--- /dev/null
+From 09b1d5dc6ce1c9151777f6c4e128a59457704c97 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 25 Oct 2021 13:31:12 +0200
+Subject: cfg80211: fix management registrations locking
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 09b1d5dc6ce1c9151777f6c4e128a59457704c97 upstream.
+
+The management registrations locking was broken, the list was
+locked for each wdev, but cfg80211_mgmt_registrations_update()
+iterated it without holding all the correct spinlocks, causing
+list corruption.
+
+Rather than trying to fix it with fine-grained locking, just
+move the lock to the wiphy/rdev (still need the list on each
+wdev), we already need to hold the wdev lock to change it, so
+there's no contention on the lock in any case. This trivially
+fixes the bug since we hold one wdev's lock already, and now
+will hold the lock that protects all lists.
+
+Cc: stable@vger.kernel.org
+Reported-by: Jouni Malinen <j@w1.fi>
+Fixes: 6cd536fe62ef ("cfg80211: change internal management frame registration API")
+Link: https://lore.kernel.org/r/20211025133111.5cf733eab0f4.I7b0abb0494ab712f74e2efcd24bb31ac33f7eee9@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/cfg80211.h | 2 --
+ net/wireless/core.c | 2 +-
+ net/wireless/core.h | 2 ++
+ net/wireless/mlme.c | 26 ++++++++++++++------------
+ 4 files changed, 17 insertions(+), 15 deletions(-)
+
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -5202,7 +5202,6 @@ struct cfg80211_cqm_config;
+ * netdev and may otherwise be used by driver read-only, will be update
+ * by cfg80211 on change_interface
+ * @mgmt_registrations: list of registrations for management frames
+- * @mgmt_registrations_lock: lock for the list
+ * @mgmt_registrations_need_update: mgmt registrations were updated,
+ * need to propagate the update to the driver
+ * @mtx: mutex used to lock data in this struct, may be used by drivers
+@@ -5249,7 +5248,6 @@ struct wireless_dev {
+ u32 identifier;
+
+ struct list_head mgmt_registrations;
+- spinlock_t mgmt_registrations_lock;
+ u8 mgmt_registrations_need_update:1;
+
+ struct mutex mtx;
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -501,6 +501,7 @@ use_default_name:
+ INIT_WORK(&rdev->propagate_cac_done_wk, cfg80211_propagate_cac_done_wk);
+ INIT_WORK(&rdev->mgmt_registrations_update_wk,
+ cfg80211_mgmt_registrations_update_wk);
++ spin_lock_init(&rdev->mgmt_registrations_lock);
+
+ #ifdef CONFIG_CFG80211_DEFAULT_PS
+ rdev->wiphy.flags |= WIPHY_FLAG_PS_ON_BY_DEFAULT;
+@@ -1256,7 +1257,6 @@ void cfg80211_init_wdev(struct wireless_
+ INIT_LIST_HEAD(&wdev->event_list);
+ spin_lock_init(&wdev->event_lock);
+ INIT_LIST_HEAD(&wdev->mgmt_registrations);
+- spin_lock_init(&wdev->mgmt_registrations_lock);
+ INIT_LIST_HEAD(&wdev->pmsr_list);
+ spin_lock_init(&wdev->pmsr_lock);
+ INIT_WORK(&wdev->pmsr_free_wk, cfg80211_pmsr_free_wk);
+--- a/net/wireless/core.h
++++ b/net/wireless/core.h
+@@ -101,6 +101,8 @@ struct cfg80211_registered_device {
+ struct work_struct propagate_cac_done_wk;
+
+ struct work_struct mgmt_registrations_update_wk;
++ /* lock for all wdev lists */
++ spinlock_t mgmt_registrations_lock;
+
+ /* must be last because of the way we do wiphy_priv(),
+ * and it should at least be aligned to NETDEV_ALIGN */
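Review bot: The new comment on `mgmt_registrations_lock` in struct cfg80211_registered_device says only "lock for all wdev lists", which does not name the data it guards. Going by the mlme.c hunks, the lock covers each wdev's `mgmt_registrations` list and its `mgmt_registrations_need_update` bit, so I would write `/* protects mgmt_registrations and mgmt_registrations_need_update of every wdev on this wiphy */`. The kernel-doc entry for `@mgmt_registrations` in include/net/cfg80211.h loses its only locking hint with this change and could point at the rdev lock in the same words. The struct continues outside the hunk.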
+--- a/net/wireless/mlme.c
++++ b/net/wireless/mlme.c
+@@ -448,9 +448,9 @@ static void cfg80211_mgmt_registrations_
+
+ ASSERT_RTNL();
+
+- spin_lock_bh(&wdev->mgmt_registrations_lock);
++ spin_lock_bh(&rdev->mgmt_registrations_lock);
+ if (!wdev->mgmt_registrations_need_update) {
+- spin_unlock_bh(&wdev->mgmt_registrations_lock);
++ spin_unlock_bh(&rdev->mgmt_registrations_lock);
+ return;
+ }
+
+@@ -475,7 +475,7 @@ static void cfg80211_mgmt_registrations_
+ rcu_read_unlock();
+
+ wdev->mgmt_registrations_need_update = 0;
+- spin_unlock_bh(&wdev->mgmt_registrations_lock);
++ spin_unlock_bh(&rdev->mgmt_registrations_lock);
+
+ rdev_update_mgmt_frame_registrations(rdev, wdev, &upd);
+ }
+@@ -499,6 +499,7 @@ int cfg80211_mlme_register_mgmt(struct w
+ int match_len, bool multicast_rx,
+ struct netlink_ext_ack *extack)
+ {
++ struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
+ struct cfg80211_mgmt_registration *reg, *nreg;
+ int err = 0;
+ u16 mgmt_type;
+@@ -544,7 +545,7 @@ int cfg80211_mlme_register_mgmt(struct w
+ if (!nreg)
+ return -ENOMEM;
+
+- spin_lock_bh(&wdev->mgmt_registrations_lock);
++ spin_lock_bh(&rdev->mgmt_registrations_lock);
+
+ list_for_each_entry(reg, &wdev->mgmt_registrations, list) {
+ int mlen = min(match_len, reg->match_len);
+@@ -579,7 +580,7 @@ int cfg80211_mlme_register_mgmt(struct w
+ list_add(&nreg->list, &wdev->mgmt_registrations);
+ }
+ wdev->mgmt_registrations_need_update = 1;
+- spin_unlock_bh(&wdev->mgmt_registrations_lock);
++ spin_unlock_bh(&rdev->mgmt_registrations_lock);
+
+ cfg80211_mgmt_registrations_update(wdev);
+
+@@ -587,7 +588,7 @@ int cfg80211_mlme_register_mgmt(struct w
+
+ out:
+ kfree(nreg);
+- spin_unlock_bh(&wdev->mgmt_registrations_lock);
++ spin_unlock_bh(&rdev->mgmt_registrations_lock);
+
+ return err;
+ }
+@@ -598,7 +599,7 @@ void cfg80211_mlme_unregister_socket(str
+ struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
+ struct cfg80211_mgmt_registration *reg, *tmp;
+
+- spin_lock_bh(&wdev->mgmt_registrations_lock);
++ spin_lock_bh(&rdev->mgmt_registrations_lock);
+
+ list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) {
+ if (reg->nlportid != nlportid)
+@@ -611,7 +612,7 @@ void cfg80211_mlme_unregister_socket(str
+ schedule_work(&rdev->mgmt_registrations_update_wk);
+ }
+
+- spin_unlock_bh(&wdev->mgmt_registrations_lock);
++ spin_unlock_bh(&rdev->mgmt_registrations_lock);
+
+ if (nlportid && rdev->crit_proto_nlportid == nlportid) {
+ rdev->crit_proto_nlportid = 0;
+@@ -624,15 +625,16 @@ void cfg80211_mlme_unregister_socket(str
+
+ void cfg80211_mlme_purge_registrations(struct wireless_dev *wdev)
+ {
++ struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
+ struct cfg80211_mgmt_registration *reg, *tmp;
+
+- spin_lock_bh(&wdev->mgmt_registrations_lock);
++ spin_lock_bh(&rdev->mgmt_registrations_lock);
+ list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) {
+ list_del(®->list);
+ kfree(reg);
+ }
+ wdev->mgmt_registrations_need_update = 1;
+- spin_unlock_bh(&wdev->mgmt_registrations_lock);
++ spin_unlock_bh(&rdev->mgmt_registrations_lock);
+
+ cfg80211_mgmt_registrations_update(wdev);
+ }
+@@ -780,7 +782,7 @@ bool cfg80211_rx_mgmt_khz(struct wireles
+ data = buf + ieee80211_hdrlen(mgmt->frame_control);
+ data_len = len - ieee80211_hdrlen(mgmt->frame_control);
+
+- spin_lock_bh(&wdev->mgmt_registrations_lock);
++ spin_lock_bh(&rdev->mgmt_registrations_lock);
+
+ list_for_each_entry(reg, &wdev->mgmt_registrations, list) {
+ if (reg->frame_type != ftype)
+@@ -804,7 +806,7 @@ bool cfg80211_rx_mgmt_khz(struct wireles
+ break;
+ }
+
+- spin_unlock_bh(&wdev->mgmt_registrations_lock);
++ spin_unlock_bh(&rdev->mgmt_registrations_lock);
+
+ trace_cfg80211_return_bool(result);
+ return result;
--- /dev/null
+From a2083eeb119fb9307258baea9b7c243ca9a2e0b6 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 30 Sep 2021 13:11:21 +0200
+Subject: cfg80211: scan: fix RCU in cfg80211_add_nontrans_list()
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit a2083eeb119fb9307258baea9b7c243ca9a2e0b6 upstream.
+
+The SSID pointer is pointing to RCU protected data, so we
+need to have it under rcu_read_lock() for the entire use.
+Fix this.
+
+Cc: stable@vger.kernel.org
+Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
+Link: https://lore.kernel.org/r/20210930131120.6ddfc603aa1d.I2137344c4e2426525b1a8e4ce5fca82f8ecbfe7e@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/scan.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -418,14 +418,17 @@ cfg80211_add_nontrans_list(struct cfg802
+ }
+ ssid_len = ssid[1];
+ ssid = ssid + 2;
+- rcu_read_unlock();
+
+ /* check if nontrans_bss is in the list */
+ list_for_each_entry(bss, &trans_bss->nontrans_list, nontrans_list) {
+- if (is_bss(bss, nontrans_bss->bssid, ssid, ssid_len))
++ if (is_bss(bss, nontrans_bss->bssid, ssid, ssid_len)) {
++ rcu_read_unlock();
+ return 0;
++ }
+ }
+
++ rcu_read_unlock();
++
+ /* add to the list */
+ list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
+ return 0;
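Review bot: Nothing in cfg80211_add_nontrans_list() records why the RCU read-side section now extends past the list walk, so a later edit could move `rcu_read_unlock()` back above the loop. A comment above the loop such as `/* ssid points into RCU-protected data; hold the read lock until its last use in is_bss() */` would pin that down. With two unlock sites in the hunk (the early `return 0` and the one before `list_add_tail()`), a single exit label would also make it harder to add a return that leaves the section unbalanced. The function starts outside the hunk, so any earlier exits are not visible here.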
--- /dev/null
+From 5afa7898ab7a0ec9c28556a91df714bf3c2f725e Mon Sep 17 00:00:00 2001
+From: Thelford Williams <tdwilliamsiv@gmail.com>
+Date: Wed, 13 Oct 2021 16:04:13 -0400
+Subject: drm/amdgpu: fix out of bounds write
+
+From: Thelford Williams <tdwilliamsiv@gmail.com>
+
+commit 5afa7898ab7a0ec9c28556a91df714bf3c2f725e upstream.
+
+Size can be any value and is user controlled resulting in overwriting the
+40 byte array wr_buf with an arbitrary length of data from buf.
+
+Signed-off-by: Thelford Williams <tdwilliamsiv@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+@@ -264,7 +264,7 @@ static ssize_t dp_link_settings_write(st
+ if (!wr_buf)
+ return -ENOSPC;
+
+- if (parse_write_buffer_into_params(wr_buf, size,
++ if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
+ (long *)param, buf,
+ max_param_num,
+ ¶m_nums)) {
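Review bot: Passing `wr_buf_size` bounds the write into `wr_buf`, but the user-supplied `size` no longer reaches `parse_write_buffer_into_params()` at all, so the copy length is now fixed regardless of how much the caller actually wrote. The callee is not visible in this hunk; if it copies exactly the length it is given, clamping with `min_t(size_t, size, wr_buf_size)` (leaving room for a terminator if the parser needs one) would bound the copy on both the kernel and the user side. Any other caller in this file that still passes the raw `size` would carry the same overflow and needs the same change; none are visible here. dp_link_settings_write() begins and ends outside the hunk.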
--- /dev/null
+From 0db55f9a1bafbe3dac750ea669de9134922389b5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Wed, 20 Oct 2021 19:19:46 +0200
+Subject: drm/ttm: fix memleak in ttm_transfered_destroy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <christian.koenig@amd.com>
+
+commit 0db55f9a1bafbe3dac750ea669de9134922389b5 upstream.
+
+We need to cleanup the fences for ghost objects as well.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reported-by: Erhard F. <erhard_f@mailbox.org>
+Tested-by: Erhard F. <erhard_f@mailbox.org>
+Reviewed-by: Huang Rui <ray.huang@amd.com>
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=214029
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=214447
+CC: <stable@vger.kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211020173211.2247-1-christian.koenig@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/ttm/ttm_bo_util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/ttm/ttm_bo_util.c
++++ b/drivers/gpu/drm/ttm/ttm_bo_util.c
+@@ -322,6 +322,7 @@ static void ttm_transfered_destroy(struc
+ struct ttm_transfer_obj *fbo;
+
+ fbo = container_of(bo, struct ttm_transfer_obj, base);
++ dma_resv_fini(&fbo->base.base._resv);
+ ttm_bo_put(fbo->bo);
+ kfree(fbo);
+ }
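Review bot: The added `dma_resv_fini()` call in ttm_transfered_destroy() has no comment saying which object it tears down or why it must run before `kfree(fbo)`. Something like `/* the ghost object embeds its own reservation object; drop its fences before freeing */` would do. The call also reaches into `_resv` directly, and whether the ghost object's reservation pointer always refers to this embedded field is not visible here. That is worth confirming on every tree this is backported to, since finalising a reservation object that something else still uses would turn a leak fix into a use-after-free or double free.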
--- /dev/null
+From eac96c3efdb593df1a57bb5b95dbe037bfa9a522 Mon Sep 17 00:00:00 2001
+From: Yang Shi <shy828301@gmail.com>
+Date: Thu, 28 Oct 2021 14:36:11 -0700
+Subject: mm: filemap: check if THP has hwpoisoned subpage for PMD page fault
+
+From: Yang Shi <shy828301@gmail.com>
+
+commit eac96c3efdb593df1a57bb5b95dbe037bfa9a522 upstream.
+
+When handling shmem page fault the THP with corrupted subpage could be
+PMD mapped if certain conditions are satisfied. But kernel is supposed
+to send SIGBUS when trying to map hwpoisoned page.
+
+There are two paths which may do PMD map: fault around and regular
+fault.
+
+Before commit f9ce0be71d1f ("mm: Cleanup faultaround and finish_fault()
+codepaths") the thing was even worse in fault around path. The THP
+could be PMD mapped as long as the VMA fits regardless what subpage is
+accessed and corrupted. After this commit as long as head page is not
+corrupted the THP could be PMD mapped.
+
+In the regular fault path the THP could be PMD mapped as long as the
+corrupted page is not accessed and the VMA fits.
+
+This loophole could be fixed by iterating every subpage to check if any
+of them is hwpoisoned or not, but it is somewhat costly in page fault
+path.
+
+So introduce a new page flag called HasHWPoisoned on the first tail
+page. It indicates the THP has hwpoisoned subpage(s). It is set if any
+subpage of THP is found hwpoisoned by memory failure and after the
+refcount is bumped successfully, then cleared when the THP is freed or
+split.
+
+The soft offline path doesn't need this since soft offline handler just
+marks a subpage hwpoisoned when the subpage is migrated successfully.
+But shmem THP didn't get split then migrated at all.
+
+Link: https://lkml.kernel.org/r/20211020210755.23964-3-shy828301@gmail.com
+Fixes: 800d8c63b2e9 ("shmem: add huge pages support")
+Signed-off-by: Yang Shi <shy828301@gmail.com>
+Reviewed-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
+Suggested-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/page-flags.h | 23 +++++++++++++++++++++++
+ mm/huge_memory.c | 2 ++
+ mm/memory-failure.c | 14 ++++++++++++++
+ mm/memory.c | 9 +++++++++
+ mm/page_alloc.c | 4 +++-
+ 5 files changed, 51 insertions(+), 1 deletion(-)
+
+--- a/include/linux/page-flags.h
++++ b/include/linux/page-flags.h
+@@ -169,6 +169,15 @@ enum pageflags {
+ /* Compound pages. Stored in first tail page's flags */
+ PG_double_map = PG_workingset,
+
++#ifdef CONFIG_MEMORY_FAILURE
++ /*
++ * Compound pages. Stored in first tail page's flags.
++ * Indicates that at least one subpage is hwpoisoned in the
++ * THP.
++ */
++ PG_has_hwpoisoned = PG_mappedtodisk,
++#endif
++
+ /* non-lru isolated movable page */
+ PG_isolated = PG_reclaim,
+
+@@ -667,6 +676,20 @@ static inline int PageTransCompoundMap(s
+ atomic_read(compound_mapcount_ptr(head));
+ }
+
++#if defined(CONFIG_MEMORY_FAILURE) && defined(CONFIG_TRANSPARENT_HUGEPAGE)
++/*
++ * PageHasHWPoisoned indicates that at least one subpage is hwpoisoned in the
++ * compound page.
++ *
++ * This flag is set by hwpoison handler. Cleared by THP split or free page.
++ */
++PAGEFLAG(HasHWPoisoned, has_hwpoisoned, PF_SECOND)
++ TESTSCFLAG(HasHWPoisoned, has_hwpoisoned, PF_SECOND)
++#else
++PAGEFLAG_FALSE(HasHWPoisoned)
++ TESTSCFLAG_FALSE(HasHWPoisoned)
++#endif
++
+ /*
+ * PageTransTail returns true for both transparent huge pages
+ * and hugetlbfs pages, so it should only be called when it's known
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -2464,6 +2464,8 @@ static void __split_huge_page(struct pag
+ xa_lock(&swap_cache->i_pages);
+ }
+
++ ClearPageHasHWPoisoned(head);
++
+ for (i = nr - 1; i >= 1; i--) {
+ __split_huge_page_tail(head, i, lruvec, list);
+ /* Some pages can be beyond i_size: drop them from page cache */
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -1381,6 +1381,20 @@ int memory_failure(unsigned long pfn, in
+ }
+
+ if (PageTransHuge(hpage)) {
++ /*
++ * The flag must be set after the refcount is bumped
++ * otherwise it may race with THP split.
++ * And the flag can't be set in get_hwpoison_page() since
++ * it is called by soft offline too and it is just called
++ * for !MF_COUNT_INCREASE. So here seems to be the best
++ * place.
++ *
++ * Don't need care about the above error handling paths for
++ * get_hwpoison_page() since they handle either free page
++ * or unhandlable page. The refcount is bumped iff the
++ * page is a valid handlable page.
++ */
++ SetPageHasHWPoisoned(hpage);
+ if (try_to_split_thp_page(p, "Memory Failure") < 0) {
+ action_result(pfn, MF_MSG_UNSPLIT_THP, MF_IGNORED);
+ return -EBUSY;
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -3921,6 +3921,15 @@ vm_fault_t finish_fault(struct vm_fault
+ page = vmf->page;
+
+ /*
++ * Just backoff if any subpage of a THP is corrupted otherwise
++ * the corrupted page may mapped by PMD silently to escape the
++ * check. This kind of THP just can be PTE mapped. Access to
++ * the corrupted subpage should trigger SIGBUS as expected.
++ */
++ if (unlikely(PageHasHWPoisoned(page)))
++ return ret;
++
++ /*
+ * check even for read faults because we might have lost our CoWed
+ * page
+ */
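Review bot: `PageHasHWPoisoned(page)` in finish_fault() is applied to `vmf->page` with nothing visible that guarantees the page is a compound head. The accessor is declared with `PF_SECOND` in the page-flags.h hunk, so it reads the flag from the page after the one passed in; on an order-0 or tail page that would be an unrelated page's `PG_mappedtodisk` bit, or an assertion failure on debug builds. The early `return ret;` also skips whatever mapping the rest of the function performs, which seems at odds with the comment's "just can be PTE mapped" unless `ret` (declared outside the hunk) signals a fallback to the caller. I would move the test to the point where the PMD mapping is attempted, after the head page has been resolved, or at minimum guard it with `PageHead(page)`.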
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -1232,8 +1232,10 @@ static __always_inline bool free_pages_p
+
+ VM_BUG_ON_PAGE(compound && compound_order(page) != order, page);
+
+- if (compound)
++ if (compound) {
+ ClearPageDoubleMap(page);
++ ClearPageHasHWPoisoned(page);
++ }
+ for (i = 1; i < (1 << order); i++) {
+ if (compound)
+ bad += free_tail_pages_check(page, page + i);
--- /dev/null
+From 74c42e1baacf206338b1dd6b6199ac964512b5bb Mon Sep 17 00:00:00 2001
+From: Rongwei Wang <rongwei.wang@linux.alibaba.com>
+Date: Thu, 28 Oct 2021 14:36:27 -0700
+Subject: mm, thp: bail out early in collapse_file for writeback page
+
+From: Rongwei Wang <rongwei.wang@linux.alibaba.com>
+
+commit 74c42e1baacf206338b1dd6b6199ac964512b5bb upstream.
+
+Currently collapse_file does not explicitly check PG_writeback, instead,
+page_has_private and try_to_release_page are used to filter writeback
+pages. This does not work for xfs with blocksize equal to or larger
+than pagesize, because in such case xfs has no page->private.
+
+This makes collapse_file bail out early for writeback page. Otherwise,
+xfs end_page_writeback will panic as follows.
+
+ page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:ffff0003f88c86a8 index:0x0 pfn:0x84ef32
+ aops:xfs_address_space_operations [xfs] ino:30000b7 dentry name:"libtest.so"
+ flags: 0x57fffe0000008027(locked|referenced|uptodate|active|writeback)
+ raw: 57fffe0000008027 ffff80001b48bc28 ffff80001b48bc28 ffff0003f88c86a8
+ raw: 0000000000000000 0000000000000000 00000000ffffffff ffff0000c3e9a000
+ page dumped because: VM_BUG_ON_PAGE(((unsigned int) page_ref_count(page) + 127u <= 127u))
+ page->mem_cgroup:ffff0000c3e9a000
+ ------------[ cut here ]------------
+ kernel BUG at include/linux/mm.h:1212!
+ Internal error: Oops - BUG: 0 [#1] SMP
+ Modules linked in:
+ BUG: Bad page state in process khugepaged pfn:84ef32
+ xfs(E)
+ page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:0 index:0x0 pfn:0x84ef32
+ libcrc32c(E) rfkill(E) aes_ce_blk(E) crypto_simd(E) ...
+ CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Tainted: ...
+ pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
+ Call trace:
+ end_page_writeback+0x1c0/0x214
+ iomap_finish_page_writeback+0x13c/0x204
+ iomap_finish_ioend+0xe8/0x19c
+ iomap_writepage_end_bio+0x38/0x50
+ bio_endio+0x168/0x1ec
+ blk_update_request+0x278/0x3f0
+ blk_mq_end_request+0x34/0x15c
+ virtblk_request_done+0x38/0x74 [virtio_blk]
+ blk_done_softirq+0xc4/0x110
+ __do_softirq+0x128/0x38c
+ __irq_exit_rcu+0x118/0x150
+ irq_exit+0x1c/0x30
+ __handle_domain_irq+0x8c/0xf0
+ gic_handle_irq+0x84/0x108
+ el1_irq+0xcc/0x180
+ arch_cpu_idle+0x18/0x40
+ default_idle_call+0x4c/0x1a0
+ cpuidle_idle_call+0x168/0x1e0
+ do_idle+0xb4/0x104
+ cpu_startup_entry+0x30/0x9c
+ secondary_start_kernel+0x104/0x180
+ Code: d4210000 b0006161 910c8021 94013f4d (d4210000)
+ ---[ end trace 4a88c6a074082f8c ]---
+ Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt
+
+Link: https://lkml.kernel.org/r/20211022023052.33114-1-rongwei.wang@linux.alibaba.com
+Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS")
+Signed-off-by: Rongwei Wang <rongwei.wang@linux.alibaba.com>
+Signed-off-by: Xu Yu <xuyu@linux.alibaba.com>
+Suggested-by: Yang Shi <shy828301@gmail.com>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: Yang Shi <shy828301@gmail.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Song Liu <song@kernel.org>
+Cc: William Kucharski <william.kucharski@oracle.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/khugepaged.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -1758,6 +1758,10 @@ static void collapse_file(struct mm_stru
+ filemap_flush(mapping);
+ result = SCAN_FAIL;
+ goto xa_unlocked;
++ } else if (PageWriteback(page)) {
++ xas_unlock_irq(&xas);
++ result = SCAN_FAIL;
++ goto xa_unlocked;
+ } else if (trylock_page(page)) {
+ get_page(page);
+ xas_unlock_irq(&xas);
+@@ -1793,7 +1797,8 @@ static void collapse_file(struct mm_stru
+ goto out_unlock;
+ }
+
+- if (!is_shmem && PageDirty(page)) {
++ if (!is_shmem && (PageDirty(page) ||
++ PageWriteback(page))) {
+ /*
+ * khugepaged only works on read-only fd, so this
+ * page is dirty because it hasn't been flushed
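Review bot: The comment under the widened test in this second collapse_file() hunk still explains only the dirty case ("this page is dirty because it hasn't been flushed"), although the branch is now taken for pages under writeback too. I would extend it to say that a page still under writeback must not be collapsed because writeback completion will touch it afterwards. The `PageWriteback()` test in the first hunk runs before `trylock_page()`, so it is only an early-out and the re-check here appears to be the one that counts; a comment saying so would stop someone removing it as redundant. The comment and the branch body continue outside the hunk.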
--- /dev/null
+From 92b18252b91de567cd875f2e84722b10ab34ee28 Mon Sep 17 00:00:00 2001
+From: Wenbin Mei <wenbin.mei@mediatek.com>
+Date: Tue, 26 Oct 2021 15:08:12 +0800
+Subject: mmc: cqhci: clear HALT state after CQE enable
+
+From: Wenbin Mei <wenbin.mei@mediatek.com>
+
+commit 92b18252b91de567cd875f2e84722b10ab34ee28 upstream.
+
+While mmc0 enter suspend state, we need halt CQE to send legacy cmd(flush
+cache) and disable cqe, for resume back, we enable CQE and not clear HALT
+state.
+In this case MediaTek mmc host controller will keep the value for HALT
+state after CQE disable/enable flow, so the next CQE transfer after resume
+will be timeout due to CQE is in HALT state, the log as below:
+<4>.(4)[318:kworker/4:1H]mmc0: cqhci: timeout for tag 2
+<4>.(4)[318:kworker/4:1H]mmc0: cqhci: ============ CQHCI REGISTER DUMP ===========
+<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Caps: 0x100020b6 | Version: 0x00000510
+<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Config: 0x00001103 | Control: 0x00000001
+<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Int stat: 0x00000000 | Int enab: 0x00000006
+<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Int sig: 0x00000006 | Int Coal: 0x00000000
+<4>.(4)[318:kworker/4:1H]mmc0: cqhci: TDL base: 0xfd05f000 | TDL up32: 0x00000000
+<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Doorbell: 0x8000203c | TCN: 0x00000000
+<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Dev queue: 0x00000000 | Dev Pend: 0x00000000
+<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Task clr: 0x00000000 | SSC1: 0x00001000
+<4>.(4)[318:kworker/4:1H]mmc0: cqhci: SSC2: 0x00000001 | DCMD rsp: 0x00000000
+<4>.(4)[318:kworker/4:1H]mmc0: cqhci: RED mask: 0xfdf9a080 | TERRI: 0x00000000
+<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Resp idx: 0x00000000 | Resp arg: 0x00000000
+<4>.(4)[318:kworker/4:1H]mmc0: cqhci: CRNQP: 0x00000000 | CRNQDUN: 0x00000000
+<4>.(4)[318:kworker/4:1H]mmc0: cqhci: CRNQIS: 0x00000000 | CRNQIE: 0x00000000
+
+This change check HALT state after CQE enable, if CQE is in HALT state, we
+will clear it.
+
+Signed-off-by: Wenbin Mei <wenbin.mei@mediatek.com>
+Cc: stable@vger.kernel.org
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Fixes: a4080225f51d ("mmc: cqhci: support for command queue enabled host")
+Link: https://lore.kernel.org/r/20211026070812.9359-1-wenbin.mei@mediatek.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/cqhci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/host/cqhci.c
++++ b/drivers/mmc/host/cqhci.c
+@@ -273,6 +273,9 @@ static void __cqhci_enable(struct cqhci_
+
+ cqhci_writel(cq_host, cqcfg, CQHCI_CFG);
+
++ if (cqhci_readl(cq_host, CQHCI_CTL) & CQHCI_HALT)
++ cqhci_writel(cq_host, 0, CQHCI_CTL);
++
+ mmc->cqe_on = true;
+
+ if (cq_host->ops->enable)
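Review bot: The added `cqhci_writel(cq_host, 0, CQHCI_CTL)` in __cqhci_enable() clears the whole control register rather than just the HALT bit it tested. If only HALT is meant, a masked write says so and leaves any other control bit alone: `cqhci_writel(cq_host, cqhci_readl(cq_host, CQHCI_CTL) & ~CQHCI_HALT, CQHCI_CTL);`. A one-line comment noting that some controllers keep HALT set across a CQE disable/enable cycle would explain why the check exists. The function continues outside the hunk.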
--- /dev/null
+From 697542bceae51f7620af333b065dd09d213629fb Mon Sep 17 00:00:00 2001
+From: Jaehoon Chung <jh80.chung@samsung.com>
+Date: Fri, 22 Oct 2021 17:21:06 +0900
+Subject: mmc: dw_mmc: exynos: fix the finding clock sample value
+
+From: Jaehoon Chung <jh80.chung@samsung.com>
+
+commit 697542bceae51f7620af333b065dd09d213629fb upstream.
+
+Even though there are candiates value if can't find best value, it's
+returned -EIO. It's not proper behavior.
+If there is not best value, use a first candiate value to work eMMC.
+
+Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Tested-by: Christian Hewitt <christianshewitt@gmail.com>
+Cc: stable@vger.kernel.org
+Fixes: c537a1c5ff63 ("mmc: dw_mmc: exynos: add variable delay tuning sequence")
+Link: https://lore.kernel.org/r/20211022082106.1557-1-jh80.chung@samsung.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/dw_mmc-exynos.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/mmc/host/dw_mmc-exynos.c
++++ b/drivers/mmc/host/dw_mmc-exynos.c
+@@ -464,6 +464,18 @@ static s8 dw_mci_exynos_get_best_clksmpl
+ }
+ }
+
++ /*
++ * If there is no cadiates value, then it needs to return -EIO.
++ * If there are candiates values and don't find bset clk sample value,
++ * then use a first candiates clock sample value.
++ */
++ for (i = 0; i < iter; i++) {
++ __c = ror8(candiates, i);
++ if ((__c & 0x1) == 0x1) {
++ loc = i;
++ goto out;
++ }
++ }
+ out:
+ return loc;
+ }
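Review bot: The fallback loop added to dw_mci_exynos_get_best_clksmpl() ends in `goto out;` immediately above the `out:` label, where `break;` does the same thing without the jump. The comment above it has three misspellings ("cadiates", "candiates", "bset") and would be easier to follow as `/* No candidate at all: keep -EIO. Candidates but no best window: fall back to the first candidate. */`; this assumes `loc` starts as -EIO, which is set outside the hunk. `(__c & 0x1) == 0x1` can be written `__c & 0x1`. The warning added in the next hunk, "There is no candiates value about clksmpl!", would read better as `"no clock sample candidates found\n"`.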
+@@ -494,6 +506,8 @@ static int dw_mci_exynos_execute_tuning(
+ priv->tuned_sample = found;
+ } else {
+ ret = -EIO;
++ dev_warn(&mmc->class_dev,
++ "There is no candiates value about clksmpl!\n");
+ }
+
+ return ret;
--- /dev/null
+From e8a1ff65927080278e6826f797b7c197fb2611a6 Mon Sep 17 00:00:00 2001
+From: Wenbin Mei <wenbin.mei@mediatek.com>
+Date: Thu, 28 Oct 2021 10:20:49 +0800
+Subject: mmc: mediatek: Move cqhci init behind ungate clock
+
+From: Wenbin Mei <wenbin.mei@mediatek.com>
+
+commit e8a1ff65927080278e6826f797b7c197fb2611a6 upstream.
+
+We must enable clock before cqhci init, because crypto needs read
+information from CQHCI registers, otherwise, it will hang in MediaTek mmc
+host controller.
+
+Signed-off-by: Wenbin Mei <wenbin.mei@mediatek.com>
+Fixes: 88bd652b3c74 ("mmc: mediatek: command queue support")
+Cc: stable@vger.kernel.org
+Acked-by: Chaotian Jing <chaotian.jing@mediatek.com>
+Link: https://lore.kernel.org/r/20211028022049.22129-1-wenbin.mei@mediatek.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mtk-sd.c | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -2503,6 +2503,25 @@ static int msdc_drv_probe(struct platfor
+ host->dma_mask = DMA_BIT_MASK(32);
+ mmc_dev(mmc)->dma_mask = &host->dma_mask;
+
++ host->timeout_clks = 3 * 1048576;
++ host->dma.gpd = dma_alloc_coherent(&pdev->dev,
++ 2 * sizeof(struct mt_gpdma_desc),
++ &host->dma.gpd_addr, GFP_KERNEL);
++ host->dma.bd = dma_alloc_coherent(&pdev->dev,
++ MAX_BD_NUM * sizeof(struct mt_bdma_desc),
++ &host->dma.bd_addr, GFP_KERNEL);
++ if (!host->dma.gpd || !host->dma.bd) {
++ ret = -ENOMEM;
++ goto release_mem;
++ }
++ msdc_init_gpd_bd(host, &host->dma);
++ INIT_DELAYED_WORK(&host->req_timeout, msdc_request_timeout);
++ spin_lock_init(&host->lock);
++
++ platform_set_drvdata(pdev, mmc);
++ msdc_ungate_clock(host);
++ msdc_init_hw(host);
++
+ if (mmc->caps2 & MMC_CAP2_CQE) {
+ host->cq_host = devm_kzalloc(mmc->parent,
+ sizeof(*host->cq_host),
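Review bot: Moving the DMA descriptor allocation, `msdc_ungate_clock()` and `msdc_init_hw()` ahead of the `MMC_CAP2_CQE` block in msdc_drv_probe() changes what the CQE block's failure exits must undo. Those exits lie between the two hunks and are not visible here. If they still jump to a label that was correct when nothing had been allocated or ungated yet, a failed `devm_kzalloc()` or cqhci init would now leak both coherent buffers and leave the clock running. They should unwind through the same path the `-ENOMEM` case uses (`release_mem` here), plus whatever gates the clock again. A short comment above `msdc_ungate_clock(host)` stating that cqhci init reads controller registers and needs the clock would keep the ordering from being undone.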
+@@ -2523,25 +2542,6 @@ static int msdc_drv_probe(struct platfor
+ mmc->max_seg_size = 64 * 1024;
+ }
+
+- host->timeout_clks = 3 * 1048576;
+- host->dma.gpd = dma_alloc_coherent(&pdev->dev,
+- 2 * sizeof(struct mt_gpdma_desc),
+- &host->dma.gpd_addr, GFP_KERNEL);
+- host->dma.bd = dma_alloc_coherent(&pdev->dev,
+- MAX_BD_NUM * sizeof(struct mt_bdma_desc),
+- &host->dma.bd_addr, GFP_KERNEL);
+- if (!host->dma.gpd || !host->dma.bd) {
+- ret = -ENOMEM;
+- goto release_mem;
+- }
+- msdc_init_gpd_bd(host, &host->dma);
+- INIT_DELAYED_WORK(&host->req_timeout, msdc_request_timeout);
+- spin_lock_init(&host->lock);
+-
+- platform_set_drvdata(pdev, mmc);
+- msdc_ungate_clock(host);
+- msdc_init_hw(host);
+-
+ ret = devm_request_irq(&pdev->dev, host->irq, msdc_irq,
+ IRQF_TRIGGER_NONE, pdev->name, host);
+ if (ret)
--- /dev/null
+From 9af372dc70e9fdcbb70939dac75365e7b88580b4 Mon Sep 17 00:00:00 2001
+From: Haibo Chen <haibo.chen@nxp.com>
+Date: Fri, 15 Oct 2021 10:00:36 +0800
+Subject: mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+commit 9af372dc70e9fdcbb70939dac75365e7b88580b4 upstream.
+
+To reset standard tuning circuit completely, after clear ESDHC_MIX_CTRL_EXE_TUNE,
+also need to clear bit buffer_read_ready, this operation will finally clear the
+USDHC IP internal logic flag execute_tuning_with_clr_buf, make sure the following
+normal data transfer will not be impacted by standard tuning logic used before.
+
+Find this issue when do quick SD card insert/remove stress test. During standard
+tuning prodedure, if remove SD card, USDHC standard tuning logic can't clear the
+internal flag execute_tuning_with_clr_buf. Next time when insert SD card, all
+data related commands can't get any data related interrupts, include data transfer
+complete interrupt, data timeout interrupt, data CRC interrupt, data end bit interrupt.
+Always trigger software timeout issue. Even reset the USDHC through bits in register
+SYS_CTRL (0x2C, bit28 reset tuning, bit26 reset data, bit 25 reset command, bit 24
+reset all) can't recover this. From the user's point of view, USDHC stuck, SD can't
+be recognized any more.
+
+Fixes: d9370424c948 ("mmc: sdhci-esdhc-imx: reset tuning circuit when power on mmc card")
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/1634263236-6111-1-git-send-email-haibo.chen@nxp.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -1157,6 +1157,7 @@ static void esdhc_reset_tuning(struct sd
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct pltfm_imx_data *imx_data = sdhci_pltfm_priv(pltfm_host);
+ u32 ctrl;
++ int ret;
+
+ /* Reset the tuning circuit */
+ if (esdhc_is_usdhc(imx_data)) {
+@@ -1169,7 +1170,22 @@ static void esdhc_reset_tuning(struct sd
+ } else if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING) {
+ ctrl = readl(host->ioaddr + SDHCI_AUTO_CMD_STATUS);
+ ctrl &= ~ESDHC_MIX_CTRL_SMPCLK_SEL;
++ ctrl &= ~ESDHC_MIX_CTRL_EXE_TUNE;
+ writel(ctrl, host->ioaddr + SDHCI_AUTO_CMD_STATUS);
++ /* Make sure ESDHC_MIX_CTRL_EXE_TUNE cleared */
++ ret = readl_poll_timeout(host->ioaddr + SDHCI_AUTO_CMD_STATUS,
++ ctrl, !(ctrl & ESDHC_MIX_CTRL_EXE_TUNE), 1, 50);
++ if (ret == -ETIMEDOUT)
++ dev_warn(mmc_dev(host->mmc),
++ "Warning! clear execute tuning bit failed\n");
++ /*
++ * SDHCI_INT_DATA_AVAIL is W1C bit, set this bit will clear the
++ * usdhc IP internal logic flag execute_tuning_with_clr_buf, which
++ * will finally make sure the normal data transfer logic correct.
++ */
++ ctrl = readl(host->ioaddr + SDHCI_INT_STATUS);
++ ctrl |= SDHCI_INT_DATA_AVAIL;
++ writel(ctrl, host->ioaddr + SDHCI_INT_STATUS);
+ }
+ }
+ }
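Review bot: The read-modify-write of `SDHCI_INT_STATUS` at the end of the STD_TUNING branch writes back every status bit that happened to be set when the register was read. If the register is write-1-to-clear as a whole (the added comment says so for `SDHCI_INT_DATA_AVAIL`, and that is the usual SDHCI behaviour), any other pending interrupt status is acknowledged and lost together with it. Writing only the intended bit avoids that: `writel(SDHCI_INT_DATA_AVAIL, host->ioaddr + SDHCI_INT_STATUS);`. The timeout branch only warns and then still performs this write, so it is worth stating in the comment whether that is intended. esdhc_reset_tuning() begins outside the hunk.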
--- /dev/null
+From 4217d07b9fb328751f877d3bd9550122014860a2 Mon Sep 17 00:00:00 2001
+From: Shawn Guo <shawn.guo@linaro.org>
+Date: Mon, 4 Oct 2021 10:49:35 +0800
+Subject: mmc: sdhci: Map more voltage level to SDHCI_POWER_330
+
+From: Shawn Guo <shawn.guo@linaro.org>
+
+commit 4217d07b9fb328751f877d3bd9550122014860a2 upstream.
+
+On Thundercomm TurboX CM2290, the eMMC OCR reports vdd = 23 (3.5 ~ 3.6 V),
+which is being treated as an invalid value by sdhci_set_power_noreg().
+And thus eMMC is totally broken on the platform.
+
+[ 1.436599] ------------[ cut here ]------------
+[ 1.436606] mmc0: Invalid vdd 0x17
+[ 1.436640] WARNING: CPU: 2 PID: 69 at drivers/mmc/host/sdhci.c:2048 sdhci_set_power_noreg+0x168/0x2b4
+[ 1.436655] Modules linked in:
+[ 1.436662] CPU: 2 PID: 69 Comm: kworker/u8:1 Tainted: G W 5.15.0-rc1+ #137
+[ 1.436669] Hardware name: Thundercomm TurboX CM2290 (DT)
+[ 1.436674] Workqueue: events_unbound async_run_entry_fn
+[ 1.436685] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 1.436692] pc : sdhci_set_power_noreg+0x168/0x2b4
+[ 1.436698] lr : sdhci_set_power_noreg+0x168/0x2b4
+[ 1.436703] sp : ffff800010803a60
+[ 1.436705] x29: ffff800010803a60 x28: ffff6a9102465f00 x27: ffff6a9101720a70
+[ 1.436715] x26: ffff6a91014de1c0 x25: ffff6a91014de010 x24: ffff6a91016af280
+[ 1.436724] x23: ffffaf7b1b276640 x22: 0000000000000000 x21: ffff6a9101720000
+[ 1.436733] x20: ffff6a9101720370 x19: ffff6a9101720580 x18: 0000000000000020
+[ 1.436743] x17: 0000000000000000 x16: 0000000000000004 x15: ffffffffffffffff
+[ 1.436751] x14: 0000000000000000 x13: 00000000fffffffd x12: ffffaf7b1b84b0bc
+[ 1.436760] x11: ffffaf7b1b720d10 x10: 000000000000000a x9 : ffff800010803a60
+[ 1.436769] x8 : 000000000000000a x7 : 000000000000000f x6 : 00000000fffff159
+[ 1.436778] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000ffffffff
+[ 1.436787] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff6a9101718d80
+[ 1.436797] Call trace:
+[ 1.436800] sdhci_set_power_noreg+0x168/0x2b4
+[ 1.436805] sdhci_set_ios+0xa0/0x7fc
+[ 1.436811] mmc_power_up.part.0+0xc4/0x164
+[ 1.436818] mmc_start_host+0xa0/0xb0
+[ 1.436824] mmc_add_host+0x60/0x90
+[ 1.436830] __sdhci_add_host+0x174/0x330
+[ 1.436836] sdhci_msm_probe+0x7c0/0x920
+[ 1.436842] platform_probe+0x68/0xe0
+[ 1.436850] really_probe.part.0+0x9c/0x31c
+[ 1.436857] __driver_probe_device+0x98/0x144
+[ 1.436863] driver_probe_device+0xc8/0x15c
+[ 1.436869] __device_attach_driver+0xb4/0x120
+[ 1.436875] bus_for_each_drv+0x78/0xd0
+[ 1.436881] __device_attach_async_helper+0xac/0xd0
+[ 1.436888] async_run_entry_fn+0x34/0x110
+[ 1.436895] process_one_work+0x1d0/0x354
+[ 1.436903] worker_thread+0x13c/0x470
+[ 1.436910] kthread+0x150/0x160
+[ 1.436915] ret_from_fork+0x10/0x20
+[ 1.436923] ---[ end trace fcfac44cb045c3a8 ]---
+
+Fix the issue by mapping MMC_VDD_35_36 (and MMC_VDD_34_35) to
+SDHCI_POWER_330 as well.
+
+Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211004024935.15326-1-shawn.guo@linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -2043,6 +2043,12 @@ void sdhci_set_power_noreg(struct sdhci_
+ break;
+ case MMC_VDD_32_33:
+ case MMC_VDD_33_34:
++ /*
++ * 3.4 ~ 3.6V are valid only for those platforms where it's
++ * known that the voltage range is supported by hardware.
++ */
++ case MMC_VDD_34_35:
++ case MMC_VDD_35_36:
+ pwr = SDHCI_POWER_330;
+ break;
+ default:
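Review bot: The comment placed between the case labels says 3.4 ~ 3.6V is valid only on platforms known to support it, but the two added labels fall through to `pwr = SDHCI_POWER_330` unconditionally, so nothing in this switch enforces that. If the restriction is meant to be upheld by whoever supplies `vdd`, the comment should say so, e.g. `/* 3.4 ~ 3.6V is programmed as 3.3V; callers must only request it where the hardware supports that range. */`. The switch and sdhci_set_power_noreg() both extend beyond the hunk, so a check elsewhere in the function would not be visible here.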
--- /dev/null
+From 8c8171929116cc23f74743d99251eedadf62341a Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 13:56:08 +0200
+Subject: mmc: vub300: fix control-message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 8c8171929116cc23f74743d99251eedadf62341a upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
+Cc: stable@vger.kernel.org # 3.0
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211025115608.5287-1-johan@kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/vub300.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/mmc/host/vub300.c
++++ b/drivers/mmc/host/vub300.c
+@@ -576,7 +576,7 @@ static void check_vub300_port_status(str
+ GET_SYSTEM_PORT_STATUS,
+ USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 0x0000, 0x0000, &vub300->system_port_status,
+- sizeof(vub300->system_port_status), HZ);
++ sizeof(vub300->system_port_status), 1000);
+ if (sizeof(vub300->system_port_status) == retval)
+ new_system_port_status(vub300);
+ }
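Review bot: The timeout is now a bare `1000` here and in the eight other `usb_control_msg()` calls this commit touches (in __download_offload_pseudocode, __set_clock_speed, vub300_mmc_set_ios and vub300_probe). Nothing at the call site says the value is in milliseconds, which is the confusion the commit is correcting. A single driver-local constant, for example `#define VUB300_CTRL_TIMEOUT_MS 1000` (name illustrative), used in all nine places would keep the unit visible and let the value be tuned in one spot. check_vub300_port_status() starts outside the hunk.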
+@@ -1241,7 +1241,7 @@ static void __download_offload_pseudocod
+ SET_INTERRUPT_PSEUDOCODE,
+ USB_DIR_OUT | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, 0x0000, 0x0000,
+- xfer_buffer, xfer_length, HZ);
++ xfer_buffer, xfer_length, 1000);
+ kfree(xfer_buffer);
+ if (retval < 0)
+ goto copy_error_message;
+@@ -1284,7 +1284,7 @@ static void __download_offload_pseudocod
+ SET_TRANSFER_PSEUDOCODE,
+ USB_DIR_OUT | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, 0x0000, 0x0000,
+- xfer_buffer, xfer_length, HZ);
++ xfer_buffer, xfer_length, 1000);
+ kfree(xfer_buffer);
+ if (retval < 0)
+ goto copy_error_message;
+@@ -1991,7 +1991,7 @@ static void __set_clock_speed(struct vub
+ usb_control_msg(vub300->udev, usb_sndctrlpipe(vub300->udev, 0),
+ SET_CLOCK_SPEED,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+- 0x00, 0x00, buf, buf_array_size, HZ);
++ 0x00, 0x00, buf, buf_array_size, 1000);
+ if (retval != 8) {
+ dev_err(&vub300->udev->dev, "SET_CLOCK_SPEED"
+ " %dkHz failed with retval=%d\n", kHzClock, retval);
+@@ -2013,14 +2013,14 @@ static void vub300_mmc_set_ios(struct mm
+ usb_control_msg(vub300->udev, usb_sndctrlpipe(vub300->udev, 0),
+ SET_SD_POWER,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+- 0x0000, 0x0000, NULL, 0, HZ);
++ 0x0000, 0x0000, NULL, 0, 1000);
+ /* must wait for the VUB300 u-proc to boot up */
+ msleep(600);
+ } else if ((ios->power_mode == MMC_POWER_UP) && !vub300->card_powered) {
+ usb_control_msg(vub300->udev, usb_sndctrlpipe(vub300->udev, 0),
+ SET_SD_POWER,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+- 0x0001, 0x0000, NULL, 0, HZ);
++ 0x0001, 0x0000, NULL, 0, 1000);
+ msleep(600);
+ vub300->card_powered = 1;
+ } else if (ios->power_mode == MMC_POWER_ON) {
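Review bot: Both `SET_SD_POWER` requests in this hunk discard the return value of `usb_control_msg()`, and the power-up branch sets `vub300->card_powered = 1` whether or not the request reached the device. With the timeout now a fixed one second, a timed-out or rejected request still leaves the driver believing the card is powered. Capturing the result and reporting it, e.g. `if (retval < 0) dev_err(&vub300->udev->dev, "SET_SD_POWER failed: %d\n", retval);`, and setting `card_powered` only on success would make the state trustworthy. Whether a suitable local is already declared cannot be seen, because vub300_mmc_set_ios() starts and ends outside the hunk.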
+@@ -2275,14 +2275,14 @@ static int vub300_probe(struct usb_inter
+ GET_HC_INF0,
+ USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 0x0000, 0x0000, &vub300->hc_info,
+- sizeof(vub300->hc_info), HZ);
++ sizeof(vub300->hc_info), 1000);
+ if (retval < 0)
+ goto error5;
+ retval =
+ usb_control_msg(vub300->udev, usb_sndctrlpipe(vub300->udev, 0),
+ SET_ROM_WAIT_STATES,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+- firmware_rom_wait_states, 0x0000, NULL, 0, HZ);
++ firmware_rom_wait_states, 0x0000, NULL, 0, 1000);
+ if (retval < 0)
+ goto error5;
+ dev_info(&vub300->udev->dev,
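Review bot: The `GET_HC_INF0` read is accepted for any non-negative `retval`, so a device that answers with fewer bytes than `sizeof(vub300->hc_info)` passes the `if (retval < 0)` check with part of the structure never written by the device. The `GET_SYSTEM_PORT_STATUS` read in the next hunk already compares the result with the expected size. The same test belongs here: `if (retval != sizeof(vub300->hc_info))`, setting a negative error such as `-EIO` for the short-read case before `goto error5`. What `error5` returns is outside the hunk, as are the start and end of vub300_probe().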
+@@ -2297,7 +2297,7 @@ static int vub300_probe(struct usb_inter
+ GET_SYSTEM_PORT_STATUS,
+ USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 0x0000, 0x0000, &vub300->system_port_status,
+- sizeof(vub300->system_port_status), HZ);
++ sizeof(vub300->system_port_status), 1000);
+ if (retval < 0) {
+ goto error4;
+ } else if (sizeof(vub300->system_port_status) == retval) {
--- /dev/null
+From db6c3c064f5d55fa9969f33eafca3cdbefbb3541 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 26 Oct 2021 12:36:17 +0200
+Subject: net: lan78xx: fix division by zero in send path
+
+From: Johan Hovold <johan@kernel.org>
+
+commit db6c3c064f5d55fa9969f33eafca3cdbefbb3541 upstream.
+
+Add the missing endpoint max-packet sanity check to probe() to avoid
+division by zero in lan78xx_tx_bh() in case a malicious device has
+broken descriptors (or when doing descriptor fuzz testing).
+
+Note that USB core will reject URBs submitted for endpoints with zero
+wMaxPacketSize but that drivers doing packet-size calculations still
+need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
+endpoint descriptors with maxpacket=0")).
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Cc: stable@vger.kernel.org # 4.3
+Cc: Woojung.Huh@microchip.com <Woojung.Huh@microchip.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/lan78xx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3745,6 +3745,12 @@ static int lan78xx_probe(struct usb_inte
+
+ dev->maxpacket = usb_maxpacket(dev->udev, dev->pipe_out, 1);
+
++ /* Reject broken descriptors. */
++ if (dev->maxpacket == 0) {
++ ret = -ENODEV;
++ goto out4;
++ }
++
+ /* driver requires remote-wakeup capability during autosuspend. */
+ intf->needs_remote_wakeup = 1;
+
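Review bot: The new `dev->maxpacket == 0` branch fails the probe with `-ENODEV` without logging anything, so a device rejected for a malformed descriptor leaves no trace for whoever investigates why the interface never appeared. A single line before the `goto` would record it: `dev_err(&intf->dev, "bulk-out endpoint reports zero max packet size\n");`. The `out4` label and the rest of lan78xx_probe() are outside the hunk, so whether that label unwinds everything acquired before this point cannot be confirmed from here.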
--- /dev/null
+From 25e1f67eda4a19c91dc05c84d6d413c53efb447b Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Sun, 24 Oct 2021 10:43:31 +0300
+Subject: nvme-tcp: fix H2CData PDU send accounting (again)
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit 25e1f67eda4a19c91dc05c84d6d413c53efb447b upstream.
+
+We should not access request members after the last send, even to
+determine if indeed it was the last data payload send. The reason is
+that a completion could have arrived and trigger a new execution of the
+request which overridden these members. This was fixed by commit
+825619b09ad3 ("nvme-tcp: fix possible use-after-completion").
+
+Commit e371af033c56 broke that assumption again to address cases where
+multiple r2t pdus are sent per request. To fix it, we need to record the
+request data_sent and data_len and after the payload network send we
+reference these counters to determine weather we should advance the
+request iterator.
+
+Fixes: e371af033c56 ("nvme-tcp: fix incorrect h2cdata pdu offset accounting")
+Reported-by: Keith Busch <kbusch@kernel.org>
+Cc: stable@vger.kernel.org # 5.10+
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/tcp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -910,12 +910,14 @@ static void nvme_tcp_fail_request(struct
+ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req)
+ {
+ struct nvme_tcp_queue *queue = req->queue;
++ int req_data_len = req->data_len;
+
+ while (true) {
+ struct page *page = nvme_tcp_req_cur_page(req);
+ size_t offset = nvme_tcp_req_cur_offset(req);
+ size_t len = nvme_tcp_req_cur_length(req);
+ bool last = nvme_tcp_pdu_last_send(req, len);
++ int req_data_sent = req->data_sent;
+ int ret, flags = MSG_DONTWAIT;
+
+ if (last && !queue->data_digest && !nvme_tcp_queue_more(queue))
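Review bot: The two snapshots, `int req_data_len = req->data_len;` here and `int req_data_sent = req->data_sent;` inside the loop, are declared as `int`, while the fields they copy are declared outside this page and may be unsigned or wider. If so, the rewritten test `req_data_sent + ret < req_data_len` in the second hunk is no longer evaluated in the same type as the expression it replaces. Declaring each local with the exact type of its field would keep the comparison identical to the original apart from the point at which the values are read. A short comment on the declarations, such as `/* snapshot before the send: req may be reused once it completes */`, would also stop a later cleanup from folding them back into direct field reads. nvme_tcp_try_send_data() continues past both hunks.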
+@@ -942,7 +944,7 @@ static int nvme_tcp_try_send_data(struct
+ * in the request where we don't want to modify it as we may
+ * compete with the RX path completing the request.
+ */
+- if (req->data_sent + ret < req->data_len)
++ if (req_data_sent + ret < req_data_len)
+ nvme_tcp_advance_req(req, ret);
+
+ /* fully successful last send in current PDU */
--- /dev/null
+From 6f1b228529ae49b0f85ab89bcdb6c365df401558 Mon Sep 17 00:00:00 2001
+From: Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>
+Date: Thu, 28 Oct 2021 14:36:17 -0700
+Subject: ocfs2: fix race between searching chunks and release journal_head from buffer_head
+
+From: Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>
+
+commit 6f1b228529ae49b0f85ab89bcdb6c365df401558 upstream.
+
+Encountered a race between ocfs2_test_bg_bit_allocatable() and
+jbd2_journal_put_journal_head() resulting in the below vmcore.
+
+ PID: 106879 TASK: ffff880244ba9c00 CPU: 2 COMMAND: "loop3"
+ Call trace:
+ panic
+ oops_end
+ no_context
+ __bad_area_nosemaphore
+ bad_area_nosemaphore
+ __do_page_fault
+ do_page_fault
+ page_fault
+ [exception RIP: ocfs2_block_group_find_clear_bits+316]
+ ocfs2_block_group_find_clear_bits [ocfs2]
+ ocfs2_cluster_group_search [ocfs2]
+ ocfs2_search_chain [ocfs2]
+ ocfs2_claim_suballoc_bits [ocfs2]
+ __ocfs2_claim_clusters [ocfs2]
+ ocfs2_claim_clusters [ocfs2]
+ ocfs2_local_alloc_slide_window [ocfs2]
+ ocfs2_reserve_local_alloc_bits [ocfs2]
+ ocfs2_reserve_clusters_with_limit [ocfs2]
+ ocfs2_reserve_clusters [ocfs2]
+ ocfs2_lock_refcount_allocators [ocfs2]
+ ocfs2_make_clusters_writable [ocfs2]
+ ocfs2_replace_cow [ocfs2]
+ ocfs2_refcount_cow [ocfs2]
+ ocfs2_file_write_iter [ocfs2]
+ lo_rw_aio
+ loop_queue_work
+ kthread_worker_fn
+ kthread
+ ret_from_fork
+
+When ocfs2_test_bg_bit_allocatable() called bh2jh(bg_bh), the
+bg_bh->b_private NULL as jbd2_journal_put_journal_head() raced and
+released the jounal head from the buffer head. Needed to take bit lock
+for the bit 'BH_JournalHead' to fix this race.
+
+Link: https://lkml.kernel.org/r/1634820718-6043-1-git-send-email-gautham.ananthakrishna@oracle.com
+Signed-off-by: Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: <rajesh.sivaramasubramaniom@oracle.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/suballoc.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+--- a/fs/ocfs2/suballoc.c
++++ b/fs/ocfs2/suballoc.c
+@@ -1253,7 +1253,7 @@ static int ocfs2_test_bg_bit_allocatable
+ {
+ struct ocfs2_group_desc *bg = (struct ocfs2_group_desc *) bg_bh->b_data;
+ struct journal_head *jh;
+- int ret;
++ int ret = 1;
+
+ if (ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap))
+ return 0;
+@@ -1261,14 +1261,18 @@ static int ocfs2_test_bg_bit_allocatable
+ if (!buffer_jbd(bg_bh))
+ return 1;
+
+- jh = bh2jh(bg_bh);
+- spin_lock(&jh->b_state_lock);
+- bg = (struct ocfs2_group_desc *) jh->b_committed_data;
+- if (bg)
+- ret = !ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap);
+- else
+- ret = 1;
+- spin_unlock(&jh->b_state_lock);
++ jbd_lock_bh_journal_head(bg_bh);
++ if (buffer_jbd(bg_bh)) {
++ jh = bh2jh(bg_bh);
++ spin_lock(&jh->b_state_lock);
++ bg = (struct ocfs2_group_desc *) jh->b_committed_data;
++ if (bg)
++ ret = !ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap);
++ else
++ ret = 1;
++ spin_unlock(&jh->b_state_lock);
++ }
++ jbd_unlock_bh_journal_head(bg_bh);
+
+ return ret;
+ }
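Review bot: Taking `spin_lock(&jh->b_state_lock)` while `jbd_lock_bh_journal_head(bg_bh)` is held nests the two locks. As far as I recall jbd2's lock-ranking comment, which is not on this page and should be confirmed, the journal-head bit lock is the innermost lock there, so a jbd2 path that holds `b_state_lock` and then releases the journal head could deadlock against this function. Pinning the journal head with a reference, rather than holding the bit lock across the spinlock, closes the same race without the nesting. jbd2 provides `jbd2_journal_grab_journal_head()` and `jbd2_journal_put_journal_head()` for that, though whether the former is exported to modules in this tree needs checking. The inner `else ret = 1;` is also redundant now that `ret` is initialised to 1.

```c
	/* … unchanged: bitmap test and early return when the bit is set … */

	/* Hold a reference so the journal head cannot be released under us. */
	jh = jbd2_journal_grab_journal_head(bg_bh);
	if (!jh)
		return 1;

	spin_lock(&jh->b_state_lock);
	/* … unchanged: test nr against jh->b_committed_data, if present … */
	spin_unlock(&jh->b_state_lock);
	jbd2_journal_put_journal_head(jh);

	return ret;
```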
nfc-port100-fix-using-errno-as-command-type-mask.patch
revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch
+mmc-vub300-fix-control-message-timeouts.patch
+mmc-cqhci-clear-halt-state-after-cqe-enable.patch
+mmc-mediatek-move-cqhci-init-behind-ungate-clock.patch
+mmc-dw_mmc-exynos-fix-the-finding-clock-sample-value.patch
+mmc-sdhci-map-more-voltage-level-to-sdhci_power_330.patch
+mmc-sdhci-esdhc-imx-clear-the-buffer_read_ready-to-reset-standard-tuning-circuit.patch
+ocfs2-fix-race-between-searching-chunks-and-release-journal_head-from-buffer_head.patch
+nvme-tcp-fix-h2cdata-pdu-send-accounting-again.patch
+cfg80211-scan-fix-rcu-in-cfg80211_add_nontrans_list.patch
+cfg80211-fix-management-registrations-locking.patch
+net-lan78xx-fix-division-by-zero-in-send-path.patch
+mm-filemap-check-if-thp-has-hwpoisoned-subpage-for-pmd-page-fault.patch
+mm-thp-bail-out-early-in-collapse_file-for-writeback-page.patch
+drm-ttm-fix-memleak-in-ttm_transfered_destroy.patch
+drm-amdgpu-fix-out-of-bounds-write.patch