From: Greg Kroah-Hartman Date: Fri, 1 Apr 2022 10:38:45 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.14.275~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c0a89ed47d38e7c5ab1c8b26ae0a538c5b625370;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: clk-uniphier-fix-fixed-rate-initialization.patch coresight-fix-trcconfigr.qe-sysfs-interface.patch documentation-add-link-to-stable-release-candidate-tree.patch documentation-update-stable-tree-link.patch f2fs-fix-to-do-sanity-check-on-.cp_pack_total_block_count.patch f2fs-fix-to-unlock-page-correctly-in-error-path-of-is_alive.patch f2fs-quota-fix-loop-condition-at-f2fs_quota_sync.patch firmware-stratix10-svc-add-missing-callback-parameter-on-rsu.patch greybus-svc-fix-an-error-handling-bug-in-gb_svc_hello.patch hid-intel-ish-hid-use-dma_alloc_coherent-for-firmware-update.patch iio-afe-rescale-use-s64-for-temporary-scale-calculations.patch iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch iio-inkern-make-a-best-effort-on-offset-calculation.patch keys-fix-length-validation-in-keyctl_pkey_params_get_2.patch mtd-rawnand-protect-access-to-rawnand-devices-while-in-suspend.patch nfsd-prevent-integer-overflow-on-32-bit-systems.patch nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch remoteproc-fix-count-check-in-rproc_coredump_write.patch serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch spi-mxic-fix-the-transmit-path.patch sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch --- diff --git a/queue-5.10/clk-uniphier-fix-fixed-rate-initialization.patch b/queue-5.10/clk-uniphier-fix-fixed-rate-initialization.patch new file mode 100644 index 00000000000..0a5d3a4ea6e --- /dev/null +++ b/queue-5.10/clk-uniphier-fix-fixed-rate-initialization.patch 
@@ -0,0 +1,35 @@ +From ca85a66710a8a1f6b0719397225c3e9ee0abb692 Mon Sep 17 00:00:00 2001 +From: Kunihiko Hayashi +Date: Wed, 9 Mar 2022 15:55:18 +0900 +Subject: clk: uniphier: Fix fixed-rate initialization + +From: Kunihiko Hayashi + +commit ca85a66710a8a1f6b0719397225c3e9ee0abb692 upstream. + +Fixed-rate clocks in UniPhier don't have any parent clocks, however, +initial data "init.flags" isn't initialized, so it might be determined +that there is a parent clock for fixed-rate clock. + +This sets init.flags to zero as initialization. + +Cc: +Fixes: 734d82f4a678 ("clk: uniphier: add core support code for UniPhier clock driver") +Signed-off-by: Kunihiko Hayashi +Link: https://lore.kernel.org/r/1646808918-30899-1-git-send-email-hayashi.kunihiko@socionext.com +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/uniphier/clk-uniphier-fixed-rate.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/clk/uniphier/clk-uniphier-fixed-rate.c ++++ b/drivers/clk/uniphier/clk-uniphier-fixed-rate.c +@@ -24,6 +24,7 @@ struct clk_hw *uniphier_clk_register_fix + + init.name = name; + init.ops = &clk_fixed_rate_ops; ++ init.flags = 0; + init.parent_names = NULL; + init.num_parents = 0; + diff --git a/queue-5.10/coresight-fix-trcconfigr.qe-sysfs-interface.patch b/queue-5.10/coresight-fix-trcconfigr.qe-sysfs-interface.patch new file mode 100644 index 00000000000..0e62c69b84f --- /dev/null +++ b/queue-5.10/coresight-fix-trcconfigr.qe-sysfs-interface.patch 
@@ -0,0 +1,56 @@ +From ea75a342aed5ed72c87f38fbe0df2f5df7eae374 Mon Sep 17 00:00:00 2001 +From: James Clark +Date: Thu, 20 Jan 2022 11:30:47 +0000 +Subject: coresight: Fix TRCCONFIGR.QE sysfs interface + +From: James Clark + +commit ea75a342aed5ed72c87f38fbe0df2f5df7eae374 upstream. + +It's impossible to program a valid value for TRCCONFIGR.QE +when TRCIDR0.QSUPP==0b10. In that case the following is true: + + Q element support is implemented, and only supports Q elements without + instruction counts. TRCCONFIGR.QE can only take the values 0b00 or 0b11. + +Currently the low bit of QSUPP is checked to see if the low bit of QE can +be written to, but as you can see when QSUPP==0b10 the low bit is cleared +making it impossible to ever write the only valid value of 0b11 to QE. +0b10 would be written instead, which is a reserved QE value even for all +values of QSUPP. + +The fix is to allow writing the low bit of QE for any non zero value of +QSUPP. + +This change also ensures that the low bit is always set, even when the +user attempts to only set the high bit. 
+ +Signed-off-by: James Clark +Reviewed-by: Mike Leach +Fixes: d8c66962084f ("coresight-etm4x: Controls pertaining to the reset, mode, pe and events") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220120113047.2839622-2-james.clark@arm.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Suzuki K Poulose +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c +@@ -364,8 +364,12 @@ static ssize_t mode_store(struct device + mode = ETM_MODE_QELEM(config->mode); + /* start by clearing QE bits */ + config->cfg &= ~(BIT(13) | BIT(14)); +- /* if supported, Q elements with instruction counts are enabled */ +- if ((mode & BIT(0)) && (drvdata->q_support & BIT(0))) ++ /* ++ * if supported, Q elements with instruction counts are enabled. ++ * Always set the low bit for any requested mode. Valid combos are ++ * 0b00, 0b01 and 0b11. ++ */ ++ if (mode && drvdata->q_support) + config->cfg |= BIT(13); + /* + * if supported, Q elements with and without instruction diff --git a/queue-5.10/documentation-add-link-to-stable-release-candidate-tree.patch b/queue-5.10/documentation-add-link-to-stable-release-candidate-tree.patch new file mode 100644 index 00000000000..07b9e47c558 --- /dev/null +++ b/queue-5.10/documentation-add-link-to-stable-release-candidate-tree.patch 
@@ -0,0 +1,42 @@ +From 587d39b260c4d090166314d64be70b1f6a26b0b5 Mon Sep 17 00:00:00 2001 +From: Bagas Sanjaya +Date: Mon, 14 Mar 2022 18:33:28 +0700 +Subject: Documentation: add link to stable release candidate tree + +From: Bagas Sanjaya + +commit 587d39b260c4d090166314d64be70b1f6a26b0b5 upstream. + +There is also stable release candidate tree. Mention it, however with a +warning that the tree is for testing purposes. + +Cc: Greg Kroah-Hartman +Cc: Sasha Levin +Cc: Jonathan Corbet +Cc: stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Bagas Sanjaya +Link: https://lore.kernel.org/r/20220314113329.485372-5-bagasdotme@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/process/stable-kernel-rules.rst | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/Documentation/process/stable-kernel-rules.rst ++++ b/Documentation/process/stable-kernel-rules.rst +@@ -170,6 +170,15 @@ Trees + + https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git + ++ - The release candidate of all stable kernel versions can be found at: ++ ++ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/ ++ ++ .. warning:: ++ The -stable-rc tree is a snapshot in time of the stable-queue tree and ++ will change frequently, hence will be rebased often. It should only be ++ used for testing purposes (e.g. to be consumed by CI systems). ++ + + Review committee + ---------------- diff --git a/queue-5.10/documentation-update-stable-tree-link.patch b/queue-5.10/documentation-update-stable-tree-link.patch new file mode 100644 index 00000000000..520d880d0d8 --- /dev/null +++ b/queue-5.10/documentation-update-stable-tree-link.patch 
@@ -0,0 +1,36 @@ +From 555d44932c67e617d89bc13c81c7efac5b51fcfa Mon Sep 17 00:00:00 2001 +From: Bagas Sanjaya +Date: Mon, 14 Mar 2022 18:33:29 +0700 +Subject: Documentation: update stable tree link + +From: Bagas Sanjaya + +commit 555d44932c67e617d89bc13c81c7efac5b51fcfa upstream. + +The link to stable tree is redirected to +https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git. Update +accordingly. + +Cc: Greg Kroah-Hartman +Cc: Sasha Levin +Cc: Jonathan Corbet +Cc: stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Bagas Sanjaya +Link: https://lore.kernel.org/r/20220314113329.485372-6-bagasdotme@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/process/stable-kernel-rules.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/process/stable-kernel-rules.rst ++++ b/Documentation/process/stable-kernel-rules.rst +@@ -168,7 +168,7 @@ Trees + - The finalized and tagged releases of all stable kernels can be found + in separate branches per version at: + +- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git ++ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git + + - The release candidate of all stable kernel versions can be found at: + diff --git a/queue-5.10/f2fs-fix-to-do-sanity-check-on-.cp_pack_total_block_count.patch b/queue-5.10/f2fs-fix-to-do-sanity-check-on-.cp_pack_total_block_count.patch new file mode 100644 index 00000000000..7b7b9eb43be --- /dev/null +++ b/queue-5.10/f2fs-fix-to-do-sanity-check-on-.cp_pack_total_block_count.patch 
@@ -0,0 +1,76 @@ +From 5b5b4f85b01604389f7a0f11ef180a725bf0e2d4 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Mon, 21 Mar 2022 23:22:11 +0800 +Subject: f2fs: fix to do sanity check on .cp_pack_total_block_count + +From: Chao Yu + +commit 5b5b4f85b01604389f7a0f11ef180a725bf0e2d4 upstream. + +As bughunter reported in bugzilla: + +https://bugzilla.kernel.org/show_bug.cgi?id=215709 + +f2fs may hang when mounting a fuzzed image, the dmesg shows as below: + +__filemap_get_folio+0x3a9/0x590 +pagecache_get_page+0x18/0x60 +__get_meta_page+0x95/0x460 [f2fs] +get_checkpoint_version+0x2a/0x1e0 [f2fs] +validate_checkpoint+0x8e/0x2a0 [f2fs] +f2fs_get_valid_checkpoint+0xd0/0x620 [f2fs] +f2fs_fill_super+0xc01/0x1d40 [f2fs] +mount_bdev+0x18a/0x1c0 +f2fs_mount+0x15/0x20 [f2fs] +legacy_get_tree+0x28/0x50 +vfs_get_tree+0x27/0xc0 +path_mount+0x480/0xaa0 +do_mount+0x7c/0xa0 +__x64_sys_mount+0x8b/0xe0 +do_syscall_64+0x38/0xc0 +entry_SYSCALL_64_after_hwframe+0x44/0xae + +The root cause is cp_pack_total_block_count field in checkpoint was fuzzed +to one, as calcuated, two cp pack block locates in the same block address, +so then read latter cp pack block, it will block on the page lock due to +the lock has already held when reading previous cp pack block, fix it by +adding sanity check for cp_pack_total_block_count. 
+ +Cc: stable@vger.kernel.org +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/checkpoint.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -851,6 +851,7 @@ static struct page *validate_checkpoint( + struct page *cp_page_1 = NULL, *cp_page_2 = NULL; + struct f2fs_checkpoint *cp_block = NULL; + unsigned long long cur_version = 0, pre_version = 0; ++ unsigned int cp_blocks; + int err; + + err = get_checkpoint_version(sbi, cp_addr, &cp_block, +@@ -858,15 +859,16 @@ static struct page *validate_checkpoint( + if (err) + return NULL; + +- if (le32_to_cpu(cp_block->cp_pack_total_block_count) > +- sbi->blocks_per_seg) { ++ cp_blocks = le32_to_cpu(cp_block->cp_pack_total_block_count); ++ ++ if (cp_blocks > sbi->blocks_per_seg || cp_blocks <= F2FS_CP_PACKS) { + f2fs_warn(sbi, "invalid cp_pack_total_block_count:%u", + le32_to_cpu(cp_block->cp_pack_total_block_count)); + goto invalid_cp; + } + pre_version = *version; + +- cp_addr += le32_to_cpu(cp_block->cp_pack_total_block_count) - 1; ++ cp_addr += cp_blocks - 1; + err = get_checkpoint_version(sbi, cp_addr, &cp_block, + &cp_page_2, version); + if (err) diff --git a/queue-5.10/f2fs-fix-to-unlock-page-correctly-in-error-path-of-is_alive.patch b/queue-5.10/f2fs-fix-to-unlock-page-correctly-in-error-path-of-is_alive.patch new file mode 100644 index 00000000000..d796052d900 --- /dev/null +++ b/queue-5.10/f2fs-fix-to-unlock-page-correctly-in-error-path-of-is_alive.patch 
@@ -0,0 +1,43 @@ +From 6d18762ed5cd549fde74fd0e05d4d87bac5a3beb Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Fri, 4 Feb 2022 11:21:14 +0800 +Subject: f2fs: fix to unlock page correctly in error path of is_alive() + +From: Chao Yu + +commit 6d18762ed5cd549fde74fd0e05d4d87bac5a3beb upstream. + +As Pavel Machek reported in below link [1]: + +After commit 77900c45ee5c ("f2fs: fix to do sanity check in is_alive()"), +node page should be unlock via calling f2fs_put_page() in the error path +of is_alive(), otherwise, f2fs may hang when it tries to lock the node +page, fix it. + +[1] https://lore.kernel.org/stable/20220124203637.GA19321@duo.ucw.cz/ + +Fixes: 77900c45ee5c ("f2fs: fix to do sanity check in is_alive()") +Cc: +Reported-by: Pavel Machek +Signed-off-by: Pavel Machek +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/gc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -998,8 +998,10 @@ static bool is_alive(struct f2fs_sb_info + set_sbi_flag(sbi, SBI_NEED_FSCK); + } + +- if (f2fs_check_nid_range(sbi, dni->ino)) ++ if (f2fs_check_nid_range(sbi, dni->ino)) { ++ f2fs_put_page(node_page, 1); + return false; ++ } + + *nofs = ofs_of_node(node_page); + source_blkaddr = data_blkaddr(NULL, node_page, ofs_in_node); diff --git a/queue-5.10/f2fs-quota-fix-loop-condition-at-f2fs_quota_sync.patch b/queue-5.10/f2fs-quota-fix-loop-condition-at-f2fs_quota_sync.patch new file mode 100644 index 00000000000..9cba0308a57 --- /dev/null +++ b/queue-5.10/f2fs-quota-fix-loop-condition-at-f2fs_quota_sync.patch 
@@ -0,0 +1,95 @@ +From 680af5b824a52faa819167628665804a14f0e0df Mon Sep 17 00:00:00 2001 +From: Juhyung Park +Date: Tue, 15 Feb 2022 17:27:21 +0900 +Subject: f2fs: quota: fix loop condition at f2fs_quota_sync() + +From: Juhyung Park + +commit 680af5b824a52faa819167628665804a14f0e0df upstream. + +cnt should be passed to sb_has_quota_active() instead of type to check +active quota properly. + +Moreover, when the type is -1, the compiler with enough inline knowledge +can discard sb_has_quota_active() check altogether, causing a NULL pointer +dereference at the following inode_lock(dqopt->files[cnt]): + +[ 2.796010] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0 +[ 2.796024] Mem abort info: +[ 2.796025] ESR = 0x96000005 +[ 2.796028] EC = 0x25: DABT (current EL), IL = 32 bits +[ 2.796029] SET = 0, FnV = 0 +[ 2.796031] EA = 0, S1PTW = 0 +[ 2.796032] Data abort info: +[ 2.796034] ISV = 0, ISS = 0x00000005 +[ 2.796035] CM = 0, WnR = 0 +[ 2.796046] user pgtable: 4k pages, 39-bit VAs, pgdp=00000003370d1000 +[ 2.796048] [00000000000000a0] pgd=0000000000000000, pud=0000000000000000 +[ 2.796051] Internal error: Oops: 96000005 [#1] PREEMPT SMP +[ 2.796056] CPU: 7 PID: 640 Comm: f2fs_ckpt-259:7 Tainted: G S 5.4.179-arter97-r8-64666-g2f16e087f9d8 #1 +[ 2.796057] Hardware name: Qualcomm Technologies, Inc. 
Lahaina MTP lemonadep (DT) +[ 2.796059] pstate: 80c00005 (Nzcv daif +PAN +UAO) +[ 2.796065] pc : down_write+0x28/0x70 +[ 2.796070] lr : f2fs_quota_sync+0x100/0x294 +[ 2.796071] sp : ffffffa3f48ffc30 +[ 2.796073] x29: ffffffa3f48ffc30 x28: 0000000000000000 +[ 2.796075] x27: ffffffa3f6d718b8 x26: ffffffa415fe9d80 +[ 2.796077] x25: ffffffa3f7290048 x24: 0000000000000001 +[ 2.796078] x23: 0000000000000000 x22: ffffffa3f7290000 +[ 2.796080] x21: ffffffa3f72904a0 x20: ffffffa3f7290110 +[ 2.796081] x19: ffffffa3f77a9800 x18: ffffffc020aae038 +[ 2.796083] x17: ffffffa40e38e040 x16: ffffffa40e38e6d0 +[ 2.796085] x15: ffffffa40e38e6cc x14: ffffffa40e38e6d0 +[ 2.796086] x13: 00000000000004f6 x12: 00162c44ff493000 +[ 2.796088] x11: 0000000000000400 x10: ffffffa40e38c948 +[ 2.796090] x9 : 0000000000000000 x8 : 00000000000000a0 +[ 2.796091] x7 : 0000000000000000 x6 : 0000d1060f00002a +[ 2.796093] x5 : ffffffa3f48ff718 x4 : 000000000000000d +[ 2.796094] x3 : 00000000060c0000 x2 : 0000000000000001 +[ 2.796096] x1 : 0000000000000000 x0 : 00000000000000a0 +[ 2.796098] Call trace: +[ 2.796100] down_write+0x28/0x70 +[ 2.796102] f2fs_quota_sync+0x100/0x294 +[ 2.796104] block_operations+0x120/0x204 +[ 2.796106] f2fs_write_checkpoint+0x11c/0x520 +[ 2.796107] __checkpoint_and_complete_reqs+0x7c/0xd34 +[ 2.796109] issue_checkpoint_thread+0x6c/0xb8 +[ 2.796112] kthread+0x138/0x414 +[ 2.796114] ret_from_fork+0x10/0x18 +[ 2.796117] Code: aa0803e0 aa1f03e1 52800022 aa0103e9 (c8e97d02) +[ 2.796120] ---[ end trace 96e942e8eb6a0b53 ]--- +[ 2.800116] Kernel panic - not syncing: Fatal exception +[ 2.800120] SMP: stopping secondary CPUs + +Fixes: 9de71ede81e6 ("f2fs: quota: fix potential deadlock") +Cc: # v5.15+ +Signed-off-by: Juhyung Park +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2278,7 +2278,7 @@ int 
f2fs_quota_sync(struct super_block * + struct f2fs_sb_info *sbi = F2FS_SB(sb); + struct quota_info *dqopt = sb_dqopt(sb); + int cnt; +- int ret; ++ int ret = 0; + + /* + * Now when everything is written we can discard the pagecache so +@@ -2289,8 +2289,8 @@ int f2fs_quota_sync(struct super_block * + if (type != -1 && cnt != type) + continue; + +- if (!sb_has_quota_active(sb, type)) +- return 0; ++ if (!sb_has_quota_active(sb, cnt)) ++ continue; + + inode_lock(dqopt->files[cnt]); + diff --git a/queue-5.10/firmware-stratix10-svc-add-missing-callback-parameter-on-rsu.patch b/queue-5.10/firmware-stratix10-svc-add-missing-callback-parameter-on-rsu.patch new file mode 100644 index 00000000000..c80b70b158e --- /dev/null +++ b/queue-5.10/firmware-stratix10-svc-add-missing-callback-parameter-on-rsu.patch 
@@ -0,0 +1,35 @@ +From b850b7a8b369322adf699ef48ceff4d902525c8c Mon Sep 17 00:00:00 2001 +From: Ang Tien Sung +Date: Wed, 23 Feb 2022 08:41:46 -0600 +Subject: firmware: stratix10-svc: add missing callback parameter on RSU + +From: Ang Tien Sung + +commit b850b7a8b369322adf699ef48ceff4d902525c8c upstream. + +Fix a bug whereby, the return response of parameter a1 from an +SMC call is not properly set to the callback data during an +INTEL_SIP_SMC_RSU_ERROR command. + +Link: https://lore.kernel.org/lkml/20220216081513.28319-1-tien.sung.ang@intel.com +Fixes: 6b50d882d38d ("firmware: add remote status update client support") +Cc: stable@vger.kernel.org +Signed-off-by: Ang Tien Sung +Signed-off-by: Dinh Nguyen +Link: https://lore.kernel.org/r/20220223144146.399263-1-dinguyen@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/stratix10-svc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/stratix10-svc.c ++++ b/drivers/firmware/stratix10-svc.c +@@ -477,7 +477,7 @@ static int svc_normal_to_secure_thread(v + case INTEL_SIP_SMC_RSU_ERROR: + pr_err("%s: STATUS_ERROR\n", __func__); + cbdata->status = BIT(SVC_STATUS_ERROR); +- cbdata->kaddr1 = NULL; ++ cbdata->kaddr1 = &res.a1; + cbdata->kaddr2 = NULL; + cbdata->kaddr3 = NULL; + pdata->chan->scl->receive_cb(pdata->chan->scl, cbdata); diff --git a/queue-5.10/greybus-svc-fix-an-error-handling-bug-in-gb_svc_hello.patch b/queue-5.10/greybus-svc-fix-an-error-handling-bug-in-gb_svc_hello.patch new file mode 100644 index 00000000000..a7b10b43a8b --- /dev/null +++ b/queue-5.10/greybus-svc-fix-an-error-handling-bug-in-gb_svc_hello.patch 
@@ -0,0 +1,41 @@ +From 5f8583a3b7552092582a92e7bbd2153319929ad7 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 2 Feb 2022 12:33:45 +0100 +Subject: greybus: svc: fix an error handling bug in gb_svc_hello() + +From: Dan Carpenter + +commit 5f8583a3b7552092582a92e7bbd2153319929ad7 upstream. + +Cleanup if gb_svc_queue_deferred_request() fails. + +Link: https://lore.kernel.org/r/20220202072016.GA6748@kili +Fixes: ee2f2074fdb2 ("greybus: svc: reconfig APBridgeA-Switch link to handle required load") +Cc: stable@vger.kernel.org # 4.9 +[johan: fix commit summary prefix and rename label ] +Signed-off-by: Dan Carpenter +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220202113347.1288-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/greybus/svc.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/greybus/svc.c ++++ b/drivers/greybus/svc.c +@@ -866,8 +866,14 @@ static int gb_svc_hello(struct gb_operat + + gb_svc_debugfs_init(svc); + +- return gb_svc_queue_deferred_request(op); ++ ret = gb_svc_queue_deferred_request(op); ++ if (ret) ++ goto err_remove_debugfs; + ++ return 0; ++ ++err_remove_debugfs: ++ gb_svc_debugfs_exit(svc); + err_unregister_device: + gb_svc_watchdog_destroy(svc); + device_del(&svc->dev); diff --git a/queue-5.10/hid-intel-ish-hid-use-dma_alloc_coherent-for-firmware-update.patch b/queue-5.10/hid-intel-ish-hid-use-dma_alloc_coherent-for-firmware-update.patch new file mode 100644 index 00000000000..d4d9c457a30 --- /dev/null +++ b/queue-5.10/hid-intel-ish-hid-use-dma_alloc_coherent-for-firmware-update.patch 
@@ -0,0 +1,92 @@ +From f97ec5d75e9261a5da78dc28a8955b7cc0c4468b Mon Sep 17 00:00:00 2001 +From: Gwendal Grignou +Date: Tue, 8 Feb 2022 21:09:47 -0800 +Subject: HID: intel-ish-hid: Use dma_alloc_coherent for firmware update + +From: Gwendal Grignou + +commit f97ec5d75e9261a5da78dc28a8955b7cc0c4468b upstream. + +Allocating memory with kmalloc and GPF_DMA32 is not allowed, the +allocator will ignore the attribute. + +Instead, use dma_alloc_coherent() API as we allocate a small amount of +memory to transfer firmware fragment to the ISH. + +On Arcada chromebook, after the patch the warning: +"Unexpected gfp: 0x4 (GFP_DMA32). Fixing up to gfp: 0xcc0 (GFP_KERNEL). Fix your code!" +is gone. The ISH firmware is loaded properly and we can interact with +the ISH: +> ectool --name cros_ish version +... +Build info: arcada_ish_v2.0.3661+3c1a1c1ae0 2022-02-08 05:37:47 @localhost +Tool version: v2.0.12300-900b03ec7f 2022-02-08 10:01:48 @localhost + +Fixes: commit 91b228107da3 ("HID: intel-ish-hid: ISH firmware loader client driver") +Signed-off-by: Gwendal Grignou +Acked-by: Srinivas Pandruvada +Cc: stable@vger.kernel.org +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/intel-ish-hid/ishtp-fw-loader.c | 29 ++-------------------------- + 1 file changed, 3 insertions(+), 26 deletions(-) + +--- a/drivers/hid/intel-ish-hid/ishtp-fw-loader.c ++++ b/drivers/hid/intel-ish-hid/ishtp-fw-loader.c +@@ -656,21 +656,12 @@ static int ish_fw_xfer_direct_dma(struct + */ + payload_max_size &= ~(L1_CACHE_BYTES - 1); + +- dma_buf = kmalloc(payload_max_size, GFP_KERNEL | GFP_DMA32); ++ dma_buf = dma_alloc_coherent(devc, payload_max_size, &dma_buf_phy, GFP_KERNEL); + if (!dma_buf) { + client_data->flag_retry = true; + return -ENOMEM; + } + +- dma_buf_phy = dma_map_single(devc, dma_buf, payload_max_size, +- DMA_TO_DEVICE); +- if (dma_mapping_error(devc, dma_buf_phy)) { +- dev_err(cl_data_to_dev(client_data), "DMA map failed\n"); +- client_data->flag_retry = true; +- rv 
= -ENOMEM; +- goto end_err_dma_buf_release; +- } +- + ldr_xfer_dma_frag.fragment.hdr.command = LOADER_CMD_XFER_FRAGMENT; + ldr_xfer_dma_frag.fragment.xfer_mode = LOADER_XFER_MODE_DIRECT_DMA; + ldr_xfer_dma_frag.ddr_phys_addr = (u64)dma_buf_phy; +@@ -690,14 +681,7 @@ static int ish_fw_xfer_direct_dma(struct + ldr_xfer_dma_frag.fragment.size = fragment_size; + memcpy(dma_buf, &fw->data[fragment_offset], fragment_size); + +- dma_sync_single_for_device(devc, dma_buf_phy, +- payload_max_size, +- DMA_TO_DEVICE); +- +- /* +- * Flush cache here because the dma_sync_single_for_device() +- * does not do for x86. +- */ ++ /* Flush cache to be sure the data is in main memory. */ + clflush_cache_range(dma_buf, payload_max_size); + + dev_dbg(cl_data_to_dev(client_data), +@@ -720,15 +704,8 @@ static int ish_fw_xfer_direct_dma(struct + fragment_offset += fragment_size; + } + +- dma_unmap_single(devc, dma_buf_phy, payload_max_size, DMA_TO_DEVICE); +- kfree(dma_buf); +- return 0; +- + end_err_resp_buf_release: +- /* Free ISH buffer if not done already, in error case */ +- dma_unmap_single(devc, dma_buf_phy, payload_max_size, DMA_TO_DEVICE); +-end_err_dma_buf_release: +- kfree(dma_buf); ++ dma_free_coherent(devc, payload_max_size, dma_buf, dma_buf_phy); + return rv; + } + diff --git a/queue-5.10/iio-afe-rescale-use-s64-for-temporary-scale-calculations.patch b/queue-5.10/iio-afe-rescale-use-s64-for-temporary-scale-calculations.patch new file mode 100644 index 00000000000..2c087fc01cb --- /dev/null +++ b/queue-5.10/iio-afe-rescale-use-s64-for-temporary-scale-calculations.patch 
@@ -0,0 +1,50 @@ +From 51593106b608ae4247cc8da928813347da16d025 Mon Sep 17 00:00:00 2001 +From: Liam Beguin +Date: Sat, 8 Jan 2022 15:53:07 -0500 +Subject: iio: afe: rescale: use s64 for temporary scale calculations + +From: Liam Beguin + +commit 51593106b608ae4247cc8da928813347da16d025 upstream. + +All four scaling coefficients can take signed values. +Make tmp a signed 64-bit integer and switch to div_s64() to preserve +signs during 64-bit divisions. + +Fixes: 8b74816b5a9a ("iio: afe: rescale: new driver") +Signed-off-by: Liam Beguin +Reviewed-by: Peter Rosin +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220108205319.2046348-5-liambeguin@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/afe/iio-rescale.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/iio/afe/iio-rescale.c ++++ b/drivers/iio/afe/iio-rescale.c +@@ -38,7 +38,7 @@ static int rescale_read_raw(struct iio_d + int *val, int *val2, long mask) + { + struct rescale *rescale = iio_priv(indio_dev); +- unsigned long long tmp; ++ s64 tmp; + int ret; + + switch (mask) { +@@ -59,10 +59,10 @@ static int rescale_read_raw(struct iio_d + *val2 = rescale->denominator; + return IIO_VAL_FRACTIONAL; + case IIO_VAL_FRACTIONAL_LOG2: +- tmp = *val * 1000000000LL; +- do_div(tmp, rescale->denominator); ++ tmp = (s64)*val * 1000000000LL; ++ tmp = div_s64(tmp, rescale->denominator); + tmp *= rescale->numerator; +- do_div(tmp, 1000000000LL); ++ tmp = div_s64(tmp, 1000000000LL); + *val = tmp; + return ret; + default: diff --git a/queue-5.10/iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch b/queue-5.10/iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch new file mode 100644 index 00000000000..451168ff847 --- /dev/null +++ b/queue-5.10/iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch 
@@ -0,0 +1,42 @@ +From 1bca97ff95c732a516ebb68da72814194980e0a5 Mon Sep 17 00:00:00 2001 +From: Liam Beguin +Date: Sat, 8 Jan 2022 15:53:04 -0500 +Subject: iio: inkern: apply consumer scale on IIO_VAL_INT cases + +From: Liam Beguin + +commit 1bca97ff95c732a516ebb68da72814194980e0a5 upstream. + +When a consumer calls iio_read_channel_processed() and the channel has +an integer scale, the scale channel scale is applied and the processed +value is returned as expected. + +On the other hand, if the consumer calls iio_convert_raw_to_processed() +the scaling factor requested by the consumer is not applied. + +This for example causes the consumer to process mV when expecting uV. +Make sure to always apply the scaling factor requested by the consumer. + +Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value") +Signed-off-by: Liam Beguin +Reviewed-by: Peter Rosin +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220108205319.2046348-2-liambeguin@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/inkern.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -582,7 +582,7 @@ static int iio_convert_raw_to_processed_ + + switch (scale_type) { + case IIO_VAL_INT: +- *processed = raw64 * scale_val; ++ *processed = raw64 * scale_val * scale; + break; + case IIO_VAL_INT_PLUS_MICRO: + if (scale_val2 < 0) diff --git a/queue-5.10/iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch b/queue-5.10/iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch new file mode 100644 index 00000000000..1571a2d8ead --- /dev/null +++ b/queue-5.10/iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch 
@@ -0,0 +1,47 @@ +From 14b457fdde38de594a4bc4bd9075019319d978da Mon Sep 17 00:00:00 2001 +From: Liam Beguin +Date: Sat, 8 Jan 2022 15:53:05 -0500 +Subject: iio: inkern: apply consumer scale when no channel scale is available + +From: Liam Beguin + +commit 14b457fdde38de594a4bc4bd9075019319d978da upstream. + +When a consumer calls iio_read_channel_processed() and no channel scale +is available, it's assumed that the scale is one and the raw value is +returned as expected. + +On the other hand, if the consumer calls iio_convert_raw_to_processed() +the scaling factor requested by the consumer is not applied. + +This for example causes the consumer to process mV when expecting uV. +Make sure to always apply the scaling factor requested by the consumer. + +Fixes: adc8ec5ff183 ("iio: inkern: pass through raw values if no scaling") +Signed-off-by: Liam Beguin +Reviewed-by: Peter Rosin +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220108205319.2046348-3-liambeguin@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/inkern.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -573,10 +573,10 @@ static int iio_convert_raw_to_processed_ + IIO_CHAN_INFO_SCALE); + if (scale_type < 0) { + /* +- * Just pass raw values as processed if no scaling is +- * available. ++ * If no channel scaling is available apply consumer scale to ++ * raw value and return. + */ +- *processed = raw; ++ *processed = raw * scale; + return 0; + } + diff --git a/queue-5.10/iio-inkern-make-a-best-effort-on-offset-calculation.patch b/queue-5.10/iio-inkern-make-a-best-effort-on-offset-calculation.patch new file mode 100644 index 00000000000..d59446a3e90 --- /dev/null +++ b/queue-5.10/iio-inkern-make-a-best-effort-on-offset-calculation.patch 
@@ -0,0 +1,68 @@ +From ca85123354e1a65a22170286387b4791997fe864 Mon Sep 17 00:00:00 2001 +From: Liam Beguin +Date: Sat, 8 Jan 2022 15:53:06 -0500 +Subject: iio: inkern: make a best effort on offset calculation + +From: Liam Beguin + +commit ca85123354e1a65a22170286387b4791997fe864 upstream. + +iio_convert_raw_to_processed_unlocked() assumes the offset is an +integer. Make a best effort to get a valid offset value for fractional +cases without breaking implicit truncations. + +Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value") +Signed-off-by: Liam Beguin +Reviewed-by: Peter Rosin +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220108205319.2046348-4-liambeguin@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/inkern.c | 32 +++++++++++++++++++++++++++----- + 1 file changed, 27 insertions(+), 5 deletions(-) + +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -561,13 +561,35 @@ EXPORT_SYMBOL_GPL(iio_read_channel_avera + static int iio_convert_raw_to_processed_unlocked(struct iio_channel *chan, + int raw, int *processed, unsigned int scale) + { +- int scale_type, scale_val, scale_val2, offset; ++ int scale_type, scale_val, scale_val2; ++ int offset_type, offset_val, offset_val2; + s64 raw64 = raw; +- int ret; + +- ret = iio_channel_read(chan, &offset, NULL, IIO_CHAN_INFO_OFFSET); +- if (ret >= 0) +- raw64 += offset; ++ offset_type = iio_channel_read(chan, &offset_val, &offset_val2, ++ IIO_CHAN_INFO_OFFSET); ++ if (offset_type >= 0) { ++ switch (offset_type) { ++ case IIO_VAL_INT: ++ break; ++ case IIO_VAL_INT_PLUS_MICRO: ++ case IIO_VAL_INT_PLUS_NANO: ++ /* ++ * Both IIO_VAL_INT_PLUS_MICRO and IIO_VAL_INT_PLUS_NANO ++ * implicitely truncate the offset to it's integer form. 
++ */ ++ break; ++ case IIO_VAL_FRACTIONAL: ++ offset_val /= offset_val2; ++ break; ++ case IIO_VAL_FRACTIONAL_LOG2: ++ offset_val >>= offset_val2; ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ raw64 += offset_val; ++ } + + scale_type = iio_channel_read(chan, &scale_val, &scale_val2, + IIO_CHAN_INFO_SCALE); diff --git a/queue-5.10/keys-fix-length-validation-in-keyctl_pkey_params_get_2.patch b/queue-5.10/keys-fix-length-validation-in-keyctl_pkey_params_get_2.patch new file mode 100644 index 00000000000..cde1c22a0c6 --- /dev/null +++ b/queue-5.10/keys-fix-length-validation-in-keyctl_pkey_params_get_2.patch 
@@ -0,0 +1,66 @@ +From c51abd96837f600d8fd940b6ab8e2da578575504 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 13 Jan 2022 12:04:54 -0800 +Subject: KEYS: fix length validation in keyctl_pkey_params_get_2() + +From: Eric Biggers + +commit c51abd96837f600d8fd940b6ab8e2da578575504 upstream. + +In many cases, keyctl_pkey_params_get_2() is validating the user buffer +lengths against the wrong algorithm properties. Fix it to check against +the correct properties. + +Probably this wasn't noticed before because for all asymmetric keys of +the "public_key" subtype, max_data_size == max_sig_size == max_enc_size +== max_dec_size. However, this isn't necessarily true for the +"asym_tpm" subtype (it should be, but it's not strictly validated). Of +course, future key types could have different values as well. + +Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]") +Cc: # v4.20+ +Signed-off-by: Eric Biggers +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/keyctl_pkey.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/security/keys/keyctl_pkey.c ++++ b/security/keys/keyctl_pkey.c +@@ -135,15 +135,23 @@ static int keyctl_pkey_params_get_2(cons + + switch (op) { + case KEYCTL_PKEY_ENCRYPT: ++ if (uparams.in_len > info.max_dec_size || ++ uparams.out_len > info.max_enc_size) ++ return -EINVAL; ++ break; + case KEYCTL_PKEY_DECRYPT: + if (uparams.in_len > info.max_enc_size || + uparams.out_len > info.max_dec_size) + return -EINVAL; + break; + case KEYCTL_PKEY_SIGN: ++ if (uparams.in_len > info.max_data_size || ++ uparams.out_len > info.max_sig_size) ++ return -EINVAL; ++ break; + case KEYCTL_PKEY_VERIFY: +- if (uparams.in_len > info.max_sig_size || +- uparams.out_len > info.max_data_size) ++ if (uparams.in_len > info.max_data_size || ++ uparams.in2_len > info.max_sig_size) + return -EINVAL; + break; + default: +@@ -151,7 +159,7 
@@ static int keyctl_pkey_params_get_2(cons + } + + params->in_len = uparams.in_len; +- params->out_len = uparams.out_len; ++ params->out_len = uparams.out_len; /* Note: same as in2_len */ + return 0; + } + diff --git a/queue-5.10/mtd-rawnand-protect-access-to-rawnand-devices-while-in-suspend.patch b/queue-5.10/mtd-rawnand-protect-access-to-rawnand-devices-while-in-suspend.patch new file mode 100644 index 00000000000..adac1b39d11 --- /dev/null +++ b/queue-5.10/mtd-rawnand-protect-access-to-rawnand-devices-while-in-suspend.patch 
@@ -0,0 +1,161 @@ +From 8cba323437a49a45756d661f500b324fc2d486fe Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer +Date: Tue, 8 Feb 2022 09:52:13 +0100 +Subject: mtd: rawnand: protect access to rawnand devices while in suspend + +From: Sean Nyekjaer + +commit 8cba323437a49a45756d661f500b324fc2d486fe upstream. + +Prevent rawnand access while in a suspended state. + +Commit 013e6292aaf5 ("mtd: rawnand: Simplify the locking") allows the +rawnand layer to return errors rather than waiting in a blocking wait. + +Tested on a iMX6ULL. + +Fixes: 013e6292aaf5 ("mtd: rawnand: Simplify the locking") +Signed-off-by: Sean Nyekjaer +Reviewed-by: Boris Brezillon +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220208085213.1838273-1-sean@geanix.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/nand_base.c | 44 +++++++++++++++++---------------------- + include/linux/mtd/rawnand.h | 2 + + 2 files changed, 22 insertions(+), 24 deletions(-) + +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -297,16 +297,19 @@ static int nand_isbad_bbm(struct nand_ch + * + * Return: -EBUSY if the chip has been suspended, 0 otherwise + */ +-static int nand_get_device(struct nand_chip *chip) ++static void nand_get_device(struct nand_chip *chip) + { +- mutex_lock(&chip->lock); +- if (chip->suspended) { ++ /* Wait until the device is resumed. 
*/ ++ while (1) { ++ mutex_lock(&chip->lock); ++ if (!chip->suspended) { ++ mutex_lock(&chip->controller->lock); ++ return; ++ } + mutex_unlock(&chip->lock); +- return -EBUSY; +- } +- mutex_lock(&chip->controller->lock); + +- return 0; ++ wait_event(chip->resume_wq, !chip->suspended); ++ } + } + + /** +@@ -531,9 +534,7 @@ static int nand_block_markbad_lowlevel(s + nand_erase_nand(chip, &einfo, 0); + + /* Write bad block marker to OOB */ +- ret = nand_get_device(chip); +- if (ret) +- return ret; ++ nand_get_device(chip); + + ret = nand_markbad_bbm(chip, ofs); + nand_release_device(chip); +@@ -3534,9 +3535,7 @@ static int nand_read_oob(struct mtd_info + ops->mode != MTD_OPS_RAW) + return -ENOTSUPP; + +- ret = nand_get_device(chip); +- if (ret) +- return ret; ++ nand_get_device(chip); + + if (!ops->datbuf) + ret = nand_do_read_oob(chip, from, ops); +@@ -4119,13 +4118,11 @@ static int nand_write_oob(struct mtd_inf + struct mtd_oob_ops *ops) + { + struct nand_chip *chip = mtd_to_nand(mtd); +- int ret; ++ int ret = 0; + + ops->retlen = 0; + +- ret = nand_get_device(chip); +- if (ret) +- return ret; ++ nand_get_device(chip); + + switch (ops->mode) { + case MTD_OPS_PLACE_OOB: +@@ -4181,9 +4178,7 @@ int nand_erase_nand(struct nand_chip *ch + return -EINVAL; + + /* Grab the lock and see if the device is available */ +- ret = nand_get_device(chip); +- if (ret) +- return ret; ++ nand_get_device(chip); + + /* Shift to get first page */ + page = (int)(instr->addr >> chip->page_shift); +@@ -4270,7 +4265,7 @@ static void nand_sync(struct mtd_info *m + pr_debug("%s: called\n", __func__); + + /* Grab the lock and see if the device is available */ +- WARN_ON(nand_get_device(chip)); ++ nand_get_device(chip); + /* Release it and go back */ + nand_release_device(chip); + } +@@ -4287,9 +4282,7 @@ static int nand_block_isbad(struct mtd_i + int ret; + + /* Select the NAND device */ +- ret = nand_get_device(chip); +- if (ret) +- return ret; ++ nand_get_device(chip); + + 
nand_select_target(chip, chipnr); + +@@ -4360,6 +4353,8 @@ static void nand_resume(struct mtd_info + __func__); + } + mutex_unlock(&chip->lock); ++ ++ wake_up_all(&chip->resume_wq); + } + + /** +@@ -5068,6 +5063,7 @@ static int nand_scan_ident(struct nand_c + chip->cur_cs = -1; + + mutex_init(&chip->lock); ++ init_waitqueue_head(&chip->resume_wq); + + /* Enforce the right timings for reset/detection */ + chip->current_interface_config = nand_get_reset_interface_config(); +--- a/include/linux/mtd/rawnand.h ++++ b/include/linux/mtd/rawnand.h +@@ -1083,6 +1083,7 @@ struct nand_manufacturer { + * @lock: Lock protecting the suspended field. Also used to serialize accesses + * to the NAND device + * @suspended: Set to 1 when the device is suspended, 0 when it's not ++ * @resume_wq: wait queue to sleep if rawnand is in suspended state. + * @cur_cs: Currently selected target. -1 means no target selected, otherwise we + * should always have cur_cs >= 0 && cur_cs < nanddev_ntargets(). + * NAND Controller drivers should not modify this value, but they're +@@ -1135,6 +1136,7 @@ struct nand_chip { + /* Internals */ + struct mutex lock; + unsigned int suspended : 1; ++ wait_queue_head_t resume_wq; + int cur_cs; + int read_retries; + diff --git a/queue-5.10/nfsd-prevent-integer-overflow-on-32-bit-systems.patch b/queue-5.10/nfsd-prevent-integer-overflow-on-32-bit-systems.patch new file mode 100644 index 00000000000..09afda173af --- /dev/null +++ b/queue-5.10/nfsd-prevent-integer-overflow-on-32-bit-systems.patch 
@@ -0,0 +1,31 @@ +From 23a9dbbe0faf124fc4c139615633b9d12a3a89ef Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 15 Mar 2022 18:34:06 +0300 +Subject: NFSD: prevent integer overflow on 32 bit systems + +From: Dan Carpenter + +commit 23a9dbbe0faf124fc4c139615633b9d12a3a89ef upstream. + +On a 32 bit system, the "len * sizeof(*p)" operation can have an +integer overflow. + +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sunrpc/xdr.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/sunrpc/xdr.h ++++ b/include/linux/sunrpc/xdr.h +@@ -603,6 +603,8 @@ xdr_stream_decode_uint32_array(struct xd + + if (unlikely(xdr_stream_decode_u32(xdr, &len) < 0)) + return -EBADMSG; ++ if (len > SIZE_MAX / sizeof(*p)) ++ return -EBADMSG; + p = xdr_inline_decode(xdr, len * sizeof(*p)); + if (unlikely(!p)) + return -EBADMSG; diff --git a/queue-5.10/nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch b/queue-5.10/nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch new file mode 100644 index 00000000000..6dd72c3bc9d --- /dev/null +++ b/queue-5.10/nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch 
@@ -0,0 +1,47 @@ +From 184416d4b98509fb4c3d8fc3d6dc1437896cc159 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 15 Mar 2022 13:30:09 +0300 +Subject: NFSD: prevent underflow in nfssvc_decode_writeargs() + +From: Dan Carpenter + +commit 184416d4b98509fb4c3d8fc3d6dc1437896cc159 upstream. + +Smatch complains: + + fs/nfsd/nfsxdr.c:341 nfssvc_decode_writeargs() + warn: no lower bound on 'args->len' + +Change the type to unsigned to prevent this issue. + +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfsproc.c | 2 +- + fs/nfsd/xdr.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfsproc.c ++++ b/fs/nfsd/nfsproc.c +@@ -223,7 +223,7 @@ nfsd_proc_write(struct svc_rqst *rqstp) + unsigned long cnt = argp->len; + unsigned int nvecs; + +- dprintk("nfsd: WRITE %s %d bytes at %d\n", ++ dprintk("nfsd: WRITE %s %u bytes at %d\n", + SVCFH_fmt(&argp->fh), + argp->len, argp->offset); + +--- a/fs/nfsd/xdr.h ++++ b/fs/nfsd/xdr.h +@@ -33,7 +33,7 @@ struct nfsd_readargs { + struct nfsd_writeargs { + svc_fh fh; + __u32 offset; +- int len; ++ __u32 len; + struct kvec first; + }; + diff --git a/queue-5.10/pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch b/queue-5.10/pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch new file mode 100644 index 00000000000..d500630d2ac --- /dev/null +++ b/queue-5.10/pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch 
@@ -0,0 +1,83 @@ +From 50ebd19e3585b9792e994cfa8cbee8947fe06371 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 11 Jan 2022 21:13:59 +0100 +Subject: pinctrl: samsung: drop pin banks references on error paths + +From: Krzysztof Kozlowski + +commit 50ebd19e3585b9792e994cfa8cbee8947fe06371 upstream. + +The driver iterates over its devicetree children with +for_each_child_of_node() and stores for later found node pointer. This +has to be put in error paths to avoid leak during re-probing. + +Fixes: ab663789d697 ("pinctrl: samsung: Match pin banks with their device nodes") +Cc: +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Sam Protsenko +Reviewed-by: Chanho Park +Link: https://lore.kernel.org/r/20220111201426.326777-2-krzysztof.kozlowski@canonical.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/samsung/pinctrl-samsung.c | 30 +++++++++++++++++++++++------- + 1 file changed, 23 insertions(+), 7 deletions(-) + +--- a/drivers/pinctrl/samsung/pinctrl-samsung.c ++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c +@@ -1002,6 +1002,16 @@ samsung_pinctrl_get_soc_data_for_of_alia + return &(of_data->ctrl[id]); + } + ++static void samsung_banks_of_node_put(struct samsung_pinctrl_drv_data *d) ++{ ++ struct samsung_pin_bank *bank; ++ unsigned int i; ++ ++ bank = d->pin_banks; ++ for (i = 0; i < d->nr_banks; ++i, ++bank) ++ of_node_put(bank->of_node); ++} ++ + /* retrieve the soc specific data */ + static const struct samsung_pin_ctrl * + samsung_pinctrl_get_soc_data(struct samsung_pinctrl_drv_data *d, +@@ -1116,19 +1126,19 @@ static int samsung_pinctrl_probe(struct + if (ctrl->retention_data) { + drvdata->retention_ctrl = ctrl->retention_data->init(drvdata, + ctrl->retention_data); +- if (IS_ERR(drvdata->retention_ctrl)) +- return PTR_ERR(drvdata->retention_ctrl); ++ if (IS_ERR(drvdata->retention_ctrl)) { ++ ret = PTR_ERR(drvdata->retention_ctrl); ++ goto err_put_banks; ++ } + } + + ret = samsung_pinctrl_register(pdev, drvdata); + if (ret) +- return 
ret; ++ goto err_put_banks; + + ret = samsung_gpiolib_register(pdev, drvdata); +- if (ret) { +- samsung_pinctrl_unregister(pdev, drvdata); +- return ret; +- } ++ if (ret) ++ goto err_unregister; + + if (ctrl->eint_gpio_init) + ctrl->eint_gpio_init(drvdata); +@@ -1138,6 +1148,12 @@ static int samsung_pinctrl_probe(struct + platform_set_drvdata(pdev, drvdata); + + return 0; ++ ++err_unregister: ++ samsung_pinctrl_unregister(pdev, drvdata); ++err_put_banks: ++ samsung_banks_of_node_put(drvdata); ++ return ret; + } + + /* diff --git a/queue-5.10/ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch b/queue-5.10/ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch new file mode 100644 index 00000000000..2fba96a479d --- /dev/null +++ b/queue-5.10/ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch 
@@ -0,0 +1,105 @@ +From ee1fee900537b5d9560e9f937402de5ddc8412f3 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Sat, 19 Mar 2022 02:08:37 +0100 +Subject: ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE + +From: Jann Horn + +commit ee1fee900537b5d9560e9f937402de5ddc8412f3 upstream. + +Setting PTRACE_O_SUSPEND_SECCOMP is supposed to be a highly privileged +operation because it allows the tracee to completely bypass all seccomp +filters on kernels with CONFIG_CHECKPOINT_RESTORE=y. It is only supposed to +be settable by a process with global CAP_SYS_ADMIN, and only if that +process is not subject to any seccomp filters at all. + +However, while these permission checks were done on the PTRACE_SETOPTIONS +path, they were missing on the PTRACE_SEIZE path, which also sets +user-specified ptrace flags. + +Move the permissions checks out into a helper function and let both +ptrace_attach() and ptrace_setoptions() call it. + +Cc: stable@kernel.org +Fixes: 13c4a90119d2 ("seccomp: add ptrace options for suspend/resume") +Signed-off-by: Jann Horn +Link: https://lkml.kernel.org/r/20220319010838.1386861-1-jannh@google.com +Signed-off-by: Eric W. 
Biederman +Signed-off-by: Greg Kroah-Hartman +--- + kernel/ptrace.c | 47 ++++++++++++++++++++++++++++++++--------------- + 1 file changed, 32 insertions(+), 15 deletions(-) + +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -370,6 +370,26 @@ bool ptrace_may_access(struct task_struc + return !err; + } + ++static int check_ptrace_options(unsigned long data) ++{ ++ if (data & ~(unsigned long)PTRACE_O_MASK) ++ return -EINVAL; ++ ++ if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { ++ if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || ++ !IS_ENABLED(CONFIG_SECCOMP)) ++ return -EINVAL; ++ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ ++ if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || ++ current->ptrace & PT_SUSPEND_SECCOMP) ++ return -EPERM; ++ } ++ return 0; ++} ++ + static int ptrace_attach(struct task_struct *task, long request, + unsigned long addr, + unsigned long flags) +@@ -381,8 +401,16 @@ static int ptrace_attach(struct task_str + if (seize) { + if (addr != 0) + goto out; ++ /* ++ * This duplicates the check in check_ptrace_options() because ++ * ptrace_attach() and ptrace_setoptions() have historically ++ * used different error codes for unknown ptrace options. 
++ */ + if (flags & ~(unsigned long)PTRACE_O_MASK) + goto out; ++ retval = check_ptrace_options(flags); ++ if (retval) ++ return retval; + flags = PT_PTRACED | PT_SEIZED | (flags << PT_OPT_FLAG_SHIFT); + } else { + flags = PT_PTRACED; +@@ -655,22 +683,11 @@ int ptrace_writedata(struct task_struct + static int ptrace_setoptions(struct task_struct *child, unsigned long data) + { + unsigned flags; ++ int ret; + +- if (data & ~(unsigned long)PTRACE_O_MASK) +- return -EINVAL; +- +- if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { +- if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || +- !IS_ENABLED(CONFIG_SECCOMP)) +- return -EINVAL; +- +- if (!capable(CAP_SYS_ADMIN)) +- return -EPERM; +- +- if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || +- current->ptrace & PT_SUSPEND_SECCOMP) +- return -EPERM; +- } ++ ret = check_ptrace_options(data); ++ if (ret) ++ return ret; + + /* Avoid intermediate state when all opts are cleared */ + flags = child->ptrace; diff --git a/queue-5.10/remoteproc-fix-count-check-in-rproc_coredump_write.patch b/queue-5.10/remoteproc-fix-count-check-in-rproc_coredump_write.patch new file mode 100644 index 00000000000..3e974598199 --- /dev/null +++ b/queue-5.10/remoteproc-fix-count-check-in-rproc_coredump_write.patch 
@@ -0,0 +1,41 @@ +From f89672cc3681952f2d06314981a6b45f8b0045d1 Mon Sep 17 00:00:00 2001 +From: Alistair Delva +Date: Wed, 19 Jan 2022 23:21:39 +0000 +Subject: remoteproc: Fix count check in rproc_coredump_write() + +From: Alistair Delva + +commit f89672cc3681952f2d06314981a6b45f8b0045d1 upstream. + +Check count for 0, to avoid a potential underflow. Make the check the +same as the one in rproc_recovery_write(). + +Fixes: 3afdc59e4390 ("remoteproc: Add coredump debugfs entry") +Signed-off-by: Alistair Delva +Cc: Rishabh Bhatnagar +Cc: stable@vger.kernel.org +Cc: Ohad Ben-Cohen +Cc: Bjorn Andersson +Cc: Mathieu Poirier +Cc: Sibi Sankar +Cc: linux-remoteproc@vger.kernel.org +Cc: kernel-team@android.com +Reviewed-by: Bjorn Andersson +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220119232139.1125908-1-adelva@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/remoteproc_debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/remoteproc/remoteproc_debugfs.c ++++ b/drivers/remoteproc/remoteproc_debugfs.c +@@ -76,7 +76,7 @@ static ssize_t rproc_coredump_write(stru + int ret, err = 0; + char buf[20]; + +- if (count > sizeof(buf)) ++ if (count < 1 || count > sizeof(buf)) + return -EINVAL; + + ret = copy_from_user(buf, user_buf, count); diff --git a/queue-5.10/serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch b/queue-5.10/serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch new file mode 100644 index 00000000000..d71bc510b8f --- /dev/null +++ b/queue-5.10/serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch 
@@ -0,0 +1,42 @@ +From 927728a34f11b5a27f4610bdb7068317d6fdc72a Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Tue, 8 Mar 2022 19:00:42 +0800 +Subject: serial: sc16is7xx: Clear RS485 bits in the shutdown + +From: Hui Wang + +commit 927728a34f11b5a27f4610bdb7068317d6fdc72a upstream. + +We tested RS485 function on an EVB which has SC16IS752, after +finishing the test, we started the RS232 function test, but found the +RTS is still working in the RS485 mode. + +That is because both startup and shutdown call port_update() to set +the EFCR_REG, this will not clear the RS485 bits once the bits are set +in the reconf_rs485(). To fix it, clear the RS485 bits in shutdown. + +Cc: +Signed-off-by: Hui Wang +Link: https://lore.kernel.org/r/20220308110042.108451-1-hui.wang@canonical.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sc16is7xx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/sc16is7xx.c ++++ b/drivers/tty/serial/sc16is7xx.c +@@ -1055,10 +1055,12 @@ static void sc16is7xx_shutdown(struct ua + + /* Disable all interrupts */ + sc16is7xx_port_write(port, SC16IS7XX_IER_REG, 0); +- /* Disable TX/RX */ ++ /* Disable TX/RX, clear auto RS485 and RTS invert */ + sc16is7xx_port_update(port, SC16IS7XX_EFCR_REG, + SC16IS7XX_EFCR_RXDISABLE_BIT | +- SC16IS7XX_EFCR_TXDISABLE_BIT, ++ SC16IS7XX_EFCR_TXDISABLE_BIT | ++ SC16IS7XX_EFCR_AUTO_RS485_BIT | ++ SC16IS7XX_EFCR_RTS_INVERT_BIT, + SC16IS7XX_EFCR_RXDISABLE_BIT | + SC16IS7XX_EFCR_TXDISABLE_BIT); + diff --git a/queue-5.10/series b/queue-5.10/series index 0688504b5e6..074f28e2927 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -29,3 +29,27 @@ xhci-make-xhci_handshake-timeout-for-xhci_reset-adjustable.patch xhci-fix-uninitialized-string-returned-by-xhci_decode_ctrl_ctx.patch mei-me-add-alder-lake-n-device-id.patch mei-avoid-iterator-usage-outside-of-list_for_each_entry.patch +coresight-fix-trcconfigr.qe-sysfs-interface.patch +iio-afe-rescale-use-s64-for-temporary-scale-calculations.patch +iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch +iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch +iio-inkern-make-a-best-effort-on-offset-calculation.patch +greybus-svc-fix-an-error-handling-bug-in-gb_svc_hello.patch +clk-uniphier-fix-fixed-rate-initialization.patch +ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch +keys-fix-length-validation-in-keyctl_pkey_params_get_2.patch +serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch +documentation-add-link-to-stable-release-candidate-tree.patch +documentation-update-stable-tree-link.patch +firmware-stratix10-svc-add-missing-callback-parameter-on-rsu.patch +hid-intel-ish-hid-use-dma_alloc_coherent-for-firmware-update.patch +sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch +nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch +nfsd-prevent-integer-overflow-on-32-bit-systems.patch +f2fs-fix-to-unlock-page-correctly-in-error-path-of-is_alive.patch +f2fs-quota-fix-loop-condition-at-f2fs_quota_sync.patch +f2fs-fix-to-do-sanity-check-on-.cp_pack_total_block_count.patch +remoteproc-fix-count-check-in-rproc_coredump_write.patch +pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch +spi-mxic-fix-the-transmit-path.patch +mtd-rawnand-protect-access-to-rawnand-devices-while-in-suspend.patch diff --git a/queue-5.10/spi-mxic-fix-the-transmit-path.patch b/queue-5.10/spi-mxic-fix-the-transmit-path.patch new file mode 100644 index 00000000000..08f5d1b78ea --- /dev/null +++ b/queue-5.10/spi-mxic-fix-the-transmit-path.patch 
@@ -0,0 +1,66 @@ +From 5fd6739e0df7e320bcac103dfb95fe75941fea17 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Thu, 27 Jan 2022 10:18:04 +0100 +Subject: spi: mxic: Fix the transmit path + +From: Miquel Raynal + +commit 5fd6739e0df7e320bcac103dfb95fe75941fea17 upstream. + +By working with external hardware ECC engines, we figured out that +Under certain circumstances, it is needed for the SPI controller to +check INT_TX_EMPTY and INT_RX_NOT_EMPTY in both receive and transmit +path (not only in the receive path). The delay penalty being +negligible, move this code in the common path. + +Fixes: b942d80b0a39 ("spi: Add MXIC controller driver") +Cc: stable@vger.kernel.org +Suggested-by: Mason Yang +Signed-off-by: Miquel Raynal +Reviewed-by: Zhengxun Li +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/linux-mtd/20220127091808.1043392-10-miquel.raynal@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-mxic.c | 26 +++++++++++--------------- + 1 file changed, 11 insertions(+), 15 deletions(-) + +--- a/drivers/spi/spi-mxic.c ++++ b/drivers/spi/spi-mxic.c +@@ -304,25 +304,21 @@ static int mxic_spi_data_xfer(struct mxi + + writel(data, mxic->regs + TXD(nbytes % 4)); + +- if (rxbuf) { +- ret = readl_poll_timeout(mxic->regs + INT_STS, sts, +- sts & INT_TX_EMPTY, 0, +- USEC_PER_SEC); +- if (ret) +- return ret; ++ ret = readl_poll_timeout(mxic->regs + INT_STS, sts, ++ sts & INT_TX_EMPTY, 0, USEC_PER_SEC); ++ if (ret) ++ return ret; + +- ret = readl_poll_timeout(mxic->regs + INT_STS, sts, +- sts & INT_RX_NOT_EMPTY, 0, +- USEC_PER_SEC); +- if (ret) +- return ret; ++ ret = readl_poll_timeout(mxic->regs + INT_STS, sts, ++ sts & INT_RX_NOT_EMPTY, 0, ++ USEC_PER_SEC); ++ if (ret) ++ return ret; + +- data = readl(mxic->regs + RXD); ++ data = readl(mxic->regs + RXD); ++ if (rxbuf) { + data >>= (8 * (4 - nbytes)); + memcpy(rxbuf + pos, &data, nbytes); +- WARN_ON(readl(mxic->regs + INT_STS) & INT_RX_NOT_EMPTY); +- } else { +- readl(mxic->regs + RXD); + } + 
WARN_ON(readl(mxic->regs + INT_STS) & INT_RX_NOT_EMPTY); + diff --git a/queue-5.10/sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch b/queue-5.10/sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch new file mode 100644 index 00000000000..bdadb989a71 --- /dev/null +++ b/queue-5.10/sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch 
@@ -0,0 +1,49 @@ +From 3848e96edf4788f772d83990022fa7023a233d83 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Tue, 8 Mar 2022 13:42:17 +1100 +Subject: SUNRPC: avoid race between mod_timer() and del_timer_sync() + +From: NeilBrown + +commit 3848e96edf4788f772d83990022fa7023a233d83 upstream. + +xprt_destory() claims XPRT_LOCKED and then calls del_timer_sync(). +Both xprt_unlock_connect() and xprt_release() call + ->release_xprt() +which drops XPRT_LOCKED and *then* xprt_schedule_autodisconnect() +which calls mod_timer(). + +This may result in mod_timer() being called *after* del_timer_sync(). +When this happens, the timer may fire long after the xprt has been freed, +and run_timer_softirq() will probably crash. + +The pairing of ->release_xprt() and xprt_schedule_autodisconnect() is +always called under ->transport_lock. So if we take ->transport_lock to +call del_timer_sync(), we can be sure that mod_timer() will run first +(if it runs at all). + +Cc: stable@vger.kernel.org +Signed-off-by: NeilBrown +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/xprt.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -2037,7 +2037,14 @@ static void xprt_destroy(struct rpc_xprt + */ + wait_on_bit_lock(&xprt->state, XPRT_LOCKED, TASK_UNINTERRUPTIBLE); + ++ /* ++ * xprt_schedule_autodisconnect() can run after XPRT_LOCKED ++ * is cleared. We use ->transport_lock to ensure the mod_timer() ++ * can only run *before* del_time_sync(), never after. ++ */ ++ spin_lock(&xprt->transport_lock); + del_timer_sync(&xprt->timer); ++ spin_unlock(&xprt->transport_lock); + + /* + * Destroy sockets etc from the system workqueue so they can
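Review bot: in queue-5.10/iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch, the new `*processed = raw * scale;` in the `scale_type < 0` branch multiplies an int by an unsigned int and stores the product in an int with no overflow check. It also uses raw rather than the s64 raw64 that the same function, as shown in the offset patch in this queue, has already adjusted by the channel offset. If dropping the offset on this path is intentional, say so in the comment; otherwise compute from raw64 and bound the result before assigning.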
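Review bot: in queue-5.10/iio-inkern-make-a-best-effort-on-offset-calculation.patch, the IIO_VAL_FRACTIONAL case does `offset_val /= offset_val2;` on a driver-supplied value with no zero check, and the IIO_VAL_FRACTIONAL_LOG2 case shifts by offset_val2 without checking that it is non-negative and smaller than the width of int. Reject those values with -EINVAL before the arithmetic. The new `default: return -EINVAL;` also turns an offset type the old code accepted (any non-negative return was added to raw64) into a hard failure, which deserves a line in the commit message, and the added comment has two typos ("implicitely", "it's").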
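Review bot: in queue-5.10/keys-fix-length-validation-in-keyctl_pkey_params_get_2.patch, the KEYCTL_PKEY_VERIFY case now bounds uparams.in2_len while the value stored is still uparams.out_len, and the only hint that the two alias is the trailing comment added in the second hunk (`/* Note: same as in2_len */`). Put that explanation at the VERIFY case as well, where the reader first meets in2_len, so the checked field and the stored field are visibly the same quantity.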
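Review bot: in queue-5.10/mtd-rawnand-protect-access-to-rawnand-devices-while-in-suspend.patch, nand_get_device() becomes void in the first hunk, but the kernel-doc line directly above it still reads `Return: -EBUSY if the chip has been suspended, 0 otherwise`; update the comment to say the call now sleeps until resume. Because the wait is a wait_event() with no timeout, every converted caller (nand_block_markbad_lowlevel(), nand_read_oob(), nand_write_oob(), nand_erase_nand(), nand_sync(), nand_block_isbad()) now blocks for as long as chip->suspended stays set instead of propagating -EBUSY, and the commit message should state that change in caller-visible behaviour.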
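Review bot: in queue-5.10/nfsd-prevent-integer-overflow-on-32-bit-systems.patch, the added `if (len > SIZE_MAX / sizeof(*p))` guard in xdr_stream_decode_uint32_array() carries no comment, and the reason for it (the 32-bit wrap of `len * sizeof(*p)` described in the commit message) is not obvious at the call site. Since len is filled by xdr_stream_decode_u32(), the condition can only be true where size_t is 32 bits wide, so a one-line comment would stop it being removed later as dead code.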
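Review bot: in queue-5.10/nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch, the dprintk() in nfsd_proc_write() switches argp->len to `%u` but still prints argp->offset with `%d`, although the fs/nfsd/xdr.h hunk shows offset declared as __u32 in the same struct. Change that specifier to `%u` as well so both unsigned fields are formatted consistently.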
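Review bot: in queue-5.10/pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch, samsung_banks_of_node_put() has no comment saying which references it drops or when it is safe to call. It calls of_node_put() on bank->of_node for all d->nr_banks entries, so it relies on every bank's of_node being either a held reference or NULL at the time of the call; a short comment above the helper stating that would help. The probe hunk reroutes only the failures from the retention init onward to err_put_banks, so it is worth confirming that no earlier return in samsung_pinctrl_probe() leaves bank nodes held.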
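Review bot: in queue-5.10/ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch, the seize branch of ptrace_attach() handles a check_ptrace_options() failure with `return retval;` while the two checks just above it leave through `goto out;`. Use `goto out` here too (retval is already set) so every early failure in the function takes the same exit path and any cleanup later added at the label is not skipped. The comment explaining the duplicated PTRACE_O_MASK test is useful and should stay.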
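Review bot: in queue-5.10/remoteproc-fix-count-check-in-rproc_coredump_write.patch, the commit message says the `count < 1` check avoids a potential underflow, but neither the message nor the hunk says where count is decremented or used as an index; name that expression in the message or in a comment next to the check. The upper bound still admits count == sizeof(buf), so copy_from_user() can fill all 20 bytes of buf with no room for a terminator; if the code that follows treats buf as a string, that case needs handling as well.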
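Review bot: in queue-5.10/serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch, sc16is7xx_shutdown() now clears SC16IS7XX_EFCR_AUTO_RS485_BIT and SC16IS7XX_EFCR_RTS_INVERT_BIT, while the commit message says these bits are only set in reconf_rs485() and that startup goes through the same port_update() call. Confirm that a port still configured for RS485 gets the bits set again on the next open; otherwise a close and reopen silently drops RS485 mode, and that dependency should be noted in the comment above the call.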
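Review bot: in queue-5.10/spi-mxic-fix-the-transmit-path.patch, mxic_spi_data_xfer() now polls INT_RX_NOT_EMPTY and reads RXD on every iteration, including transmit-only transfers where rxbuf is NULL, so a transfer that previously completed can now return the readl_poll_timeout() error after USEC_PER_SEC if the RX flag never rises. The commit message gives the reason, but the code has no comment saying why RXD is read when the data is discarded; add one above the unconditional `data = readl(mxic->regs + RXD);`.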
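Review bot: in queue-5.10/sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch, xprt_destroy() now calls del_timer_sync() with ->transport_lock held, and del_timer_sync() waits for a running timer callback to finish, so this is only safe if the xprt timer callback never takes ->transport_lock. The added comment should state that requirement, since violating it later would deadlock here. The comment also misspells the function as `del_time_sync()`, and the commit message has `xprt_destory()`.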