From: Sasha Levin Date: Mon, 28 Aug 2023 01:51:21 +0000 (-0400) Subject: Fixes for 6.4 X-Git-Tag: v6.4.13~9^2~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=35494a584ab9c5b146991df67b9228b4a2e46b52;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.4 Signed-off-by: Sasha Levin --- diff --git a/queue-6.4/asoc-amd-yc-fix-a-non-functional-mic-on-lenovo-82sj.patch b/queue-6.4/asoc-amd-yc-fix-a-non-functional-mic-on-lenovo-82sj.patch new file mode 100644 index 00000000000..f96b6c8568c --- /dev/null +++ b/queue-6.4/asoc-amd-yc-fix-a-non-functional-mic-on-lenovo-82sj.patch @@ -0,0 +1,39 @@ +From 691fe96dc6578ff3747fd2f1cec257af323736c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Aug 2023 20:11:49 -0500 +Subject: ASoC: amd: yc: Fix a non-functional mic on Lenovo 82SJ + +From: Mario Limonciello + +[ Upstream commit c008323fe361bd62a43d9fb29737dacd5c067fb7 ] + +Lenovo 82SJ doesn't have DMIC connected like 82V2 does. Narrow +the match down to only cover 82V2. + +Reported-by: prosenfeld@Yuhsbstudents.org +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217063 +Fixes: 2232b2dd8cd4 ("ASoC: amd: yc: Add Lenovo Yoga Slim 7 Pro X to quirks table") +Signed-off-by: Mario Limonciello +--- + sound/soc/amd/yc/acp6x-mach.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index d80adbea05219..5310ba0734b14 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -217,7 +217,7 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_NAME, "82"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "82V2"), + } + }, + { +-- +2.40.1 + diff --git a/queue-6.4/asoc-cs35l56-read-firmware-uuid-from-a-device-proper.patch b/queue-6.4/asoc-cs35l56-read-firmware-uuid-from-a-device-proper.patch new file mode 100644 index 00000000000..9c8bf079372 --- /dev/null +++ b/queue-6.4/asoc-cs35l56-read-firmware-uuid-from-a-device-proper.patch @@ -0,0 +1,103 @@ +From 589f6fb462a26642fea7938e9887a7a6a9e89950 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 12:27:11 +0100 +Subject: ASoC: cs35l56: Read firmware uuid from a device property instead of + _SUB + +From: Maciej Strozek + +[ Upstream commit 897a6b5a030e62c21566551c870d81740f82ca13 ] + +Use a device property "cirrus,firmware-uid" to get the unique firmware +identifier instead of using ACPI _SUB. There aren't any products that use +_SUB. + +There will not usually be a _SUB in Soundwire nodes. The ACPI can use a +_DSD section for custom properties. + +There is also a need to support instantiating this driver using software +nodes. This is for systems where the CS35L56 is a back-end device and the +ACPI refers only to the front-end audio device - there will not be any ACPI +references to CS35L56. + +Fixes: e49611252900 ("ASoC: cs35l56: Add driver for Cirrus Logic CS35L56") +Signed-off-by: Maciej Strozek +Signed-off-by: Richard Fitzgerald +Link: https://lore.kernel.org/r/20230817112712.16637-2-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs35l56.c | 31 ++++++++++++------------------- + 1 file changed, 12 insertions(+), 19 deletions(-) + +diff --git a/sound/soc/codecs/cs35l56.c b/sound/soc/codecs/cs35l56.c +index f3fee448d759e..6a2b0797f3c7d 100644 +--- a/sound/soc/codecs/cs35l56.c ++++ b/sound/soc/codecs/cs35l56.c +@@ -5,7 +5,6 @@ + // Copyright (C) 2023 Cirrus Logic, Inc. and + // Cirrus Logic International Semiconductor Ltd. + +-#include + #include + #include + #include +@@ -1327,26 +1326,22 @@ static int cs35l56_dsp_init(struct cs35l56_private *cs35l56) + return 0; + } + +-static int cs35l56_acpi_get_name(struct cs35l56_private *cs35l56) ++static int cs35l56_get_firmware_uid(struct cs35l56_private *cs35l56) + { +- acpi_handle handle = ACPI_HANDLE(cs35l56->dev); +- const char *sub; ++ struct device *dev = cs35l56->dev; ++ const char *prop; ++ int ret; + +- /* If there is no ACPI_HANDLE, there is no ACPI for this system, return 0 */ +- if (!handle) ++ ret = device_property_read_string(dev, "cirrus,firmware-uid", &prop); ++ /* If bad sw node property, return 0 and fallback to legacy firmware path */ ++ if (ret < 0) + return 0; + +- sub = acpi_get_subsystem_id(handle); +- if (IS_ERR(sub)) { +- /* If bad ACPI, return 0 and fallback to legacy firmware path, otherwise fail */ +- if (PTR_ERR(sub) == -ENODATA) +- return 0; +- else +- return PTR_ERR(sub); +- } ++ cs35l56->dsp.system_name = devm_kstrdup(dev, prop, GFP_KERNEL); ++ if (cs35l56->dsp.system_name == NULL) ++ return -ENOMEM; + +- cs35l56->dsp.system_name = sub; +- dev_dbg(cs35l56->dev, "Subsystem ID: %s\n", cs35l56->dsp.system_name); ++ dev_dbg(dev, "Firmware UID: %s\n", cs35l56->dsp.system_name); + + return 0; + } +@@ -1390,7 +1385,7 @@ int cs35l56_common_probe(struct cs35l56_private *cs35l56) + gpiod_set_value_cansleep(cs35l56->reset_gpio, 1); + } + +- ret = cs35l56_acpi_get_name(cs35l56); ++ ret = cs35l56_get_firmware_uid(cs35l56); + if (ret != 0) + goto err; + +@@ -1577,8 +1572,6 @@ void cs35l56_remove(struct cs35l56_private *cs35l56) + + regcache_cache_only(cs35l56->regmap, true); + +- kfree(cs35l56->dsp.system_name); +- + gpiod_set_value_cansleep(cs35l56->reset_gpio, 0); + regulator_bulk_disable(ARRAY_SIZE(cs35l56->supplies), cs35l56->supplies); + } +-- +2.40.1 + diff --git a/queue-6.4/asoc-sof-ipc4-pcm-fix-possible-null-pointer-deferenc.patch b/queue-6.4/asoc-sof-ipc4-pcm-fix-possible-null-pointer-deferenc.patch new file mode 100644 index 00000000000..b3ecf7d73cf --- /dev/null +++ b/queue-6.4/asoc-sof-ipc4-pcm-fix-possible-null-pointer-deferenc.patch @@ -0,0 +1,42 @@ +From 8215b3d86b9fb8f897d52209f61da2df2bf85f69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 16:33:11 +0300 +Subject: ASoC: SOF: ipc4-pcm: fix possible null pointer deference + +From: Chao Song + +[ Upstream commit 2d218b45848b92b03b220bf4d9bef29f058f866f ] + +The call to snd_sof_find_spcm_dai() could return NULL, +add nullable check for the return value to avoid null +pointer defenrece. + +Fixes: 7cb19007baba ("ASoC: SOF: ipc4-pcm: add hw_params") +Signed-off-by: Chao Song +Reviewed-by: Bard Liao +Reviewed-by: Pierre-Louis Bossart +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20230816133311.7523-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/ipc4-pcm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/sof/ipc4-pcm.c b/sound/soc/sof/ipc4-pcm.c +index 9e2b6c45080dd..49eb98605518a 100644 +--- a/sound/soc/sof/ipc4-pcm.c ++++ b/sound/soc/sof/ipc4-pcm.c +@@ -708,6 +708,9 @@ static int sof_ipc4_pcm_hw_params(struct snd_soc_component *component, + struct snd_sof_pcm *spcm; + + spcm = snd_sof_find_spcm_dai(component, rtd); ++ if (!spcm) ++ return -EINVAL; ++ + time_info = spcm->stream[substream->stream].private; + /* delay calculation is not supported by current fw_reg ABI */ + if (!time_info) +-- +2.40.1 + diff --git a/queue-6.4/clk-fix-undefined-reference-to-clk_rate_exclusive_-g.patch b/queue-6.4/clk-fix-undefined-reference-to-clk_rate_exclusive_-g.patch new file mode 100644 index 00000000000..2418d4bafd3 --- /dev/null +++ b/queue-6.4/clk-fix-undefined-reference-to-clk_rate_exclusive_-g.patch @@ -0,0 +1,146 @@ +From 6dd97fd93a83e96b1e74e300060cbbaadbb5cf98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 18:51:40 +0100 +Subject: clk: Fix undefined reference to `clk_rate_exclusive_{get,put}' + +From: Biju Das + +[ Upstream commit 2746f13f6f1df7999001d6595b16f789ecc28ad1 ] + +The COMMON_CLK config is not enabled in some of the architectures. +This causes below build issues: + +pwm-rz-mtu3.c:(.text+0x114): +undefined reference to `clk_rate_exclusive_put' +pwm-rz-mtu3.c:(.text+0x32c): +undefined reference to `clk_rate_exclusive_get' + +Fix these issues by moving clk_rate_exclusive_{get,put} inside COMMON_CLK +code block, as clk.c is enabled by COMMON_CLK. + +Fixes: 55e9b8b7b806 ("clk: add clk_rate_exclusive api") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/all/202307251752.vLfmmhYm-lkp@intel.com/ +Signed-off-by: Biju Das +Link: https://lore.kernel.org/r/20230725175140.361479-1-biju.das.jz@bp.renesas.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + include/linux/clk.h | 80 ++++++++++++++++++++++----------------------- + 1 file changed, 40 insertions(+), 40 deletions(-) + +diff --git a/include/linux/clk.h b/include/linux/clk.h +index 1ef0133242374..06f1b292f8a00 100644 +--- a/include/linux/clk.h ++++ b/include/linux/clk.h +@@ -183,6 +183,39 @@ int clk_get_scaled_duty_cycle(struct clk *clk, unsigned int scale); + */ + bool clk_is_match(const struct clk *p, const struct clk *q); + ++/** ++ * clk_rate_exclusive_get - get exclusivity over the rate control of a ++ * producer ++ * @clk: clock source ++ * ++ * This function allows drivers to get exclusive control over the rate of a ++ * provider. It prevents any other consumer to execute, even indirectly, ++ * opereation which could alter the rate of the provider or cause glitches ++ * ++ * If exlusivity is claimed more than once on clock, even by the same driver, ++ * the rate effectively gets locked as exclusivity can't be preempted. ++ * ++ * Must not be called from within atomic context. ++ * ++ * Returns success (0) or negative errno. ++ */ ++int clk_rate_exclusive_get(struct clk *clk); ++ ++/** ++ * clk_rate_exclusive_put - release exclusivity over the rate control of a ++ * producer ++ * @clk: clock source ++ * ++ * This function allows drivers to release the exclusivity it previously got ++ * from clk_rate_exclusive_get() ++ * ++ * The caller must balance the number of clk_rate_exclusive_get() and ++ * clk_rate_exclusive_put() calls. ++ * ++ * Must not be called from within atomic context. ++ */ ++void clk_rate_exclusive_put(struct clk *clk); ++ + #else + + static inline int clk_notifier_register(struct clk *clk, +@@ -236,6 +269,13 @@ static inline bool clk_is_match(const struct clk *p, const struct clk *q) + return p == q; + } + ++static inline int clk_rate_exclusive_get(struct clk *clk) ++{ ++ return 0; ++} ++ ++static inline void clk_rate_exclusive_put(struct clk *clk) {} ++ + #endif + + #ifdef CONFIG_HAVE_CLK_PREPARE +@@ -583,38 +623,6 @@ struct clk *devm_clk_get_optional_enabled(struct device *dev, const char *id); + */ + struct clk *devm_get_clk_from_child(struct device *dev, + struct device_node *np, const char *con_id); +-/** +- * clk_rate_exclusive_get - get exclusivity over the rate control of a +- * producer +- * @clk: clock source +- * +- * This function allows drivers to get exclusive control over the rate of a +- * provider. It prevents any other consumer to execute, even indirectly, +- * opereation which could alter the rate of the provider or cause glitches +- * +- * If exlusivity is claimed more than once on clock, even by the same driver, +- * the rate effectively gets locked as exclusivity can't be preempted. +- * +- * Must not be called from within atomic context. +- * +- * Returns success (0) or negative errno. +- */ +-int clk_rate_exclusive_get(struct clk *clk); +- +-/** +- * clk_rate_exclusive_put - release exclusivity over the rate control of a +- * producer +- * @clk: clock source +- * +- * This function allows drivers to release the exclusivity it previously got +- * from clk_rate_exclusive_get() +- * +- * The caller must balance the number of clk_rate_exclusive_get() and +- * clk_rate_exclusive_put() calls. +- * +- * Must not be called from within atomic context. +- */ +-void clk_rate_exclusive_put(struct clk *clk); + + /** + * clk_enable - inform the system when the clock source should be running. +@@ -974,14 +982,6 @@ static inline void clk_bulk_put_all(int num_clks, struct clk_bulk_data *clks) {} + + static inline void devm_clk_put(struct device *dev, struct clk *clk) {} + +- +-static inline int clk_rate_exclusive_get(struct clk *clk) +-{ +- return 0; +-} +- +-static inline void clk_rate_exclusive_put(struct clk *clk) {} +- + static inline int clk_enable(struct clk *clk) + { + return 0; +-- +2.40.1 + diff --git a/queue-6.4/dma-buf-sw_sync-avoid-recursive-lock-during-fence-si.patch b/queue-6.4/dma-buf-sw_sync-avoid-recursive-lock-during-fence-si.patch new file mode 100644 index 00000000000..b6d5f1754e3 --- /dev/null +++ b/queue-6.4/dma-buf-sw_sync-avoid-recursive-lock-during-fence-si.patch @@ -0,0 +1,81 @@ +From fc2782f0e61e8f2db97eaaac11cd5d18439ad04a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 07:59:38 -0700 +Subject: dma-buf/sw_sync: Avoid recursive lock during fence signal +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rob Clark + +[ Upstream commit e531fdb5cd5ee2564b7fe10c8a9219e2b2fac61e ] + +If a signal callback releases the sw_sync fence, that will trigger a +deadlock as the timeline_fence_release recurses onto the fence->lock +(used both for signaling and the the timeline tree). + +To avoid that, temporarily hold an extra reference to the signalled +fences until after we drop the lock. + +(This is an alternative implementation of https://patchwork.kernel.org/patch/11664717/ +which avoids some potential UAF issues with the original patch.) + +v2: Remove now obsolete comment, use list_move_tail() and + list_del_init() + +Reported-by: Bas Nieuwenhuizen +Fixes: d3c6dd1fb30d ("dma-buf/sw_sync: Synchronize signal vs syncpt free") +Signed-off-by: Rob Clark +Link: https://patchwork.freedesktop.org/patch/msgid/20230818145939.39697-1-robdclark@gmail.com +Reviewed-by: Christian König +Signed-off-by: Christian König +Signed-off-by: Sasha Levin +--- + drivers/dma-buf/sw_sync.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c +index 348b3a9170fa4..7f5ed1aa7a9f8 100644 +--- a/drivers/dma-buf/sw_sync.c ++++ b/drivers/dma-buf/sw_sync.c +@@ -191,6 +191,7 @@ static const struct dma_fence_ops timeline_fence_ops = { + */ + static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc) + { ++ LIST_HEAD(signalled); + struct sync_pt *pt, *next; + + trace_sync_timeline(obj); +@@ -203,21 +204,20 @@ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc) + if (!timeline_fence_signaled(&pt->base)) + break; + +- list_del_init(&pt->link); ++ dma_fence_get(&pt->base); ++ ++ list_move_tail(&pt->link, &signalled); + rb_erase(&pt->node, &obj->pt_tree); + +- /* +- * A signal callback may release the last reference to this +- * fence, causing it to be freed. That operation has to be +- * last to avoid a use after free inside this loop, and must +- * be after we remove the fence from the timeline in order to +- * prevent deadlocking on timeline->lock inside +- * timeline_fence_release(). +- */ + dma_fence_signal_locked(&pt->base); + } + + spin_unlock_irq(&obj->lock); ++ ++ list_for_each_entry_safe(pt, next, &signalled, link) { ++ list_del_init(&pt->link); ++ dma_fence_put(&pt->base); ++ } + } + + /** +-- +2.40.1 + diff --git a/queue-6.4/gpio-sim-dispose-of-irq-mappings-before-destroying-t.patch b/queue-6.4/gpio-sim-dispose-of-irq-mappings-before-destroying-t.patch new file mode 100644 index 00000000000..b5326bcea9b --- /dev/null +++ b/queue-6.4/gpio-sim-dispose-of-irq-mappings-before-destroying-t.patch @@ -0,0 +1,57 @@ +From 742203e67d80497755949faa2af4067c6b35f709 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Aug 2023 21:29:42 +0200 +Subject: gpio: sim: dispose of irq mappings before destroying the irq_sim + domain + +From: Bartosz Golaszewski + +[ Upstream commit ab4109f91b328ff5cb5e1279f64d443241add2d1 ] + +If a GPIO simulator device is unbound with interrupts still requested, +we will hit a use-after-free issue in __irq_domain_deactivate_irq(). The +owner of the irq domain must dispose of all mappings before destroying +the domain object. + +Fixes: cb8c474e79be ("gpio: sim: new testing module") +Signed-off-by: Bartosz Golaszewski +Reviewed-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-sim.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/gpio/gpio-sim.c b/drivers/gpio/gpio-sim.c +index f1f6f1c329877..8fb11a5395eb8 100644 +--- a/drivers/gpio/gpio-sim.c ++++ b/drivers/gpio/gpio-sim.c +@@ -291,6 +291,15 @@ static void gpio_sim_mutex_destroy(void *data) + mutex_destroy(lock); + } + ++static void gpio_sim_dispose_mappings(void *data) ++{ ++ struct gpio_sim_chip *chip = data; ++ unsigned int i; ++ ++ for (i = 0; i < chip->gc.ngpio; i++) ++ irq_dispose_mapping(irq_find_mapping(chip->irq_sim, i)); ++} ++ + static void gpio_sim_sysfs_remove(void *data) + { + struct gpio_sim_chip *chip = data; +@@ -406,6 +415,10 @@ static int gpio_sim_add_bank(struct fwnode_handle *swnode, struct device *dev) + if (IS_ERR(chip->irq_sim)) + return PTR_ERR(chip->irq_sim); + ++ ret = devm_add_action_or_reset(dev, gpio_sim_dispose_mappings, chip); ++ if (ret) ++ return ret; ++ + mutex_init(&chip->lock); + ret = devm_add_action_or_reset(dev, gpio_sim_mutex_destroy, + &chip->lock); +-- +2.40.1 + diff --git a/queue-6.4/gpio-sim-pass-the-gpio-device-s-software-node-to-irq.patch b/queue-6.4/gpio-sim-pass-the-gpio-device-s-software-node-to-irq.patch new file mode 100644 index 00000000000..fb85d64d9af --- /dev/null +++ b/queue-6.4/gpio-sim-pass-the-gpio-device-s-software-node-to-irq.patch @@ -0,0 +1,37 @@ +From bbb715392049aa63df0edf0744f53bbec5e0ece9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Aug 2023 21:29:43 +0200 +Subject: gpio: sim: pass the GPIO device's software node to irq domain + +From: Bartosz Golaszewski + +[ Upstream commit 6e39c1ac688161b4db3617aabbca589b395242bc ] + +Associate the swnode of the GPIO device's (which is the interrupt +controller here) with the irq domain. Otherwise the interrupt-controller +device attribute is a no-op. + +Fixes: cb8c474e79be ("gpio: sim: new testing module") +Signed-off-by: Bartosz Golaszewski +Reviewed-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-sim.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-sim.c b/drivers/gpio/gpio-sim.c +index 8fb11a5395eb8..533d815725794 100644 +--- a/drivers/gpio/gpio-sim.c ++++ b/drivers/gpio/gpio-sim.c +@@ -411,7 +411,7 @@ static int gpio_sim_add_bank(struct fwnode_handle *swnode, struct device *dev) + if (!chip->pull_map) + return -ENOMEM; + +- chip->irq_sim = devm_irq_domain_create_sim(dev, NULL, num_lines); ++ chip->irq_sim = devm_irq_domain_create_sim(dev, swnode, num_lines); + if (IS_ERR(chip->irq_sim)) + return PTR_ERR(chip->irq_sim); + +-- +2.40.1 + diff --git a/queue-6.4/maple_tree-disable-mas_wr_append-when-other-readers-.patch b/queue-6.4/maple_tree-disable-mas_wr_append-when-other-readers-.patch new file mode 100644 index 00000000000..25f1d971baf --- /dev/null +++ b/queue-6.4/maple_tree-disable-mas_wr_append-when-other-readers-.patch @@ -0,0 +1,78 @@ +From b91c7f43cef8824a77b803702f2695119b451470 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 20:43:55 -0400 +Subject: maple_tree: disable mas_wr_append() when other readers are possible + +From: Liam R. Howlett + +[ Upstream commit cfeb6ae8bcb96ccf674724f223661bbcef7b0d0b ] + +The current implementation of append may cause duplicate data and/or +incorrect ranges to be returned to a reader during an update. Although +this has not been reported or seen, disable the append write operation +while the tree is in rcu mode out of an abundance of caution. + +During the analysis of the mas_next_slot() the following was +artificially created by separating the writer and reader code: + +Writer: reader: +mas_wr_append + set end pivot + updates end metata + Detects write to last slot + last slot write is to start of slot + store current contents in slot + overwrite old end pivot + mas_next_slot(): + read end metadata + read old end pivot + return with incorrect range + store new value + +Alternatively: + +Writer: reader: +mas_wr_append + set end pivot + updates end metata + Detects write to last slot + last lost write to end of slot + store value + mas_next_slot(): + read end metadata + read old end pivot + read new end pivot + return with incorrect range + set old end pivot + +There may be other accesses that are not safe since we are now updating +both metadata and pointers, so disabling append if there could be rcu +readers is the safest action. + +Link: https://lkml.kernel.org/r/20230819004356.1454718-2-Liam.Howlett@oracle.com +Fixes: 54a611b60590 ("Maple Tree: add new data structure") +Signed-off-by: Liam R. Howlett +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + lib/maple_tree.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/maple_tree.c b/lib/maple_tree.c +index bb28a49d173c0..3315eaf93f563 100644 +--- a/lib/maple_tree.c ++++ b/lib/maple_tree.c +@@ -4315,6 +4315,9 @@ static inline bool mas_wr_append(struct ma_wr_state *wr_mas) + struct ma_state *mas = wr_mas->mas; + unsigned char node_pivots = mt_pivots[wr_mas->type]; + ++ if (mt_in_rcu(mas->tree)) ++ return false; ++ + if ((mas->index != wr_mas->r_min) && (mas->last == wr_mas->r_max)) { + if (new_end < node_pivots) + wr_mas->pivots[new_end] = wr_mas->pivots[end]; +-- +2.40.1 + diff --git a/queue-6.4/pinctrl-renesas-rza2-add-lock-around-pinctrl_generic.patch b/queue-6.4/pinctrl-renesas-rza2-add-lock-around-pinctrl_generic.patch new file mode 100644 index 00000000000..7cd63ed07a1 --- /dev/null +++ b/queue-6.4/pinctrl-renesas-rza2-add-lock-around-pinctrl_generic.patch @@ -0,0 +1,91 @@ +From b8fbaac6de72cf599224d015057b1bfc9deb2eaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 14:15:58 +0100 +Subject: pinctrl: renesas: rza2: Add lock around + pinctrl_generic{{add,remove}_group,{add,remove}_function} + +From: Biju Das + +[ Upstream commit 8fcc1c40b747069644db6102c1d84c942c9d4d86 ] + +The pinctrl group and function creation/remove calls expect +caller to take care of locking. Add lock around these functions. + +Fixes: b59d0e782706 ("pinctrl: Add RZ/A2 pin and gpio controller") +Signed-off-by: Biju Das +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230815131558.33787-4-biju.das.jz@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rza2.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rza2.c b/drivers/pinctrl/renesas/pinctrl-rza2.c +index 40b1326a10776..5591ddf16fdfd 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rza2.c ++++ b/drivers/pinctrl/renesas/pinctrl-rza2.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -46,6 +47,7 @@ struct rza2_pinctrl_priv { + struct pinctrl_dev *pctl; + struct pinctrl_gpio_range gpio_range; + int npins; ++ struct mutex mutex; /* serialize adding groups and functions */ + }; + + #define RZA2_PDR(port) (0x0000 + (port) * 2) /* Direction 16-bit */ +@@ -358,10 +360,14 @@ static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev, + psel_val[i] = MUX_FUNC(value); + } + ++ mutex_lock(&priv->mutex); ++ + /* Register a single pin group listing all the pins we read from DT */ + gsel = pinctrl_generic_add_group(pctldev, np->name, pins, npins, NULL); +- if (gsel < 0) +- return gsel; ++ if (gsel < 0) { ++ ret = gsel; ++ goto unlock; ++ } + + /* + * Register a single group function where the 'data' is an array PSEL +@@ -390,6 +396,8 @@ static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev, + (*map)->data.mux.function = np->name; + *num_maps = 1; + ++ mutex_unlock(&priv->mutex); ++ + return 0; + + remove_function: +@@ -398,6 +406,9 @@ static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev, + remove_group: + pinctrl_generic_remove_group(pctldev, gsel); + ++unlock: ++ mutex_unlock(&priv->mutex); ++ + dev_err(priv->dev, "Unable to parse DT node %s\n", np->name); + + return ret; +@@ -473,6 +484,8 @@ static int rza2_pinctrl_probe(struct platform_device *pdev) + if (IS_ERR(priv->base)) + return PTR_ERR(priv->base); + ++ mutex_init(&priv->mutex); ++ + platform_set_drvdata(pdev, priv); + + priv->npins = (int)(uintptr_t)of_device_get_match_data(&pdev->dev) * +-- +2.40.1 + diff --git a/queue-6.4/pinctrl-renesas-rzg2l-fix-null-pointer-dereference-i.patch b/queue-6.4/pinctrl-renesas-rzg2l-fix-null-pointer-dereference-i.patch new file mode 100644 index 00000000000..b03a6f50a82 --- /dev/null +++ b/queue-6.4/pinctrl-renesas-rzg2l-fix-null-pointer-dereference-i.patch @@ -0,0 +1,108 @@ +From 8041a043d7086d43441e8c3647102c25bc1a7b45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 14:15:56 +0100 +Subject: pinctrl: renesas: rzg2l: Fix NULL pointer dereference in + rzg2l_dt_subnode_to_map() + +From: Biju Das + +[ Upstream commit 661efa2284bbc2338da0424e219603f034072c74 ] + +Fix the below random NULL pointer crash during boot by serializing +pinctrl group and function creation/remove calls in +rzg2l_dt_subnode_to_map() with mutex lock. + +Crash log: + pc : __pi_strcmp+0x20/0x140 + lr : pinmux_func_name_to_selector+0x68/0xa4 + Call trace: + __pi_strcmp+0x20/0x140 + pinmux_generic_add_function+0x34/0xcc + rzg2l_dt_subnode_to_map+0x314/0x44c + rzg2l_dt_node_to_map+0x164/0x194 + pinctrl_dt_to_map+0x218/0x37c + create_pinctrl+0x70/0x3d8 + +While at it, add comments for bitmap_lock and lock. + +Fixes: c4c4637eb57f ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver") +Tested-by: Chris Paterson +Signed-off-by: Biju Das +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230815131558.33787-2-biju.das.jz@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rzg2l.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c +index b53d26167da52..6e8a76556e238 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c ++++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -149,10 +150,11 @@ struct rzg2l_pinctrl { + struct gpio_chip gpio_chip; + struct pinctrl_gpio_range gpio_range; + DECLARE_BITMAP(tint_slot, RZG2L_TINT_MAX_INTERRUPT); +- spinlock_t bitmap_lock; ++ spinlock_t bitmap_lock; /* protect tint_slot bitmap */ + unsigned int hwirq[RZG2L_TINT_MAX_INTERRUPT]; + +- spinlock_t lock; ++ spinlock_t lock; /* lock read/write registers */ ++ struct mutex mutex; /* serialize adding groups and functions */ + }; + + static const unsigned int iolh_groupa_mA[] = { 2, 4, 8, 12 }; +@@ -362,11 +364,13 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, + name = np->name; + } + ++ mutex_lock(&pctrl->mutex); ++ + /* Register a single pin group listing all the pins we read from DT */ + gsel = pinctrl_generic_add_group(pctldev, name, pins, num_pinmux, NULL); + if (gsel < 0) { + ret = gsel; +- goto done; ++ goto unlock; + } + + /* +@@ -380,6 +384,8 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, + goto remove_group; + } + ++ mutex_unlock(&pctrl->mutex); ++ + maps[idx].type = PIN_MAP_TYPE_MUX_GROUP; + maps[idx].data.mux.group = name; + maps[idx].data.mux.function = name; +@@ -391,6 +397,8 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, + + remove_group: + pinctrl_generic_remove_group(pctldev, gsel); ++unlock: ++ mutex_unlock(&pctrl->mutex); + done: + *index = idx; + kfree(configs); +@@ -1509,6 +1517,7 @@ static int rzg2l_pinctrl_probe(struct platform_device *pdev) + + spin_lock_init(&pctrl->lock); + spin_lock_init(&pctrl->bitmap_lock); ++ mutex_init(&pctrl->mutex); + + platform_set_drvdata(pdev, pctrl); + +-- +2.40.1 + diff --git a/queue-6.4/pinctrl-renesas-rzv2m-fix-null-pointer-dereference-i.patch b/queue-6.4/pinctrl-renesas-rzv2m-fix-null-pointer-dereference-i.patch new file mode 100644 index 00000000000..d3707a6eee2 --- /dev/null +++ b/queue-6.4/pinctrl-renesas-rzv2m-fix-null-pointer-dereference-i.patch @@ -0,0 +1,103 @@ +From ef50708f969741ab97a56d83a6ddef2de5138b55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 14:15:57 +0100 +Subject: pinctrl: renesas: rzv2m: Fix NULL pointer dereference in + rzv2m_dt_subnode_to_map() + +From: Biju Das + +[ Upstream commit f982b9d57e7f834138fc908804fe66f646f2b108 ] + +Fix the below random NULL pointer crash during boot by serializing +pinctrl group and function creation/remove calls in +rzv2m_dt_subnode_to_map() with mutex lock. + +Crash logs: + pc : __pi_strcmp+0x20/0x140 + lr : pinmux_func_name_to_selector+0x68/0xa4 + Call trace: + __pi_strcmp+0x20/0x140 + pinmux_generic_add_function+0x34/0xcc + rzv2m_dt_subnode_to_map+0x2e4/0x418 + rzv2m_dt_node_to_map+0x15c/0x18c + pinctrl_dt_to_map+0x218/0x37c + create_pinctrl+0x70/0x3d8 + +While at it, add a comment for lock. + +Fixes: 92a9b8252576 ("pinctrl: renesas: Add RZ/V2M pin and gpio controller driver") +Signed-off-by: Biju Das +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230815131558.33787-3-biju.das.jz@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rzv2m.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rzv2m.c b/drivers/pinctrl/renesas/pinctrl-rzv2m.c +index 35b23c1a5684d..9146101ea9e2f 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rzv2m.c ++++ b/drivers/pinctrl/renesas/pinctrl-rzv2m.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -123,7 +124,8 @@ struct rzv2m_pinctrl { + struct gpio_chip gpio_chip; + struct pinctrl_gpio_range gpio_range; + +- spinlock_t lock; ++ spinlock_t lock; /* lock read/write registers */ ++ struct mutex mutex; /* serialize adding groups and functions */ + }; + + static const unsigned int drv_1_8V_group2_uA[] = { 1800, 3800, 7800, 11000 }; +@@ -322,11 +324,13 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, + name = np->name; + } + ++ mutex_lock(&pctrl->mutex); ++ + /* Register a single pin group listing all the pins we read from DT */ + gsel = pinctrl_generic_add_group(pctldev, name, pins, num_pinmux, NULL); + if (gsel < 0) { + ret = gsel; +- goto done; ++ goto unlock; + } + + /* +@@ -340,6 +344,8 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, + goto remove_group; + } + ++ mutex_unlock(&pctrl->mutex); ++ + maps[idx].type = PIN_MAP_TYPE_MUX_GROUP; + maps[idx].data.mux.group = name; + maps[idx].data.mux.function = name; +@@ -351,6 +357,8 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, + + remove_group: + pinctrl_generic_remove_group(pctldev, gsel); ++unlock: ++ mutex_unlock(&pctrl->mutex); + done: + *index = idx; + kfree(configs); +@@ -1071,6 +1079,7 @@ static int rzv2m_pinctrl_probe(struct platform_device *pdev) + } + + spin_lock_init(&pctrl->lock); ++ mutex_init(&pctrl->mutex); + + platform_set_drvdata(pdev, pctrl); + +-- +2.40.1 + diff --git a/queue-6.4/series b/queue-6.4/series index 1e3a4c01def..1e597c4a9c7 100644 --- a/queue-6.4/series +++ b/queue-6.4/series @@ -110,3 +110,14 @@ can-raw-add-missing-refcount-for-memory-leak-fix.patch drm-i915-fix-error-handling-if-driver-creation-fails-during-probe.patch madvise-madvise_cold_or_pageout_pte_range-don-t-use-mapcount-against-large-folio-for-sharing-check.patch madvise-madvise_free_pte_range-don-t-use-mapcount-against-large-folio-for-sharing-check.patch +clk-fix-undefined-reference-to-clk_rate_exclusive_-g.patch +asoc-sof-ipc4-pcm-fix-possible-null-pointer-deferenc.patch +asoc-cs35l56-read-firmware-uuid-from-a-device-proper.patch +pinctrl-renesas-rzg2l-fix-null-pointer-dereference-i.patch +pinctrl-renesas-rzv2m-fix-null-pointer-dereference-i.patch +pinctrl-renesas-rza2-add-lock-around-pinctrl_generic.patch +dma-buf-sw_sync-avoid-recursive-lock-during-fence-si.patch +gpio-sim-dispose-of-irq-mappings-before-destroying-t.patch +gpio-sim-pass-the-gpio-device-s-software-node-to-irq.patch +asoc-amd-yc-fix-a-non-functional-mic-on-lenovo-82sj.patch +maple_tree-disable-mas_wr_append-when-other-readers-.patch