From: Greg Kroah-Hartman
Date: Mon, 24 Apr 2023 07:04:07 +0000 (+0200)
Subject: 6.2-stable patches
X-Git-Tag: v4.14.314~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8a27416010312cef91e5cb48a2d689f9136ef14f;p=thirdparty%2Fkernel%2Fstable-queue.git
6.2-stable patches
added patches:
asn.1-fix-check-for-strdup-success.patch
asoc-fsl_asrc_dma-fix-potential-null-ptr-deref.patch
asoc-fsl_sai-fix-pins-setting-for-i.mx8qm-platform.patch
asoc-sof-pm-tear-down-pipelines-only-if-dsp-was-active.patch
fpga-bridge-properly-initialize-bridge-device-before-populating-children.patch
iio-adc-at91-sama5d2_adc-fix-an-error-code-in-at91_adc_allocate_trigger.patch
mm-page_alloc-fix-potential-deadlock-on-zonelist_update_seq-seqlock.patch
---
diff --git a/queue-6.2/asn.1-fix-check-for-strdup-success.patch b/queue-6.2/asn.1-fix-check-for-strdup-success.patch
new file mode 100644
index 00000000000..5ac31d69e92
--- /dev/null
+++ b/queue-6.2/asn.1-fix-check-for-strdup-success.patch
@@ -0,0 +1,40 @@
+From 5a43001c01691dcbd396541e6faa2c0077378f48 Mon Sep 17 00:00:00 2001
+From: Ekaterina Orlova
+Date: Fri, 21 Apr 2023 15:35:39 +0100
+Subject: ASN.1: Fix check for strdup() success
+
+From: Ekaterina Orlova
+
+commit 5a43001c01691dcbd396541e6faa2c0077378f48 upstream.
+
+It seems there is a misprint in the check of strdup() return code that
+can lead to NULL pointer dereference.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 4520c6a49af8 ("X.509: Add simple ASN.1 grammar compiler")
+Signed-off-by: Ekaterina Orlova
+Cc: David Woodhouse
+Cc: James Bottomley
+Cc: Jarkko Sakkinen
+Cc: keyrings@vger.kernel.org
+Cc: linux-kbuild@vger.kernel.org
+Link: https://lore.kernel.org/r/20230315172130.140-1-vorobushek.ok@gmail.com/
+Signed-off-by: David Howells
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/asn1_compiler.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/asn1_compiler.c
++++ b/scripts/asn1_compiler.c
+@@ -625,7 +625,7 @@ int main(int argc, char **argv)
+ p = strrchr(argv[1], '/');
+ p = p ? p + 1 : argv[1];
+ grammar_name = strdup(p);
+- if (!p) {
++ if (!grammar_name) {
+ perror(NULL);
+ exit(1);
+ }
diff --git a/queue-6.2/asoc-fsl_asrc_dma-fix-potential-null-ptr-deref.patch b/queue-6.2/asoc-fsl_asrc_dma-fix-potential-null-ptr-deref.patch
new file mode 100644
index 00000000000..ca7e202639c
--- /dev/null
+++ b/queue-6.2/asoc-fsl_asrc_dma-fix-potential-null-ptr-deref.patch
@@ -0,0 +1,54 @@
+From 86a24e99c97234f87d9f70b528a691150e145197 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich
+Date: Mon, 17 Apr 2023 06:32:42 -0700
+Subject: ASoC: fsl_asrc_dma: fix potential null-ptr-deref
+
+From: Nikita Zhandarovich
+
+commit 86a24e99c97234f87d9f70b528a691150e145197 upstream.
+
+dma_request_slave_channel() may return NULL which will lead to
+NULL pointer dereference error in 'tmp_chan->private'.
+
+Correct this behaviour by, first, switching from deprecated function
+dma_request_slave_channel() to dma_request_chan(). Secondly, enable
+sanity check for the resuling value of dma_request_chan().
+Also, fix description that follows the enacted changes and that
+concerns the use of dma_request_slave_channel().
+
+Fixes: 706e2c881158 ("ASoC: fsl_asrc_dma: Reuse the dma channel if available in Back-End")
+Co-developed-by: Natalia Petrova
+Signed-off-by: Nikita Zhandarovich
+Acked-by: Shengjiu Wang
+Link: https://lore.kernel.org/r/20230417133242.53339-1-n.zhandarovich@fintech.ru
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/fsl/fsl_asrc_dma.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/fsl/fsl_asrc_dma.c
++++ b/sound/soc/fsl/fsl_asrc_dma.c
+@@ -209,14 +209,19 @@ static int fsl_asrc_dma_hw_params(struct
+ be_chan = soc_component_to_pcm(component_be)->chan[substream->stream];
+ tmp_chan = be_chan;
+ }
+- if (!tmp_chan)
+- tmp_chan = dma_request_slave_channel(dev_be, tx ? "tx" : "rx");
++ if (!tmp_chan) {
++ tmp_chan = dma_request_chan(dev_be, tx ? "tx" : "rx");
++ if (IS_ERR(tmp_chan)) {
++ dev_err(dev, "failed to request DMA channel for Back-End\n");
++ return -EINVAL;
++ }
++ }
+
+ /*
+ * An EDMA DEV_TO_DEV channel is fixed and bound with DMA event of each
+ * peripheral, unlike SDMA channel that is allocated dynamically. So no
+ * need to configure dma_request and dma_request2, but get dma_chan of
+- * Back-End device directly via dma_request_slave_channel.
++ * Back-End device directly via dma_request_chan.
+ */
+ if (!asrc->use_edma) {
+ /* Get DMA request of Back-End */
diff --git a/queue-6.2/asoc-fsl_sai-fix-pins-setting-for-i.mx8qm-platform.patch b/queue-6.2/asoc-fsl_sai-fix-pins-setting-for-i.mx8qm-platform.patch
new file mode 100644
index 00000000000..96ea6b4371a
--- /dev/null
+++ b/queue-6.2/asoc-fsl_sai-fix-pins-setting-for-i.mx8qm-platform.patch
@@ -0,0 +1,34 @@
+From 238787157d83969e5149c8e99787d5d90e85fbe5 Mon Sep 17 00:00:00 2001
+From: Chancel Liu
+Date: Tue, 18 Apr 2023 17:42:59 +0800
+Subject: ASoC: fsl_sai: Fix pins setting for i.MX8QM platform
+
+From: Chancel Liu
+
+commit 238787157d83969e5149c8e99787d5d90e85fbe5 upstream.
+
+SAI on i.MX8QM platform supports the data lines up to 4. So the pins
+setting should be corrected to 4.
+
+Fixes: eba0f0077519 ("ASoC: fsl_sai: Enable combine mode soft")
+Signed-off-by: Chancel Liu
+Acked-by: Shengjiu Wang
+Reviewed-by: Iuliana Prodan
+Link: https://lore.kernel.org/r/20230418094259.4150771-1-chancel.liu@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/fsl/fsl_sai.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -1543,7 +1543,7 @@ static const struct fsl_sai_soc_data fsl
+ .use_imx_pcm = true,
+ .use_edma = true,
+ .fifo_depth = 64,
+- .pins = 1,
++ .pins = 4,
+ .reg_offset = 0,
+ .mclk0_is_mclk1 = false,
+ .flags = 0,
diff --git a/queue-6.2/asoc-sof-pm-tear-down-pipelines-only-if-dsp-was-active.patch b/queue-6.2/asoc-sof-pm-tear-down-pipelines-only-if-dsp-was-active.patch
new file mode 100644
index 00000000000..db39594db1a
--- /dev/null
+++ b/queue-6.2/asoc-sof-pm-tear-down-pipelines-only-if-dsp-was-active.patch
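Review bot: In the fsl_asrc_dma.c hunk (asoc-fsl_asrc_dma-fix-potential-null-ptr-deref.patch), the new `IS_ERR(tmp_chan)` branch returns a fixed `-EINVAL`, so the errno that dma_request_chan() encoded in the pointer never reaches the caller or the log. Propagating it keeps the failure diagnosable: `dev_err(dev, "failed to request DMA channel for Back-End: %ld\n", PTR_ERR(tmp_chan));` followed by `return PTR_ERR(tmp_chan);`. fsl_asrc_dma_hw_params() starts and ends outside the hunk, so whether anything acquired earlier in the function needs releasing on this new early return cannot be judged from the lines shown.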
@@ -0,0 +1,59 @@
+From 0b186bb06198653d74a141902a7739e0bde20cf4 Mon Sep 17 00:00:00 2001
+From: Daniel Baluta
+Date: Wed, 5 Apr 2023 12:26:55 +0300
+Subject: ASoC: SOF: pm: Tear down pipelines only if DSP was active
+
+From: Daniel Baluta
+
+commit 0b186bb06198653d74a141902a7739e0bde20cf4 upstream.
+
+With PCI if the device was suspended it is brought back to full
+power and then suspended again.
+
+This doesn't happen when device is described via DT.
+
+We need to make sure that we tear down pipelines only if the device
+was previously active (thus the pipelines were setup).
+
+Otherwise, we can break the use_count:
+
+[ 219.009743] sof-audio-of-imx8m 3b6e8000.dsp:
+sof_ipc3_tear_down_all_pipelines: widget PIPELINE.2.SAI3.IN is still in use: count -1
+
+and after this everything stops working.
+
+Fixes: d185e0689abc ("ASoC: SOF: pm: Always tear down pipelines before DSP suspend")
+Reviewed-by: Pierre-Louis Bossart
+Reviewed-by: Ranjani Sridharan
+Signed-off-by: Daniel Baluta
+Link: https://lore.kernel.org/r/20230405092655.19587-1-daniel.baluta@oss.nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/sof/pm.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/sof/pm.c
++++ b/sound/soc/sof/pm.c
+@@ -183,6 +183,7 @@ static int sof_suspend(struct device *de
+ const struct sof_ipc_tplg_ops *tplg_ops = sdev->ipc->ops->tplg;
+ pm_message_t pm_state;
+ u32 target_state = snd_sof_dsp_power_target(sdev);
++ u32 old_state = sdev->dsp_power_state.state;
+ int ret;
+
+ /* do nothing if dsp suspend callback is not set */
+@@ -192,7 +193,12 @@ static int sof_suspend(struct device *de
+ if (runtime_suspend && !sof_ops(sdev)->runtime_suspend)
+ return 0;
+
+- if (tplg_ops && tplg_ops->tear_down_all_pipelines)
++ /* we need to tear down pipelines only if the DSP hardware is
++ * active, which happens for PCI devices. if the device is
++ * suspended, it is brought back to full power and then
++ * suspended again
++ */
++ if (tplg_ops && tplg_ops->tear_down_all_pipelines && (old_state == SOF_DSP_PM_D0))
+ tplg_ops->tear_down_all_pipelines(sdev, false);
+
+ if (sdev->fw_state != SOF_FW_BOOT_COMPLETE)
diff --git a/queue-6.2/fpga-bridge-properly-initialize-bridge-device-before-populating-children.patch b/queue-6.2/fpga-bridge-properly-initialize-bridge-device-before-populating-children.patch
new file mode 100644
index 00000000000..8c919d9325b
--- /dev/null
+++ b/queue-6.2/fpga-bridge-properly-initialize-bridge-device-before-populating-children.patch
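Review bot: The comment added above the tear-down call in sof_suspend() (sound/soc/sof/pm.c) describes the PCI resume-then-suspend sequence but never states the invariant that the `old_state == SOF_DSP_PM_D0` test protects, and its second sentence starts in lower case mid-line, which makes it easy to misread. I would state the rule directly, for example `/* Tear down pipelines only if the DSP was in D0 on entry; otherwise they were not set up and the widget use_count goes negative. */`, which ties the guard to the "count -1" failure quoted in the description. The parentheses around `old_state == SOF_DSP_PM_D0` are redundant. sof_suspend() continues beyond both inner hunks.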
@@ -0,0 +1,56 @@
+From dc70eb868b9cd2ca01313e5a394e6ea001d513e9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alexis=20Lothor=C3=A9?=
+Date: Tue, 4 Apr 2023 15:31:02 +0200
+Subject: fpga: bridge: properly initialize bridge device before populating children
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexis Lothoré
+
+commit dc70eb868b9cd2ca01313e5a394e6ea001d513e9 upstream.
+
+The current code path can lead to warnings because of uninitialized device,
+which contains, as a consequence, uninitialized kobject. The uninitialized
+device is passed to of_platform_populate, which will at some point, while
+creating child device, try to get a reference on uninitialized parent,
+resulting in the following warning:
+
+kobject: '(null)' ((ptrval)): is not initialized, yet kobject_get() is
+being called.
+
+The warning is observed after migrating a kernel 5.10.x to 6.1.x.
+Reverting commit 0d70af3c2530 ("fpga: bridge: Use standard dev_release for
+class driver") seems to remove the warning.
+This commit aggregates device_initialize() and device_add() into
+device_register() but this new call is done AFTER of_platform_populate
+
+Fixes: 0d70af3c2530 ("fpga: bridge: Use standard dev_release for class driver")
+Signed-off-by: Alexis Lothoré
+Acked-by: Xu Yilun
+Link: https://lore.kernel.org/r/20230404133102.2837535-2-alexis.lothore@bootlin.com
+Signed-off-by: Xu Yilun
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/fpga/fpga-bridge.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/fpga/fpga-bridge.c
++++ b/drivers/fpga/fpga-bridge.c
+@@ -360,7 +360,6 @@ fpga_bridge_register(struct device *pare
+ bridge->dev.parent = parent;
+ bridge->dev.of_node = parent->of_node;
+ bridge->dev.id = id;
+- of_platform_populate(bridge->dev.of_node, NULL, NULL, &bridge->dev);
+
+ ret = dev_set_name(&bridge->dev, "br%d", id);
+ if (ret)
+@@ -372,6 +371,8 @@ fpga_bridge_register(struct device *pare
+ return ERR_PTR(ret);
+ }
+
++ of_platform_populate(bridge->dev.of_node, NULL, NULL, &bridge->dev);
++
+ return bridge;
+
+ error_device:
diff --git a/queue-6.2/iio-adc-at91-sama5d2_adc-fix-an-error-code-in-at91_adc_allocate_trigger.patch b/queue-6.2/iio-adc-at91-sama5d2_adc-fix-an-error-code-in-at91_adc_allocate_trigger.patch
new file mode 100644
index 00000000000..64e90835a5e
--- /dev/null
+++ b/queue-6.2/iio-adc-at91-sama5d2_adc-fix-an-error-code-in-at91_adc_allocate_trigger.patch
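Review bot: The relocated `of_platform_populate(bridge->dev.of_node, NULL, NULL, &bridge->dev);` in fpga_bridge_register() still has its return value discarded, so a failure to create the child devices goes unreported and the bridge is handed back as if fully registered. At minimum the result should be captured and logged, e.g. `ret = of_platform_populate(bridge->dev.of_node, NULL, NULL, &bridge->dev);` followed by `if (ret) dev_warn(&bridge->dev, "failed to populate child devices: %d\n", ret);`. Whether registration should fail instead depends on how the device is unwound once it has been registered, and that path lies outside the hunk.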
@@ -0,0 +1,32 @@
+From 73a428b37b9b538f8f8fe61caa45e7f243bab87c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 29 Mar 2023 07:35:32 +0300
+Subject: iio: adc: at91-sama5d2_adc: fix an error code in at91_adc_allocate_trigger()
+
+From: Dan Carpenter
+
+commit 73a428b37b9b538f8f8fe61caa45e7f243bab87c upstream.
+
+The at91_adc_allocate_trigger() function is supposed to return error
+pointers. Returning a NULL will cause an Oops.
+
+Fixes: 5e1a1da0f8c9 ("iio: adc: at91-sama5d2_adc: add hw trigger and buffer support")
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/5d728f9d-31d1-410d-a0b3-df6a63a2c8ba@kili.mountain
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/at91-sama5d2_adc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/at91-sama5d2_adc.c
++++ b/drivers/iio/adc/at91-sama5d2_adc.c
+@@ -1409,7 +1409,7 @@ static struct iio_trigger *at91_adc_allo
+ trig = devm_iio_trigger_alloc(&indio->dev, "%s-dev%d-%s", indio->name,
+ iio_device_id(indio), trigger_name);
+ if (!trig)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+ trig->dev.parent = indio->dev.parent;
+ iio_trigger_set_drvdata(trig, indio);
diff --git a/queue-6.2/mm-page_alloc-fix-potential-deadlock-on-zonelist_update_seq-seqlock.patch b/queue-6.2/mm-page_alloc-fix-potential-deadlock-on-zonelist_update_seq-seqlock.patch
new file mode 100644
index 00000000000..555f2eef481
--- /dev/null
+++ b/queue-6.2/mm-page_alloc-fix-potential-deadlock-on-zonelist_update_seq-seqlock.patch
@@ -0,0 +1,184 @@
+From 1007843a91909a4995ee78a538f62d8665705b66 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Tue, 4 Apr 2023 23:31:58 +0900
+Subject: mm/page_alloc: fix potential deadlock on zonelist_update_seq seqlock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tetsuo Handa
+
+commit 1007843a91909a4995ee78a538f62d8665705b66 upstream.
+
+syzbot is reporting circular locking dependency which involves
+zonelist_update_seq seqlock [1], for this lock is checked by memory
+allocation requests which do not need to be retried.
+
+One deadlock scenario is kmalloc(GFP_ATOMIC) from an interrupt handler.
+
+ CPU0
+ ----
+ __build_all_zonelists() {
+ write_seqlock(&zonelist_update_seq); // makes zonelist_update_seq.seqcount odd
+ // e.g. timer interrupt handler runs at this moment
+ some_timer_func() {
+ kmalloc(GFP_ATOMIC) {
+ __alloc_pages_slowpath() {
+ read_seqbegin(&zonelist_update_seq) {
+ // spins forever because zonelist_update_seq.seqcount is odd
+ }
+ }
+ }
+ }
+ // e.g. timer interrupt handler finishes
+ write_sequnlock(&zonelist_update_seq); // makes zonelist_update_seq.seqcount even
+ }
+
+This deadlock scenario can be easily eliminated by not calling
+read_seqbegin(&zonelist_update_seq) from !__GFP_DIRECT_RECLAIM allocation
+requests, for retry is applicable to only __GFP_DIRECT_RECLAIM allocation
+requests. But Michal Hocko does not know whether we should go with this
+approach.
+
+Another deadlock scenario which syzbot is reporting is a race between
+kmalloc(GFP_ATOMIC) from tty_insert_flip_string_and_push_buffer() with
+port->lock held and printk() from __build_all_zonelists() with
+zonelist_update_seq held.
+
+ CPU0 CPU1
+ ---- ----
+ pty_write() {
+ tty_insert_flip_string_and_push_buffer() {
+ __build_all_zonelists() {
+ write_seqlock(&zonelist_update_seq);
+ build_zonelists() {
+ printk() {
+ vprintk() {
+ vprintk_default() {
+ vprintk_emit() {
+ console_unlock() {
+ console_flush_all() {
+ console_emit_next_record() {
+ con->write() = serial8250_console_write() {
+ spin_lock_irqsave(&port->lock, flags);
+ tty_insert_flip_string() {
+ tty_insert_flip_string_fixed_flag() {
+ __tty_buffer_request_room() {
+ tty_buffer_alloc() {
+ kmalloc(GFP_ATOMIC | __GFP_NOWARN) {
+ __alloc_pages_slowpath() {
+ zonelist_iter_begin() {
+ read_seqbegin(&zonelist_update_seq); // spins forever because zonelist_update_seq.seqcount is odd
+ spin_lock_irqsave(&port->lock, flags); // spins forever because port->lock is held
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ spin_unlock_irqrestore(&port->lock, flags);
+ // message is printed to console
+ spin_unlock_irqrestore(&port->lock, flags);
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ write_sequnlock(&zonelist_update_seq);
+ }
+ }
+ }
+
+This deadlock scenario can be eliminated by
+
+ preventing interrupt context from calling kmalloc(GFP_ATOMIC)
+
+and
+
+ preventing printk() from calling console_flush_all()
+
+while zonelist_update_seq.seqcount is odd.
+
+Since Petr Mladek thinks that __build_all_zonelists() can become a
+candidate for deferring printk() [2], let's address this problem by
+
+ disabling local interrupts in order to avoid kmalloc(GFP_ATOMIC)
+
+and
+
+ disabling synchronous printk() in order to avoid console_flush_all()
+
+.
+
+As a side effect of minimizing duration of zonelist_update_seq.seqcount
+being odd by disabling synchronous printk(), latency at
+read_seqbegin(&zonelist_update_seq) for both !__GFP_DIRECT_RECLAIM and
+__GFP_DIRECT_RECLAIM allocation requests will be reduced. Although, from
+lockdep perspective, not calling read_seqbegin(&zonelist_update_seq) (i.e.
+do not record unnecessary locking dependency) from interrupt context is
+still preferable, even if we don't allow calling kmalloc(GFP_ATOMIC)
+inside
+write_seqlock(&zonelist_update_seq)/write_sequnlock(&zonelist_update_seq)
+section...
+
+Link: https://lkml.kernel.org/r/8796b95c-3da3-5885-fddd-6ef55f30e4d3@I-love.SAKURA.ne.jp
+Fixes: 3d36424b3b58 ("mm/page_alloc: fix race condition between build_all_zonelists and page allocation")
+Link: https://lkml.kernel.org/r/ZCrs+1cDqPWTDFNM@alley [2]
+Reported-by: syzbot
+ Link: https://syzkaller.appspot.com/bug?extid=223c7461c58c58a4cb10 [1]
+Signed-off-by: Tetsuo Handa
+Acked-by: Michal Hocko
+Acked-by: Mel Gorman
+Cc: Petr Mladek
+Cc: David Hildenbrand
+Cc: Ilpo Järvinen
+Cc: John Ogness
+Cc: Patrick Daly
+Cc: Sergey Senozhatsky
+Cc: Steven Rostedt
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/page_alloc.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -6590,7 +6590,21 @@ static void __build_all_zonelists(void *
+ int nid;
+ int __maybe_unused cpu;
+ pg_data_t *self = data;
++ unsigned long flags;
+
++ /*
++ * Explicitly disable this CPU's interrupts before taking seqlock
++ * to prevent any IRQ handler from calling into the page allocator
++ * (e.g. GFP_ATOMIC) that could hit zonelist_iter_begin and livelock.
++ */
++ local_irq_save(flags);
++ /*
++ * Explicitly disable this CPU's synchronous printk() before taking
++ * seqlock to prevent any printk() from trying to hold port->lock, for
++ * tty_insert_flip_string_and_push_buffer() on other CPU might be
++ * calling kmalloc(GFP_ATOMIC | __GFP_NOWARN) with port->lock held.
++ */
++ printk_deferred_enter();
+ write_seqlock(&zonelist_update_seq);
+
+ #ifdef CONFIG_NUMA
+@@ -6629,6 +6643,8 @@ static void __build_all_zonelists(void *
+ }
+
+ write_sequnlock(&zonelist_update_seq);
++ printk_deferred_exit();
++ local_irq_restore(flags);
+ }
+
+ static noinline void __init
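Review bot: In __build_all_zonelists(), `local_irq_save(flags)` followed by `write_seqlock(&zonelist_update_seq)` acquires the seqlock's embedded spinlock with interrupts already hard-disabled; on PREEMPT_RT kernels that spinlock is a sleeping lock, so this ordering is not valid there. The combined helpers express the same intent and leave the interrupt handling to the lock implementation: take the lock with `write_seqlock_irqsave(&zonelist_update_seq, flags);` and release it with `write_sequnlock_irqrestore(&zonelist_update_seq, flags);`, keeping the printk_deferred_enter()/printk_deferred_exit() pair nested inside. The first added comment also says "livelock" where the description calls the same scenario a deadlock; one term should be used for both. The function body between the two inner hunks is not shown.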
diff --git a/queue-6.2/series b/queue-6.2/series
index a54ac3cbbd0..857f880ff4c 100644
--- a/queue-6.2/series
+++ b/queue-6.2/series
@@ -101,3 +101,10 @@ pci-msi-remove-over-zealous-hardware-size-check-in-pci_msix_validate_entries.pat
 gcc-disable-warray-bounds-for-gcc-13-too.patch
 input-cyttsp5-fix-sensing-configuration-data-structure.patch
 input-pegasus-notetaker-check-pipe-type-when-probing.patch
+iio-adc-at91-sama5d2_adc-fix-an-error-code-in-at91_adc_allocate_trigger.patch
+fpga-bridge-properly-initialize-bridge-device-before-populating-children.patch
+mm-page_alloc-fix-potential-deadlock-on-zonelist_update_seq-seqlock.patch
+asoc-sof-pm-tear-down-pipelines-only-if-dsp-was-active.patch
+asoc-fsl_asrc_dma-fix-potential-null-ptr-deref.patch
+asoc-fsl_sai-fix-pins-setting-for-i.mx8qm-platform.patch
+asn.1-fix-check-for-strdup-success.patch