From: Sasha Levin Date: Mon, 13 Jun 2022 00:59:20 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v4.9.318~90 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a28391e476b068797d85c056c14c8911a60f16d3;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/ceph-allow-ceph.dir.rctime-xattr-to-be-updatable.patch-27466 b/queue-5.10/ceph-allow-ceph.dir.rctime-xattr-to-be-updatable.patch-27466 new file mode 100644 index 00000000000..3e6916d8847 --- /dev/null +++ b/queue-5.10/ceph-allow-ceph.dir.rctime-xattr-to-be-updatable.patch-27466 @@ -0,0 +1,67 @@ +From e302d24f0ada102fe3fc387638d62e4d3b304fd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Mar 2022 09:34:19 -0500 +Subject: ceph: allow ceph.dir.rctime xattr to be updatable + +From: Venky Shankar + +[ Upstream commit d7a2dc523085f8b8c60548ceedc696934aefeb0e ] + +`rctime' has been a pain point in cephfs due to its buggy +nature - inconsistent values reported and those sorts. +Fixing rctime is non-trivial needing an overall redesign +of the entire nested statistics infrastructure. + +As a workaround, PR + + http://github.com/ceph/ceph/pull/37938 + +allows this extended attribute to be manually set. This allows +users to "fixup" inconsistent rctime values. While this sounds +messy, its probably the wisest approach allowing users/scripts +to workaround buggy rctime values. + +The above PR enables Ceph MDS to allow manually setting +rctime extended attribute with the corresponding user-land +changes. We may as well allow the same to be done via kclient +for parity. + +Signed-off-by: Venky Shankar +Reviewed-by: Xiubo Li +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/xattr.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c +index 197cb1234341..76322c0f6e5f 100644 +--- a/fs/ceph/xattr.c ++++ b/fs/ceph/xattr.c +@@ -317,6 +317,14 @@ static ssize_t ceph_vxattrcb_snap_btime(struct ceph_inode_info *ci, char *val, + } + #define XATTR_RSTAT_FIELD(_type, _name) \ + XATTR_NAME_CEPH(_type, _name, VXATTR_FLAG_RSTAT) ++#define XATTR_RSTAT_FIELD_UPDATABLE(_type, _name) \ ++ { \ ++ .name = CEPH_XATTR_NAME(_type, _name), \ ++ .name_size = sizeof (CEPH_XATTR_NAME(_type, _name)), \ ++ .getxattr_cb = ceph_vxattrcb_ ## _type ## _ ## _name, \ ++ .exists_cb = NULL, \ ++ .flags = VXATTR_FLAG_RSTAT, \ ++ } + #define XATTR_LAYOUT_FIELD(_type, _name, _field) \ + { \ + .name = CEPH_XATTR_NAME2(_type, _name, _field), \ +@@ -354,7 +362,7 @@ static struct ceph_vxattr ceph_dir_vxattrs[] = { + XATTR_RSTAT_FIELD(dir, rfiles), + XATTR_RSTAT_FIELD(dir, rsubdirs), + XATTR_RSTAT_FIELD(dir, rbytes), +- XATTR_RSTAT_FIELD(dir, rctime), ++ XATTR_RSTAT_FIELD_UPDATABLE(dir, rctime), + { + .name = "ceph.dir.pin", + .name_size = sizeof("ceph.dir.pin"), +-- +2.35.1 + diff --git a/queue-5.10/cifs-version-operations-for-smb20-unneeded-when-lega.patch-7858 b/queue-5.10/cifs-version-operations-for-smb20-unneeded-when-lega.patch-7858 new file mode 100644 index 00000000000..52e58f9ad78 --- /dev/null +++ b/queue-5.10/cifs-version-operations-for-smb20-unneeded-when-lega.patch-7858 @@ -0,0 +1,97 @@ +From 2a06fcd9fb269e22c3c81f9d3b54fdfc161dc35a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 22:08:46 -0500 +Subject: cifs: version operations for smb20 unneeded when legacy support + disabled + +From: Steve French + +[ Upstream commit 7ef93ffccd55fb0ba000ed16ef6a81cd7dee07b5 ] + +We should not be including unused smb20 specific code when legacy +support is disabled (CONFIG_CIFS_ALLOW_INSECURE_LEGACY turned +off). For example smb2_operations and smb2_values aren't used +in that case. Over time we can move more and more SMB1/CIFS and SMB2.0 +code into the insecure legacy ifdefs + +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/cifsglob.h | 4 +++- + fs/cifs/smb2ops.c | 7 ++++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h +index 6599069be690..196285b0fe46 100644 +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -1982,11 +1982,13 @@ extern mempool_t *cifs_mid_poolp; + + /* Operations for different SMB versions */ + #define SMB1_VERSION_STRING "1.0" ++#define SMB20_VERSION_STRING "2.0" ++#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY + extern struct smb_version_operations smb1_operations; + extern struct smb_version_values smb1_values; +-#define SMB20_VERSION_STRING "2.0" + extern struct smb_version_operations smb20_operations; + extern struct smb_version_values smb20_values; ++#endif /* CIFS_ALLOW_INSECURE_LEGACY */ + #define SMB21_VERSION_STRING "2.1" + extern struct smb_version_operations smb21_operations; + extern struct smb_version_values smb21_values; +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 7fea94ebda57..b855abfaaf87 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -4032,11 +4032,13 @@ smb3_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, + } + } + ++#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY + static bool + smb2_is_read_op(__u32 oplock) + { + return oplock == SMB2_OPLOCK_LEVEL_II; + } ++#endif /* CIFS_ALLOW_INSECURE_LEGACY */ + + static bool + smb21_is_read_op(__u32 oplock) +@@ -5122,7 +5124,7 @@ smb2_make_node(unsigned int xid, struct inode *inode, + return rc; + } + +- ++#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY + struct smb_version_operations smb20_operations = { + .compare_fids = smb2_compare_fids, + .setup_request = smb2_setup_request, +@@ -5220,6 +5222,7 @@ struct smb_version_operations smb20_operations = { + .llseek = smb3_llseek, + .is_status_io_timeout = smb2_is_status_io_timeout, + }; ++#endif /* CIFS_ALLOW_INSECURE_LEGACY */ + + struct smb_version_operations smb21_operations = { + .compare_fids = smb2_compare_fids, +@@ -5548,6 +5551,7 @@ struct smb_version_operations smb311_operations = { + .is_status_io_timeout = smb2_is_status_io_timeout, + }; + ++#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY + struct smb_version_values smb20_values = { + .version_string = SMB20_VERSION_STRING, + .protocol_id = SMB20_PROT_ID, +@@ -5568,6 +5572,7 @@ struct smb_version_values smb20_values = { + .signing_required = SMB2_NEGOTIATE_SIGNING_REQUIRED, + .create_lease_size = sizeof(struct create_lease), + }; ++#endif /* ALLOW_INSECURE_LEGACY */ + + struct smb_version_values smb21_values = { + .version_string = SMB21_VERSION_STRING, +-- +2.35.1 + diff --git a/queue-5.10/clocksource-drivers-sp804-avoid-error-on-multiple-in.patch-19066 b/queue-5.10/clocksource-drivers-sp804-avoid-error-on-multiple-in.patch-19066 new file mode 100644 index 00000000000..01f76f8a8cb --- /dev/null +++ b/queue-5.10/clocksource-drivers-sp804-avoid-error-on-multiple-in.patch-19066 @@ -0,0 +1,65 @@ +From bae02a6eef1793947e7965f3219cd4345f6bf778 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 17:25:22 +0100 +Subject: clocksource/drivers/sp804: Avoid error on multiple instances + +From: Andre Przywara + +[ Upstream commit a98399cbc1e05f7b977419f03905501d566cf54e ] + +When a machine sports more than one SP804 timer instance, we only bring +up the first one, since multiple timers of the same kind are not useful +to Linux. As this is intentional behaviour, we should not return an +error message, as we do today: +=============== +[ 0.000800] Failed to initialize '/bus@8000000/motherboard-bus@8000000/iofpga-bus@300000000/timer@120000': -22 +=============== + +Replace the -EINVAL return with a debug message and return 0 instead. + +Also we do not reach the init function anymore if the DT node is +disabled (as this is now handled by OF_DECLARE), so remove the explicit +check for that case. + +This fixes a long standing bogus error when booting ARM's fastmodels. + +Signed-off-by: Andre Przywara +Reviewed-by: Robin Murphy +Link: https://lore.kernel.org/r/20220506162522.3675399-1-andre.przywara@arm.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-sp804.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/clocksource/timer-sp804.c b/drivers/clocksource/timer-sp804.c +index 6e8ad4a4ea3c..bedd3570474b 100644 +--- a/drivers/clocksource/timer-sp804.c ++++ b/drivers/clocksource/timer-sp804.c +@@ -274,6 +274,11 @@ static int __init sp804_of_init(struct device_node *np, struct sp804_timer *time + struct clk *clk1, *clk2; + const char *name = of_get_property(np, "compatible", NULL); + ++ if (initialized) { ++ pr_debug("%pOF: skipping further SP804 timer device\n", np); ++ return 0; ++ } ++ + base = of_iomap(np, 0); + if (!base) + return -ENXIO; +@@ -285,11 +290,6 @@ static int __init sp804_of_init(struct device_node *np, struct sp804_timer *time + writel(0, timer1_base + timer->ctrl); + writel(0, timer2_base + timer->ctrl); + +- if (initialized || !of_device_is_available(np)) { +- ret = -EINVAL; +- goto err; +- } +- + clk1 = of_clk_get(np, 0); + if (IS_ERR(clk1)) + clk1 = NULL; +-- +2.35.1 + diff --git a/queue-5.10/drivers-staging-rtl8192e-fix-deadlock-in-rtllib_beac.patch-27076 b/queue-5.10/drivers-staging-rtl8192e-fix-deadlock-in-rtllib_beac.patch-27076 new file mode 100644 index 00000000000..550a9d276ce --- /dev/null +++ b/queue-5.10/drivers-staging-rtl8192e-fix-deadlock-in-rtllib_beac.patch-27076 @@ -0,0 +1,55 @@ +From 2705bde1781e8e909321831265ac574ea476326f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Apr 2022 22:16:41 +0800 +Subject: drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop() + +From: Duoming Zhou + +[ Upstream commit 9b6bdbd9337de3917945847bde262a34a87a6303 ] + +There is a deadlock in rtllib_beacons_stop(), which is shown +below: + + (Thread 1) | (Thread 2) + | rtllib_send_beacon() +rtllib_beacons_stop() | mod_timer() + spin_lock_irqsave() //(1) | (wait a time) + ... | rtllib_send_beacon_cb() + del_timer_sync() | spin_lock_irqsave() //(2) + (wait timer to stop) | ... + +We hold ieee->beacon_lock in position (1) of thread 1 and +use del_timer_sync() to wait timer to stop, but timer handler +also need ieee->beacon_lock in position (2) of thread 2. +As a result, rtllib_beacons_stop() will block forever. + +This patch extracts del_timer_sync() from the protection of +spin_lock_irqsave(), which could let timer handler to obtain +the needed lock. + +Signed-off-by: Duoming Zhou +Link: https://lore.kernel.org/r/20220417141641.124388-1-duoming@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192e/rtllib_softmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8192e/rtllib_softmac.c b/drivers/staging/rtl8192e/rtllib_softmac.c +index e8e72f79ca00..aeb6f015fdda 100644 +--- a/drivers/staging/rtl8192e/rtllib_softmac.c ++++ b/drivers/staging/rtl8192e/rtllib_softmac.c +@@ -651,9 +651,9 @@ static void rtllib_beacons_stop(struct rtllib_device *ieee) + spin_lock_irqsave(&ieee->beacon_lock, flags); + + ieee->beacon_txing = 0; +- del_timer_sync(&ieee->beacon_timer); + + spin_unlock_irqrestore(&ieee->beacon_lock, flags); ++ del_timer_sync(&ieee->beacon_timer); + + } + +-- +2.35.1 + diff --git a/queue-5.10/drivers-staging-rtl8192u-fix-deadlock-in-ieee80211_b.patch-17013 b/queue-5.10/drivers-staging-rtl8192u-fix-deadlock-in-ieee80211_b.patch-17013 new file mode 100644 index 00000000000..536d126da8c --- /dev/null +++ b/queue-5.10/drivers-staging-rtl8192u-fix-deadlock-in-ieee80211_b.patch-17013 @@ -0,0 +1,54 @@ +From c02c5591b9fe58e05f752c48964e2f036f9c7b76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Apr 2022 21:54:07 +0800 +Subject: drivers: staging: rtl8192u: Fix deadlock in ieee80211_beacons_stop() + +From: Duoming Zhou + +[ Upstream commit 806c7b53414934ba2a39449b31fd1a038e500273 ] + +There is a deadlock in ieee80211_beacons_stop(), which is shown below: + + (Thread 1) | (Thread 2) + | ieee80211_send_beacon() +ieee80211_beacons_stop() | mod_timer() + spin_lock_irqsave() //(1) | (wait a time) + ... | ieee80211_send_beacon_cb() + del_timer_sync() | spin_lock_irqsave() //(2) + (wait timer to stop) | ... + +We hold ieee->beacon_lock in position (1) of thread 1 and use +del_timer_sync() to wait timer to stop, but timer handler +also need ieee->beacon_lock in position (2) of thread 2. +As a result, ieee80211_beacons_stop() will block forever. + +This patch extracts del_timer_sync() from the protection of +spin_lock_irqsave(), which could let timer handler to obtain +the needed lock. + +Signed-off-by: Duoming Zhou +Link: https://lore.kernel.org/r/20220417135407.109536-1-duoming@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192u/ieee80211/ieee80211_softmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac.c +index 690b664df8fa..56a447651644 100644 +--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac.c ++++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac.c +@@ -528,9 +528,9 @@ static void ieee80211_beacons_stop(struct ieee80211_device *ieee) + spin_lock_irqsave(&ieee->beacon_lock, flags); + + ieee->beacon_txing = 0; +- del_timer_sync(&ieee->beacon_timer); + + spin_unlock_irqrestore(&ieee->beacon_lock, flags); ++ del_timer_sync(&ieee->beacon_timer); + } + + void ieee80211_stop_send_beacons(struct ieee80211_device *ieee) +-- +2.35.1 + diff --git a/queue-5.10/drivers-tty-serial-fix-deadlock-in-sa1100_set_termio.patch-14283 b/queue-5.10/drivers-tty-serial-fix-deadlock-in-sa1100_set_termio.patch-14283 new file mode 100644 index 00000000000..5648be2ee9c --- /dev/null +++ b/queue-5.10/drivers-tty-serial-fix-deadlock-in-sa1100_set_termio.patch-14283 @@ -0,0 +1,61 @@ +From 5d7a02c9635ec7ddfcf2fc59692627ceafb2790b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Apr 2022 19:16:26 +0800 +Subject: drivers: tty: serial: Fix deadlock in sa1100_set_termios() + +From: Duoming Zhou + +[ Upstream commit 62b2caef400c1738b6d22f636c628d9f85cd4c4c ] + +There is a deadlock in sa1100_set_termios(), which is shown +below: + + (Thread 1) | (Thread 2) + | sa1100_enable_ms() +sa1100_set_termios() | mod_timer() + spin_lock_irqsave() //(1) | (wait a time) + ... | sa1100_timeout() + del_timer_sync() | spin_lock_irqsave() //(2) + (wait timer to stop) | ... + +We hold sport->port.lock in position (1) of thread 1 and +use del_timer_sync() to wait timer to stop, but timer handler +also need sport->port.lock in position (2) of thread 2. As a result, +sa1100_set_termios() will block forever. + +This patch moves del_timer_sync() before spin_lock_irqsave() +in order to prevent the deadlock. + +Signed-off-by: Duoming Zhou +Link: https://lore.kernel.org/r/20220417111626.7802-1-duoming@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sa1100.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/sa1100.c b/drivers/tty/serial/sa1100.c +index f5fab1dd96bc..aa1cf2ae17a9 100644 +--- a/drivers/tty/serial/sa1100.c ++++ b/drivers/tty/serial/sa1100.c +@@ -448,6 +448,8 @@ sa1100_set_termios(struct uart_port *port, struct ktermios *termios, + baud = uart_get_baud_rate(port, termios, old, 0, port->uartclk/16); + quot = uart_get_divisor(port, baud); + ++ del_timer_sync(&sport->timer); ++ + spin_lock_irqsave(&sport->port.lock, flags); + + sport->port.read_status_mask &= UTSR0_TO_SM(UTSR0_TFS); +@@ -478,8 +480,6 @@ sa1100_set_termios(struct uart_port *port, struct ktermios *termios, + UTSR1_TO_SM(UTSR1_ROR); + } + +- del_timer_sync(&sport->timer); +- + /* + * Update the per-port timeout. + */ +-- +2.35.1 + diff --git a/queue-5.10/drivers-usb-host-fix-deadlock-in-oxu_bus_suspend.patch-6734 b/queue-5.10/drivers-usb-host-fix-deadlock-in-oxu_bus_suspend.patch-6734 new file mode 100644 index 00000000000..48cda51a3ad --- /dev/null +++ b/queue-5.10/drivers-usb-host-fix-deadlock-in-oxu_bus_suspend.patch-6734 @@ -0,0 +1,54 @@ +From 400eedd6cbbe2ab8210b5063719d50fb1a4e8743 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Apr 2022 20:03:05 +0800 +Subject: drivers: usb: host: Fix deadlock in oxu_bus_suspend() + +From: Duoming Zhou + +[ Upstream commit 4d378f2ae58138d4c55684e1d274e7dd94aa6524 ] + +There is a deadlock in oxu_bus_suspend(), which is shown below: + + (Thread 1) | (Thread 2) + | timer_action() +oxu_bus_suspend() | mod_timer() + spin_lock_irq() //(1) | (wait a time) + ... | oxu_watchdog() + del_timer_sync() | spin_lock_irq() //(2) + (wait timer to stop) | ... + +We hold oxu->lock in position (1) of thread 1, and use +del_timer_sync() to wait timer to stop, but timer handler +also need oxu->lock in position (2) of thread 2. As a result, +oxu_bus_suspend() will block forever. + +This patch extracts del_timer_sync() from the protection of +spin_lock_irq(), which could let timer handler to obtain +the needed lock. + +Signed-off-by: Duoming Zhou +Link: https://lore.kernel.org/r/20220417120305.64577-1-duoming@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/oxu210hp-hcd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/host/oxu210hp-hcd.c b/drivers/usb/host/oxu210hp-hcd.c +index e832909a924f..6df2881cd7b9 100644 +--- a/drivers/usb/host/oxu210hp-hcd.c ++++ b/drivers/usb/host/oxu210hp-hcd.c +@@ -3908,8 +3908,10 @@ static int oxu_bus_suspend(struct usb_hcd *hcd) + } + } + ++ spin_unlock_irq(&oxu->lock); + /* turn off now-idle HC */ + del_timer_sync(&oxu->watchdog); ++ spin_lock_irq(&oxu->lock); + ehci_halt(oxu); + hcd->state = HC_STATE_SUSPENDED; + +-- +2.35.1 + diff --git a/queue-5.10/drm-radeon-fix-a-possible-null-pointer-dereference.patch-17377 b/queue-5.10/drm-radeon-fix-a-possible-null-pointer-dereference.patch-17377 new file mode 100644 index 00000000000..701e7ce2be7 --- /dev/null +++ b/queue-5.10/drm-radeon-fix-a-possible-null-pointer-dereference.patch-17377 @@ -0,0 +1,47 @@ +From 129f8909239b623bdb6ea9a54144217412a48fc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 17:57:00 +0800 +Subject: drm/radeon: fix a possible null pointer dereference + +From: Gong Yuanjun + +[ Upstream commit a2b28708b645c5632dc93669ab06e97874c8244f ] + +In radeon_fp_native_mode(), the return value of drm_mode_duplicate() +is assigned to mode, which will lead to a NULL pointer dereference +on failure of drm_mode_duplicate(). Add a check to avoid npd. + +The failure status of drm_cvt_mode() on the other path is checked too. + +Signed-off-by: Gong Yuanjun +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_connectors.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c +index e30834434442..ef111d460be2 100644 +--- a/drivers/gpu/drm/radeon/radeon_connectors.c ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c +@@ -473,6 +473,8 @@ static struct drm_display_mode *radeon_fp_native_mode(struct drm_encoder *encode + native_mode->vdisplay != 0 && + native_mode->clock != 0) { + mode = drm_mode_duplicate(dev, native_mode); ++ if (!mode) ++ return NULL; + mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER; + drm_mode_set_name(mode); + +@@ -487,6 +489,8 @@ static struct drm_display_mode *radeon_fp_native_mode(struct drm_encoder *encode + * simpler. + */ + mode = drm_cvt_mode(dev, native_mode->hdisplay, native_mode->vdisplay, 60, true, false, false); ++ if (!mode) ++ return NULL; + mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER; + DRM_DEBUG_KMS("Adding cvt approximation of native panel mode %s\n", mode->name); + } +-- +2.35.1 + diff --git a/queue-5.10/extcon-modify-extcon-device-to-be-created-after-driv.patch-22062 b/queue-5.10/extcon-modify-extcon-device-to-be-created-after-driv.patch-22062 new file mode 100644 index 00000000000..6c84df14183 --- /dev/null +++ b/queue-5.10/extcon-modify-extcon-device-to-be-created-after-driv.patch-22062 @@ -0,0 +1,100 @@ +From 4eed5dd4537571a5b0d82ed8eb89d18c40f979ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Apr 2022 12:00:05 +0900 +Subject: extcon: Modify extcon device to be created after driver data is set + +From: bumwoo lee + +[ Upstream commit 5dcc2afe716d69f5112ce035cb14f007461ff189 ] + +Currently, someone can invoke the sysfs such as state_show() +intermittently before dev_set_drvdata() is done. +And it can be a cause of kernel Oops because of edev is Null at that time. +So modified the driver registration to after setting drviver data. + +- Oops's backtrace. + +Backtrace: +[] (state_show) from [] (dev_attr_show) +[] (dev_attr_show) from [] (sysfs_kf_seq_show) +[] (sysfs_kf_seq_show) from [] (kernfs_seq_show) +[] (kernfs_seq_show) from [] (seq_read) +[] (seq_read) from [] (kernfs_fop_read) +[] (kernfs_fop_read) from [] (__vfs_read) +[] (__vfs_read) from [] (vfs_read) +[] (vfs_read) from [] (ksys_read) +[] (ksys_read) from [] (sys_read) +[] (sys_read) from [] (__sys_trace_return) + +Signed-off-by: bumwoo lee +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon.c | 29 +++++++++++++++++------------ + 1 file changed, 17 insertions(+), 12 deletions(-) + +diff --git a/drivers/extcon/extcon.c b/drivers/extcon/extcon.c +index e7a9561a826d..356610404bb4 100644 +--- a/drivers/extcon/extcon.c ++++ b/drivers/extcon/extcon.c +@@ -1230,19 +1230,14 @@ int extcon_dev_register(struct extcon_dev *edev) + edev->dev.type = &edev->extcon_dev_type; + } + +- ret = device_register(&edev->dev); +- if (ret) { +- put_device(&edev->dev); +- goto err_dev; +- } +- + spin_lock_init(&edev->lock); +- edev->nh = devm_kcalloc(&edev->dev, edev->max_supported, +- sizeof(*edev->nh), GFP_KERNEL); +- if (!edev->nh) { +- ret = -ENOMEM; +- device_unregister(&edev->dev); +- goto err_dev; ++ if (edev->max_supported) { ++ edev->nh = kcalloc(edev->max_supported, sizeof(*edev->nh), ++ GFP_KERNEL); ++ if (!edev->nh) { ++ ret = -ENOMEM; ++ goto err_alloc_nh; ++ } + } + + for (index = 0; index < edev->max_supported; index++) +@@ -1253,6 +1248,12 @@ int extcon_dev_register(struct extcon_dev *edev) + dev_set_drvdata(&edev->dev, edev); + edev->state = 0; + ++ ret = device_register(&edev->dev); ++ if (ret) { ++ put_device(&edev->dev); ++ goto err_dev; ++ } ++ + mutex_lock(&extcon_dev_list_lock); + list_add(&edev->entry, &extcon_dev_list); + mutex_unlock(&extcon_dev_list_lock); +@@ -1260,6 +1261,9 @@ int extcon_dev_register(struct extcon_dev *edev) + return 0; + + err_dev: ++ if (edev->max_supported) ++ kfree(edev->nh); ++err_alloc_nh: + if (edev->max_supported) + kfree(edev->extcon_dev_type.groups); + err_alloc_groups: +@@ -1320,6 +1324,7 @@ void extcon_dev_unregister(struct extcon_dev *edev) + if (edev->max_supported) { + kfree(edev->extcon_dev_type.groups); + kfree(edev->cables); ++ kfree(edev->nh); + } + + put_device(&edev->dev); +-- +2.35.1 + diff --git a/queue-5.10/iio-dummy-iio_simple_dummy-check-the-return-value-of.patch-26829 b/queue-5.10/iio-dummy-iio_simple_dummy-check-the-return-value-of.patch-26829 new file mode 100644 index 00000000000..2db60f83cf6 --- /dev/null +++ b/queue-5.10/iio-dummy-iio_simple_dummy-check-the-return-value-of.patch-26829 @@ -0,0 +1,88 @@ +From d012df3771a4f2956be904ec24896c1eb66d5a38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 11:14:05 +0800 +Subject: iio: dummy: iio_simple_dummy: check the return value of kstrdup() + +From: Xiaoke Wang + +[ Upstream commit ba93642188a6fed754bf7447f638bc410e05a929 ] + +kstrdup() is also a memory allocation-related function, it returns NULL +when some memory errors happen. So it is better to check the return +value of it so to catch the memory error in time. Besides, there should +have a kfree() to clear up the allocation if we get a failure later in +this function to prevent memory leak. + +Signed-off-by: Xiaoke Wang +Link: https://lore.kernel.org/r/tencent_C920CFCC33B9CC1C63141FE1334A39FF8508@qq.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/dummy/iio_simple_dummy.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/iio/dummy/iio_simple_dummy.c b/drivers/iio/dummy/iio_simple_dummy.c +index c0b7ef900735..c24f609c2ade 100644 +--- a/drivers/iio/dummy/iio_simple_dummy.c ++++ b/drivers/iio/dummy/iio_simple_dummy.c +@@ -575,10 +575,9 @@ static struct iio_sw_device *iio_dummy_probe(const char *name) + */ + + swd = kzalloc(sizeof(*swd), GFP_KERNEL); +- if (!swd) { +- ret = -ENOMEM; +- goto error_kzalloc; +- } ++ if (!swd) ++ return ERR_PTR(-ENOMEM); ++ + /* + * Allocate an IIO device. + * +@@ -590,7 +589,7 @@ static struct iio_sw_device *iio_dummy_probe(const char *name) + indio_dev = iio_device_alloc(parent, sizeof(*st)); + if (!indio_dev) { + ret = -ENOMEM; +- goto error_ret; ++ goto error_free_swd; + } + + st = iio_priv(indio_dev); +@@ -616,6 +615,10 @@ static struct iio_sw_device *iio_dummy_probe(const char *name) + * indio_dev->name = spi_get_device_id(spi)->name; + */ + indio_dev->name = kstrdup(name, GFP_KERNEL); ++ if (!indio_dev->name) { ++ ret = -ENOMEM; ++ goto error_free_device; ++ } + + /* Provide description of available channels */ + indio_dev->channels = iio_dummy_channels; +@@ -632,7 +635,7 @@ static struct iio_sw_device *iio_dummy_probe(const char *name) + + ret = iio_simple_dummy_events_register(indio_dev); + if (ret < 0) +- goto error_free_device; ++ goto error_free_name; + + ret = iio_simple_dummy_configure_buffer(indio_dev); + if (ret < 0) +@@ -649,11 +652,12 @@ static struct iio_sw_device *iio_dummy_probe(const char *name) + iio_simple_dummy_unconfigure_buffer(indio_dev); + error_unregister_events: + iio_simple_dummy_events_unregister(indio_dev); ++error_free_name: ++ kfree(indio_dev->name); + error_free_device: + iio_device_free(indio_dev); +-error_ret: ++error_free_swd: + kfree(swd); +-error_kzalloc: + return ERR_PTR(ret); + } + +-- +2.35.1 + diff --git a/queue-5.10/iio-st_sensors-add-a-local-lock-for-protecting-odr.patch-29552 b/queue-5.10/iio-st_sensors-add-a-local-lock-for-protecting-odr.patch-29552 new file mode 100644 index 00000000000..c480259aa3e --- /dev/null +++ b/queue-5.10/iio-st_sensors-add-a-local-lock-for-protecting-odr.patch-29552 @@ -0,0 +1,123 @@ +From e6990fe7ee0cd995ee35c5d261a920e7701a48c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Feb 2022 15:38:33 +0100 +Subject: iio: st_sensors: Add a local lock for protecting odr + +From: Miquel Raynal + +[ Upstream commit 474010127e2505fc463236470908e1ff5ddb3578 ] + +Right now the (framework) mlock lock is (ab)used for multiple purposes: +1- protecting concurrent accesses over the odr local cache +2- avoid changing samplig frequency whilst buffer is running + +Let's start by handling situation #1 with a local lock. + +Suggested-by: Jonathan Cameron +Cc: Denis Ciocca +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/r/20220207143840.707510-7-miquel.raynal@bootlin.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + .../iio/common/st_sensors/st_sensors_core.c | 24 ++++++++++++++----- + include/linux/iio/common/st_sensors.h | 3 +++ + 2 files changed, 21 insertions(+), 6 deletions(-) + +diff --git a/drivers/iio/common/st_sensors/st_sensors_core.c b/drivers/iio/common/st_sensors/st_sensors_core.c +index 7a69c1be7393..56206fdbceb9 100644 +--- a/drivers/iio/common/st_sensors/st_sensors_core.c ++++ b/drivers/iio/common/st_sensors/st_sensors_core.c +@@ -70,16 +70,18 @@ static int st_sensors_match_odr(struct st_sensor_settings *sensor_settings, + + int st_sensors_set_odr(struct iio_dev *indio_dev, unsigned int odr) + { +- int err; ++ int err = 0; + struct st_sensor_odr_avl odr_out = {0, 0}; + struct st_sensor_data *sdata = iio_priv(indio_dev); + ++ mutex_lock(&sdata->odr_lock); ++ + if (!sdata->sensor_settings->odr.mask) +- return 0; ++ goto unlock_mutex; + + err = st_sensors_match_odr(sdata->sensor_settings, odr, &odr_out); + if (err < 0) +- goto st_sensors_match_odr_error; ++ goto unlock_mutex; + + if ((sdata->sensor_settings->odr.addr == + sdata->sensor_settings->pw.addr) && +@@ -102,7 +104,9 @@ int st_sensors_set_odr(struct iio_dev *indio_dev, unsigned int odr) + if (err >= 0) + sdata->odr = odr_out.hz; + +-st_sensors_match_odr_error: ++unlock_mutex: ++ mutex_unlock(&sdata->odr_lock); ++ + return err; + } + EXPORT_SYMBOL(st_sensors_set_odr); +@@ -364,6 +368,8 @@ int st_sensors_init_sensor(struct iio_dev *indio_dev, + struct st_sensors_platform_data *of_pdata; + int err = 0; + ++ mutex_init(&sdata->odr_lock); ++ + /* If OF/DT pdata exists, it will take precedence of anything else */ + of_pdata = st_sensors_dev_probe(indio_dev->dev.parent, pdata); + if (IS_ERR(of_pdata)) +@@ -557,18 +563,24 @@ int st_sensors_read_info_raw(struct iio_dev *indio_dev, + err = -EBUSY; + goto out; + } else { ++ mutex_lock(&sdata->odr_lock); + err = st_sensors_set_enable(indio_dev, true); +- if (err < 0) ++ if (err < 0) { ++ mutex_unlock(&sdata->odr_lock); + goto out; ++ } + + msleep((sdata->sensor_settings->bootime * 1000) / sdata->odr); + err = st_sensors_read_axis_data(indio_dev, ch, val); +- if (err < 0) ++ if (err < 0) { ++ mutex_unlock(&sdata->odr_lock); + goto out; ++ } + + *val = *val >> ch->scan_type.shift; + + err = st_sensors_set_enable(indio_dev, false); ++ mutex_unlock(&sdata->odr_lock); + } + out: + mutex_unlock(&indio_dev->mlock); +diff --git a/include/linux/iio/common/st_sensors.h b/include/linux/iio/common/st_sensors.h +index 33e939977444..c16a9dda3ad5 100644 +--- a/include/linux/iio/common/st_sensors.h ++++ b/include/linux/iio/common/st_sensors.h +@@ -228,6 +228,7 @@ struct st_sensor_settings { + * @hw_irq_trigger: if we're using the hardware interrupt on the sensor. + * @hw_timestamp: Latest timestamp from the interrupt handler, when in use. + * @buffer_data: Data used by buffer part. ++ * @odr_lock: Local lock for preventing concurrent ODR accesses/changes + */ + struct st_sensor_data { + struct device *dev; +@@ -253,6 +254,8 @@ struct st_sensor_data { + s64 hw_timestamp; + + char buffer_data[ST_SENSORS_MAX_BUFFER_SIZE] ____cacheline_aligned; ++ ++ struct mutex odr_lock; + }; + + #ifdef CONFIG_IIO_BUFFER +-- +2.35.1 + diff --git a/queue-5.10/jump_label-noinstr-avoid-instrumentation-for-jump_la.patch-9176 b/queue-5.10/jump_label-noinstr-avoid-instrumentation-for-jump_la.patch-9176 new file mode 100644 index 00000000000..3fb8c5e70c7 --- /dev/null +++ b/queue-5.10/jump_label-noinstr-avoid-instrumentation-for-jump_la.patch-9176 @@ -0,0 +1,44 @@ +From 5bfa6e6e24a20dd875007dd0ea4d0e442a18cc37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 May 2022 12:30:20 +0200 +Subject: jump_label,noinstr: Avoid instrumentation for JUMP_LABEL=n builds + +From: Peter Zijlstra + +[ Upstream commit 656d054e0a15ec327bd82801ccd58201e59f6896 ] + +When building x86_64 with JUMP_LABEL=n it's possible for +instrumentation to sneak into noinstr: + +vmlinux.o: warning: objtool: exit_to_user_mode+0x14: call to static_key_count.constprop.0() leaves .noinstr.text section +vmlinux.o: warning: objtool: syscall_exit_to_user_mode+0x2d: call to static_key_count.constprop.0() leaves .noinstr.text section +vmlinux.o: warning: objtool: irqentry_exit_to_user_mode+0x1b: call to static_key_count.constprop.0() leaves .noinstr.text section + +Switch to arch_ prefixed atomic to avoid the explicit instrumentation. + +Reported-by: kernel test robot +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Sasha Levin +--- + include/linux/jump_label.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/jump_label.h b/include/linux/jump_label.h +index 32809624d422..e67ee4d7318f 100644 +--- a/include/linux/jump_label.h ++++ b/include/linux/jump_label.h +@@ -249,9 +249,9 @@ extern void static_key_disable_cpuslocked(struct static_key *key); + #include + #include + +-static inline int static_key_count(struct static_key *key) ++static __always_inline int static_key_count(struct static_key *key) + { +- return atomic_read(&key->enabled); ++ return arch_atomic_read(&key->enabled); + } + + static __always_inline void jump_label_init(void) +-- +2.35.1 + diff --git a/queue-5.10/kernfs-separate-kernfs_pr_cont_buf-and-rename_lock.patch-27813 b/queue-5.10/kernfs-separate-kernfs_pr_cont_buf-and-rename_lock.patch-27813 new file mode 100644 index 00000000000..425d78d1468 --- /dev/null +++ b/queue-5.10/kernfs-separate-kernfs_pr_cont_buf-and-rename_lock.patch-27813 @@ -0,0 +1,142 @@ +From 7f480157a495e089b6f214370d752c949fa1e692 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 May 2022 12:09:51 -0700 +Subject: kernfs: Separate kernfs_pr_cont_buf and rename_lock. + +From: Hao Luo + +[ Upstream commit 1a702dc88e150487c9c173a249b3d236498b9183 ] + +Previously the protection of kernfs_pr_cont_buf was piggy backed by +rename_lock, which means that pr_cont() needs to be protected under +rename_lock. This can cause potential circular lock dependencies. + +If there is an OOM, we have the following call hierarchy: + + -> cpuset_print_current_mems_allowed() + -> pr_cont_cgroup_name() + -> pr_cont_kernfs_name() + +pr_cont_kernfs_name() will grab rename_lock and call printk. So we have +the following lock dependencies: + + kernfs_rename_lock -> console_sem + +Sometimes, printk does a wakeup before releasing console_sem, which has +the dependence chain: + + console_sem -> p->pi_lock -> rq->lock + +Now, imagine one wants to read cgroup_name under rq->lock, for example, +printing cgroup_name in a tracepoint in the scheduler code. They will +be holding rq->lock and take rename_lock: + + rq->lock -> kernfs_rename_lock + +Now they will deadlock. + +A prevention to this circular lock dependency is to separate the +protection of pr_cont_buf from rename_lock. In principle, rename_lock +is to protect the integrity of cgroup name when copying to buf. Once +pr_cont_buf has got its content, rename_lock can be dropped. So it's +safe to drop rename_lock after kernfs_name_locked (and +kernfs_path_from_node_locked) and rely on a dedicated pr_cont_lock +to protect pr_cont_buf. + +Acked-by: Tejun Heo +Signed-off-by: Hao Luo +Link: https://lore.kernel.org/r/20220516190951.3144144-1-haoluo@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + fs/kernfs/dir.c | 31 +++++++++++++++++++------------ + 1 file changed, 19 insertions(+), 12 deletions(-) + +diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c +index 9aec80b9d7c6..afb39e1bbe3b 100644 +--- a/fs/kernfs/dir.c ++++ b/fs/kernfs/dir.c +@@ -19,7 +19,15 @@ + + DEFINE_MUTEX(kernfs_mutex); + static DEFINE_SPINLOCK(kernfs_rename_lock); /* kn->parent and ->name */ +-static char kernfs_pr_cont_buf[PATH_MAX]; /* protected by rename_lock */ ++/* ++ * Don't use rename_lock to piggy back on pr_cont_buf. We don't want to ++ * call pr_cont() while holding rename_lock. Because sometimes pr_cont() ++ * will perform wakeups when releasing console_sem. Holding rename_lock ++ * will introduce deadlock if the scheduler reads the kernfs_name in the ++ * wakeup path. ++ */ ++static DEFINE_SPINLOCK(kernfs_pr_cont_lock); ++static char kernfs_pr_cont_buf[PATH_MAX]; /* protected by pr_cont_lock */ + static DEFINE_SPINLOCK(kernfs_idr_lock); /* root->ino_idr */ + + #define rb_to_kn(X) rb_entry((X), struct kernfs_node, rb) +@@ -230,12 +238,12 @@ void pr_cont_kernfs_name(struct kernfs_node *kn) + { + unsigned long flags; + +- spin_lock_irqsave(&kernfs_rename_lock, flags); ++ spin_lock_irqsave(&kernfs_pr_cont_lock, flags); + +- kernfs_name_locked(kn, kernfs_pr_cont_buf, sizeof(kernfs_pr_cont_buf)); ++ kernfs_name(kn, kernfs_pr_cont_buf, sizeof(kernfs_pr_cont_buf)); + pr_cont("%s", kernfs_pr_cont_buf); + +- spin_unlock_irqrestore(&kernfs_rename_lock, flags); ++ spin_unlock_irqrestore(&kernfs_pr_cont_lock, flags); + } + + /** +@@ -249,10 +257,10 @@ void pr_cont_kernfs_path(struct kernfs_node *kn) + unsigned long flags; + int sz; + +- spin_lock_irqsave(&kernfs_rename_lock, flags); ++ spin_lock_irqsave(&kernfs_pr_cont_lock, flags); + +- sz = kernfs_path_from_node_locked(kn, NULL, kernfs_pr_cont_buf, +- sizeof(kernfs_pr_cont_buf)); ++ sz = kernfs_path_from_node(kn, NULL, kernfs_pr_cont_buf, ++ sizeof(kernfs_pr_cont_buf)); + if (sz < 0) { + pr_cont("(error)"); + goto out; +@@ -266,7 +274,7 @@ void pr_cont_kernfs_path(struct kernfs_node *kn) + pr_cont("%s", kernfs_pr_cont_buf); + + out: +- spin_unlock_irqrestore(&kernfs_rename_lock, flags); ++ spin_unlock_irqrestore(&kernfs_pr_cont_lock, flags); + } + + /** +@@ -864,13 +872,12 @@ static struct kernfs_node *kernfs_walk_ns(struct kernfs_node *parent, + + lockdep_assert_held(&kernfs_mutex); + +- /* grab kernfs_rename_lock to piggy back on kernfs_pr_cont_buf */ +- spin_lock_irq(&kernfs_rename_lock); ++ spin_lock_irq(&kernfs_pr_cont_lock); + + len = strlcpy(kernfs_pr_cont_buf, path, sizeof(kernfs_pr_cont_buf)); + + if (len >= sizeof(kernfs_pr_cont_buf)) { +- spin_unlock_irq(&kernfs_rename_lock); ++ spin_unlock_irq(&kernfs_pr_cont_lock); + return NULL; + } + +@@ -882,7 +889,7 @@ static struct kernfs_node *kernfs_walk_ns(struct kernfs_node *parent, + parent = kernfs_find_ns(parent, name, ns); + } + +- spin_unlock_irq(&kernfs_rename_lock); ++ spin_unlock_irq(&kernfs_pr_cont_lock); + + return parent; + } +-- +2.35.1 + diff --git a/queue-5.10/lkdtm-usercopy-expand-size-of-out-of-frame-object.patch-18499 b/queue-5.10/lkdtm-usercopy-expand-size-of-out-of-frame-object.patch-18499 new file mode 100644 index 00000000000..9233c4ae8b1 --- /dev/null +++ b/queue-5.10/lkdtm-usercopy-expand-size-of-out-of-frame-object.patch-18499 @@ -0,0 +1,75 @@ +From 50967b1ce8a831f8a3a242102a427821657cf551 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Feb 2022 12:15:03 -0800 +Subject: lkdtm/usercopy: Expand size of "out of frame" object + +From: Kees Cook + +[ Upstream commit f387e86d3a74407bdd9c5815820ac9d060962840 ] + +To be sufficiently out of range for the usercopy test to see the lifetime +mismatch, expand the size of the "bad" buffer, which will let it be +beyond current_stack_pointer regardless of stack growth direction. +Paired with the recent addition of stack depth checking under +CONFIG_HARDENED_USERCOPY=y, this will correctly start tripping again. + +Reported-by: Muhammad Usama Anjum +Cc: Arnd Bergmann +Cc: Greg Kroah-Hartman +Reviewed-by: Muhammad Usama Anjum +Link: https://lore.kernel.org/lkml/762faf1b-0443-5ddf-4430-44a20cf2ec4d@collabora.com/ +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/misc/lkdtm/usercopy.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/drivers/misc/lkdtm/usercopy.c b/drivers/misc/lkdtm/usercopy.c +index 109e8d4302c1..cde2655487ff 100644 +--- a/drivers/misc/lkdtm/usercopy.c ++++ b/drivers/misc/lkdtm/usercopy.c +@@ -30,12 +30,12 @@ static const unsigned char test_text[] = "This is a test.\n"; + */ + static noinline unsigned char *trick_compiler(unsigned char *stack) + { +- return stack + 0; ++ return stack + unconst; + } + + static noinline unsigned char *do_usercopy_stack_callee(int value) + { +- unsigned char buf[32]; ++ unsigned char buf[128]; + int i; + + /* Exercise stack to avoid everything living in registers. */ +@@ -43,7 +43,12 @@ static noinline unsigned char *do_usercopy_stack_callee(int value) + buf[i] = value & 0xff; + } + +- return trick_compiler(buf); ++ /* ++ * Put the target buffer in the middle of stack allocation ++ * so that we don't step on future stack users regardless ++ * of stack growth direction. ++ */ ++ return trick_compiler(&buf[(128/2)-32]); + } + + static noinline void do_usercopy_stack(bool to_user, bool bad_frame) +@@ -66,6 +71,12 @@ static noinline void do_usercopy_stack(bool to_user, bool bad_frame) + bad_stack -= sizeof(unsigned long); + } + ++#ifdef ARCH_HAS_CURRENT_STACK_POINTER ++ pr_info("stack : %px\n", (void *)current_stack_pointer); ++#endif ++ pr_info("good_stack: %px-%px\n", good_stack, good_stack + sizeof(good_stack)); ++ pr_info("bad_stack : %px-%px\n", bad_stack, bad_stack + sizeof(good_stack)); ++ + user_addr = vm_mmap(NULL, 0, PAGE_SIZE, + PROT_READ | PROT_WRITE | PROT_EXEC, + MAP_ANONYMOUS | MAP_PRIVATE, 0); +-- +2.35.1 + diff --git a/queue-5.10/md-protect-md_unregister_thread-from-reentrancy.patch-28068 b/queue-5.10/md-protect-md_unregister_thread-from-reentrancy.patch-28068 new file mode 100644 index 00000000000..aab9efc1eb7 --- /dev/null +++ b/queue-5.10/md-protect-md_unregister_thread-from-reentrancy.patch-28068 @@ -0,0 +1,63 @@ +From 6901145d6a3ae03df8a285d7e0a40b28ea5c845b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Apr 2022 16:49:09 +0800 +Subject: md: protect md_unregister_thread from reentrancy + +From: Guoqing Jiang + +[ Upstream commit 1e267742283a4b5a8ca65755c44166be27e9aa0f ] + +Generally, the md_unregister_thread is called with reconfig_mutex, but +raid_message in dm-raid doesn't hold reconfig_mutex to unregister thread, +so md_unregister_thread can be called simulitaneously from two call sites +in theory. + +Then after previous commit which remove the protection of reconfig_mutex +for md_unregister_thread completely, the potential issue could be worse +than before. + +Let's take pers_lock at the beginning of function to ensure reentrancy. + +Reported-by: Donald Buczek +Signed-off-by: Guoqing Jiang +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 7a9701adee73..5bd1edbb415b 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7970,17 +7970,22 @@ EXPORT_SYMBOL(md_register_thread); + + void md_unregister_thread(struct md_thread **threadp) + { +- struct md_thread *thread = *threadp; +- if (!thread) +- return; +- pr_debug("interrupting MD-thread pid %d\n", task_pid_nr(thread->tsk)); +- /* Locking ensures that mddev_unlock does not wake_up a ++ struct md_thread *thread; ++ ++ /* ++ * Locking ensures that mddev_unlock does not wake_up a + * non-existent thread + */ + spin_lock(&pers_lock); ++ thread = *threadp; ++ if (!thread) { ++ spin_unlock(&pers_lock); ++ return; ++ } + *threadp = NULL; + spin_unlock(&pers_lock); + ++ pr_debug("interrupting MD-thread pid %d\n", task_pid_nr(thread->tsk)); + kthread_stop(thread->tsk); + kfree(thread); + } +-- +2.35.1 + diff --git a/queue-5.10/misc-rtsx-set-null-intfdata-when-probe-fails.patch-1526 b/queue-5.10/misc-rtsx-set-null-intfdata-when-probe-fails.patch-1526 new file mode 100644 index 00000000000..f559c017002 --- /dev/null +++ b/queue-5.10/misc-rtsx-set-null-intfdata-when-probe-fails.patch-1526 @@ -0,0 +1,39 @@ +From 4846d1a58aff422aa70bdb7abe67ed3786d4563d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Apr 2022 15:09:13 -0600 +Subject: misc: rtsx: set NULL intfdata when probe fails + +From: Shuah Khan + +[ Upstream commit f861d36e021e1ac4a0a2a1f6411d623809975d63 ] + +rtsx_usb_probe() doesn't call usb_set_intfdata() to null out the +interface pointer when probe fails. This leaves a stale pointer. +Noticed the missing usb_set_intfdata() while debugging an unrelated +invalid DMA mapping problem. + +Fix it with a call to usb_set_intfdata(..., NULL). + +Signed-off-by: Shuah Khan +Link: https://lore.kernel.org/r/20220429210913.46804-1-skhan@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/cardreader/rtsx_usb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/misc/cardreader/rtsx_usb.c b/drivers/misc/cardreader/rtsx_usb.c +index 59eda55d92a3..1ef9b61077c4 100644 +--- a/drivers/misc/cardreader/rtsx_usb.c ++++ b/drivers/misc/cardreader/rtsx_usb.c +@@ -667,6 +667,7 @@ static int rtsx_usb_probe(struct usb_interface *intf, + return 0; + + out_init_fail: ++ usb_set_intfdata(ucr->pusb_intf, NULL); + usb_free_coherent(ucr->pusb_dev, IOBUF_SIZE, ucr->iobuf, + ucr->iobuf_dma); + return ret; +-- +2.35.1 + diff --git a/queue-5.10/modpost-fix-undefined-behavior-of-is_arm_mapping_sym.patch-18554 b/queue-5.10/modpost-fix-undefined-behavior-of-is_arm_mapping_sym.patch-18554 new file mode 100644 index 00000000000..3fa01b1a08c --- /dev/null +++ b/queue-5.10/modpost-fix-undefined-behavior-of-is_arm_mapping_sym.patch-18554 @@ -0,0 +1,63 @@ +From ddfbe07eb337e4435ca4cc218b2e45ecc01fcc5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 May 2022 01:46:22 +0900 +Subject: modpost: fix undefined behavior of is_arm_mapping_symbol() + +From: Masahiro Yamada + +[ Upstream commit d6b732666a1bae0df3c3ae06925043bba34502b1 ] + +The return value of is_arm_mapping_symbol() is unpredictable when "$" +is passed in. + +strchr(3) says: + The strchr() and strrchr() functions return a pointer to the matched + character or NULL if the character is not found. The terminating null + byte is considered part of the string, so that if c is specified as + '\0', these functions return a pointer to the terminator. + +When str[1] is '\0', strchr("axtd", str[1]) is not NULL, and str[2] is +referenced (i.e. buffer overrun). + +Test code +--------- + + char str1[] = "abc"; + char str2[] = "ab"; + + strcpy(str1, "$"); + strcpy(str2, "$"); + + printf("test1: %d\n", is_arm_mapping_symbol(str1)); + printf("test2: %d\n", is_arm_mapping_symbol(str2)); + +Result +------ + + test1: 0 + test2: 1 + +Signed-off-by: Masahiro Yamada +Reviewed-by: Nick Desaulniers +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index a21aa74b4948..79aef50ede17 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1271,7 +1271,8 @@ static int secref_whitelist(const struct sectioncheck *mismatch, + + static inline int is_arm_mapping_symbol(const char *str) + { +- return str[0] == '$' && strchr("axtd", str[1]) ++ return str[0] == '$' && ++ (str[1] == 'a' || str[1] == 'd' || str[1] == 't' || str[1] == 'x') + && (str[2] == '\0' || str[2] == '.'); + } + +-- +2.35.1 + diff --git a/queue-5.10/nbd-call-genl_unregister_family-first-in-nbd_cleanup.patch-5010 b/queue-5.10/nbd-call-genl_unregister_family-first-in-nbd_cleanup.patch-5010 new file mode 100644 index 00000000000..dddf348d4bb --- /dev/null +++ b/queue-5.10/nbd-call-genl_unregister_family-first-in-nbd_cleanup.patch-5010 @@ -0,0 +1,74 @@ +From dc5f8424295cf0b8bf398a5dd33cf328ef1ba795 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 May 2022 15:37:44 +0800 +Subject: nbd: call genl_unregister_family() first in nbd_cleanup() + +From: Yu Kuai + +[ Upstream commit 06c4da89c24e7023ea448cadf8e9daf06a0aae6e ] + +Otherwise there may be race between module removal and the handling of +netlink command, which can lead to the oops as shown below: + + BUG: kernel NULL pointer dereference, address: 0000000000000098 + Oops: 0002 [#1] SMP PTI + CPU: 1 PID: 31299 Comm: nbd-client Tainted: G E 5.14.0-rc4 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) + RIP: 0010:down_write+0x1a/0x50 + Call Trace: + start_creating+0x89/0x130 + debugfs_create_dir+0x1b/0x130 + nbd_start_device+0x13d/0x390 [nbd] + nbd_genl_connect+0x42f/0x748 [nbd] + genl_family_rcv_msg_doit.isra.0+0xec/0x150 + genl_rcv_msg+0xe5/0x1e0 + netlink_rcv_skb+0x55/0x100 + genl_rcv+0x29/0x40 + netlink_unicast+0x1a8/0x250 + netlink_sendmsg+0x21b/0x430 + ____sys_sendmsg+0x2a4/0x2d0 + ___sys_sendmsg+0x81/0xc0 + __sys_sendmsg+0x62/0xb0 + __x64_sys_sendmsg+0x1f/0x30 + do_syscall_64+0x3b/0xc0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + Modules linked in: nbd(E-) + +Signed-off-by: Hou Tao +Signed-off-by: Yu Kuai +Reviewed-by: Josef Bacik +Link: https://lore.kernel.org/r/20220521073749.3146892-2-yukuai3@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index ecde800ba210..1ca326c66521 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -2461,6 +2461,12 @@ static void __exit nbd_cleanup(void) + struct nbd_device *nbd; + LIST_HEAD(del_list); + ++ /* ++ * Unregister netlink interface prior to waiting ++ * for the completion of netlink commands. ++ */ ++ genl_unregister_family(&nbd_genl_family); ++ + nbd_dbg_close(); + + mutex_lock(&nbd_index_mutex); +@@ -2476,7 +2482,6 @@ static void __exit nbd_cleanup(void) + } + + idr_destroy(&nbd_index_idr); +- genl_unregister_family(&nbd_genl_family); + unregister_blkdev(NBD_MAJOR, "nbd"); + } + +-- +2.35.1 + diff --git a/queue-5.10/nbd-fix-io-hung-while-disconnecting-device.patch-1884 b/queue-5.10/nbd-fix-io-hung-while-disconnecting-device.patch-1884 new file mode 100644 index 00000000000..910c7425d7f --- /dev/null +++ b/queue-5.10/nbd-fix-io-hung-while-disconnecting-device.patch-1884 @@ -0,0 +1,78 @@ +From 4b02e5f6cce268d6412f22c16cb8650bf04d2b22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 May 2022 15:37:47 +0800 +Subject: nbd: fix io hung while disconnecting device + +From: Yu Kuai + +[ Upstream commit 09dadb5985023e27d4740ebd17e6fea4640110e5 ] + +In our tests, "qemu-nbd" triggers a io hung: + +INFO: task qemu-nbd:11445 blocked for more than 368 seconds. + Not tainted 5.18.0-rc3-next-20220422-00003-g2176915513ca #884 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:qemu-nbd state:D stack: 0 pid:11445 ppid: 1 flags:0x00000000 +Call Trace: + + __schedule+0x480/0x1050 + ? _raw_spin_lock_irqsave+0x3e/0xb0 + schedule+0x9c/0x1b0 + blk_mq_freeze_queue_wait+0x9d/0xf0 + ? ipi_rseq+0x70/0x70 + blk_mq_freeze_queue+0x2b/0x40 + nbd_add_socket+0x6b/0x270 [nbd] + nbd_ioctl+0x383/0x510 [nbd] + blkdev_ioctl+0x18e/0x3e0 + __x64_sys_ioctl+0xac/0x120 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7fd8ff706577 +RSP: 002b:00007fd8fcdfebf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 0000000040000000 RCX: 00007fd8ff706577 +RDX: 000000000000000d RSI: 000000000000ab00 RDI: 000000000000000f +RBP: 000000000000000f R08: 000000000000fbe8 R09: 000055fe497c62b0 +R10: 00000002aff20000 R11: 0000000000000246 R12: 000000000000006d +R13: 0000000000000000 R14: 00007ffe82dc5e70 R15: 00007fd8fcdff9c0 + +"qemu-ndb -d" will call ioctl 'NBD_DISCONNECT' first, however, following +message was found: + +block nbd0: Send disconnect failed -32 + +Which indicate that something is wrong with the server. Then, +"qemu-nbd -d" will call ioctl 'NBD_CLEAR_SOCK', however ioctl can't clear +requests after commit 2516ab1543fd("nbd: only clear the queue on device +teardown"). And in the meantime, request can't complete through timeout +because nbd_xmit_timeout() will always return 'BLK_EH_RESET_TIMER', which +means such request will never be completed in this situation. + +Now that the flag 'NBD_CMD_INFLIGHT' can make sure requests won't +complete multiple times, switch back to call nbd_clear_sock() in +nbd_clear_sock_ioctl(), so that inflight requests can be cleared. + +Signed-off-by: Yu Kuai +Reviewed-by: Josef Bacik +Link: https://lore.kernel.org/r/20220521073749.3146892-5-yukuai3@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 74afa50c7864..4a6b82d434ee 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1359,7 +1359,7 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd, struct block_device *b + static void nbd_clear_sock_ioctl(struct nbd_device *nbd, + struct block_device *bdev) + { +- sock_shutdown(nbd); ++ nbd_clear_sock(nbd); + __invalidate_device(bdev, true); + nbd_bdev_reset(bdev); + if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, +-- +2.35.1 + diff --git a/queue-5.10/nbd-fix-race-between-nbd_alloc_config-and-module-rem.patch-30620 b/queue-5.10/nbd-fix-race-between-nbd_alloc_config-and-module-rem.patch-30620 new file mode 100644 index 00000000000..adc6628821b --- /dev/null +++ b/queue-5.10/nbd-fix-race-between-nbd_alloc_config-and-module-rem.patch-30620 @@ -0,0 +1,124 @@ +From fce2955f201d5856c3addce14d2dfd47a25de055 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 May 2022 15:37:45 +0800 +Subject: nbd: fix race between nbd_alloc_config() and module removal + +From: Yu Kuai + +[ Upstream commit c55b2b983b0fa012942c3eb16384b2b722caa810 ] + +When nbd module is being removing, nbd_alloc_config() may be +called concurrently by nbd_genl_connect(), although try_module_get() +will return false, but nbd_alloc_config() doesn't handle it. + +The race may lead to the leak of nbd_config and its related +resources (e.g, recv_workq) and oops in nbd_read_stat() due +to the unload of nbd module as shown below: + + BUG: kernel NULL pointer dereference, address: 0000000000000040 + Oops: 0000 [#1] SMP PTI + CPU: 5 PID: 13840 Comm: kworker/u17:33 Not tainted 5.14.0+ #1 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) + Workqueue: knbd16-recv recv_work [nbd] + RIP: 0010:nbd_read_stat.cold+0x130/0x1a4 [nbd] + Call Trace: + recv_work+0x3b/0xb0 [nbd] + process_one_work+0x1ed/0x390 + worker_thread+0x4a/0x3d0 + kthread+0x12a/0x150 + ret_from_fork+0x22/0x30 + +Fixing it by checking the return value of try_module_get() +in nbd_alloc_config(). As nbd_alloc_config() may return ERR_PTR(-ENODEV), +assign nbd->config only when nbd_alloc_config() succeeds to ensure +the value of nbd->config is binary (valid or NULL). + +Also adding a debug message to check the reference counter +of nbd_config during module removal. + +Signed-off-by: Hou Tao +Signed-off-by: Yu Kuai +Reviewed-by: Josef Bacik +Link: https://lore.kernel.org/r/20220521073749.3146892-3-yukuai3@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 28 +++++++++++++++++++--------- + 1 file changed, 19 insertions(+), 9 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 1ca326c66521..74afa50c7864 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1472,15 +1472,20 @@ static struct nbd_config *nbd_alloc_config(void) + { + struct nbd_config *config; + ++ if (!try_module_get(THIS_MODULE)) ++ return ERR_PTR(-ENODEV); ++ + config = kzalloc(sizeof(struct nbd_config), GFP_NOFS); +- if (!config) +- return NULL; ++ if (!config) { ++ module_put(THIS_MODULE); ++ return ERR_PTR(-ENOMEM); ++ } ++ + atomic_set(&config->recv_threads, 0); + init_waitqueue_head(&config->recv_wq); + init_waitqueue_head(&config->conn_wait); + config->blksize = NBD_DEF_BLKSIZE; + atomic_set(&config->live_connections, 0); +- try_module_get(THIS_MODULE); + return config; + } + +@@ -1507,12 +1512,13 @@ static int nbd_open(struct block_device *bdev, fmode_t mode) + mutex_unlock(&nbd->config_lock); + goto out; + } +- config = nbd->config = nbd_alloc_config(); +- if (!config) { +- ret = -ENOMEM; ++ config = nbd_alloc_config(); ++ if (IS_ERR(config)) { ++ ret = PTR_ERR(config); + mutex_unlock(&nbd->config_lock); + goto out; + } ++ nbd->config = config; + refcount_set(&nbd->config_refs, 1); + refcount_inc(&nbd->refs); + mutex_unlock(&nbd->config_lock); +@@ -1934,13 +1940,14 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info) + nbd_put(nbd); + return -EINVAL; + } +- config = nbd->config = nbd_alloc_config(); +- if (!nbd->config) { ++ config = nbd_alloc_config(); ++ if (IS_ERR(config)) { + mutex_unlock(&nbd->config_lock); + nbd_put(nbd); + printk(KERN_ERR "nbd: couldn't allocate config\n"); +- return -ENOMEM; ++ return PTR_ERR(config); + } ++ nbd->config = config; + refcount_set(&nbd->config_refs, 1); + set_bit(NBD_RT_BOUND, &config->runtime_flags); + +@@ -2476,6 +2483,9 @@ static void __exit nbd_cleanup(void) + while (!list_empty(&del_list)) { + nbd = list_first_entry(&del_list, struct nbd_device, list); + list_del_init(&nbd->list); ++ if (refcount_read(&nbd->config_refs)) ++ printk(KERN_ERR "nbd: possibly leaking nbd_config (ref %d)\n", ++ refcount_read(&nbd->config_refs)); + if (refcount_read(&nbd->refs) != 1) + printk(KERN_ERR "nbd: possibly leaking a device\n"); + nbd_put(nbd); +-- +2.35.1 + diff --git a/queue-5.10/nodemask-fix-return-values-to-be-unsigned.patch-29989 b/queue-5.10/nodemask-fix-return-values-to-be-unsigned.patch-29989 new file mode 100644 index 00000000000..cf405bf2c32 --- /dev/null +++ b/queue-5.10/nodemask-fix-return-values-to-be-unsigned.patch-29989 @@ -0,0 +1,189 @@ +From d5eb9e49bd4d98e2e805e145479d630131a5042e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 13:52:23 -0700 +Subject: nodemask: Fix return values to be unsigned +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit 0dfe54071d7c828a02917b595456bfde1afdddc9 ] + +The nodemask routines had mixed return values that provided potentially +signed return values that could never happen. This was leading to the +compiler getting confusing about the range of possible return values +(it was thinking things could be negative where they could not be). Fix +all the nodemask routines that should be returning unsigned +(or bool) values. Silences: + + mm/swapfile.c: In function ‘setup_swap_info’: + mm/swapfile.c:2291:47: error: array subscript -1 is below array bounds of ‘struct plist_node[]’ [-Werror=array-bounds] + 2291 | p->avail_lists[i].prio = 1; + | ~~~~~~~~~~~~~~^~~ + In file included from mm/swapfile.c:16: + ./include/linux/swap.h:292:27: note: while referencing ‘avail_lists’ + 292 | struct plist_node avail_lists[]; /* + | ^~~~~~~~~~~ + +Reported-by: Christophe de Dinechin +Link: https://lore.kernel.org/lkml/20220414150855.2407137-3-dinechin@redhat.com/ +Cc: Alexey Dobriyan +Cc: Yury Norov +Cc: Andy Shevchenko +Cc: Rasmus Villemoes +Cc: Andrew Morton +Cc: Zhen Lei +Signed-off-by: Kees Cook +Signed-off-by: Yury Norov +Signed-off-by: Sasha Levin +--- + include/linux/nodemask.h | 38 +++++++++++++++++++------------------- + lib/nodemask.c | 4 ++-- + 2 files changed, 21 insertions(+), 21 deletions(-) + +diff --git a/include/linux/nodemask.h b/include/linux/nodemask.h +index 843678bfc364..2a63ef05a6cc 100644 +--- a/include/linux/nodemask.h ++++ b/include/linux/nodemask.h +@@ -42,11 +42,11 @@ + * void nodes_shift_right(dst, src, n) Shift right + * void nodes_shift_left(dst, src, n) Shift left + * +- * int first_node(mask) Number lowest set bit, or MAX_NUMNODES +- * int next_node(node, mask) Next node past 'node', or MAX_NUMNODES +- * int next_node_in(node, mask) Next node past 'node', or wrap to first, ++ * unsigned int first_node(mask) Number lowest set bit, or MAX_NUMNODES ++ * unsigend int next_node(node, mask) Next node past 'node', or MAX_NUMNODES ++ * unsigned int next_node_in(node, mask) Next node past 'node', or wrap to first, + * or MAX_NUMNODES +- * int first_unset_node(mask) First node not set in mask, or ++ * unsigned int first_unset_node(mask) First node not set in mask, or + * MAX_NUMNODES + * + * nodemask_t nodemask_of_node(node) Return nodemask with bit 'node' set +@@ -153,7 +153,7 @@ static inline void __nodes_clear(nodemask_t *dstp, unsigned int nbits) + + #define node_test_and_set(node, nodemask) \ + __node_test_and_set((node), &(nodemask)) +-static inline int __node_test_and_set(int node, nodemask_t *addr) ++static inline bool __node_test_and_set(int node, nodemask_t *addr) + { + return test_and_set_bit(node, addr->bits); + } +@@ -200,7 +200,7 @@ static inline void __nodes_complement(nodemask_t *dstp, + + #define nodes_equal(src1, src2) \ + __nodes_equal(&(src1), &(src2), MAX_NUMNODES) +-static inline int __nodes_equal(const nodemask_t *src1p, ++static inline bool __nodes_equal(const nodemask_t *src1p, + const nodemask_t *src2p, unsigned int nbits) + { + return bitmap_equal(src1p->bits, src2p->bits, nbits); +@@ -208,7 +208,7 @@ static inline int __nodes_equal(const nodemask_t *src1p, + + #define nodes_intersects(src1, src2) \ + __nodes_intersects(&(src1), &(src2), MAX_NUMNODES) +-static inline int __nodes_intersects(const nodemask_t *src1p, ++static inline bool __nodes_intersects(const nodemask_t *src1p, + const nodemask_t *src2p, unsigned int nbits) + { + return bitmap_intersects(src1p->bits, src2p->bits, nbits); +@@ -216,20 +216,20 @@ static inline int __nodes_intersects(const nodemask_t *src1p, + + #define nodes_subset(src1, src2) \ + __nodes_subset(&(src1), &(src2), MAX_NUMNODES) +-static inline int __nodes_subset(const nodemask_t *src1p, ++static inline bool __nodes_subset(const nodemask_t *src1p, + const nodemask_t *src2p, unsigned int nbits) + { + return bitmap_subset(src1p->bits, src2p->bits, nbits); + } + + #define nodes_empty(src) __nodes_empty(&(src), MAX_NUMNODES) +-static inline int __nodes_empty(const nodemask_t *srcp, unsigned int nbits) ++static inline bool __nodes_empty(const nodemask_t *srcp, unsigned int nbits) + { + return bitmap_empty(srcp->bits, nbits); + } + + #define nodes_full(nodemask) __nodes_full(&(nodemask), MAX_NUMNODES) +-static inline int __nodes_full(const nodemask_t *srcp, unsigned int nbits) ++static inline bool __nodes_full(const nodemask_t *srcp, unsigned int nbits) + { + return bitmap_full(srcp->bits, nbits); + } +@@ -260,15 +260,15 @@ static inline void __nodes_shift_left(nodemask_t *dstp, + > MAX_NUMNODES, then the silly min_ts could be dropped. */ + + #define first_node(src) __first_node(&(src)) +-static inline int __first_node(const nodemask_t *srcp) ++static inline unsigned int __first_node(const nodemask_t *srcp) + { +- return min_t(int, MAX_NUMNODES, find_first_bit(srcp->bits, MAX_NUMNODES)); ++ return min_t(unsigned int, MAX_NUMNODES, find_first_bit(srcp->bits, MAX_NUMNODES)); + } + + #define next_node(n, src) __next_node((n), &(src)) +-static inline int __next_node(int n, const nodemask_t *srcp) ++static inline unsigned int __next_node(int n, const nodemask_t *srcp) + { +- return min_t(int,MAX_NUMNODES,find_next_bit(srcp->bits, MAX_NUMNODES, n+1)); ++ return min_t(unsigned int, MAX_NUMNODES, find_next_bit(srcp->bits, MAX_NUMNODES, n+1)); + } + + /* +@@ -276,7 +276,7 @@ static inline int __next_node(int n, const nodemask_t *srcp) + * the first node in src if needed. Returns MAX_NUMNODES if src is empty. + */ + #define next_node_in(n, src) __next_node_in((n), &(src)) +-int __next_node_in(int node, const nodemask_t *srcp); ++unsigned int __next_node_in(int node, const nodemask_t *srcp); + + static inline void init_nodemask_of_node(nodemask_t *mask, int node) + { +@@ -296,9 +296,9 @@ static inline void init_nodemask_of_node(nodemask_t *mask, int node) + }) + + #define first_unset_node(mask) __first_unset_node(&(mask)) +-static inline int __first_unset_node(const nodemask_t *maskp) ++static inline unsigned int __first_unset_node(const nodemask_t *maskp) + { +- return min_t(int,MAX_NUMNODES, ++ return min_t(unsigned int, MAX_NUMNODES, + find_first_zero_bit(maskp->bits, MAX_NUMNODES)); + } + +@@ -435,11 +435,11 @@ static inline int num_node_state(enum node_states state) + + #define first_online_node first_node(node_states[N_ONLINE]) + #define first_memory_node first_node(node_states[N_MEMORY]) +-static inline int next_online_node(int nid) ++static inline unsigned int next_online_node(int nid) + { + return next_node(nid, node_states[N_ONLINE]); + } +-static inline int next_memory_node(int nid) ++static inline unsigned int next_memory_node(int nid) + { + return next_node(nid, node_states[N_MEMORY]); + } +diff --git a/lib/nodemask.c b/lib/nodemask.c +index 3aa454c54c0d..e22647f5181b 100644 +--- a/lib/nodemask.c ++++ b/lib/nodemask.c +@@ -3,9 +3,9 @@ + #include + #include + +-int __next_node_in(int node, const nodemask_t *srcp) ++unsigned int __next_node_in(int node, const nodemask_t *srcp) + { +- int ret = __next_node(node, srcp); ++ unsigned int ret = __next_node(node, srcp); + + if (ret == MAX_NUMNODES) + ret = __first_node(srcp); +-- +2.35.1 + diff --git a/queue-5.10/revert-net-af_key-add-check-for-pfkey_broadcast-in-f.patch-16084 b/queue-5.10/revert-net-af_key-add-check-for-pfkey_broadcast-in-f.patch-16084 new file mode 100644 index 00000000000..cfc5f119f69 --- /dev/null +++ b/queue-5.10/revert-net-af_key-add-check-for-pfkey_broadcast-in-f.patch-16084 @@ -0,0 +1,60 @@ +From f0fc8e752b1736a0c9fbb1ebc9f2c7458c7d69ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 May 2022 22:05:24 +0200 +Subject: Revert "net: af_key: add check for pfkey_broadcast in function + pfkey_process" + +From: Michal Kubecek + +[ Upstream commit 9c90c9b3e50e16d03c7f87d63e9db373974781e0 ] + +This reverts commit 4dc2a5a8f6754492180741facf2a8787f2c415d7. + +A non-zero return value from pfkey_broadcast() does not necessarily mean +an error occurred as this function returns -ESRCH when no registered +listener received the message. In particular, a call with +BROADCAST_PROMISC_ONLY flag and null one_sk argument can never return +zero so that this commit in fact prevents processing any PF_KEY message. +One visible effect is that racoon daemon fails to find encryption +algorithms like aes and refuses to start. + +Excluding -ESRCH return value would fix this but it's not obvious that +we really want to bail out here and most other callers of +pfkey_broadcast() also ignore the return value. Also, as pointed out by +Steffen Klassert, PF_KEY is kind of deprecated and newer userspace code +should use netlink instead so that we should only disturb the code for +really important fixes. + +v2: add a comment explaining why is the return value ignored + +Signed-off-by: Michal Kubecek +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 6b7ed5568c09..2aa16a171285 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -2830,10 +2830,12 @@ static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb + void *ext_hdrs[SADB_EXT_MAX]; + int err; + +- err = pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, +- BROADCAST_PROMISC_ONLY, NULL, sock_net(sk)); +- if (err) +- return err; ++ /* Non-zero return value of pfkey_broadcast() does not always signal ++ * an error and even on an actual error we may still want to process ++ * the message so rather ignore the return value. ++ */ ++ pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, ++ BROADCAST_PROMISC_ONLY, NULL, sock_net(sk)); + + memset(ext_hdrs, 0, sizeof(ext_hdrs)); + err = parse_exthdrs(skb, hdr, ext_hdrs); +-- +2.35.1 + diff --git a/queue-5.10/s390-gmap-voluntarily-schedule-during-key-setting.patch-23608 b/queue-5.10/s390-gmap-voluntarily-schedule-during-key-setting.patch-23608 new file mode 100644 index 00000000000..56956f34f72 --- /dev/null +++ b/queue-5.10/s390-gmap-voluntarily-schedule-during-key-setting.patch-23608 @@ -0,0 +1,86 @@ +From 5f41a8881fabd106ed54e7e12770afc1f796154e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 11:27:05 +0200 +Subject: s390/gmap: voluntarily schedule during key setting + +From: Christian Borntraeger + +[ Upstream commit 6d5946274df1fff539a7eece458a43be733d1db8 ] + +With large and many guest with storage keys it is possible to create +large latencies or stalls during initial key setting: + +rcu: INFO: rcu_sched self-detected stall on CPU +rcu: 18-....: (2099 ticks this GP) idle=54e/1/0x4000000000000002 softirq=35598716/35598716 fqs=998 + (t=2100 jiffies g=155867385 q=20879) +Task dump for CPU 18: +CPU 1/KVM R running task 0 1030947 256019 0x06000004 +Call Trace: +sched_show_task +rcu_dump_cpu_stacks +rcu_sched_clock_irq +update_process_times +tick_sched_handle +tick_sched_timer +__hrtimer_run_queues +hrtimer_interrupt +do_IRQ +ext_int_handler +ptep_zap_key + +The mmap lock is held during the page walking but since this is a +semaphore scheduling is still possible. Same for the kvm srcu. +To minimize overhead do this on every segment table entry or large page. + +Signed-off-by: Christian Borntraeger +Reviewed-by: Alexander Gordeev +Reviewed-by: Claudio Imbrenda +Link: https://lore.kernel.org/r/20220530092706.11637-2-borntraeger@linux.ibm.com +Signed-off-by: Christian Borntraeger +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/mm/gmap.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c +index f2d19d40272c..2db097c14cec 100644 +--- a/arch/s390/mm/gmap.c ++++ b/arch/s390/mm/gmap.c +@@ -2596,6 +2596,18 @@ static int __s390_enable_skey_pte(pte_t *pte, unsigned long addr, + return 0; + } + ++/* ++ * Give a chance to schedule after setting a key to 256 pages. ++ * We only hold the mm lock, which is a rwsem and the kvm srcu. ++ * Both can sleep. ++ */ ++static int __s390_enable_skey_pmd(pmd_t *pmd, unsigned long addr, ++ unsigned long next, struct mm_walk *walk) ++{ ++ cond_resched(); ++ return 0; ++} ++ + static int __s390_enable_skey_hugetlb(pte_t *pte, unsigned long addr, + unsigned long hmask, unsigned long next, + struct mm_walk *walk) +@@ -2618,12 +2630,14 @@ static int __s390_enable_skey_hugetlb(pte_t *pte, unsigned long addr, + end = start + HPAGE_SIZE - 1; + __storage_key_init_range(start, end); + set_bit(PG_arch_1, &page->flags); ++ cond_resched(); + return 0; + } + + static const struct mm_walk_ops enable_skey_walk_ops = { + .hugetlb_entry = __s390_enable_skey_hugetlb, + .pte_entry = __s390_enable_skey_pte, ++ .pmd_entry = __s390_enable_skey_pmd, + }; + + int s390_enable_skey(void) +-- +2.35.1 + diff --git a/queue-5.10/scsi-myrb-fix-up-null-pointer-access-on-myrb_cleanup.patch-30371 b/queue-5.10/scsi-myrb-fix-up-null-pointer-access-on-myrb_cleanup.patch-30371 new file mode 100644 index 00000000000..a67ce434da6 --- /dev/null +++ b/queue-5.10/scsi-myrb-fix-up-null-pointer-access-on-myrb_cleanup.patch-30371 @@ -0,0 +1,57 @@ +From a1511d33ffd95d75438b29c30690abc95b5acf1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 May 2022 14:02:44 +0200 +Subject: scsi: myrb: Fix up null pointer access on myrb_cleanup() + +From: Hannes Reinecke + +[ Upstream commit f9f0a46141e2e39bedb4779c88380d1b5f018c14 ] + +When myrb_probe() fails the callback might not be set, so we need to +validate the 'disable_intr' callback in myrb_cleanup() to not cause a null +pointer exception. And while at it do not call myrb_cleanup() if we cannot +enable the PCI device at all. + +Link: https://lore.kernel.org/r/20220523120244.99515-1-hare@suse.de +Reported-by: Zheyu Ma +Tested-by: Zheyu Ma +Signed-off-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/myrb.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/myrb.c b/drivers/scsi/myrb.c +index 5fa0f4ed6565..ad17c2beaaca 100644 +--- a/drivers/scsi/myrb.c ++++ b/drivers/scsi/myrb.c +@@ -1241,7 +1241,8 @@ static void myrb_cleanup(struct myrb_hba *cb) + myrb_unmap(cb); + + if (cb->mmio_base) { +- cb->disable_intr(cb->io_base); ++ if (cb->disable_intr) ++ cb->disable_intr(cb->io_base); + iounmap(cb->mmio_base); + } + if (cb->irq) +@@ -3515,9 +3516,13 @@ static struct myrb_hba *myrb_detect(struct pci_dev *pdev, + mutex_init(&cb->dcmd_mutex); + mutex_init(&cb->dma_mutex); + cb->pdev = pdev; ++ cb->host = shost; + +- if (pci_enable_device(pdev)) +- goto failure; ++ if (pci_enable_device(pdev)) { ++ dev_err(&pdev->dev, "Failed to enable PCI device\n"); ++ scsi_host_put(shost); ++ return NULL; ++ } + + if (privdata->hw_init == DAC960_PD_hw_init || + privdata->hw_init == DAC960_P_hw_init) { +-- +2.35.1 + diff --git a/queue-5.10/serial-msm_serial-disable-interrupts-in-__msm_consol.patch-14348 b/queue-5.10/serial-msm_serial-disable-interrupts-in-__msm_consol.patch-14348 new file mode 100644 index 00000000000..62d76745b79 --- /dev/null +++ b/queue-5.10/serial-msm_serial-disable-interrupts-in-__msm_consol.patch-14348 @@ -0,0 +1,59 @@ +From 23b93c40678a8368da5defbbc92b014578ed0143 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 23:39:24 +0206 +Subject: serial: msm_serial: disable interrupts in __msm_console_write() + +From: John Ogness + +[ Upstream commit aabdbb1b7a5819e18c403334a31fb0cc2c06ad41 ] + +__msm_console_write() assumes that interrupts are disabled, but +with threaded console printers it is possible that the write() +callback of the console is called with interrupts enabled. + +Explicitly disable interrupts using local_irq_save() to preserve +the assumed context. + +Reported-by: Marek Szyprowski +Reviewed-by: Petr Mladek +Signed-off-by: John Ogness +Link: https://lore.kernel.org/r/20220506213324.470461-1-john.ogness@linutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/msm_serial.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c +index 26bcbec5422e..27023a56f3ac 100644 +--- a/drivers/tty/serial/msm_serial.c ++++ b/drivers/tty/serial/msm_serial.c +@@ -1593,6 +1593,7 @@ static inline struct uart_port *msm_get_port_from_line(unsigned int line) + static void __msm_console_write(struct uart_port *port, const char *s, + unsigned int count, bool is_uartdm) + { ++ unsigned long flags; + int i; + int num_newlines = 0; + bool replaced = false; +@@ -1610,6 +1611,8 @@ static void __msm_console_write(struct uart_port *port, const char *s, + num_newlines++; + count += num_newlines; + ++ local_irq_save(flags); ++ + if (port->sysrq) + locked = 0; + else if (oops_in_progress) +@@ -1655,6 +1658,8 @@ static void __msm_console_write(struct uart_port *port, const char *s, + + if (locked) + spin_unlock(&port->lock); ++ ++ local_irq_restore(flags); + } + + static void msm_console_write(struct console *co, const char *s, +-- +2.35.1 + diff --git a/queue-5.10/series b/queue-5.10/series index 825d50852f3..f452970c73a 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -111,3 +111,111 @@ net-mlx5-fs-fail-conflicting-actions.patch ip_gre-test-csum_start-instead-of-transport-header.patch net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch drm-imx-fix-compiler-warning-with-gcc-12.patch +iio-dummy-iio_simple_dummy-check-the-return-value-of.patch +staging-rtl8712-fix-a-potential-memory-leak-in-r871x.patch +iio-st_sensors-add-a-local-lock-for-protecting-odr.patch +lkdtm-usercopy-expand-size-of-out-of-frame-object.patch +tty-synclink_gt-fix-null-pointer-dereference-in-slgt.patch +tty-fix-a-possible-resource-leak-in-icom_probe.patch +drivers-staging-rtl8192u-fix-deadlock-in-ieee80211_b.patch +drivers-staging-rtl8192e-fix-deadlock-in-rtllib_beac.patch +usb-host-isp116x-check-return-value-after-calling-pl.patch +drivers-tty-serial-fix-deadlock-in-sa1100_set_termio.patch +drivers-usb-host-fix-deadlock-in-oxu_bus_suspend.patch +usb-hcd-pci-fully-suspend-across-freeze-thaw-cycle.patch +sysrq-do-not-omit-current-cpu-when-showing-backtrace.patch +usb-dwc2-gadget-don-t-reset-gadget-s-driver-bus.patch +misc-rtsx-set-null-intfdata-when-probe-fails.patch +extcon-modify-extcon-device-to-be-created-after-driv.patch +clocksource-drivers-sp804-avoid-error-on-multiple-in.patch +staging-rtl8712-fix-uninit-value-in-usb_read8-and-fr.patch +staging-rtl8712-fix-uninit-value-in-r871xu_drv_init.patch +serial-msm_serial-disable-interrupts-in-__msm_consol.patch +kernfs-separate-kernfs_pr_cont_buf-and-rename_lock.patch +watchdog-wdat_wdt-stop-watchdog-when-rebooting-the-s.patch +md-protect-md_unregister_thread-from-reentrancy.patch +scsi-myrb-fix-up-null-pointer-access-on-myrb_cleanup.patch +revert-net-af_key-add-check-for-pfkey_broadcast-in-f.patch +ceph-allow-ceph.dir.rctime-xattr-to-be-updatable.patch +drm-radeon-fix-a-possible-null-pointer-dereference.patch +modpost-fix-undefined-behavior-of-is_arm_mapping_sym.patch +x86-cpu-elide-kcsan-for-cpu_has-and-friends.patch +jump_label-noinstr-avoid-instrumentation-for-jump_la.patch +nbd-call-genl_unregister_family-first-in-nbd_cleanup.patch +nbd-fix-race-between-nbd_alloc_config-and-module-rem.patch +nbd-fix-io-hung-while-disconnecting-device.patch +s390-gmap-voluntarily-schedule-during-key-setting.patch +cifs-version-operations-for-smb20-unneeded-when-lega.patch +nodemask-fix-return-values-to-be-unsigned.patch +iio-dummy-iio_simple_dummy-check-the-return-value-of.patch-16521 +staging-rtl8712-fix-a-potential-memory-leak-in-r871x.patch-20463 +iio-st_sensors-add-a-local-lock-for-protecting-odr.patch-11569 +lkdtm-usercopy-expand-size-of-out-of-frame-object.patch-24349 +tty-synclink_gt-fix-null-pointer-dereference-in-slgt.patch-16563 +tty-fix-a-possible-resource-leak-in-icom_probe.patch-15428 +drivers-staging-rtl8192u-fix-deadlock-in-ieee80211_b.patch-23959 +drivers-staging-rtl8192e-fix-deadlock-in-rtllib_beac.patch-9683 +usb-host-isp116x-check-return-value-after-calling-pl.patch-14563 +drivers-tty-serial-fix-deadlock-in-sa1100_set_termio.patch-29525 +drivers-usb-host-fix-deadlock-in-oxu_bus_suspend.patch-15433 +usb-hcd-pci-fully-suspend-across-freeze-thaw-cycle.patch-10581 +sysrq-do-not-omit-current-cpu-when-showing-backtrace.patch-27183 +usb-dwc2-gadget-don-t-reset-gadget-s-driver-bus.patch-16108 +misc-rtsx-set-null-intfdata-when-probe-fails.patch-21544 +extcon-modify-extcon-device-to-be-created-after-driv.patch-16488 +clocksource-drivers-sp804-avoid-error-on-multiple-in.patch-6528 +staging-rtl8712-fix-uninit-value-in-usb_read8-and-fr.patch-2136 +staging-rtl8712-fix-uninit-value-in-r871xu_drv_init.patch-28995 +serial-msm_serial-disable-interrupts-in-__msm_consol.patch-2470 +kernfs-separate-kernfs_pr_cont_buf-and-rename_lock.patch-27001 +watchdog-wdat_wdt-stop-watchdog-when-rebooting-the-s.patch-7365 +md-protect-md_unregister_thread-from-reentrancy.patch-18044 +scsi-myrb-fix-up-null-pointer-access-on-myrb_cleanup.patch-20253 +revert-net-af_key-add-check-for-pfkey_broadcast-in-f.patch-8483 +ceph-allow-ceph.dir.rctime-xattr-to-be-updatable.patch-32443 +drm-radeon-fix-a-possible-null-pointer-dereference.patch-29704 +modpost-fix-undefined-behavior-of-is_arm_mapping_sym.patch-2294 +x86-cpu-elide-kcsan-for-cpu_has-and-friends.patch-31253 +jump_label-noinstr-avoid-instrumentation-for-jump_la.patch-9808 +nbd-call-genl_unregister_family-first-in-nbd_cleanup.patch-5487 +nbd-fix-race-between-nbd_alloc_config-and-module-rem.patch-12090 +nbd-fix-io-hung-while-disconnecting-device.patch-5544 +s390-gmap-voluntarily-schedule-during-key-setting.patch-11322 +cifs-version-operations-for-smb20-unneeded-when-lega.patch-21431 +nodemask-fix-return-values-to-be-unsigned.patch-27058 +iio-dummy-iio_simple_dummy-check-the-return-value-of.patch-26829 +staging-rtl8712-fix-a-potential-memory-leak-in-r871x.patch-16376 +iio-st_sensors-add-a-local-lock-for-protecting-odr.patch-29552 +lkdtm-usercopy-expand-size-of-out-of-frame-object.patch-18499 +tty-synclink_gt-fix-null-pointer-dereference-in-slgt.patch-16288 +tty-fix-a-possible-resource-leak-in-icom_probe.patch-21804 +drivers-staging-rtl8192u-fix-deadlock-in-ieee80211_b.patch-17013 +drivers-staging-rtl8192e-fix-deadlock-in-rtllib_beac.patch-27076 +usb-host-isp116x-check-return-value-after-calling-pl.patch-226 +drivers-tty-serial-fix-deadlock-in-sa1100_set_termio.patch-14283 +drivers-usb-host-fix-deadlock-in-oxu_bus_suspend.patch-6734 +usb-hcd-pci-fully-suspend-across-freeze-thaw-cycle.patch-9437 +sysrq-do-not-omit-current-cpu-when-showing-backtrace.patch-29291 +usb-dwc2-gadget-don-t-reset-gadget-s-driver-bus.patch-30811 +misc-rtsx-set-null-intfdata-when-probe-fails.patch-1526 +extcon-modify-extcon-device-to-be-created-after-driv.patch-22062 +clocksource-drivers-sp804-avoid-error-on-multiple-in.patch-19066 +staging-rtl8712-fix-uninit-value-in-usb_read8-and-fr.patch-18919 +staging-rtl8712-fix-uninit-value-in-r871xu_drv_init.patch-24043 +serial-msm_serial-disable-interrupts-in-__msm_consol.patch-14348 +kernfs-separate-kernfs_pr_cont_buf-and-rename_lock.patch-27813 +watchdog-wdat_wdt-stop-watchdog-when-rebooting-the-s.patch-17227 +md-protect-md_unregister_thread-from-reentrancy.patch-28068 +scsi-myrb-fix-up-null-pointer-access-on-myrb_cleanup.patch-30371 +revert-net-af_key-add-check-for-pfkey_broadcast-in-f.patch-16084 +ceph-allow-ceph.dir.rctime-xattr-to-be-updatable.patch-27466 +drm-radeon-fix-a-possible-null-pointer-dereference.patch-17377 +modpost-fix-undefined-behavior-of-is_arm_mapping_sym.patch-18554 +x86-cpu-elide-kcsan-for-cpu_has-and-friends.patch-267 +jump_label-noinstr-avoid-instrumentation-for-jump_la.patch-9176 +nbd-call-genl_unregister_family-first-in-nbd_cleanup.patch-5010 +nbd-fix-race-between-nbd_alloc_config-and-module-rem.patch-30620 +nbd-fix-io-hung-while-disconnecting-device.patch-1884 +s390-gmap-voluntarily-schedule-during-key-setting.patch-23608 +cifs-version-operations-for-smb20-unneeded-when-lega.patch-7858 +nodemask-fix-return-values-to-be-unsigned.patch-29989 diff --git a/queue-5.10/staging-rtl8712-fix-a-potential-memory-leak-in-r871x.patch-16376 b/queue-5.10/staging-rtl8712-fix-a-potential-memory-leak-in-r871x.patch-16376 new file mode 100644 index 00000000000..84811bad8fc --- /dev/null +++ b/queue-5.10/staging-rtl8712-fix-a-potential-memory-leak-in-r871x.patch-16376 @@ -0,0 +1,81 @@ +From c3a444378ba379bdb090fc4efe354062b2e6c306 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 12:43:07 +0800 +Subject: staging: rtl8712: fix a potential memory leak in r871xu_drv_init() + +From: Xiaoke Wang + +[ Upstream commit 7288ff561de650d4139fab80e9cb0da9b5b32434 ] + +In r871xu_drv_init(), if r8712_init_drv_sw() fails, then the memory +allocated by r8712_alloc_io_queue() in r8712_usb_dvobj_init() is not +properly released as there is no action will be performed by +r8712_usb_dvobj_deinit(). +To properly release it, we should call r8712_free_io_queue() in +r8712_usb_dvobj_deinit(). + +Besides, in r871xu_dev_remove(), r8712_usb_dvobj_deinit() will be called +by r871x_dev_unload() under condition `padapter->bup` and +r8712_free_io_queue() is called by r8712_free_drv_sw(). +However, r8712_usb_dvobj_deinit() does not rely on `padapter->bup` and +calling r8712_free_io_queue() in r8712_free_drv_sw() is negative for +better understading the code. +So I move r8712_usb_dvobj_deinit() into r871xu_dev_remove(), and remove +r8712_free_io_queue() from r8712_free_drv_sw(). + +Reviewed-by: Dan Carpenter +Signed-off-by: Xiaoke Wang +Link: https://lore.kernel.org/r/tencent_B8048C592777830380A23A7C4409F9DF1305@qq.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8712/os_intfs.c | 1 - + drivers/staging/rtl8712/usb_intf.c | 6 +++--- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/rtl8712/os_intfs.c b/drivers/staging/rtl8712/os_intfs.c +index 2214aca09730..daa3180dfde3 100644 +--- a/drivers/staging/rtl8712/os_intfs.c ++++ b/drivers/staging/rtl8712/os_intfs.c +@@ -332,7 +332,6 @@ void r8712_free_drv_sw(struct _adapter *padapter) + r8712_free_evt_priv(&padapter->evtpriv); + r8712_DeInitSwLeds(padapter); + r8712_free_mlme_priv(&padapter->mlmepriv); +- r8712_free_io_queue(padapter); + _free_xmit_priv(&padapter->xmitpriv); + _r8712_free_sta_priv(&padapter->stapriv); + _r8712_free_recv_priv(&padapter->recvpriv); +diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c +index fed96d4251bf..77f090bdd36e 100644 +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -266,6 +266,7 @@ static uint r8712_usb_dvobj_init(struct _adapter *padapter) + + static void r8712_usb_dvobj_deinit(struct _adapter *padapter) + { ++ r8712_free_io_queue(padapter); + } + + void rtl871x_intf_stop(struct _adapter *padapter) +@@ -303,9 +304,6 @@ void r871x_dev_unload(struct _adapter *padapter) + rtl8712_hal_deinit(padapter); + } + +- /*s6.*/ +- if (padapter->dvobj_deinit) +- padapter->dvobj_deinit(padapter); + padapter->bup = false; + } + } +@@ -610,6 +608,8 @@ static void r871xu_dev_remove(struct usb_interface *pusb_intf) + /* Stop driver mlme relation timer */ + r8712_stop_drv_timers(padapter); + r871x_dev_unload(padapter); ++ if (padapter->dvobj_deinit) ++ padapter->dvobj_deinit(padapter); + r8712_free_drv_sw(padapter); + free_netdev(pnetdev); + +-- +2.35.1 + diff --git a/queue-5.10/staging-rtl8712-fix-uninit-value-in-r871xu_drv_init.patch-24043 b/queue-5.10/staging-rtl8712-fix-uninit-value-in-r871xu_drv_init.patch-24043 new file mode 100644 index 00000000000..37520ee9f37 --- /dev/null +++ b/queue-5.10/staging-rtl8712-fix-uninit-value-in-r871xu_drv_init.patch-24043 @@ -0,0 +1,88 @@ +From 0f38b6b75c53587b85faf16a69de31290c6e3c11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 May 2022 17:22:41 +0800 +Subject: staging: rtl8712: fix uninit-value in r871xu_drv_init() + +From: Wang Cheng + +[ Upstream commit 0458e5428e5e959d201a40ffe71d762a79ecedc4 ] + +When 'tmpU1b' returns from r8712_read8(padapter, EE_9346CR) is 0, +'mac[6]' will not be initialized. + +BUG: KMSAN: uninit-value in r871xu_drv_init+0x2d54/0x3070 drivers/staging/rtl8712/usb_intf.c:541 + r871xu_drv_init+0x2d54/0x3070 drivers/staging/rtl8712/usb_intf.c:541 + usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396 + really_probe+0x653/0x14b0 drivers/base/dd.c:596 + __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752 + driver_probe_device drivers/base/dd.c:782 [inline] + __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899 + bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 + __device_attach+0x593/0x8e0 drivers/base/dd.c:970 + device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017 + bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487 + device_add+0x1fff/0x26e0 drivers/base/core.c:3405 + usb_set_configuration+0x37e9/0x3ed0 drivers/usb/core/message.c:2170 + usb_generic_driver_probe+0x13c/0x300 drivers/usb/core/generic.c:238 + usb_probe_device+0x309/0x570 drivers/usb/core/driver.c:293 + really_probe+0x653/0x14b0 drivers/base/dd.c:596 + __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752 + driver_probe_device drivers/base/dd.c:782 [inline] + __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899 + bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 + __device_attach+0x593/0x8e0 drivers/base/dd.c:970 + device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017 + bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487 + device_add+0x1fff/0x26e0 drivers/base/core.c:3405 + usb_new_device+0x1b8e/0x2950 drivers/usb/core/hub.c:2566 + hub_port_connect drivers/usb/core/hub.c:5358 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5502 [inline] + port_event drivers/usb/core/hub.c:5660 [inline] + hub_event+0x58e3/0x89e0 drivers/usb/core/hub.c:5742 + process_one_work+0xdb6/0x1820 kernel/workqueue.c:2307 + worker_thread+0x10b3/0x21e0 kernel/workqueue.c:2454 + kthread+0x3c7/0x500 kernel/kthread.c:377 + ret_from_fork+0x1f/0x30 + +Local variable mac created at: + r871xu_drv_init+0x1771/0x3070 drivers/staging/rtl8712/usb_intf.c:394 + usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396 + +KMSAN: uninit-value in r871xu_drv_init +https://syzkaller.appspot.com/bug?id=3cd92b1d85428b128503bfa7a250294c9ae00bd8 + +Reported-by: +Tested-by: +Reviewed-by: Dan Carpenter +Signed-off-by: Wang Cheng +Link: https://lore.kernel.org/r/14c3886173dfa4597f0704547c414cfdbcd11d16.1652618244.git.wanngchenng@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8712/usb_intf.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c +index 77f090bdd36e..68d66c3ce2c8 100644 +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -539,13 +539,13 @@ static int r871xu_drv_init(struct usb_interface *pusb_intf, + } else { + AutoloadFail = false; + } +- if (((mac[0] == 0xff) && (mac[1] == 0xff) && ++ if ((!AutoloadFail) || ++ ((mac[0] == 0xff) && (mac[1] == 0xff) && + (mac[2] == 0xff) && (mac[3] == 0xff) && + (mac[4] == 0xff) && (mac[5] == 0xff)) || + ((mac[0] == 0x00) && (mac[1] == 0x00) && + (mac[2] == 0x00) && (mac[3] == 0x00) && +- (mac[4] == 0x00) && (mac[5] == 0x00)) || +- (!AutoloadFail)) { ++ (mac[4] == 0x00) && (mac[5] == 0x00))) { + mac[0] = 0x00; + mac[1] = 0xe0; + mac[2] = 0x4c; +-- +2.35.1 + diff --git a/queue-5.10/staging-rtl8712-fix-uninit-value-in-usb_read8-and-fr.patch-18919 b/queue-5.10/staging-rtl8712-fix-uninit-value-in-usb_read8-and-fr.patch-18919 new file mode 100644 index 00000000000..d933399d8a6 --- /dev/null +++ b/queue-5.10/staging-rtl8712-fix-uninit-value-in-usb_read8-and-fr.patch-18919 @@ -0,0 +1,153 @@ +From eb82638fc758a456a46369c09e3033cc02ca001d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 May 2022 17:22:23 +0800 +Subject: staging: rtl8712: fix uninit-value in usb_read8() and friends + +From: Wang Cheng + +[ Upstream commit d1b57669732d09da7e13ef86d058dab0cd57f6e0 ] + +When r8712_usbctrl_vendorreq() returns negative, 'data' in +usb_read{8,16,32} will not be initialized. + +BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:643 [inline] +BUG: KMSAN: uninit-value in string+0x4ec/0x6f0 lib/vsprintf.c:725 + string_nocheck lib/vsprintf.c:643 [inline] + string+0x4ec/0x6f0 lib/vsprintf.c:725 + vsnprintf+0x2222/0x3650 lib/vsprintf.c:2806 + va_format lib/vsprintf.c:1704 [inline] + pointer+0x18e6/0x1f70 lib/vsprintf.c:2443 + vsnprintf+0x1a9b/0x3650 lib/vsprintf.c:2810 + vprintk_store+0x537/0x2150 kernel/printk/printk.c:2158 + vprintk_emit+0x28b/0xab0 kernel/printk/printk.c:2256 + dev_vprintk_emit+0x5ef/0x6d0 drivers/base/core.c:4604 + dev_printk_emit+0x1dd/0x21f drivers/base/core.c:4615 + __dev_printk+0x3be/0x440 drivers/base/core.c:4627 + _dev_info+0x1ea/0x22f drivers/base/core.c:4673 + r871xu_drv_init+0x1929/0x3070 drivers/staging/rtl8712/usb_intf.c:401 + usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396 + really_probe+0x6c7/0x1350 drivers/base/dd.c:621 + __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752 + driver_probe_device drivers/base/dd.c:782 [inline] + __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899 + bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 + __device_attach+0x593/0x8e0 drivers/base/dd.c:970 + device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017 + bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487 + device_add+0x1fff/0x26e0 drivers/base/core.c:3405 + usb_set_configuration+0x37e9/0x3ed0 drivers/usb/core/message.c:2170 + usb_generic_driver_probe+0x13c/0x300 drivers/usb/core/generic.c:238 + usb_probe_device+0x309/0x570 drivers/usb/core/driver.c:293 + really_probe+0x6c7/0x1350 drivers/base/dd.c:621 + __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752 + driver_probe_device drivers/base/dd.c:782 [inline] + __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899 + bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427 + __device_attach+0x593/0x8e0 drivers/base/dd.c:970 + device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017 + bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487 + device_add+0x1fff/0x26e0 drivers/base/core.c:3405 + usb_new_device+0x1b91/0x2950 drivers/usb/core/hub.c:2566 + hub_port_connect drivers/usb/core/hub.c:5363 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5507 [inline] + port_event drivers/usb/core/hub.c:5665 [inline] + hub_event+0x58e3/0x89e0 drivers/usb/core/hub.c:5747 + process_one_work+0xdb6/0x1820 kernel/workqueue.c:2289 + worker_thread+0x10d0/0x2240 kernel/workqueue.c:2436 + kthread+0x3c7/0x500 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 + +Local variable data created at: + usb_read8+0x5d/0x130 drivers/staging/rtl8712/usb_ops.c:33 + r8712_read8+0xa5/0xd0 drivers/staging/rtl8712/rtl8712_io.c:29 + +KMSAN: uninit-value in r871xu_drv_init +https://syzkaller.appspot.com/bug?id=3cd92b1d85428b128503bfa7a250294c9ae00bd8 + +Reported-by: +Tested-by: +Reviewed-by: Dan Carpenter +Signed-off-by: Wang Cheng +Link: https://lore.kernel.org/r/b9b7a6ee02c02aa28054f5cf16129977775f3cd9.1652618244.git.wanngchenng@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8712/usb_ops.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/drivers/staging/rtl8712/usb_ops.c b/drivers/staging/rtl8712/usb_ops.c +index e64845e6adf3..af9966d03979 100644 +--- a/drivers/staging/rtl8712/usb_ops.c ++++ b/drivers/staging/rtl8712/usb_ops.c +@@ -29,7 +29,8 @@ static u8 usb_read8(struct intf_hdl *intfhdl, u32 addr) + u16 wvalue; + u16 index; + u16 len; +- __le32 data; ++ int status; ++ __le32 data = 0; + struct intf_priv *intfpriv = intfhdl->pintfpriv; + + request = 0x05; +@@ -37,8 +38,10 @@ static u8 usb_read8(struct intf_hdl *intfhdl, u32 addr) + index = 0; + wvalue = (u16)(addr & 0x0000ffff); + len = 1; +- r8712_usbctrl_vendorreq(intfpriv, request, wvalue, index, &data, len, +- requesttype); ++ status = r8712_usbctrl_vendorreq(intfpriv, request, wvalue, index, ++ &data, len, requesttype); ++ if (status < 0) ++ return 0; + return (u8)(le32_to_cpu(data) & 0x0ff); + } + +@@ -49,7 +52,8 @@ static u16 usb_read16(struct intf_hdl *intfhdl, u32 addr) + u16 wvalue; + u16 index; + u16 len; +- __le32 data; ++ int status; ++ __le32 data = 0; + struct intf_priv *intfpriv = intfhdl->pintfpriv; + + request = 0x05; +@@ -57,8 +61,10 @@ static u16 usb_read16(struct intf_hdl *intfhdl, u32 addr) + index = 0; + wvalue = (u16)(addr & 0x0000ffff); + len = 2; +- r8712_usbctrl_vendorreq(intfpriv, request, wvalue, index, &data, len, +- requesttype); ++ status = r8712_usbctrl_vendorreq(intfpriv, request, wvalue, index, ++ &data, len, requesttype); ++ if (status < 0) ++ return 0; + return (u16)(le32_to_cpu(data) & 0xffff); + } + +@@ -69,7 +75,8 @@ static u32 usb_read32(struct intf_hdl *intfhdl, u32 addr) + u16 wvalue; + u16 index; + u16 len; +- __le32 data; ++ int status; ++ __le32 data = 0; + struct intf_priv *intfpriv = intfhdl->pintfpriv; + + request = 0x05; +@@ -77,8 +84,10 @@ static u32 usb_read32(struct intf_hdl *intfhdl, u32 addr) + index = 0; + wvalue = (u16)(addr & 0x0000ffff); + len = 4; +- r8712_usbctrl_vendorreq(intfpriv, request, wvalue, index, &data, len, +- requesttype); ++ status = r8712_usbctrl_vendorreq(intfpriv, request, wvalue, index, ++ &data, len, requesttype); ++ if (status < 0) ++ return 0; + return le32_to_cpu(data); + } + +-- +2.35.1 + diff --git a/queue-5.10/sysrq-do-not-omit-current-cpu-when-showing-backtrace.patch-29291 b/queue-5.10/sysrq-do-not-omit-current-cpu-when-showing-backtrace.patch-29291 new file mode 100644 index 00000000000..0c577f22dd9 --- /dev/null +++ b/queue-5.10/sysrq-do-not-omit-current-cpu-when-showing-backtrace.patch-29291 @@ -0,0 +1,91 @@ +From 49ce3de182e75033abc33f12fc01295a77e47b4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jan 2022 23:43:00 +0800 +Subject: sysrq: do not omit current cpu when showing backtrace of all active + CPUs + +From: Changbin Du + +[ Upstream commit 5390e7f46b9d5546d45a83e6463bc656678b1d0e ] + +The backtrace of current CPU also should be printed as it is active. This +change add stack trace for current CPU and print a hint for idle CPU for +the generic workqueue based printing. (x86 already does this) + +Now it looks like below: +[ 279.401567] sysrq: Show backtrace of all active CPUs +[ 279.407234] sysrq: CPU5: +[ 279.407505] Call Trace: +[ 279.408789] [] dump_backtrace+0x2c/0x3a +[ 279.411698] [] show_stack+0x32/0x3e +[ 279.411809] [] sysrq_handle_showallcpus+0x4c/0xc6 +[ 279.411929] [] __handle_sysrq+0x106/0x26c +[ 279.412034] [] write_sysrq_trigger+0x64/0x74 +[ 279.412139] [] proc_reg_write+0x8e/0xe2 +[ 279.412252] [] vfs_write+0x90/0x2be +[ 279.412362] [] ksys_write+0xa6/0xce +[ 279.412467] [] sys_write+0x2a/0x38 +[ 279.412689] [] ret_from_syscall+0x0/0x2 +[ 279.417173] sysrq: CPU6: backtrace skipped as idling +[ 279.417185] sysrq: CPU4: backtrace skipped as idling +[ 279.417187] sysrq: CPU0: backtrace skipped as idling +[ 279.417181] sysrq: CPU7: backtrace skipped as idling +[ 279.417190] sysrq: CPU1: backtrace skipped as idling +[ 279.417193] sysrq: CPU3: backtrace skipped as idling +[ 279.417219] sysrq: CPU2: +[ 279.419179] Call Trace: +[ 279.419440] [] dump_backtrace+0x2c/0x3a +[ 279.419782] [] show_stack+0x32/0x3e +[ 279.420015] [] showacpu+0x5c/0x96 +[ 279.420317] [] flush_smp_call_function_queue+0xd6/0x218 +[ 279.420569] [] generic_smp_call_function_single_interrupt+0x14/0x1c +[ 279.420798] [] handle_IPI+0xaa/0x13a +[ 279.421024] [] riscv_intc_irq+0x56/0x70 +[ 279.421274] [] generic_handle_arch_irq+0x6a/0xfa +[ 279.421518] [] ret_from_exception+0x0/0x10 +[ 279.421750] [] rcu_idle_enter+0x16/0x1e + +Signed-off-by: Changbin Du +Link: https://lore.kernel.org/r/20220117154300.2808-1-changbin.du@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/sysrq.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c +index 959f9e121cc6..7ca209d4e088 100644 +--- a/drivers/tty/sysrq.c ++++ b/drivers/tty/sysrq.c +@@ -231,8 +231,10 @@ static void showacpu(void *dummy) + unsigned long flags; + + /* Idle CPUs have no interesting backtrace. */ +- if (idle_cpu(smp_processor_id())) ++ if (idle_cpu(smp_processor_id())) { ++ pr_info("CPU%d: backtrace skipped as idling\n", smp_processor_id()); + return; ++ } + + raw_spin_lock_irqsave(&show_lock, flags); + pr_info("CPU%d:\n", smp_processor_id()); +@@ -259,10 +261,13 @@ static void sysrq_handle_showallcpus(int key) + + if (in_irq()) + regs = get_irq_regs(); +- if (regs) { +- pr_info("CPU%d:\n", smp_processor_id()); ++ ++ pr_info("CPU%d:\n", smp_processor_id()); ++ if (regs) + show_regs(regs); +- } ++ else ++ show_stack(NULL, NULL, KERN_INFO); ++ + schedule_work(&sysrq_showallcpus); + } + } +-- +2.35.1 + diff --git a/queue-5.10/tty-fix-a-possible-resource-leak-in-icom_probe.patch-21804 b/queue-5.10/tty-fix-a-possible-resource-leak-in-icom_probe.patch-21804 new file mode 100644 index 00000000000..e30db0f6c68 --- /dev/null +++ b/queue-5.10/tty-fix-a-possible-resource-leak-in-icom_probe.patch-21804 @@ -0,0 +1,37 @@ +From ed5c688524357ad4181628a7bac37b7d6382a238 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Mar 2022 17:10:05 +0800 +Subject: tty: Fix a possible resource leak in icom_probe + +From: Huang Guobin + +[ Upstream commit ee157a79e7c82b01ae4c25de0ac75899801f322c ] + +When pci_read_config_dword failed, call pci_release_regions() and +pci_disable_device() to recycle the resource previously allocated. + +Reviewed-by: Jiri Slaby +Signed-off-by: Huang Guobin +Link: https://lore.kernel.org/r/20220331091005.3290753-1-huangguobin4@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/icom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/icom.c b/drivers/tty/serial/icom.c +index 94c8281ddb5f..74b325c344da 100644 +--- a/drivers/tty/serial/icom.c ++++ b/drivers/tty/serial/icom.c +@@ -1503,7 +1503,7 @@ static int icom_probe(struct pci_dev *dev, + retval = pci_read_config_dword(dev, PCI_COMMAND, &command_reg); + if (retval) { + dev_err(&dev->dev, "PCI Config read FAILED\n"); +- return retval; ++ goto probe_exit0; + } + + pci_write_config_dword(dev, PCI_COMMAND, +-- +2.35.1 + diff --git a/queue-5.10/tty-synclink_gt-fix-null-pointer-dereference-in-slgt.patch-16288 b/queue-5.10/tty-synclink_gt-fix-null-pointer-dereference-in-slgt.patch-16288 new file mode 100644 index 00000000000..01931f5c370 --- /dev/null +++ b/queue-5.10/tty-synclink_gt-fix-null-pointer-dereference-in-slgt.patch-16288 @@ -0,0 +1,47 @@ +From 1a119772a45cd66eb916fc6ac087b0a26e24185f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Apr 2022 19:48:14 +0800 +Subject: tty: synclink_gt: Fix null-pointer-dereference in slgt_clean() + +From: Zheyu Ma + +[ Upstream commit 689ca31c542687709ba21ec2195c1fbce34fd029 ] + +When the driver fails at alloc_hdlcdev(), and then we remove the driver +module, we will get the following splat: + +[ 25.065966] general protection fault, probably for non-canonical address 0xdffffc0000000182: 0000 [#1] PREEMPT SMP KASAN PTI +[ 25.066914] KASAN: null-ptr-deref in range [0x0000000000000c10-0x0000000000000c17] +[ 25.069262] RIP: 0010:detach_hdlc_protocol+0x2a/0x3e0 +[ 25.077709] Call Trace: +[ 25.077924] +[ 25.078108] unregister_hdlc_device+0x16/0x30 +[ 25.078481] slgt_cleanup+0x157/0x9f0 [synclink_gt] + +Fix this by checking whether the 'info->netdev' is a null pointer first. + +Reviewed-by: Jiri Slaby +Signed-off-by: Zheyu Ma +Link: https://lore.kernel.org/r/20220410114814.3920474-1-zheyuma97@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/synclink_gt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c +index 1a0c7beec101..0569d5949133 100644 +--- a/drivers/tty/synclink_gt.c ++++ b/drivers/tty/synclink_gt.c +@@ -1749,6 +1749,8 @@ static int hdlcdev_init(struct slgt_info *info) + */ + static void hdlcdev_exit(struct slgt_info *info) + { ++ if (!info->netdev) ++ return; + unregister_hdlc_device(info->netdev); + free_netdev(info->netdev); + info->netdev = NULL; +-- +2.35.1 + diff --git a/queue-5.10/usb-dwc2-gadget-don-t-reset-gadget-s-driver-bus.patch-30811 b/queue-5.10/usb-dwc2-gadget-don-t-reset-gadget-s-driver-bus.patch-30811 new file mode 100644 index 00000000000..691b3e78f1f --- /dev/null +++ b/queue-5.10/usb-dwc2-gadget-don-t-reset-gadget-s-driver-bus.patch-30811 @@ -0,0 +1,66 @@ +From e49352ab0634992b5a5a844c7eccbac28e447d71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 May 2022 12:46:18 +0200 +Subject: usb: dwc2: gadget: don't reset gadget's driver->bus + +From: Marek Szyprowski + +[ Upstream commit 3120aac6d0ecd9accf56894aeac0e265f74d3d5a ] + +UDC driver should not touch gadget's driver internals, especially it +should not reset driver->bus. This wasn't harmful so far, but since +commit fc274c1e9973 ("USB: gadget: Add a new bus for gadgets") gadget +subsystem got it's own bus and messing with ->bus triggers the +following NULL pointer dereference: + +dwc2 12480000.hsotg: bound driver g_ether +8<--- cut here --- +Unable to handle kernel NULL pointer dereference at virtual address 00000000 +[00000000] *pgd=00000000 +Internal error: Oops: 5 [#1] SMP ARM +Modules linked in: ... +CPU: 0 PID: 620 Comm: modprobe Not tainted 5.18.0-rc5-next-20220504 #11862 +Hardware name: Samsung Exynos (Flattened Device Tree) +PC is at module_add_driver+0x44/0xe8 +LR is at sysfs_do_create_link_sd+0x84/0xe0 +... +Process modprobe (pid: 620, stack limit = 0x(ptrval)) +... + module_add_driver from bus_add_driver+0xf4/0x1e4 + bus_add_driver from driver_register+0x78/0x10c + driver_register from usb_gadget_register_driver_owner+0x40/0xb4 + usb_gadget_register_driver_owner from do_one_initcall+0x44/0x1e0 + do_one_initcall from do_init_module+0x44/0x1c8 + do_init_module from load_module+0x19b8/0x1b9c + load_module from sys_finit_module+0xdc/0xfc + sys_finit_module from ret_fast_syscall+0x0/0x54 +Exception stack(0xf1771fa8 to 0xf1771ff0) +... +dwc2 12480000.hsotg: new device is high-speed +---[ end trace 0000000000000000 ]--- + +Fix this by removing driver->bus entry reset. + +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20220505104618.22729-1-m.szyprowski@samsung.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/gadget.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c +index ec54971063f8..64485f82dc5b 100644 +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -4518,7 +4518,6 @@ static int dwc2_hsotg_udc_start(struct usb_gadget *gadget, + + WARN_ON(hsotg->driver); + +- driver->driver.bus = NULL; + hsotg->driver = driver; + hsotg->gadget.dev.of_node = hsotg->dev->of_node; + hsotg->gadget.speed = USB_SPEED_UNKNOWN; +-- +2.35.1 + diff --git a/queue-5.10/usb-hcd-pci-fully-suspend-across-freeze-thaw-cycle.patch-9437 b/queue-5.10/usb-hcd-pci-fully-suspend-across-freeze-thaw-cycle.patch-9437 new file mode 100644 index 00000000000..2f276613562 --- /dev/null +++ b/queue-5.10/usb-hcd-pci-fully-suspend-across-freeze-thaw-cycle.patch-9437 @@ -0,0 +1,50 @@ +From 155fe6fbacde4bf10c864e4dd00bd071bba954ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Apr 2022 10:39:27 -0700 +Subject: USB: hcd-pci: Fully suspend across freeze/thaw cycle + +From: Evan Green + +[ Upstream commit 63acaa8e9c65dc34dc249440216f8e977f5d2748 ] + +The documentation for the freeze() method says that it "should quiesce +the device so that it doesn't generate IRQs or DMA". The unspoken +consequence of not doing this is that MSIs aimed at non-boot CPUs may +get fully lost if they're sent during the period where the target CPU is +offline. + +The current callbacks for USB HCD do not fully quiesce interrupts, +specifically on XHCI. Change to use the full suspend/resume flow for +freeze/thaw to ensure interrupts are fully quiesced. This fixes issues +where USB devices fail to thaw during hibernation because XHCI misses +its interrupt and cannot recover. + +Acked-by: Alan Stern +Signed-off-by: Evan Green +Link: https://lore.kernel.org/r/20220421103751.v3.2.I8226c7fdae88329ef70957b96a39b346c69a914e@changeid +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/hcd-pci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/core/hcd-pci.c b/drivers/usb/core/hcd-pci.c +index ec0d6c50610c..eee78cbfaa72 100644 +--- a/drivers/usb/core/hcd-pci.c ++++ b/drivers/usb/core/hcd-pci.c +@@ -614,10 +614,10 @@ const struct dev_pm_ops usb_hcd_pci_pm_ops = { + .suspend_noirq = hcd_pci_suspend_noirq, + .resume_noirq = hcd_pci_resume_noirq, + .resume = hcd_pci_resume, +- .freeze = check_root_hub_suspended, ++ .freeze = hcd_pci_suspend, + .freeze_noirq = check_root_hub_suspended, + .thaw_noirq = NULL, +- .thaw = NULL, ++ .thaw = hcd_pci_resume, + .poweroff = hcd_pci_suspend, + .poweroff_noirq = hcd_pci_suspend_noirq, + .restore_noirq = hcd_pci_resume_noirq, +-- +2.35.1 + diff --git a/queue-5.10/usb-host-isp116x-check-return-value-after-calling-pl.patch-226 b/queue-5.10/usb-host-isp116x-check-return-value-after-calling-pl.patch-226 new file mode 100644 index 00000000000..a4e0f3fae27 --- /dev/null +++ b/queue-5.10/usb-host-isp116x-check-return-value-after-calling-pl.patch-226 @@ -0,0 +1,43 @@ +From e0cfdd5247858a62c4348408d6ca5a122e9c5e29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Mar 2022 11:37:16 +0800 +Subject: USB: host: isp116x: check return value after calling + platform_get_resource() + +From: Zhen Ni + +[ Upstream commit 134a3408c2d3f7e23eb0e4556e0a2d9f36c2614e ] + +It will cause null-ptr-deref if platform_get_resource() returns NULL, +we need check the return value. + +Signed-off-by: Zhen Ni +Link: https://lore.kernel.org/r/20220302033716.31272-1-nizhen@uniontech.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/isp116x-hcd.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/isp116x-hcd.c b/drivers/usb/host/isp116x-hcd.c +index 3055d9abfec3..3e5c54742bef 100644 +--- a/drivers/usb/host/isp116x-hcd.c ++++ b/drivers/usb/host/isp116x-hcd.c +@@ -1541,10 +1541,12 @@ static int isp116x_remove(struct platform_device *pdev) + + iounmap(isp116x->data_reg); + res = platform_get_resource(pdev, IORESOURCE_MEM, 1); +- release_mem_region(res->start, 2); ++ if (res) ++ release_mem_region(res->start, 2); + iounmap(isp116x->addr_reg); + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- release_mem_region(res->start, 2); ++ if (res) ++ release_mem_region(res->start, 2); + + usb_put_hcd(hcd); + return 0; +-- +2.35.1 + diff --git a/queue-5.10/watchdog-wdat_wdt-stop-watchdog-when-rebooting-the-s.patch-17227 b/queue-5.10/watchdog-wdat_wdt-stop-watchdog-when-rebooting-the-s.patch-17227 new file mode 100644 index 00000000000..54ebe9c30c1 --- /dev/null +++ b/queue-5.10/watchdog-wdat_wdt-stop-watchdog-when-rebooting-the-s.patch-17227 @@ -0,0 +1,48 @@ +From 0888967fd0ee62103398895cb9db0a7b1902d09a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Apr 2022 22:53:29 +0800 +Subject: watchdog: wdat_wdt: Stop watchdog when rebooting the system + +From: Liu Xinpeng + +[ Upstream commit 27fdf84510a1374748904db43f6755f912736d92 ] + +Executing reboot command several times on the machine "Dell +PowerEdge R740", UEFI security detection stopped machine +with the following prompt: + +UEFI0082: The system was reset due to a timeout from the watchdog +timer. Check the System Event Log (SEL) or crash dumps from +Operating Sysstem to identify the source that triggered the +watchdog timer reset. Update the firmware or driver for the +identified device. + +iDRAC has warning event: "The watchdog timer reset the system". + +This patch fixes this issue by adding the reboot notifier. + +Signed-off-by: Liu Xinpeng +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/1650984810-6247-3-git-send-email-liuxp11@chinatelecom.cn +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/wdat_wdt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/watchdog/wdat_wdt.c b/drivers/watchdog/wdat_wdt.c +index 3065dd670a18..c60723f5ed99 100644 +--- a/drivers/watchdog/wdat_wdt.c ++++ b/drivers/watchdog/wdat_wdt.c +@@ -462,6 +462,7 @@ static int wdat_wdt_probe(struct platform_device *pdev) + return ret; + + watchdog_set_nowayout(&wdat->wdd, nowayout); ++ watchdog_stop_on_reboot(&wdat->wdd); + return devm_watchdog_register_device(dev, &wdat->wdd); + } + +-- +2.35.1 + diff --git a/queue-5.10/x86-cpu-elide-kcsan-for-cpu_has-and-friends.patch-267 b/queue-5.10/x86-cpu-elide-kcsan-for-cpu_has-and-friends.patch-267 new file mode 100644 index 00000000000..e5b20fa379e --- /dev/null +++ b/queue-5.10/x86-cpu-elide-kcsan-for-cpu_has-and-friends.patch-267 @@ -0,0 +1,50 @@ +From 28354886cec736051e31d26890e68f3058c53e12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 May 2022 12:15:23 +0200 +Subject: x86/cpu: Elide KCSAN for cpu_has() and friends + +From: Peter Zijlstra + +[ Upstream commit a6a5eb269f6f3a2fe392f725a8d9052190c731e2 ] + +As x86 uses the headers, the +regular forms of all bitops are instrumented with explicit calls to +KASAN and KCSAN checks. As these are explicit calls, these are not +suppressed by the noinstr function attribute. + +This can result in calls to those check functions in noinstr code, which +objtool warns about: + +vmlinux.o: warning: objtool: enter_from_user_mode+0x24: call to __kcsan_check_access() leaves .noinstr.text section +vmlinux.o: warning: objtool: syscall_enter_from_user_mode+0x28: call to __kcsan_check_access() leaves .noinstr.text section +vmlinux.o: warning: objtool: syscall_enter_from_user_mode_prepare+0x24: call to __kcsan_check_access() leaves .noinstr.text section +vmlinux.o: warning: objtool: irqentry_enter_from_user_mode+0x24: call to __kcsan_check_access() leaves .noinstr.text section + +Prevent this by using the arch_*() bitops, which are the underlying +bitops without explciit instrumentation. + +[null: Changelog] +Reported-by: kernel test robot +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20220502111216.290518605@infradead.org +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/cpufeature.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h +index 59bf91c57aa8..619c1f80a2ab 100644 +--- a/arch/x86/include/asm/cpufeature.h ++++ b/arch/x86/include/asm/cpufeature.h +@@ -49,7 +49,7 @@ extern const char * const x86_power_flags[32]; + extern const char * const x86_bug_flags[NBUGINTS*32]; + + #define test_cpu_cap(c, bit) \ +- test_bit(bit, (unsigned long *)((c)->x86_capability)) ++ arch_test_bit(bit, (unsigned long *)((c)->x86_capability)) + + /* + * There are 32 bits/features in each mask word. The high bits +-- +2.35.1 +