From 45a8d69962d66ce5eaced52b1070a410de1516e4 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 24 Sep 2021 07:43:40 -0400 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...-uaf-by-deleteing-timer-in-blk_throt.patch | 39 ++++ ...dep-warning-while-mounting-sprout-fs.patch | 170 ++++++++++++++++ ...otations-for-try_nonblocking_invalid.patch | 33 ++++ ...caps-before-updating-the-mtime-in-ce.patch | 108 ++++++++++ queue-5.4/dmaengine-ioat-depends-on-uml.patch | 39 ++++ ...sprd-add-missing-module_device_table.patch | 38 ++++ ...x_dma-set-dma-mask-for-coherent-apis.patch | 50 +++++ ...heinfo-get-rid-of-define_smp_call_ca.patch | 187 ++++++++++++++++++ ...op-selecting-non-existing-hardlockup.patch | 49 +++++ ...y-leak-in-nilfs_sysfs_create_-name-_.patch | 42 ++++ ...y-leak-in-nilfs_sysfs_create_device_.patch | 97 +++++++++ ...y-leak-in-nilfs_sysfs_create_snapsho.patch | 43 ++++ ...y-leak-in-nilfs_sysfs_delete_-name-_.patch | 40 ++++ ...y-leak-in-nilfs_sysfs_delete_snapsho.patch | 40 ++++ ...pointer-in-nilfs_-name-_attr_release.patch | 49 +++++ ...dev_is_behind_card_dino-to-where-it-.patch | 64 ++++++ ...-modify-hw-state-in-.remove-callback.patch | 56 ++++++ ...-t-modify-hw-state-in-.remove-callba.patch | 53 +++++ ...-t-modify-hw-state-in-.remove-callba.patch | 41 ++++ queue-5.4/rtc-rx8010-select-regmap_i2c.patch | 35 ++++ queue-5.4/series | 21 ++ ...-thermal_cooling_device_register-pro.patch | 58 ++++++ 22 files changed, 1352 insertions(+) create mode 100644 queue-5.4/blk-throttle-fix-uaf-by-deleteing-timer-in-blk_throt.patch create mode 100644 queue-5.4/btrfs-fix-lockdep-warning-while-mounting-sprout-fs.patch create mode 100644 queue-5.4/ceph-lockdep-annotations-for-try_nonblocking_invalid.patch create mode 100644 queue-5.4/ceph-request-fw-caps-before-updating-the-mtime-in-ce.patch create mode 100644 queue-5.4/dmaengine-ioat-depends-on-uml.patch create mode 100644 queue-5.4/dmaengine-sprd-add-missing-module_device_table.patch create mode 100644 queue-5.4/dmaengine-xilinx_dma-set-dma-mask-for-coherent-apis.patch create mode 100644 queue-5.4/drivers-base-cacheinfo-get-rid-of-define_smp_call_ca.patch create mode 100644 queue-5.4/kconfig.debug-drop-selecting-non-existing-hardlockup.patch create mode 100644 queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_-name-_.patch create mode 100644 queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_device_.patch create mode 100644 queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_snapsho.patch create mode 100644 queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_-name-_.patch create mode 100644 queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_snapsho.patch create mode 100644 queue-5.4/nilfs2-fix-null-pointer-in-nilfs_-name-_attr_release.patch create mode 100644 queue-5.4/parisc-move-pci_dev_is_behind_card_dino-to-where-it-.patch create mode 100644 queue-5.4/pwm-img-don-t-modify-hw-state-in-.remove-callback.patch create mode 100644 queue-5.4/pwm-rockchip-don-t-modify-hw-state-in-.remove-callba.patch create mode 100644 queue-5.4/pwm-stm32-lp-don-t-modify-hw-state-in-.remove-callba.patch create mode 100644 queue-5.4/rtc-rx8010-select-regmap_i2c.patch create mode 100644 queue-5.4/thermal-core-fix-thermal_cooling_device_register-pro.patch diff --git a/queue-5.4/blk-throttle-fix-uaf-by-deleteing-timer-in-blk_throt.patch b/queue-5.4/blk-throttle-fix-uaf-by-deleteing-timer-in-blk_throt.patch new file mode 100644 index 00000000000..2beb9cae857 --- /dev/null +++ b/queue-5.4/blk-throttle-fix-uaf-by-deleteing-timer-in-blk_throt.patch @@ -0,0 +1,39 @@ +From abda0e9b7ec7d3bfae53364e9df85df4edf87974 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:12:42 +0800 +Subject: blk-throttle: fix UAF by deleteing timer in blk_throtl_exit() + +From: Li Jinlin + +[ Upstream commit 884f0e84f1e3195b801319c8ec3d5774e9bf2710 ] + +The pending timer has been set up in blk_throtl_init(). However, the +timer is not deleted in blk_throtl_exit(). This means that the timer +handler may still be running after freeing the timer, which would +result in a use-after-free. + +Fix by calling del_timer_sync() to delete the timer in blk_throtl_exit(). + +Signed-off-by: Li Jinlin +Link: https://lore.kernel.org/r/20210907121242.2885564-1-lijinlin3@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-throttle.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/block/blk-throttle.c b/block/blk-throttle.c +index 18f773e52dfb..bd870f9ae458 100644 +--- a/block/blk-throttle.c ++++ b/block/blk-throttle.c +@@ -2414,6 +2414,7 @@ int blk_throtl_init(struct request_queue *q) + void blk_throtl_exit(struct request_queue *q) + { + BUG_ON(!q->td); ++ del_timer_sync(&q->td->service_queue.pending_timer); + throtl_shutdown_wq(q); + blkcg_deactivate_policy(q, &blkcg_policy_throtl); + free_percpu(q->td->latency_buckets[READ]); +-- +2.33.0 + diff --git a/queue-5.4/btrfs-fix-lockdep-warning-while-mounting-sprout-fs.patch b/queue-5.4/btrfs-fix-lockdep-warning-while-mounting-sprout-fs.patch new file mode 100644 index 00000000000..b36f8441dd9 --- /dev/null +++ b/queue-5.4/btrfs-fix-lockdep-warning-while-mounting-sprout-fs.patch @@ -0,0 +1,170 @@ +From 49b375f17d46f42ef1be3a32fdb6fa54f757ef60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Aug 2021 09:21:28 +0800 +Subject: btrfs: fix lockdep warning while mounting sprout fs + +From: Anand Jain + +[ Upstream commit c124706900c20dee70f921bb3a90492431561a0a ] + +Following test case reproduces lockdep warning. + + Test case: + + $ mkfs.btrfs -f + $ btrfstune -S 1 + $ mount + $ btrfs device add -f + $ umount + $ mount + $ umount + +The warning claims a possible ABBA deadlock between the threads +initiated by [#1] btrfs device add and [#0] the mount. + + [ 540.743122] WARNING: possible circular locking dependency detected + [ 540.743129] 5.11.0-rc7+ #5 Not tainted + [ 540.743135] ------------------------------------------------------ + [ 540.743142] mount/2515 is trying to acquire lock: + [ 540.743149] ffffa0c5544c2ce0 (&fs_devs->device_list_mutex){+.+.}-{4:4}, at: clone_fs_devices+0x6d/0x210 [btrfs] + [ 540.743458] but task is already holding lock: + [ 540.743461] ffffa0c54a7932b8 (btrfs-chunk-00){++++}-{4:4}, at: __btrfs_tree_read_lock+0x32/0x200 [btrfs] + [ 540.743541] which lock already depends on the new lock. + [ 540.743543] the existing dependency chain (in reverse order) is: + + [ 540.743546] -> #1 (btrfs-chunk-00){++++}-{4:4}: + [ 540.743566] down_read_nested+0x48/0x2b0 + [ 540.743585] __btrfs_tree_read_lock+0x32/0x200 [btrfs] + [ 540.743650] btrfs_read_lock_root_node+0x70/0x200 [btrfs] + [ 540.743733] btrfs_search_slot+0x6c6/0xe00 [btrfs] + [ 540.743785] btrfs_update_device+0x83/0x260 [btrfs] + [ 540.743849] btrfs_finish_chunk_alloc+0x13f/0x660 [btrfs] <--- device_list_mutex + [ 540.743911] btrfs_create_pending_block_groups+0x18d/0x3f0 [btrfs] + [ 540.743982] btrfs_commit_transaction+0x86/0x1260 [btrfs] + [ 540.744037] btrfs_init_new_device+0x1600/0x1dd0 [btrfs] + [ 540.744101] btrfs_ioctl+0x1c77/0x24c0 [btrfs] + [ 540.744166] __x64_sys_ioctl+0xe4/0x140 + [ 540.744170] do_syscall_64+0x4b/0x80 + [ 540.744174] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + [ 540.744180] -> #0 (&fs_devs->device_list_mutex){+.+.}-{4:4}: + [ 540.744184] __lock_acquire+0x155f/0x2360 + [ 540.744188] lock_acquire+0x10b/0x5c0 + [ 540.744190] __mutex_lock+0xb1/0xf80 + [ 540.744193] mutex_lock_nested+0x27/0x30 + [ 540.744196] clone_fs_devices+0x6d/0x210 [btrfs] + [ 540.744270] btrfs_read_chunk_tree+0x3c7/0xbb0 [btrfs] + [ 540.744336] open_ctree+0xf6e/0x2074 [btrfs] + [ 540.744406] btrfs_mount_root.cold.72+0x16/0x127 [btrfs] + [ 540.744472] legacy_get_tree+0x38/0x90 + [ 540.744475] vfs_get_tree+0x30/0x140 + [ 540.744478] fc_mount+0x16/0x60 + [ 540.744482] vfs_kern_mount+0x91/0x100 + [ 540.744484] btrfs_mount+0x1e6/0x670 [btrfs] + [ 540.744536] legacy_get_tree+0x38/0x90 + [ 540.744537] vfs_get_tree+0x30/0x140 + [ 540.744539] path_mount+0x8d8/0x1070 + [ 540.744541] do_mount+0x8d/0xc0 + [ 540.744543] __x64_sys_mount+0x125/0x160 + [ 540.744545] do_syscall_64+0x4b/0x80 + [ 540.744547] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + [ 540.744551] other info that might help us debug this: + [ 540.744552] Possible unsafe locking scenario: + + [ 540.744553] CPU0 CPU1 + [ 540.744554] ---- ---- + [ 540.744555] lock(btrfs-chunk-00); + [ 540.744557] lock(&fs_devs->device_list_mutex); + [ 540.744560] lock(btrfs-chunk-00); + [ 540.744562] lock(&fs_devs->device_list_mutex); + [ 540.744564] + *** DEADLOCK *** + + [ 540.744565] 3 locks held by mount/2515: + [ 540.744567] #0: ffffa0c56bf7a0e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.isra.16+0xdf/0x450 + [ 540.744574] #1: ffffffffc05a9628 (uuid_mutex){+.+.}-{4:4}, at: btrfs_read_chunk_tree+0x63/0xbb0 [btrfs] + [ 540.744640] #2: ffffa0c54a7932b8 (btrfs-chunk-00){++++}-{4:4}, at: __btrfs_tree_read_lock+0x32/0x200 [btrfs] + [ 540.744708] + stack backtrace: + [ 540.744712] CPU: 2 PID: 2515 Comm: mount Not tainted 5.11.0-rc7+ #5 + +But the device_list_mutex in clone_fs_devices() is redundant, as +explained below. Two threads [1] and [2] (below) could lead to +clone_fs_device(). + + [1] + open_ctree <== mount sprout fs + btrfs_read_chunk_tree() + mutex_lock(&uuid_mutex) <== global lock + read_one_dev() + open_seed_devices() + clone_fs_devices() <== seed fs_devices + mutex_lock(&orig->device_list_mutex) <== seed fs_devices + + [2] + btrfs_init_new_device() <== sprouting + mutex_lock(&uuid_mutex); <== global lock + btrfs_prepare_sprout() + lockdep_assert_held(&uuid_mutex) + clone_fs_devices(seed_fs_device) <== seed fs_devices + +Both of these threads hold uuid_mutex which is sufficient to protect +getting the seed device(s) freed while we are trying to clone it for +sprouting [2] or mounting a sprout [1] (as above). A mounted seed device +can not free/write/replace because it is read-only. An unmounted seed +device can be freed by btrfs_free_stale_devices(), but it needs +uuid_mutex. So this patch removes the unnecessary device_list_mutex in +clone_fs_devices(). And adds a lockdep_assert_held(&uuid_mutex) in +clone_fs_devices(). + +Reported-by: Su Yue +Tested-by: Su Yue +Signed-off-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 8deee49a6b3f..f302bbb93f32 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -742,6 +742,8 @@ static int btrfs_free_stale_devices(const char *path, + struct btrfs_device *device, *tmp_device; + int ret = 0; + ++ lockdep_assert_held(&uuid_mutex); ++ + if (path) + ret = -ENOENT; + +@@ -1181,11 +1183,12 @@ static struct btrfs_fs_devices *clone_fs_devices(struct btrfs_fs_devices *orig) + struct btrfs_device *orig_dev; + int ret = 0; + ++ lockdep_assert_held(&uuid_mutex); ++ + fs_devices = alloc_fs_devices(orig->fsid, NULL); + if (IS_ERR(fs_devices)) + return fs_devices; + +- mutex_lock(&orig->device_list_mutex); + fs_devices->total_devices = orig->total_devices; + + list_for_each_entry(orig_dev, &orig->devices, dev_list) { +@@ -1217,10 +1220,8 @@ static struct btrfs_fs_devices *clone_fs_devices(struct btrfs_fs_devices *orig) + device->fs_devices = fs_devices; + fs_devices->num_devices++; + } +- mutex_unlock(&orig->device_list_mutex); + return fs_devices; + error: +- mutex_unlock(&orig->device_list_mutex); + free_fs_devices(fs_devices); + return ERR_PTR(ret); + } +-- +2.33.0 + diff --git a/queue-5.4/ceph-lockdep-annotations-for-try_nonblocking_invalid.patch b/queue-5.4/ceph-lockdep-annotations-for-try_nonblocking_invalid.patch new file mode 100644 index 00000000000..102e3b5ef2a --- /dev/null +++ b/queue-5.4/ceph-lockdep-annotations-for-try_nonblocking_invalid.patch @@ -0,0 +1,33 @@ +From db4b91003a3c45ebafb364a9a3ab0e7923232878 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 08:31:03 -0400 +Subject: ceph: lockdep annotations for try_nonblocking_invalidate + +From: Jeff Layton + +[ Upstream commit 3eaf5aa1cfa8c97c72f5824e2e9263d6cc977b03 ] + +Signed-off-by: Jeff Layton +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/caps.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index a49bf1fbaea8..0fad044a5752 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -1775,6 +1775,8 @@ static u64 __mark_caps_flushing(struct inode *inode, + * try to invalidate mapping pages without blocking. + */ + static int try_nonblocking_invalidate(struct inode *inode) ++ __releases(ci->i_ceph_lock) ++ __acquires(ci->i_ceph_lock) + { + struct ceph_inode_info *ci = ceph_inode(inode); + u32 invalidating_gen = ci->i_rdcache_gen; +-- +2.33.0 + diff --git a/queue-5.4/ceph-request-fw-caps-before-updating-the-mtime-in-ce.patch b/queue-5.4/ceph-request-fw-caps-before-updating-the-mtime-in-ce.patch new file mode 100644 index 00000000000..2932cdfe22b --- /dev/null +++ b/queue-5.4/ceph-request-fw-caps-before-updating-the-mtime-in-ce.patch @@ -0,0 +1,108 @@ +From 28e04fb660c209d51c78b0caf1bc827df6ba15eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Aug 2021 06:40:42 -0400 +Subject: ceph: request Fw caps before updating the mtime in ceph_write_iter +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jeff Layton + +[ Upstream commit b11ed50346683a749632ea664959b28d524d7395 ] + +The current code will update the mtime and then try to get caps to +handle the write. If we end up having to request caps from the MDS, then +the mtime in the cap grant will clobber the updated mtime and it'll be +lost. + +This is most noticable when two clients are alternately writing to the +same file. Fw caps are continually being granted and revoked, and the +mtime ends up stuck because the updated mtimes are always being +overwritten with the old one. + +Fix this by changing the order of operations in ceph_write_iter to get +the caps before updating the times. Also, make sure we check the pool +full conditions before even getting any caps or uninlining. + +URL: https://tracker.ceph.com/issues/46574 +Reported-by: Jozef Kováč +Signed-off-by: Jeff Layton +Reviewed-by: Xiubo Li +Reviewed-by: Luis Henriques +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/file.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/fs/ceph/file.c b/fs/ceph/file.c +index a10711a6337a..34785a203461 100644 +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -1469,32 +1469,26 @@ retry_snap: + goto out; + } + +- err = file_remove_privs(file); +- if (err) ++ down_read(&osdc->lock); ++ map_flags = osdc->osdmap->flags; ++ pool_flags = ceph_pg_pool_flags(osdc->osdmap, ci->i_layout.pool_id); ++ up_read(&osdc->lock); ++ if ((map_flags & CEPH_OSDMAP_FULL) || ++ (pool_flags & CEPH_POOL_FLAG_FULL)) { ++ err = -ENOSPC; + goto out; ++ } + +- err = file_update_time(file); ++ err = file_remove_privs(file); + if (err) + goto out; + +- inode_inc_iversion_raw(inode); +- + if (ci->i_inline_version != CEPH_INLINE_NONE) { + err = ceph_uninline_data(file, NULL); + if (err < 0) + goto out; + } + +- down_read(&osdc->lock); +- map_flags = osdc->osdmap->flags; +- pool_flags = ceph_pg_pool_flags(osdc->osdmap, ci->i_layout.pool_id); +- up_read(&osdc->lock); +- if ((map_flags & CEPH_OSDMAP_FULL) || +- (pool_flags & CEPH_POOL_FLAG_FULL)) { +- err = -ENOSPC; +- goto out; +- } +- + dout("aio_write %p %llx.%llx %llu~%zd getting caps. i_size %llu\n", + inode, ceph_vinop(inode), pos, count, i_size_read(inode)); + if (fi->fmode & CEPH_FILE_MODE_LAZY) +@@ -1507,6 +1501,12 @@ retry_snap: + if (err < 0) + goto out; + ++ err = file_update_time(file); ++ if (err) ++ goto out_caps; ++ ++ inode_inc_iversion_raw(inode); ++ + dout("aio_write %p %llx.%llx %llu~%zd got cap refs on %s\n", + inode, ceph_vinop(inode), pos, count, ceph_cap_string(got)); + +@@ -1590,6 +1590,8 @@ retry_snap: + } + + goto out_unlocked; ++out_caps: ++ ceph_put_cap_refs(ci, got); + out: + if (direct_lock) + ceph_end_io_direct(inode); +-- +2.33.0 + diff --git a/queue-5.4/dmaengine-ioat-depends-on-uml.patch b/queue-5.4/dmaengine-ioat-depends-on-uml.patch new file mode 100644 index 00000000000..e43cc1a44e2 --- /dev/null +++ b/queue-5.4/dmaengine-ioat-depends-on-uml.patch @@ -0,0 +1,39 @@ +From 037d3e0d18fadd64b02287e86fb7b3b79d19182e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 11:24:09 +0200 +Subject: dmaengine: ioat: depends on !UML + +From: Johannes Berg + +[ Upstream commit bbac7a92a46f0876e588722ebe552ddfe6fd790f ] + +Now that UML has PCI support, this driver must depend also on +!UML since it pokes at X86_64 architecture internals that don't +exist on ARCH=um. + +Reported-by: Geert Uytterhoeven +Signed-off-by: Johannes Berg +Acked-by: Dave Jiang +Link: https://lore.kernel.org/r/20210809112409.a3a0974874d2.I2ffe3d11ed37f735da2f39884a74c953b258b995@changeid +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/Kconfig b/drivers/dma/Kconfig +index a32d0d715247..1322461f1f3c 100644 +--- a/drivers/dma/Kconfig ++++ b/drivers/dma/Kconfig +@@ -276,7 +276,7 @@ config INTEL_IDMA64 + + config INTEL_IOATDMA + tristate "Intel I/OAT DMA support" +- depends on PCI && X86_64 ++ depends on PCI && X86_64 && !UML + select DMA_ENGINE + select DMA_ENGINE_RAID + select DCA +-- +2.33.0 + diff --git a/queue-5.4/dmaengine-sprd-add-missing-module_device_table.patch b/queue-5.4/dmaengine-sprd-add-missing-module_device_table.patch new file mode 100644 index 00000000000..27ea38c9a18 --- /dev/null +++ b/queue-5.4/dmaengine-sprd-add-missing-module_device_table.patch @@ -0,0 +1,38 @@ +From e6147b89d6180c1b9679144fabcfedbeb8c12c4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 10:22:57 +0800 +Subject: dmaengine: sprd: Add missing MODULE_DEVICE_TABLE + +From: Zou Wei + +[ Upstream commit 4faee8b65ec32346f8096e64c5fa1d5a73121742 ] + +This patch adds missing MODULE_DEVICE_TABLE definition which generates +correct modalias for automatic loading of this driver when it is built +as an external module. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Reviewed-by: Baolin Wang +Link: https://lore.kernel.org/r/1620094977-70146-1-git-send-email-zou_wei@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/sprd-dma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c +index 8546ad034720..b966115bfad1 100644 +--- a/drivers/dma/sprd-dma.c ++++ b/drivers/dma/sprd-dma.c +@@ -1230,6 +1230,7 @@ static const struct of_device_id sprd_dma_match[] = { + { .compatible = "sprd,sc9860-dma", }, + {}, + }; ++MODULE_DEVICE_TABLE(of, sprd_dma_match); + + static int __maybe_unused sprd_dma_runtime_suspend(struct device *dev) + { +-- +2.33.0 + diff --git a/queue-5.4/dmaengine-xilinx_dma-set-dma-mask-for-coherent-apis.patch b/queue-5.4/dmaengine-xilinx_dma-set-dma-mask-for-coherent-apis.patch new file mode 100644 index 00000000000..87d5a6f79de --- /dev/null +++ b/queue-5.4/dmaengine-xilinx_dma-set-dma-mask-for-coherent-apis.patch @@ -0,0 +1,50 @@ +From 64c2d7923143b208189aceb3aef0f54194caa1f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 14:28:48 +0530 +Subject: dmaengine: xilinx_dma: Set DMA mask for coherent APIs + +From: Radhey Shyam Pandey + +[ Upstream commit aac6c0f90799d66b8989be1e056408f33fd99fe6 ] + +The xilinx dma driver uses the consistent allocations, so for correct +operation also set the DMA mask for coherent APIs. It fixes the below +kernel crash with dmatest client when DMA IP is configured with 64-bit +address width and linux is booted from high (>4GB) memory. + +Call trace: +[ 489.531257] dma_alloc_from_pool+0x8c/0x1c0 +[ 489.535431] dma_direct_alloc+0x284/0x330 +[ 489.539432] dma_alloc_attrs+0x80/0xf0 +[ 489.543174] dma_pool_alloc+0x160/0x2c0 +[ 489.547003] xilinx_cdma_prep_memcpy+0xa4/0x180 +[ 489.551524] dmatest_func+0x3cc/0x114c +[ 489.555266] kthread+0x124/0x130 +[ 489.558486] ret_from_fork+0x10/0x3c +[ 489.562051] ---[ end trace 248625b2d596a90a ]--- + +Signed-off-by: Radhey Shyam Pandey +Reviewed-by: Harini Katakam +Link: https://lore.kernel.org/r/1629363528-30347-1-git-send-email-radhey.shyam.pandey@xilinx.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xilinx_dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index ce18bca45ff2..7729b8d22553 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -2703,7 +2703,7 @@ static int xilinx_dma_probe(struct platform_device *pdev) + xdev->ext_addr = false; + + /* Set the dma mask bits */ +- dma_set_mask(xdev->dev, DMA_BIT_MASK(addr_width)); ++ dma_set_mask_and_coherent(xdev->dev, DMA_BIT_MASK(addr_width)); + + /* Initialize the DMA engine */ + xdev->common.dev = &pdev->dev; +-- +2.33.0 + diff --git a/queue-5.4/drivers-base-cacheinfo-get-rid-of-define_smp_call_ca.patch b/queue-5.4/drivers-base-cacheinfo-get-rid-of-define_smp_call_ca.patch new file mode 100644 index 00000000000..fb60255e7b7 --- /dev/null +++ b/queue-5.4/drivers-base-cacheinfo-get-rid-of-define_smp_call_ca.patch @@ -0,0 +1,187 @@ +From b14de9a9d52b31cc2d756a3662cb5de6df00b806 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Aug 2021 13:48:34 +0200 +Subject: drivers: base: cacheinfo: Get rid of DEFINE_SMP_CALL_CACHE_FUNCTION() + +From: Thomas Gleixner + +[ Upstream commit 4b92d4add5f6dcf21275185c997d6ecb800054cd ] + +DEFINE_SMP_CALL_CACHE_FUNCTION() was usefel before the CPU hotplug rework +to ensure that the cache related functions are called on the upcoming CPU +because the notifier itself could run on any online CPU. + +The hotplug state machine guarantees that the callbacks are invoked on the +upcoming CPU. So there is no need to have this SMP function call +obfuscation. That indirection was missed when the hotplug notifiers were +converted. + +This also solves the problem of ARM64 init_cache_level() invoking ACPI +functions which take a semaphore in that context. That's invalid as SMP +function calls run with interrupts disabled. Running it just from the +callback in context of the CPU hotplug thread solves this. + +Fixes: 8571890e1513 ("arm64: Add support for ACPI based firmware tables") +Reported-by: Guenter Roeck +Signed-off-by: Thomas Gleixner +Tested-by: Guenter Roeck +Acked-by: Will Deacon +Acked-by: Peter Zijlstra +Link: https://lore.kernel.org/r/871r69ersb.ffs@tglx +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/cacheinfo.c | 7 ++----- + arch/mips/kernel/cacheinfo.c | 7 ++----- + arch/riscv/kernel/cacheinfo.c | 7 ++----- + arch/x86/kernel/cpu/cacheinfo.c | 7 ++----- + include/linux/cacheinfo.h | 18 ------------------ + 5 files changed, 8 insertions(+), 38 deletions(-) + +diff --git a/arch/arm64/kernel/cacheinfo.c b/arch/arm64/kernel/cacheinfo.c +index 7fa6828bb488..587543c6c51c 100644 +--- a/arch/arm64/kernel/cacheinfo.c ++++ b/arch/arm64/kernel/cacheinfo.c +@@ -43,7 +43,7 @@ static void ci_leaf_init(struct cacheinfo *this_leaf, + this_leaf->type = type; + } + +-static int __init_cache_level(unsigned int cpu) ++int init_cache_level(unsigned int cpu) + { + unsigned int ctype, level, leaves, fw_level; + struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); +@@ -78,7 +78,7 @@ static int __init_cache_level(unsigned int cpu) + return 0; + } + +-static int __populate_cache_leaves(unsigned int cpu) ++int populate_cache_leaves(unsigned int cpu) + { + unsigned int level, idx; + enum cache_type type; +@@ -97,6 +97,3 @@ static int __populate_cache_leaves(unsigned int cpu) + } + return 0; + } +- +-DEFINE_SMP_CALL_CACHE_FUNCTION(init_cache_level) +-DEFINE_SMP_CALL_CACHE_FUNCTION(populate_cache_leaves) +diff --git a/arch/mips/kernel/cacheinfo.c b/arch/mips/kernel/cacheinfo.c +index 47312c529410..529dab855aac 100644 +--- a/arch/mips/kernel/cacheinfo.c ++++ b/arch/mips/kernel/cacheinfo.c +@@ -17,7 +17,7 @@ do { \ + leaf++; \ + } while (0) + +-static int __init_cache_level(unsigned int cpu) ++int init_cache_level(unsigned int cpu) + { + struct cpuinfo_mips *c = ¤t_cpu_data; + struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); +@@ -69,7 +69,7 @@ static void fill_cpumask_cluster(int cpu, cpumask_t *cpu_map) + cpumask_set_cpu(cpu1, cpu_map); + } + +-static int __populate_cache_leaves(unsigned int cpu) ++int populate_cache_leaves(unsigned int cpu) + { + struct cpuinfo_mips *c = ¤t_cpu_data; + struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); +@@ -98,6 +98,3 @@ static int __populate_cache_leaves(unsigned int cpu) + + return 0; + } +- +-DEFINE_SMP_CALL_CACHE_FUNCTION(init_cache_level) +-DEFINE_SMP_CALL_CACHE_FUNCTION(populate_cache_leaves) +diff --git a/arch/riscv/kernel/cacheinfo.c b/arch/riscv/kernel/cacheinfo.c +index 4c90c07d8c39..d930bd073b7b 100644 +--- a/arch/riscv/kernel/cacheinfo.c ++++ b/arch/riscv/kernel/cacheinfo.c +@@ -16,7 +16,7 @@ static void ci_leaf_init(struct cacheinfo *this_leaf, + this_leaf->type = type; + } + +-static int __init_cache_level(unsigned int cpu) ++int init_cache_level(unsigned int cpu) + { + struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); + struct device_node *np = of_cpu_device_node_get(cpu); +@@ -58,7 +58,7 @@ static int __init_cache_level(unsigned int cpu) + return 0; + } + +-static int __populate_cache_leaves(unsigned int cpu) ++int populate_cache_leaves(unsigned int cpu) + { + struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); + struct cacheinfo *this_leaf = this_cpu_ci->info_list; +@@ -95,6 +95,3 @@ static int __populate_cache_leaves(unsigned int cpu) + + return 0; + } +- +-DEFINE_SMP_CALL_CACHE_FUNCTION(init_cache_level) +-DEFINE_SMP_CALL_CACHE_FUNCTION(populate_cache_leaves) +diff --git a/arch/x86/kernel/cpu/cacheinfo.c b/arch/x86/kernel/cpu/cacheinfo.c +index 30f33b75209a..cae566567e15 100644 +--- a/arch/x86/kernel/cpu/cacheinfo.c ++++ b/arch/x86/kernel/cpu/cacheinfo.c +@@ -985,7 +985,7 @@ static void ci_leaf_init(struct cacheinfo *this_leaf, + this_leaf->priv = base->nb; + } + +-static int __init_cache_level(unsigned int cpu) ++int init_cache_level(unsigned int cpu) + { + struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); + +@@ -1014,7 +1014,7 @@ static void get_cache_id(int cpu, struct _cpuid4_info_regs *id4_regs) + id4_regs->id = c->apicid >> index_msb; + } + +-static int __populate_cache_leaves(unsigned int cpu) ++int populate_cache_leaves(unsigned int cpu) + { + unsigned int idx, ret; + struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); +@@ -1033,6 +1033,3 @@ static int __populate_cache_leaves(unsigned int cpu) + + return 0; + } +- +-DEFINE_SMP_CALL_CACHE_FUNCTION(init_cache_level) +-DEFINE_SMP_CALL_CACHE_FUNCTION(populate_cache_leaves) +diff --git a/include/linux/cacheinfo.h b/include/linux/cacheinfo.h +index 46b92cd61d0c..c8c71eea237d 100644 +--- a/include/linux/cacheinfo.h ++++ b/include/linux/cacheinfo.h +@@ -78,24 +78,6 @@ struct cpu_cacheinfo { + bool cpu_map_populated; + }; + +-/* +- * Helpers to make sure "func" is executed on the cpu whose cache +- * attributes are being detected +- */ +-#define DEFINE_SMP_CALL_CACHE_FUNCTION(func) \ +-static inline void _##func(void *ret) \ +-{ \ +- int cpu = smp_processor_id(); \ +- *(int *)ret = __##func(cpu); \ +-} \ +- \ +-int func(unsigned int cpu) \ +-{ \ +- int ret; \ +- smp_call_function_single(cpu, _##func, &ret, true); \ +- return ret; \ +-} +- + struct cpu_cacheinfo *get_cpu_cacheinfo(unsigned int cpu); + int init_cache_level(unsigned int cpu); + int populate_cache_leaves(unsigned int cpu); +-- +2.33.0 + diff --git a/queue-5.4/kconfig.debug-drop-selecting-non-existing-hardlockup.patch b/queue-5.4/kconfig.debug-drop-selecting-non-existing-hardlockup.patch new file mode 100644 index 00000000000..b747a80c423 --- /dev/null +++ b/queue-5.4/kconfig.debug-drop-selecting-non-existing-hardlockup.patch @@ -0,0 +1,49 @@ +From 26c23afb6b67ac3665b7f854132226e8a9e4e3ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:00:47 -0700 +Subject: Kconfig.debug: drop selecting non-existing HARDLOCKUP_DETECTOR_ARCH + +From: Lukas Bulwahn + +[ Upstream commit 6fe26259b4884b657cbc233fb9cdade9d704976e ] + +Commit 05a4a9527931 ("kernel/watchdog: split up config options") adds a +new config HARDLOCKUP_DETECTOR, which selects the non-existing config +HARDLOCKUP_DETECTOR_ARCH. + +Hence, ./scripts/checkkconfigsymbols.py warns: + +HARDLOCKUP_DETECTOR_ARCH Referencing files: lib/Kconfig.debug + +Simply drop selecting the non-existing HARDLOCKUP_DETECTOR_ARCH. + +Link: https://lkml.kernel.org/r/20210806115618.22088-1-lukas.bulwahn@gmail.com +Fixes: 05a4a9527931 ("kernel/watchdog: split up config options") +Signed-off-by: Lukas Bulwahn +Cc: Nicholas Piggin +Cc: Masahiro Yamada +Cc: Babu Moger +Cc: Don Zickus +Cc: Randy Dunlap +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/Kconfig.debug | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug +index ee00c6c8a373..a846f03901db 100644 +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -868,7 +868,6 @@ config HARDLOCKUP_DETECTOR + depends on HAVE_HARDLOCKUP_DETECTOR_PERF || HAVE_HARDLOCKUP_DETECTOR_ARCH + select LOCKUP_DETECTOR + select HARDLOCKUP_DETECTOR_PERF if HAVE_HARDLOCKUP_DETECTOR_PERF +- select HARDLOCKUP_DETECTOR_ARCH if HAVE_HARDLOCKUP_DETECTOR_ARCH + help + Say Y here to enable the kernel to act as a watchdog to detect + hard lockups. +-- +2.33.0 + diff --git a/queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_-name-_.patch b/queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_-name-_.patch new file mode 100644 index 00000000000..fa9f024b003 --- /dev/null +++ b/queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_-name-_.patch @@ -0,0 +1,42 @@ +From 53d5a53b39f8e54b2a250b5ce2705223790c2062 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:00:15 -0700 +Subject: nilfs2: fix memory leak in nilfs_sysfs_create_##name##_group + +From: Nanyong Sun + +[ Upstream commit 24f8cb1ed057c840728167dab33b32e44147c86f ] + +If kobject_init_and_add return with error, kobject_put() is needed here to +avoid memory leak, because kobject_init_and_add may return error without +freeing the memory associated with the kobject it allocated. + +Link: https://lkml.kernel.org/r/20210629022556.3985106-4-sunnanyong@huawei.com +Link: https://lkml.kernel.org/r/1625651306-10829-4-git-send-email-konishi.ryusuke@gmail.com +Signed-off-by: Nanyong Sun +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/nilfs2/sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c +index ca720d958315..31d640a87b59 100644 +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -92,8 +92,8 @@ static int nilfs_sysfs_create_##name##_group(struct the_nilfs *nilfs) \ + err = kobject_init_and_add(kobj, &nilfs_##name##_ktype, parent, \ + #name); \ + if (err) \ +- return err; \ +- return 0; \ ++ kobject_put(kobj); \ ++ return err; \ + } \ + static void nilfs_sysfs_delete_##name##_group(struct the_nilfs *nilfs) \ + { \ +-- +2.33.0 + diff --git a/queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_device_.patch b/queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_device_.patch new file mode 100644 index 00000000000..6a70d6bb822 --- /dev/null +++ b/queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_device_.patch @@ -0,0 +1,97 @@ +From f68a961b7523b913c988380ec431b9acfddb55a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:00:09 -0700 +Subject: nilfs2: fix memory leak in nilfs_sysfs_create_device_group + +From: Nanyong Sun + +[ Upstream commit 5f5dec07aca7067216ed4c1342e464e7307a9197 ] + +Patch series "nilfs2: fix incorrect usage of kobject". + +This patchset from Nanyong Sun fixes memory leak issues and a NULL +pointer dereference issue caused by incorrect usage of kboject in nilfs2 +sysfs implementation. + +This patch (of 6): + +Reported by syzkaller: + + BUG: memory leak + unreferenced object 0xffff888100ca8988 (size 8): + comm "syz-executor.1", pid 1930, jiffies 4294745569 (age 18.052s) + hex dump (first 8 bytes): + 6c 6f 6f 70 31 00 ff ff loop1... + backtrace: + kstrdup+0x36/0x70 mm/util.c:60 + kstrdup_const+0x35/0x60 mm/util.c:83 + kvasprintf_const+0xf1/0x180 lib/kasprintf.c:48 + kobject_set_name_vargs+0x56/0x150 lib/kobject.c:289 + kobject_add_varg lib/kobject.c:384 [inline] + kobject_init_and_add+0xc9/0x150 lib/kobject.c:473 + nilfs_sysfs_create_device_group+0x150/0x7d0 fs/nilfs2/sysfs.c:986 + init_nilfs+0xa21/0xea0 fs/nilfs2/the_nilfs.c:637 + nilfs_fill_super fs/nilfs2/super.c:1046 [inline] + nilfs_mount+0x7b4/0xe80 fs/nilfs2/super.c:1316 + legacy_get_tree+0x105/0x210 fs/fs_context.c:592 + vfs_get_tree+0x8e/0x2d0 fs/super.c:1498 + do_new_mount fs/namespace.c:2905 [inline] + path_mount+0xf9b/0x1990 fs/namespace.c:3235 + do_mount+0xea/0x100 fs/namespace.c:3248 + __do_sys_mount fs/namespace.c:3456 [inline] + __se_sys_mount fs/namespace.c:3433 [inline] + __x64_sys_mount+0x14b/0x1f0 fs/namespace.c:3433 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +If kobject_init_and_add return with error, then the cleanup of kobject +is needed because memory may be allocated in kobject_init_and_add +without freeing. + +And the place of cleanup_dev_kobject should use kobject_put to free the +memory associated with the kobject. As the section "Kobject removal" of +"Documentation/core-api/kobject.rst" says, kobject_del() just makes the +kobject "invisible", but it is not cleaned up. And no more cleanup will +do after cleanup_dev_kobject, so kobject_put is needed here. + +Link: https://lkml.kernel.org/r/1625651306-10829-1-git-send-email-konishi.ryusuke@gmail.com +Link: https://lkml.kernel.org/r/1625651306-10829-2-git-send-email-konishi.ryusuke@gmail.com +Reported-by: Hulk Robot +Link: https://lkml.kernel.org/r/20210629022556.3985106-2-sunnanyong@huawei.com +Signed-off-by: Nanyong Sun +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/nilfs2/sysfs.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c +index c6c8a33c81d5..cbfc132206e8 100644 +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -1000,7 +1000,7 @@ int nilfs_sysfs_create_device_group(struct super_block *sb) + err = kobject_init_and_add(&nilfs->ns_dev_kobj, &nilfs_dev_ktype, NULL, + "%s", sb->s_id); + if (err) +- goto free_dev_subgroups; ++ goto cleanup_dev_kobject; + + err = nilfs_sysfs_create_mounted_snapshots_group(nilfs); + if (err) +@@ -1037,9 +1037,7 @@ delete_mounted_snapshots_group: + nilfs_sysfs_delete_mounted_snapshots_group(nilfs); + + cleanup_dev_kobject: +- kobject_del(&nilfs->ns_dev_kobj); +- +-free_dev_subgroups: ++ kobject_put(&nilfs->ns_dev_kobj); + kfree(nilfs->ns_dev_subgroups); + + failed_create_device_group: +-- +2.33.0 + diff --git a/queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_snapsho.patch b/queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_snapsho.patch new file mode 100644 index 00000000000..9dee62fd787 --- /dev/null +++ b/queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_snapsho.patch @@ -0,0 +1,43 @@ +From 0540dd5a73473e5008bef8f2bbeb5d3720e955dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:00:21 -0700 +Subject: nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_group + +From: Nanyong Sun + +[ Upstream commit b2fe39c248f3fa4bbb2a20759b4fdd83504190f7 ] + +If kobject_init_and_add returns with error, kobject_put() is needed here +to avoid memory leak, because kobject_init_and_add may return error +without freeing the memory associated with the kobject it allocated. + +Link: https://lkml.kernel.org/r/20210629022556.3985106-6-sunnanyong@huawei.com +Link: https://lkml.kernel.org/r/1625651306-10829-6-git-send-email-konishi.ryusuke@gmail.com +Signed-off-by: Nanyong Sun +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/nilfs2/sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c +index 195f42192a15..6c92ac314b06 100644 +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -208,9 +208,9 @@ int nilfs_sysfs_create_snapshot_group(struct nilfs_root *root) + } + + if (err) +- return err; ++ kobject_put(&root->snapshot_kobj); + +- return 0; ++ return err; + } + + void nilfs_sysfs_delete_snapshot_group(struct nilfs_root *root) +-- +2.33.0 + diff --git a/queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_-name-_.patch b/queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_-name-_.patch new file mode 100644 index 00000000000..20b30d5a675 --- /dev/null +++ b/queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_-name-_.patch @@ -0,0 +1,40 @@ +From d6ac1634e7482a42e6585a701f428676603e22c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:00:18 -0700 +Subject: nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_group + +From: Nanyong Sun + +[ Upstream commit a3e181259ddd61fd378390977a1e4e2316853afa ] + +The kobject_put() should be used to cleanup the memory associated with the +kobject instead of kobject_del. See the section "Kobject removal" of +"Documentation/core-api/kobject.rst". + +Link: https://lkml.kernel.org/r/20210629022556.3985106-5-sunnanyong@huawei.com +Link: https://lkml.kernel.org/r/1625651306-10829-5-git-send-email-konishi.ryusuke@gmail.com +Signed-off-by: Nanyong Sun +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/nilfs2/sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c +index 31d640a87b59..195f42192a15 100644 +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -97,7 +97,7 @@ static int nilfs_sysfs_create_##name##_group(struct the_nilfs *nilfs) \ + } \ + static void nilfs_sysfs_delete_##name##_group(struct the_nilfs *nilfs) \ + { \ +- kobject_del(&nilfs->ns_##parent_name##_subgroups->sg_##name##_kobj); \ ++ kobject_put(&nilfs->ns_##parent_name##_subgroups->sg_##name##_kobj); \ + } + + /************************************************************************ +-- +2.33.0 + diff --git a/queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_snapsho.patch b/queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_snapsho.patch new file mode 100644 index 00000000000..16de697ddf6 --- /dev/null +++ b/queue-5.4/nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_snapsho.patch @@ -0,0 +1,40 @@ +From 1ca81935451ac09d7be23d9fa7c3b639fb832ecf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:00:23 -0700 +Subject: nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_group + +From: Nanyong Sun + +[ Upstream commit 17243e1c3072b8417a5ebfc53065d0a87af7ca77 ] + +kobject_put() should be used to cleanup the memory associated with the +kobject instead of kobject_del(). See the section "Kobject removal" of +"Documentation/core-api/kobject.rst". + +Link: https://lkml.kernel.org/r/20210629022556.3985106-7-sunnanyong@huawei.com +Link: https://lkml.kernel.org/r/1625651306-10829-7-git-send-email-konishi.ryusuke@gmail.com +Signed-off-by: Nanyong Sun +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/nilfs2/sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c +index 6c92ac314b06..28a2db3b1787 100644 +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -215,7 +215,7 @@ int nilfs_sysfs_create_snapshot_group(struct nilfs_root *root) + + void nilfs_sysfs_delete_snapshot_group(struct nilfs_root *root) + { +- kobject_del(&root->snapshot_kobj); ++ kobject_put(&root->snapshot_kobj); + } + + /************************************************************************ +-- +2.33.0 + diff --git a/queue-5.4/nilfs2-fix-null-pointer-in-nilfs_-name-_attr_release.patch b/queue-5.4/nilfs2-fix-null-pointer-in-nilfs_-name-_attr_release.patch new file mode 100644 index 00000000000..f36a9a936d8 --- /dev/null +++ b/queue-5.4/nilfs2-fix-null-pointer-in-nilfs_-name-_attr_release.patch @@ -0,0 +1,49 @@ +From bbd073a4bb6185cce1c21e218ca9296705cd3492 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:00:12 -0700 +Subject: nilfs2: fix NULL pointer in nilfs_##name##_attr_release + +From: Nanyong Sun + +[ Upstream commit dbc6e7d44a514f231a64d9d5676e001b660b6448 ] + +In nilfs_##name##_attr_release, kobj->parent should not be referenced +because it is a NULL pointer. The release() method of kobject is always +called in kobject_put(kobj), in the implementation of kobject_put(), the +kobj->parent will be assigned as NULL before call the release() method. +So just use kobj to get the subgroups, which is more efficient and can fix +a NULL pointer reference problem. + +Link: https://lkml.kernel.org/r/20210629022556.3985106-3-sunnanyong@huawei.com +Link: https://lkml.kernel.org/r/1625651306-10829-3-git-send-email-konishi.ryusuke@gmail.com +Signed-off-by: Nanyong Sun +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/nilfs2/sysfs.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c +index cbfc132206e8..ca720d958315 100644 +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -64,11 +64,9 @@ static const struct sysfs_ops nilfs_##name##_attr_ops = { \ + #define NILFS_DEV_INT_GROUP_TYPE(name, parent_name) \ + static void nilfs_##name##_attr_release(struct kobject *kobj) \ + { \ +- struct nilfs_sysfs_##parent_name##_subgroups *subgroups; \ +- struct the_nilfs *nilfs = container_of(kobj->parent, \ +- struct the_nilfs, \ +- ns_##parent_name##_kobj); \ +- subgroups = nilfs->ns_##parent_name##_subgroups; \ ++ struct nilfs_sysfs_##parent_name##_subgroups *subgroups = container_of(kobj, \ ++ struct nilfs_sysfs_##parent_name##_subgroups, \ ++ sg_##name##_kobj); \ + complete(&subgroups->sg_##name##_kobj_unregister); \ + } \ + static struct kobj_type nilfs_##name##_ktype = { \ +-- +2.33.0 + diff --git a/queue-5.4/parisc-move-pci_dev_is_behind_card_dino-to-where-it-.patch b/queue-5.4/parisc-move-pci_dev_is_behind_card_dino-to-where-it-.patch new file mode 100644 index 00000000000..ffff90bad09 --- /dev/null +++ b/queue-5.4/parisc-move-pci_dev_is_behind_card_dino-to-where-it-.patch @@ -0,0 +1,64 @@ +From 02e6932934fba1913df6671c53a32b0bb7a38cdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 08:30:41 -0700 +Subject: parisc: Move pci_dev_is_behind_card_dino to where it is used + +From: Guenter Roeck + +[ Upstream commit 907872baa9f1538eed02ec737b8e89eba6c6e4b9 ] + +parisc build test images fail to compile with the following error. + +drivers/parisc/dino.c:160:12: error: + 'pci_dev_is_behind_card_dino' defined but not used + +Move the function just ahead of its only caller to avoid the error. + +Fixes: 5fa1659105fa ("parisc: Disable HP HSC-PCI Cards to prevent kernel crash") +Cc: Helge Deller +Signed-off-by: Guenter Roeck +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/parisc/dino.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/parisc/dino.c b/drivers/parisc/dino.c +index 2f1cac89ddf5..544287e9f449 100644 +--- a/drivers/parisc/dino.c ++++ b/drivers/parisc/dino.c +@@ -156,15 +156,6 @@ static inline struct dino_device *DINO_DEV(struct pci_hba_data *hba) + return container_of(hba, struct dino_device, hba); + } + +-/* Check if PCI device is behind a Card-mode Dino. */ +-static int pci_dev_is_behind_card_dino(struct pci_dev *dev) +-{ +- struct dino_device *dino_dev; +- +- dino_dev = DINO_DEV(parisc_walk_tree(dev->bus->bridge)); +- return is_card_dino(&dino_dev->hba.dev->id); +-} +- + /* + * Dino Configuration Space Accessor Functions + */ +@@ -447,6 +438,15 @@ static void quirk_cirrus_cardbus(struct pci_dev *dev) + DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_CIRRUS, PCI_DEVICE_ID_CIRRUS_6832, quirk_cirrus_cardbus ); + + #ifdef CONFIG_TULIP ++/* Check if PCI device is behind a Card-mode Dino. */ ++static int pci_dev_is_behind_card_dino(struct pci_dev *dev) ++{ ++ struct dino_device *dino_dev; ++ ++ dino_dev = DINO_DEV(parisc_walk_tree(dev->bus->bridge)); ++ return is_card_dino(&dino_dev->hba.dev->id); ++} ++ + static void pci_fixup_tulip(struct pci_dev *dev) + { + if (!pci_dev_is_behind_card_dino(dev)) +-- +2.33.0 + diff --git a/queue-5.4/pwm-img-don-t-modify-hw-state-in-.remove-callback.patch b/queue-5.4/pwm-img-don-t-modify-hw-state-in-.remove-callback.patch new file mode 100644 index 00000000000..30f255723dd --- /dev/null +++ b/queue-5.4/pwm-img-don-t-modify-hw-state-in-.remove-callback.patch @@ -0,0 +1,56 @@ +From 7e15cfa89d7303f77177ce6914ab6633ee6d90b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 18:27:51 +0200 +Subject: pwm: img: Don't modify HW state in .remove() callback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit c68eb29c8e9067c08175dd0414f6984f236f719d ] + +A consumer is expected to disable a PWM before calling pwm_put(). And if +they didn't there is hopefully a good reason (or the consumer needs +fixing). Also if disabling an enabled PWM was the right thing to do, +this should better be done in the framework instead of in each low level +driver. + +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-img.c | 16 ---------------- + 1 file changed, 16 deletions(-) + +diff --git a/drivers/pwm/pwm-img.c b/drivers/pwm/pwm-img.c +index 22c002e685b3..37f9b688661d 100644 +--- a/drivers/pwm/pwm-img.c ++++ b/drivers/pwm/pwm-img.c +@@ -329,23 +329,7 @@ err_pm_disable: + static int img_pwm_remove(struct platform_device *pdev) + { + struct img_pwm_chip *pwm_chip = platform_get_drvdata(pdev); +- u32 val; +- unsigned int i; +- int ret; +- +- ret = pm_runtime_get_sync(&pdev->dev); +- if (ret < 0) { +- pm_runtime_put(&pdev->dev); +- return ret; +- } +- +- for (i = 0; i < pwm_chip->chip.npwm; i++) { +- val = img_pwm_readl(pwm_chip, PWM_CTRL_CFG); +- val &= ~BIT(i); +- img_pwm_writel(pwm_chip, PWM_CTRL_CFG, val); +- } + +- pm_runtime_put(&pdev->dev); + pm_runtime_disable(&pdev->dev); + if (!pm_runtime_status_suspended(&pdev->dev)) + img_pwm_runtime_suspend(&pdev->dev); +-- +2.33.0 + diff --git a/queue-5.4/pwm-rockchip-don-t-modify-hw-state-in-.remove-callba.patch b/queue-5.4/pwm-rockchip-don-t-modify-hw-state-in-.remove-callba.patch new file mode 100644 index 00000000000..0e8d9a3bd1f --- /dev/null +++ b/queue-5.4/pwm-rockchip-don-t-modify-hw-state-in-.remove-callba.patch @@ -0,0 +1,53 @@ +From bb378bef71487cfd8ac2e8b462beeec01baf08dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 18:27:52 +0200 +Subject: pwm: rockchip: Don't modify HW state in .remove() callback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 9d768cd7fd42bb0be16f36aec48548fca5260759 ] + +A consumer is expected to disable a PWM before calling pwm_put(). And if +they didn't there is hopefully a good reason (or the consumer needs +fixing). Also if disabling an enabled PWM was the right thing to do, +this should better be done in the framework instead of in each low level +driver. + +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-rockchip.c | 14 -------------- + 1 file changed, 14 deletions(-) + +diff --git a/drivers/pwm/pwm-rockchip.c b/drivers/pwm/pwm-rockchip.c +index 6ad6aad215cf..8c0af705c5ae 100644 +--- a/drivers/pwm/pwm-rockchip.c ++++ b/drivers/pwm/pwm-rockchip.c +@@ -383,20 +383,6 @@ static int rockchip_pwm_remove(struct platform_device *pdev) + { + struct rockchip_pwm_chip *pc = platform_get_drvdata(pdev); + +- /* +- * Disable the PWM clk before unpreparing it if the PWM device is still +- * running. This should only happen when the last PWM user left it +- * enabled, or when nobody requested a PWM that was previously enabled +- * by the bootloader. +- * +- * FIXME: Maybe the core should disable all PWM devices in +- * pwmchip_remove(). In this case we'd only have to call +- * clk_unprepare() after pwmchip_remove(). +- * +- */ +- if (pwm_is_enabled(pc->chip.pwms)) +- clk_disable(pc->clk); +- + clk_unprepare(pc->pclk); + clk_unprepare(pc->clk); + +-- +2.33.0 + diff --git a/queue-5.4/pwm-stm32-lp-don-t-modify-hw-state-in-.remove-callba.patch b/queue-5.4/pwm-stm32-lp-don-t-modify-hw-state-in-.remove-callba.patch new file mode 100644 index 00000000000..c15284b37eb --- /dev/null +++ b/queue-5.4/pwm-stm32-lp-don-t-modify-hw-state-in-.remove-callba.patch @@ -0,0 +1,41 @@ +From 4d106f059a7e49b95e231ead6430770bea643f19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 18:27:53 +0200 +Subject: pwm: stm32-lp: Don't modify HW state in .remove() callback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit d44084c93427bb0a9261432db1a8ca76a42d805e ] + +A consumer is expected to disable a PWM before calling pwm_put(). And if +they didn't there is hopefully a good reason (or the consumer needs +fixing). Also if disabling an enabled PWM was the right thing to do, +this should better be done in the framework instead of in each low level +driver. + +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-stm32-lp.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/pwm/pwm-stm32-lp.c b/drivers/pwm/pwm-stm32-lp.c +index 67fca62524dc..05bb1f95a773 100644 +--- a/drivers/pwm/pwm-stm32-lp.c ++++ b/drivers/pwm/pwm-stm32-lp.c +@@ -225,8 +225,6 @@ static int stm32_pwm_lp_remove(struct platform_device *pdev) + { + struct stm32_pwm_lp *priv = platform_get_drvdata(pdev); + +- pwm_disable(&priv->chip.pwms[0]); +- + return pwmchip_remove(&priv->chip); + } + +-- +2.33.0 + diff --git a/queue-5.4/rtc-rx8010-select-regmap_i2c.patch b/queue-5.4/rtc-rx8010-select-regmap_i2c.patch new file mode 100644 index 00000000000..22359c6b6e8 --- /dev/null +++ b/queue-5.4/rtc-rx8010-select-regmap_i2c.patch @@ -0,0 +1,35 @@ +From 020dc273bc255d6a031e8be94c30a7397f5a4632 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Aug 2021 13:25:32 +0800 +Subject: rtc: rx8010: select REGMAP_I2C + +From: Yu-Tung Chang + +[ Upstream commit 0c45d3e24ef3d3d87c5e0077b8f38d1372af7176 ] + +The rtc-rx8010 uses the I2C regmap but doesn't select it in Kconfig so +depending on the configuration the build may fail. Fix it. + +Signed-off-by: Yu-Tung Chang +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20210830052532.40356-1-mtwget@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/rtc/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/rtc/Kconfig b/drivers/rtc/Kconfig +index 9ae7ce3f5069..0ad8d84aeb33 100644 +--- a/drivers/rtc/Kconfig ++++ b/drivers/rtc/Kconfig +@@ -625,6 +625,7 @@ config RTC_DRV_FM3130 + + config RTC_DRV_RX8010 + tristate "Epson RX8010SJ" ++ select REGMAP_I2C + help + If you say yes here you get support for the Epson RX8010SJ RTC + chip. +-- +2.33.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 2f02afa9ac0..f3140b703eb 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -26,3 +26,24 @@ pwm-lpc32xx-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.pa pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch phy-avoid-unnecessary-link-up-delay-in-polling-mode.patch net-stmmac-reset-tx-desc-base-address-before-restarting-tx.patch +kconfig.debug-drop-selecting-non-existing-hardlockup.patch +thermal-core-fix-thermal_cooling_device_register-pro.patch +drivers-base-cacheinfo-get-rid-of-define_smp_call_ca.patch +parisc-move-pci_dev_is_behind_card_dino-to-where-it-.patch +dmaengine-sprd-add-missing-module_device_table.patch +dmaengine-ioat-depends-on-uml.patch +dmaengine-xilinx_dma-set-dma-mask-for-coherent-apis.patch +ceph-request-fw-caps-before-updating-the-mtime-in-ce.patch +ceph-lockdep-annotations-for-try_nonblocking_invalid.patch +btrfs-fix-lockdep-warning-while-mounting-sprout-fs.patch +nilfs2-fix-memory-leak-in-nilfs_sysfs_create_device_.patch +nilfs2-fix-null-pointer-in-nilfs_-name-_attr_release.patch +nilfs2-fix-memory-leak-in-nilfs_sysfs_create_-name-_.patch +nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_-name-_.patch +nilfs2-fix-memory-leak-in-nilfs_sysfs_create_snapsho.patch +nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_snapsho.patch +pwm-img-don-t-modify-hw-state-in-.remove-callback.patch +pwm-rockchip-don-t-modify-hw-state-in-.remove-callba.patch +pwm-stm32-lp-don-t-modify-hw-state-in-.remove-callba.patch +blk-throttle-fix-uaf-by-deleteing-timer-in-blk_throt.patch +rtc-rx8010-select-regmap_i2c.patch diff --git a/queue-5.4/thermal-core-fix-thermal_cooling_device_register-pro.patch b/queue-5.4/thermal-core-fix-thermal_cooling_device_register-pro.patch new file mode 100644 index 00000000000..2793ae3c02d --- /dev/null +++ b/queue-5.4/thermal-core-fix-thermal_cooling_device_register-pro.patch @@ -0,0 +1,58 @@ +From 89afa0c8429068db394e31d61d8a0851501aa60a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jul 2021 11:06:44 +0200 +Subject: thermal/core: Fix thermal_cooling_device_register() prototype + +From: Arnd Bergmann + +[ Upstream commit fb83610762dd5927212aa62a468dd3b756b57a88 ] + +There are two pairs of declarations for thermal_cooling_device_register() +and thermal_of_cooling_device_register(), and only one set was changed +in a recent patch, so the other one now causes a compile-time warning: + +drivers/net/wireless/mediatek/mt76/mt7915/init.c: In function 'mt7915_thermal_init': +drivers/net/wireless/mediatek/mt76/mt7915/init.c:134:48: error: passing argument 1 of 'thermal_cooling_device_register' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] + 134 | cdev = thermal_cooling_device_register(wiphy_name(wiphy), phy, + | ^~~~~~~~~~~~~~~~~ +In file included from drivers/net/wireless/mediatek/mt76/mt7915/init.c:7: +include/linux/thermal.h:407:39: note: expected 'char *' but argument is of type 'const char *' + 407 | thermal_cooling_device_register(char *type, void *devdata, + | ~~~~~~^~~~ + +Change the dummy helper functions to have the same arguments as the +normal version. + +Fixes: f991de53a8ab ("thermal: make device_register's type argument const") +Signed-off-by: Arnd Bergmann +Reviewed-by: Jean-Francois Dagenais +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20210722090717.1116748-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + include/linux/thermal.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/include/linux/thermal.h b/include/linux/thermal.h +index e45659c75920..a41378bdf27c 100644 +--- a/include/linux/thermal.h ++++ b/include/linux/thermal.h +@@ -501,12 +501,13 @@ static inline void thermal_zone_device_update(struct thermal_zone_device *tz, + static inline void thermal_zone_set_trips(struct thermal_zone_device *tz) + { } + static inline struct thermal_cooling_device * +-thermal_cooling_device_register(char *type, void *devdata, ++thermal_cooling_device_register(const char *type, void *devdata, + const struct thermal_cooling_device_ops *ops) + { return ERR_PTR(-ENODEV); } + static inline struct thermal_cooling_device * + thermal_of_cooling_device_register(struct device_node *np, +- char *type, void *devdata, const struct thermal_cooling_device_ops *ops) ++ const char *type, void *devdata, ++ const struct thermal_cooling_device_ops *ops) + { return ERR_PTR(-ENODEV); } + static inline struct thermal_cooling_device * + devm_thermal_of_cooling_device_register(struct device *dev, +-- +2.33.0 + -- 2.47.3