From dd48d9ab7f7f1d21547611c9034cabce350e05f9 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 1 Apr 2022 12:38:40 +0200 Subject: [PATCH] 4.9-stable patches added patches: clk-uniphier-fix-fixed-rate-initialization.patch coresight-fix-trcconfigr.qe-sysfs-interface.patch iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch iio-inkern-make-a-best-effort-on-offset-calculation.patch nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch --- ...iphier-fix-fixed-rate-initialization.patch | 35 ++++++ ...ht-fix-trcconfigr.qe-sysfs-interface.patch | 56 ++++++++++ ...-consumer-scale-on-iio_val_int-cases.patch | 42 +++++++ ...-a-best-effort-on-offset-calculation.patch | 68 ++++++++++++ ...underflow-in-nfssvc_decode_writeargs.patch | 47 ++++++++ ...d_seccomp-permission-on-ptrace_seize.patch | 105 ++++++++++++++++++ ...7xx-clear-rs485-bits-in-the-shutdown.patch | 42 +++++++ queue-4.9/series | 8 ++ ...between-mod_timer-and-del_timer_sync.patch | 49 ++++++++ 9 files changed, 452 insertions(+) create mode 100644 queue-4.9/clk-uniphier-fix-fixed-rate-initialization.patch create mode 100644 queue-4.9/coresight-fix-trcconfigr.qe-sysfs-interface.patch create mode 100644 queue-4.9/iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch create mode 100644 queue-4.9/iio-inkern-make-a-best-effort-on-offset-calculation.patch create mode 100644 queue-4.9/nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch create mode 100644 queue-4.9/ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch create mode 100644 queue-4.9/serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch create mode 100644 queue-4.9/sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch diff --git a/queue-4.9/clk-uniphier-fix-fixed-rate-initialization.patch b/queue-4.9/clk-uniphier-fix-fixed-rate-initialization.patch new file mode 100644 index 00000000000..166193238a1 --- /dev/null +++ b/queue-4.9/clk-uniphier-fix-fixed-rate-initialization.patch @@ -0,0 +1,35 @@ +From ca85a66710a8a1f6b0719397225c3e9ee0abb692 Mon Sep 17 00:00:00 2001 +From: Kunihiko Hayashi +Date: Wed, 9 Mar 2022 15:55:18 +0900 +Subject: clk: uniphier: Fix fixed-rate initialization + +From: Kunihiko Hayashi + +commit ca85a66710a8a1f6b0719397225c3e9ee0abb692 upstream. + +Fixed-rate clocks in UniPhier don't have any parent clocks, however, +initial data "init.flags" isn't initialized, so it might be determined +that there is a parent clock for fixed-rate clock. + +This sets init.flags to zero as initialization. + +Cc: +Fixes: 734d82f4a678 ("clk: uniphier: add core support code for UniPhier clock driver") +Signed-off-by: Kunihiko Hayashi +Link: https://lore.kernel.org/r/1646808918-30899-1-git-send-email-hayashi.kunihiko@socionext.com +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/uniphier/clk-uniphier-fixed-rate.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/clk/uniphier/clk-uniphier-fixed-rate.c ++++ b/drivers/clk/uniphier/clk-uniphier-fixed-rate.c +@@ -33,6 +33,7 @@ struct clk_hw *uniphier_clk_register_fix + + init.name = name; + init.ops = &clk_fixed_rate_ops; ++ init.flags = 0; + init.parent_names = NULL; + init.num_parents = 0; + diff --git a/queue-4.9/coresight-fix-trcconfigr.qe-sysfs-interface.patch b/queue-4.9/coresight-fix-trcconfigr.qe-sysfs-interface.patch new file mode 100644 index 00000000000..91179516951 --- /dev/null +++ b/queue-4.9/coresight-fix-trcconfigr.qe-sysfs-interface.patch @@ -0,0 +1,56 @@ +From ea75a342aed5ed72c87f38fbe0df2f5df7eae374 Mon Sep 17 00:00:00 2001 +From: James Clark +Date: Thu, 20 Jan 2022 11:30:47 +0000 +Subject: coresight: Fix TRCCONFIGR.QE sysfs interface + +From: James Clark + +commit ea75a342aed5ed72c87f38fbe0df2f5df7eae374 upstream. + +It's impossible to program a valid value for TRCCONFIGR.QE +when TRCIDR0.QSUPP==0b10. In that case the following is true: + + Q element support is implemented, and only supports Q elements without + instruction counts. TRCCONFIGR.QE can only take the values 0b00 or 0b11. + +Currently the low bit of QSUPP is checked to see if the low bit of QE can +be written to, but as you can see when QSUPP==0b10 the low bit is cleared +making it impossible to ever write the only valid value of 0b11 to QE. +0b10 would be written instead, which is a reserved QE value even for all +values of QSUPP. + +The fix is to allow writing the low bit of QE for any non zero value of +QSUPP. + +This change also ensures that the low bit is always set, even when the +user attempts to only set the high bit. + +Signed-off-by: James Clark +Reviewed-by: Mike Leach +Fixes: d8c66962084f ("coresight-etm4x: Controls pertaining to the reset, mode, pe and events") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220120113047.2839622-2-james.clark@arm.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Suzuki K Poulose +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c +@@ -379,8 +379,12 @@ static ssize_t mode_store(struct device + mode = ETM_MODE_QELEM(config->mode); + /* start by clearing QE bits */ + config->cfg &= ~(BIT(13) | BIT(14)); +- /* if supported, Q elements with instruction counts are enabled */ +- if ((mode & BIT(0)) && (drvdata->q_support & BIT(0))) ++ /* ++ * if supported, Q elements with instruction counts are enabled. ++ * Always set the low bit for any requested mode. Valid combos are ++ * 0b00, 0b01 and 0b11. ++ */ ++ if (mode && drvdata->q_support) + config->cfg |= BIT(13); + /* + * if supported, Q elements with and without instruction diff --git a/queue-4.9/iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch b/queue-4.9/iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch new file mode 100644 index 00000000000..da20ff837b5 --- /dev/null +++ b/queue-4.9/iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch @@ -0,0 +1,42 @@ +From 1bca97ff95c732a516ebb68da72814194980e0a5 Mon Sep 17 00:00:00 2001 +From: Liam Beguin +Date: Sat, 8 Jan 2022 15:53:04 -0500 +Subject: iio: inkern: apply consumer scale on IIO_VAL_INT cases + +From: Liam Beguin + +commit 1bca97ff95c732a516ebb68da72814194980e0a5 upstream. + +When a consumer calls iio_read_channel_processed() and the channel has +an integer scale, the scale channel scale is applied and the processed +value is returned as expected. + +On the other hand, if the consumer calls iio_convert_raw_to_processed() +the scaling factor requested by the consumer is not applied. + +This for example causes the consumer to process mV when expecting uV. +Make sure to always apply the scaling factor requested by the consumer. + +Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value") +Signed-off-by: Liam Beguin +Reviewed-by: Peter Rosin +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220108205319.2046348-2-liambeguin@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/inkern.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -606,7 +606,7 @@ static int iio_convert_raw_to_processed_ + + switch (scale_type) { + case IIO_VAL_INT: +- *processed = raw64 * scale_val; ++ *processed = raw64 * scale_val * scale; + break; + case IIO_VAL_INT_PLUS_MICRO: + if (scale_val2 < 0) diff --git a/queue-4.9/iio-inkern-make-a-best-effort-on-offset-calculation.patch b/queue-4.9/iio-inkern-make-a-best-effort-on-offset-calculation.patch new file mode 100644 index 00000000000..28fcd3acc62 --- /dev/null +++ b/queue-4.9/iio-inkern-make-a-best-effort-on-offset-calculation.patch @@ -0,0 +1,68 @@ +From ca85123354e1a65a22170286387b4791997fe864 Mon Sep 17 00:00:00 2001 +From: Liam Beguin +Date: Sat, 8 Jan 2022 15:53:06 -0500 +Subject: iio: inkern: make a best effort on offset calculation + +From: Liam Beguin + +commit ca85123354e1a65a22170286387b4791997fe864 upstream. + +iio_convert_raw_to_processed_unlocked() assumes the offset is an +integer. Make a best effort to get a valid offset value for fractional +cases without breaking implicit truncations. + +Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value") +Signed-off-by: Liam Beguin +Reviewed-by: Peter Rosin +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220108205319.2046348-4-liambeguin@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/inkern.c | 32 +++++++++++++++++++++++++++----- + 1 file changed, 27 insertions(+), 5 deletions(-) + +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -591,13 +591,35 @@ EXPORT_SYMBOL_GPL(iio_read_channel_avera + static int iio_convert_raw_to_processed_unlocked(struct iio_channel *chan, + int raw, int *processed, unsigned int scale) + { +- int scale_type, scale_val, scale_val2, offset; ++ int scale_type, scale_val, scale_val2; ++ int offset_type, offset_val, offset_val2; + s64 raw64 = raw; +- int ret; + +- ret = iio_channel_read(chan, &offset, NULL, IIO_CHAN_INFO_OFFSET); +- if (ret >= 0) +- raw64 += offset; ++ offset_type = iio_channel_read(chan, &offset_val, &offset_val2, ++ IIO_CHAN_INFO_OFFSET); ++ if (offset_type >= 0) { ++ switch (offset_type) { ++ case IIO_VAL_INT: ++ break; ++ case IIO_VAL_INT_PLUS_MICRO: ++ case IIO_VAL_INT_PLUS_NANO: ++ /* ++ * Both IIO_VAL_INT_PLUS_MICRO and IIO_VAL_INT_PLUS_NANO ++ * implicitely truncate the offset to it's integer form. ++ */ ++ break; ++ case IIO_VAL_FRACTIONAL: ++ offset_val /= offset_val2; ++ break; ++ case IIO_VAL_FRACTIONAL_LOG2: ++ offset_val >>= offset_val2; ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ raw64 += offset_val; ++ } + + scale_type = iio_channel_read(chan, &scale_val, &scale_val2, + IIO_CHAN_INFO_SCALE); diff --git a/queue-4.9/nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch b/queue-4.9/nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch new file mode 100644 index 00000000000..508fc670836 --- /dev/null +++ b/queue-4.9/nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch @@ -0,0 +1,47 @@ +From 184416d4b98509fb4c3d8fc3d6dc1437896cc159 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 15 Mar 2022 13:30:09 +0300 +Subject: NFSD: prevent underflow in nfssvc_decode_writeargs() + +From: Dan Carpenter + +commit 184416d4b98509fb4c3d8fc3d6dc1437896cc159 upstream. + +Smatch complains: + + fs/nfsd/nfsxdr.c:341 nfssvc_decode_writeargs() + warn: no lower bound on 'args->len' + +Change the type to unsigned to prevent this issue. + +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfsproc.c | 2 +- + fs/nfsd/xdr.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfsproc.c ++++ b/fs/nfsd/nfsproc.c +@@ -207,7 +207,7 @@ nfsd_proc_write(struct svc_rqst *rqstp, + int stable = 1; + unsigned long cnt = argp->len; + +- dprintk("nfsd: WRITE %s %d bytes at %d\n", ++ dprintk("nfsd: WRITE %s %u bytes at %d\n", + SVCFH_fmt(&argp->fh), + argp->len, argp->offset); + +--- a/fs/nfsd/xdr.h ++++ b/fs/nfsd/xdr.h +@@ -32,7 +32,7 @@ struct nfsd_readargs { + struct nfsd_writeargs { + svc_fh fh; + __u32 offset; +- int len; ++ __u32 len; + int vlen; + }; + diff --git a/queue-4.9/ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch b/queue-4.9/ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch new file mode 100644 index 00000000000..e36bc6cc441 --- /dev/null +++ b/queue-4.9/ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch @@ -0,0 +1,105 @@ +From ee1fee900537b5d9560e9f937402de5ddc8412f3 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Sat, 19 Mar 2022 02:08:37 +0100 +Subject: ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE + +From: Jann Horn + +commit ee1fee900537b5d9560e9f937402de5ddc8412f3 upstream. + +Setting PTRACE_O_SUSPEND_SECCOMP is supposed to be a highly privileged +operation because it allows the tracee to completely bypass all seccomp +filters on kernels with CONFIG_CHECKPOINT_RESTORE=y. It is only supposed to +be settable by a process with global CAP_SYS_ADMIN, and only if that +process is not subject to any seccomp filters at all. + +However, while these permission checks were done on the PTRACE_SETOPTIONS +path, they were missing on the PTRACE_SEIZE path, which also sets +user-specified ptrace flags. + +Move the permissions checks out into a helper function and let both +ptrace_attach() and ptrace_setoptions() call it. + +Cc: stable@kernel.org +Fixes: 13c4a90119d2 ("seccomp: add ptrace options for suspend/resume") +Signed-off-by: Jann Horn +Link: https://lkml.kernel.org/r/20220319010838.1386861-1-jannh@google.com +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman +--- + kernel/ptrace.c | 47 ++++++++++++++++++++++++++++++++--------------- + 1 file changed, 32 insertions(+), 15 deletions(-) + +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -371,6 +371,26 @@ bool ptrace_may_access(struct task_struc + return !err; + } + ++static int check_ptrace_options(unsigned long data) ++{ ++ if (data & ~(unsigned long)PTRACE_O_MASK) ++ return -EINVAL; ++ ++ if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { ++ if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || ++ !IS_ENABLED(CONFIG_SECCOMP)) ++ return -EINVAL; ++ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ ++ if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || ++ current->ptrace & PT_SUSPEND_SECCOMP) ++ return -EPERM; ++ } ++ return 0; ++} ++ + static int ptrace_attach(struct task_struct *task, long request, + unsigned long addr, + unsigned long flags) +@@ -382,8 +402,16 @@ static int ptrace_attach(struct task_str + if (seize) { + if (addr != 0) + goto out; ++ /* ++ * This duplicates the check in check_ptrace_options() because ++ * ptrace_attach() and ptrace_setoptions() have historically ++ * used different error codes for unknown ptrace options. ++ */ + if (flags & ~(unsigned long)PTRACE_O_MASK) + goto out; ++ retval = check_ptrace_options(flags); ++ if (retval) ++ return retval; + flags = PT_PTRACED | PT_SEIZED | (flags << PT_OPT_FLAG_SHIFT); + } else { + flags = PT_PTRACED; +@@ -656,22 +684,11 @@ int ptrace_writedata(struct task_struct + static int ptrace_setoptions(struct task_struct *child, unsigned long data) + { + unsigned flags; ++ int ret; + +- if (data & ~(unsigned long)PTRACE_O_MASK) +- return -EINVAL; +- +- if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { +- if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || +- !IS_ENABLED(CONFIG_SECCOMP)) +- return -EINVAL; +- +- if (!capable(CAP_SYS_ADMIN)) +- return -EPERM; +- +- if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || +- current->ptrace & PT_SUSPEND_SECCOMP) +- return -EPERM; +- } ++ ret = check_ptrace_options(data); ++ if (ret) ++ return ret; + + /* Avoid intermediate state when all opts are cleared */ + flags = child->ptrace; diff --git a/queue-4.9/serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch b/queue-4.9/serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch new file mode 100644 index 00000000000..d71bc510b8f --- /dev/null +++ b/queue-4.9/serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch @@ -0,0 +1,42 @@ +From 927728a34f11b5a27f4610bdb7068317d6fdc72a Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Tue, 8 Mar 2022 19:00:42 +0800 +Subject: serial: sc16is7xx: Clear RS485 bits in the shutdown + +From: Hui Wang + +commit 927728a34f11b5a27f4610bdb7068317d6fdc72a upstream. + +We tested RS485 function on an EVB which has SC16IS752, after +finishing the test, we started the RS232 function test, but found the +RTS is still working in the RS485 mode. + +That is because both startup and shutdown call port_update() to set +the EFCR_REG, this will not clear the RS485 bits once the bits are set +in the reconf_rs485(). To fix it, clear the RS485 bits in shutdown. + +Cc: +Signed-off-by: Hui Wang +Link: https://lore.kernel.org/r/20220308110042.108451-1-hui.wang@canonical.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sc16is7xx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/sc16is7xx.c ++++ b/drivers/tty/serial/sc16is7xx.c +@@ -1055,10 +1055,12 @@ static void sc16is7xx_shutdown(struct ua + + /* Disable all interrupts */ + sc16is7xx_port_write(port, SC16IS7XX_IER_REG, 0); +- /* Disable TX/RX */ ++ /* Disable TX/RX, clear auto RS485 and RTS invert */ + sc16is7xx_port_update(port, SC16IS7XX_EFCR_REG, + SC16IS7XX_EFCR_RXDISABLE_BIT | +- SC16IS7XX_EFCR_TXDISABLE_BIT, ++ SC16IS7XX_EFCR_TXDISABLE_BIT | ++ SC16IS7XX_EFCR_AUTO_RS485_BIT | ++ SC16IS7XX_EFCR_RTS_INVERT_BIT, + SC16IS7XX_EFCR_RXDISABLE_BIT | + SC16IS7XX_EFCR_TXDISABLE_BIT); + diff --git a/queue-4.9/series b/queue-4.9/series index 94f46c954cd..7fa47097bbf 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -7,3 +7,11 @@ af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch block-add-a-helper-to-validate-the-block-size.patch virtio-blk-use-blk_validate_block_size-to-validate-block-size.patch usb-usb-storage-fix-use-of-bitfields-for-hardware-data-in-ene_ub6250.c.patch +coresight-fix-trcconfigr.qe-sysfs-interface.patch +iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch +iio-inkern-make-a-best-effort-on-offset-calculation.patch +clk-uniphier-fix-fixed-rate-initialization.patch +ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch +serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch +sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch +nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch diff --git a/queue-4.9/sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch b/queue-4.9/sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch new file mode 100644 index 00000000000..927e5bf5229 --- /dev/null +++ b/queue-4.9/sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch @@ -0,0 +1,49 @@ +From 3848e96edf4788f772d83990022fa7023a233d83 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Tue, 8 Mar 2022 13:42:17 +1100 +Subject: SUNRPC: avoid race between mod_timer() and del_timer_sync() + +From: NeilBrown + +commit 3848e96edf4788f772d83990022fa7023a233d83 upstream. + +xprt_destory() claims XPRT_LOCKED and then calls del_timer_sync(). +Both xprt_unlock_connect() and xprt_release() call + ->release_xprt() +which drops XPRT_LOCKED and *then* xprt_schedule_autodisconnect() +which calls mod_timer(). + +This may result in mod_timer() being called *after* del_timer_sync(). +When this happens, the timer may fire long after the xprt has been freed, +and run_timer_softirq() will probably crash. + +The pairing of ->release_xprt() and xprt_schedule_autodisconnect() is +always called under ->transport_lock. So if we take ->transport_lock to +call del_timer_sync(), we can be sure that mod_timer() will run first +(if it runs at all). + +Cc: stable@vger.kernel.org +Signed-off-by: NeilBrown +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/xprt.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -1446,7 +1446,14 @@ static void xprt_destroy(struct rpc_xprt + /* Exclude transport connect/disconnect handlers */ + wait_on_bit_lock(&xprt->state, XPRT_LOCKED, TASK_UNINTERRUPTIBLE); + ++ /* ++ * xprt_schedule_autodisconnect() can run after XPRT_LOCKED ++ * is cleared. We use ->transport_lock to ensure the mod_timer() ++ * can only run *before* del_time_sync(), never after. ++ */ ++ spin_lock(&xprt->transport_lock); + del_timer_sync(&xprt->timer); ++ spin_unlock(&xprt->transport_lock); + + rpc_xprt_debugfs_unregister(xprt); + rpc_destroy_wait_queue(&xprt->binding); -- 2.47.3