]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Sun, 19 Mar 2023 22:25:14 +0000 (18:25 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 19 Mar 2023 22:25:14 +0000 (18:25 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
12 files changed:
queue-4.19/drm-amdkfd-fix-an-illegal-memory-access.patch [new file with mode: 0644]
queue-4.19/ext4-fail-ext4_iget-if-special-inode-unallocated.patch [new file with mode: 0644]
queue-4.19/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch [new file with mode: 0644]
queue-4.19/hwmon-adt7475-display-smoothing-attributes-in-correc.patch [new file with mode: 0644]
queue-4.19/hwmon-adt7475-fix-masking-of-hysteresis-registers.patch [new file with mode: 0644]
queue-4.19/hwmon-xgene-fix-use-after-free-bug-in-xgene_hwmon_re.patch [new file with mode: 0644]
queue-4.19/jffs2-correct-logic-when-creating-a-hole-in-jffs2_wr.patch [new file with mode: 0644]
queue-4.19/media-m5mols-fix-off-by-one-loop-termination-error.patch [new file with mode: 0644]
queue-4.19/mmc-atmel-mci-fix-race-between-stop-command-and-star.patch [new file with mode: 0644]
queue-4.19/rust-arch-um-disable-fp-simd-instruction-to-match-x8.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/sh-intc-avoid-spurious-sizeof-pointer-div-warning.patch [new file with mode: 0644]

diff --git a/queue-4.19/drm-amdkfd-fix-an-illegal-memory-access.patch b/queue-4.19/drm-amdkfd-fix-an-illegal-memory-access.patch
new file mode 100644 (file)
index 0000000..43fa86f
--- /dev/null
@@ -0,0 +1,82 @@
+From aca107507ab38ac43560e4e41952e350159becfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Feb 2023 11:35:16 +0000
+Subject: drm/amdkfd: Fix an illegal memory access
+
+From: Qu Huang <qu.huang@linux.dev>
+
+[ Upstream commit 4fc8fff378b2f2039f2a666d9f8c570f4e58352c ]
+
+In the kfd_wait_on_events() function, the kfd_event_waiter structure is
+allocated by alloc_event_waiters(), but the event field of the waiter
+structure is not initialized; When copy_from_user() fails in the
+kfd_wait_on_events() function, it will enter exception handling to
+release the previously allocated memory of the waiter structure;
+Due to the event field of the waiters structure being accessed
+in the free_waiters() function, this results in illegal memory access
+and system crash, here is the crash log:
+
+localhost kernel: RIP: 0010:native_queued_spin_lock_slowpath+0x185/0x1e0
+localhost kernel: RSP: 0018:ffffaa53c362bd60 EFLAGS: 00010082
+localhost kernel: RAX: ff3d3d6bff4007cb RBX: 0000000000000282 RCX: 00000000002c0000
+localhost kernel: RDX: ffff9e855eeacb80 RSI: 000000000000279c RDI: ffffe7088f6a21d0
+localhost kernel: RBP: ffffe7088f6a21d0 R08: 00000000002c0000 R09: ffffaa53c362be64
+localhost kernel: R10: ffffaa53c362bbd8 R11: 0000000000000001 R12: 0000000000000002
+localhost kernel: R13: ffff9e7ead15d600 R14: 0000000000000000 R15: ffff9e7ead15d698
+localhost kernel: FS:  0000152a3d111700(0000) GS:ffff9e855ee80000(0000) knlGS:0000000000000000
+localhost kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+localhost kernel: CR2: 0000152938000010 CR3: 000000044d7a4000 CR4: 00000000003506e0
+localhost kernel: Call Trace:
+localhost kernel: _raw_spin_lock_irqsave+0x30/0x40
+localhost kernel: remove_wait_queue+0x12/0x50
+localhost kernel: kfd_wait_on_events+0x1b6/0x490 [hydcu]
+localhost kernel: ? ftrace_graph_caller+0xa0/0xa0
+localhost kernel: kfd_ioctl+0x38c/0x4a0 [hydcu]
+localhost kernel: ? kfd_ioctl_set_trap_handler+0x70/0x70 [hydcu]
+localhost kernel: ? kfd_ioctl_create_queue+0x5a0/0x5a0 [hydcu]
+localhost kernel: ? ftrace_graph_caller+0xa0/0xa0
+localhost kernel: __x64_sys_ioctl+0x8e/0xd0
+localhost kernel: ? syscall_trace_enter.isra.18+0x143/0x1b0
+localhost kernel: do_syscall_64+0x33/0x80
+localhost kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
+localhost kernel: RIP: 0033:0x152a4dff68d7
+
+Allocate the structure with kcalloc, and remove redundant 0-initialization
+and a redundant loop condition check.
+
+Signed-off-by: Qu Huang <qu.huang@linux.dev>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_events.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
+index 892077377339a..8f23192b67095 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
+@@ -529,16 +529,13 @@ static struct kfd_event_waiter *alloc_event_waiters(uint32_t num_events)
+       struct kfd_event_waiter *event_waiters;
+       uint32_t i;
+-      event_waiters = kmalloc_array(num_events,
+-                                      sizeof(struct kfd_event_waiter),
+-                                      GFP_KERNEL);
++      event_waiters = kcalloc(num_events, sizeof(struct kfd_event_waiter),
++                              GFP_KERNEL);
+       if (!event_waiters)
+               return NULL;
+-      for (i = 0; (event_waiters) && (i < num_events) ; i++) {
++      for (i = 0; i < num_events; i++)
+               init_wait(&event_waiters[i].wait);
+-              event_waiters[i].activated = false;
+-      }
+       return event_waiters;
+ }
+-- 
+2.39.2
+
diff --git a/queue-4.19/ext4-fail-ext4_iget-if-special-inode-unallocated.patch b/queue-4.19/ext4-fail-ext4_iget-if-special-inode-unallocated.patch
new file mode 100644 (file)
index 0000000..6fe8f42
--- /dev/null
@@ -0,0 +1,76 @@
+From c938861db47b05752b219339cc43cda764e5bf92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Jan 2023 11:21:25 +0800
+Subject: ext4: fail ext4_iget if special inode unallocated
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 5cd740287ae5e3f9d1c46f5bfe8778972fd6d3fe ]
+
+In ext4_fill_super(), EXT4_ORPHAN_FS flag is cleared after
+ext4_orphan_cleanup() is executed. Therefore, when __ext4_iget() is
+called to get an inode whose i_nlink is 0 when the flag exists, no error
+is returned. If the inode is a special inode, a null pointer dereference
+may occur. If the value of i_nlink is 0 for any inodes (except boot loader
+inodes) got by using the EXT4_IGET_SPECIAL flag, the current file system
+is corrupted. Therefore, make the ext4_iget() function return an error if
+it gets such an abnormal special inode.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199179
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216541
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216539
+Reported-by: Luís Henriques <lhenriques@suse.de>
+Suggested-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230107032126.4165860-2-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inode.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 6e7989b04d2bf..e844d91c461b0 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4947,13 +4947,6 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
+               goto bad_inode;
+       raw_inode = ext4_raw_inode(&iloc);
+-      if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
+-              ext4_error_inode(inode, function, line, 0,
+-                               "iget: root inode unallocated");
+-              ret = -EFSCORRUPTED;
+-              goto bad_inode;
+-      }
+-
+       if ((flags & EXT4_IGET_HANDLE) &&
+           (raw_inode->i_links_count == 0) && (raw_inode->i_mode == 0)) {
+               ret = -ESTALE;
+@@ -5024,11 +5017,16 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
+        * NeilBrown 1999oct15
+        */
+       if (inode->i_nlink == 0) {
+-              if ((inode->i_mode == 0 ||
++              if ((inode->i_mode == 0 || flags & EXT4_IGET_SPECIAL ||
+                    !(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ORPHAN_FS)) &&
+                   ino != EXT4_BOOT_LOADER_INO) {
+-                      /* this inode is deleted */
+-                      ret = -ESTALE;
++                      /* this inode is deleted or unallocated */
++                      if (flags & EXT4_IGET_SPECIAL) {
++                              ext4_error_inode(inode, function, line, 0,
++                                               "iget: special inode unallocated");
++                              ret = -EFSCORRUPTED;
++                      } else
++                              ret = -ESTALE;
+                       goto bad_inode;
+               }
+               /* The only unlinked inodes we let through here have
+-- 
+2.39.2
+
diff --git a/queue-4.19/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch b/queue-4.19/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch
new file mode 100644 (file)
index 0000000..42e0f86
--- /dev/null
@@ -0,0 +1,97 @@
+From 2a65328d2d133a006abe31cfea4b360194edf92c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jan 2023 21:34:36 +0800
+Subject: ext4: fix task hung in ext4_xattr_delete_inode
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 0f7bfd6f8164be32dbbdf36aa1e5d00485c53cd7 ]
+
+Syzbot reported a hung task problem:
+==================================================================
+INFO: task syz-executor232:5073 blocked for more than 143 seconds.
+      Not tainted 6.2.0-rc2-syzkaller-00024-g512dee0c00ad #0
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+task:syz-exec232 state:D stack:21024 pid:5073 ppid:5072 flags:0x00004004
+Call Trace:
+ <TASK>
+ context_switch kernel/sched/core.c:5244 [inline]
+ __schedule+0x995/0xe20 kernel/sched/core.c:6555
+ schedule+0xcb/0x190 kernel/sched/core.c:6631
+ __wait_on_freeing_inode fs/inode.c:2196 [inline]
+ find_inode_fast+0x35a/0x4c0 fs/inode.c:950
+ iget_locked+0xb1/0x830 fs/inode.c:1273
+ __ext4_iget+0x22e/0x3ed0 fs/ext4/inode.c:4861
+ ext4_xattr_inode_iget+0x68/0x4e0 fs/ext4/xattr.c:389
+ ext4_xattr_inode_dec_ref_all+0x1a7/0xe50 fs/ext4/xattr.c:1148
+ ext4_xattr_delete_inode+0xb04/0xcd0 fs/ext4/xattr.c:2880
+ ext4_evict_inode+0xd7c/0x10b0 fs/ext4/inode.c:296
+ evict+0x2a4/0x620 fs/inode.c:664
+ ext4_orphan_cleanup+0xb60/0x1340 fs/ext4/orphan.c:474
+ __ext4_fill_super fs/ext4/super.c:5516 [inline]
+ ext4_fill_super+0x81cd/0x8700 fs/ext4/super.c:5644
+ get_tree_bdev+0x400/0x620 fs/super.c:1282
+ vfs_get_tree+0x88/0x270 fs/super.c:1489
+ do_new_mount+0x289/0xad0 fs/namespace.c:3145
+ do_mount fs/namespace.c:3488 [inline]
+ __do_sys_mount fs/namespace.c:3697 [inline]
+ __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7fa5406fd5ea
+RSP: 002b:00007ffc7232f968 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fa5406fd5ea
+RDX: 0000000020000440 RSI: 0000000020000000 RDI: 00007ffc7232f970
+RBP: 00007ffc7232f970 R08: 00007ffc7232f9b0 R09: 0000000000000432
+R10: 0000000000804a03 R11: 0000000000000202 R12: 0000000000000004
+R13: 0000555556a7a2c0 R14: 00007ffc7232f9b0 R15: 0000000000000000
+ </TASK>
+==================================================================
+
+The problem is that the inode contains an xattr entry with ea_inum of 15
+when cleaning up an orphan inode <15>. When evict inode <15>, the reference
+counting of the corresponding EA inode is decreased. When EA inode <15> is
+found by find_inode_fast() in __ext4_iget(), it is found that the EA inode
+holds the I_FREEING flag and waits for the EA inode to complete deletion.
+As a result, when inode <15> is being deleted, we wait for inode <15> to
+complete the deletion, resulting in an infinite loop and triggering Hung
+Task. To solve this problem, we only need to check whether the ino of EA
+inode and parent is the same before getting EA inode.
+
+Link: https://syzkaller.appspot.com/bug?extid=77d6fcc37bbb92f26048
+Reported-by: syzbot+77d6fcc37bbb92f26048@syzkaller.appspotmail.com
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230110133436.996350-1-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/xattr.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index 2a70b7556e419..a91b02091b160 100644
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -384,6 +384,17 @@ static int ext4_xattr_inode_iget(struct inode *parent, unsigned long ea_ino,
+       struct inode *inode;
+       int err;
++      /*
++       * We have to check for this corruption early as otherwise
++       * iget_locked() could wait indefinitely for the state of our
++       * parent inode.
++       */
++      if (parent->i_ino == ea_ino) {
++              ext4_error(parent->i_sb,
++                         "Parent and EA inode have the same ino %lu", ea_ino);
++              return -EFSCORRUPTED;
++      }
++
+       inode = ext4_iget(parent->i_sb, ea_ino, EXT4_IGET_NORMAL);
+       if (IS_ERR(inode)) {
+               err = PTR_ERR(inode);
+-- 
+2.39.2
+
diff --git a/queue-4.19/hwmon-adt7475-display-smoothing-attributes-in-correc.patch b/queue-4.19/hwmon-adt7475-display-smoothing-attributes-in-correc.patch
new file mode 100644 (file)
index 0000000..f00a360
--- /dev/null
@@ -0,0 +1,44 @@
+From faf63df2260532b44ee290fcf49dc65c747cec7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Feb 2023 13:52:27 +1300
+Subject: hwmon: (adt7475) Display smoothing attributes in correct order
+
+From: Tony O'Brien <tony.obrien@alliedtelesis.co.nz>
+
+[ Upstream commit 5f8d1e3b6f9b5971f9c06d5846ce00c49e3a8d94 ]
+
+Throughout the ADT7475 driver, attributes relating to the temperature
+sensors are displayed in the order Remote 1, Local, Remote 2.  Make
+temp_st_show() conform to this expectation so that values set by
+temp_st_store() can be displayed using the correct attribute.
+
+Fixes: 8f05bcc33e74 ("hwmon: (adt7475) temperature smoothing")
+Signed-off-by: Tony O'Brien <tony.obrien@alliedtelesis.co.nz>
+Link: https://lore.kernel.org/r/20230222005228.158661-2-tony.obrien@alliedtelesis.co.nz
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/adt7475.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/adt7475.c b/drivers/hwmon/adt7475.c
+index 0a87c5b512862..bde5fe10a95a5 100644
+--- a/drivers/hwmon/adt7475.c
++++ b/drivers/hwmon/adt7475.c
+@@ -554,11 +554,11 @@ static ssize_t show_temp_st(struct device *dev, struct device_attribute *attr,
+               val = data->enh_acoustics[0] & 0xf;
+               break;
+       case 1:
+-              val = (data->enh_acoustics[1] >> 4) & 0xf;
++              val = data->enh_acoustics[1] & 0xf;
+               break;
+       case 2:
+       default:
+-              val = data->enh_acoustics[1] & 0xf;
++              val = (data->enh_acoustics[1] >> 4) & 0xf;
+               break;
+       }
+-- 
+2.39.2
+
diff --git a/queue-4.19/hwmon-adt7475-fix-masking-of-hysteresis-registers.patch b/queue-4.19/hwmon-adt7475-fix-masking-of-hysteresis-registers.patch
new file mode 100644 (file)
index 0000000..8340ced
--- /dev/null
@@ -0,0 +1,42 @@
+From f1b880f2f815c935b1e8059e243457d8416bd584 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Feb 2023 13:52:28 +1300
+Subject: hwmon: (adt7475) Fix masking of hysteresis registers
+
+From: Tony O'Brien <tony.obrien@alliedtelesis.co.nz>
+
+[ Upstream commit 48e8186870d9d0902e712d601ccb7098cb220688 ]
+
+The wrong bits are masked in the hysteresis register; indices 0 and 2
+should zero bits [7:4] and preserve bits [3:0], and index 1 should zero
+bits [3:0] and preserve bits [7:4].
+
+Fixes: 1c301fc5394f ("hwmon: Add a driver for the ADT7475 hardware monitoring chip")
+Signed-off-by: Tony O'Brien <tony.obrien@alliedtelesis.co.nz>
+Link: https://lore.kernel.org/r/20230222005228.158661-3-tony.obrien@alliedtelesis.co.nz
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/adt7475.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/adt7475.c b/drivers/hwmon/adt7475.c
+index bde5fe10a95a5..2db2665dcd4dc 100644
+--- a/drivers/hwmon/adt7475.c
++++ b/drivers/hwmon/adt7475.c
+@@ -485,10 +485,10 @@ static ssize_t set_temp(struct device *dev, struct device_attribute *attr,
+               val = (temp - val) / 1000;
+               if (sattr->index != 1) {
+-                      data->temp[HYSTERSIS][sattr->index] &= 0xF0;
++                      data->temp[HYSTERSIS][sattr->index] &= 0x0F;
+                       data->temp[HYSTERSIS][sattr->index] |= (val & 0xF) << 4;
+               } else {
+-                      data->temp[HYSTERSIS][sattr->index] &= 0x0F;
++                      data->temp[HYSTERSIS][sattr->index] &= 0xF0;
+                       data->temp[HYSTERSIS][sattr->index] |= (val & 0xF);
+               }
+-- 
+2.39.2
+
diff --git a/queue-4.19/hwmon-xgene-fix-use-after-free-bug-in-xgene_hwmon_re.patch b/queue-4.19/hwmon-xgene-fix-use-after-free-bug-in-xgene_hwmon_re.patch
new file mode 100644 (file)
index 0000000..bdfc63a
--- /dev/null
@@ -0,0 +1,52 @@
+From 42801d24a5887f28105db4eec1be86b30b2f9908 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Mar 2023 16:40:07 +0800
+Subject: hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to
+ race condition
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit cb090e64cf25602b9adaf32d5dfc9c8bec493cd1 ]
+
+In xgene_hwmon_probe, &ctx->workq is bound with xgene_hwmon_evt_work.
+Then it will be started.
+
+If we remove the driver which will call xgene_hwmon_remove to clean up,
+there may be unfinished work.
+
+The possible sequence is as follows:
+
+Fix it by finishing the work before cleanup in xgene_hwmon_remove.
+
+CPU0                  CPU1
+
+                    |xgene_hwmon_evt_work
+xgene_hwmon_remove   |
+kfifo_free(&ctx->async_msg_fifo);|
+                    |
+                    |kfifo_out_spinlocked
+                    |//use &ctx->async_msg_fifo
+Fixes: 2ca492e22cb7 ("hwmon: (xgene) Fix crash when alarm occurs before driver probe")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Link: https://lore.kernel.org/r/20230310084007.1403388-1-zyytlz.wz@163.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/xgene-hwmon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/xgene-hwmon.c b/drivers/hwmon/xgene-hwmon.c
+index a3cd91f232679..2dd19a4203052 100644
+--- a/drivers/hwmon/xgene-hwmon.c
++++ b/drivers/hwmon/xgene-hwmon.c
+@@ -780,6 +780,7 @@ static int xgene_hwmon_remove(struct platform_device *pdev)
+ {
+       struct xgene_hwmon_dev *ctx = platform_get_drvdata(pdev);
++      cancel_work_sync(&ctx->workq);
+       hwmon_device_unregister(ctx->hwmon_dev);
+       kfifo_free(&ctx->async_msg_fifo);
+       if (acpi_disabled)
+-- 
+2.39.2
+
diff --git a/queue-4.19/jffs2-correct-logic-when-creating-a-hole-in-jffs2_wr.patch b/queue-4.19/jffs2-correct-logic-when-creating-a-hole-in-jffs2_wr.patch
new file mode 100644 (file)
index 0000000..d938ba5
--- /dev/null
@@ -0,0 +1,115 @@
+From d2f4d79ba36b69e7dd26468dc82299e6dfa92a18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 15:53:12 +0000
+Subject: jffs2: correct logic when creating a hole in jffs2_write_begin
+
+From: Yifei Liu <yifeliu@cs.stonybrook.edu>
+
+[ Upstream commit 23892d383bee15b64f5463bd7195615734bb2415 ]
+
+Bug description and fix:
+
+1. Write data to a file, say all 1s from offset 0 to 16.
+
+2. Truncate the file to a smaller size, say 8 bytes.
+
+3. Write new bytes (say 2s) from an offset past the original size of the
+file, say at offset 20, for 4 bytes.  This is supposed to create a "hole"
+in the file, meaning that the bytes from offset 8 (where it was truncated
+above) up to the new write at offset 20, should all be 0s (zeros).
+
+4. Flush all caches using "echo 3 > /proc/sys/vm/drop_caches" (or unmount
+and remount) the f/s.
+
+5. Check the content of the file.  It is wrong.  The 1s that used to be
+between bytes 9 and 16, before the truncation, have REAPPEARED (they should
+be 0s).
+
+We wrote a script and helper C program to reproduce the bug
+(reproduce_jffs2_write_begin_issue.sh, write_file.c, and Makefile).  We can
+make them available to anyone.
+
+The above example is shown when writing a small file within the same first
+page.  But the bug happens for larger files, as long as steps 1, 2, and 3
+above all happen within the same page.
+
+The problem was traced to the jffs2_write_begin code, where it goes into an
+'if' statement intended to handle writes past the current EOF (i.e., writes
+that may create a hole).  The code computes a 'pageofs' that is the floor
+of the write position (pos), aligned to the page size boundary.  In other
+words, 'pageofs' will never be larger than 'pos'.  The code then sets the
+internal jffs2_raw_inode->isize to the size of max(current inode size,
+pageofs) but that is wrong: the new file size should be the 'pos', which is
+larger than both the current inode size and pageofs.
+
+Similarly, the code incorrectly sets the internal jffs2_raw_inode->dsize to
+the difference between the pageofs minus current inode size; instead it
+should be the current pos minus the current inode size.  Finally,
+inode->i_size was also set incorrectly.
+
+The patch below fixes this bug.  The bug was discovered using a new tool
+for finding f/s bugs using model checking, called MCFS (Model Checking File
+Systems).
+
+Signed-off-by: Yifei Liu <yifeliu@cs.stonybrook.edu>
+Signed-off-by: Erez Zadok <ezk@cs.stonybrook.edu>
+Signed-off-by: Manish Adkar <madkar@cs.stonybrook.edu>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jffs2/file.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c
+index 3047872fdac9b..bf3d8a4516a52 100644
+--- a/fs/jffs2/file.c
++++ b/fs/jffs2/file.c
+@@ -137,19 +137,18 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+       struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+       struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
+       pgoff_t index = pos >> PAGE_SHIFT;
+-      uint32_t pageofs = index << PAGE_SHIFT;
+       int ret = 0;
+       jffs2_dbg(1, "%s()\n", __func__);
+-      if (pageofs > inode->i_size) {
+-              /* Make new hole frag from old EOF to new page */
++      if (pos > inode->i_size) {
++              /* Make new hole frag from old EOF to new position */
+               struct jffs2_raw_inode ri;
+               struct jffs2_full_dnode *fn;
+               uint32_t alloc_len;
+-              jffs2_dbg(1, "Writing new hole frag 0x%x-0x%x between current EOF and new page\n",
+-                        (unsigned int)inode->i_size, pageofs);
++              jffs2_dbg(1, "Writing new hole frag 0x%x-0x%x between current EOF and new position\n",
++                        (unsigned int)inode->i_size, (uint32_t)pos);
+               ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len,
+                                         ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
+@@ -169,10 +168,10 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+               ri.mode = cpu_to_jemode(inode->i_mode);
+               ri.uid = cpu_to_je16(i_uid_read(inode));
+               ri.gid = cpu_to_je16(i_gid_read(inode));
+-              ri.isize = cpu_to_je32(max((uint32_t)inode->i_size, pageofs));
++              ri.isize = cpu_to_je32((uint32_t)pos);
+               ri.atime = ri.ctime = ri.mtime = cpu_to_je32(JFFS2_NOW());
+               ri.offset = cpu_to_je32(inode->i_size);
+-              ri.dsize = cpu_to_je32(pageofs - inode->i_size);
++              ri.dsize = cpu_to_je32((uint32_t)pos - inode->i_size);
+               ri.csize = cpu_to_je32(0);
+               ri.compr = JFFS2_COMPR_ZERO;
+               ri.node_crc = cpu_to_je32(crc32(0, &ri, sizeof(ri)-8));
+@@ -202,7 +201,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+                       goto out_err;
+               }
+               jffs2_complete_reservation(c);
+-              inode->i_size = pageofs;
++              inode->i_size = pos;
+               mutex_unlock(&f->sem);
+       }
+-- 
+2.39.2
+
diff --git a/queue-4.19/media-m5mols-fix-off-by-one-loop-termination-error.patch b/queue-4.19/media-m5mols-fix-off-by-one-loop-termination-error.patch
new file mode 100644 (file)
index 0000000..c8ceb72
--- /dev/null
@@ -0,0 +1,62 @@
+From b8744174c6cbf5bc910285c1ffda2739bd1a4e48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Mar 2023 13:51:17 -0700
+Subject: media: m5mols: fix off-by-one loop termination error
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit efbcbb12ee99f750c9f25c873b55ad774871de2a ]
+
+The __find_restype() function loops over the m5mols_default_ffmt[]
+array, and the termination condition ends up being wrong: instead of
+stopping when the iterator becomes the size of the array it traverses,
+it stops after it has already overshot the array.
+
+Now, in practice this doesn't likely matter, because the code will
+always find the entry it looks for, and will thus return early and never
+hit that last extra iteration.
+
+But it turns out that clang will unroll the loop fully, because it has
+only two iterations (well, three due to the off-by-one bug), and then
+clang will end up just giving up in the middle of the loop unrolling
+when it notices that the code walks past the end of the array.
+
+And that made 'objtool' very unhappy indeed, because the generated code
+just falls off the edge of the universe, and ends up falling through to
+the next function, causing this warning:
+
+   drivers/media/i2c/m5mols/m5mols.o: warning: objtool: m5mols_set_fmt() falls through to next function m5mols_get_frame_desc()
+
+Fix the loop ending condition.
+
+Reported-by: Jens Axboe <axboe@kernel.dk>
+Analyzed-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
+Analyzed-by: Nick Desaulniers <ndesaulniers@google.com>
+Link: https://lore.kernel.org/linux-block/CAHk-=wgTSdKYbmB1JYM5vmHMcD9J9UZr0mn7BOYM_LudrP+Xvw@mail.gmail.com/
+Fixes: bc125106f8af ("[media] Add support for M-5MOLS 8 Mega Pixel camera ISP")
+Cc: HeungJun, Kim <riverful.kim@samsung.com>
+Cc: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Cc: Kyungmin Park <kyungmin.park@samsung.com>
+Cc: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/m5mols/m5mols_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/m5mols/m5mols_core.c b/drivers/media/i2c/m5mols/m5mols_core.c
+index d9a9644306096..9e6827dedab30 100644
+--- a/drivers/media/i2c/m5mols/m5mols_core.c
++++ b/drivers/media/i2c/m5mols/m5mols_core.c
+@@ -492,7 +492,7 @@ static enum m5mols_restype __find_restype(u32 code)
+       do {
+               if (code == m5mols_default_ffmt[type].code)
+                       return type;
+-      } while (type++ != SIZE_DEFAULT_FFMT);
++      } while (++type != SIZE_DEFAULT_FFMT);
+       return 0;
+ }
+-- 
+2.39.2
+
diff --git a/queue-4.19/mmc-atmel-mci-fix-race-between-stop-command-and-star.patch b/queue-4.19/mmc-atmel-mci-fix-race-between-stop-command-and-star.patch
new file mode 100644 (file)
index 0000000..5c2c81f
--- /dev/null
@@ -0,0 +1,58 @@
+From 153b9cf275dad8e0582c90b0330e0b8177d2e98d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Dec 2022 20:43:15 +0100
+Subject: mmc: atmel-mci: fix race between stop command and start of next
+ command
+
+From: Tobias Schramm <t.schramm@manjaro.org>
+
+[ Upstream commit eca5bd666b0aa7dc0bca63292e4778968241134e ]
+
+This commit fixes a race between completion of stop command and start of a
+new command.
+Previously the command ready interrupt was enabled before stop command
+was written to the command register. This caused the command ready
+interrupt to fire immediately since the CMDRDY flag is asserted constantly
+while there is no command in progress.
+Consequently the command state machine will immediately advance to the
+next state when the tasklet function is executed again, no matter
+actual completion state of the stop command.
+Thus a new command can then be dispatched immediately, interrupting and
+corrupting the stop command on the CMD line.
+Fix that by dropping the command ready interrupt enable before calling
+atmci_send_stop_cmd. atmci_send_stop_cmd does already enable the
+command ready interrupt, no further writes to ATMCI_IER are necessary.
+
+Signed-off-by: Tobias Schramm <t.schramm@manjaro.org>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Link: https://lore.kernel.org/r/20221230194315.809903-2-t.schramm@manjaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/atmel-mci.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/mmc/host/atmel-mci.c b/drivers/mmc/host/atmel-mci.c
+index d40bab3d9f4af..fb435a8d37213 100644
+--- a/drivers/mmc/host/atmel-mci.c
++++ b/drivers/mmc/host/atmel-mci.c
+@@ -1857,7 +1857,6 @@ static void atmci_tasklet_func(unsigned long priv)
+                               atmci_writel(host, ATMCI_IER, ATMCI_NOTBUSY);
+                               state = STATE_WAITING_NOTBUSY;
+                       } else if (host->mrq->stop) {
+-                              atmci_writel(host, ATMCI_IER, ATMCI_CMDRDY);
+                               atmci_send_stop_cmd(host, data);
+                               state = STATE_SENDING_STOP;
+                       } else {
+@@ -1890,8 +1889,6 @@ static void atmci_tasklet_func(unsigned long priv)
+                                * command to send.
+                                */
+                               if (host->mrq->stop) {
+-                                      atmci_writel(host, ATMCI_IER,
+-                                                   ATMCI_CMDRDY);
+                                       atmci_send_stop_cmd(host, data);
+                                       state = STATE_SENDING_STOP;
+                               } else {
+-- 
+2.39.2
+
diff --git a/queue-4.19/rust-arch-um-disable-fp-simd-instruction-to-match-x8.patch b/queue-4.19/rust-arch-um-disable-fp-simd-instruction-to-match-x8.patch
new file mode 100644 (file)
index 0000000..31ca1e5
--- /dev/null
@@ -0,0 +1,53 @@
+From 4cd7b8184f841ac7054c8842e070fbdafc54d8d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Dec 2022 12:44:35 +0800
+Subject: rust: arch/um: Disable FP/SIMD instruction to match x86
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Gow <davidgow@google.com>
+
+[ Upstream commit 8849818679478933dd1d9718741f4daa3f4e8b86 ]
+
+The kernel disables all SSE and similar FP/SIMD instructions on
+x86-based architectures (partly because we shouldn't be using floats in
+the kernel, and partly to avoid the need for stack alignment, see:
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=53383 )
+
+UML does not do the same thing, which isn't in itself a problem, but
+does add to the list of differences between UML and "normal" x86 builds.
+
+In addition, there was a crash bug with LLVM < 15 / rustc < 1.65 when
+building with SSE, so disabling it fixes rust builds with earlier
+compiler versions, see:
+https://github.com/Rust-for-Linux/linux/pull/881
+
+Signed-off-by: David Gow <davidgow@google.com>
+Reviewed-by: Sergio González Collado <sergio.collado@gmail.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Makefile.um | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/x86/Makefile.um b/arch/x86/Makefile.um
+index 91085a08de6cb..3694beda02c8a 100644
+--- a/arch/x86/Makefile.um
++++ b/arch/x86/Makefile.um
+@@ -1,6 +1,12 @@
+ # SPDX-License-Identifier: GPL-2.0
+ core-y += arch/x86/crypto/
++#
++# Disable SSE and other FP/SIMD instructions to match normal x86
++#
++KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx
++KBUILD_RUSTFLAGS += -Ctarget-feature=-sse,-sse2,-sse3,-ssse3,-sse4.1,-sse4.2,-avx,-avx2
++
+ ifeq ($(CONFIG_X86_32),y)
+ START := 0x8048000
+-- 
+2.39.2
+
index 9365a6c3c1a1e75c3c18737e9e9191c65e716fc3..b7c352adcd8ab881933ae68ed8d8518df9c164e2 100644 (file)
@@ -14,3 +14,14 @@ ipv4-fix-incorrect-table-id-in-ioctl-path.patch
 net-usb-smsc75xx-move-packet-length-check-to-prevent.patch
 net-iucv-fix-size-of-interrupt-data.patch
 ethernet-sun-add-check-for-the-mdesc_grab.patch
+hwmon-adt7475-display-smoothing-attributes-in-correc.patch
+hwmon-adt7475-fix-masking-of-hysteresis-registers.patch
+hwmon-xgene-fix-use-after-free-bug-in-xgene_hwmon_re.patch
+media-m5mols-fix-off-by-one-loop-termination-error.patch
+mmc-atmel-mci-fix-race-between-stop-command-and-star.patch
+jffs2-correct-logic-when-creating-a-hole-in-jffs2_wr.patch
+rust-arch-um-disable-fp-simd-instruction-to-match-x8.patch
+ext4-fail-ext4_iget-if-special-inode-unallocated.patch
+ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch
+drm-amdkfd-fix-an-illegal-memory-access.patch
+sh-intc-avoid-spurious-sizeof-pointer-div-warning.patch
diff --git a/queue-4.19/sh-intc-avoid-spurious-sizeof-pointer-div-warning.patch b/queue-4.19/sh-intc-avoid-spurious-sizeof-pointer-div-warning.patch
new file mode 100644 (file)
index 0000000..ad8c950
--- /dev/null
@@ -0,0 +1,51 @@
+From 77c2f92f33a28b5bc41c4a7d12780885c737ffb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jan 2023 22:48:16 +0100
+Subject: sh: intc: Avoid spurious sizeof-pointer-div warning
+
+From: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
+
+[ Upstream commit 250870824c1cf199b032b1ef889c8e8d69d9123a ]
+
+GCC warns about the pattern sizeof(void*)/sizeof(void), as it looks like
+the abuse of a pattern to calculate the array size. This pattern appears
+in the unevaluated part of the ternary operator in _INTC_ARRAY if the
+parameter is NULL.
+
+The replacement uses an alternate approach to return 0 in case of NULL
+which does not generate the pattern sizeof(void*)/sizeof(void), but still
+emits the warning if _INTC_ARRAY is called with a nonarray parameter.
+
+This patch is required for successful compilation with -Werror enabled.
+
+The idea to use _Generic for type distinction is taken from Comment #7
+in https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108483 by Jakub Jelinek
+
+Signed-off-by: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
+Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
+Link: https://lore.kernel.org/r/619fa552-c988-35e5-b1d7-fe256c46a272@mkarcher.dialup.fu-berlin.de
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sh_intc.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/sh_intc.h b/include/linux/sh_intc.h
+index c255273b02810..37ad81058d6ae 100644
+--- a/include/linux/sh_intc.h
++++ b/include/linux/sh_intc.h
+@@ -97,7 +97,10 @@ struct intc_hw_desc {
+       unsigned int nr_subgroups;
+ };
+-#define _INTC_ARRAY(a) a, __same_type(a, NULL) ? 0 : sizeof(a)/sizeof(*a)
++#define _INTC_SIZEOF_OR_ZERO(a) (_Generic(a,                 \
++                                 typeof(NULL):  0,           \
++                                 default:       sizeof(a)))
++#define _INTC_ARRAY(a) a, _INTC_SIZEOF_OR_ZERO(a)/sizeof(*a)
+ #define INTC_HW_DESC(vectors, groups, mask_regs,      \
+                    prio_regs, sense_regs, ack_regs)   \
+-- 
+2.39.2
+