6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 24 Jun 2023 14:12:01 +0000 (16:12 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 24 Jun 2023 14:12:01 +0000 (16:12 +0200)
added patches:
arm64-dts-rockchip-fix-rk356x-pcie-register-and-range-mappings.patch
io_uring-poll-serialize-poll-linked-timer-start-with-poll-removal.patch
nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch

queue-6.1/arm64-dts-rockchip-fix-rk356x-pcie-register-and-range-mappings.patch [new file with mode: 0644]
queue-6.1/io_uring-poll-serialize-poll-linked-timer-start-with-poll-removal.patch [new file with mode: 0644]
queue-6.1/nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/arm64-dts-rockchip-fix-rk356x-pcie-register-and-range-mappings.patch b/queue-6.1/arm64-dts-rockchip-fix-rk356x-pcie-register-and-range-mappings.patch
new file mode 100644 (file)
index 0000000..dccd7f5
--- /dev/null
@@ -0,0 +1,82 @@
+From 568a67e742dfa90b19a23305317164c5c350b71e Mon Sep 17 00:00:00 2001
+From: Andrew Powers-Holmes <aholmes@omnom.net>
+Date: Thu, 1 Jun 2023 15:25:16 +0200
+Subject: arm64: dts: rockchip: Fix rk356x PCIe register and range mappings
+
+From: Andrew Powers-Holmes <aholmes@omnom.net>
+
+commit 568a67e742dfa90b19a23305317164c5c350b71e upstream.
+
+The register and range mappings for the PCIe controller in Rockchip's
+RK356x SoCs are incorrect. Replace them with corrected values from the
+vendor BSP sources, updated to match current DT schema.
+
+These values are also used in u-boot.
+
+Fixes: 66b51ea7d70f ("arm64: dts: rockchip: Add rk3568 PCIe2x1 controller")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Powers-Holmes <aholmes@omnom.net>
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Signed-off-by: Nicolas Frattaroli <frattaroli.nicolas@gmail.com>
+Tested-by: Diederik de Haas <didi.debian@cknow.org>
+Link: https://lore.kernel.org/r/20230601132516.153934-1-frattaroli.nicolas@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3568.dtsi |   14 ++++++++------
+ arch/arm64/boot/dts/rockchip/rk356x.dtsi |    7 ++++---
+ 2 files changed, 12 insertions(+), 9 deletions(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3568.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3568.dtsi
+@@ -94,9 +94,10 @@
+               power-domains = <&power RK3568_PD_PIPE>;
+               reg = <0x3 0xc0400000 0x0 0x00400000>,
+                     <0x0 0xfe270000 0x0 0x00010000>,
+-                    <0x3 0x7f000000 0x0 0x01000000>;
+-              ranges = <0x01000000 0x0 0x3ef00000 0x3 0x7ef00000 0x0 0x00100000>,
+-                       <0x02000000 0x0 0x00000000 0x3 0x40000000 0x0 0x3ef00000>;
++                    <0x0 0xf2000000 0x0 0x00100000>;
++              ranges = <0x01000000 0x0 0xf2100000 0x0 0xf2100000 0x0 0x00100000>,
++                       <0x02000000 0x0 0xf2200000 0x0 0xf2200000 0x0 0x01e00000>,
++                       <0x03000000 0x0 0x40000000 0x3 0x40000000 0x0 0x40000000>;
+               reg-names = "dbi", "apb", "config";
+               resets = <&cru SRST_PCIE30X1_POWERUP>;
+               reset-names = "pipe";
+@@ -146,9 +147,10 @@
+               power-domains = <&power RK3568_PD_PIPE>;
+               reg = <0x3 0xc0800000 0x0 0x00400000>,
+                     <0x0 0xfe280000 0x0 0x00010000>,
+-                    <0x3 0xbf000000 0x0 0x01000000>;
+-              ranges = <0x01000000 0x0 0x3ef00000 0x3 0xbef00000 0x0 0x00100000>,
+-                       <0x02000000 0x0 0x00000000 0x3 0x80000000 0x0 0x3ef00000>;
++                    <0x0 0xf0000000 0x0 0x00100000>;
++              ranges = <0x01000000 0x0 0xf0100000 0x0 0xf0100000 0x0 0x00100000>,
++                       <0x02000000 0x0 0xf0200000 0x0 0xf0200000 0x0 0x01e00000>,
++                       <0x03000000 0x0 0x40000000 0x3 0x80000000 0x0 0x40000000>;
+               reg-names = "dbi", "apb", "config";
+               resets = <&cru SRST_PCIE30X2_POWERUP>;
+               reset-names = "pipe";
+--- a/arch/arm64/boot/dts/rockchip/rk356x.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk356x.dtsi
+@@ -951,7 +951,7 @@
+               compatible = "rockchip,rk3568-pcie";
+               reg = <0x3 0xc0000000 0x0 0x00400000>,
+                     <0x0 0xfe260000 0x0 0x00010000>,
+-                    <0x3 0x3f000000 0x0 0x01000000>;
++                    <0x0 0xf4000000 0x0 0x00100000>;
+               reg-names = "dbi", "apb", "config";
+               interrupts = <GIC_SPI 75 IRQ_TYPE_LEVEL_HIGH>,
+                            <GIC_SPI 74 IRQ_TYPE_LEVEL_HIGH>,
+@@ -981,8 +981,9 @@
+               phys = <&combphy2 PHY_TYPE_PCIE>;
+               phy-names = "pcie-phy";
+               power-domains = <&power RK3568_PD_PIPE>;
+-              ranges = <0x01000000 0x0 0x3ef00000 0x3 0x3ef00000 0x0 0x00100000
+-                        0x02000000 0x0 0x00000000 0x3 0x00000000 0x0 0x3ef00000>;
++              ranges = <0x01000000 0x0 0xf4100000 0x0 0xf4100000 0x0 0x00100000>,
++                       <0x02000000 0x0 0xf4200000 0x0 0xf4200000 0x0 0x01e00000>,
++                       <0x03000000 0x0 0x40000000 0x3 0x00000000 0x0 0x40000000>;
+               resets = <&cru SRST_PCIE20_POWERUP>;
+               reset-names = "pipe";
+               #address-cells = <3>;
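Review bot: The new three-entry `ranges` properties carry no comment explaining how each window is split, which makes the values hard to audit against the "config" entry in `reg`. In rk356x.dtsi the visible numbers carve a 32 MiB region at 0xf4000000 into 1 MiB config, 1 MiB I/O (0x01000000) and 30 MiB 32-bit memory (0x02000000), with a separate 1 GiB 64-bit memory window (0x03000000) at CPU address 0x3_00000000. A one-line comment above each `ranges`, such as `/* 1 MiB I/O + 30 MiB MEM32 after the 1 MiB config space; 1 GiB MEM64 at 0x3_0000_0000 */`, would let a reviewer rule out overlap with the config region at a glance. The same applies to the two nodes in rk3568.dtsi (bases 0xf2000000 and 0xf0000000); all three nodes start and end outside the hunks.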
diff --git a/queue-6.1/io_uring-poll-serialize-poll-linked-timer-start-with-poll-removal.patch b/queue-6.1/io_uring-poll-serialize-poll-linked-timer-start-with-poll-removal.patch
new file mode 100644 (file)
index 0000000..1b2311d
--- /dev/null
@@ -0,0 +1,71 @@
+From 43721de4aa349adcf785e00ceecddcc4a70ac9f2 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Sat, 17 Jun 2023 19:50:24 -0600
+Subject: io_uring/poll: serialize poll linked timer start with poll removal
+
+From: Jens Axboe <axboe@kernel.dk>
+
+Commit ef7dfac51d8ed961b742218f526bd589f3900a59 upstream.
+
+We selectively grab the ctx->uring_lock for poll update/removal, but
+we really should grab it from the start to fully synchronize with
+linked timeouts. Normally this is indeed the case, but if requests
+are forced async by the application, we don't fully cover removal
+and timer disarm within the uring_lock.
+
+Make this simpler by having consistent locking state for poll removal.
+
+Cc: stable@vger.kernel.org # 6.1+
+Reported-by: Querijn Voet <querijnqyn@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/poll.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -993,8 +993,9 @@ int io_poll_remove(struct io_kiocb *req,
+       struct io_hash_bucket *bucket;
+       struct io_kiocb *preq;
+       int ret2, ret = 0;
+-      bool locked;
++      bool locked = true;
++      io_ring_submit_lock(ctx, issue_flags);
+       preq = io_poll_find(ctx, true, &cd, &ctx->cancel_table, &bucket);
+       ret2 = io_poll_disarm(preq);
+       if (bucket)
+@@ -1006,12 +1007,10 @@ int io_poll_remove(struct io_kiocb *req,
+               goto out;
+       }
+-      io_ring_submit_lock(ctx, issue_flags);
+       preq = io_poll_find(ctx, true, &cd, &ctx->cancel_table_locked, &bucket);
+       ret2 = io_poll_disarm(preq);
+       if (bucket)
+               spin_unlock(&bucket->lock);
+-      io_ring_submit_unlock(ctx, issue_flags);
+       if (ret2) {
+               ret = ret2;
+               goto out;
+@@ -1035,7 +1034,7 @@ found:
+               if (poll_update->update_user_data)
+                       preq->cqe.user_data = poll_update->new_user_data;
+-              ret2 = io_poll_add(preq, issue_flags);
++              ret2 = io_poll_add(preq, issue_flags & ~IO_URING_F_UNLOCKED);
+               /* successfully updated, don't complete poll request */
+               if (!ret2 || ret2 == -EIOCBQUEUED)
+                       goto out;
+@@ -1043,9 +1042,9 @@ found:
+       req_set_fail(preq);
+       io_req_set_res(preq, -ECANCELED, 0);
+-      locked = !(issue_flags & IO_URING_F_UNLOCKED);
+       io_req_task_complete(preq, &locked);
+ out:
++      io_ring_submit_unlock(ctx, issue_flags);
+       if (ret < 0) {
+               req_set_fail(req);
+               return ret;
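Review bot: `bool locked = true;` is correct only while `io_ring_submit_lock()` stays at the top and every path reaches `out:` before returning, and nothing in the new code states that invariant. Presumably `locked` tells `io_req_task_complete()` that `ctx->uring_lock` is held, so a later early return or a moved lock call would mean completing without the lock, or leaking it. I would add `lockdep_assert_held(&ctx->uring_lock);` just before `io_req_task_complete(preq, &locked);`. If holding the lock is the reason for the mask, I would also add a why-comment above `io_poll_add(preq, issue_flags & ~IO_URING_F_UNLOCKED)`, e.g. `/* uring_lock is already held here; clear UNLOCKED so the re-arm does not try to take it */`. io_poll_remove() starts and ends outside the hunks shown, so the return paths between the lock and `out:` cannot be checked from here.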
diff --git a/queue-6.1/nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch b/queue-6.1/nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch
new file mode 100644 (file)
index 0000000..a492ac8
--- /dev/null
@@ -0,0 +1,56 @@
+From 782e53d0c14420858dbf0f8f797973c150d3b6d7 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Mon, 12 Jun 2023 11:14:56 +0900
+Subject: nilfs2: prevent general protection fault in nilfs_clear_dirty_page()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 782e53d0c14420858dbf0f8f797973c150d3b6d7 upstream.
+
+In a syzbot stress test that deliberately causes file system errors on
+nilfs2 with a corrupted disk image, it has been reported that
+nilfs_clear_dirty_page() called from nilfs_clear_dirty_pages() can cause a
+general protection fault.
+
+In nilfs_clear_dirty_pages(), when looking up dirty pages from the page
+cache and calling nilfs_clear_dirty_page() for each dirty page/folio
+retrieved, the back reference from the argument page to "mapping" may have
+been changed to NULL (and possibly others).  It is necessary to check this
+after locking the page/folio.
+
+So, fix this issue by not calling nilfs_clear_dirty_page() on a page/folio
+after locking it in nilfs_clear_dirty_pages() if the back reference
+"mapping" from the page/folio is different from the "mapping" that held
+the page/folio just before.
+
+Link: https://lkml.kernel.org/r/20230612021456.3682-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+53369d11851d8f26735c@syzkaller.appspotmail.com
+Closes: https://lkml.kernel.org/r/000000000000da4f6b05eb9bf593@google.com
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/page.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/page.c
++++ b/fs/nilfs2/page.c
+@@ -369,7 +369,15 @@ void nilfs_clear_dirty_pages(struct addr
+                       struct page *page = pvec.pages[i];
+                       lock_page(page);
+-                      nilfs_clear_dirty_page(page, silent);
++
++                      /*
++                       * This page may have been removed from the address
++                       * space by truncation or invalidation when the lock
++                       * was acquired.  Skip processing in that case.
++                       */
++                      if (likely(page->mapping == mapping))
++                              nilfs_clear_dirty_page(page, silent);
++
+                       unlock_page(page);
+               }
+               pagevec_release(&pvec);
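Review bot: The re-validation `if (likely(page->mapping == mapping))` is added only in this loop of nilfs_clear_dirty_pages(). Any other loop in fs/nilfs2/page.c that looks pages up and then calls `lock_page()` before using them would have the same window; none is visible here, so that is worth confirming. The new comment also reads as if the removal happens at lock time; `by the time the lock was acquired` would describe the race more accurately. The function body starts and ends outside the hunk.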
index 60de73c9f91c7c77034296ff02c8b8241ee58dc1..d0be1693a1dbe3cc047a05f23731104c0b47d868 100644 (file)
@@ -72,3 +72,6 @@ wifi-iwlwifi-pcie-handle-so-f-device-for-pci-id-0x7af0.patch
 spi-spi-geni-qcom-correctly-handle-eprobe_defer-from.patch
 regulator-pca9450-fix-ldo3out-and-ldo4out-mask.patch
 regmap-spi-avmm-fix-regmap_bus-max_raw_write.patch
+arm64-dts-rockchip-fix-rk356x-pcie-register-and-range-mappings.patch
+io_uring-poll-serialize-poll-linked-timer-start-with-poll-removal.patch
+nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch