From 57d273258cf479d73f8a7828bef49ee2743abfb6 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 6 Jun 2022 14:38:11 +0200 Subject: [PATCH] 5.18-stable patches added patches: block-fix-potential-deadlock-in-blk_ia_range_sysfs_show.patch dlm-fix-missing-lkb-refcount-handling.patch dlm-fix-plock-invalid-read.patch dlm-fix-wake_up-calls-for-pending-remove.patch dlm-uninitialized-variable-on-error-in-dlm_listen_for_all.patch drm-amdgpu-add-beige-goby-pci-id.patch mm-compaction-fast_find_migrateblock-should-return-pfn-in-the-target-zone.patch ocfs2-dlmfs-fix-error-handling-of-user_dlm_destroy_lock.patch pci-pm-fix-bridge_d3_blacklist-elo-i2-overwrite-of-gigabyte-x299.patch pci-qcom-fix-pipe-clock-imbalance.patch pci-qcom-fix-runtime-pm-imbalance-on-probe-errors.patch pci-qcom-fix-unbalanced-phy-init-on-probe-errors.patch s390-perf-obtain-sie_block-from-the-right-address.patch s390-stp-clock_delta-should-be-signed.patch scsi-dc395x-fix-a-missing-check-on-list-iterator.patch scsi-ufs-qcom-add-a-readl-to-make-sure-ref_clk-gets-enabled.patch staging-r8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch tracing-fix-potential-double-free-in-create_var_ref.patch tracing-fix-return-value-of-trace_pid_write.patch tracing-have-event-format-check-not-flag-p-on-__get_dynamic_array.patch tracing-initialize-integer-variable-to-prevent-garbage-return-value.patch tty-goldfish-introduce-gf_ioread32-gf_iowrite32.patch --- ...-deadlock-in-blk_ia_range_sysfs_show.patch | 58 +++++ ...lm-fix-missing-lkb-refcount-handling.patch | 74 +++++++ queue-5.18/dlm-fix-plock-invalid-read.patch | 198 ++++++++++++++++++ ...fix-wake_up-calls-for-pending-remove.patch | 62 ++++++ ...iable-on-error-in-dlm_listen_for_all.patch | 32 +++ .../drm-amdgpu-add-beige-goby-pci-id.patch | 29 +++ ...should-return-pfn-in-the-target-zone.patch | 49 +++++ ...or-handling-of-user_dlm_destroy_lock.patch | 189 +++++++++++++++++ ...st-elo-i2-overwrite-of-gigabyte-x299.patch | 41 ++++ .../pci-qcom-fix-pipe-clock-imbalance.patch | 44 ++++ ...runtime-pm-imbalance-on-probe-errors.patch | 48 +++++ ...-unbalanced-phy-init-on-probe-errors.patch | 42 ++++ ...ain-sie_block-from-the-right-address.patch | 46 ++++ ...390-stp-clock_delta-should-be-signed.patch | 94 +++++++++ ...fix-a-missing-check-on-list-iterator.patch | 56 +++++ ...dl-to-make-sure-ref_clk-gets-enabled.patch | 51 +++++ queue-5.18/series | 22 ++ ...ent-ssid-overflow-in-rtw_wx_set_scan.patch | 37 ++++ ...ential-double-free-in-create_var_ref.patch | 48 +++++ ...-fix-return-value-of-trace_pid_write.patch | 79 +++++++ ...ck-not-flag-p-on-__get_dynamic_array.patch | 56 +++++ ...able-to-prevent-garbage-return-value.patch | 37 ++++ ...h-introduce-gf_ioread32-gf_iowrite32.patch | 154 ++++++++++++++ 23 files changed, 1546 insertions(+) create mode 100644 queue-5.18/block-fix-potential-deadlock-in-blk_ia_range_sysfs_show.patch create mode 100644 queue-5.18/dlm-fix-missing-lkb-refcount-handling.patch create mode 100644 queue-5.18/dlm-fix-plock-invalid-read.patch create mode 100644 queue-5.18/dlm-fix-wake_up-calls-for-pending-remove.patch create mode 100644 queue-5.18/dlm-uninitialized-variable-on-error-in-dlm_listen_for_all.patch create mode 100644 queue-5.18/drm-amdgpu-add-beige-goby-pci-id.patch create mode 100644 queue-5.18/mm-compaction-fast_find_migrateblock-should-return-pfn-in-the-target-zone.patch create mode 100644 queue-5.18/ocfs2-dlmfs-fix-error-handling-of-user_dlm_destroy_lock.patch create mode 100644 queue-5.18/pci-pm-fix-bridge_d3_blacklist-elo-i2-overwrite-of-gigabyte-x299.patch create mode 100644 queue-5.18/pci-qcom-fix-pipe-clock-imbalance.patch create mode 100644 queue-5.18/pci-qcom-fix-runtime-pm-imbalance-on-probe-errors.patch create mode 100644 queue-5.18/pci-qcom-fix-unbalanced-phy-init-on-probe-errors.patch create mode 100644 queue-5.18/s390-perf-obtain-sie_block-from-the-right-address.patch create mode 100644 queue-5.18/s390-stp-clock_delta-should-be-signed.patch create mode 100644 queue-5.18/scsi-dc395x-fix-a-missing-check-on-list-iterator.patch create mode 100644 queue-5.18/scsi-ufs-qcom-add-a-readl-to-make-sure-ref_clk-gets-enabled.patch create mode 100644 queue-5.18/staging-r8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch create mode 100644 queue-5.18/tracing-fix-potential-double-free-in-create_var_ref.patch create mode 100644 queue-5.18/tracing-fix-return-value-of-trace_pid_write.patch create mode 100644 queue-5.18/tracing-have-event-format-check-not-flag-p-on-__get_dynamic_array.patch create mode 100644 queue-5.18/tracing-initialize-integer-variable-to-prevent-garbage-return-value.patch create mode 100644 queue-5.18/tty-goldfish-introduce-gf_ioread32-gf_iowrite32.patch diff --git a/queue-5.18/block-fix-potential-deadlock-in-blk_ia_range_sysfs_show.patch b/queue-5.18/block-fix-potential-deadlock-in-blk_ia_range_sysfs_show.patch new file mode 100644 index 00000000000..9e77c3af264 --- /dev/null +++ b/queue-5.18/block-fix-potential-deadlock-in-blk_ia_range_sysfs_show.patch @@ -0,0 +1,58 @@ +From 41e46b3c2aa24f755b2ae9ec4ce931ba5f0d8532 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Fri, 3 Jun 2022 11:19:05 +0900 +Subject: block: Fix potential deadlock in blk_ia_range_sysfs_show() + +From: Damien Le Moal + +commit 41e46b3c2aa24f755b2ae9ec4ce931ba5f0d8532 upstream. + +When being read, a sysfs attribute is already protected against removal +with the kobject node active reference counter. As a result, in +blk_ia_range_sysfs_show(), there is no need to take the queue sysfs +lock when reading the value of a range attribute. Using the queue sysfs +lock in this function creates a potential deadlock situation with the +disk removal, something that a lockdep signals with a splat when the +device is removed: + +[ 760.703551] Possible unsafe locking scenario: +[ 760.703551] +[ 760.703554] CPU0 CPU1 +[ 760.703556] ---- ---- +[ 760.703558] lock(&q->sysfs_lock); +[ 760.703565] lock(kn->active#385); +[ 760.703573] lock(&q->sysfs_lock); +[ 760.703579] lock(kn->active#385); +[ 760.703587] +[ 760.703587] *** DEADLOCK *** + +Solve this by removing the mutex_lock()/mutex_unlock() calls from +blk_ia_range_sysfs_show(). + +Fixes: a2247f19ee1c ("block: Add independent access ranges support") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20220603021905.1441419-1-damien.lemoal@opensource.wdc.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-ia-ranges.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/block/blk-ia-ranges.c ++++ b/block/blk-ia-ranges.c +@@ -54,13 +54,8 @@ static ssize_t blk_ia_range_sysfs_show(s + container_of(attr, struct blk_ia_range_sysfs_entry, attr); + struct blk_independent_access_range *iar = + container_of(kobj, struct blk_independent_access_range, kobj); +- ssize_t ret; + +- mutex_lock(&iar->queue->sysfs_lock); +- ret = entry->show(iar, buf); +- mutex_unlock(&iar->queue->sysfs_lock); +- +- return ret; ++ return entry->show(iar, buf); + } + + static const struct sysfs_ops blk_ia_range_sysfs_ops = { diff --git a/queue-5.18/dlm-fix-missing-lkb-refcount-handling.patch b/queue-5.18/dlm-fix-missing-lkb-refcount-handling.patch new file mode 100644 index 00000000000..0629d69b4ed --- /dev/null +++ b/queue-5.18/dlm-fix-missing-lkb-refcount-handling.patch @@ -0,0 +1,74 @@ +From 1689c169134f4b5a39156122d799b7dca76d8ddb Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Fri, 29 Apr 2022 11:06:51 -0400 +Subject: dlm: fix missing lkb refcount handling + +From: Alexander Aring + +commit 1689c169134f4b5a39156122d799b7dca76d8ddb upstream. + +We always call hold_lkb(lkb) if we increment lkb->lkb_wait_count. +So, we always need to call unhold_lkb(lkb) if we decrement +lkb->lkb_wait_count. This patch will add missing unhold_lkb(lkb) if we +decrement lkb->lkb_wait_count. In case of setting lkb->lkb_wait_count to +zero we need to countdown until reaching zero and call unhold_lkb(lkb). +The waiters list unhold_lkb(lkb) can be removed because it's done for +the last lkb_wait_count decrement iteration as it's done in +_remove_from_waiters(). + +This issue was discovered by a dlm gfs2 test case which use excessively +dlm_unlock(LKF_CANCEL) feature. Probably the lkb->lkb_wait_count value +never reached above 1 if this feature isn't used and so it was not +discovered before. + +The testcase ended in a rsb on the rsb keep data structure with a +refcount of 1 but no lkb was associated with it, which is itself +an invalid behaviour. A side effect of that was a condition in which +the dlm was sending remove messages in a looping behaviour. With this +patch that has not been reproduced. + +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Greg Kroah-Hartman +--- + fs/dlm/lock.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -1559,6 +1559,7 @@ static int _remove_from_waiters(struct d + lkb->lkb_wait_type = 0; + lkb->lkb_flags &= ~DLM_IFL_OVERLAP_CANCEL; + lkb->lkb_wait_count--; ++ unhold_lkb(lkb); + goto out_del; + } + +@@ -1585,6 +1586,7 @@ static int _remove_from_waiters(struct d + log_error(ls, "remwait error %x reply %d wait_type %d overlap", + lkb->lkb_id, mstype, lkb->lkb_wait_type); + lkb->lkb_wait_count--; ++ unhold_lkb(lkb); + lkb->lkb_wait_type = 0; + } + +@@ -5331,11 +5333,16 @@ int dlm_recover_waiters_post(struct dlm_ + lkb->lkb_flags &= ~DLM_IFL_OVERLAP_UNLOCK; + lkb->lkb_flags &= ~DLM_IFL_OVERLAP_CANCEL; + lkb->lkb_wait_type = 0; +- lkb->lkb_wait_count = 0; ++ /* drop all wait_count references we still ++ * hold a reference for this iteration. ++ */ ++ while (lkb->lkb_wait_count) { ++ lkb->lkb_wait_count--; ++ unhold_lkb(lkb); ++ } + mutex_lock(&ls->ls_waiters_mutex); + list_del_init(&lkb->lkb_wait_reply); + mutex_unlock(&ls->ls_waiters_mutex); +- unhold_lkb(lkb); /* for waiters list */ + + if (oc || ou) { + /* do an unlock or cancel instead of resending */ diff --git a/queue-5.18/dlm-fix-plock-invalid-read.patch b/queue-5.18/dlm-fix-plock-invalid-read.patch new file mode 100644 index 00000000000..82ffa0b1e6d --- /dev/null +++ b/queue-5.18/dlm-fix-plock-invalid-read.patch @@ -0,0 +1,198 @@ +From 42252d0d2aa9b94d168241710a761588b3959019 Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Mon, 4 Apr 2022 16:06:30 -0400 +Subject: dlm: fix plock invalid read + +From: Alexander Aring + +commit 42252d0d2aa9b94d168241710a761588b3959019 upstream. + +This patch fixes an invalid read showed by KASAN. A unlock will allocate a +"struct plock_op" and a followed send_op() will append it to a global +send_list data structure. In some cases a followed dev_read() moves it +to recv_list and dev_write() will cast it to "struct plock_xop" and access +fields which are only available in those structures. At this point an +invalid read happens by accessing those fields. + +To fix this issue the "callback" field is moved to "struct plock_op" to +indicate that a cast to "plock_xop" is allowed and does the additional +"plock_xop" handling if set. + +Example of the KASAN output which showed the invalid read: + +[ 2064.296453] ================================================================== +[ 2064.304852] BUG: KASAN: slab-out-of-bounds in dev_write+0x52b/0x5a0 [dlm] +[ 2064.306491] Read of size 8 at addr ffff88800ef227d8 by task dlm_controld/7484 +[ 2064.308168] +[ 2064.308575] CPU: 0 PID: 7484 Comm: dlm_controld Kdump: loaded Not tainted 5.14.0+ #9 +[ 2064.310292] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 +[ 2064.311618] Call Trace: +[ 2064.312218] dump_stack_lvl+0x56/0x7b +[ 2064.313150] print_address_description.constprop.8+0x21/0x150 +[ 2064.314578] ? dev_write+0x52b/0x5a0 [dlm] +[ 2064.315610] ? dev_write+0x52b/0x5a0 [dlm] +[ 2064.316595] kasan_report.cold.14+0x7f/0x11b +[ 2064.317674] ? dev_write+0x52b/0x5a0 [dlm] +[ 2064.318687] dev_write+0x52b/0x5a0 [dlm] +[ 2064.319629] ? dev_read+0x4a0/0x4a0 [dlm] +[ 2064.320713] ? bpf_lsm_kernfs_init_security+0x10/0x10 +[ 2064.321926] vfs_write+0x17e/0x930 +[ 2064.322769] ? __fget_light+0x1aa/0x220 +[ 2064.323753] ksys_write+0xf1/0x1c0 +[ 2064.324548] ? __ia32_sys_read+0xb0/0xb0 +[ 2064.325464] do_syscall_64+0x3a/0x80 +[ 2064.326387] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 2064.327606] RIP: 0033:0x7f807e4ba96f +[ 2064.328470] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 39 87 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 7c 87 f8 ff 48 +[ 2064.332902] RSP: 002b:00007ffd50cfe6e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 +[ 2064.334658] RAX: ffffffffffffffda RBX: 000055cc3886eb30 RCX: 00007f807e4ba96f +[ 2064.336275] RDX: 0000000000000040 RSI: 00007ffd50cfe7e0 RDI: 0000000000000010 +[ 2064.337980] RBP: 00007ffd50cfe7e0 R08: 0000000000000000 R09: 0000000000000001 +[ 2064.339560] R10: 000055cc3886eb30 R11: 0000000000000293 R12: 000055cc3886eb80 +[ 2064.341237] R13: 000055cc3886eb00 R14: 000055cc3886f590 R15: 0000000000000001 +[ 2064.342857] +[ 2064.343226] Allocated by task 12438: +[ 2064.344057] kasan_save_stack+0x1c/0x40 +[ 2064.345079] __kasan_kmalloc+0x84/0xa0 +[ 2064.345933] kmem_cache_alloc_trace+0x13b/0x220 +[ 2064.346953] dlm_posix_unlock+0xec/0x720 [dlm] +[ 2064.348811] do_lock_file_wait.part.32+0xca/0x1d0 +[ 2064.351070] fcntl_setlk+0x281/0xbc0 +[ 2064.352879] do_fcntl+0x5e4/0xfe0 +[ 2064.354657] __x64_sys_fcntl+0x11f/0x170 +[ 2064.356550] do_syscall_64+0x3a/0x80 +[ 2064.358259] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 2064.360745] +[ 2064.361511] Last potentially related work creation: +[ 2064.363957] kasan_save_stack+0x1c/0x40 +[ 2064.365811] __kasan_record_aux_stack+0xaf/0xc0 +[ 2064.368100] call_rcu+0x11b/0xf70 +[ 2064.369785] dlm_process_incoming_buffer+0x47d/0xfd0 [dlm] +[ 2064.372404] receive_from_sock+0x290/0x770 [dlm] +[ 2064.374607] process_recv_sockets+0x32/0x40 [dlm] +[ 2064.377290] process_one_work+0x9a8/0x16e0 +[ 2064.379357] worker_thread+0x87/0xbf0 +[ 2064.381188] kthread+0x3ac/0x490 +[ 2064.383460] ret_from_fork+0x22/0x30 +[ 2064.385588] +[ 2064.386518] Second to last potentially related work creation: +[ 2064.389219] kasan_save_stack+0x1c/0x40 +[ 2064.391043] __kasan_record_aux_stack+0xaf/0xc0 +[ 2064.393303] call_rcu+0x11b/0xf70 +[ 2064.394885] dlm_process_incoming_buffer+0x47d/0xfd0 [dlm] +[ 2064.397694] receive_from_sock+0x290/0x770 [dlm] +[ 2064.399932] process_recv_sockets+0x32/0x40 [dlm] +[ 2064.402180] process_one_work+0x9a8/0x16e0 +[ 2064.404388] worker_thread+0x87/0xbf0 +[ 2064.406124] kthread+0x3ac/0x490 +[ 2064.408021] ret_from_fork+0x22/0x30 +[ 2064.409834] +[ 2064.410599] The buggy address belongs to the object at ffff88800ef22780 +[ 2064.410599] which belongs to the cache kmalloc-96 of size 96 +[ 2064.416495] The buggy address is located 88 bytes inside of +[ 2064.416495] 96-byte region [ffff88800ef22780, ffff88800ef227e0) +[ 2064.422045] The buggy address belongs to the page: +[ 2064.424635] page:00000000b6bef8bc refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xef22 +[ 2064.428970] flags: 0xfffffc0000200(slab|node=0|zone=1|lastcpupid=0x1fffff) +[ 2064.432515] raw: 000fffffc0000200 ffffea0000d68b80 0000001400000014 ffff888001041780 +[ 2064.436110] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 +[ 2064.439813] page dumped because: kasan: bad access detected +[ 2064.442548] +[ 2064.443310] Memory state around the buggy address: +[ 2064.445988] ffff88800ef22680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc +[ 2064.449444] ffff88800ef22700: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc +[ 2064.452941] >ffff88800ef22780: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc +[ 2064.456383] ^ +[ 2064.459386] ffff88800ef22800: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc +[ 2064.462788] ffff88800ef22880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc +[ 2064.466239] ================================================================== + +reproducer in python: + +import argparse +import struct +import fcntl +import os + +parser = argparse.ArgumentParser() + +parser.add_argument('-f', '--file', + help='file to use fcntl, must be on dlm lock filesystem e.g. gfs2') + +args = parser.parse_args() + +f = open(args.file, 'wb+') + +lockdata = struct.pack('hhllhh', fcntl.F_WRLCK,0,0,0,0,0) +fcntl.fcntl(f, fcntl.F_SETLK, lockdata) +lockdata = struct.pack('hhllhh', fcntl.F_UNLCK,0,0,0,0,0) +fcntl.fcntl(f, fcntl.F_SETLK, lockdata) + +Fixes: 586759f03e2e ("gfs2: nfs lock support for gfs2") +Cc: stable@vger.kernel.org +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Greg Kroah-Hartman +--- + fs/dlm/plock.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/fs/dlm/plock.c ++++ b/fs/dlm/plock.c +@@ -23,11 +23,11 @@ struct plock_op { + struct list_head list; + int done; + struct dlm_plock_info info; ++ int (*callback)(struct file_lock *fl, int result); + }; + + struct plock_xop { + struct plock_op xop; +- int (*callback)(struct file_lock *fl, int result); + void *fl; + void *file; + struct file_lock flc; +@@ -129,19 +129,18 @@ int dlm_posix_lock(dlm_lockspace_t *lock + /* fl_owner is lockd which doesn't distinguish + processes on the nfs client */ + op->info.owner = (__u64) fl->fl_pid; +- xop->callback = fl->fl_lmops->lm_grant; ++ op->callback = fl->fl_lmops->lm_grant; + locks_init_lock(&xop->flc); + locks_copy_lock(&xop->flc, fl); + xop->fl = fl; + xop->file = file; + } else { + op->info.owner = (__u64)(long) fl->fl_owner; +- xop->callback = NULL; + } + + send_op(op); + +- if (xop->callback == NULL) { ++ if (!op->callback) { + rv = wait_event_interruptible(recv_wq, (op->done != 0)); + if (rv == -ERESTARTSYS) { + log_debug(ls, "dlm_posix_lock: wait killed %llx", +@@ -203,7 +202,7 @@ static int dlm_plock_callback(struct plo + file = xop->file; + flc = &xop->flc; + fl = xop->fl; +- notify = xop->callback; ++ notify = op->callback; + + if (op->info.rv) { + notify(fl, op->info.rv); +@@ -436,10 +435,9 @@ static ssize_t dev_write(struct file *fi + if (op->info.fsid == info.fsid && + op->info.number == info.number && + op->info.owner == info.owner) { +- struct plock_xop *xop = (struct plock_xop *)op; + list_del_init(&op->list); + memcpy(&op->info, &info, sizeof(info)); +- if (xop->callback) ++ if (op->callback) + do_callback = 1; + else + op->done = 1; diff --git a/queue-5.18/dlm-fix-wake_up-calls-for-pending-remove.patch b/queue-5.18/dlm-fix-wake_up-calls-for-pending-remove.patch new file mode 100644 index 00000000000..cb1caa1647c --- /dev/null +++ b/queue-5.18/dlm-fix-wake_up-calls-for-pending-remove.patch @@ -0,0 +1,62 @@ +From f6f7418357457ed58cbb020fc97e74d4e0e7b47f Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Wed, 6 Apr 2022 13:34:15 -0400 +Subject: dlm: fix wake_up() calls for pending remove + +From: Alexander Aring + +commit f6f7418357457ed58cbb020fc97e74d4e0e7b47f upstream. + +This patch move the wake_up() call at the point when a remove message +completed. Before it was only when a remove message was going to be +sent. The possible waiter in wait_pending_remove() waits until a remove +is done if the resource name matches with the per ls variable +ls->ls_remove_name. If this is the case we must wait until a pending +remove is done which is indicated if DLM_WAIT_PENDING_COND() returns +false which will always be the case when ls_remove_len and +ls_remove_name are unset to indicate that a remove is not going on +anymore. + +Fixes: 21d9ac1a5376 ("fs: dlm: use event based wait for pending remove") +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Greg Kroah-Hartman +--- + fs/dlm/lock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -1795,7 +1795,6 @@ static void shrink_bucket(struct dlm_ls + memcpy(ls->ls_remove_name, name, DLM_RESNAME_MAXLEN); + spin_unlock(&ls->ls_remove_spin); + spin_unlock(&ls->ls_rsbtbl[b].lock); +- wake_up(&ls->ls_remove_wait); + + send_remove(r); + +@@ -1804,6 +1803,7 @@ static void shrink_bucket(struct dlm_ls + ls->ls_remove_len = 0; + memset(ls->ls_remove_name, 0, DLM_RESNAME_MAXLEN); + spin_unlock(&ls->ls_remove_spin); ++ wake_up(&ls->ls_remove_wait); + + dlm_free_rsb(r); + } +@@ -4079,7 +4079,6 @@ static void send_repeat_remove(struct dl + memcpy(ls->ls_remove_name, name, DLM_RESNAME_MAXLEN); + spin_unlock(&ls->ls_remove_spin); + spin_unlock(&ls->ls_rsbtbl[b].lock); +- wake_up(&ls->ls_remove_wait); + + rv = _create_message(ls, sizeof(struct dlm_message) + len, + dir_nodeid, DLM_MSG_REMOVE, &ms, &mh); +@@ -4095,6 +4094,7 @@ static void send_repeat_remove(struct dl + ls->ls_remove_len = 0; + memset(ls->ls_remove_name, 0, DLM_RESNAME_MAXLEN); + spin_unlock(&ls->ls_remove_spin); ++ wake_up(&ls->ls_remove_wait); + } + + static int receive_request(struct dlm_ls *ls, struct dlm_message *ms) diff --git a/queue-5.18/dlm-uninitialized-variable-on-error-in-dlm_listen_for_all.patch b/queue-5.18/dlm-uninitialized-variable-on-error-in-dlm_listen_for_all.patch new file mode 100644 index 00000000000..94747979041 --- /dev/null +++ b/queue-5.18/dlm-uninitialized-variable-on-error-in-dlm_listen_for_all.patch @@ -0,0 +1,32 @@ +From 1f4f10845e14690b02410de50d9ea9684625a4ae Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 4 Apr 2022 16:06:28 -0400 +Subject: dlm: uninitialized variable on error in dlm_listen_for_all() + +From: Dan Carpenter + +commit 1f4f10845e14690b02410de50d9ea9684625a4ae upstream. + +The "sock" variable is not initialized on this error path. + +Cc: stable@vger.kernel.org +Fixes: 2dc6b1158c28 ("fs: dlm: introduce generic listen") +Signed-off-by: Dan Carpenter +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Greg Kroah-Hartman +--- + fs/dlm/lowcomms.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/dlm/lowcomms.c ++++ b/fs/dlm/lowcomms.c +@@ -1789,7 +1789,7 @@ static int dlm_listen_for_all(void) + SOCK_STREAM, dlm_proto_ops->proto, &sock); + if (result < 0) { + log_print("Can't create comms socket: %d", result); +- goto out; ++ return result; + } + + sock_set_mark(sock->sk, dlm_config.ci_mark); diff --git a/queue-5.18/drm-amdgpu-add-beige-goby-pci-id.patch b/queue-5.18/drm-amdgpu-add-beige-goby-pci-id.patch new file mode 100644 index 00000000000..c5052084349 --- /dev/null +++ b/queue-5.18/drm-amdgpu-add-beige-goby-pci-id.patch @@ -0,0 +1,29 @@ +From 62e9bd20035b53ff6c679499c08546d96c6c60a7 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 24 May 2022 23:23:59 -0400 +Subject: drm/amdgpu: add beige goby PCI ID + +From: Alex Deucher + +commit 62e9bd20035b53ff6c679499c08546d96c6c60a7 upstream. + +Add a beige goby PCI ID. + +Reviewed-by: Guchun Chen +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -1931,6 +1931,7 @@ static const struct pci_device_id pciidl + {0x1002, 0x7421, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_BEIGE_GOBY}, + {0x1002, 0x7422, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_BEIGE_GOBY}, + {0x1002, 0x7423, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_BEIGE_GOBY}, ++ {0x1002, 0x7424, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_BEIGE_GOBY}, + {0x1002, 0x743F, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_BEIGE_GOBY}, + + { PCI_DEVICE(0x1002, PCI_ANY_ID), diff --git a/queue-5.18/mm-compaction-fast_find_migrateblock-should-return-pfn-in-the-target-zone.patch b/queue-5.18/mm-compaction-fast_find_migrateblock-should-return-pfn-in-the-target-zone.patch new file mode 100644 index 00000000000..305749f9899 --- /dev/null +++ b/queue-5.18/mm-compaction-fast_find_migrateblock-should-return-pfn-in-the-target-zone.patch @@ -0,0 +1,49 @@ +From bbe832b9db2e1ad21522f8f0bf02775fff8a0e0e Mon Sep 17 00:00:00 2001 +From: Rei Yamamoto +Date: Fri, 13 May 2022 16:48:57 -0700 +Subject: mm, compaction: fast_find_migrateblock() should return pfn in the target zone + +From: Rei Yamamoto + +commit bbe832b9db2e1ad21522f8f0bf02775fff8a0e0e upstream. + +At present, pages not in the target zone are added to cc->migratepages +list in isolate_migratepages_block(). As a result, pages may migrate +between nodes unintentionally. + +This would be a serious problem for older kernels without commit +a984226f457f849e ("mm: memcontrol: remove the pgdata parameter of +mem_cgroup_page_lruvec"), because it can corrupt the lru list by +handling pages in list without holding proper lru_lock. + +Avoid returning a pfn outside the target zone in the case that it is +not aligned with a pageblock boundary. Otherwise +isolate_migratepages_block() will handle pages not in the target zone. + +Link: https://lkml.kernel.org/r/20220511044300.4069-1-yamamoto.rei@jp.fujitsu.com +Fixes: 70b44595eafe ("mm, compaction: use free lists to quickly locate a migration source") +Signed-off-by: Rei Yamamoto +Reviewed-by: Miaohe Lin +Acked-by: Mel Gorman +Reviewed-by: Oscar Salvador +Cc: Don Dutile +Cc: Wonhyuk Yang +Cc: Rei Yamamoto +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/compaction.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/compaction.c ++++ b/mm/compaction.c +@@ -1858,6 +1858,8 @@ static unsigned long fast_find_migratebl + + update_fast_start_pfn(cc, free_pfn); + pfn = pageblock_start_pfn(free_pfn); ++ if (pfn < cc->zone->zone_start_pfn) ++ pfn = cc->zone->zone_start_pfn; + cc->fast_search_fail = 0; + found_block = true; + set_pageblock_skip(freepage); diff --git a/queue-5.18/ocfs2-dlmfs-fix-error-handling-of-user_dlm_destroy_lock.patch b/queue-5.18/ocfs2-dlmfs-fix-error-handling-of-user_dlm_destroy_lock.patch new file mode 100644 index 00000000000..38511eb2988 --- /dev/null +++ b/queue-5.18/ocfs2-dlmfs-fix-error-handling-of-user_dlm_destroy_lock.patch @@ -0,0 +1,189 @@ +From 863e0d81b6683c4cbc588ad831f560c90e494bef Mon Sep 17 00:00:00 2001 +From: Junxiao Bi via Ocfs2-devel +Date: Wed, 18 May 2022 16:52:24 -0700 +Subject: ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock + +From: Junxiao Bi via Ocfs2-devel + +commit 863e0d81b6683c4cbc588ad831f560c90e494bef upstream. + +When user_dlm_destroy_lock failed, it didn't clean up the flags it set +before exit. For USER_LOCK_IN_TEARDOWN, if this function fails because of +lock is still in used, next time when unlink invokes this function, it +will return succeed, and then unlink will remove inode and dentry if lock +is not in used(file closed), but the dlm lock is still linked in dlm lock +resource, then when bast come in, it will trigger a panic due to +user-after-free. See the following panic call trace. To fix this, +USER_LOCK_IN_TEARDOWN should be reverted if fail. And also error should +be returned if USER_LOCK_IN_TEARDOWN is set to let user know that unlink +fail. + +For the case of ocfs2_dlm_unlock failure, besides USER_LOCK_IN_TEARDOWN, +USER_LOCK_BUSY is also required to be cleared. Even though spin lock is +released in between, but USER_LOCK_IN_TEARDOWN is still set, for +USER_LOCK_BUSY, if before every place that waits on this flag, +USER_LOCK_IN_TEARDOWN is checked to bail out, that will make sure no flow +waits on the busy flag set by user_dlm_destroy_lock(), then we can +simplely revert USER_LOCK_BUSY when ocfs2_dlm_unlock fails. Fix +user_dlm_cluster_lock() which is the only function not following this. + +[ 941.336392] (python,26174,16):dlmfs_unlink:562 ERROR: unlink +004fb0000060000b5a90b8c847b72e1, error -16 from destroy +[ 989.757536] ------------[ cut here ]------------ +[ 989.757709] kernel BUG at fs/ocfs2/dlmfs/userdlm.c:173! +[ 989.757876] invalid opcode: 0000 [#1] SMP +[ 989.758027] Modules linked in: ksplice_2zhuk2jr_ib_ipoib_new(O) +ksplice_2zhuk2jr(O) mptctl mptbase xen_netback xen_blkback xen_gntalloc +xen_gntdev xen_evtchn cdc_ether usbnet mii ocfs2 jbd2 rpcsec_gss_krb5 +auth_rpcgss nfsv4 nfsv3 nfs_acl nfs fscache lockd grace ocfs2_dlmfs +ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc +fcoe libfcoe libfc scsi_transport_fc sunrpc ipmi_devintf bridge stp llc +rds_rdma rds bonding ib_sdp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad +rdma_cm ib_cm iw_cm falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE) +mlx4_vnic falcon_kal(E) falcon_lsm_pinned_13402(E) mlx4_ib ib_sa ib_mad +ib_core ib_addr xenfs xen_privcmd dm_multipath iTCO_wdt iTCO_vendor_support +pcspkr sb_edac edac_core i2c_i801 lpc_ich mfd_core ipmi_ssif i2c_core ipmi_si +ipmi_msghandler +[ 989.760686] ioatdma sg ext3 jbd mbcache sd_mod ahci libahci ixgbe dca ptp +pps_core vxlan udp_tunnel ip6_udp_tunnel megaraid_sas mlx4_core crc32c_intel +be2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio +libiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi wmi +dm_mirror dm_region_hash dm_log dm_mod [last unloaded: +ksplice_2zhuk2jr_ib_ipoib_old] +[ 989.761987] CPU: 10 PID: 19102 Comm: dlm_thread Tainted: P OE +4.1.12-124.57.1.el6uek.x86_64 #2 +[ 989.762290] Hardware name: Oracle Corporation ORACLE SERVER +X5-2/ASM,MOTHERBOARD,1U, BIOS 30350100 06/17/2021 +[ 989.762599] task: ffff880178af6200 ti: ffff88017f7c8000 task.ti: +ffff88017f7c8000 +[ 989.762848] RIP: e030:[] [] +__user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs] +[ 989.763185] RSP: e02b:ffff88017f7cbcb8 EFLAGS: 00010246 +[ 989.763353] RAX: 0000000000000000 RBX: ffff880174d48008 RCX: +0000000000000003 +[ 989.763565] RDX: 0000000000120012 RSI: 0000000000000003 RDI: +ffff880174d48170 +[ 989.763778] RBP: ffff88017f7cbcc8 R08: ffff88021f4293b0 R09: +0000000000000000 +[ 989.763991] R10: ffff880179c8c000 R11: 0000000000000003 R12: +ffff880174d48008 +[ 989.764204] R13: 0000000000000003 R14: ffff880179c8c000 R15: +ffff88021db7a000 +[ 989.764422] FS: 0000000000000000(0000) GS:ffff880247480000(0000) +knlGS:ffff880247480000 +[ 989.764685] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 989.764865] CR2: ffff8000007f6800 CR3: 0000000001ae0000 CR4: +0000000000042660 +[ 989.765081] Stack: +[ 989.765167] 0000000000000003 ffff880174d48040 ffff88017f7cbd18 +ffffffffc07d455f +[ 989.765442] ffff88017f7cbd88 ffffffff816fb639 ffff88017f7cbd38 +ffff8800361b5600 +[ 989.765717] ffff88021db7a000 ffff88021f429380 0000000000000003 +ffffffffc0453020 +[ 989.765991] Call Trace: +[ 989.766093] [] user_bast+0x5f/0xf0 [ocfs2_dlmfs] +[ 989.766287] [] ? schedule_timeout+0x169/0x2d0 +[ 989.766475] [] ? o2dlm_lock_ast_wrapper+0x20/0x20 +[ocfs2_stack_o2cb] +[ 989.766738] [] o2dlm_blocking_ast_wrapper+0x1a/0x20 +[ocfs2_stack_o2cb] +[ 989.767010] [] dlm_do_local_bast+0x46/0xe0 [ocfs2_dlm] +[ 989.767217] [] ? dlm_lockres_calc_usage+0x4c/0x60 +[ocfs2_dlm] +[ 989.767466] [] dlm_thread+0xa31/0x1140 [ocfs2_dlm] +[ 989.767662] [] ? __schedule+0x24a/0x810 +[ 989.767834] [] ? __schedule+0x23e/0x810 +[ 989.768006] [] ? __schedule+0x24a/0x810 +[ 989.768178] [] ? __schedule+0x23e/0x810 +[ 989.768349] [] ? __schedule+0x24a/0x810 +[ 989.768521] [] ? __schedule+0x23e/0x810 +[ 989.768693] [] ? __schedule+0x24a/0x810 +[ 989.768893] [] ? __schedule+0x23e/0x810 +[ 989.769067] [] ? __schedule+0x24a/0x810 +[ 989.769241] [] ? wait_woken+0x90/0x90 +[ 989.769411] [] ? dlm_kick_thread+0x80/0x80 [ocfs2_dlm] +[ 989.769617] [] kthread+0xcb/0xf0 +[ 989.769774] [] ? __schedule+0x24a/0x810 +[ 989.769945] [] ? __schedule+0x24a/0x810 +[ 989.770117] [] ? kthread_create_on_node+0x180/0x180 +[ 989.770321] [] ret_from_fork+0x61/0x90 +[ 989.770492] [] ? kthread_create_on_node+0x180/0x180 +[ 989.770689] Code: d0 00 00 00 f0 45 7d c0 bf 00 20 00 00 48 89 83 c0 00 00 +00 48 89 83 c8 00 00 00 e8 55 c1 8c c0 83 4b 04 10 48 83 c4 08 5b 5d c3 <0f> +0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 55 41 54 53 48 83 +[ 989.771892] RIP [] +__user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs] +[ 989.772174] RSP +[ 989.772704] ---[ end trace ebd1e38cebcc93a8 ]--- +[ 989.772907] Kernel panic - not syncing: Fatal exception +[ 989.773173] Kernel Offset: disabled + +Link: https://lkml.kernel.org/r/20220518235224.87100-2-junxiao.bi@oracle.com +Signed-off-by: Junxiao Bi +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Joseph Qi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/dlmfs/userdlm.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/fs/ocfs2/dlmfs/userdlm.c ++++ b/fs/ocfs2/dlmfs/userdlm.c +@@ -433,6 +433,11 @@ again: + } + + spin_lock(&lockres->l_lock); ++ if (lockres->l_flags & USER_LOCK_IN_TEARDOWN) { ++ spin_unlock(&lockres->l_lock); ++ status = -EAGAIN; ++ goto bail; ++ } + + /* We only compare against the currently granted level + * here. If the lock is blocked waiting on a downconvert, +@@ -595,7 +600,7 @@ int user_dlm_destroy_lock(struct user_lo + spin_lock(&lockres->l_lock); + if (lockres->l_flags & USER_LOCK_IN_TEARDOWN) { + spin_unlock(&lockres->l_lock); +- return 0; ++ goto bail; + } + + lockres->l_flags |= USER_LOCK_IN_TEARDOWN; +@@ -609,12 +614,17 @@ int user_dlm_destroy_lock(struct user_lo + } + + if (lockres->l_ro_holders || lockres->l_ex_holders) { ++ lockres->l_flags &= ~USER_LOCK_IN_TEARDOWN; + spin_unlock(&lockres->l_lock); + goto bail; + } + + status = 0; + if (!(lockres->l_flags & USER_LOCK_ATTACHED)) { ++ /* ++ * lock is never requested, leave USER_LOCK_IN_TEARDOWN set ++ * to avoid new lock request coming in. ++ */ + spin_unlock(&lockres->l_lock); + goto bail; + } +@@ -625,6 +635,10 @@ int user_dlm_destroy_lock(struct user_lo + + status = ocfs2_dlm_unlock(conn, &lockres->l_lksb, DLM_LKF_VALBLK); + if (status) { ++ spin_lock(&lockres->l_lock); ++ lockres->l_flags &= ~USER_LOCK_IN_TEARDOWN; ++ lockres->l_flags &= ~USER_LOCK_BUSY; ++ spin_unlock(&lockres->l_lock); + user_log_dlm_error("ocfs2_dlm_unlock", status, lockres); + goto bail; + } diff --git a/queue-5.18/pci-pm-fix-bridge_d3_blacklist-elo-i2-overwrite-of-gigabyte-x299.patch b/queue-5.18/pci-pm-fix-bridge_d3_blacklist-elo-i2-overwrite-of-gigabyte-x299.patch new file mode 100644 index 00000000000..cca9242eaf0 --- /dev/null +++ b/queue-5.18/pci-pm-fix-bridge_d3_blacklist-elo-i2-overwrite-of-gigabyte-x299.patch @@ -0,0 +1,41 @@ +From 12068bb346db5776d0ec9bb4cd073f8427a1ac92 Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Thu, 26 May 2022 16:52:23 -0500 +Subject: PCI/PM: Fix bridge_d3_blacklist[] Elo i2 overwrite of Gigabyte X299 + +From: Bjorn Helgaas + +commit 12068bb346db5776d0ec9bb4cd073f8427a1ac92 upstream. + +92597f97a40b ("PCI/PM: Avoid putting Elo i2 PCIe Ports in D3cold") omitted +braces around the new Elo i2 entry, so it overwrote the existing Gigabyte +X299 entry. Add the appropriate braces. + +Found by: + + $ make W=1 drivers/pci/pci.o + CC drivers/pci/pci.o + drivers/pci/pci.c:2974:12: error: initialized field overwritten [-Werror=override-init] + 2974 | .ident = "Elo i2", + | ^~~~~~~~ + +Link: https://lore.kernel.org/r/20220526221258.GA409855@bhelgaas +Fixes: 92597f97a40b ("PCI/PM: Avoid putting Elo i2 PCIe Ports in D3cold") +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v5.15+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -2920,6 +2920,8 @@ static const struct dmi_system_id bridge + DMI_MATCH(DMI_BOARD_VENDOR, "Gigabyte Technology Co., Ltd."), + DMI_MATCH(DMI_BOARD_NAME, "X299 DESIGNARE EX-CF"), + }, ++ }, ++ { + /* + * Downstream device is not accessible after putting a root port + * into D3cold and back into D0 on Elo i2. diff --git a/queue-5.18/pci-qcom-fix-pipe-clock-imbalance.patch b/queue-5.18/pci-qcom-fix-pipe-clock-imbalance.patch new file mode 100644 index 00000000000..4fa050903ce --- /dev/null +++ b/queue-5.18/pci-qcom-fix-pipe-clock-imbalance.patch @@ -0,0 +1,44 @@ +From fdf6a2f533115ec5d4d9629178f8196331f1ac50 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 1 Apr 2022 15:33:51 +0200 +Subject: PCI: qcom: Fix pipe clock imbalance + +From: Johan Hovold + +commit fdf6a2f533115ec5d4d9629178f8196331f1ac50 upstream. + +Fix a clock imbalance introduced by ed8cc3b1fc84 ("PCI: qcom: Add support +for SDM845 PCIe controller"), which enables the pipe clock both in init() +and in post_init() but only disables in post_deinit(). + +Note that the pipe clock was also never disabled in the init() error +paths and that enabling the clock before powering up the PHY looks +questionable. + +Link: https://lore.kernel.org/r/20220401133351.10113-1-johan+linaro@kernel.org +Fixes: ed8cc3b1fc84 ("PCI: qcom: Add support for SDM845 PCIe controller") +Signed-off-by: Johan Hovold +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Bjorn Helgaas +Reviewed-by: Bjorn Andersson +Cc: stable@vger.kernel.org # 5.6 +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-qcom.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/pci/controller/dwc/pcie-qcom.c ++++ b/drivers/pci/controller/dwc/pcie-qcom.c +@@ -1238,12 +1238,6 @@ static int qcom_pcie_init_2_7_0(struct q + goto err_disable_clocks; + } + +- ret = clk_prepare_enable(res->pipe_clk); +- if (ret) { +- dev_err(dev, "cannot prepare/enable pipe clock\n"); +- goto err_disable_clocks; +- } +- + /* Wait for reset to complete, required on SM8450 */ + usleep_range(1000, 1500); + diff --git a/queue-5.18/pci-qcom-fix-runtime-pm-imbalance-on-probe-errors.patch b/queue-5.18/pci-qcom-fix-runtime-pm-imbalance-on-probe-errors.patch new file mode 100644 index 00000000000..0ff38f36365 --- /dev/null +++ b/queue-5.18/pci-qcom-fix-runtime-pm-imbalance-on-probe-errors.patch @@ -0,0 +1,48 @@ +From 87d83b96c8d6c6c2d2096bd0bdba73bcf42b8ef0 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 1 Apr 2022 15:38:53 +0200 +Subject: PCI: qcom: Fix runtime PM imbalance on probe errors + +From: Johan Hovold + +commit 87d83b96c8d6c6c2d2096bd0bdba73bcf42b8ef0 upstream. + +Drop the leftover pm_runtime_disable() calls from the late probe error +paths that would, for example, prevent runtime PM from being reenabled +after a probe deferral. + +Link: https://lore.kernel.org/r/20220401133854.10421-2-johan+linaro@kernel.org +Fixes: 6e5da6f7d824 ("PCI: qcom: Fix error handling in runtime PM support") +Signed-off-by: Johan Hovold +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Bjorn Helgaas +Reviewed-by: Manivannan Sadhasivam +Acked-by: Stanimir Varbanov +Cc: stable@vger.kernel.org # 4.20 +Cc: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-qcom.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/pci/controller/dwc/pcie-qcom.c ++++ b/drivers/pci/controller/dwc/pcie-qcom.c +@@ -1621,17 +1621,14 @@ static int qcom_pcie_probe(struct platfo + pp->ops = &qcom_pcie_dw_ops; + + ret = phy_init(pcie->phy); +- if (ret) { +- pm_runtime_disable(&pdev->dev); ++ if (ret) + goto err_pm_runtime_put; +- } + + platform_set_drvdata(pdev, pcie); + + ret = dw_pcie_host_init(pp); + if (ret) { + dev_err(dev, "cannot initialize host\n"); +- pm_runtime_disable(&pdev->dev); + goto err_pm_runtime_put; + } + diff --git a/queue-5.18/pci-qcom-fix-unbalanced-phy-init-on-probe-errors.patch b/queue-5.18/pci-qcom-fix-unbalanced-phy-init-on-probe-errors.patch new file mode 100644 index 00000000000..acb9b5941c5 --- /dev/null +++ b/queue-5.18/pci-qcom-fix-unbalanced-phy-init-on-probe-errors.patch @@ -0,0 +1,42 @@ +From 83013631f0f9961416abd812e228c8efbc2f6069 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 1 Apr 2022 15:38:54 +0200 +Subject: PCI: qcom: Fix unbalanced PHY init on probe errors + +From: Johan Hovold + +commit 83013631f0f9961416abd812e228c8efbc2f6069 upstream. + +Undo the PHY initialisation (e.g. balance runtime PM) if host +initialisation fails during probe. + +Link: https://lore.kernel.org/r/20220401133854.10421-3-johan+linaro@kernel.org +Fixes: 82a823833f4e ("PCI: qcom: Add Qualcomm PCIe controller driver") +Signed-off-by: Johan Hovold +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Bjorn Helgaas +Reviewed-by: Manivannan Sadhasivam +Acked-by: Stanimir Varbanov +Cc: stable@vger.kernel.org # 4.5 +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-qcom.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/pci/controller/dwc/pcie-qcom.c ++++ b/drivers/pci/controller/dwc/pcie-qcom.c +@@ -1629,11 +1629,13 @@ static int qcom_pcie_probe(struct platfo + ret = dw_pcie_host_init(pp); + if (ret) { + dev_err(dev, "cannot initialize host\n"); +- goto err_pm_runtime_put; ++ goto err_phy_exit; + } + + return 0; + ++err_phy_exit: ++ phy_exit(pcie->phy); + err_pm_runtime_put: + pm_runtime_put(dev); + pm_runtime_disable(dev); diff --git a/queue-5.18/s390-perf-obtain-sie_block-from-the-right-address.patch b/queue-5.18/s390-perf-obtain-sie_block-from-the-right-address.patch new file mode 100644 index 00000000000..c2b60a17703 --- /dev/null +++ b/queue-5.18/s390-perf-obtain-sie_block-from-the-right-address.patch @@ -0,0 +1,46 @@ +From c9bfb460c3e4da2462e16b0f0b200990b36b1dd2 Mon Sep 17 00:00:00 2001 +From: Nico Boehr +Date: Tue, 24 May 2022 15:43:20 +0200 +Subject: s390/perf: obtain sie_block from the right address + +From: Nico Boehr + +commit c9bfb460c3e4da2462e16b0f0b200990b36b1dd2 upstream. + +Since commit 1179f170b6f0 ("s390: fix fpu restore in entry.S"), the +sie_block pointer is located at empty1[1], but in sie_block() it was +taken from empty1[0]. + +This leads to a random pointer being dereferenced, possibly causing +system crash. + +This problem can be observed when running a simple guest with an endless +loop and recording the cpu-clock event: + + sudo perf kvm --guestvmlinux= --guest top -e cpu-clock + +With this fix, the correct guest address is shown. + +Fixes: 1179f170b6f0 ("s390: fix fpu restore in entry.S") +Cc: stable@vger.kernel.org +Acked-by: Christian Borntraeger +Acked-by: Claudio Imbrenda +Reviewed-by: Heiko Carstens +Signed-off-by: Nico Boehr +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/perf_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/kernel/perf_event.c ++++ b/arch/s390/kernel/perf_event.c +@@ -30,7 +30,7 @@ static struct kvm_s390_sie_block *sie_bl + if (!stack) + return NULL; + +- return (struct kvm_s390_sie_block *) stack->empty1[0]; ++ return (struct kvm_s390_sie_block *)stack->empty1[1]; + } + + static bool is_in_guest(struct pt_regs *regs) diff --git a/queue-5.18/s390-stp-clock_delta-should-be-signed.patch b/queue-5.18/s390-stp-clock_delta-should-be-signed.patch new file mode 100644 index 00000000000..14180ccaab9 --- /dev/null +++ b/queue-5.18/s390-stp-clock_delta-should-be-signed.patch @@ -0,0 +1,94 @@ +From 5ace65ebb5ce9fe1cc8fdbdd97079fb566ef0ea4 Mon Sep 17 00:00:00 2001 +From: Sven Schnelle +Date: Tue, 3 May 2022 09:58:33 +0200 +Subject: s390/stp: clock_delta should be signed + +From: Sven Schnelle + +commit 5ace65ebb5ce9fe1cc8fdbdd97079fb566ef0ea4 upstream. + +clock_delta is declared as unsigned long in various places. However, +the clock sync delta can be negative. This would add a huge positive +offset in clock_sync_global where clock_delta is added to clk.eitod +which is a 72 bit integer. Declare it as signed long to fix this. + +Cc: stable@vger.kernel.org +Signed-off-by: Sven Schnelle +Reviewed-by: Heiko Carstens +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/cio.h | 2 +- + arch/s390/kernel/time.c | 8 ++++---- + drivers/s390/cio/chsc.c | 4 ++-- + 3 files changed, 7 insertions(+), 7 deletions(-) + +--- a/arch/s390/include/asm/cio.h ++++ b/arch/s390/include/asm/cio.h +@@ -369,7 +369,7 @@ void cio_gp_dma_destroy(struct gen_pool + struct gen_pool *cio_gp_dma_create(struct device *dma_dev, int nr_pages); + + /* Function from drivers/s390/cio/chsc.c */ +-int chsc_sstpc(void *page, unsigned int op, u16 ctrl, u64 *clock_delta); ++int chsc_sstpc(void *page, unsigned int op, u16 ctrl, long *clock_delta); + int chsc_sstpi(void *page, void *result, size_t size); + int chsc_stzi(void *page, void *result, size_t size); + int chsc_sgib(u32 origin); +--- a/arch/s390/kernel/time.c ++++ b/arch/s390/kernel/time.c +@@ -364,7 +364,7 @@ static inline int check_sync_clock(void) + * Apply clock delta to the global data structures. + * This is called once on the CPU that performed the clock sync. + */ +-static void clock_sync_global(unsigned long delta) ++static void clock_sync_global(long delta) + { + unsigned long now, adj; + struct ptff_qto qto; +@@ -400,7 +400,7 @@ static void clock_sync_global(unsigned l + * Apply clock delta to the per-CPU data structures of this CPU. + * This is called for each online CPU after the call to clock_sync_global. + */ +-static void clock_sync_local(unsigned long delta) ++static void clock_sync_local(long delta) + { + /* Add the delta to the clock comparator. */ + if (S390_lowcore.clock_comparator != clock_comparator_max) { +@@ -424,7 +424,7 @@ static void __init time_init_wq(void) + struct clock_sync_data { + atomic_t cpus; + int in_sync; +- unsigned long clock_delta; ++ long clock_delta; + }; + + /* +@@ -544,7 +544,7 @@ static int stpinfo_valid(void) + static int stp_sync_clock(void *data) + { + struct clock_sync_data *sync = data; +- u64 clock_delta, flags; ++ long clock_delta, flags; + static int first; + int rc; + +--- a/drivers/s390/cio/chsc.c ++++ b/drivers/s390/cio/chsc.c +@@ -1255,7 +1255,7 @@ exit: + EXPORT_SYMBOL_GPL(css_general_characteristics); + EXPORT_SYMBOL_GPL(css_chsc_characteristics); + +-int chsc_sstpc(void *page, unsigned int op, u16 ctrl, u64 *clock_delta) ++int chsc_sstpc(void *page, unsigned int op, u16 ctrl, long *clock_delta) + { + struct { + struct chsc_header request; +@@ -1266,7 +1266,7 @@ int chsc_sstpc(void *page, unsigned int + unsigned int rsvd2[5]; + struct chsc_header response; + unsigned int rsvd3[3]; +- u64 clock_delta; ++ s64 clock_delta; + unsigned int rsvd4[2]; + } *rr; + int rc; diff --git a/queue-5.18/scsi-dc395x-fix-a-missing-check-on-list-iterator.patch b/queue-5.18/scsi-dc395x-fix-a-missing-check-on-list-iterator.patch new file mode 100644 index 00000000000..8e76b1c82c9 --- /dev/null +++ b/queue-5.18/scsi-dc395x-fix-a-missing-check-on-list-iterator.patch @@ -0,0 +1,56 @@ +From 036a45aa587a10fa2abbd50fbd0f6c4cfc44f69f Mon Sep 17 00:00:00 2001 +From: Xiaomeng Tong +Date: Thu, 14 Apr 2022 12:02:31 +0800 +Subject: scsi: dc395x: Fix a missing check on list iterator + +From: Xiaomeng Tong + +commit 036a45aa587a10fa2abbd50fbd0f6c4cfc44f69f upstream. + +The bug is here: + + p->target_id, p->target_lun); + +The list iterator 'p' will point to a bogus position containing HEAD if the +list is empty or no element is found. This case must be checked before any +use of the iterator, otherwise it will lead to an invalid memory access. + +To fix this bug, add a check. Use a new variable 'iter' as the list +iterator, and use the original variable 'p' as a dedicated pointer to point +to the found element. + +Link: https://lore.kernel.org/r/20220414040231.2662-1-xiam0nd.tong@gmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Xiaomeng Tong +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/dc395x.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/dc395x.c ++++ b/drivers/scsi/dc395x.c +@@ -3585,10 +3585,19 @@ static struct DeviceCtlBlk *device_alloc + #endif + if (dcb->target_lun != 0) { + /* Copy settings */ +- struct DeviceCtlBlk *p; +- list_for_each_entry(p, &acb->dcb_list, list) +- if (p->target_id == dcb->target_id) ++ struct DeviceCtlBlk *p = NULL, *iter; ++ ++ list_for_each_entry(iter, &acb->dcb_list, list) ++ if (iter->target_id == dcb->target_id) { ++ p = iter; + break; ++ } ++ ++ if (!p) { ++ kfree(dcb); ++ return NULL; ++ } ++ + dprintkdbg(DBG_1, + "device_alloc: <%02i-%i> copy from <%02i-%i>\n", + dcb->target_id, dcb->target_lun, diff --git a/queue-5.18/scsi-ufs-qcom-add-a-readl-to-make-sure-ref_clk-gets-enabled.patch b/queue-5.18/scsi-ufs-qcom-add-a-readl-to-make-sure-ref_clk-gets-enabled.patch new file mode 100644 index 00000000000..092a3b56f86 --- /dev/null +++ b/queue-5.18/scsi-ufs-qcom-add-a-readl-to-make-sure-ref_clk-gets-enabled.patch @@ -0,0 +1,51 @@ +From 8eecddfca30e1651dc1c74531ed5eef21dcce7e3 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Wed, 4 May 2022 14:12:10 +0530 +Subject: scsi: ufs: qcom: Add a readl() to make sure ref_clk gets enabled + +From: Manivannan Sadhasivam + +commit 8eecddfca30e1651dc1c74531ed5eef21dcce7e3 upstream. + +In ufs_qcom_dev_ref_clk_ctrl(), it was noted that the ref_clk needs to be +stable for at least 1us. Even though there is wmb() to make sure the write +gets "completed", there is no guarantee that the write actually reached the +UFS device. There is a good chance that the write could be stored in a +Write Buffer (WB). In that case, even though the CPU waits for 1us, the +ref_clk might not be stable for that period. + +So lets do a readl() to make sure that the previous write has reached the +UFS device before udelay(). + +Also, the wmb() after writel_relaxed() is not really needed. Both writel() +and readl() are ordered on all architectures and the CPU won't speculate +instructions after readl() due to the in-built control dependency with read +value on weakly ordered architectures. So it can be safely removed. + +Link: https://lore.kernel.org/r/20220504084212.11605-4-manivannan.sadhasivam@linaro.org +Fixes: f06fcc7155dc ("scsi: ufs-qcom: add QUniPro hardware support and power optimizations") +Cc: stable@vger.kernel.org +Reviewed-by: Bjorn Andersson +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ufs/ufs-qcom.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/ufs/ufs-qcom.c ++++ b/drivers/scsi/ufs/ufs-qcom.c +@@ -682,8 +682,11 @@ static void ufs_qcom_dev_ref_clk_ctrl(st + + writel_relaxed(temp, host->dev_ref_clk_ctrl_mmio); + +- /* ensure that ref_clk is enabled/disabled before we return */ +- wmb(); ++ /* ++ * Make sure the write to ref_clk reaches the destination and ++ * not stored in a Write Buffer (WB). ++ */ ++ readl(host->dev_ref_clk_ctrl_mmio); + + /* + * If we call hibern8 exit after this, we need to make sure that diff --git a/queue-5.18/series b/queue-5.18/series index bc422118fb0..92e4dfd21eb 100644 --- a/queue-5.18/series +++ b/queue-5.18/series @@ -746,3 +746,25 @@ ext4-fix-bug_on-in-__es_tree_search.patch ext4-verify-dir-block-before-splitting-it.patch ext4-avoid-cycles-in-directory-h-tree.patch acpi-property-release-subnode-properties-with-data-nodes.patch +tty-goldfish-introduce-gf_ioread32-gf_iowrite32.patch +tracing-have-event-format-check-not-flag-p-on-__get_dynamic_array.patch +tracing-fix-potential-double-free-in-create_var_ref.patch +tracing-fix-return-value-of-trace_pid_write.patch +tracing-initialize-integer-variable-to-prevent-garbage-return-value.patch +drm-amdgpu-add-beige-goby-pci-id.patch +pci-pm-fix-bridge_d3_blacklist-elo-i2-overwrite-of-gigabyte-x299.patch +pci-qcom-fix-pipe-clock-imbalance.patch +pci-qcom-fix-runtime-pm-imbalance-on-probe-errors.patch +pci-qcom-fix-unbalanced-phy-init-on-probe-errors.patch +staging-r8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch +block-fix-potential-deadlock-in-blk_ia_range_sysfs_show.patch +mm-compaction-fast_find_migrateblock-should-return-pfn-in-the-target-zone.patch +s390-perf-obtain-sie_block-from-the-right-address.patch +s390-stp-clock_delta-should-be-signed.patch +dlm-fix-plock-invalid-read.patch +dlm-uninitialized-variable-on-error-in-dlm_listen_for_all.patch +dlm-fix-wake_up-calls-for-pending-remove.patch +dlm-fix-missing-lkb-refcount-handling.patch +ocfs2-dlmfs-fix-error-handling-of-user_dlm_destroy_lock.patch +scsi-dc395x-fix-a-missing-check-on-list-iterator.patch +scsi-ufs-qcom-add-a-readl-to-make-sure-ref_clk-gets-enabled.patch diff --git a/queue-5.18/staging-r8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch b/queue-5.18/staging-r8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch new file mode 100644 index 00000000000..9f0fd4c9a2d --- /dev/null +++ b/queue-5.18/staging-r8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch @@ -0,0 +1,37 @@ +From bc10916e890948d8927a5c8c40fb5dc44be5e1b8 Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Wed, 18 May 2022 11:00:52 +0400 +Subject: staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan() + +From: Denis Efremov + +commit bc10916e890948d8927a5c8c40fb5dc44be5e1b8 upstream. + +This code has a check to prevent read overflow but it needs another +check to prevent writing beyond the end of the ->Ssid[] array. + +Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver") +Cc: stable +Signed-off-by: Denis Efremov +Link: https://lore.kernel.org/r/20220518070052.108287-1-denis.e.efremov@oracle.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/r8188eu/os_dep/ioctl_linux.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c ++++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c +@@ -1131,9 +1131,11 @@ static int rtw_wx_set_scan(struct net_de + break; + } + sec_len = *(pos++); len -= 1; +- if (sec_len > 0 && sec_len <= len) { ++ if (sec_len > 0 && ++ sec_len <= len && ++ sec_len <= 32) { + ssid[ssid_index].SsidLength = sec_len; +- memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength); ++ memcpy(ssid[ssid_index].Ssid, pos, sec_len); + ssid_index++; + } + pos += sec_len; diff --git a/queue-5.18/tracing-fix-potential-double-free-in-create_var_ref.patch b/queue-5.18/tracing-fix-potential-double-free-in-create_var_ref.patch new file mode 100644 index 00000000000..dbec225fe79 --- /dev/null +++ b/queue-5.18/tracing-fix-potential-double-free-in-create_var_ref.patch @@ -0,0 +1,48 @@ +From 99696a2592bca641eb88cc9a80c90e591afebd0f Mon Sep 17 00:00:00 2001 +From: Keita Suzuki +Date: Mon, 25 Apr 2022 06:37:38 +0000 +Subject: tracing: Fix potential double free in create_var_ref() + +From: Keita Suzuki + +commit 99696a2592bca641eb88cc9a80c90e591afebd0f upstream. + +In create_var_ref(), init_var_ref() is called to initialize the fields +of variable ref_field, which is allocated in the previous function call +to create_hist_field(). Function init_var_ref() allocates the +corresponding fields such as ref_field->system, but frees these fields +when the function encounters an error. The caller later calls +destroy_hist_field() to conduct error handling, which frees the fields +and the variable itself. This results in double free of the fields which +are already freed in the previous function. + +Fix this by storing NULL to the corresponding fields when they are freed +in init_var_ref(). + +Link: https://lkml.kernel.org/r/20220425063739.3859998-1-keitasuzuki.park@sslab.ics.keio.ac.jp + +Fixes: 067fe038e70f ("tracing: Add variable reference handling to hist triggers") +CC: stable@vger.kernel.org +Reviewed-by: Masami Hiramatsu +Reviewed-by: Tom Zanussi +Signed-off-by: Keita Suzuki +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_hist.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -2093,8 +2093,11 @@ static int init_var_ref(struct hist_fiel + return err; + free: + kfree(ref_field->system); ++ ref_field->system = NULL; + kfree(ref_field->event_name); ++ ref_field->event_name = NULL; + kfree(ref_field->name); ++ ref_field->name = NULL; + + goto out; + } diff --git a/queue-5.18/tracing-fix-return-value-of-trace_pid_write.patch b/queue-5.18/tracing-fix-return-value-of-trace_pid_write.patch new file mode 100644 index 00000000000..7ab20ee86b5 --- /dev/null +++ b/queue-5.18/tracing-fix-return-value-of-trace_pid_write.patch @@ -0,0 +1,79 @@ +From b27f266f74fbda4ee36c2b2b04d15992860cf23b Mon Sep 17 00:00:00 2001 +From: Wonhyuk Yang +Date: Tue, 3 May 2022 14:05:46 +0900 +Subject: tracing: Fix return value of trace_pid_write() + +From: Wonhyuk Yang + +commit b27f266f74fbda4ee36c2b2b04d15992860cf23b upstream. + +Setting set_event_pid with trailing whitespace lead to endless write +system calls like below. + + $ strace echo "123 " > /sys/kernel/debug/tracing/set_event_pid + execve("/usr/bin/echo", ["echo", "123 "], ...) = 0 + ... + write(1, "123 \n", 5) = 4 + write(1, "\n", 1) = 0 + write(1, "\n", 1) = 0 + write(1, "\n", 1) = 0 + write(1, "\n", 1) = 0 + write(1, "\n", 1) = 0 + .... + +This is because, the result of trace_get_user's are not returned when it +read at least one pid. To fix it, update read variable even if +parser->idx == 0. + +The result of applied patch is below. + + $ strace echo "123 " > /sys/kernel/debug/tracing/set_event_pid + execve("/usr/bin/echo", ["echo", "123 "], ...) = 0 + ... + write(1, "123 \n", 5) = 5 + close(1) = 0 + +Link: https://lkml.kernel.org/r/20220503050546.288911-1-vvghjk1234@gmail.com + +Cc: Ingo Molnar +Cc: Baik Song An +Cc: Hong Yeon Kim +Cc: Taeung Song +Cc: linuxgeek@linuxgeek.io +Cc: stable@vger.kernel.org +Fixes: 4909010788640 ("tracing: Add set_event_pid directory for future use") +Signed-off-by: Wonhyuk Yang +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -721,13 +721,16 @@ int trace_pid_write(struct trace_pid_lis + pos = 0; + + ret = trace_get_user(&parser, ubuf, cnt, &pos); +- if (ret < 0 || !trace_parser_loaded(&parser)) ++ if (ret < 0) + break; + + read += ret; + ubuf += ret; + cnt -= ret; + ++ if (!trace_parser_loaded(&parser)) ++ break; ++ + ret = -EINVAL; + if (kstrtoul(parser.buffer, 0, &val)) + break; +@@ -753,7 +756,6 @@ int trace_pid_write(struct trace_pid_lis + if (!nr_pids) { + /* Cleared the list of pids */ + trace_pid_list_free(pid_list); +- read = ret; + pid_list = NULL; + } + diff --git a/queue-5.18/tracing-have-event-format-check-not-flag-p-on-__get_dynamic_array.patch b/queue-5.18/tracing-have-event-format-check-not-flag-p-on-__get_dynamic_array.patch new file mode 100644 index 00000000000..e41124df786 --- /dev/null +++ b/queue-5.18/tracing-have-event-format-check-not-flag-p-on-__get_dynamic_array.patch @@ -0,0 +1,56 @@ +From 499f12168aebd6da8fa32c9b7d6203ca9b5eb88d Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Google)" +Date: Thu, 7 Apr 2022 14:56:32 -0400 +Subject: tracing: Have event format check not flag %p* on __get_dynamic_array() + +From: Steven Rostedt (Google) + +commit 499f12168aebd6da8fa32c9b7d6203ca9b5eb88d upstream. + +The print fmt check against trace events to make sure that the format does +not use pointers that may be freed from the time of the trace to the time +the event is read, gives a false positive on %pISpc when reading data that +was saved in __get_dynamic_array() when it is perfectly fine to do so, as +the data being read is on the ring buffer. + +Link: https://lore.kernel.org/all/20220407144524.2a592ed6@canb.auug.org.au/ + +Cc: stable@vger.kernel.org +Fixes: 5013f454a352c ("tracing: Add check of trace event print fmts for dereferencing pointers") +Reported-by: Stephen Rothwell +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -392,12 +392,6 @@ static void test_event_printk(struct tra + if (!(dereference_flags & (1ULL << arg))) + goto next_arg; + +- /* Check for __get_sockaddr */; +- if (str_has_prefix(fmt + i, "__get_sockaddr(")) { +- dereference_flags &= ~(1ULL << arg); +- goto next_arg; +- } +- + /* Find the REC-> in the argument */ + c = strchr(fmt + i, ','); + r = strstr(fmt + i, "REC->"); +@@ -413,7 +407,14 @@ static void test_event_printk(struct tra + a = strchr(fmt + i, '&'); + if ((a && (a < r)) || test_field(r, call)) + dereference_flags &= ~(1ULL << arg); ++ } else if ((r = strstr(fmt + i, "__get_dynamic_array(")) && ++ (!c || r < c)) { ++ dereference_flags &= ~(1ULL << arg); ++ } else if ((r = strstr(fmt + i, "__get_sockaddr(")) && ++ (!c || r < c)) { ++ dereference_flags &= ~(1ULL << arg); + } ++ + next_arg: + i--; + arg++; diff --git a/queue-5.18/tracing-initialize-integer-variable-to-prevent-garbage-return-value.patch b/queue-5.18/tracing-initialize-integer-variable-to-prevent-garbage-return-value.patch new file mode 100644 index 00000000000..8ec815e055c --- /dev/null +++ b/queue-5.18/tracing-initialize-integer-variable-to-prevent-garbage-return-value.patch @@ -0,0 +1,37 @@ +From 154827f8e53d8c492b3fb0cb757fbcadb5d516b5 Mon Sep 17 00:00:00 2001 +From: Gautam Menghani +Date: Sat, 21 May 2022 23:18:26 -0700 +Subject: tracing: Initialize integer variable to prevent garbage return value + +From: Gautam Menghani + +commit 154827f8e53d8c492b3fb0cb757fbcadb5d516b5 upstream. + +Initialize the integer variable to 0 to fix the clang scan warning: +Undefined or garbage value returned to caller +[core.uninitialized.UndefReturn] + return ret; + +Link: https://lkml.kernel.org/r/20220522061826.1751-1-gautammenghani201@gmail.com + +Cc: stable@vger.kernel.org +Fixes: 8993665abcce ("tracing/boot: Support multiple handlers for per-event histogram") +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Gautam Menghani +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_boot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/trace_boot.c ++++ b/kernel/trace/trace_boot.c +@@ -300,7 +300,7 @@ trace_boot_hist_add_handlers(struct xbc_ + { + struct xbc_node *node; + const char *p, *handler; +- int ret; ++ int ret = 0; + + handler = xbc_node_get_data(hnode); + diff --git a/queue-5.18/tty-goldfish-introduce-gf_ioread32-gf_iowrite32.patch b/queue-5.18/tty-goldfish-introduce-gf_ioread32-gf_iowrite32.patch new file mode 100644 index 00000000000..85dee55de4b --- /dev/null +++ b/queue-5.18/tty-goldfish-introduce-gf_ioread32-gf_iowrite32.patch @@ -0,0 +1,154 @@ +From 2e2ac4a3327479f7e2744cdd88a5c823f2057bad Mon Sep 17 00:00:00 2001 +From: Laurent Vivier +Date: Wed, 6 Apr 2022 22:15:20 +0200 +Subject: tty: goldfish: Introduce gf_ioread32()/gf_iowrite32() + +From: Laurent Vivier + +commit 2e2ac4a3327479f7e2744cdd88a5c823f2057bad upstream. + +The goldfish TTY device was clearly defined as having little-endian +registers, but the switch to __raw_{read,write}l(() broke its driver +when running on big-endian kernels (if anyone ever tried this). + +The m68k qemu implementation got this wrong, and assumed native-endian +registers. While this is a bug in qemu, it is probably impossible to +fix that since there is no way of knowing which other operating systems +have started relying on that bug over the years. + +Hence revert commit da31de35cd2f ("tty: goldfish: use +__raw_writel()/__raw_readl()", and define gf_ioread32()/gf_iowrite32() +to be able to use accessors defined by the architecture. + +Cc: stable@vger.kernel.org # v5.11+ +Fixes: da31de35cd2fb78f ("tty: goldfish: use __raw_writel()/__raw_readl()") +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20220406201523.243733-2-laurent@vivier.eu +[geert: Add rationale based on Arnd's comments] +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/goldfish.c | 20 ++++++++++---------- + include/linux/goldfish.h | 15 +++++++++++---- + 2 files changed, 21 insertions(+), 14 deletions(-) + +--- a/drivers/tty/goldfish.c ++++ b/drivers/tty/goldfish.c +@@ -61,13 +61,13 @@ static void do_rw_io(struct goldfish_tty + spin_lock_irqsave(&qtty->lock, irq_flags); + gf_write_ptr((void *)address, base + GOLDFISH_TTY_REG_DATA_PTR, + base + GOLDFISH_TTY_REG_DATA_PTR_HIGH); +- __raw_writel(count, base + GOLDFISH_TTY_REG_DATA_LEN); ++ gf_iowrite32(count, base + GOLDFISH_TTY_REG_DATA_LEN); + + if (is_write) +- __raw_writel(GOLDFISH_TTY_CMD_WRITE_BUFFER, ++ gf_iowrite32(GOLDFISH_TTY_CMD_WRITE_BUFFER, + base + GOLDFISH_TTY_REG_CMD); + else +- __raw_writel(GOLDFISH_TTY_CMD_READ_BUFFER, ++ gf_iowrite32(GOLDFISH_TTY_CMD_READ_BUFFER, + base + GOLDFISH_TTY_REG_CMD); + + spin_unlock_irqrestore(&qtty->lock, irq_flags); +@@ -142,7 +142,7 @@ static irqreturn_t goldfish_tty_interrup + unsigned char *buf; + u32 count; + +- count = __raw_readl(base + GOLDFISH_TTY_REG_BYTES_READY); ++ count = gf_ioread32(base + GOLDFISH_TTY_REG_BYTES_READY); + if (count == 0) + return IRQ_NONE; + +@@ -159,7 +159,7 @@ static int goldfish_tty_activate(struct + { + struct goldfish_tty *qtty = container_of(port, struct goldfish_tty, + port); +- __raw_writel(GOLDFISH_TTY_CMD_INT_ENABLE, qtty->base + GOLDFISH_TTY_REG_CMD); ++ gf_iowrite32(GOLDFISH_TTY_CMD_INT_ENABLE, qtty->base + GOLDFISH_TTY_REG_CMD); + return 0; + } + +@@ -167,7 +167,7 @@ static void goldfish_tty_shutdown(struct + { + struct goldfish_tty *qtty = container_of(port, struct goldfish_tty, + port); +- __raw_writel(GOLDFISH_TTY_CMD_INT_DISABLE, qtty->base + GOLDFISH_TTY_REG_CMD); ++ gf_iowrite32(GOLDFISH_TTY_CMD_INT_DISABLE, qtty->base + GOLDFISH_TTY_REG_CMD); + } + + static int goldfish_tty_open(struct tty_struct *tty, struct file *filp) +@@ -202,7 +202,7 @@ static unsigned int goldfish_tty_chars_i + { + struct goldfish_tty *qtty = &goldfish_ttys[tty->index]; + void __iomem *base = qtty->base; +- return __raw_readl(base + GOLDFISH_TTY_REG_BYTES_READY); ++ return gf_ioread32(base + GOLDFISH_TTY_REG_BYTES_READY); + } + + static void goldfish_tty_console_write(struct console *co, const char *b, +@@ -355,7 +355,7 @@ static int goldfish_tty_probe(struct pla + * on Ranchu emulator (qemu2) returns 1 here and + * driver will use physical addresses. + */ +- qtty->version = __raw_readl(base + GOLDFISH_TTY_REG_VERSION); ++ qtty->version = gf_ioread32(base + GOLDFISH_TTY_REG_VERSION); + + /* + * Goldfish TTY device on Ranchu emulator (qemu2) +@@ -374,7 +374,7 @@ static int goldfish_tty_probe(struct pla + } + } + +- __raw_writel(GOLDFISH_TTY_CMD_INT_DISABLE, base + GOLDFISH_TTY_REG_CMD); ++ gf_iowrite32(GOLDFISH_TTY_CMD_INT_DISABLE, base + GOLDFISH_TTY_REG_CMD); + + ret = request_irq(irq, goldfish_tty_interrupt, IRQF_SHARED, + "goldfish_tty", qtty); +@@ -436,7 +436,7 @@ static int goldfish_tty_remove(struct pl + #ifdef CONFIG_GOLDFISH_TTY_EARLY_CONSOLE + static void gf_early_console_putchar(struct uart_port *port, unsigned char ch) + { +- __raw_writel(ch, port->membase); ++ gf_iowrite32(ch, port->membase); + } + + static void gf_early_write(struct console *con, const char *s, unsigned int n) +--- a/include/linux/goldfish.h ++++ b/include/linux/goldfish.h +@@ -8,14 +8,21 @@ + + /* Helpers for Goldfish virtual platform */ + ++#ifndef gf_ioread32 ++#define gf_ioread32 ioread32 ++#endif ++#ifndef gf_iowrite32 ++#define gf_iowrite32 iowrite32 ++#endif ++ + static inline void gf_write_ptr(const void *ptr, void __iomem *portl, + void __iomem *porth) + { + const unsigned long addr = (unsigned long)ptr; + +- __raw_writel(lower_32_bits(addr), portl); ++ gf_iowrite32(lower_32_bits(addr), portl); + #ifdef CONFIG_64BIT +- __raw_writel(upper_32_bits(addr), porth); ++ gf_iowrite32(upper_32_bits(addr), porth); + #endif + } + +@@ -23,9 +30,9 @@ static inline void gf_write_dma_addr(con + void __iomem *portl, + void __iomem *porth) + { +- __raw_writel(lower_32_bits(addr), portl); ++ gf_iowrite32(lower_32_bits(addr), portl); + #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT +- __raw_writel(upper_32_bits(addr), porth); ++ gf_iowrite32(upper_32_bits(addr), porth); + #endif + } + -- 2.47.3