0104, 0, 0, sunix_5099a },
+
++ /* Brainboxes UC-203 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0bc1,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++ { PCI_VENDOR_ID_INTASHIELD, 0x0bc2,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++
++ /* Brainboxes UC-257 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0861,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++ { PCI_VENDOR_ID_INTASHIELD, 0x0862,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++ { PCI_VENDOR_ID_INTASHIELD, 0x0863,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++
++ /* Brainboxes UC-414 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0e61,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc414 },
++
++ /* Brainboxes UC-475 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0981,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++ { PCI_VENDOR_ID_INTASHIELD, 0x0982,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 },
++
++ /* Brainboxes IS-300/IS-500 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0da0,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_is300 },
++
++ /* Brainboxes PX-263/PX-295 */
++ { PCI_VENDOR_ID_INTASHIELD, 0x402c,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_px263 },
++
+ { 0, } /* terminate list */
+ };
+ MODULE_DEVICE_TABLE(pci,parport_serial_pci_tbl);
+@@ -550,6 +582,30 @@ static struct pciserial_board pci_parpor
+ .base_baud = 921600,
+ .uart_offset = 0x8,
+ },
++ [brainboxes_uc257] = {
++ .flags = FL_BASE2,
++ .num_ports = 2,
++ .base_baud = 115200,
++ .uart_offset = 8,
++ },
++ [brainboxes_is300] = {
++ .flags = FL_BASE2,
++ .num_ports = 1,
++ .base_baud = 115200,
++ .uart_offset = 8,
++ },
++ [brainboxes_uc414] = {
++ .flags = FL_BASE2,
++ .num_ports = 4,
++ .base_baud = 115200,
++ .uart_offset = 8,
++ },
++ [brainboxes_px263] = {
++ .flags = FL_BASE2,
++ .num_ports = 4,
++ .base_baud = 921600,
++ .uart_offset = 8,
++ },
+ };
+
+ struct parport_serial_private {
--- /dev/null
+From e367e3c765f5477b2e79da0f1399aed49e2d1e37 Mon Sep 17 00:00:00 2001
+From: LeoLiuoc <LeoLiu-oc@zhaoxin.com>
+Date: Mon, 11 Dec 2023 17:15:43 +0800
+Subject: PCI: Add ACS quirk for more Zhaoxin Root Ports
+
+From: LeoLiuoc <LeoLiu-oc@zhaoxin.com>
+
+commit e367e3c765f5477b2e79da0f1399aed49e2d1e37 upstream.
+
+Add more Root Port Device IDs to pci_quirk_zhaoxin_pcie_ports_acs() for
+some new Zhaoxin platforms.
+
+Fixes: 299bd044a6f3 ("PCI: Add ACS quirk for Zhaoxin Root/Downstream Ports")
+Link: https://lore.kernel.org/r/20231211091543.735903-1-LeoLiu-oc@zhaoxin.com
+Signed-off-by: LeoLiuoc <LeoLiu-oc@zhaoxin.com>
+[bhelgaas: update subject, drop changelog, add Fixes, add stable tag, fix
+whitespace, wrap code comment]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: <stable@vger.kernel.org> # 5.7
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/quirks.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4577,17 +4577,21 @@ static int pci_quirk_xgene_acs(struct pc
+ * But the implementation could block peer-to-peer transactions between them
+ * and provide ACS-like functionality.
+ */
+-static int pci_quirk_zhaoxin_pcie_ports_acs(struct pci_dev *dev, u16 acs_flags)
++static int pci_quirk_zhaoxin_pcie_ports_acs(struct pci_dev *dev, u16 acs_flags)
+ {
+ if (!pci_is_pcie(dev) ||
+ ((pci_pcie_type(dev) != PCI_EXP_TYPE_ROOT_PORT) &&
+ (pci_pcie_type(dev) != PCI_EXP_TYPE_DOWNSTREAM)))
+ return -ENOTTY;
+
++ /*
++ * Future Zhaoxin Root Ports and Switch Downstream Ports will
++ * implement ACS capability in accordance with the PCIe Spec.
++ */
+ switch (dev->device) {
+ case 0x0710 ... 0x071e:
+ case 0x0721:
+- case 0x0723 ... 0x0732:
++ case 0x0723 ... 0x0752:
+ return pci_acs_ctrl_enabled(acs_flags,
+ PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF);
+ }
--- /dev/null
+From bed9e27baf52a09b7ba2a3714f1e24e17ced386d Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Wed, 8 Nov 2023 10:22:16 -0800
+Subject: Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit bed9e27baf52a09b7ba2a3714f1e24e17ced386d upstream.
+
+This reverts commit 5e2cf333b7bd5d3e62595a44d598a254c697cd74.
+
+That commit introduced the following race and can cause system hung.
+
+ md_write_start: raid5d:
+ // mddev->in_sync == 1
+ set "MD_SB_CHANGE_PENDING"
+ // running before md_write_start wakeup it
+ waiting "MD_SB_CHANGE_PENDING" cleared
+ >>>>>>>>> hung
+ wakeup mddev->thread
+ ...
+ waiting "MD_SB_CHANGE_PENDING" cleared
+ >>>> hung, raid5d should clear this flag
+ but get hung by same flag.
+
+The issue reverted commit fixing is fixed by last patch in a new way.
+
+Fixes: 5e2cf333b7bd ("md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d")
+Cc: stable@vger.kernel.org # v5.19+
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20231108182216.73611-2-junxiao.bi@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid5.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -36,7 +36,6 @@
+ */
+
+ #include <linux/blkdev.h>
+-#include <linux/delay.h>
+ #include <linux/kthread.h>
+ #include <linux/raid/pq.h>
+ #include <linux/async_tx.h>
+@@ -6522,18 +6521,7 @@ static void raid5d(struct md_thread *thr
+ spin_unlock_irq(&conf->device_lock);
+ md_check_recovery(mddev);
+ spin_lock_irq(&conf->device_lock);
+-
+- /*
+- * Waiting on MD_SB_CHANGE_PENDING below may deadlock
+- * seeing md_check_recovery() is needed to clear
+- * the flag when using mdmon.
+- */
+- continue;
+ }
+-
+- wait_event_lock_irq(mddev->sb_wait,
+- !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags),
+- conf->device_lock);
+ }
+ pr_debug("%d stripes handled\n", handled);
+
drm-crtc-fix-uninitialized-variable-use.patch
acpi-resource-add-another-dmi-match-for-the-tongfang-gmxxgxx.patch
revert-asoc-atmel-remove-system-clock-tree-configuration-for-at91sam9g20ek.patch
+revert-md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch
+binder-use-epollerr-from-eventpoll.h.patch
+binder-fix-use-after-free-in-shinker-s-callback.patch
+binder-fix-trivial-typo-of-binder_free_buf_locked.patch
+binder-fix-comment-on-binder_alloc_new_buf-return-value.patch
+uio-fix-use-after-free-in-uio_open.patch
+parport-parport_serial-add-brainboxes-bar-details.patch
+parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch
+leds-ledtrig-tty-free-allocated-ttyname-buffer-on-deactivate.patch
+pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch
+coresight-etm4x-fix-width-of-ccitmin-field.patch
--- /dev/null
+From 0c9ae0b8605078eafc3bea053cc78791e97ba2e2 Mon Sep 17 00:00:00 2001
+From: Guanghui Feng <guanghuifeng@linux.alibaba.com>
+Date: Thu, 21 Dec 2023 17:57:43 +0800
+Subject: uio: Fix use-after-free in uio_open
+
+From: Guanghui Feng <guanghuifeng@linux.alibaba.com>
+
+commit 0c9ae0b8605078eafc3bea053cc78791e97ba2e2 upstream.
+
+core-1 core-2
+-------------------------------------------------------
+uio_unregister_device uio_open
+ idev = idr_find()
+device_unregister(&idev->dev)
+put_device(&idev->dev)
+uio_device_release
+ get_device(&idev->dev)
+kfree(idev)
+uio_free_minor(minor)
+ uio_release
+ put_device(&idev->dev)
+ kfree(idev)
+-------------------------------------------------------
+
+In the core-1 uio_unregister_device(), the device_unregister will kfree
+idev when the idev->dev kobject ref is 1. But after core-1
+device_unregister, put_device and before doing kfree, the core-2 may
+get_device. Then:
+1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
+2. When core-2 do uio_release and put_device, the idev will be double
+ freed.
+
+To address this issue, we can get idev atomic & inc idev reference with
+minor_lock.
+
+Fixes: 57c5f4df0a5a ("uio: fix crash after the device is unregistered")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Guanghui Feng <guanghuifeng@linux.alibaba.com>
+Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
+Link: https://lore.kernel.org/r/1703152663-59949-1-git-send-email-guanghuifeng@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uio/uio.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -464,13 +464,13 @@ static int uio_open(struct inode *inode,
+
+ mutex_lock(&minor_lock);
+ idev = idr_find(&uio_idr, iminor(inode));
+- mutex_unlock(&minor_lock);
+ if (!idev) {
+ ret = -ENODEV;
++ mutex_unlock(&minor_lock);
+ goto out;
+ }
+-
+ get_device(&idev->dev);
++ mutex_unlock(&minor_lock);
+
+ if (!try_module_get(idev->owner)) {
+ ret = -ENODEV;
+@@ -1062,9 +1062,8 @@ void uio_unregister_device(struct uio_in
+ wake_up_interruptible(&idev->wait);
+ kill_fasync(&idev->async_queue, SIGIO, POLL_HUP);
+
+- device_unregister(&idev->dev);
+-
+ uio_free_minor(minor);
++ device_unregister(&idev->dev);
+
+ return;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
