From: Sasha Levin Date: Mon, 22 Aug 2022 13:27:04 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.9.326~29^2~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=461e42efdee511ca926118be09507f97e199ca6f;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/alsa-core-add-async-signal-helpers.patch b/queue-5.4/alsa-core-add-async-signal-helpers.patch new file mode 100644 index 00000000000..638bde60cff --- /dev/null +++ b/queue-5.4/alsa-core-add-async-signal-helpers.patch 
@@ -0,0 +1,158 @@ +From b4710563727109304e029e80cfcadcf58291ca90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 14:59:42 +0200 +Subject: ALSA: core: Add async signal helpers + +From: Takashi Iwai + +[ Upstream commit ef34a0ae7a2654bc9e58675e36898217fb2799d8 ] + +Currently the call of kill_fasync() from an interrupt handler might +lead to potential spin deadlocks, as spotted by syzkaller. +Unfortunately, it's not so trivial to fix this lock chain as it's +involved with the tasklist_lock that is touched in allover places. + +As a temporary workaround, this patch provides the way to defer the +async signal notification in a work. The new helper functions, +snd_fasync_helper() and snd_kill_faync() are replacements for +fasync_helper() and kill_fasync(), respectively. In addition, +snd_fasync_free() needs to be called at the destructor of the relevant +file object. + +Link: https://lore.kernel.org/r/20220728125945.29533-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/sound/core.h | 8 ++++ + sound/core/misc.c | 94 ++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 102 insertions(+) + +diff --git a/include/sound/core.h b/include/sound/core.h +index ee238f100f73..8a80121811d9 100644 +--- a/include/sound/core.h ++++ b/include/sound/core.h +@@ -440,4 +440,12 @@ snd_pci_quirk_lookup_id(u16 vendor, u16 device, + } + #endif + ++/* async signal helpers */ ++struct snd_fasync; ++ ++int snd_fasync_helper(int fd, struct file *file, int on, ++ struct snd_fasync **fasyncp); ++void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll); ++void snd_fasync_free(struct snd_fasync *fasync); ++ + #endif /* __SOUND_CORE_H */ +diff --git a/sound/core/misc.c b/sound/core/misc.c +index 3579dd7a161f..c3f3d94b5197 100644 +--- a/sound/core/misc.c ++++ b/sound/core/misc.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + + #ifdef CONFIG_SND_DEBUG +@@ -145,3 +146,96 @@ 
snd_pci_quirk_lookup(struct pci_dev *pci, const struct snd_pci_quirk *list) + } + EXPORT_SYMBOL(snd_pci_quirk_lookup); + #endif ++ ++/* ++ * Deferred async signal helpers ++ * ++ * Below are a few helper functions to wrap the async signal handling ++ * in the deferred work. The main purpose is to avoid the messy deadlock ++ * around tasklist_lock and co at the kill_fasync() invocation. ++ * fasync_helper() and kill_fasync() are replaced with snd_fasync_helper() ++ * and snd_kill_fasync(), respectively. In addition, snd_fasync_free() has ++ * to be called at releasing the relevant file object. ++ */ ++struct snd_fasync { ++ struct fasync_struct *fasync; ++ int signal; ++ int poll; ++ int on; ++ struct list_head list; ++}; ++ ++static DEFINE_SPINLOCK(snd_fasync_lock); ++static LIST_HEAD(snd_fasync_list); ++ ++static void snd_fasync_work_fn(struct work_struct *work) ++{ ++ struct snd_fasync *fasync; ++ ++ spin_lock_irq(&snd_fasync_lock); ++ while (!list_empty(&snd_fasync_list)) { ++ fasync = list_first_entry(&snd_fasync_list, struct snd_fasync, list); ++ list_del_init(&fasync->list); ++ spin_unlock_irq(&snd_fasync_lock); ++ if (fasync->on) ++ kill_fasync(&fasync->fasync, fasync->signal, fasync->poll); ++ spin_lock_irq(&snd_fasync_lock); ++ } ++ spin_unlock_irq(&snd_fasync_lock); ++} ++ ++static DECLARE_WORK(snd_fasync_work, snd_fasync_work_fn); ++ ++int snd_fasync_helper(int fd, struct file *file, int on, ++ struct snd_fasync **fasyncp) ++{ ++ struct snd_fasync *fasync = NULL; ++ ++ if (on) { ++ fasync = kzalloc(sizeof(*fasync), GFP_KERNEL); ++ if (!fasync) ++ return -ENOMEM; ++ INIT_LIST_HEAD(&fasync->list); ++ } ++ ++ spin_lock_irq(&snd_fasync_lock); ++ if (*fasyncp) { ++ kfree(fasync); ++ fasync = *fasyncp; ++ } else { ++ if (!fasync) { ++ spin_unlock_irq(&snd_fasync_lock); ++ return 0; ++ } ++ *fasyncp = fasync; ++ } ++ fasync->on = on; ++ spin_unlock_irq(&snd_fasync_lock); ++ return fasync_helper(fd, file, on, &fasync->fasync); ++} 
++EXPORT_SYMBOL_GPL(snd_fasync_helper);
++
++void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll)
++{
++ unsigned long flags;
++
++ if (!fasync || !fasync->on)
++ return;
++ spin_lock_irqsave(&snd_fasync_lock, flags);
++ fasync->signal = signal;
++ fasync->poll = poll;
++ list_move(&fasync->list, &snd_fasync_list);
++ schedule_work(&snd_fasync_work);
++ spin_unlock_irqrestore(&snd_fasync_lock, flags);
++}
++EXPORT_SYMBOL_GPL(snd_kill_fasync);
++
++void snd_fasync_free(struct snd_fasync *fasync)
++{
++ if (!fasync)
++ return;
++ fasync->on = 0;
++ flush_work(&snd_fasync_work);
++ kfree(fasync);
++}
++EXPORT_SYMBOL_GPL(snd_fasync_free);
+--
+2.35.1
+
diff --git a/queue-5.4/alsa-timer-use-deferred-fasync-helper.patch b/queue-5.4/alsa-timer-use-deferred-fasync-helper.patch
new file mode 100644
index 00000000000..5e8f03ef517
--- /dev/null
+++ b/queue-5.4/alsa-timer-use-deferred-fasync-helper.patch
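Review bot: snd_kill_fasync() tests `fasync->on` before it takes snd_fasync_lock, and snd_fasync_free() clears `on` without the lock. A notifier that has already passed the test can therefore still `list_move()` the object onto snd_fasync_list after `flush_work()` has returned and before `kfree()`, which would leave a freed entry on the global list. As written the helpers are only safe when the caller has stopped every source of snd_kill_fasync() before calling snd_fasync_free(). That requirement should be stated above snd_fasync_free(), for example `/* caller must guarantee that snd_kill_fasync() can no longer run on this object */`. Unlinking in the free path with `list_del_init(&fasync->list)` under `spin_lock_irq(&snd_fasync_lock)` before the flush would be a cheap extra safeguard.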
@@ -0,0 +1,83 @@ +From 0ef36260779f9d3a7f51b9d365fe2013358ff5da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 14:59:43 +0200 +Subject: ALSA: timer: Use deferred fasync helper + +From: Takashi Iwai + +[ Upstream commit 95cc637c1afd83fb7dd3d7c8a53710488f4caf9c ] + +For avoiding the potential deadlock via kill_fasync() call, use the +new fasync helpers to defer the invocation from PCI API. Note that +it's merely a workaround. + +Reported-by: syzbot+1ee0910eca9c94f71f25@syzkaller.appspotmail.com +Reported-by: syzbot+49b10793b867871ee26f@syzkaller.appspotmail.com +Reported-by: syzbot+8285e973a41b5aa68902@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20220728125945.29533-3-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/timer.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/sound/core/timer.c b/sound/core/timer.c +index d684aa4150aa..420cc07a7f88 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -61,7 +61,7 @@ struct snd_timer_user { + unsigned int filter; + struct timespec tstamp; /* trigger tstamp */ + wait_queue_head_t qchange_sleep; +- struct fasync_struct *fasync; ++ struct snd_fasync *fasync; + struct mutex ioctl_lock; + }; + +@@ -1317,7 +1317,7 @@ static void snd_timer_user_interrupt(struct snd_timer_instance *timeri, + } + __wake: + spin_unlock(&tu->qlock); +- kill_fasync(&tu->fasync, SIGIO, POLL_IN); ++ snd_kill_fasync(tu->fasync, SIGIO, POLL_IN); + wake_up(&tu->qchange_sleep); + } + +@@ -1354,7 +1354,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri, + spin_lock_irqsave(&tu->qlock, flags); + snd_timer_user_append_to_tqueue(tu, &r1); + spin_unlock_irqrestore(&tu->qlock, flags); +- kill_fasync(&tu->fasync, SIGIO, POLL_IN); ++ snd_kill_fasync(tu->fasync, SIGIO, POLL_IN); + wake_up(&tu->qchange_sleep); + } + +@@ -1421,7 +1421,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri, + 
spin_unlock(&tu->qlock); + if (append == 0) + return; +- kill_fasync(&tu->fasync, SIGIO, POLL_IN); ++ snd_kill_fasync(tu->fasync, SIGIO, POLL_IN); + wake_up(&tu->qchange_sleep); + } + +@@ -1487,6 +1487,7 @@ static int snd_timer_user_release(struct inode *inode, struct file *file) + if (tu->timeri) + snd_timer_close(tu->timeri); + mutex_unlock(&tu->ioctl_lock); ++ snd_fasync_free(tu->fasync); + kfree(tu->queue); + kfree(tu->tqueue); + kfree(tu); +@@ -2050,7 +2051,7 @@ static int snd_timer_user_fasync(int fd, struct file * file, int on) + struct snd_timer_user *tu; + + tu = file->private_data; +- return fasync_helper(fd, file, on, &tu->fasync); ++ return snd_fasync_helper(fd, file, on, &tu->fasync); + } + + static ssize_t snd_timer_user_read(struct file *file, char __user *buffer, +-- +2.35.1 + diff --git a/queue-5.4/clk-qcom-ipq8074-dont-disable-gcc_sleep_clk_src.patch b/queue-5.4/clk-qcom-ipq8074-dont-disable-gcc_sleep_clk_src.patch new file mode 100644 index 00000000000..6a241c6b442 --- /dev/null +++ b/queue-5.4/clk-qcom-ipq8074-dont-disable-gcc_sleep_clk_src.patch 
@@ -0,0 +1,85 @@ +From 9eae21550b37bea90736222fb97fc8ab06b644b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 May 2022 23:00:47 +0200 +Subject: clk: qcom: ipq8074: dont disable gcc_sleep_clk_src + +From: Robert Marko + +[ Upstream commit 1bf7305e79aab095196131bdc87a97796e0e3fac ] + +Once the usb sleep clocks are disabled, clock framework is trying to +disable the sleep clock source also. + +However, it seems that it cannot be disabled and trying to do so produces: +[ 245.436390] ------------[ cut here ]------------ +[ 245.441233] gcc_sleep_clk_src status stuck at 'on' +[ 245.441254] WARNING: CPU: 2 PID: 223 at clk_branch_wait+0x130/0x140 +[ 245.450435] Modules linked in: xhci_plat_hcd xhci_hcd dwc3 dwc3_qcom leds_gpio +[ 245.456601] CPU: 2 PID: 223 Comm: sh Not tainted 5.18.0-rc4 #215 +[ 245.463889] Hardware name: Xiaomi AX9000 (DT) +[ 245.470050] pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 245.474307] pc : clk_branch_wait+0x130/0x140 +[ 245.481073] lr : clk_branch_wait+0x130/0x140 +[ 245.485588] sp : ffffffc009f2bad0 +[ 245.489838] x29: ffffffc009f2bad0 x28: ffffff8003e6c800 x27: 0000000000000000 +[ 245.493057] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800226ef20 +[ 245.500175] x23: ffffffc0089ff550 x22: 0000000000000000 x21: ffffffc008476ad0 +[ 245.507294] x20: 0000000000000000 x19: ffffffc00965ac70 x18: fffffffffffc51a7 +[ 245.514413] x17: 68702e3030303837 x16: 3a6d726f6674616c x15: ffffffc089f2b777 +[ 245.521531] x14: ffffffc0095c9d18 x13: 0000000000000129 x12: 0000000000000129 +[ 245.528649] x11: 00000000ffffffea x10: ffffffc009621d18 x9 : 0000000000000001 +[ 245.535767] x8 : 0000000000000001 x7 : 0000000000017fe8 x6 : 0000000000000001 +[ 245.542885] x5 : ffffff803fdca6d8 x4 : 0000000000000000 x3 : 0000000000000027 +[ 245.550002] x2 : 0000000000000027 x1 : 0000000000000023 x0 : 0000000000000026 +[ 245.557122] Call trace: +[ 245.564229] clk_branch_wait+0x130/0x140 +[ 245.566490] clk_branch2_disable+0x2c/0x40 +[ 
245.570656] clk_core_disable+0x60/0xb0 +[ 245.574561] clk_core_disable+0x68/0xb0 +[ 245.578293] clk_disable+0x30/0x50 +[ 245.582113] dwc3_qcom_remove+0x60/0xc0 [dwc3_qcom] +[ 245.585588] platform_remove+0x28/0x60 +[ 245.590361] device_remove+0x4c/0x80 +[ 245.594179] device_release_driver_internal+0x1dc/0x230 +[ 245.597914] device_driver_detach+0x18/0x30 +[ 245.602861] unbind_store+0xec/0x110 +[ 245.607027] drv_attr_store+0x24/0x40 +[ 245.610847] sysfs_kf_write+0x44/0x60 +[ 245.614405] kernfs_fop_write_iter+0x128/0x1c0 +[ 245.618052] new_sync_write+0xc0/0x130 +[ 245.622391] vfs_write+0x1d4/0x2a0 +[ 245.626123] ksys_write+0x58/0xe0 +[ 245.629508] __arm64_sys_write+0x1c/0x30 +[ 245.632895] invoke_syscall.constprop.0+0x5c/0x110 +[ 245.636890] do_el0_svc+0xa0/0x150 +[ 245.641488] el0_svc+0x18/0x60 +[ 245.644872] el0t_64_sync_handler+0xa4/0x130 +[ 245.647914] el0t_64_sync+0x174/0x178 +[ 245.652340] ---[ end trace 0000000000000000 ]--- + +So, add CLK_IS_CRITICAL flag to the clock so that the kernel won't try +to disable the sleep clock. + +Signed-off-by: Robert Marko +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220515210048.483898-10-robimarko@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-ipq8074.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/qcom/gcc-ipq8074.c b/drivers/clk/qcom/gcc-ipq8074.c +index 68fe80a0a92f..e9835db941d8 100644 +--- a/drivers/clk/qcom/gcc-ipq8074.c ++++ b/drivers/clk/qcom/gcc-ipq8074.c +@@ -667,6 +667,7 @@ static struct clk_branch gcc_sleep_clk_src = { + }, + .num_parents = 1, + .ops = &clk_branch2_ops, ++ .flags = CLK_IS_CRITICAL, + }, + }, + }; +-- +2.35.1 + diff --git a/queue-5.4/cxl-fix-a-memory-leak-in-an-error-handling-path.patch b/queue-5.4/cxl-fix-a-memory-leak-in-an-error-handling-path.patch new file mode 100644 index 00000000000..e6ca7310767 --- /dev/null +++ b/queue-5.4/cxl-fix-a-memory-leak-in-an-error-handling-path.patch 
@@ -0,0 +1,36 @@
+From 9385a2af6c73fda95d4cd920adc1360f0324ca67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Jul 2022 21:14:48 +0200
+Subject: cxl: Fix a memory leak in an error handling path
+
+From: Christophe JAILLET
+
+[ Upstream commit 3a15b45b5454da862376b5d69a4967f5c6fa1368 ]
+
+A bitmap_zalloc() must be balanced by a corresponding bitmap_free() in the
+error handling path of afu_allocate_irqs().
+
+Acked-by: Andrew Donnellan
+Signed-off-by: Christophe JAILLET
+Link: https://lore.kernel.org/r/ce5869418f5838187946eb6b11a52715a93ece3d.1657566849.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/misc/cxl/irq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/misc/cxl/irq.c b/drivers/misc/cxl/irq.c
+index 4cb829d5d873..2e4dcfebf19a 100644
+--- a/drivers/misc/cxl/irq.c
++++ b/drivers/misc/cxl/irq.c
+@@ -349,6 +349,7 @@ int afu_allocate_irqs(struct cxl_context *ctx, u32 count)
+
+ out:
+ cxl_ops->release_irq_ranges(&ctx->irqs, ctx->afu->adapter);
++ bitmap_free(ctx->irq_bitmap);
+ afu_irq_name_free(ctx);
+ return -ENOMEM;
+ }
+--
+2.35.1
+
diff --git a/queue-5.4/dmaengine-sprd-cleanup-in-.remove-after-pm_runtime_g.patch b/queue-5.4/dmaengine-sprd-cleanup-in-.remove-after-pm_runtime_g.patch
new file mode 100644
index 00000000000..1d835469bba
--- /dev/null
+++ b/queue-5.4/dmaengine-sprd-cleanup-in-.remove-after-pm_runtime_g.patch
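Review bot: After the added `bitmap_free(ctx->irq_bitmap);` in the `out:` path of afu_allocate_irqs(), the pointer stays in the context with its old value. The context outlives this failure, so any later path that frees or tests `ctx->irq_bitmap` would act on freed memory. The hunk does not show the context teardown, so this is unconfirmed. Resetting the field right after the free makes the error path safe either way: `ctx->irq_bitmap = NULL;`. The start of the function is outside the hunk.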
@@ -0,0 +1,51 @@ +From 83d5f5ea43196476e6aa40edd0a5535a22a1914d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jul 2022 22:40:54 +0200 +Subject: dmaengine: sprd: Cleanup in .remove() after pm_runtime_get_sync() + failed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 1e42f82cbec7b2cc4873751e7791e6611901c5fc ] + +It's not allowed to quit remove early without cleaning up completely. +Otherwise this results in resource leaks that probably yield graver +problems later. Here for example some tasklets might survive the lifetime +of the sprd-dma device and access sdev which is freed after .remove() +returns. + +As none of the device freeing requires an active device, just ignore the +return value of pm_runtime_get_sync(). + +Signed-off-by: Uwe Kleine-König +Reviewed-by: Baolin Wang +Link: https://lore.kernel.org/r/20220721204054.323602-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/sprd-dma.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c +index b966115bfad1..4f0c50106321 100644 +--- a/drivers/dma/sprd-dma.c ++++ b/drivers/dma/sprd-dma.c +@@ -1201,11 +1201,8 @@ static int sprd_dma_remove(struct platform_device *pdev) + { + struct sprd_dma_dev *sdev = platform_get_drvdata(pdev); + struct sprd_dma_chn *c, *cn; +- int ret; + +- ret = pm_runtime_get_sync(&pdev->dev); +- if (ret < 0) +- return ret; ++ pm_runtime_get_sync(&pdev->dev); + + /* explicitly free the irq */ + if (sdev->irq > 0) +-- +2.35.1 + diff --git a/queue-5.4/drivers-md-fix-a-potential-use-after-free-bug.patch b/queue-5.4/drivers-md-fix-a-potential-use-after-free-bug.patch new file mode 100644 index 00000000000..bdcdb529e6c --- /dev/null +++ b/queue-5.4/drivers-md-fix-a-potential-use-after-free-bug.patch 
@@ -0,0 +1,44 @@
+From dd12d934863cf975be772682161f0367766bed64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Jul 2022 19:39:19 +0800
+Subject: drivers:md:fix a potential use-after-free bug
+
+From: Wentao_Liang
+
+[ Upstream commit 104212471b1c1817b311771d817fb692af983173 ]
+
+In line 2884, "raid5_release_stripe(sh);" drops the reference to sh and
+may cause sh to be released. However, sh is subsequently used in lines
+2886 "if (sh->batch_head && sh != sh->batch_head)". This may result in an
+use-after-free bug.
+
+It can be fixed by moving "raid5_release_stripe(sh);" to the bottom of
+the function.
+
+Signed-off-by: Wentao_Liang
+Signed-off-by: Song Liu
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/md/raid5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 474cf6abefea..fe99e8cdc026 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -2666,10 +2666,10 @@ static void raid5_end_write_request(struct bio *bi)
+ if (!test_and_clear_bit(R5_DOUBLE_LOCKED, &sh->dev[i].flags))
+ clear_bit(R5_LOCKED, &sh->dev[i].flags);
+ set_bit(STRIPE_HANDLE, &sh->state);
+- raid5_release_stripe(sh);
+
+ if (sh->batch_head && sh != sh->batch_head)
+ raid5_release_stripe(sh->batch_head);
++ raid5_release_stripe(sh);
+ }
+
+ static void raid5_error(struct mddev *mddev, struct md_rdev *rdev)
+--
+2.35.1
+
diff --git a/queue-5.4/drm-meson-fix-overflow-implicit-truncation-warnings.patch b/queue-5.4/drm-meson-fix-overflow-implicit-truncation-warnings.patch
new file mode 100644
index 00000000000..3325e10f7d3
--- /dev/null
+++ b/queue-5.4/drm-meson-fix-overflow-implicit-truncation-warnings.patch
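Review bot: Nothing in the new code records why `raid5_release_stripe(sh);` has to be the final statement of raid5_end_write_request(), so a later cleanup could move it back above the `sh->batch_head` test and reintroduce the use-after-free. A one-line comment above the moved call would pin the ordering, for example `/* drop our reference last: sh may be freed as soon as it is released */`. The beginning of the function is outside the hunk.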
@@ -0,0 +1,72 @@ +From 6a5fda91db5269aa2830934c713b3160f04e6466 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 22:14:13 +0530 +Subject: drm/meson: Fix overflow implicit truncation warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sai Prakash Ranjan + +[ Upstream commit 98692f52c588225034cbff458622c2c06dfcb544 ] + +Fix -Woverflow warnings for drm/meson driver which is a result +of moving arm64 custom MMIO accessor macros to asm-generic function +implementations giving a bonus type-checking now and uncovering these +overflow warnings. + +drivers/gpu/drm/meson/meson_viu.c: In function ‘meson_viu_init’: +drivers/gpu/drm/meson/meson_registers.h:1826:48: error: large integer implicitly truncated to unsigned type [-Werror=overflow] + #define VIU_OSD_BLEND_REORDER(dest, src) ((src) << (dest * 4)) + ^ +drivers/gpu/drm/meson/meson_viu.c:472:18: note: in expansion of macro ‘VIU_OSD_BLEND_REORDER’ + writel_relaxed(VIU_OSD_BLEND_REORDER(0, 1) | + ^~~~~~~~~~~~~~~~~~~~~ + +Reported-by: kernel test robot +Signed-off-by: Sai Prakash Ranjan +Reviewed-by: Arnd Bergmann +Cc: Arnd Bergmann +Cc: Neil Armstrong +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_viu.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/gpu/drm/meson/meson_viu.c b/drivers/gpu/drm/meson/meson_viu.c +index 33698814c022..9991f0a43b1a 100644 +--- a/drivers/gpu/drm/meson/meson_viu.c ++++ b/drivers/gpu/drm/meson/meson_viu.c +@@ -400,17 +400,17 @@ void meson_viu_init(struct meson_drm *priv) + priv->io_base + _REG(VD2_IF0_LUMA_FIFO_SIZE)); + + if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A)) { +- writel_relaxed(VIU_OSD_BLEND_REORDER(0, 1) | +- VIU_OSD_BLEND_REORDER(1, 0) | +- VIU_OSD_BLEND_REORDER(2, 0) | +- VIU_OSD_BLEND_REORDER(3, 0) | +- VIU_OSD_BLEND_DIN_EN(1) | +- VIU_OSD_BLEND1_DIN3_BYPASS_TO_DOUT1 | +- 
VIU_OSD_BLEND1_DOUT_BYPASS_TO_BLEND2 | +- VIU_OSD_BLEND_DIN0_BYPASS_TO_DOUT0 | +- VIU_OSD_BLEND_BLEN2_PREMULT_EN(1) | +- VIU_OSD_BLEND_HOLD_LINES(4), +- priv->io_base + _REG(VIU_OSD_BLEND_CTRL)); ++ u32 val = (u32)VIU_OSD_BLEND_REORDER(0, 1) | ++ (u32)VIU_OSD_BLEND_REORDER(1, 0) | ++ (u32)VIU_OSD_BLEND_REORDER(2, 0) | ++ (u32)VIU_OSD_BLEND_REORDER(3, 0) | ++ (u32)VIU_OSD_BLEND_DIN_EN(1) | ++ (u32)VIU_OSD_BLEND1_DIN3_BYPASS_TO_DOUT1 | ++ (u32)VIU_OSD_BLEND1_DOUT_BYPASS_TO_BLEND2 | ++ (u32)VIU_OSD_BLEND_DIN0_BYPASS_TO_DOUT0 | ++ (u32)VIU_OSD_BLEND_BLEN2_PREMULT_EN(1) | ++ (u32)VIU_OSD_BLEND_HOLD_LINES(4); ++ writel_relaxed(val, priv->io_base + _REG(VIU_OSD_BLEND_CTRL)); + + writel_relaxed(OSD_BLEND_PATH_SEL_ENABLE, + priv->io_base + _REG(OSD1_BLEND_SRC_CTRL)); +-- +2.35.1 + diff --git a/queue-5.4/drm-meson-fix-refcount-bugs-in-meson_vpu_has_availab.patch b/queue-5.4/drm-meson-fix-refcount-bugs-in-meson_vpu_has_availab.patch new file mode 100644 index 00000000000..419aafca578 --- /dev/null +++ b/queue-5.4/drm-meson-fix-refcount-bugs-in-meson_vpu_has_availab.patch 
@@ -0,0 +1,46 @@ +From 46c2393bc2f23c109b303d581b9712f22427a370 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Jul 2022 09:07:22 +0800 +Subject: drm/meson: Fix refcount bugs in meson_vpu_has_available_connectors() + +From: Liang He + +[ Upstream commit 91b3c8dbe898df158fd2a84675f3a284ff6666f7 ] + +In this function, there are two refcount leak bugs: +(1) when breaking out of for_each_endpoint_of_node(), we need call +the of_node_put() for the 'ep'; +(2) we should call of_node_put() for the reference returned by +of_graph_get_remote_port() when it is not used anymore. + +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Signed-off-by: Liang He +Acked-by: Martin Blumenstingl +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20220726010722.1319416-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_drv.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c +index 61a6536e7e61..9a39afc3939b 100644 +--- a/drivers/gpu/drm/meson/meson_drv.c ++++ b/drivers/gpu/drm/meson/meson_drv.c +@@ -124,8 +124,11 @@ static bool meson_vpu_has_available_connectors(struct device *dev) + for_each_endpoint_of_node(dev->of_node, ep) { + /* If the endpoint node exists, consider it enabled */ + remote = of_graph_get_remote_port(ep); +- if (remote) ++ if (remote) { ++ of_node_put(remote); ++ of_node_put(ep); + return true; ++ } + } + + return false; +-- +2.35.1 + diff --git a/queue-5.4/ext4-avoid-remove-directory-when-directory-is-corrup.patch b/queue-5.4/ext4-avoid-remove-directory-when-directory-is-corrup.patch new file mode 100644 index 00000000000..bdc2a5bbd5b --- /dev/null +++ b/queue-5.4/ext4-avoid-remove-directory-when-directory-is-corrup.patch 
@@ -0,0 +1,43 @@ +From c2be3bb37a0dfb46d57c13cebb468c6f77c6aafe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jun 2022 17:02:23 +0800 +Subject: ext4: avoid remove directory when directory is corrupted + +From: Ye Bin + +[ Upstream commit b24e77ef1c6d4dbf42749ad4903c97539cc9755a ] + +Now if check directoy entry is corrupted, ext4_empty_dir may return true +then directory will be removed when file system mounted with "errors=continue". +In order not to make things worse just return false when directory is corrupted. + +Signed-off-by: Ye Bin +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20220622090223.682234-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 0ba35465ac75..aaf1ed8ba87c 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2929,11 +2929,8 @@ bool ext4_empty_dir(struct inode *inode) + de = (struct ext4_dir_entry_2 *) (bh->b_data + + (offset & (sb->s_blocksize - 1))); + if (ext4_check_dir_entry(inode, NULL, de, bh, +- bh->b_data, bh->b_size, offset)) { +- offset = (offset | (sb->s_blocksize - 1)) + 1; +- continue; +- } +- if (le32_to_cpu(de->inode)) { ++ bh->b_data, bh->b_size, offset) || ++ le32_to_cpu(de->inode)) { + brelse(bh); + return false; + } +-- +2.35.1 + diff --git a/queue-5.4/ext4-avoid-resizing-to-a-partial-cluster-size.patch b/queue-5.4/ext4-avoid-resizing-to-a-partial-cluster-size.patch new file mode 100644 index 00000000000..ed4dea518ee --- /dev/null +++ b/queue-5.4/ext4-avoid-resizing-to-a-partial-cluster-size.patch 
@@ -0,0 +1,47 @@
+From dc60e56b13d53b32ff7424aa8c4177ee62287431 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Jul 2022 04:27:48 +0000
+Subject: ext4: avoid resizing to a partial cluster size
+
+From: Kiselev, Oleg
+
+[ Upstream commit 69cb8e9d8cd97cdf5e293b26d70a9dee3e35e6bd ]
+
+This patch avoids an attempt to resize the filesystem to an
+unaligned cluster boundary. An online resize to a size that is not
+integral to cluster size results in the last iteration attempting to
+grow the fs by a negative amount, which trips a BUG_ON and leaves the fs
+with a corrupted in-memory superblock.
+
+Signed-off-by: Oleg Kiselev
+Link: https://lore.kernel.org/r/0E92A0AB-4F16-4F1A-94B7-702CC6504FDE@amazon.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Sasha Levin
+---
+ fs/ext4/resize.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index 306003e29c4c..f0fc7fc579e6 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1979,6 +1979,16 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count)
+ }
+ brelse(bh);
+
++ /*
++ * For bigalloc, trim the requested size to the nearest cluster
++ * boundary to avoid creating an unusable filesystem. We do this
++ * silently, instead of returning an error, to avoid breaking
++ * callers that blindly resize the filesystem to the full size of
++ * the underlying block device.
++ */
++ if (ext4_has_feature_bigalloc(sb))
++ n_blocks_count &= ~((1 << EXT4_CLUSTER_BITS(sb)) - 1);
++
+ retry:
+ o_blocks_count = ext4_blocks_count(es);
+
+--
+2.35.1
+
diff --git a/queue-5.4/f2fs-fix-to-avoid-use-f2fs_bug_on-in-f2fs_new_node_p.patch b/queue-5.4/f2fs-fix-to-avoid-use-f2fs_bug_on-in-f2fs_new_node_p.patch
new file mode 100644
index 00000000000..e11a077af1d
--- /dev/null
+++ b/queue-5.4/f2fs-fix-to-avoid-use-f2fs_bug_on-in-f2fs_new_node_p.patch
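Review bot: The mask in `n_blocks_count &= ~((1 << EXT4_CLUSTER_BITS(sb)) - 1);` is computed as a plain `int` and then widened to the `ext4_fsblk_t` operand. It keeps the high bits of the block count only because the negative `int` is sign-extended in that conversion. Building the mask in the operand's own type states the intent and does not depend on that: `n_blocks_count &= ~(((ext4_fsblk_t)1 << EXT4_CLUSTER_BITS(sb)) - 1);`. The rest of ext4_resize_fs() is outside the hunk.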
@@ -0,0 +1,63 @@ +From d073d5aa3808ca4d7397d4b7ff01d51674930281 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 00:03:23 +0800 +Subject: f2fs: fix to avoid use f2fs_bug_on() in f2fs_new_node_page() + +From: Chao Yu + +[ Upstream commit 141170b759e03958f296033bb7001be62d1d363b ] + +As Dipanjan Das reported, syzkaller +found a f2fs bug as below: + +RIP: 0010:f2fs_new_node_page+0x19ac/0x1fc0 fs/f2fs/node.c:1295 +Call Trace: + write_all_xattrs fs/f2fs/xattr.c:487 [inline] + __f2fs_setxattr+0xe76/0x2e10 fs/f2fs/xattr.c:743 + f2fs_setxattr+0x233/0xab0 fs/f2fs/xattr.c:790 + f2fs_xattr_generic_set+0x133/0x170 fs/f2fs/xattr.c:86 + __vfs_setxattr+0x115/0x180 fs/xattr.c:182 + __vfs_setxattr_noperm+0x125/0x5f0 fs/xattr.c:216 + __vfs_setxattr_locked+0x1cf/0x260 fs/xattr.c:277 + vfs_setxattr+0x13f/0x330 fs/xattr.c:303 + setxattr+0x146/0x160 fs/xattr.c:611 + path_setxattr+0x1a7/0x1d0 fs/xattr.c:630 + __do_sys_lsetxattr fs/xattr.c:653 [inline] + __se_sys_lsetxattr fs/xattr.c:649 [inline] + __x64_sys_lsetxattr+0xbd/0x150 fs/xattr.c:649 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +NAT entry and nat bitmap can be inconsistent, e.g. one nid is free +in nat bitmap, and blkaddr in its NAT entry is not NULL_ADDR, it +may trigger BUG_ON() in f2fs_new_node_page(), fix it. 
+ +Reported-by: Dipanjan Das +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/node.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c +index 3dc7cc3d6ac6..b080d5c58f6c 100644 +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -1240,7 +1240,11 @@ struct page *f2fs_new_node_page(struct dnode_of_data *dn, unsigned int ofs) + dec_valid_node_count(sbi, dn->inode, !ofs); + goto fail; + } +- f2fs_bug_on(sbi, new_ni.blk_addr != NULL_ADDR); ++ if (unlikely(new_ni.blk_addr != NULL_ADDR)) { ++ err = -EFSCORRUPTED; ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ goto fail; ++ } + #endif + new_ni.nid = dn->nid; + new_ni.ino = dn->inode->i_ino; +-- +2.35.1 + diff --git a/queue-5.4/gadgetfs-ep_io-wait-until-irq-finishes.patch b/queue-5.4/gadgetfs-ep_io-wait-until-irq-finishes.patch new file mode 100644 index 00000000000..fec004dc26d --- /dev/null +++ b/queue-5.4/gadgetfs-ep_io-wait-until-irq-finishes.patch 
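Review bot: The new `blk_addr != NULL_ADDR` branch in f2fs_new_node_page() jumps to `fail` without calling `dec_valid_node_count(sbi, dn->inode, !ofs);`, although the error branch directly above it in the same hunk does so before its `goto fail`. If the node count was incremented earlier in the function (outside the hunk), this path leaves the accounting one too high on a filesystem that is already flagged for fsck. Adding `dec_valid_node_count(sbi, dn->inode, !ofs);` before the new `goto fail` would keep the two exits consistent. The check also sits before an `#endif`, so it appears to run only in builds with the surrounding option enabled; whether that is intended for a corruption check rather than a debug assertion is worth confirming.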
@@ -0,0 +1,37 @@
+From d59e708248a0c66d3fd6c9a29c7e7b012bf97a5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Jul 2022 09:06:44 +0200
+Subject: gadgetfs: ep_io - wait until IRQ finishes
+
+From: Jozef Martiniak
+
+[ Upstream commit 04cb742d4d8f30dc2e83b46ac317eec09191c68e ]
+
+after usb_ep_queue() if wait_for_completion_interruptible() is
+interrupted we need to wait until IRQ gets finished.
+
+Otherwise complete() from epio_complete() can corrupt stack.
+
+Signed-off-by: Jozef Martiniak
+Link: https://lore.kernel.org/r/20220708070645.6130-1-jomajm@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/legacy/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
+index 9cd80ad075bd..97c73d610eeb 100644
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -362,6 +362,7 @@ ep_io (struct ep_data *epdata, void *buf, unsigned len)
+ spin_unlock_irq (&epdata->dev->lock);
+
+ DBG (epdata->dev, "endpoint gone\n");
++ wait_for_completion(&done);
+ epdata->status = -ENODEV;
+ }
+ }
+--
+2.35.1
+
diff --git a/queue-5.4/irqchip-tegra-fix-overflow-implicit-truncation-warni.patch b/queue-5.4/irqchip-tegra-fix-overflow-implicit-truncation-warni.patch
new file mode 100644
index 00000000000..258db3ab986
--- /dev/null
+++ b/queue-5.4/irqchip-tegra-fix-overflow-implicit-truncation-warni.patch
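Review bot: The added `wait_for_completion(&done);` in the "endpoint gone" branch of ep_io() is uninterruptible and has no timeout. The task therefore blocks unkillably unless the completion callback is guaranteed to run for the queued request once the endpoint has gone away. That guarantee depends on the UDC driver and is not visible in this hunk. The guard against the on-stack completion being signalled after return is needed, but the assumption should be written down at the call, for example `/* the UDC completes the request when the endpoint is disabled; 'done' is on our stack and must not be left pending */`. The rest of ep_io() is outside the hunk.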
@@ -0,0 +1,76 @@ +From 04f374c8ef05d221d54b6c5f3e938004bfb2ded7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 22:14:12 +0530 +Subject: irqchip/tegra: Fix overflow implicit truncation warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sai Prakash Ranjan + +[ Upstream commit 443685992bda9bb4f8b17fc02c9f6c60e62b1461 ] + +Fix -Woverflow warnings for tegra irqchip driver which is a result +of moving arm64 custom MMIO accessor macros to asm-generic function +implementations giving a bonus type-checking now and uncovering these +overflow warnings. + +drivers/irqchip/irq-tegra.c: In function ‘tegra_ictlr_suspend’: +drivers/irqchip/irq-tegra.c:151:18: warning: large integer implicitly truncated to unsigned type [-Woverflow] + writel_relaxed(~0ul, ictlr + ICTLR_COP_IER_CLR); + ^ + +Suggested-by: Marc Zyngier +Signed-off-by: Sai Prakash Ranjan +Reviewed-by: Arnd Bergmann +Cc: Marc Zyngier +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-tegra.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/irqchip/irq-tegra.c b/drivers/irqchip/irq-tegra.c +index e1f771c72fc4..ad3e2c1b3c87 100644 +--- a/drivers/irqchip/irq-tegra.c ++++ b/drivers/irqchip/irq-tegra.c +@@ -148,10 +148,10 @@ static int tegra_ictlr_suspend(void) + lic->cop_iep[i] = readl_relaxed(ictlr + ICTLR_COP_IEP_CLASS); + + /* Disable COP interrupts */ +- writel_relaxed(~0ul, ictlr + ICTLR_COP_IER_CLR); ++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_COP_IER_CLR); + + /* Disable CPU interrupts */ +- writel_relaxed(~0ul, ictlr + ICTLR_CPU_IER_CLR); ++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_CPU_IER_CLR); + + /* Enable the wakeup sources of ictlr */ + writel_relaxed(lic->ictlr_wake_mask[i], ictlr + ICTLR_CPU_IER_SET); +@@ -172,12 +172,12 @@ static void tegra_ictlr_resume(void) + + writel_relaxed(lic->cpu_iep[i], + ictlr + ICTLR_CPU_IEP_CLASS); +- 
writel_relaxed(~0ul, ictlr + ICTLR_CPU_IER_CLR); ++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_CPU_IER_CLR); + writel_relaxed(lic->cpu_ier[i], + ictlr + ICTLR_CPU_IER_SET); + writel_relaxed(lic->cop_iep[i], + ictlr + ICTLR_COP_IEP_CLASS); +- writel_relaxed(~0ul, ictlr + ICTLR_COP_IER_CLR); ++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_COP_IER_CLR); + writel_relaxed(lic->cop_ier[i], + ictlr + ICTLR_COP_IER_SET); + } +@@ -312,7 +312,7 @@ static int __init tegra_ictlr_init(struct device_node *node, + lic->base[i] = base; + + /* Disable all interrupts */ +- writel_relaxed(~0UL, base + ICTLR_CPU_IER_CLR); ++ writel_relaxed(GENMASK(31, 0), base + ICTLR_CPU_IER_CLR); + /* All interrupts target IRQ */ + writel_relaxed(0, base + ICTLR_CPU_IEP_CLASS); + +-- +2.35.1 + diff --git a/queue-5.4/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch b/queue-5.4/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch new file mode 100644 index 00000000000..8a77272bd8a --- /dev/null +++ b/queue-5.4/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch 
@@ -0,0 +1,55 @@
+From 250cedbe34c467df6f6cf1dfe1489f9ba3fc63b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Jul 2022 23:27:48 +0000
+Subject: KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks
+
+From: Sean Christopherson
+
+commit ec6e4d863258d4bfb36d48d5e3ef68140234d688 upstream.
+
+Wait to mark the TSS as busy during LTR emulation until after all fault
+checks for the LTR have passed. Specifically, don't mark the TSS busy if
+the new TSS base is non-canonical.
+
+Opportunistically drop the one-off !seg_desc.PRESENT check for TR as the
+only reason for the early check was to avoid marking a !PRESENT TSS as
+busy, i.e. the common !PRESENT is now done before setting the busy bit.
+
+Fixes: e37a75a13cda ("KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR")
+Reported-by: syzbot+760a73552f47a8cd0fd9@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Cc: Tetsuo Handa
+Cc: Hou Wenlong
+Signed-off-by: Sean Christopherson
+Reviewed-by: Maxim Levitsky
+Link: https://lore.kernel.org/r/20220711232750.1092012-2-seanjc@google.com
+Signed-off-by: Sean Christopherson
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/emulate.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index fcb59dc54bf5..325f3520713b 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -1802,6 +1802,15 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+ }
++
++ if (seg == VCPU_SREG_TR) {
++ old_desc = seg_desc;
++ seg_desc.type |= 2; /* busy */
++ ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
++ sizeof(seg_desc), &ctxt->exception);
++ if (ret != X86EMUL_CONTINUE)
++ return ret;
++ }
+ load:
+ ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
+ if (desc)
+--
+2.35.1
+
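Review bot: The diffstat for arch/x86/kvm/emulate.c shows 9 insertions and no deletions, while the description says the busy marking is delayed and the one-off !seg_desc.PRESENT check for TR is dropped, so this backport appears to add the post-check `cmpxchg_emulated()` block without removing the earlier one. If the TR handling earlier in `__load_segment_descriptor()` (outside this hunk) still performs the `seg_desc.type |= 2` write in 5.4, the guest descriptor is still marked busy before the non-canonical base check and the reported problem remains; the added block would then only rewrite an already-busy descriptor. Confirm against the 5.4 source that the earlier write is gone, or carry the matching removal in this patch.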
diff --git a/queue-5.4/lib-list_debug.c-detect-uninitialized-lists.patch b/queue-5.4/lib-list_debug.c-detect-uninitialized-lists.patch
new file mode 100644
index 00000000000..c0f9d9ce2d2
--- /dev/null
+++ b/queue-5.4/lib-list_debug.c-detect-uninitialized-lists.patch
@@ -0,0 +1,80 @@
+From e3a7063428fab1d72981df4feda06112a634f8f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 31 May 2022 15:29:51 -0700
+Subject: lib/list_debug.c: Detect uninitialized lists
+
+From: Guenter Roeck
+
+[ Upstream commit 0cc011c576aaa4de505046f7a6c90933d7c749a9 ]
+
+In some circumstances, attempts are made to add entries to or to remove
+entries from an uninitialized list. A prime example is
+amdgpu_bo_vm_destroy(): It is indirectly called from
+ttm_bo_init_reserved() if that function fails, and tries to remove an
+entry from a list. However, that list is only initialized in
+amdgpu_bo_create_vm() after the call to ttm_bo_init_reserved() returned
+success. This results in crashes such as
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 1 PID: 1479 Comm: chrome Not tainted 5.10.110-15768-g29a72e65dae5
+ Hardware name: Google Grunt/Grunt, BIOS Google_Grunt.11031.149.0 07/15/2020
+ RIP: 0010:__list_del_entry_valid+0x26/0x7d
+ ...
+ Call Trace:
+ amdgpu_bo_vm_destroy+0x48/0x8b
+ ttm_bo_init_reserved+0x1d7/0x1e0
+ amdgpu_bo_create+0x212/0x476
+ ? amdgpu_bo_user_destroy+0x23/0x23
+ ? kmem_cache_alloc+0x60/0x271
+ amdgpu_bo_create_vm+0x40/0x7d
+ amdgpu_vm_pt_create+0xe8/0x24b
+ ...
+
+Check if the list's prev and next pointers are NULL to catch such problems.
+
+Link: https://lkml.kernel.org/r/20220531222951.92073-1-linux@roeck-us.net
+Signed-off-by: Guenter Roeck
+Cc: Steven Rostedt
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ lib/list_debug.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/list_debug.c b/lib/list_debug.c
+index 5d5424b51b74..413daa72a3d8 100644
+--- a/lib/list_debug.c
++++ b/lib/list_debug.c
+@@ -20,7 +20,11 @@
+ bool __list_add_valid(struct list_head *new, struct list_head *prev,
+ struct list_head *next)
+ {
+- if (CHECK_DATA_CORRUPTION(next->prev != prev,
++ if (CHECK_DATA_CORRUPTION(prev == NULL,
++ "list_add corruption. prev is NULL.\n") ||
++ CHECK_DATA_CORRUPTION(next == NULL,
++ "list_add corruption. next is NULL.\n") ||
++ CHECK_DATA_CORRUPTION(next->prev != prev,
+ "list_add corruption. next->prev should be prev (%px), but was %px. (next=%px).\n",
+ prev, next->prev, next) ||
+ CHECK_DATA_CORRUPTION(prev->next != next,
+@@ -42,7 +46,11 @@ bool __list_del_entry_valid(struct list_head *entry)
+ prev = entry->prev;
+ next = entry->next;
+
+- if (CHECK_DATA_CORRUPTION(next == LIST_POISON1,
++ if (CHECK_DATA_CORRUPTION(next == NULL,
++ "list_del corruption, %px->next is NULL\n", entry) ||
++ CHECK_DATA_CORRUPTION(prev == NULL,
++ "list_del corruption, %px->prev is NULL\n", entry) ||
++ CHECK_DATA_CORRUPTION(next == LIST_POISON1,
+ "list_del corruption, %px->next is LIST_POISON1 (%px)\n",
+ entry, LIST_POISON1) ||
+ CHECK_DATA_CORRUPTION(prev == LIST_POISON2,
+--
+2.35.1
+
diff --git a/queue-5.4/mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch b/queue-5.4/mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch
new file mode 100644
index 00000000000..65f84b226d6
--- /dev/null
+++ b/queue-5.4/mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch
@@ -0,0 +1,42 @@
+From 964f0ecbeba0f86716b1ccee6125cbeb9aa4ab77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 1 Jul 2022 20:41:12 +0800
+Subject: mips: cavium-octeon: Fix missing of_node_put() in
+ octeon2_usb_clocks_start
+
+From: Liang He
+
+[ Upstream commit 7a9f743ceead60ed454c46fbc3085ee9a79cbebb ]
+
+We should call of_node_put() for the reference 'uctl_node' returned by
+of_get_parent() which will increase the refcount. Otherwise, there will
+be a refcount leak bug.
+
+Signed-off-by: Liang He
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/cavium-octeon/octeon-platform.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/cavium-octeon/octeon-platform.c b/arch/mips/cavium-octeon/octeon-platform.c
+index c214fe4e678b..04bc34714727 100644
+--- a/arch/mips/cavium-octeon/octeon-platform.c
++++ b/arch/mips/cavium-octeon/octeon-platform.c
+@@ -86,11 +86,12 @@ static void octeon2_usb_clocks_start(struct device *dev)
+ "refclk-frequency", &clock_rate);
+ if (i) {
+ dev_err(dev, "No UCTL \"refclk-frequency\"\n");
++ of_node_put(uctl_node);
+ goto exit;
+ }
+ i = of_property_read_string(uctl_node,
+ "refclk-type", &clock_type);
+-
++ of_node_put(uctl_node);
+ if (!i && strcmp("crystal", clock_type) == 0)
+ is_crystal_clock = true;
+ }
+--
+2.35.1
+
diff --git a/queue-5.4/mips-tlbex-explicitly-compare-_page_no_exec-against-.patch b/queue-5.4/mips-tlbex-explicitly-compare-_page_no_exec-against-.patch
new file mode 100644
index 00000000000..bd05b838767
--- /dev/null
+++ b/queue-5.4/mips-tlbex-explicitly-compare-_page_no_exec-against-.patch
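Review bot: The second `of_node_put(uctl_node)` runs before `strcmp("crystal", clock_type)`, but `clock_type` was filled in by `of_property_read_string(uctl_node, ...)` and so presumably points into that node's property data; the reference should be dropped only after the last use of the string. Moving the put below the comparison keeps the leak fix without reading through a node that is no longer pinned: `if (!i && strcmp("crystal", clock_type) == 0) is_crystal_clock = true;` followed by `of_node_put(uctl_node);`. The enclosing function starts and ends outside the hunk, so any later use of `clock_type` should be checked as well.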
@@ -0,0 +1,70 @@
+From 97688c518d0998d5b07719fa355ea4da57d22875 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Aug 2022 10:59:36 -0700
+Subject: MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0
+
+From: Nathan Chancellor
+
+[ Upstream commit 74de14fe05dd6b151d73cb0c73c8ec874cbdcde6 ]
+
+When CONFIG_XPA is enabled, Clang warns:
+
+ arch/mips/mm/tlbex.c:629:24: error: converting the result of '<<' to a boolean; did you mean '(1 << _PAGE_NO_EXEC_SHIFT) != 0'? [-Werror,-Wint-in-bool-context]
+ if (cpu_has_rixi && !!_PAGE_NO_EXEC) {
+ ^
+ arch/mips/include/asm/pgtable-bits.h:174:28: note: expanded from macro '_PAGE_NO_EXEC'
+ # define _PAGE_NO_EXEC (1 << _PAGE_NO_EXEC_SHIFT)
+ ^
+ arch/mips/mm/tlbex.c:2568:24: error: converting the result of '<<' to a boolean; did you mean '(1 << _PAGE_NO_EXEC_SHIFT) != 0'? [-Werror,-Wint-in-bool-context]
+ if (!cpu_has_rixi || !_PAGE_NO_EXEC) {
+ ^
+ arch/mips/include/asm/pgtable-bits.h:174:28: note: expanded from macro '_PAGE_NO_EXEC'
+ # define _PAGE_NO_EXEC (1 << _PAGE_NO_EXEC_SHIFT)
+ ^
+ 2 errors generated.
+
+_PAGE_NO_EXEC can be '0' or '1 << _PAGE_NO_EXEC_SHIFT' depending on the
+build and runtime configuration, which is what the negation operators
+are trying to convey. To silence the warning, explicitly compare against
+0 so the result of the '<<' operator is not implicitly converted to a
+boolean.
+
+According to its documentation, GCC enables -Wint-in-bool-context with
+-Wall but this warning is not visible when building the same
+configuration with GCC. It appears GCC only warns when compiling C++,
+not C, although the documentation makes no note of this:
+https://godbolt.org/z/x39q3brxf
+
+Reported-by: Sudip Mukherjee (Codethink)
+Signed-off-by: Nathan Chancellor
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/mm/tlbex.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/mm/tlbex.c b/arch/mips/mm/tlbex.c
+index 547d813ead48..061dc5c97d5a 100644
+--- a/arch/mips/mm/tlbex.c
++++ b/arch/mips/mm/tlbex.c
+@@ -629,7 +629,7 @@ static __maybe_unused void build_convert_pte_to_entrylo(u32 **p,
+ return;
+ }
+
+- if (cpu_has_rixi && !!_PAGE_NO_EXEC) {
++ if (cpu_has_rixi && _PAGE_NO_EXEC != 0) {
+ if (fill_includes_sw_bits) {
+ UASM_i_ROTR(p, reg, reg, ilog2(_PAGE_GLOBAL));
+ } else {
+@@ -2568,7 +2568,7 @@ static void check_pabits(void)
+ unsigned long entry;
+ unsigned pabits, fillbits;
+
+- if (!cpu_has_rixi || !_PAGE_NO_EXEC) {
++ if (!cpu_has_rixi || _PAGE_NO_EXEC == 0) {
+ /*
+ * We'll only be making use of the fact that we can rotate bits
+ * into the fill if the CPU supports RIXI, so don't bother
+--
+2.35.1
+
diff --git a/queue-5.4/nvmet-tcp-fix-lockdep-complaint-on-nvmet_tcp_wq-flus.patch b/queue-5.4/nvmet-tcp-fix-lockdep-complaint-on-nvmet_tcp_wq-flus.patch
new file mode 100644
index 00000000000..5909b9dc463
--- /dev/null
+++ b/queue-5.4/nvmet-tcp-fix-lockdep-complaint-on-nvmet_tcp_wq-flus.patch
@@ -0,0 +1,46 @@
+From 6ebae861c7fc654d043d2a8a8aff642b2d6c6924 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 24 Jul 2022 11:58:43 +0300
+Subject: nvmet-tcp: fix lockdep complaint on nvmet_tcp_wq flush during queue
+ teardown
+
+From: Sagi Grimberg
+
+[ Upstream commit 533d2e8b4d5e4c89772a0adce913525fb86cbbee ]
+
+We probably need nvmet_tcp_wq to have MEM_RECLAIM as we are
+sending/receiving for the socket from works on this workqueue.
+Also this eliminates lockdep complaints:
+--
+[ 6174.010200] workqueue: WQ_MEM_RECLAIM
+nvmet-wq:nvmet_tcp_release_queue_work [nvmet_tcp] is flushing
+!WQ_MEM_RECLAIM nvmet_tcp_wq:nvmet_tcp_io_work [nvmet_tcp]
+[ 6174.010216] WARNING: CPU: 20 PID: 14456 at kernel/workqueue.c:2628
+check_flush_dependency+0x110/0x14c
+
+Reported-by: Yi Zhang
+Signed-off-by: Sagi Grimberg
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/target/tcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 4341c7244662..e9512d077b8a 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -1762,7 +1762,8 @@ static int __init nvmet_tcp_init(void)
+ {
+ int ret;
+
+- nvmet_tcp_wq = alloc_workqueue("nvmet_tcp_wq", WQ_HIGHPRI, 0);
++ nvmet_tcp_wq = alloc_workqueue("nvmet_tcp_wq",
++ WQ_MEM_RECLAIM | WQ_HIGHPRI, 0);
+ if (!nvmet_tcp_wq)
+ return -ENOMEM;
+
+--
+2.35.1
+
diff --git a/queue-5.4/pci-acpi-guard-arm64-specific-mcfg_quirks.patch b/queue-5.4/pci-acpi-guard-arm64-specific-mcfg_quirks.patch
new file mode 100644
index 00000000000..8064bd91d9b
--- /dev/null
+++ b/queue-5.4/pci-acpi-guard-arm64-specific-mcfg_quirks.patch
@@ -0,0 +1,44 @@
+From 79aa41b4dc5f84219a6bdc3b2d7308efcac4f454 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 14 Jul 2022 20:42:10 +0800
+Subject: PCI/ACPI: Guard ARM64-specific mcfg_quirks
+
+From: Huacai Chen
+
+[ Upstream commit 40a6cc141b4b9580de140bcb3e893445708acc5d ]
+
+Guard ARM64-specific quirks with CONFIG_ARM64 to avoid build errors,
+since mcfg_quirks will be shared by more than one architectures.
+
+Link: https://lore.kernel.org/r/20220714124216.1489304-2-chenhuacai@loongson.cn
+Signed-off-by: Huacai Chen
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/pci_mcfg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/acpi/pci_mcfg.c b/drivers/acpi/pci_mcfg.c
+index 47e43c949825..ed2f880b63b5 100644
+--- a/drivers/acpi/pci_mcfg.c
++++ b/drivers/acpi/pci_mcfg.c
+@@ -41,6 +41,8 @@ struct mcfg_fixup {
+ static struct mcfg_fixup mcfg_quirks[] = {
+ /* { OEM_ID, OEM_TABLE_ID, REV, SEGMENT, BUS_RANGE, ops, cfgres }, */
+
++#ifdef CONFIG_ARM64
++
+ #define AL_ECAM(table_id, rev, seg, ops) \
+ { "AMAZON", table_id, rev, seg, MCFG_BUS_ANY, ops }
+
+@@ -162,6 +164,7 @@ static struct mcfg_fixup mcfg_quirks[] = {
+ ALTRA_ECAM_QUIRK(1, 13),
+ ALTRA_ECAM_QUIRK(1, 14),
+ ALTRA_ECAM_QUIRK(1, 15),
++#endif /* ARM64 */
+ };
+
+ static char mcfg_oem_id[ACPI_OEM_ID_SIZE];
+--
+2.35.1
+
diff --git a/queue-5.4/pci-add-acs-quirk-for-broadcom-bcm5750x-nics.patch b/queue-5.4/pci-add-acs-quirk-for-broadcom-bcm5750x-nics.patch
new file mode 100644
index 00000000000..28ac24d48da
--- /dev/null
+++ b/queue-5.4/pci-add-acs-quirk-for-broadcom-bcm5750x-nics.patch
@@ -0,0 +1,44 @@
+From 7b9c5394b48141843db3cafd94b572c4660baf1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Jun 2022 13:41:47 -0400
+Subject: PCI: Add ACS quirk for Broadcom BCM5750x NICs
+
+From: Pavan Chebbi
+
+[ Upstream commit afd306a65cedb9589564bdb23a0c368abc4215fd ]
+
+The Broadcom BCM5750x NICs may be multi-function devices. They do not
+advertise ACS capability. Peer-to-peer transactions are not possible
+between the individual functions, so it is safe to treat them as fully
+isolated.
+
+Add an ACS quirk for these devices so the functions can be in independent
+IOMMU groups and attached individually to userspace applications using
+VFIO.
+
+Link: https://lore.kernel.org/r/1654796507-28610-1-git-send-email-michael.chan@broadcom.com
+Signed-off-by: Pavan Chebbi
+Signed-off-by: Michael Chan
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 2a4bc8df8563..8b98b7f3eb24 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4943,6 +4943,9 @@ static const struct pci_dev_acs_enabled {
+ { PCI_VENDOR_ID_AMPERE, 0xE00C, pci_quirk_xgene_acs },
+ /* Broadcom multi-function device */
+ { PCI_VENDOR_ID_BROADCOM, 0x16D7, pci_quirk_mf_endpoint_acs },
++ { PCI_VENDOR_ID_BROADCOM, 0x1750, pci_quirk_mf_endpoint_acs },
++ { PCI_VENDOR_ID_BROADCOM, 0x1751, pci_quirk_mf_endpoint_acs },
++ { PCI_VENDOR_ID_BROADCOM, 0x1752, pci_quirk_mf_endpoint_acs },
+ { PCI_VENDOR_ID_BROADCOM, 0xD714, pci_quirk_brcm_acs },
+ /* Amazon Annapurna Labs */
+ { PCI_VENDOR_ID_AMAZON_ANNAPURNA_LABS, 0x0031, pci_quirk_al_acs },
+--
+2.35.1
+
diff --git a/queue-5.4/powerpc-32-don-t-always-pass-mcpu-powerpc-to-the-com.patch b/queue-5.4/powerpc-32-don-t-always-pass-mcpu-powerpc-to-the-com.patch
new file mode 100644
index 00000000000..ca40e80860b
--- /dev/null
+++ b/queue-5.4/powerpc-32-don-t-always-pass-mcpu-powerpc-to-the-com.patch
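Review bot: The three new entries for device IDs 0x1750, 0x1751 and 0x1752 rest entirely on the statement in the description that peer-to-peer transactions between the functions are not possible, and nothing in the table records that. Because `pci_quirk_mf_endpoint_acs` lets each function be placed in its own IOMMU group and handed to a separate VFIO user, the isolation assumption is a security boundary and should be stated next to the IDs, for example `/* BCM5750x: no ACS capability; vendor states functions cannot do peer-to-peer */`. The existing comment `/* Broadcom multi-function device */` is singular and now sits above four devices.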
@@ -0,0 +1,151 @@
+From 55033a5763c92c994f578a19bd40ab949e5db342 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Jul 2022 16:19:30 +0200
+Subject: powerpc/32: Don't always pass -mcpu=powerpc to the compiler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christophe Leroy
+
+[ Upstream commit 446cda1b21d9a6b3697fe399c6a3a00ff4a285f5 ]
+
+Since commit 4bf4f42a2feb ("powerpc/kbuild: Set default generic
+machine type for 32-bit compile"), when building a 32 bits kernel
+with a bi-arch version of GCC, or when building a book3s/32 kernel,
+the option -mcpu=powerpc is passed to GCC at all time, relying on it
+being eventually overriden by a subsequent -mcpu=xxxx.
+
+But when building the same kernel with a 32 bits only version of GCC,
+that is not done, relying on gcc being built with the expected default
+CPU.
+
+This logic has two problems. First, it is a bit fragile to rely on
+whether the GCC version is bi-arch or not, because today we can have
+bi-arch versions of GCC configured with a 32 bits default. Second,
+there are some versions of GCC which don't support -mcpu=powerpc,
+for instance for e500 SPE-only versions.
+
+So, stop relying on this approximative logic and allow the user to
+decide whether he/she wants to use the toolchain's default CPU or if
+he/she wants to set one, and allow only possible CPUs based on the
+selected target.
+
+Reported-by: Pali Rohár
+Signed-off-by: Christophe Leroy
+Tested-by: Pali Rohár
+Reviewed-by: Arnd Bergmann
+Reviewed-by: Segher Boessenkool
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/d4df724691351531bf46d685d654689e5dfa0d74.1657549153.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/Makefile | 26 +-------------------------
+ arch/powerpc/platforms/Kconfig.cputype | 21 ++++++++++++++++++---
+ 2 files changed, 19 insertions(+), 28 deletions(-)
+
+diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
+index b9d2fcf030d0..eedd114a017c 100644
+--- a/arch/powerpc/Makefile
++++ b/arch/powerpc/Makefile
+@@ -17,23 +17,6 @@ HAS_BIARCH := $(call cc-option-yn, -m32)
+ # Set default 32 bits cross compilers for vdso and boot wrapper
+ CROSS32_COMPILE ?=
+
+-ifeq ($(HAS_BIARCH),y)
+-ifeq ($(CROSS32_COMPILE),)
+-ifdef CONFIG_PPC32
+-# These options will be overridden by any -mcpu option that the CPU
+-# or platform code sets later on the command line, but they are needed
+-# to set a sane 32-bit cpu target for the 64-bit cross compiler which
+-# may default to the wrong ISA.
+-KBUILD_CFLAGS += -mcpu=powerpc
+-KBUILD_AFLAGS += -mcpu=powerpc
+-endif
+-endif
+-endif
+-
+-ifdef CONFIG_PPC_BOOK3S_32
+-KBUILD_CFLAGS += -mcpu=powerpc
+-endif
+-
+ # If we're on a ppc/ppc64/ppc64le machine use that defconfig, otherwise just use
+ # ppc64_defconfig because we have nothing better to go on.
+ uname := $(shell uname -m)
+@@ -192,6 +175,7 @@ endif
+ endif
+
+ CFLAGS-$(CONFIG_TARGET_CPU_BOOL) += $(call cc-option,-mcpu=$(CONFIG_TARGET_CPU))
++AFLAGS-$(CONFIG_TARGET_CPU_BOOL) += $(call cc-option,-mcpu=$(CONFIG_TARGET_CPU))
+
+ # Altivec option not allowed with e500mc64 in GCC.
+ ifdef CONFIG_ALTIVEC
+@@ -202,14 +186,6 @@ endif
+ CFLAGS-$(CONFIG_E5500_CPU) += $(E5500_CPU)
+ CFLAGS-$(CONFIG_E6500_CPU) += $(call cc-option,-mcpu=e6500,$(E5500_CPU))
+
+-ifdef CONFIG_PPC32
+-ifdef CONFIG_PPC_E500MC
+-CFLAGS-y += $(call cc-option,-mcpu=e500mc,-mcpu=powerpc)
+-else
+-CFLAGS-$(CONFIG_E500) += $(call cc-option,-mcpu=8540 -msoft-float,-mcpu=powerpc)
+-endif
+-endif
+-
+ asinstr := $(call as-instr,lis 9$(comma)foo@high,-DHAVE_AS_ATHIGH=1)
+
+ KBUILD_CPPFLAGS += -I $(srctree)/arch/$(ARCH) $(asinstr)
+diff --git a/arch/powerpc/platforms/Kconfig.cputype b/arch/powerpc/platforms/Kconfig.cputype
+index a9b20aa1dfd4..325dc8b53422 100644
+--- a/arch/powerpc/platforms/Kconfig.cputype
++++ b/arch/powerpc/platforms/Kconfig.cputype
+@@ -118,9 +118,9 @@ config GENERIC_CPU
+ depends on PPC64 && CPU_LITTLE_ENDIAN
+ select ARCH_HAS_FAST_MULTIPLIER
+
+-config GENERIC_CPU
++config POWERPC_CPU
+ bool "Generic 32 bits powerpc"
+- depends on PPC32 && !PPC_8xx
++ depends on PPC32 && !PPC_8xx && !PPC_85xx
+
+ config CELL_CPU
+ bool "Cell Broadband Engine"
+@@ -174,11 +174,23 @@ config G4_CPU
+ depends on PPC_BOOK3S_32
+ select ALTIVEC
+
++config E500_CPU
++ bool "e500 (8540)"
++ depends on PPC_85xx && !PPC_E500MC
++
++config E500MC_CPU
++ bool "e500mc"
++ depends on PPC_85xx && PPC_E500MC
++
++config TOOLCHAIN_DEFAULT_CPU
++ bool "Rely on the toolchain's implicit default CPU"
++ depends on PPC32
++
+ endchoice
+
+ config TARGET_CPU_BOOL
+ bool
+- default !GENERIC_CPU
++ default !GENERIC_CPU && !TOOLCHAIN_DEFAULT_CPU
+
+ config TARGET_CPU
+ string
+@@ -193,6 +205,9 @@ config TARGET_CPU
+ default "e300c2" if E300C2_CPU
+ default "e300c3" if E300C3_CPU
+ default "G4" if G4_CPU
++ default "8540" if E500_CPU
++ default "e500mc" if E500MC_CPU
++ default "powerpc" if POWERPC_CPU
+
+ config PPC_BOOK3S
+ def_bool y
+--
+2.35.1
+
diff --git a/queue-5.4/powerpc-64-init-jump-labels-before-parse_early_param.patch b/queue-5.4/powerpc-64-init-jump-labels-before-parse_early_param.patch
new file mode 100644
index 00000000000..b9aecaecc31
--- /dev/null
+++ b/queue-5.4/powerpc-64-init-jump-labels-before-parse_early_param.patch
@@ -0,0 +1,65 @@
+From 2a98ae79c073505115fe2ea8391d6bec751d65c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Jul 2022 09:57:47 +0800
+Subject: powerpc/64: Init jump labels before parse_early_param()
+
+From: Zhouyi Zhou
+
+[ Upstream commit ca829e05d3d4f728810cc5e4b468d9ebc7745eb3 ]
+
+On 64-bit, calling jump_label_init() in setup_feature_keys() is too
+late because static keys may be used in subroutines of
+parse_early_param() which is again subroutine of early_init_devtree().
+
+For example booting with "threadirqs":
+
+ static_key_enable_cpuslocked(): static key '0xc000000002953260' used before call to jump_label_init()
+ WARNING: CPU: 0 PID: 0 at kernel/jump_label.c:166 static_key_enable_cpuslocked+0xfc/0x120
+ ...
+ NIP static_key_enable_cpuslocked+0xfc/0x120
+ LR static_key_enable_cpuslocked+0xf8/0x120
+ Call Trace:
+ static_key_enable_cpuslocked+0xf8/0x120 (unreliable)
+ static_key_enable+0x30/0x50
+ setup_forced_irqthreads+0x28/0x40
+ do_early_param+0xa0/0x108
+ parse_args+0x290/0x4e0
+ parse_early_options+0x48/0x5c
+ parse_early_param+0x58/0x84
+ early_init_devtree+0xd4/0x518
+ early_setup+0xb4/0x214
+
+So call jump_label_init() just before parse_early_param() in
+early_init_devtree().
+
+Suggested-by: Michael Ellerman
+Signed-off-by: Zhouyi Zhou
+[mpe: Add call trace to change log and minor wording edits.]
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220726015747.11754-1-zhouzhouyi@gmail.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/kernel/prom.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c
+index 537142b877b8..d1ba17501343 100644
+--- a/arch/powerpc/kernel/prom.c
++++ b/arch/powerpc/kernel/prom.c
+@@ -740,6 +740,13 @@ void __init early_init_devtree(void *params)
+ of_scan_flat_dt(early_init_dt_scan_root, NULL);
+ of_scan_flat_dt(early_init_dt_scan_memory_ppc, NULL);
+
++ /*
++ * As generic code authors expect to be able to use static keys
++ * in early_param() handlers, we initialize the static keys just
++ * before parsing early params (it's fine to call jump_label_init()
++ * more than once).
++ */
++ jump_label_init();
+ parse_early_param();
+
+ /* make sure we've parsed cmdline for mem= before this */
+--
+2.35.1
+
diff --git a/queue-5.4/risc-v-add-fast-call-path-of-crash_kexec.patch b/queue-5.4/risc-v-add-fast-call-path-of-crash_kexec.patch
new file mode 100644
index 00000000000..099ffb8bf54
--- /dev/null
+++ b/queue-5.4/risc-v-add-fast-call-path-of-crash_kexec.patch
@@ -0,0 +1,73 @@
+From 50a6d6e5ca84b11c8ac9cc5e26c08a3181bf2720 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Jun 2022 16:23:08 +0800
+Subject: RISC-V: Add fast call path of crash_kexec()
+
+From: Xianting Tian
+
+[ Upstream commit 3f1901110a89b0e2e13adb2ac8d1a7102879ea98 ]
+
+Currently, almost all archs (x86, arm64, mips...) support fast call
+of crash_kexec() when "regs && kexec_should_crash()" is true. But
+RISC-V not, it can only enter crash system via panic(). However panic()
+doesn't pass the regs of the real accident scene to crash_kexec(),
+it caused we can't get accurate backtrace via gdb,
+ $ riscv64-linux-gnu-gdb vmlinux vmcore
+ Reading symbols from vmlinux...
+ [New LWP 95]
+ #0 console_unlock () at kernel/printk/printk.c:2557
+ 2557 if (do_cond_resched)
+ (gdb) bt
+ #0 console_unlock () at kernel/printk/printk.c:2557
+ #1 0x0000000000000000 in ?? ()
+
+With the patch we can get the accurate backtrace,
+ $ riscv64-linux-gnu-gdb vmlinux vmcore
+ Reading symbols from vmlinux...
+ [New LWP 95]
+ #0 0xffffffe00063a4e0 in test_thread (data=) at drivers/test_crash.c:81
+ 81 *(int *)p = 0xdead;
+ (gdb)
+ (gdb) bt
+ #0 0xffffffe00064d5c0 in test_thread (data=) at drivers/test_crash.c:81
+ #1 0x0000000000000000 in ?? ()
+
+Test code to produce NULL address dereference in test_crash.c,
+ void *p = NULL;
+ *(int *)p = 0xdead;
+
+Reviewed-by: Guo Ren
+Tested-by: Xianting Tian
+Signed-off-by: Xianting Tian
+Link: https://lore.kernel.org/r/20220606082308.2883458-1-xianting.tian@linux.alibaba.com
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/kernel/traps.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
+index 473de3ae8bb7..ae462037910b 100644
+--- a/arch/riscv/kernel/traps.c
++++ b/arch/riscv/kernel/traps.c
+@@ -15,6 +15,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -43,6 +44,9 @@ void die(struct pt_regs *regs, const char *str)
+
+ ret = notify_die(DIE_OOPS, str, regs, 0, regs->scause, SIGSEGV);
+
++ if (regs && kexec_should_crash(current))
++ crash_kexec(regs);
++
+ bust_spinlocks(0);
+ add_taint(TAINT_DIE, LOCKDEP_NOW_UNRELIABLE);
+ spin_unlock_irq(&die_lock);
+--
+2.35.1
+
diff --git a/queue-5.4/riscv-dts-sifive-add-fu540-topology-information.patch b/queue-5.4/riscv-dts-sifive-add-fu540-topology-information.patch
new file mode 100644
index 00000000000..faee1eeddb7
--- /dev/null
+++ b/queue-5.4/riscv-dts-sifive-add-fu540-topology-information.patch
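Review bot: The `regs &&` test in the added `if (regs && kexec_should_crash(current))` comes too late to protect anything, because the context line just above already evaluates `regs->scause` in the `notify_die()` call. Either `regs` can never be NULL in `die()` and the condition should read `if (kexec_should_crash(current))`, or it can be NULL and the `notify_die()` argument needs the same guard. `crash_kexec(regs)` is also reached before `spin_unlock_irq(&die_lock)`, so it runs with `die_lock` held; that is consistent with a path not expected to return, but a one-line comment saying so would help the next reader. The body of `die()` starts and continues outside the hunk.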
@@ -0,0 +1,60 @@
+From d26c6f87f0b6235fd86fe3d4b83e1c02aeb6a872 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Jul 2022 20:04:33 +0100
+Subject: riscv: dts: sifive: Add fu540 topology information
+
+From: Conor Dooley
+
+[ Upstream commit af8f260abc608c06e4466a282b53f1e2dc09f042 ]
+
+The fu540 has no cpu-map node, so tools like hwloc cannot correctly
+parse the topology. Add the node using the existing node labels.
+
+Reported-by: Brice Goglin
+Link: https://github.com/open-mpi/hwloc/issues/536
+Signed-off-by: Conor Dooley
+Link: https://lore.kernel.org/r/20220705190435.1790466-3-mail@conchuod.ie
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/boot/dts/sifive/fu540-c000.dtsi | 24 ++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/arch/riscv/boot/dts/sifive/fu540-c000.dtsi b/arch/riscv/boot/dts/sifive/fu540-c000.dtsi
+index afa43c7ea369..0e4514f32576 100644
+--- a/arch/riscv/boot/dts/sifive/fu540-c000.dtsi
++++ b/arch/riscv/boot/dts/sifive/fu540-c000.dtsi
+@@ -129,6 +129,30 @@
+ interrupt-controller;
+ };
+ };
++
++ cpu-map {
++ cluster0 {
++ core0 {
++ cpu = <&cpu0>;
++ };
++
++ core1 {
++ cpu = <&cpu1>;
++ };
++
++ core2 {
++ cpu = <&cpu2>;
++ };
++
++ core3 {
++ cpu = <&cpu3>;
++ };
++
++ core4 {
++ cpu = <&cpu4>;
++ };
++ };
++ };
+ };
+ soc {
+ #address-cells = <2>;
+--
+2.35.1
+
diff --git a/queue-5.4/riscv-mmap-with-prot_write-but-no-prot_read-is-inval.patch b/queue-5.4/riscv-mmap-with-prot_write-but-no-prot_read-is-inval.patch
new file mode 100644
index 00000000000..c70c61430e7
--- /dev/null
+++ b/queue-5.4/riscv-mmap-with-prot_write-but-no-prot_read-is-inval.patch
@@ -0,0 +1,47 @@
+From a888111652b612c3965410bcb6a468ae0edbb0f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 31 May 2022 15:56:52 +0800
+Subject: riscv: mmap with PROT_WRITE but no PROT_READ is invalid
+
+From: Celeste Liu
+
+[ Upstream commit 2139619bcad7ac44cc8f6f749089120594056613 ]
+
+As mentioned in Table 4.5 in RISC-V spec Volume 2 Section 4.3, write
+but not read is "Reserved for future use.". For now, they are not valid.
+In the current code, -wx is marked as invalid, but -w- is not marked
+as invalid.
+This patch refines that judgment.
+
+Reported-by: xctan
+Co-developed-by: dram
+Signed-off-by: dram
+Co-developed-by: Ruizhe Pan
+Signed-off-by: Ruizhe Pan
+Signed-off-by: Celeste Liu
+Link: https://lore.kernel.org/r/PH7PR14MB559464DBDD310E755F5B21E8CEDC9@PH7PR14MB5594.namprd14.prod.outlook.com
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/kernel/sys_riscv.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/riscv/kernel/sys_riscv.c b/arch/riscv/kernel/sys_riscv.c
+index 12f8a7fce78b..8a7880b9c433 100644
+--- a/arch/riscv/kernel/sys_riscv.c
++++ b/arch/riscv/kernel/sys_riscv.c
+@@ -18,9 +18,8 @@ static long riscv_sys_mmap(unsigned long addr, unsigned long len,
+ if (unlikely(offset & (~PAGE_MASK >> page_shift_offset)))
+ return -EINVAL;
+
+- if ((prot & PROT_WRITE) && (prot & PROT_EXEC))
+- if (unlikely(!(prot & PROT_READ)))
+- return -EINVAL;
++ if (unlikely((prot & PROT_WRITE) && !(prot & PROT_READ)))
++ return -EINVAL;
+
+ return ksys_mmap_pgoff(addr, len, prot, flags, fd,
+ offset >> (PAGE_SHIFT - page_shift_offset));
+--
+2.35.1
+
diff --git a/queue-5.4/scsi-lpfc-prevent-buffer-overflow-crashes-in-debugfs.patch b/queue-5.4/scsi-lpfc-prevent-buffer-overflow-crashes-in-debugfs.patch
new file mode 100644
index 00000000000..4c7ccd0951b
--- /dev/null
+++ b/queue-5.4/scsi-lpfc-prevent-buffer-overflow-crashes-in-debugfs.patch
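Review bot: The new test `(prot & PROT_WRITE) && !(prot & PROT_READ)` makes every write-only `mmap()` request fail with -EINVAL, which is a user-visible behaviour change for programs that ask for `PROT_WRITE` alone, and the hunk carries no comment explaining why. A comment above the check such as `/* W without R is reserved in the RISC-V PTE encoding */` would record the reason given in the description. The check lives only in `riscv_sys_mmap()`; whether the same combination can still be requested through `mprotect()` cannot be seen from this hunk and is worth confirming, since otherwise the restriction is applied inconsistently. The function starts outside the hunk.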
@@ -0,0 +1,86 @@
+From c0ac250e4fdfbcdb1e39113162842f8edbc820e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 1 Jul 2022 14:14:15 -0700
+Subject: scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed
+ user input
+
+From: James Smart
+
+[ Upstream commit f8191d40aa612981ce897e66cda6a88db8df17bb ]
+
+Malformed user input to debugfs results in buffer overflow crashes. Adapt
+input string lengths to fit within internal buffers, leaving space for NULL
+terminators.
+
+Link: https://lore.kernel.org/r/20220701211425.2708-3-jsmart2021@gmail.com
+Co-developed-by: Justin Tee
+Signed-off-by: Justin Tee
+Signed-off-by: James Smart
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/lpfc/lpfc_debugfs.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
+index e15bb3dfe995..69551132f304 100644
+--- a/drivers/scsi/lpfc/lpfc_debugfs.c
++++ b/drivers/scsi/lpfc/lpfc_debugfs.c
+@@ -2402,8 +2402,8 @@ lpfc_debugfs_multixripools_write(struct file *file, const char __user *buf,
+ struct lpfc_sli4_hdw_queue *qp;
+ struct lpfc_multixri_pool *multixri_pool;
+
+- if (nbytes > 64)
+- nbytes = 64;
++ if (nbytes > sizeof(mybuf) - 1)
++ nbytes = sizeof(mybuf) - 1;
+
+ /* Protect copy from user */
+ if (!access_ok(buf, nbytes))
+@@ -2487,8 +2487,8 @@ lpfc_debugfs_nvmestat_write(struct file *file, const char __user *buf,
+ if (!phba->targetport)
+ return -ENXIO;
+
+- if (nbytes > 64)
+- nbytes = 64;
++ if (nbytes > sizeof(mybuf) - 1)
++ nbytes = sizeof(mybuf) - 1;
+
+ memset(mybuf, 0, sizeof(mybuf));
+
+@@ -2629,8 +2629,8 @@ lpfc_debugfs_nvmektime_write(struct file *file, const char __user *buf,
+ char mybuf[64];
+ char *pbuf;
+
+- if (nbytes > 64)
+- nbytes = 64;
++ if (nbytes > sizeof(mybuf) - 1)
++ nbytes = sizeof(mybuf) - 1;
+
+ memset(mybuf, 0, sizeof(mybuf));
+
+@@ -2757,8 +2757,8 @@ lpfc_debugfs_nvmeio_trc_write(struct file *file, const char __user *buf,
+ char mybuf[64];
+ char *pbuf;
+
+- if (nbytes > 63)
+- nbytes = 63;
++ if (nbytes > sizeof(mybuf) - 1)
++ nbytes = sizeof(mybuf) - 1;
+
+ memset(mybuf, 0, sizeof(mybuf));
+
+@@ -2863,8 +2863,8 @@ lpfc_debugfs_cpucheck_write(struct file *file, const char __user *buf,
+ char *pbuf;
+ int i, j;
+
+- if (nbytes > 64)
+- nbytes = 64;
++ if (nbytes > sizeof(mybuf) - 1)
++ nbytes = sizeof(mybuf) - 1;
+
+ memset(mybuf, 0, sizeof(mybuf));
+
+--
+2.35.1
+
diff --git a/queue-5.4/selftests-kprobe-do-not-test-for-grp-without-event-f.patch b/queue-5.4/selftests-kprobe-do-not-test-for-grp-without-event-f.patch
new file mode 100644
index 00000000000..e69700ce85c
--- /dev/null
+++ b/queue-5.4/selftests-kprobe-do-not-test-for-grp-without-event-f.patch
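Review bot: Clamping to `sizeof(mybuf) - 1` yields a NUL-terminated string only if the buffer is zeroed before the copy; `memset(mybuf, 0, sizeof(mybuf))` is visible in the nvmestat, nvmektime, nvmeio_trc and cpucheck hunks but not in the `lpfc_debugfs_multixripools_write()` hunk, where only `access_ok()` follows the clamp. That function continues outside the hunk, so confirm it zeroes or explicitly terminates `mybuf` before the input is parsed. The same two-line clamp is repeated in five handlers; a comment at each site such as `/* leave room for the terminating NUL */`, or one small shared helper, would keep a later handler from reintroducing a bare `64`. Input longer than the buffer is truncated silently, and whether the handlers' return value reflects that is not visible here.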
@@ -0,0 +1,50 @@
+From c894858bffcfba2a61f9fef7296c00a1cda791a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Jul 2022 16:17:07 -0400
+Subject: selftests/kprobe: Do not test for GRP/ without event failures
+
+From: Steven Rostedt (Google)
+
+[ Upstream commit f5eab65ff2b76449286d18efc7fee3e0b72f7d9b ]
+
+A new feature is added where kprobes (and other probes) do not need to
+explicitly state the event name when creating a probe. The event name will
+come from what is being attached.
+
+That is:
+
+ # echo 'p:foo/ vfs_read' > kprobe_events
+
+Will no longer error, but instead create an event:
+
+ # cat kprobe_events
+ p:foo/p_vfs_read_0 vfs_read
+
+This should not be tested as an error case anymore. Remove it from the
+selftest as now this feature "breaks" the selftest as it no longer fails
+as expected.
+
+Link: https://lore.kernel.org/all/1656296348-16111-1-git-send-email-quic_linyyuan@quicinc.com/
+Link: https://lkml.kernel.org/r/20220712161707.6dc08a14@gandalf.local.home
+
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Sasha Levin
+---
+ .../selftests/ftrace/test.d/kprobe/kprobe_syntax_errors.tc | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_syntax_errors.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_syntax_errors.tc
+index ef1e9bafb098..728c2762ee58 100644
+--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_syntax_errors.tc
++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_syntax_errors.tc
+@@ -24,7 +24,6 @@ check_error 'p:^/bar vfs_read' # NO_GROUP_NAME
+ check_error 'p:^12345678901234567890123456789012345678901234567890123456789012345/bar vfs_read' # GROUP_TOO_LONG
+
+ check_error 'p:^foo.1/bar vfs_read' # BAD_GROUP_NAME
+-check_error 'p:foo/^ vfs_read' # NO_EVENT_NAME
+ check_error 'p:foo/^12345678901234567890123456789012345678901234567890123456789012345 vfs_read' # EVENT_TOO_LONG
+ check_error 'p:foo/^bar.1 vfs_read' # BAD_EVENT_NAME
+
+--
+2.35.1
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 41883a7348b..e8d98f45661 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -344,3 +344,42 @@ i40e-fix-to-stop-tx_timeout-recovery-if-globr-fails.patch
 fec-fix-timer-capture-timing-in-fec_ptp_enable_pps.patch
 igb-add-lock-to-avoid-data-race.patch
 gcc-plugins-undefine-latent_entropy_plugin-when-plugin-disabled-for-a-file.patch
+kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch
+tee-add-overflow-check-in-register_shm_helper.patch-3415
+drm-meson-fix-refcount-bugs-in-meson_vpu_has_availab.patch
+pci-add-acs-quirk-for-broadcom-bcm5750x-nics.patch
+usb-cdns3-fix-use-after-free-at-workaround-2.patch
+usb-gadget-uvc-call-uvc-uvcg_warn-on-completed-statu.patch
+irqchip-tegra-fix-overflow-implicit-truncation-warni.patch
+drm-meson-fix-overflow-implicit-truncation-warnings.patch
+usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch
+usb-renesas-fix-refcount-leak-bug.patch
+vboxguest-do-not-use-devm-for-irq.patch
+clk-qcom-ipq8074-dont-disable-gcc_sleep_clk_src.patch
+scsi-lpfc-prevent-buffer-overflow-crashes-in-debugfs.patch
+gadgetfs-ep_io-wait-until-irq-finishes.patch
+cxl-fix-a-memory-leak-in-an-error-handling-path.patch
+pci-acpi-guard-arm64-specific-mcfg_quirks.patch
+um-add-noreboot-command-line-option-for-panic_timeou.patch
+selftests-kprobe-do-not-test-for-grp-without-event-f.patch
+dmaengine-sprd-cleanup-in-.remove-after-pm_runtime_g.patch
+nvmet-tcp-fix-lockdep-complaint-on-nvmet_tcp_wq-flus.patch
+drivers-md-fix-a-potential-use-after-free-bug.patch
+ext4-avoid-remove-directory-when-directory-is-corrup.patch
+ext4-avoid-resizing-to-a-partial-cluster-size.patch
+lib-list_debug.c-detect-uninitialized-lists.patch
+tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch
+vfio-clear-the-caps-buf-to-null-after-free.patch
+mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch
+riscv-dts-sifive-add-fu540-topology-information.patch
+riscv-mmap-with-prot_write-but-no-prot_read-is-inval.patch
+risc-v-add-fast-call-path-of-crash_kexec.patch
+watchdog-export-lockup_detector_reconfigure.patch
+powerpc-32-don-t-always-pass-mcpu-powerpc-to-the-com.patch
+alsa-core-add-async-signal-helpers.patch
+alsa-timer-use-deferred-fasync-helper.patch
+f2fs-fix-to-avoid-use-f2fs_bug_on-in-f2fs_new_node_p.patch
+smb3-check-xattr-value-length-earlier.patch
+powerpc-64-init-jump-labels-before-parse_early_param.patch
+video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch
+mips-tlbex-explicitly-compare-_page_no_exec-against-.patch
diff --git a/queue-5.4/smb3-check-xattr-value-length-earlier.patch b/queue-5.4/smb3-check-xattr-value-length-earlier.patch
new file mode 100644
index 00000000000..0f0dbe60243
--- /dev/null
+++ b/queue-5.4/smb3-check-xattr-value-length-earlier.patch
@@ -0,0 +1,51 @@
+From cb515753fb9cf09781d3a1329c56e84954565fd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Jul 2022 11:43:44 -0500
+Subject: smb3: check xattr value length earlier
+
+From: Steve French
+
+[ Upstream commit 5fa2cffba0b82336a2244d941322eb1627ff787b ]
+
+Coverity complains about assigning a pointer based on
+value length before checking that value length goes
+beyond the end of the SMB. Although this is even more
+unlikely as value length is a single byte, and the
+pointer is not dereferenced until laterm, it is clearer
+to check the lengths first.
+
+Addresses-Coverity: 1467704 ("Speculative execution data leak")
+Reviewed-by: Ronnie Sahlberg
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/smb2ops.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 57164563eec6..6ae281cff0d5 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -960,9 +960,7 @@ move_smb2_ea_to_cifs(char *dst, size_t dst_size,
+ size_t name_len, value_len, user_name_len;
+
+ while (src_size > 0) {
+- name = &src->ea_data[0];
+ name_len = (size_t)src->ea_name_length;
+- value = &src->ea_data[src->ea_name_length + 1];
+ value_len = (size_t)le16_to_cpu(src->ea_value_length);
+
+ if (name_len == 0)
+@@ -974,6 +972,9 @@ move_smb2_ea_to_cifs(char *dst, size_t dst_size,
+ goto out;
+ }
+
++ name = &src->ea_data[0];
++ value = &src->ea_data[src->ea_name_length + 1];
++
+ if (ea_name) {
+ if (ea_name_len == name_len &&
+ memcmp(ea_name, name, name_len) == 0) {
+--
+2.35.1
+
diff --git a/queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch-3415 b/queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch-3415
new file mode 100644
index 00000000000..787e90e79b1
--- /dev/null
+++ b/queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch-3415
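Review bot: The relocated assignment `value = &src->ea_data[src->ea_name_length + 1];` reads the length out of the SMB entry a second time instead of using the `name_len` local that the preceding checks operate on. Writing it as `value = &src->ea_data[name_len + 1];` makes the checked value and the index the same by construction. The length checks themselves fall between the two inner hunks and are not visible, so this is about keeping them tied to the index, not a claim that they are insufficient.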
@@ -0,0 +1,65 @@
+From 33a8cb3b7eee713281a22f4e34f50a8137fc310c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Aug 2022 13:08:59 +0200
+Subject: tee: add overflow check in register_shm_helper()
+
+From: Jens Wiklander
+
+commit 573ae4f13f630d6660008f1974c0a8a29c30e18a upstream.
+
+With special lengths supplied by user space, register_shm_helper() has
+an integer overflow when calculating the number of pages covered by a
+supplied user space memory region.
+
+This causes internal_get_user_pages_fast() a helper function of
+pin_user_pages_fast() to do a NULL pointer dereference:
+
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
+ Modules linked in:
+ CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11
+ Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
+ pc : internal_get_user_pages_fast+0x474/0xa80
+ Call trace:
+ internal_get_user_pages_fast+0x474/0xa80
+ pin_user_pages_fast+0x24/0x4c
+ register_shm_helper+0x194/0x330
+ tee_shm_register_user_buf+0x78/0x120
+ tee_ioctl+0xd0/0x11a0
+ __arm64_sys_ioctl+0xa8/0xec
+ invoke_syscall+0x48/0x114
+
+Fix this by adding an an explicit call to access_ok() in
+tee_shm_register_user_buf() to catch an invalid user space address
+early.
+
+Fixes: 033ddf12bcf5 ("tee: add register user memory")
+Cc: stable@vger.kernel.org
+Reported-by: Nimish Mishra
+Reported-by: Anirban Chakraborty
+Reported-by: Debdeep Mukhopadhyay
+Suggested-by: Jerome Forissier
+Signed-off-by: Jens Wiklander
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tee/tee_shm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
+index 0d5ae8053049..6b8d112d492e 100644
+--- a/drivers/tee/tee_shm.c
++++ b/drivers/tee/tee_shm.c
+@@ -239,6 +239,9 @@ struct tee_shm *tee_shm_register(struct tee_context *ctx, unsigned long addr,
+ goto err;
+ }
+
++ if (!access_ok((void __user *)addr, length))
++ return ERR_PTR(-EFAULT);
++
+ mutex_lock(&teedev->mutex);
+ list_add_tail(&shm->link, &ctx->list_shm);
+ mutex_unlock(&teedev->mutex);
+--
+2.35.1
+
diff --git a/queue-5.4/tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch b/queue-5.4/tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch
new file mode 100644
index 00000000000..925fe85e787
--- /dev/null
+++ b/queue-5.4/tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch
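Review bot: The added `access_ok()` check in tee_shm_register() leaves with `return ERR_PTR(-EFAULT);` although the branch directly above it exits through `goto err;`, so whatever was set up earlier in the function (not visible in the hunk) presumably escapes the unwind on this path. Its position, immediately before `list_add_tail(&shm->link, &ctx->list_shm);`, also looks late: the description wants the invalid range rejected early, before the page-count calculation it mentions, and it names tee_shm_register_user_buf() as the place for the check. I would move the check to the top of the function ahead of any allocation or page pinning, or at minimum route the failure through the `err` label. The function starts and ends outside the hunk, so the exact placement has to be checked against the 5.4 source.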
@@ -0,0 +1,38 @@
+From 6a9c1d69ff8493ea32a45b44a11a2c80d7a0bc4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Jun 2022 14:08:50 +0800
+Subject: tty: serial: Fix refcount leak bug in ucc_uart.c
+
+From: Liang He
+
+[ Upstream commit d24d7bb2cd947676f9b71fb944d045e09b8b282f ]
+
+In soc_info(), of_find_node_by_type() will return a node pointer
+with refcount incremented. We should use of_node_put() when it is
+not used anymore.
+
+Acked-by: Timur Tabi
+Signed-off-by: Liang He
+Link: https://lore.kernel.org/r/20220618060850.4058525-1-windhl@126.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/ucc_uart.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/serial/ucc_uart.c b/drivers/tty/serial/ucc_uart.c
+index a0555ae2b1ef..181d55e0c60f 100644
+--- a/drivers/tty/serial/ucc_uart.c
++++ b/drivers/tty/serial/ucc_uart.c
+@@ -1141,6 +1141,8 @@ static unsigned int soc_info(unsigned int *rev_h, unsigned int *rev_l)
+ /* No compatible property, so try the name. */
+ soc_string = np->name;
+
++ of_node_put(np);
++
+ /* Extract the SOC number from the "PowerPC," string */
+ if ((sscanf(soc_string, "PowerPC,%u", &soc) != 1) || !soc)
+ return 0;
+--
+2.35.1
+
diff --git a/queue-5.4/um-add-noreboot-command-line-option-for-panic_timeou.patch b/queue-5.4/um-add-noreboot-command-line-option-for-panic_timeou.patch
new file mode 100644
index 00000000000..394f9a87c8c
--- /dev/null
+++ b/queue-5.4/um-add-noreboot-command-line-option-for-panic_timeou.patch
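Review bot: `of_node_put(np);` is placed after `soc_string = np->name;` but before `sscanf(soc_string, ...)`, so on the name fallback the string is read out of the node after the reference has been dropped. Whether the node can actually be released at that point is not visible here, but holding the reference across the parse removes the question: `n = sscanf(soc_string, "PowerPC,%u", &soc);`, then `of_node_put(np);`, then `if (n != 1 || !soc) return 0;`. If soc_string was instead taken from a property of np earlier in the function, the same lifetime concern presumably applies. soc_info() starts and ends outside the hunk.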
@@ -0,0 +1,63 @@
+From 29b98eba433085bfbda6d310305ed9c1b1683b17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Jul 2022 13:56:17 +0200
+Subject: um: add "noreboot" command line option for PANIC_TIMEOUT=-1 setups
+
+From: Jason A. Donenfeld
+
+[ Upstream commit dda520d07b95072a0b63f6c52a8eb566d08ea897 ]
+
+QEMU has a -no-reboot option, which halts instead of reboots when the
+guest asks to reboot. This is invaluable when used with
+CONFIG_PANIC_TIMEOUT=-1 (and panic_on_warn), because it allows panics
+and warnings to be caught immediately in CI. Implement this in UML too,
+by way of a basic setup param.
+
+Signed-off-by: Jason A. Donenfeld
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ arch/um/os-Linux/skas/process.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/arch/um/os-Linux/skas/process.c b/arch/um/os-Linux/skas/process.c
+index 4fb877b99dde..0571cc0a30fc 100644
+--- a/arch/um/os-Linux/skas/process.c
++++ b/arch/um/os-Linux/skas/process.c
+@@ -5,6 +5,7 @@
+ */
+
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -641,10 +642,24 @@ void halt_skas(void)
+ UML_LONGJMP(&initial_jmpbuf, INIT_JMP_HALT);
+ }
+
++static bool noreboot;
++
++static int __init noreboot_cmd_param(char *str, int *add)
++{
++ noreboot = true;
++ return 0;
++}
++
++__uml_setup("noreboot", noreboot_cmd_param,
++"noreboot\n"
++" Rather than rebooting, exit always, akin to QEMU's -no-reboot option.\n"
++" This is useful if you're using CONFIG_PANIC_TIMEOUT in order to catch\n"
++" crashes in CI\n");
++
+ void reboot_skas(void)
+ {
+ block_signals_trace();
+- UML_LONGJMP(&initial_jmpbuf, INIT_JMP_REBOOT);
++ UML_LONGJMP(&initial_jmpbuf, noreboot ? INIT_JMP_HALT : INIT_JMP_REBOOT);
+ }
+
+ void __switch_mm(struct mm_id *mm_idp)
+--
+2.35.1
+
diff --git a/queue-5.4/usb-cdns3-fix-use-after-free-at-workaround-2.patch b/queue-5.4/usb-cdns3-fix-use-after-free-at-workaround-2.patch
new file mode 100644
index 00000000000..1c9ce50cb28
--- /dev/null
+++ b/queue-5.4/usb-cdns3-fix-use-after-free-at-workaround-2.patch
@@ -0,0 +1,53 @@
+From 495321267347df7509a5f91cbd15a248485117fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Jun 2022 14:04:30 -0500
+Subject: usb: cdns3 fix use-after-free at workaround 2
+
+From: Frank Li
+
+[ Upstream commit 7d602f30149a117eea260208b1661bc404c21dfd ]
+
+BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xac
+
+cdns3_wa2_remove_old_request()
+{
+ ...
+ kfree(priv_req->request.buf);
+ cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request);
+ list_del_init(&priv_req->list);
+ ^^^ use after free
+ ...
+}
+
+cdns3_gadget_ep_free_request() free the space pointed by priv_req,
+but priv_req is used in the following list_del_init().
+
+This patch move list_del_init() before cdns3_gadget_ep_free_request().
+
+Signed-off-by: Frank Li
+Signed-off-by: Faqiang Zhu
+Link: https://lore.kernel.org/r/20220608190430.2814358-1-Frank.Li@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/cdns3/gadget.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/cdns3/gadget.c b/drivers/usb/cdns3/gadget.c
+index 296f2ee1b680..a9399f2b3930 100644
+--- a/drivers/usb/cdns3/gadget.c
++++ b/drivers/usb/cdns3/gadget.c
+@@ -549,9 +549,9 @@ static void cdns3_wa2_remove_old_request(struct cdns3_endpoint *priv_ep)
+ trace_cdns3_wa2(priv_ep, "removes eldest request");
+
+ kfree(priv_req->request.buf);
++ list_del_init(&priv_req->list);
+ cdns3_gadget_ep_free_request(&priv_ep->endpoint,
+ &priv_req->request);
+- list_del_init(&priv_req->list);
+ --priv_ep->wa2_counter;
+
+ if (!chain)
+--
+2.35.1
+
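Review bot: The new statement order in cdns3_wa2_remove_old_request() is only correct because cdns3_gadget_ep_free_request() releases priv_req, and nothing in the code says so. A one-line comment above the unlink, `/* unlink first: cdns3_gadget_ep_free_request() frees priv_req */`, would keep a later tidy-up from moving `list_del_init(&priv_req->list);` back below the free. The `--priv_ep->wa2_counter;` that follows touches priv_ep only, so it is fine where it is. The function starts and ends outside the hunk.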
diff --git a/queue-5.4/usb-gadget-uvc-call-uvc-uvcg_warn-on-completed-statu.patch b/queue-5.4/usb-gadget-uvc-call-uvc-uvcg_warn-on-completed-statu.patch
new file mode 100644
index 00000000000..867928aa878
--- /dev/null
+++ b/queue-5.4/usb-gadget-uvc-call-uvc-uvcg_warn-on-completed-statu.patch
@@ -0,0 +1,39 @@
+From 1d122154599310d3949142c18220cec1ae5c62ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 30 May 2022 00:38:48 +0200
+Subject: usb: gadget: uvc: call uvc uvcg_warn on completed status instead of
+ uvcg_info
+
+From: Michael Grzeschik
+
+[ Upstream commit a725d0f6dfc5d3739d6499f30ec865305ba3544d ]
+
+Likewise to the uvcvideo hostside driver, this patch is changing the
+usb_request message of an non zero completion handler call from dev_info
+to dev_warn.
+
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Michael Grzeschik
+Link: https://lore.kernel.org/r/20220529223848.105914-4-m.grzeschik@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/function/uvc_video.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
+index 5c042f380708..f9fad639a489 100644
+--- a/drivers/usb/gadget/function/uvc_video.c
++++ b/drivers/usb/gadget/function/uvc_video.c
+@@ -191,7 +191,7 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
+ goto requeue;
+
+ default:
+- uvcg_info(&video->uvc->func,
++ uvcg_warn(&video->uvc->func,
+ "VS request completed with status %d.\n",
+ req->status);
+ uvcg_queue_cancel(queue, 0);
+--
+2.35.1
+
diff --git a/queue-5.4/usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch b/queue-5.4/usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch
new file mode 100644
index 00000000000..a78c91f1f52
--- /dev/null
+++ b/queue-5.4/usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch
@@ -0,0 +1,37 @@
+From 67361f7e69e8de20a694011829151748beb206e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Jun 2022 11:46:37 +0800
+Subject: usb: host: ohci-ppc-of: Fix refcount leak bug
+
+From: Liang He
+
+[ Upstream commit 40a959d7042bb7711e404ad2318b30e9f92c6b9b ]
+
+In ohci_hcd_ppc_of_probe(), of_find_compatible_node() will return
+a node pointer with refcount incremented. We should use of_node_put()
+when it is not used anymore.
+
+Acked-by: Alan Stern
+Signed-off-by: Liang He
+Link: https://lore.kernel.org/r/20220617034637.4003115-1-windhl@126.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/host/ohci-ppc-of.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/host/ohci-ppc-of.c b/drivers/usb/host/ohci-ppc-of.c
+index 45f7cceb6df3..98e46725999e 100644
+--- a/drivers/usb/host/ohci-ppc-of.c
++++ b/drivers/usb/host/ohci-ppc-of.c
+@@ -169,6 +169,7 @@ static int ohci_hcd_ppc_of_probe(struct platform_device *op)
+ release_mem_region(res.start, 0x4);
+ } else
+ pr_debug("%s: cannot get ehci offset from fdt\n", __FILE__);
++ of_node_put(np);
+ }
+
+ irq_dispose_mapping(irq);
+--
+2.35.1
+
diff --git a/queue-5.4/usb-renesas-fix-refcount-leak-bug.patch b/queue-5.4/usb-renesas-fix-refcount-leak-bug.patch
new file mode 100644
index 00000000000..598bdd95226
--- /dev/null
+++ b/queue-5.4/usb-renesas-fix-refcount-leak-bug.patch
@@ -0,0 +1,39 @@
+From bcae5c28c3cb59cb3fa3f4a2f8e92d541b4bf3be Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Jun 2022 10:32:05 +0800
+Subject: usb: renesas: Fix refcount leak bug
+
+From: Liang He
+
+[ Upstream commit 9d6d5303c39b8bc182475b22f45504106a07f086 ]
+
+In usbhs_rza1_hardware_init(), of_find_node_by_name() will return
+a node pointer with refcount incremented. We should use of_node_put()
+when it is not used anymore.
+
+Signed-off-by: Liang He
+Link: https://lore.kernel.org/r/20220618023205.4056548-1-windhl@126.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/renesas_usbhs/rza.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/renesas_usbhs/rza.c b/drivers/usb/renesas_usbhs/rza.c
+index 24de64edb674..2d77edefb4b3 100644
+--- a/drivers/usb/renesas_usbhs/rza.c
++++ b/drivers/usb/renesas_usbhs/rza.c
+@@ -23,6 +23,10 @@ static int usbhs_rza1_hardware_init(struct platform_device *pdev)
+ extal_clk = of_find_node_by_name(NULL, "extal");
+ of_property_read_u32(usb_x1_clk, "clock-frequency", &freq_usb);
+ of_property_read_u32(extal_clk, "clock-frequency", &freq_extal);
++
++ of_node_put(usb_x1_clk);
++ of_node_put(extal_clk);
++
+ if (freq_usb == 0) {
+ if (freq_extal == 12000000) {
+ /* Select 12MHz XTAL */
+--
+2.35.1
+
diff --git a/queue-5.4/vboxguest-do-not-use-devm-for-irq.patch b/queue-5.4/vboxguest-do-not-use-devm-for-irq.patch
new file mode 100644
index 00000000000..c3c93756ba2
--- /dev/null
+++ b/queue-5.4/vboxguest-do-not-use-devm-for-irq.patch
@@ -0,0 +1,81 @@
+From 81ab75ac8257f650314244fd370eee8f18d7da67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 12 Jun 2022 14:37:44 +0100
+Subject: vboxguest: Do not use devm for irq
+
+From: Pascal Terjan
+
+[ Upstream commit 6169525b76764acb81918aa387ac168fb9a55575 ]
+
+When relying on devm it doesn't get freed early enough which causes the
+following warning when unloading the module:
+
+[249348.837181] remove_proc_entry: removing non-empty directory 'irq/20', leaking at least 'vboxguest'
+[249348.837219] WARNING: CPU: 0 PID: 6708 at fs/proc/generic.c:715 remove_proc_entry+0x119/0x140
+
+[249348.837379] Call Trace:
+[249348.837385] unregister_irq_proc+0xbd/0xe0
+[249348.837392] free_desc+0x23/0x60
+[249348.837396] irq_free_descs+0x4a/0x70
+[249348.837401] irq_domain_free_irqs+0x160/0x1a0
+[249348.837452] mp_unmap_irq+0x5c/0x60
+[249348.837458] acpi_unregister_gsi_ioapic+0x29/0x40
+[249348.837463] acpi_unregister_gsi+0x17/0x30
+[249348.837467] acpi_pci_irq_disable+0xbf/0xe0
+[249348.837473] pcibios_disable_device+0x20/0x30
+[249348.837478] pci_disable_device+0xef/0x120
+[249348.837482] vbg_pci_remove+0x6c/0x70 [vboxguest]
+
+Reviewed-by: Hans de Goede
+Signed-off-by: Pascal Terjan
+Link: https://lore.kernel.org/r/20220612133744.4030602-1-pterjan@google.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/virt/vboxguest/vboxguest_linux.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/virt/vboxguest/vboxguest_linux.c b/drivers/virt/vboxguest/vboxguest_linux.c
+index 32c2c52f7e84..484c2f09f2ea 100644
+--- a/drivers/virt/vboxguest/vboxguest_linux.c
++++ b/drivers/virt/vboxguest/vboxguest_linux.c
+@@ -361,8 +361,8 @@ static int vbg_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
+ goto err_vbg_core_exit;
+ }
+
+- ret = devm_request_irq(dev, pci->irq, vbg_core_isr, IRQF_SHARED,
+- DEVICE_NAME, gdev);
++ ret = request_irq(pci->irq, vbg_core_isr, IRQF_SHARED, DEVICE_NAME,
++ gdev);
+ if (ret) {
+ vbg_err("vboxguest: Error requesting irq: %d\n", ret);
+ goto err_vbg_core_exit;
+@@ -372,7 +372,7 @@ static int vbg_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
+ if (ret) {
+ vbg_err("vboxguest: Error misc_register %s failed: %d\n",
+ DEVICE_NAME, ret);
+- goto err_vbg_core_exit;
++ goto err_free_irq;
+ }
+
+ ret = misc_register(&gdev->misc_device_user);
+@@ -408,6 +408,8 @@ static int vbg_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
+ misc_deregister(&gdev->misc_device_user);
+ err_unregister_misc_device:
+ misc_deregister(&gdev->misc_device);
++err_free_irq:
++ free_irq(pci->irq, gdev);
+ err_vbg_core_exit:
+ vbg_core_exit(gdev);
+ err_disable_pcidev:
+@@ -424,6 +426,7 @@ static void vbg_pci_remove(struct pci_dev *pci)
+ vbg_gdev = NULL;
+ mutex_unlock(&vbg_gdev_mutex);
+
++ free_irq(pci->irq, gdev);
+ device_remove_file(gdev->dev, &dev_attr_host_features);
+ device_remove_file(gdev->dev, &dev_attr_host_version);
+ misc_deregister(&gdev->misc_device_user);
+--
+2.35.1
+
diff --git a/queue-5.4/vfio-clear-the-caps-buf-to-null-after-free.patch b/queue-5.4/vfio-clear-the-caps-buf-to-null-after-free.patch
new file mode 100644
index 00000000000..eee6cdb722e
--- /dev/null
+++ b/queue-5.4/vfio-clear-the-caps-buf-to-null-after-free.patch
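Review bot: In vbg_pci_remove() the added `free_irq(pci->irq, gdev);` runs before the `misc_deregister(...)` calls, which is neither the reverse of probe (the IRQ is requested first and the misc devices registered after it) nor the order the new error path uses (`misc_deregister` first, then `err_free_irq`). With the misc devices still registered, user space can presumably still reach the device after its interrupt handler has been removed. Moving `free_irq(pci->irq, gdev);` below the misc_deregister() calls, ahead of the core teardown, would mirror the probe error path. The tail of vbg_pci_remove() is outside the hunk, so the position relative to vbg_core_exit() needs checking there.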
@@ -0,0 +1,38 @@
+From 05455c4429e4da8fd8b28b6d6448c0eaa3260fdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Jun 2022 10:29:48 +0800
+Subject: vfio: Clear the caps->buf to NULL after free
+
+From: Schspa Shi
+
+[ Upstream commit 6641085e8d7b3f061911517f79a2a15a0a21b97b ]
+
+On buffer resize failure, vfio_info_cap_add() will free the buffer,
+report zero for the size, and return -ENOMEM. As additional
+hardening, also clear the buffer pointer to prevent any chance of a
+double free.
+
+Signed-off-by: Schspa Shi
+Reviewed-by: Cornelia Huck
+Link: https://lore.kernel.org/r/20220629022948.55608-1-schspa@gmail.com
+Signed-off-by: Alex Williamson
+Signed-off-by: Sasha Levin
+---
+ drivers/vfio/vfio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
+index 388597930b64..efd3782ead97 100644
+--- a/drivers/vfio/vfio.c
++++ b/drivers/vfio/vfio.c
+@@ -1802,6 +1802,7 @@ struct vfio_info_cap_header *vfio_info_cap_add(struct vfio_info_cap *caps,
+ buf = krealloc(caps->buf, caps->size + size, GFP_KERNEL);
+ if (!buf) {
+ kfree(caps->buf);
++ caps->buf = NULL;
+ caps->size = 0;
+ return ERR_PTR(-ENOMEM);
+ }
+--
+2.35.1
+
diff --git a/queue-5.4/video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch b/queue-5.4/video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch
new file mode 100644
index 00000000000..85e6b274c8d
--- /dev/null
+++ b/queue-5.4/video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch
@@ -0,0 +1,67 @@
+From 2af403a983dd6ed123c11e6de0454576f34c8ad0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Aug 2022 17:24:19 +0800
+Subject: video: fbdev: i740fb: Check the argument of i740_calc_vclk()
+
+From: Zheyu Ma
+
+[ Upstream commit 40bf722f8064f50200b8c4f8946cd625b441dda9 ]
+
+Since the user can control the arguments of the ioctl() from the user
+space, under special arguments that may result in a divide-by-zero bug.
+
+If the user provides an improper 'pixclock' value that makes the argumet
+of i740_calc_vclk() less than 'I740_RFREQ_FIX', it will cause a
+divide-by-zero bug in:
+ drivers/video/fbdev/i740fb.c:353 p_best = min(15, ilog2(I740_MAX_VCO_FREQ / (freq / I740_RFREQ_FIX)));
+
+The following log can reveal it:
+
+divide error: 0000 [#1] PREEMPT SMP KASAN PTI
+RIP: 0010:i740_calc_vclk drivers/video/fbdev/i740fb.c:353 [inline]
+RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:646 [inline]
+RIP: 0010:i740fb_set_par+0x163f/0x3b70 drivers/video/fbdev/i740fb.c:742
+Call Trace:
+ fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034
+ do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110
+ fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189
+
+Fix this by checking the argument of i740_calc_vclk() first.
+
+Signed-off-by: Zheyu Ma
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/i740fb.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c
+index 347cf8babc3e..1434eb0220e7 100644
+--- a/drivers/video/fbdev/i740fb.c
++++ b/drivers/video/fbdev/i740fb.c
+@@ -400,7 +400,7 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var,
+ u32 xres, right, hslen, left, xtotal;
+ u32 yres, lower, vslen, upper, ytotal;
+ u32 vxres, xoffset, vyres, yoffset;
+- u32 bpp, base, dacspeed24, mem;
++ u32 bpp, base, dacspeed24, mem, freq;
+ u8 r7;
+ int i;
+
+@@ -643,7 +643,12 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var,
+ par->atc[VGA_ATC_OVERSCAN] = 0;
+
+ /* Calculate VCLK that most closely matches the requested dot clock */
+- i740_calc_vclk((((u32)1e9) / var->pixclock) * (u32)(1e3), par);
++ freq = (((u32)1e9) / var->pixclock) * (u32)(1e3);
++ if (freq < I740_RFREQ_FIX) {
++ fb_dbg(info, "invalid pixclock\n");
++ freq = I740_RFREQ_FIX;
++ }
++ i740_calc_vclk(freq, par);
+
+ /* Since we program the clocks ourselves, always use VCLK2. */
+ par->misc |= 0x0C;
+--
+2.35.1
+
diff --git a/queue-5.4/watchdog-export-lockup_detector_reconfigure.patch b/queue-5.4/watchdog-export-lockup_detector_reconfigure.patch
new file mode 100644
index 00000000000..1db2d22edd3
--- /dev/null
+++ b/queue-5.4/watchdog-export-lockup_detector_reconfigure.patch
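Review bot: The new line `freq = (((u32)1e9) / var->pixclock) * (u32)(1e3);` still divides by the user-controlled `var->pixclock` before any check, so a zero pixclock faults one statement earlier than the division this change protects, unless zero is rejected above the hunk (not visible). A guard ahead of the division, `if (!var->pixclock) return -EINVAL;`, closes that. Small non-zero values also make the u32 multiplication by 1000 wrap, and the new clamp silently substitutes I740_RFREQ_FIX instead of failing the request; rejecting out-of-range values with -EINVAL would be easier to reason about. i740fb_decode_var() starts and ends outside the hunk.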
@@ -0,0 +1,115 @@
+From 89891dad04deb79a8087d2b6ff528051e2da8a12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Jul 2022 17:47:27 +0200
+Subject: watchdog: export lockup_detector_reconfigure
+
+From: Laurent Dufour
+
+[ Upstream commit 7c56a8733d0a2a4be2438a7512566e5ce552fccf ]
+
+In some circumstances it may be interesting to reconfigure the watchdog
+from inside the kernel.
+
+On PowerPC, this may helpful before and after a LPAR migration (LPM) is
+initiated, because it implies some latencies, watchdog, and especially NMI
+watchdog is expected to be triggered during this operation. Reconfiguring
+the watchdog with a factor, would prevent it to happen too frequently
+during LPM.
+
+Rename lockup_detector_reconfigure() as __lockup_detector_reconfigure() and
+create a new function lockup_detector_reconfigure() calling
+__lockup_detector_reconfigure() under the protection of watchdog_mutex.
+
+Signed-off-by: Laurent Dufour
+[mpe: Squash in build fix from Laurent, reported by Sachin]
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220713154729.80789-3-ldufour@linux.ibm.com
+Signed-off-by: Sasha Levin
+---
+ include/linux/nmi.h | 2 ++
+ kernel/watchdog.c | 21 ++++++++++++++++-----
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/nmi.h b/include/linux/nmi.h
+index 9003e29cde46..e972d1ae1ee6 100644
+--- a/include/linux/nmi.h
++++ b/include/linux/nmi.h
+@@ -122,6 +122,8 @@ int watchdog_nmi_probe(void);
+ int watchdog_nmi_enable(unsigned int cpu);
+ void watchdog_nmi_disable(unsigned int cpu);
+
++void lockup_detector_reconfigure(void);
++
+ /**
+ * touch_nmi_watchdog - restart NMI watchdog timeout.
+ *
+diff --git a/kernel/watchdog.c b/kernel/watchdog.c
+index cbd3cf503c90..a3d0e928305c 100644
+--- a/kernel/watchdog.c
++++ b/kernel/watchdog.c
+@@ -568,7 +568,7 @@ int lockup_detector_offline_cpu(unsigned int cpu)
+ return 0;
+ }
+
+-static void lockup_detector_reconfigure(void)
++static void __lockup_detector_reconfigure(void)
+ {
+ cpus_read_lock();
+ watchdog_nmi_stop();
+@@ -588,6 +588,13 @@ static void lockup_detector_reconfigure(void)
+ __lockup_detector_cleanup();
+ }
+
++void lockup_detector_reconfigure(void)
++{
++ mutex_lock(&watchdog_mutex);
++ __lockup_detector_reconfigure();
++ mutex_unlock(&watchdog_mutex);
++}
++
+ /*
+ * Create the watchdog thread infrastructure and configure the detector(s).
+ *
+@@ -608,13 +615,13 @@ static __init void lockup_detector_setup(void)
+ return;
+
+ mutex_lock(&watchdog_mutex);
+- lockup_detector_reconfigure();
++ __lockup_detector_reconfigure();
+ softlockup_initialized = true;
+ mutex_unlock(&watchdog_mutex);
+ }
+
+ #else /* CONFIG_SOFTLOCKUP_DETECTOR */
+-static void lockup_detector_reconfigure(void)
++static void __lockup_detector_reconfigure(void)
+ {
+ cpus_read_lock();
+ watchdog_nmi_stop();
+@@ -622,9 +629,13 @@ static void lockup_detector_reconfigure(void)
+ watchdog_nmi_start();
+ cpus_read_unlock();
+ }
++void lockup_detector_reconfigure(void)
++{
++ __lockup_detector_reconfigure();
++}
+ static inline void lockup_detector_setup(void)
+ {
+- lockup_detector_reconfigure();
++ __lockup_detector_reconfigure();
+ }
+ #endif /* !CONFIG_SOFTLOCKUP_DETECTOR */
+
+@@ -664,7 +675,7 @@ static void proc_watchdog_update(void)
+ {
+ /* Remove impossible cpus to keep sysctl output clean. */
+ cpumask_and(&watchdog_cpumask, &watchdog_cpumask, cpu_possible_mask);
+- lockup_detector_reconfigure();
++ __lockup_detector_reconfigure();
+ }
+
+ /*
+--
+2.35.1
+
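Review bot: The two new `lockup_detector_reconfigure()` definitions do not share a locking contract: the CONFIG_SOFTLOCKUP_DETECTOR one takes `watchdog_mutex`, while the one in the `#else` branch calls `__lockup_detector_reconfigure()` bare, although the description says the exported function runs under the mutex. If the mutex is defined in that configuration (its definition is outside the hunks), take it there too so every caller gets the same guarantee. In either case the new declaration in include/linux/nmi.h needs a comment stating that callers must not already hold `watchdog_mutex` and that the double-underscore variant is for code paths that do.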