--- /dev/null
+From 88a06d6fd6b369d88cec46c62db3e2604a2f50d5 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 6 Dec 2020 09:35:27 +0100
+Subject: ALSA: rawmidi: Access runtime->avail always in spinlock
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 88a06d6fd6b369d88cec46c62db3e2604a2f50d5 upstream.
+
+The runtime->avail field may be accessed concurrently while some
+places refer to it without taking the runtime->lock spinlock, as
+detected by KCSAN.  Usually this isn't a big problem, but for
+consistency and safety, we should take the spinlock at each place
+referencing this field.
+
+Reported-by: syzbot+a23a6f1215c84756577c@syzkaller.appspotmail.com
+Reported-by: syzbot+3d367d1df1d2b67f5c19@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20201206083527.21163-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/rawmidi.c |   49 +++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 35 insertions(+), 14 deletions(-)
+
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -95,11 +95,21 @@ static inline unsigned short snd_rawmidi
+       }
+ }
+ 
+-static inline int snd_rawmidi_ready(struct snd_rawmidi_substream *substream)
++static inline bool __snd_rawmidi_ready(struct snd_rawmidi_runtime *runtime)
++{
++      return runtime->avail >= runtime->avail_min;
++}
++
++static bool snd_rawmidi_ready(struct snd_rawmidi_substream *substream)
+ {
+       struct snd_rawmidi_runtime *runtime = substream->runtime;
++      unsigned long flags;
++      bool ready;
+ 
+-      return runtime->avail >= runtime->avail_min;
++      spin_lock_irqsave(&runtime->lock, flags);
++      ready = __snd_rawmidi_ready(runtime);
++      spin_unlock_irqrestore(&runtime->lock, flags);
++      return ready;
+ }
+ 
+ static inline int snd_rawmidi_ready_append(struct snd_rawmidi_substream *substream,
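Review bot: `__snd_rawmidi_ready()` reads `runtime->avail` with no locking of its own, and nothing in the helper records or enforces that the caller must hold `runtime->lock`. Adding `lockdep_assert_held(&runtime->lock);` as its first statement, with a one-line comment such as `/* caller must hold runtime->lock */`, would let lockdep catch a future unlocked caller. The same contract applies to the call sites converted in the later hunks (snd_rawmidi_receive, snd_rawmidi_read, __snd_rawmidi_transmit_ack); the lock acquisition for __snd_rawmidi_transmit_ack is not visible in its hunk, so that caller is worth confirming. Conversely, `snd_rawmidi_ready()` now takes the lock itself and must not be called with it already held, which also deserves a line in its comment.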
+@@ -1019,7 +1029,7 @@ int snd_rawmidi_receive(struct snd_rawmi
+       if (result > 0) {
+               if (runtime->event)
+                       schedule_work(&runtime->event_work);
+-              else if (snd_rawmidi_ready(substream))
++              else if (__snd_rawmidi_ready(runtime))
+                       wake_up(&runtime->sleep);
+       }
+       spin_unlock_irqrestore(&runtime->lock, flags);
+@@ -1098,7 +1108,7 @@ static ssize_t snd_rawmidi_read(struct f
+       result = 0;
+       while (count > 0) {
+               spin_lock_irq(&runtime->lock);
+-              while (!snd_rawmidi_ready(substream)) {
++              while (!__snd_rawmidi_ready(runtime)) {
+                       wait_queue_entry_t wait;
+ 
+                       if ((file->f_flags & O_NONBLOCK) != 0 || result > 0) {
+@@ -1115,9 +1125,11 @@ static ssize_t snd_rawmidi_read(struct f
+                               return -ENODEV;
+                       if (signal_pending(current))
+                               return result > 0 ? result : -ERESTARTSYS;
+-                      if (!runtime->avail)
+-                              return result > 0 ? result : -EIO;
+                       spin_lock_irq(&runtime->lock);
++                      if (!runtime->avail) {
++                              spin_unlock_irq(&runtime->lock);
++                              return result > 0 ? result : -EIO;
++                      }
+               }
+               spin_unlock_irq(&runtime->lock);
+               count1 = snd_rawmidi_kernel_read1(substream,
+@@ -1255,7 +1267,7 @@ int __snd_rawmidi_transmit_ack(struct sn
+       runtime->avail += count;
+       substream->bytes += count;
+       if (count > 0) {
+-              if (runtime->drain || snd_rawmidi_ready(substream))
++              if (runtime->drain || __snd_rawmidi_ready(runtime))
+                       wake_up(&runtime->sleep);
+       }
+       return count;
+@@ -1444,9 +1456,11 @@ static ssize_t snd_rawmidi_write(struct
+                               return -ENODEV;
+                       if (signal_pending(current))
+                               return result > 0 ? result : -ERESTARTSYS;
+-                      if (!runtime->avail && !timeout)
+-                              return result > 0 ? result : -EIO;
+                       spin_lock_irq(&runtime->lock);
++                      if (!runtime->avail && !timeout) {
++                              spin_unlock_irq(&runtime->lock);
++                              return result > 0 ? result : -EIO;
++                      }
+               }
+               spin_unlock_irq(&runtime->lock);
+               count1 = snd_rawmidi_kernel_write1(substream, buf, NULL, count);
+@@ -1526,6 +1540,7 @@ static void snd_rawmidi_proc_info_read(s
+       struct snd_rawmidi *rmidi;
+       struct snd_rawmidi_substream *substream;
+       struct snd_rawmidi_runtime *runtime;
++      unsigned long buffer_size, avail, xruns;
+ 
+       rmidi = entry->private_data;
+       snd_iprintf(buffer, "%s\n\n", rmidi->name);
+@@ -1544,13 +1559,16 @@ static void snd_rawmidi_proc_info_read(s
+                                   "  Owner PID    : %d\n",
+                                   pid_vnr(substream->pid));
+                               runtime = substream->runtime;
++                              spin_lock_irq(&runtime->lock);
++                              buffer_size = runtime->buffer_size;
++                              avail = runtime->avail;
++                              spin_unlock_irq(&runtime->lock);
+                               snd_iprintf(buffer,
+                                   "  Mode         : %s\n"
+                                   "  Buffer size  : %lu\n"
+                                   "  Avail        : %lu\n",
+                                   runtime->oss ? "OSS compatible" : "native",
+-                                  (unsigned long) runtime->buffer_size,
+-                                  (unsigned long) runtime->avail);
++                                  buffer_size, avail);
+                       }
+               }
+       }
+@@ -1568,13 +1586,16 @@ static void snd_rawmidi_proc_info_read(s
+                                           "  Owner PID    : %d\n",
+                                           pid_vnr(substream->pid));
+                               runtime = substream->runtime;
++                              spin_lock_irq(&runtime->lock);
++                              buffer_size = runtime->buffer_size;
++                              avail = runtime->avail;
++                              xruns = runtime->xruns;
++                              spin_unlock_irq(&runtime->lock);
+                               snd_iprintf(buffer,
+                                           "  Buffer size  : %lu\n"
+                                           "  Avail        : %lu\n"
+                                           "  Overruns     : %lu\n",
+-                                          (unsigned long) runtime->buffer_size,
+-                                          (unsigned long) runtime->avail,
+-                                          (unsigned long) runtime->xruns);
++                                          buffer_size, avail, xruns);
+                       }
+               }
+       }
 
--- /dev/null
+From 4ebd47037027c4beae99680bff3b20fdee5d7c1e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 6 Dec 2020 09:34:56 +0100
+Subject: ALSA: seq: Use bool for snd_seq_queue internal flags
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 4ebd47037027c4beae99680bff3b20fdee5d7c1e upstream.
+
+The snd_seq_queue struct contains various flags in the bit fields.
+Those are categorized to two different use cases, both of which are
+protected by different spinlocks.  That implies that there are still
+potential risks of the bad operations for bit fields by concurrent
+accesses.
+
+For addressing the problem, this patch rearranges those flags to be
+a standard bool instead of a bit field.
+
+Reported-by: syzbot+63cbe31877bb80ef58f5@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20201206083456.21110-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_queue.h |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/core/seq/seq_queue.h
++++ b/sound/core/seq/seq_queue.h
+@@ -26,10 +26,10 @@ struct snd_seq_queue {
+       
+       struct snd_seq_timer *timer;    /* time keeper for this queue */
+       int     owner;          /* client that 'owns' the timer */
+-      unsigned int    locked:1,       /* timer is only accesibble by owner if set */
+-              klocked:1,      /* kernel lock (after START) */ 
+-              check_again:1,
+-              check_blocked:1;
++      bool    locked;         /* timer is only accesibble by owner if set */
++      bool    klocked;        /* kernel lock (after START) */
++      bool    check_again;    /* concurrent access happened during check */
++      bool    check_blocked;  /* queue being checked */
+ 
+       unsigned int flags;             /* status flags */
+       unsigned int info_flags;        /* info for sync */
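Review bot: The four new `bool` members do not say which spinlock guards which pair, although the commit message gives the two-lock split as the reason for the change. A comment above each pair naming its lock would keep a later edit from packing them back into a shared word. The comment on `locked` also carries over the misspelling "accesibble"; since the line is rewritten anyway it could read `/* timer is only accessible by owner if set */`. If any of these flags is read without its lock (not visible here), that access would still need READ_ONCE()/WRITE_ONCE().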
 
--- /dev/null
+From dc889b8d4a8122549feabe99eead04e6b23b6513 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Tue, 15 Dec 2020 20:45:44 -0800
+Subject: bfs: don't use WARNING: string when it's just info.
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit dc889b8d4a8122549feabe99eead04e6b23b6513 upstream.
+
+Make the printk() [bfs "printf" macro] seem less severe by changing
+"WARNING:" to "NOTE:".
+
+<asm-generic/bug.h> warns us about using WARNING or BUG in a format string
+other than in WARN() or BUG() family macros.  bfs/inode.c is doing just
+that in a normal printk() call, so change the "WARNING" string to be
+"NOTE".
+
+Link: https://lkml.kernel.org/r/20201203212634.17278-1-rdunlap@infradead.org
+Reported-by: syzbot+3fd34060f26e766536ff@syzkaller.appspotmail.com
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Al Viro <viro@ZenIV.linux.org.uk>
+Cc: "Tigran A. Aivazian" <aivazian.tigran@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/bfs/inode.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/bfs/inode.c
++++ b/fs/bfs/inode.c
+@@ -350,7 +350,7 @@ static int bfs_fill_super(struct super_b
+ 
+       info->si_lasti = (le32_to_cpu(bfs_sb->s_start) - BFS_BSIZE) / sizeof(struct bfs_inode) + BFS_ROOT_INO - 1;
+       if (info->si_lasti == BFS_MAX_LASTI)
+-              printf("WARNING: filesystem %s was created with 512 inodes, the real maximum is 511, mounting anyway\n", s->s_id);
++              printf("NOTE: filesystem %s was created with 512 inodes, the real maximum is 511, mounting anyway\n", s->s_id);
+       else if (info->si_lasti > BFS_MAX_LASTI) {
+               printf("Impossible last inode number %lu > %d on %s\n", info->si_lasti, BFS_MAX_LASTI, s->s_id);
+               goto out1;
 
--- /dev/null
+From 70f259a3f4276b71db365b1d6ff1eab805ea6ec3 Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Date: Wed, 30 Sep 2020 00:28:15 +0530
+Subject: Bluetooth: hci_h5: close serdev device and free hu in h5_close
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+commit 70f259a3f4276b71db365b1d6ff1eab805ea6ec3 upstream.
+
+When h5_close() gets called, the memory allocated for the hu gets
+freed only if hu->serdev doesn't exist. This leads to a memory leak.
+So when h5_close() is requested, close the serdev device instance and
+free the memory allocated to the hu entirely instead.
+
+Fixes: https://syzkaller.appspot.com/bug?extid=6ce141c55b2f7aafd1c4
+Reported-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
+Tested-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/hci_h5.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/bluetooth/hci_h5.c
++++ b/drivers/bluetooth/hci_h5.c
+@@ -251,8 +251,12 @@ static int h5_close(struct hci_uart *hu)
+       if (h5->vnd && h5->vnd->close)
+               h5->vnd->close(h5);
+ 
+-      if (!hu->serdev)
+-              kfree(h5);
++      if (hu->serdev)
++              serdev_device_close(hu->serdev);
++
++      kfree_skb(h5->rx_skb);
++      kfree(h5);
++      h5 = NULL;
+ 
+       return 0;
+ }
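Review bot: `kfree(h5)` now also runs on the serdev path, where the removed `if (!hu->serdev)` guard used to skip it. The allocation site is outside this hunk, so confirm that the serdev-path `h5` is a plain kmalloc-family allocation and not device-managed; otherwise this frees memory that is released again at device teardown. `h5 = NULL;` only clears the local variable just before the return, so the pointer that `h5` was loaded from (presumably `hu->priv`) is left dangling, and `hu->priv = NULL;` would be the effective form if that is where it lives. It is also worth checking that the caller of h5_close() does not close the serdev device a second time after `serdev_device_close(hu->serdev)`. The start of h5_close() is outside the hunk.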
 
--- /dev/null
+From 2d18e54dd8662442ef5898c6bdadeaf90b3cebbc Mon Sep 17 00:00:00 2001
+From: Qinglang Miao <miaoqinglang@huawei.com>
+Date: Thu, 10 Dec 2020 09:29:43 +0800
+Subject: cgroup: Fix memory leak when parsing multiple source parameters
+
+From: Qinglang Miao <miaoqinglang@huawei.com>
+
+commit 2d18e54dd8662442ef5898c6bdadeaf90b3cebbc upstream.
+
+A memory leak is found in cgroup1_parse_param() when multiple source
+parameters overwrite fc->source in the fs_context struct without free.
+
+unreferenced object 0xffff888100d930e0 (size 16):
+  comm "mount", pid 520, jiffies 4303326831 (age 152.783s)
+  hex dump (first 16 bytes):
+    74 65 73 74 6c 65 61 6b 00 00 00 00 00 00 00 00  testleak........
+  backtrace:
+    [<000000003e5023ec>] kmemdup_nul+0x2d/0xa0
+    [<00000000377dbdaa>] vfs_parse_fs_string+0xc0/0x150
+    [<00000000cb2b4882>] generic_parse_monolithic+0x15a/0x1d0
+    [<000000000f750198>] path_mount+0xee1/0x1820
+    [<0000000004756de2>] do_mount+0xea/0x100
+    [<0000000094cafb0a>] __x64_sys_mount+0x14b/0x1f0
+
+Fix this bug by permitting a single source parameter and rejecting with
+an error all subsequent ones.
+
+Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
+Reviewed-by: Zefan Li <lizefan@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cgroup/cgroup-v1.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/cgroup/cgroup-v1.c
++++ b/kernel/cgroup/cgroup-v1.c
+@@ -908,6 +908,8 @@ int cgroup1_parse_param(struct fs_contex
+       opt = fs_parse(fc, cgroup1_fs_parameters, param, &result);
+       if (opt == -ENOPARAM) {
+               if (strcmp(param->key, "source") == 0) {
++                      if (fc->source)
++                              return invalf(fc, "Multiple sources not supported");
+                       fc->source = param->string;
+                       param->string = NULL;
+                       return 0;
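Review bot: The `source` branch assigns `fc->source = param->string` without checking that the parameter actually carries a string. A `source` supplied with another value type would have a non-string member of `param` stored as a string and later freed as one. A guard ahead of the new duplicate check closes that: `if (param->type != fs_value_is_string) return invalf(fc, "Non-string source");`. The added `fc->source` test itself looks right for the leak described in the commit message. cgroup1_parse_param() starts and ends outside the hunk.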
 
--- /dev/null
+From c9200760da8a728eb9767ca41a956764b28c1310 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 9 Dec 2020 15:59:11 -0500
+Subject: ext4: check for invalid block size early when mounting a file system
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit c9200760da8a728eb9767ca41a956764b28c1310 upstream.
+
+Check for valid block size directly by validating s_log_block_size; we
+were doing this in two places.  First, by calculating blocksize via
+BLOCK_SIZE << s_log_block_size, and then checking that the blocksize
+was valid.  And then secondly, by checking s_log_block_size directly.
+
+The first check is not reliable, and can trigger an UBSAN warning if
+s_log_block_size on a maliciously corrupted superblock is greater than
+22.  This is harmless, since the second test will correctly reject the
+maliciously fuzzed file system, but to make syzbot shut up, and
+because the two checks are duplicative in any case, delete the
+blocksize check, and move the s_log_block_size earlier in
+ext4_fill_super().
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reported-by: syzbot+345b75652b1d24227443@syzkaller.appspotmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c |   40 ++++++++++++++++------------------------
+ 1 file changed, 16 insertions(+), 24 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4186,18 +4186,25 @@ static int ext4_fill_super(struct super_
+        */
+       sbi->s_li_wait_mult = EXT4_DEF_LI_WAIT_MULT;
+ 
+-      blocksize = BLOCK_SIZE << le32_to_cpu(es->s_log_block_size);
+-
+-      if (blocksize == PAGE_SIZE)
+-              set_opt(sb, DIOREAD_NOLOCK);
+-
+-      if (blocksize < EXT4_MIN_BLOCK_SIZE ||
+-          blocksize > EXT4_MAX_BLOCK_SIZE) {
++      if (le32_to_cpu(es->s_log_block_size) >
++          (EXT4_MAX_BLOCK_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
+               ext4_msg(sb, KERN_ERR,
+-                     "Unsupported filesystem blocksize %d (%d log_block_size)",
+-                       blocksize, le32_to_cpu(es->s_log_block_size));
++                       "Invalid log block size: %u",
++                       le32_to_cpu(es->s_log_block_size));
+               goto failed_mount;
+       }
++      if (le32_to_cpu(es->s_log_cluster_size) >
++          (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
++              ext4_msg(sb, KERN_ERR,
++                       "Invalid log cluster size: %u",
++                       le32_to_cpu(es->s_log_cluster_size));
++              goto failed_mount;
++      }
++
++      blocksize = EXT4_MIN_BLOCK_SIZE << le32_to_cpu(es->s_log_block_size);
++
++      if (blocksize == PAGE_SIZE)
++              set_opt(sb, DIOREAD_NOLOCK);
+ 
+       if (le32_to_cpu(es->s_rev_level) == EXT4_GOOD_OLD_REV) {
+               sbi->s_inode_size = EXT4_GOOD_OLD_INODE_SIZE;
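Review bot: Nothing at the relocated range checks says they must stay ahead of `blocksize = EXT4_MIN_BLOCK_SIZE << le32_to_cpu(es->s_log_block_size)`, so a later reordering could reintroduce the oversized shift on an untrusted superblock value. A comment above the first check would pin that, for example `/* s_log_block_size comes from disk: validate before it is used as a shift count */`. The field is also converted with `le32_to_cpu()` three times in this hunk; reading it once into a local would make the check and the shift visibly use the same value. ext4_fill_super() extends well beyond the hunk.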
+@@ -4416,21 +4423,6 @@ static int ext4_fill_super(struct super_
+       if (!ext4_feature_set_ok(sb, (sb_rdonly(sb))))
+               goto failed_mount;
+ 
+-      if (le32_to_cpu(es->s_log_block_size) >
+-          (EXT4_MAX_BLOCK_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
+-              ext4_msg(sb, KERN_ERR,
+-                       "Invalid log block size: %u",
+-                       le32_to_cpu(es->s_log_block_size));
+-              goto failed_mount;
+-      }
+-      if (le32_to_cpu(es->s_log_cluster_size) >
+-          (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
+-              ext4_msg(sb, KERN_ERR,
+-                       "Invalid log cluster size: %u",
+-                       le32_to_cpu(es->s_log_cluster_size));
+-              goto failed_mount;
+-      }
+-
+       if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) {
+               ext4_msg(sb, KERN_ERR,
+                        "Number of reserved GDT blocks insanely large: %d",
 
--- /dev/null
+From e584bbe821229a3e7cc409eecd51df66f9268c21 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Wed, 9 Dec 2020 16:49:36 +0800
+Subject: f2fs: fix shift-out-of-bounds in sanity_check_raw_super()
+
+From: Chao Yu <yuchao0@huawei.com>
+
+commit e584bbe821229a3e7cc409eecd51df66f9268c21 upstream.
+
+syzbot reported a bug which could cause shift-out-of-bounds issue,
+fix it.
+
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x107/0x163 lib/dump_stack.c:120
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
+ __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
+ sanity_check_raw_super fs/f2fs/super.c:2812 [inline]
+ read_raw_super_block fs/f2fs/super.c:3267 [inline]
+ f2fs_fill_super.cold+0x16c9/0x16f6 fs/f2fs/super.c:3519
+ mount_bdev+0x34d/0x410 fs/super.c:1366
+ legacy_get_tree+0x105/0x220 fs/fs_context.c:592
+ vfs_get_tree+0x89/0x2f0 fs/super.c:1496
+ do_new_mount fs/namespace.c:2896 [inline]
+ path_mount+0x12ae/0x1e70 fs/namespace.c:3227
+ do_mount fs/namespace.c:3240 [inline]
+ __do_sys_mount fs/namespace.c:3448 [inline]
+ __se_sys_mount fs/namespace.c:3425 [inline]
+ __x64_sys_mount+0x27f/0x300 fs/namespace.c:3425
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported-by: syzbot+ca9a785f8ac472085994@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/super.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -2744,7 +2744,6 @@ static int sanity_check_raw_super(struct
+       block_t total_sections, blocks_per_seg;
+       struct f2fs_super_block *raw_super = (struct f2fs_super_block *)
+                                       (bh->b_data + F2FS_SUPER_OFFSET);
+-      unsigned int blocksize;
+       size_t crc_offset = 0;
+       __u32 crc = 0;
+ 
+@@ -2778,10 +2777,10 @@ static int sanity_check_raw_super(struct
+       }
+ 
+       /* Currently, support only 4KB block size */
+-      blocksize = 1 << le32_to_cpu(raw_super->log_blocksize);
+-      if (blocksize != F2FS_BLKSIZE) {
+-              f2fs_info(sbi, "Invalid blocksize (%u), supports only 4KB",
+-                        blocksize);
++      if (le32_to_cpu(raw_super->log_blocksize) != F2FS_BLKSIZE_BITS) {
++              f2fs_info(sbi, "Invalid log_blocksize (%u), supports only %u",
++                        le32_to_cpu(raw_super->log_blocksize),
++                        F2FS_BLKSIZE_BITS);
+               return -EFSCORRUPTED;
+       }
+ 
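Review bot: The new message reports the limit as a bit count ("supports only 12"), while the comment directly above still speaks of a 4KB block size, which is harder for an administrator to read in the log. Wording such as `"Invalid log_blocksize (%u), supports only %u (4KB blocks)"` keeps both. `F2FS_BLKSIZE_BITS` is printed with `%u`; its definition is not visible here, so confirm it is an unsigned expression or cast it. The on-disk field is converted twice with `le32_to_cpu()` and could be read once into a local. sanity_check_raw_super() continues outside the hunk.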
 
--- /dev/null
+From 39aead8373b3c20bb5965c024dfb51a94e526151 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Thu, 29 Oct 2020 14:22:29 +0100
+Subject: fbcon: Disable accelerated scrolling
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 39aead8373b3c20bb5965c024dfb51a94e526151 upstream.
+
+So ever since syzbot discovered fbcon, we have solid proof that it's
+full of bugs. And often the solution is to just delete code and remove
+features, e.g.  50145474f6ef ("fbcon: remove soft scrollback code").
+
+Now the problem is that most modern-ish drivers really only treat
+fbcon as an dumb kernel console until userspace takes over, and Oops
+printer for some emergencies. Looking at drm drivers and the basic
+vesa/efi fbdev drivers shows that only 3 drivers support any kind of
+acceleration:
+
+- nouveau, seems to be enabled by default
+- omapdrm, when a DMM remapper exists using remapper rewriting for
+  y/xpanning
+- gma500, but that is getting deleted now for the GTT remapper trick,
+  and the accelerated copyarea never set the FBINFO_HWACCEL_COPYAREA
+  flag, so unused (and could be deleted already I think).
+
+No other driver supportes accelerated fbcon. And fbcon is the only
+user of this accel code (it's not exposed as uapi through ioctls),
+which means we could garbage collect fairly enormous amounts of code
+if we kill this.
+
+Plus because syzbot only runs on virtual hardware, and none of the
+drivers for that have acceleration, we'd remove a huge gap in testing.
+And there's no other even remotely comprehensive testing aside from
+syzbot.
+
+This patch here just disables the acceleration code by always
+redrawing when scrolling. The plan is that once this has been merged
+for well over a year in released kernels, we can start to go around
+and delete a lot of code.
+
+v2:
+- Drop a few more unused local variables, somehow I missed the
+compiler warnings (Sam)
+- Fix typo in comment (Jiri)
+- add a todo entry for the cleanup (Thomas)
+
+v3: Remove more unused variables (0day)
+
+Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Sam Ravnborg <sam@ravnborg.org>
+Cc: Jiri Slaby <jirislaby@kernel.org>
+Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Ben Skeggs <bskeggs@redhat.com>
+Cc: nouveau@lists.freedesktop.org
+Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Jiri Slaby <jirislaby@kernel.org>
+Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: Peilin Ye <yepeilin.cs@gmail.com>
+Cc: George Kennedy <george.kennedy@oracle.com>
+Cc: Nathan Chancellor <natechancellor@gmail.com>
+Cc: Peter Rosin <peda@axentia.se>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20201029132229.4068359-1-daniel.vetter@ffwll.ch
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/gpu/todo.rst       |   18 +++++++++++++++
+ drivers/video/fbdev/core/fbcon.c |   45 ++++++---------------------------------
+ 2 files changed, 26 insertions(+), 37 deletions(-)
+
+--- a/Documentation/gpu/todo.rst
++++ b/Documentation/gpu/todo.rst
+@@ -273,6 +273,24 @@ Contact: Daniel Vetter, Noralf Tronnes
+ 
+ Level: Advanced
+ 
++Garbage collect fbdev scrolling acceleration
++--------------------------------------------
++
++Scroll acceleration is disabled in fbcon by hard-wiring p->scrollmode =
++SCROLL_REDRAW. There's a ton of code this will allow us to remove:
++- lots of code in fbcon.c
++- a bunch of the hooks in fbcon_ops, maybe the remaining hooks could be called
++  directly instead of the function table (with a switch on p->rotate)
++- fb_copyarea is unused after this, and can be deleted from all drivers
++
++Note that not all acceleration code can be deleted, since clearing and cursor
++support is still accelerated, which might be good candidates for further
++deletion projects.
++
++Contact: Daniel Vetter
++
++Level: Intermediate
++
+ idr_init_base()
+ ---------------
+ 
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -1033,7 +1033,7 @@ static void fbcon_init(struct vc_data *v
+       struct vc_data *svc = *default_mode;
+       struct fbcon_display *t, *p = &fb_display[vc->vc_num];
+       int logo = 1, new_rows, new_cols, rows, cols, charcnt = 256;
+-      int cap, ret;
++      int ret;
+ 
+       if (WARN_ON(info_idx == -1))
+           return;
+@@ -1042,7 +1042,6 @@ static void fbcon_init(struct vc_data *v
+               con2fb_map[vc->vc_num] = info_idx;
+ 
+       info = registered_fb[con2fb_map[vc->vc_num]];
+-      cap = info->flags;
+ 
+       if (logo_shown < 0 && console_loglevel <= CONSOLE_LOGLEVEL_QUIET)
+               logo_shown = FBCON_LOGO_DONTSHOW;
+@@ -1147,11 +1146,13 @@ static void fbcon_init(struct vc_data *v
+ 
+       ops->graphics = 0;
+ 
+-      if ((cap & FBINFO_HWACCEL_COPYAREA) &&
+-          !(cap & FBINFO_HWACCEL_DISABLED))
+-              p->scrollmode = SCROLL_MOVE;
+-      else /* default to something safe */
+-              p->scrollmode = SCROLL_REDRAW;
++      /*
++       * No more hw acceleration for fbcon.
++       *
++       * FIXME: Garbage collect all the now dead code after sufficient time
++       * has passed.
++       */
++      p->scrollmode = SCROLL_REDRAW;
+ 
+       /*
+        *  ++guenther: console.c:vc_allocate() relies on initializing
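Review bot: The new FIXME does not say where the cleanup is tracked or why acceleration was switched off, so a reader of fbcon.c alone cannot tell whether restoring `SCROLL_MOVE` is safe. Extending the comment with a pointer to the todo entry added by this same patch would fix that, for example `See "Garbage collect fbdev scrolling acceleration" in Documentation/gpu/todo.rst.`. A sentence noting that the accelerated paths lack fuzzing coverage, as the commit message explains, would also help. After the last hunk `updatescrollmode()` no longer assigns `p->scrollmode` and only recomputes `p->vrows`, so a short comment there saying so would avoid a misleading name. fbcon_init() starts and ends outside this hunk.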
+@@ -1961,45 +1962,15 @@ static void updatescrollmode(struct fbco
+ {
+       struct fbcon_ops *ops = info->fbcon_par;
+       int fh = vc->vc_font.height;
+-      int cap = info->flags;
+-      u16 t = 0;
+-      int ypan = FBCON_SWAP(ops->rotate, info->fix.ypanstep,
+-                                info->fix.xpanstep);
+-      int ywrap = FBCON_SWAP(ops->rotate, info->fix.ywrapstep, t);
+       int yres = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
+       int vyres = FBCON_SWAP(ops->rotate, info->var.yres_virtual,
+                                  info->var.xres_virtual);
+-      int good_pan = (cap & FBINFO_HWACCEL_YPAN) &&
+-              divides(ypan, vc->vc_font.height) && vyres > yres;
+-      int good_wrap = (cap & FBINFO_HWACCEL_YWRAP) &&
+-              divides(ywrap, vc->vc_font.height) &&
+-              divides(vc->vc_font.height, vyres) &&
+-              divides(vc->vc_font.height, yres);
+-      int reading_fast = cap & FBINFO_READS_FAST;
+-      int fast_copyarea = (cap & FBINFO_HWACCEL_COPYAREA) &&
+-              !(cap & FBINFO_HWACCEL_DISABLED);
+-      int fast_imageblit = (cap & FBINFO_HWACCEL_IMAGEBLIT) &&
+-              !(cap & FBINFO_HWACCEL_DISABLED);
+ 
+       p->vrows = vyres/fh;
+       if (yres > (fh * (vc->vc_rows + 1)))
+               p->vrows -= (yres - (fh * vc->vc_rows)) / fh;
+       if ((yres % fh) && (vyres % fh < yres % fh))
+               p->vrows--;
+-
+-      if (good_wrap || good_pan) {
+-              if (reading_fast || fast_copyarea)
+-                      p->scrollmode = good_wrap ?
+-                              SCROLL_WRAP_MOVE : SCROLL_PAN_MOVE;
+-              else
+-                      p->scrollmode = good_wrap ? SCROLL_REDRAW :
+-                              SCROLL_PAN_REDRAW;
+-      } else {
+-              if (reading_fast || (fast_copyarea && !fast_imageblit))
+-                      p->scrollmode = SCROLL_MOVE;
+-              else
+-                      p->scrollmode = SCROLL_REDRAW;
+-      }
+ }
+ 
+ #define PITCH(w) (((w) + 7) >> 3)
 
--- /dev/null
+From 8d1ddb5e79374fb277985a6b3faa2ed8631c5b4c Mon Sep 17 00:00:00 2001
+From: Boqun Feng <boqun.feng@gmail.com>
+Date: Thu, 5 Nov 2020 14:23:51 +0800
+Subject: fcntl: Fix potential deadlock in send_sig{io, urg}()
+
+From: Boqun Feng <boqun.feng@gmail.com>
+
+commit 8d1ddb5e79374fb277985a6b3faa2ed8631c5b4c upstream.
+
+Syzbot reports a potential deadlock found by the newly added recursive
+read deadlock detection in lockdep:
+
+[...] ========================================================
+[...] WARNING: possible irq lock inversion dependency detected
+[...] 5.9.0-rc2-syzkaller #0 Not tainted
+[...] --------------------------------------------------------
+[...] syz-executor.1/10214 just changed the state of lock:
+[...] ffff88811f506338 (&f->f_owner.lock){.+..}-{2:2}, at: send_sigurg+0x1d/0x200
+[...] but this lock was taken by another, HARDIRQ-safe lock in the past:
+[...]  (&dev->event_lock){-...}-{2:2}
+[...]
+[...]
+[...] and interrupts could create inverse lock ordering between them.
+[...]
+[...]
+[...] other info that might help us debug this:
+[...] Chain exists of:
+[...]   &dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
+[...]
+[...]  Possible interrupt unsafe locking scenario:
+[...]
+[...]        CPU0                    CPU1
+[...]        ----                    ----
+[...]   lock(&f->f_owner.lock);
+[...]                                local_irq_disable();
+[...]                                lock(&dev->event_lock);
+[...]                                lock(&new->fa_lock);
+[...]   <Interrupt>
+[...]     lock(&dev->event_lock);
+[...]
+[...]  *** DEADLOCK ***
+
+The corresponding deadlock case is as followed:
+
+       CPU 0           CPU 1           CPU 2
+       read_lock(&fown->lock);
+                       spin_lock_irqsave(&dev->event_lock, ...)
+                                       write_lock_irq(&filp->f_owner.lock); // wait for the lock
+                       read_lock(&fown-lock); // have to wait until the writer release
+                                              // due to the fairness
+       <interrupted>
+       spin_lock_irqsave(&dev->event_lock); // wait for the lock
+
+The lock dependency on CPU 1 happens if there exists a call sequence:
+
+       input_inject_event():
+         spin_lock_irqsave(&dev->event_lock,...);
+         input_handle_event():
+           input_pass_values():
+             input_to_handler():
+               handler->event(): // evdev_event()
+                 evdev_pass_values():
+                   spin_lock(&client->buffer_lock);
+                   __pass_event():
+                     kill_fasync():
+                       kill_fasync_rcu():
+                         read_lock(&fa->fa_lock);
+                         send_sigio():
+                           read_lock(&fown->lock);
+
+To fix this, make the reader in send_sigurg() and send_sigio() use
+read_lock_irqsave() and read_lock_irqrestore().
+
+Reported-by: syzbot+22e87cdf94021b984aa6@syzkaller.appspotmail.com
+Reported-by: syzbot+c5e32344981ad9f33750@syzkaller.appspotmail.com
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fcntl.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/fs/fcntl.c
++++ b/fs/fcntl.c
+@@ -781,9 +781,10 @@ void send_sigio(struct fown_struct *fown
+ {
+       struct task_struct *p;
+       enum pid_type type;
++      unsigned long flags;
+       struct pid *pid;
+       
+-      read_lock(&fown->lock);
++      read_lock_irqsave(&fown->lock, flags);
+ 
+       type = fown->pid_type;
+       pid = fown->pid;
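Review bot: Nothing at the new `read_lock_irqsave(&fown->lock, flags)` call records why a reader has to disable interrupts, so a later cleanup could turn it back into a plain `read_lock()`. A comment such as `/* irqsave: reached via kill_fasync() under dev->event_lock, which is also taken in hardirq context */` would document it here and at the matching call in send_sigurg(). The lockdep chain in the description is per lock class, so any other plain `read_lock(&fown->lock)` in fs/fcntl.c (not visible in these hunks) can presumably form the same inversion and is worth auditing. The `tasklist_lock` walk in both functions now also runs with interrupts off, which lengthens IRQ-off time for large process groups. Both function bodies continue outside the hunks.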
+@@ -804,7 +805,7 @@ void send_sigio(struct fown_struct *fown
+               read_unlock(&tasklist_lock);
+       }
+  out_unlock_fown:
+-      read_unlock(&fown->lock);
++      read_unlock_irqrestore(&fown->lock, flags);
+ }
+ 
+ static void send_sigurg_to_task(struct task_struct *p,
+@@ -819,9 +820,10 @@ int send_sigurg(struct fown_struct *fown
+       struct task_struct *p;
+       enum pid_type type;
+       struct pid *pid;
++      unsigned long flags;
+       int ret = 0;
+       
+-      read_lock(&fown->lock);
++      read_lock_irqsave(&fown->lock, flags);
+ 
+       type = fown->pid_type;
+       pid = fown->pid;
+@@ -844,7 +846,7 @@ int send_sigurg(struct fown_struct *fown
+               read_unlock(&tasklist_lock);
+       }
+  out_unlock_fown:
+-      read_unlock(&fown->lock);
++      read_unlock_irqrestore(&fown->lock, flags);
+       return ret;
+ }
+ 
 
--- /dev/null
+From 65b2b213484acd89a3c20dbb524e52a2f3793b78 Mon Sep 17 00:00:00 2001
+From: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
+Date: Thu, 19 Nov 2020 17:44:46 +0800
+Subject: io_uring: check kthread stopped flag when sq thread is unparked
+
+From: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
+
+commit 65b2b213484acd89a3c20dbb524e52a2f3793b78 upstream.
+
+syzbot reports following issue:
+INFO: task syz-executor.2:12399 can't die for more than 143 seconds.
+task:syz-executor.2  state:D stack:28744 pid:12399 ppid:  8504 flags:0x00004004
+Call Trace:
+ context_switch kernel/sched/core.c:3773 [inline]
+ __schedule+0x893/0x2170 kernel/sched/core.c:4522
+ schedule+0xcf/0x270 kernel/sched/core.c:4600
+ schedule_timeout+0x1d8/0x250 kernel/time/timer.c:1847
+ do_wait_for_common kernel/sched/completion.c:85 [inline]
+ __wait_for_common kernel/sched/completion.c:106 [inline]
+ wait_for_common kernel/sched/completion.c:117 [inline]
+ wait_for_completion+0x163/0x260 kernel/sched/completion.c:138
+ kthread_stop+0x17a/0x720 kernel/kthread.c:596
+ io_put_sq_data fs/io_uring.c:7193 [inline]
+ io_sq_thread_stop+0x452/0x570 fs/io_uring.c:7290
+ io_finish_async fs/io_uring.c:7297 [inline]
+ io_sq_offload_create fs/io_uring.c:8015 [inline]
+ io_uring_create fs/io_uring.c:9433 [inline]
+ io_uring_setup+0x19b7/0x3730 fs/io_uring.c:9507
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45deb9
+Code: Unable to access opcode bytes at RIP 0x45de8f.
+RSP: 002b:00007f174e51ac78 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9
+RAX: ffffffffffffffda RBX: 0000000000008640 RCX: 000000000045deb9
+RDX: 0000000000000000 RSI: 0000000020000140 RDI: 00000000000050e5
+RBP: 000000000118bf58 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
+R13: 00007ffed9ca723f R14: 00007f174e51b9c0 R15: 000000000118bf2c
+INFO: task syz-executor.2:12399 blocked for more than 143 seconds.
+      Not tainted 5.10.0-rc3-next-20201110-syzkaller #0
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+
+Currently we don't have a reproducer yet, but seems that there is a
+race in current codes:
+=> io_put_sq_data
+      ctx_list is empty now.       |
+==> kthread_park(sqd->thread);     |
+                                   | T1: sq thread is parked now.
+==> kthread_stop(sqd->thread);     |
+    KTHREAD_SHOULD_STOP is set now.|
+===> kthread_unpark(k);            |
+                                   | T2: sq thread is now unparkd, run again.
+                                   |
+                                   | T3: sq thread is now preempted out.
+                                   |
+===> wake_up_process(k);           |
+                                   |
+                                   | T4: Since sqd ctx_list is empty, needs_sched will be true,
+                                   | then sq thread sets task state to TASK_INTERRUPTIBLE,
+                                   | and schedule, now sq thread will never be waken up.
+===> wait_for_completion           |
+
+I have artificially used mdelay() to simulate above race, will get same
+stack like this syzbot report, but to be honest, I'm not sure this code
+race triggers syzbot report.
+
+To fix this possible code race, when sq thread is unparked, need to check
+whether sq thread has been stopped.
+
+Reported-by: syzbot+03beeb595f074db9cfd1@syzkaller.appspotmail.com
+Signed-off-by: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/io_uring.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -6802,8 +6802,16 @@ static int io_sq_thread(void *data)
+                * kthread parking. This synchronizes the thread vs users,
+                * the users are synchronized on the sqd->ctx_lock.
+                */
+-              if (kthread_should_park())
++              if (kthread_should_park()) {
+                       kthread_parkme();
++                      /*
++                       * When sq thread is unparked, in case the previous park operation
++                       * comes from io_put_sq_data(), which means that sq thread is going
++                       * to be stopped, so here needs to have a check.
++                       */
++                      if (kthread_should_stop())
++                              break;
++              }
+ 
+               if (unlikely(!list_empty(&sqd->ctx_new_list)))
+                       io_sqd_init_new(sqd);
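Review bot: The new `kthread_should_stop()` test after `kthread_parkme()` is sufficient only because the stop flag is set before the thread is unparked, as the `kthread_stop()` sequence in the description shows, and the added comment does not say so. I would reword it to something like `/* kthread_stop() sets the stop flag before unparking us: re-check here, or we may sleep below with nobody left to wake us */`. The sleep path later in the loop is outside this hunk. If it tests only `kthread_should_park()` before `schedule()`, it is worth confirming that no other route reaches it with the stop flag already set, since the visible symptom is an unkillable task in `io_uring_setup()`. The body of io_sq_thread() starts and ends outside the hunk.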
 
--- /dev/null
+From d0ac1a26ed5943127cb0156148735f5f52a07075 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Fri, 27 Nov 2020 07:40:21 +0100
+Subject: media: gp8psk: initialize stats at power control logic
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit d0ac1a26ed5943127cb0156148735f5f52a07075 upstream.
+
+As reported on:
+       https://lore.kernel.org/linux-media/20190627222020.45909-1-willemdebruijn.kernel@gmail.com/
+
+if gp8psk_usb_in_op() returns an error, the status var is not
+initialized. Yet, this var is used later on, in order to
+identify:
+       - if the device was already started;
+       - if firmware has loaded;
+       - if the LNBf was powered on.
+
+Using status = 0 seems to ensure that everything will be
+properly powered up.
+
+So, instead of the proposed solution, let's just set
+status = 0.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reported-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/gp8psk.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/gp8psk.c
++++ b/drivers/media/usb/dvb-usb/gp8psk.c
+@@ -182,7 +182,7 @@ out_rel_fw:
+ 
+ static int gp8psk_power_ctrl(struct dvb_usb_device *d, int onoff)
+ {
+-      u8 status, buf;
++      u8 status = 0, buf;
+       int gp_product_id = le16_to_cpu(d->udev->descriptor.idProduct);
+ 
+       if (onoff) {
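Review bot: With `status = 0`, a failed status read becomes indistinguishable from a device that reports "not started, no firmware, LNB off", so the power-up sequence runs against a device whose last USB transfer just failed. The description chooses this deliberately, so a comment on the declaration would keep it from looking accidental, e.g. `/* 0 = nothing started: a failed status read falls through to the full power-up path */`. `buf` in the same declaration is still uninitialized and its uses are outside the hunk. It is worth confirming that it is only read after a successful gp8psk_usb_in_op(), or initializing it too with `u8 status = 0, buf = 0;`.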
 
--- /dev/null
+From 31dcb6c30a26d32650ce134820f27de3c675a45a Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Date: Mon, 23 Nov 2020 04:15:34 +0530
+Subject: misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells()
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+commit 31dcb6c30a26d32650ce134820f27de3c675a45a upstream.
+
+A kernel-infoleak was reported by syzbot, which was caused because
+dbells was left uninitialized.
+Using kzalloc() instead of kmalloc() fixes this issue.
+
+Reported-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com
+Tested-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Link: https://lore.kernel.org/r/20201122224534.333471-1-anant.thazhemadam@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/vmw_vmci/vmci_context.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_context.c
++++ b/drivers/misc/vmw_vmci/vmci_context.c
+@@ -743,7 +743,7 @@ static int vmci_ctx_get_chkpt_doorbells(
+                       return VMCI_ERROR_MORE_DATA;
+               }
+ 
+-              dbells = kmalloc(data_size, GFP_ATOMIC);
++              dbells = kzalloc(data_size, GFP_ATOMIC);
+               if (!dbells)
+                       return VMCI_ERROR_NO_MEM;
+ 
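Review bot: The switch to `kzalloc(data_size, GFP_ATOMIC)` carries no comment saying why the buffer must be zeroed. Going by the info-leak report in the description, this buffer is presumably handed back to user space, so any byte the fill code does not write must not hold stale heap contents. I would add `/* zeroed: returned to user space, must not expose uninitialized heap */` above the allocation so nobody reverts it to `kmalloc()`. The computation of `data_size` is outside the hunk; if it is a count multiplied by an element size, `kcalloc()` would also give an overflow check on that product. The function body continues outside the hunk.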
 
--- /dev/null
+From d24396c5290ba8ab04ba505176874c4e04a2d53c Mon Sep 17 00:00:00 2001
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+Date: Sun, 1 Nov 2020 06:09:58 -0800
+Subject: reiserfs: add check for an invalid ih_entry_count
+
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+
+commit d24396c5290ba8ab04ba505176874c4e04a2d53c upstream.
+
+when directory item has an invalid value set for ih_entry_count it might
+trigger use-after-free or out-of-bounds read in bin_search_in_dir_item()
+
+ih_entry_count * IH_SIZE for directory item should not be larger than
+ih_item_len
+
+Link: https://lore.kernel.org/r/20201101140958.3650143-1-rkovhaev@gmail.com
+Reported-and-tested-by: syzbot+83b6f7cf9922cae5c4d7@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=83b6f7cf9922cae5c4d7
+Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/reiserfs/stree.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/reiserfs/stree.c
++++ b/fs/reiserfs/stree.c
+@@ -454,6 +454,12 @@ static int is_leaf(char *buf, int blocks
+                                        "(second one): %h", ih);
+                       return 0;
+               }
++              if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
++                      reiserfs_warning(NULL, "reiserfs-5093",
++                                       "item entry count seems wrong %h",
++                                       ih);
++                      return 0;
++              }
+               prev_location = ih_location(ih);
+       }
+ 
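Review bot: The new bound multiplies `ih_entry_count(ih)` by `IH_SIZE`, the size of an item header, whereas the per-entry headers inside a directory item are `struct reiserfs_de_head`, whose size is `DEH_SIZE`. If the intent is that the entry-head array must fit inside the item before bin_search_in_dir_item() indexes it, `ih_item_len(ih) < ih_entry_count(ih) * DEH_SIZE` states that directly. As written the check is stricter than that and may reject small but valid directory items, which is worth confirming against the on-disk format. A one-line comment naming the read it protects would also help, e.g. `/* entry heads must fit in the item: bin_search_in_dir_item() indexes them by ih_entry_count */`. is_leaf() starts and ends outside the hunk.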
 
--- /dev/null
+From cb5253198f10a4cd79b7523c581e6173c7d49ddb Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Tue, 8 Dec 2020 14:05:05 -0800
+Subject: scsi: cxgb4i: Fix TLS dependency
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit cb5253198f10a4cd79b7523c581e6173c7d49ddb upstream.
+
+SCSI_CXGB4_ISCSI selects CHELSIO_T4. The latter depends on TLS || TLS=n, so
+since 'select' does not check dependencies of the selected symbol,
+SCSI_CXGB4_ISCSI should also depend on TLS || TLS=n.
+
+This prevents the following kconfig warning and restricts SCSI_CXGB4_ISCSI
+to 'm' whenever TLS=m.
+
+WARNING: unmet direct dependencies detected for CHELSIO_T4
+  Depends on [m]: NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_CHELSIO [=y] && PCI [=y] && (IPV6 [=y] || IPV6 [=y]=n) && (TLS [=m] || TLS [=m]=n)
+  Selected by [y]:
+  - SCSI_CXGB4_ISCSI [=y] && SCSI_LOWLEVEL [=y] && SCSI [=y] && PCI [=y] && INET [=y] && (IPV6 [=y] || IPV6 [=y]=n) && ETHERNET [=y]
+
+Link: https://lore.kernel.org/r/20201208220505.24488-1-rdunlap@infradead.org
+Fixes: 7b36b6e03b0d ("[SCSI] cxgb4i v5: iscsi driver")
+Cc: Karen Xie <kxie@chelsio.com>
+Cc: linux-scsi@vger.kernel.org
+Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
+Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/cxgbi/cxgb4i/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/cxgbi/cxgb4i/Kconfig
++++ b/drivers/scsi/cxgbi/cxgb4i/Kconfig
+@@ -4,6 +4,7 @@ config SCSI_CXGB4_ISCSI
+       depends on PCI && INET && (IPV6 || IPV6=n)
+       depends on THERMAL || !THERMAL
+       depends on ETHERNET
++      depends on TLS || TLS=n
+       select NET_VENDOR_CHELSIO
+       select CHELSIO_T4
+       select CHELSIO_LIB
 
 kernel-io_uring-cancel-io_uring-before-task-works.patch
 uapi-move-constants-from-linux-kernel.h-to-linux-const.h.patch
 tools-headers-uapi-sync-linux-const.h-with-the-kernel-headers.patch
+cgroup-fix-memory-leak-when-parsing-multiple-source-parameters.patch
+zlib-move-export_symbol-and-module_license-out-of-dfltcc_syms.c.patch
+scsi-cxgb4i-fix-tls-dependency.patch
+bluetooth-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch
+fbcon-disable-accelerated-scrolling.patch
+reiserfs-add-check-for-an-invalid-ih_entry_count.patch
+misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch
+media-gp8psk-initialize-stats-at-power-control-logic.patch
+f2fs-fix-shift-out-of-bounds-in-sanity_check_raw_super.patch
+alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch
+alsa-rawmidi-access-runtime-avail-always-in-spinlock.patch
+bfs-don-t-use-warning-string-when-it-s-just-info.patch
+ext4-check-for-invalid-block-size-early-when-mounting-a-file-system.patch
+fcntl-fix-potential-deadlock-in-send_sig-io-urg.patch
+io_uring-check-kthread-stopped-flag-when-sq-thread-is-unparked.patch
 
--- /dev/null
+From 605cc30dea249edf1b659e7d0146a2cf13cbbf71 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Tue, 29 Dec 2020 15:15:04 -0800
+Subject: zlib: move EXPORT_SYMBOL() and MODULE_LICENSE() out of dfltcc_syms.c
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 605cc30dea249edf1b659e7d0146a2cf13cbbf71 upstream.
+
+In commit 11fb479ff5d9 ("zlib: export S390 symbols for zlib modules"), I
+added EXPORT_SYMBOL()s to dfltcc_inflate.c but then Mikhail said that
+these should probably be in dfltcc_syms.c with the other
+EXPORT_SYMBOL()s.
+
+However, that is contrary to the current kernel style, which places
+EXPORT_SYMBOL() immediately after the function that it applies to, so
+move all EXPORT_SYMBOL()s to their respective function locations and
+drop the dfltcc_syms.c file.  Also move MODULE_LICENSE() from the
+deleted file to dfltcc.c.
+
+[rdunlap@infradead.org: remove dfltcc_syms.o from Makefile]
+  Link: https://lkml.kernel.org/r/20201227171837.15492-1-rdunlap@infradead.org
+
+Link: https://lkml.kernel.org/r/20201219052530.28461-1-rdunlap@infradead.org
+Fixes: 11fb479ff5d9 ("zlib: export S390 symbols for zlib modules")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Zaslonko Mikhail <zaslonko@linux.ibm.com>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/zlib_dfltcc/Makefile         |    2 +-
+ lib/zlib_dfltcc/dfltcc.c         |    6 +++++-
+ lib/zlib_dfltcc/dfltcc_deflate.c |    3 +++
+ lib/zlib_dfltcc/dfltcc_syms.c    |   17 -----------------
+ 4 files changed, 9 insertions(+), 19 deletions(-)
+
+--- a/lib/zlib_dfltcc/Makefile
++++ b/lib/zlib_dfltcc/Makefile
+@@ -8,4 +8,4 @@
+ 
+ obj-$(CONFIG_ZLIB_DFLTCC) += zlib_dfltcc.o
+ 
+-zlib_dfltcc-objs := dfltcc.o dfltcc_deflate.o dfltcc_inflate.o dfltcc_syms.o
++zlib_dfltcc-objs := dfltcc.o dfltcc_deflate.o dfltcc_inflate.o
+--- a/lib/zlib_dfltcc/dfltcc.c
++++ b/lib/zlib_dfltcc/dfltcc.c
+@@ -1,7 +1,8 @@
+ // SPDX-License-Identifier: Zlib
+ /* dfltcc.c - SystemZ DEFLATE CONVERSION CALL support. */
+ 
+-#include <linux/zutil.h>
++#include <linux/export.h>
++#include <linux/module.h>
+ #include "dfltcc_util.h"
+ #include "dfltcc.h"
+ 
+@@ -53,3 +54,6 @@ void dfltcc_reset(
+     dfltcc_state->dht_threshold = DFLTCC_DHT_MIN_SAMPLE_SIZE;
+     dfltcc_state->param.ribm = DFLTCC_RIBM;
+ }
++EXPORT_SYMBOL(dfltcc_reset);
++
++MODULE_LICENSE("GPL");
+--- a/lib/zlib_dfltcc/dfltcc_deflate.c
++++ b/lib/zlib_dfltcc/dfltcc_deflate.c
+@@ -4,6 +4,7 @@
+ #include "dfltcc_util.h"
+ #include "dfltcc.h"
+ #include <asm/setup.h>
++#include <linux/export.h>
+ #include <linux/zutil.h>
+ 
+ /*
+@@ -34,6 +35,7 @@ int dfltcc_can_deflate(
+ 
+     return 1;
+ }
++EXPORT_SYMBOL(dfltcc_can_deflate);
+ 
+ static void dfltcc_gdht(
+     z_streamp strm
+@@ -277,3 +279,4 @@ again:
+         goto again; /* deflate() must use all input or all output */
+     return 1;
+ }
++EXPORT_SYMBOL(dfltcc_deflate);
+--- a/lib/zlib_dfltcc/dfltcc_syms.c
++++ /dev/null
+@@ -1,17 +0,0 @@
+-// SPDX-License-Identifier: GPL-2.0-only
+-/*
+- * linux/lib/zlib_dfltcc/dfltcc_syms.c
+- *
+- * Exported symbols for the s390 zlib dfltcc support.
+- *
+- */
+-
+-#include <linux/init.h>
+-#include <linux/module.h>
+-#include <linux/zlib.h>
+-#include "dfltcc.h"
+-
+-EXPORT_SYMBOL(dfltcc_can_deflate);
+-EXPORT_SYMBOL(dfltcc_deflate);
+-EXPORT_SYMBOL(dfltcc_reset);
+-MODULE_LICENSE("GPL");