From: Greg Kroah-Hartman Date: Wed, 26 Feb 2020 10:47:38 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.215~66 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=92f3446d3e45272bc1009783c1c82edd02851b96;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: genirq-irqdomain-make-sure-all-irq-domain-flags-are-distinct.patch jbd2-fix-ocfs2-corrupt-when-clearing-block-group-bits.patch maintainers-update-drm-i915-bug-filing-url.patch mm-memcontrol.c-lost-css_put-in-memcg_expand_shrinker_maps.patch nvme-multipath-fix-memory-leak-with-ana_log_buf.patch powerpc-tm-fix-clearing-msr-in-current-when-reclaiming-on-signal-delivery.patch revert-ipc-sem-remove-uneeded-sem_undo_list-lock-usage-in-exit_sem.patch serdev-ttyport-restore-client-ops-on-deregistration.patch serial-8250-check-upf_irq_shared-in-advance.patch tty-serial-atmel-manage-shutdown-in-case-of-rs485-or-iso7816-mode.patch tty-serial-imx-setup-the-correct-sg-entry-for-tx-dma.patch x86-cpu-amd-enable-the-fixed-instructions-retired-counter-irperf.patch x86-mce-amd-fix-kobject-lifetime.patch x86-mce-amd-publish-the-bank-pointer-only-after-setup-has-succeeded.patch --- diff --git a/queue-4.19/genirq-irqdomain-make-sure-all-irq-domain-flags-are-distinct.patch b/queue-4.19/genirq-irqdomain-make-sure-all-irq-domain-flags-are-distinct.patch new file mode 100644 index 00000000000..b5b82156b9c --- /dev/null +++ b/queue-4.19/genirq-irqdomain-make-sure-all-irq-domain-flags-are-distinct.patch @@ -0,0 +1,40 @@ +From 2546287c5fb363a0165933ae2181c92f03e701d0 Mon Sep 17 00:00:00 2001 +From: Zenghui Yu +Date: Fri, 21 Feb 2020 10:07:25 +0800 +Subject: genirq/irqdomain: Make sure all irq domain flags are distinct + +From: Zenghui Yu + +commit 2546287c5fb363a0165933ae2181c92f03e701d0 upstream. + +This was noticed when printing debugfs for MSIs on my ARM64 server. The +new dstate IRQD_MSI_NOMASK_QUIRK came out surprisingly while it should only +be the x86 stuff for the time being... + +The new MSI quirk flag uses the same bit as IRQ_DOMAIN_NAME_ALLOCATED which +is oddly defined as bit 6 for no good reason. + +Switch it to the non used bit 1. + +Fixes: 6f1a4891a592 ("x86/apic/msi: Plug non-maskable MSI affinity race") +Signed-off-by: Zenghui Yu +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20200221020725.2038-1-yuzenghui@huawei.com +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/irqdomain.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/irqdomain.h ++++ b/include/linux/irqdomain.h +@@ -188,7 +188,7 @@ enum { + IRQ_DOMAIN_FLAG_HIERARCHY = (1 << 0), + + /* Irq domain name was allocated in __irq_domain_add() */ +- IRQ_DOMAIN_NAME_ALLOCATED = (1 << 6), ++ IRQ_DOMAIN_NAME_ALLOCATED = (1 << 1), + + /* Irq domain is an IPI domain with virq per cpu */ + IRQ_DOMAIN_FLAG_IPI_PER_CPU = (1 << 2), diff --git a/queue-4.19/jbd2-fix-ocfs2-corrupt-when-clearing-block-group-bits.patch b/queue-4.19/jbd2-fix-ocfs2-corrupt-when-clearing-block-group-bits.patch new file mode 100644 index 00000000000..95744ceddc4 --- /dev/null +++ b/queue-4.19/jbd2-fix-ocfs2-corrupt-when-clearing-block-group-bits.patch @@ -0,0 +1,180 @@ +From 8eedabfd66b68a4623beec0789eac54b8c9d0fb6 Mon Sep 17 00:00:00 2001 +From: wangyan +Date: Thu, 20 Feb 2020 21:46:14 +0800 +Subject: jbd2: fix ocfs2 corrupt when clearing block group bits + +From: wangyan + +commit 8eedabfd66b68a4623beec0789eac54b8c9d0fb6 upstream. + +I found a NULL pointer dereference in ocfs2_block_group_clear_bits(). +The running environment: + kernel version: 4.19 + A cluster with two nodes, 5 luns mounted on two nodes, and do some + file operations like dd/fallocate/truncate/rm on every lun with storage + network disconnection. + +The fallocate operation on dm-23-45 caused an null pointer dereference. + +The information of NULL pointer dereference as follows: + [577992.878282] JBD2: Error -5 detected when updating journal superblock for dm-23-45. + [577992.878290] Aborting journal on device dm-23-45. + ... + [577992.890778] JBD2: Error -5 detected when updating journal superblock for dm-24-46. + [577992.890908] __journal_remove_journal_head: freeing b_committed_data + [577992.890916] (fallocate,88392,52):ocfs2_extend_trans:474 ERROR: status = -30 + [577992.890918] __journal_remove_journal_head: freeing b_committed_data + [577992.890920] (fallocate,88392,52):ocfs2_rotate_tree_right:2500 ERROR: status = -30 + [577992.890922] __journal_remove_journal_head: freeing b_committed_data + [577992.890924] (fallocate,88392,52):ocfs2_do_insert_extent:4382 ERROR: status = -30 + [577992.890928] (fallocate,88392,52):ocfs2_insert_extent:4842 ERROR: status = -30 + [577992.890928] __journal_remove_journal_head: freeing b_committed_data + [577992.890930] (fallocate,88392,52):ocfs2_add_clusters_in_btree:4947 ERROR: status = -30 + [577992.890933] __journal_remove_journal_head: freeing b_committed_data + [577992.890939] __journal_remove_journal_head: freeing b_committed_data + [577992.890949] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 + [577992.890950] Mem abort info: + [577992.890951] ESR = 0x96000004 + [577992.890952] Exception class = DABT (current EL), IL = 32 bits + [577992.890952] SET = 0, FnV = 0 + [577992.890953] EA = 0, S1PTW = 0 + [577992.890954] Data abort info: + [577992.890955] ISV = 0, ISS = 0x00000004 + [577992.890956] CM = 0, WnR = 0 + [577992.890958] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000f8da07a9 + [577992.890960] [0000000000000020] pgd=0000000000000000 + [577992.890964] Internal error: Oops: 96000004 [#1] SMP + [577992.890965] Process fallocate (pid: 88392, stack limit = 0x00000000013db2fd) + [577992.890968] CPU: 52 PID: 88392 Comm: fallocate Kdump: loaded Tainted: G W OE 4.19.36 #1 + [577992.890969] Hardware name: Huawei TaiShan 2280 V2/BC82AMDD, BIOS 0.98 08/25/2019 + [577992.890971] pstate: 60400009 (nZCv daif +PAN -UAO) + [577992.891054] pc : _ocfs2_free_suballoc_bits+0x63c/0x968 [ocfs2] + [577992.891082] lr : _ocfs2_free_suballoc_bits+0x618/0x968 [ocfs2] + [577992.891084] sp : ffff0000c8e2b810 + [577992.891085] x29: ffff0000c8e2b820 x28: 0000000000000000 + [577992.891087] x27: 00000000000006f3 x26: ffffa07957b02e70 + [577992.891089] x25: ffff807c59d50000 x24: 00000000000006f2 + [577992.891091] x23: 0000000000000001 x22: ffff807bd39abc30 + [577992.891093] x21: ffff0000811d9000 x20: ffffa07535d6a000 + [577992.891097] x19: ffff000001681638 x18: ffffffffffffffff + [577992.891098] x17: 0000000000000000 x16: ffff000080a03df0 + [577992.891100] x15: ffff0000811d9708 x14: 203d207375746174 + [577992.891101] x13: 73203a524f525245 x12: 20373439343a6565 + [577992.891103] x11: 0000000000000038 x10: 0101010101010101 + [577992.891106] x9 : ffffa07c68a85d70 x8 : 7f7f7f7f7f7f7f7f + [577992.891109] x7 : 0000000000000000 x6 : 0000000000000080 + [577992.891110] x5 : 0000000000000000 x4 : 0000000000000002 + [577992.891112] x3 : ffff000001713390 x2 : 2ff90f88b1c22f00 + [577992.891114] x1 : ffff807bd39abc30 x0 : 0000000000000000 + [577992.891116] Call trace: + [577992.891139] _ocfs2_free_suballoc_bits+0x63c/0x968 [ocfs2] + [577992.891162] _ocfs2_free_clusters+0x100/0x290 [ocfs2] + [577992.891185] ocfs2_free_clusters+0x50/0x68 [ocfs2] + [577992.891206] ocfs2_add_clusters_in_btree+0x198/0x5e0 [ocfs2] + [577992.891227] ocfs2_add_inode_data+0x94/0xc8 [ocfs2] + [577992.891248] ocfs2_extend_allocation+0x1bc/0x7a8 [ocfs2] + [577992.891269] ocfs2_allocate_extents+0x14c/0x338 [ocfs2] + [577992.891290] __ocfs2_change_file_space+0x3f8/0x610 [ocfs2] + [577992.891309] ocfs2_fallocate+0xe4/0x128 [ocfs2] + [577992.891316] vfs_fallocate+0x11c/0x250 + [577992.891317] ksys_fallocate+0x54/0x88 + [577992.891319] __arm64_sys_fallocate+0x28/0x38 + [577992.891323] el0_svc_common+0x78/0x130 + [577992.891325] el0_svc_handler+0x38/0x78 + [577992.891327] el0_svc+0x8/0xc + +My analysis process as follows: +ocfs2_fallocate + __ocfs2_change_file_space + ocfs2_allocate_extents + ocfs2_extend_allocation + ocfs2_add_inode_data + ocfs2_add_clusters_in_btree + ocfs2_insert_extent + ocfs2_do_insert_extent + ocfs2_rotate_tree_right + ocfs2_extend_rotate_transaction + ocfs2_extend_trans + jbd2_journal_restart + jbd2__journal_restart + /* handle->h_transaction is NULL, + * is_handle_aborted(handle) is true + */ + handle->h_transaction = NULL; + start_this_handle + return -EROFS; + ocfs2_free_clusters + _ocfs2_free_clusters + _ocfs2_free_suballoc_bits + ocfs2_block_group_clear_bits + ocfs2_journal_access_gd + __ocfs2_journal_access + jbd2_journal_get_undo_access + /* I think jbd2_write_access_granted() will + * return true, because do_get_write_access() + * will return -EROFS. + */ + if (jbd2_write_access_granted(...)) return 0; + do_get_write_access + /* handle->h_transaction is NULL, it will + * return -EROFS here, so do_get_write_access() + * was not called. + */ + if (is_handle_aborted(handle)) return -EROFS; + /* bh2jh(group_bh) is NULL, caused NULL + pointer dereference */ + undo_bg = (struct ocfs2_group_desc *) + bh2jh(group_bh)->b_committed_data; + +If handle->h_transaction == NULL, then jbd2_write_access_granted() +does not really guarantee that journal_head will stay around, +not even speaking of its b_committed_data. The bh2jh(group_bh) +can be removed after ocfs2_journal_access_gd() and before call +"bh2jh(group_bh)->b_committed_data". So, we should move +is_handle_aborted() check from do_get_write_access() into +jbd2_journal_get_undo_access() and jbd2_journal_get_write_access() +before the call to jbd2_write_access_granted(). + +Link: https://lore.kernel.org/r/f72a623f-b3f1-381a-d91d-d22a1c83a336@huawei.com +Signed-off-by: Yan Wang +Signed-off-by: Theodore Ts'o +Reviewed-by: Jun Piao +Reviewed-by: Jan Kara +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/transaction.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -831,8 +831,6 @@ do_get_write_access(handle_t *handle, st + char *frozen_buffer = NULL; + unsigned long start_lock, time_lock; + +- if (is_handle_aborted(handle)) +- return -EROFS; + journal = transaction->t_journal; + + jbd_debug(5, "journal_head %p, force_copy %d\n", jh, force_copy); +@@ -1084,6 +1082,9 @@ int jbd2_journal_get_write_access(handle + struct journal_head *jh; + int rc; + ++ if (is_handle_aborted(handle)) ++ return -EROFS; ++ + if (jbd2_write_access_granted(handle, bh, false)) + return 0; + +@@ -1221,6 +1222,9 @@ int jbd2_journal_get_undo_access(handle_ + struct journal_head *jh; + char *committed_data = NULL; + ++ if (is_handle_aborted(handle)) ++ return -EROFS; ++ + if (jbd2_write_access_granted(handle, bh, true)) + return 0; + diff --git a/queue-4.19/maintainers-update-drm-i915-bug-filing-url.patch b/queue-4.19/maintainers-update-drm-i915-bug-filing-url.patch new file mode 100644 index 00000000000..0d98eb9db17 --- /dev/null +++ b/queue-4.19/maintainers-update-drm-i915-bug-filing-url.patch @@ -0,0 +1,34 @@ +From 96228b7df33f8eb9006f8ae96949400aed9bd303 Mon Sep 17 00:00:00 2001 +From: Jani Nikula +Date: Wed, 12 Feb 2020 18:04:33 +0200 +Subject: MAINTAINERS: Update drm/i915 bug filing URL + +From: Jani Nikula + +commit 96228b7df33f8eb9006f8ae96949400aed9bd303 upstream. + +We've moved from bugzilla to gitlab. + +Cc: stable@vger.kernel.org +Reviewed-by: Chris Wilson +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20200212160434.6437-1-jani.nikula@intel.com +(cherry picked from commit 3a6a4f0810c8ade6f1ff63c34aa9834176b9d88b) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + MAINTAINERS | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -7340,7 +7340,7 @@ M: Joonas Lahtinen + L: intel-gfx@lists.freedesktop.org + W: https://01.org/linuxgraphics/ +-B: https://01.org/linuxgraphics/documentation/how-report-bugs ++B: https://gitlab.freedesktop.org/drm/intel/-/wikis/How-to-file-i915-bugs + C: irc://chat.freenode.net/intel-gfx + Q: http://patchwork.freedesktop.org/project/intel-gfx/ + T: git git://anongit.freedesktop.org/drm-intel diff --git a/queue-4.19/mm-memcontrol.c-lost-css_put-in-memcg_expand_shrinker_maps.patch b/queue-4.19/mm-memcontrol.c-lost-css_put-in-memcg_expand_shrinker_maps.patch new file mode 100644 index 00000000000..93f852133a8 --- /dev/null +++ b/queue-4.19/mm-memcontrol.c-lost-css_put-in-memcg_expand_shrinker_maps.patch @@ -0,0 +1,43 @@ +From 75866af62b439859d5146b7093ceb6b482852683 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Thu, 20 Feb 2020 20:04:18 -0800 +Subject: mm/memcontrol.c: lost css_put in memcg_expand_shrinker_maps() + +From: Vasily Averin + +commit 75866af62b439859d5146b7093ceb6b482852683 upstream. + +for_each_mem_cgroup() increases css reference counter for memory cgroup +and requires to use mem_cgroup_iter_break() if the walk is cancelled. + +Link: http://lkml.kernel.org/r/c98414fb-7e1f-da0f-867a-9340ec4bd30b@virtuozzo.com +Fixes: 0a4465d34028 ("mm, memcg: assign memcg-aware shrinkers bitmap to memcg") +Signed-off-by: Vasily Averin +Acked-by: Kirill Tkhai +Acked-by: Michal Hocko +Reviewed-by: Roman Gushchin +Cc: Johannes Weiner +Cc: Vladimir Davydov +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memcontrol.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -419,8 +419,10 @@ int memcg_expand_shrinker_maps(int new_i + if (mem_cgroup_is_root(memcg)) + continue; + ret = memcg_expand_one_shrinker_map(memcg, size, old_size); +- if (ret) ++ if (ret) { ++ mem_cgroup_iter_break(NULL, memcg); + goto unlock; ++ } + } + unlock: + if (!ret) diff --git a/queue-4.19/nvme-multipath-fix-memory-leak-with-ana_log_buf.patch b/queue-4.19/nvme-multipath-fix-memory-leak-with-ana_log_buf.patch new file mode 100644 index 00000000000..8dcfd69486e --- /dev/null +++ b/queue-4.19/nvme-multipath-fix-memory-leak-with-ana_log_buf.patch @@ -0,0 +1,66 @@ +From 3b7830904e17202524bad1974505a9bfc718d31f Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe +Date: Thu, 20 Feb 2020 13:29:53 -0700 +Subject: nvme-multipath: Fix memory leak with ana_log_buf + +From: Logan Gunthorpe + +commit 3b7830904e17202524bad1974505a9bfc718d31f upstream. + +kmemleak reports a memory leak with the ana_log_buf allocated by +nvme_mpath_init(): + +unreferenced object 0xffff888120e94000 (size 8208): + comm "nvme", pid 6884, jiffies 4295020435 (age 78786.312s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ + 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000e2360188>] kmalloc_order+0x97/0xc0 + [<0000000079b18dd4>] kmalloc_order_trace+0x24/0x100 + [<00000000f50c0406>] __kmalloc+0x24c/0x2d0 + [<00000000f31a10b9>] nvme_mpath_init+0x23c/0x2b0 + [<000000005802589e>] nvme_init_identify+0x75f/0x1600 + [<0000000058ef911b>] nvme_loop_configure_admin_queue+0x26d/0x280 + [<00000000673774b9>] nvme_loop_create_ctrl+0x2a7/0x710 + [<00000000f1c7a233>] nvmf_dev_write+0xc66/0x10b9 + [<000000004199f8d0>] __vfs_write+0x50/0xa0 + [<0000000065466fef>] vfs_write+0xf3/0x280 + [<00000000b0db9a8b>] ksys_write+0xc6/0x160 + [<0000000082156b91>] __x64_sys_write+0x43/0x50 + [<00000000c34fbb6d>] do_syscall_64+0x77/0x2f0 + [<00000000bbc574c9>] entry_SYSCALL_64_after_hwframe+0x49/0xbe + +nvme_mpath_init() is called by nvme_init_identify() which is called in +multiple places (nvme_reset_work(), nvme_passthru_end(), etc). This +means nvme_mpath_init() may be called multiple times before +nvme_mpath_uninit() (which is only called on nvme_free_ctrl()). + +When nvme_mpath_init() is called multiple times, it overwrites the +ana_log_buf pointer with a new allocation, thus leaking the previous +allocation. + +To fix this, free ana_log_buf before allocating a new one. + +Fixes: 0d0b660f214dc490 ("nvme: add ANA support") +Cc: +Reviewed-by: Sagi Grimberg +Reviewed-by: Christoph Hellwig +Signed-off-by: Logan Gunthorpe +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvme/host/multipath.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -569,6 +569,7 @@ int nvme_mpath_init(struct nvme_ctrl *ct + } + + INIT_WORK(&ctrl->ana_work, nvme_ana_work); ++ kfree(ctrl->ana_log_buf); + ctrl->ana_log_buf = kmalloc(ctrl->ana_log_size, GFP_KERNEL); + if (!ctrl->ana_log_buf) { + error = -ENOMEM; diff --git a/queue-4.19/powerpc-tm-fix-clearing-msr-in-current-when-reclaiming-on-signal-delivery.patch b/queue-4.19/powerpc-tm-fix-clearing-msr-in-current-when-reclaiming-on-signal-delivery.patch new file mode 100644 index 00000000000..45fc7394807 --- /dev/null +++ b/queue-4.19/powerpc-tm-fix-clearing-msr-in-current-when-reclaiming-on-signal-delivery.patch @@ -0,0 +1,282 @@ +From 2464cc4c345699adea52c7aef75707207cb8a2f6 Mon Sep 17 00:00:00 2001 +From: Gustavo Luiz Duarte +Date: Tue, 11 Feb 2020 00:38:29 -0300 +Subject: powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery + +From: Gustavo Luiz Duarte + +commit 2464cc4c345699adea52c7aef75707207cb8a2f6 upstream. + +After a treclaim, we expect to be in non-transactional state. If we +don't clear the current thread's MSR[TS] before we get preempted, then +tm_recheckpoint_new_task() will recheckpoint and we get rescheduled in +suspended transaction state. + +When handling a signal caught in transactional state, +handle_rt_signal64() calls get_tm_stackpointer() that treclaims the +transaction using tm_reclaim_current() but without clearing the +thread's MSR[TS]. This can cause the TM Bad Thing exception below if +later we pagefault and get preempted trying to access the user's +sigframe, using __put_user(). Afterwards, when we are rescheduled back +into do_page_fault() (but now in suspended state since the thread's +MSR[TS] was not cleared), upon executing 'rfid' after completion of +the page fault handling, the exception is raised because a transition +from suspended to non-transactional state is invalid. + + Unexpected TM Bad Thing exception at c00000000000de44 (msr 0x8000000302a03031) tm_scratch=800000010280b033 + Oops: Unrecoverable exception, sig: 6 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + CPU: 25 PID: 15547 Comm: a.out Not tainted 5.4.0-rc2 #32 + NIP: c00000000000de44 LR: c000000000034728 CTR: 0000000000000000 + REGS: c00000003fe7bd70 TRAP: 0700 Not tainted (5.4.0-rc2) + MSR: 8000000302a03031 CR: 44000884 XER: 00000000 + CFAR: c00000000000dda4 IRQMASK: 0 + PACATMSCRATCH: 800000010280b033 + GPR00: c000000000034728 c000000f65a17c80 c000000001662800 00007fffacf3fd78 + GPR04: 0000000000001000 0000000000001000 0000000000000000 c000000f611f8af0 + GPR08: 0000000000000000 0000000078006001 0000000000000000 000c000000000000 + GPR12: c000000f611f84b0 c00000003ffcb200 0000000000000000 0000000000000000 + GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + GPR20: 0000000000000000 0000000000000000 0000000000000000 c000000f611f8140 + GPR24: 0000000000000000 00007fffacf3fd68 c000000f65a17d90 c000000f611f7800 + GPR28: c000000f65a17e90 c000000f65a17e90 c000000001685e18 00007fffacf3f000 + NIP [c00000000000de44] fast_exception_return+0xf4/0x1b0 + LR [c000000000034728] handle_rt_signal64+0x78/0xc50 + Call Trace: + [c000000f65a17c80] [c000000000034710] handle_rt_signal64+0x60/0xc50 (unreliable) + [c000000f65a17d30] [c000000000023640] do_notify_resume+0x330/0x460 + [c000000f65a17e20] [c00000000000dcc4] ret_from_except_lite+0x70/0x74 + Instruction dump: + 7c4ff120 e8410170 7c5a03a6 38400000 f8410060 e8010070 e8410080 e8610088 + 60000000 60000000 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed0989 + ---[ end trace 93094aa44b442f87 ]--- + +The simplified sequence of events that triggers the above exception is: + + ... # userspace in NON-TRANSACTIONAL state + tbegin # userspace in TRANSACTIONAL state + signal delivery # kernelspace in SUSPENDED state + handle_rt_signal64() + get_tm_stackpointer() + treclaim # kernelspace in NON-TRANSACTIONAL state + __put_user() + page fault happens. We will never get back here because of the TM Bad Thing exception. + + page fault handling kicks in and we voluntarily preempt ourselves + do_page_fault() + __schedule() + __switch_to(other_task) + + our task is rescheduled and we recheckpoint because the thread's MSR[TS] was not cleared + __switch_to(our_task) + switch_to_tm() + tm_recheckpoint_new_task() + trechkpt # kernelspace in SUSPENDED state + + The page fault handling resumes, but now we are in suspended transaction state + do_page_fault() completes + rfid <----- trying to get back where the page fault happened (we were non-transactional back then) + TM Bad Thing # illegal transition from suspended to non-transactional + +This patch fixes that issue by clearing the current thread's MSR[TS] +just after treclaim in get_tm_stackpointer() so that we stay in +non-transactional state in case we are preempted. In order to make +treclaim and clearing the thread's MSR[TS] atomic from a preemption +perspective when CONFIG_PREEMPT is set, preempt_disable/enable() is +used. It's also necessary to save the previous value of the thread's +MSR before get_tm_stackpointer() is called so that it can be exposed +to the signal handler later in setup_tm_sigcontexts() to inform the +userspace MSR at the moment of the signal delivery. + +Found with tm-signal-context-force-tm kernel selftest. + +Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context") +Cc: stable@vger.kernel.org # v3.9 +Signed-off-by: Gustavo Luiz Duarte +Acked-by: Michael Neuling +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200211033831.11165-1-gustavold@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/signal.c | 17 +++++++++++++++-- + arch/powerpc/kernel/signal_32.c | 28 ++++++++++++++-------------- + arch/powerpc/kernel/signal_64.c | 22 ++++++++++------------ + 3 files changed, 39 insertions(+), 28 deletions(-) + +--- a/arch/powerpc/kernel/signal.c ++++ b/arch/powerpc/kernel/signal.c +@@ -200,14 +200,27 @@ unsigned long get_tm_stackpointer(struct + * normal/non-checkpointed stack pointer. + */ + ++ unsigned long ret = tsk->thread.regs->gpr[1]; ++ + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + BUG_ON(tsk != current); + + if (MSR_TM_ACTIVE(tsk->thread.regs->msr)) { ++ preempt_disable(); + tm_reclaim_current(TM_CAUSE_SIGNAL); + if (MSR_TM_TRANSACTIONAL(tsk->thread.regs->msr)) +- return tsk->thread.ckpt_regs.gpr[1]; ++ ret = tsk->thread.ckpt_regs.gpr[1]; ++ ++ /* ++ * If we treclaim, we must clear the current thread's TM bits ++ * before re-enabling preemption. Otherwise we might be ++ * preempted and have the live MSR[TS] changed behind our back ++ * (tm_recheckpoint_new_task() would recheckpoint). Besides, we ++ * enter the signal handler in non-transactional state. ++ */ ++ tsk->thread.regs->msr &= ~MSR_TS_MASK; ++ preempt_enable(); + } + #endif +- return tsk->thread.regs->gpr[1]; ++ return ret; + } +--- a/arch/powerpc/kernel/signal_32.c ++++ b/arch/powerpc/kernel/signal_32.c +@@ -493,19 +493,11 @@ static int save_user_regs(struct pt_regs + */ + static int save_tm_user_regs(struct pt_regs *regs, + struct mcontext __user *frame, +- struct mcontext __user *tm_frame, int sigret) ++ struct mcontext __user *tm_frame, int sigret, ++ unsigned long msr) + { +- unsigned long msr = regs->msr; +- + WARN_ON(tm_suspend_disabled); + +- /* Remove TM bits from thread's MSR. The MSR in the sigcontext +- * just indicates to userland that we were doing a transaction, but we +- * don't want to return in transactional state. This also ensures +- * that flush_fp_to_thread won't set TIF_RESTORE_TM again. +- */ +- regs->msr &= ~MSR_TS_MASK; +- + /* Save both sets of general registers */ + if (save_general_regs(¤t->thread.ckpt_regs, frame) + || save_general_regs(regs, tm_frame)) +@@ -916,6 +908,10 @@ int handle_rt_signal32(struct ksignal *k + int sigret; + unsigned long tramp; + struct pt_regs *regs = tsk->thread.regs; ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ /* Save the thread's msr before get_tm_stackpointer() changes it */ ++ unsigned long msr = regs->msr; ++#endif + + BUG_ON(tsk != current); + +@@ -948,13 +944,13 @@ int handle_rt_signal32(struct ksignal *k + + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + tm_frame = &rt_sf->uc_transact.uc_mcontext; +- if (MSR_TM_ACTIVE(regs->msr)) { ++ if (MSR_TM_ACTIVE(msr)) { + if (__put_user((unsigned long)&rt_sf->uc_transact, + &rt_sf->uc.uc_link) || + __put_user((unsigned long)tm_frame, + &rt_sf->uc_transact.uc_regs)) + goto badframe; +- if (save_tm_user_regs(regs, frame, tm_frame, sigret)) ++ if (save_tm_user_regs(regs, frame, tm_frame, sigret, msr)) + goto badframe; + } + else +@@ -1365,6 +1361,10 @@ int handle_signal32(struct ksignal *ksig + int sigret; + unsigned long tramp; + struct pt_regs *regs = tsk->thread.regs; ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ /* Save the thread's msr before get_tm_stackpointer() changes it */ ++ unsigned long msr = regs->msr; ++#endif + + BUG_ON(tsk != current); + +@@ -1398,9 +1398,9 @@ int handle_signal32(struct ksignal *ksig + + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + tm_mctx = &frame->mctx_transact; +- if (MSR_TM_ACTIVE(regs->msr)) { ++ if (MSR_TM_ACTIVE(msr)) { + if (save_tm_user_regs(regs, &frame->mctx, &frame->mctx_transact, +- sigret)) ++ sigret, msr)) + goto badframe; + } + else +--- a/arch/powerpc/kernel/signal_64.c ++++ b/arch/powerpc/kernel/signal_64.c +@@ -196,7 +196,8 @@ static long setup_sigcontext(struct sigc + static long setup_tm_sigcontexts(struct sigcontext __user *sc, + struct sigcontext __user *tm_sc, + struct task_struct *tsk, +- int signr, sigset_t *set, unsigned long handler) ++ int signr, sigset_t *set, unsigned long handler, ++ unsigned long msr) + { + /* When CONFIG_ALTIVEC is set, we _always_ setup v_regs even if the + * process never used altivec yet (MSR_VEC is zero in pt_regs of +@@ -211,12 +212,11 @@ static long setup_tm_sigcontexts(struct + elf_vrreg_t __user *tm_v_regs = sigcontext_vmx_regs(tm_sc); + #endif + struct pt_regs *regs = tsk->thread.regs; +- unsigned long msr = tsk->thread.regs->msr; + long err = 0; + + BUG_ON(tsk != current); + +- BUG_ON(!MSR_TM_ACTIVE(regs->msr)); ++ BUG_ON(!MSR_TM_ACTIVE(msr)); + + WARN_ON(tm_suspend_disabled); + +@@ -226,13 +226,6 @@ static long setup_tm_sigcontexts(struct + */ + msr |= tsk->thread.ckpt_regs.msr & (MSR_FP | MSR_VEC | MSR_VSX); + +- /* Remove TM bits from thread's MSR. The MSR in the sigcontext +- * just indicates to userland that we were doing a transaction, but we +- * don't want to return in transactional state. This also ensures +- * that flush_fp_to_thread won't set TIF_RESTORE_TM again. +- */ +- regs->msr &= ~MSR_TS_MASK; +- + #ifdef CONFIG_ALTIVEC + err |= __put_user(v_regs, &sc->v_regs); + err |= __put_user(tm_v_regs, &tm_sc->v_regs); +@@ -803,6 +796,10 @@ int handle_rt_signal64(struct ksignal *k + unsigned long newsp = 0; + long err = 0; + struct pt_regs *regs = tsk->thread.regs; ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ /* Save the thread's msr before get_tm_stackpointer() changes it */ ++ unsigned long msr = regs->msr; ++#endif + + BUG_ON(tsk != current); + +@@ -820,7 +817,7 @@ int handle_rt_signal64(struct ksignal *k + err |= __put_user(0, &frame->uc.uc_flags); + err |= __save_altstack(&frame->uc.uc_stack, regs->gpr[1]); + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM +- if (MSR_TM_ACTIVE(regs->msr)) { ++ if (MSR_TM_ACTIVE(msr)) { + /* The ucontext_t passed to userland points to the second + * ucontext_t (for transactional state) with its uc_link ptr. + */ +@@ -828,7 +825,8 @@ int handle_rt_signal64(struct ksignal *k + err |= setup_tm_sigcontexts(&frame->uc.uc_mcontext, + &frame->uc_transact.uc_mcontext, + tsk, ksig->sig, NULL, +- (unsigned long)ksig->ka.sa.sa_handler); ++ (unsigned long)ksig->ka.sa.sa_handler, ++ msr); + } else + #endif + { diff --git a/queue-4.19/revert-ipc-sem-remove-uneeded-sem_undo_list-lock-usage-in-exit_sem.patch b/queue-4.19/revert-ipc-sem-remove-uneeded-sem_undo_list-lock-usage-in-exit_sem.patch new file mode 100644 index 00000000000..e48d9962fc2 --- /dev/null +++ b/queue-4.19/revert-ipc-sem-remove-uneeded-sem_undo_list-lock-usage-in-exit_sem.patch @@ -0,0 +1,135 @@ +From edf28f4061afe4c2d9eb1c3323d90e882c1d6800 Mon Sep 17 00:00:00 2001 +From: Ioanna Alifieraki +Date: Thu, 20 Feb 2020 20:04:00 -0800 +Subject: Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" + +From: Ioanna Alifieraki + +commit edf28f4061afe4c2d9eb1c3323d90e882c1d6800 upstream. + +This reverts commit a97955844807e327df11aa33869009d14d6b7de0. + +Commit a97955844807 ("ipc,sem: remove uneeded sem_undo_list lock usage +in exit_sem()") removes a lock that is needed. This leads to a process +looping infinitely in exit_sem() and can also lead to a crash. There is +a reproducer available in [1] and with the commit reverted the issue +does not reproduce anymore. + +Using the reproducer found in [1] is fairly easy to reach a point where +one of the child processes is looping infinitely in exit_sem between +for(;;) and if (semid == -1) block, while it's trying to free its last +sem_undo structure which has already been freed by freeary(). + +Each sem_undo struct is on two lists: one per semaphore set (list_id) +and one per process (list_proc). The list_id list tracks undos by +semaphore set, and the list_proc by process. + +Undo structures are removed either by freeary() or by exit_sem(). The +freeary function is invoked when the user invokes a syscall to remove a +semaphore set. During this operation freeary() traverses the list_id +associated with the semaphore set and removes the undo structures from +both the list_id and list_proc lists. + +For this case, exit_sem() is called at process exit. Each process +contains a struct sem_undo_list (referred to as "ulp") which contains +the head for the list_proc list. When the process exits, exit_sem() +traverses this list to remove each sem_undo struct. As in freeary(), +whenever a sem_undo struct is removed from list_proc, it is also removed +from the list_id list. + +Removing elements from list_id is safe for both exit_sem() and freeary() +due to sem_lock(). Removing elements from list_proc is not safe; +freeary() locks &un->ulp->lock when it performs +list_del_rcu(&un->list_proc) but exit_sem() does not (locking was +removed by commit a97955844807 ("ipc,sem: remove uneeded sem_undo_list +lock usage in exit_sem()"). + +This can result in the following situation while executing the +reproducer [1] : Consider a child process in exit_sem() and the parent +in freeary() (because of semctl(sid[i], NSEM, IPC_RMID)). + + - The list_proc for the child contains the last two undo structs A and + B (the rest have been removed either by exit_sem() or freeary()). + + - The semid for A is 1 and semid for B is 2. + + - exit_sem() removes A and at the same time freeary() removes B. + + - Since A and B have different semid sem_lock() will acquire different + locks for each process and both can proceed. + +The bug is that they remove A and B from the same list_proc at the same +time because only freeary() acquires the ulp lock. When exit_sem() +removes A it makes ulp->list_proc.next to point at B and at the same +time freeary() removes B setting B->semid=-1. + +At the next iteration of for(;;) loop exit_sem() will try to remove B. + +The only way to break from for(;;) is for (&un->list_proc == +&ulp->list_proc) to be true which is not. Then exit_sem() will check if +B->semid=-1 which is and will continue looping in for(;;) until the +memory for B is reallocated and the value at B->semid is changed. + +At that point, exit_sem() will crash attempting to unlink B from the +lists (this can be easily triggered by running the reproducer [1] a +second time). + +To prove this scenario instrumentation was added to keep information +about each sem_undo (un) struct that is removed per process and per +semaphore set (sma). + + CPU0 CPU1 + [caller holds sem_lock(sma for A)] ... + freeary() exit_sem() + ... ... + ... sem_lock(sma for B) + spin_lock(A->ulp->lock) ... + list_del_rcu(un_A->list_proc) list_del_rcu(un_B->list_proc) + +Undo structures A and B have different semid and sem_lock() operations +proceed. However they belong to the same list_proc list and they are +removed at the same time. This results into ulp->list_proc.next +pointing to the address of B which is already removed. + +After reverting commit a97955844807 ("ipc,sem: remove uneeded +sem_undo_list lock usage in exit_sem()") the issue was no longer +reproducible. + +[1] https://bugzilla.redhat.com/show_bug.cgi?id=1694779 + +Link: http://lkml.kernel.org/r/20191211191318.11860-1-ioanna-maria.alifieraki@canonical.com +Fixes: a97955844807 ("ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()") +Signed-off-by: Ioanna Alifieraki +Acked-by: Manfred Spraul +Acked-by: Herton R. Krzesinski +Cc: Arnd Bergmann +Cc: Catalin Marinas +Cc: +Cc: Joel Fernandes (Google) +Cc: Davidlohr Bueso +Cc: Jay Vosburgh +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/sem.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/ipc/sem.c ++++ b/ipc/sem.c +@@ -2345,11 +2345,9 @@ void exit_sem(struct task_struct *tsk) + ipc_assert_locked_object(&sma->sem_perm); + list_del(&un->list_id); + +- /* we are the last process using this ulp, acquiring ulp->lock +- * isn't required. Besides that, we are also protected against +- * IPC_RMID as we hold sma->sem_perm lock now +- */ ++ spin_lock(&ulp->lock); + list_del_rcu(&un->list_proc); ++ spin_unlock(&ulp->lock); + + /* perform adjustments registered in un */ + for (i = 0; i < sma->sem_nsems; i++) { diff --git a/queue-4.19/serdev-ttyport-restore-client-ops-on-deregistration.patch b/queue-4.19/serdev-ttyport-restore-client-ops-on-deregistration.patch new file mode 100644 index 00000000000..2cdf81e962c --- /dev/null +++ b/queue-4.19/serdev-ttyport-restore-client-ops-on-deregistration.patch @@ -0,0 +1,107 @@ +From 0c5aae59270fb1f827acce182786094c9ccf598e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 10 Feb 2020 15:57:30 +0100 +Subject: serdev: ttyport: restore client ops on deregistration + +From: Johan Hovold + +commit 0c5aae59270fb1f827acce182786094c9ccf598e upstream. + +The serdev tty-port controller driver should reset the tty-port client +operations also on deregistration to avoid a NULL-pointer dereference in +case the port is later re-registered as a normal tty device. + +Note that this can only happen with tty drivers such as 8250 which have +statically allocated port structures that can end up being reused and +where a later registration would not register a serdev controller (e.g. +due to registration errors or if the devicetree has been changed in +between). + +Specifically, this can be an issue for any statically defined ports that +would be registered by 8250 core when an 8250 driver is being unbound. + +Fixes: bed35c6dfa6a ("serdev: add a tty port controller driver") +Cc: stable # 4.11 +Reported-by: Loic Poulain +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20200210145730.22762-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serdev/serdev-ttyport.c | 6 ++---- + drivers/tty/tty_port.c | 5 +++-- + include/linux/tty.h | 2 ++ + 3 files changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/tty/serdev/serdev-ttyport.c ++++ b/drivers/tty/serdev/serdev-ttyport.c +@@ -265,7 +265,6 @@ struct device *serdev_tty_port_register( + struct device *parent, + struct tty_driver *drv, int idx) + { +- const struct tty_port_client_operations *old_ops; + struct serdev_controller *ctrl; + struct serport *serport; + int ret; +@@ -284,7 +283,6 @@ struct device *serdev_tty_port_register( + + ctrl->ops = &ctrl_ops; + +- old_ops = port->client_ops; + port->client_ops = &client_ops; + port->client_data = ctrl; + +@@ -297,7 +295,7 @@ struct device *serdev_tty_port_register( + + err_reset_data: + port->client_data = NULL; +- port->client_ops = old_ops; ++ port->client_ops = &tty_port_default_client_ops; + serdev_controller_put(ctrl); + + return ERR_PTR(ret); +@@ -312,8 +310,8 @@ int serdev_tty_port_unregister(struct tt + return -ENODEV; + + serdev_controller_remove(ctrl); +- port->client_ops = NULL; + port->client_data = NULL; ++ port->client_ops = &tty_port_default_client_ops; + serdev_controller_put(ctrl); + + return 0; +--- a/drivers/tty/tty_port.c ++++ b/drivers/tty/tty_port.c +@@ -52,10 +52,11 @@ static void tty_port_default_wakeup(stru + } + } + +-static const struct tty_port_client_operations default_client_ops = { ++const struct tty_port_client_operations tty_port_default_client_ops = { + .receive_buf = tty_port_default_receive_buf, + .write_wakeup = tty_port_default_wakeup, + }; ++EXPORT_SYMBOL_GPL(tty_port_default_client_ops); + + void tty_port_init(struct tty_port *port) + { +@@ -68,7 +69,7 @@ void tty_port_init(struct tty_port *port + spin_lock_init(&port->lock); + port->close_delay = (50 * HZ) / 100; + port->closing_wait = (3000 * HZ) / 100; +- port->client_ops = &default_client_ops; ++ port->client_ops = &tty_port_default_client_ops; + kref_init(&port->kref); + } + EXPORT_SYMBOL(tty_port_init); +--- a/include/linux/tty.h ++++ b/include/linux/tty.h +@@ -225,6 +225,8 @@ struct tty_port_client_operations { + void (*write_wakeup)(struct tty_port *port); + }; + ++extern const struct tty_port_client_operations tty_port_default_client_ops; ++ + struct tty_port { + struct tty_bufhead buf; /* Locked internally */ + struct tty_struct *tty; /* Back pointer */ diff --git a/queue-4.19/serial-8250-check-upf_irq_shared-in-advance.patch b/queue-4.19/serial-8250-check-upf_irq_shared-in-advance.patch new file mode 100644 index 00000000000..9debf594fa5 --- /dev/null +++ b/queue-4.19/serial-8250-check-upf_irq_shared-in-advance.patch @@ -0,0 +1,128 @@ +From 7febbcbc48fc92e3f33863b32ed715ba4aff18c4 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Tue, 11 Feb 2020 15:55:59 +0200 +Subject: serial: 8250: Check UPF_IRQ_SHARED in advance + +From: Andy Shevchenko + +commit 7febbcbc48fc92e3f33863b32ed715ba4aff18c4 upstream. + +The commit 54e53b2e8081 + ("tty: serial: 8250: pass IRQ shared flag to UART ports") +nicely explained the problem: + +---8<---8<--- + +On some systems IRQ lines between multiple UARTs might be shared. If so, the +irqflags have to be configured accordingly. The reason is: The 8250 port startup +code performs IRQ tests *before* the IRQ handler for that particular port is +registered. This is performed in serial8250_do_startup(). This function checks +whether IRQF_SHARED is configured and only then disables the IRQ line while +testing. + +This test is performed upon each open() of the UART device. Imagine two UARTs +share the same IRQ line: On is already opened and the IRQ is active. When the +second UART is opened, the IRQ line has to be disabled while performing IRQ +tests. Otherwise an IRQ might handler might be invoked, but the IRQ itself +cannot be handled, because the corresponding handler isn't registered, +yet. That's because the 8250 code uses a chain-handler and invokes the +corresponding port's IRQ handling routines himself. + +Unfortunately this IRQF_SHARED flag isn't configured for UARTs probed via device +tree even if the IRQs are shared. This way, the actual and shared IRQ line isn't +disabled while performing tests and the kernel correctly detects a spurious +IRQ. So, adding this flag to the DT probe solves the issue. + +Note: The UPF_SHARE_IRQ flag is configured unconditionally. Therefore, the +IRQF_SHARED flag can be set unconditionally as well. + +Example stack trace by performing `echo 1 > /dev/ttyS2` on a non-patched system: + +|irq 85: nobody cared (try booting with the "irqpoll" option) +| [...] +|handlers: +|[] irq_default_primary_handler threaded [] serial8250_interrupt +|Disabling IRQ #85 + +---8<---8<--- + +But unfortunately didn't fix the root cause. Let's try again here by moving +IRQ flag assignment from serial_link_irq_chain() to serial8250_do_startup(). + +This should fix the similar issue reported for 8250_pnp case. + +Since this change we don't need to have custom solutions in 8250_aspeed_vuart +and 8250_of drivers, thus, drop them. + +Fixes: 1c2f04937b3e ("serial: 8250: add IRQ trigger support") +Reported-by: Li RongQing +Cc: Kurt Kanzenbach +Cc: Vikram Pandita +Signed-off-by: Andy Shevchenko +Cc: stable +Acked-by: Kurt Kanzenbach +Link: https://lore.kernel.org/r/20200211135559.85960-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_aspeed_vuart.c | 1 - + drivers/tty/serial/8250/8250_core.c | 5 ++--- + drivers/tty/serial/8250/8250_of.c | 1 - + drivers/tty/serial/8250/8250_port.c | 4 ++++ + 4 files changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/tty/serial/8250/8250_aspeed_vuart.c ++++ b/drivers/tty/serial/8250/8250_aspeed_vuart.c +@@ -375,7 +375,6 @@ static int aspeed_vuart_probe(struct pla + port.port.line = rc; + + port.port.irq = irq_of_parse_and_map(np, 0); +- port.port.irqflags = IRQF_SHARED; + port.port.handle_irq = aspeed_vuart_handle_irq; + port.port.iotype = UPIO_MEM; + port.port.type = PORT_16550A; +--- a/drivers/tty/serial/8250/8250_core.c ++++ b/drivers/tty/serial/8250/8250_core.c +@@ -177,7 +177,7 @@ static int serial_link_irq_chain(struct + struct hlist_head *h; + struct hlist_node *n; + struct irq_info *i; +- int ret, irq_flags = up->port.flags & UPF_SHARE_IRQ ? IRQF_SHARED : 0; ++ int ret; + + mutex_lock(&hash_mutex); + +@@ -212,9 +212,8 @@ static int serial_link_irq_chain(struct + INIT_LIST_HEAD(&up->list); + i->head = &up->list; + spin_unlock_irq(&i->lock); +- irq_flags |= up->port.irqflags; + ret = request_irq(up->port.irq, serial8250_interrupt, +- irq_flags, up->port.name, i); ++ up->port.irqflags, up->port.name, i); + if (ret < 0) + serial_do_unlink(i, up); + } +--- a/drivers/tty/serial/8250/8250_of.c ++++ b/drivers/tty/serial/8250/8250_of.c +@@ -171,7 +171,6 @@ static int of_platform_serial_setup(stru + + port->type = type; + port->uartclk = clk; +- port->irqflags |= IRQF_SHARED; + + if (of_property_read_bool(np, "no-loopback-test")) + port->flags |= UPF_SKIP_TEST; +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2253,6 +2253,10 @@ int serial8250_do_startup(struct uart_po + } + } + ++ /* Check if we need to have shared IRQs */ ++ if (port->irq && (up->port.flags & UPF_SHARE_IRQ)) ++ up->port.irqflags |= IRQF_SHARED; ++ + if (port->irq && !(up->port.flags & UPF_NO_THRE_TEST)) { + unsigned char iir1; + /* diff --git a/queue-4.19/series b/queue-4.19/series index 2be647efceb..4620e80df43 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -32,3 +32,17 @@ staging-rtl8188eu-fix-potential-security-hole.patch staging-rtl8188eu-fix-potential-overuse-of-kernel-memory.patch staging-rtl8723bs-fix-potential-security-hole.patch staging-rtl8723bs-fix-potential-overuse-of-kernel-memory.patch +powerpc-tm-fix-clearing-msr-in-current-when-reclaiming-on-signal-delivery.patch +jbd2-fix-ocfs2-corrupt-when-clearing-block-group-bits.patch +x86-mce-amd-publish-the-bank-pointer-only-after-setup-has-succeeded.patch +x86-mce-amd-fix-kobject-lifetime.patch +x86-cpu-amd-enable-the-fixed-instructions-retired-counter-irperf.patch +serial-8250-check-upf_irq_shared-in-advance.patch +tty-serial-atmel-manage-shutdown-in-case-of-rs485-or-iso7816-mode.patch +tty-serial-imx-setup-the-correct-sg-entry-for-tx-dma.patch +serdev-ttyport-restore-client-ops-on-deregistration.patch +maintainers-update-drm-i915-bug-filing-url.patch +revert-ipc-sem-remove-uneeded-sem_undo_list-lock-usage-in-exit_sem.patch +mm-memcontrol.c-lost-css_put-in-memcg_expand_shrinker_maps.patch +nvme-multipath-fix-memory-leak-with-ana_log_buf.patch +genirq-irqdomain-make-sure-all-irq-domain-flags-are-distinct.patch diff --git a/queue-4.19/tty-serial-atmel-manage-shutdown-in-case-of-rs485-or-iso7816-mode.patch b/queue-4.19/tty-serial-atmel-manage-shutdown-in-case-of-rs485-or-iso7816-mode.patch new file mode 100644 index 00000000000..da5f964e5b4 --- /dev/null +++ b/queue-4.19/tty-serial-atmel-manage-shutdown-in-case-of-rs485-or-iso7816-mode.patch @@ -0,0 +1,36 @@ +From 04b5bfe3dc94e64d0590c54045815cb5183fb095 Mon Sep 17 00:00:00 2001 +From: Nicolas Ferre +Date: Mon, 10 Feb 2020 16:20:53 +0100 +Subject: tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode + +From: Nicolas Ferre + +commit 04b5bfe3dc94e64d0590c54045815cb5183fb095 upstream. + +In atmel_shutdown() we call atmel_stop_rx() and atmel_stop_tx() functions. +Prevent the rx restart that is implemented in RS485 or ISO7816 modes when +calling atmel_stop_tx() by using the atomic information tasklet_shutdown +that is already in place for this purpose. + +Fixes: 98f2082c3ac4 ("tty/serial: atmel: enforce tasklet init and termination sequences") +Signed-off-by: Nicolas Ferre +Cc: stable +Link: https://lore.kernel.org/r/20200210152053.8289-1-nicolas.ferre@microchip.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/atmel_serial.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -490,7 +490,8 @@ static void atmel_stop_tx(struct uart_po + atmel_uart_writel(port, ATMEL_US_IDR, atmel_port->tx_done_mask); + + if (atmel_uart_is_half_duplex(port)) +- atmel_start_rx(port); ++ if (!atomic_read(&atmel_port->tasklet_shutdown)) ++ atmel_start_rx(port); + + } + diff --git a/queue-4.19/tty-serial-imx-setup-the-correct-sg-entry-for-tx-dma.patch b/queue-4.19/tty-serial-imx-setup-the-correct-sg-entry-for-tx-dma.patch new file mode 100644 index 00000000000..47b85def76e --- /dev/null +++ b/queue-4.19/tty-serial-imx-setup-the-correct-sg-entry-for-tx-dma.patch @@ -0,0 +1,110 @@ +From f76707831829530ffdd3888bebc108aecefccaa0 Mon Sep 17 00:00:00 2001 +From: Fugang Duan +Date: Tue, 11 Feb 2020 14:16:01 +0800 +Subject: tty: serial: imx: setup the correct sg entry for tx dma +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fugang Duan + +commit f76707831829530ffdd3888bebc108aecefccaa0 upstream. + +There has oops as below happen on i.MX8MP EVK platform that has +6G bytes DDR memory. + +when (xmit->tail < xmit->head) && (xmit->head == 0), +it setups one sg entry with sg->length is zero: + sg_set_buf(sgl + 1, xmit->buf, xmit->head); + +if xmit->buf is allocated from >4G address space, and SDMA only +support <4G address space, then dma_map_sg() will call swiotlb_map() +to do bounce buffer copying and mapping. + +But swiotlb_map() don't allow sg entry's length is zero, otherwise +report BUG_ON(). + +So the patch is to correct the tx DMA scatter list. + +Oops: +[ 287.675715] kernel BUG at kernel/dma/swiotlb.c:497! +[ 287.680592] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +[ 287.686075] Modules linked in: +[ 287.689133] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.3-00016-g3fdc4e0-dirty #10 +[ 287.696872] Hardware name: FSL i.MX8MP EVK (DT) +[ 287.701402] pstate: 80000085 (Nzcv daIf -PAN -UAO) +[ 287.706199] pc : swiotlb_tbl_map_single+0x1fc/0x310 +[ 287.711076] lr : swiotlb_map+0x60/0x148 +[ 287.714909] sp : ffff800010003c00 +[ 287.718221] x29: ffff800010003c00 x28: 0000000000000000 +[ 287.723533] x27: 0000000000000040 x26: ffff800011ae0000 +[ 287.728844] x25: ffff800011ae09f8 x24: 0000000000000000 +[ 287.734155] x23: 00000001b7af9000 x22: 0000000000000000 +[ 287.739465] x21: ffff000176409c10 x20: 00000000001f7ffe +[ 287.744776] x19: ffff000176409c10 x18: 000000000000002e +[ 287.750087] x17: 0000000000000000 x16: 0000000000000000 +[ 287.755397] x15: 0000000000000000 x14: 0000000000000000 +[ 287.760707] x13: ffff00017f334000 x12: 0000000000000001 +[ 287.766018] x11: 00000000001fffff x10: 0000000000000000 +[ 287.771328] x9 : 0000000000000003 x8 : 0000000000000000 +[ 287.776638] x7 : 0000000000000000 x6 : 0000000000000000 +[ 287.781949] x5 : 0000000000200000 x4 : 0000000000000000 +[ 287.787259] x3 : 0000000000000001 x2 : 00000001b7af9000 +[ 287.792570] x1 : 00000000fbfff000 x0 : 0000000000000000 +[ 287.797881] Call trace: +[ 287.800328] swiotlb_tbl_map_single+0x1fc/0x310 +[ 287.804859] swiotlb_map+0x60/0x148 +[ 287.808347] dma_direct_map_page+0xf0/0x130 +[ 287.812530] dma_direct_map_sg+0x78/0xe0 +[ 287.816453] imx_uart_dma_tx+0x134/0x2f8 +[ 287.820374] imx_uart_dma_tx_callback+0xd8/0x168 +[ 287.824992] vchan_complete+0x194/0x200 +[ 287.828828] tasklet_action_common.isra.0+0x154/0x1a0 +[ 287.833879] tasklet_action+0x24/0x30 +[ 287.837540] __do_softirq+0x120/0x23c +[ 287.841202] irq_exit+0xb8/0xd8 +[ 287.844343] __handle_domain_irq+0x64/0xb8 +[ 287.848438] gic_handle_irq+0x5c/0x148 +[ 287.852185] el1_irq+0xb8/0x180 +[ 287.855327] cpuidle_enter_state+0x84/0x360 +[ 287.859508] cpuidle_enter+0x34/0x48 +[ 287.863083] call_cpuidle+0x18/0x38 +[ 287.866571] do_idle+0x1e0/0x280 +[ 287.869798] cpu_startup_entry+0x20/0x40 +[ 287.873721] rest_init+0xd4/0xe0 +[ 287.876949] arch_call_rest_init+0xc/0x14 +[ 287.880958] start_kernel+0x420/0x44c +[ 287.884622] Code: 9124c021 9417aff8 a94363f7 17ffffd5 (d4210000) +[ 287.890718] ---[ end trace 5bc44c4ab6b009ce ]--- +[ 287.895334] Kernel panic - not syncing: Fatal exception in interrupt +[ 287.901686] SMP: stopping secondary CPUs +[ 288.905607] SMP: failed to stop secondary CPUs 0-1 +[ 288.910395] Kernel Offset: disabled +[ 288.913882] CPU features: 0x0002,2000200c +[ 288.917888] Memory Limit: none +[ 288.920944] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- + +Reported-by: Eagle Zhou +Tested-by: Eagle Zhou +Signed-off-by: Fugang Duan +Cc: stable +Fixes: 7942f8577f2a ("serial: imx: TX DMA: clean up sg initialization") +Reviewed-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/1581401761-6378-1-git-send-email-fugang.duan@nxp.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/imx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -608,7 +608,7 @@ static void imx_uart_dma_tx(struct imx_p + + sport->tx_bytes = uart_circ_chars_pending(xmit); + +- if (xmit->tail < xmit->head) { ++ if (xmit->tail < xmit->head || xmit->head == 0) { + sport->dma_tx_nents = 1; + sg_init_one(sgl, xmit->buf + xmit->tail, sport->tx_bytes); + } else { diff --git a/queue-4.19/x86-cpu-amd-enable-the-fixed-instructions-retired-counter-irperf.patch b/queue-4.19/x86-cpu-amd-enable-the-fixed-instructions-retired-counter-irperf.patch new file mode 100644 index 00000000000..209b1f31249 --- /dev/null +++ b/queue-4.19/x86-cpu-amd-enable-the-fixed-instructions-retired-counter-irperf.patch @@ -0,0 +1,113 @@ +From 21b5ee59ef18e27d85810584caf1f7ddc705ea83 Mon Sep 17 00:00:00 2001 +From: Kim Phillips +Date: Wed, 19 Feb 2020 18:52:43 +0100 +Subject: x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF + +From: Kim Phillips + +commit 21b5ee59ef18e27d85810584caf1f7ddc705ea83 upstream. + +Commit + + aaf248848db50 ("perf/x86/msr: Add AMD IRPERF (Instructions Retired) + performance counter") + +added support for access to the free-running counter via 'perf -e +msr/irperf/', but when exercised, it always returns a 0 count: + +BEFORE: + + $ perf stat -e instructions,msr/irperf/ true + + Performance counter stats for 'true': + + 624,833 instructions + 0 msr/irperf/ + +Simply set its enable bit - HWCR bit 30 - to make it start counting. + +Enablement is restricted to all machines advertising IRPERF capability, +except those susceptible to an erratum that makes the IRPERF return +bad values. + +That erratum occurs in Family 17h models 00-1fh [1], but not in F17h +models 20h and above [2]. + +AFTER (on a family 17h model 31h machine): + + $ perf stat -e instructions,msr/irperf/ true + + Performance counter stats for 'true': + + 621,690 instructions + 622,490 msr/irperf/ + +[1] Revision Guide for AMD Family 17h Models 00h-0Fh Processors +[2] Revision Guide for AMD Family 17h Models 30h-3Fh Processors + +The revision guides are available from the bugzilla Link below. + + [ bp: Massage commit message. ] + +Fixes: aaf248848db50 ("perf/x86/msr: Add AMD IRPERF (Instructions Retired) performance counter") +Signed-off-by: Kim Phillips +Signed-off-by: Borislav Petkov +Cc: Peter Zijlstra +Cc: stable@vger.kernel.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537 +Link: http://lkml.kernel.org/r/20200214201805.13830-1-kim.phillips@amd.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/msr-index.h | 2 ++ + arch/x86/kernel/cpu/amd.c | 14 ++++++++++++++ + 2 files changed, 16 insertions(+) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -455,6 +455,8 @@ + #define MSR_K7_HWCR 0xc0010015 + #define MSR_K7_HWCR_SMMLOCK_BIT 0 + #define MSR_K7_HWCR_SMMLOCK BIT_ULL(MSR_K7_HWCR_SMMLOCK_BIT) ++#define MSR_K7_HWCR_IRPERF_EN_BIT 30 ++#define MSR_K7_HWCR_IRPERF_EN BIT_ULL(MSR_K7_HWCR_IRPERF_EN_BIT) + #define MSR_K7_FID_VID_CTL 0xc0010041 + #define MSR_K7_FID_VID_STATUS 0xc0010042 + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -25,6 +25,7 @@ + + static const int amd_erratum_383[]; + static const int amd_erratum_400[]; ++static const int amd_erratum_1054[]; + static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum); + + /* +@@ -983,6 +984,15 @@ static void init_amd(struct cpuinfo_x86 + /* AMD CPUs don't reset SS attributes on SYSRET, Xen does. */ + if (!cpu_has(c, X86_FEATURE_XENPV)) + set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS); ++ ++ /* ++ * Turn on the Instructions Retired free counter on machines not ++ * susceptible to erratum #1054 "Instructions Retired Performance ++ * Counter May Be Inaccurate". ++ */ ++ if (cpu_has(c, X86_FEATURE_IRPERF) && ++ !cpu_has_amd_erratum(c, amd_erratum_1054)) ++ msr_set_bit(MSR_K7_HWCR, MSR_K7_HWCR_IRPERF_EN_BIT); + } + + #ifdef CONFIG_X86_32 +@@ -1110,6 +1120,10 @@ static const int amd_erratum_400[] = + static const int amd_erratum_383[] = + AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf)); + ++/* #1054: Instructions Retired Performance Counter May Be Inaccurate */ ++static const int amd_erratum_1054[] = ++ AMD_OSVW_ERRATUM(0, AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); ++ + + static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) + { diff --git a/queue-4.19/x86-mce-amd-fix-kobject-lifetime.patch b/queue-4.19/x86-mce-amd-fix-kobject-lifetime.patch new file mode 100644 index 00000000000..25698e0a25c --- /dev/null +++ b/queue-4.19/x86-mce-amd-fix-kobject-lifetime.patch @@ -0,0 +1,87 @@ +From 51dede9c05df2b78acd6dcf6a17d21f0877d2d7b Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 13 Feb 2020 19:01:34 +0100 +Subject: x86/mce/amd: Fix kobject lifetime + +From: Thomas Gleixner + +commit 51dede9c05df2b78acd6dcf6a17d21f0877d2d7b upstream. + +Accessing the MCA thresholding controls in sysfs concurrently with CPU +hotplug can lead to a couple of KASAN-reported issues: + + BUG: KASAN: use-after-free in sysfs_file_ops+0x155/0x180 + Read of size 8 at addr ffff888367578940 by task grep/4019 + +and + + BUG: KASAN: use-after-free in show_error_count+0x15c/0x180 + Read of size 2 at addr ffff888368a05514 by task grep/4454 + +for example. Both result from the fact that the threshold block +creation/teardown code frees the descriptor memory itself instead of +defining proper ->release function and leaving it to the driver core to +take care of that, after all sysfs accesses have completed. + +Do that and get rid of the custom freeing code, fixing the above UAFs in +the process. + + [ bp: write commit message. ] + +Fixes: 95268664390b ("[PATCH] x86_64: mce_amd support for family 0x10 processors") +Signed-off-by: Thomas Gleixner +Signed-off-by: Borislav Petkov +Cc: +Link: https://lkml.kernel.org/r/20200214082801.13836-1-bp@alien8.de +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce_amd.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c ++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c +@@ -1117,9 +1117,12 @@ static const struct sysfs_ops threshold_ + .store = store, + }; + ++static void threshold_block_release(struct kobject *kobj); ++ + static struct kobj_type threshold_ktype = { + .sysfs_ops = &threshold_ops, + .default_attrs = default_attrs, ++ .release = threshold_block_release, + }; + + static const char *get_name(unsigned int bank, struct threshold_block *b) +@@ -1321,8 +1324,12 @@ static int threshold_create_bank(unsigne + return err; + } + +-static void deallocate_threshold_block(unsigned int cpu, +- unsigned int bank) ++static void threshold_block_release(struct kobject *kobj) ++{ ++ kfree(to_block(kobj)); ++} ++ ++static void deallocate_threshold_block(unsigned int cpu, unsigned int bank) + { + struct threshold_block *pos = NULL; + struct threshold_block *tmp = NULL; +@@ -1332,13 +1339,11 @@ static void deallocate_threshold_block(u + return; + + list_for_each_entry_safe(pos, tmp, &head->blocks->miscj, miscj) { +- kobject_put(&pos->kobj); + list_del(&pos->miscj); +- kfree(pos); ++ kobject_put(&pos->kobj); + } + +- kfree(per_cpu(threshold_banks, cpu)[bank]->blocks); +- per_cpu(threshold_banks, cpu)[bank]->blocks = NULL; ++ kobject_put(&head->blocks->kobj); + } + + static void __threshold_remove_blocks(struct threshold_bank *b) diff --git a/queue-4.19/x86-mce-amd-publish-the-bank-pointer-only-after-setup-has-succeeded.patch b/queue-4.19/x86-mce-amd-publish-the-bank-pointer-only-after-setup-has-succeeded.patch new file mode 100644 index 00000000000..9a209372b63 --- /dev/null +++ b/queue-4.19/x86-mce-amd-publish-the-bank-pointer-only-after-setup-has-succeeded.patch @@ -0,0 +1,104 @@ +From 6e5cf31fbe651bed7ba1df768f2e123531132417 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Tue, 4 Feb 2020 13:28:41 +0100 +Subject: x86/mce/amd: Publish the bank pointer only after setup has succeeded + +From: Borislav Petkov + +commit 6e5cf31fbe651bed7ba1df768f2e123531132417 upstream. + +threshold_create_bank() creates a bank descriptor per MCA error +thresholding counter which can be controlled over sysfs. It publishes +the pointer to that bank in a per-CPU variable and then goes on to +create additional thresholding blocks if the bank has such. + +However, that creation of additional blocks in +allocate_threshold_blocks() can fail, leading to a use-after-free +through the per-CPU pointer. + +Therefore, publish that pointer only after all blocks have been setup +successfully. + +Fixes: 019f34fccfd5 ("x86, MCE, AMD: Move shared bank to node descriptor") +Reported-by: Saar Amar +Reported-by: Dan Carpenter +Signed-off-by: Borislav Petkov +Cc: +Link: http://lkml.kernel.org/r/20200128140846.phctkvx5btiexvbx@kili.mountain +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce_amd.c | 33 ++++++++++++++++----------------- + 1 file changed, 16 insertions(+), 17 deletions(-) + +--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c ++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c +@@ -1152,8 +1152,9 @@ static const char *get_name(unsigned int + return buf_mcatype; + } + +-static int allocate_threshold_blocks(unsigned int cpu, unsigned int bank, +- unsigned int block, u32 address) ++static int allocate_threshold_blocks(unsigned int cpu, struct threshold_bank *tb, ++ unsigned int bank, unsigned int block, ++ u32 address) + { + struct threshold_block *b = NULL; + u32 low, high; +@@ -1197,16 +1198,12 @@ static int allocate_threshold_blocks(uns + + INIT_LIST_HEAD(&b->miscj); + +- if (per_cpu(threshold_banks, cpu)[bank]->blocks) { +- list_add(&b->miscj, +- &per_cpu(threshold_banks, cpu)[bank]->blocks->miscj); +- } else { +- per_cpu(threshold_banks, cpu)[bank]->blocks = b; +- } ++ if (tb->blocks) ++ list_add(&b->miscj, &tb->blocks->miscj); ++ else ++ tb->blocks = b; + +- err = kobject_init_and_add(&b->kobj, &threshold_ktype, +- per_cpu(threshold_banks, cpu)[bank]->kobj, +- get_name(bank, b)); ++ err = kobject_init_and_add(&b->kobj, &threshold_ktype, tb->kobj, get_name(bank, b)); + if (err) + goto out_free; + recurse: +@@ -1214,7 +1211,7 @@ recurse: + if (!address) + return 0; + +- err = allocate_threshold_blocks(cpu, bank, block, address); ++ err = allocate_threshold_blocks(cpu, tb, bank, block, address); + if (err) + goto out_free; + +@@ -1299,8 +1296,6 @@ static int threshold_create_bank(unsigne + goto out_free; + } + +- per_cpu(threshold_banks, cpu)[bank] = b; +- + if (is_shared_bank(bank)) { + refcount_set(&b->cpus, 1); + +@@ -1311,9 +1306,13 @@ static int threshold_create_bank(unsigne + } + } + +- err = allocate_threshold_blocks(cpu, bank, 0, msr_ops.misc(bank)); +- if (!err) +- goto out; ++ err = allocate_threshold_blocks(cpu, b, bank, 0, msr_ops.misc(bank)); ++ if (err) ++ goto out_free; ++ ++ per_cpu(threshold_banks, cpu)[bank] = b; ++ ++ return 0; + + out_free: + kfree(b);