- 31 Dec, 2021 40 commits
-
-
Committed by Yang Yingliang
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4JBL0
CVE: NA
-------------------------------
Reserve space for struct cpu_stop_work. Changing this struct will affect set_cpus_allowed_ptr(), so reserve one kabi field.
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Cheng Jian <cj.chengjian@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Yang Jihong
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4GFVG?from=project-issue
CVE: NA
-------------------------------
Reserve space for the structures in perf subsystem.
Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
Reviewed-by: Kuohai Xu <xukuohai@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Wang Hai
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4HE7P?from=project-issue
CVE: NA
--------
Reserve some fields beforehand for net netfilter framework related structures prone to change.
---------
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Wang Hai
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4HE7P?from=project-issue
CVE: NA
--------
Reserve some fields beforehand for net bpf framework related structures prone to change.
---------
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Wang Hai
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4HE7P?from=project-issue
CVE: NA
--------
Reserve some fields beforehand for net rdma framework related structures prone to change.
---------
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Wang Hai
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4HE7P?from=project-issue
CVE: NA
--------
Reserve some fields beforehand for net sunrpc framework related structures prone to change.
---------
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Wang Hai
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4HE7P?from=project-issue
CVE: NA
--------
Reserve some fields beforehand for net can framework related structures prone to change.
---------
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Wang Hai
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4HE7P?from=project-issue
CVE: NA
--------
Reserve some fields beforehand for net base framework related structures prone to change.
---------
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Lu Jialin
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4GII8?from=project-issue
CVE: NA
--------
We reserve some fields beforehand for cgroup bpf structures prone to change, therefore, we can hot add/change features of bpf cgroup with this enhancement.
After reserving, normally cache does not matter as the reserved fields are not accessed at all.
Signed-off-by: Lu Jialin <lujialin4@huawei.com>
Reviewed-by: weiyang wang <wangweiyang2@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Lu Jialin
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4GII8?from=project-issue
CVE: NA
--------
We reserve some fields beforehand for cpu cgroup and cpuset related structures prone to change, therefore, we can hot add/change features of cpu cgroup cpuset and cgroup with this enhancement.
After reserving, normally cache does not matter as the reserved fields are not accessed at all.
--------
Signed-off-by: Lu Jialin <lujialin4@huawei.com>
Reviewed-by: Chen Hui <judy.chenhui@huawei.com>
Reviewed-by: weiyang wang <wangweiyang2@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Lu Jialin
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4GII8?from=project-issue
CVE: NA
--------
We reserve some fields beforehand for memcg related structures prone to change, therefore, we can hot add/change features of memcg with this enhancement.
After reserving, normally cache does not matter as the reserved fields are not accessed at all.
--------
Signed-off-by: Lu Jialin <lujialin4@huawei.com>
Reviewed-by: weiyang wang <wangweiyang2@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Lu Jialin
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4GII8?from=project-issue
CVE: NA
--------
We reserve some fields beforehand for cgroup framework related structures prone to change, therefore, we can hot add/change features of cgroupv1/cgroupv2 with this enhancement.
After reserving, normally cache does not matter as the reserved fields are not accessed at all.
---------
Signed-off-by: Lu Jialin <lujialin4@huawei.com>
Reviewed-by: weiyang wang <wangweiyang2@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Yongqiang Liu
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4JWSP
CVE: NA
--------------------------------------
Reserve space for the structure in memory subsystem.
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Lin Ruizhe
hulk inclusion
bugzilla: https://gitee.com/openeuler/kernel/issues/I4MZU1
CVE: NA
---------------------------
Add KABI_RESERVE in msi.h
Signed-off-by: Lin Ruizhe <linruizhe@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Lin Ruizhe
hulk inclusion
bugzilla: https://gitee.com/openeuler/kernel/issues/I4MZU1
CVE: NA
---------------------------
Add kabi_reserve in irqdomain.h
Signed-off-by: Lin Ruizhe <linruizhe@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Lin Ruizhe
hulk inclusion
bugzilla: https://gitee.com/openeuler/kernel/issues/I4MZU1
CVE: NA
---------------------------
Add KABI_RESERVE in irq_desc
Signed-off-by: Lin Ruizhe <linruizhe@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Lin Ruizhe
hulk inclusion
bugzilla: https://gitee.com/openeuler/kernel/issues/I4MZU1
CVE: NA
---------------------------
Add kabi_reserve in irq_common_data irq_chip irq_chip_type in irq.h
Signed-off-by: Lin Ruizhe <linruizhe@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Lin Ruizhe
hulk inclusion
bugzilla: https://gitee.com/openeuler/kernel/issues/I4MZU1
CVE: NA
---------------------------
Add kabi_reserve tasklet_struct and irq_affinity in interrupt.h
Signed-off-by: Lin Ruizhe <linruizhe@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Lin Ruizhe
hulk inclusion
bugzilla: https://gitee.com/openeuler/kernel/issues/I4MZU1
CVE: NA
---------------------------
Add kabi_reserve in struct acpi_rsdp_addr and setup_header
Signed-off-by: Lin Ruizhe <linruizhe@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Yu Liao
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4JBL0
CVE: NA
-------------------------------
Reserve space for hrtimer related structures.
Signed-off-by: Yu Liao <liaoyu15@huawei.com>
Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Yu Liao
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4GUAB
CVE: NA
-------------------------------
Reserve space for timer and workqueue subsystem.
Signed-off-by: Yu Liao <liaoyu15@huawei.com>
Reviewed-by: wangxiongfeng 00379786 <wangxiongfeng2@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Yu Liao
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4JBL0
CVE: NA
-------------------------------
Reserve space for struct worker.
Signed-off-by: Yu Liao <liaoyu15@huawei.com>
Reviewed-by: Cheng Jian <cj.chengjian@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Cui GaoSheng
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4KKML
DTS: NA
CVE: NA
---------------------------------------------------------
Reserve space in net_namespace.h
Signed-off-by: Cui GaoSheng <cuigaosheng1@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Jialin Zhang
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4JBL0
CVE: NA
-------------------------------
Reserve space for power management related structure.
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: Wei Li <liwei391@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Tan Xiaojun
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4JBL0
CVE: NA
-------------------------------
Reserve space for the structure in pci subsystem.
Signed-off-by: Tan Xiaojun <tanxiaojun@huawei.com>
Reviewed-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: wangxiongfeng 00379786 <wangxiongfeng2@huawei.com>
Reviewed-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Jialin Zhang
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4JBL0
CVE: NA
-------------------------------
Reserve space for posix clock related structure.
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: Wei Li <liwei391@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Xie XiuQi
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4JZ0H?from=project-issue
CVE: NA
Add check-kabi tool to detect the kabi changes introduced by the patch.
Usage:
    ./scripts/check-kabi -k Module.symvers.baseline -s Module.symvers
This tool is ported from CentOS 7.x source packages.
Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
Reviewed-by: Li Bin <huawei.libin@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: Cheng Jian <cj.chengjian@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Xie XiuQi
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4JZ0H?from=project-issue
CVE: NA
Add a tool to generate the kabi reference relationship for given module list.
Like this:
    memset: 3: nvme-core.ko nvme-fc.ko nvme.ko nvmet.ko
    complete: 4: nvme-rdma.ko nvme-fc.ko nvme.ko nvme-fcloop.ko
    mutex_unlock: 3: nvme-rdma.ko nvme-core.ko nvme.ko
    init_timer_key: 3: nvme-rdma.ko nvme-core.ko nvme-fc.ko nvmet.ko
    mutex_lock: 2: nvme-rdma.ko nvme-core.ko
usage:
    ./scripts/kabideps -m <mod list> -s <symvers> -d <dir of modules> -e
Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: Cheng Jian <cj.chengjian@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Xie XiuQi
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4JZ0H?from=project-issue
CVE: NA
Add a tool to generate the kabi reference relationship for given module list.
1) ./scripts/kabisyms -k <symlist> -s <symvers> -o <output>
   Generate Module.kabi file via symbol list.
2) ./scripts/kabisyms -k <symlist> -d <kabideps> -o <output>
    memset: 3: nvme-core.ko nvme-fc.ko nvme.ko nvmet.ko
    complete: 4: nvme-rdma.ko nvme-fc.ko nvme.ko nvme-fcloop.ko
    mutex_unlock: 3: nvme-rdma.ko nvme-core.ko nvme.ko
    init_timer_key: 3: nvme-rdma.ko nvme-core.ko nvme-fc.ko nvmet.ko
    mutex_lock: 2: nvme-rdma.ko nvme-core.ko
Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
Reviewed-by: Tan Xiaojun <tanxiaojun@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: Cheng Jian <cj.chengjian@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Xie XiuQi
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4K3S5
This option enables more stringent kabi checks. Those must be disabled in case of a debug-build because they allow to change struct sizes.
We enable this option by default.
Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
Reviewed-by: Cheng Jian <cj.chengjian@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Xie XiuQi
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4K3S5
This option enables more stringent kabi checks. Those must be disabled in case of a debug-build because they allow to change struct sizes.
Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
Reviewed-by: Cheng Jian <cj.chengjian@huawei.com>
Reviewed-by: Cheng Jian <cj.chengjian@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Xie XiuQi
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4K3S5
We introduce kabi helper macros which derived from RHEL "include/linux/rh_kabi.h", tried to standardize the kabi work on openEuler.
Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
Reviewed-by: Cheng Jian <cj.chengjian@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Xiongfeng Wang
hulk inclusion
category: bugfix
bugzilla: 20702,https://gitee.com/openeuler/kernel/issues/I4OG3O?from=project-issue
CVE: NA
---------------------------
When I inject a PCIE Fatal error into a mellanox netdevice, 'dmesg' shows the device is recovered successfully, but 'lspci' didn't show the device. I checked the configuration space of the slot where the netdevice is inserted and found out the bit 'PCI_BRIDGE_CTL_BUS_RESET' is set. Later, I found out it is because this bit is saved in 'saved_config_space' of 'struct pci_dev' when 'pci_pm_runtime_suspend()' is called. And 'PCI_BRIDGE_CTL_BUS_RESET' is set every time we restore the configuration space.
This patch avoids saving the bit 'PCI_BRIDGE_CTL_BUS_RESET' when we save the configuration space of a bridge.
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Xiongfeng Wang
hulk inclusion
category: bugfix
bugzilla: 4390,https://gitee.com/openeuler/kernel/issues/I4OG3O?from=project-issue
CVE: NA
-------------------
We use 'bir' as the index of array resource[DEVICE_COUNT_RESOURCE]. Wrong 'bir' will cause access out of range. This patch adds a check for 'bir'.
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Reviewed-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Xiongfeng Wang
euler inclusion
category: bugfix
bugzilla: 4390,https://gitee.com/openeuler/kernel/issues/I4OG3O?from=project-issue
CVE: NA
----------------------------------------
This patch adds a check for the offset of MSI-X Table. If it is out of range of the BAR space BIR selects, we just fail this MSI-X mapping.
Signed-off-by: Xiongfeng Wang <xiongfeng.wang@linaro.org>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Mao Wenan <maowenan@huawei.com>
Signed-off-by: Hui Wang <john.wanghui@huawei.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
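The two commits above validate the MSI-X 'bir' index and the MSI-X Table offset before mapping. The following user-space sketch of both checks is an added example, not the openEuler patch itself: the `ex_` names, the six-BAR limit and the sample BAR layout are assumptions made for illustration, while the register masks follow the PCI MSI-X capability layout.

```c
#include <stdint.h>
#include <stdio.h>

/* Field layout of the MSI-X capability registers. */
#define MSIX_FLAGS_QSIZE   0x07FFu      /* Message Control 10:0 = entries - 1 */
#define MSIX_TABLE_BIR     0x00000007u  /* Table Offset/BIR 2:0 = BAR index   */
#define MSIX_TABLE_OFFSET  0xFFFFFFF8u  /* Table Offset/BIR 31:3 = offset     */
#define MSIX_ENTRY_SIZE    16u          /* bytes per MSI-X table entry        */
#define EX_NUM_BARS        6u           /* assumption: standard BARs only     */

/* Hypothetical stand-in for one resource[] slot; len == 0 means unassigned. */
struct ex_bar { uint64_t start; uint64_t len; };

enum msix_check { MSIX_OK = 0, MSIX_BAD_BIR, MSIX_BAR_UNSET, MSIX_TABLE_OUT_OF_BAR };

/* Constructed sample device: BAR0 is 16 KiB, BAR2 is 4 KiB, the rest unset. */
static const struct ex_bar EX_SAMPLE_BARS[EX_NUM_BARS] = {
    [0] = { 0xe0000000ULL, 0x4000 },
    [2] = { 0xe0100000ULL, 0x1000 },
};

/*
 * Validate device-supplied MSI-X registers before they are used to index the
 * BAR array or to compute a mapping address. On success *phys receives the
 * physical address of the table.
 */
static enum msix_check ex_check_msix_table(const struct ex_bar *bars,
                                           uint16_t msg_ctrl,
                                           uint32_t table_reg,
                                           uint64_t *phys)
{
    uint32_t bir    = table_reg & MSIX_TABLE_BIR;
    uint64_t offset = table_reg & MSIX_TABLE_OFFSET;
    uint64_t size   = ((uint64_t)(msg_ctrl & MSIX_FLAGS_QSIZE) + 1) * MSIX_ENTRY_SIZE;

    /* The 'bir' check: the 3-bit field can hold 6 and 7, which index no BAR. */
    if (bir >= EX_NUM_BARS)
        return MSIX_BAD_BIR;
    if (bars[bir].len == 0)
        return MSIX_BAR_UNSET;

    /* The offset check, in subtraction form so that offset + size cannot wrap. */
    if (offset > bars[bir].len || size > bars[bir].len - offset)
        return MSIX_TABLE_OUT_OF_BAR;

    *phys = bars[bir].start + offset;
    return MSIX_OK;
}

int main(void)
{
    /* Constructed register values: {Message Control, Table Offset/BIR}. */
    static const struct { uint16_t ctrl; uint32_t reg; } cases[] = {
        { 0x0007, 0x00002000 },  /* BAR0, offset 0x2000, 8 entries: valid     */
        { 0x0007, 0x00000007 },  /* BIR 7: no such BAR                        */
        { 0x0007, 0x00000001 },  /* BAR1: unassigned                          */
        { 0x0007, 0x00000FC2 },  /* BAR2, offset 0xFC0: table runs past 4 KiB */
        { 0x0007, 0x00000F82 },  /* BAR2, offset 0xF80: ends exactly at 4 KiB */
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint64_t phys = 0;
        enum msix_check rc = ex_check_msix_table(EX_SAMPLE_BARS, cases[i].ctrl,
                                                 cases[i].reg, &phys);
        printf("reg=0x%08x -> rc=%d phys=0x%llx\n", (unsigned)cases[i].reg,
               (int)rc, (unsigned long long)phys);
    }
    return 0;
}
```
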
-
Committed by Xiongfeng Wang
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4OG3O?from=project-issue
CVE: NA
------------------------------------
When I do some aer-inject and sysfs remove stress tests, I got the following use-after-free Calltrace:

==================================================================
BUG: KASAN: use-after-free in pci_stop_bus_device+0x174/0x178
Read of size 8 at addr fffffc3e2e402218 by task bash/26311

CPU: 38 PID: 26311 Comm: bash Tainted: G W 4.19.105+ #82
Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B161.01 06/10/2021
Call trace:
 dump_backtrace+0x0/0x360
 show_stack+0x24/0x30
 dump_stack+0x130/0x164
 print_address_description+0x68/0x278
 kasan_report+0x204/0x330
 __asan_report_load8_noabort+0x30/0x40
 pci_stop_bus_device+0x174/0x178
 pci_stop_and_remove_bus_device_locked+0x24/0x40
 remove_store+0x1c8/0x1e0
 dev_attr_store+0x60/0x80
 sysfs_kf_write+0x104/0x170
 kernfs_fop_write+0x23c/0x430
 __vfs_write+0xec/0x4e0
 vfs_write+0x12c/0x3d0
 ksys_write+0xe8/0x208
 __arm64_sys_write+0x70/0xa0
 el0_svc_common+0x10c/0x450
 el0_svc_handler+0x50/0xc0
 el0_svc+0x10/0x14

Allocated by task 684:
 kasan_kmalloc+0xe0/0x190
 kmem_cache_alloc_trace+0x110/0x240
 pci_alloc_dev+0x4c/0x110
 pci_scan_single_device+0x100/0x218
 pci_scan_slot+0x8c/0x2d8
 pci_scan_child_bus_extend+0x90/0x628
 pci_scan_child_bus+0x24/0x30
 pci_scan_bridge_extend+0x3b8/0xb28
 pci_scan_child_bus_extend+0x350/0x628
 pci_rescan_bus+0x24/0x48
 pcie_do_fatal_recovery+0x390/0x4b0
 handle_error_source+0x124/0x158
 aer_isr+0x5a0/0x800
 process_one_work+0x598/0x1250
 worker_thread+0x384/0xf08
 kthread+0x2a4/0x320
 ret_from_fork+0x10/0x18

Freed by task 685:
 __kasan_slab_free+0x120/0x228
 kasan_slab_free+0x10/0x18
 kfree+0x88/0x218
 pci_release_dev+0xb4/0xd8
 device_release+0x6c/0x1c0
 kobject_put+0x12c/0x400
 put_device+0x24/0x30
 pci_dev_put+0x24/0x30
 handle_error_source+0x12c/0x158
 aer_isr+0x5a0/0x800
 process_one_work+0x598/0x1250
 worker_thread+0x384/0xf08
 kthread+0x2a4/0x320
 ret_from_fork+0x10/0x18

The buggy address belongs to the object at fffffc3e2e402200
 which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 24 bytes inside of
 4096-byte region [fffffc3e2e402200, fffffc3e2e403200)
The buggy address belongs to the page:
page:ffff7ff0f8b90000 count:1 mapcount:0 mapping:ffffdc365f016e00 index:0x0 compound_mapcount: 0
flags: 0x6ffffe0000008100(slab|head)
raw: 6ffffe0000008100 ffff7f70d83aae00 0000000300000003 ffffdc365f016e00
raw: 0000000000000000 0000000080070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 fffffc3e2e402100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 fffffc3e2e402180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>fffffc3e2e402200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 fffffc3e2e402280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 fffffc3e2e402300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

It is caused by the following race condition:

CPU0                                        CPU1
remove_store()                              aer_isr()
  device_remove_file_self()                   handle_error_source()
  pci_stop_and_remove_bus_device_locked         pcie_do_fatal_recovery()
    (blocked)                                     pci_lock_rescan_remove()    #CPU1 acquire the lock
                                                  pci_stop_and_remove_bus_device()
                                                  pci_unlock_rescan_remove()  #CPU1 release the lock
    pci_lock_rescan_remove()  #CPU0 acquire the lock
                                                pci_dev_put()                 #free pci_dev
    pci_stop_and_remove_bus_device()
      pci_stop_bus_device()   #use-after-free
    pci_unlock_rescan_remove()

An AER interrupt is triggered on CPU1. CPU1 starts to process it. A work 'aer_isr()' is scheduled on CPU1. It calls into pcie_do_fatal_recovery() and acquires the lock 'pci_rescan_remove_lock'. Before it removes the sysfs corresponding to the error pci device, a sysfs remove operation is executed on CPU0. CPU0 uses device_remove_file_self() to remove the sysfs directory and waits for the lock to be released. After CPU1 finishes pci_stop_and_remove_bus_device(), it releases the lock and frees the 'pci_dev' in pci_dev_put(). CPU0 acquires the lock and accesses the 'pci_dev'. Then a use-after-free is triggered.

To fix this issue, we increase the reference count in remove_store() before removing the device and decrease the reference count in the end.
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
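The interleaving in the commit above can be replayed deterministically in user space to see why holding a reference across the blocked section closes the window. This is an added model, not kernel code and not part of the commit: `model_dev`, the starting count of two references (bus list plus AER handler) and all function names are assumptions, and "released" is a flag rather than a real free so the model itself stays memory-safe.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for struct pci_dev: only what the race needs. */
struct model_dev {
    int  refcount;   /* models the device reference count            */
    bool on_bus;     /* still linked into the bus device list        */
    bool released;   /* set where pci_release_dev() would kfree()    */
};

struct race_result {
    bool use_after_free;   /* CPU0 read the object after it was released */
    bool released_at_end;  /* the object had been released by the end    */
    int  final_refcount;
};

static void model_get(struct model_dev *d) { d->refcount++; }

static void model_put(struct model_dev *d)
{
    if (--d->refcount == 0)
        d->released = true;
}

/*
 * Models pci_stop_and_remove_bus_device(): reads the device, unlinks it and
 * drops the reference held by the bus list. Returns false when the object
 * had already been released at the time it was read.
 */
static bool model_stop_and_remove(struct model_dev *d)
{
    if (d->released)
        return false;
    if (d->on_bus) {
        d->on_bus = false;
        model_put(d);
    }
    return true;
}

/* Replays the CPU0/CPU1 interleaving from the commit message, step by step. */
static struct race_result simulate_remove_race(bool hold_ref_in_remove_store)
{
    /* Assumed starting state: one reference for the bus, one for the AER path. */
    struct model_dev dev = { .refcount = 2, .on_bus = true, .released = false };
    struct race_result r = { false, false, 0 };

    /* CPU0: remove_store() starts, then blocks on the rescan/remove lock. */
    if (hold_ref_in_remove_store)
        model_get(&dev);

    /* CPU1: pcie_do_fatal_recovery() holds the lock and removes the device. */
    model_stop_and_remove(&dev);
    /* CPU1: lock released; handle_error_source() calls pci_dev_put(). */
    model_put(&dev);

    /* CPU0: lock acquired; pci_stop_and_remove_bus_device() runs. */
    if (!model_stop_and_remove(&dev))
        r.use_after_free = true;

    /* CPU0: the fixed remove_store() drops its reference at the end. */
    if (hold_ref_in_remove_store)
        model_put(&dev);

    r.released_at_end = dev.released;
    r.final_refcount  = dev.refcount;
    return r;
}

int main(void)
{
    struct race_result before = simulate_remove_race(false);
    struct race_result after  = simulate_remove_race(true);

    printf("without reference: use_after_free=%d\n", before.use_after_free);
    printf("with reference:    use_after_free=%d released_at_end=%d refcount=%d\n",
           after.use_after_free, after.released_at_end, after.final_refcount);
    return 0;
}
```
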
-
Committed by Xiongfeng Wang
hulk inclusion
category: bugfix
bugzilla: 16100,20881,https://gitee.com/openeuler/kernel/issues/I4OG3O?from=project-issue
CVE: NA
-------------------------------------------------
When I run a stress test about pcie hotplug and removing operations by sysfs, I got a hung task, and the following call trace is printed.

INFO: task irq/746-pciehp:41551 blocked for more than 120 seconds.
      Tainted: P W OE 4.19.25-
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
irq/746-pciehp D 0 41551 2 0x00000228
Call trace:
 __switch_to+0x94/0xe8
 __schedule+0x270/0x8b0
 schedule+0x2c/0x88
 schedule_preempt_disabled+0x14/0x20
 __mutex_lock.isra.1+0x1fc/0x540
 __mutex_lock_slowpath+0x24/0x30
 mutex_lock+0x80/0xa8
 pci_lock_rescan_remove+0x20/0x28
 pciehp_configure_device+0x30/0x140
 pciehp_handle_presence_or_link_change+0x35c/0x4b0
 pciehp_ist+0x1cc/0x1d0
 irq_thread_fn+0x30/0x80
 irq_thread+0x128/0x200
 kthread+0x134/0x138
 ret_from_fork+0x10/0x18
INFO: task bash:6424 blocked for more than 120 seconds.
      Tainted: P W OE 4.19.25-
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
bash D 0 6424 2231 0x00000200
Call trace:
 __switch_to+0x94/0xe8
 __schedule+0x270/0x8b0
 schedule+0x2c/0x88
 schedule_timeout+0x224/0x448
 wait_for_common+0x198/0x2a0
 wait_for_completion+0x28/0x38
 kthread_stop+0x60/0x190
 __free_irq+0x1c0/0x348
 free_irq+0x40/0x88
 pcie_shutdown_notification+0x54/0x80
 pciehp_remove+0x30/0x50
 pcie_port_remove_service+0x3c/0x58
 device_release_driver_internal+0x1b4/0x250
 device_release_driver+0x28/0x38
 bus_remove_device+0xd4/0x160
 device_del+0x128/0x348
 device_unregister+0x24/0x78
 remove_iter+0x48/0x58
 device_for_each_child+0x6c/0xb8
 pcie_port_device_remove+0x2c/0x48
 pcie_portdrv_remove+0x5c/0x68
 pci_device_remove+0x48/0xd8
 device_release_driver_internal+0x1b4/0x250
 device_release_driver+0x28/0x38
 pci_stop_bus_device+0x84/0xb8
 pci_stop_and_remove_bus_device_locked+0x24/0x40
 remove_store+0xa4/0xb8
 dev_attr_store+0x44/0x60
 sysfs_kf_write+0x58/0x80
 kernfs_fop_write+0xe8/0x1f0
 __vfs_write+0x60/0x190
 vfs_write+0xac/0x1c0
 ksys_write+0x6c/0xd8
 __arm64_sys_write+0x24/0x30
 el0_svc_common+0xa0/0x180
 el0_svc_handler+0x38/0x78
 el0_svc+0x8/0xc

When we remove a slot by sysfs, 'pci_stop_and_remove_bus_device_locked()' will be called. This function will get the global mutex lock 'pci_rescan_remove_lock', and remove the slot. If the irq thread 'pciehp_ist' is still running, we will wait until it exits.

If a pciehp interrupt happens immediately after we remove the slot by sysfs, but before we free the pciehp irq in 'pci_stop_and_remove_bus_device_locked()', 'pciehp_ist' will hang because the global mutex lock 'pci_rescan_remove_lock' is held by the sysfs operation. But the sysfs operation is waiting for the pciehp irq thread 'pciehp_ist' to end. Then a hung task occurs.

So these two kinds of operation, removing through attention button and removing through /sys/devices/pci***/remove, should not be executed at the same time. This patch adds a global variable to mark that one of these operations is under processing. When this variable is set, if another operation is requested, it will be rejected.

We use a global variable 'slot_being_removed_rescaned' to mark whether a slot is being removed or rescanned. This will cause a slot hotplug operation to be delayed if another slot is being removed or rescanned. But if these two slots are under different root ports, they should not influence each other. This patch makes the flag 'slot_being_removed_rescanned' per root port so that one slot hotplug operation doesn't influence slots below another root port.

We record the root port in struct pci_dev when the pci device is initialized and added into the system instead of using 'pcie_find_root_port()' to find the root port when we need it. Because iterating the pci tree needs the protection of 'pci_lock_rescan_remove()'. This will make the problem more complex because the lock is very coarse-grained. We don't need to worry about 'use-after-free' because child pci devices are always removed before the root port device is removed.
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Yuan Can
ascend inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4K2U5
CVE: NA
-------------------------------------------------------
Add suspend and resume support for smmuv3. The smmu is stopped when suspending and started when resuming.
Signed-off-by: Yuan Can <yuancan@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Xunlei Pang
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4OF4N
------------------------------------------
task_css() should be protected by rcu. In my environment if not protected by rcu qemu may fail to start.
Fixes: a885e3f9 ("psi: support psi under cgroup v1")
Reported-by: Yang Yingliang <yangyingliang@huawei.com>
Acked-by: Michael Wang <yun.wany@linux.alibaba.com>
Signed-off-by: Xunlei Pang <xlpang@linux.alibaba.com>
Signed-off-by: Yihao Wu <wuyihao@linux.alibaba.com>
Acked-by: Yang Shi <yang.shi@linux.alibaba.com>
Signed-off-by: Chen Wandun <chenwandun@huawei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Joseph Qi
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4OF4N
------------------------------------------
Fix the build error if CONFIG_CGROUP_CPUACCT is not enabled.
Fixes: a885e3f9 ("psi: support psi under cgroup v1")
Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Xunlei Pang <xlpang@linux.alibaba.com>
Signed-off-by: Chen Wandun <chenwandun@huawei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-