--- /dev/null
+From 41a8457f3f6f829be1f8f8fa7577a46b9b7223ef Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Date: Tue, 27 Jul 2021 09:18:24 -0700
+Subject: ACPI: DPTF: Fix reading of attributes
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+commit 41a8457f3f6f829be1f8f8fa7577a46b9b7223ef upstream.
+
+The current assumption that methods to read PCH FIVR attributes will
+return integer, is not correct. There is no good way to return integer
+as negative numbers are also valid.
+
+These read methods return a package of integers. The first integer returns
+status, which is 0 on success and any other value for failure. When the
+returned status is zero, then the second integer returns the actual value.
+
+This change fixes this issue by replacing acpi_evaluate_integer() with
+acpi_evaluate_object() and use acpi_extract_package() to extract results.
+
+Fixes: 2ce6324eadb01 ("ACPI: DPTF: Add PCH FIVR participant driver")
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Cc: 5.10+ <stable@vger.kernel.org> # 5.10+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/dptf/dptf_pch_fivr.c | 51 ++++++++++++++++++++++++++++++++------
+ 1 file changed, 43 insertions(+), 8 deletions(-)
+
+--- a/drivers/acpi/dptf/dptf_pch_fivr.c
++++ b/drivers/acpi/dptf/dptf_pch_fivr.c
+@@ -9,6 +9,42 @@
+ #include <linux/module.h>
+ #include <linux/platform_device.h>
+
++struct pch_fivr_resp {
++ u64 status;
++ u64 result;
++};
++
++static int pch_fivr_read(acpi_handle handle, char *method, struct pch_fivr_resp *fivr_resp)
++{
++ struct acpi_buffer resp = { sizeof(struct pch_fivr_resp), fivr_resp};
++ struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };
++ struct acpi_buffer format = { sizeof("NN"), "NN" };
++ union acpi_object *obj;
++ acpi_status status;
++ int ret = -EFAULT;
++
++ status = acpi_evaluate_object(handle, method, NULL, &buffer);
++ if (ACPI_FAILURE(status))
++ return ret;
++
++ obj = buffer.pointer;
++ if (!obj || obj->type != ACPI_TYPE_PACKAGE)
++ goto release_buffer;
++
++ status = acpi_extract_package(obj, &format, &resp);
++ if (ACPI_FAILURE(status))
++ goto release_buffer;
++
++ if (fivr_resp->status)
++ goto release_buffer;
++
++ ret = 0;
++
++release_buffer:
++ kfree(buffer.pointer);
++ return ret;
++}
++
+ /*
+ * Presentation of attributes which are defined for INT1045
+ * They are:
+@@ -23,15 +59,14 @@ static ssize_t name##_show(struct device
+ char *buf)\
+ {\
+ struct acpi_device *acpi_dev = dev_get_drvdata(dev);\
+- unsigned long long val;\
+- acpi_status status;\
++ struct pch_fivr_resp fivr_resp;\
++ int status;\
++\
++ status = pch_fivr_read(acpi_dev->handle, #method, &fivr_resp);\
++ if (status)\
++ return status;\
+ \
+- status = acpi_evaluate_integer(acpi_dev->handle, #method,\
+- NULL, &val);\
+- if (ACPI_SUCCESS(status))\
+- return sprintf(buf, "%d\n", (int)val);\
+- else\
+- return -EINVAL;\
++ return sprintf(buf, "%llu\n", fivr_resp.result);\
+ }
+
+ #define PCH_FIVR_STORE(name, method) \
--- /dev/null
+From 640b7ea5f888b521dcf28e2564ce75d08a783fd7 Mon Sep 17 00:00:00 2001
+From: Mike Rapoport <rppt@linux.ibm.com>
+Date: Tue, 27 Jul 2021 23:38:24 +0300
+Subject: alpha: register early reserved memory in memblock
+
+From: Mike Rapoport <rppt@linux.ibm.com>
+
+commit 640b7ea5f888b521dcf28e2564ce75d08a783fd7 upstream.
+
+The memory reserved by console/PALcode or non-volatile memory is not added
+to memblock.memory.
+
+Since commit fa3354e4ea39 (mm: free_area_init: use maximal zone PFNs rather
+than zone sizes) the initialization of the memory map relies on the
+accuracy of memblock.memory to properly calculate zone sizes. The holes in
+memblock.memory caused by absent regions reserved by the firmware cause
+incorrect initialization of struct pages which leads to BUG() during the
+initial page freeing:
+
+BUG: Bad page state in process swapper pfn:2ffc53
+page:fffffc000ecf14c0 refcount:0 mapcount:1 mapping:0000000000000000 index:0x0
+flags: 0x0()
+raw: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+raw: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+page dumped because: nonzero mapcount
+Modules linked in:
+CPU: 0 PID: 0 Comm: swapper Not tainted 5.7.0-03841-gfa3354e4ea39-dirty #26
+ fffffc0001b5bd68 fffffc0001b5be80 fffffc00011cd148 fffffc000ecf14c0
+ fffffc00019803df fffffc0001b5be80 fffffc00011ce340 fffffc000ecf14c0
+ 0000000000000000 fffffc0001b5be80 fffffc0001b482c0 fffffc00027d6618
+ fffffc00027da7d0 00000000002ff97a 0000000000000000 fffffc0001b5be80
+ fffffc00011d1abc fffffc000ecf14c0 fffffc0002d00000 fffffc0001b5be80
+ fffffc0001b2350c 0000000000300000 fffffc0001b48298 fffffc0001b482c0
+Trace:
+[<fffffc00011cd148>] bad_page+0x168/0x1b0
+[<fffffc00011ce340>] free_pcp_prepare+0x1e0/0x290
+[<fffffc00011d1abc>] free_unref_page+0x2c/0xa0
+[<fffffc00014ee5f0>] cmp_ex_sort+0x0/0x30
+[<fffffc00014ee5f0>] cmp_ex_sort+0x0/0x30
+[<fffffc000101001c>] _stext+0x1c/0x20
+
+Fix this by registering the reserved ranges in memblock.memory.
+
+Link: https://lore.kernel.org/lkml/20210726192311.uffqnanxw3ac5wwi@ivybridge
+Fixes: fa3354e4ea39 ("mm: free_area_init: use maximal zone PFNs rather than zone sizes")
+Reported-by: Matt Turner <mattst88@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
+Signed-off-by: Matt Turner <mattst88@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/alpha/kernel/setup.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/arch/alpha/kernel/setup.c
++++ b/arch/alpha/kernel/setup.c
+@@ -325,18 +325,19 @@ setup_memory(void *kernel_end)
+ i, cluster->usage, cluster->start_pfn,
+ cluster->start_pfn + cluster->numpages);
+
+- /* Bit 0 is console/PALcode reserved. Bit 1 is
+- non-volatile memory -- we might want to mark
+- this for later. */
+- if (cluster->usage & 3)
+- continue;
+-
+ end = cluster->start_pfn + cluster->numpages;
+ if (end > max_low_pfn)
+ max_low_pfn = end;
+
+ memblock_add(PFN_PHYS(cluster->start_pfn),
+ cluster->numpages << PAGE_SHIFT);
++
++ /* Bit 0 is console/PALcode reserved. Bit 1 is
++ non-volatile memory -- we might want to mark
++ this for later. */
++ if (cluster->usage & 3)
++ memblock_reserve(PFN_PHYS(cluster->start_pfn),
++ cluster->numpages << PAGE_SHIFT);
+ }
+
+ /*
--- /dev/null
+From 5ab189cf3abbc9994bae3be524c5b88589ed56e2 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Tue, 27 Jul 2021 14:38:09 -1000
+Subject: blk-iocost: fix operation ordering in iocg_wake_fn()
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 5ab189cf3abbc9994bae3be524c5b88589ed56e2 upstream.
+
+iocg_wake_fn() open-codes wait_queue_entry removal and wakeup because it
+wants the wq_entry to be always removed whether it ended up waking the
+task or not. finish_wait() tests whether wq_entry needs removal without
+grabbing the wait_queue lock and expects the waker to use
+list_del_init_careful() after all waking operations are complete, which
+iocg_wake_fn() didn't do. The operation order was wrong and the regular
+list_del_init() was used.
+
+The result is that if a waiter wakes up racing the waker, it can free pop
+the wq_entry off stack before the waker is still looking at it, which can
+lead to a backtrace like the following.
+
+ [7312084.588951] general protection fault, probably for non-canonical address 0x586bf4005b2b88: 0000 [#1] SMP
+ ...
+ [7312084.647079] RIP: 0010:queued_spin_lock_slowpath+0x171/0x1b0
+ ...
+ [7312084.858314] Call Trace:
+ [7312084.863548] _raw_spin_lock_irqsave+0x22/0x30
+ [7312084.872605] try_to_wake_up+0x4c/0x4f0
+ [7312084.880444] iocg_wake_fn+0x71/0x80
+ [7312084.887763] __wake_up_common+0x71/0x140
+ [7312084.895951] iocg_kick_waitq+0xe8/0x2b0
+ [7312084.903964] ioc_rqos_throttle+0x275/0x650
+ [7312084.922423] __rq_qos_throttle+0x20/0x30
+ [7312084.930608] blk_mq_make_request+0x120/0x650
+ [7312084.939490] generic_make_request+0xca/0x310
+ [7312084.957600] submit_bio+0x173/0x200
+ [7312084.981806] swap_readpage+0x15c/0x240
+ [7312084.989646] read_swap_cache_async+0x58/0x60
+ [7312084.998527] swap_cluster_readahead+0x201/0x320
+ [7312085.023432] swapin_readahead+0x2df/0x450
+ [7312085.040672] do_swap_page+0x52f/0x820
+ [7312085.058259] handle_mm_fault+0xa16/0x1420
+ [7312085.066620] do_page_fault+0x2c6/0x5c0
+ [7312085.074459] page_fault+0x2f/0x40
+
+Fix it by switching to list_del_init_careful() and putting it at the end.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Rik van Riel <riel@surriel.com>
+Fixes: 7caa47151ab2 ("blkcg: implement blk-iocost")
+Cc: stable@vger.kernel.org # v5.4+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-iocost.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/block/blk-iocost.c
++++ b/block/blk-iocost.c
+@@ -1440,16 +1440,17 @@ static int iocg_wake_fn(struct wait_queu
+ return -1;
+
+ iocg_commit_bio(ctx->iocg, wait->bio, wait->abs_cost, cost);
++ wait->committed = true;
+
+ /*
+ * autoremove_wake_function() removes the wait entry only when it
+- * actually changed the task state. We want the wait always
+- * removed. Remove explicitly and use default_wake_function().
++ * actually changed the task state. We want the wait always removed.
++ * Remove explicitly and use default_wake_function(). Note that the
++ * order of operations is important as finish_wait() tests whether
++ * @wq_entry is removed without grabbing the lock.
+ */
+- list_del_init(&wq_entry->entry);
+- wait->committed = true;
+-
+ default_wake_function(wq_entry, mode, flags, key);
++ list_del_init_careful(&wq_entry->entry);
+ return 0;
+ }
+
--- /dev/null
+From ecc64fab7d49c678e70bd4c35fe64d2ab3e3d212 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 27 Jul 2021 11:24:43 +0100
+Subject: btrfs: fix lost inode on log replay after mix of fsync, rename and inode eviction
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit ecc64fab7d49c678e70bd4c35fe64d2ab3e3d212 upstream.
+
+When checking if we need to log the new name of a renamed inode, we are
+checking if the inode and its parent inode have been logged before, and if
+not we don't log the new name. The check however is buggy, as it directly
+compares the logged_trans field of the inodes versus the ID of the current
+transaction. The problem is that logged_trans is a transient field, only
+stored in memory and never persisted in the inode item, so if an inode
+was logged before, evicted and reloaded, its logged_trans field is set to
+a value of 0, meaning the check will return false and the new name of the
+renamed inode is not logged. If the old parent directory was previously
+fsynced and we deleted the logged directory entries corresponding to the
+old name, we end up with a log that when replayed will delete the renamed
+inode.
+
+The following example triggers the problem:
+
+ $ mkfs.btrfs -f /dev/sdc
+ $ mount /dev/sdc /mnt
+
+ $ mkdir /mnt/A
+ $ mkdir /mnt/B
+ $ echo -n "hello world" > /mnt/A/foo
+
+ $ sync
+
+ # Add some new file to A and fsync directory A.
+ $ touch /mnt/A/bar
+ $ xfs_io -c "fsync" /mnt/A
+
+ # Now trigger inode eviction. We are only interested in triggering
+ # eviction for the inode of directory A.
+ $ echo 2 > /proc/sys/vm/drop_caches
+
+ # Move foo from directory A to directory B.
+ # This deletes the directory entries for foo in A from the log, and
+ # does not add the new name for foo in directory B to the log, because
+ # logged_trans of A is 0, which is less than the current transaction ID.
+ $ mv /mnt/A/foo /mnt/B/foo
+
+ # Now make an fsync to anything except A, B or any file inside them,
+ # like for example create a file at the root directory and fsync this
+ # new file. This syncs the log that contains all the changes done by
+ # previous rename operation.
+ $ touch /mnt/baz
+ $ xfs_io -c "fsync" /mnt/baz
+
+ <power fail>
+
+ # Mount the filesystem and replay the log.
+ $ mount /dev/sdc /mnt
+
+ # Check the filesystem content.
+ $ ls -1R /mnt
+ /mnt/:
+ A
+ B
+ baz
+
+ /mnt/A:
+ bar
+
+ /mnt/B:
+ $
+
+ # File foo is gone, it's neither in A/ nor in B/.
+
+Fix this by using the inode_logged() helper at btrfs_log_new_name(), which
+safely checks if an inode was logged before in the current transaction.
+
+A test case for fstests will follow soon.
+
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -6492,8 +6492,8 @@ void btrfs_log_new_name(struct btrfs_tra
+ * if this inode hasn't been logged and directory we're renaming it
+ * from hasn't been logged, we don't need to log it
+ */
+- if (inode->logged_trans < trans->transid &&
+- (!old_dir || old_dir->logged_trans < trans->transid))
++ if (!inode_logged(trans, inode) &&
++ (!old_dir || !inode_logged(trans, old_dir)))
+ return;
+
+ /*
--- /dev/null
+From b2a616676839e2a6b02c8e40be7f886f882ed194 Mon Sep 17 00:00:00 2001
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Date: Tue, 27 Jul 2021 15:13:03 +0800
+Subject: btrfs: fix rw device counting in __btrfs_free_extra_devids
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+commit b2a616676839e2a6b02c8e40be7f886f882ed194 upstream.
+
+When removing a writeable device in __btrfs_free_extra_devids, the rw
+device count should be decremented.
+
+This error was caught by Syzbot which reported a warning in
+close_fs_devices:
+
+ WARNING: CPU: 1 PID: 9355 at fs/btrfs/volumes.c:1168 close_fs_devices+0x763/0x880 fs/btrfs/volumes.c:1168
+ Modules linked in:
+ CPU: 0 PID: 9355 Comm: syz-executor552 Not tainted 5.13.0-rc1-syzkaller #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ RIP: 0010:close_fs_devices+0x763/0x880 fs/btrfs/volumes.c:1168
+ RSP: 0018:ffffc9000333f2f0 EFLAGS: 00010293
+ RAX: ffffffff8365f5c3 RBX: 0000000000000001 RCX: ffff888029afd4c0
+ RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
+ RBP: ffff88802846f508 R08: ffffffff8365f525 R09: ffffed100337d128
+ R10: ffffed100337d128 R11: 0000000000000000 R12: dffffc0000000000
+ R13: ffff888019be8868 R14: 1ffff1100337d10d R15: 1ffff1100337d10a
+ FS: 00007f6f53828700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000000047c410 CR3: 00000000302a6000 CR4: 00000000001506f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ btrfs_close_devices+0xc9/0x450 fs/btrfs/volumes.c:1180
+ open_ctree+0x8e1/0x3968 fs/btrfs/disk-io.c:3693
+ btrfs_fill_super fs/btrfs/super.c:1382 [inline]
+ btrfs_mount_root+0xac5/0xc60 fs/btrfs/super.c:1749
+ legacy_get_tree+0xea/0x180 fs/fs_context.c:592
+ vfs_get_tree+0x86/0x270 fs/super.c:1498
+ fc_mount fs/namespace.c:993 [inline]
+ vfs_kern_mount+0xc9/0x160 fs/namespace.c:1023
+ btrfs_mount+0x3d3/0xb50 fs/btrfs/super.c:1809
+ legacy_get_tree+0xea/0x180 fs/fs_context.c:592
+ vfs_get_tree+0x86/0x270 fs/super.c:1498
+ do_new_mount fs/namespace.c:2905 [inline]
+ path_mount+0x196f/0x2be0 fs/namespace.c:3235
+ do_mount fs/namespace.c:3248 [inline]
+ __do_sys_mount fs/namespace.c:3456 [inline]
+ __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3433
+ do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Because fs_devices->rw_devices was not 0 after
+closing all devices. Here is the call trace that was observed:
+
+ btrfs_mount_root():
+ btrfs_scan_one_device():
+ device_list_add(); <---------------- device added
+ btrfs_open_devices():
+ open_fs_devices():
+ btrfs_open_one_device(); <-------- writable device opened,
+ rw device count ++
+ btrfs_fill_super():
+ open_ctree():
+ btrfs_free_extra_devids():
+ __btrfs_free_extra_devids(); <--- writable device removed,
+ rw device count not decremented
+ fail_tree_roots:
+ btrfs_close_devices():
+ close_fs_devices(); <------- rw device count off by 1
+
+As a note, prior to commit cf89af146b7e ("btrfs: dev-replace: fail
+mount if we don't have replace item with target device"), rw_devices
+was decremented on removing a writable device in
+__btrfs_free_extra_devids only if the BTRFS_DEV_STATE_REPLACE_TGT bit
+was not set for the device. However, this check does not need to be
+reinstated as it is now redundant and incorrect.
+
+In __btrfs_free_extra_devids, we skip removing the device if it is the
+target for replacement. This is done by checking whether device->devid
+== BTRFS_DEV_REPLACE_DEVID. Since BTRFS_DEV_STATE_REPLACE_TGT is set
+only on the device with devid BTRFS_DEV_REPLACE_DEVID, no devices
+should have the BTRFS_DEV_STATE_REPLACE_TGT bit set after the check,
+and so it's redundant to test for that bit.
+
+Additionally, following commit 82372bc816d7 ("Btrfs: make
+the logic of source device removing more clear"), rw_devices is
+incremented whenever a writeable device is added to the alloc
+list (including the target device in btrfs_dev_replace_finishing), so
+all removals of writable devices from the alloc list should also be
+accompanied by a decrement to rw_devices.
+
+Reported-by: syzbot+a70e2ad0879f160b9217@syzkaller.appspotmail.com
+Fixes: cf89af146b7e ("btrfs: dev-replace: fail mount if we don't have replace item with target device")
+CC: stable@vger.kernel.org # 5.10+
+Tested-by: syzbot+a70e2ad0879f160b9217@syzkaller.appspotmail.com
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -1078,6 +1078,7 @@ static void __btrfs_free_extra_devids(st
+ if (test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state)) {
+ list_del_init(&device->dev_alloc_list);
+ clear_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state);
++ fs_devices->rw_devices--;
+ }
+ list_del_init(&device->dev_list);
+ fs_devices->num_devices--;
--- /dev/null
+From 240246f6b913b0c23733cfd2def1d283f8cc9bbe Mon Sep 17 00:00:00 2001
+From: Goldwyn Rodrigues <rgoldwyn@suse.de>
+Date: Fri, 9 Jul 2021 11:29:22 -0500
+Subject: btrfs: mark compressed range uptodate only if all bio succeed
+
+From: Goldwyn Rodrigues <rgoldwyn@suse.de>
+
+commit 240246f6b913b0c23733cfd2def1d283f8cc9bbe upstream.
+
+In compression write endio sequence, the range which the compressed_bio
+writes is marked as uptodate if the last bio of the compressed (sub)bios
+is completed successfully. There could be previous bio which may
+have failed which is recorded in cb->errors.
+
+Set the writeback range as uptodate only if cb->errors is zero, as opposed
+to checking only the last bio's status.
+
+Backporting notes: in all versions up to 4.4 the last argument is always
+replaced by "!cb->errors".
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/compression.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/compression.c
++++ b/fs/btrfs/compression.c
+@@ -353,7 +353,7 @@ static void end_compressed_bio_write(str
+ btrfs_record_physical_zoned(inode, cb->start, bio);
+ btrfs_writepage_endio_finish_ordered(cb->compressed_pages[0],
+ cb->start, cb->start + cb->len - 1,
+- bio->bi_status == BLK_STS_OK);
++ !cb->errors);
+ cb->compressed_pages[0]->mapping = NULL;
+
+ end_compressed_writeback(inode, cb);
--- /dev/null
+From 9969e3c5f40c166e3396acc36c34f9de502929f6 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Tue, 27 Jul 2021 20:00:33 +0300
+Subject: can: ems_usb: fix memory leak
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 9969e3c5f40c166e3396acc36c34f9de502929f6 upstream.
+
+In ems_usb_start() MAX_RX_URBS coherent buffers are allocated and
+there is nothing, that frees them:
+
+1) In callback function the urb is resubmitted and that's all
+2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER
+ is not set (see ems_usb_start) and this flag cannot be used with
+ coherent buffers.
+
+So, all allocated buffers should be freed with usb_free_coherent()
+explicitly.
+
+Side note: This code looks like a copy-paste of other can drivers. The
+same patch was applied to mcba_usb driver and it works nice with real
+hardware. There is no change in functionality, only clean-up code for
+coherent buffers.
+
+Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
+Link: https://lore.kernel.org/r/59aa9fbc9a8cbf9af2bbd2f61a659c480b415800.1627404470.git.paskripkin@gmail.com
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/ems_usb.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -255,6 +255,8 @@ struct ems_usb {
+ unsigned int free_slots; /* remember number of available slots */
+
+ struct ems_cpc_msg active_params; /* active controller parameters */
++ void *rxbuf[MAX_RX_URBS];
++ dma_addr_t rxbuf_dma[MAX_RX_URBS];
+ };
+
+ static void ems_usb_read_interrupt_callback(struct urb *urb)
+@@ -587,6 +589,7 @@ static int ems_usb_start(struct ems_usb
+ for (i = 0; i < MAX_RX_URBS; i++) {
+ struct urb *urb = NULL;
+ u8 *buf = NULL;
++ dma_addr_t buf_dma;
+
+ /* create a URB, and a buffer for it */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+@@ -596,7 +599,7 @@ static int ems_usb_start(struct ems_usb
+ }
+
+ buf = usb_alloc_coherent(dev->udev, RX_BUFFER_SIZE, GFP_KERNEL,
+- &urb->transfer_dma);
++ &buf_dma);
+ if (!buf) {
+ netdev_err(netdev, "No memory left for USB buffer\n");
+ usb_free_urb(urb);
+@@ -604,6 +607,8 @@ static int ems_usb_start(struct ems_usb
+ break;
+ }
+
++ urb->transfer_dma = buf_dma;
++
+ usb_fill_bulk_urb(urb, dev->udev, usb_rcvbulkpipe(dev->udev, 2),
+ buf, RX_BUFFER_SIZE,
+ ems_usb_read_bulk_callback, dev);
+@@ -619,6 +624,9 @@ static int ems_usb_start(struct ems_usb
+ break;
+ }
+
++ dev->rxbuf[i] = buf;
++ dev->rxbuf_dma[i] = buf_dma;
++
+ /* Drop reference, USB core will take care of freeing it */
+ usb_free_urb(urb);
+ }
+@@ -684,6 +692,10 @@ static void unlink_all_urbs(struct ems_u
+
+ usb_kill_anchored_urbs(&dev->rx_submitted);
+
++ for (i = 0; i < MAX_RX_URBS; ++i)
++ usb_free_coherent(dev->udev, RX_BUFFER_SIZE,
++ dev->rxbuf[i], dev->rxbuf_dma[i]);
++
+ usb_kill_anchored_urbs(&dev->tx_submitted);
+ atomic_set(&dev->active_tx_urbs, 0);
+
--- /dev/null
+From 928150fad41ba16df7fcc9f7f945747d0f56cbb6 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Tue, 27 Jul 2021 20:00:46 +0300
+Subject: can: esd_usb2: fix memory leak
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 928150fad41ba16df7fcc9f7f945747d0f56cbb6 upstream.
+
+In esd_usb2_setup_rx_urbs() MAX_RX_URBS coherent buffers are allocated
+and there is nothing, that frees them:
+
+1) In callback function the urb is resubmitted and that's all
+2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER
+ is not set (see esd_usb2_setup_rx_urbs) and this flag cannot be used
+ with coherent buffers.
+
+So, all allocated buffers should be freed with usb_free_coherent()
+explicitly.
+
+Side note: This code looks like a copy-paste of other can drivers. The
+same patch was applied to mcba_usb driver and it works nice with real
+hardware. There is no change in functionality, only clean-up code for
+coherent buffers.
+
+Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device")
+Link: https://lore.kernel.org/r/b31b096926dcb35998ad0271aac4b51770ca7cc8.1627404470.git.paskripkin@gmail.com
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/esd_usb2.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/esd_usb2.c
++++ b/drivers/net/can/usb/esd_usb2.c
+@@ -195,6 +195,8 @@ struct esd_usb2 {
+ int net_count;
+ u32 version;
+ int rxinitdone;
++ void *rxbuf[MAX_RX_URBS];
++ dma_addr_t rxbuf_dma[MAX_RX_URBS];
+ };
+
+ struct esd_usb2_net_priv {
+@@ -545,6 +547,7 @@ static int esd_usb2_setup_rx_urbs(struct
+ for (i = 0; i < MAX_RX_URBS; i++) {
+ struct urb *urb = NULL;
+ u8 *buf = NULL;
++ dma_addr_t buf_dma;
+
+ /* create a URB, and a buffer for it */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+@@ -554,7 +557,7 @@ static int esd_usb2_setup_rx_urbs(struct
+ }
+
+ buf = usb_alloc_coherent(dev->udev, RX_BUFFER_SIZE, GFP_KERNEL,
+- &urb->transfer_dma);
++ &buf_dma);
+ if (!buf) {
+ dev_warn(dev->udev->dev.parent,
+ "No memory left for USB buffer\n");
+@@ -562,6 +565,8 @@ static int esd_usb2_setup_rx_urbs(struct
+ goto freeurb;
+ }
+
++ urb->transfer_dma = buf_dma;
++
+ usb_fill_bulk_urb(urb, dev->udev,
+ usb_rcvbulkpipe(dev->udev, 1),
+ buf, RX_BUFFER_SIZE,
+@@ -574,8 +579,12 @@ static int esd_usb2_setup_rx_urbs(struct
+ usb_unanchor_urb(urb);
+ usb_free_coherent(dev->udev, RX_BUFFER_SIZE, buf,
+ urb->transfer_dma);
++ goto freeurb;
+ }
+
++ dev->rxbuf[i] = buf;
++ dev->rxbuf_dma[i] = buf_dma;
++
+ freeurb:
+ /* Drop reference, USB core will take care of freeing it */
+ usb_free_urb(urb);
+@@ -663,6 +672,11 @@ static void unlink_all_urbs(struct esd_u
+ int i, j;
+
+ usb_kill_anchored_urbs(&dev->rx_submitted);
++
++ for (i = 0; i < MAX_RX_URBS; ++i)
++ usb_free_coherent(dev->udev, RX_BUFFER_SIZE,
++ dev->rxbuf[i], dev->rxbuf_dma[i]);
++
+ for (i = 0; i < dev->net_count; i++) {
+ priv = dev->nets[i];
+ if (priv) {
--- /dev/null
+From c6eea1c8bda56737752465a298dc6ce07d6b8ce3 Mon Sep 17 00:00:00 2001
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+Date: Tue, 6 Jul 2021 19:00:08 +0800
+Subject: can: j1939: j1939_xtp_rx_dat_one(): fix rxtimer value between consecutive TP.DT to 750ms
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+commit c6eea1c8bda56737752465a298dc6ce07d6b8ce3 upstream.
+
+For receive side, the max time interval between two consecutive TP.DT
+should be 750ms.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Link: https://lore.kernel.org/r/1625569210-47506-1-git-send-email-zhangchangzhong@huawei.com
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1869,7 +1869,7 @@ static void j1939_xtp_rx_dat_one(struct
+ if (!session->transmission)
+ j1939_tp_schedule_txtimer(session, 0);
+ } else {
+- j1939_tp_set_rxtimeout(session, 250);
++ j1939_tp_set_rxtimeout(session, 750);
+ }
+ session->last_cmd = 0xff;
+ consume_skb(se_skb);
--- /dev/null
+From fc43fb69a7af92839551f99c1a96a37b77b3ae7a Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Sun, 25 Jul 2021 13:36:30 +0300
+Subject: can: mcba_usb_start(): add missing urb->transfer_dma initialization
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit fc43fb69a7af92839551f99c1a96a37b77b3ae7a upstream.
+
+Yasushi reported, that his Microchip CAN Analyzer stopped working
+since commit 91c02557174b ("can: mcba_usb: fix memory leak in
+mcba_usb"). The problem was in missing urb->transfer_dma
+initialization.
+
+In my previous patch to this driver I refactored mcba_usb_start() code
+to avoid leaking usb coherent buffers. To archive it, I passed local
+stack variable to usb_alloc_coherent() and then saved it to private
+array to correctly free all coherent buffers on ->close() call. But I
+forgot to initialize urb->transfer_dma with variable passed to
+usb_alloc_coherent().
+
+All of this was causing device to not work, since dma addr 0 is not
+valid and following log can be found on bug report page, which points
+exactly to problem described above.
+
+| DMAR: [DMA Write] Request device [00:14.0] PASID ffffffff fault addr 0 [fault reason 05] PTE Write access is not set
+
+Fixes: 91c02557174b ("can: mcba_usb: fix memory leak in mcba_usb")
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990850
+Link: https://lore.kernel.org/r/20210725103630.23864-1-paskripkin@gmail.com
+Cc: linux-stable <stable@vger.kernel.org>
+Reported-by: Yasushi SHOJI <yasushi.shoji@gmail.com>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Tested-by: Yasushi SHOJI <yashi@spacecubics.com>
+[mkl: fixed typos in commit message - thanks Yasushi SHOJI]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/mcba_usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/usb/mcba_usb.c
++++ b/drivers/net/can/usb/mcba_usb.c
+@@ -653,6 +653,8 @@ static int mcba_usb_start(struct mcba_pr
+ break;
+ }
+
++ urb->transfer_dma = buf_dma;
++
+ usb_fill_bulk_urb(urb, priv->udev,
+ usb_rcvbulkpipe(priv->udev, MCBA_USB_EP_IN),
+ buf, MCBA_USB_RX_BUFF_SIZE,
--- /dev/null
+From 590eb2b7d8cfafb27e8108d52d4bf4850626d31d Mon Sep 17 00:00:00 2001
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+Date: Fri, 25 Jun 2021 15:09:29 +0200
+Subject: can: peak_usb: pcan_usb_handle_bus_evt(): fix reading rxerr/txerr values
+
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+
+commit 590eb2b7d8cfafb27e8108d52d4bf4850626d31d upstream.
+
+This patch fixes an incorrect way of reading error counters in messages
+received for this purpose from the PCAN-USB interface. These messages
+inform about the increase or decrease of the error counters, whose values
+are placed in bytes 1 and 2 of the message data (not 0 and 1).
+
+Fixes: ea8b33bde76c ("can: pcan_usb: add support of rxerr/txerr counters")
+Link: https://lore.kernel.org/r/20210625130931.27438-4-s.grosjean@peak-system.com
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb.c
+@@ -117,7 +117,8 @@
+ #define PCAN_USB_BERR_MASK (PCAN_USB_ERR_RXERR | PCAN_USB_ERR_TXERR)
+
+ /* identify bus event packets with rx/tx error counters */
+-#define PCAN_USB_ERR_CNT 0x80
++#define PCAN_USB_ERR_CNT_DEC 0x00 /* counters are decreasing */
++#define PCAN_USB_ERR_CNT_INC 0x80 /* counters are increasing */
+
+ /* private to PCAN-USB adapter */
+ struct pcan_usb {
+@@ -608,11 +609,12 @@ static int pcan_usb_handle_bus_evt(struc
+
+ /* acccording to the content of the packet */
+ switch (ir) {
+- case PCAN_USB_ERR_CNT:
++ case PCAN_USB_ERR_CNT_DEC:
++ case PCAN_USB_ERR_CNT_INC:
+
+ /* save rx/tx error counters from in the device context */
+- pdev->bec.rxerr = mc->ptr[0];
+- pdev->bec.txerr = mc->ptr[1];
++ pdev->bec.rxerr = mc->ptr[1];
++ pdev->bec.txerr = mc->ptr[2];
+ break;
+
+ default:
--- /dev/null
+From 54f93336d000229f72c26d8a3f69dd256b744528 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Thu, 22 Jul 2021 15:08:19 +0800
+Subject: can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 54f93336d000229f72c26d8a3f69dd256b744528 upstream.
+
+We get a bug during ltp can_filter test as following.
+
+===========================================
+[60919.264984] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+[60919.265223] PGD 8000003dda726067 P4D 8000003dda726067 PUD 3dda727067 PMD 0
+[60919.265443] Oops: 0000 [#1] SMP PTI
+[60919.265550] CPU: 30 PID: 3638365 Comm: can_filter Kdump: loaded Tainted: G W 4.19.90+ #1
+[60919.266068] RIP: 0010:selinux_socket_sock_rcv_skb+0x3e/0x200
+[60919.293289] RSP: 0018:ffff8d53bfc03cf8 EFLAGS: 00010246
+[60919.307140] RAX: 0000000000000000 RBX: 000000000000001d RCX: 0000000000000007
+[60919.320756] RDX: 0000000000000001 RSI: ffff8d5104a8ed00 RDI: ffff8d53bfc03d30
+[60919.334319] RBP: ffff8d9338056800 R08: ffff8d53bfc29d80 R09: 0000000000000001
+[60919.347969] R10: ffff8d53bfc03ec0 R11: ffffb8526ef47c98 R12: ffff8d53bfc03d30
+[60919.350320] perf: interrupt took too long (3063 > 2500), lowering kernel.perf_event_max_sample_rate to 65000
+[60919.361148] R13: 0000000000000001 R14: ffff8d53bcf90000 R15: 0000000000000000
+[60919.361151] FS: 00007fb78b6b3600(0000) GS:ffff8d53bfc00000(0000) knlGS:0000000000000000
+[60919.400812] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[60919.413730] CR2: 0000000000000010 CR3: 0000003e3f784006 CR4: 00000000007606e0
+[60919.426479] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[60919.439339] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[60919.451608] PKRU: 55555554
+[60919.463622] Call Trace:
+[60919.475617] <IRQ>
+[60919.487122] ? update_load_avg+0x89/0x5d0
+[60919.498478] ? update_load_avg+0x89/0x5d0
+[60919.509822] ? account_entity_enqueue+0xc5/0xf0
+[60919.520709] security_sock_rcv_skb+0x2a/0x40
+[60919.531413] sk_filter_trim_cap+0x47/0x1b0
+[60919.542178] ? kmem_cache_alloc+0x38/0x1b0
+[60919.552444] sock_queue_rcv_skb+0x17/0x30
+[60919.562477] raw_rcv+0x110/0x190 [can_raw]
+[60919.572539] can_rcv_filter+0xbc/0x1b0 [can]
+[60919.582173] can_receive+0x6b/0xb0 [can]
+[60919.591595] can_rcv+0x31/0x70 [can]
+[60919.600783] __netif_receive_skb_one_core+0x5a/0x80
+[60919.609864] process_backlog+0x9b/0x150
+[60919.618691] net_rx_action+0x156/0x400
+[60919.627310] ? sched_clock_cpu+0xc/0xa0
+[60919.635714] __do_softirq+0xe8/0x2e9
+[60919.644161] do_softirq_own_stack+0x2a/0x40
+[60919.652154] </IRQ>
+[60919.659899] do_softirq.part.17+0x4f/0x60
+[60919.667475] __local_bh_enable_ip+0x60/0x70
+[60919.675089] __dev_queue_xmit+0x539/0x920
+[60919.682267] ? finish_wait+0x80/0x80
+[60919.689218] ? finish_wait+0x80/0x80
+[60919.695886] ? sock_alloc_send_pskb+0x211/0x230
+[60919.702395] ? can_send+0xe5/0x1f0 [can]
+[60919.708882] can_send+0xe5/0x1f0 [can]
+[60919.715037] raw_sendmsg+0x16d/0x268 [can_raw]
+
+It's because raw_setsockopt() concurrently with
+unregister_netdevice_many(). Concurrent scenario as following.
+
+ cpu0 cpu1
+raw_bind
+raw_setsockopt unregister_netdevice_many
+ unlist_netdevice
+dev_get_by_index raw_notifier
+raw_enable_filters ......
+can_rx_register
+can_rcv_list_find(..., net->can.rx_alldev_list)
+
+......
+
+sock_close
+raw_release(sock_a)
+
+......
+
+can_receive
+can_rcv_filter(net->can.rx_alldev_list, ...)
+raw_rcv(skb, sock_a)
+BUG
+
+After unlist_netdevice(), dev_get_by_index() return NULL in
+raw_setsockopt(). Function raw_enable_filters() will add sock
+and can_filter to net->can.rx_alldev_list. Then the sock is closed.
+Followed by, we sock_sendmsg() to a new vcan device use the same
+can_filter. Protocol stack match the old receiver whose sock has
+been released on net->can.rx_alldev_list in can_rcv_filter().
+Function raw_rcv() uses the freed sock. UAF BUG is triggered.
+
+We can find that the key issue is that net_device has not been
+protected in raw_setsockopt(). Use rtnl_lock to protect net_device
+in raw_setsockopt().
+
+Fixes: c18ce101f2e4 ("[CAN]: Add raw protocol")
+Link: https://lore.kernel.org/r/20210722070819.1048263-1-william.xuanziyang@huawei.com
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/raw.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -546,10 +546,18 @@ static int raw_setsockopt(struct socket
+ return -EFAULT;
+ }
+
++ rtnl_lock();
+ lock_sock(sk);
+
+- if (ro->bound && ro->ifindex)
++ if (ro->bound && ro->ifindex) {
+ dev = dev_get_by_index(sock_net(sk), ro->ifindex);
++ if (!dev) {
++ if (count > 1)
++ kfree(filter);
++ err = -ENODEV;
++ goto out_fil;
++ }
++ }
+
+ if (ro->bound) {
+ /* (try to) register the new filters */
+@@ -588,6 +596,7 @@ static int raw_setsockopt(struct socket
+ dev_put(dev);
+
+ release_sock(sk);
++ rtnl_unlock();
+
+ break;
+
+@@ -600,10 +609,16 @@ static int raw_setsockopt(struct socket
+
+ err_mask &= CAN_ERR_MASK;
+
++ rtnl_lock();
+ lock_sock(sk);
+
+- if (ro->bound && ro->ifindex)
++ if (ro->bound && ro->ifindex) {
+ dev = dev_get_by_index(sock_net(sk), ro->ifindex);
++ if (!dev) {
++ err = -ENODEV;
++ goto out_err;
++ }
++ }
+
+ /* remove current error mask */
+ if (ro->bound) {
+@@ -627,6 +642,7 @@ static int raw_setsockopt(struct socket
+ dev_put(dev);
+
+ release_sock(sk);
++ rtnl_unlock();
+
+ break;
+
--- /dev/null
+From 0e865f0c31928d6a313269ef624907eec55287c4 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Tue, 27 Jul 2021 19:59:57 +0300
+Subject: can: usb_8dev: fix memory leak
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 0e865f0c31928d6a313269ef624907eec55287c4 upstream.
+
+In usb_8dev_start() MAX_RX_URBS coherent buffers are allocated and
+there is nothing, that frees them:
+
+1) In callback function the urb is resubmitted and that's all
+2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER
+ is not set (see usb_8dev_start) and this flag cannot be used with
+ coherent buffers.
+
+So, all allocated buffers should be freed with usb_free_coherent()
+explicitly.
+
+Side note: This code looks like a copy-paste of other can drivers. The
+same patch was applied to mcba_usb driver and it works nice with real
+hardware. There is no change in functionality, only clean-up code for
+coherent buffers.
+
+Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices")
+Link: https://lore.kernel.org/r/d39b458cd425a1cf7f512f340224e6e9563b07bd.1627404470.git.paskripkin@gmail.com
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/usb_8dev.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/usb/usb_8dev.c
++++ b/drivers/net/can/usb/usb_8dev.c
+@@ -137,7 +137,8 @@ struct usb_8dev_priv {
+ u8 *cmd_msg_buffer;
+
+ struct mutex usb_8dev_cmd_lock;
+-
++ void *rxbuf[MAX_RX_URBS];
++ dma_addr_t rxbuf_dma[MAX_RX_URBS];
+ };
+
+ /* tx frame */
+@@ -733,6 +734,7 @@ static int usb_8dev_start(struct usb_8de
+ for (i = 0; i < MAX_RX_URBS; i++) {
+ struct urb *urb = NULL;
+ u8 *buf;
++ dma_addr_t buf_dma;
+
+ /* create a URB, and a buffer for it */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+@@ -742,7 +744,7 @@ static int usb_8dev_start(struct usb_8de
+ }
+
+ buf = usb_alloc_coherent(priv->udev, RX_BUFFER_SIZE, GFP_KERNEL,
+- &urb->transfer_dma);
++ &buf_dma);
+ if (!buf) {
+ netdev_err(netdev, "No memory left for USB buffer\n");
+ usb_free_urb(urb);
+@@ -750,6 +752,8 @@ static int usb_8dev_start(struct usb_8de
+ break;
+ }
+
++ urb->transfer_dma = buf_dma;
++
+ usb_fill_bulk_urb(urb, priv->udev,
+ usb_rcvbulkpipe(priv->udev,
+ USB_8DEV_ENDP_DATA_RX),
+@@ -767,6 +771,9 @@ static int usb_8dev_start(struct usb_8de
+ break;
+ }
+
++ priv->rxbuf[i] = buf;
++ priv->rxbuf_dma[i] = buf_dma;
++
+ /* Drop reference, USB core will take care of freeing it */
+ usb_free_urb(urb);
+ }
+@@ -836,6 +843,10 @@ static void unlink_all_urbs(struct usb_8
+
+ usb_kill_anchored_urbs(&priv->rx_submitted);
+
++ for (i = 0; i < MAX_RX_URBS; ++i)
++ usb_free_coherent(priv->udev, RX_BUFFER_SIZE,
++ priv->rxbuf[i], priv->rxbuf_dma[i]);
++
+ usb_kill_anchored_urbs(&priv->tx_submitted);
+ atomic_set(&priv->active_tx_urbs, 0);
+
--- /dev/null
+From b53e041d8e4308f7324999398aec092dbcb130f5 Mon Sep 17 00:00:00 2001
+From: Dale Zhao <dale.zhao@amd.com>
+Date: Fri, 16 Jul 2021 09:38:17 +0800
+Subject: drm/amd/display: ensure dentist display clock update finished in DCN20
+
+From: Dale Zhao <dale.zhao@amd.com>
+
+commit b53e041d8e4308f7324999398aec092dbcb130f5 upstream.
+
+[Why]
+We don't check DENTIST_DISPCLK_CHG_DONE to ensure dentist
+display clockis updated to target value. In some scenarios with large
+display clock margin, it will deliver unfinished display clock and cause
+issues like display black screen.
+
+[How]
+Checking DENTIST_DISPCLK_CHG_DONE to ensure display clock
+has been update to target value before driver do other clock related
+actions.
+
+Reviewed-by: Cyr Aric <aric.cyr@amd.com>
+Acked-by: Solomon Chiu <solomon.chiu@amd.com>
+Signed-off-by: Dale Zhao <dale.zhao@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/dcn20/dcn20_clk_mgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn20/dcn20_clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn20/dcn20_clk_mgr.c
+@@ -135,7 +135,7 @@ void dcn20_update_clocks_update_dentist(
+
+ REG_UPDATE(DENTIST_DISPCLK_CNTL,
+ DENTIST_DISPCLK_WDIVIDER, dispclk_wdivider);
+-// REG_WAIT(DENTIST_DISPCLK_CNTL, DENTIST_DISPCLK_CHG_DONE, 1, 5, 100);
++ REG_WAIT(DENTIST_DISPCLK_CNTL, DENTIST_DISPCLK_CHG_DONE, 1, 50, 1000);
+ REG_UPDATE(DENTIST_DISPCLK_CNTL,
+ DENTIST_DPPCLK_WDIVIDER, dppclk_wdivider);
+ REG_WAIT(DENTIST_DISPCLK_CNTL, DENTIST_DPPCLK_CHG_DONE, 1, 5, 100);
--- /dev/null
+From 6aade587d329ebe88319dfdb8e8c7b6aede80417 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Thu, 24 Jun 2021 13:11:36 +0200
+Subject: drm/amdgpu: Avoid printing of stack contents on firmware load error
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+commit 6aade587d329ebe88319dfdb8e8c7b6aede80417 upstream.
+
+In case when psp_init_asd_microcode() fails to load ASD microcode file,
+psp_v12_0_init_microcode() tries to print the firmware filename that
+failed to load before bailing out.
+
+This is wrong because:
+
+- the firmware filename it would want it print is an incorrect one as
+ psp_init_asd_microcode() and psp_v12_0_init_microcode() are loading
+ different filenames
+- it tries to print fw_name, but that's not yet been initialized by that
+ time, so it prints random stack contents, e.g.
+
+ amdgpu 0000:04:00.0: Direct firmware load for amdgpu/renoir_asd.bin failed with error -2
+ amdgpu 0000:04:00.0: amdgpu: fail to initialize asd microcode
+ amdgpu 0000:04:00.0: amdgpu: psp v12.0: Failed to load firmware "\xfeTO\x8e\xff\xff"
+
+Fix that by bailing out immediately, instead of priting the bogus error
+message.
+
+Reported-by: Vojtech Pavlik <vojtech@ucw.cz>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/psp_v12_0.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/psp_v12_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/psp_v12_0.c
+@@ -67,7 +67,7 @@ static int psp_v12_0_init_microcode(stru
+
+ err = psp_init_asd_microcode(psp, chip_name);
+ if (err)
+- goto out;
++ return err;
+
+ snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_ta.bin", chip_name);
+ err = request_firmware(&adev->psp.ta_fw, fw_name, adev->dev);
+@@ -80,7 +80,7 @@ static int psp_v12_0_init_microcode(stru
+ } else {
+ err = amdgpu_ucode_validate(adev->psp.ta_fw);
+ if (err)
+- goto out2;
++ goto out;
+
+ ta_hdr = (const struct ta_firmware_header_v1_0 *)
+ adev->psp.ta_fw->data;
+@@ -105,10 +105,9 @@ static int psp_v12_0_init_microcode(stru
+
+ return 0;
+
+-out2:
++out:
+ release_firmware(adev->psp.ta_fw);
+ adev->psp.ta_fw = NULL;
+-out:
+ if (err) {
+ dev_err(adev->dev,
+ "psp v12.0: Failed to load firmware \"%s\"\n",
--- /dev/null
+From 91e273712ab8dd8c31924ac7714b21e011137e98 Mon Sep 17 00:00:00 2001
+From: Pratik Vishwakarma <Pratik.Vishwakarma@amd.com>
+Date: Fri, 23 Jul 2021 18:08:40 +0530
+Subject: drm/amdgpu: Check pmops for desired suspend state
+
+From: Pratik Vishwakarma <Pratik.Vishwakarma@amd.com>
+
+commit 91e273712ab8dd8c31924ac7714b21e011137e98 upstream.
+
+[Why]
+User might change the suspend behaviour from OS.
+
+[How]
+Check with pm for target suspend state and set s0ix
+flag only for s2idle state.
+
+v2: User might change default suspend state, use target state
+v3: squash in build fix
+
+Suggested-by: Lijo Lazar <Lijo.Lazar@amd.com>
+Signed-off-by: Pratik Vishwakarma <Pratik.Vishwakarma@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+@@ -26,6 +26,7 @@
+ #include <linux/slab.h>
+ #include <linux/power_supply.h>
+ #include <linux/pm_runtime.h>
++#include <linux/suspend.h>
+ #include <acpi/video.h>
+ #include <acpi/actbl.h>
+
+@@ -906,7 +907,7 @@ bool amdgpu_acpi_is_s0ix_supported(struc
+ #if defined(CONFIG_AMD_PMC) || defined(CONFIG_AMD_PMC_MODULE)
+ if (acpi_gbl_FADT.flags & ACPI_FADT_LOW_POWER_S0) {
+ if (adev->flags & AMD_IS_APU)
+- return true;
++ return pm_suspend_target_state == PM_SUSPEND_TO_IDLE;
+ }
+ #endif
+ return false;
--- /dev/null
+From d47255d3f87338164762ac56df1f28d751e27246 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Thu, 24 Jun 2021 13:20:21 +0200
+Subject: drm/amdgpu: Fix resource leak on probe error path
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+commit d47255d3f87338164762ac56df1f28d751e27246 upstream.
+
+This reverts commit 4192f7b5768912ceda82be2f83c87ea7181f9980.
+
+It is not true (as stated in the reverted commit changelog) that we never
+unmap the BAR on failure; it actually does happen properly on
+amdgpu_driver_load_kms() -> amdgpu_driver_unload_kms() ->
+amdgpu_device_fini() error path.
+
+What's worse, this commit actually completely breaks resource freeing on
+probe failure (like e.g. failure to load microcode), as
+amdgpu_driver_unload_kms() notices adev->rmmio being NULL and bails too
+early, leaving all the resources that'd normally be freed in
+amdgpu_acpi_fini() and amdgpu_device_fini() still hanging around, leading
+to all sorts of oopses when someone tries to, for example, access the
+sysfs and procfs resources which are still around while the driver is
+gone.
+
+Fixes: 4192f7b57689 ("drm/amdgpu: unmap register bar on device init failure")
+Reported-by: Vojtech Pavlik <vojtech@ucw.cz>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -3412,13 +3412,13 @@ int amdgpu_device_init(struct amdgpu_dev
+ r = amdgpu_device_get_job_timeout_settings(adev);
+ if (r) {
+ dev_err(adev->dev, "invalid lockup_timeout parameter syntax\n");
+- goto failed_unmap;
++ return r;
+ }
+
+ /* early init functions */
+ r = amdgpu_device_ip_early_init(adev);
+ if (r)
+- goto failed_unmap;
++ return r;
+
+ /* doorbell bar mapping and doorbell index init*/
+ amdgpu_device_doorbell_init(adev);
+@@ -3644,10 +3644,6 @@ release_ras_con:
+ failed:
+ amdgpu_vf_error_trans_all(adev);
+
+-failed_unmap:
+- iounmap(adev->rmmio);
+- adev->rmmio = NULL;
+-
+ return r;
+ }
+
--- /dev/null
+From 728d392f8a799f037812d0f2b254fb3b5e115fcf Mon Sep 17 00:00:00 2001
+From: Javier Pello <javier.pello@urjc.es>
+Date: Wed, 14 Jul 2021 18:54:48 +0200
+Subject: fs/ext2: Avoid page_address on pages returned by ext2_get_page
+
+From: Javier Pello <javier.pello@urjc.es>
+
+commit 728d392f8a799f037812d0f2b254fb3b5e115fcf upstream.
+
+Commit 782b76d7abdf02b12c46ed6f1e9bf715569027f7 ("fs/ext2: Replace
+kmap() with kmap_local_page()") replaced the kmap/kunmap calls in
+ext2_get_page/ext2_put_page with kmap_local_page/kunmap_local for
+efficiency reasons. As a necessary side change, the commit also
+made ext2_get_page (and ext2_find_entry and ext2_dotdot) return
+the mapping address along with the page itself, as it is required
+for kunmap_local, and converted uses of page_address on such pages
+to use the newly returned address instead. However, uses of
+page_address on such pages were missed in ext2_check_page and
+ext2_delete_entry, which triggers oopses if kmap_local_page happens
+to return an address from high memory. Fix this now by converting
+the remaining uses of page_address to use the right address, as
+returned by kmap_local_page.
+
+Link: https://lore.kernel.org/r/20210714185448.8707ac239e9f12b3a7f5b9f9@urjc.es
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Javier Pello <javier.pello@urjc.es>
+Fixes: 782b76d7abdf ("fs/ext2: Replace kmap() with kmap_local_page()")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext2/dir.c | 12 ++++++------
+ fs/ext2/ext2.h | 3 ++-
+ fs/ext2/namei.c | 4 ++--
+ 3 files changed, 10 insertions(+), 9 deletions(-)
+
+--- a/fs/ext2/dir.c
++++ b/fs/ext2/dir.c
+@@ -106,12 +106,11 @@ static int ext2_commit_chunk(struct page
+ return err;
+ }
+
+-static bool ext2_check_page(struct page *page, int quiet)
++static bool ext2_check_page(struct page *page, int quiet, char *kaddr)
+ {
+ struct inode *dir = page->mapping->host;
+ struct super_block *sb = dir->i_sb;
+ unsigned chunk_size = ext2_chunk_size(dir);
+- char *kaddr = page_address(page);
+ u32 max_inumber = le32_to_cpu(EXT2_SB(sb)->s_es->s_inodes_count);
+ unsigned offs, rec_len;
+ unsigned limit = PAGE_SIZE;
+@@ -205,7 +204,8 @@ static struct page * ext2_get_page(struc
+ if (!IS_ERR(page)) {
+ *page_addr = kmap_local_page(page);
+ if (unlikely(!PageChecked(page))) {
+- if (PageError(page) || !ext2_check_page(page, quiet))
++ if (PageError(page) || !ext2_check_page(page, quiet,
++ *page_addr))
+ goto fail;
+ }
+ }
+@@ -584,10 +584,10 @@ out_unlock:
+ * ext2_delete_entry deletes a directory entry by merging it with the
+ * previous entry. Page is up-to-date.
+ */
+-int ext2_delete_entry (struct ext2_dir_entry_2 * dir, struct page * page )
++int ext2_delete_entry (struct ext2_dir_entry_2 *dir, struct page *page,
++ char *kaddr)
+ {
+ struct inode *inode = page->mapping->host;
+- char *kaddr = page_address(page);
+ unsigned from = ((char*)dir - kaddr) & ~(ext2_chunk_size(inode)-1);
+ unsigned to = ((char *)dir - kaddr) +
+ ext2_rec_len_from_disk(dir->rec_len);
+@@ -607,7 +607,7 @@ int ext2_delete_entry (struct ext2_dir_e
+ de = ext2_next_entry(de);
+ }
+ if (pde)
+- from = (char*)pde - (char*)page_address(page);
++ from = (char *)pde - kaddr;
+ pos = page_offset(page) + from;
+ lock_page(page);
+ err = ext2_prepare_chunk(page, pos, to - from);
+--- a/fs/ext2/ext2.h
++++ b/fs/ext2/ext2.h
+@@ -740,7 +740,8 @@ extern int ext2_inode_by_name(struct ino
+ extern int ext2_make_empty(struct inode *, struct inode *);
+ extern struct ext2_dir_entry_2 *ext2_find_entry(struct inode *, const struct qstr *,
+ struct page **, void **res_page_addr);
+-extern int ext2_delete_entry (struct ext2_dir_entry_2 *, struct page *);
++extern int ext2_delete_entry(struct ext2_dir_entry_2 *dir, struct page *page,
++ char *kaddr);
+ extern int ext2_empty_dir (struct inode *);
+ extern struct ext2_dir_entry_2 *ext2_dotdot(struct inode *dir, struct page **p, void **pa);
+ extern void ext2_set_link(struct inode *, struct ext2_dir_entry_2 *, struct page *, void *,
+--- a/fs/ext2/namei.c
++++ b/fs/ext2/namei.c
+@@ -293,7 +293,7 @@ static int ext2_unlink(struct inode * di
+ goto out;
+ }
+
+- err = ext2_delete_entry (de, page);
++ err = ext2_delete_entry (de, page, page_addr);
+ ext2_put_page(page, page_addr);
+ if (err)
+ goto out;
+@@ -397,7 +397,7 @@ static int ext2_rename (struct user_name
+ old_inode->i_ctime = current_time(old_inode);
+ mark_inode_dirty(old_inode);
+
+- ext2_delete_entry(old_de, old_page);
++ ext2_delete_entry(old_de, old_page, old_page_addr);
+
+ if (dir_de) {
+ if (old_dir != new_dir)
--- /dev/null
+From 6ca2350e11f09d5d3e53777d1eff8ff6d300ed93 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Mon, 19 Jul 2021 13:55:28 -0700
+Subject: HID: wacom: Re-enable touch by default for Cintiq 24HDT / 27QHDT
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+commit 6ca2350e11f09d5d3e53777d1eff8ff6d300ed93 upstream.
+
+Commit 670e90924bfe ("HID: wacom: support named keys on older devices")
+added support for sending named events from the soft buttons on the
+24HDT and 27QHDT. In the process, however, it inadvertantly disabled the
+touchscreen of the 24HDT and 27QHDT by default. The
+`wacom_set_shared_values` function would normally enable touch by default
+but because it checks the state of the non-shared `has_mute_touch_switch`
+flag and `wacom_setup_touch_input_capabilities` sets the state of the
+/shared/ version, touch ends up being disabled by default.
+
+This patch sets the non-shared flag, letting `wacom_set_shared_values`
+take care of copying the value over to the shared version and setting
+the default touch state to "on".
+
+Fixes: 670e90924bfe ("HID: wacom: support named keys on older devices")
+CC: stable@vger.kernel.org # 5.4+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_wac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -3831,7 +3831,7 @@ int wacom_setup_touch_input_capabilities
+ wacom_wac->shared->touch->product == 0xF6) {
+ input_dev->evbit[0] |= BIT_MASK(EV_SW);
+ __set_bit(SW_MUTE_DEVICE, input_dev->swbit);
+- wacom_wac->shared->has_mute_touch_switch = true;
++ wacom_wac->has_mute_touch_switch = true;
+ }
+ fallthrough;
+
--- /dev/null
+From ef04688871f3386b6d40ade8f5c664290420f819 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 27 Jul 2021 10:50:31 -0600
+Subject: io_uring: don't block level reissue off completion path
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit ef04688871f3386b6d40ade8f5c664290420f819 upstream.
+
+Some setups, like SCSI, can throw spurious -EAGAIN off the softirq
+completion path. Normally we expect this to happen inline as part
+of submission, but apparently SCSI has a weird corner case where it
+can happen as part of normal completions.
+
+This should be solved by having the -EAGAIN bubble back up the stack
+as part of submission, but previous attempts at this failed and we're
+not just quite there yet. Instead we currently use REQ_F_REISSUE to
+handle this case.
+
+For now, catch it in io_rw_should_reissue() and prevent a reissue
+from a bogus path.
+
+Cc: stable@vger.kernel.org
+Reported-by: Fabian Ebner <f.ebner@proxmox.com>
+Tested-by: Fabian Ebner <f.ebner@proxmox.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -2457,6 +2457,12 @@ static bool io_rw_should_reissue(struct
+ */
+ if (percpu_ref_is_dying(&ctx->refs))
+ return false;
++ /*
++ * Play it safe and assume not safe to re-import and reissue if we're
++ * not in the original thread group (or in task context).
++ */
++ if (!same_thread_group(req->task, current) || !in_task())
++ return false;
+ return true;
+ }
+ #else
--- /dev/null
+From 44eff40a32e8f5228ae041006352e32638ad2368 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Mon, 26 Jul 2021 14:14:31 +0100
+Subject: io_uring: fix io_prep_async_link locking
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 44eff40a32e8f5228ae041006352e32638ad2368 upstream.
+
+io_prep_async_link() may be called after arming a linked timeout,
+automatically making it unsafe to traverse the linked list. Guard
+with completion_lock if there was a linked timeout.
+
+Cc: stable@vger.kernel.org # 5.9+
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/93f7c617e2b4f012a2a175b3dab6bc2f27cebc48.1627304436.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -1258,8 +1258,17 @@ static void io_prep_async_link(struct io
+ {
+ struct io_kiocb *cur;
+
+- io_for_each_link(cur, req)
+- io_prep_async_work(cur);
++ if (req->flags & REQ_F_LINK_TIMEOUT) {
++ struct io_ring_ctx *ctx = req->ctx;
++
++ spin_lock_irq(&ctx->completion_lock);
++ io_for_each_link(cur, req)
++ io_prep_async_work(cur);
++ spin_unlock_irq(&ctx->completion_lock);
++ } else {
++ io_for_each_link(cur, req)
++ io_prep_async_work(cur);
++ }
+ }
+
+ static void io_queue_async_work(struct io_kiocb *req)
--- /dev/null
+From a890d01e4ee016978776e45340e521b3bbbdf41f Mon Sep 17 00:00:00 2001
+From: Hao Xu <haoxu@linux.alibaba.com>
+Date: Wed, 28 Jul 2021 11:03:22 +0800
+Subject: io_uring: fix poll requests leaking second poll entries
+
+From: Hao Xu <haoxu@linux.alibaba.com>
+
+commit a890d01e4ee016978776e45340e521b3bbbdf41f upstream.
+
+For pure poll requests, it doesn't remove the second poll wait entry
+when it's done, neither after vfs_poll() or in the poll completion
+handler. We should remove the second poll wait entry.
+And we use io_poll_remove_double() rather than io_poll_remove_waitqs()
+since the latter has some redundant logic.
+
+Fixes: 88e41cf928a6 ("io_uring: add multishot mode for IORING_OP_POLL_ADD")
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Hao Xu <haoxu@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20210728030322.12307-1-haoxu@linux.alibaba.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -4924,7 +4924,6 @@ static bool io_poll_complete(struct io_k
+ if (req->poll.events & EPOLLONESHOT)
+ flags = 0;
+ if (!io_cqring_fill_event(ctx, req->user_data, error, flags)) {
+- io_poll_remove_waitqs(req);
+ req->poll.done = true;
+ flags = 0;
+ }
+@@ -4948,6 +4947,7 @@ static void io_poll_task_func(struct cal
+
+ done = io_poll_complete(req, req->result);
+ if (done) {
++ io_poll_remove_double(req);
+ hash_del(&req->hash_node);
+ } else {
+ req->result = 0;
+@@ -5136,7 +5136,7 @@ static __poll_t __io_arm_poll_handler(st
+ ipt->error = -EINVAL;
+
+ spin_lock_irq(&ctx->completion_lock);
+- if (ipt->error)
++ if (ipt->error || (mask && (poll->events & EPOLLONESHOT)))
+ io_poll_remove_double(req);
+ if (likely(poll->head)) {
+ spin_lock(&poll->head->lock);
+@@ -5207,7 +5207,6 @@ static bool io_arm_poll_handler(struct i
+ ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask,
+ io_async_wake);
+ if (ret || ipt.error) {
+- io_poll_remove_double(req);
+ spin_unlock_irq(&ctx->completion_lock);
+ return false;
+ }
--- /dev/null
+From 8750f9bbda115f3f79bfe43be85551ee5e12b6ff Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 27 Jul 2021 08:43:10 -0400
+Subject: KVM: add missing compat KVM_CLEAR_DIRTY_LOG
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 8750f9bbda115f3f79bfe43be85551ee5e12b6ff upstream.
+
+The arguments to the KVM_CLEAR_DIRTY_LOG ioctl include a pointer,
+therefore it needs a compat ioctl implementation. Otherwise,
+32-bit userspace fails to invoke it on 64-bit kernels; for x86
+it might work fine by chance if the padding is zero, but not
+on big-endian architectures.
+
+Reported-by: Thomas Sattler
+Cc: stable@vger.kernel.org
+Fixes: 2a31b9db1535 ("kvm: introduce manual dirty log reprotect")
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/kvm_main.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -4183,6 +4183,16 @@ struct compat_kvm_dirty_log {
+ };
+ };
+
++struct compat_kvm_clear_dirty_log {
++ __u32 slot;
++ __u32 num_pages;
++ __u64 first_page;
++ union {
++ compat_uptr_t dirty_bitmap; /* one bit per page */
++ __u64 padding2;
++ };
++};
++
+ static long kvm_vm_compat_ioctl(struct file *filp,
+ unsigned int ioctl, unsigned long arg)
+ {
+@@ -4192,6 +4202,24 @@ static long kvm_vm_compat_ioctl(struct f
+ if (kvm->mm != current->mm)
+ return -EIO;
+ switch (ioctl) {
++#ifdef CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT
++ case KVM_CLEAR_DIRTY_LOG: {
++ struct compat_kvm_clear_dirty_log compat_log;
++ struct kvm_clear_dirty_log log;
++
++ if (copy_from_user(&compat_log, (void __user *)arg,
++ sizeof(compat_log)))
++ return -EFAULT;
++ log.slot = compat_log.slot;
++ log.num_pages = compat_log.num_pages;
++ log.first_page = compat_log.first_page;
++ log.padding2 = compat_log.padding2;
++ log.dirty_bitmap = compat_ptr(compat_log.dirty_bitmap);
++
++ r = kvm_vm_ioctl_clear_dirty_log(kvm, &log);
++ break;
++ }
++#endif
+ case KVM_GET_DIRTY_LOG: {
+ struct compat_kvm_dirty_log compat_log;
+ struct kvm_dirty_log log;
--- /dev/null
+From 121dffe20b141c9b27f39d49b15882469cbebae7 Mon Sep 17 00:00:00 2001
+From: Wang Hai <wanghai38@huawei.com>
+Date: Thu, 29 Jul 2021 14:53:54 -0700
+Subject: mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+commit 121dffe20b141c9b27f39d49b15882469cbebae7 upstream.
+
+When I use kfree_rcu() to free a large memory allocated by kmalloc_node(),
+the following dump occurs.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000020
+ [...]
+ Oops: 0000 [#1] SMP
+ [...]
+ Workqueue: events kfree_rcu_work
+ RIP: 0010:__obj_to_index include/linux/slub_def.h:182 [inline]
+ RIP: 0010:obj_to_index include/linux/slub_def.h:191 [inline]
+ RIP: 0010:memcg_slab_free_hook+0x120/0x260 mm/slab.h:363
+ [...]
+ Call Trace:
+ kmem_cache_free_bulk+0x58/0x630 mm/slub.c:3293
+ kfree_bulk include/linux/slab.h:413 [inline]
+ kfree_rcu_work+0x1ab/0x200 kernel/rcu/tree.c:3300
+ process_one_work+0x207/0x530 kernel/workqueue.c:2276
+ worker_thread+0x320/0x610 kernel/workqueue.c:2422
+ kthread+0x13d/0x160 kernel/kthread.c:313
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
+
+When kmalloc_node() a large memory, page is allocated, not slab, so when
+freeing memory via kfree_rcu(), this large memory should not be used by
+memcg_slab_free_hook(), because memcg_slab_free_hook() is is used for
+slab.
+
+Using page_objcgs_check() instead of page_objcgs() in
+memcg_slab_free_hook() to fix this bug.
+
+Link: https://lkml.kernel.org/r/20210728145655.274476-1-wanghai38@huawei.com
+Fixes: 270c6a71460e ("mm: memcontrol/slab: Use helpers to access slab page's memcg_data")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Roman Gushchin <guro@fb.com>
+Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reviewed-by: Muchun Song <songmuchun@bytedance.com>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slab.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -350,7 +350,7 @@ static inline void memcg_slab_free_hook(
+ continue;
+
+ page = virt_to_head_page(p[i]);
+- objcgs = page_objcgs(page);
++ objcgs = page_objcgs_check(page);
+ if (!objcgs)
+ continue;
+
--- /dev/null
+From 30def93565e5ba08676aa2b9083f253fc586dbed Mon Sep 17 00:00:00 2001
+From: Johannes Weiner <hannes@cmpxchg.org>
+Date: Thu, 29 Jul 2021 14:53:44 -0700
+Subject: mm: memcontrol: fix blocking rstat function called from atomic cgroup1 thresholding code
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+commit 30def93565e5ba08676aa2b9083f253fc586dbed upstream.
+
+Dan Carpenter reports:
+
+ The patch 2d146aa3aa84: "mm: memcontrol: switch to rstat" from Apr
+ 29, 2021, leads to the following static checker warning:
+
+ kernel/cgroup/rstat.c:200 cgroup_rstat_flush()
+ warn: sleeping in atomic context
+
+ mm/memcontrol.c
+ 3572 static unsigned long mem_cgroup_usage(struct mem_cgroup *memcg, bool swap)
+ 3573 {
+ 3574 unsigned long val;
+ 3575
+ 3576 if (mem_cgroup_is_root(memcg)) {
+ 3577 cgroup_rstat_flush(memcg->css.cgroup);
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+ This is from static analysis and potentially a false positive. The
+ problem is that mem_cgroup_usage() is called from __mem_cgroup_threshold()
+ which holds an rcu_read_lock(). And the cgroup_rstat_flush() function
+ can sleep.
+
+ 3578 val = memcg_page_state(memcg, NR_FILE_PAGES) +
+ 3579 memcg_page_state(memcg, NR_ANON_MAPPED);
+ 3580 if (swap)
+ 3581 val += memcg_page_state(memcg, MEMCG_SWAP);
+ 3582 } else {
+ 3583 if (!swap)
+ 3584 val = page_counter_read(&memcg->memory);
+ 3585 else
+ 3586 val = page_counter_read(&memcg->memsw);
+ 3587 }
+ 3588 return val;
+ 3589 }
+
+__mem_cgroup_threshold() indeed holds the rcu lock. In addition, the
+thresholding code is invoked during stat changes, and those contexts
+have irqs disabled as well. If the lock breaking occurs inside the
+flush function, it will result in a sleep from an atomic context.
+
+Use the irqsafe flushing variant in mem_cgroup_usage() to fix this.
+
+Link: https://lkml.kernel.org/r/20210726150019.251820-1-hannes@cmpxchg.org
+Fixes: 2d146aa3aa84 ("mm: memcontrol: switch to rstat")
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Chris Down <chris@chrisdown.name>
+Reviewed-by: Rik van Riel <riel@surriel.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memcontrol.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -3394,7 +3394,8 @@ static unsigned long mem_cgroup_usage(st
+ unsigned long val;
+
+ if (mem_cgroup_is_root(memcg)) {
+- cgroup_rstat_flush(memcg->css.cgroup);
++ /* mem_cgroup_threshold() calls here from irqsafe context */
++ cgroup_rstat_flush_irqsafe(memcg->css.cgroup);
+ val = memcg_page_state(memcg, NR_FILE_PAGES) +
+ memcg_page_state(memcg, NR_ANON_MAPPED);
+ if (swap)
--- /dev/null
+From 94cbe7db7d757c2d481c3617ab5579a28cfc2175 Mon Sep 17 00:00:00 2001
+From: Mohammad Athari Bin Ismail <mohammad.athari.ismail@intel.com>
+Date: Mon, 26 Jul 2021 10:20:20 +0800
+Subject: net: stmmac: add est_irq_status callback function for GMAC 4.10 and 5.10
+
+From: Mohammad Athari Bin Ismail <mohammad.athari.ismail@intel.com>
+
+commit 94cbe7db7d757c2d481c3617ab5579a28cfc2175 upstream.
+
+Assign dwmac5_est_irq_status to est_irq_status callback function for
+GMAC 4.10 and 5.10. With this, EST related interrupts could be handled
+properly.
+
+Fixes: e49aa315cb01 ("net: stmmac: EST interrupts handling and error reporting")
+Cc: <stable@vger.kernel.org> # 5.13.x
+Signed-off-by: Mohammad Athari Bin Ismail <mohammad.athari.ismail@intel.com>
+Acked-by: Wong Vee Khee <vee.khee.wong@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -1249,6 +1249,7 @@ const struct stmmac_ops dwmac410_ops = {
+ .config_l3_filter = dwmac4_config_l3_filter,
+ .config_l4_filter = dwmac4_config_l4_filter,
+ .est_configure = dwmac5_est_configure,
++ .est_irq_status = dwmac5_est_irq_status,
+ .fpe_configure = dwmac5_fpe_configure,
+ .fpe_send_mpacket = dwmac5_fpe_send_mpacket,
+ .fpe_irq_status = dwmac5_fpe_irq_status,
+@@ -1300,6 +1301,7 @@ const struct stmmac_ops dwmac510_ops = {
+ .config_l3_filter = dwmac4_config_l3_filter,
+ .config_l4_filter = dwmac4_config_l4_filter,
+ .est_configure = dwmac5_est_configure,
++ .est_irq_status = dwmac5_est_irq_status,
+ .fpe_configure = dwmac5_fpe_configure,
+ .fpe_send_mpacket = dwmac5_fpe_send_mpacket,
+ .fpe_irq_status = dwmac5_fpe_irq_status,
--- /dev/null
+From 5e7b30d24a5b8cb691c173b45b50e3ca0191be19 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Date: Wed, 28 Jul 2021 08:49:09 +0200
+Subject: nfc: nfcsim: fix use after free during module unload
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+commit 5e7b30d24a5b8cb691c173b45b50e3ca0191be19 upstream.
+
+There is a use after free memory corruption during module exit:
+ - nfcsim_exit()
+ - nfcsim_device_free(dev0)
+ - nfc_digital_unregister_device()
+ This iterates over command queue and frees all commands,
+ - dev->up = false
+ - nfcsim_link_shutdown()
+ - nfcsim_link_recv_wake()
+ This wakes the sleeping thread nfcsim_link_recv_skb().
+
+ - nfcsim_link_recv_skb()
+ Wake from wait_event_interruptible_timeout(),
+ call directly the deb->cb callback even though (dev->up == false),
+ - digital_send_cmd_complete()
+ Dereference of "struct digital_cmd" cmd which was freed earlier by
+ nfc_digital_unregister_device().
+
+This causes memory corruption shortly after (with unrelated stack
+trace):
+
+ nfc nfc0: NFC: nfcsim_recv_wq: Device is down
+ llcp: nfc_llcp_recv: err -19
+ nfc nfc1: NFC: nfcsim_recv_wq: Device is down
+ BUG: unable to handle page fault for address: ffffffffffffffed
+ Call Trace:
+ fsnotify+0x54b/0x5c0
+ __fsnotify_parent+0x1fe/0x300
+ ? vfs_write+0x27c/0x390
+ vfs_write+0x27c/0x390
+ ksys_write+0x63/0xe0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+KASAN report:
+
+ BUG: KASAN: use-after-free in digital_send_cmd_complete+0x16/0x50
+ Write of size 8 at addr ffff88800a05f720 by task kworker/0:2/71
+ Workqueue: events nfcsim_recv_wq [nfcsim]
+ Call Trace:
+ Â dump_stack_lvl+0x45/0x59
+ Â print_address_description.constprop.0+0x21/0x140
+ Â ? digital_send_cmd_complete+0x16/0x50
+ Â ? digital_send_cmd_complete+0x16/0x50
+ Â kasan_report.cold+0x7f/0x11b
+ Â ? digital_send_cmd_complete+0x16/0x50
+ Â ? digital_dep_link_down+0x60/0x60
+ Â digital_send_cmd_complete+0x16/0x50
+ Â nfcsim_recv_wq+0x38f/0x3d5 [nfcsim]
+ Â ? nfcsim_in_send_cmd+0x4a/0x4a [nfcsim]
+ Â ? lock_is_held_type+0x98/0x110
+ Â ? finish_wait+0x110/0x110
+ Â ? rcu_read_lock_sched_held+0x9c/0xd0
+ Â ? rcu_read_lock_bh_held+0xb0/0xb0
+ Â ? lockdep_hardirqs_on_prepare+0x12e/0x1f0
+
+This flow of calling digital_send_cmd_complete() callback on driver exit
+is specific to nfcsim which implements reading and sending work queues.
+Since the NFC digital device was unregistered, the callback should not
+be called.
+
+Fixes: 204bddcb508f ("NFC: nfcsim: Make use of the Digital layer")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/nfcsim.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/nfc/nfcsim.c
++++ b/drivers/nfc/nfcsim.c
+@@ -192,8 +192,7 @@ static void nfcsim_recv_wq(struct work_s
+
+ if (!IS_ERR(skb))
+ dev_kfree_skb(skb);
+-
+- skb = ERR_PTR(-ENODEV);
++ return;
+ }
+
+ dev->cb(dev->nfc_digital_dev, dev->arg, skb);
--- /dev/null
+From 15bbf8bb4d4ab87108ecf5f4155ec8ffa3c141d6 Mon Sep 17 00:00:00 2001
+From: Paul Jakma <paul@jakma.org>
+Date: Fri, 23 Jul 2021 16:13:04 +0100
+Subject: NIU: fix incorrect error return, missed in previous revert
+
+From: Paul Jakma <paul@jakma.org>
+
+commit 15bbf8bb4d4ab87108ecf5f4155ec8ffa3c141d6 upstream.
+
+Commit 7930742d6, reverting 26fd962, missed out on reverting an incorrect
+change to a return value. The niu_pci_vpd_scan_props(..) == 1 case appears
+to be a normal path - treating it as an error and return -EINVAL was
+breaking VPD_SCAN and causing the driver to fail to load.
+
+Fix, so my Neptune card works again.
+
+Cc: Kangjie Lu <kjlu@umn.edu>
+Cc: Shannon Nelson <shannon.lee.nelson@gmail.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable <stable@vger.kernel.org>
+Fixes: 7930742d ('Revert "niu: fix missing checks of niu_pci_eeprom_read"')
+Signed-off-by: Paul Jakma <paul@jakma.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sun/niu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/sun/niu.c
++++ b/drivers/net/ethernet/sun/niu.c
+@@ -8191,8 +8191,9 @@ static int niu_pci_vpd_fetch(struct niu
+ err = niu_pci_vpd_scan_props(np, here, end);
+ if (err < 0)
+ return err;
++ /* ret == 1 is not an error */
+ if (err == 1)
+- return -EINVAL;
++ return 0;
+ }
+ return 0;
+ }
--- /dev/null
+From f267aeb6dea5e468793e5b8eb6a9c72c0020d418 Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Thu, 29 Jul 2021 14:53:38 -0700
+Subject: ocfs2: fix zero out valid data
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit f267aeb6dea5e468793e5b8eb6a9c72c0020d418 upstream.
+
+If append-dio feature is enabled, direct-io write and fallocate could
+run in parallel to extend file size, fallocate used "orig_isize" to
+record i_size before taking "ip_alloc_sem", when
+ocfs2_zeroout_partial_cluster() zeroout EOF blocks, i_size maybe already
+extended by ocfs2_dio_end_io_write(), that will cause valid data zeroed
+out.
+
+Link: https://lkml.kernel.org/r/20210722054923.24389-1-junxiao.bi@oracle.com
+Fixes: 6bba4471f0cc ("ocfs2: fix data corruption by fallocate")
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -1935,7 +1935,6 @@ static int __ocfs2_change_file_space(str
+ goto out_inode_unlock;
+ }
+
+- orig_isize = i_size_read(inode);
+ switch (sr->l_whence) {
+ case 0: /*SEEK_SET*/
+ break;
+@@ -1943,7 +1942,7 @@ static int __ocfs2_change_file_space(str
+ sr->l_start += f_pos;
+ break;
+ case 2: /*SEEK_END*/
+- sr->l_start += orig_isize;
++ sr->l_start += i_size_read(inode);
+ break;
+ default:
+ ret = -EINVAL;
+@@ -1998,6 +1997,7 @@ static int __ocfs2_change_file_space(str
+ ret = -EINVAL;
+ }
+
++ orig_isize = i_size_read(inode);
+ /* zeroout eof blocks in the cluster. */
+ if (!ret && change_size && orig_isize < size) {
+ ret = ocfs2_zeroout_partial_cluster(inode, orig_isize,
--- /dev/null
+From 9449ad33be8480f538b11a593e2dda2fb33ca06d Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Thu, 29 Jul 2021 14:53:41 -0700
+Subject: ocfs2: issue zeroout to EOF blocks
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit 9449ad33be8480f538b11a593e2dda2fb33ca06d upstream.
+
+For punch holes in EOF blocks, fallocate used buffer write to zero the
+EOF blocks in last cluster. But since ->writepage will ignore EOF
+pages, those zeros will not be flushed.
+
+This "looks" ok as commit 6bba4471f0cc ("ocfs2: fix data corruption by
+fallocate") will zero the EOF blocks when extend the file size, but it
+isn't. The problem happened on those EOF pages, before writeback, those
+pages had DIRTY flag set and all buffer_head in them also had DIRTY flag
+set, when writeback run by write_cache_pages(), DIRTY flag on the page
+was cleared, but DIRTY flag on the buffer_head not.
+
+When next write happened to those EOF pages, since buffer_head already
+had DIRTY flag set, it would not mark page DIRTY again. That made
+writeback ignore them forever. That will cause data corruption. Even
+directio write can't work because it will fail when trying to drop pages
+caches before direct io, as it found the buffer_head for those pages
+still had DIRTY flag set, then it will fall back to buffer io mode.
+
+To make a summary of the issue, as writeback ingores EOF pages, once any
+EOF page is generated, any write to it will only go to the page cache,
+it will never be flushed to disk even file size extends and that page is
+not EOF page any more. The fix is to avoid zero EOF blocks with buffer
+write.
+
+The following code snippet from qemu-img could trigger the corruption.
+
+ 656 open("6b3711ae-3306-4bdd-823c-cf1c0060a095.conv.2", O_RDWR|O_DIRECT|O_CLOEXEC) = 11
+ ...
+ 660 fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2275868672, 327680 <unfinished ...>
+ 660 fallocate(11, 0, 2275868672, 327680) = 0
+ 658 pwrite64(11, "
+
+Link: https://lkml.kernel.org/r/20210722054923.24389-2-junxiao.bi@oracle.com
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/file.c | 99 +++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 60 insertions(+), 39 deletions(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -1529,6 +1529,45 @@ static void ocfs2_truncate_cluster_pages
+ }
+ }
+
++/*
++ * zero out partial blocks of one cluster.
++ *
++ * start: file offset where zero starts, will be made upper block aligned.
++ * len: it will be trimmed to the end of current cluster if "start + len"
++ * is bigger than it.
++ */
++static int ocfs2_zeroout_partial_cluster(struct inode *inode,
++ u64 start, u64 len)
++{
++ int ret;
++ u64 start_block, end_block, nr_blocks;
++ u64 p_block, offset;
++ u32 cluster, p_cluster, nr_clusters;
++ struct super_block *sb = inode->i_sb;
++ u64 end = ocfs2_align_bytes_to_clusters(sb, start);
++
++ if (start + len < end)
++ end = start + len;
++
++ start_block = ocfs2_blocks_for_bytes(sb, start);
++ end_block = ocfs2_blocks_for_bytes(sb, end);
++ nr_blocks = end_block - start_block;
++ if (!nr_blocks)
++ return 0;
++
++ cluster = ocfs2_bytes_to_clusters(sb, start);
++ ret = ocfs2_get_clusters(inode, cluster, &p_cluster,
++ &nr_clusters, NULL);
++ if (ret)
++ return ret;
++ if (!p_cluster)
++ return 0;
++
++ offset = start_block - ocfs2_clusters_to_blocks(sb, cluster);
++ p_block = ocfs2_clusters_to_blocks(sb, p_cluster) + offset;
++ return sb_issue_zeroout(sb, p_block, nr_blocks, GFP_NOFS);
++}
++
+ static int ocfs2_zero_partial_clusters(struct inode *inode,
+ u64 start, u64 len)
+ {
+@@ -1538,6 +1577,7 @@ static int ocfs2_zero_partial_clusters(s
+ struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
+ unsigned int csize = osb->s_clustersize;
+ handle_t *handle;
++ loff_t isize = i_size_read(inode);
+
+ /*
+ * The "start" and "end" values are NOT necessarily part of
+@@ -1558,6 +1598,26 @@ static int ocfs2_zero_partial_clusters(s
+ if ((start & (csize - 1)) == 0 && (end & (csize - 1)) == 0)
+ goto out;
+
++ /* No page cache for EOF blocks, issue zero out to disk. */
++ if (end > isize) {
++ /*
++ * zeroout eof blocks in last cluster starting from
++ * "isize" even "start" > "isize" because it is
++ * complicated to zeroout just at "start" as "start"
++ * may be not aligned with block size, buffer write
++ * would be required to do that, but out of eof buffer
++ * write is not supported.
++ */
++ ret = ocfs2_zeroout_partial_cluster(inode, isize,
++ end - isize);
++ if (ret) {
++ mlog_errno(ret);
++ goto out;
++ }
++ if (start >= isize)
++ goto out;
++ end = isize;
++ }
+ handle = ocfs2_start_trans(osb, OCFS2_INODE_UPDATE_CREDITS);
+ if (IS_ERR(handle)) {
+ ret = PTR_ERR(handle);
+@@ -1856,45 +1916,6 @@ out:
+ }
+
+ /*
+- * zero out partial blocks of one cluster.
+- *
+- * start: file offset where zero starts, will be made upper block aligned.
+- * len: it will be trimmed to the end of current cluster if "start + len"
+- * is bigger than it.
+- */
+-static int ocfs2_zeroout_partial_cluster(struct inode *inode,
+- u64 start, u64 len)
+-{
+- int ret;
+- u64 start_block, end_block, nr_blocks;
+- u64 p_block, offset;
+- u32 cluster, p_cluster, nr_clusters;
+- struct super_block *sb = inode->i_sb;
+- u64 end = ocfs2_align_bytes_to_clusters(sb, start);
+-
+- if (start + len < end)
+- end = start + len;
+-
+- start_block = ocfs2_blocks_for_bytes(sb, start);
+- end_block = ocfs2_blocks_for_bytes(sb, end);
+- nr_blocks = end_block - start_block;
+- if (!nr_blocks)
+- return 0;
+-
+- cluster = ocfs2_bytes_to_clusters(sb, start);
+- ret = ocfs2_get_clusters(inode, cluster, &p_cluster,
+- &nr_clusters, NULL);
+- if (ret)
+- return ret;
+- if (!p_cluster)
+- return 0;
+-
+- offset = start_block - ocfs2_clusters_to_blocks(sb, cluster);
+- p_block = ocfs2_clusters_to_blocks(sb, p_cluster) + offset;
+- return sb_issue_zeroout(sb, p_block, nr_blocks, GFP_NOFS);
+-}
+-
+-/*
+ * Parts of this function taken from xfs_change_file_space()
+ */
+ static int __ocfs2_change_file_space(struct file *file, struct inode *inode,
--- /dev/null
+From 3a34b13a88caeb2800ab44a4918f230041b37dd9 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 30 Jul 2021 15:42:34 -0700
+Subject: pipe: make pipe writes always wake up readers
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3a34b13a88caeb2800ab44a4918f230041b37dd9 upstream.
+
+Since commit 1b6b26ae7053 ("pipe: fix and clarify pipe write wakeup
+logic") we have sanitized the pipe write logic, and would only try to
+wake up readers if they needed it.
+
+In particular, if the pipe already had data in it before the write,
+there was no point in trying to wake up a reader, since any existing
+readers must have been aware of the pre-existing data already. Doing
+extraneous wakeups will only cause potential thundering herd problems.
+
+However, it turns out that some Android libraries have misused the EPOLL
+interface, and expected "edge triggered" be to "any new write will
+trigger it". Even if there was no edge in sight.
+
+Quoting Sandeep Patil:
+ "The commit 1b6b26ae7053 ('pipe: fix and clarify pipe write wakeup
+ logic') changed pipe write logic to wakeup readers only if the pipe
+ was empty at the time of write. However, there are libraries that
+ relied upon the older behavior for notification scheme similar to
+ what's described in [1]
+
+ One such library 'realm-core'[2] is used by numerous Android
+ applications. The library uses a similar notification mechanism as GNU
+ Make but it never drains the pipe until it is full. When Android moved
+ to v5.10 kernel, all applications using this library stopped working.
+
+ The library has since been fixed[3] but it will be a while before all
+ applications incorporate the updated library"
+
+Our regression rule for the kernel is that if applications break from
+new behavior, it's a regression, even if it was because the application
+did something patently wrong. Also note the original report [4] by
+Michal Kerrisk about a test for this epoll behavior - but at that point
+we didn't know of any actual broken use case.
+
+So add the extraneous wakeup, to approximate the old behavior.
+
+[ I say "approximate", because the exact old behavior was to do a wakeup
+ not for each write(), but for each pipe buffer chunk that was filled
+ in. The behavior introduced by this change is not that - this is just
+ "every write will cause a wakeup, whether necessary or not", which
+ seems to be sufficient for the broken library use. ]
+
+It's worth noting that this adds the extraneous wakeup only for the
+write side, while the read side still considers the "edge" to be purely
+about reading enough from the pipe to allow further writes.
+
+See commit f467a6a66419 ("pipe: fix and clarify pipe read wakeup logic")
+for the pipe read case, which remains that "only wake up if the pipe was
+full, and we read something from it".
+
+Link: https://lore.kernel.org/lkml/CAHk-=wjeG0q1vgzu4iJhW5juPkTsjTYmiqiMUYAebWW+0bam6w@mail.gmail.com/ [1]
+Link: https://github.com/realm/realm-core [2]
+Link: https://github.com/realm/realm-core/issues/4666 [3]
+Link: https://lore.kernel.org/lkml/CAKgNAkjMBGeAwF=2MKK758BhxvW58wYTgYKB2V-gY1PwXxrH+Q@mail.gmail.com/ [4]
+Link: https://lore.kernel.org/lkml/20210729222635.2937453-1-sspatil@android.com/
+Reported-by: Sandeep Patil <sspatil@android.com>
+Cc: Michael Kerrisk <mtk.manpages@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/pipe.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -429,20 +429,20 @@ pipe_write(struct kiocb *iocb, struct io
+ #endif
+
+ /*
+- * Only wake up if the pipe started out empty, since
+- * otherwise there should be no readers waiting.
++ * Epoll nonsensically wants a wakeup whether the pipe
++ * was already empty or not.
+ *
+ * If it wasn't empty we try to merge new data into
+ * the last buffer.
+ *
+ * That naturally merges small writes, but it also
+- * page-aligs the rest of the writes for large writes
++ * page-aligns the rest of the writes for large writes
+ * spanning multiple pages.
+ */
+ head = pipe->head;
+- was_empty = pipe_empty(head, pipe->tail);
++ was_empty = true;
+ chars = total_len & (PAGE_SIZE-1);
+- if (chars && !was_empty) {
++ if (chars && !pipe_empty(head, pipe->tail)) {
+ unsigned int mask = pipe->ring_size - 1;
+ struct pipe_buffer *buf = &pipe->bufs[(head - 1) & mask];
+ int offset = buf->offset + buf->len;
--- /dev/null
+From e0eef3690dc66b3ecc6e0f1267f332403eb22bea Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Wed, 28 Jul 2021 23:19:58 +0800
+Subject: Revert "ACPI: resources: Add checks for ACPI IRQ override"
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit e0eef3690dc66b3ecc6e0f1267f332403eb22bea upstream.
+
+The commit 0ec4e55e9f57 ("ACPI: resources: Add checks for ACPI IRQ
+override") introduces regression on some platforms, at least it makes
+the UART can't get correct irq setting on two different platforms,
+and it makes the kernel can't bootup on these two platforms.
+
+This reverts commit 0ec4e55e9f571f08970ed115ec0addc691eda613.
+
+Regression-discuss: https://bugzilla.kernel.org/show_bug.cgi?id=213031
+Reported-by: PGNd <pgnet.dev@gmail.com>
+Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/resource.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -423,13 +423,6 @@ static void acpi_dev_get_irqresource(str
+ }
+ }
+
+-static bool irq_is_legacy(struct acpi_resource_irq *irq)
+-{
+- return irq->triggering == ACPI_EDGE_SENSITIVE &&
+- irq->polarity == ACPI_ACTIVE_HIGH &&
+- irq->shareable == ACPI_EXCLUSIVE;
+-}
+-
+ /**
+ * acpi_dev_resource_interrupt - Extract ACPI interrupt resource information.
+ * @ares: Input ACPI resource object.
+@@ -468,7 +461,7 @@ bool acpi_dev_resource_interrupt(struct
+ }
+ acpi_dev_get_irqresource(res, irq->interrupts[index],
+ irq->triggering, irq->polarity,
+- irq->shareable, irq_is_legacy(irq));
++ irq->shareable, true);
+ break;
+ case ACPI_RESOURCE_TYPE_EXTENDED_IRQ:
+ ext_irq = &ares->data.extended_irq;
--- /dev/null
+pipe-make-pipe-writes-always-wake-up-readers.patch
+fs-ext2-avoid-page_address-on-pages-returned-by-ext2_get_page.patch
+btrfs-fix-lost-inode-on-log-replay-after-mix-of-fsync-rename-and-inode-eviction.patch
+btrfs-fix-rw-device-counting-in-__btrfs_free_extra_devids.patch
+btrfs-mark-compressed-range-uptodate-only-if-all-bio-succeed.patch
+revert-acpi-resources-add-checks-for-acpi-irq-override.patch
+acpi-dptf-fix-reading-of-attributes.patch
+x86-kvm-fix-vcpu-id-indexed-array-sizes.patch
+kvm-add-missing-compat-kvm_clear_dirty_log.patch
+ocfs2-fix-zero-out-valid-data.patch
+ocfs2-issue-zeroout-to-eof-blocks.patch
+mm-memcontrol-fix-blocking-rstat-function-called-from-atomic-cgroup1-thresholding-code.patch
+mm-memcg-fix-null-pointer-dereference-in-memcg_slab_free_hook.patch
+can-j1939-j1939_xtp_rx_dat_one-fix-rxtimer-value-between-consecutive-tp.dt-to-750ms.patch
+can-raw-raw_setsockopt-fix-raw_rcv-panic-for-sock-uaf.patch
+can-peak_usb-pcan_usb_handle_bus_evt-fix-reading-rxerr-txerr-values.patch
+can-mcba_usb_start-add-missing-urb-transfer_dma-initialization.patch
+can-usb_8dev-fix-memory-leak.patch
+can-ems_usb-fix-memory-leak.patch
+can-esd_usb2-fix-memory-leak.patch
+alpha-register-early-reserved-memory-in-memblock.patch
+hid-wacom-re-enable-touch-by-default-for-cintiq-24hdt-27qhdt.patch
+net-stmmac-add-est_irq_status-callback-function-for-gmac-4.10-and-5.10.patch
+niu-fix-incorrect-error-return-missed-in-previous-revert.patch
+drm-amd-display-ensure-dentist-display-clock-update-finished-in-dcn20.patch
+drm-amdgpu-check-pmops-for-desired-suspend-state.patch
+drm-amdgpu-avoid-printing-of-stack-contents-on-firmware-load-error.patch
+drm-amdgpu-fix-resource-leak-on-probe-error-path.patch
+blk-iocost-fix-operation-ordering-in-iocg_wake_fn.patch
+nfc-nfcsim-fix-use-after-free-during-module-unload.patch
+io_uring-fix-io_prep_async_link-locking.patch
+io_uring-don-t-block-level-reissue-off-completion-path.patch
+io_uring-fix-poll-requests-leaking-second-poll-entries.patch
--- /dev/null
+From 76b4f357d0e7d8f6f0013c733e6cba1773c266d3 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Thu, 1 Jul 2021 17:41:00 +0200
+Subject: x86/kvm: fix vcpu-id indexed array sizes
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 76b4f357d0e7d8f6f0013c733e6cba1773c266d3 upstream.
+
+KVM_MAX_VCPU_ID is the maximum vcpu-id of a guest, and not the number
+of vcpu-ids. Fix array indexed by vcpu-id to have KVM_MAX_VCPU_ID+1
+elements.
+
+Note that this is currently no real problem, as KVM_MAX_VCPU_ID is
+an odd number, resulting in always enough padding being available at
+the end of those arrays.
+
+Nevertheless this should be fixed in order to avoid rare problems in
+case someone is using an even number for KVM_MAX_VCPU_ID.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Message-Id: <20210701154105.23215-2-jgross@suse.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/ioapic.c | 2 +-
+ arch/x86/kvm/ioapic.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -96,7 +96,7 @@ static unsigned long ioapic_read_indirec
+ static void rtc_irq_eoi_tracking_reset(struct kvm_ioapic *ioapic)
+ {
+ ioapic->rtc_status.pending_eoi = 0;
+- bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPU_ID);
++ bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPU_ID + 1);
+ }
+
+ static void kvm_rtc_eoi_tracking_restore_all(struct kvm_ioapic *ioapic);
+--- a/arch/x86/kvm/ioapic.h
++++ b/arch/x86/kvm/ioapic.h
+@@ -43,13 +43,13 @@ struct kvm_vcpu;
+
+ struct dest_map {
+ /* vcpu bitmap where IRQ has been sent */
+- DECLARE_BITMAP(map, KVM_MAX_VCPU_ID);
++ DECLARE_BITMAP(map, KVM_MAX_VCPU_ID + 1);
+
+ /*
+ * Vector sent to a given vcpu, only valid when
+ * the vcpu's bit in map is set
+ */
+- u8 vectors[KVM_MAX_VCPU_ID];
++ u8 vectors[KVM_MAX_VCPU_ID + 1];
+ };
+
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
